- What the CKA Exam Actually Tests
- Domain 1: Cluster Architecture, Installation & Configuration (25%)
- Domain 2: Workloads & Scheduling (15%)
- Domain 3: Services & Networking (20%)
- Domain 4: Storage (10%)
- Domain 5: Troubleshooting (30%)
- How Domain Weights Shape Your Preparation
- Exam Format, Open-Book Rules, and Scoring
- A Domain-Ordered Study Sequence
- Frequently Asked Questions
- Troubleshooting is the single largest domain at 30%-neglecting it is the fastest route to failing.
- The five domains span 100% of scoring; mastering all five is required to clear the 66% passing threshold.
- The exam is performance-based: ~15-20 real tasks solved in a live Linux terminal in 2 hours.
- Only approved in-VM resources (Kubernetes docs, Helm docs, Blog) are allowed-no external Google searches.
What the CKA Exam Actually Tests
The CKA Certification is not a multiple-choice knowledge quiz. Created by the Cloud Native Computing Foundation (CNCF) in collaboration with The Linux Foundation, it drops you into a live, multi-cluster Kubernetes environment and asks you to solve real operational problems-bootstrapping clusters, debugging broken pods, wiring up services, provisioning storage, and more-all within a strict two-hour window.
Understanding the five content domains is the most important structural decision you will make before you begin studying. Each domain represents a distinct slice of the Kubernetes administrator role, carries a specific percentage weight toward your final score, and demands a different category of hands-on skill. If you walk into the exam treating all five domains equally, you will misallocate your preparation time. The domain weights exist precisely so you know where the exam designers believe administrator competency matters most.
For a broader orientation on the credential itself, see What Is CKA Certification? This article goes deeper: it breaks down each domain, explains what tasks fall inside it, and shows you how the weights should drive your study plan.
Domain 1: Cluster Architecture, Installation & Configuration (25%)
At 25% of the exam, this is the second-largest domain and arguably the most foundational. You cannot competently administer a cluster you do not understand at the component level. Domain 1 covers how Kubernetes clusters are assembled, how they are bootstrapped, and how they are kept secure and auditable over time. For a full deep-dive, visit the CKA Domain 1: Cluster Architecture, Installation & Configuration (25%) - Complete Study Guide 2026.
Domain 1: Cluster Architecture, Installation & Configuration
Candidates must understand the role of every control-plane and worker-node component and demonstrate the ability to build, upgrade, and harden a cluster from scratch.
- Control plane components: kube-apiserver, etcd, kube-scheduler, kube-controller-manager, cloud-controller-manager
- Worker node components: kubelet, kube-proxy, container runtime
- Bootstrapping clusters with kubeadm, including init, join, and upgrade workflows
- Managing etcd: backup with etcdctl snapshot save, restore procedures
- Role-Based Access Control (RBAC): Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, service accounts
- Kubernetes API versioning and kubeconfig management across multiple clusters
- CRDs and understanding the extension model
In exam tasks, this domain frequently surfaces as: "Upgrade this cluster from version X to version Y using kubeadm," "Restore etcd from the provided snapshot file," or "Create a ClusterRole that grants read access to pods and bind it to a service account." Speed with kubeadm, etcdctl, and kubectl auth subcommands is non-negotiable here.
Domain 2: Workloads & Scheduling (15%)
Weighted at 15%, this domain is the smallest alongside Storage but covers concepts that appear indirectly throughout the exam. Workloads and Scheduling is where candidates prove they can deploy, manage, and control how Kubernetes places applications across nodes. See the full breakdown in the CKA Domain 2: Workloads & Scheduling (15%) - Complete Study Guide 2026.
Domain 2: Workloads & Scheduling
Candidates must be fluent in the full lifecycle of Kubernetes workload objects and understand the mechanisms that influence pod placement decisions.
- Deployments, ReplicaSets, DaemonSets, StatefulSets, Jobs, CronJobs
- Rolling updates and rollbacks:
kubectl rolloutcommands - ConfigMaps and Secrets: creation, mounting as volumes or env vars
- Resource requests and limits; understanding how the scheduler uses them
- Node selectors, affinity, anti-affinity, taints and tolerations
- Pod disruption budgets and priority classes
- Helm: installing and upgrading charts (Helm docs are permitted in the exam)
Scheduling tasks often appear embedded inside other scenarios-for example, a troubleshooting task where a pod refuses to schedule because a node has a taint with no matching toleration. Recognizing that root cause requires Domain 2 knowledge even though the task scores inside Domain 5.
Domain 3: Services & Networking (20%)
Services & Networking carries 20% of the exam weight and is consistently cited by candidates as one of the most technically demanding areas. Kubernetes networking involves multiple interacting layers-cluster DNS, kube-proxy, CNI plugins, Ingress controllers, and now the Gateway API-and exam tasks expect you to configure and debug all of them. The complete topic list is in the CKA Domain 3: Services & Networking (20%) - Complete Study Guide 2026.
Domain 3: Services & Networking
Candidates must understand how traffic flows inside and into a Kubernetes cluster and must be able to configure and troubleshoot networking resources under time pressure.
- Service types: ClusterIP, NodePort, LoadBalancer, ExternalName, Headless
- Endpoints and EndpointSlices; how selectors bind pods to services
- CoreDNS: how pod and service DNS names are constructed, basic troubleshooting
- Network Policies: ingress and egress rules, default-deny patterns
- Ingress resources and ingress controllers
- Gateway API: HTTPRoute, GatewayClass, Gateway objects (CKA-specific Gateway API docs are permitted)
- CNI plugin basics and pod-to-pod connectivity model
- kube-proxy modes and iptables/ipvs fundamentals
Storage (10%)
Storage is the smallest domain at 10%, but the tasks it generates are precise and unforgiving-partial credit only helps if you get most of a task right. The CKA Domain 4: Storage (10%) - Complete Study Guide 2026 covers the complete topic list.
Domain 4: Storage
Candidates must understand the Kubernetes persistent storage model end-to-end and be able to provision, bind, and configure storage for stateful workloads.
- PersistentVolumes (PV) and PersistentVolumeClaims (PVC): static and dynamic provisioning
- StorageClasses: provisioner field, reclaim policies (Retain, Delete, Recycle)
- Access modes: ReadWriteOnce, ReadOnlyMany, ReadWriteMany
- Volume types: emptyDir, hostPath, configMap, secret, NFS, and CSI
- Mounting volumes into pods; subPath usage
- Understanding binding states and troubleshooting unbound PVCs
A common exam pattern: create a PersistentVolume with specific capacity and access mode, create a matching PVC, and attach it to a pod at a specified mount path. The task sounds straightforward but requires exact YAML syntax-even a mismatched access mode string will leave the PVC in a Pending state and cost you partial or full credit.
Domain 5: Troubleshooting (30%)
Troubleshooting is the largest domain on the CKA exam at 30% of total scoring. This is not an accident. The Linux Foundation's exam blueprint reflects the reality of the Kubernetes administrator role: a significant portion of daily work is diagnosing and fixing things that have stopped working. Candidates who underinvest in this domain cannot pass regardless of how polished their other skills are.
Domain 5: Troubleshooting
Candidates must systematically diagnose cluster, node, and application-level failures using logs, events, and direct component inspection-without external search access.
- Application failures: CrashLoopBackOff, ImagePullBackOff, OOMKilled, Pending pods
- Control plane component failures: unhealthy apiserver, scheduler, controller-manager
- Worker node failures: kubelet not running, node NotReady status
- Networking failures: services not routing, DNS resolution failures, NetworkPolicy blocking traffic
- Log collection:
kubectl logs,kubectl describe,journalctl -u kubelet,crictl - Event inspection and resource status analysis
- Identifying misconfigured YAML that has already been applied to the cluster
Key Takeaway
Because Troubleshooting is worth 30%, a candidate who scores perfectly on every other domain but earns zero on Troubleshooting still fails. Treat Domain 5 as the exam's primary battleground, not an afterthought.
Troubleshooting tasks in the exam present you with a broken environment and ask you to fix it-no hints, no error descriptions beyond what you can discover yourself. This is where diagnostic speed matters: knowing immediately to run kubectl get events, then kubectl describe pod, then kubectl logs, then pivot to journalctl on the node if needed, is the kind of practiced workflow that separates passing candidates from failing ones.
How Domain Weights Shape Your Preparation
| Domain | Weight | Priority Tier | Core Skill Category |
|---|---|---|---|
| Domain 5: Troubleshooting | 30% | Tier 1 - Critical | Diagnostic workflows, log analysis |
| Domain 1: Cluster Architecture, Installation & Configuration | 25% | Tier 1 - Critical | kubeadm, etcd, RBAC |
| Domain 3: Services & Networking | 20% | Tier 2 - High | Services, DNS, Network Policy, Gateway API |
| Domain 2: Workloads & Scheduling | 15% | Tier 2 - High | Deployments, scheduling, Helm |
| Domain 4: Storage | 10% | Tier 3 - Solid Foundation | PV, PVC, StorageClass |
The 66% passing score means a candidate must accumulate at least two-thirds of available points across partial-credit tasks. With Troubleshooting and Cluster Architecture together accounting for 55% of all points, weak performance in either domain creates a deficit that the smaller domains cannot compensate for. See How Hard Is the CKA Exam? Complete Difficulty Guide 2026 for a realistic picture of where candidates typically struggle.
Exam Format, Open-Book Rules, and Scoring
The CKA is delivered through The Linux Foundation's certification platform using PSI Bridge remote proctoring. Candidates receive approximately 15-20 performance-based tasks spread across multiple pre-configured Kubernetes clusters. Every task is completed entirely from a Linux command line inside the exam VM.
The exam is open-resource, but the definition of "open" is narrower than most candidates expect. Approved resources accessible inside the exam VM include:
- kubernetes.io documentation and the Kubernetes Blog
- Helm documentation
- CKA Gateway API documentation
- Task-specific documentation surfaced in the terminal instructions
/usr/sharedocuments and packages pre-installed in the VM
External search results, Stack Overflow, GitHub issues, and third-party study sites are explicitly not permitted. This is a critical preparation implication: you must know the Kubernetes documentation well enough to navigate it quickly. Searching for a syntax you have never seen before costs minutes you cannot afford in a two-hour exam.
The exam fee is $445 and includes one free retake (two total attempts) plus two sessions on the Killer.sh simulator. Killer.sh scenarios are harder than the actual exam, which makes them valuable calibration tools. The $445 fee structure and what it includes is broken down further in the CKA Certification Cost 2026: Complete Pricing Breakdown.
Certifications earned after April 1, 2024 are valid for two years. Renewal requires retaking and passing the exam before expiration-there is no continuing education path.
A Domain-Ordered Study Sequence
Because the domains are interdependent-you cannot troubleshoot a cluster you have never built-a logical progression through the material matters more than arbitrary time allocation. The sequence below is grounded in the domain weights and technical dependencies, not a generic study formula.
Domain 1: Cluster Architecture, Installation & Configuration
- Build clusters from scratch with kubeadm repeatedly until the workflow is automatic
- Practice etcd backup and restore under simulated failures
- Create and test RBAC policies: Roles, ClusterRoles, bindings, service accounts
- Perform a full cluster upgrade (control plane + worker nodes) at least three times
Domains 2 & 4: Workloads, Scheduling, and Storage
- Deploy and manage every workload type; practice rollouts and rollbacks timed
- Configure taints, tolerations, and affinity rules; observe scheduler behavior
- Create PVs and PVCs with varying access modes; mount them into pods
- Build Helm chart deployments using only the Helm documentation tab
Domain 3: Services & Networking
- Configure each Service type and verify connectivity with curl from a test pod
- Write and apply Network Policies; verify with traffic tests
- Configure Gateway API objects (HTTPRoute, Gateway) using permitted documentation
- Diagnose DNS failures using nslookup and dig inside running pods
Domain 5: Troubleshooting - Primary Focus
- Deliberately break clusters and fix them: stop kubelet, corrupt kubeconfig, misconfigure RBAC
- Practice the diagnostic command chain from memory: events → describe → logs → journalctl
- Complete both Killer.sh simulator sessions; review every failed task in detail
- Run full timed practice tests at CKA Exam Prep practice tests
For a complete week-by-week schedule with specific resource recommendations, the CKA Study Guide 2026: How to Pass on Your First Attempt extends this framework across a full preparation timeline. Additional practice tests and domain-specific drills are available at CKA Exam Prep.
Frequently Asked Questions
Troubleshooting at 30% and Cluster Architecture at 25% together account for 55% of the exam. If study time is limited, those two domains deliver the highest return. Weak performance in either creates a deficit that Workloads (15%), Networking (20%), and Storage (10%) cannot compensate for when trying to clear 66%.
The five domain names and their weights-Troubleshooting 30%, Cluster Architecture 25%, Services & Networking 20%, Workloads & Scheduling 15%, Storage 10%-have been stable for several exam cycles. Topic scope within domains evolves; notably, Gateway API content was added to Domain 3 more recently. Always verify the current exam curriculum on the Linux Foundation's official CKA page before scheduling.
No. External search results are explicitly prohibited. Only approved resources accessible inside the exam VM are permitted: kubernetes.io docs, the Kubernetes Blog, Helm documentation, CKA Gateway API docs, and pre-installed /usr/share content. Candidates should practice navigating kubernetes.io quickly because documentation lookups consume real exam time.
The CKA contains approximately 15-20 performance-based tasks. The passing score is 66%. Partial credit is possible within individual tasks, so completing most steps of a complex task correctly still recovers some points. Candidates have exactly two hours to complete all tasks across multiple live Kubernetes clusters.
The $445 exam fee includes one free retake, giving candidates two total attempts. The retake must be used within 12 months of the original purchase. Before retaking, use the domain performance feedback in your score report to identify which of the five content areas cost you the most points, and focus remediation there-particularly if Troubleshooting or Cluster Architecture underperformed.