CNI Plugin Installation
A cluster has been initialized but no CNI plugin is installed — all nodes show NotReady. Install a CNI plugin that enables pod-to-pod communication across nodes and supports NetworkPolicy enforcement.
Every task in the lab maps to a domain in the official CKA curriculum. Below is the full list — what you'll practice, what skills each task tests, and how it maps to the exam blueprint.
Manage Kubernetes clusters: bootstrap with kubeadm, install CNI plugins, configure container runtimes, manage certificates, and understand control-plane components.
A cluster has been initialized but no CNI plugin is installed — all nodes show NotReady. Install a CNI plugin that enables pod-to-pod communication across nodes and supports NetworkPolicy enforcement.
Work with cert-manager Custom Resource Definitions. List all cert-manager CRDs and extract documentation for the Certificate spec using kubectl explain.
Update an existing Deployment to add a sidecar container that tails a log file using a shared emptyDir volume. Tests understanding of multi-container pod patterns, volume mounts, and Deployment updates.
Set up cri-dockerd as a container runtime interface on a node. Install the package, enable the service, configure kernel parameters for bridged networking and IP forwarding using sysctl.
Deploy and manage workloads: Deployments, HPA, PriorityClasses, taints and tolerations, resource requests/limits, and pod scheduling constraints.
Create an HPA for a Deployment with a CPU utilization target, min/max replica bounds, and a custom downscale stabilization window. Tests autoscaling configuration and the behavior API.
A Deployment has 3 replicas but none are running because a ResourceQuota blocks pods without resource requests. Investigate the quota, calculate equal per-pod shares, and configure requests equal to limits for Guaranteed QoS.
Create a new PriorityClass with a specific value relative to existing classes, then patch a Deployment to use it. Tests understanding of pod scheduling priority and preemption.
A worker node is tainted for dedicated GPU workloads. Create a pod with the correct toleration and nodeSelector to land on the tainted node while ensuring other workloads stay off it.
Configure cluster networking: Services (ClusterIP, NodePort), Ingress, Gateway API, Network Policies, DNS, and TLS termination.
Two deployments span separate namespaces. Review multiple NetworkPolicy YAML files and select the one that allows frontend-to-backend traffic with the least permissive rules. Tests understanding of namespace selectors, pod selectors, and ingress rules.
Migrate an existing Ingress resource to the new Gateway API. Create a Gateway with TLS termination and an HTTPRoute that forwards traffic to the backend. Tests the Kubernetes Gateway API, which replaces Ingress on the CKA exam.
A Deployment uses a ConfigMap for TLS configuration that currently allows TLS 1.2 and 1.3. Modify the config to enforce TLS 1.3 only, handling immutable ConfigMap replacement and Deployment restart.
Add a named container port to a Deployment, then create a NodePort Service that references the named port. Tests Service configuration, named ports, label selectors, and namespace context switching.
Create an Ingress resource with multiple path-based routing rules using the NGINX Ingress Controller. Route different URL paths to different backend services with Prefix path matching.
Manage persistent storage: PersistentVolumes, PersistentVolumeClaims, StorageClasses, volume binding modes, and data recovery from retained volumes.
Create a new StorageClass with a specific provisioner and WaitForFirstConsumer binding mode. Then make it the default StorageClass while ensuring no other class retains the default annotation.
A database Deployment was deleted but its PersistentVolume was retained. Create a PVC that binds to the specific retained PV using volumeName, then update the Deployment manifest to mount it and restore the database.
Diagnose and fix cluster failures: broken control planes, misconfigured static pod manifests, failed Deployments, Helm issues, and node-level problems. This is the highest-weighted domain on the CKA exam.
Install Argo CD using Helm with specific constraints: add the official repo, generate a template (not install) for an exact chart version with CRDs disabled, and save the output manifest. Tests Helm repo management, template generation, and flag usage.
After a cluster migration, the entire control plane is down. Three separate problems exist across the kube-apiserver, kube-controller-manager, and kube-scheduler static pod manifests. Identify and fix all issues to restore the cluster.