layer5io · ShashaankS · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
diff --git a/...learning-paths/mastering-kubernetes-for-engineers/cka/content/certifications.md b/...learning-paths/mastering-kubernetes-for-engineers/cka/content/certifications.md
@@ -0,0 +1,176 @@
+---
+docType: "Chapter"
+id: "certifications"
+chapterTitle: "Certifications"
+description: "Get an overview of the existing Kubernetes certifications and what you need to learn for the CKA."
+lectures: 10
+title: "Certifications"
+weight: 1
+---
+
+{{< chapterstyle >}}
+
+<h2>Several certifications available</h2>
+<hr>
+
+<p>The <a href="https://cncf.io">CNCF</a> delivers several Kubernetes certifications, which are listed in the following table.</p>
+
+<div style="display: flex; justify-content: center;">
+<table style="width: 80%; table-layout: fixed;">
+<thead>
+<tr>
+<th style="width: 50%; text-align: left;">Certification</th>
+<th style="width: 20%; text-align: center;">Type</th>
+<th style="width: 30%; text-align: center;">Badge</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td style="vertical-align: middle; padding: 10px;">Kubernetes and Cloud Native Associate (KCNA)</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">MCQ</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">{{< image src="/images/learning-path/cka/certifications/kcna.png" width="120px" align="center" alt="" >}}</td>
+</tr>
+<tr>
+<td style="vertical-align: middle; padding: 10px;">Kubernetes and Cloud Native Security Associate (KCSA)</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">MCQ</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">{{< image src="/images/learning-path/cka/certifications/kcsa.png" width="120px" align="center" alt="" >}}</td>
+</tr>
+<tr>
+<td style="vertical-align: middle; padding: 10px;">Certified Kubernetes Application Developer (CKAD)</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">Practice</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">{{< image src="/images/learning-path/cka/certifications/ckad.png" width="120px" align="center" alt="" >}}</td>
+</tr>
+<tr>
+<td style="vertical-align: middle; padding: 10px;">Certified Kubernetes Administrator (CKA)</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">Practice</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">{{< image src="/images/learning-path/cka/certifications/cka.png" width="120px" align="center" alt="" >}}</td>
+</tr>
+<tr>
+<td style="vertical-align: middle; padding: 10px;">Certified Kubernetes Security Specialist (CKS) <em>passing the CKA is a requirement before passing the CKS</em></td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">Practice</td>
+<td style="vertical-align: middle; text-align: center; padding: 10px;">{{< image src="/images/learning-path/cka/certifications/cks.png" width="120px" align="center" alt="" >}}</td>
+</tr>
+</tbody>
+</table>
+</div>
+
+<p>If you pass all those certifications, you become a <a href="https://www.cncf.io/training/kubestronaut/">Kubestronaut</a>.</p>
+<p>If you pass all those certifications, you become a <a href="https://www.cncf.io/training/kubestronaut/">Kubestronaut</a>.</p>
+
+<h2>Expectation for the CKA</h2>
+<hr>
+
+<p>The following table summarizes the distribution of the CKA questions across 5 main subjects.</p>
+
+<div style="display: flex; justify-content: center;">
+<table style="width: 80%; table-layout: fixed;">
+<thead>
+<tr>
+<th>Subject</th>
+<th>%</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>Cluster Architecture, Installation & Configuration</td>
+<td>25%</td>
+</tr>
+<tr>
+<td>Workloads & Scheduling</td>
+<td>15%</td>
+</tr>
+<tr>
+<td>Services & Networking</td>
+<td>20%</td>
+</tr>
+<tr>
+<td>Storage</td>
+<td>10%</td>
+</tr>
+<tr>
+<td>Troubleshooting</td>
+<td>30%</td>
+</tr>
+</tbody>
+</table>
+</div>
+
+<h2>CKA Environment</h2>
+<hr>
+
+<p>The CKA is a 2h exam. It contains 15/20 questions and requires at least 66% correct answers. This exam is remotely proctored, so you can take it from home (or any other quiet location) at a time that best suits your schedule.</p>
+
+<p>Before launching the exam, which you do via your <a href="https://trainingportal.linuxfoundation.org/access/saml/login">Linux Foundation Training Portal</a>, you need to perform a couple of prerequisites including making sure the PSI Browser works correctly on your environment. This browser gives you access to the remote Desktop you'll use during the exam.</p>
+
+{{< image src="/images/learning-path/cka/certifications/psi-browser.png" width="100%" align="center" alt="" >}}
+
+<h2>Tips & tricks</h2>
+<hr>
+
+<h3>Tools</h3>
+
+<p>Make sure you have a basic knowledge of</p>
+
+<ul>
+<li><strong>vim</strong></li>
+<li><strong>openssl</strong></li>
+</ul>
+
+```bash
+Visualize the content of a certificate
+openssl x509 -in cert.crt -noout -text
+```
+
+<ul>
+<li><strong>systemd / systemctl / journalctl</strong></li>
+</ul>
+
+```bash
+Restart kubelet
+systemctl restart kubelet
+
+Check kubelet logs
+journalctl -u kubelet
+```
+
+<h3>Aliases</h3>
+
+<p>Defining a couple of aliases at the very beginning of the examination could save time.</p>
+
+```bash
+alias k=kubectl
+export dr="--dry-run=client -o yaml"
+export fd="--grace-period=0 --force"
+```
+
+<h3>Imperative commands</h3>
+
+<p>Don't create specifications manually, instead use <code>--dry-run=client -o yaml</code> as in these examples.</p>
+
+```bash
+k run nginx --image=nginx:1.20 --dry-run=client -o yaml > pod.yaml
+k create deploy www --image=nginx:1.20 --replicas=3 --dry-run=client -o yaml > deploy.yaml
+k create role create-pod --verb=create --resource=pods --dry-run=client -o yaml > role.yaml
+```
+
+<p>Quickly change the current Namespace.</p>
+
+```bash
+k config set-context --current --namespace=dev
+```
+
+<p>Don't wait for the grace period to get rid of a Pod.</p>
+
+```bash
+k delete po nginx --force --grace-period=0
+```
+
+<h3>Reference guide</h3>
+
+<p>The <a href="https://kubernetes.io/docs/reference/kubectl/quick-reference/">Kubectl quick reference guide</a> is a must-read.</p>
+
+<h3>Access to exam simulator</h3>
+
+<p>Registering for the CKA gives you access to two sessions of the official Exam simulator. I highly recommend using these sessions once you're almost ready.</p>
+
+{{< /chapterstyle >}}
diff --git a/...nt/en/learning-paths/mastering-kubernetes-for-engineers/cka/content/creation.md b/...nt/en/learning-paths/mastering-kubernetes-for-engineers/cka/content/creation.md
@@ -0,0 +1,210 @@
+---
+docType: "Chapter"
+id: "creation"
+chapterTitle: "Create a cluster"
+description: "Build a 3-node kubeadm cluster from scratch."
+lectures: 10
+title: "Create a cluster"
+weight: 2
+---
+
+{{< chapterstyle >}}
+
+<p>This section guides you in creating of a 3-nodes Kubernetes cluster using <a href="https://kubernetes.io/docs/reference/setup-tools/kubeadm/">kubeadm</a> bootstrapping tool. This is an important step as you will use this cluster throughout this workshop.</p>
+
+<p>The cluster you'll create is composed of 3 Nodes named <strong>controlplane</strong>, <strong>worker1</strong> and <strong>worker2</strong>. The controlplane Node runs the cluster components (API Server, Controller Manager, Scheduler, etcd), while worker1 and worker2 are the worker Nodes in charge of running the containerized workloads.</p>
+
+{{< image src="/images/learning-path/cka/creation/objectives.png" width="100%" align="center" alt="" >}}
+
+<h2>Provisioning VMs</h2>
+
+<p>Before creating a cluster, it's necessary to provision the infrastructure (bare metal servers or virtual machines). You can create the 3 VMs on your local machine or a cloud provider (but this last option will come with a small cost). Ensure you name those VMs <strong>controlplane</strong>, <strong>worker1</strong>, and <strong>worker2</strong> to keep consistency alongside the workshop. Please also ensure each VM has at least 2 vCPUs and 2G of RAM so it meets the <a href="https://bit.ly/kubeadm-prerequisites">prerequisites</a>.</p>
+
+<p>If you want to create those VMs on your local machine, we recommend using <a href="https://multipass.run">Multipass</a>, a tool from <a href="https://canonical.com/">Canonical</a>. Multipass makes creating local VMs a breeze. Once you have installed Multipass, create the VMs as follows.</p>
+
+```bash
+multipass launch --name controlplane --memory 2G --cpus 2 --disk 10G
+multipass launch --name worker1 --memory 2G --cpus 2 --disk 10G
+multipass launch --name worker2 --memory 2G --cpus 2 --disk 10G
+```
+{{< image src="/images/learning-path/cka/creation/step-1.png" width="100%" align="center" alt="" >}}
+
+<h2>Cluster initialization</h2>
+
+<p>Now that the VMs are created, you need to install some dependencies on each on them (a couple of packages including <strong>kubectl</strong>, <strong>containerd</strong> and <strong>kubeadm</strong>). To simplify this process we provide some scripts that will do this job for you.</p>
+
+<p>First, ssh on the controlplane VM and install those dependencies using the following command.</p>
+
+```bash
+curl https://luc.run/kubeadm/controlplane.sh | VERSION="1.32" sh
+```
+
+<p>Next, still from the controlplane VM, initialize the cluster.</p>
+
+```bash
+sudo kubeadm init
+```
+
+<p>The initialization should take a few tens of seconds. The list below shows all the steps it takes.</p>
+
+<pre>
+preflight                     Run pre-flight checks
+certs                         Certificate generation
+  /ca                           Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components
+  /apiserver                    Generate the certificate for serving the Kubernetes API
+  /apiserver-kubelet-client     Generate the certificate for the API server to connect to kubelet
+  /front-proxy-ca               Generate the self-signed CA to provision identities for front proxy
+  /front-proxy-client           Generate the certificate for the front proxy client
+  /etcd-ca                      Generate the self-signed CA to provision identities for etcd
+  /etcd-server                  Generate the certificate for serving etcd
+  /etcd-peer                    Generate the certificate for etcd nodes to communicate with each other
+  /etcd-healthcheck-client      Generate the certificate for liveness probes to healthcheck etcd
+  /apiserver-etcd-client        Generate the certificate the apiserver uses to access etcd
+  /sa                           Generate a private key for signing service account tokens along with its public key
+kubeconfig                    Generate all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
+  /admin                        Generate a kubeconfig file for the admin to use and for kubeadm itself
+  /super-admin                  Generate a kubeconfig file for the super-admin
+  /kubelet                      Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
+  /controller-manager           Generate a kubeconfig file for the controller manager to use
+  /scheduler                    Generate a kubeconfig file for the scheduler to use
+etcd                          Generate static Pod manifest file for local etcd
+  /local                        Generate the static Pod manifest file for a local, single-node local etcd instance
+control-plane                 Generate all static Pod manifest files necessary to establish the control plane
+  /apiserver                    Generates the kube-apiserver static Pod manifest
+  /controller-manager           Generates the kube-controller-manager static Pod manifest
+  /scheduler                    Generates the kube-scheduler static Pod manifest
+kubelet-start                 Write kubelet settings and (re)start the kubelet
+upload-config                 Upload the kubeadm and kubelet configuration to a ConfigMap
+  /kubeadm                      Upload the kubeadm ClusterConfiguration to a ConfigMap
+  /kubelet                      Upload the kubelet component config to a ConfigMap
+upload-certs                  Upload certificates to kubeadm-certs
+mark-control-plane            Mark a node as a control-plane
+bootstrap-token               Generates bootstrap tokens used to join a node to a cluster
+kubelet-finalize              Updates settings relevant to the kubelet after TLS bootstrap
+  /enable-client-cert-rotation  Enable kubelet client certificate rotation
+addon                         Install required addons for passing conformance tests
+  /coredns                      Install the CoreDNS addon to a Kubernetes cluster
+  /kube-proxy                   Install the kube-proxy addon to a Kubernetes cluster
+show-join-command             Show the join command for control-plane and worker node
+</pre>
+
+<p>Several commands are returned at the end of the installation process, which you'll use in the next part.</p>
+
+{{< image src="/images/learning-path/cka/creation/step-2.png" width="100%" align="center" alt="" >}}
+
+<h2>Retrieving kubeconfig file</h2>
+
+<p>The first set of commands returned during the initialization step allows configuring kubectl for the current user. Run those commands from a shell in the controlplane Node.</p>
+
+```bash
+mkdir -p $HOME/.kube
+sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
+sudo chown $(id -u):$(id -g) $HOME/.kube/config
+```
+
+<p>You can now list the Nodes. You'll get only one Node as you've not added the worker Nodes yet.</p>
+
+```bash
+$ kubectl get no
+NAME           STATUS     ROLES           AGE    VERSION
+controlplane   NotReady   control-plane   5m4s   v1.32.4
+```
+
+<h2>Adding the first worker Node</h2>
+
+<p>As you've done for the controlplane, use the following command to install the dependencies (kubectl, containerd, kubeadm) on worker1.</p>
+
+```bash
+curl https://luc.run/kubeadm/worker.sh | VERSION="1.32" sh
+```
+
+<p>Then, run the join command returned during the initialization step. This command allows you to add worker nodes to the cluster.</p>
+
+```bash
+sudo kubeadm join 10.81.0.174:6443 --token kolibl.0oieughn4y03zvm7 \
+        --discovery-token-ca-cert-hash sha256:a1d26efca219428731be6b62e3298a2e5014d829e51185e804f2f614b70d933d
+```
+
+<h2>Adding the second worker Node</h2>
+
+<p>You need to do the same on worker2. First, install the dependencies.</p>
+
+```bash
+curl https://luc.run/kubeadm/worker.sh | VERSION="1.32" sh
+```
+
+<p>Then, run the join command to add this Node to the cluster.</p>
+
+```bash
+sudo kubeadm join 10.81.0.174:6443 --token kolibl.0oieughn4y03zvm7 \
+        --discovery-token-ca-cert-hash sha256:a1d26efca219428731be6b62e3298a2e5014d829e51185e804f2f614b70d933d
+```
+
+<p>You now have cluster with 3 Nodes.</p>
+
+{{< image src="/images/learning-path/cka/creation/step-3.png" width="100%" align="center" alt="" >}}
+
+<h2>Status of the Nodes</h2>
+
+<p>List the Nodes and notice they are all in NotReady status.</p>
+
+```bash
+$ kubectl get nodes
+NAME            STATUS     ROLES           AGE     VERSION
+controlplane    NotReady   control-plane   9m58s   v1.32.4
+worker1         NotReady   <none>          58s     v1.32.4
+worker2         NotReady   <none>          55s     v1.32.4
+```
+
+<p>If you go one step further and describe the controlplane Node, you'll get why the cluster is not ready yet.</p>
+
+<pre>
+…
+KubeletNotReady              container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: cni plugin not initialized
+</pre>
+
+<h2>Installing a network plugin</h2>
+
+<p>Run the following commands from the controlplane Node to install Cilium in your cluster.</p>
+
+```bash
+OS="$(uname | tr '[:upper:]' '[:lower:]')"
+ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')"
+curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-$OS-$ARCH.tar.gz{,.sha256sum}
+sudo tar xzvfC cilium-$OS-$ARCH.tar.gz /usr/local/bin
+cilium install
+```
+
+<p>After a few tens of seconds, you'll see your cluster is ready.</p>
+
+```bash
+$ kubectl get nodes
+NAME            STATUS   ROLES           AGE     VERSION
+controlplane    Ready    control-plane   13m     v1.32.4
+worker1         Ready    <none>          4m28s   v1.32.4
+worker2         Ready    <none>          4m25s   v1.32.4
+```
+
+<h2>Get the kubeconfig on the host machine</h2>
+
+<p>To avoid connecting to the controlplane Node to run the kubectl commands, copy the kubeconfig file from the controlplane to the host machine. Make sure to copy this file into <code>$HOME/.kube/config</code> so it automatically configures kubectl.</p>
+
+<p>If you've created your VMs with Multipass, you can copy the kubeconfig file using the following commands.</p>
+
+```bash
+multipass transfer controlplane:/home/ubuntu/.kube/config config
+mkdir $HOME/.kube
+mv config $HOME/.kube/config
+```
+
+<p>You should now be able to direcly list the Nodes from the host machine.</p>
+
+```bash
+$ kubectl get nodes
+NAME            STATUS   ROLES           AGE     VERSION
+controlplane    Ready    control-plane   13m     v1.32.4
+worker1         Ready    <none>          4m28s   v1.32.4
+worker2         Ready    <none>          4m25s   v1.32.4
+```
+
+{{< /chapterstyle >}}