
CKAD: Certified Kubernetes Application Developer

CKAD is aimed at developers who deploy and configure applications on Kubernetes — not cluster admins. The exam tilts toward workload configuration, multi-container pod patterns, resource management, and observability hooks. You still get a live cluster and two hours, but the tasks lean more toward app packaging than cluster maintenance.


Core Application Design Patterns

Multi-container pod patterns:

  • Sidecar: an auxiliary container that enhances the main one (logging agent, service mesh proxy).
  • Ambassador: a proxy to external services (e.g., a database connection pooler).
  • Adapter: transforms the output format for the main container.

These aren't Kubernetes constructs; they're design patterns that use shared pod resources (network namespace, volumes).

Init containers: run sequentially to completion before app containers start. Used for prerequisite checks, data population, or secret retrieval. If an init container fails, the pod restarts (respects restartPolicy).

Ephemeral containers: added to running pods for debugging (kubectl debug). They have no resource limits and no probes, and are not restarted.

Configuration: ConfigMaps, Secrets, and Environment

  • ConfigMap: key-value pairs or file content. Consumed as env vars (envFrom, or env with valueFrom.configMapKeyRef), as volume mounts (each key becomes a file), or via the Downward API.
  • Secrets: same consumption patterns, but the values are base64-encoded at rest. Base64 is an encoding, not encryption. Create imperatively: kubectl create secret generic name --from-literal=key=val --from-file=path.
  • Downward API: exposes pod metadata (name, namespace, labels, annotations) and resource fields (requests/limits) via env vars or volume files.
  • ResourceQuota: namespace-level limits on object count and compute.
  • LimitRange: per-container/pod default requests/limits and min/max constraints; fills in missing resource specs automatically.

Probes, Lifecycle, and Disruption

  • Liveness probe: the kubelet kills the container if it fails (restart).
  • Readiness probe: removes the pod from Service endpoints if it fails (no traffic, no restart).
  • Startup probe: delays liveness/readiness checks until the app is ready; use for slow-starting apps.
  • Probe types: httpGet, tcpSocket, exec (exit code 0 = success).
  • Pod lifecycle hooks: postStart (runs immediately after the container starts, blocks ready state), preStop (runs before SIGTERM; use for graceful shutdown, connection draining).
  • terminationGracePeriodSeconds: how long Kubernetes waits after SIGTERM before sending SIGKILL (default 30s).
  • PodDisruptionBudget (PDB): limits voluntary disruptions during node drains or rolling updates. minAvailable or maxUnavailable specify the constraint. Essential for stateful apps during maintenance windows.

Services, Ingress, and Jobs

  • Service account tokens: automounted by default into /var/run/secrets/kubernetes.io/serviceaccount/. Set automountServiceAccountToken: false to disable for security-sensitive workloads.
  • CronJob: schedule in cron syntax (minute hour day month weekday), concurrencyPolicy (Allow/Forbid/Replace), successfulJobsHistoryLimit, failedJobsHistoryLimit.
  • Job: activeDeadlineSeconds caps total runtime; ttlSecondsAfterFinished enables automatic cleanup.
  • Helm basics (now in CKAD scope): helm install, upgrade, rollback, uninstall. Chart structure: Chart.yaml (metadata), values.yaml (defaults), templates/ (Go templates). Override values with --set key=val or -f values-override.yaml.
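An added example, not part of the original guide: it decodes a Secret's data to show that base64 needs no key, and resolves the effective automountServiceAccountToken setting (pod spec first, then the ServiceAccount, then the default of true) to list pods that still receive a token. The objects are constructed samples in the shape of kubectl get -o json output, and the function names are hypothetical.

```python
import base64

# Constructed sample objects in the shape returned by `kubectl get ... -o json`.
SECRET = {
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "shop"},
    "data": {"username": "YXBw", "password": "czNjcjN0"},
}
# ServiceAccounts keyed by (namespace, name); a simplification for this example.
SERVICE_ACCOUNTS = {
    ("shop", "default"): {},
    ("shop", "batch"): {"automountServiceAccountToken": False},
}
PODS = [
    {"metadata": {"name": "web", "namespace": "shop"}, "spec": {}},
    {"metadata": {"name": "report", "namespace": "shop"},
     "spec": {"serviceAccountName": "batch"}},
    {"metadata": {"name": "operator", "namespace": "shop"},
     "spec": {"serviceAccountName": "batch", "automountServiceAccountToken": True}},
    {"metadata": {"name": "cache", "namespace": "shop"},
     "spec": {"automountServiceAccountToken": False}},
]


def decode_secret(secret):
    """Recover the plaintext values: base64 is an encoding, so no key is needed."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def token_is_mounted(pod, service_accounts):
    """Effective setting: the pod spec wins, then the ServiceAccount, then default True."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return spec["automountServiceAccountToken"]
    sa_key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    return service_accounts.get(sa_key, {}).get("automountServiceAccountToken", True)


def pods_with_token(pods, service_accounts):
    """Names of pods that still get a token mounted and need review."""
    return [p["metadata"]["name"] for p in pods if token_is_mounted(p, service_accounts)]


if __name__ == "__main__":
    print(decode_secret(SECRET))
    print(pods_with_token(PODS, SERVICE_ACCOUNTS))
```

The "operator" pod shows why the pod spec has to be checked as well: it re-enables the mount even though its ServiceAccount disables it.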

Key exam facts — CKAD

  • CKAD focuses on application deployment, not cluster administration — you won't be asked to upgrade kubeadm
  • Know all three probe types (liveness, readiness, startup) and when each one is appropriate
  • ConfigMap and Secret volume mounts: each key in the data field becomes a file in the mountPath directory
  • PodDisruptionBudget protects against voluntary disruptions — it does not apply to node failures
  • CronJob concurrencyPolicy: Forbid skips the run if a previous run is still active; Replace cancels the previous run
  • Helm is now part of the CKAD curriculum — know install, upgrade, rollback, and how to override values

Common exam traps

Trap: The postStart hook always completes before the container ENTRYPOINT starts.
Reality: The postStart hook is not guaranteed to run before ENTRYPOINT completes; timing is non-deterministic.

Trap: Readiness probe failure restarts the container to recover it.
Reality: Readiness probe failure removes the pod from Service endpoints but does NOT restart the container.

Trap: Kubernetes Secrets are encrypted at rest by default.
Reality: Secrets are not encrypted at rest by default in Kubernetes; that requires etcd encryption configuration.
