JT
JT Exams
Log inStart Free Trial
Cloud FoundationsKCNA

KCNA: Kubernetes and Cloud Native Associate Fundamentals

The KCNA (Kubernetes and Cloud Native Associate) is CNCF's entry-level Kubernetes certification. It tests conceptual understanding of Kubernetes architecture, cloud-native principles, and the broader CNCF ecosystem — without requiring hands-on cluster administration. If you are new to containers and Kubernetes and want to validate your foundational knowledge before pursuing the CKA (Certified Kubernetes Administrator) or CKAD (Certified Kubernetes Application Developer), KCNA is the right starting point.

12 min
4 sections · 10 exam key points

Cloud-Native Principles and Container Fundamentals

Cloud-native applications are designed to run in dynamic, distributed cloud environments — exploiting the cloud's elasticity, scalability, and resilience. The CNCF Cloud Native Trail Map guides adoption through containers, CI/CD, orchestration, observability, service mesh, and policy. Containers: lightweight isolated runtime environments sharing the host OS kernel — unlike VMs, containers do not include their own OS. Docker builds container images from Dockerfiles (layered filesystem, each instruction adds a layer). Images are stored in registries (Docker Hub, GitHub Container Registry, cloud-native registries like ECR, GCR, ACR). OCI (Open Container Initiative) standardises image format and runtime specification — Kubernetes uses container runtimes that implement the CRI (Container Runtime Interface): containerd (default in modern Kubernetes), CRI-O (Kubernetes-native). The twelve-factor app methodology defines best practices for cloud-native applications: stateless processes, configuration from environment, backing services via URL, explicit dependencies, and more.

Kubernetes Architecture and Core Objects

Kubernetes (K8s) is an open-source container orchestration platform — it manages the lifecycle of containerised workloads across a cluster of nodes. Control plane components (run on master node): kube-apiserver (the API gateway — all kubectl commands go here), etcd (distributed key-value store — the single source of truth for cluster state), kube-scheduler (assigns pods to nodes based on resource requirements and constraints), kube-controller-manager (runs control loops: node controller, replication controller, endpoints controller). Worker node components: kubelet (ensures pods are running on the node, talks to container runtime), kube-proxy (manages iptables/IPVS rules for Service networking), container runtime (containerd or CRI-O). Core API objects: Pod (smallest deployable unit — one or more containers sharing network and storage), Deployment (manages replicated, rolling-update-capable pods), Service (stable network endpoint for pods — ClusterIP, NodePort, LoadBalancer, ExternalName), ConfigMap (non-sensitive configuration as key-value or files), Secret (sensitive data — base64 encoded, RBAC-controlled), Namespace (logical cluster partition — resource quotas and RBAC per namespace).

Kubernetes Networking, Storage, and Security

Kubernetes networking model: every Pod gets a unique IP, all pods can communicate with all other pods without NAT (flat network model). CNI (Container Network Interface) plugins implement this: Calico (supports Network Policies, IPIP or BGP routing), Flannel (simple overlay network), Cilium (eBPF-based, Layer 7 visibility, strong Network Policy support). Services: ClusterIP (internal load balancer within cluster), NodePort (expose on each node's IP at a fixed port — for external access without cloud load balancer), LoadBalancer (provision a cloud load balancer automatically — cloud-provider specific), Ingress (layer 7 HTTP routing — paths and hostnames to different services — requires Ingress controller like nginx or Traefik). Storage: Volumes (ephemeral — tied to Pod lifecycle), PersistentVolume (PV — pre-provisioned storage resource), PersistentVolumeClaim (PVC — request for storage by a pod — dynamically provisioned via StorageClass). Kubernetes security: RBAC (Role and ClusterRole + RoleBinding and ClusterRoleBinding — control who can do what to which resources), Network Policies (restrict pod-to-pod traffic — Calico or Cilium required), Pod Security Admission (enforce pod security standards — restricted, baseline, privileged).

CNCF Ecosystem and Cloud Native Observability

The CNCF (Cloud Native Computing Foundation) hosts hundreds of projects organised by maturity: Graduated (production-ready — Kubernetes, Prometheus, Envoy, Helm, Flux, Argo, OpenTelemetry), Incubating (growing adoption — Kyverno, Buildpacks), Sandbox (early stage). Key CNCF projects: Prometheus (metrics — pull-based scraping, PromQL query language, Alertmanager for alerts), Grafana (dashboards for Prometheus metrics — visualise SLOs and SLIs), Jaeger and Tempo (distributed tracing), Fluentd and Fluent Bit (log aggregation), OpenTelemetry (unified observability instrumentation standard — traces, metrics, logs from one SDK). Service mesh: Istio (sidecar-based, feature-rich — mutual TLS between services, traffic management, telemetry) and Linkerd (lightweight alternative, eBPF-based in Linkerd 2.x). GitOps: Flux and Argo CD implement GitOps — desired cluster state is declared in Git, the operator continuously reconciles actual state to match. Helm: Kubernetes package manager — charts bundle Kubernetes manifests with templating, versioning, and upgrade management.

Key exam facts — KCNA

  • KCNA is conceptual — no hands-on kubectl or cluster administration required
  • Control plane: kube-apiserver (API gateway), etcd (state store), scheduler, controller-manager
  • Worker node: kubelet (runs pods), kube-proxy (networking), container runtime (containerd)
  • Service types: ClusterIP (internal), NodePort (external on node port), LoadBalancer (cloud LB), Ingress (L7 routing)
  • RBAC: Role (namespace-scoped) + ClusterRole (cluster-wide) bound via RoleBinding or ClusterRoleBinding
  • CNI plugins implement pod networking; Calico and Cilium support Network Policies
  • PVC (request) binds to PV (resource) dynamically via StorageClass
  • Prometheus scrapes metrics; Grafana visualises; OpenTelemetry standardises instrumentation
  • GitOps: Flux or Argo CD reconcile cluster state to match Git repository declarations
  • Helm charts bundle Kubernetes manifests with templating for reusable package management

Common exam traps

Containers are the same as virtual machines

Containers share the host OS kernel and are isolated via namespaces and cgroups. VMs include a full OS with their own kernel. Containers start in milliseconds and use significantly less memory than VMs — but they share more with the host, which has security implications.

Kubernetes automatically secures your workloads

Kubernetes provides security primitives (RBAC, Network Policies, Pod Security Admission), but you must configure them. Default Kubernetes clusters are permissive — pods can communicate with all other pods and the internet without any Network Policy.

A Kubernetes Deployment is required to run any container

Pods can be created directly, but Deployments are recommended because they manage replica count, rolling updates, and rollback. DaemonSets (one pod per node), StatefulSets (ordered, stable identity pods), and Jobs (run-to-completion) are alternatives for specific workload patterns.

Practice this topic

KCNApractice questions

Test yourself on KCNA Kubernetes Fundamentals

JT Exams routes you to questions in your exact weak areas — automatically, after every session.

Free practice testStart 7-Day Free Trial

No credit card · Cancel anytime

Related certification topics

Terraform IaC

Terraform Associate

AWS Developer Associate

DVA-C02

Google ACE

ACE