CKA Exam Changes 2025-2026: What's New and How to Prepare

The Certified Kubernetes Administrator (CKA) certification is not static—it evolves with the Kubernetes ecosystem. If you’re preparing for the CKA exam in 2025-2026, you need to be aware of significant curriculum changes that CNCF has introduced. These changes reflect the latest developments in cloud-native infrastructure and include new technologies, adjusted weightages, and removed topics. This guide walks you through all the changes and how to adjust your preparation strategy.

Major Changes in 2025-2026

The CNCF officially updated the CKA curriculum to reflect modern Kubernetes practices and address feedback from professionals in the field. The most significant changes include the introduction of the Gateway API, updated domain weightages, and changes to networking emphasis.

New Content: Gateway API

What is the Gateway API?

The Gateway API is a new, more flexible alternative to the Ingress API for managing external access to services. Unlike Ingress, which is relatively simple but limited, the Gateway API provides:

• Role-based access control: Different teams can manage different parts of the routing configuration
• Better separation of concerns: Infrastructure providers and application developers have clear boundaries
• Advanced routing capabilities: More sophisticated traffic management than traditional Ingress

Gateway API Architecture

The Gateway API consists of several key resources:

GatewayClass The GatewayClass defines a class of gateways, similar to StorageClass for storage. It specifies which controller should implement the gateway.

apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: nginx
spec:
  controllerName: k8s.io/nginx-gateway

Gateway The Gateway resource defines a listener and selects routes to attach to it.

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: http-gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All

HTTPRoute The HTTPRoute resource defines HTTP routing rules and attaches to a gateway.

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: api-route
spec:
  parentRefs:
  - name: http-gateway
    kind: Gateway
  hostnames:
  - "api.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /api
    backendRefs:
    - name: api-service
      port: 8080
      weight: 100

Key Differences from Ingress

Feature	Ingress	Gateway API
Maturity	Stable (v1)	Beta (v1beta1)
Flexibility	Limited routing options	Advanced routing capabilities
RBAC	Coarse-grained	Fine-grained role separation
Extensibility	Limited	Highly extensible
Use Cases	Simple routing	Complex enterprise scenarios
Learning Curve	Easy	Moderate to advanced

Gateway API on the CKA Exam

Expect 3-5 exam questions on Gateway API covering:

• Creating GatewayClass and Gateway resources
• Defining HTTPRoute rules
• Understanding role separation between infrastructure and application teams
• Configuring traffic routing with Gateway API
• Troubleshooting Gateway API connectivity issues

Preparation Strategy for Gateway API

1. Understand the Motivation: Learn why Gateway API exists and what problems it solves
2. Install a Gateway Controller: Set up Ingress Nginx or another controller that supports Gateway API
3. Practice Creating Resources: Build HTTPRoute examples from scratch
4. Compare with Ingress: Know when to use Gateway API vs traditional Ingress
5. Test Real Scenarios: Create multi-host and path-based routing examples

Updated Domain Weightages

The CKA exam domains have been reweighted to reflect current priorities:

New Weightage Distribution (2025-2026)

Domain	Previous %	Current %	Change
Cluster Architecture, Installation & Configuration	25%	25%	No change
Workloads & Scheduling	15%	12%	-3%
Services & Networking	20%	22%	+2%
Storage	10%	10%	No change
Troubleshooting	30%	31%	+1%

What This Means for Your Study

Increased Focus: Services & Networking (now 22%)

• Gateway API questions have been added
• More advanced networking scenarios
• Allocate extra study time here, especially for Gateway API
• Network policies remain crucial

Increased Focus: Troubleshooting (now 31%)

• This domain remains the largest
• Expect more complex debugging scenarios
• Multiple interconnected component failures
• Requires deep hands-on experience

Slightly Decreased: Workloads & Scheduling (now 12%)

• Still important, but slightly less emphasis
• Core concepts remain unchanged
• Advanced scheduling features less emphasized

Unchanged: Storage (10%) and Cluster Architecture (25%)

• No significant changes to these domains
• Previous study materials remain relevant

Removed and Deprecated Topics

CNCF has removed or deprecated certain topics that are no longer relevant or have been superseded:

Removed Topics

1. alpha API Versions

• All alpha API versions have been removed from the exam
• Study only stable (v1) API versions
• Kubernetes 1.29+ enforces this by default

2. Pod Security Policies (PSP)

• Pod Security Policies are deprecated and removed from recent Kubernetes versions
• Replaced by Pod Security Standards (PSS) and admission controllers
• Ensure you understand PSS, not PSP

3. Legacy Service Topology

• Service topology hints have been replaced by topology-aware routing
• Focus on Endpoint Slices instead
• Learn the newer topology patterns

Deprecated (Still on Exam but Being Phased Out)

1. Docker Shim (Dockershim)

• While removed from Kubernetes 1.24+, some exam questions may reference it
• Understand container runtimes like containerd and CRI-O
• Know the difference between container runtimes and kubelet

2. kubeadm Token Management

• Old token bootstrapping approaches are being phased out
• Focus on modern kubeadm join token workflows

New Kubernetes Version Requirements

Covered Kubernetes Versions

The CKA exam now covers Kubernetes 1.29 and 1.30 (as of 2026):

• Latest Version: Kubernetes 1.30.x
• Previous Version: Kubernetes 1.29.x

When Kubernetes 1.31 is released, the exam will shift to 1.30-1.31.

Important Version-Specific Changes

Kubernetes 1.29 Key Changes:

• Better support for Gateway API (moved to beta)
• Improved Kubernetes API deprecation policy
• Enhanced kubelet resource management
• Better validation of manifests

Kubernetes 1.30 Key Changes:

• Gateway API features refined
• Service mesh integration improvements
• Enhanced observability options
• Security improvements

New Emphasis Areas

1. Pod Security Standards (PSS)

Instead of Pod Security Policies, focus on:

• pod-security.kubernetes.io/enforce labels
• Admission controller configuration
• Baseline, restricted, and privileged profiles
• Namespace-level security policies

apiVersion: v1
kind: Namespace
metadata:
  name: secure-apps
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

2. Observability and Monitoring

Increased questions on:

• Metrics Server and resource metrics
• Container runtime interface (CRI) log access
• Kubernetes event streaming
• Component logging configurations

3. Advanced RBAC Scenarios

More complex RBAC questions including:

• Aggregated ClusterRoles
• RBAC with namespace resource quotas
• Multi-tenant cluster isolation with RBAC
• Service account token management

4. Storage Class and Dynamic Provisioning

Enhanced focus on:

• Custom StorageClass parameters
• Provider-specific configurations
• Dynamic provisioning failures and troubleshooting
• StatefulSet with dynamic storage

Updated Kubernetes API References

With these changes, certain API groups have been updated:

New/Updated API Groups:

• gateway.networking.k8s.io/v1beta1 (Gateway API)
• policy/v1 (Pod Disruption Budgets)
• resource.k8s.io (Resource slicing—advanced topic)

Deprecated API Groups:

• policy/v1beta1 (use v1 instead)
• networking.k8s.io/v1beta1 for NetworkPolicy (use v1)

How to Adapt Your Study Plan

If you’ve already started studying for the CKA exam, here’s how to adjust:

If You Haven’t Started Yet

Excellent—start fresh with current materials:

1. Use 2026-updated study resources
2. Allocate 22% of networking study to Gateway API
3. Ensure all hands-on practice uses Kubernetes 1.29+
4. Skip any Pod Security Policy content
5. Focus on Pod Security Standards instead

If You’ve Started Study Based on 2024 Materials

You’ll need to adjust your plan:

Immediate Actions:

1. Review Gateway API separately (invest 4-6 hours)
2. Replace PSP content with PSS content (1-2 hours)
3. Add 2-3 hours of extra networking study
4. Update your lab environment to Kubernetes 1.29+

Study Time Adjustment:

• Original plan: 40-60 hours
• Additional time for new content: +8-10 hours
• Revised total: 48-70 hours
• Estimated additional prep time: 5-7 days

Content to Supplement:

• Find updated Kubernetes 1.29+ specific documentation
• Locate Gateway API tutorials and hands-on guides
• Review Pod Security Standards implementation
• Study RBAC with newer Kubernetes versions

If Your Exam is Within 2 Weeks

Don’t panic, but prioritize:

1. Gateway API: 6 hours over next 2 weeks (30 min daily)
2. Pod Security Standards: 2 hours (vs Pod Security Policies)
3. Advanced troubleshooting: 4 hours
4. Reduced time on stable topics (Deployments, basic Services)

Comparison: Old vs New Exam Preparation

Old Study Focus (2024-2025)

• Ingress as primary external routing
• Pod Security Policies for pod-level security
• Docker as main container runtime
• Kubernetes 1.27-1.28 versions

New Study Focus (2025-2026)

• Gateway API for advanced routing (alongside Ingress)
• Pod Security Standards for pod-level security
• Container runtimes (containerd, CRI-O)
• Kubernetes 1.29-1.30 versions

Practice Questions: Testing Your Knowledge of Changes

Gateway API Question

Question: You need to route traffic for api.example.com/v1/* to the api-v1 service and api.example.com/v2/* to the api-v2 service. Both services are in the default namespace. Which resources would you need to create?

A) Two Ingress resources B) One HTTPRoute with two rules attached to a Gateway C) One Gateway and two Services D) ServiceMesh configuration

Answer: B) One HTTPRoute with two rules attached to a Gateway

Explanation: The HTTPRoute resource is specifically designed for this type of path-based routing. It can contain multiple rules for different path prefixes, all attached to a single Gateway.

Pod Security Standards Question

Question: Your organization requires all pods in the production namespace to run with restricted security. How would you enforce this?

A) Create a Pod Security Policy named restricted B) Add pod-security labels to the namespace C) Configure SecurityContexts in each pod D) Use a NetworkPolicy

Answer: B) Add pod-security labels to the namespace

Explanation: Pod Security Policies are deprecated. Pod Security Standards are now the standard approach, implemented via namespace labels like pod-security.kubernetes.io/enforce: restricted.

Timeline for Further Changes

CNCF typically updates the CKA curriculum:

• Minor updates: Every 3-4 months
• Major updates: Annually, coinciding with new Kubernetes releases

Upcoming Expected Changes (Late 2026-2027):

• Further refinement of Gateway API questions
• Possible inclusion of new Kubernetes 1.31 features
• Enhanced observability requirements
• Service mesh fundamentals (possible future addition)

Resources for Learning New Content

Official Resources

• Kubernetes Gateway API Documentation
• Pod Security Standards Guide
• Official Kubernetes 1.29 Release Notes

Community Resources

• Kubernetes Enhancement Proposals (KEPs) for Gateway API
• CNCF blog posts on curriculum updates
• Video tutorials on Gateway API implementations

Practice Platforms

• Sailor.sh mock exams updated with new curriculum
• Linux Foundation sample questions (updated to 2026)
• Community Kubernetes labs with 1.29+ versions

FAQ on CKA Exam Changes

Q: Does my current Kubernetes knowledge need updating for these changes? A: Partially. Gateway API is new, but core Kubernetes knowledge remains the same. Focus on learning Gateway API and Pod Security Standards.

Q: Can I use old study materials? A: Use them as foundation, but supplement with 2026-specific materials. Skip Pod Security Policy content entirely.

Q: If I learned Pod Security Policies, will they hurt me on the exam? A: No, but they won’t help either. Exam questions will focus on Pod Security Standards. Update that portion of your knowledge.

Q: How much additional study time do these changes require? A: If you have foundational Kubernetes knowledge, 8-10 additional hours. If you’re starting fresh, these are just part of normal 40-60 hour preparation.

Q: Are the Gateway API questions easier or harder than Ingress questions? A: Gateway API is more complex but also more intuitive for advanced routing scenarios. Expect moderate difficulty.

Q: When will Ingress be removed from the CKA exam? A: Ingress will remain on the exam for several more years. Both Ingress and Gateway API will likely coexist for the foreseeable future.

Q: Should I still learn Ingress if Gateway API is the future? A: Yes, absolutely. Many production clusters still use Ingress, and it’s simpler to understand. Learn both.

Q: Will these changes affect the exam passing score? A: No, the passing score remains 66%. The weightage change is internal; the overall difficulty should remain comparable.

Action Plan for Updated Preparation

1. This Week: Learn Gateway API basics and complete one HTTPRoute tutorial
2. Next Week: Practice creating Gateway and HTTPRoute resources from scratch
3. Week 3: Deep dive into Pod Security Standards
4. Week 4+: Integrate new topics into full mock exam practice

Stay current with these changes and adjust your study plan accordingly. Start preparing with Sailor.sh’s updated CKA mock exams that reflect the latest 2026 curriculum.