Back to Blog

CKA kubectl Cheat Sheet 2026: Every Command You Need to Pass

The complete kubectl cheat sheet for the CKA exam. Imperative commands, dry-run YAML generation, JSONPath, debugging, and time-saving aliases used by candidates who pass on the first attempt.

By Sailor Team , April 27, 2026

The CKA exam gives you 120 minutes to solve 15-20 hands-on tasks across live Kubernetes clusters. Most candidates don’t fail because they lack knowledge — they fail because they run out of time. The single most reliable way to buy back that time is fluent kubectl. This cheat sheet covers every command, flag, and shortcut you actually need on exam day, organized by exam domain so you can practice them in the same order they’ll appear.

Bookmark this page, print it, or pin it to a second monitor while you drill. By the end of this guide, you’ll know exactly which commands save the most time, which ones are traps, and how to generate clean YAML without ever opening a text editor from scratch.

Set Up Your Shell Before You Touch a Cluster

Before any command list, configure the exam terminal. The 30 seconds you spend here will save you 20 minutes over the course of the exam.

# The single most important alias
alias k=kubectl

# Tab completion for kubectl AND the alias
source <(kubectl completion bash)
complete -o default -F __start_kubectl k

# Dry-run shortcuts that generate YAML
export do="--dry-run=client -o yaml"
export now="--grace-period=0 --force"

# Vim setup for clean YAML editing
cat <<EOF >> ~/.vimrc
set tabstop=2
set expandtab
set shiftwidth=2
EOF

With these set, k run nginx --image=nginx $do > pod.yaml becomes a one-second muscle-memory action. k delete pod nginx $now becomes the instant pod kill you’ll need at least three times during the exam.

Context and Namespace Switching (The First Command of Every Question)

Every CKA question starts by specifying which cluster and namespace to work in. Failing to switch context is the #1 silent point loss on the exam — your YAML is correct, but you applied it to the wrong cluster.

# Switch context (cluster) — first command of every question
kubectl config use-context <cluster-name>

# View current context
kubectl config current-context

# Set default namespace for the current context (saves typing -n every time)
kubectl config set-context --current --namespace=<ns>

# List all contexts
kubectl config get-contexts

Make kubectl config use-context reflexive. Read the question’s context line, type the command, then read the question itself.

Imperative Commands: The Heart of Speed

The CKA is a kubectl create and kubectl run exam. Writing YAML by hand is almost always the wrong choice — generate a manifest with a dry-run, edit two lines, then apply.

Pods

# Create a pod
k run nginx --image=nginx

# Generate pod YAML without creating it
k run nginx --image=nginx $do > pod.yaml

# Pod with command and args
k run busybox --image=busybox --command -- sleep 3600

# Pod with env vars
k run nginx --image=nginx --env="KEY=value" $do > pod.yaml

# Pod with port exposed
k run nginx --image=nginx --port=80 $do > pod.yaml

# Pod with labels
k run nginx --image=nginx --labels="tier=frontend,env=prod" $do > pod.yaml

# Pod with resource requests/limits (use --requests/--limits flags)
k run nginx --image=nginx --requests=cpu=100m,memory=128Mi --limits=cpu=200m,memory=256Mi $do > pod.yaml

Deployments

# Create deployment
k create deploy nginx --image=nginx --replicas=3

# Generate deployment YAML
k create deploy nginx --image=nginx --replicas=3 $do > deploy.yaml

# Scale deployment
k scale deploy nginx --replicas=5

# Update image (rolling update)
k set image deploy/nginx nginx=nginx:1.25

# Pause/resume rollout
k rollout pause deploy nginx
k rollout resume deploy nginx

# Rollout history and rollback
k rollout history deploy nginx
k rollout undo deploy nginx
k rollout undo deploy nginx --to-revision=2

# Watch rollout status
k rollout status deploy nginx

Services

# Expose deployment as ClusterIP service
k expose deploy nginx --port=80 --target-port=80

# Expose as NodePort
k expose deploy nginx --port=80 --type=NodePort

# Generate service YAML
k expose deploy nginx --port=80 --target-port=80 $do > svc.yaml

# Create service directly
k create svc clusterip my-svc --tcp=80:8080
k create svc nodeport my-svc --tcp=80:8080

ConfigMaps and Secrets

# ConfigMap from literal
k create cm app-config --from-literal=APP_ENV=prod --from-literal=APP_DEBUG=false

# ConfigMap from file
k create cm app-config --from-file=config.properties

# Secret from literal
k create secret generic db-creds --from-literal=username=admin --from-literal=password=s3cret

# TLS secret
k create secret tls my-tls --cert=tls.crt --key=tls.key

# Docker registry secret
k create secret docker-registry regcred \
  --docker-server=registry.io --docker-username=user \
  --docker-password=pass [email protected]

Jobs and CronJobs

# Job
k create job pi --image=perl -- perl -Mbignum=bpi -wle 'print bpi(2000)'

# CronJob (runs every 5 minutes)
k create cj backup --image=busybox --schedule="*/5 * * * *" -- /bin/sh -c 'date'

# Generate CronJob YAML
k create cj backup --image=busybox --schedule="*/5 * * * *" $do > cj.yaml -- /bin/sh -c 'date'

Namespaces and ServiceAccounts

k create ns dev
k create sa app-sa -n dev
k create sa app-sa -n dev $do > sa.yaml

RBAC in 30 Seconds

RBAC questions appear on nearly every exam. Memorize this exact pattern:

# Role: namespace-scoped permissions
k create role pod-reader --verb=get,list,watch --resource=pods -n dev

# RoleBinding: bind a role to a user/group/sa
k create rolebinding read-pods --role=pod-reader --user=jane -n dev
k create rolebinding read-pods --role=pod-reader --serviceaccount=dev:app-sa -n dev

# ClusterRole: cluster-wide permissions
k create clusterrole node-reader --verb=get,list,watch --resource=nodes

# ClusterRoleBinding: bind a clusterrole cluster-wide
k create clusterrolebinding read-nodes --clusterrole=node-reader --user=jane

# Verify permissions
k auth can-i get pods --as=jane -n dev
k auth can-i list nodes --as=system:serviceaccount:dev:app-sa

The k auth can-i command is gold for RBAC questions — use it to verify your work without leaving the terminal.

Inspecting Resources (Get, Describe, Logs)

# Get with extra columns
k get pods -o wide
k get pods --show-labels
k get pods -l tier=frontend
k get pods --field-selector=status.phase=Running

# Get across all namespaces
k get pods -A

# Watch live updates
k get pods -w

# Describe (the diagnosis hammer)
k describe pod nginx
k describe node worker-1

# Logs
k logs nginx
k logs nginx -c sidecar           # specific container
k logs nginx --previous           # crashed container's last logs
k logs -l tier=frontend --tail=50 # by label
k logs -f nginx                    # follow

# Events sorted by time (essential for troubleshooting)
k get events --sort-by=.lastTimestamp
k get events -n dev --field-selector type=Warning

JSONPath and Custom Columns (Save Time on Filter Questions)

Several CKA questions ask for output saved to a file in a specific format — node names sorted, pods using a specific image, the InternalIP of a node. JSONPath is faster than piping through grep and awk.

# Get all node names
k get nodes -o jsonpath='{.items[*].metadata.name}'

# Get InternalIP of all nodes
k get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}'

# Pods using a specific image
k get pods -A -o jsonpath='{range .items[?(@.spec.containers[*].image=="nginx")]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'

# Custom columns (cleaner output, often what the question wants)
k get pods -o custom-columns=NAME:.metadata.name,STATUS:.status.phase,NODE:.spec.nodeName

# Sort by a field
k get pods --sort-by=.metadata.creationTimestamp
k get nodes --sort-by=.metadata.name

Memorize the --sort-by and custom-columns patterns — they appear in 2-3 questions on most exams.

Node Operations (Cordon, Drain, Taints)

# Mark node unschedulable
k cordon worker-1

# Evict pods and cordon (use --ignore-daemonsets for system pods)
k drain worker-1 --ignore-daemonsets --delete-emptydir-data

# Bring node back
k uncordon worker-1

# Taints
k taint nodes worker-1 key=value:NoSchedule
k taint nodes worker-1 key=value:NoSchedule-   # remove (note trailing minus)

# Label/unlabel
k label node worker-1 disk=ssd
k label node worker-1 disk-                     # remove

The trailing minus syntax (disk-, key=value:NoSchedule-) is one of the most-missed details on the exam.

Storage (PV/PVC/StorageClass)

There’s no clean imperative shortcut for PVs and PVCs — you’ll write YAML. Keep this template in your head:

# pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-pvc
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 1Gi
  storageClassName: standard
# Inspect
k get pv
k get pvc
k get sc
k describe pvc data-pvc

Common gotcha: a PVC stuck in Pending is almost always a storageClassName mismatch or no matching PV. Check with k describe pvc.

Networking and Network Policies

# Service inspection
k get svc
k get endpoints
k describe svc my-svc

# Test connectivity from inside a pod
k run tmp --rm -it --image=busybox --restart=Never -- wget -qO- http://my-svc.dev.svc.cluster.local

# Port-forward for local testing
k port-forward svc/my-svc 8080:80

# DNS test
k run tmp --rm -it --image=busybox --restart=Never -- nslookup my-svc.dev

NetworkPolicy is YAML-only. Memorize a default-deny + allow-from-namespace template — it covers ~80% of NetworkPolicy questions.

etcd Backup and Restore (Almost Guaranteed Question)

# Backup
ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /opt/backup.db

# Verify
ETCDCTL_API=3 etcdctl --write-out=table snapshot status /opt/backup.db

# Restore (creates a new data dir)
ETCDCTL_API=3 etcdctl snapshot restore /opt/backup.db \
  --data-dir=/var/lib/etcd-restore

After restore, edit /etc/kubernetes/manifests/etcd.yaml to point --data-dir at the new directory. The kubelet will restart etcd automatically. Full step-by-step in our CKA etcd backup and restore guide.

Cluster Upgrade with kubeadm

# On control plane
apt-mark unhold kubeadm && apt-get install -y kubeadm=1.30.0-* && apt-mark hold kubeadm
kubeadm upgrade plan
kubeadm upgrade apply v1.30.0

# On every node (control plane + workers): drain, upgrade, uncordon
k drain <node> --ignore-daemonsets
apt-mark unhold kubelet kubectl
apt-get install -y kubelet=1.30.0-* kubectl=1.30.0-*
apt-mark hold kubelet kubectl
systemctl daemon-reload && systemctl restart kubelet
k uncordon <node>

Full hands-on walkthrough in our CKA cluster upgrade guide.

Debugging Patterns That Cover Most Troubleshooting Questions

# A pod is not running — what's wrong?
k describe pod <pod>           # Look at Events at the bottom
k logs <pod>
k logs <pod> --previous

# A service has no endpoints
k get endpoints <svc>          # No endpoints = label selector doesn't match
k get pods --show-labels       # Verify pod labels match svc selector

# Node is NotReady
k describe node <node>          # Check Conditions
ssh <node>
systemctl status kubelet
journalctl -u kubelet -n 100 --no-pager

# Control plane component down
ls /etc/kubernetes/manifests/   # Static pod manifests
crictl ps -a | grep -E "etcd|api|scheduler|controller"
crictl logs <container-id>

For a full diagnostic playbook, see our CKA troubleshooting guide.

Top 10 Time-Saving Aliases You Should Burn Into Muscle Memory

AliasCommandWhen to use
kkubectlAlways
k g pokubectl get podsDefault check
k g po -Akubectl get pods -AFind pods across namespaces
k d po <name>kubectl describe podDiagnose pod issues
k l <pod>kubectl logsDebug app errors
k ex -it <pod> -- shkubectl exec -itGet shell in pod
k g evkubectl get eventsSee recent cluster events
k apply -f .apply all manifests in dirApply at scale
k delete po <p> $nowforce deleteStuck pods
k run tmp --rm -it ...ephemeral debug podNetwork tests

Question-Order Strategy

Questions on the CKA are weighted (point values shown next to each). Don’t go in order — scan all of them in the first 5 minutes, then:

  1. First: All questions worth 8+ points that you can solve immediately. Bank the easy points.
  2. Second: Medium-difficulty questions in your strong domains.
  3. Third: Anything requiring cluster restart, etcd manipulation, or upgrades — they’re slow, save them for when you have a clear runway.
  4. Last: Questions you flagged. If you’re below the time threshold, attempt partial credit by writing a --dry-run YAML even if you can’t apply it cleanly.

The candidates who pass aren’t the ones who answer every question — they’re the ones who maximize points-per-minute.

How to Practice This Cheat Sheet

Reading commands isn’t enough. The exam tests muscle memory. Drill these commands until they’re automatic:

  1. Day 1-7: Practice each section of this cheat sheet on a real cluster (kind, minikube, or kubeadm). Don’t copy-paste — type every command.
  2. Day 8-14: Take timed practice questions and force yourself to use only this reference, no Google.
  3. Day 15+: Take full-length mock exams under exam conditions.

The fastest way to validate your readiness is a realistic, scored mock exam. Our CKA Mock Exam Bundle replicates the exam UI, time pressure, and scoring rubric so you know your real score before you pay $395.

Frequently Asked Questions

Q: Can I use kubectl bash completion on the exam? A: Yes. The exam terminal runs Linux with bash. Source completion at the start of each cluster session — it’s the single biggest speed boost available.

Q: Should I memorize YAML for every resource? A: No. Memorize the imperative kubectl create / run / expose commands and use --dry-run=client -o yaml to generate manifests. Only NetworkPolicy, PV/PVC, and complex multi-container pods need raw YAML knowledge.

Q: Can I copy commands from the Kubernetes docs during the exam? A: Yes. The official Kubernetes docs are the only allowed reference. Bookmark the Network Policies, Pod Security, and Persistent Volumes pages — those are the most-copied snippets.

Q: What’s the fastest way to switch between 6 clusters? A: kubectl config use-context <name> — make it the first command of every question. Don’t trust your memory of which cluster you’re on.

Q: Do I need vim? A: You need a terminal editor. Vim is fine if you know :set paste, :wq, and basic navigation. nano works too. Don’t learn a new editor in exam week.

Q: Are imperative commands enough to pass? A: For ~70% of questions, yes. The other 30% require YAML edits — but always start from a generated manifest, never a blank file.

Ready to put this cheat sheet to the test? Take a full-length scored simulator with our CKA Mock Exam Bundle and find out exactly where you’d score today.

Limited Time Offer: Get 80% off all Mock Exam Bundles | Sale ends in 7 days. Start learning today.

Claim Now