Top 10 CKA interview questions and how to answer them in 2026
The CKA is the cert gate for Kubernetes-anchored platform and SRE roles. It costs $445, runs 15–20 performance-based tasks in 2 hours on a live shell, and needs 66% to pass. Having the cert on your resume gets you the interview. Answering these 10 questions correctly — including the operational gotcha each one hides — gets you the offer.
These questions came up most frequently in Kubernetes platform and SRE interviews reported by candidates in 2025–2026. They test operational judgment, not just exam knowledge.
The 10 questions
1. What’s the difference between a Deployment, StatefulSet, and DaemonSet?
Deployment runs stateless replicas with rolling updates and random pod names. StatefulSet runs ordered, named replicas (web-0, web-1) with stable per-pod persistent volumes and ordered scale up/down — databases, Kafka, etcd, ZooKeeper. DaemonSet runs exactly one pod per node (or per matching node selector) and is used for log collectors, CNI agents, and monitoring exporters. Picking StatefulSet for a stateless workload “just to keep names stable” is a common red flag.
2. A pod is stuck in Pending. Walk me through your debug.
In order: kubectl describe pod — read the Events block. The five common causes are insufficient CPU/memory across the cluster, unsatisfied node selector or affinity, a taint with no matching toleration, an unbound PersistentVolumeClaim, and a missing ImagePullSecret. Candidates who jump to kubectl get nodes without reading Events first usually miss the real cause.
3. How do you back up and restore etcd in a kubeadm cluster?
Snapshot with ETCDCTL_API=3 etcdctl snapshot save /backup/etcd.db using the peer cert, key, and CA from /etc/kubernetes/pki/etcd. Restore by stopping the kube-apiserver and etcd static pods (move their manifests out of /etc/kubernetes/manifests), running etcdctl snapshot restore with --data-dir pointing to a fresh directory, updating the etcd manifest to mount it, then letting kubelet restart the static pods. This is task #1 on most CKA practical labs.
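The backup and restore sequence above as a script. This is an added example, not part of the original article: the function names and the PARKED holding directory are assumptions, and the remaining paths are the kubeadm defaults (client endpoint https://127.0.0.1:2379, etcd data in /var/lib/etcd).

```shell
#!/bin/sh
# Added example: etcd snapshot and restore on a kubeadm control-plane node.
# Defaults are kubeadm paths; PARKED and the function names are assumptions.
ETCD_PKI="${ETCD_PKI:-/etc/kubernetes/pki/etcd}"
MANIFESTS="${MANIFESTS:-/etc/kubernetes/manifests}"
PARKED="${PARKED:-/etc/kubernetes/manifests-parked}"

etcd_snapshot() {  # $1 = snapshot file to write
    ETCDCTL_API=3 etcdctl snapshot save "$1" \
        --endpoints=https://127.0.0.1:2379 \
        --cacert="$ETCD_PKI/ca.crt" \
        --cert="$ETCD_PKI/peer.crt" \
        --key="$ETCD_PKI/peer.key" || return 1
    chmod 600 "$1"  # the snapshot contains every Secret in the cluster
}

etcd_restore() {  # $1 = snapshot file, $2 = fresh data directory
    if [ -e "$2" ]; then
        echo "refusing to restore: $2 already exists" >&2
        return 1
    fi
    mkdir -p "$PARKED" || return 1
    # With the manifests gone, kubelet stops the two static pods.
    mv "$MANIFESTS/kube-apiserver.yaml" "$MANIFESTS/etcd.yaml" "$PARKED/" || return 1
    # etcd 3.5 marks this subcommand deprecated in favour of etcdutl.
    ETCDCTL_API=3 etcdctl snapshot restore "$1" --data-dir "$2" || return 1
    # Repoint the etcd-data hostPath volume (kubeadm default /var/lib/etcd).
    # The original etcd.yaml stays in $PARKED for rollback.
    sed "s|path: /var/lib/etcd\$|path: $2|" "$PARKED/etcd.yaml" \
        > "$MANIFESTS/etcd.yaml" || return 1
    # Back in place, kubelet restarts etcd and then the API server.
    mv "$PARKED/kube-apiserver.yaml" "$MANIFESTS/"
}

# Usage: sh etcd-backup.sh save /backup/etcd.db
#        sh etcd-backup.sh restore /backup/etcd.db /var/lib/etcd-restore
case "${1:-}" in
    save)    etcd_snapshot "$2" ;;
    restore) etcd_restore "$2" "$3" ;;
esac
```

Only the hostPath line is rewritten, so the container keeps mounting the data at /var/lib/etcd and the --data-dir flag in the manifest does not change.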
4. What’s the difference between resource requests and limits?
Requests are what the scheduler uses to place a pod on a node with enough free capacity. Limits are the cap kubelet enforces at runtime. CPU above the limit is throttled; memory above the limit triggers OOMKill. Pods without requests get no scheduling guarantee and land in the BestEffort QoS class — first to be evicted under node pressure.
5. How does a ServiceAccount get tied to a pod’s API permissions?
The pod spec references a ServiceAccount; the API server projects a short-lived bound token into /var/run/secrets/kubernetes.io/serviceaccount/token (since v1.24 the legacy long-lived Secret token is no longer auto-created). RBAC bindings — Role + RoleBinding for namespace-scoped, ClusterRole + ClusterRoleBinding for cluster-scoped — map the ServiceAccount subject to verbs and resources. Skipping the v1.24 token change is a current-knowledge tell.
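The v1.24 token change is visible in the token's own claims. The script below is an added example, not part of the original article: it decodes a ServiceAccount JWT and reports whether it is a bound projected token or a legacy Secret token. The function names and both sample tokens are constructed for illustration, and the samples are unsigned.

```shell
#!/bin/sh
# Added example: tell a bound projected token from a legacy Secret token by
# its claims. Function names and both sample tokens are constructed here.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

jwt_claims() {  # $1 = JWT; prints the decoded payload JSON
    p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac
    printf '%s' "$p" | base64 -d
}

sa_token_kind() {  # prints bound | legacy | unknown
    c=$(jwt_claims "$1") || return 1
    case $c in
        *'"kubernetes.io/serviceaccount/secret.name"'*) echo legacy ;;
        *'"exp":'*) case $c in *'"kubernetes.io":'*) echo bound ;; *) echo unknown ;; esac ;;
        *) echo unknown ;;
    esac
}

sa_token_lifetime() {  # prints exp - iat in seconds, or "none" without exp
    c=$(jwt_claims "$1") || return 1
    exp=$(printf '%s' "$c" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
    iat=$(printf '%s' "$c" | sed -n 's/.*"iat":\([0-9][0-9]*\).*/\1/p')
    if [ -n "$exp" ] && [ -n "$iat" ]; then echo $((exp - iat)); else echo none; fi
}

mk_sample() { printf '%s.%s.sig' "$(printf '{"alg":"RS256"}' | b64url)" "$(printf '%s' "$1" | b64url)"; }

# Constructed, unsigned samples that mirror the two claim layouts. The bound
# one uses exp - iat = 3607 s, the default for the injected kube-api-access volume.
BOUND_SAMPLE=$(mk_sample '{"aud":["https://kubernetes.default.svc"],"exp":1767229207,"iat":1767225600,"iss":"https://kubernetes.default.svc","kubernetes.io":{"namespace":"demo","pod":{"name":"web-0","uid":"u1"},"serviceaccount":{"name":"reader","uid":"u2"}},"sub":"system:serviceaccount:demo:reader"}')
LEGACY_SAMPLE=$(mk_sample '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"demo","kubernetes.io/serviceaccount/secret.name":"reader-token-abcde","kubernetes.io/serviceaccount/service-account.name":"reader","sub":"system:serviceaccount:demo:reader"}')

# Inside a pod: sh sa-token.sh /var/run/secrets/kubernetes.io/serviceaccount/token
if [ -n "${1:-}" ]; then
    t=$(cat "$1") && sa_token_kind "$t" && sa_token_lifetime "$t"
fi
```

A token that reports legacy has no expiry and is not tied to a pod, so it stays valid until its Secret is deleted.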
6. Write a NetworkPolicy that default-denies all ingress in a namespace.
An empty podSelector: {} with policyTypes: [Ingress] and no ingress rules. Then layer allow-policies on top — NetworkPolicies are additive, not subtractive. The catch: NetworkPolicies require a CNI that enforces them (Calico, Cilium, Weave). On a stock kubeadm cluster with the default bridge CNI, the policy is accepted but never enforced.
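The default-deny manifest described above, together with a check for the catch: a probe before and after applying it shows whether the CNI actually enforces the policy. This is an added example, not part of the original article; the function names, the busybox probe image and the SETTLE delay are assumptions.

```shell
#!/bin/sh
# Added example: default-deny ingress plus a check that the CNI enforces it.
# Function names, the probe image and SETTLE are assumptions of this example.
default_deny_ingress() {  # $1 = namespace; prints the manifest
cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $1
spec:
  podSelector: {}   # empty selector: every pod in the namespace
  policyTypes:
  - Ingress         # no allow rules follow, so all inbound traffic is denied
EOF
}

probe() {  # $1 = namespace, $2 = URL, $3 = pod name suffix; 0 if reachable
    kubectl -n "$1" run "np-probe-$3" --rm -i --restart=Never \
        --image=busybox:1.36 -- wget -qO- -T 3 "$2" </dev/null >/dev/null 2>&1
}

verify_default_deny() {  # $1 = namespace, $2 = URL of a Service in it
    # Baseline first, otherwise a broken Service would look like enforcement.
    if ! probe "$1" "$2" before; then
        echo "baseline probe failed" >&2; return 2
    fi
    default_deny_ingress "$1" | kubectl apply -f - >/dev/null || return 2
    sleep "${SETTLE:-5}"   # give the CNI agent time to program the rule
    if probe "$1" "$2" after; then
        echo "NOT ENFORCED"; return 1
    fi
    echo "enforced"
}

# Usage: sh np-check.sh verify <namespace> <url>
if [ "${1:-}" = verify ]; then verify_default_deny "$2" "$3"; fi
```

The check leaves the policy applied, so run it in a namespace where blocking all ingress is the intended end state.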
7. What’s the difference between a PersistentVolume, a PersistentVolumeClaim, and a StorageClass?
PV is the cluster-scoped storage resource (an EBS volume, an NFS export). PVC is the namespaced request (“I need 20Gi, ReadWriteOnce”). StorageClass is the template that lets the cluster dynamically provision a PV when a PVC asks for it. In production you almost never create PVs by hand — you create a StorageClass once and let dynamic provisioning do the rest.
8. Rolling update vs. Recreate strategy — when do you pick which?
Rolling (default): old pods are replaced gradually using maxSurge and maxUnavailable, no downtime, but two versions briefly coexist — bad for schema-incompatible migrations. Recreate: all old pods are terminated before new pods start, downtime equal to startup time, used when two versions cannot coexist (database schema changes, breaking API contracts). Blue-green and canary go beyond what Deployment offers natively; that’s Argo Rollouts or Flagger territory.
9. How do you upgrade a kubeadm cluster from v1.29 to v1.30?
Control plane first: drain the node, apt-mark unhold kubeadm, install kubeadm 1.30, kubeadm upgrade plan then kubeadm upgrade apply v1.30.x, upgrade kubelet and kubectl packages, uncordon. Then each worker: drain, upgrade kubeadm, kubeadm upgrade node, upgrade kubelet, uncordon. Skipping minor versions (1.29 → 1.31) is unsupported. Read the deprecation notes — v1.32 removes several legacy APIs that v1.29 manifests may still use.
10. How much do Kubernetes-anchored platform and SRE roles pay in 2026?
$130,000–$165,000 mid-level in the US for platform engineer and SRE roles requiring CKA plus 2+ years of production operations. Senior platform engineers at FAANG and well-funded startups reach $180,000–$220,000 base. The official Linux Foundation CKA page covers the current exam objectives. BLS reports a 2024 median of $104,420 for all computer occupations; Kubernetes-focused roles consistently exceed that by 40–60%.
What these questions test
Every question has a “book answer” and an “operational answer.” Interviewers want the operational one — the version that includes the gotcha (v1.24 token change, NetworkPolicy needing a CNI that enforces it, schema-incompatible migrations breaking rolling updates). Passing the CKA proves you can finish 15 hands-on tasks under a clock. Answering these correctly proves you’ve actually run a cluster.
Frequently asked questions
What’s the difference between a Deployment, StatefulSet, and DaemonSet?
Deployment for stateless replicas, StatefulSet for ordered named replicas with stable per-pod storage (databases, clustered apps), DaemonSet for exactly one pod per node (log collectors, CNI agents, monitoring exporters).
How do you back up and restore etcd?
etcdctl snapshot save with the peer cert/key/CA from /etc/kubernetes/pki/etcd, then restore by stopping the static pods, running etcdctl snapshot restore to a fresh data dir, and letting kubelet bring everything back. This is the most-tested CKA practical task.
What’s the difference between resource requests and limits?
Requests drive scheduling decisions; limits cap runtime usage. CPU above limit is throttled, memory above limit triggers OOMKill. Pods with no requests land in BestEffort QoS and are evicted first under node pressure.
How much do Kubernetes platform and SRE roles pay in 2026?
$130,000–$165,000 mid-level for platform engineer and SRE roles with CKA plus 2+ years of production operations. Senior roles at FAANG and well-funded startups reach $180,000–$220,000 base.
Do NetworkPolicies work on every cluster?
No. They require a CNI that implements enforcement — Calico, Cilium, Weave Net. On a stock kubeadm cluster running the default bridge CNI, the policy object is accepted but never blocks traffic. Always check your CNI before promising network isolation.
How we wrote this
No CNCF, Linux Foundation, or training-vendor revenue. Questions were sourced from candidate reports on Reddit, Discord, CNCF Slack, and LinkedIn interview threads from 2025–2026, cross-referenced against the official CKA exam objectives. Salary figures are cross-referenced against the BLS Occupational Outlook and open postings on LinkedIn and Levels.fyi as of Q1 2026.
Last reviewed: May 15, 2026.