AI Exam Prep

☸️ CNCF / Linux Foundation

Certified Kubernetes Administrator (CKA)

Complete study reference for the CKA — a hands-on performance-based exam covering cluster administration, workload management, networking, storage and troubleshooting.

  • 15–20 tasks
  • 120 minutes
  • 66% passing score

Domain weightings

  • Cluster Architecture & Config: 25%
  • Troubleshooting: 30%
  • Services & Networking: 20%
  • Workloads & Scheduling: 15%
  • Storage: 10%

Topics by domain

What each domain covers

Cluster Architecture, Installation & Configuration (25%)

6 topics

etcd backup and restore is the single most tested task in CKA. Memorise: etcdctl snapshot save /backup/etcd.db --endpoints=https://127.0.0.1:2379 --cacert --cert --key. For restore: etcdctl snapshot restore, then update the etcd static pod manifest to point to the new data directory. RBAC: Role = namespace-scoped permissions; ClusterRole = cluster-wide. RoleBinding binds either type to a namespace; ClusterRoleBinding binds cluster-wide.

  • kubeadm: init, join, upgrade workflow (kubeadm upgrade plan / apply)
  • etcd: backup (etcdctl snapshot save) and restore — the most tested task
  • RBAC: ClusterRole, Role, ClusterRoleBinding, RoleBinding — create and bind correctly
  • TLS certificates: certificate rotation, kubeadm certs check-expiration
  • Highly available control plane: stacked etcd vs external etcd topology
  • CRI runtime: containerd vs Docker (Docker removed in k8s 1.24+)
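
The backup and restore steps described above, as an added example (not part of the original page). The certificate, manifest and data-directory paths are kubeadm defaults assumed here, since the page leaves the --cacert/--cert/--key values out; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: etcd snapshot backup and restore on a kubeadm control-plane node.
# Assumptions (not from the page): the kubeadm default paths below.
PKI="${PKI:-/etc/kubernetes/pki/etcd}"
MANIFEST="${MANIFEST:-/etc/kubernetes/manifests/etcd.yaml}"
OLD_DIR="${OLD_DIR:-/var/lib/etcd}"

etcd_backup() {   # usage: etcd_backup /backup/etcd.db
  snap="$1"
  ETCDCTL_API=3 etcdctl snapshot save "$snap" \
    --endpoints=https://127.0.0.1:2379 \
    --cacert="$PKI/ca.crt" --cert="$PKI/server.crt" --key="$PKI/server.key" || return 1
  # The snapshot contains every Secret stored in the cluster: keep it owner-only.
  chmod 600 "$snap"
}

etcd_restore() {  # usage: etcd_restore /backup/etcd.db /var/lib/etcd-restored
  snap="$1"; new_dir="$2"
  if [ -e "$new_dir" ]; then
    echo "refusing to restore into existing $new_dir" >&2; return 1
  fi
  ETCDCTL_API=3 etcdctl snapshot restore "$snap" --data-dir="$new_dir" || return 1
  # Keep a copy of the manifest outside the manifests directory, then rewrite
  # only the hostPath line of the data volume; kubelet recreates the etcd pod.
  saved="$(mktemp)" && cp "$MANIFEST" "$saved" || return 1
  sed "s#^\( *path: \)${OLD_DIR}\$#\1${new_dir}#" "$saved" > "$MANIFEST"
  grep -q "path: ${new_dir}\$" "$MANIFEST" || { cp "$saved" "$MANIFEST"; return 1; }
  echo "previous manifest saved as $saved"
}

# Run a function by name, e.g.: ./script etcd_backup /backup/etcd.db
if [ "$#" -gt 0 ]; then "$@"; fi
```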

Workloads & Scheduling (15%)

6 topics

Know when to use each workload type. Deployment = stateless apps with rolling updates. StatefulSet = stateful apps needing stable hostname (pod-0, pod-1) and PVC per replica. DaemonSet = one pod on every (or selected) node. For scheduling: taints REPEL pods (unless pod tolerates it); node affinity ATTRACTS pods to specific nodes. A taint with NoSchedule blocks new scheduling; NoExecute also evicts existing pods.

  • Deployments: rolling updates, rollback (kubectl rollout undo)
  • DaemonSets: one pod per node (logging agents, monitoring)
  • StatefulSets: stable network identity and persistent storage for databases
  • Jobs and CronJobs: completions, parallelism, backoffLimit, schedule syntax
  • Resource requests and limits: CPU (millicores), memory (Mi/Gi), LimitRange, ResourceQuota
  • Taints and tolerations, node affinity, pod affinity/anti-affinity, topologySpreadConstraints

Services & Networking (20%)

6 topics

NetworkPolicy is heavily tested — know that without any NetworkPolicy, all pods can communicate freely. A NetworkPolicy with an empty podSelector {} applies to ALL pods in the namespace. An empty ingress rule {} allows all inbound. An empty ingress array [] denies all inbound. Ingress resources require an Ingress controller (not installed by default). Services use DNS: <service-name>.<namespace>.svc.cluster.local.

  • Service types: ClusterIP (internal), NodePort (external via node IP:port), LoadBalancer (cloud), ExternalName
  • Ingress: path-based and host-based routing, TLS termination, Ingress controllers (nginx)
  • NetworkPolicy: pod selectors, namespace selectors, ingress/egress rules — default deny
  • CoreDNS: service DNS format (svc.namespace.svc.cluster.local), pod DNS
  • CNI plugins: role in pod networking (Calico, Flannel, Cilium)
  • kube-proxy: iptables and IPVS modes
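
The two ingress shapes from the NetworkPolicy paragraph above, side by side, plus a check for namespaces that still have no policy at all. This is an added example, not part of the original page; the policy names and function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: deny-all vs allow-all ingress, and an audit for unprotected namespaces.
# Assumption: the caller passes the namespace; policy names are made up for illustration.

# ingress: []  -> selects every pod, lists no allowed source = all inbound denied
default_deny_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $1
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress: []
EOF
}

# ingress: [{}] -> one rule with no 'from' and no 'ports' matches everything = all inbound allowed
allow_all_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
  namespace: $1
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
  - {}
EOF
}

apply_policy() {   # usage: apply_policy default_deny_ingress dev
  "$1" "$2" | kubectl apply -f -
}

# Namespaces with no NetworkPolicy: every pod there accepts traffic from any pod.
namespaces_without_policy() {
  for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'); do
    [ -z "$(kubectl get networkpolicy -n "$ns" -o name)" ] && echo "$ns"
  done
  return 0
}

if [ "$#" -gt 0 ]; then "$@"; fi
```

Policies only take effect when the installed CNI plugin enforces NetworkPolicy; with a plugin that does not, the objects are accepted by the API server but traffic is not filtered.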

Storage (10%)

6 topics

Access modes are reliably tested. ReadWriteOnce (RWO) = mounted by one node at a time (most block storage). ReadWriteMany (RWX) = mounted by multiple nodes simultaneously (NFS, EFS). ReadOnlyMany (ROX) = multiple nodes, read-only. Dynamic provisioning via StorageClass removes the need to pre-create PVs — the provisioner creates a PV automatically when a PVC is created.

  • PersistentVolumes (PV): capacity, accessModes, reclaimPolicy (Retain/Recycle/Delete)
  • PersistentVolumeClaims (PVC): requesting storage, binding to a PV
  • StorageClasses: dynamic provisioning, provisioner, reclaimPolicy, volumeBindingMode
  • Volume types: emptyDir (ephemeral), hostPath (node path), configMap/secret mounts
  • Expanding PVCs: allowVolumeExpansion in StorageClass
  • ReadWriteOnce vs ReadWriteMany vs ReadOnlyMany access modes

Troubleshooting (30%)

6 topics

The largest domain and the most practical. CrashLoopBackOff = container keeps crashing — check kubectl logs <pod> and kubectl describe pod for the exit code. OOMKilled = out of memory — increase memory limit. ImagePullBackOff = image not found or registry auth issue. For kubelet issues: it runs as a systemd service — check with systemctl status kubelet and journalctl -u kubelet. Pending pod = scheduling issue — describe pod to see why (resource, taint, affinity).

  • Pod failures: kubectl describe pod (Events section), kubectl logs, CrashLoopBackOff causes
  • Node failures: kubectl describe node, checking node conditions (MemoryPressure, DiskPressure, NotReady)
  • Network connectivity: kubectl exec + curl/nslookup to test service DNS and endpoints
  • Control plane component logs: journalctl for kubelet; kubectl logs in kube-system for API server, scheduler, controller-manager
  • Cluster component health: kubectl get componentstatuses, kubectl cluster-info
  • Resource constraints: kubectl top pod, kubectl top node (requires Metrics Server)
