⚓

Formation · Administrator · CKA-aligned

Kubernetes — Advanced

Architecture, installation, security, networking, storage, troubleshooting: everything needed to operate a production Kubernetes cluster. Program aligned with the 5 domains of the official CKA (Certified Kubernetes Administrator) curriculum maintained by the CNCF, with a full day dedicated to troubleshooting (30% of the exam).

Duration

4 days

Level

Advanced

Format

Inter / Intra

Inter-company price

From €2,400

Students

10 max

Book a session Request a private session

Learning objectives

What you'll be able to do after the training.

⚙

Install & operate

Deploy a cluster with kubeadm, manage certificates, operate etcd (backup/restore), build HA topology, upgrade the control plane.

🛡

Secure & govern

Full RBAC, NetworkPolicies (ingress + egress), Pod Security Standards, audit logging, kubeconfig and ServiceAccount management.

🔍

Diagnose

Identify and fix incidents: control plane, kubelet, networking, scheduling, storage, applications. Master the kubectl debug toolkit.

Target audience

Who it's for, what's required.

👥 Audience

DevOps / SRE engineers operating a K8s cluster
Lead Tech preparing the CKA certification
Architects responsible for a production Kubernetes platform
Platform engineers and infra leads

📋 Prerequisites

Solid app-side Kubernetes (CKAD-equivalent or regular practice)
Linux and basic networking experience (DNS, routing, iptables)
Comfort with kubectl and YAML manifests
A laptop for the labs; cloud / local VMs provided

Detailed program

Syllabus, day by day.

Cluster Architecture, Installation & Configuration · 25%

Day 1 — Architecture, install, cluster security

Control plane components (api-server, scheduler, controller-manager, etcd, kubelet)
Cluster install with kubeadm: single-node, HA multi-master
TLS certificate management, kubeconfig, contexts
RBAC: Roles, ClusterRoles, RoleBindings, ServiceAccounts
Cluster upgrade (control plane + nodes)
etcd backup / restore (snapshot + restore)
Helm & Kustomize for cluster admin (cluster add-ons)

LabInstall a 3-master HA cluster with kubeadm, set up fine-grained RBAC, snapshot etcd and test a restore.

Workloads & Scheduling · Storage · 25%

Day 2 — Workloads, scheduling and storage

Deployments, ReplicaSets, DaemonSets, StatefulSets — production patterns
Affinity / anti-affinity, taints, tolerations, topology spread
Schedulers: default, custom, priority classes
HPA, VPA, KEDA — overview
StorageClasses, dynamic provisioning, CSI
PersistentVolumes / Claims: reclaim policies, expansion
ConfigMaps & Secrets at cluster level (encryption at rest)

LabDeploy a stateful workload (Postgres) with a dynamic StorageClass, set up HPA + Pod Disruption Budget, drain a node and observe rescheduling.

Services & Networking · 20%

Day 3 — Internal cluster networking

kube-proxy: iptables / IPVS modes, choosing an implementation
CoreDNS: architecture, plugins, resolution debugging
CNI plugins: Cilium, Calico, Flannel — comparison and choice
Ingress controllers: NGINX, Traefik, Gateway API
Advanced NetworkPolicies: ingress + egress, namespace isolation, default-deny
Service mesh overview (Istio, Linkerd, Cilium Mesh)
Pod Security Standards (restricted) and runtime security

LabSet up an NGINX Ingress with automated TLS, write default-deny NetworkPolicies, verify namespace isolation and traffic observability.

Troubleshooting · 30%

Day 4 — Troubleshooting & CKA prep

Diagnostic methodology: top-down vs bottom-up
Cluster troubleshooting: control plane, kubelet, NotReady nodes, expired certs
Application troubleshooting: OOMKilled, ImagePullBackOff, scheduling failures, ImagePullErr
Networking troubleshooting: DNS, services, Ingress, NetworkPolicies
Storage troubleshooting: Pending PVs, mount failures, expansion
kubectl debug, ephemeral containers, node debug
Centralized logs (Loki/EFK), metrics (Prometheus, kubectl top)
CKA certification prep: exam workflow, time management, kubectl tips

LabDiagnose 8 timed simulated outages (CKA format): control plane down, Pending pod, CrashLoopBackOff, blocking NetworkPolicy, PV that won't mount, expired certificate, etcd restore, full exam-style scenario.