Linux Foundation KCNA Cheat Sheet: Cloud Native Basics and Kubernetes

Linux Foundation KCNA cheat sheet for cloud native basics, Kubernetes, traps, and final review.

Use this cheat sheet for Kubernetes and Cloud Native Associate (KCNA) after you know the vocabulary but need faster object and scenario decisions. KCNA rewards relationship awareness: what owns what, what exposes what, what schedules what, and what evidence proves the current state.

Read every KCNA question in this order

  1. Identify the lane: Kubernetes fundamentals, container orchestration, application delivery, or cloud native architecture.
  2. Name the object, control plane component, or workflow being tested.
  3. Decide whether the issue is desired state, scheduling, networking, configuration, storage, security, delivery, or observability.
  4. Choose the smallest object or control that satisfies the requirement.
  5. Reject answers that use a real Kubernetes term for the wrong layer.

KCNA answer sequence

Use this when the stem mixes objects, scheduling, traffic, security, or observability.

    flowchart TD
        S["Scenario"] --> O["Name the object or control plane component"]
        O --> L["Identify the Kubernetes lane"]
        L --> P["Pick the smallest object that satisfies the need"]
        P --> V["Verify labels, selectors, status, or events"]

Kubernetes object map

| Requirement | Start with | What to verify |
| --- | --- | --- |
| run one or more containers together | Pod | container state, restart behavior, volumes, probes, and resource requests |
| maintain replicas and rollouts | Deployment | desired replica count, ReplicaSet ownership, rollout status, and selector match |
| stable network identity for matching pods | Service | labels, selectors, endpoints, port, targetPort, and service type |
| HTTP routing into the cluster | Ingress | ingress controller, host/path rules, TLS, service backend, and annotations |
| environment-specific settings | ConfigMap | whether values are non-sensitive and mounted or injected correctly |
| sensitive values | Secret | access scope, encoding versus encryption, mount or env usage, and rotation |
| persistent data | PersistentVolume and PersistentVolumeClaim | storage class, access mode, binding state, and reclaim behavior |
| controlled batch work | Job or CronJob | completion, retries, schedule, concurrency policy, and logs |

Control plane and node roles

| Component | Exam instinct |
| --- | --- |
| API server | front door for cluster requests and policy enforcement path |
| etcd | cluster state store; protect and back it up |
| scheduler | places unscheduled pods on suitable nodes |
| controller manager | runs reconciliation loops toward desired state |
| kubelet | node agent that runs pod specs through the container runtime |
| kube-proxy or networking layer | supports service networking and traffic forwarding |
| container runtime | pulls and runs containers on nodes |

Scheduling and resource triage

| Symptom | First layer to check |
| --- | --- |
| pod stays Pending | node capacity, taints/tolerations, selectors, affinity, PVC binding, and resource requests |
| pod restarts repeatedly | container exit reason, liveness probe, image command, config, dependency, and logs |
| rollout does not progress | image pull, readiness probes, unavailable replicas, bad selector, and deployment events |
| workload disrupts neighbors | requests, limits, quotas, priority, and node pressure |
| pod lands on wrong node | nodeSelector, affinity, taints, tolerations, and scheduler constraints |

Services and traffic

| Question clue | Better answer path |
| --- | --- |
| pods exist but service has no traffic | check service selector and endpoints before changing the app |
| service works inside cluster only | distinguish ClusterIP from NodePort, LoadBalancer, and Ingress |
| HTTP host or path routing | use Ingress plus a working ingress controller |
| app is running but not receiving traffic | verify readiness, labels, ports, targetPort, and network policy |
| external exposure must be minimized | prefer the narrowest exposure type that satisfies access requirements |
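
The "service has no traffic" rows come down to one question: which pods does the Service actually select as endpoints? The sketch below is an added example, not part of the original cheat sheet; it walks namespace, selector, named targetPort, and readiness over constructed objects whose flat field names are simplifications rather than the Kubernetes API schema. Network policy is not modeled.

```python
# Added example. Constructed objects, reduced to the fields that decide routing;
# the flat field names are simplifications, not the Kubernetes API schema.
SERVICE = {
    "namespace": "shop",
    "selector": {"app": "cart", "tier": "backend"},
    "ports": [{"port": 80, "targetPort": "http"}],
}
MATCH = {"app": "cart", "tier": "backend"}
PODS = [
    {"name": "cart-1", "namespace": "shop", "labels": MATCH, "ready": True, "ports": {"http": 8080}},
    {"name": "cart-2", "namespace": "shop", "labels": MATCH, "ready": False, "ports": {"http": 8080}},
    {"name": "cart-3", "namespace": "shop", "labels": {"app": "cart"}, "ready": True, "ports": {"http": 8080}},
    {"name": "cart-4", "namespace": "staging", "labels": MATCH, "ready": True, "ports": {"http": 8080}},
    {"name": "cart-5", "namespace": "shop", "labels": MATCH, "ready": True, "ports": {"web": 8080}},
]


def explain(service, pod):
    """Return None if the pod would back the Service, else the first reason it does not."""
    if pod["namespace"] != service["namespace"]:
        return "different namespace"
    wrong = sorted(k for k, v in service["selector"].items() if pod["labels"].get(k) != v)
    if wrong:
        return f"selector mismatch on {wrong}"
    for port in service["ports"]:
        target = port["targetPort"]
        # A named targetPort must resolve to a container port of that name.
        if isinstance(target, str) and target not in pod["ports"]:
            return f"no container port named {target!r}"
    if not pod["ready"]:
        return "not Ready"
    return None


def triage(service, pods):
    """Map each pod name to 'endpoint' or the reason it receives no traffic."""
    if not service["selector"]:
        return {"<service>": "no selector, endpoints are not managed automatically"}
    return {pod["name"]: explain(service, pod) or "endpoint" for pod in pods}


if __name__ == "__main__":
    for name, verdict in triage(SERVICE, PODS).items():
        print(f"{name}: {verdict}")
```

Only `cart-1` ends up as an endpoint, even though all five pods are running and four of them share the Service's namespace and name prefix.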

Cloud native delivery

| Topic | What to remember |
| --- | --- |
| container image | immutable package, but not proof of trust by itself |
| registry | stores images; access control and scanning matter |
| deployment rollout | Kubernetes moves desired state forward gradually when configured correctly |
| rollback | use deployment history and known-good versions, not blind restarts |
| GitOps | repository state drives cluster reconciliation through an operator or controller |
| CI/CD | builds, tests, scans, packages, and deploys; each stage has evidence |
| observability | logs, metrics, traces, events, and health probes answer different questions |

Security basics KCNA still tests

| Control | Fast distinction |
| --- | --- |
| namespace | organization boundary; not sufficient security by itself |
| RBAC | who can do which verb on which resource in which scope |
| service account | workload identity inside the cluster |
| network policy | traffic rule between pods, namespaces, and peers when the CNI supports it |
| secret | sensitive configuration object; still requires access control and safe handling |
| image trust | scanning, signing, provenance, and approved registries reduce supply-chain risk |

Common traps

| Trap | Better instinct |
| --- | --- |
| Pod equals application | deployments, services, ingress, config, and storage usually complete the app shape |
| namespace equals isolation | pair namespaces with RBAC, quotas, network policy, and naming discipline |
| service name guarantees routing | labels, selectors, endpoints, ports, and readiness decide traffic |
| restart is troubleshooting | read status, events, logs, and recent changes first |
| cloud native means Kubernetes only | include containers, service discovery, observability, automation, resilience, and delivery practices |

Final 15-minute review

| If the stem says… | Start here |
| --- | --- |
| desired state, replicas, rollout | Deployment, ReplicaSet, selector, image, and readiness |
| pod cannot schedule | resources, node constraints, taints, tolerations, PVC, and events |
| service cannot reach pods | labels, selectors, endpoints, ports, and readiness |
| persistent data | PVC, PV, storage class, access mode, and lifecycle |
| cloud native delivery | image, registry, CI/CD, GitOps, rollout, rollback, and evidence |
| security foundations | RBAC, service accounts, secrets, namespaces, image trust, and network policy |

One-line decision rule

KCNA answers should connect the Kubernetes object to its controller, selector, traffic path, security scope, and observable evidence.

Revised on Sunday, May 10, 2026