Appendix E — Learning paths
Ordered ways through this guide. Every link is a real chapter in this repository; the guide is standalone, so these map its chapters — they do not assume any other notes. Four paths: a one-week Fast track, the full Zero-to-production arc, an Exam-oriented mapping to CKAD/CKA/CKS, and a Platform/SRE/ops track. Each path lists ordered chapter links, a one-line "why this order", what it honestly skips, and ends at the same finish line: the end-to-end Bookstore (the right finish for Parts 00 - 09; readers continuing into the production-reality material then cross into the Bookstore Platform v2 grand capstone after Parts 10 - 12).
Reference material — no nine-section anatomy. Keep Appendix A — cheatsheet and Appendix B — glossary open while you work through any path.
Path 1 — Fast track (~1 week): deploy & operate an app
The minimum coherent path to deploy a real app and keep it running. It deliberately skips internals depth, scheduling theory, the full security/delivery arc, and day-2 — you can deploy and debug, not yet harden or GitOps-deliver.
| # | Chapter | Why here |
|---|---|---|
| 1 | 00-foundations/01 — Why Kubernetes | The problem it solves; declarative vs imperative |
| 2 | 00-foundations/03 — Architecture overview | The parts you'll talk to (skip 04/05 deep dives for now) |
| 3 | 00-foundations/06 — The declarative API model | The one mental model everything else is a variation of |
| 4 | 00-foundations/07 — Local cluster setup | A real local cluster + the everyday kubectl verbs |
| 5 | 01-core-workloads/01 — Pods | The unit you actually run |
| 6 | 01-core-workloads/02 — Health and lifecycle | Probes — without these nothing is production-real |
| 7 | 01-core-workloads/04 — ReplicaSets and Deployments | Self-healing, rolling updates, rollback |
| 8 | 02-networking/02 — Services | Stable in-cluster endpoints |
| 9 | 02-networking/04 — Ingress | Reach the app from outside |
| 10 | 03-config-and-storage/01 — ConfigMaps | Externalize config |
| 11 | 03-config-and-storage/02 — Secrets | Credentials (and why base64 ≠ encryption) |
| 12 | 03-config-and-storage/04 — Persistent storage | The app's database needs durable storage |
| 13 | 08-day-2-operations/03 — Troubleshooting playbook | When it breaks: the method + kubectl debug |
| 14 | 09-end-to-end-bookstore/01 — Bookstore end-to-end | Stand the whole thing up (skim the GitOps/DR sections) |
Why this order: model → real cluster → run a workload → expose it → configure it → persist data → debug it → see it whole. Skips (be honest): control-plane/node internals, StatefulSets/DaemonSets/Jobs depth, scheduling, the full security hardening, observability/autoscaling, Helm/Kustomize/GitOps, and most of day-2 (troubleshooting is included; cluster upgrades/backup-DR/multi-tenancy/operators are skipped). Do the full arc (Path 2) before running anything you care about in production.
Path 2 — Zero-to-production (the full arc)
Parts 00→09 in order. This is how the guide is meant to be read: the Bookstore manifests are cumulative, each chapter adds one field/primitive to the same app. Nothing is skipped. Time estimates assume the hands-on is actually run on a local cluster.
| Part | Chapters | Est. | Why this order |
|---|---|---|---|
| 00 Foundations | 01 · 02 · 03 · 04 · 05 · 06 · 07 | 6–9 h | Containers → architecture → internals → the declarative model → a real cluster, before any workload |
| 01 Core Workloads | 01 · 02 · 03 · 04 · 05 · 06 · 07 · 08 | 8–12 h | Pod → health → resources → controllers; stateful/daemon/batch; how to roll changes |
| 02 Networking | 01 · 02 · 03 · 04 · 05 · 06 | 6–9 h | Model → Services → DNS → edge (Ingress/Gateway) → segmentation |
| 03 Config & Storage | 01 · 02 · 03 · 04 · 05 | 5–8 h | Config → secrets → volumes → PV/PVC → operating stateful data |
| 04 Scheduling | 01 · 02 · 03 | 3–5 h | How placement is decided → steering it → priority/preemption |
| 05 Security | 01 · 02 · 03 · 04 | 6–9 h | Identity/RBAC → pod hardening (PSA) → supply chain → secrets & cluster hardening |
| 06 Production Readiness | 01 · 02 · 03 · 04 · 05 · 06 | 7–10 h | See it (metrics/logs/traces) → scale it → keep it reliable → afford it |
| 07 Delivery | 01 · 02 · 03 · 04 · 05 | 7–10 h | Package (Helm/Kustomize) → CI/CD → GitOps → progressive delivery |
| 08 Day-2 Operations | 01 · 02 · 03 · 04 · 05 | 6–9 h | Lifecycle/upgrades → backup/DR → troubleshooting → multi-tenancy → operators |
| 09 Capstone | 01 | 2–4 h | Compose every part: GitOps up, observed, autoscaled, hardened, DR-drilled |
Why this order: it is the dependency order of the system itself — you cannot
secure or deliver a workload you cannot yet run, observe, or place. Skips:
nothing — this is the complete path. Total ≈ 55–85 hours of focused,
hands-on study (less if you skip the under-the-hood and In production:
sections; those are the production-relevant parts, so don't skip them if you're
going to production).
Path 3 — Exam-oriented (CKAD / CKA / CKS)
This guide is not an exam cram — it teaches the why and goes deeper than
the exams in places (internals, GitOps, operators) and lighter in others (raw
cluster install/etcd ops, exam-specific muscle memory). The maps below show
which guide chapters cover which exam domain, honestly flagged
[deeper] / [lighter] / [≈] vs the exam's depth. The official curricula
are the authority for exact, current domain weights:
https://github.com/cncf/curriculum. Drill speed with Appendix A's CKAD speed
tips.
Methodology: each exam domain is mapped to the guide chapter(s) that cover its objectives.
[deeper] = the guide goes well beyond exam depth; [lighter] = the guide covers the concept but the exam demands more hands-on speed or a topic the guide treats as note-only (e.g. raw kubeadm install, etcd backup/restore by hand); [≈] = roughly exam-aligned. Not overclaimed: chapters are mapped only where they genuinely cover the objective.
CKAD — Certified Kubernetes Application Developer
Focus: building, deploying, configuring, and observing applications.
| CKAD domain (approx.) | Guide chapters | Depth vs exam |
|---|---|---|
| Application design & build (multi-container, init/sidecar, Jobs/CronJobs, volumes) | 01-core-workloads/01, 07; 03-config-and-storage/03 | [≈] |
| Application deployment (Deployments, rolling updates/rollback, Helm, blue-green/canary) | 01-core-workloads/04, 08; 07-delivery/01, 02 | [deeper] (Helm/Kustomize/GitOps beyond exam) |
| Application observability & maintenance (probes, logs, kubectl debug, deprecated APIs) | 01-core-workloads/02; 06-production-readiness/02; 08-day-2-operations/03; appendix C | [≈] |
| Application environment, config & security (ConfigMaps/Secrets, SA, resources, securityContext) | 03-config-and-storage/01, 02; 01-core-workloads/03; 05-security/01, 02 | [≈] |
| Services & networking (Services, NetworkPolicy basics) | 02-networking/02, 03, 04, 06 | [≈] |
CKAD-targeted order: Path 1 chapters 1–12, then 01-core-workloads/03 · 07 · 08 · 03-config-and-storage/03 · 05-security/01 · 02 · 02-networking/06 → capstone. Exam reality the guide under-drills: raw command speed under time pressure — practice the imperative→manifest workflow in Appendix A §2.
CKA — Certified Kubernetes Administrator
Focus: operating and administering a cluster.
| CKA domain (approx.) | Guide chapters | Depth vs exam |
|---|---|---|
| Cluster architecture, installation & configuration (control plane, kubeadm, RBAC, upgrades) | 00-foundations/03, 04, 05; 05-security/01; 08-day-2-operations/01 | [lighter] — kubeadm init/kubeadm upgrade and manual certificate/kubeconfig management are covered conceptually + as In production:; the exam wants them performed from scratch (rehearse on a kind/kubeadm cluster) |
| Workloads & scheduling (Deployments, scaling, scheduling, affinity/taints) | 01-core-workloads/04; 04-scheduling/01, 02, 03; 06-production-readiness/04 | [deeper] |
| Services & networking (Services, Ingress, Gateway, CoreDNS, NetworkPolicy, CNI) | 02-networking/01, 02, 03, 04, 05, 06 | [≈]/[deeper] |
| Storage (StorageClass, PV/PVC, access modes, reclaim) | 03-config-and-storage/03, 04, 05 | [≈] |
| Troubleshooting (cluster/node/app, logs, events, networking) | 08-day-2-operations/03; 06-production-readiness/01, 02 | [≈] |
| Cluster maintenance & backup (etcd backup/restore, drain/cordon, version skew) | 08-day-2-operations/01, 02 | [lighter] on bare-hand etcdctl snapshot restore (covered, but exam wants it fast & manual) |
CKA-targeted order: Part 00 (all) → 01-core-workloads/04 → Part 02 (all) → Part 03 (all) → Part 04 (all) → 05-security/01 → Part 08 01/02/03 → capstone. Exam reality the guide under-drills: hand-running kubeadm upgrades and etcdctl snapshot save/restore on a vanilla cluster — rehearse those against a kind cluster using the official docs linked in Appendix D Part 08.
CKS — Certified Kubernetes Security Specialist
Focus: securing a cluster and its workloads (CKA is a prerequisite).
| CKS domain (approx.) | Guide chapters | Depth vs exam |
|---|---|---|
| Cluster setup (NetworkPolicy, CIS benchmark, ingress TLS, restricting metadata/dashboard) | 02-networking/06; 02-networking/04; 05-security/04 | [≈] |
| Cluster hardening (RBAC least privilege, restrict API access, upgrade discipline) | 05-security/01; 05-security/04; 08-day-2-operations/01 | [deeper] (RBAC treated end-to-end) |
| System hardening (least-privilege OS, seccomp/AppArmor, reduce attack surface) | 05-security/02; 00-foundations/02 (distroless) | [≈] |
| Minimize microservice vulnerabilities (PSA, securityContext, secrets, mTLS concept, sandboxing) | 05-security/02; 03-config-and-storage/02; 05-security/04 | [≈] |
| Supply chain security (image footprint, signing, scanning, SBOM, admission/Kyverno) | 05-security/03; 00-foundations/02; 07-delivery/03 | [deeper] |
| Monitoring, logging & runtime security (audit logs, behavioral analytics, threat detection) | 05-security/04 (audit logging) + 06-production-readiness/02 | [lighter] — metrics ([06/01]) and tracing ([06/03]) are not CKS-tested; focus on audit logs (05-security/04) + the official-curriculum Falco/runtime supplement (note-only in this guide) |
CKS-targeted order (do CKA first): Part 05 (all, in order) → 02-networking/06 → 00-foundations/02 → 07-delivery/03 → 06-production-readiness/01/02 → capstone §(h) "Verify security posture". Exam reality the guide under-drills: a runtime-security sensor (e.g. Falco) and gVisor/kata sandboxing hands-on — the guide explains the threat model and PSA/securityContext thoroughly but treats runtime IDS as note-only; supplement from the official CKS curriculum.
Path 4 — Platform / SRE / Ops track (Parts 04–08 emphasis)
For engineers who already run apps and need the operate-at-scale skills: scheduling, security posture, observability, delivery automation, and day-2. Assumes Parts 00–03 fluency (skim them; do not skip 00-foundations/06 — SSA/GitOps hangs off it).
Why this order: internals → placement → security floor → observability → scale/reliability/cost → delivery automation → day-2 → compose it all. Skips (be honest): application-author depth (multi-container patterns, Jobs/CronJobs detail, app config ergonomics) — that is Path 1 / CKAD; this track assumes you can already write a workload and focuses on running fleets of them.
Choosing a path
Just need to deploy something soon ............ Path 1 (Fast track)
Learning Kubernetes properly, end to end ...... Path 2 (Zero-to-production) ← the default
Sitting CKAD ................................. Path 3 → CKAD map
Sitting CKA .................................. Path 3 → CKA map
Sitting CKS (after CKA) ...................... Path 3 → CKS map
Platform/SRE building & operating clusters ... Path 4 (Platform/SRE/ops)
Every path finishes at the end-to-end Bookstore — the Bookstore stood up from zero with GitOps, observed, autoscaled, hardened, and DR-drilled. If you can do that end-to-end and explain why each step is there, the path worked. Readers who then take Parts 10 - 12 (cloud / advanced production / ML) close on the Bookstore Platform v2 grand capstone — the production reality: N tenants across three regions with the day-2 runbook, on-call playbook, DR drill, and chaos game-day that turn the platform's capabilities into a working system.
See also: Appendix A — kubectl cheatsheet · Appendix B — Glossary · Appendix C — YAML & API conventions · Appendix D — Further reading (the book chapters behind each Part, and the CNCF-landscape pointer). Exam curricula (authoritative, current): https://github.com/cncf/curriculum.