The Kubernetes Certification Landscape
Five certifications. Two exam formats. One ecosystem that keeps expanding. If you're considering a Kubernetes certification, the first challenge isn't studying — it's figuring out which certification to study for.
As of 2026, the CNCF and Linux Foundation run five Kubernetes-specific certifications, ranging from entry-level multiple-choice tests to performance-based exams where you solve real problems in a live cluster. What follows is the map: what each one covers, how the exams work, what they cost, and which one you should pursue first.
The Five Certifications at a Glance
| Certification | Level | Format | Duration | Passing Score | Price | Prerequisite |
|---|---|---|---|---|---|---|
| KCNA — Kubernetes and Cloud Native Associate | Associate | Multiple choice | 90 min | 75% | $250 | None |
| KCSA — Kubernetes and Cloud Native Security Associate | Associate | Multiple choice | 90 min | 75% | $250 | None |
| CKA — Certified Kubernetes Administrator | Professional | Performance-based | 2 hours | 66% | $445 | None |
| CKAD — Certified Kubernetes Application Developer | Professional | Performance-based | 2 hours | 66% | $445 | None |
| CKS — Certified Kubernetes Security Specialist | Specialist | Performance-based | 2 hours | 67% | $445 | Active CKA |
All five certifications are valid for two years. Each exam includes two attempts — if you fail the first time, you get a free retake within a year.
The certifications fall into two distinct tracks: associate-level knowledge exams (KCNA, KCSA) and professional-level performance-based exams (CKA, CKAD, CKS). The difference between these two formats is fundamental and affects how you prepare.
Associate Track: KCNA and KCSA
The associate certifications are traditional multiple-choice exams. You select answers from a list — no terminal, no cluster, no hands-on tasks. They test whether you understand Kubernetes concepts, not whether you can operate a cluster under pressure.
KCNA — Kubernetes and Cloud Native Associate
KCNA is the entry point to the entire ecosystem. It covers:
- Kubernetes architecture (control plane, nodes, etcd, kubelet)
- Core resources (Pods, Deployments, Services, Namespaces)
- Cloud native concepts (containers, microservices, service mesh)
- Observability basics (Prometheus, Grafana, logging)
- Application delivery (GitOps, CI/CD, Helm)
Who it's for: People new to Kubernetes who want to validate foundational knowledge before investing in a hands-on certification. If you're a developer or ops engineer who has read about Kubernetes but hasn't worked with it daily, KCNA gives you a structured way to fill in the gaps.
Honest take: KCNA won't get you a job on its own. It's a stepping stone. Most hiring managers look for CKA or CKAD. But if you're early in your Kubernetes journey, KCNA forces you to learn the vocabulary and mental model you'll need for the professional exams.
KCSA — Kubernetes and Cloud Native Security Associate
KCSA is the security-focused counterpart to KCNA. It covers:
- The 4Cs of cloud native security (Cloud, Cluster, Container, Code)
- Kubernetes cluster component security
- Kubernetes security fundamentals (RBAC, Pod Security, Network Policies)
- Kubernetes threat model and attack surfaces
- Platform security (supply chain, image scanning, admission control)
Who it's for: Security engineers or DevSecOps practitioners who want to validate their understanding of Kubernetes security before pursuing CKS. Also useful for compliance-focused roles where you need to speak the language of cloud native security without being a full-time cluster administrator.
Honest take: KCSA is newer and less established than KCNA. If your goal is CKS, you can skip KCSA and go straight to CKA → CKS. But if you want a gentler on-ramp to Kubernetes security, it's a solid choice.
Professional Track: CKA, CKAD, and CKS
The professional certifications are where things get serious. These are performance-based exams: you're given a real Linux terminal connected to one or more Kubernetes clusters, and you have to solve problems by running actual commands. No multiple choice. No guessing. If you can't type the right kubectl command and produce the right result, you don't pass.
CKA — Certified Kubernetes Administrator
CKA tests whether you can install, configure, and manage a Kubernetes cluster. It's the operations certification.
| Domain | Weight |
|---|---|
| Cluster Architecture, Installation & Configuration | 25% |
| Workloads & Scheduling | 15% |
| Services & Networking | 20% |
| Storage | 10% |
| Troubleshooting | 30% |
Key skills tested: bootstrapping clusters with kubeadm, configuring etcd backups, troubleshooting broken nodes, managing RBAC, configuring network policies, setting up ingress controllers, managing persistent volumes.
Who it's for: Platform engineers, SREs, DevOps engineers — anyone responsible for keeping clusters running. If you provision infrastructure, debug node issues, or manage cluster upgrades, CKA is your certification.
Honest take: Troubleshooting is 30% of the exam and the section most people underestimate. You'll need to diagnose broken nodes, failing pods, and misconfigured networking under time pressure. If you've never SSH'd into a node to check kubelet logs, practice that before exam day.
CKAD — Certified Kubernetes Application Developer
CKAD tests whether you can design, build, and deploy applications on Kubernetes. It's the developer certification.
| Domain | Weight |
|---|---|
| Application Design and Build | 20% |
| Application Deployment | 20% |
| Application Observability and Maintenance | 15% |
| Application Environment, Configuration and Security | 25% |
| Services and Networking | 20% |
Key skills tested: creating Deployments, Jobs, and CronJobs, configuring probes and health checks, managing ConfigMaps and Secrets, using Helm and Kustomize, writing network policies, configuring resource requests and limits, exposing applications via Services and Ingress.
Who it's for: Backend developers, application engineers, and DevOps engineers who deploy workloads on Kubernetes but don't manage the underlying cluster. If you write Deployment manifests, configure CI/CD pipelines that target Kubernetes, or troubleshoot application-level issues, CKAD is your certification.
Honest take: If you write Kubernetes manifests at work, CKAD will feel more approachable than you expect. The challenge is speed, not knowledge — you need to complete tasks fast enough to get through all of them. The "Application Environment, Configuration and Security" domain at 25% is where most points live.
CKS — Certified Kubernetes Security Specialist
CKS is the advanced security certification. It's the only Kubernetes cert with a hard prerequisite: you must hold an active CKA to register.
| Domain | Weight |
|---|---|
| Cluster Setup | 15% |
| Cluster Hardening | 15% |
| System Hardening | 10% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging and Runtime Security | 20% |
Key skills tested: configuring API server audit logging, implementing Pod Security Standards, scanning images with Trivy, enforcing network policies, configuring OPA/Gatekeeper admission control, using Falco for runtime detection, securing the supply chain.
Who it's for: Security engineers, senior platform engineers, and anyone responsible for cluster security posture. If you define security policies, respond to incidents, or audit Kubernetes configurations for compliance, CKS is your certification.
Honest take: CKS is genuinely harder than CKA or CKAD. The tooling landscape — Falco, Trivy, OPA/Gatekeeper — changes faster than the other exams, and you need hands-on familiarity with tools you may not use daily. Budget more preparation time for CKS than you did for CKA.
What Performance-Based Exams Actually Look Like
If you've only taken multiple-choice certifications before, the CKA/CKAD/CKS exam format will feel different. Here's what to expect:
The environment: You get a Linux remote desktop in your browser via PSI Bridge. It has a terminal, a browser for the Kubernetes documentation, and you're connected to one or more pre-configured Kubernetes clusters. You switch between clusters using kubectl config use-context as instructed by each question.
The tasks: Each question is a specific task — "Create a NetworkPolicy that allows traffic only from namespace X to pods with label Y", "Fix the broken Deployment in namespace Z", "Configure an Ingress resource that routes /api to service A and / to service B." You complete the task, and a grading script checks the result.
What you can use: The Kubernetes documentation at kubernetes.io/docs is available during the exam. You can search docs, copy YAML snippets, and adapt them. This is by design — the exam tests whether you can apply knowledge under time pressure, not whether you memorized every field name.
What you can't use: No other websites, no notes, no AI assistants, no second monitor, no personal bookmarks. One remote desktop session, the Kubernetes docs, and your skills.
Time pressure is real: You have 2 hours for 15-20 tasks. Some are quick (2-3 minutes), others take 10-15 minutes. Knowing how to use kubectl efficiently is the difference between finishing and running out of time.
Here's the kind of workflow that saves minutes on exam day — generating a starter manifest instead of writing YAML from scratch:
# Generate a Deployment manifest without creating the resource
$ kubectl create deployment nginx --image=nginx:1.27 --replicas=3 --dry-run=client -o yaml > deploy.yaml
# Check what fields are available for a resource
$ kubectl explain deployment.spec.strategy
KIND: Deployment
VERSION: apps/v1
FIELD: strategy <DeploymentStrategy>
DESCRIPTION:
The deployment strategy to use to replace existing pods with new ones.
FIELDS:
rollingUpdate <RollingUpdateDeployment>
type <string>
Type of deployment. Can be "Recreate" or "RollingUpdate". Default is
RollingUpdate.
These two commands — --dry-run=client -o yaml for generating manifests and kubectl explain for looking up field names — will come up in nearly every task. Practice them until they're muscle memory.
Choosing Your Path
There's no single "right" certification to start with. The best choice depends on your role, experience, and goals.
By experience level
- New to Kubernetes: Start with KCNA. Build the mental model first, then move to CKA or CKAD.
- Some Kubernetes experience (you've deployed apps, written manifests): Skip KCNA. Go directly to CKAD (if you're a developer) or CKA (if you're in ops/platform engineering).
- Experienced with Kubernetes (you manage clusters daily): Consider CKA first (if you haven't formalized your knowledge), then CKS for the security specialization.
By role
| Role | Recommended Path |
|---|---|
| Backend developer | CKAD → CKA (optional) |
| DevOps / Platform engineer | CKA → CKAD → CKS |
| SRE | CKA → CKS |
| Security engineer | KCSA → CKA → CKS |
| Student / Career switcher | KCNA → CKAD or CKA |
CKA vs CKAD — the common question
This is the most frequent question, and the answer is simpler than people think:
- CKA focuses on the cluster itself: installation, networking, storage, troubleshooting nodes. You manage the platform.
- CKAD focuses on what runs on the cluster: application design, deployment strategies, configuration, observability. You build on the platform.
There's overlap (both cover Services, ConfigMaps, RBAC basics), but the perspective is different. If you had to pick one, pick the one that matches what you do at work. If you plan to do both, the order doesn't matter much — the shared knowledge transfers either way.
The Kubestronaut Program
Pass all five Kubernetes certifications (KCNA, KCSA, CKA, CKAD, CKS) while all are active, and you earn the Kubestronaut title. The critical constraint: all five must be current simultaneously. Since each cert is valid for 2 years, you need to plan your exam schedule so nothing expires before you complete the set. Starting with the two associate exams and finishing with CKS is a common path.
Benefits include exam discounts (five 50%-off vouchers per year, shareable), CNCF event discounts, and a public listing on the Kubestronaut map. If you're planning to go for all five, the Kubestronaut Bundle offers a significant discount over buying each exam individually.
For the truly dedicated, the Golden Kubestronaut program requires passing all 15 CNCF certifications plus the LFCS — 16 exams total as of March 2026. The Golden title is awarded for life.
Gotchas
All certifications expire after 2 years. There's no "lifetime" Kubernetes certification. You need to recertify before expiration. The recertification exam is the same format and difficulty as the original — no shortcuts.
CKS requires an active CKA. You must hold a current CKA to register for CKS. If you're planning to hold both, keep your CKA renewal on your calendar — letting it lapse means you'll need to recertify CKA before you can recertify CKS.
The PSI Bridge environment is finicky. The proctored exam runs in a remote desktop session via PSI Bridge that occasionally has connectivity issues, webcam problems, or lag. Test your setup well before exam day using the PSI compatibility check. Close every other application. Use a wired connection if possible. You'll need to start the exam process 30 minutes before your scheduled time.
Don't underestimate time management. The performance-based exams give you enough time if you're efficient, but not if you're fumbling through basic kubectl operations. Practice until kubectl create, kubectl run, and kubectl explain are muscle memory. Know how to use --dry-run=client -o yaml to generate manifest starters instead of writing YAML from scratch.
The Kubernetes docs are your friend — but only if you know where things are. You're allowed to search kubernetes.io/docs during the exam. But if you've never navigated those docs before, you'll waste precious minutes hunting for the right page. Practice navigating the docs as part of your study routine.
Commit before buying bundles. The Kubestronaut Bundle offers a significant discount, but check the refund policy before purchasing — bundle terms differ from individual exams. Only buy the bundle if you're committed to the full set.
Wrap-up
Pick the certification that matches your current role and experience, not the one that sounds most impressive. A developer who passes CKAD and can confidently deploy applications has more practical value than someone who crammed for CKA but can't troubleshoot a broken pod.
The landscape breaks down cleanly: two associate exams for knowledge validation, three professional exams for hands-on proof, and the Kubestronaut path for breadth. Start with one, build from there.
KubeDojo's first certification series is the CKAD learning path — 18 articles covering every exam domain with hands-on exercises, real YAML manifests, and the gotchas that cost points on exam day. Building container images is where it starts.
Mastering the Kubernetes ecosystem — depth-first, no hype.
Subscribe to KubeDojo
Get the latest articles delivered to your inbox.
Related Articles
CNCF Certified Kubernetes AI Conformance Program
CNCF launched v1.0 of the Kubernetes AI Conformance Program defining baseline capabilities for running AI workloads across conformant clusters.
Introduction to KEDA and Event-Driven Autoscaling
How KEDA extends Kubernetes HPA with 65+ scalers, scale-to-zero, and a two-phase architecture for event-driven pod autoscaling.
NVIDIA AI Cluster Runtime: Validated GPU Kubernetes Recipes
NVIDIA released AI Cluster Runtime, an open-source project providing validated, version-locked Kubernetes configurations for GPU infrastructure.