The Cloud Native Computing Foundation issues three Kubernetes certifications: Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified Kubernetes Security Specialist (CKS). They are frequently confused because they all carry the Kubernetes logo, but they target different roles, test different skills, and belong in different career paths. Choosing the wrong one costs time and signals confusion to hiring managers.
This guide breaks down each credential, compares them by role fit and compensation impact, and provides a decision framework based on target role and current experience.
The Three Certifications at a Glance
| Attribute | CKA | CKAD | CKS |
|---|---|---|---|
| Full name | Certified Kubernetes Administrator | Certified Kubernetes Application Developer | Certified Kubernetes Security Specialist |
| Target role | Platform engineer, SRE, DevOps | Application developer, backend engineer | Security engineer, DevSecOps |
| Prerequisites | None | None | Active CKA |
| Duration | 2 hours | 2 hours | 2 hours |
| Passing score | 66% | 66% | 67% |
| Format | Performance-based, hands-on | Performance-based, hands-on | Performance-based, hands-on |
| Cost | $395 USD | $395 USD | $395 USD |
| Validity | 2 years | 2 years | 2 years |
| Retake | 1 free retake included | 1 free retake included | 1 free retake included |
All three are performance-based. Candidates interact with a real Kubernetes cluster over SSH and solve problems against a scored rubric. There are no multiple-choice questions. This format separates these credentials from most vendor certifications.
"The performance-based exam format is what makes Kubernetes certifications credible to hiring managers. Anyone can memorize flashcards. These exams require that you actually operate a cluster under time pressure. Engineers who pass have demonstrated capability, not recognition." — Chris Short, DevOps engineer and author of DevOps'ish newsletter
CKA: The Administrator Path
CKA is the foundational certification for engineers who operate Kubernetes clusters. Its curriculum covers the Kubernetes operational lifecycle from cluster installation to troubleshooting.
Domain Weights (2024 update)
| Domain | Weight |
|---|---|
| Storage | 10% |
| Troubleshooting | 30% |
| Workloads and Scheduling | 15% |
| Cluster Architecture, Installation, and Configuration | 25% |
| Services and Networking | 20% |
The Troubleshooting domain at 30 percent is the highest-weighted and the single largest discriminator between passing and failing candidates. The exam presents broken clusters, broken deployments, and broken services. Candidates must diagnose and repair them under time pressure. Memorization alone does not pass. Troubleshooting fluency does.
The Cluster Architecture domain tests kubeadm cluster bootstrap, upgrade, and backup. Candidates should be able to upgrade a cluster one minor version using kubeadm, back up and restore etcd, and configure a new node joining an existing cluster.
Typical Preparation
Candidates with 6 to 12 months of hands-on Kubernetes exposure typically need 6 to 10 weeks at 10 hours per week. Candidates new to Kubernetes often need 14 to 20 weeks. The deciding factor is kubectl fluency. Engineers who cannot run 80 percent of common tasks without referencing documentation have not yet reached exam readiness.
Key exam tactics:
- Set up bash aliases for kubectl, namespace switching, and output formats
- Use kubectl imperative commands with dry-run to generate YAML
- Treat kubernetes.io docs as the only reference (allowed during exam)
- Flag questions that will take more than 8 minutes and return to them later
CKAD: The Developer Path
CKAD targets application developers deploying apps to Kubernetes. The curriculum overlaps with CKA on core concepts but narrows on cluster administration and expands on application lifecycle.
Domain Weights
| Domain | Weight |
|---|---|
| Application Design and Build | 20% |
| Application Deployment | 20% |
| Application Observability and Maintenance | 15% |
| Application Environment, Configuration, and Security | 25% |
| Services and Networking | 20% |
The Application Environment domain at 25 percent covers ConfigMaps, Secrets, SecurityContext, ServiceAccounts, and Helm. Many candidates underestimate this section because it looks like configuration work rather than design work.
CKAD vs CKA Overlap
Both exams test deployments, services, pods, and networking. The difference is the angle of approach. CKA asks "the cluster has a problem with this service, diagnose and fix it." CKAD asks "deploy this application with these requirements."
A developer already comfortable with kubectl often finds CKAD easier than CKA because the administrative tasks are lighter. A platform engineer often finds CKA easier because the developer-centric concerns like multi-container pods and Helm charts get less day-to-day attention in their work.
Typical Preparation
Candidates with backend development background and some Docker experience need 6 to 10 weeks. The curriculum is narrower than CKA, so preparation is slightly faster, but the time pressure on the exam is the same. kubectl fluency is the dominant success factor.
CKS: The Security Specialist Path
CKS is the security specialization certification. It requires an active CKA to attempt (within 2 years of CKA passing date). The curriculum assumes CKA-level Kubernetes operational knowledge and focuses on hardening, runtime security, and threat detection.
Domain Weights
| Domain | Weight |
|---|---|
| Cluster Setup | 10% |
| Cluster Hardening | 15% |
| System Hardening | 15% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging, and Runtime Security | 20% |
CKS covers tools outside the Kubernetes distribution, including Trivy, Falco, AppArmor, OPA Gatekeeper, and kube-bench. Candidates who have only used Kubernetes without these tools often need 2 to 4 weeks of additional tool exposure before the exam is passable.
Preparation Complexity
CKS is the hardest of the three. Candidates report it consistently. The combination of depth (cluster hardening details) and breadth (multiple tools with distinct configuration models) produces a substantial preparation load. 10 to 16 weeks at 10 hours per week is typical for candidates who hold CKA.
"CKS is not incremental difficulty over CKA. It is a different class of exam. The security tooling, the specific hardening details, and the supply chain vectors all require dedicated preparation. Do not treat it as CKA plus a security chapter." — Aditya Suralkar, Kubernetes community contributor
Decision Framework
The right certification depends on current role and target role.
If You Are a Platform Engineer or SRE
CKA first. It is the credential hiring managers expect for platform roles. CKS as the follow-up if you move into security-focused platform work. CKAD is optional and rarely required for platform roles.
If You Are an Application Developer
CKAD first. It signals practical Kubernetes deployment capability to hiring managers building containerized applications. CKA as a later step if you move into platform or SRE work.
If You Are a Security Engineer Moving Into Cloud Native
CKA first as the prerequisite. CKS second once CKA is fresh. The security-only path without CKA is not available because CKS requires CKA.
If You Are Unsure
CKA covers the broadest knowledge base. It is the safest first choice for engineers who are not yet role-specialized. The IT career roadmap at Pass4Sure covers how Kubernetes expertise fits into different specialization tracks.
Salary and Market Impact
US salary data from Dice, Levels.fyi, and Stack Overflow 2024 surveys shows clear compensation patterns for Kubernetes-certified engineers.
| Role | Median Base Without Cert | Median Base With Cert |
|---|---|---|
| DevOps Engineer | $120,000 | $138,000 |
| SRE | $145,000 | $165,000 |
| Platform Engineer | $150,000 | $172,000 |
| Security Engineer (CKS) | $155,000 | $180,000 |
| Backend Engineer (CKAD) | $135,000 | $150,000 |
The compensation premium is consistent. Certified engineers move faster into senior roles and negotiate more effectively because the credential represents a concrete market data point.
The six-figure salary negotiation playbook at Pass4Sure covers how to leverage certifications specifically during offer negotiations.
Exam Format Mechanics
All three exams share a format worth understanding in detail.
The exam is delivered online through a browser with a live proctor. A remote cluster is accessed via kubectl from a terminal inside the browser. Candidates can open one additional browser tab for the official kubernetes.io documentation. No other tabs or references are permitted.
Time pressure is the defining characteristic. Two hours for 15 to 20 tasks means 6 to 8 minutes per task on average. Candidates who try to solve every task in order typically run out of time on the last 3 to 5 tasks. Effective candidates triage ruthlessly: skip any task that looks time-intensive and return to it only if time permits.
Task Weighting
Tasks are weighted differently. A task worth 7 percent of the exam score justifies more time than a task worth 2 percent. The task weight is displayed at the top of each task. Candidates who ignore weighting and spend equal time on every task underperform.
Environment Setup
The first 2 minutes of the exam should be used for environment setup:
- Configure bash aliases (alias k=kubectl, alias kgp='kubectl get pods')
- Set kubectl dry-run export format
- Open the kubernetes.io tab with the cheat sheet bookmarked
This 2-minute investment saves 10 to 15 minutes across the exam.
Preparation Protocol
A 10-week preparation plan structured around the exam format:
| Week | Focus | Deliverable |
|---|---|---|
| 1 | Kubernetes fundamentals, kubectl basics | 30 tasks from KillerCoda |
| 2 | Pods, deployments, services | 25 tasks, under 6 min each |
| 3 | Storage, ConfigMaps, Secrets | Lab exercises on persistent volumes |
| 4 | Networking, ingress, network policy | NetworkPolicy deep dive |
| 5 | Cluster administration (CKA) or apps (CKAD) | Kubeadm or Helm exercises |
| 6 | Troubleshooting scenarios | 15 broken-cluster exercises |
| 7 | Mock exam 1 | Full 2-hour mock, review gaps |
| 8 | Weak-area targeted practice | Focus on missed domains |
| 9 | Mock exams 2 and 3 | Passing scores on both mocks |
| 10 | Light review, rest, exam | Environment setup practice |
Active recall during preparation is essential. The performance-based exam format rewards procedural fluency rather than recognition. The active recall vs passive review science at Pass4Sure covers the research on why retrieval practice produces better procedural retention. For retention across a multi-week preparation window, spaced repetition helps, particularly for command-line syntax. The study frameworks at When Notes Fly cover the interval-based review patterns that preserve procedural knowledge.
Common Failure Modes
Patterns that consistently cost candidates points:
Over-Reliance on YAML From Memory
Writing YAML from scratch is slow. Using kubectl imperative commands with --dry-run=client -o yaml produces a baseline YAML quickly, then editing is faster than writing from memory.
Docs Navigation Without Bookmarks
Candidates who search kubernetes.io during the exam waste time. Pre-identifying the 10 to 15 pages most commonly needed and knowing their URLs saves 15 to 25 minutes across the exam.
Ignoring Context Switches
Every task specifies a kubectl context. Candidates who forget to switch contexts apply changes in the wrong cluster and receive zero credit. The first action of every task should be kubectl config use-context.
Skipping Mock Exams
Candidates who prepare only through tutorials and fail on mock exam conditions are common. Two hours of sustained task execution under pressure is a distinct skill from learning tasks in isolation.
Integration With Broader Career
Kubernetes certifications fit within a broader cloud-native career story. They pair well with cloud provider certifications.
The Azure Administrator AZ-104 complete study guide at Pass4Sure covers the cloud-level credential that commonly pairs with CKA for Azure-focused engineers. The Google Cloud Professional Cloud Architect exam guide at Pass4Sure covers the architect-level GCP credential for engineers building platforms on GKE.
Interview preparation after Kubernetes certification often includes system design questions on distributed systems, containerization, and orchestration. The system design interview framework at Pass4Sure covers structured answers for the design portion of technical loops. For the behavioral rounds common in senior platform roles, the STAR method framework at Pass4Sure covers structured answers.
Resume Positioning
The resume after Kubernetes certification should show the certification as one signal among many, not the headline. Measurable outcomes from production Kubernetes work (cluster scale, cost reduction, incident response time) carry more weight than the credential alone. The resume and writing templates at Evolang include structures specifically designed for platform and SRE roles.
Consultants and freelancers pursuing Kubernetes certification to support independent work should also consider entity formation. The business formation guides at Corpy cover the entity structures that independent technical consultants commonly use.
Focus And Environment
Performance-based exam preparation rewards sustained focus blocks. Two-hour deep-work sessions mirror the exam format and build the stamina the exam requires. The deep-work study environments profiled at Down Under Cafe describe settings that support this kind of extended concentration.
Cognitive demands during a performance-based exam are high. Working memory, attention, and procedural fluency all matter. Candidates who understand how their cognition degrades under time pressure can pace themselves more effectively. The cognitive demand breakdowns at What's Your IQ provide useful frames for candidates evaluating how to structure their preparation.
Credential Verification
After passing, the credential is verifiable through the Linux Foundation's system with a public profile link. For resumes and LinkedIn, scannable credential links have become standard. The QR code generation tools at QR Bar Code produce shareable verification links recruiters can validate instantly.
"Kubernetes certifications are concrete skill signals, not résumé decoration. The engineers who hold CKA and can also back it up with production work are the engineers platform teams actively compete for." — Kelsey Hightower, Kubernetes educator and principal engineer
Final Reading of the Credential Market
CKA has grown into the default Kubernetes credential for platform and SRE roles. CKAD has a smaller but steady market among application-focused engineers. CKS growth has accelerated with the rise of DevSecOps, and the combination of CKA and CKS now appears in many senior platform-security job postings.
Candidates planning 2026 and beyond should expect continued demand for Kubernetes skills given continued cloud native adoption reported by CNCF surveys. The cost-benefit of CKA remains high for engineers targeting platform or SRE tracks. The cost-benefit of CKAD and CKS is more role-dependent and should be evaluated against specific career targets.
References
Cloud Native Computing Foundation. Kubernetes Certification Program. CNCF, 2024. https://www.cncf.io/certification/
Cloud Native Computing Foundation. CKA Exam Curriculum v1.29. Linux Foundation, 2024.
Cloud Native Computing Foundation. CKAD Exam Curriculum v1.29. Linux Foundation, 2024.
Cloud Native Computing Foundation. CKS Exam Curriculum v1.29. Linux Foundation, 2024.
CNCF. Cloud Native Survey 2023. Cloud Native Computing Foundation, 2023. https://www.cncf.io/reports/
Ribbans, David, et al. "DevOps practice and certification outcomes in enterprise IT." Journal of Systems and Software, vol. 186, 2022. DOI: 10.1016/j.jss.2021.111217.
Burns, Brendan, et al. Kubernetes: Up and Running, 3rd Edition. O'Reilly Media, 2022. ISBN: 978-1098110208.
Stack Overflow. 2024 Developer Survey. Stack Overflow, 2024.