Kubernetes Certifications: CKA, CKAD, CKS Explained
A field guide to the official Kubernetes certifications — CKA, CKAD, CKS, KCNA, and KCSA — who runs them, what each validates, and which one to take first.
Kubernetes Certifications: CKA, CKAD, CKS Explained
Track: Cloud. The official Kubernetes certifications are CKA, CKAD, CKS, KCNA, and KCSA. All five are vendor-neutral, run jointly by the Cloud Native Computing Foundation (CNCF) and the Linux Foundation. The hands-on exams test what you can actually do in a live cluster, not what you can memorize.
If you walked the Cloud track at almost any developer conference since the mid-2010s, you saw the same session retitled every year: someone explaining how they ran containers in production. First it was raw Docker. Then orchestration. Then, around 2015, Kubernetes ate the schedule. The talks changed names. The whiteboard didn’t — it still showed pods, nodes, and the question every team eventually asks: who actually understands this thing well enough to be on call for it?
A certification is one durable answer to that question. Below is the field map.
What are the official Kubernetes certifications?
There is no single “Kubernetes certificate.” There are five distinct credentials, and they sit at different levels of depth and different parts of the lifecycle. Knowing which is which saves you from studying for the wrong exam.
| Credential | Full name | Level | Format |
|---|---|---|---|
| KCNA | Kubernetes and Cloud Native Associate | Entry | Multiple choice |
| KCSA | Kubernetes and Cloud Native Security Associate | Entry (security) | Multiple choice |
| CKAD | Certified Kubernetes Application Developer | Intermediate | Performance-based, hands-on |
| CKA | Certified Kubernetes Administrator | Intermediate/Core | Performance-based, hands-on |
| CKS | Certified Kubernetes Security Specialist | Advanced | Performance-based, hands-on |
The two associate exams (KCNA, KCSA) are knowledge checks. The three specialist exams (CKAD, CKA, CKS) are the ones people mean when they say “the Kubernetes certs” — and they are unusual in the certification world because they are not multiple choice. You sit in a live terminal connected to real clusters and you solve real tasks against a clock.
Who runs them, and why vendor-neutral matters
The credentials are administered by the Linux Foundation and governed by the CNCF certification program. CNCF is the same foundation that hosts the upstream Kubernetes project itself, alongside Prometheus, Envoy, and most of the cloud-native ecosystem.
That ownership matters more than it sounds. These exams are vendor-neutral. They do not test AWS EKS, Google GKE, or Azure AKS specifics. They test Kubernetes as the project ships it: kubectl, the API objects, the control plane, the kubelet. A team that hires on these credentials is hiring portable skill, not lock-in to one cloud’s managed console. That is the whole point of a foundation-run program rather than a vendor badge.
CKA — Certified Kubernetes Administrator
Who it’s for: Operators, platform engineers, SREs, and anyone responsible for running and maintaining clusters.
What it validates: Cluster architecture and installation, workloads and scheduling, services and networking, storage, and — the part that separates operators from users — troubleshooting. The CKA leans heavily on diagnosing broken clusters: a dead node, a misconfigured kubelet, a failing control-plane component.
Format: Performance-based. A live terminal, multiple clusters, a set of weighted tasks. You are graded on the end state of the cluster, not on how you got there.
Rough prep time: Plan on six to twelve weeks if you already work with Kubernetes regularly, longer if it is new. The single biggest predictor of passing is raw kubectl speed under time pressure.
The CKA is the closest thing to a “default” Kubernetes credential. If someone says “get certified in Kubernetes” with no other context, they usually mean this one.
CKAD — Certified Kubernetes Application Developer
Who it’s for: Developers who deploy and run applications on Kubernetes but do not necessarily administer the cluster underneath.
What it validates: Designing and building application deployments — pods, deployments, jobs, config maps and secrets, multi-container patterns, observability, and services. It assumes someone else owns the control plane. Your job is to ship workloads onto it correctly.
Format: Performance-based, same live-terminal style as the CKA, with a heavier emphasis on writing and patching manifests quickly.
Rough prep time: Often slightly shorter than the CKA for working developers, because the scope is narrower and closer to daily application work. Four to eight weeks is a common range.
If your job ends at “my service runs and is healthy” and starts again only when the cluster itself misbehaves, CKAD maps to your reality better than CKA.
CKS — Certified Kubernetes Security Specialist
Who it’s for: Engineers hardening clusters and workloads against real attack surface. This is the advanced tier.
What it validates: Cluster setup hardening, supply-chain security, runtime security, minimizing microservice vulnerabilities, monitoring and logging for security events, and tools like network policies, admission control, and RBAC done seriously.
Format: Performance-based and notably harder than CKA or CKAD. It is also gated.
Rough prep time: Treat it as a step beyond the CKA, not a parallel track.
The important rule: the CKS requires a valid, active CKA before you can sit it. You cannot jump straight to security specialist. CNCF wants proof you can administer a cluster before it certifies you to defend one. Verify the current validity window for that CKA prerequisite on the official site, because renewal rules shift.
KCNA and KCSA — the entry tier
KCNA (Kubernetes and Cloud Native Associate) is the on-ramp. It is multiple choice, covers Kubernetes fundamentals plus the broader cloud-native landscape (container orchestration, GitOps concepts, observability, the CNCF project ecosystem), and is aimed at people newer to the space — junior engineers, career switchers, managers who need fluency without operating clusters.
KCSA (Kubernetes and Cloud Native Security Associate) is the security-flavored associate exam — multiple choice, a conceptual foundation in cluster security and threat models, designed as a gentle precursor to the much harder CKS.
Neither associate exam is hands-on, and neither is a prerequisite for the specialist exams. They are confidence-builders and resume signals for people not yet ready for a live-terminal exam.
Which Kubernetes certification should you take first?
Here is the decision guide. Match the row to your actual job, not your aspirational title.
| Your situation | Start here | Then consider |
|---|---|---|
| New to Kubernetes entirely | KCNA | CKAD or CKA |
| Developer shipping apps onto a cluster | CKAD | CKA |
| Operator / SRE / platform engineer | CKA | CKS |
| Security-focused engineer | CKA (required first) | CKS |
| Manager needing fluency, not ops skill | KCNA | KCSA |
Two practical rules from the field:
- If you operate clusters, the CKA is your anchor. It is the prerequisite for CKS and the most widely recognized of the set.
- Do not skip straight to CKS. The prerequisite is structural, and the exam assumes CKA-level fluency you cannot fake.
The certifications themselves are a checklist, not a strategy. The same lesson runs through our DevOps lessons from conference tracks: a credential is only useful when it maps to a team behavior — in this case, the behavior of being trusted with a production cluster.
What the exams are actually like
As of 2026, the performance-based exams (CKA, CKAD, CKS) are online, remotely proctored, and run roughly two hours. You work in a real browser-based terminal against live clusters, with access to the official Kubernetes documentation during the exam — which tells you something important: nobody expects you to memorize every flag. They expect you to navigate fast and execute correctly.
Exam details change. Pass thresholds, exact durations, retake policies, certification validity periods, and pricing are all set by CNCF and the Linux Foundation and are revised periodically. Do not trust a number from a blog post — including this one. Confirm current exam mechanics directly on the CNCF certification page before you register. The credentials also expire and require renewal, so check the active validity window for whichever exam you take.
A few preparation habits that hold up regardless of the year:
- Practice in a real cluster on a timer. The exams reward speed, not theory. A minikube or kind cluster and a stopwatch beats any video course for the final stretch.
- Learn kubectl imperative commands cold. Generating manifests with
kubectl create ... --dry-run=client -o yamlsaves minutes you do not have. - Bookmark the docs structure, not the content. Since the official docs are open during the exam, knowing where things live is worth more than knowing them by heart.
The durable lesson for teams
The conference-track version of this story is simple. Every cloud track for a decade has had a Kubernetes session, and every one of them eventually circles the same question: how does a team prove it can be trusted with the cluster? Certifications are one credible signal — vendor-neutral, hands-on, and tied to real operational tasks rather than slideware.
For a hiring manager, the credential is a filter, not a verdict. A CKA tells you a candidate can troubleshoot a broken control plane under time pressure. It does not tell you they will make good architectural tradeoffs for your specific workloads. Use it as evidence, weigh it against how the work actually gets delivered, and pair it with the same discipline you would apply to any CI/CD pipeline decision: the certificate is the talk title; the operational judgment is the tradeoff still alive on the whiteboard.
Related reading
- DevOps Lessons From Conference Tracks
- CI/CD Pipeline: What It Is and How To Ship Reliably
- How to Use a Developer Conference Archive
Sources
- “Kubernetes Certifications” — CNCF Training & Certification — the authority that governs CKA, CKAD, CKS, KCNA, and KCSA, including current exam details and prerequisites
- “Certification Catalog” — The Linux Foundation — administers the exams and publishes current pricing, format, and validity terms