The three CNCF Kubernetes certifications — CKA (Certified Kubernetes Administrator), CKAD (Certified Kubernetes Application Developer), and CKS (Certified Kubernetes Security Specialist) — are the most in-demand credentials in cloud infrastructure today. But they test completely different skills, target different roles, and must be taken in a specific order.
Here is the short answer: most professionals should start with CKA. It builds the broadest cluster knowledge, is required before you can sit CKS, and is the one cert that consistently commands six-figure salaries across DevOps, platform engineering, and SRE roles. The longer answer depends on where you are in your career — and that is what this guide covers.
What Each Certification Actually Tests
All three exams are 100% performance-based. You solve real problems in a live Kubernetes cluster using a terminal — no multiple-choice questions, no theory-only answers. All three include two free Killer.sh simulator sessions and one free retake.
CKA — Certified Kubernetes Administrator
The CKA tests your ability to run and maintain Kubernetes clusters. Think cluster bootstrapping with kubeadm, network troubleshooting, persistent storage, RBAC configuration, and upgrading control plane components.
Exam domains (post-January 2025 revision):
| Domain | Weight |
|---|---|
| Troubleshooting | 30% |
| Cluster Architecture, Installation & Configuration | 25% |
| Services & Networking | 20% |
| Workloads & Scheduling | 15% |
| Storage | 10% |
The January 2025 curriculum revision was significant — it added Gateway API (the successor to Ingress), Helm, Kustomize, and custom resource definitions. If you are studying from guides written before 2025, they are out of date.
- Duration: 2 hours | Pass score: 66% | Cost: $445
- Open book: kubernetes.io/docs, kubernetes.io/blog, helm.sh/docs, gateway-api.sigs.k8s.io
- Prerequisites: None
CKAD — Certified Kubernetes Application Developer
The CKAD tests your ability to deploy and manage applications on Kubernetes. You spend exam time writing and debugging YAML manifests, configuring Deployments and StatefulSets, setting resource limits, and working with ConfigMaps, Secrets, and multi-container pod patterns.
Exam domains:
| Domain | Weight |
|---|---|
| Application Environment, Configuration and Security | 25% |
| Application Design and Build | 20% |
| Application Deployment | 20% |
| Services and Networking | 20% |
| Application Observability and Maintenance | 15% |
The CKAD skews heavily toward application-level concerns. You will not be bootstrapping clusters or managing etcd — you are the person shipping services onto a cluster that someone else operates.
- Duration: 2 hours | Pass score: 66% | Cost: $445
- Open book: kubernetes.io/docs, kubernetes.io/blog, helm.sh/docs
- Prerequisites: None
CKS — Certified Kubernetes Security Specialist
The CKS is the hardest of the three. It tests your ability to harden Kubernetes clusters and workloads against real-world attack vectors: supply chain attacks, container escape, privilege escalation, and runtime threat detection.
Exam domains:
| Domain | Weight |
|---|---|
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging and Runtime Security | 20% |
| Cluster Setup | 15% |
| Cluster Hardening | 15% |
| System Hardening | 10% |
You need to know Falco for runtime threat detection, Trivy and Cosign for image scanning and signing, OPA/Gatekeeper for policy enforcement, Pod Security Admission, AppArmor, seccomp profiles, network policies, and CIS Benchmarks.
- Duration: 2 hours | Pass score: 67% | Cost: $445
- Open book: kubernetes.io/docs, kubernetes.io/blog, helm.sh/docs
- Hard prerequisite: You must have passed CKA before you can schedule CKS
CKA vs CKAD vs CKS: Side-by-Side Comparison
| CKA | CKAD | CKS | |
|---|---|---|---|
| Primary focus | Operating clusters | Deploying apps | Securing clusters |
| Difficulty | Intermediate | Intermediate | Advanced |
| Cluster admin knowledge | Deep | Shallow | Deep (via CKA) |
| YAML/manifest writing | Moderate | Heavy | Moderate |
| Security hardening | Basic | Minimal | Extensive |
| Storage (PVs, PVCs) | Deep | Moderate | None |
| Supply chain security | None | None | Heavy |
| Runtime threat detection | None | None | Heavy (Falco) |
| Cluster bootstrapping | Yes (kubeadm) | No | No |
| Target role | Admin, SRE, DevOps | Developer, Platform Dev | Security Eng, DevSecOps |
| Prep time (experienced) | 8–16 weeks | 4–10 weeks | 6–12 weeks |
| Required before | CKS | — | — |
Salary and Career Impact
CNCF's 2025 survey found Kubernetes adoption at 84%+ across enterprises, which drives sustained demand for certified professionals. Across the three certifications, here is where salaries land in the US market for 2025–2026:
CKA holders:
- DevOps Engineer / Platform Engineer / SRE: $120,000–$180,000
- Senior/staff roles: $180,000–$200,000+
- Roughly 15–25% salary premium over non-certified peers in similar roles
CKAD holders:
- Cloud Developer / Backend Engineer (K8s-focused): $105,000–$150,000
- Higher in competitive tech markets (San Francisco, New York, Seattle)
- Entry-level certified roles: $85,000–$100,000
CKS holders:
- Security Engineer / DevSecOps: $130,000–$180,000+
- Senior/architect roles: $200,000+
- Commands the highest individual cert premium — 25–35% above non-certified security roles
If you are purely optimizing for salary leverage, the CKS has the best marginal return once you already have CKA. But CKA itself has the best absolute return because it opens the most job titles.
Which Should You Get First?
The standard recommendation: CKA first
For most DevOps engineers, platform engineers, and SREs, CKA is the right starting point. It gives you the broadest foundation, is the direct prerequisite for CKS, and maps closest to how Kubernetes is actually operated in production environments. You can explore the full CKA study guide for a deep dive into domains and prep strategies.
CKA first makes sense if you:
- Work in operations, infrastructure, or platform engineering
- Want to maximize your options across the most job titles
- Plan to eventually earn CKS
- Are early in your Kubernetes journey
CKAD first if you are a developer who ships to K8s
If you are a software developer whose cluster is managed by someone else, CKAD may be the more relevant certification — and it requires less infrastructure background. CKAD prep time is typically 4–10 weeks versus CKA's 8–16 weeks for candidates without prior K8s admin experience.
CKAD first makes sense if you:
- Write application code that runs on Kubernetes but do not manage the cluster
- Want to add Kubernetes fluency to a backend or platform development role
- Plan to do CKA afterward for career breadth
CKS is always third
There is no debate about CKS ordering — it requires a passed CKA to schedule. Plan 6–12 additional weeks of focused prep after CKA before attempting CKS. The gap in scope is significant: CKS introduces entirely new tools (Falco, Trivy, Cosign, OPA) that do not appear in either of the other exams.
The CNCF Learning Path: Kubestronaut
Beyond the three core certs, CNCF offers two entry-level certifications:
- KCNA (Kubernetes and Cloud Native Associate) — multiple-choice, beginner-level
- KCSA (Kubernetes and Cloud Native Security Associate) — multiple-choice, security fundamentals
The full learning path: KCNA → KCSA → CKA → CKAD → CKS
Pass all five and you earn Kubestronaut status — an exclusive community of roughly 3,500 engineers as of 2026. Benefits include a 50% KubeCon registration discount for life, a free Kubernetes Community Day ticket, and a featured listing on the CNCF website.
In 2025, CNCF also launched the Golden Kubestronaut program: pass all 15 CNCF certifications and earn an exclusive backpack, professional recommendation letter, and "for life" designation.
Exam Format: What to Expect on Test Day
All three exams share the same format. Knowing this ahead of time reduces surprises:
It is entirely hands-on. You will have a browser-based terminal connected to one or more real Kubernetes clusters. Tasks are scored automatically based on cluster state after you finish — not on your specific commands.
The open-book policy is narrower than you think. You can open tabs to kubernetes.io/docs, kubernetes.io/blog, helm.sh/docs, and (for CKA) gateway-api.sigs.k8s.io. Google, Stack Overflow, and AI tools are not allowed. The practical implication: you need to be fast at navigating the official docs, not just know the material.
Speed matters more than most guides emphasize. With 15–20 tasks in 2 hours, you have roughly 6 minutes per task. Tasks have weighted points — skip low-value hard tasks and return to them. Most exam failure is time management, not knowledge gaps.
Two Killer.sh sessions are included. These 36-hour simulator sessions are the single best preparation resource. The difficulty is calibrated to be harder than the real exam. If you are comfortable with Killer.sh scores, you are ready.
Cost and Purchasing Strategy
All three exams cost $445 each as of February 2025. There are several ways to reduce that cost significantly:
Bundle deals:
- CKA + CKAD + CKS bundle: $1,245 (saves ~$90 vs. separate)
- Kubestronaut bundle (all 5 certs): ~$1,595 (saves ~$788 vs. separate)
Discount codes:
- CNCF regularly runs 35–40% off sales — the Earth Day, KubeCon, and Black Friday sales are the biggest
- Code
EARTH26was valid through June 21, 2026 (35% off, ~$289 per exam) - Watch the Linux Foundation training newsletter for upcoming codes before purchasing
The advice here: do not buy at full price. A 35% discount code appears at least 3–4 times per year.
Common Questions
Is CKA harder than CKAD? Generally yes, due to the breadth of cluster administration topics and kubeadm tasks. CKAD is more focused but time-pressured on manifest writing speed. Neither is easy — both require hands-on terminal practice, not just reading.
Does CKS require an active CKA? You must have passed CKA before scheduling CKS. Check the current Linux Foundation FAQ for whether CKA must still be within its 2-year validity window, as policies have been updated recently.
How long is each certification valid? 2 years (for certifications earned after April 1, 2024). You retake the exam to renew — there is no shorter renewal exam option.
What is the pass rate? CNCF does not publish official pass rates. Community estimates put CKA first-attempt success at roughly 50–60% for candidates who have completed hands-on practice. Killer.sh simulation completion is the strongest predictor of passing.
Can I use AI tools during the exam? No. The exam environment locks your browser to specific approved documentation URLs only. This is enforced by PSI proctoring software.
Getting Started with Hands-On Practice
Reading about Kubernetes certifications is necessary but not sufficient. All three exams are performance-based — the gap between understanding Kubernetes conceptually and executing tasks under exam time pressure is significant.
The fastest way to close that gap is hands-on lab practice. CloudaQube's Kubernetes learning paths give you guided labs covering CKA domains (cluster setup, networking, storage, troubleshooting), CKAD application patterns, and CKS security hardening scenarios — all in live cluster environments without local setup overhead. Once you are comfortable with the exam environments, review Kubernetes production best practices to see how these skills apply in real deployments.
The CKA certification study guide covers a complete domain-by-domain breakdown with essential kubectl commands and study timelines for each domain. If you are starting with CKAD, the same study discipline applies — swap cluster admin labs for application deployment patterns.
All three certifications are worth the investment. Kubernetes adoption shows no signs of slowing, and the performance-based format means certified professionals have demonstrably proven their skills in a way that multiple-choice exams cannot.
