The Certified Kubernetes Application Developer (CKAD) is a two-hour, hands-on exam that proves you can build, deploy, configure, and troubleshoot applications running on Kubernetes — entirely from the command line. You need 66% to pass, the exam is based on Kubernetes v1.35, and it costs $445 with a free retake included. Unlike a multiple-choice cert, there is nowhere to hide: you either know how to fix a broken Deployment in four minutes or you don't.
This guide covers the five exam domains and their exact weights, a realistic study timeline, the kubectl muscle memory that actually wins you points, and the mistakes I see developers make under exam pressure. If you're still deciding between Kubernetes certs, start with CKA vs CKAD vs CKS — then come back here.
What the CKAD actually tests
The CKAD is aimed at the person who ships workloads to a cluster, not the person who runs the cluster. Where the CKA drills into etcd backups, node maintenance, and control-plane troubleshooting, the CKAD assumes the cluster is already healthy and asks: can you get an application onto it correctly?
In practice that means writing Pod, Deployment, Job, and CronJob manifests; wiring up ConfigMaps, Secrets, and environment variables; defining probes, resource requests, and security contexts; and exposing workloads through Services and Ingress. Every task is graded by an automated checker that inspects the resulting cluster state — so a manifest that looks right but never applied cleanly earns zero.
Here are the official 2026 facts, taken directly from the Linux Foundation CKAD page:
| Detail | Value |
|---|---|
| Passing score | 66% |
| Duration | 2 hours |
| Format | Performance-based (live cluster, CLI) |
| Tasks | ~15–20 |
| Kubernetes version | v1.35 |
| Cost | $445 (two attempts included) |
| Validity | 2 years |
| Simulator | 2 Killer.sh sessions, 36 hours each |
CKAD exam domains and weights
The exam is split across five domains. The single highest-weighted area is Application Environment, Configuration and Security at 25% — so if you have to prioritize one cluster of skills, that's it.
| Domain | Weight |
|---|---|
| Application Environment, Configuration and Security | 25% |
| Application Design and Build | 20% |
| Application Deployment | 20% |
| Services and Networking | 20% |
| Application Observability and Maintenance | 15% |
Application Environment, Configuration and Security (25%)
The biggest domain, and the one most candidates underprepare for. You need fluency with ConfigMaps and Secrets (both as environment variables and as mounted volumes), ServiceAccounts, securityContext at the pod and container level, resource requests and limits, and how to discover the right CRDs and admission behavior in an unfamiliar cluster. Expect at least one task that hinges on mounting a Secret as a file rather than an env var — a distinction people fumble under time pressure.
Application Design and Build (20%)
Container fundamentals: defining and building images, multi-container Pod patterns (sidecar, init containers), and the workload primitives — Jobs, CronJobs, and Deployments. You should be able to explain why you'd reach for an init container versus a sidecar, and write a CronJob with the correct schedule and concurrencyPolicy without looking it up.
Application Deployment (20%)
Rolling updates, rollbacks, and deployment strategies. Know kubectl rollout cold — status, history, undo, and --to-revision. You'll likely be asked to scale a Deployment, perform a rolling update, then roll it back to a specific revision. Helm and Kustomize basics also live here; you don't need to be a Helm expert, but you should be able to install and template a chart.
Services and Networking (20%)
ClusterIP, NodePort, and LoadBalancer Services; Ingress rules and controllers; and NetworkPolicy. NetworkPolicy is the highest-leverage topic in this domain because the syntax is fiddly and most candidates avoid practicing it. Learn to write a default-deny policy and then selectively allow ingress from a labeled namespace — that's a classic exam pattern.
Application Observability and Maintenance (15%)
Liveness, readiness, and startup probes; container logging; and debugging with kubectl describe, logs, exec, and events. Smallest domain, but probes show up everywhere — a misconfigured readiness probe is the most common reason a "correct" Deployment task still fails the grader.
How hard is the CKAD?
The CKAD is moderately hard, but the difficulty is time, not knowledge. The community pass rate sits around 62–70% for first-time takers (Practical DevSecOps), and most people who fail say the same thing: they knew how to do every task but ran out of clock. At roughly 6–8 minutes per task, there is no room to write YAML from scratch or read documentation leisurely.
I've sat the performance-based CNCF exams, and the lesson that transfers across all of them is this: the candidates who pass aren't smarter, they're faster. They've turned manifest authoring into reflex. If you can't produce a working Deployment with a ConfigMap-backed env var and a readiness probe in under three minutes without thinking, you're not ready yet — regardless of how well you understand the concepts.
An 8-week CKAD study plan
This assumes you already know Docker and basic kubectl. If you don't, add 2–4 weeks up front or sit the KCNA first to build fundamentals.
| Weeks | Focus | Goal |
|---|---|---|
| 1–2 | Core workloads: Pods, Deployments, Jobs, CronJobs, multi-container patterns | Author any workload manifest from memory |
| 3–4 | Config & security (the 25% domain): ConfigMaps, Secrets, securityContext, resource limits | Mount config two ways without hesitation |
| 5 | Services, Ingress, NetworkPolicy | Write a default-deny + selective-allow policy |
| 6 | Observability: probes, logging, debugging workflow | Diagnose a broken pod in under 4 minutes |
| 7 | Killer.sh simulator session #1 + targeted review | Identify your slowest task types |
| 8 | Killer.sh simulator session #2 + speed drills | Finish a full mock with 20+ minutes to spare |
The two Killer.sh sessions included with your exam are harder than the real thing on purpose — treat a 60–70% there as a healthy sign, not a failure. Save them for the back half of your prep so they measure exam-readiness, not progress.
kubectl speed: where the exam is won
The single most valuable habit is generating YAML instead of writing it. Put this in your shell before you start:
export do="--dry-run=client -o yaml" # quick manifest skeleton
export now="--grace-period=0 --force" # fast pod deletion
alias k=kubectl
Now a Deployment skeleton is one line:
k create deploy web --image=nginx --replicas=3 $do > web.yaml
Generate, edit the two or three fields the task actually cares about, apply. Other reflexes worth drilling:
# Pod with a command, generated not hand-written
k run tester --image=busybox $do --command -- sleep 3600 > pod.yaml
# Imperative ConfigMap and Secret — faster than YAML for simple cases
k create configmap app-cfg --from-literal=LOG_LEVEL=debug
k create secret generic db-cred --from-literal=password=s3cr3t
# Rollout control
k rollout status deploy/web
k rollout undo deploy/web --to-revision=2
# Set the namespace once so you stop typing -n
k config set-context --current --namespace=ckad-ns
That last one matters more than it looks. Tasks specify a namespace, and forgetting -n is the quietest way to lose points — your resource lands in default, the grader checks the target namespace, and you score zero on something you did correctly.
Bookmark the official Kubernetes docs — they're the only reference allowed in the exam, and knowing where the ConfigMap and NetworkPolicy examples live saves precious minutes. Practice copying from them, not memorizing them.
Is the CKAD worth it?
For developers shipping to Kubernetes, yes. Self-reported CKAD-holder salaries in 2026 cluster between $115K and $160K in the US, with platform engineers in high-cost markets pushing higher (CertDemand). More to the point, GitOps, service mesh, and platform-engineering workflows now assume developers can read and write Kubernetes primitives — the CKAD is the cleanest signal that you can.
Where it's not worth it: if you operate clusters rather than deploy to them, the CKA is the better first cert and the required gateway to the CKS. And if your team is all-in on a managed platform that abstracts Kubernetes away entirely, the hands-on CLI skills the CKAD certifies may not match your day-to-day. Be honest about which side of that line you're on before spending the $445.
Practice the way the exam grades you
The CKAD rewards one thing above all: speed in a real cluster. Reading about probes won't get you to 66% — building, breaking, and fixing them under a clock will. That's exactly the gap CloudaQube's hands-on labs close. Spin up live Kubernetes environments, run the same kinds of deploy-configure-debug tasks the exam throws at you, and build the muscle memory that turns a panicked two hours into a comfortable one.
Start drilling with CloudaQube's hands-on Kubernetes labs and walk into the CKAD already knowing you're fast enough.
