Kubernetes Certification Study Guide (CKA, CKAD, CKS)
This guide covers the three main Kubernetes certifications: CKA (Administrator), CKAD (Developer), and CKS (Security Specialist). I’ve trained engineers for all three and this is the practical, non-padded version of what actually matters.
All three are hands-on, performance-based exams. You work in a live Kubernetes cluster in a browser. No multiple choice. This changes how you should study.
CKA — Certified Kubernetes Administrator
Section titled “CKA — Certified Kubernetes Administrator”Exam format: 2 hours, ~17 tasks, passing score 66% Prerequisite: None (but CKAD experience helps) Valid for: 3 years
Topic breakdown
Section titled “Topic breakdown”| Domain | Weight |
|---|---|
| Storage | 10% |
| Troubleshooting | 30% |
| Workloads & Scheduling | 15% |
| Cluster Architecture, Installation & Configuration | 25% |
| Services & Networking | 20% |
Troubleshooting at 30% is the one people consistently underestimate. You will break things and need to fix them under time pressure.
What the exam actually tests
Section titled “What the exam actually tests”The CKA is about administering clusters, not just deploying workloads. Expect to:
- Bootstrap a cluster from scratch with kubeadm
- Configure etcd backups and restore from one
- Debug nodes that have stopped scheduling
- Fix broken RBAC configurations
- Troubleshoot networking issues (CNI, DNS, service endpoints)
- Manage persistent storage (PVs, PVCs, storage classes)
- Upgrade a cluster
The questions are not tricky. They’re operational. Speed and accuracy under pressure is what separates people who pass from people who fail.
Study timeline
Section titled “Study timeline”| Experience level | Recommended prep time |
|---|---|
| No Kubernetes experience | 12–16 weeks |
| Using Kubernetes as a developer | 6–8 weeks |
| Managing Kubernetes clusters already | 3–4 weeks |
What to study
Section titled “What to study”Fundamentals first (if needed):
Understand how the control plane works: etcd, API server, scheduler, controller manager. Know what happens when you run kubectl apply.
Core skills to drill:
kubectlfluency — know the flags, know how to get help fromkubectl explainand--dry-run=client -o yaml- etcd backup and restore (comes up constantly)
- kubeadm cluster bootstrap and upgrade
- RBAC: ClusterRole, Role, ClusterRoleBinding, RoleBinding
- NetworkPolicy — how to read and write one that does what you intend
- PersistentVolumes and PVCs
- Taints, tolerations, node affinity, pod disruption budgets
- CronJobs, DaemonSets, StatefulSets (not just Deployments)
The Killer.sh simulator is worth the cost. It’s harder than the actual exam, which is the point. Two attempts are included with registration.
Tips from training engineers for this exam
Section titled “Tips from training engineers for this exam”Practice in the terminal, not the docs. The exam gives you access to kubernetes.io documentation, but reading docs during the exam is slow. The docs are a safety net, not a study method.
Get fast with kubectl shortcuts. Setting alias k=kubectl and export do="--dry-run=client -o yaml" in the exam terminal is standard practice.
The etcd restore is a task where people lose a lot of time if they haven’t practiced it exactly. Do it 5+ times until it’s automatic.
Don’t practice with minikube alone. Set up a multi-node cluster with kubeadm — either locally with VMs or on a cloud provider. The exam environment is always multi-node.
CKAD — Certified Kubernetes Application Developer
Section titled “CKAD — Certified Kubernetes Application Developer”Exam format: 2 hours, ~19 tasks, passing score 66% Prerequisite: None Valid for: 3 years
Topic breakdown
Section titled “Topic breakdown”| Domain | Weight |
|---|---|
| Application Design and Build | 20% |
| Application Deployment | 20% |
| Application Observability and Maintenance | 15% |
| Application Environment, Configuration and Security | 25% |
| Services & Networking | 20% |
What the exam actually tests
Section titled “What the exam actually tests”The CKAD is about deploying and managing applications in Kubernetes. You’re not bootstrapping clusters — you’re using one. Expect to:
- Build and push container images (Docker or Buildah)
- Write Deployments, StatefulSets, CronJobs, Jobs
- Configure ConfigMaps, Secrets, environment variables
- Define resource requests and limits
- Write Probes (liveness, readiness, startup)
- Create Services, Ingresses, and NetworkPolicies
- Debug failing applications (pod logs, events, exec)
- Use multi-container pods with init containers and sidecars
Study timeline
Section titled “Study timeline”| Experience level | Recommended prep time |
|---|---|
| New to containers | 10–14 weeks |
| Docker experience, new to Kubernetes | 5–7 weeks |
| Deploying apps on Kubernetes already | 3–4 weeks |
What to study
Section titled “What to study”The CKAD rewards people who are comfortable reading and writing YAML quickly. Understand each field, don’t just copy-paste. You need to know what you’re writing.
Core skills to drill:
- Writing Deployments from scratch (not copy-paste)
- Rolling updates and rollbacks
- ConfigMaps and Secrets (env vars, volume mounts)
- Resource limits and QoS classes
- Probes — how readiness vs liveness vs startup differ in behavior
- NetworkPolicy — allow/deny patterns
- Helm basics: install, upgrade, override values
- Debugging:
kubectl logs,kubectl describe,kubectl exec - Sidecar containers in a pod spec
The CKAD practice questions by Bhargav Bachina are a useful free resource. The official Kubernetes docs are the reference you’ll use during the exam.
The CKAD has more tasks than the CKA but most are shorter. Pace matters — skip and come back rather than spending 15 minutes on one question.
Write imperative kubectl commands first, then edit the YAML if needed. kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml is faster than writing from scratch.
Bookmark the following Kubernetes docs pages (the exam browser has bookmarks): Pod spec fields, Deployment spec, NetworkPolicy examples, CronJob spec, PodDisruptionBudget.
CKS — Certified Kubernetes Security Specialist
Section titled “CKS — Certified Kubernetes Security Specialist”Exam format: 2 hours, ~15–20 tasks, passing score 67% Prerequisite: Active CKA certification (required) Valid for: 2 years
Topic breakdown
Section titled “Topic breakdown”| Domain | Weight |
|---|---|
| Cluster Setup | 10% |
| Cluster Hardening | 15% |
| System Hardening | 15% |
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging and Runtime Security | 20% |
What the exam actually tests
Section titled “What the exam actually tests”The CKS is genuinely hard. It assumes you know the CKA material cold and adds a security layer on top. Expect to:
- Harden the API server (audit logging, authentication, admission controllers)
- Configure RBAC for minimal privilege
- Use Pod Security Standards / OPA Gatekeeper
- Configure network policies for defense-in-depth
- Scan images for vulnerabilities (Trivy)
- Analyze audit logs for suspicious activity
- Use Falco for runtime security monitoring
- Manage secrets with proper encryption at rest
- Use Seccomp and AppArmor profiles
- Verify supply chain with image signing and admission webhooks
Study timeline
Section titled “Study timeline”| Experience level | Recommended prep time |
|---|---|
| Just passed CKA | 8–12 weeks |
| Working with Kubernetes security tools | 4–6 weeks |
What to study
Section titled “What to study”The CKS requires you to understand why each security control exists, not just how to configure it. People who treat it as a configuration checklist tend to struggle.
Core areas to understand deeply:
- Kubernetes RBAC: how to audit it, tighten it, find over-privileged accounts
- API server flags: which ones affect security and why
- Pod Security Standards (baseline, restricted) — what each enforces
- OPA/Gatekeeper and policy enforcement
- Falco rules: read, write, trigger
- Image scanning workflow with Trivy
- Audit logging: policy format, what to log, how to analyze logs
- mTLS and service mesh basics (doesn’t require full mesh knowledge)
- Seccomp profiles: default, runtime/default, custom
The Kubernetes security docs are more scattered than the other cert docs. Build a personal reference of the key commands and flag names — you’ll be looking things up under pressure.
The CKS is the one certification where running out of time is a real risk even if you know the material. Practice speed.
Falco configuration trips people up most often. Know how to: read a rule, modify a rule file, restart Falco, and verify a rule is triggering. Practice this end-to-end.
The “supply chain” domain is often underestimated. Image signing, Trivy, and admission webhooks take hands-on time to get comfortable with.
Practice resources
Section titled “Practice resources”Official simulators: Both Killer.sh (included with exam registration) and the CNCF’s own practice environment are worth using. Killer.sh is harder than the exam.
Cluster setup for practice:
- Local: kubeadm on VirtualBox/Hyper-V VMs, or kind/k3d for CKAD
- Cloud: a small 3-node cluster on Hetzner (~€10/month) works well
- Avoid minikube for CKA practice — single node misses too much
Kubernetes docs to bookmark: kubernetes.io/docs/reference/kubectl/ and the concept docs for whatever you’re studying. The docs are searchable in the exam.
Ready to train for these?
Section titled “Ready to train for these?”I run preparation courses for all three: Kubernetes Administrator (CKA), Kubernetes Developer (CKAD), and Kubernetes Security (CKS).
The courses are hands-on, multi-node clusters from day one, and structured around exactly the task types you’ll see in the exam. Get in touch if you’re preparing a team for certification.