CKA vs CKAD vs CKS: Kubernetes Certification Guide 2026
The Linux Foundation and CNCF offer three Kubernetes certifications that map cleanly to three distinct roles: the CKA for cluster administrators, the CKAD for application developers, and the CKS for security specialists. All three are performance-based: you work in a live terminal connected to real Kubernetes clusters rather than answering multiple-choice questions.
Choosing the right one depends on what you actually do with Kubernetes, not which acronym looks most impressive on a resume.
Quick Comparison
| | CKA | CKAD | CKS |
|---|---|---|---|
| Full Name | Certified Kubernetes Administrator | Certified Kubernetes Application Developer | Certified Kubernetes Security Specialist |
| Target Role | DevOps / platform engineer | Backend / application developer | Security engineer |
| Cost | $395 (includes 1 retake) | $395 (includes 1 retake) | $395 (includes 1 retake) |
| Exam Duration | 2 hours | 2 hours | 2 hours |
| Format | Performance-based terminal tasks | Performance-based terminal tasks | Performance-based terminal tasks |
| Passing Score | 66% | 66% | 67% |
| Validity | 2 years | 2 years | 2 years |
| Prerequisite | None | None | Active CKA required |
| Difficulty | High | Moderate-High | Very High |
| Job Market | 78,000+ LinkedIn listings mention CKA | 32,000+ LinkedIn listings mention CKAD | 15,000+ LinkedIn listings mention CKS |
TL;DR
Take the CKA if you manage clusters, configure infrastructure, or work in platform/DevOps roles. Take the CKAD if you're a developer who deploys applications to Kubernetes but doesn't manage the cluster itself. The CKS requires an active CKA and is for engineers specializing in Kubernetes security — supply chain hardening, runtime threat detection, and cluster security posture.
Most engineers who pursue one eventually pursue both CKA and CKAD, since they complement each other. Only pursue the CKS after meaningful production Kubernetes experience.
The CKA: Certified Kubernetes Administrator
The CKA covers Kubernetes cluster administration — the full stack from cluster setup through day-to-day operations, networking, and troubleshooting.
What the CKA Covers
The exam is structured around five domain areas, weighted by importance:
Cluster Architecture, Installation & Configuration (25%)
- Bootstrap clusters with kubeadm
- Manage a highly available Kubernetes cluster
- Provision underlying infrastructure (nodes, certificates)
- Perform a version upgrade on a Kubernetes cluster using kubeadm
- Implement etcd backup and restore
Workloads & Scheduling (15%)
- Understand deployments and rolling updates
- Configure applications with ConfigMaps and Secrets
- Resource limits and pod autoscaling
- DaemonSets and static pods
- Manually schedule pods on nodes
Services & Networking (20%)
- Understand host networking configuration on the cluster nodes
- Deploy and configure a network load balancer
- Implement and configure NetworkPolicies
- Understand Ingress controllers and Ingress resources
- Understand CoreDNS
Storage (10%)
- Understand storage classes and persistent volumes
- Volume modes, access modes, and reclaim policies
- Configure persistent volume claims
- Know how to configure applications with persistent storage
Troubleshooting (30%)
- Evaluate cluster and node logging
- Monitor applications, cluster component failures
- Troubleshoot application failures, networking issues
- Worker node failures
Troubleshooting carries the highest weight (30%) because real cluster administration is mostly diagnosis and repair, not initial setup.
Who Should Take the CKA
- DevOps engineers who provision and maintain Kubernetes clusters
- Platform engineers building internal developer platforms on K8s
- Site reliability engineers on-call for Kubernetes infrastructure
- Cloud engineers who manage EKS, GKE, or AKS environments
Salary context: LinkedIn salary data for CKA-certified engineers ranges from $130,000 to $185,000 in the US (Q1 2026), with the credential appearing in "preferred qualifications" for 78,000+ open roles.
Best CKA Prep Resources
Primary course: Mumshad Mannambeth's CKA with Practice Tests (Udemy / KodeKloud) — the community standard. 4.7/5 from 70,000+ reviews, with browser-based lab environments that closely mirror the exam format.
Lab practice: KodeKloud's hands-on labs and mock exams. The CKA is time-pressured — you need to execute tasks quickly and correctly. KodeKloud's challenge mode (troubleshoot a broken cluster) is better exam prep than guided labs alone.
Docs strategy: The exam allows access to kubernetes.io/docs. Practice navigating the docs quickly — knowing where to find kubeadm upgrade steps or PersistentVolume examples saves minutes under pressure.
The CKAD: Certified Kubernetes Application Developer
The CKAD targets the developer experience layer: pods, deployments, configuration management, probes, Helm, and the patterns you encounter when deploying applications to Kubernetes without managing the cluster itself.
What the CKAD Covers
Application Design and Build (20%)
- Define, build, and modify container images
- Choose and use the right workload resource (Deployment, DaemonSet, CronJob)
- Understand multi-container pod patterns (sidecar, init containers, adapter)
- Use volumes and persistent volume claims
Application Deployment (20%)
- Use Kubernetes primitives to implement common deployment strategies
- Understand Deployments and rolling updates
- Use Helm package manager to deploy an existing package
Application Observability and Maintenance (15%)
- Understand API deprecations
- Implement probes and health checks (liveness, readiness, startup)
- Use built-in CLI tools to monitor Kubernetes applications
- Utilize container logs
- Debugging in Kubernetes
Application Environment, Configuration, and Security (25%)
- Discover and use resources that extend Kubernetes (CRD)
- Understand authentication, authorization, and admission control
- Understanding and defining resource requirements, limits, quotas
- Understand ConfigMaps, Secrets, and ServiceAccounts
- Understand SecurityContexts
Services and Networking (20%)
- Demonstrate basic understanding of NetworkPolicies
- Provide and troubleshoot access to applications via services
- Use Ingress rules to expose applications
Who Should Take the CKAD
- Backend developers who write Kubernetes manifests and Dockerfiles
- Engineers who deploy microservices to shared Kubernetes clusters
- Full-stack developers in organizations running Kubernetes for backend services
- Developers who want to understand why their pods are failing without escalating to ops
Important distinction: CKAD doesn't cover cluster setup, node management, etcd, or infrastructure-level troubleshooting. It assumes the cluster is running — your job is the applications on top.
Best CKAD Prep Resources
Primary course: Mumshad Mannambeth's CKAD course (Udemy / KodeKloud). Same format as the CKA course, tuned for developer topics. Mock exams from KodeKloud are well-calibrated to actual exam difficulty.
Lightning labs: KodeKloud's CKAD lightning labs are timed 20-minute sessions with realistic exam-style problems. These are more valuable than video review for final prep.
Killer.sh: The Linux Foundation provides two free mock exam sessions (via killer.sh) when you purchase the CKAD. These are harder than the actual exam and are excellent final prep.
The CKS: Certified Kubernetes Security Specialist
The CKS is the most advanced Kubernetes certification and requires a current (unexpired) CKA as a prerequisite. It covers Kubernetes security in depth — hardening clusters, securing workloads, detecting threats, and meeting compliance requirements.
What the CKS Covers
Cluster Setup (10%)
- Use CIS benchmarks to review the security configuration of Kubernetes components
- Properly configure Ingress objects with security control
- Protect node metadata and endpoints
- Minimize use of, and access to, GUI elements
- Verify platform binaries before deploying
Cluster Hardening (15%)
- Restrict access to Kubernetes API
- Use Role-Based Access Controls to minimize exposure
- Proper use of Kubernetes service accounts
- Update Kubernetes frequently
System Hardening (15%)
- Minimize host OS footprint (reduce attack surface)
- Minimize IAM roles
- Minimize external access to the network
- Appropriately use kernel hardening tools (AppArmor, seccomp)
Minimize Microservice Vulnerabilities (20%)
- Set up appropriate OS-level security domains
- Manage Kubernetes secrets securely
- Use container runtime sandboxes in multi-tenant environments
- Implement pod-to-pod encryption using Cilium or other means
Supply Chain Security (20%)
- Minimize base image footprint
- Secure your supply chain: whitelist allowed registries
- Use static analysis of user workloads (Kubesec, Trivy)
- Scan images for known vulnerabilities
Monitoring, Logging, and Runtime Security (20%)
- Perform behavioral analytics of syscall processes to detect malicious activities
- Detect threats within physical infrastructure, apps, networks, data, and users
- Detect all phases of attack regardless of where it occurs
- Perform deep analytical investigation and identification of bad actors within environment
- Ensure immutability of containers at runtime
- Use Kubernetes audit logs to monitor access
Who Should Take the CKS
- Security engineers specializing in cloud-native and container security
- Platform engineers who own cluster security posture
- DevSecOps engineers integrating security into Kubernetes CI/CD pipelines
- Engineers at organizations with compliance requirements (SOC 2, PCI DSS, HIPAA)
Prerequisite is real: You must have a valid CKA to attempt the CKS. The CKS exam assumes deep cluster administration knowledge and builds on top of it.
Realistic timeline: Most CKS candidates have 1-2 years of production Kubernetes experience after the CKA. Attempting the CKS immediately after the CKA is possible but significantly harder.
Best CKS Prep Resources
Primary course: Mumshad Mannambeth's CKS course (KodeKloud) — covers all exam domains with hands-on labs focused on security tooling.
Reference tools: You'll need hands-on experience with Falco (runtime threat detection), Trivy (image scanning), AppArmor, seccomp, OPA/Gatekeeper, and Kubernetes audit logging. Configure and operate these tools rather than just watching demos.
Killer.sh: The two included killer.sh mock sessions are especially valuable for CKS, since exam difficulty is highest here.
Which Certification Should You Take First?
I'm a DevOps / platform / infrastructure engineer: Start with CKA. It covers your core job function. The breadth of cluster administration topics in the CKA translates directly to day-to-day work.
I'm a developer who deploys apps to Kubernetes: Start with CKAD. You don't need cluster administration knowledge for your role, and CKAD focuses on the manifests, debugging, and deployment patterns you actually use.
I want to certify in both CKA and CKAD: Most people do CKA first, then CKAD. The exam topics have roughly 40% overlap, so preparing for one gives you a head start on the other. Alternatively, take the CKAD first if you're working toward application-focused roles now and plan to move into infrastructure roles later.
I want the CKS: Get the CKA first (required), then accumulate 1-2 years of production Kubernetes experience before attempting the CKS. The security tooling in the CKS requires real hands-on familiarity, not just course completion.
Exam Strategy and Tips
Speed is the constraint. All three exams give you 2 hours for 15-20 tasks. Some tasks are 5 minutes; some are 20. Skip tasks you can't solve quickly and return to them later. Partial credit isn't available, so time management is essential.
kubectl imperative commands save time. Creating objects from scratch with YAML is slower than generating a manifest and editing it. Practice:
kubectl run pod-name --image=nginx --dry-run=client -o yaml > pod.yaml
kubectl create deployment my-dep --image=nginx --dry-run=client -o yaml
kubectl expose pod my-pod --port=80 --target-port=8080 --type=NodePort --dry-run=client -o yaml
Set up aliases. The exam allows you to configure your environment. Pre-set these:
alias k=kubectl
export do="--dry-run=client -o yaml"
export now="--force --grace-period 0"
Use the allowed docs. The Kubernetes documentation is allowed during all three exams. Bookmark key pages: PersistentVolumes, RBAC, kubeadm upgrade, NetworkPolicy examples.
Understand the exam environment. The 2024+ exam interface uses a PSI browser with a single remote desktop. Familiarize yourself with the UI through the provided simulator before exam day.
Cost Breakdown
Each certification costs $395 and includes one free retake. Bundles are available:
- CKA + CKAD bundle: ~$650 (saves ~$140 vs. individual)
- CKA + CKS bundle: ~$650
Training courses add $11-299 depending on platform:
- Mumshad's Udemy courses: $11-15 per course (frequent sales)
- KodeKloud subscription: ~$299/year (includes all three certification paths)
- Pluralsight/A Cloud Guru: ~$299-499/year (includes cloud and K8s tracks)
Bottom Line
Take the CKA if your job involves cluster operations, infrastructure, or platform engineering. It's the most recognized Kubernetes credential in the job market with the widest employer recognition.
Take the CKAD if you deploy applications to Kubernetes and want to debug, configure, and manage those workloads independently without relying on your ops team. It's more relevant than the CKA for pure application developers.
Take the CKS after building real production Kubernetes experience with the CKA. It's the credential that distinguishes security-specialized engineers and is increasingly required at organizations with formal security compliance programs.
See the best Kubernetes courses guide for the specific courses that prepare you for these exams, the best DevOps courses guide for the broader DevOps skill set that complements K8s expertise, and the cloud certification path guide for how Kubernetes certifications fit alongside AWS, Azure, and GCP credentials.