Home DevOps CKA CKAD CKS Certification Guide
Advanced 4 min · July 12, 2026

CKA CKAD CKS Certification Guide

Learn CKA CKAD CKS Certification Guide with plain-English explanations and real examples..

N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Written from production experience, not tutorials.

Follow
Verified
production tested
July 12, 2026
last updated
2,073
articles · all by Naren
Before you start⏱ 30 min
  • Basic Linux command line, understanding of containers (Docker), familiarity with YAML, and at least 6 months of Kubernetes experience.
✦ Definition~90s read
What is CKA CKAD CKS Certification?

The CKA, CKAD, and CKS are three Kubernetes certifications from the CNCF that validate your ability to design, deploy, and secure production clusters. They matter because they are hands-on, performance-based exams that test real skills, not theory. Use them to prove your expertise for roles like platform engineer, SRE, or security engineer.

Think of CKA CKAD CKS Certification Guide like a tool in your DevOps toolkit — once you understand what it does and when to reach for it, managing Kubernetes clusters becomes second nature.
Plain-English First

Think of CKA CKAD CKS Certification Guide like a tool in your DevOps toolkit — once you understand what it does and when to reach for it, managing Kubernetes clusters becomes second nature.

A senior engineer spent 40 minutes debugging a network policy that wasn't blocking traffic. The root cause? A missing podSelector in a CKA-style cluster setup. That's the difference between knowing Kubernetes and being certified. The CKA, CKAD, and CKS exams are not multiple-choice trivia—they are grueling, hands-on tests where you must solve real problems under time pressure. If you can't debug a broken control plane or write a secure pod security policy in 30 minutes, you will fail. This guide breaks down each certification, the exact skills tested, and the production pitfalls that separate a certified engineer from a dangerous one.

The Trinity: CKA, CKAD, CKS — What Each Tests

The Certified Kubernetes Administrator (CKA) focuses on cluster operations: installing, configuring, and maintaining a Kubernetes cluster. You'll troubleshoot control plane components, manage etcd backups, and handle node failures. The Certified Kubernetes Application Developer (CKAD) tests your ability to design, build, and deploy applications on Kubernetes—think Deployments, Services, ConfigMaps, and Helm charts. The Certified Kubernetes Security Specialist (CKS) is the hardest: it covers cluster hardening, runtime security, network policies, and auditing. All three are performance-based: you SSH into a real cluster and complete tasks in a terminal. No multiple choice. No cheats. Just you and a broken cluster.

check-cluster-health.shBASH
1
2
3
4
5
6
#!/bin/bash
# Quick health check for CKA exam prep
kubectl get componentstatuses
kubectl get nodes -o wide
kubectl get pods --all-namespaces | grep -v Running
curl -k https://localhost:6443/healthz
Output
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy ok
NAME STATUS ROLES AGE VERSION
master Ready master 10d v1.28.0
worker1 Ready <none> 10d v1.28.0
No non-Running pods found
ok
🔥Exam Format
All exams are 2 hours (CKA, CKAD) or 2 hours 15 minutes (CKS). You get one free retake. The environment is a terminal with kubectl pre-installed. No GUI.
📊 Production Insight
In production, a CKA-certified engineer once restored an etcd backup from a snapshot taken 5 minutes before a corruption event. Without that skill, the cluster would have been rebuilt from scratch.
🎯 Key Takeaway
CKA = cluster ops, CKAD = app dev, CKS = security. Each builds on the last.

CKA Deep Dive: Cluster Architecture and Installation

The CKA exam expects you to install a cluster from scratch using kubeadm. You must know the control plane components: kube-apiserver, kube-controller-manager, kube-scheduler, and etcd. You'll configure TLS certificates, set up kubeconfig files, and join worker nodes. A common task: upgrade a cluster from one minor version to the next. You must drain nodes, upgrade kubeadm and kubelet, then uncordon. Another task: backup and restore etcd. You'll use etcdctl to snapshot and restore. Production tip: always test your backup restore in a staging environment first—etcd snapshots are version-specific.

etcd-backup.shBASH
1
2
3
4
5
6
#!/bin/bash
ETCDCTL_API=3 etcdctl snapshot save /backup/etcd-snapshot-$(date +%Y%m%d).db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key
Output
Snapshot saved at /backup/etcd-snapshot-20260712.db
⚠ etcd Version Mismatch
When restoring, the etcd version must match the snapshot version. Restoring a v3.5 snapshot into v3.4 will corrupt the cluster.
📊 Production Insight
A real outage: a junior admin ran kubeadm reset on the master node without backing up etcd. The cluster was down for 4 hours while they rebuilt from scratch.
🎯 Key Takeaway
Master kubeadm, etcd backup/restore, and cluster upgrades—these are the core CKA tasks.
kubernetes-certification-guide THECODEFORGE.IO CKA/CKAD/CKS Certification Path Step-by-step journey through Kubernetes certifications Start with CKA Cluster architecture, installation, and configuration Master CKAD Workloads, pod design, and application management Advance to CKS Cluster hardening, security policies, and runtime security Practice Troubleshooting Common denominator across all exams Take Mock Exams Simulate real exam conditions and time management ⚠ Skipping CKA before CKS is a common mistake CKS requires CKA certification as a prerequisite THECODEFORGE.IO
thecodeforge.io
Kubernetes Certification Guide

CKAD Deep Dive: Workloads and Pod Design

CKAD is about application deployment: Deployments, StatefulSets, Jobs, CronJobs, and ConfigMaps. You'll write YAML from scratch, often with strict resource limits and liveness probes. A typical task: create a Deployment with 3 replicas, rolling update strategy, and a readiness probe that checks an HTTP endpoint. You must also handle multi-container pods with sidecar patterns. Production insight: always set resource requests and limits—without them, a single pod can starve the node. Another task: expose a Deployment via a Service of type ClusterIP, then verify connectivity using a temporary pod.

deployment.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx
        image: nginx:1.25
        ports:
        - containerPort: 80
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 10
Output
deployment.apps/web-app created
💡Imperative Commands Save Time
Use kubectl run and kubectl create deployment with --dry-run=client -o yaml to generate YAML quickly, then edit.
📊 Production Insight
A team once deployed a StatefulSet without persistent volume claims. Pods kept crashing because they had no storage. Always attach PVCs for stateful workloads.
🎯 Key Takeaway
Write YAML fast, use probes, set resource limits—CKAD is about application reliability.

CKS Deep Dive: Cluster Hardening and Security Policies

CKS is the most demanding. You'll harden the cluster: disable anonymous access, enable RBAC, use Pod Security Standards (baseline/restricted), and configure network policies. A common task: create a NetworkPolicy that allows only specific pods to communicate. Another: use kube-bench to audit the cluster and fix CIS benchmark failures. You'll also handle runtime security: use Falco to detect anomalous behavior, and configure Seccomp profiles. Production insight: many breaches start with a container running as root. Always enforce runAsNonRoot: true and drop all capabilities.

network-policy.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
Output
networkpolicy.networking.k8s.io/api-allow created
⚠ NetworkPolicy Default Deny
By default, all pods can communicate. A NetworkPolicy with only ingress rules does not block egress. To block egress, add an egress rule with an empty to.
📊 Production Insight
A real incident: a developer accidentally exposed a database pod via a NodePort Service. A CKS-certified engineer caught it during a security review and enforced a NetworkPolicy that blocked all external traffic.
🎯 Key Takeaway
CKS tests your ability to secure a cluster: RBAC, Pod Security, NetworkPolicies, and runtime security.

Exam Strategy: Time Management and Imperative Commands

All three exams are timed. You must be fast. Use imperative commands to create resources quickly, then edit YAML for complex changes. For example, kubectl run nginx --image=nginx --restart=Never creates a pod instantly. Use --dry-run=client -o yaml to generate YAML for editing. Bookmark the Kubernetes documentation—it's allowed during the exam. But don't rely on it heavily; you'll lose time. Practice with kubectl explain to get field definitions. Production insight: in real life, you'd use GitOps tools like ArgoCD, but the exam tests raw kubectl skills.

quick-pod.shBASH
1
2
3
4
5
6
7
8
9
# Create a pod imperatively
kubectl run busybox --image=busybox --restart=Never -- sleep 3600

# Generate YAML for a deployment
kubectl create deployment web --image=nginx --replicas=3 --dry-run=client -o yaml > web-deploy.yaml

# Edit and apply
vim web-deploy.yaml
kubectl apply -f web-deploy.yaml
Output
pod/busybox created
deployment.apps/web created
💡Aliases and Shortcuts
Set aliases: alias k=kubectl, alias kgp='kubectl get pods', alias kaf='kubectl apply -f'. Every second counts.
📊 Production Insight
During a production incident, an engineer used kubectl run to spin up a debug pod in seconds. That speed saved the cluster from a cascading failure.
🎯 Key Takeaway
Speed is critical. Use imperative commands, aliases, and the official docs wisely.

Troubleshooting: The Common Denominator

All three exams heavily feature troubleshooting. For CKA: a node is NotReady, a control plane component is down, or etcd is corrupted. For CKAD: a pod is CrashLoopBackOff, a Service isn't routing traffic, or a ConfigMap isn't mounted. For CKS: a PodSecurityPolicy is blocking pods, or a NetworkPolicy is too restrictive. The key is to follow a systematic approach: check events, describe resources, inspect logs, and verify connectivity. Use kubectl describe, kubectl logs, and kubectl exec. Production insight: always check kubectl get events --sort-by='.lastTimestamp' first—it often points directly to the issue.

troubleshoot-pod.shBASH
1
2
3
4
5
6
7
8
9
10
# Pod in CrashLoopBackOff
kubectl describe pod my-pod
kubectl logs my-pod --previous
kubectl exec my-pod -- cat /var/log/app.log

# Check node conditions
kubectl describe node worker1 | grep -A5 Conditions

# Check network connectivity
kubectl run test-pod --image=busybox --rm -it -- wget -O- http://service-name:80
Output
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Pulled 5m kubelet Successfully pulled image
Normal Created 5m kubelet Created container
Normal Started 5m kubelet Started container
Warning BackOff 2m kubelet Back-off restarting failed container
🔥Systematic Debugging
Always start with kubectl get events. Then describe the resource. Then check logs. Never jump to conclusions.
📊 Production Insight
A production outage was caused by a misconfigured liveness probe that killed a pod every 30 seconds. The team spent an hour debugging before checking the probe definition.
🎯 Key Takeaway
Troubleshooting is a skill you must practice. Use events, describe, logs, and exec in that order.
kubernetes-certification-guide THECODEFORGE.IO Kubernetes Certification Stack Layered components tested across CKA, CKAD, and CKS Cluster Infrastructure etcd | kube-apiserver | kube-controller-manager Node Components kubelet | kube-proxy | container runtime Workloads and Pods Deployments | StatefulSets | DaemonSets Networking and Services Services | Ingress | Network Policies Security and Hardening RBAC | Pod Security Standards | Secrets THECODEFORGE.IO
thecodeforge.io
Kubernetes Certification Guide

Security in Depth: CKS-Specific Topics

CKS goes beyond basic RBAC. You'll configure Pod Security Admission (PSA) to enforce standards at the namespace level. You'll use kubectl auth can-i to verify permissions. You'll also set up audit logging: configure the API server to log all requests to a file, then analyze with kubectl logs. Another topic: container runtime security with gVisor or Kata Containers. You'll also handle secrets encryption at rest using KMS. Production insight: many clusters have audit logging disabled. Enable it—it's your only forensic evidence after a breach.

pod-security-admission.yamlYAML
1
2
3
4
5
6
7
8
apiVersion: v1
kind: Namespace
metadata:
  name: secure-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
Output
namespace/secure-ns created
⚠ PSA Breaking Changes
Enforcing 'restricted' will block many default images that run as root. Test in audit mode first.
📊 Production Insight
A company was fined for non-compliance because they had no audit logs. After enabling them, they detected a compromised service account within hours.
🎯 Key Takeaway
CKS requires deep security knowledge: PSA, audit logging, encryption, and runtime security.

Mock Exam: Putting It All Together

Let's simulate a multi-part task that spans all three certifications. Scenario: You have a cluster with a broken control plane (CKA), a misconfigured application (CKAD), and a security vulnerability (CKS). Step 1: Fix the control plane—the kube-scheduler is not running. Check the static pod manifest, restart it. Step 2: The application Deployment has a wrong image tag, causing CrashLoopBackOff. Update the image. Step 3: The cluster allows privileged containers. Create a PodSecurityPolicy that restricts to baseline. This exercise forces you to switch contexts quickly, just like the real exams.

mock-exam.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
# Step 1: Fix scheduler
kubectl get pods -n kube-system | grep scheduler
# If missing, check static pod manifest
ls /etc/kubernetes/manifests/
# Edit the manifest to fix any issues

# Step 2: Fix application
kubectl set image deployment/my-app my-container=nginx:1.25
kubectl rollout status deployment/my-app

# Step 3: Enforce security
kubectl label ns default pod-security.kubernetes.io/enforce=baseline
Output
pod/kube-scheduler-master 1/1 Running 0 10s
deployment.apps/my-app image updated
deployment.apps/my-app successfully rolled out
namespace/default labeled
💡Practice Under Time Pressure
Set a timer for 30 minutes and try to complete a multi-step scenario. This builds the mental stamina needed for the exam.
📊 Production Insight
In a real incident, an engineer had to simultaneously fix a broken etcd, update a misconfigured Ingress, and patch a security vulnerability—all under a 1-hour SLA.
🎯 Key Takeaway
Mock exams that combine CKA, CKAD, and CKS tasks prepare you for the real thing.

Resources and Study Plan

Official CNCF curriculum is the starting point. Use Killer.sh for realistic practice exams—they simulate the actual terminal environment. For CKA, focus on kubeadm, etcd, and networking. For CKAD, practice writing YAML under time constraints. For CKS, use kube-bench and Falco in a lab. Study plan: 2 weeks per certification, 2 hours daily. Week 1: theory and tutorials. Week 2: mock exams. Production insight: the best preparation is running a real cluster at home with Raspberry Pis or using kind. Break it intentionally, then fix it.

install-kind.shBASH
1
2
3
4
5
6
7
# Install kind for local cluster
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
chmod +x ./kind
./kind create cluster --name cka-lab

# Verify
kubectl cluster-info --context kind-cka-lab
Output
Creating cluster "cka-lab" ...
✓ Ensuring node image (kindest/node:v1.28.0) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-cka-lab"
Kubernetes control plane is running at https://127.0.0.1:6443
🔥Free Resources
The official Kubernetes documentation has tasks for each certification. Also, check out the CNCF GitHub for sample questions.
📊 Production Insight
A senior engineer set up a CI pipeline that automatically breaks a test cluster every night. The team must fix it by morning. This kept their skills sharp.
🎯 Key Takeaway
Use Killer.sh, kind, and the official docs. Practice breaking and fixing clusters.

Common Pitfalls and How to Avoid Them

Pitfall 1: Not reading the question carefully. The exam often has multiple parts—if you miss one, you lose points. Pitfall 2: Overusing kubectl apply -f without checking YAML syntax. Use --validate flag. Pitfall 3: Forgetting to set context or namespace. Use kubectl config set-context and kubectl config set-context --namespace. Pitfall 4: Not saving your work. The exam environment may time out. Production insight: in a real cluster, a missing --validate flag once caused a typo in a YAML file that deleted all pods in a namespace. Always validate.

validate-yaml.shBASH
1
2
3
4
5
6
7
8
9
# Validate YAML before applying
kubectl apply -f deployment.yaml --validate=true --dry-run=client

# Set context and namespace
kubectl config set-context my-context --namespace=production --cluster=prod --user=admin
kubectl config use-context my-context

# Save work periodically
kubectl get all --all-namespaces -o yaml > cluster-state-backup.yaml
Output
deployment.apps/web-app configured (dry run)
Context "my-context" modified.
Switched to context "my-context".
⚠ Time Management
If you get stuck on a task for more than 5 minutes, skip it and come back. Each task is worth points, but you need to finish all.
📊 Production Insight
A production outage occurred when an engineer applied a YAML file with a missing kind field. The resource was created as a different type, causing a conflict. Always validate.
🎯 Key Takeaway
Read carefully, validate YAML, set context, and manage time. Avoid these common mistakes.
CKA vs CKAD vs CKS Exam Focus Key differences in objectives and skills tested CKA CKAD Primary Focus Cluster architecture and installation Application design and deployment Troubleshooting Weight High (30%) Moderate (20%) Security Emphasis Basic RBAC and network policies Minimal security topics Time Management 2 hours, 15-20 questions 2 hours, 19 questions Prerequisite None None Common Commands kubeadm, kubectl cluster management kubectl run, expose, create deployment THECODEFORGE.IO
thecodeforge.io
Kubernetes Certification Guide

After Certification: Maintaining Skills

Certifications expire after 3 years. But more importantly, Kubernetes evolves fast. Stay current by contributing to open source, running a home lab, or following the CNCF landscape. Production insight: the best engineers are those who break things in staging and learn from failures. Join the Kubernetes Slack community, attend KubeCon, and read the changelogs. Remember: a certification is a starting point, not a destination.

check-k8s-version.shBASH
1
2
3
4
5
6
7
# Check current version and upgrade path
kubectl version --short
# Check available versions
apt-cache policy kubeadm
# Upgrade kubeadm
apt-get update && apt-get install -y kubeadm=1.29.0-00
kubeadm upgrade plan
Output
Client Version: v1.28.0
Server Version: v1.28.0
kubeadm:
Installed: 1.28.0-00
Candidate: 1.29.0-00
[upgrade] Fetching available versions to upgrade to
[upgrade/versions] Cluster version: 1.28.0
[upgrade/versions] kubeadm upgrade plan: v1.29.0
🔥Continuous Learning
Set aside 30 minutes weekly to read Kubernetes release notes. New features like Ingress v2 or sidecar containers can change your architecture.
📊 Production Insight
A team that didn't upgrade for 18 months faced a critical vulnerability (CVE-2023-44487). They had to scramble to patch. Regular upgrades prevent such fire drills.
🎯 Key Takeaway
Certifications expire. Keep learning through labs, community, and production experience.
⚙ Quick Reference
11 commands from this guide
FileCommand / CodePurpose
check-cluster-health.shkubectl get componentstatusesThe Trinity: CKA, CKAD, CKS
etcd-backup.shETCDCTL_API=3 etcdctl snapshot save /backup/etcd-snapshot-$(date +%Y%m%d).db \CKA Deep Dive
deployment.yamlapiVersion: apps/v1CKAD Deep Dive
network-policy.yamlapiVersion: networking.k8s.io/v1CKS Deep Dive
quick-pod.shkubectl run busybox --image=busybox --restart=Never -- sleep 3600Exam Strategy
troubleshoot-pod.shkubectl describe pod my-podTroubleshooting
pod-security-admission.yamlapiVersion: v1Security in Depth
mock-exam.shkubectl get pods -n kube-system | grep schedulerMock Exam
install-kind.shcurl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64Resources and Study Plan
validate-yaml.shkubectl apply -f deployment.yaml --validate=true --dry-run=clientCommon Pitfalls and How to Avoid Them
check-k8s-version.shkubectl version --shortAfter Certification

Key takeaways

1
CKA for Operations
Master cluster installation, etcd backup/restore, and troubleshooting control plane components.
2
CKAD for Development
Focus on writing YAML fast, using probes, and managing application lifecycles.
3
CKS for Security
Harden clusters with RBAC, Pod Security, NetworkPolicies, and runtime security tools.
4
Practice Under Pressure
Use mock exams and time constraints to simulate real exam conditions.
INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01JUNIOR
Which certification should I take first?
Q02JUNIOR
How long should I study for each exam?
Q03JUNIOR
Can I use the Kubernetes documentation during the exam?
Q01 of 03JUNIOR

Which certification should I take first?

ANSWER
Start with CKA if you're an admin or platform engineer. Start with CKAD if you're a developer. CKS requires CKA as a prerequisite.
FAQ · 6 QUESTIONS

Frequently Asked Questions

01
Which certification should I take first?
02
How long should I study for each exam?
03
Can I use the Kubernetes documentation during the exam?
04
What happens if I fail the exam?
05
Are these certifications recognized by employers?
06
How do I prepare for the CKS security tasks?
N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Written from production experience, not tutorials.

Follow
Verified
production tested
July 12, 2026
last updated
2,073
articles · all by Naren
🔥

That's Kubernetes. Mark it forged?

4 min read · try the examples if you haven't

Previous
Kubernetes Multi-Cluster and Federation
20 / 38 · Kubernetes
Next
Kubernetes Cost Optimization — Kubecost, Karpenter, Spot