How to Pass CKAD (Certified Kubernetes Application Developer) in 2026: Complete Study Guide
CKAD tests how well you deploy, configure, and troubleshoot applications on Kubernetes — not cluster administration. This guide covers all 5 domains, the key differences from CKA, essential kubectl commands for developers, and a 6-week study plan.
The CKAD (Certified Kubernetes Application Developer) is a performance-based exam from the Cloud Native Computing Foundation (CNCF). You solve real tasks on live Kubernetes clusters — no multiple choice, no theory questions. You have 2 hours to complete enough weighted tasks to score at least 66%. The exam costs $395 and includes one free retake.
This guide focuses on what makes CKAD different from CKA, what each domain actually tests, and how to build a study plan that prepares you for the hands-on format.
CKAD vs CKA: What Is the Difference?
Both CKAD and CKA are performance-based CNCF exams on live clusters, but they test completely different roles:
| Aspect | CKAD | CKA |
|---|---|---|
| Target audience | Application developers, DevOps engineers | Cluster administrators, platform engineers |
| Focus | Deploying, configuring, and troubleshooting apps | Installing, upgrading, and maintaining clusters |
| Passing score | 66% | 66% |
| Duration | 2 hours | 2 hours |
| Key topics | Pods, Deployments, Helm, Probes, NetworkPolicy, HPA | etcd backup, kubeadm upgrade, RBAC, network plugins |
If you are a developer who writes YAML manifests and deploys services, CKAD aligns directly with your day-to-day work. CKA is better suited for those who manage the Kubernetes infrastructure itself.
The 5 Exam Domains
Domain 1: Application Design and Build (20%) — Covers defining container images, multi-container pod patterns (sidecar, init container, ambassador), volumes and persistent storage, and Jobs/CronJobs. You need to know when to use each multi-container pattern and how to configure volume mounts between containers.
Domain 2: Application Deployment (20%) — Covers Deployments with RollingUpdate and Recreate strategies, Helm chart management, and Kustomize for environment overlays. Helm tasks are common: installing a chart, upgrading with value overrides, rolling back to a previous revision.
Domain 3: Application Observability and Maintenance (15%) — Covers liveness, readiness, and startup probes; resource requests and limits; deprecation management; and basic troubleshooting with kubectl describe, kubectl logs, and kubectl exec.
Domain 4: Application Environment, Configuration and Security (25%) — The highest-weight domain. Covers ConfigMaps, Secrets, ServiceAccounts, SecurityContext, resource quotas, and admission controllers. Knowing the difference between container-level and pod-level SecurityContext settings is frequently tested.
Domain 5: Services and Networking (20%) — Covers ClusterIP, NodePort, and LoadBalancer services; Ingress rules and Ingress controllers; and NetworkPolicy for controlling pod-to-pod traffic. NetworkPolicy direction (ingress vs egress on each side) is a common source of mistakes.
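The pod-level versus container-level SecurityContext distinction from Domain 4, shown as an added example (not from the original guide). The pod name and the busybox:1.36 image tag are assumptions.

```yaml
# Constructed example: pod name and image tag are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: secctx-demo
spec:
  securityContext:             # pod level: defaults inherited by every container
    runAsUser: 1000
    runAsGroup: 3000
    runAsNonRoot: true
    fsGroup: 2000              # pod level only: group applied to mounted volumes
    seccompProfile:
      type: RuntimeDefault
  volumes:
    - name: data
      emptyDir: {}
  containers:
    - name: app                # inherits runAsUser 1000 from the pod
      image: busybox:1.36
      command: ["sh", "-c", "id && sleep 3600"]
      volumeMounts:
        - name: data
          mountPath: /data
      securityContext:         # container level only: these fields do not exist on the pod
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
    - name: helper
      image: busybox:1.36
      command: ["sh", "-c", "id && sleep 3600"]
      securityContext:
        runAsUser: 2000        # set at both levels: the container value wins for this container
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Compare kubectl logs secctx-demo -c app with kubectl logs secctx-demo -c helper to see the inherited and the overridden UID.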
Essential Tools: kubectl, Helm, Kustomize
kubectl is the primary interface for every task. Master these patterns before exam day:
- kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml — generate a pod manifest without creating the resource
- kubectl create deployment app --image=nginx --replicas=3 --dry-run=client -o yaml — generate a deployment manifest
- kubectl set image deployment/app nginx=nginx:1.25 — update a container image in-place
- kubectl rollout status deployment/app — watch a rolling update to completion
- kubectl rollout undo deployment/app — roll back to the previous revision
- kubectl explain pod.spec.containers.securityContext — look up field documentation during the exam
Helm is tested for chart lifecycle management. Key commands: helm install, helm upgrade, helm rollback, helm uninstall, and helm template for rendering manifests without deploying. Always check the installed release list with helm list -n <namespace>.
Kustomize has been built into kubectl since version 1.14. Use kubectl apply -k . to apply a kustomization directory, or kubectl kustomize . | kubectl apply -f - for a preview step. The exam may ask you to add a common label (the commonLabels field) or patch a specific field using Kustomize overlays.
Must-Know Pod Patterns
Init container: Runs to completion before any app container starts. Used for setup tasks like waiting for a database to be ready, populating a shared volume, or fetching secrets. Defined under spec.initContainers. Init containers run sequentially — each must succeed before the next begins.
Sidecar container: Runs alongside the main container throughout the pod's life. Used for log shipping, metrics collection, or proxying. Defined as an additional entry in spec.containers. Both containers share the pod's network namespace and can share volumes.
Ambassador container: A specialized sidecar that acts as a proxy for external communication. The main application talks to localhost, and the ambassador handles protocol translation or routing. Less commonly tested but worth recognizing in scenario descriptions.
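The init container and sidecar patterns combined in one pod, as an added example (not from the original guide). The pod name, volume names and the busybox:1.36 tag are assumptions.

```yaml
# Constructed example: names and the busybox tag are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: web-with-logger
spec:
  volumes:
    - name: content            # shared between the init container and web
      emptyDir: {}
    - name: logs               # shared between web and the sidecar
      emptyDir: {}
  initContainers:
    - name: seed-content       # must exit 0 before any app container starts
      image: busybox:1.36
      command: ["sh", "-c", "echo 'seeded by init container' > /work/index.html"]
      volumeMounts:
        - name: content
          mountPath: /work
  containers:
    - name: web
      image: nginx:1.25
      volumeMounts:
        - name: content
          mountPath: /usr/share/nginx/html
          readOnly: true       # web only serves the seeded content
        - name: logs
          mountPath: /var/log/nginx
    - name: log-shipper        # sidecar: runs for the pod's whole life
      image: busybox:1.36
      command: ["sh", "-c", "tail -n +1 -F /logs/access.log"]
      volumeMounts:
        - name: logs
          mountPath: /logs
          readOnly: true       # the sidecar reads logs but cannot alter them
```

If seed-content fails, the pod stays in an Init state and neither web nor log-shipper starts.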
6-Week Study Plan
| Week | Focus | Milestone |
|---|---|---|
| Week 1 | Pods, Deployments, ReplicaSets, Services fundamentals | Create and expose a multi-replica deployment from scratch |
| Week 2 | ConfigMaps, Secrets, environment variables, volumes | Mount a Secret as a volume and as env vars in a pod |
| Week 3 | Multi-container patterns, Jobs, CronJobs, probes | Write a pod with an init container and a sidecar logger |
| Week 4 | SecurityContext, ServiceAccounts, NetworkPolicy | Apply a deny-all NetworkPolicy then open specific traffic |
| Week 5 | Helm, Kustomize, HPA, Ingress, resource quotas | Install a Helm chart, override values, roll back a revision |
| Week 6 | Full timed practice sessions on killer.sh | Score 75%+ on two killer.sh simulations before booking |
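The Week 4 milestone written out, as an added example (not from the original guide): a deny-all policy, then one rule on each side of a single flow, which is where the ingress/egress direction mistake usually happens. The namespace shop, the labels and port 8080 are assumptions.

```yaml
# Constructed example: namespace "shop" and labels app=frontend / app=api are assumptions.
# 1. Default deny: selects every pod in the namespace and allows nothing in or out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Receiving side: api pods accept TCP 8080 from frontend pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: api}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: frontend}
      ports:
        - {protocol: TCP, port: 8080}
---
# 3. Sending side: egress is denied too, so frontend needs its own rule to reach api.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: frontend}
  policyTypes: ["Egress"]
  egress:
    - to:
        - podSelector:
            matchLabels: {app: api}
      ports:
        - {protocol: TCP, port: 8080}
    - ports:                   # DNS to any destination so Service names still resolve
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
```

Policies are additive, so the two allow rules widen the default deny rather than replace it. Enforcement depends on the cluster's network plugin supporting NetworkPolicy.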
Recommended Resources
- CKAD Exercises (dgkanatsios/CKAD-exercises on GitHub): A free, community-maintained set of kubectl exercises organized by domain. This is the closest thing to the actual exam format.
- killer.sh: The official CNCF exam simulator. Each exam registration includes two free sessions. The difficulty is intentionally harder than the real exam — if you score 70%+ here, you are ready.
- KodeKloud CKAD course: Includes an embedded browser-based lab environment so you can practice without setting up a local cluster. Good for beginners building muscle memory.
- Kubernetes documentation (kubernetes.io/docs): The only reference you can use during the exam. Learn to navigate it quickly — especially the Tasks section for copy-paste YAML templates.
Exam Day Strategy
Use the imperative commands first. For simple tasks (create a pod, expose a service, scale a deployment), kubectl run and kubectl create with --dry-run=client -o yaml are faster than writing YAML by hand. Only drop into a YAML editor when the task requires fields that imperative commands cannot set.
Set your context immediately. Each task specifies a cluster context. Run kubectl config use-context <context> at the start of every task. Forgetting this is the most costly mistake you can make — all your work lands in the wrong cluster.
Use kubectl explain freely. You cannot Google during the exam, but kubectl explain pod.spec.containers.livenessProbe --recursive gives you every field and its type. This is faster than navigating the docs for syntax you half-remember.
Skip and return. Tasks are weighted. If a task is worth 4% and you are stuck, flag it and move on. A 7% task you solve cleanly is worth more than spending 15 minutes on a 4% task.
Verify your work. After each task, run kubectl get or kubectl describe to confirm the resource exists in the correct namespace with the correct configuration. A pod in CrashLoopBackOff does not earn full credit.