CKA vs CKAD: which Kubernetes cert should you take first?

The clean answer: take CKA if you operate Kubernetes (cluster admin, platform engineer, SRE), take CKAD if you ship apps to Kubernetes that someone else operates (backend dev, ML engineer, application engineer). Both cost $445 and last two hours. Both include a free retake. Either one alone is sufficient credential for most senior roles that need a Kubernetes signal.

If you do both eventually, the standard order is CKA first, then CKAD. The reverse works too but most people find CKAD slightly easier after passing CKA.

Here's how they actually differ.

What each one tests

CKA (Certified Kubernetes Administrator) is the operator's exam. The tasks lean toward cluster-level concerns:

• Installing a cluster (kubeadm, including upgrades and joins)
• Backing up and restoring etcd
• Managing nodes (cordon, drain, taint)
• Diagnosing why a pod won't schedule (resource pressure, affinity, taints/tolerations, PodSecurity)
• Configuring networking (NetworkPolicy, services, kube-proxy modes)
• Storage (PV/PVC, StorageClass, CSI driver troubleshooting)
• RBAC (creating roles, role bindings, service accounts)
• Cluster upgrade procedures

The tasks frequently take you across multiple clusters during the exam. You'll switch contexts (kubectl config use-context) often. You'll edit kubeadm config files. You'll restart kubelets via SSH to fix broken nodes.

CKAD (Certified Kubernetes Application Developer) is the developer's exam. The tasks are application-shaped:

• Writing pod and deployment manifests (resource limits, init containers, multi-container patterns)
• Configuring application networking (services, ingress, NetworkPolicy as a consumer not architect)
• Managing application config (ConfigMaps, Secrets, environment vars)
• Persistent storage from the app side (mounting volumes, PVCs)
• Application observability (probes, logs, exec)
• Jobs, CronJobs, and batch patterns
• Helm templating basics (since 2023's curriculum refresh)

You stay in fewer contexts on CKAD. The work is more focused on building things correctly than on diagnosing why infrastructure is broken.

The two exams overlap on roughly 30–40% of content — both touch services, ConfigMaps, kubectl, basic troubleshooting. But the orientation is different: CKA asks "the cluster is broken, fix it"; CKAD asks "the application needs this behavior, build it."

Difficulty: which is harder?

Most candidates rate CKA as marginally harder than CKAD. Three reasons:

Multi-cluster context switching is mentally taxing. CKAD typically gives you one or two contexts; CKA may give you four or five. Forgetting to switch context costs you points and time.

etcd, kubeadm, and node-level work scare people. CKA expects you to be comfortable on the underlying Linux host (systemctl, journalctl, restarting kubelet, SSHing between nodes). CKAD assumes the cluster works and you only interact with it via kubectl.

CKA's troubleshooting questions can be deep. "This pod isn't running. Find the cause and fix it." The cause might be in node taints, in PodSecurity policy, in a missing secret, in a misconfigured kubelet, or in an incorrect ServiceAccount. CKAD troubleshooting is usually more localized — fix the manifest, fix the env var.

That said, CKAD has its own difficulty profile. The exam expects fast, accurate manifest writing under time pressure. Candidates with weak vim skills lose hard on CKAD because the volume of YAML editing is higher. CKA candidates use kubectl edit or imperative commands more.

If you've been operating Kubernetes daily for a year, CKA is easier for you (you do those things at work). If you've been writing apps that deploy to Kubernetes for a year, CKAD is easier.

Time management is everything

Both exams are 2 hours, 15–20 tasks. The free retake means you can recover from a bad first attempt; the brutal part is that "running out of time" is the most common failure mode for both.

Practical advice that works:

Do all the easy questions first. Both exams display point values per question. Triage in the first 5 minutes: read each task header (don't read the full body), star anything worth >5 points and looks doable in <10 minutes, do those first. Save the gnarly multi-step tasks for the second pass.

Use imperative kubectl whenever possible. kubectl run, kubectl create, and kubectl expose with --dry-run=client -o yaml are dramatically faster than writing YAML from scratch. Learn the ones that matter (deployment, service, configmap, secret, role, rolebinding, networkpolicy).

Set up shell aliases and vim config in the first 60 seconds. Both exams allow you to set alias k=kubectl, export do='--dry-run=client -o yaml', and configure vim for YAML (set ts=2 sw=2 et). The 60 seconds you spend doing this returns 5–10 minutes over the rest of the exam.

Don't fight a question for more than 12 minutes. Skip and come back. Time spent stuck on one question is time you're not earning points elsewhere. The exam interface lets you flag and revisit.

Cost, bundles, validity

Both are $445 USD as of 2026. Both include one free retake within a 12-month window. Linux Foundation runs frequent 30–60% off promo codes; never pay full price without checking.

Bundles:

• CKA + CKAD bundle: $590 (vs. $890 separately). Worth it if you're doing both within 12 months.
• CKA + CKAD + CKS bundle: roughly $1,150. CKS requires an active CKA, so the bundle pricing is sensible.
• Kubestronaut bundle (KCNA + KCSA + CKA + CKAD + CKS): about $788 off list price. Useful if you want the Kubestronaut badge.

Validity: 2 years for both since April 2024 (was 3 years previously). Renew by re-taking the current exam.

Should you do both?

Most engineers don't need both. Pick one, finish it, and move on with your career. The signal value of "passed CKA" and "passed CKA + CKAD" is roughly the same to recruiters — you've demonstrated hands-on Kubernetes competence and that's the gate.

Cases where doing both makes sense:

• You're going for the Kubestronaut badge.
• You work at a Kubernetes-focused consultancy where billable engineers need both.
• Your role legitimately spans both (rare; most engineers skew one way or the other).
• You're a candidate at a CNCF member company that values the credential collection.

Cases where doing both is probably overkill:

• You're a backend engineer who deploys to a managed cluster. CKAD is enough.
• You're a platform engineer running clusters. CKA is enough.
• You're doing it for the LinkedIn flex. Most recruiters can't distinguish CKA from CKAD on a résumé skim — the signal is "Kubernetes-certified", not "which Kubernetes cert."

CKS as an extension of CKA

A few people start with CKS (Kubernetes Security Specialist) and skip both CKA and CKAD. You can't actually skip CKA — CNCF requires an active CKA before you can sit CKS. So if you want CKS, your path is CKA → CKS, not "instead of."

CKS is harder than CKA, narrower in scope (auth, network policies, supply chain security, runtime security, mTLS), and aimed at security engineers / platform security roles. Salary impact is modest unless you're specifically in security; most roles that pay for CKS also expect CKA-level operations skills.

Practice question realism

Both exams are simulated by several question banks online. CertLabPro's CKA bank and CKAD bank include scenario-style multiple-choice items that test the same concepts as the live exam — useful for verifying conceptual fluency. Note that no multiple-choice question bank can fully simulate the hands-on terminal experience; use practice questions to check your understanding, then practice on a real cluster (k3d, kind, or minikube locally) for the actual operational reps.

The official CNCF practice environment (Killer Shell) is the closest to the real exam UX — every CKA / CKAD purchase includes two free Killer Shell sessions. Use them. They're substantially harder than the real exam by design (so the real one feels easier), and the time pressure simulation is realistic.

What to do this week

1. Pick one exam — CKA if you operate; CKAD if you build apps.
2. If you have less than six months of Kubernetes hands-on, take KCNA first as a no-pressure intro. KCNA is 60 multiple-choice questions, $250, no labs. It's not a prereq for CKA but it forces you to learn the vocabulary.
3. Schedule 8 weeks out and study 8–12 hours per week. Use a real cluster (kind locally is free) and practice operational tasks against it daily.
4. Two weeks before the exam, do both Killer Shell sessions. They will humble you. Use the gap they reveal to study.
5. Sit the exam. Use the free retake if needed. Most candidates pass either on the first attempt or by exhausting the retake — that's a 95%+ cumulative pass rate for people who actually study.

CKA and CKAD are both worth the time if you're working with Kubernetes. They're real, hands-on credentials that can't be cheated. Picking between them is mostly a question of which one matches your day job. Pick that one. Don't agonize.