KCNA vs KCSA: which Kubernetes associate exam should you take first?

Quick version: take KCNA first if you're new to Kubernetes or cloud-native generally. Take KCSA first if you already know Kubernetes well and you're on a security track. Take neither if you're going straight to CKA and you've already used Kubernetes in production for a year.

Both exams are $250, 60 multiple-choice questions, 90 minutes, online via PSI Bridge, with one free retake bundled. Both are CNCF associates — the entry tier below the hands-on pro exams (CKA, CKAD, CKS, CNPE). Neither is a hard prerequisite for any pro exam; they're optional on-ramps. The pricing and exam format are identical, so the choice is purely about content and where you are in your career.

What KCNA actually covers

KCNA — Kubernetes and Cloud Native Associate — is the broadest of the CNCF associates. The curriculum, current as of early 2026, breaks down roughly:

• Kubernetes fundamentals (~46%): pods, services, deployments, namespaces, ConfigMaps, Secrets, the control plane, the kubelet, the scheduler. The vocabulary tier — what each piece does and how they relate.
• Container orchestration (~22%): why containers, container runtimes, the OCI spec, container networking concepts.
• Cloud-native architecture (~16%): microservices, service discovery, observability, the 12-factor-ish principles.
• Cloud-native observability (~8%): Prometheus, OpenTelemetry, the metric / log / trace trinity, basic SLI/SLO concepts.
• Cloud-native application delivery (~8%): GitOps in concept, Argo CD / Flux at the surface level, basic CI/CD as it applies to K8s.

It's wide and shallow. You won't be asked to write YAML; you'll be asked which Kubernetes object handles a given concern. The tone is "do you understand the cloud-native universe well enough to be useful in conversations." That's actually a real bar — plenty of engineers have shipped K8s workloads without knowing what etcd is, and KCNA forces you to learn the names.

Time investment: 30–50 hours over 4–6 weeks if you're new. 10–15 hours if you've been around Kubernetes for a year and just need to fill vocabulary gaps.

What KCSA actually covers

KCSA — Kubernetes and Cloud Native Security Associate — is narrower and deeper than KCNA, but still multiple-choice and still conceptual:

• Overview of cloud-native security (~14%): the 4Cs (Cloud, Cluster, Container, Code), the shared responsibility model in the K8s context.
• Kubernetes cluster component security (~22%): API server hardening, etcd protection, kubelet flags, network plugins.
• Kubernetes security fundamentals (~22%): Pod Security Standards, network policies (concepts not YAML), Secrets handling, ServiceAccounts.
• Kubernetes threat model (~16%): STRIDE applied to K8s, attack surface analysis, the trust boundaries.
• Platform security (~16%): supply chain, image scanning concepts, admission control concepts.
• Compliance and security frameworks (~10%): CIS benchmarks, NIST, what kube-bench does at a conceptual level.

KCSA is essentially a primer for CKS minus the hands-on labs. About 70% of KCSA content overlaps with CKS in topic; the difference is KCSA tests "do you understand what NetworkPolicy is" and CKS tests "write a default-deny NetworkPolicy in YAML in 90 seconds without consulting docs."

Time investment: 25–40 hours over 4–5 weeks if you have working K8s knowledge. Trying to do KCSA without any K8s exposure is rough — you'll be learning two things at once and the security framing makes it harder than KCNA, not easier.

Who each one targets

KCNA targets career-changers, junior engineers, project managers and product managers who work on cloud-native products, sales engineers, and anyone who needs Kubernetes literacy without operating clusters. It's a great forcing function for "understand the vocabulary so I can have intelligent conversations." It's a poor signal for senior engineering hires — recruiters reading résumés mostly skim past KCNA on a senior candidate.

KCSA targets security engineers learning Kubernetes, AppSec / cloud security folks moving into K8s security, and engineers preparing for CKS who want a softer warm-up. It's also useful for compliance and audit roles where you need to talk about K8s security posture without operating clusters yourself.

If you're a junior engineer trying to break into cloud, KCNA. If you're a security engineer broadening into platform security, KCSA. If you're already a senior K8s operator, neither — go directly to CKA or CKS.

Exam mechanics: what's the same, what's different

Same:

• $250 USD as of 2026.
• 60 multiple-choice / multiple-select questions.
• 90 minutes.
• 75% to pass.
• Online proctored via PSI Bridge — webcam, screen share, ID check, the usual.
• One free retake within 12 months.
• 2-year validity (was 3 years pre-April 2024).
• Linux Foundation runs frequent 30–60% off promo codes; never pay full price without checking.

Different:

• KCNA is wider; KCSA is deeper-on-security.
• KCSA's question-style trends slightly more "given this scenario, what's the security concern" vs KCNA's "what does this Kubernetes thing do."

Neither has labs. Neither has terminal access. The PSI Bridge experience for both is identical to KCNA / KCSA / KCSA-style associates from any cloud vendor — webcam, no second monitor, clear desk, no notes, no scratch paper unless explicitly allowed.

When to do both

Doing both makes sense if you're going for the Kubestronaut badge (which requires KCNA + KCSA + CKA + CKAD + CKS). Outside that, doing both is mostly a nice-to-have. The signal value of "passed KCNA and KCSA" on a résumé is roughly the same as "passed KCSA" alone — recruiters see "Kubernetes-certified" and move on.

If you're doing both and not pursuing the Kubestronaut bundle, the order I'd recommend is KCNA first (4–6 weeks), then 1–2 months of hands-on K8s practice on a kind / k3d cluster, then KCSA. Doing them back-to-back without operational practice in between leaves you with vocabulary and zero reflexes.

When to skip both

Skip both if you've been operating Kubernetes in production for a year or more. CKA covers everything KCNA does and adds the hands-on operational tests. KCNA on a senior résumé is mild noise. CKA is signal.

Skip both if you're going for CKS specifically. CKS requires an active CKA, not KCNA or KCSA. KCSA helps with CKS prep but isn't required.

Skip both if your goal is a job change in the next 90 days and you can already get K8s interviews. Spend the time on a portfolio project — a kubectl plugin, a public Helm chart, a Kubernetes operator — those move the needle harder than an associate cert.

CNCF doesn't publish pass rates

For the record, CNCF doesn't publish official pass rates for any of its exams. Community polling (Linux Foundation forums, Reddit r/kubernetes, the CNCF Slack #certifications channel) suggests KCNA first-attempt pass rates are in the 70–80% range and KCSA in the 60–70% range. Take those numbers as anecdote — they're self-reported and skew toward people who passed and bothered to post.

What to do this week

If you're new to K8s: schedule KCNA 6 weeks out, study the kubernetes.io concepts pages, and run a kind cluster locally to ground the vocabulary in something real.

If you're security-track and K8s-comfortable: schedule KCSA 5 weeks out, study the CIS benchmarks, and read up on the 4Cs framework.

If you're ready for CKA: skip both, save the $500, and put it toward a CKA + CKAD bundle ($590) instead.

If you're going for it, browse the KCNA practice bank on CertLabPro or the KCSA bank. Both are useful for finding the gaps in vocabulary fast — vocabulary is what these exams actually test.