Do I need CKA before taking CKS?

Yes. CKA is a registration prerequisite for the CKS exam — your CKA must be active when you sit for CKS. CKAD is not a prerequisite for either CKA or CKS.

Should I take CKAD or CKA first?

If your role is application development on Kubernetes, take CKAD first. If your role is cluster operations, security, or platform engineering, skip CKAD and take CKA — CKAD does not unlock anything that CKA does not.

What is the hardest of the three Kubernetes certifications?

CKS is generally considered the hardest of the three. It assumes everything CKA covers and adds six security-specific domains, including supply chain and runtime security. The pass score is also higher (67% vs 66%).

How long are the Kubernetes certifications valid?

All three CNCF Kubernetes certifications — CKS, CKA, and CKAD — are valid for 2 years. Recertification requires retaking the current version of the exam.

What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CKS vs CKA vs CKAD

Side-by-side comparison of the three CNCF Kubernetes certifications — who they are for, what is on them, the prerequisite chain, and which order to take them in.

Last reviewed: April 27, 2026

The Short Answer

CKAD — Certified Kubernetes Application Developer. For developers shipping workloads onto a Kubernetes cluster they do not operate.
CKA — Certified Kubernetes Administrator. For operators and platform engineers who install, upgrade, and run clusters.
CKS — Certified Kubernetes Security Specialist. For security engineers and platform engineers focused on hardening Kubernetes workloads, infrastructure, and supply chain. Requires an active CKA.

Default cert path for security/platform engineers: skip CKAD, take CKA, then CKS. CKAD does not unlock anything CKA does not, and it is not a prerequisite for either of the other two.

Comparison at a Glance

Attribute	CKAD	CKA	CKS
Full name	Certified Kubernetes Application Developer	Certified Kubernetes Administrator	Certified Kubernetes Security Specialist
Audience	App developers shipping to Kubernetes	Cluster operators, platform engineers	Security engineers, platform engineers
Prerequisite	None	None	Active CKA
Format	Performance-based, hands-on	Performance-based, hands-on	Performance-based, hands-on
Duration	2 hours	2 hours	2 hours
Tasks	~15–20	~15–20	~15–20
Pass score	66%	66%	67%
Validity	2 years	2 years	2 years
Free retake	Yes (within 12 months)	Yes (within 12 months)	Yes (within 12 months)
Delivery	Online, proctored (PSI)	Online, proctored (PSI)	Online, proctored (PSI)

For current pricing on each, check the official Linux Foundation pages — CKAD, CKA, CKS. Bundles and storewide promotions (Black Friday, KubeCon, CKS Day) are often the cheapest path.

What Each Exam Covers

CKAD — Application Developer

Five domains, focused on building and deploying cloud-native applications onto Kubernetes:

Domain	Weight
Application Design and Build	20%
Application Deployment	20%
Application Observability and Maintenance	15%
Application Environment, Configuration, and Security	25%
Services and Networking	20%

CKA — Administrator

Five domains, focused on cluster operations:

Domain	Weight
Storage	10%
Troubleshooting	30%
Workloads and Scheduling	15%
Cluster Architecture, Installation, and Configuration	25%
Services and Networking	20%

CKS — Security Specialist

Six domains, focused on securing clusters and workloads:

Domain	Weight	Where to study
Cluster Setup	15%	Cluster Setup & Hardening
Cluster Hardening	15%	Cluster Setup & Hardening
System Hardening	10%	System Hardening
Minimize Microservice Vulnerabilities	20%	Microservice Security
Supply Chain Security	20%	Supply Chain Security
Monitoring, Logging & Runtime Security	20%	Monitoring, Logging, Runtime Security

How They Overlap

There is no overlap between CKS and CKAD beyond very basic kubectl usage — they target different roles. CKS depends heavily on CKA-level operational knowledge: kubeadm, etcd, scheduler flags, kubectl debugging, NetworkPolicy. Treat CKA as the foundation that CKS layers security on top of.

Topic	CKAD	CKA	CKS
Kubernetes architecture & kubeadm	—	Required	Assumed (from CKA)
Pod, Deployment, Service basics	Deep	Operational	Assumed
RBAC and ServiceAccounts	Use existing	Configure	Audit, harden, scope
NetworkPolicy	Apply	Configure	Default-deny + targeted allow
Pod Security Admission	Aware of	Configure	Enforce / audit profile
etcd, audit logging, KMS encryption	—	Operational	Hardening focus
Image scanning & signing	—	—	Trivy, Cosign, admission verify
Runtime detection (Falco, Tetragon)	—	—	Configure and write rules
seccomp, AppArmor, capabilities	Aware of	Aware of	Configure per workload

Which to Take First

If you are an application developer

Start with CKAD. It validates the part of the platform you actually use — Pod specs, ConfigMaps, Services, probes, Jobs. CKA is useful later if you want to move toward platform engineering, but not required for most app-dev roles.

If you are a platform / cluster operator

Start with CKA. Skip CKAD — it does not unlock anything CKA does not. Once CKA is active, decide whether security is core to your role; if it is, CKS is the natural next step.

If you are a security engineer

Take CKA → CKS. CKA is mandatory as a registration prerequisite for CKS, and the operational knowledge it builds — kubeadm, etcd, scheduler internals, debugging — is assumed throughout the CKS exam. Skip CKAD unless you also write application code on Kubernetes.

If you want all three

The most efficient order is CKAD → CKA → CKS, but CKA → CKAD → CKS is also fine. The only fixed dependency is CKA before CKS. Some organisations recognise the "Kubernetes Triple Crown" of holding all three; the value to you personally depends on whether each cert maps to current or near-term work.

Difficulty Comparison

All three exams use the same hands-on, performance-based format with the same duration and roughly the same task count. Practical difficulty differs based on scope:

CKAD — Manageable scope (5 domains tied to a small set of resources). Speed matters more than depth; people who know kubectl well usually pass.
CKA — Wider scope. Troubleshooting alone is 30% of the exam, which rewards experience working with broken clusters.
CKS — Hardest. Six domains, each with its own tooling (Trivy, Cosign, Falco, kube-bench, OPA/Kyverno). Requires both CKA-level operational fluency and security-specific depth, plus a higher pass score (67% vs 66%).

Cost Strategy Across Three Certs

Wait for storewide promotions (Black Friday / Cyber Monday / KubeCon / CKS Day). Discounts of 30–50% are common.
Bundle the cert with the official Kubernetes Fundamentals (LFS258) or Security Essentials (LFS260) course when bundle pricing is available.
Ask your employer for training-budget reimbursement — most engineering organisations cover Linux Foundation certs.
Avoid third-party voucher resellers. Codes there are often expired, region-locked, or already redeemed.

Resources on This Site

CKS Exam Guide — full breakdown of the CKS exam format, retake policy, and registration tips.
CKS Study Plan — 30/60/90-day plans sequencing the six CKS domains.
CKS Cheat Sheet — printable one-page reference for the exam.
Practice Questions — multiple-choice CKS practice covering all six domains.
Kubernetes Security Docs — the full documentation set this site is built around.

Decided on CKS? Start with the exam guide and study plan.

Open the CKS Exam Guide Study Plan