CKA vs CKAD vs CKS: Complete Comparison of All Three Professional Kubernetes Certifications

All three are hands-on, performance-based exams in a live terminal. All three cost $445, give you 2 hours, and include a free retake. The difference is what they test. The CKA tests cluster administration. The CKAD tests application deployment. The CKS tests security. Your role determines which ones you need and what order to take them in.

Here is the complete breakdown.

Side by Side: All Three Exams

	CKA	CKAD	CKS
Full name	Certified Kubernetes Administrator	Certified Kubernetes Application Developer	Certified Kubernetes Security Specialist
Price	$445	$445	$445
Duration	2 hours	2 hours	2 hours
Tasks	15 to 20	15 to 20	15 to 20
Passing score	66%	66%	67%
Validity	2 years	2 years	2 years
Prerequisites	None	None	Valid CKA
Format	Hands-on terminal	Hands-on terminal	Hands-on terminal
Free retake	Yes	Yes	Yes
practice sessions	2 sessions	2 sessions	2 sessions
Open book	kubernetes.io/docs	kubernetes.io/docs + helm.sh	kubernetes.io/docs + security tool docs
Primary audience	Cluster admins, DevOps, SREs	Developers, app architects	Security engineers, DevSecOps
Difficulty	Hard	Moderate	Hardest
Community pass rate	~50 to 60%	~55 to 65%	~40 to 55%
Estimated salary premium	+$15K to $20K	+$12K to $18K	+$20K to $30K

The exam logistics are nearly identical. Same proctoring platform, same browser-based terminal, same rules. The CKS passing score is one point higher (67% vs 66%), which is essentially no difference. What separates these exams is the content.

What Each Exam Tests

CKA: The Cluster Operations Exam

The CKA treats you as the person responsible for keeping Kubernetes running. You install clusters, upgrade them, back up etcd, configure networking, set up storage, manage access control, and fix things when they break.

Domain	Weight
Troubleshooting	30%
Cluster Architecture, Installation & Configuration	25%
Services & Networking	20%
Workloads & Scheduling	15%
Storage	10%

Troubleshooting at 30% is the defining characteristic. The exam throws broken clusters at you and expects you to diagnose and fix them. A Pod stuck in CrashLoopBackOff. A Service with no endpoints. A node that will not join the cluster. A kubelet that will not start. These tasks require understanding how the entire system fits together, not just memorizing commands.

CKA-exclusive topics (not on CKAD or CKS):

• Installing clusters with kubeadm (init, join, tokens)
• Upgrading cluster versions
• etcd backup and restore
• Node maintenance (cordon, drain, uncordon)
• Troubleshooting cluster components (API server, scheduler, controller manager, kubelet)
• Managing kubeconfig files and cluster contexts

Full breakdown: CKA study guide

CKAD: The Application Deployment Exam

The CKAD treats you as a developer who deploys and manages applications on a cluster someone else runs. You create workloads, configure them, expose them, debug them, and manage their lifecycle.

Domain	Weight
Application Environment, Configuration & Security	25%
Application Design and Build	20%
Application Deployment	20%
Services & Networking	20%
Application Observability and Maintenance	15%

The weight is distributed more evenly than the CKA. No single domain dominates.

CKAD-exclusive topics (not on CKA or CKS):

• Helm operations (install, upgrade, rollback, search)
• Multi-container Pod patterns in depth (sidecars, init containers, ambassadors)
• All three probe types in depth (liveness, readiness, startup)
• Custom Resource Definitions
• API version deprecations and conversions
• Advanced Job/CronJob patterns (parallelism, completions, backoff limits)

Full breakdown: CKAD study guide

CKS: The Security Exam

The CKS treats you as the person responsible for securing everything: the cluster, the workloads, the supply chain, and the runtime environment. It assumes you already know CKA-level cluster administration and adds security on top.

Domain	Weight
Minimize Microservice Vulnerabilities	20%
Supply Chain Security	20%
Monitoring, Logging & Runtime Security	20%
Cluster Hardening	15%
System Hardening	15%
Cluster Setup	10%

Three domains at 20% each make up 60% of the exam. The security focus is broad: from Dockerfile best practices (build time) to Falco alerting (runtime).

CKS-exclusive topics (not on CKA or CKAD):

• Falco rules and runtime threat detection
• Trivy image vulnerability scanning
• AppArmor and Seccomp profiles
• OPA/Gatekeeper policy enforcement
• Kubernetes audit logging configuration
• Pod Security Standards and Pod Security Admission
• Encryption at rest for Secrets
• CIS Kubernetes benchmarks (kube-bench)
• Supply chain security (image signing, registry allowlisting)
• RuntimeClasses (gVisor, Kata Containers)
• Node metadata protection

Full breakdown: CKS study guide

The Overlap Between All Three

About 40% of CKA and CKAD content overlaps. The CKS overlaps with the CKA in a different way: it assumes CKA knowledge and builds on it rather than re-testing it.

Topics on all three exams

These appear on the CKA, CKAD, and CKS in some form:

• Pods and Deployments. Creating, configuring, and debugging workloads.
• Services. Exposing applications and understanding service types.
• ConfigMaps and Secrets. Creating and mounting configuration data.
• NetworkPolicies. Writing ingress and egress rules. The CKS goes deeper on security implications.
• RBAC. Roles, RoleBindings, ServiceAccounts. The CKA covers the basics. The CKS covers hardening and least privilege.
• Security Contexts. The CKA touches on them. The CKAD includes them in the configuration domain. The CKS requires deep knowledge of every field.
• Namespaces. Resource scoping and isolation.

CKA and CKAD overlap (not on CKS)

• Persistent Volumes and Persistent Volume Claims
• Resource requests and limits
• Labels, selectors, and annotations
• Rolling updates and rollbacks
• DaemonSets, StatefulSets
• StorageClasses

CKA and CKS overlap (not on CKAD)

• API server configuration and flags
• etcd security
• Certificate management
• Cluster component troubleshooting
• Node-level operations

No overlap

• Helm is CKAD only
• Falco is CKS only
• Trivy is CKS only
• kubeadm installation is CKA only
• etcd backup/restore is CKA only

Understanding the overlap is the key to efficient multi-cert study. You never need to learn the shared material twice if you take the exams in the right order and do not wait too long between them.

Difficulty Comparison

From easiest to hardest: CKAD < CKA < CKS

CKAD is the most accessible. The scope is narrower than the CKA. It skips cluster administration entirely. If you work with Kubernetes deployments, services, and config in your day job, most CKAD topics are already familiar. The challenge is speed, not knowledge gaps.

CKA is harder because of scope and troubleshooting. It covers everything the CKAD covers in the overlap areas, plus cluster operations, etcd, kubeadm, and heavy troubleshooting. The troubleshooting domain (30%) is the hardest part because failures are unpredictable. You need to understand how the system works, not just how to create resources.

CKS is the hardest because of unfamiliar tools. Most engineers have never used Falco, AppArmor, Seccomp, or OPA/Gatekeeper in their daily work. The CKS introduces an entire toolset that you probably need to learn from scratch. It also requires everything the CKA requires and adds the security layer on top. The combination of CKA-level skills plus new security tools makes it the most demanding exam.

Where people fail each exam

CKA: Running out of time on troubleshooting tasks. Forgetting to switch cluster contexts. Weak Linux fundamentals slowing down terminal work.

CKAD: Not being fast enough with kubectl imperative commands. Writing YAML from scratch instead of generating templates. Mixing up probe types or Job restart policies.

CKS: Not knowing security tool syntax (Falco rules, audit policies). Breaking the API server by editing its manifest incorrectly. Not understanding how Pod Security Standards enforcement works. Skipping Falco study.

Study Time Comparison

Starting Point	CKA	CKAD	CKS
No K8s experience, some Linux	8 to 12 weeks	6 to 8 weeks	N/A (need CKA first)
Some K8s experience	6 to 8 weeks	4 to 6 weeks	N/A (need CKA first)
Daily K8s user	3 to 4 weeks	2 to 3 weeks	N/A (need CKA first)
Just passed CKA	N/A	2 to 3 weeks	4 to 6 weeks
CKA + CKAD holder	N/A	N/A	4 to 6 weeks
CKA holder, 6+ months ago	N/A	3 to 4 weeks	6 to 8 weeks

The fastest path through all three: pass CKA, immediately start CKAD prep (2 to 3 weeks), pass CKAD, then CKS prep (4 to 6 weeks). Total: about 3 to 5 months from your first day of CKA study to passing all three.

Career Value Comparison

Which roles want which certs?

Role	CKA	CKAD	CKS	Best Combination
DevOps Engineer	Required	Nice to have	Nice to have	CKA + CKAD
Platform Engineer	Required	Valuable	Valuable	CKA + CKS
SRE	Required	Nice to have	Valuable	CKA + CKS
Cloud Engineer	Required	Nice to have	Nice to have	CKA
Backend Developer	Nice to have	Required	Optional	CKAD + CKA
Security Engineer	Required	Optional	Required	CKA + CKS
DevSecOps Engineer	Required	Valuable	Required	All three
Solutions Architect	Valuable	Valuable	Nice to have	CKA + CKAD
Kubernetes Consultant	Required	Required	Valuable	All three

"Required" means the cert is strongly expected or frequently listed in job postings for that role. "Valuable" means it adds weight. "Nice to have" means it is a small positive. "Optional" means it rarely factors in.

Salary premium by certification

Certification	Salary Premium	Best For
CKA alone	+$15K to $20K	Broadest applicability
CKAD alone	+$12K to $18K	Developer roles
CKA + CKAD	+$18K to $25K	Full-stack K8s roles
CKA + CKS	+$20K to $30K	Security-focused roles
CKA + CKAD + CKS	+$22K to $32K	Maximum credential weight

The CKA provides the largest single-cert bump. Adding CKAD gives a moderate additional increase. Adding CKS gives a significant increase for security roles. The jump from two certs to three shows diminishing returns for non-security roles. See the full salary breakdown for detailed numbers by role and location.

Job posting frequency

Based on LinkedIn and job board data, certification mentions in job postings rank:

1. CKA appears most frequently. It is the default Kubernetes certification that employers ask for.
2. CKAD appears second, primarily in developer-focused roles.
3. CKS appears third, but is growing fastest as Kubernetes security becomes a priority.

The trend: CKS demand is increasing faster than CKA or CKAD demand because Kubernetes security is still maturing and companies are realizing they need specialized security skills as they move production workloads to K8s.

Which One Should You Get?

If you can only get one

Get the CKA. It is the most recognized, applies to the most roles, and provides the broadest foundation. It also unlocks the CKS if you want to specialize in security later.

The only exception: if you are purely a developer who deploys to Kubernetes and will never manage clusters, the CKAD is more directly relevant to your daily work. But even then, the CKA gives you broader career flexibility.

If you can get two

CKA + CKAD if you want maximum versatility. This combination covers both the infrastructure and application sides of Kubernetes. Most DevOps and platform engineering roles benefit from both.

CKA + CKS if security is part of your role or you work in regulated industries (finance, healthcare, government). The CKS salary premium is the highest of the three, and Kubernetes security skills are in growing demand.

If you can get all three

Do it. CKA + CKAD + CKS is the complete professional set. The triple bundle saves money over individual purchases. The total study time for all three is 3 to 5 months if you take them sequentially.

The recommended order:

1. CKA first. Broadest foundation, unlocks CKS.
2. CKAD second. 40% overlap with CKA. Two to three weeks of additional study.
3. CKS third. Builds on CKA knowledge. Hardest exam, best tackled while CKA skills are sharp.

Do not reverse the order. Going CKAD first then CKA is less efficient (the CKA adds cluster admin topics the CKAD does not cover). Going CKS before CKAD means tackling the hardest exam before the easiest one.

For the full path analysis with four different routes based on your starting point, see the Kubernetes certification path guide.

The Associate Certs: Where KCNA and KCSA Fit

This article focuses on the three professional certifications because they carry the most career weight. But the two associate certs round out the picture.

KCNA (Kubernetes and Cloud Native Associate): A $250, multiple-choice exam covering K8s fundamentals. Best for beginners or non-technical roles. If you pass any of the three professional exams, the KCNA material is a strict subset of what you already know.

KCSA (Kubernetes and Cloud Native Security Associate): A $250, multiple-choice exam covering security concepts. Similar relationship to the CKS as the KCNA has to the CKA. After passing the CKS, the KCSA is a quick review.

Both associate certs matter primarily for the Kubestronaut title, which requires all five. As standalone credentials, they carry significantly less weight than CKA, CKAD, or CKS.

For the full comparison including the associate certs, see Best Kubernetes Certifications in 2026.

Preparing for Multiple Exams Efficiently

If you plan to take two or all three, these strategies save time.

Study the shared material once

The CKA covers Pods, Deployments, Services, ConfigMaps, Secrets, PVCs, NetworkPolicies, RBAC, and resource management. All of this carries into the CKAD and CKS. Study it thoroughly for the CKA and you will not need to re-learn it.

Take exams back to back

The 40% overlap between CKA and CKAD only helps if the knowledge is fresh. Taking the CKAD 2 to 3 weeks after passing the CKA is ideal. Waiting 6 months means you have to re-study much of the shared content.

Similarly, the CKS builds on CKA skills. Taking it within 2 to 3 months of the CKA keeps your cluster admin knowledge sharp.

Use practice sessions for each exam separately

Each exam purchase includes its own practice sessions. Do not skip them. The CKA practice sessions, CKAD practice sessions, and CKS practice sessions test different content. They are the best predictor of exam readiness for each specific test.

Keep a running cheat sheet

As you study for the CKA, write down the commands and patterns you use most. Carry that cheat sheet into your CKAD and CKS prep. Add new commands as you learn them. By the time you sit for the CKS, you will have a personal reference that covers all three exams. You cannot use it during the exam, but building it reinforces the knowledge.

Budget for all three upfront

If you know you want all three, buy the triple bundle from the start. It saves money and psychologically commits you to the full sequence. Having the exams purchased gives you a reason to keep going after the first pass.

FAQ

Which is harder, CKA or CKAD?

The CKA is harder for most people. It has a broader scope, includes cluster administration topics the CKAD skips, and the Troubleshooting domain (30%) requires deep understanding of how the entire system works. The CKAD is more focused on application deployment, which feels more natural to engineers who already work with Kubernetes. Both exams have the same time pressure.

Which is harder, CKA or CKS?

The CKS is harder. It requires everything the CKA requires plus an entire layer of security tools and concepts. The CKS assumes CKA-level knowledge and adds Falco, Trivy, AppArmor, Seccomp, OPA/Gatekeeper, audit logging, and supply chain security. Most of these tools are new to the average Kubernetes administrator.

Can I take CKAD and CKS without the CKA?

You can take the CKAD without the CKA. It has no prerequisites. You cannot take the CKS without a valid CKA. That is the only hard prerequisite in the Kubernetes certification system.

Is CKA + CKAD or CKA + CKS a better combination?

CKA + CKAD is better for general-purpose DevOps and platform engineering roles. CKA + CKS is better for security-focused roles and regulated industries. CKA + CKAD gives you the broadest skill coverage. CKA + CKS gives you the highest salary premium in the right role. If you can get all three, do it.

How much does it cost to get all three?

Individual pricing: $445 x 3 = $1,335. The CKA + CKAD + CKS triple bundle saves 15 to 30% depending on current promotions. Each exam includes a free retake and practice sessions regardless of whether you buy individually or as a bundle.

Can I take all three in the same month?

Technically possible but not recommended. Each exam is 2 hours of intense focus. You need time between exams to study the material specific to each one. A realistic timeline: CKA in month 1, CKAD 2 to 3 weeks later, CKS 4 to 8 weeks after that. Rushing leads to failed attempts, which wastes your free retakes.

Do all three certifications expire at the same time?

No. Each certification expires 2 years from the date you passed it. If you take CKA in January, CKAD in February, and CKS in April, they expire in January, February, and April two years later. You need to manage three separate renewal dates.

Which combination appears most in job postings?

CKA alone is the most requested. CKA + CKAD is the second most common combination, typically in roles that span both infrastructure and development. CKA + CKS is growing fastest, especially in enterprises and regulated industries. Requiring all three is rare but appears in senior architect and principal engineer postings.