CKAD Study Guide 2026: 8-Week Plan to Pass Certified Kubernetes Application Developer

The Certified Kubernetes Application Developer (CKAD) is one of the most respected hands-on certifications in cloud-native engineering. It is also the most time-pressured exam you are likely to ever sit. There is no multiple choice, no “eliminate two answers” trick — you open a real cluster, you fix a real problem, you move on. This guide takes you from zero kubectl to a first-try pass in eight weeks.

Why CKAD Matters in 2026

Kubernetes is the de-facto orchestration layer for modern applications, and the CKAD is the credential employers use to filter for engineers who can actually ship to it. Demand is structural, not cyclical: every major cloud provider, every PaaS vendor, every internal platform team is built around Kubernetes primitives.

In 2026, listings tagged “CKAD preferred” have grown to over 30,000 globally on LinkedIn alone — up from roughly 18,000 two years ago. US base salaries for engineers holding CKAD plus 3+ years of cloud-native experience average $145K-$175K, with senior platform roles regularly crossing $200K. In India and Southeast Asia, CKAD-certified engineers command a 25-40% premium over peers without the credential.

The CKAD is also the credential with the longest practical shelf life. Unlike vendor-specific certifications that age out with each major service revamp, Kubernetes APIs are governed by a deprecation policy that protects stable resources for at least a year. The credential is valid for 2 years, but the skills you build — kubectl fluency, YAML literacy, troubleshooting muscle memory — carry across every major employer.

Compared to its sibling certifications, CKAD sits in the sweet spot for application engineers. CKA leans toward cluster operators (etcd, kubeadm, RBAC); CKS layers security on top of CKA. CKAD assumes you build the apps that run on the cluster — closer to what most developers actually do day-to-day.

CKAD Exam Format & What Changed

The CKAD is a 2-hour, online-proctored, performance-based exam. There are 15-20 hands-on tasks across one or more pre-built clusters. You ssh into a terminal, you read the task, you solve it using kubectl, manifests, helm, or whatever else the task requires. There are no multiple-choice questions.

The pass mark is 66%. The cost is $445 USD, which includes one free retake within 12 months. Linux Foundation often runs 30-40% off promotions around Black Friday, CNCF events, and KubeCon — never pay full price if you can wait.

The exam allows full access to kubernetes.io/docs, kubernetes.io/blog, and helm.sh/docs. You may open one extra browser tab for these references. Copy-paste is supported but quirky — practice the exact keyboard sequence (Ctrl+Shift+C / Ctrl+Shift+V in the exam terminal) ahead of time.

The 2026 curriculum tracks Kubernetes v1.30. Docker-specific knowledge has been removed from the exam — you will not be asked about Dockerfiles. Container runtime knowledge is generic (containerd, CRI-O, OCI image references). Helm is in scope at a basic level (install/upgrade/rollback of a chart, templating values). PodSecurityPolicy is gone; expect Pod Security Standards (privileged/baseline/restricted) instead.

The biggest exam-day shift in 2025-26 was the introduction of an in-browser remote desktop instead of pure SSH. You get a Linux desktop with a terminal, a Firefox window, and clipboard support — closer to a real workstation. Practice on killer.sh, which replicates this environment.

The 5 CKAD Domains, Weighted

The CKAD curriculum is split across five domains. Weighting tells you how to prioritize study time — do not spend a third of your prep on a 15% domain.

Application Design and Build — 20%

The fundamentals of Pod construction. Multi-container patterns (sidecar, ambassador, adapter), init containers (run before main containers, share volumes), Jobs (run-to-completion), CronJobs (scheduled), persistent volumes and PVCs, common container image referencing. Expect 3-4 tasks here. The trap: candidates over-engineer multi-container manifests when a single container would do.

Application Deployment — 20%

Deployments, ReplicaSets, rolling updates and rollbacks, deployment strategies (RollingUpdate vs Recreate), basic Helm operations (install, upgrade, rollback, list releases), Kustomize overlays. Canary and blue/green are not directly tested, but you should know how a percentage shift would be implemented. Expect 3-4 tasks.

Application Observability and Maintenance — 15%

Liveness, readiness, and startup probes. Pod and container logs (kubectl logs, --previous, -c). Resource monitoring (kubectl top, metrics-server). Debugging tooling (kubectl debug, ephemeral containers). API deprecations (read the changelog and act). Expect 2-3 tasks. The trap: misconfiguring readiness probes so pods never become Ready.

Application Environment, Configuration and Security — 25%

The largest domain. ConfigMaps and Secrets (env vs volume mounts), SecurityContexts (runAsUser, runAsNonRoot, fsGroup), ServiceAccounts and RBAC bindings, resource requests/limits, taints/tolerations/affinity at the application level, Pod Security Standards. Custom Resource Definitions and Operators are in scope at a read-only level. Expect 4-5 tasks — nail this domain or you will not pass.

Services and Networking — 20%

Service types (ClusterIP, NodePort, LoadBalancer, ExternalName, Headless), Ingress and IngressClass, NetworkPolicies (default-deny, allow-from-namespace, allow-from-pod-label). DNS within the cluster. Expect 3-4 tasks. NetworkPolicies are a perennial trap: candidates write policies that look correct but fail because they did not include the egress rule for DNS (UDP 53 to kube-dns).

The 8-Week Study Plan

This plan assumes 1-2 hours per weekday and 3-4 hours each weekend day. Compress to 4 weeks if you are full-time studying; stretch to 12 weeks if you are juggling a day job.

Week 1-2: Foundations + Lab Setup

Install minikube or kind locally. (kind is faster on Apple Silicon and Windows WSL2.) Get a working cluster, install kubectl, and confirm kubectl get nodes works. Spend the rest of week 1 reading the official Kubernetes documentation overview — Pods, Nodes, Deployments, Services. Week 2: become fluent in YAML — indentation, lists vs maps, multi-document files. Drill kubectl run, kubectl create, kubectl apply, kubectl explain daily.

Week 3: Application Design

Build pods with multiple containers. Write a sidecar that tails a log file and emits to stdout. Add an init container that waits for a database to be ready. Schedule a CronJob that runs every minute. Create a PV, PVC, and mount it. Aim for 2-3 hands-on exercises per day, all written from scratch (do not paste templates).

Week 4: Deployment

Create a Deployment with 5 replicas, roll out an image change, observe the rolling update, roll back. Practice kubectl rollout status / history / undo commands until they are muscle memory. Install a Helm chart (try Bitnami’s nginx), upgrade it, rollback. Write a small Kustomize overlay that changes the image tag for “prod” vs “dev” namespaces.

Week 5: Observability & Maintenance

Add liveness and readiness probes to a deployment. Intentionally break the readiness probe and watch the pod drop out of the Service’s endpoint list. Use kubectl logs, kubectl logs --previous, kubectl describe pod, and kubectl get events to debug a crash-looping pod. Install metrics-server, run kubectl top pod / node. Try kubectl debug with an ephemeral container.

Week 6: Configuration & Security

Create ConfigMaps from literals, files, and env files. Mount them as env vars and as volumes. Same for Secrets. Set a SecurityContext to enforce runAsNonRoot: true, then watch a pod fail because the image runs as root. Create a ServiceAccount, bind it with a Role and RoleBinding, and call the Kubernetes API from inside a pod using the SA token. Set CPU and memory requests/limits and verify with kubectl describe pod.

Week 7: Services & Networking

Create ClusterIP, NodePort, and LoadBalancer services. Add an Ingress with two rules pointing to different services. Write a NetworkPolicy that denies all ingress to a namespace, then add a rule to allow only pods with label app=frontend. Resolve services by DNS from inside a pod (nslookup my-service.my-namespace.svc.cluster.local).

Week 8: Killer.sh Simulator + Speed Runs

Activate your killer.sh simulator (included free with your $445 exam fee — two attempts, 36 hours each). Take the first attempt cold to find your weak areas. Spend mid-week on focused remediation. Take the second attempt as a full timed run. Score 60%+ on killer.sh and you are ready — the real exam is meaningfully easier. End the week with two speed-run sessions where you solve 10 random tasks against the clock.

Killer kubectl Shortcuts Every CKAD Needs

Speed on the CKAD comes from kubectl muscle memory. The first thing to set up in your exam environment:

• alias k=kubectl
• complete -F __start_kubectl k (tab completion for the alias)
• export do="--dry-run=client -o yaml" (write k run nginx --image=nginx $do > pod.yaml)
• export now="--force --grace-period=0" (instant pod deletion: k delete pod nginx $now)

Generate manifests imperatively, then edit. Almost every CKAD task is faster as k create <resource> ... $do > file.yaml followed by vim file.yaml than as cold YAML. The resources you can generate:

• k run nginx --image=nginx --port=80 $do — Pod
• k create deployment web --image=nginx --replicas=3 $do — Deployment
• k expose deployment web --port=80 --target-port=8080 $do — Service
• k create configmap app-cfg --from-literal=LOG_LEVEL=debug $do — ConfigMap
• k create secret generic db --from-literal=PASSWORD=s3cret $do — Secret
• k create job hello --image=busybox -- echo hello $do — Job
• k create cronjob hello --image=busybox --schedule="*/1 * * * *" -- echo hello $do — CronJob
• k create role dev --verb=get,list --resource=pods $do — Role
• k create rolebinding dev-rb --role=dev --user=jane $do — RoleBinding
• k create ingress web --rule="example.com/*=web:80" $do — Ingress

kubectl explain is the offline doc lookup. k explain pod.spec.containers tells you every field on a container without opening the browser. Drill it: k explain deployment.spec.strategy.rollingUpdate, k explain networkpolicy.spec.ingress, k explain pod.spec.affinity.

Vim shortcuts that save seconds: :set number paste at the start of every file edit, dd to delete a line, yyp to duplicate, :%s/old/new/g for global replace, :wq to save and exit. These compound: 30 saved seconds per task across 20 tasks is 10 minutes back — the difference between pass and fail.

Exam-Day Strategy

Pace is everything. With 15-20 tasks in 120 minutes, you have ~6-8 minutes per task. The trap is spending 20 minutes on one hard task and running out of time on five easy ones at the bottom of the list.

Strategy:

1. First pass — quick wins. Read every task. Solve anything you can in under 5 minutes. Flag the rest with the exam’s built-in flagging tool.
2. Second pass — medium tasks. Return to flagged tasks. Spend up to 8 minutes each.
3. Final pass — the hard ones. Whatever time remains. Submit partial answers — partial credit is awarded.

Set your kubectl context at the start of every task. Tasks live in different namespaces and clusters — kubectl config use-context <name> is the first command of every task. Forgetting this is the #1 reason candidates lose points on otherwise-perfect solutions.

Use tmux if you are comfortable with it — horizontal split for kubectl in one pane, vim in the other. If tmux is new to you, do not learn it in week 8 — stick to tabs.

Bookmark the docs ahead of time: NetworkPolicy examples, SecurityContext reference, Pod multi-container examples, Helm chart commands. The bookmarks transfer into your exam browser session.

Common CKAD Mistakes That Fail Candidates

Five mistakes that cost more candidates a first-try pass than any knowledge gap:

1. Wrong namespace. The task says “in namespace ckad-app” and the candidate creates the resource in default. Always include -n <namespace> or use kubectl config set-context --current --namespace=<ns> at the start of each task.
2. Hand-writing YAML from scratch. Burns 5 minutes when k run/create $do would take 30 seconds. Imperative-first, always.
3. Skipping the verify step. Always confirm kubectl get pods -n <ns> shows Running before moving on. A misindented YAML file can apply without error but produce a CrashLoopBackOff.
4. NetworkPolicy without DNS egress. A default-deny policy on egress will break DNS lookups, making the pod fail to resolve any in-cluster service. Always allow UDP/53 to kube-system.
5. Not using --force --grace-period=0. When you need to delete and recreate a pod, the 30-second graceful shutdown adds up across the exam. Use the alias.

Recommended Resources & Next Steps

The best paid resources in 2026 are Mumshad Mannambeth’s CKAD course on KodeKloud (the gold-standard course, with browser-based labs), killer.sh (included free with your exam), and the official Kubernetes documentation tutorials (free, underrated). The CNCF’s own Kubernetes Fundamentals (LFS258) is also worth the certificate-bundle discount.

Free resources: the ExamCert CKAD free question sets, the Kubernetes documentation’s “Tasks” section, Walid Shaari’s CKAD-exercises GitHub repo, and the official Kubernetes YouTube channel’s 1.30 release videos.

After CKAD, the natural progression is CKA (the cluster admin side — etcd backups, kubeadm, troubleshooting nodes) followed by CKS (security — requires a current CKA). See our CKA vs CKAD comparison and the full Kubernetes certifications guide.

Frequently Asked Questions

How hard is the CKAD exam?

Moderate; 15-20 hands-on tasks in 2 hours = ~6-8 min each. Time pressure, not knowledge depth, is the killer. Pass rate ~62-70%.

How much does CKAD cost in 2026?

$445 USD via Linux Foundation including 1 free retake within 12 months.

Do I need CKA before CKAD?

No. They are independent. Many people start with CKAD because application development is closer to typical dev work than cluster admin.

Is killer.sh required for CKAD?

Not required but highly recommended. Two free attempts come with your $445 exam — use both. Most candidates score lower on killer.sh than the real exam.

What kubectl version is on the CKAD exam?

Currently v1.30. The Linux Foundation updates each cycle — check the official handbook before booking.