CNCF · 2026 Edition
A complete preparation guide written by CNCF-certified engineers. Covers the exam format,all 5 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
2–3 months
Prep time
Intermediate
Difficulty
Hands-on lab
Format
Exam code
CKAD
Full name
Certified Kubernetes Application Developer
Vendor
CNCF
Duration
120 minutes
Exam format
Performance-based lab (no multiple-choice)
Domains covered
5 blueprint domains
Recommended experience
Basic Kubernetes knowledge; familiarity with containers and YAML
Typical prep time
2–3 months
CKAD validates Kubernetes application development skills — designing, building, and deploying cloud-native applications. It is the credential for developers working in Kubernetes-native environments who need to demonstrate operational fluency with the platform.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Performance-based exam
The real CKAD exam is entirely performance-based — you deploy and manage applications in a live Kubernetes cluster using kubectl and YAML manifests. There are no multiple-choice questions. Courseiva practice questions cover the underlying concepts, but hands-on lab practice with Deployments, Services, ConfigMaps, and resource limits is still required.
Weeks 1–3
Application Design and Build: containers, Jobs, CronJobs, init containers, multi-container pods
Tip: Multi-container pod patterns are tested on CKAD: sidecar (adds functionality to the main container), ambassador (proxies external communications), adapter (transforms output for consumption). Know the pattern by description — exam questions describe a scenario and ask which pattern applies.
Weeks 4–5
Application Deployment: Deployment strategies, Helm, Kustomize, rollbacks
Tip: Deployment rollout commands are core CKAD skills: kubectl rollout status, kubectl rollout history, kubectl rollout undo (and --to-revision=N for specific version). Know how to update a Deployment image imperatively: kubectl set image deployment/name container=image:tag.
Weeks 6–7
Application Observability and Maintenance: probes, logging, debugging, API deprecations
Tip: Liveness vs readiness vs startup probes: liveness (is the container running? restart if not), readiness (is the container ready to serve traffic? remove from service if not), startup (is the application started? used for slow-starting containers to prevent premature liveness restarts). Know the probe types (httpGet, exec, tcpSocket) and what each does.
Weeks 8–10
Services, Networking, Environment Configuration, and Security
Tip: SecurityContext settings tested on CKAD: runAsUser (UID for container process), runAsNonRoot (fail if container tries to run as root), readOnlyRootFilesystem (prevent writes to container filesystem), allowPrivilegeEscalation (prevent sudo-like escalation). Know how to set these at both pod and container level.
CKAD is open-book with the same permitted documentation as CKA. Set up kubectl aliases and completion before the exam timer starts.
ConfigMaps and Secrets are core CKAD topics. Know how to consume them as environment variables (env.valueFrom.configMapKeyRef) and as volumes (volumeMounts + volumes.configMap). Know that Secrets are base64 encoded (not encrypted) by default in etcd.
Resource requests vs limits in Kubernetes: requests are used by the scheduler to find a node with enough capacity; limits cap how much CPU/memory the container can use. A container that exceeds its memory limit is OOMKilled; a container that exceeds its CPU limit is throttled but not killed.
Helm chart structure: Chart.yaml (metadata), values.yaml (default values), templates/ (Kubernetes manifests with templating). Know how to install (helm install), upgrade (helm upgrade), rollback (helm rollback), and uninstall (helm uninstall) a release, and how to override values with --set or -f.
Network Policies in CKAD: by default, all pods can communicate with all other pods. A NetworkPolicy selectively restricts this. Know that an empty podSelector ({}) selects ALL pods in the namespace — this is how you create a default-deny policy and then whitelist specific traffic.
Apply everything in this guide with adaptive practice questions, detailed answer explanations, and domain analytics.
Deep-dive explanations of the key topics tested on CKAD — with exam key points and common misconceptions.