Most people who chase the KubeAstronaut title — CNCF’s recognition for holding all five Kubernetes certifications at once — start by asking “which exam first?” That’s a fair question, and we answer it in the KubeAstronaut path guide. But there’s a more useful question to answer before you book anything: what, exactly, is tested across all five exams, and where do they overlap?
That’s what this article is — a single, side-by-side curriculum map of every domain on KCNA, KCSA, CKA, CKAD, and CKS. Understanding the map turns five separate study efforts into one connected journey. You’ll see which foundations you only learn once and reuse everywhere, which skills are unique to a single exam, and how to sequence your prep so each certification builds on the last instead of starting from zero.
If you’re still deciding whether the whole journey is worth it, read Is Becoming a KubeAstronaut Worth It in 2026? first. If you’re committed, this map is your study compass.
The five exams that make up KubeAstronaut
All five certifications are administered by the Linux Foundation in partnership with the CNCF. They split cleanly into two tiers: associate exams (multiple choice) and professional exams (hands-on, performance-based on a live cluster).
| Exam | Full name | Format | Tier | Prerequisite |
|---|---|---|---|---|
| KCNA | Kubernetes & Cloud Native Associate | Multiple choice | Associate | None |
| KCSA | Kubernetes & Cloud Native Security Associate | Multiple choice | Associate | None |
| CKA | Certified Kubernetes Administrator | Performance (hands-on) | Professional | None |
| CKAD | Certified Kubernetes Application Developer | Performance (hands-on) | Professional | None |
| CKS | Certified Kubernetes Security Specialist | Performance (hands-on) | Professional | Active CKA required |
A few logistics worth fixing in your head, because they shape how you prepare:
- Associate exams (KCNA, KCSA) are remotely proctored multiple-choice tests, around 60 questions in 90 minutes, with a pass mark near 75%. They test understanding, not muscle memory.
- Professional exams (CKA, CKAD, CKS) are 2-hour, performance-based exams in a real terminal against live clusters. Pass marks sit around 66–67%. They test speed and execution — you solve tasks with kubectl, YAML, and the cluster, with access to the official kubernetes.io documentation during the exam.
- CKS has a hard prerequisite: your CKA must be active when you take it. That single rule dictates ordering for anyone going for all five.
- All five are valid for two years; see Kubernetes certification renewal for how recertification works.
Domain weightings are periodically updated by the CNCF. Treat the percentages below as your study-time allocation guide, and always confirm the current curriculum on the official Linux Foundation exam pages before you sit.
KCNA — Kubernetes & Cloud Native Associate
KCNA is the entry point: a broad, conceptual exam covering Kubernetes fundamentals and the wider cloud native ecosystem. It’s the best place to build vocabulary you’ll reuse in every other exam.
| Domain | Weight |
|---|---|
| Kubernetes Fundamentals | 46% |
| Container Orchestration | 22% |
| Cloud Native Architecture | 16% |
| Cloud Native Observability | 8% |
| Cloud Native Application Delivery | 8% |
Nearly half the exam is Kubernetes Fundamentals — the API, core objects (Pods, Deployments, Services), the control plane, and kubectl basics. Our KCNA Kubernetes architecture fundamentals guide covers the control plane and core objects in depth, and KCNA cloud native architecture & observability covers the CNCF landscape, the 4 pillars of observability, and delivery concepts like GitOps. For format details and question style, see the KCNA exam format breakdown and the KCNA study guide.
What’s unique to KCNA: breadth of the cloud native ecosystem (service mesh, the CNCF project landscape, container runtimes/OCI) at a conceptual level you won’t be tested on so explicitly anywhere else.
KCSA — Kubernetes & Cloud Native Security Associate
KCSA is the security counterpart to KCNA: still multiple choice, but focused on Kubernetes security concepts. It’s the ideal conceptual bridge before the hands-on CKS later.
| Domain | Weight |
|---|---|
| Kubernetes Cluster Component Security | 22% |
| Kubernetes Security Fundamentals | 22% |
| Kubernetes Threat Model | 16% |
| Platform Security | 16% |
| Overview of Cloud Native Security | 14% |
| Compliance and Security Frameworks | 10% |
KCSA leans on the 4Cs of Cloud Native Security (Cloud, Cluster, Container, Code) — covered in our KCSA 4Cs guide — and a structured threat model (trust boundaries, attack vectors, persistence), covered in the KCSA Kubernetes threat model deep dive. Round it out with the KCSA exam topics and KCSA study plan.
What’s unique to KCSA: security frameworks and compliance (CIS Benchmarks, supply chain frameworks, the threat model itself) at a conceptual level. Much of this becomes the practical CKS material later — see how they differ in KCSA vs CKS.
CKA — Certified Kubernetes Administrator
CKA is the first hands-on exam, and the operator’s certification: you build, configure, and troubleshoot clusters. It’s also the gateway to CKS, so most KubeAstronaut candidates treat it as the linchpin.
| Domain | Weight |
|---|---|
| Troubleshooting | 30% |
| Cluster Architecture, Installation & Configuration | 25% |
| Services & Networking | 20% |
| Workloads & Scheduling | 15% |
| Storage | 10% |
The biggest domain is Troubleshooting (30%) — diagnosing broken nodes, failing Pods, and control-plane issues against the clock. See our CKA troubleshooting guide. The cluster-lifecycle domain includes kubeadm upgrades (cluster upgrade guide) and etcd backup/restore (etcd guide) — both classic exam tasks. Deepen the rest with Workloads & Scheduling, Services & Networking, Storage: PV/PVC/StorageClass, and RBAC hands-on. The full curriculum is in the CKA exam domains breakdown.
What’s unique to CKA: cluster administration — installation with kubeadm, version upgrades, etcd operations, and node-level troubleshooting. No other exam tests you on running the cluster itself.
CKAD — Certified Kubernetes Application Developer
CKAD shares the hands-on format with CKA but flips the perspective: you’re the developer deploying and operating applications on Kubernetes, not the admin running the cluster.
| Domain | Weight |
|---|---|
| Application Environment, Configuration & Security | 25% |
| Application Design & Build | 20% |
| Application Deployment | 20% |
| Services & Networking | 20% |
| Application Observability & Maintenance | 15% |
CKAD goes deep on configuration and security from the app’s side — ConfigMaps, Secrets, ServiceAccounts, SecurityContexts, and resource controls. See resource management: requests, limits & quotas and ConfigMaps & Secrets. Design & Build covers multi-container Pod patterns, building container images, and Jobs & CronJobs; Deployment covers rolling updates; Observability covers liveness/readiness/startup probes and application troubleshooting. The full map is in the CKAD exam domains.
What’s unique to CKAD: application-design patterns (multi-container Pods, init containers, probes) and developer-centric workflows. The overlap with CKA on Services & Networking is real but tested from the consumer’s angle — see CKAD vs CKA.
CKS — Certified Kubernetes Security Specialist
CKS is the capstone: a hands-on security exam that assumes you already operate clusters fluently (hence the active-CKA requirement). It turns the concepts from KCSA into tasks you perform on a live, deliberately vulnerable cluster.
| Domain | Weight |
|---|---|
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging & Runtime Security | 20% |
| Cluster Hardening | 15% |
| System Hardening | 15% |
| Cluster Setup | 10% |
CKS spreads evenly across the security lifecycle. Start with cluster setup, hardening, RBAC, CIS & API server, then supply chain security: image scanning, SBOMs & admission control, and runtime security with Falco & audit logs. Round out with CKS exam topics, prerequisites, and the CKS exam practice environment guide.
What’s unique to CKS: hands-on tooling the other exams never touch — Falco, Trivy/image scanning, OPA Gatekeeper/admission control, AppArmor/seccomp, network policies for isolation, and the kube-bench CIS checks. It’s where KCSA’s theory becomes practice.
Where the exams overlap — and where they don’t
The single biggest insight from the map: a shared foundation appears in all five exams, so you learn it once and reuse it everywhere. The hands-on trio (CKA, CKAD, CKS) shares the same kubectl muscle memory and YAML fluency, which is why our Kubernetes exam terminal & kubectl speed mastery guide pays off three times over.
| Skill area | KCNA | KCSA | CKA | CKAD | CKS |
|---|---|---|---|---|---|
| Core objects (Pods, Deployments, Services) | ✅ concept | ✅ concept | ✅ hands-on | ✅ hands-on | ✅ hands-on |
| kubectl & YAML fluency | basic | basic | ✅ deep | ✅ deep | ✅ deep |
| Services & Networking | concept | concept | ✅ | ✅ | ✅ (NetworkPolicy) |
| RBAC & ServiceAccounts | concept | ✅ concept | ✅ | ✅ | ✅ deep |
| Cluster install/upgrade/etcd | — | — | ✅ unique | — | — |
| App design patterns/probes | — | — | — | ✅ unique | — |
| Security tooling (Falco, OPA, Trivy) | — | concept | — | — | ✅ unique |
| Cloud native ecosystem breadth | ✅ unique | partial | — | — | — |
Read the table this way: the left columns build vocabulary, the middle three turn it into hands-on skill, and each professional exam adds one unique pillar (CKA → running clusters, CKAD → building apps, CKS → securing them). The associate exams are not “lesser” — they’re the conceptual scaffolding that makes the hands-on exams click faster.
How to use this map to plan your study
The curriculum map points to a natural, low-friction order for KubeAstronaut:
1. KCNA — build cloud native vocabulary and Kubernetes fundamentals. Low-stakes, high-leverage.
2. KCSA — add the security mental models (4Cs, threat model) while the fundamentals are fresh.
3. CKA — convert concepts into hands-on operations; this is your kubectl bootcamp and the CKS prerequisite.
4. CKAD — reuse the same terminal skills from the developer’s angle; lots of CKA overlap means faster prep.
5. CKS — finish with hands-on security, turning KCSA theory into practice. Requires the active CKA you earned in step 3.
This is one sensible sequence, not the only one — strong developers sometimes swap steps 3 and 4. For the full timeline, costs, and alternatives, see the KubeAstronaut path guide and the broader Kubernetes certification path guide for 2026.
Practice: turn the map into exam-ready skill
A curriculum map tells you what to learn; realistic practice tells you whether you’ve actually learned it. For the hands-on exams especially, reading isn’t enough — you need to solve tasks against a real cluster, under time pressure, until the workflow is automatic.
That’s exactly what the KubeAstronaut Mock Exam Bundle is built for: structured, exam-style mock exams covering all five certifications in one place — performance-based scenarios for CKA, CKAD, and CKS, and exam-style question banks for KCNA and KCSA — so you can validate every domain on this map with confidence before you sit the real thing. If you want to feel the live-terminal format first, our free Kubernetes exam simulator (CK-X) is a great way to start, and you can read how others used it in how I passed Kubernetes certifications with CK-X.
Frequently asked questions
Which exams do I need for KubeAstronaut?
All five: KCNA, KCSA, CKA, CKAD, and CKS. You must hold all of them active at the same time to earn (and keep) the KubeAstronaut title.
Do I have to take them in a specific order?
Only one rule is enforced: CKA must be active before you take CKS. Beyond that, ordering is your choice — but starting with the associate exams (KCNA, KCSA) and building toward the hands-on professionals is the lowest-friction path for most people.
How are the associate and professional exams different?
Associate exams (KCNA, KCSA) are multiple choice and test concepts. Professional exams (CKA, CKAD, CKS) are hands-on, performance-based exams where you solve real tasks in a terminal against live clusters. The associates build understanding; the professionals test execution and speed.
How much do the domains overlap?
Significantly. Core Kubernetes objects, kubectl, YAML, Services/Networking, and RBAC appear across multiple exams — so foundations learned for one exam transfer to the others. Each professional exam then adds one unique pillar: cluster administration (CKA), application development (CKAD), and security tooling (CKS).
Are the domain weightings fixed?
No. The CNCF updates curricula and weightings periodically. Use the percentages here to allocate study time, but always confirm the current breakdown on the official Linux Foundation exam pages before you book.
How long are the certifications valid?
Each CNCF Kubernetes certification is valid for two years. See Kubernetes certification renewal for how to keep your KubeAstronaut status current.
Conclusion
The KubeAstronaut journey looks like five mountains, but the curriculum map shows it’s really one mountain with five summits sharing the same base camp. The associate exams (KCNA, KCSA) build your vocabulary and security models; the professional exams (CKA, CKAD, CKS) turn that knowledge into hands-on skill, each adding a unique pillar — running clusters, building apps, and securing them. Learn the shared foundation once, sequence the exams so each builds on the last, and the title becomes a matter of disciplined, well-targeted practice rather than five disconnected cramming sessions.
Use this map to plan your study, lean on the linked domain deep dives to go deep where you’re weak, and validate every domain with realistic practice in the KubeAstronaut Mock Exam Bundle. Then go earn all five.