Certified Kubernetes Application Developer (CKAD) #1: The Exam Environment — Mastering kubectl, dry-run, and generators

If the 26-post K8s hands-on track had you running a cluster yourself and the 9-post KCNA series validated the big picture of cloud native through multiple choice, the next step is proving you can build and fix manifests directly from the terminal. Among the CNCF Kubernetes certifications, the hands-on exam taken from an application developer’s point of view is the Certified Kubernetes Application Developer (CKAD). This series unpacks every domain you need to pass CKAD across 21 posts.

Where KCNA was multiple choice that asked you to recognize a concept, CKAD is hands-on — it asks you to produce the answer yourself in an empty terminal. So this first post covers not only what the exam asks, but also the kubectl environment setup that decides how you’ll spend your 2 hours. That setup is often what separates a pass from a fail.

What kind of certification is CKAD #

CKAD validates, hands-on, your ability to design, deploy, and operate applications on top of Kubernetes. The operator territory of installing the cluster itself or recovering the control plane is covered by CKA; CKAD focuses on the layer above that — the developer’s job of running apps. It checks whether you can finish tasks like these in an empty terminal within the time limit.

  • Design a multi-container Pod and place an init container and a sidecar
  • Roll out a Deployment with a rolling update and roll it back when something breaks
  • Inject a ConfigMap and a Secret as env or as a volume
  • Attach liveness and readiness probes in exactly the right format
  • Restrict container privileges with SecurityContext
  • Open communication paths with Service and NetworkPolicy

Someone who passes this exam isn’t writing manifests from memory — they can quickly combine kubectl and the official docs to produce the resource they want.

Who gets value from it #

RoleWhy
Backend / app developersProof of hands-on skill deploying on Kubernetes
DevOps / platform engineersApp-layer hands-on feel before moving on to CKA
SREValidation of speed at app deployment and troubleshooting
Cloud native migration teamsPeople who hold a standard for writing manifests

If KCNA was a conceptual intro, CKAD is your first hands-on certification. It’s the starting point of the three hands-on exams that lead into CKA and CKS, and the kubectl speed and dry-run habits you pick up here carry straight into both of those exams.

Exam structure #

The key facts about the CKAD exam are worth committing to memory.

ItemValue
FormatPerformance-based. You work on a real cluster
Number of questionsAbout 15–20 tasks
Exam time2 hours
Passing score66%
Exam fee$395 USD (includes one retake)
Validity2 years
EligibilityNone (anyone can sit)
Doc accessBrowsing the official docs at kubernetes.io/docs and similar is allowed during the exam
DeliveryOnline proctored (PSI). Remote terminal
Kubernetes versionThe latest minor version at the time you sit (confirm when booking)

The decisive difference from KCNA #

KCNA was multiple choice, so picking the concept was enough; CKAD has you create resources directly in an empty terminal and a grading script inspects the result. It’s not an exam you write from memory but one you produce, so even with the same knowledge, slow hands mean you run out of time. That’s why this series places kubectl commands and manifests alongside every concept — so you learn by typing along, not just reading.

What it means that doc access is allowed #

CKAD allows browsing the official docs during the exam, so you don’t need to memorize every YAML field. But time spent digging through the docs is exam time too, so the winning strategy is to generate the skeleton of frequently used resources instantly with a generator and use the docs only to confirm detailed fields.

The weight of the exam domains #

The CKAD scope is laid out across five domains in the official exam curriculum.

#DomainWeightSeries mapping
1Application Design and Build20%#2 , #3 , #4
2Application Deployment20%#5#10
3Application Observability and Maintenance15%#11 , #12
4Application Environment, Configuration and Security25%#13#17
5Services and Networking20%#18 , #19

The largest domain is Application Environment, Configuration and Security (25%), where ConfigMap, Secret, SecurityContext, and resource management all gather. Next come design, deployment, and networking at 20% each, with observability at 15%. The weights are your guide to how to split your study time.

Mastering the kubectl environment #

Half of CKAD is knowledge and half is speed. Doing the following setup the moment the exam starts saves tens of seconds per task.

Aliases and environment variables #

# kubectl to k
alias k=kubectl

# dry-run + YAML output to do
export do="--dry-run=client -o yaml"

# immediate deletion to now (for deleting and recreating a Pod fast)
export now="--force --grace-period=0"

With these in place, you can pull out a manifest skeleton in a single line, like k run nginx --image=nginx $do > pod.yaml. The default shell in the exam environment often already has the k alias and bash completion configured, but if it doesn’t, set it up yourself in the first minute.

# completion (extends to k as well)
source <(kubectl completion bash)
complete -o default -F __start_kubectl k

generators: don’t write empty manifests by hand #

In CKAD, anyone who writes manifests from scratch by hand loses time. For most resources, it’s faster to generate the skeleton with an imperative generator and then fix only the fields you need.

# Pod manifest skeleton
k run nginx --image=nginx $do > pod.yaml

# Deployment skeleton (with replicas)
k create deploy web --image=nginx --replicas=3 $do > deploy.yaml

# Job / CronJob skeleton
k create job pi --image=perl $do > job.yaml
k create cronjob report --image=busybox --schedule="*/5 * * * *" $do > cj.yaml

# ConfigMap / Secret
k create configmap app-config --from-literal=KEY=value $do > cm.yaml
k create secret generic app-secret --from-literal=PASSWORD=1234 $do > secret.yaml

# Service (exposing a Pod/Deployment)
k expose deploy web --port=80 --target-port=8080 $do > svc.yaml

kubectl explain: checking fields faster than the docs #

When you’re unsure of a field path, kubectl explain is often faster than opening the docs in a browser.

k explain pod.spec.containers.resources
k explain deployment.spec.strategy --recursive

vim setup: preventing YAML indentation mishaps #

When you edit manifests directly, mixing tabs and spaces causes parse errors. At the start of the exam, put the following in ~/.vimrc.

set expandtab
set tabstop=2
set shiftwidth=2
set number

Check the context switch first of all #

Each task is only graded if you solve it in the designated cluster/namespace. Making it a habit to run first the kubectl config use-context ... command given for each question prevents wrong answers.

k config use-context <the context specified in the question>
k config set-context --current --namespace=<the question's namespace>

Study strategy #

1) Don’t read — type #

Every command and manifest in this series assumes you’ll learn by typing it along yourself. Spin up a local cluster with minikube or kind, run the examples from the post as-is, and check the results. In CKAD, your score tracks how well your hands know the moves.

2) Make dry-run a default habit #

Almost every task that needs a manifest starts with k ... $do > file.yaml. Once this becomes a habit, you’ll never face a blank screen in the exam.

3) Go for partial credit #

CKAD is graded per task, and some tasks award partial credit. When you get stuck on one task, flag it and move on, then pile up sure points starting with the easy tasks — that’s the path to clearing the passing line. Time management is covered in detail in #20.

4) Save mock exams for the back half #

After one loop through this series, you’ll find a full-scale hands-on mock exam in #21. If you need more practice, the CKAD scenarios on killercoda or the killer.sh mock environment included with your exam voucher are the trustworthy benchmark.

Registration and the testing environment #

Registration steps #

  1. Buy CKAD on the Linux Foundation training portal. Waiting for one of the frequent discount events lets you buy it cheaper
  2. Make use of the two killer.sh mock exams included with your voucher. The environment is nearly identical to the real exam
  3. Book your exam date in the PSI proctoring system
  4. Pass the system compatibility check (browser, webcam, network) before the exam

Preparing for the online-proctored exam #

CKAD is an online-proctored exam in which you work in a remote terminal.

  • ID — A passport with English Romanization is safest. The name must match your registration info exactly
  • Testing environment — Clear everything off the desk, use only one screen even with dual monitors, and block family and roommates from entering
  • System check — Check in 30 minutes before the exam and close all background apps. A stable wired network is recommended

Wrap-up #

What this post locked in:

  • CKAD is the first hands-on certification from an app developer’s perspective. An exam where you create resources directly in an empty terminal
  • About 15–20 tasks / 2 hours / 66% / $395 (includes one retake) / valid 2 years. Browsing the official docs is allowed during the exam
  • Five domains — Design and Build (20%), Deployment (20%), Observability and Maintenance (15%), Environment,Configuration,Security (25%), Services and Networking (20%)
  • kubectl setup — alias k, do (dry-run), now (immediate deletion), generators, explain, vim indentation, context switching
  • Study strategy — type, don’t read. Make dry-run a default. Go for partial credit. Save mock exams for the back half

Next — Pod and Container Lifecycle #

The environment is set. Now we go into the smallest unit of CKAD: the Pod.

In #2 Pod and Container Lifecycle: Restart Policy and Container States, we’ll work through the Pod lifecycle (Pending, Running, Succeeded, Failed), how restartPolicy (Always, OnFailure, Never) affects behavior, how to read container states (Waiting, Running, Terminated) and exit codes, and the “why does this Pod keep restarting” pattern that shows up often in the exam — all by building it ourselves.

X