Certified Kubernetes Application Developer
Validates the ability to design, build, configure, and expose cloud native applications for Kubernetes. Covers application design and build using containers and multi-container patterns, deployment strategies including rolling updates and Helm, application observability and maintenance, environment configuration and security, and services and networking. The CKAD is a performance-based exam requiring hands-on task completion in a live Kubernetes environment within a 2-hour time limit.
Exam domains
- Application Environment, Configuration and Security (25%)
  - Discover and use resources that extend Kubernetes — CustomResourceDefinitions (CRDs), kubectl get crds, custom resources via kubectl, Operators (controller pattern with custom resources), OperatorHub.io, Operator Lifecycle Manager (OLM).
  - Understand authentication, authorization and admission control — authentication (X.509 certificates, ServiceAccount tokens — bound via TokenRequest API since 1.22, OIDC, webhook), authorization (RBAC primary, ABAC, Node, Webhook), admission controllers (mutating then validating webhooks, built-in admission plugins, ValidatingAdmissionPolicy CEL since 1.30 GA).
  - Understand requests, limits, quotas — resource requests for scheduling and QoS, limits for runtime caps, ResourceQuota per namespace, LimitRange for default/min/max per pod or container, eviction at limit.
  - Define resource requirements — CPU in millicores (1000m = 1 core), memory in bytes (Mi/Gi), GPU and other extended resources via DevicePlugin.
  - Understand ConfigMaps — non-sensitive key-value config, mount as volume vs envFrom, immutable: true, projected volumes.
  - Create & consume Secrets — base64 encoded, kubernetes.io/tls / dockerconfigjson / service-account-token types, encryption at rest via EncryptionConfiguration on apiserver, RBAC restrictions on secret access.
  - Understand ServiceAccounts — pod identity within cluster, automountServiceAccountToken, audience-bound projected SA tokens (1.22+), externally-bound via OIDC for IAM federation.
  - Understand Application Security — SecurityContext (runAsNonRoot, runAsUser, runAsGroup, fsGroup, capabilities add/drop, seccompProfile, seLinuxOptions, allowPrivilegeEscalation, readOnlyRootFilesystem), Pod Security Admission (privileged / baseline / restricted profiles, audit / warn / enforce modes per namespace label).
- Application Deployment (20%)
  - Use Kubernetes primitives to implement common deployment strategies (e.g. blue/green or canary) — multiple Deployments with selector-based traffic split, Service updates to swap selectors, weighted Service Mesh routing (Linkerd/Istio TrafficSplits), Argo Rollouts.
  - Understand Deployments and how to perform rolling updates — Deployment .spec.strategy.rollingUpdate.maxSurge / maxUnavailable, kubectl rollout pause / resume / undo / status, revisionHistoryLimit, progressDeadlineSeconds, pod template hash.
  - Use the Helm package manager to deploy existing packages — Helm 3 architecture (no Tiller), helm install / upgrade / rollback / uninstall, Chart.yaml, values.yaml override hierarchy (default values < -f file < --set), repository management (helm repo add / update).
  - Kustomize — kustomize build / kubectl apply -k, kustomization.yaml, base + overlays, patches (strategic merge, JSON 6902), components, generators (configMapGenerator, secretGenerator), namespacing, name prefixes/suffixes.
Sources
Questions are grounded in 100 references from official and authoritative materials.