✍️ 필사 모드: The Complete Golden Kubestronaut Roadmap — Conquering All 16 CNCF Certifications (With Per-Cert Study Content, 2026)

Prologue — Kubestronaut, and the Golden tier above it

The Kubestronaut program from the CNCF (Cloud Native Computing Foundation) is the ultimate track for cloud native certifications.

• Kubestronaut — someone who has earned all 5 core Kubernetes certifications. You get a slick jacket and a community badge.
• Golden Kubestronaut — someone who has earned every CNCF certification plus LFCS. The top tier, introduced in April 2025. A title held for life.

Why do this? Honestly:

• Certifications don't prove skill. But they do force you to systematically sweep the entire cloud native ecosystem.
• The hands-on exams for CKA/CKAD/CKS really make you use your hands. You can't pass by memorizing.
• They're a clear signal in hiring, contracts, and promotions. Especially for DevOps and platform engineers.
• Above all — you get an excuse to go deep on Prometheus, Istio, Cilium, Argo, and OpenTelemetry individually. Normally you won't.

This post breaks down all 16 exams one by one. Format, domains, study content, difficulty, tips. In as much detail as possible.

Note: CNCF keeps adding new certifications. The Golden Kubestronaut requirements get updated accordingly. This post is current as of May 2026 — it includes CNPA (added October 2025) and CNPE (a requirement from March 2026). Always check the official page for the latest requirements before you sit an exam.

Chapter 1 · Two tiers — 5 vs 16

Kubestronaut — the Kubernetes 5

Golden Kubestronaut — the 5 above plus the 11 below

Total: 15 CNCF certifications plus LFCS = 16. Pass all of them and you are a Golden Kubestronaut.

Chapter 2 · The two exam formats — this difference is everything

CNCF exams come in exactly two kinds. The preparation strategy is completely different for each.

Performance-based (hands-on) — CKA, CKAD, CKS, CNPE, LFCS

• You work with real Kubernetes clusters and Linux systems in an actual terminal.
• 2 hours. You solve multiple practical tasks.
• You absolutely cannot pass by memorizing. You have to make kubectl second nature.
• CKA/CKAD/CKS include one free retake in the exam fee.
• Passing score: typically around 66% for CKA/CKS and 66% for CKAD (verify against the official criteria).

Multiple-choice — KCNA, KCSA, PCA, ICA, CCA, CAPA, CGOA, CBA, OTCA, KCA, CNPA

• Multiple choice. KCNA is 90 minutes.
• Concept-, architecture-, and terminology-focused. No hands-on labs.
• Relatively quick to earn — the "volume" part of Golden Kubestronaut.
• Still, having actually used the project gives you an overwhelming advantage.

The core of the strategy: the 5 hands-on certs need time and hands. The 11 multiple-choice certs need breadth of knowledge. You interleave the two to build your schedule (Chapter 8).

Chapter 3 · The recommended study order — the roadmap

Order matters. The easy ones become the foundation for the hard ones.

[Stage 1 · Foundation]   KCNA -> KCSA
                  (multiple-choice; draw the whole ecosystem map)
        |
        v
[Stage 2 · Hands-on core]  CKAD -> CKA -> CKS
                  (CKS requires passing CKA first; make kubectl second nature)
        |
        v
[Stage 3 · Project group]  CGOA -> CAPA -> PCA -> OTCA -> KCA -> CBA -> ICA -> CCA
                  (multiple-choice; layer on top of the K8s knowledge from Stage 2)
        |
        v
[Stage 4 · Platform and Linux]  LFCS -> CNPA -> CNPE
                  (LFCS is hands-on Linux; CNPE is hands-on platform engineering)

• KCNA first — draw the whole ecosystem map up front. It becomes the context for every other exam.
• CKAD before CKA is often recommended — the scope is narrower and the entry is smoother. (There's a counterargument too — CKA is more fundamental, so do it first. It depends on your background.)
• CKS only after passing CKA — that's the official prerequisite.
• The project group comes after Stage 2 — you need to know Kubernetes for Istio, Cilium, and Argo to make sense.

Chapter 4 · The Kubernetes 5 — domains and study content

KCNA — Kubernetes and Cloud Native Associate

• Format: multiple-choice, 90 minutes. Difficulty: entry-level.
• Domains: Kubernetes Fundamentals 46%, Container Orchestration 22%, Cloud Native Architecture 16%, Cloud Native Observability 8%, Cloud Native Application Delivery 8%.
• Study content: core objects like Pod, Deployment, Service, and Namespace; container runtimes and OCI; scheduling basics; cloud native architecture (microservices, autoscaling, 12-factor); the three observability pillars (metrics, logs, traces) as concepts; CI/CD, GitOps, and Helm concepts.
• Tip: the starting point of the whole journey. Nail the ecosystem terminology here and everything else gets easier.

KCSA — Kubernetes and Cloud Native Security Associate

• Format: multiple-choice. Difficulty: entry to intermediate.
• Study content: the Kubernetes security 4C (Cloud, Cluster, Container, Code); threat models; RBAC concepts; Pod Security Standards; network policy concepts; supply chain security; etcd and API server security; the authentication and authorization flow.
• Tip: the "concept edition" of CKS. Use KCSA to grab the security vocabulary, then implement it by hand in CKS.

CKAD — Certified Kubernetes Application Developer

• Format: hands-on, 2 hours. Difficulty: intermediate.
• Study content: application design and build (multi-container Pod patterns, init containers, Job/CronJob); deployment (Deployment rolling updates and rollbacks, Helm basics); configuration (ConfigMap and Secret, SecurityContext, ServiceAccount, resource requests/limits); observability (probes — liveness, readiness, startup; logs and debugging); networking and storage (Service, NetworkPolicy basics, PV/PVC).
• Tip: the developer's perspective. The ability to "run apps on top of K8s." The scope is narrower than CKA, which makes it a good entry point.

CKA — Certified Kubernetes Administrator

• Format: hands-on, 2 hours. Difficulty: intermediate to advanced.
• Study content: cluster architecture, installation, and configuration (building a cluster with kubeadm, upgrades, etcd backup and restore); workloads and scheduling; services and networking (CNI, CoreDNS, Ingress, Gateway API); storage (StorageClass, PV/PVC dynamic provisioning); troubleshooting (node, control plane, and app failures, log analysis) — troubleshooting carries a large weight.
• Tip: the most "fundamental" certification. etcd backup/restore and cluster upgrades will almost certainly appear. Make them second nature.

CKS — Certified Kubernetes Security Specialist

• Format: hands-on, 2 hours. Prerequisite: passing CKA. Difficulty: advanced.
• Study content: cluster setup hardening (CIS benchmarks, kube-bench); system hardening (least privilege, AppArmor and seccomp); minimizing microservice vulnerabilities (Pod Security Standards, OPA/Gatekeeper and Kyverno, mTLS); supply chain security (image scanning, SBOM, image signing); runtime security and monitoring (Falco, audit logs, behavioral analytics).
• Tip: the hardest one. There are a lot of tools (Falco, Trivy, kube-bench, AppArmor). You have to actually run each tool.

Chapter 5 · The project certification group — 8 certs (all multiple-choice)

Certifications tied to individual CNCF graduated and incubating projects. They're all multiple-choice, so you can collect them quickly.

PCA — Prometheus Certified Associate

• Project: Prometheus (metrics and monitoring).
• Study content: Prometheus architecture (scraping, TSDB, pull model); PromQL (selectors, functions, aggregation — the most important part); exporters and instrumentation; alerting (Alertmanager, routing and inhibition); service discovery; recording rules.

ICA — Istio Certified Associate

• Project: Istio (service mesh).
• Study content: mesh architecture (the Envoy data plane, the istiod control plane, sidecar vs ambient mode); traffic management (VirtualService, DestinationRule, canary and mirroring); security (mTLS, AuthorizationPolicy, PeerAuthentication); observability (distributed tracing, metrics).

CCA — Cilium Certified Associate

• Project: Cilium (eBPF-based networking and security).
• Study content: eBPF fundamentals; Cilium architecture; Cilium as a CNI; network policy (L3/L4/L7); observability with Hubble; cluster mesh; load balancing and kube-proxy replacement.

CAPA — Certified Argo Project Associate

• Project: Argo (CD, Workflows, Rollouts, Events).
• Study content: Argo CD (GitOps sync, App of Apps, sync waves); Argo Workflows (DAG and step workflows); Argo Rollouts (canary and blue-green, analysis); Argo Events (event-driven triggers).

CGOA — GitOps Certified Associate

• Project: GitOps principles (a methodology, not a specific tool).
• Study content: the 4 GitOps principles (declarative; versioned and immutable; pulled automatically; continuously reconciled); push vs pull models; drift detection and self-healing; where tools like Flux and Argo CD fit; secret management.

CBA — Certified Backstage Associate

• Project: Backstage (developer portal).
• Study content: developer portal concepts; the Software Catalog (the entity model — Component, API, System); Software Templates (scaffolding); TechDocs; the plugin architecture; deploying Backstage.

OTCA — OpenTelemetry Certified Associate

• Project: OpenTelemetry (the observability standard).
• Study content: the three observability pillars (traces, metrics, logs) and OTel's unified model; instrumentation (automatic vs manual); the OpenTelemetry Collector (the receiver, processor, exporter pipeline); context propagation; semantic conventions; the OTLP protocol.

KCA — Kyverno Certified Associate

• Project: Kyverno (policy engine).
• Study content: the Policy as Code concept; Kyverno policy types (validate, mutate, generate, verifyImages); how it works as an admission controller; ClusterPolicy vs Policy; policy exceptions; a comparison with CKS's OPA/Gatekeeper.

Study efficiency tip: these 8 have huge synergy if you binge them right after finishing Stage 2 (CKA/CKAD/CKS). Once you know the K8s object model, Istio's CRDs, Argo's CRDs, and Kyverno's policies all read with the same pattern.

Chapter 6 · Platform engineering plus Linux — CNPA, CNPE, LFCS

LFCS — Linux Foundation Certified System Administrator

• Format: hands-on. Study content: general Linux operations — filesystems and storage, users and permissions, processes and services (systemd), networking, package management, shell scripting, basic security.
• Tip: it's not a CNCF certification, but it's a Golden requirement. It's also the base fitness for the K8s hands-on exams. vim, bash, grep, and sed become second nature.

CNPA — Cloud Native Platform Engineering Associate

• Format: multiple-choice. Added: a Golden requirement from October 15, 2025.
• Study content: platform engineering concepts; the internal developer platform (IDP); the golden path; developer experience (DevEx); self-service infrastructure; the platform-as-a-product mindset.

CNPE — Certified Cloud Native Platform Engineer

• Format: hands-on. Requirement date: a Golden requirement from March 1, 2026.
• Study content: the ability to actually build and operate an internal developer platform — weaving together multiple CNCF tools (Argo, Backstage, an observability stack, and so on) to create a self-service platform. It has the character of a capstone for all the preceding certifications.
• Tip: do it last, at the very end. It's an exam about assembling tools you learned in the other certifications, so it's natural to put it at the end.

Chapter 7 · Hands-on exam tactics

CKA, CKAD, CKS, CNPE, LFCS — the 5 hands-on certs require a distinct skill set.

Getting comfortable with the environment

• kubectl alias: the moment the exam starts, run alias k=kubectl. It saves finger time.
• Autocompletion: source <(kubectl completion bash).
• kubectl explain: when you can't remember the field structure, run kubectl explain pod.spec.containers. You don't have to leave the documentation.
• Official docs allowed: you can view kubernetes.io/docs during the exam. But if you rely on search, you'll run out of time. Memorize the things you use often.

Speed strategy

• --dry-run=client -o yaml: don't type objects from scratch. Generate a YAML skeleton with k run or k create, then edit it.
• Time allocation: start with the high-point questions. If you get stuck, flag it and move on — don't get bogged down in a single question.
• Context switching: each question may be a different cluster. For every question, always run first the given kubectl config use-context command.
• Verification: after you build an answer, check whether it actually works with k get and k describe. There is partial credit.

Practice environments

• killer.sh — the simulator included in the CKA/CKAD/CKS exam fee. It's harder than the actual exam. You can run it twice.
• Local clusters — break and fix things yourself with kind, minikube, and k3d.
• Killer practice: etcd backup/restore, cluster upgrades, reviving a broken node — CKA regulars. Practice until they're second nature.

Minimal vim survival skills

The hands-on exams will have you using vim. At a minimum:

• YAML indentation: :set expandtab tabstop=2 shiftwidth=2
• Multi-line indentation with visual block, substitution with :%s, and dd/yy/p.

Chapter 8 · Cost and schedule management

A sense of the cost

• CKA, CKAD, CKS: around 395 USD each (one free retake included).
• KCNA, KCSA, and the project multiple-choice exams: around 250 USD each.
• LFCS: hands-on, priced separately.
• All 16 together is a substantial amount. That said, CNCF frequently releases bundles, sales, and vouchers. Watch for the Kubestronaut/Golden bundles. KubeCon-season discounts are common too.
• Certifications typically have a validity period (usually 2 to 3 years, varying by certification). The Golden Kubestronaut title itself is for life, but check the renewal policy for the individual certifications.

Building the schedule — interleave hands-on and multiple-choice

The key to avoiding burnout: alternate heavy hands-on exams with light multiple-choice ones.

Example pace (adjust to your own circumstances):
  Month 1   KCNA + KCSA           (multiple-choice, warmup)
  Month 2-3 CKAD -> CKA           (hands-on, focus)
  Month 4   CGOA + CAPA + PCA     (multiple-choice, recovery + volume)
  Month 5   CKS                   (hands-on, hardest)
  Month 6   OTCA + KCA + CBA      (multiple-choice)
  Month 7   ICA + CCA + CNPA      (multiple-choice)
  Month 8   LFCS -> CNPE          (hands-on, capstone)

• Multiple-choice right after hands-on for recovery.
• CKS only after CKA is well settled — don't go straight from one to the other.
• CNPE at the very end — assemble after you've learned all the other tools.
• Don't try to do it all at once. A 6-to-12-month pace is realistic.

When you fail

The hands-on exams include a retake. Failing is normal. Note what was lacking — usually "speed on a specific task" or "unfamiliarity with a specific tool" — and after focused practice on just that part, retake it.

Epilogue — not a certification, but a journey

The real value of Golden Kubestronaut isn't the jacket. It's that you systematically and exhaustively sweep the entire cloud native ecosystem — from the Kubernetes core to Prometheus, Istio, Cilium, Argo, OpenTelemetry, Backstage, and Kyverno.

Normally you won't. You put it off — "someday I'll go deep on Cilium," "I should try Backstage sometime." The certification is the forcing mechanism that ends the procrastination. And the 5 hands-on certs — the exams you can't pass by memorizing — actually make you use your hands.

In order, interleaving hands-on and multiple-choice, over 6 to 12 months. When you finish, what's left is not 16 certifications but a mental model of the entire cloud native domain. That's the real reward.

Study checklist

1. Did you draw the whole ecosystem map first with KCNA?
2. Did you build your schedule by separating the 5 hands-on certs (CKA, CKAD, CKS, CNPE, LFCS) from the 11 multiple-choice certs?
3. Are the kubectl alias, autocompletion, and --dry-run second nature?
4. Have you done etcd backup/restore and cluster upgrades yourself?
5. Did you run the killer.sh simulator?
6. Did you pass CKA before CKS (the prerequisite)?
7. Did you place the 8 project certs right after CKA/CKAD/CKS?
8. Did you alternate hands-on and multiple-choice to avoid burnout?
9. Did you check for CNCF bundles, vouchers, and KubeCon discounts?
10. Did you check each certification's validity period and renewal policy?

7 anti-patterns

1. Jumping straight to CKA without KCNA — you flounder with no ecosystem context.
2. Preparing for hands-on exams "by memorizing" — it absolutely doesn't work.
3. Getting bogged down in one question during the exam — flag it and move on.
4. Not running the context-switch command for each question — you work on the wrong cluster.
5. Doing only hands-on back to back — burnout. Recover with multiple-choice.
6. Attempting CKS while still shaky on CKA — too many tools, and you collapse.
7. Paying full price only — missing bundles and sales is a big loss.

Next post preview

Candidates for the next post: A CKA exam hands-on walkthrough — from etcd backup to cluster upgrades, A complete roundup of CKS tools — hands-on with Falco, Trivy, kube-bench, OPA, and Kyverno, Building an internal developer platform for CNPE — Backstage plus Argo plus an observability stack.

"A certification is not a destination but a curriculum. The reward of Golden Kubestronaut is not the title, but the entire ecosystem you're forced to learn along the way."

— The Complete Golden Kubestronaut Roadmap, end.