💡 왼쪽 원문을 읽으면서 오른쪽에 따라 써보세요. Tab 키로 힌트를 받을 수 있습니다.

원문 렌더가 준비되기 전까지 텍스트 가이드로 표시합니다.

Intro — In May 2026, Kubestronaut has become the cloud-native diploma

The Kubestronaut program, first announced at KubeCon Paris in January 2024, has crossed **20,000 holders** worldwide as of May 2026. The title — awarded only to people who simultaneously hold valid CKA, CKAD, CKS, KCNA and KCSA certifications — has gone from "a cool patch" to a line item on senior SRE and platform engineering job posts in barely two years.

On top of that, the **Golden Kubestronaut** track (holding every active CNCF certification at once) introduced in late 2025, plus the six-plus associate exams that now exist, has turned cloud-native certification into a proper ladder. This post is not a marketing page — it covers actual exam environments, question patterns, prep hours, and salary impact honestly.

Kubestronaut at a glance — what, why, how

The Kubestronaut title is granted when you hold the five core CNCF certifications, run by the CNCF and proctored by the Linux Foundation, **valid at the same time**. Each cert has a typical two-year validity, and as of May 2026 every exam is delivered via PSI Bridge under online proctoring.

- **CKA** — Certified Kubernetes Administrator. Cluster operator track.

- **CKAD** — Certified Kubernetes Application Developer. Workload author track.

- **CKS** — Certified Kubernetes Security Specialist. Security track. CKA is a prerequisite.

- **KCNA** — Kubernetes and Cloud Native Associate. Entry track.

- **KCSA** — Kubernetes and Cloud Native Security Associate. Entry security track.

Kubestronauts get one free CNCF exam voucher per year, a limited-edition jacket and patch, hall-of-fame listing on the Linux Foundation site, and access to a dedicated lounge at CNCF events. The free voucher is effectively a **600 USD per year benefit**, so this is more than a vanity title.

The ladder — Associate, Professional, Specialty

CNCF certifications are organized into three tiers.

1. **Associate**: KCNA, KCSA, PCA (Prometheus), ICA (Istio), CAPA (Cilium), OTCA (OpenTelemetry), CGOA (Argo). 90 minutes, multiple choice, 75% to pass.

2. **Professional**: CKA, CKAD, CKS. Two hours, hands-on terminal. Passing score 66% for CKA/CKAD, 67% for CKS.

3. **Specialty**: CCSCA (Certified Cloud Security Specialist) and other senior tracks added in 2026.

The table below is the cleanest summary.

| ---- | ---- | ---- | ------ | ---- | --------- |

| KCNA | Associate | 90 min | 60 MC | 75% | 250 |

| KCSA | Associate | 90 min | 60 MC | 75% | 250 |

| PCA | Associate | 90 min | 60 MC | 75% | 250 |

| ICA | Associate | 90 min | 60 MC | 75% | 250 |

| CAPA | Associate | 90 min | 60 MC | 75% | 250 |

| OTCA | Associate | 90 min | 60 MC | 75% | 250 |

| CGOA | Associate | 90 min | 60 MC | 75% | 250 |

| CKAD | Pro | 2 hr | Hands-on terminal | 66% | 445 |

| CKA | Pro | 2 hr | Hands-on terminal | 66% | 445 |

| CKS | Pro | 2 hr | Hands-on terminal | 67% | 445 |

| CCSCA | Specialty | 2 hr | Hands-on terminal | 67% | 545 |

Fees are list price. Around KubeCon and Black Friday, 40-50% discount coupons go out, and Linux Foundation bundles (one exam plus training course) land around 595 USD.

KCNA — the ABCs of cloud native

KCNA starts from "why use Kubernetes at all". Domain weighting is:

- **Kubernetes Fundamentals 46%**: control plane, workloads, scheduling, services and networking.

- **Container Orchestration 22%**: runtimes, security, networking.

- **Cloud Native Architecture 16%**: autonomy, resilience, microservices, serverless.

- **Cloud Native Observability 8%**: metrics vs logs vs traces.

- **Cloud Native Application Delivery 8%**: GitOps, CI/CD.

A typical KCNA question is conceptual: "Which of the following best describes the sidecar pattern?" There are no hands-on tasks, so the CNCF free docs plus 12-16 hours of KodeKloud video usually clears it. KCNA's real value is less the certificate itself and more that it forces you to standardize vocabulary before CKA.

KCSA — Cloud-native security entry exam

KCSA was added in late 2023 as the entry-level security exam. Its domains are:

- **Overview of Cloud Native Security 14%**: the 4C model (Cloud, Cluster, Container, Code).

- **Kubernetes Cluster Component Security 22%**: API server, etcd, kubelet, kube-proxy hardening.

- **Kubernetes Security Fundamentals 22%**: RBAC, Pod Security Standards, Network Policy, Secrets.

- **Kubernetes Threat Model 16%**: attack surface analysis.

- **Platform Security 16%**: supply chain, image signing, policy engines.

- **Compliance and Security Frameworks 10%**: NIST 800-190, MITRE ATT&CK for Containers.

Think of KCSA as roughly "half of CKS". CKS is hands-on whereas KCSA is multiple choice, which makes it the right warmup. It's the second associate I recommend after KCNA.

CKA — the classic operator track

CKA is the oldest exam in the family. The September 2024 V1.31 refresh shifted the weighting to:

- **Cluster Architecture, Installation and Configuration 25%**

- **Workloads and Scheduling 15%**

- **Services and Networking 20%**

- **Storage 10%**

- **Troubleshooting 30%**

That **30% troubleshooting** is the heart of the exam. Recurring scenarios:

- A node is NotReady. Diagnose and recover. (kubelet service, kubeconfig path, container runtime.)

- A Pod is Pending. (Taint/Toleration, node selectors, resource shortage.)

- A Service refuses connections. (Endpoints, kube-proxy iptables, NetworkPolicy.)

- etcd backup and restore. (`etcdctl snapshot save/restore`.)

The standard CKA skill set looks like this.

alias k=kubectl

export do='--dry-run=client -o yaml'

export now='--grace-period=0 --force'

k create deployment web --image=nginx:1.27 --replicas=3 $do > web.yaml

k apply -f web.yaml

k get pods -A -o wide --sort-by=.spec.nodeName

k describe pod failing-pod | sed -n '/Events/,$p'

k drain node-2 --ignore-daemonsets --delete-emptydir-data

sudo systemctl status kubelet

sudo journalctl -u kubelet -n 200 --no-pager

The `alias k=kubectl` and `export do='--dry-run=client -o yaml'` macros are the canonical time-savers. You have to clear 15-20 questions in two hours, so finger automation decides whether you pass.

CKAD — the application developer track

CKAD pivots away from cluster ops and toward **building and shipping workloads**. As of May 2026 the domains are:

- **Application Design and Build 20%**: Job, CronJob, init containers, multi-container patterns.

- **Application Deployment 20%**: Deployment strategies, Helm, Kustomize.

- **Application Observability and Maintenance 15%**: probes, logging, monitoring.

- **Application Environment, Configuration and Security 25%**: ConfigMap, Secret, SecurityContext, ServiceAccount.

- **Services and Networking 20%**: Service, Ingress, NetworkPolicy.

The typical CKAD workflow is: scaffold a Pod YAML via dry-run, then edit fields quickly.

apiVersion: v1

kind: Pod

metadata:

labels:

app: web

spec:

containers:

- name: web

image: nginx:1.27

ports:

- containerPort: 80

readinessProbe:

httpGet:

path: /

port: 80

initialDelaySeconds: 3

periodSeconds: 5

livenessProbe:

httpGet:

path: /

port: 80

initialDelaySeconds: 10

periodSeconds: 10

resources:

requests:

cpu: 100m

memory: 128Mi

limits:

cpu: 500m

memory: 256Mi

If CKA is "rescue the cluster", CKAD is "ship a well-behaved workload".

CKS — the security track, hardest of the five

CKS requires CKA as a prerequisite. The late-2024 V1.30 curriculum domains are:

- **Cluster Setup 10%**: CIS Benchmark, kubelet hardening, kube-apiserver flags.

- **Cluster Hardening 15%**: least-privilege RBAC, ServiceAccount.

- **System Hardening 10%**: host OS, AppArmor, seccomp.

- **Minimize Microservice Vulnerabilities 20%**: Pod Security Standards, sandboxing (gVisor, Kata Containers), Secrets.

- **Supply Chain Security 20%**: image verification, Cosign, SBOMs, admission controllers.

- **Monitoring, Logging and Runtime Security 20%**: Falco, audit logging.

A canonical CKS scenario: "Attach a gVisor RuntimeClass to the Pod below and add a NetworkPolicy that denies all egress except to a PostgreSQL backend."

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

namespace: payments

spec:

podSelector: {}

policyTypes:

- Egress

egress:

- to:

- namespaceSelector:

matchLabels:

tier: data

ports:

- protocol: TCP

port: 5432

apiVersion: node.k8s.io/v1

kind: RuntimeClass

metadata:

handler: runsc

apiVersion: v1

kind: Pod

metadata:

spec:

runtimeClassName: gvisor

containers:

- name: app

image: registry.internal/untrusted/app:1.0

Add "now write a Falco rule that fires on it" and the question is complete. The Falco DSL skeleton looks like this.

- rule: Shell in Container

desc: Detect interactive shell spawn inside container

condition: >

spawned_process and container and

proc.name in (bash, sh, zsh)

output: >

Interactive shell launched in container

(user=%user.name container=%container.id image=%container.image.repository)

priority: WARNING

tags: [container, shell, mitre_execution]

CKS is not a memorization exam — you need to have **actually written Pod Security Standards, Network Policies and Falco rules on a blank page**. Average prep time is 80-120 hours.

The associate ladder — PCA, ICA, CAPA, OTCA, CGOA, CCSCA

Across 2025 and 2026, CNCF added an associate certification per graduated project.

- **PCA (Prometheus Certified Associate)**: PromQL, recording rules, alerting rules, exporters, federation, remote_write.

- **ICA (Istio Certified Associate)**: VirtualService, DestinationRule, Gateway, AuthorizationPolicy, mTLS, telemetry v2.

- **CAPA (Cilium Associate)**: eBPF datapath, CiliumNetworkPolicy, Hubble, ClusterMesh.

- **OTCA (OpenTelemetry Certified Associate)**: SDK, Collector, exporters, OTLP, trace/metric/log signals.

- **CGOA (Argo Certified Associate)**: Argo Workflows, Events, Rollouts, CD; GitOps patterns.

- **CCSCA (Certified Cloud Security Specialist)**: 2026 hands-on security specialty. CKS's senior counterpart.

All associate exams share the same shape — 60 multiple choice, 90 minutes, 75% to pass. If you've used the tool in production for at least a quarter, 30-50 hours of prep lands you at the passing line.

Golden Kubestronaut — every CNCF cert at once

Golden Kubestronaut is awarded to anyone holding the five Kubestronaut certs, six-plus associates, plus the Linux Foundation LFCS/LFCT — **every active CNCF-adjacent certification at once**. As of May 2026 the global count is under 200.

Additional perks include:

- Gold jacket and a separate patch.

- VIP seating at KubeCon main keynotes.

- Automatic CNCF Ambassador nomination.

- Free vouchers for every cert each year.

Golden Kubestronaut is more about **signalling within the cloud-native ecosystem** than practical value. For senior SRE and platform engineering hires at large firms, it's a fast indicator that "this person genuinely goes deep".

Exam environment — PSI Bridge, ID checks, the whiteboard rule

In late 2024 Linux Foundation migrated all CNCF exams from ExamsLocal to **PSI Bridge**. As of May 2026 every CNCF exam runs on PSI Bridge with these rules:

- Check-in opens 15 minutes before start. One government-issued photo ID is mandatory (passport recommended).

- During the exam the desk may hold only a computer, keyboard, mouse and one glass of water. No paper, no pens.

- A whiteboard is built into the exam UI — that's where your notes go.

- A 360-degree room scan with the camera is required. Looking away from the screen or audible background noise triggers a warning or disqualification.

- The only external content allowed is **kubernetes.io, kubernetes.io/blog, and github.com/kubernetes**, in a single browser tab, plus the docs search inside the exam UI.

Plenty of candidates miss the one-tab rule. Opening a new tab or window mid-exam is immediate disqualification. **Train ahead of time to keep the kubectl reference, the official cheat sheet and docs search within that one tab.**

Exam tips — clearing 17 questions in two hours

CKA, CKAD and CKS are all hands-on terminal exams, so time allocation decides outcomes.

- **First 5 minutes**: skim every question and flag the high-value, low-effort ones. Each question's weight is shown as a percentage on the right.

- **Aliases (10 seconds)**: `alias k=kubectl`, `export do='--dry-run=client -o yaml'`, `export now='--grace-period=0 --force'`, `source <(kubectl completion bash)`.

- **vimrc (20 seconds)**: `~/.vimrc` with `set ts=2 sw=2 et ai`. Broken YAML indentation invalidates the answer.

- **Use kubectl explain**: if you can't recall an API field, run `kubectl explain pod.spec.containers --recursive`.

- **Context switch commands**: every task displays a context-switch command at the top. Running commands on the wrong cluster scores zero.

- **Double-check at the end**: even after submitting, verify each answer twice. For CKS, write the verification command that proves the policy actually fires.

CKA usually has 17-20 tasks, CKAD 14-17, CKS 15-18. To stay safe you need to finish each task in 5-9 minutes.

Study material — Killer Shell, KodeKloud, A Cloud Guru, LF Training

As of May 2026 the most cost-effective combination is the following stack.

- **Linux Foundation Training**: the official course. One exam plus the bundled training is roughly 595 USD. Pacing is gentle but it covers every domain.

- **KodeKloud**: highest praise across Korea, India and the US. Mumshad Mannambeth's course is effectively the de facto industry standard.

- **Killer Shell**: simulator provided free with every Linux Foundation exam registration. About 1.3x harder than the real thing.

- **A Cloud Guru / Pluralsight**: video first. Better for KCNA and KCSA than for CKA.

- **CNCF Curriculum repository**: the official domain PDF. Updated quarterly.

- **udemy "CKA with Practice Tests"**: the Udemy version of the same KodeKloud course — same content, cheaper.

Recommended flow: KodeKloud for concepts, the official CNCF PDF to gap-check, then two passes of Killer Shell. People who hit 80% on Killer Shell almost always clear the real exam.

Prep hour guide — first year vs fifth year

Realistic prep ranges based on field experience look like this.

| ---- | ------ | ------ | ------ | ----- |

| KCNA | 30-50h | 12-20h | 6-12h | concept review |

| KCSA | 40-60h | 20-30h | 12-20h | halve it with prior security work |

| CKAD | 80-120h | 40-70h | 25-40h | includes dry-run + Kustomize practice |

| CKA | 120-160h | 70-100h | 40-60h | real-cluster troubleshooting time |

| CKS | 100-140h | 70-100h | 50-80h | Falco/OPA/Trivy labs included |

| PCA | 40-60h | 20-30h | 12-20h | PromQL is the core |

| ICA | 60-80h | 30-50h | 20-30h | mTLS and traffic management labs |

| CAPA | 60-80h | 30-50h | 20-30h | eBPF concepts + CiliumNetworkPolicy |

| OTCA | 50-70h | 25-40h | 15-25h | Collector configuration labs |

| CGOA | 50-70h | 25-40h | 15-25h | Argo CD / Rollouts labs |

Hours combine lab time, video and mocks. Video alone does not build the muscle memory needed in the terminal.

Korean community — KCD Seoul, Kubernetes Korea User Group

Roughly 380 Kubestronauts are based in Korea as of May 2026. Anchor communities:

- **Kubernetes Korea User Group (K8s Korea)**: facebook.com/groups/k8skr, around 17,000 members, monthly meetups.

- **KCD Seoul**: the Seoul edition of the official CNCF KCD series. November 2025 drew 1,400 attendees.

- **CNCG Seoul/Busan**: regional chapters in Busan and Daejeon. Lively exam-postmortem chats.

- **OpenInfra Day Korea**: broader infra event but with a sizable K8s/CNCF track.

- **NHN Forward, AWS Community Day, Naver DEVIEW**: enterprise conferences with Kubernetes tracks.

- **inflearn / fastcampus**: domestic Korean-language video courses. A useful entry point if KodeKloud English is a hurdle.

K8s Korea's Slack has a channel dedicated to within-24-hour postmortems after sittings. Members share difficulty and domain trends without breaking NDA on actual questions.

Japanese community — CNDT, KCD Tokyo, JKD

Japan has been running CloudNative Days Tokyo (CNDT) since 2018, roughly 1-2 years ahead of Korea's cloud-native conference scene.

- **Cloud Native Days Tokyo / Summer (CNDT/CNDS)**: every autumn and summer. CNDT 2024 drew 2,800 attendees.

- **KCD Tokyo**: first held in 2024 as part of the official CNCF KCD series.

- **Japan Container Days (JKD)**: predecessor of CNDT, still alive as a sub-event.

- **Cloud Native Community Japan (CNCJ)**: the umbrella organization. The `#cncj` Slack channel is active.

- **OpenStack Days Tokyo**: where the Kubernetes track now dominates.

The Japanese market has a large SIer footprint, so Kubestronaut holders quickly become the internal Kubernetes champion. SoftBank, LINE, CyberAgent, ZOZO, Yahoo Japan and Rakuten all subsidize cert costs as part of in-house learning budgets, with full reimbursement on pass.

Salary impact — how much does Kubestronaut move your pay

A certification alone does not set your salary. That said, the data consistently shows holders earn **12-22% more than equivalent non-holders**.

| Market | 1-3 yr | 4-7 yr | 8+ yr | Source |

| ------ | ------ | ------ | ----- | ------ |

The 2024 CNCF Survey reports that **67% of Kubestronaut holders received a raise or new job within 12 months** of certification. Self-selection probably inflates that number, so treat the +12-22% range as the safer anchor.

kubectl workflow — finger automation that wins the exam

In hands-on exams, what separates a pass from a fail is **how fast you produce a working answer**. Memorize these patterns until they're automatic.

Pod / Deployment / Service / Ingress scaffolds

k run nginx --image=nginx:1.27 --port=80 $do > pod.yaml

k create deployment api --image=api:1.0 --replicas=3 --port=8080 $do > deploy.yaml

k expose deployment api --port=80 --target-port=8080 --type=ClusterIP $do > svc.yaml

k create ingress api --rule="api.example.com/*=api:80" $do > ing.yaml

Job / CronJob

k create job hello --image=busybox:1.36 -- /bin/sh -c "echo hi; sleep 5" $do > job.yaml

k create cronjob nightly --image=busybox:1.36 --schedule="0 2 * * *" -- /bin/sh -c "echo nightly" $do > cron.yaml

ConfigMap / Secret

k create configmap app-cfg --from-literal=ENV=prod --from-file=app.properties $do > cm.yaml

k create secret generic db-cred --from-literal=DB_USER=app --from-literal=DB_PASS=pa55w0rd $do > secret.yaml

RBAC

k create serviceaccount deployer -n ci

k create clusterrole reader --verb=get,list,watch --resource=pods,deployments $do > role.yaml

k create clusterrolebinding deployer-reader --clusterrole=reader --serviceaccount=ci:deployer $do > rb.yaml

Combine these with the `do` and `now` environment variables, `kubectl explain` and `kubectl get -o jsonpath`, and roughly 90% of answers will flow out of your fingers.

Helm, Kustomize and GitOps — beyond CKAD

The exam is kubectl-centric but production isn't. Helm, Kustomize and Argo CD/Flux are taking up more and more space across the CNCF certification ladder.

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1

kind: Kustomization

namespace: prod

commonLabels:

app: payments

env: prod

resources:

- ../../base

patches:

- target:

kind: Deployment

patch: |-

- op: replace

path: /spec/replicas

value: 8

- op: replace

path: /spec/template/spec/containers/0/image

value: registry.internal/payments:1.42.0

images:

- name: payments

newTag: 1.42.0

configMapGenerator:

- name: payments-cfg

literals:

- ENV=prod

- REGION=apne2

Helm basics

helm repo add bitnami https://charts.bitnami.com/bitnami

helm repo update

helm install pg bitnami/postgresql --version 15.5.20 -n data --create-namespace \

--set auth.username=app --set auth.password=pa55w0rd

Argo CD App definition (declarative GitOps)

kubectl apply -n argocd -f - <<'YAML'

apiVersion: argoproj.io/v1alpha1

kind: Application

metadata:

namespace: argocd

spec:

project: default

source:

repoURL: https://github.com/org/payments.git

path: deploy/overlays/prod

targetRevision: main

destination:

server: https://kubernetes.default.svc

namespace: prod

syncPolicy:

automated:

prune: true

selfHeal: true

YAML

CKAD doesn't drill deep on Helm or Kustomize, but **CGOA (Argo)**, **OTCA** and any senior production role require them.

Security tooling — Falco, OPA Gatekeeper, Kyverno, Trivy

CKS leans heavily on four tools:

- **Falco**: runtime intrusion detection on eBPF-monitored syscalls.

- **OPA Gatekeeper**: Rego-based admission policies.

- **Kyverno**: YAML-friendly admission policies. Easier to read for non-Rego users.

- **Trivy**: image, IaC and SBOM scanning. From Aqua Security.

A short Kyverno policy looks like this.

apiVersion: kyverno.io/v1

kind: ClusterPolicy

metadata:

spec:

validationFailureAction: Enforce

background: true

rules:

- name: check-runAsNonRoot

match:

any:

- resources:

kinds: ["Pod"]

validate:

message: "Pods must set runAsNonRoot=true"

pattern:

spec:

securityContext:

runAsNonRoot: true

If you can write a policy like this from scratch in the exam terminal, you are clearly above the CKS passing line.

Observability track — Prometheus, OpenTelemetry, Istio

PCA, OTCA and ICA form a tight cluster. Cloud-native observability splits into three pillars (metrics, traces, logs), and the standards are Prometheus, OpenTelemetry, and OpenSearch/Loki.

- **PCA**: PromQL 24%, instances/scrape 18%, alerting 18%, instrumentation 16%, ops/deployment 14%, other 10%.

- **OTCA**: distributed tracing concepts 22%, the OTel Collector 28%, SDK/API 20%, OTLP 12%, conventions 18%.

- **ICA**: traffic management 30%, security 25%, observability 15%, install/upgrade 20%, customization 10%.

A handful of PromQL one-liners cover most of PCA.

1-minute request rate

rate(http_requests_total[1m])

5xx ratio

sum(rate(http_requests_total{code=~"5.."}[5m]))

/ sum(rate(http_requests_total[5m]))

p99 latency

histogram_quantile(0.99,

sum by (le)(rate(http_request_duration_seconds_bucket[5m])))

Node disk projection (will it fill in 24h?)

predict_linear(node_filesystem_avail_bytes{mountpoint="/"}[6h], 86400) < 0

Read and write these comfortably and PCA is essentially a sure thing.

Scheduling the run — 6 months to all five certs

A standard 6-month plan to clear the full Kubestronaut sequence looks like:

- **Weeks 0-4**: KCNA. KodeKloud 12 hours plus the official PDF plus Killer Shell free tier.

- **Weeks 5-8**: KCSA. After KCNA, reinforce security. 30-50 hours.

- **Weeks 9-16**: CKAD. About 100 hours. Two-hour Killer Shell session every Saturday.

- **Weeks 17-22**: CKA. 120-160 hours. One mock exam per week.

- **Weeks 23-26**: CKS. 100-140 hours. Book it immediately after CKA passes so the vim and `k` muscle memory is still warm.

Once all five are valid simultaneously, the Kubestronaut title is granted automatically. Processing usually takes 3-5 business days.

Common pitfalls — time management, the one-tab rule, answer verification

Five recurring failure patterns to avoid:

1. **Bad time allocation**: spending 30 minutes on question one and running out for the rest. Skip hard tasks immediately and circle back at the end.

2. **One-tab violations**: some kubernetes.io links auto-open in a new tab. Always navigate within the same tab.

3. **Broken YAML indentation**: without the vimrc settings, an answer can grade as zero. Type the one-line vimrc within the first 30 seconds.

4. **Skipping verification**: writing a policy without checking it actually fires loses points. Lean on `kubectl auth can-i` and `kubectl run --rm -it test --image=busybox`.

5. **Wrong context**: every task switches the cluster. Run the context command shown at the top, every single time.

Avoiding these five alone visibly raises pass rates.

Conclusion — certs are the starting line, operational experience is the real value

Kubestronaut is less "a marathon you breeze through if you're already good" and more "external pressure that forces you to study Kubernetes systematically". Working through CKAD, CKA and CKS forces RBAC, Pod Security Standards, NetworkPolicy, image signing, GitOps and observability concepts into muscle memory.

The certificate itself doesn't set your salary. But a 12-22% comp delta at equivalent experience, plus 67% of holders receiving a raise or new job within 12 months, is hard to ignore. More importantly, the cloud-native ecosystem has already started sorting people along this ladder. By late 2026 the associate certifications will be preferred attributes for new graduate hires, and Kubestronaut will be the default signal for senior SRE roles.

References

- CNCF Certifications Overview — https://www.cncf.io/training/certification/

- Kubestronaut Program — https://www.linuxfoundation.org/kubestronaut

- CNCF Curriculum Repository — https://github.com/cncf/curriculum

- CKA Exam Curriculum — https://github.com/cncf/curriculum/blob/main/CKA_Curriculum_v1.31.pdf

- CKAD Exam Curriculum — https://github.com/cncf/curriculum/blob/main/CKAD_Curriculum.pdf

- CKS Exam Curriculum — https://github.com/cncf/curriculum/blob/main/CKS_Curriculum_v1.30.pdf

- KCNA Exam Curriculum — https://github.com/cncf/curriculum/blob/main/KCNA_Curriculum.pdf

- KCSA Exam Curriculum — https://github.com/cncf/curriculum/blob/main/KCSA_Curriculum.pdf

- Killer Shell Simulator — https://killer.sh

- KodeKloud — https://kodekloud.com/

- Linux Foundation Training — https://training.linuxfoundation.org/

- Learn CNCF — https://learn.cncf.io/

- Kubernetes Documentation — https://kubernetes.io/docs/

- Cilium Documentation — https://docs.cilium.io/

- Istio Documentation — https://istio.io/latest/docs/

- OpenTelemetry Documentation — https://opentelemetry.io/docs/

- Argo Project — https://argoproj.github.io/

- Prometheus Documentation — https://prometheus.io/docs/introduction/overview/

- Falco Documentation — https://falco.org/docs/

- Kyverno — https://kyverno.io/docs/

- OPA Gatekeeper — https://open-policy-agent.github.io/gatekeeper/website/

- Trivy — https://trivy.dev/

- KCD Seoul — https://community.cncf.io/kcd-seoul/

- KCD Tokyo — https://community.cncf.io/kcd-tokyo/

- Cloud Native Days Tokyo — https://cloudnativedays.jp/

- Stack Overflow Developer Survey 2025 — https://survey.stackoverflow.co/2025