필사 모드: How to Become a Kubestronaut in 2026 — The Complete CNCF Certification Roadmap (KCNA, KCSA, CKA, CKAD, CKS)
English- Introduction — A Journey to Collect Five Stars
- What Is the Kubestronaut Program?
- Kubestronaut Benefits — The Jacket Is Just the Beginning
- Golden Kubestronaut — The Summit of 15 Certifications
- The Five Certifications at a Glance
- KCNA — Your First Step into Cloud Native
- KCSA — The Second Theory Exam That Maps Out Security
- CKA — The Standard for Cluster Administration
- CKAD — A Speed Run from the Developer Perspective
- CKS — The Final Gate, Hands-On Security
- The Optimal Order — Why KCNA → CKAD → CKA → KCSA → CKS
- Cost Optimization — Bundles, Member Discounts, Black Friday
- The Retake Policy and the killer.sh Simulator
- The Study Stack — KodeKloud, Killercoda, Official Docs
- The Official Docs Bookmark Strategy
- The PSI Browser — Understanding the Exam Environment
- Exam Terminal Setup — Aliases and vim
- Time Management — Solving 17 Tasks in Two Hours
- Remote Exam Caveats — From Room Scans to Your ID
- A 6-12 Month Roadmap for Working Engineers
- Kubestronaut Communities in Korea and Japan
- Value in the Job Market — DevOps, SRE, Platform Engineering
- Practice with the Kubestronaut Quiz Tool on This Blog
- Closing — How to Reach Orbit
- References
Introduction — A Journey to Collect Five Stars
There is one jacket that always stands out at KubeCon.
The blue jacket with the rocket logo cannot be bought. It is reserved for people who hold all five CNCF Kubernetes certifications in active status at the same time — the Kubestronauts.
First announced at KubeCon Paris in 2024, the program has become a symbolic milestone for Kubernetes engineers. And above it now sits an even higher tier: the Golden Kubestronaut, which requires conquering every CNCF certification in existence.
This guide covers the entire path to becoming a Kubestronaut as of 2026: how the five exams are structured, the optimal order to take them, how to save hundreds of dollars on exam fees, how to use the killer.sh simulator, how to set up your terminal on exam day, and a realistic 6-12 month roadmap for people with full-time jobs.
What Is the Kubestronaut Program?
Kubestronaut is an official recognition program run by the CNCF (Cloud Native Computing Foundation).
The condition is simple: hold all five of the following certifications in simultaneously active status.
- KCNA — Kubernetes and Cloud Native Associate (multiple choice)
- KCSA — Kubernetes and Cloud Native Security Associate (multiple choice)
- CKA — Certified Kubernetes Administrator (hands-on)
- CKAD — Certified Kubernetes Application Developer (hands-on)
- CKS — Certified Kubernetes Security Specialist (hands-on)
The key phrase is "simultaneously active." If even one expires, you lose eligibility — which is why sequencing and schedule management matter as much as passing itself. Once you qualify, the CNCF verifies your status and reaches out with welcome package instructions, and the official page publishes the list of Kubestronauts by country.
Kubestronaut Benefits — The Jacket Is Just the Beginning
The jacket is the famous part, but the practical benefits go further.
- The Kubestronaut jacket: a limited edition available only to program achievers
- Credly digital badge: an official credential for LinkedIn and your resume
- Private community: an invite-only Slack channel and mailing list for Kubestronauts
- Certification discount coupons: renewed yearly, 50% off CNCF certifications (five per year per the announcement) — which dramatically lowers the cost of keeping everything active
- Event discounts: reduced registration for KubeCon and other CNCF events
The coupons are the quiet killer feature. Each of the five certifications expires after 24 months, so a program that halves your renewal costs is effectively a built-in retention mechanism. Details can change, so always confirm against the official page.
Golden Kubestronaut — The Summit of 15 Certifications
Announced in 2025, the Golden Kubestronaut is the next level up.
On top of the original five, it requires every remaining CNCF certification plus the Linux Foundation LFCS. As of 2026, that means roughly these 15 credentials.
- The base five: KCNA, KCSA, CKA, CKAD, CKS
- PCA — Prometheus Certified Associate (monitoring)
- ICA — Istio Certified Associate (service mesh)
- CGOA — Certified GitOps Associate (GitOps principles)
- CAPA — Certified Argo Project Associate (Argo CD and Workflows)
- OTCA — OpenTelemetry Certified Associate (observability)
- KCA — Kyverno Certified Associate (policy engine)
- CCA — Cilium Certified Associate (eBPF networking)
- CBA — Certified Backstage Associate (developer portals)
- CNPA — Cloud Native Platform Engineering Associate (platform engineering)
- LFCS — Linux Foundation Certified System Administrator (hands-on Linux)
Per the announcement, the perks include a dedicated backpack and beanie, one free KubeCon registration per year, and a title that lasts a lifetime once achieved. Since new CNCF certifications can extend the requirements for future challengers, the shorter the list is, the better the time to start.
The Five Certifications at a Glance
Here is the full picture first. List prices reflect the official pages as of early 2026 and can change with sales and policy updates.
| Certification | Format | Duration | Questions | Pass Mark | List Price | Validity |
|---|---|---|---|---|---|---|
| KCNA | Multiple choice (proctored) | 90 min | 60 | 75% | $250 | 24 months |
| KCSA | Multiple choice (proctored) | 90 min | 60 | 75% | $250 | 24 months |
| CKA | Hands-on (terminal) | 120 min | 15-20 tasks | 66% | $445 | 24 months |
| CKAD | Hands-on (terminal) | 120 min | 15-20 tasks | 66% | $445 | 24 months |
| CKS | Hands-on (terminal) | 120 min | 15-20 tasks | 67% | $445 | 24 months |
Only two rules to remember. First, CKS can only be taken by holders of a valid CKA. Second, you must schedule each exam within 12 months of purchase, and every exam includes one free retake.
KCNA — Your First Step into Cloud Native
KCNA is the entry-level theory exam covering Kubernetes and the broader cloud native ecosystem.
| Domain | Weight |
|---|---|
| Kubernetes Fundamentals | 46% |
| Container Orchestration | 22% |
| Cloud Native Architecture | 16% |
| Cloud Native Observability | 8% |
| Cloud Native Application Delivery | 8% |
Nearly half the exam is Kubernetes fundamentals: core objects like Pods, Deployments and Services, control plane components, and general CNCF ecosystem literacy (Prometheus, Helm, GitOps concepts).
With hands-on experience, one to two weeks of study is usually enough; complete beginners should plan for about four weeks. But do not dismiss it as "the easy one." The pass mark is 75% — higher than the hands-on exams — and sloppy preparation trips people up surprisingly often.
KCSA — The Second Theory Exam That Maps Out Security
KCSA draws the conceptual map of Kubernetes security.
| Domain | Weight |
|---|---|
| Overview of Cloud Native Security | 14% |
| Kubernetes Cluster Component Security | 22% |
| Kubernetes Security Fundamentals | 22% |
| Kubernetes Threat Model | 16% |
| Platform Security | 16% |
| Compliance and Security Frameworks | 10% |
Expect an even spread of topics: the 4C model (Cloud, Cluster, Container, Code), STRIDE threat modeling, Pod Security Standards, RBAC, and audit logging.
Its positioning is what makes it interesting: KCSA is effectively the theory edition of CKS. Scheduling it right before CKS lets concept review and hands-on practice reinforce each other — which is exactly why the recommended sequence below puts KCSA fourth.
CKA — The Standard for Cluster Administration
CKA is the flagship Kubernetes certification. You get 120 minutes to solve 15-20 tasks while hopping between several live clusters.
| Domain | Weight |
|---|---|
| Troubleshooting | 30% |
| Cluster Architecture, Installation & Configuration | 25% |
| Services & Networking | 20% |
| Workloads & Scheduling | 15% |
| Storage | 10% |
As the weights suggest, troubleshooting dominates at 30%: reviving dead nodes, diagnosing kubelet failures, and repairing control planes — and those tasks carry high point values too. Since the February 2025 refresh, Helm, Kustomize, the Gateway API, CRDs and Operators are also in scope.
And then there is the most classic CKA task of all — the etcd backup, which you should practice until your hands remember it.
# Classic CKA task — take an etcd snapshot backup
ETCDCTL_API=3 etcdctl snapshot save /var/lib/backup/etcd-snapshot.db \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key
If you have to look up those three certificate paths in the docs every time, you lose three minutes. Run the backup and restore as a pair at least ten times before exam day.
CKAD — A Speed Run from the Developer Perspective
CKAD tests your ability to run applications on Kubernetes.
| Domain | Weight |
|---|---|
| Application Environment, Configuration and Security | 25% |
| Application Design and Build | 20% |
| Application Deployment | 20% |
| Services and Networking | 20% |
| Application Observability and Maintenance | 15% |
The focus is everything a developer touches daily: ConfigMaps and Secrets, all three probe types, resource limits, CronJobs, canary and blue-green rollout strategies, and working with Helm charts.
The essence of CKAD is speed. Individual tasks are gentler than CKA, but the time per question is tighter — without the habit of generating YAML through imperative commands, you will simply run out of clock. Its scope overlaps heavily with CKA, so preparing them back to back pays off.
CKS — The Final Gate, Hands-On Security
CKS is widely considered the hardest of the five. The fact that a valid CKA is a prerequisite tells you something about the level.
| Domain | Weight |
|---|---|
| Minimize Microservice Vulnerabilities | 20% |
| Supply Chain Security | 20% |
| Monitoring, Logging and Runtime Security | 20% |
| Cluster Setup | 15% |
| Cluster Hardening | 15% |
| System Hardening | 10% |
NetworkPolicy, least-privilege RBAC, Pod Security Standards, AppArmor and seccomp profiles, runtime sandboxes, Falco runtime detection, Trivy image scanning, SBOMs — the sheer breadth of tooling is what makes CKS hard.
Among all of them, NetworkPolicy is the one you must internalize.
# Classic CKS task — a default deny NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: prod
spec:
podSelector: {}
policyTypes:
- Ingress
An empty podSelector means "every Pod in the namespace," and Ingress and Egress are controlled separately — countless exam variations grow out of this one base pattern.
The Optimal Order — Why KCNA → CKAD → CKA → KCSA → CKS
There is no single right answer, but for a first-time challenger this sequence is the one to beat.
- KCNA — build the conceptual map, and experience the remote exam process with low stakes
- CKAD — the lowest barrier to entry among the hands-on exams; your kubectl speed gets forged here
- CKA — stack cluster operations and troubleshooting on top of the speed you built in CKAD
- KCSA — right before CKS, pre-learn the security concepts in theory form
- CKS — break through the final gate with everything in place
The logic rests on three points.
First, the difficulty rises like a staircase: theory → approachable hands-on → deep hands-on → security theory → security hands-on. There is no sudden wall.
Second, KCSA acts as a preview of CKS. You cover the same security domains twice — once in theory, once in practice — which compounds your study efficiency.
Third, it plays well with the validity window. All five must be active at once, so the final exam has to land within 24 months of the first. Starting with the easier exams keeps the early phase from slipping. If you already run clusters for a living, a variant that starts with CKA and defers CKAD works just as well.
Cost Optimization — Bundles, Member Discounts, Black Friday
At list price, all five cost $445 times three plus $250 times two — $1,835 in total. Almost nobody pays that.
- Black Friday and Cyber Monday: the biggest Linux Foundation sale of the year, in late November. Discounts have historically landed in the 40-65% range. Buying all five at once here is the standard play — you have 12 months after purchase to schedule, so stockpiling is safe.
- Bundles: combos like CKA plus CKS and Kubestronaut-oriented bundles routinely run 20-30% below list.
- Evergreen coupons: 30-40% codes circulate regularly through the Linux Foundation newsletter and CNCF community channels, and KubeCon attendees receive discount codes as well.
- Employer budgets: many companies cover exams from training budgets, and team voucher purchases often unlock further discounts.
For the record, the CKA fee was once $395 and now sits at $445, and the trend keeps pointing up. If you are going to earn these certifications eventually, buying during a sale is strictly better.
The Retake Policy and the killer.sh Simulator
Every CNCF exam purchase ships with two safety nets.
First, one free retake. If you fail the first attempt, you get another try within the 12-month eligibility window. Postponing your booking out of fear of failure is a strictly losing move.
Second, CKA, CKAD and CKS purchases include two killer.sh simulator sessions.
- Each session stays open for 36 hours after activation
- Both sessions contain the same question set, so use the second run to verify what you missed in the first
- The simulator is deliberately harder than the real exam. The community consensus is that 70-80% on the simulator puts you in the passing zone for the real thing
The recommended pattern: run session one about one to two weeks before the exam to expose weaknesses, patch them, then run session two as a final rehearsal two to three days out.
The Study Stack — KodeKloud, Killercoda, Official Docs
The proven combination looks like this.
- Courses: the KodeKloud CKA, CKAD and CKS tracks are the de facto standard, with browser labs that connect theory to practice immediately
- Free practice: Killercoda hosts dozens of free CKA, CKAD and CKS scenarios — perfect for commute-sized practice sessions
- Official docs: the kubernetes.io documentation and task pages are the best textbook there is, and since you can reference them during the exam, befriending the docs is exam prep in itself
- A local cluster: in the end, nothing teaches like breaking and repairing your own cluster
# A local practice cluster — pick whichever you prefer
minikube start --nodes=2
# or
kind create cluster --name practice
kubectl get nodes -o wide
For the theory exams (KCNA and KCSA), repeated question drilling beats watching more lectures. The quiz tool on this blog, introduced below, is built exactly for that.
The Official Docs Bookmark Strategy
During the hands-on exams you may browse the kubernetes.io documentation (plus the Helm docs, and for CKS a defined set of security tool docs) through Firefox inside the remote desktop.
One important trap — it is not your own browser, so your carefully curated bookmarks do not exist there. The real strategy is therefore not bookmarks but these two habits.
- Memorize search keywords: decide in advance what you will type into the docs search box. Need a NetworkPolicy example? Search "network policies". Creating a PV? Search "persistent volumes configure". Use the exact same queries in practice and in the exam
- kubectl explain is faster than the docs: when a field name escapes you, the terminal beats opening the browser
# Try explain before digging through the docs — when a field name escapes you
k explain pod.spec.containers.securityContext
k explain deployment.spec.strategy --recursive
k explain networkpolicy.spec --recursive
k api-resources | grep -i policy
If you drill "which page holds what" into muscle memory during practice, a single search lands you on the right page in the exam.
The PSI Browser — Understanding the Exam Environment
CNCF hands-on exams run on the PSI proctoring platform, and this environment is what surprises first-timers the most.
- You install the PSI Secure Browser, and the exam takes place inside a remote Linux desktop (XFCE) streamed within it
- Both the terminal and the browser (Firefox) run inside that remote desktop — not on your local machine
- Because the screen is remote, input latency is real. Verifying commands matters more than raw typing speed
- Copy and paste in the terminal uses Ctrl+Shift+C and Ctrl+Shift+V. Always copy resource names from the question text — a single typo scores zero
- Only one monitor is allowed. On a laptop, either disconnect external displays or use exactly one external monitor with the laptop lid closed
Run the PSI system compatibility check ahead of time, and use a wired connection if you possibly can.
Exam Terminal Setup — Aliases and vim
Invest the first minute or two of the exam in environment setup. Recent exam environments often come with the k alias and completion preconfigured — verify first, then set up whatever is missing.
# k alias and completion — often preconfigured in recent exam environments, check first
alias k=kubectl
complete -o default -F __start_kubectl k
# Frequently used flags as environment variables
export do="--dry-run=client -o yaml"
export now="--force --grace-period 0"
You will edit YAML in vim, so add the minimal settings that prevent indentation accidents.
# ~/.vimrc — prevent YAML indentation accidents
cat <<'EOF' >> ~/.vimrc
set tabstop=2
set shiftwidth=2
set expandtab
set number
EOF
Bundle both into a "first 60 seconds routine" and repeat it identically in every practice session — on exam day your hands will run it on autopilot.
# The 60-second routine right after the exam starts
kubectl config get-contexts # list available contexts
kubectl get nodes # confirm cluster connectivity
source <(kubectl completion bash) # load completion
alias k=kubectl
complete -o default -F __start_kubectl k
export do="--dry-run=client -o yaml"
Time Management — Solving 17 Tasks in Two Hours
Doing the math for CKA: 120 minutes across 15-20 tasks (usually around 17) gives you six to seven minutes per task on average. But point values range from 4% to 13%, so playing to the average is a mistake.
- Run the context-switch command specified in each question first — it prevents the worst-case blunder of building the right answer on the wrong cluster
- Work from question one without a preview pass, but if no approach forms within two minutes, flag it and move on — use the flagging feature in the exam UI aggressively
- Reserve time for the high-value troubleshooting tasks, and spend the final ten minutes retrying flagged questions
- Above all — never type YAML from scratch
# Never hand-type YAML from scratch — generate imperatively, then edit
k run web --image=nginx $do > pod.yaml
k create deployment api --image=nginx --replicas=3 $do > deploy.yaml
k expose deployment api --port=80 --target-port=8080 $do > svc.yaml
k create configmap app-config --from-literal=ENV=prod $do > cm.yaml
Imperative generation → save to file → edit only what needs changing in vim. That three-step move is the core time-management technique of the hands-on exams. For what it is worth, pure memorization accounts for <10% of what these exams test — the rest is hand speed and documentation fluency.
Remote Exam Caveats — From Room Scans to Your ID
Both the theory and hands-on exams are remotely proctored, and non-technical preparation can decide the outcome.
- Check-in opens 30 minutes early: ID verification and the environment check take longer than you expect
- Your ID must match your Latin-alphabet name: the name on the ID has to match your registration exactly. For Korean and Japanese candidates, a passport is the safest choice
- A 360-degree webcam room scan: you will be asked to show the desk surface, under the desk, the walls, even your wrists. Remove sticky notes, second monitors and any paper
- A quiet room, alone: someone walking in mid-exam can get it suspended, so warn your family or housemates in advance
- Only water in a transparent container is allowed
- Bathroom breaks are permitted, but the timer never stops
- Covering your mouth, reading aloud, or repeatedly looking off-screen draws proctor warnings
If this is your first rodeo, going through the whole procedure once with KCNA is an asset in itself.
A 6-12 Month Roadmap for Working Engineers
A standard plan assuming eight to ten hours per week (one hour on weekdays plus half a weekend day).
| Phase | Goal | Focus |
|---|---|---|
| Months 1-2 | Pass KCNA | Concept study plus question drilling; experience remote proctoring |
| Months 3-5 | Pass CKAD | kubectl speed training, imperative commands, first killer.sh run |
| Months 6-8 | Pass CKA | Cluster operations and troubleshooting; etcd backup and restore |
| Months 9-10 | Pass KCSA | Consolidate security concepts; pre-learn the CKS syllabus |
| Months 11-12 | Pass CKS | Security tool drills, final killer.sh run, apply for Kubestronaut |
Experienced engineers can compress this into six months: start with CKA, take CKAD two to three weeks later, then finish KCSA and CKS in one continuous push.
One principle governs the whole schedule: finish the fifth exam before the first certification expires (24 months). Completing within 12 months leaves a comfortable buffer — and buying all the exams during the November Black Friday sale, then leaning on the 12-month eligibility window, solves cost and scheduling in a single move.
Kubestronaut Communities in Korea and Japan
The official CNCF page lists Kubestronauts by country, and the names from both Korea and Japan keep multiplying.
Korea has a strong meetup and study-group culture around cloud native. CNCF community group events and open chat study groups actively share pass reports and legitimate study materials, and posting a photo in the Kubestronaut jacket has become something of a rite of passage.
In Japan, the Cloud Native Community Japan (CNCJ) is the center of gravity. After the first KubeCon + CloudNativeCon Japan was held in Tokyo in 2025, certification momentum visibly surged, and the density of pass write-ups on Zenn and Qiita rivals any community in the world.
In both countries the exams are primarily English-based (some exams offer Japanese), so tips from the community on handling English question text are genuinely practical help.
Value in the Job Market — DevOps, SRE, Platform Engineering
A certification does not guarantee skill. But its signaling effect in the hiring market is real.
- CKA is a fixture in the preferred qualifications of DevOps engineer, SRE and platform engineer postings. In cloud MSPs, system integrators and financial infrastructure teams, it functions as baseline proof of fundamentals
- The credibility comes from CKA and CKS being hands-on exams: unlike multiple-choice credentials, they certify that you can actually solve problems in a terminal
- Kubestronaut status is still rare enough to be a strong differentiator on a resume and LinkedIn — put the Credly badge link near the top
- The Japanese market has steady Kubernetes demand centered on system integrators and cloud integrators, and companies with certification allowances or exam-fee support are common
The point is to treat certifications not as the finish line but as the ticket that gets you to the interview table. Interviews ultimately probe your troubleshooting stories — and those stories accumulate naturally while you prepare for CKA and CKS.
Practice with the Kubestronaut Quiz Tool on This Blog
This blog ships a study tool built specifically for the Kubestronaut journey.
The Kubestronaut Quiz is a question bank of more than 772 questions spanning all five tracks — KCNA, KCSA, CKA, CKAD, CKS — plus Golden Kubestronaut scope.
- Per-certification tracks: questions weighted to mirror the real domain distribution
- Flashcard mode: for concept memorization on the commute
- Hands-on drills: training your recall of exam-style commands
- Weak-area review: re-serves the domains you keep missing
The recommended usage: for the theory exams (KCNA and KCSA), repeated runs through this quiz alone can carry you to the pass mark. For the hands-on exams, use the quiz to expose conceptual gaps and pair it with real cluster practice. The kubectl Command Finder and the Linux Command Quiz for LFCS and Golden preparation combine well with it.
Closing — How to Reach Orbit
Kubestronaut is, in the end, a certification of consistency. None of the five exams demands genius, but making all five valid inside a 24-month window demands planning and persistence.
A final checklist.
- Order: KCNA → CKAD → CKA → KCSA → CKS; experienced operators may start with CKA
- Buy exams as bundles on Black Friday; schedule within 12 months of purchase
- Place the two killer.sh sessions one to two weeks and two to three days before the exam
- Drill the 60-second opening routine (context check, alias, vim settings) into muscle memory
- Passport for ID, one monitor, an empty room, water in a transparent container
- Pass the fifth exam before the first one expires — ideally finish within 12 months
Before you close this tab, book a KCNA slot. A rocket does not lift off when the fuel tank is full — it lifts off when the countdown starts.
References
- CNCF Kubestronaut program official page: https://www.cncf.io/training/kubestronaut/
- CNCF certification catalog: https://www.cncf.io/training/certification/
- KCNA official page: https://www.cncf.io/training/certification/kcna/
- KCSA official page: https://www.cncf.io/training/certification/kcsa/
- CKA official page: https://www.cncf.io/training/certification/cka/
- CKAD official page: https://www.cncf.io/training/certification/ckad/
- CKS official page: https://www.cncf.io/training/certification/cks/
- Linux Foundation CKA registration page: https://training.linuxfoundation.org/certification/certified-kubernetes-administrator-cka/
- Linux Foundation certification catalog (bundles and sales): https://training.linuxfoundation.org/certification-catalog/
- LFCS official page: https://training.linuxfoundation.org/certification/linux-foundation-certified-sysadmin-lfcs/
- Official FAQ for CKA, CKAD and CKS: https://docs.linuxfoundation.org/tc-docs/certification/faq-cka-ckad-cks
- Linux Foundation candidate handbook: https://docs.linuxfoundation.org/tc-docs/certification/lf-handbook2
- killer.sh exam simulator: https://killer.sh/
- Killercoda free practice scenarios: https://killercoda.com/
- KodeKloud courses and labs: https://kodekloud.com/
- Kubernetes official documentation: https://kubernetes.io/docs/
현재 단락 (1/248)
There is one jacket that always stands out at KubeCon.