TL;DR: Every CNCF certification in a year — 199 hours of study, $2,653 total. I failed my first exam after 80 hours of prep. Once I got past that, each one came faster. My last took 1 hour.
I earned Golden Kubestronaut in January 2026, when there were roughly 240 recognized members worldwide. The program has since grown — these numbers reflect that point in time.
It Started With a Colleague's Demo
An engineer I was working with gave me a personal demo of their Kubernetes setup. Nodes scaling up in real time, pods rebalancing across the cluster — and all of it visible through k9s: logs, resource details, everything in one terminal.
I'd always thought of Kubernetes as overkill — a massively complex container orchestration system that was far beyond what my work required. I'd avoided it entirely, which is why I had zero experience with it. But watching it in action, I thought: this is cool. I want to understand this.
So I started tinkering. I built a small EKS cluster at home, deployed workloads, broke things. That's how I discovered ArgoCD, which deepened my curiosity further. That hands-on exploration is what eventually led me to attempt my first certification.
My First CKA Attempt Was a Disaster (But It Helped)
My first attempt at CKA (Certified Kubernetes Administrator) ended in failure. I had some relevant background — years of Linux and container experience, architecture design, LPIC-2, AWS Solutions Architect Professional — but Kubernetes itself was brand new to me. I studied for about 80 hours, mostly through KodeKloud courses. After all that prep, I figured I had a real shot.
Then I sat the exam — and it was a disaster. By the halfway mark I knew I was going to fail, and I did. The only thing that saved me was the free retake bundled with the exam.
That first attempt taught me things no course could:
- The exam environment can be brutally slow. This may vary, but in my case scrolling and typing had 2-3 seconds of lag. I couldn't even read the documentation properly. Practice environments like KodeKloud run smoothly — the real exam doesn't. Don't expect to perform at your practice level.
- Use the largest monitor you can. I took it on a laptop and could barely work — you need enough screen space to have the terminal, docs, and notepad side by side. The rules say one monitor only, but an external display is fine. I switched to a 32" monitor for every exam after this.
-
The remote desktop has different shortcuts. Copy is
Shift+Ctrl+C, paste isShift+Ctrl+V. This threw me off constantly. I strongly recommend running through killer.sh at least once before your exam — it uses the same environment, so you can get used to these quirks. - The exam tests hands-on accuracy and speed, not knowledge. I shifted my prep to focus more on drilling practice labs.
Armed with those lessons, I went back to drilling. I cycled through KodeKloud's hands-on labs until the muscle memory was there, and used Claude and ChatGPT as a sparring partner — every fuzzy concept got pushed back and forth with the AI until it clicked. "I think I get it" wasn't good enough.
On my second attempt I scraped through with 69% — just three points above the 66% passing line. Not glamorous. Borderline, honestly. But I was in.
The Snowball Effect: Why I Kept Going
After passing CKA, I looked at the Kubestronaut requirements and realized CKS (Security) was the real gatekeeper. If I could pass CKS, the rest would follow — CKAD shares about 70% of CKA material, and the knowledge-based exams (KCNA, KCSA) are essentially reviews of what the hands-on exams already cover.
Beyond strategy, I also had a personal reason to tackle CKS next: I'd been working on security-related tasks at my day job, so I was genuinely interested in the domain. CKS built directly on CKA concepts — 32 hours of additional study, 77%. After that, CKAD took 8 hours (85%), and the theory exams came noticeably easier from there. KCSA needed just 2 hours of prep.
Before I knew it, I had all five Kubestronaut certifications.
| Exam | Study Hours | Score | Notes |
|---|---|---|---|
| CKA | 80h | 69% | Failed first attempt, passed on retake |
| CKS | 32h | 77% | Builds heavily on CKA |
| CKAD | 8h | 85% | ~70% overlap with CKA |
| KCSA | 2h | 88% | Knowledge-based; CKS covers most of it |
| KCNA | 3h | 80% | Knowledge-based; CKA covers most of it |
From Kubestronaut to Golden: "What About All These Other Technologies?"
With Kubestronaut earned, I saw the path to Golden Kubestronaut — 10 more certifications covering Cilium, Istio, ArgoCD, Backstage, Prometheus, OpenTelemetry, and more. Technologies I'd heard of but never touched.
The remaining exam fees alone were roughly $2,000. Even with bundles and discounts, that's a significant investment. I needed to know: would I actually find these technologies interesting?
The $333 Trial Run
So I built a home lab. Three Raspberry Pi 5 boards (8GB each), power supplies, cables — about $333 total (¥50,000 JPY; hardware prices vary by region). Much cheaper than the exam fees, and something I'd wanted to build anyway. (More on the lab later — the whole cluster is open source on GitHub if you want to peek as you read.)
GitOps and Claude Code turned out to be a great combination — writing infrastructure as code meant the initial setup took just a few days. I had a working Kubernetes cluster running kubeadm, Cilium for networking, and ArgoCD for GitOps. And the technologies were genuinely fun:
- ArgoCD: Push to Git, watch your cluster update. Seeing everything deploy from one dashboard is addictive.
- Cilium: Reading about eBPF philosophy alongside O'Reilly's Learning eBPF made me want to dig into the source code.
- Backstage: The developer portal concept clicked immediately — one repo per service, naturally composing into a portal.
That settled it. I committed to the remaining 10 exams.
The Golden 10
With hands-on experience from the lab, these exams went faster than expected — 74 hours total for all 10.
| Exam | Hours | Score | Difficulty | One-line take |
|---|---|---|---|---|
| CGOA (GitOps with ArgoCD) | 5h | 83% | ★☆☆☆☆ | Mostly the 4 GitOps principles. Straightforward |
| CBA (Backstage) | 10h | 88% | ★★☆☆☆ | Asks about granular config details. Harder than the mock exams |
| CCA (Cilium) | 10h | 78% | ★★★★☆ | eBPF, networking — widest scope. Possibly the hardest multiple-choice exam |
| PCA (Prometheus) | 10h | 93% | ★★☆☆☆ | You need PromQL basics. Once you have them, manageable |
| ICA (Istio) | 10h | 98% | ★★★☆☆ | Performance-based, but the scope is narrow. Lab practice pays off fast |
| LFCS (Linux) | 15h | 83% | ★★★☆☆ | Performance-based. Fine with LPIC-1 level knowledge; painful without it |
| KCA (Kyverno) | 5h | 88% | ★★☆☆☆ | Concepts are simple, but the questions test detailed policy config |
| OTCA (OpenTelemetry) | 5h | 85% | ★★☆☆☆ | Architecture comprehension is harder than other theory exams |
| CAPA (Argo Projects) | 3h | 91% | ★★☆☆☆ | Wide scope, but each product is simple to understand |
| CNPA (Cilium Network Policies) | 1h | 92% | ★☆☆☆☆ | If you have CCA + CKS, you can pass this with zero extra study |
The Full Cost Breakdown
Certifications aren't cheap. Here's what I actually paid:
| Item | Cost |
|---|---|
| CKA (full price, before I knew about bundles) | $455 |
| Kubestronaut bundle (KodeKloud coupon) | $864.50 |
| Golden bundle (Cyber Monday deal) | $1,334 |
| Total | $2,653 |
Key savings tip: Wait for bundle deals. The Kubestronaut and Golden bundles from the Linux Foundation significantly reduce per-exam cost. KodeKloud occasionally offers coupon codes for bundles. Black Friday / Cyber Monday is the best time to buy.
I self-funded everything. No employer reimbursement.
My Study System
One platform: KodeKloud
I used KodeKloud from the start and stuck with it for all 15 exams. Their courses map directly to the exam objectives, the hands-on labs simulate the real exam environment. The annual subscription at the time was $180 — not cheap, but far better than buying separate materials for 15 exams. The CKA lectures were especially clear for a beginner; for topics I already knew (LFCS, since I had LPIC-2) I skipped the videos and used their written docs to move faster. A few labs felt buggy and some sections felt rushed, but staying on one platform for everything was worth it.
Generative AI as a study partner
I used AI (Claude, ChatGPT) heavily throughout my preparation — not to memorize answers, but to:
- Explain concepts in different ways when the course material didn't click
- Generate practice scenarios beyond what KodeKloud offered
- Debug my home lab when things broke in unexpected ways
- Create visual diagrams to map relationships between Kubernetes components
AI doesn't replace hands-on practice, but it dramatically accelerates the feedback loop.
Parental leave + 3 hours a day
My daughter was born in August 2025, right in the middle of this journey. I was on parental leave, so I carved out about 3 hours every day — during naps, after bedtime, early mornings. No marathon weekend sessions — that wasn't an option with a newborn, and it turned out consistency mattered more than intensity.
Taking exams at home
All 15 exams were taken from home via the PSI secure browser. This was a huge advantage with a newborn — I could schedule exams flexibly without leaving the house. A few tips:
- Clear your desk completely. The proctor checks your workspace via webcam. Your desk needs to be clean, though bookshelves and a bed in the room were fine in my experience.
Where Certifications End and Real Learning Begins
Fifteen certifications didn't make me an expert. When I started building out my home lab for real, I kept hitting problems no exam had prepared me for:
-
NetworkPolicy
default-denybroke everything at once. DNS resolution, Prometheus scraping, ArgoCD repo syncing — all gone. Each one was obvious in hindsight ("of course deny-all blocks DNS egress"), but I hadn't predicted any of them. This taught me to always start with audit mode before enforcing. (The per-namespace policies I ended up writing are underinfrastructure/environments/*/network-policy.yamlin the repo.) -
Istio mTLS in STRICT mode killed non-mesh communication. The moment I applied
PeerAuthenticationcluster-wide, anything outside the service mesh stopped working. (Seeinfrastructure/network/istio/resources/peer-authentication.yamlfor the final config.) - GitOps needs end-to-end CI/CD, not just manifests. The exams mention this conceptually, but in practice, you need image builds, tagging, and automated manifest updates all wired together before GitOps actually works.
-
Backstage catalog management is real work. Templates create new services nicely, but retroactively onboarding existing apps means hand-writing a
catalog-info.yamlfor each one. - OpenTelemetry defaults produce noise, not insight. The Collector sends traces just fine, but without correlating traces to logs and pruning unnecessary spans, Grafana dashboards are unusable.
Here's the thing though — when something broke, I could usually guess which layer was involved. After one default-deny incident, an AI assistant suggested the pod's CrashLoopBackOff was due to a missing PyPI dependency. But I'd just applied NetworkPolicy changes, so I immediately asked: "Is egress being blocked?" It was. That intuition — knowing the CNCF landscape well enough to form good hypotheses quickly — is what 15 certifications actually gave me.
Certifications are a starting point, not a destination — but a genuinely useful one.
All of these issues — and their fixes — live in the actual manifests. The NetworkPolicy that broke DNS, the Istio PeerAuthentication config, the OTel Collector pipeline — it's all in the repo. If you're prepping for any of these certifications, treat it as a working reference: real configs on bare-metal ARM64 + AMD64, with broken-and-fixed states preserved in commit history. Browse it, fork it, take what's useful.
What It Actually Changed (So Far)
Honestly? No dramatic career transformation yet. My day job has evolved from ML to backend to cloud-focused full-stack, and I'm now in a management role — but none of that was because of CNCF certifications.
What did change is more subtle: the barrier to putting myself out there dropped significantly. Before Golden Kubestronaut, I would never have written a technical article in English, submitted a KubeCon CFP, or joined CNCF community channels. Now I'm doing all of those — and enjoying it. The program also comes with practical perks like 50% off KubeCon registration, which turned attending into a real possibility. I can't point to a single career outcome and say "certifications did this," but they gave me the confidence and the community to start doing things I'd been too hesitant to try.
2026 update: Golden Kubestronaut now requires 16 certifications (CNPE was added March 2026). The new CARE program auto-renews lower certs when you hold higher ones (CKA/CKAD → KCNA, CKS → KCSA), significantly reducing renewal burden. The barrier to entry keeps getting lower.
Maybe someone is watching your terminal right now, seeing pods scale up, and thinking: that looks cool. If so — a year, $2,653, and a lot of broken YAML later, I can tell you the curiosity is worth following.
What broke first when you applied default-deny in your cluster? Or if you're considering the CNCF certification path — what's holding you back? I'd love to hear in the comments.
Appendix
Timeline
Nov 2024 — Got curious about Kubernetes after a colleague's demo
Dec 2024 — Built a small EKS-based platform to get hands-on experience
Mar 2025 — Started studying for CKA
May 2025 — Failed CKA (first attempt)
Jun 2025 — Passed CKA (second attempt)
Aug 2025 — Daughter born; continued studying on parental leave
Sep 2025 — Passed CKS
Oct 2025 — Kubestronaut achieved (CKA, CKAD, CKS, KCNA, KCSA)
Nov 2025 — Built Raspberry Pi home lab ("GoldShip")
Dec 2025 — Golden Kubestronaut ~80% complete
Jan 2026 — Golden Kubestronaut recognized (~240 worldwide at the time)
What's in the Repo
The home lab covers technologies behind 12 of the 16 Golden Kubestronaut certifications. If you're studying for any of them, the manifests serve as working examples on bare-metal ARM64 + AMD64 hardware:
- GitOps: ArgoCD App-of-Apps with Helm multi-source
- Networking: Cilium L2 LoadBalancer + Istio Gateway API (dual-stack)
- Observability: Prometheus, Grafana, Loki, Tempo, OTel Collector
- Developer experience: Backstage with golden path templates and TechDocs
- Security: Keycloak SSO, cert-manager, Sealed Secrets
- Environment separation: Prod/dev overlays with Kustomize
Resources
- KodeKloud — The only study platform I used for all 15 exams
- killer.sh — Included with exam purchases; the closest thing to the real exam environment
- Original article (Japanese) — The detailed Japanese version with full exam-by-exam breakdowns
- Kubestronaut article (Japanese) — My earlier article on the first 5 certifications
Top comments (0)