DevCerts

Certification

Kubernetes Specialist

This certification is designed for engineers who work with Kubernetes in real delivery environments and are responsible for how workloads are deployed, configured, exposed, observed, and maintained over time.

It validates practical competence in core Kubernetes primitives, workload management, networking, service exposure, configuration handling, secret management, rollout strategies, resource control, troubleshooting, and operational reliability. The focus is on applying Kubernetes correctly in production rather than recognizing isolated terminology.

Candidates are expected to demonstrate that they can reason about how applications behave inside a cluster, identify misconfiguration and deployment risks, and make decisions that improve stability, resilience, and maintainability. This includes working with pods, deployments, services, ingress, probes, autoscaling, environment configuration, and debugging under realistic runtime conditions.

The certification is suitable for engineers who already use Kubernetes professionally and want to validate that they can operate containerized systems with confidence, technical clarity, and production-level platform discipline.

What this certification proves

Clear scope for candidates. Clear meaning for reviewers.

Passing result

What a pass confirms

This certificate confirms that the candidate demonstrated practical Kubernetes competence in deploying workloads, operating platform primitives, and maintaining production-ready containerized systems with sound engineering judgment.

Scope

What the exam validates

Scope includes pods, deployments, services, ingress, configuration and secrets, resource management, health checks, rollout strategies, observability basics, troubleshooting, security awareness, and production-focused Kubernetes operations.

For reviewers

What someone can verify later

The public certificate page shows the holder name, score, issue date, certificate ID, and current verification status without relying on screenshots.

Share flow

Share one record, not a bundle of files

Use the certificate page as the primary proof. The PDF stays available as a convenient copy, but the live page is the canonical record.

Official certificate page

What the verifier will see

  • Candidate name
  • Score and pass outcome
  • Date and certificate ID
  • Current verification status

Preparation topics

Topics covered by the exam question set.

Use this topic map as a preparation checklist. Questions in this certification are built from these concrete topic areas.

Cluster Fundamentals

  • control plane
  • kube-apiserver
  • etcd
  • scheduler
  • controller manager
  • cloud controller
  • kubelet
  • kube-proxy
  • container runtime
  • static Pods
  • mirror Pods
  • CoreDNS
  • API communication
  • high availability

Kubectl Operations

  • kubectl logs
  • previous logs
  • kubectl exec
  • port-forward
  • rollout status
  • cluster events
  • dry-run
  • scheduling diagnosis
  • resource metrics
  • CRI tooling
  • ephemeral debugging
  • crash analysis

Pod Health

  • readiness probes
  • liveness probes
  • startup probes
  • init containers
  • native sidecars
  • readiness gates
  • lifecycle hooks
  • graceful shutdown
  • termination grace
  • terminating endpoints
  • restart behavior
  • warm-up handling

Workload Controllers

  • Pods
  • Deployments
  • StatefulSets
  • DaemonSets
  • Jobs
  • CronJobs
  • Indexed Jobs
  • backoff limit
  • failure policy
  • completion mode
  • one-shot tasks
  • scheduled tasks

Rollouts Delivery

  • rolling updates
  • rollback
  • rollout restart
  • rollout history
  • progress deadline
  • surge semantics
  • selector safety
  • canary releases
  • paused rollouts
  • PDBs
  • voluntary disruptions
  • image tags
  • pull policy
  • immutable images
  • template annotations
  • server-side apply
  • GitOps drift

Services Traffic

  • ClusterIP
  • headless Services
  • selectorless Services
  • LoadBalancer
  • ExternalName
  • Ingress
  • IngressClass
  • Gateway API
  • port mapping
  • named targetPort
  • session affinity
  • ExternalIPs
  • source ranges
  • internal traffic
  • topology routing
  • traffic distribution
  • dual-stack

DNS Discovery

  • Service DNS
  • namespace DNS
  • DNS policy
  • hostNetwork DNS
  • NodeLocal DNSCache
  • EndpointSlices
  • service discovery
  • FQDN egress

Scheduling Placement

  • taints
  • tolerations
  • nodeSelector
  • node affinity
  • pod anti-affinity
  • topology spread
  • dedicated nodes
  • zone placement
  • preemption
  • drain behavior
  • scheduling constraints
  • RuntimeClass scheduling

Resources Autoscaling

  • requests limits
  • QoS classes
  • LimitRange
  • ResourceQuota
  • HPA
  • CPU utilization
  • VPA
  • pod overhead
  • eviction signals
  • memory pressure
  • guaranteed QoS
  • resize strategy

Configuration Secrets

  • ConfigMaps
  • Secrets
  • env injection
  • secret volumes
  • config reloads
  • subPath caveats
  • immutable config
  • imagePullSecrets
  • secret rotation
  • encryption at rest
  • configuration drift

Storage Persistence

  • PVCs
  • StorageClass
  • access modes
  • PV reclaim
  • volume expansion
  • delayed binding
  • StatefulSet storage
  • emptyDir
  • volume snapshots
  • snapshot classes
  • PVC cloning
  • ephemeral volumes
  • volume mode
  • storage capacity
  • volume health

Security Access

  • ServiceAccounts
  • RBAC
  • Roles
  • RoleBindings
  • ClusterRoles
  • impersonation
  • can-i checks
  • non-resource URLs
  • token projection
  • automount tokens
  • Pod Security
  • securityContext
  • non-root
  • privilege escalation
  • read-only rootfs
  • seccomp
  • AppArmor
  • SELinux
  • Windows security

Policy Admission

  • NetworkPolicy
  • default deny
  • ingress rules
  • egress rules
  • namespace selectors
  • pod selectors
  • ipBlock
  • endPort
  • DNS egress
  • admission webhooks
  • failure policy
  • validating webhooks
  • mutating webhooks
  • audit policy
  • audit backends
  • audit levels

API Certificates

  • CSRs
  • signerName
  • certificate lifetime
  • approval flow
  • built-in signers
  • APIServices
  • API aggregation
  • aggregated auth
  • CRD upgrades

Platform Extensions

  • RuntimeClass
  • runtime handler
  • device plugins
  • CDI devices
  • DRA claims
  • ResourceClaims
  • DeviceTaints
  • PodResources
  • dynamic resources
  • Windows workloads
  • HostProcess
  • OS fields
  • mutable allocatable

How the certification works

From voucher purchase to public certificate.

Once the candidate decides to pursue this certification, the path is simple: buy a voucher, exchange it for this certification, complete the exam, and receive the official certificate after a successful result.

Step 01

Buy a voucher for account balance

The candidate tops up their voucher balance first. DevCerts does not sell this certification as a direct one-off checkout item.

Step 02

Choose this certification and exchange the voucher

When the candidate is ready, one voucher is consumed and DevCerts opens exam access for this certification.

Step 03

Pass and receive the official certificate page

After a successful valid result is received from Askium, DevCerts issues the certificate, publishes the public verification page, and keeps the PDF available as a secondary copy.

Current certificate policy

What this certification page promises today

  • A certificate is issued only after a successful valid result.
  • The public verification page is the canonical certificate artifact.
  • The issued certificate is active and non-expiring in the current MVP.