AWSFoundational
AWS Certified Cloud Practitioner
Exam: CLF-C02
Optional. Useful if you'll run Kubernetes on EKS/AKS/GKE and want to understand the underlying cloud layer.
~1 mo prepPractice questions
☸️
Cloud Native & Kubernetes Specialist Roadmap
Cloud native engineering is a distinct career track from cloud platform administration. This roadmap takes you through the full CNCF ecosystem: from Kubernetes basics (KCNA) to security (KCSA), platform engineering (CNPA), observability (OTCA), GitOps (CGOA), networking (Cilium), and policy (Kyverno) — plus the HashiCorp IaC and secrets management certs that complete a platform engineer's toolkit.
6 phases · 17 certifications10–20 months
Platform EngineerKubernetes EngineerCloud Native DeveloperSREDevOps Engineer
Filter by vendor
1
Phase 1 — Cloud & Container Foundations
Build the vocabulary for containers and cloud before diving into Kubernetes operations.
After this phase: You understand container images, runtimes, registries, and the cloud services that underpin managed Kubernetes clusters.
MirantisAssociateCross-vendor
Docker Certified Associate
Exam: M-DCA
Container fundamentals before Kubernetes. Image builds, networking, volumes, and multi-stage builds.
~2 mo prepPractice questions
2
Phase 2 — Kubernetes Core
The mandatory Kubernetes foundation — concepts first, then security basics.
After this phase: You can explain the Kubernetes architecture, deploy workloads, manage networking and storage, and articulate the cloud native security model.
Linux FoundationFoundationalCross-vendor
Kubernetes and Cloud Native Associate
Exam: KCNA
The entry-point to the CNCF certification path. Concept-level K8s — the most efficient way to pass the CKAD/CKA pre-work.
~1 mo prepPractice questions
Linux FoundationFoundationalCross-vendor
Kubernetes and Cloud Native Security Associate
Exam: KCSA
Security associate-level cert for K8s — RBAC, network policies, admission control, and supply chain security.
~2 mo prepPractice questions
3
Phase 3 — Infrastructure as Code & Secrets
Platform engineers provision and manage infrastructure declaratively. These are the two most-used HashiCorp tools in Kubernetes shops.
After this phase: You can provision cloud infrastructure with Terraform and manage secrets with Vault, integrated with Kubernetes.
HashiCorpFoundationalCross-vendor
HashiCorp Certified: Terraform Associate
Exam: TA-004
The standard IaC tool for provisioning the cloud infrastructure that K8s clusters run on.
~2 mo prepPractice questions
HashiCorpAssociateCross-vendor
HashiCorp Certified: Vault Associate
Exam: VA-003
Secrets injection into Kubernetes pods is a recurring platform engineering problem. Vault is the reference solution.
~2 mo prepPractice questions
HashiCorpAssociateCross-vendor
HashiCorp Certified: Consul Associate
Exam: CA-003
Service discovery and service mesh coordination. Relevant if your platform uses Consul for networking.
~2 mo prepPractice questions
4
Phase 4 — GitOps & CI/CD
GitOps has become the delivery standard for Kubernetes-based platforms.
After this phase: You can design and operate a GitOps delivery workflow with Argo CD or Flux, and automate pipelines with GitHub Actions.
Linux FoundationFoundationalCross-vendor
Certified GitOps Associate
Exam: CGOA
The CNCF GitOps cert — Argo CD, Flux, and the GitOps operating model.
~1 mo prepPractice questions
Linux FoundationFoundationalCross-vendor
Certified Argo Project Associate
Exam: CAPA
Argo CD is the most-deployed GitOps tool. CAPA goes deeper on Argo Workflows, Events, and Rollouts.
~2 mo prepPractice questions
GitHubAssociateCross-vendor
GitHub Actions
Exam: GH-200
GitHub Actions is the entry point of most cloud native delivery pipelines before they hit Argo/Flux.
~1 mo prepPractice questions
5
Phase 5 — Observability
You can't operate what you can't see. Observability is the SRE half of platform engineering.
After this phase: You can instrument services with OpenTelemetry, collect metrics with Prometheus, and correlate traces with logs.
Linux FoundationFoundationalCross-vendor
OpenTelemetry Certified Associate
Exam: OTCA
OTel is the vendor-neutral standard for distributed tracing, metrics, and logs. This is the cert for it.
~1 mo prepPractice questions
Linux FoundationFoundationalCross-vendor
Prometheus Certified Associate
Exam: PCA
Prometheus is the de-facto metrics system for Kubernetes. PCA validates the queries, alerts, and architecture.
~2 mo prepPractice questions
6
Phase 6 — Platform Specialist
Pick the specialist certs that match your platform's stack. Each of these is a distinct CNCF tool with its own cert.
After this phase: You own a deep specialty in at least one platform area — networking, policy, or service backbone.
Linux FoundationFoundationalCross-vendor
Cilium Certified Associate
Exam: CCA
Cilium has become the default CNI for Kubernetes at scale. CCA validates eBPF-based networking and network policy.
~2 mo prepPractice questions
Linux FoundationFoundationalCross-vendor
Kyverno Certified Associate
Exam: KCA
Kyverno is the leading Kubernetes policy engine. Policy-as-code for admission control and config validation.
~2 mo prepPractice questions
Linux FoundationFoundationalCross-vendor
Certified Cloud Native Platform Engineering Associate
Exam: CNPA
The broadest cloud native platform engineering cert — integrates the tools from this entire roadmap.
~3 mo prepPractice questions
Linux FoundationFoundationalCross-vendor
Certified Backstage Associate
Exam: CBA
Backstage is becoming the standard internal developer platform (IDP). CBA validates its architecture and extensibility.
~2 mo prepPractice questions
Linux FoundationFoundationalCross-vendor
FinOps Certified Practitioner
Exam: FOCP
Platform engineers increasingly own cluster cost. FinOps gives you the framework to manage it.
~1 mo prepPractice questions
Frequently Asked Questions
Which cert should I do first — KCNA or Docker?
KCNA if you understand containers already. Docker Certified Associate if you're still fuzzy on images, registries, and runtimes.
Is this roadmap relevant if I use managed Kubernetes (EKS/AKS/GKE)?
Yes — even on managed K8s you configure RBAC, networking, ingress, GitOps, and observability. The CNCF certs are vendor-neutral by design.
Do I need all the Phase 6 certs?
No — Phase 6 is a menu. Pick the two or three certs that match your current platform stack (e.g. Cilium + Kyverno if your team uses both, or CNPA if you want a breadth cert).
Related Roadmaps
⚙️
DevOps Engineer Certification Roadmap
A step-by-step path from cloud fundamentals to senior DevOps, covering AWS, Azure, GCP, Kubernetes, Terraform, and GitHub Actions.
🏛️
Cloud Architect Certification Roadmap
Become a cloud solutions architect on AWS, Azure, or GCP — with the cross-cloud and platform skills that get you to senior.
🛡️
Cloud Security Engineer Certification Roadmap
Move from general IT security into senior cloud security on AWS, Azure, or GCP — backed by vendor-neutral foundations.