You Can Pass This Exam For Free
Choose Your Study Path
Limited Kubernetes or cloud native experience. You need to build foundational knowledge of cloud native concepts, Kubernetes, and the CNCF ecosystem before tackling platform engineering specifics.
Exam Overview
Format
60 multiple-choice questions, 120 minutes. Online proctored exam delivered through PSI. Closed-book with no external resources allowed.
Scoring
Percentage-based scoring. Passing: 75%. No penalty for wrong answers — always answer every question. Score report provided immediately after exam.
Domains & Weights
- Platform Engineering Core Fundamentals36%
- Platform Observability, Security, and Conformance20%
- Continuous Delivery and Platform Engineering16%
- Platform APIs and Provisioning Infrastructure12%
- IDPs and Developer Experience8%
- Measuring your Platform8%
Registration
$250 USD. Register at training.linuxfoundation.org. Exam fee is $250 USD. Certification is valid for 2 years and includes one free retake. A Linux Foundation account is required.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Platform Engineering Core Fundamentals
The largest domain at 36% of the exam. Covers the foundational concepts: declarative resource management, DevOps practices, application environments, platform architecture, and the full CI/CD and GitOps lifecycle. This is the theoretical foundation that all other domains build on.
Key Topics
Must-Know Concepts
- Declarative vs imperative resource management: declarative defines desired state in files; imperative issues commands. Kubernetes is declarative — you apply YAML manifests
- The four OpenGitOps principles: declarative, versioned and immutable, pulled automatically, and continuously reconciled
- DevOps as both cultural and technical practices: breaking silos between dev and ops, shared responsibility for reliability, fast feedback loops
- Platform engineering as the discipline of building self-service platforms (IDPs) that enable developers to be productive without deep infrastructure knowledge
- Application environments: development, staging/pre-production, and production environments and the promotion patterns between them
- Continuous Integration: automated build, test, lint, scan, and artifact creation on every commit. Fast feedback for developers
- Continuous Delivery: automated deployment pipeline that can deploy to production at any time. Every commit should be deployable
- Continuous Deployment: every commit that passes CI is automatically deployed to production without manual approval (a subset of organizations practice this)
- GitOps workflow: developer commits to Git > CI pipeline builds and tests > GitOps operator detects change > reconciles cluster to new desired state
- Push vs pull deployment models and why pull-based (GitOps) provides better security, auditability, and drift prevention
Common Exam Traps
Platform Observability, Security, and Conformance
The second-largest domain at 20%. Covers the three pillars of observability (metrics, logs, traces), SLI/SLO/SLA frameworks, Kubernetes security (RBAC, pod security, network policies), mTLS and service meshes, and policy engines for conformance enforcement.
Key Topics
Must-Know Concepts
- Three pillars of observability: metrics (quantitative measurements), logs (discrete events), and traces (distributed request paths)
- SLI: the specific metric measured (e.g., request latency p99). SLO: the reliability target for that SLI (e.g., p99 < 200ms, 99.9% of the time). SLA: the contractual commitment, typically looser than the SLO
- Error budget: the acceptable amount of unreliability implied by an SLO. If SLO is 99.9%, the error budget is 0.1% — the budget guides release velocity decisions
- Prometheus: pull-based metrics collection, PromQL for queries, Alertmanager for routing alerts, PodMonitor/ServiceMonitor CRDs for Kubernetes scrape configuration
- Kubernetes RBAC: Roles and ClusterRoles define permissions, RoleBindings and ClusterRoleBindings assign them to subjects (users, groups, service accounts). Principle of least privilege
- Network Policies: Kubernetes objects that define allowed ingress and egress traffic for pods. By default, all traffic is allowed; network policies add restrictions
- Pod Security Standards: Privileged, Baseline, and Restricted pod security profiles enforced via Pod Security Admission controller in modern Kubernetes
- mTLS (mutual TLS): both client and server authenticate each other and encrypt communication. Service meshes (Istio, Linkerd) implement mTLS transparently for all service-to-service communication
- Admission webhooks: Kubernetes API intercept points that validate or mutate resources before persistence. Mutating webhooks run before validating webhooks
- Policy engines: OPA/Gatekeeper (Rego-based) and Kyverno (YAML-based) enforce organizational policies via admission webhooks. Both support audit and enforce modes
Common Exam Traps
Continuous Delivery and Platform Engineering
This domain covers CI pipeline architecture, advanced GitOps workflows, incident response practices, and how continuous delivery integrates with platform engineering. Expect questions on pipeline stages, deployment strategies, and GitOps branching models.
Key Topics
Must-Know Concepts
- CI pipeline stages in cloud native: code commit > trigger > checkout > lint > unit test > build container image > scan image for vulnerabilities > push to registry > update GitOps manifests
- Deployment strategies: rolling update (gradual pod replacement), blue-green (two identical environments, switch traffic), canary (route small % traffic to new version, gradually increase)
- GitOps branching models: environment-per-branch (main=prod, staging branch, dev branch) vs directory-based (one branch, environments in subdirectories)
- Progressive delivery: combining canary deployments with automated analysis to automatically promote or rollback based on metrics (Argo Rollouts supports this)
- Incident response in platform engineering: alert triggers > on-call paged > triage (impact, scope) > communicate status > mitigate (rollback, scale, fix) > post-incident review > action items
- GitOps-based incident response: rollback by reverting the Git commit — the GitOps operator automatically restores the previous state
- Supply chain security in CI: image signing (cosign/Sigstore), SBOM generation, vulnerability scanning with Trivy or Grype, SLSA levels for build provenance
- Separation of concerns: CI is responsible for producing a validated artifact (container image); CD/GitOps is responsible for deploying it. They should not overlap
Common Exam Traps
Platform APIs and Provisioning Infrastructure
This domain covers how platforms expose APIs through Kubernetes extension mechanisms — CRDs, custom controllers, operators — and how infrastructure is provisioned through cloud native tooling like Crossplane and Terraform. The focus is on infrastructure-as-code in a Kubernetes-native context.
Key Topics
Must-Know Concepts
- CRD lifecycle: define schema in YAML > apply to cluster > Kubernetes API server accepts instances > custom controller watches and acts on instances
- The operator pattern: a software extension that uses CRDs and a custom controller to manage the complete lifecycle of a complex application (install, configure, backup, upgrade, recover)
- Reconciliation loop: watch for changes > observe current state > compare to desired state > take actions to reconcile > repeat continuously
- Infrastructure provisioning approaches: declarative (Terraform, Crossplane) vs imperative (scripts, manual). Platform teams should use declarative for reproducibility
- Crossplane architecture: providers (connect to cloud APIs), managed resources (map to cloud resources like RDS instances), composite resources (abstract multiple managed resources), and compositions (templates for composite resources)
- The difference between infrastructure provisioning (creating the resource) and infrastructure configuration (managing settings after creation) — both should be handled declaratively
- Kubernetes API groups and versioning: how API resources are organized (apiVersion: apps/v1, batch/v1, etc.) and why versioning matters for CRD stability
- Webhook admission patterns: how mutating and validating webhooks extend the Kubernetes API admission chain for platform governance
Common Exam Traps
IDPs and Developer Experience
This domain covers Internal Developer Platforms — how platform teams build self-service environments that improve developer productivity. Topics include service catalogs, developer portals (Backstage), golden paths, and how AI/ML automation is emerging in platform tooling.
Key Topics
Must-Know Concepts
- Platform engineering goal: reduce cognitive load on developers by providing self-service, paved roads, and golden paths for common tasks
- Golden paths: the recommended, pre-built, opinionated workflows that platform teams provide for common developer tasks (create a service, provision a database, set up CI). Golden paths, not golden cages — developers can deviate but it costs more
- Backstage core components: Software Catalog (register and discover all services, APIs, teams), Software Templates (scaffolding for new services), TechDocs (documentation as code), and the Plugin ecosystem
- Service catalog: a registry of all software components, services, APIs, and resources in the organization. Enables discoverability, ownership tracking, and dependency mapping
- Developer portals vs IDPs: the portal (Backstage) is the UI layer; the IDP is the entire platform. The portal surfaces capabilities the IDP provides
- Self-service provisioning: developers should be able to create standard resources (namespaces, databases, CI pipelines) without filing tickets or waiting for ops teams
- AI/ML in platform tooling: AI-assisted code review, AI-generated runbooks, ML-based anomaly detection in observability, and LLM-powered developer assistants integrated into portals
Common Exam Traps
Measuring your Platform
The smallest domain at 8%. Covers how platform engineering teams measure the effectiveness and efficiency of their platforms using DORA metrics, developer experience metrics, and platform-specific KPIs. Understanding what to measure and why is key.
Key Topics
Must-Know Concepts
- DORA four key metrics: Deployment Frequency, Lead Time for Changes, Change Failure Rate, and Mean Time to Restore (MTTR)
- DORA performance buckets: Elite performers have deployment frequency multiple times per day, lead time under one hour, change failure rate < 5%, MTTR under one hour
- Deployment Frequency: how often code is deployed to production. Higher frequency (with stability) indicates mature delivery pipeline
- Lead Time for Changes: time from code commit to running in production. Measures the efficiency of the entire delivery pipeline
- Change Failure Rate: percentage of deployments that cause an incident or require rollback. Measures deployment quality
- MTTR (Mean Time to Restore): average time to restore service after a production incident. Measures platform resilience and incident response effectiveness
- Platform adoption metrics: golden path adoption rate, developer portal active users, self-service request volume, ticket volume reduction
- Developer experience (DevEx) metrics: developer satisfaction scores (surveys), onboarding time for new developers, time to first deployment, cognitive load measures
- Relationship between DORA metrics: teams should aim to improve ALL four simultaneously. High deployment frequency with high change failure rate is not mature — stability matters as much as speed
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.