Kubernetes
Kubernetes and Cloud Native Associate (KCNA) #8: Exam Tips and Common Mistakes
A condensed recap to read one more time right before you walk into the KCNA exam. We cover time management for 60 questions in 90 minutes, the question formats people most often trip over (multiple response, double negatives), pairs of easily confused concepts (Deployment vs StatefulSet, CRI vs CNI vs CSI, HPA vs VPA, and more), techniques for narrowing down the options, a compact per-domain checklist, and a final pre-exam check for online-proctored sessions.
Certified Kubernetes Administrator (CKA) #23 Troubleshooting 2: Nodes and kubelet (NotReady, disk/memory pressure)
The twenty-third post in the Certified Kubernetes Administrator (CKA) series. We follow the diagnostic flow for a node that has dropped to NotReady from start to finish. We read conditions with k describe node, SSH into the node and narrow down the cause with systemctl status kubelet and journalctl -u kubelet, and fix a stopped kubelet, a stopped runtime, a full disk, and memory pressure symptom by symptom. We also cover how to isolate a problem node with cordon and drain.
Certified Kubernetes Application Developer (CKAD) #18 Services: ClusterIP, NodePort, LoadBalancer, ExternalName
The eighteenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers the Service, the object that puts a stable entry point in front of a shifting set of Pods. We learn how selectors and labels pick Pods and how Endpoints are managed automatically, the differences between the four types ClusterIP, NodePort, LoadBalancer, and ExternalName, the distinction between port, targetPort, and nodePort, headless Services and cluster DNS, and finally debugging empty endpoints — all through YAML and kubectl.
Certified Kubernetes Security Specialist (CKS) #16 Admission control: OPA/Gatekeeper, Kyverno
The 16th post in the Certified Kubernetes Security Specialist (CKS) series. We start from how an admission controller intercepts API requests to validate and mutate them, then learn the difference between validating and mutating webhooks, OPA/Gatekeeper's ConstraintTemplate and Constraint with Rego policies, and Kyverno's YAML-based validate/mutate/generate policies through examples. We implement "no latest tag" and "trusted-registry only" in both tools, and wrap up the exam-favorite pattern of rejecting a violating manifest.
Kubernetes and Cloud Native Associate (KCNA) #7: Cloud Native Application Delivery (8%) — GitOps, CI/CD
The seventh post in the KCNA series. We cover the whole of Domain 5: the split between CI and CD and the pipeline stages, the four principles of GitOps (ArgoCD, Flux) and pull-based delivery, deployment strategies (rolling, blue-green, canary), manifest management with Helm and Kustomize, and the basics of supply chain security.
Certified Kubernetes Administrator (CKA) #22 Troubleshooting 1: Pods and Apps (Pending, CrashLoop, ImagePull, OOM)
The largest domain on the CKA exam is Troubleshooting (30%). In this post we tackle the four most common Pod-level failures within that domain. We organize Pending, CrashLoopBackOff, ImagePullBackOff/ErrImagePull, and OOMKilled each from symptom to diagnosis to fix in a single flow, and we drill the order in which to read describe, events, and logs so you reach the root cause fast.
Certified Kubernetes Application Developer (CKAD) #17 Volumes: emptyDir, PVC, projected, ephemeral
The seventeenth post in the Certified Kubernetes Application Developer (CKAD) series. Starting from the volatility of a container filesystem, it works through emptyDir and hostPath, the dynamic provisioning of PersistentVolumeClaim and StorageClass, the projected volume that bundles secret, configMap, and downwardAPI into one directory, and the generic ephemeral volume — all with hands-on YAML examples.
Certified Kubernetes Security Specialist (CKS) #15 Image signing: cosign, SBOM
The fifteenth post in the Certified Kubernetes Security Specialist (CKS) series. The only way to trust an image entering your cluster is to verify a signature that proves its origin. We walk through creating and verifying both key-based and keyless (OIDC) signatures with sigstore's cosign, generating an SBOM (SPDX/CycloneDX) with syft to track components, and closing the supply chain by blocking unsigned images at admission — all with command examples.
Kubernetes and Cloud Native Associate (KCNA) #6: Cloud Native Observability (8%) — Telemetry, Prometheus, Cost Management
The three pillars of telemetry (metrics, logs, traces), Prometheus pull-based metric collection with PromQL, Alertmanager, and Grafana, OpenTelemetry and distributed tracing, SLI/SLO/SLA and the golden signals, and FinOps cost management — a walk through KCNA Domain 4.
Certified Kubernetes Administrator (CKA) #21 Helm and Kustomize: Managing Manifests
The twenty-first post in the Certified Kubernetes Administrator (CKA) series. We learn the two tools for managing manifests — Helm and Kustomize — with a focus on operational commands. Helm covers repo add/update, install/upgrade/rollback, value injection, and template rendering; Kustomize covers the base/overlays structure, patchesStrategicMerge, configMapGenerator, and kubectl apply -k. We lay out the difference between the two (template vs. overlay) in a table and pin down the CKA exam points.
Certified Kubernetes Application Developer (CKAD) #16 Resource Management: requests/limits, QoS Class, LimitRange
The sixteenth post in the Certified Kubernetes Application Developer (CKAD) series. It nails down requests and limits — which decide how much a Pod asks for and how much it may use — right down to the units, and shows how CPU throttling and memory OOMKilled diverge. We also work through the three QoS classes and eviction priority, plus LimitRange that enforces namespace defaults and ResourceQuota that caps the total, all with YAML examples.
Certified Kubernetes Security Specialist (CKS) #14: Image scan — Trivy, Kubesec, KubeLinter
The fourteenth post in the Certified Kubernetes Security Specialist (CKS) series. We cover image vulnerability scanning, the heart of supply chain security. We compare in a table the roles of three tools: Trivy, whose image/filesystem/repo scans find CVEs embedded in a container image's OS packages and language libraries and which offers severity filtering and exit-code-based CI gates; Kubesec, which scores a manifest's securityContext settings; and KubeLinter, which statically analyzes manifests to catch anti-patterns. We also walk through, with command examples, the exam staple of finding and replacing an image that has a vulnerability of a given severity.