Kubernetes
Certified Kubernetes Application Developer (CKAD) #9 Helm: install, upgrade, rollback, values
The ninth post in the Certified Kubernetes Application Developer (CKAD) series. We organize Helm's chart structure and the release concept that lets you treat a bundle of manifests as a single package, then drill helm repo, install, upgrade, rollback, and values overrides hands-on, command by command. We type through the full flow of previewing results with dry-run and reverting with history.
Certified Kubernetes Security Specialist (CKS) #7: seccomp Profiles
The seventh post in the Certified Kubernetes Security Specialist (CKS) series. We cover how to use seccomp to filter the system calls a container can make. We work directly through the three profile types — RuntimeDefault, Localhost, and Unconfined — the securityContext.seccompProfile setting, and writing and verifying a custom profile JSON loaded onto the node.
Certified Kubernetes Administrator (CKA) #13 Scheduling 1: nodeSelector, nodeAffinity, podAffinity/antiAffinity
The thirteenth post in the Certified Kubernetes Administrator (CKA) series. We lay out the four tools that control which node the scheduler places a Pod on. nodeSelector does simple label matching, nodeAffinity expresses node conditions with required and preferred, and podAffinity/podAntiAffinity use topologyKey to place a Pod on the same node as — or a different node from — other Pods. We also look at manual placement that bypasses the scheduler with nodeName.
Certified Kubernetes Application Developer (CKAD) #8 Deployment Strategies: Blue-green, Canary
The eighth post in the Certified Kubernetes Application Developer (CKAD) series. Implement zero-downtime deployment strategies by hand with nothing but Deployment, Service, and labels — no managed deployment tooling. We review rolling update and recreate, build instant cutover and rollback with blue-green, and implement traffic splitting through replicas ratios with canary.
Certified Kubernetes Security Specialist (CKS) #6: AppArmor profiles (System Hardening)
The sixth post in the Certified Kubernetes Security Specialist (CKS) series. We cover how to restrict a container's file and capability access at the kernel level with AppArmor, the Linux MAC. We work through the difference between enforce and complain modes, writing a profile with deny rules, loading it onto a node with apparmor_parser and confirming with aa-status, the two ways of attaching it to a Pod (1.30+ securityContext.appArmorProfile and the older annotation), and verifying with exec that the profile actually blocks.
Certified Kubernetes Administrator (CKA) #12 ConfigMap and Secret in Depth
The twelfth post in the Certified Kubernetes Administrator (CKA) series. We dig into ConfigMap and Secret from an operator's point of view: the three sources of kubectl create (--from-literal, --from-file, --from-env-file), Secret types (generic/docker-registry/tls) and the fact that base64 is not encryption, the injection methods of env valueFrom, envFrom, volume mount, and subPath, the difference in auto-refresh between env and volume, and how immutable buys you both performance and safety — all laid out with YAML and kubectl.
Certified Kubernetes Application Developer (CKAD) #7 Workloads 3: Job, CronJob (Backoff, Concurrency)
The seventh post in the Certified Kubernetes Application Developer (CKAD) series. It covers Job, which handles run-once batch work, and CronJob, which runs that work on a schedule, from a hands-on exam perspective. We will build completions, parallelism, backoffLimit, activeDeadlineSeconds, restartPolicy, and ttlSecondsAfterFinished, along with CronJob's schedule, concurrencyPolicy, startingDeadlineSeconds, and suspend, directly with YAML and kubectl.
Certified Kubernetes Security Specialist (CKS) #5: ServiceAccount token management, restricting API access, cluster upgrades
The fifth post in the Certified Kubernetes Security Specialist (CKS) series. It covers ServiceAccount token management, a frequent topic in the Cluster Hardening domain. We work through setting automountServiceAccountToken to false to block unnecessary token mounts, the expiration and audience of bound ServiceAccount tokens, and the difference between legacy Secret tokens and projected tokens. Then we shrink the API access surface by disabling anonymous-auth and protecting the kubelet API, and finish with cluster upgrades for applying security patches.
Certified Kubernetes Administrator (CKA) #11 Workloads 2: DaemonSet, StatefulSet, Job, CronJob
The eleventh post in the Certified Kubernetes Administrator (CKA) series. We organize the four workloads that Deployment can't cover: the DaemonSet that runs exactly one Pod per node, the StatefulSet with stable IDs, ordering, a headless Service, and volumeClaimTemplates, the Job that runs toward completion, and the CronJob that stamps out Jobs on a schedule — all drilled hands-on with YAML and kubectl.
Certified Kubernetes Application Developer (CKAD) #6 Workloads 2: DaemonSet, StatefulSet
The sixth post in the Certified Kubernetes Application Developer (CKAD) series. It covers the workload controllers beyond Deployment — DaemonSet and StatefulSet — from a hands-on perspective. We will build the DaemonSet that places one Pod on every node, and the StatefulSet that needs a stable network ID and ordering guarantees, in YAML all the way down to the headless Service and volumeClaimTemplates.
Certified Kubernetes Security Specialist (CKS) #4: RBAC least privilege in depth (Cluster Hardening)
The fourth post in the Certified Kubernetes Security Specialist (CKS) series. On top of the RBAC you learned in CKA, we layer the principle of least privilege and go deep, from a security angle, on how to find and narrow Roles that are too broad. We cover the danger of wildcard verb/resource, removing default ServiceAccount permissions, cutting ClusterRoleBinding overuse down with RoleBinding, the gotchas of aggregated ClusterRole, identifying dangerous permissions like secrets get, pods/exec, escalate, bind, and impersonate, and the flow of verifying narrowed permissions with kubectl auth can-i --as.
Certified Kubernetes Administrator (CKA) #10 Workloads 1: Deployment in Depth, ReplicaSet, Rolling Update and Rollback
The tenth post in the Certified Kubernetes Administrator (CKA) series. We look deep into the Deployment, the workload an operator handles most often. We walk through the Deployment→ReplicaSet→Pod hierarchy and the label selector that binds them, how to create and scale with kubectl, the conditions under which the rollingUpdate strategy (maxSurge/maxUnavailable) guarantees a zero-downtime update, and the rollback that lets you track versions and revert with kubectl rollout — all drilled until they are second nature.