Kubernetes
Certified Kubernetes Application Developer (CKAD) #5 Workloads 1: Deployment, ReplicaSet, Rolling Update, and Rollback
The fifth post in the Certified Kubernetes Application Developer (CKAD) series. We imperatively create a Deployment, the heart of app delivery, and lay out how Deployment, ReplicaSet, and Pod relate and scale. We will get hands-on with the meaning of rollingUpdate's maxSurge and maxUnavailable, the flow of shipping a new version with kubectl set image, and the rollback scenario of tracking state with kubectl rollout and reverting a failed version with undo.
Certified Kubernetes Security Specialist (CKS) #3: CIS benchmark (kube-bench), component security, Ingress TLS, binary verification
The third post in the Certified Kubernetes Security Specialist (CKS) series. It covers the remaining half of the Cluster Setup domain — hardening the cluster itself. We get hands-on, with commands and manifests, on what the CIS Kubernetes benchmark is, how to inspect the control plane and nodes with kube-bench and read the PASS/FAIL/WARN results and apply remediation, the procedure for changing dangerous apiserver and kubelet flags to safe values, how to attach TLS to an Ingress, and the flow for verifying a downloaded binary with sha256sum.
Certified Kubernetes Administrator (CKA) #9 RBAC: Role/ClusterRole, RoleBinding, ServiceAccount, kubectl auth can-i
The ninth post in the Certified Kubernetes Administrator (CKA) series. We dig deep into RBAC — what decides who can do what — from an operator's perspective. We'll cover the combination rules of Role and ClusterRole, RoleBinding and ClusterRoleBinding, the structure of subjects (User/Group/ServiceAccount) and rules (apiGroups/resources/verbs), how to build them fast with kubectl create, how to verify permissions with kubectl auth can-i and --as, and the flow of wiring the user we created in [#8](/en/posts/cka-8) into RBAC.
Certified Kubernetes Application Developer (CKAD) #4 Container Images: Dockerfile, Multi-stage, and Building from Scratch on the Exam
The fourth post in the Certified Kubernetes Application Developer (CKAD) series. Some CKAD tasks require the full flow of building an image yourself, pushing it to a registry, and running it in a Pod. This post walks through the basic Dockerfile instructions and layer cache, how multi-stage builds slim an image down, the build/tag/push procedure with podman and buildah, the imagePullPolicy and the latest-tag trap, and the rules that map command/args onto ENTRYPOINT/CMD — all from a hands-on exam angle.
Certified Kubernetes Security Specialist (CKS) #2: NetworkPolicy in depth — default deny, ingress/egress (Cluster Setup)
The second post in the Certified Kubernetes Security Specialist (CKS) series. We cover network isolation, the heart of the Cluster Setup domain — from the all-allow default behavior when no NetworkPolicy exists, to the default deny pattern that blocks everything with podSelector and policyTypes, restricting ingress and egress separately, the trap where default deny egress breaks DNS and how to allow port 53, and the AND vs OR trap when combining namespaceSelector and podSelector. We build and verify it all firsthand with YAML and kubectl.
Certified Kubernetes Administrator (CKA) #8 Certificate Management: PKI, kubeconfig, Certificate Renewal
The eighth post in the Certified Kubernetes Administrator (CKA) series. We cover the TLS certificates that underpin every bit of communication in the cluster: the PKI structure under /etc/kubernetes/pki and who trusts whom, the clusters/users/contexts layout of kubeconfig, the procedure for checking expiration with kubeadm certs check-expiration and renewing with kubeadm certs renew all, and the flow for issuing user certificates with a CertificateSigningRequest, all practiced hands-on.
Certified Kubernetes Application Developer (CKAD) #3 Multi-container Patterns: Init container, sidecar, ambassador, adapter
The third post in the Certified Kubernetes Application Developer (CKAD) series. It covers the collaboration patterns that arise when a single Pod holds multiple containers. We will build, with kubectl commands and YAML examples, the init container that guarantees sequential execution, the sidecar that runs alongside the main container, the ambassador that abstracts outbound connections, and the adapter that standardizes output format. It also covers emptyDir volume sharing and shared process namespace from a hands-on exam perspective.
Certified Kubernetes Security Specialist (CKS) #1: The Exam Environment — CKA prerequisite, tools, time management
The opening post of the Certified Kubernetes Security Specialist (CKS) series. We lay out the structure of the 2-hour hands-on security exam that assumes you already hold CKA, the weight of the six domains, the 67% passing line, and the testing environment — then map out the big picture of the security tools the exam covers (kube-bench, AppArmor, seccomp, OPA/Gatekeeper, Falco, Trivy, cosign) and a strategy for using the docs. This 20-part series targets a CKS pass, wrapping up with a hands-on mock exam in #20.
Certified Kubernetes Administrator (CKA) #7: etcd Backup and Restore — etcdctl snapshot save/restore
The seventh post in the Certified Kubernetes Administrator (CKA) series. It lays out the procedure for backing up and restoring etcd — which holds the entire state of your cluster — with etcdctl. You will practice the flow hands-on: find the data-dir and certificate paths in the static Pod manifest, take a snapshot with snapshot save, restore it to a new data-dir with snapshot restore, and then bring etcd back up.
Certified Kubernetes Application Developer (CKAD) #2 Pod and Container Lifecycle — Restart Policy and Container States
The second post in the Certified Kubernetes Application Developer (CKAD) series. We build it all by hand: the Pod lifecycle (Pending, Running, Succeeded, Failed, Unknown) and how restartPolicy (Always, OnFailure, Never) shapes workload behavior, container states (Waiting, Running, Terminated) and reasons like CrashLoopBackOff, ImagePullBackOff, and OOMKilled, how to read exit codes, and the troubleshooting sequence the exam loves to test.
Certified Kubernetes Administrator (CKA) #6 Cluster Upgrade: kubeadm upgrade plan/apply, Per-node drain
The sixth post in the Certified Kubernetes Administrator (CKA) series. We lay out the standard procedure for bumping a kubeadm cluster up one minor version, in order from the control plane to the worker nodes. We drill kubeadm upgrade plan/apply, swapping the kubelet and kubectl packages, per-node drain and uncordon, and the traps people miss most often in the exam.
Certified Kubernetes Application Developer (CKAD) #1: The Exam Environment — Mastering kubectl, dry-run, and generators
The opening post of the Certified Kubernetes Application Developer (CKAD) series. We map out the structure of the 2-hour hands-on exam, the weight of the five domains, the passing line, and the testing environment — then drill the kubectl setup (alias, dry-run, generators, vim config) that decides how your exam time runs. This 21-part series targets a CKAD pass, wrapping up with a full-scale mock exam in #21.