Infrastructure
AWS Certified Solutions Architect - Associate (SAA-C03) #12 Domain 3-4 High-Performing Architectures — Choosing a DB
The final post of the SAA-C03 high-performing domain. It covers the decisive difference between RDS's Multi-AZ (high availability) and read replicas (read scaling), cloud-native Aurora (auto storage scaling, Global, Serverless), NoSQL DynamoDB (capacity modes, global tables, DAX), Redshift for analytics, and the criteria for choosing a database by workload.
Certified Kubernetes Administrator (CKA) #10 Workloads 1: Deployment in Depth, ReplicaSet, Rolling Update and Rollback
The tenth post in the Certified Kubernetes Administrator (CKA) series. We look deep into the Deployment, the workload an operator handles most often. We walk through the Deployment→ReplicaSet→Pod hierarchy and the label selector that binds them, how to create and scale with kubectl, the conditions under which the rollingUpdate strategy (maxSurge/maxUnavailable) guarantees a zero-downtime update, and the rollback that lets you track versions and revert with kubectl rollout — all drilled until they are second nature.
Certified Kubernetes Application Developer (CKAD) #5 Workloads 1: Deployment, ReplicaSet, Rolling Update, and Rollback
The fifth post in the Certified Kubernetes Application Developer (CKAD) series. We create a Deployment imperatively—the heart of app delivery—and lay out the relationship and scaling of Deployment, ReplicaSet, and Pod. We will get hands-on with the meaning of rollingUpdate's maxSurge and maxUnavailable, the flow of shipping a new version with kubectl set image, and the rollback scenario of tracking state with kubectl rollout and reverting a failed version with undo.
Certified Kubernetes Security Specialist (CKS) #3: CIS benchmark (kube-bench), component security, Ingress TLS, binary verification
The third post in the Certified Kubernetes Security Specialist (CKS) series. It covers the remaining half of the Cluster Setup domain — hardening the cluster itself. We get hands-on, with commands and manifests, on what the CIS Kubernetes benchmark is, how to inspect the control plane and nodes with kube-bench and read the PASS/FAIL/WARN results and apply remediation, the procedure for changing dangerous apiserver and kubelet flags to safe values, how to attach TLS to an Ingress, and the flow for verifying a downloaded binary with sha256sum.
Red Hat Certified Engineer (RHCE) #2 Inventory: static, dynamic, group/host_vars
The second post in the Red Hat Certified Engineer (RHCE) series. We work through the inventory that defines what Ansible operates on — static inventory in both INI and YAML form, groups and groups of groups (children), range notation, and the directory layout that splits variables into group_vars and host_vars. We also cover how to verify with ansible-inventory, the concept of dynamic inventory, and the task patterns that show up again and again on the exam.
AWS Certified Solutions Architect - Associate (SAA-C03) #11 Domain 3-3 High-Performing Architectures — Choosing Storage
The third post of the SAA-C03 high-performing domain. It covers the distinction between block (EBS), file (EFS, FSx), and object (S3) storage, EBS volume types (gp3, io2, st1, sc1) and selection criteria, the use cases for EFS and FSx (Windows File Server, Lustre), and how to optimize cost with S3 storage classes (Standard, Intelligent-Tiering, IA, Glacier family) and lifecycle policies.
Certified Kubernetes Administrator (CKA) #9 RBAC: Role/ClusterRole, RoleBinding, ServiceAccount, kubectl auth can-i
The ninth post in the Certified Kubernetes Administrator (CKA) series. We dig deep into RBAC — what decides who can do what — from an operator's perspective. We'll cover the combination rules of Role and ClusterRole, RoleBinding and ClusterRoleBinding, the structure of subjects (User/Group/ServiceAccount) and rules (apiGroups/resources/verbs), how to build them fast with kubectl create, how to verify permissions with kubectl auth can-i and --as, and the flow of wiring the user we created in [#8](/en/posts/cka-8) into RBAC.
Certified Kubernetes Application Developer (CKAD) #4 Container Images: Dockerfile, Multi-stage, and Building from Scratch on the Exam
The fourth post in the Certified Kubernetes Application Developer (CKAD) series. Some CKAD tasks require the full flow of building an image yourself, pushing it to a registry, and running it in a Pod. This post walks through the basic Dockerfile instructions and layer cache, how multi-stage builds slim an image down, the build/tag/push procedure with podman and buildah, the imagePullPolicy and the latest-tag trap, and the rules that map command/args onto ENTRYPOINT/CMD — all from a hands-on exam angle.
Certified Kubernetes Security Specialist (CKS) #2: NetworkPolicy in depth — default deny, ingress/egress (Cluster Setup)
The second post in the Certified Kubernetes Security Specialist (CKS) series. We cover network isolation, the heart of the Cluster Setup domain — from the all-allow default behavior when no NetworkPolicy exists, to the default deny pattern that blocks everything with podSelector and policyTypes, restricting ingress and egress separately, the trap where default deny egress breaks DNS and how to allow port 53, and the AND vs OR trap when combining namespaceSelector and podSelector. We build and verify it all firsthand with YAML and kubectl.
Red Hat Certified Engineer (RHCE) #1: Exam Overview — the environment, time management, ansible-navigator vs ansible-playbook
The opening post of the Red Hat Certified Engineer (RHCE) series. Assuming you already hold RHCSA, we lay out the format and domains of the EX294 hands-on exam, the 210/300 passing score and 4-hour testing environment, the nature of the exam as Ansible automation, and the ansible-navigator vs ansible-playbook execution styles. This 19-part series targets an RHCE pass, wrapping up with a full-scale mock exam in #19.
AWS Certified Solutions Architect - Associate (SAA-C03) #10 Domain 3-2 High-Performing Architectures — Caching
The second post of the SAA-C03 high-performing domain. It covers the difference between ElastiCache's Redis and Memcached, DAX for accelerating DynamoDB, CloudFront for caching content close to users (edge, OAC, signed URLs), cache strategies (lazy loading, write-through), and storing sessions externally for stateless design.
Certified Kubernetes Administrator (CKA) #8 Certificate Management: PKI, kubeconfig, Certificate Renewal
The eighth post in the Certified Kubernetes Administrator (CKA) series. We cover the TLS certificates that underpin every bit of communication in the cluster: the PKI structure under /etc/kubernetes/pki and who trusts whom, the clusters/users/contexts layout of kubeconfig, the procedure for checking expiration with kubeadm certs check-expiration and renewing with kubeadm certs renew all, and the flow for issuing user certificates with a CertificateSigningRequest — all of it drilled into your hands.