Infrastructure
AWS Certified Developer - Associate (DVA-C02) #8 Domain 2-2 Security — Encryption and Secrets
The second post of the DVA-C02 security domain. It covers KMS key types and envelope encryption, at-rest and in-transit encryption, S3 server-side encryption options (SSE-S3, SSE-KMS, SSE-C) and Lambda environment variable encryption, and the difference between Secrets Manager and Parameter Store (automatic rotation, cost, hierarchy), all at the exam level. The core theme is keeping secrets out of code.
Certified Kubernetes Administrator (CKA) #17 Storage 2: StorageClass, Dynamic Provisioning, Reclaim Policy, Expansion
The 17th post in the Certified Kubernetes Administrator (CKA) series. We configure dynamic provisioning with a StorageClass so that creating just a PVC makes a PV appear automatically, and sort out the difference between the default StorageClass and volumeBindingMode. We also confirm with YAML how reclaimPolicy (Delete/Retain) treats data when a PV is removed, and how allowVolumeExpansion grows a volume.
Certified Kubernetes Application Developer (CKAD) #12 Observability: logging, kubectl debug, port-forward, ephemeral container
The twelfth post in the Certified Kubernetes Application Developer (CKAD) series. A hands-on tour of the observability tools you reach for when an app misbehaves. Follow logs with kubectl logs, read state with describe and events, get inside with exec and port-forward, and debug even shell-less containers with the ephemeral container of kubectl debug — building the muscle memory for the whole flow.
Certified Kubernetes Security Specialist (CKS) #10 Secrets Management: etcd Encryption, External Secrets
The tenth post in the Certified Kubernetes Security Specialist (CKS) series. Starting from the fact that a Kubernetes Secret is stored in etcd as base64 only — which is not encryption — we walk through encrypting secrets at rest with an EncryptionConfiguration, wiring it to the apiserver flags, re-encrypting existing Secrets, and checking for plaintext with etcdctl. We then tie in the big picture of integrating an external secret store via the External Secrets Operator and KMS, plus minimizing Secret-access RBAC, so you get hands-on with the exam staple of enabling etcd encryption.
Kubernetes and Cloud Native Associate (KCNA) #1: Exam Introduction — Structure and Study Strategy
The opening post of the Kubernetes and Cloud Native Associate (KCNA) series. The shape of 60 questions, 90 minutes, and a 75% passing line; the weight and meaning of the five domains; registration and the online-proctored testing environment; and the study strategy that turns the intuition built in the [K8s hands-on track](/en/posts/k8s-basics-1) into multiple-choice answers. This series targets a KCNA pass in nine posts, wrapping up with a mock multiple-choice exam in #9.
Red Hat Certified Engineer (RHCE) #9 Tags and conditionals: when, loop, until
The ninth post in the Red Hat Certified Engineer (RHCE) series. We organize the core tools that control the flow of a playbook — conditional execution with when, iteration with loop, retries with until, and partial runs with tags. We learn the exam-staple patterns hands-on: branching by OS, bulk-creating a user list, retrying while waiting for a service to come up, and using tags to run only the tasks you need.
Red Hat Certified System Administrator (RHCSA) #6: Local Storage 2 — LVM Expansion and LUKS Encryption
The sixth post in the Red Hat Certified System Administrator (RHCSA) series. We add a PV to a volume group and grow it with vgextend, enlarge the logical volume with lvextend, then extend the file system itself with xfs_growfs and resize2fs — and we build a LUKS-encrypted volume with cryptsetup, setting it up to unlock automatically at boot through crypttab and fstab. We also cover exam staples like XFS being impossible to shrink.
AWS Certified CloudOps Engineer - Associate (SOA-C03) #1 Exam Introduction — Exam Structure and Study Roadmap
The first post in the AWS Certified CloudOps Engineer - Associate (SOA-C03) series. It covers the rename from SysOps Administrator to CloudOps Engineer, the 65-question / 130-minute / 720-point structure, the weight of the five domains (Monitoring 22%, Reliability 22%, Deployment Automation 22%, Networking 18%, Security 16%), and a study strategy that turns the hands-on experience from the [AWS practical track](/en/posts/aws-basics-1-account-region-az), [SAA-C03](/en/posts/aws-saa-1), and [DVA-C02](/en/posts/aws-dva-1) into operational judgment. This 15-part series is designed to help you pass SOA-C03, and it ends with a full-scale mock exam in #15.
AWS Certified Developer - Associate (DVA-C02) #7 Domain 2-1 Security — Authentication and Authorization
The first post of the DVA-C02 security domain. From a developer's perspective, it revisits IAM Roles (instance profile, ECS task role, Lambda execution role), STS temporary credentials and AssumeRole/federation, and the division of roles between a Cognito User Pool (authentication) and an Identity Pool (temporary AWS credentials), all at the exam level. The security domain is the second-largest at 26%.
Certified Kubernetes Administrator (CKA) #16 Storage 1: Volume Types, PV, PVC, and Static Provisioning
The sixteenth post in the Certified Kubernetes Administrator (CKA) series. From Volume types (emptyDir, hostPath, configMap/secret, PVC) to a PersistentVolume's capacity and accessModes, persistentVolumeReclaimPolicy, the request and binding rules of a PersistentVolumeClaim, and the static provisioning where an admin creates PVs ahead of time — all walked through with YAML examples.
Certified Kubernetes Application Developer (CKAD) #11 Probes: liveness, readiness, startup (exec/HTTP/TCP)
Part 11 of the Certified Kubernetes Application Developer (CKAD) series. Learn the three probes (liveness, readiness, startup) and the three handlers (exec, httpGet, tcpSocket) that Kubernetes uses to check whether a container is alive and ready to take traffic — through YAML examples — and nail down the liveness-vs-readiness distinction that trips people up most often on the exam.
Certified Kubernetes Security Specialist (CKS) #9: Pod Security Admission (PSA, Pod Security Standards)
The ninth post in the Certified Kubernetes Security Specialist (CKS) series. It covers how Pod Security Admission — the replacement for the retired PodSecurityPolicy — rejects dangerous Pods at the namespace level. We work through the three levels of the Pod Security Standards (privileged, baseline, restricted) and the three modes (enforce, audit, warn), applying them with namespace labels, the security settings restricted demands, and how to write a Pod that passes — all from an exam point of view.