All posts

Certified Kubernetes Security Specialist (CKS) #14: Image scan — Trivy, Kubesec, KubeLinter
9 min read

The fourteenth post in the Certified Kubernetes Security Specialist (CKS) series. It covers image vulnerability scanning, the heart of supply chain security. A table contrasts the three tools: Trivy, whose image, filesystem and repository scans find the CVEs embedded in a container image's OS packages and language libraries, and whose severity filter and exit code turn a scan into a CI gate; Kubesec, which scores a manifest's securityContext settings; and KubeLinter, which statically analyzes manifests to catch anti-patterns. The post then walks through, with command examples, the exam staple of finding the image that carries a vulnerability of a given severity and replacing it.
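As an added worked example (not code from the post, the series, or Trivy itself): a small Python gate that applies the same severity filter and exit-code logic as `trivy image --severity HIGH,CRITICAL [--ignore-unfixed] --exit-code 1 IMAGE`, but to a report saved with `trivy image --format json -o report.json IMAGE`. The report embedded below is constructed; its image name, package versions and CVE identifiers are placeholders, and only the `Results[].Vulnerabilities[]` fields the script reads are assumed to match Trivy's JSON schema.

```python
"""CI gate over a Trivy JSON report: exit 1 when findings of the chosen severities remain."""
import json
import sys

# Constructed sample in the shape of `trivy image --format json` output, trimmed to the fields
# used here. Image name, versions and the CVE IDs are placeholders, not real advisories.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.com/app:1.0",
    "Results": [
        {
            "Target": "registry.example.com/app:1.0 (alpine 3.18.4)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.1.3-r0", "FixedVersion": "3.1.4-r0", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.36.1-r2", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r1", "FixedVersion": "1.3-r0", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash",
                 "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "HIGH"},
            ],
        },
    ],
}


def findings(report, severities=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Flatten Results[].Vulnerabilities[] and keep entries whose Severity is in `severities`.

    Trivy omits the Vulnerabilities key for clean targets (hence `or []`). With
    ignore_unfixed=True, entries with an empty FixedVersion are dropped, like --ignore-unfixed.
    """
    wanted = {s.upper() for s in severities}
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if severity not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            out.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": severity,
            })
    return out


def severity_counts(report):
    """Per-severity totals over the whole report, useful for the CI job summary."""
    counts = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report, severities=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Return the exit code the CI step should use: 1 if any filtered finding remains, else 0."""
    hits = findings(report, severities, ignore_unfixed)
    for h in hits:
        fix = f"fix in {h['fixed']}" if h["fixed"] else "no fix available"
        print(f"{h['severity']:<8} {h['id']:<16} {h['pkg']} {h['installed']} ({fix}) [{h['target']}]")
    print(f"{len(hits)} finding(s) at {','.join(severities)}; totals: {severity_counts(report)}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    report = SAMPLE_REPORT if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    sys.exit(gate(report))
```

Note the caveat the sample is built to show: with `ignore_unfixed=True` and a CRITICAL-only filter the gate passes, because the only CRITICAL finding has no fixed version. `--ignore-unfixed` keeps CI green on things you cannot patch today, but it also hides them, so the summary line still prints the full per-severity totals.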

Kubernetes and Cloud Native Associate (KCNA) #5: Cloud Native Architecture (16%) — Autoscaling, Serverless, Community, Open Standards
13 min read

The fifth post in the KCNA series. It walks through cloud native design philosophy (the CNCF definition, self-healing, resilience), autoscaling (HPA, VPA, Cluster Autoscaler, KEDA), serverless (Knative, FaaS), the CNCF community and project maturity levels, open standards (OCI, CRI, CNI, CSI, OpenTelemetry), and finishes with zero-downtime rollouts and immutable infrastructure.

Red Hat Certified Engineer (RHCE) #13: System roles (rhel-system-roles)
8 min read

The thirteenth post in the Red Hat Certified Engineer (RHCE) series. It covers how rhel-system-roles, the set of validated Ansible roles Red Hat ships, abstracts away RHCSA-level configuration tasks. The post walks through installation (the dnf package or the ansible-galaxy collection), where the docs live (/usr/share/doc/rhel-system-roles) and the copy-the-example-playbook pattern, the timesync/firewall/selinux/storage/network/postfix roles and their variables, and worked examples of the exam regulars: automating NTP, the firewall, and SELinux.

Red Hat Certified System Administrator (RHCSA) #10 Basic Networking: NetworkManager (nmcli), hostname, /etc/hosts
9 min read

The tenth post in the Red Hat Certified System Administrator (RHCSA) series. It covers how NetworkManager manages networking on RHEL 9, how to create connections and set a static IP permanently with nmcli, how to change the hostname with hostnamectl and resolve names through /etc/hosts, and how to verify the result with the ip command, with every command typed out in full. Setting a static IP that survives a reboot is a perennial RHCSA exam task.

What Is an SSL Certificate, and Why Do You Need One? Certificates and the Trust Chain of a CA
5 min read

What an SSL certificate is, why you need one, and who vouches for it — explained without code. It covers the certificate authority (CA) and the trust chain from root to intermediate to site certificate, and why a warning appears when a certificate expires, at a concept level.

LLM App Development #2: Understanding Messages and Parameters
6 min read

The role structure of messages and multi-turn conversations, the system prompt, and core parameters like max_tokens and temperature. The foundation for conveying context and instructions to Claude precisely.

AWS Certified CloudOps Engineer - Associate (SOA-C03) #5 Domain 2-1 Reliability: Multi-AZ, Auto Scaling, and ELB Health Checks
5 min read

The fifth post of the SOA-C03 series covers availability operations, the first topic of the Reliability domain (22%). It covers redundancy across Availability Zones, Auto Scaling group capacity, policies, and lifecycle hooks, health checks and connection draining per ELB type, and Route 53 health-check-based failover.

AWS Certified Developer - Associate (DVA-C02) #11 Domain 3-3 Deployment — Deployment Strategies
4 min read

The third post of the DVA-C02 deployment domain. It covers, at exam level, the difference between in-place and blue/green deployment, the traffic-shifting methods (canary, linear, and all-at-once), weighted routing using Lambda aliases and versions, gradual deployment through API Gateway stages, and automatic rollback tied to CloudWatch alarms. The key question is how to update safely with zero downtime.

Certified Kubernetes Administrator (CKA) #20 Networking 3: CoreDNS, NetworkPolicy
12 min read

The twentieth post in the Certified Kubernetes Administrator (CKA) series. We cover how CoreDNS lets Pods and Services find each other by name inside the cluster, the Corefile configuration, debugging DNS with nslookup, and the NetworkPolicy podSelector and ingress/egress rules that control which Pod can talk to which Pod — all from an operations point of view. We also work through the default deny pattern and the CNI dependency.
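The isolation rule the post describes, as an added example (not code from the post or the series): a small Python evaluator over NetworkPolicy manifests parsed as dicts. It implements the two exam points, that a pod selected by no policy accepts everything, and that once any policy with Ingress in its policyTypes selects a pod only traffic matched by some ingress rule gets through. The manifests and pod labels are constructed. Simplifications, all assumptions of this example: matchLabels only (no matchExpressions), same-namespace podSelector peers only (namespaceSelector and ipBlock peers are treated as non-matching), and ports compared by number only. Real enforcement still depends on the CNI plugin implementing NetworkPolicy.

```python
"""Evaluate NetworkPolicy ingress isolation for pods in one namespace (simplified model)."""


def _selects(selector, labels):
    """matchLabels semantics: every listed label must match; {} (or no matchLabels) selects all."""
    for key, value in (selector or {}).get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return True


def _policy_types(spec):
    """policyTypes default: Ingress is always implied; Egress only if an egress section exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def ingress_allowed(policies, dst_labels, src_labels, port):
    """Is a connection from a pod labelled src_labels to one labelled dst_labels on `port` allowed?"""
    isolating = [p["spec"] for p in policies
                 if "Ingress" in _policy_types(p["spec"])
                 and _selects(p["spec"].get("podSelector"), dst_labels)]
    if not isolating:
        return True  # no policy selects the destination: Kubernetes default is allow-all
    for spec in isolating:
        for rule in spec.get("ingress") or []:
            peers = rule.get("from")
            ports = rule.get("ports")
            # An absent or empty `from` matches every source; absent or empty `ports` matches every port.
            src_ok = not peers or any(
                "podSelector" in peer and _selects(peer["podSelector"], src_labels) for peer in peers)
            port_ok = not ports or any(p.get("port") == port for p in ports)
            if src_ok and port_ok:
                return True  # rules from all selecting policies are OR-ed together
    return False  # isolated and no rule matched: default deny


# Constructed manifests, as they would look after YAML parsing.
DEFAULT_DENY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
ALLOW_FRONTEND_TO_API = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-frontend-to-api"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 8080}]}],
    },
}
EGRESS_ONLY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "egress-only"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": []},
}
API, FRONTEND, BATCH = {"app": "api"}, {"app": "frontend"}, {"app": "batch"}


if __name__ == "__main__":
    both = [DEFAULT_DENY_INGRESS, ALLOW_FRONTEND_TO_API]
    for src, dst, port in [(FRONTEND, API, 8080), (BATCH, API, 8080), (FRONTEND, API, 9090)]:
        print(f"{src['app']} -> {dst['app']}:{port}: {ingress_allowed(both, dst, src, port)}")
```

The egress-only policy case is worth running: selecting every pod with `policyTypes: [Egress]` isolates egress but leaves ingress wide open, a common misreading of "the pod has a policy, so it is protected".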

Certified Kubernetes Application Developer (CKAD) #15 SecurityContext and Capabilities: runAsUser, fsGroup, readOnly rootfs
9 min read

The fifteenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers how securityContext restricts which user and privileges a container runs with. We will get hands-on through YAML examples — runAsUser, runAsNonRoot, and fsGroup; readOnlyRootFilesystem and the emptyDir workaround; allowPrivilegeEscalation; the add and drop of Linux capabilities; and the danger of privileged containers.
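The settings the post covers, turned into a checklist you can run over a manifest: an added Python example (not code from the post, the series, Kubesec or KubeLinter, though it checks the same kind of thing those tools score) that inspects a Pod manifest parsed as a dict and reports what is missing. The manifests are constructed. Assumptions of this example: container-level securityContext overrides pod-level for fields defined at both levels, and the list of "risky" capabilities is this example's own choice.

```python
"""Static securityContext checks on a Pod manifest (as parsed YAML); empty result means it passes."""

# This example's own list of capabilities worth flagging when added back.
RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def _effective(pod_sc, ctr_sc, key):
    """Fields present at both levels (runAsUser, runAsNonRoot, ...) take the container value when set."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_pod(manifest):
    """Return human-readable findings for every container and initContainer in the Pod."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "<unnamed>")
        sc = ctr.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        drop = {c.upper() for c in caps.get("drop", [])}
        add = {c.upper() for c in caps.get("add", [])}
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged=true (host devices and every capability)")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            findings.append(f"{name}: runAsUser=0, runs as root")
        elif _effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not true; the image's USER decides")
        if sc.get("allowPrivilegeEscalation") is not False:  # defaults to true
            findings.append(f"{name}: allowPrivilegeEscalation not false (setuid binaries can gain privilege)")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not true")
        if "ALL" not in drop:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if add & RISKY_CAPS:
            findings.append(f"{name}: adds risky capabilities {sorted(add & RISKY_CAPS)}")
    return findings


# Constructed manifests: a bare privileged container and its hardened counterpart.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [
        {"name": "web", "image": "nginx:1.25", "securityContext": {"privileged": True}},
    ]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "runAsGroup": 10001, "fsGroup": 10001},
        "containers": [{
            "name": "web", "image": "nginx:1.25",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            # writable scratch space for a read-only root filesystem
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}
# Pod says non-root, but the container overrides the uid back to 0.
ROOT_OVERRIDE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web", "image": "nginx:1.25",
            "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}


if __name__ == "__main__":
    for label, pod in [("insecure", INSECURE_POD), ("hardened", HARDENED_POD)]:
        print(label, check_pod(pod) or "OK")
```

The override case is the one to remember: `runAsNonRoot: true` at the pod level plus `runAsUser: 0` on a container is a contradiction the kubelet rejects at container creation, so the checker flags the uid rather than trusting the pod-level flag.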

Certified Kubernetes Security Specialist (CKS) #13 Minimal images: distroless, scratch (Supply Chain)
11 min read

The thirteenth post in the Certified Kubernetes Security Specialist (CKS) series. It covers image minimization, the starting point of the Supply Chain Security domain — how a large image widens the attack surface with shells, package managers, and needless CVEs, what distroless and scratch strip away, and how to choose among them versus alpine. With Dockerfile examples, we walk through the multistage build pattern that separates build tools from the runtime, how to debug a shell-less image with an ephemeral container, and how to enforce a non-root user.

Kubernetes and Cloud Native Associate (KCNA) #4: Container Orchestration (22%) — Runtime, Security, Networking, Storage, Service Mesh
11 min read

A walkthrough of the core of the KCNA Container Orchestration domain — container runtimes and the OCI/CRI standards, RBAC and NetworkPolicy security, CNI networking and CoreDNS, CSI storage, and Service Mesh. We map the boundaries the three CRI/CNI/CSI interfaces draw, the Service types, the default behavior of NetworkPolicy, and other recurring exam points.