# Container Orchestration

72 posts

Certified Kubernetes Application Developer (CKAD) #18 Services: ClusterIP, NodePort, LoadBalancer, ExternalName
9 min read

The eighteenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers the Service, the object that puts a stable entry point in front of a shifting set of Pods. We learn how selectors and labels pick Pods and how Endpoints are managed automatically, the differences between the four types ClusterIP, NodePort, LoadBalancer, and ExternalName, the distinction between port, targetPort, and nodePort, headless Services and cluster DNS, and finally debugging empty endpoints — all through YAML and kubectl.
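
An added example, not code from the post: it reproduces in plain Python how the endpoints controller picks Pods for a Service, so each cause of empty endpoints the post mentions can be seen separately, namely a selector that matches no labels, a Pod that is not Ready, and a named targetPort that no container declares. The Service and Pods are constructed here; note that a numeric targetPort is never checked against the container, which is why a wrong port number shows up as a connection refused rather than as empty endpoints.

```python
"""Reproduce the endpoints controller's Pod selection for a Service, so that an
empty `kubectl get endpoints` can be explained Pod by Pod. Added example; the
Service and Pods below are constructed, not taken from a real cluster."""
from typing import Dict, List, Optional, Tuple, Union


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based selector: every selector key must be present with the same value."""
    return all(labels.get(key) == value for key, value in selector.items())


def pod_ready(pod: Dict) -> bool:
    """A Pod only becomes a ready endpoint once its Ready condition is True."""
    conditions = pod.get("status", {}).get("conditions", [])
    return any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions)


def resolve_target_port(target: Union[int, str], pod: Dict) -> Optional[int]:
    """targetPort is either a number, used as-is (the controller does not check that a
    container listens there), or a container port *name* that must exist in the Pod."""
    if isinstance(target, int):
        return target
    for container in pod["spec"]["containers"]:
        for port in container.get("ports", []):
            if port.get("name") == target:
                return port["containerPort"]
    return None


def endpoints_for(service: Dict, pods: List[Dict]) -> Tuple[List[str], List[str]]:
    """Return (ready endpoint addresses, one reason per Pod that was left out)."""
    spec = service["spec"]
    selector = spec.get("selector") or {}
    namespace = service["metadata"].get("namespace", "default")
    addresses: List[str] = []
    reasons: List[str] = []
    if not selector:
        reasons.append("Service has no selector; Endpoints must be created by hand")
        return addresses, reasons
    for pod in pods:
        meta = pod["metadata"]
        name = meta["name"]
        if meta.get("namespace", "default") != namespace:
            reasons.append(f"{name}: lives in another namespace")
            continue
        if not selector_matches(selector, meta.get("labels", {})):
            reasons.append(f"{name}: labels {meta.get('labels', {})} do not match selector {selector}")
            continue
        if not pod_ready(pod):
            reasons.append(f"{name}: not Ready (readiness probe failing or still starting)")
            continue
        for svc_port in spec["ports"]:
            target = svc_port.get("targetPort", svc_port["port"])
            port = resolve_target_port(target, pod)
            if port is None:
                reasons.append(f"{name}: no container port named {target!r}")
                continue
            addresses.append(f"{pod['status']['podIP']}:{port}")
    return addresses, reasons


def make_pod(name: str, labels: Dict[str, str], ready: bool, ip: str, port_name: str = "http") -> Dict:
    """Build a minimal Pod object for the constructed sample below."""
    return {
        "metadata": {"name": name, "namespace": "default", "labels": labels},
        "spec": {"containers": [{"name": "app", "ports": [{"name": port_name, "containerPort": 8080}]}]},
        "status": {"podIP": ip, "conditions": [{"type": "Ready", "status": "True" if ready else "False"}]},
    }


# Constructed sample: a Service on port 80 forwarding to the container port named "http".
SERVICE = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"selector": {"app": "web"}, "ports": [{"port": 80, "targetPort": "http"}]},
}
PODS = [
    make_pod("web-1", {"app": "web"}, ready=True, ip="10.244.1.10"),
    make_pod("web-2", {"app": "wbe"}, ready=True, ip="10.244.1.11"),   # label typo
    make_pod("web-3", {"app": "web"}, ready=False, ip="10.244.1.12"),  # readiness probe failing
    make_pod("web-4", {"app": "web"}, ready=True, ip="10.244.1.13", port_name="metrics"),
]

if __name__ == "__main__":
    endpoints, skipped = endpoints_for(SERVICE, PODS)
    print("ENDPOINTS:", ", ".join(endpoints) or "<none>")
    for reason in skipped:
        print("skipped:", reason)
```

Only web-1 becomes an endpoint; the other three are each excluded for a different reason, which is the same triage order the post recommends: check the selector against `kubectl get pods --show-labels`, then the Ready column, then the port names in the Pod spec.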

Certified Kubernetes Security Specialist (CKS) #16 Admission control: OPA/Gatekeeper, Kyverno
9 min read

The sixteenth post in the Certified Kubernetes Security Specialist (CKS) series. We start from how an admission controller intercepts API requests to validate and mutate them, then learn the difference between validating and mutating webhooks, OPA/Gatekeeper's ConstraintTemplate and Constraint with Rego policies, and Kyverno's YAML-based validate/mutate/generate policies through examples. We implement "no latest tag" and "trusted-registry only" in both tools, and wrap up with the exam-favorite drill of submitting a violating manifest and reading the rejection.
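
An added example, not the post's Gatekeeper or Kyverno policy: it expresses the same two rules, "no latest tag" and "trusted-registry only", as plain Python over a manifest, so the image-reference parsing that both policies rely on is visible. The trusted registry and the sample Deployment are assumptions made for this example. Two details matter in practice and are handled here: an image with no tag at all means `:latest`, and an image with no registry prefix lives on `docker.io`.

```python
"""Admission-style image checks: reject ':latest' (or no tag) and untrusted registries.
Added example; the registry allowlist and the sample Deployment are constructed."""
from typing import Dict, List

# Assumption for this example: the only registry the cluster trusts.
TRUSTED_REGISTRIES = {"registry.example.com"}


def parse_image(ref: str) -> Dict[str, str]:
    """Split an image reference into registry, repository, tag and digest.

    Follows the Docker reference rules: the first path component is a registry
    only if it contains '.' or ':' or equals 'localhost'; otherwise the image
    lives on docker.io. A ':' after the last '/' separates the tag.
    """
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    name, colon, tag = path.rpartition(":")
    if not colon:
        name, tag = path, ""
    return {"registry": registry, "repository": name, "tag": tag, "digest": digest}


def containers_in(manifest: Dict) -> List[Dict]:
    """Return the container specs of a bare Pod or of a workload with a Pod template."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    return pod_spec.get("initContainers", []) + pod_spec.get("containers", [])


def validate_images(manifest: Dict) -> List[str]:
    """Return admission violations; an empty list means the manifest is admitted."""
    violations: List[str] = []
    for c in containers_in(manifest):
        img = parse_image(c["image"])
        # Rule 1: mutable tags are rejected; a missing tag means ':latest'.
        # An image pinned by digest is immutable and passes even without a tag.
        if not img["digest"] and img["tag"] in ("", "latest"):
            violations.append(f"{c['name']}: image {c['image']} uses the latest tag")
        # Rule 2: only images from trusted registries are admitted.
        if img["registry"] not in TRUSTED_REGISTRIES:
            violations.append(f"{c['name']}: registry {img['registry']} is not trusted")
    return violations


# Constructed sample Deployment; the sidecar violates both rules.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "registry.example.com/team/app:1.4.2"},
        {"name": "sidecar", "image": "nginx"},
    ]}}},
}

if __name__ == "__main__":
    for violation in validate_images(SAMPLE_DEPLOYMENT):
        print("denied:", violation)
```

The same logic in Kyverno is a `validate` rule with a `pattern` on `image`, and in Gatekeeper a Rego rule over `input.review.object.spec.containers`; in both, remember to cover `initContainers` too, as the helper above does.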

Certified Kubernetes Administrator (CKA) #22 Troubleshooting 1: Pods and Apps (Pending, CrashLoop, ImagePull, OOM)
11 min read

The largest domain on the CKA exam is Troubleshooting (30%). In this post we tackle the four most common Pod-level failures within that domain. We organize Pending, CrashLoopBackOff, ImagePullBackOff/ErrImagePull, and OOMKilled each from symptom to diagnosis to fix in a single flow, and we drill the order in which to read describe, events, and logs so you reach the root cause fast.

Certified Kubernetes Application Developer (CKAD) #17 Volumes: emptyDir, PVC, projected, ephemeral
9 min read

The seventeenth post in the Certified Kubernetes Application Developer (CKAD) series. Starting from the volatility of a container filesystem, it works through emptyDir and hostPath, the dynamic provisioning of PersistentVolumeClaim and StorageClass, the projected volume that bundles secret, configMap, and downwardAPI into one directory, and the generic ephemeral volume — all with hands-on YAML examples.

Certified Kubernetes Security Specialist (CKS) #15 Image signing: cosign, SBOM
11 min read

The fifteenth post in the Certified Kubernetes Security Specialist (CKS) series. To trust an image entering your cluster you need to verify a signature that proves who produced it. We walk through creating and verifying both key-based and keyless (OIDC) signatures with sigstore's cosign, generating an SBOM (SPDX/CycloneDX) with syft to track components, and closing the loop by blocking unsigned images at admission — all with command examples.

Certified Kubernetes Administrator (CKA) #21 Helm and Kustomize: Managing Manifests
9 min read

The twenty-first post in the Certified Kubernetes Administrator (CKA) series. We learn the two tools for managing manifests — Helm and Kustomize — with a focus on operational commands. Helm covers repo add/update, install/upgrade/rollback, value injection, and template rendering; Kustomize covers the base/overlays structure, patchesStrategicMerge, configMapGenerator, and kubectl apply -k. We lay out the difference between the two (template vs. overlay) in a table and pin down the CKA exam points.

Certified Kubernetes Application Developer (CKAD) #16 Resource Management: requests/limits, QoS Class, LimitRange
8 min read

The sixteenth post in the Certified Kubernetes Application Developer (CKAD) series. It nails down requests and limits — which decide how much a Pod asks for and how much it may use — right down to the units, and shows how CPU throttling and memory OOMKilled diverge. We also work through the three QoS classes and eviction priority, plus LimitRange that enforces namespace defaults and ResourceQuota that caps the total, all with YAML examples.
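
An added example, not code from the post: it derives a Pod's QoS class from its requests and limits the way the scheduler's classification does, after first applying the defaults a namespace LimitRange would inject, so you can see how a LimitRange can silently move a Pod from Guaranteed to Burstable. The LimitRange and Pods are constructed for this example. The quantity parser covers the common suffixes (`m`, `k`, `M`, `G`, `Ki`, `Mi`, `Gi`); the default filling follows the documented order, where a LimitRange `defaultRequest` takes precedence over copying the limit into the request.

```python
"""QoS class derivation from requests/limits, after applying LimitRange defaults.
Added example; the LimitRange and Pods below are constructed."""
from typing import Dict, List, Optional

# Suffixes Kubernetes accepts for resource quantities, mapped to a multiplier.
SUFFIXES = {
    "": 1, "m": 10**-3, "k": 10**3, "M": 10**6, "G": 10**9,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30,
}


def parse_quantity(value: str) -> float:
    """Convert '500m', '128Mi', '1' etc. into a number in base units (cores or bytes)."""
    s = str(value).strip()
    for suffix in sorted(SUFFIXES, key=len, reverse=True):  # try 2-char suffixes first
        if suffix and s.endswith(suffix):
            return float(s[: -len(suffix)]) * SUFFIXES[suffix]
    return float(s)


def apply_limit_range(container: Dict, limit_range: Optional[Dict]) -> Dict:
    """Fill missing requests/limits from a LimitRange 'Container' item, as the
    LimitRanger admission plugin does: 'default' fills limits, 'defaultRequest'
    fills requests; a limit that still has no request has the request set equal."""
    resources = {
        "requests": dict(container.get("resources", {}).get("requests", {})),
        "limits": dict(container.get("resources", {}).get("limits", {})),
    }
    for item in (limit_range or {}).get("spec", {}).get("limits", []):
        if item.get("type") != "Container":
            continue
        for res, val in item.get("default", {}).items():
            resources["limits"].setdefault(res, val)
        for res, val in item.get("defaultRequest", {}).items():
            resources["requests"].setdefault(res, val)
    for res, val in resources["limits"].items():
        resources["requests"].setdefault(res, val)
    return {**container, "resources": resources}


def qos_class(containers: List[Dict]) -> str:
    """Guaranteed: every container has cpu and memory limits equal to its requests.
    Burstable: at least one container sets a cpu or memory request or limit.
    BestEffort: nothing is set anywhere."""
    guaranteed = bool(containers)
    any_set = False
    for c in containers:
        req = c.get("resources", {}).get("requests", {})
        lim = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            any_set = any_set or res in req or res in lim
            if res not in lim or res not in req or parse_quantity(lim[res]) != parse_quantity(req[res]):
                guaranteed = False
    if guaranteed:
        return "Guaranteed"
    return "Burstable" if any_set else "BestEffort"


def classify(pod: Dict, limit_range: Optional[Dict] = None) -> str:
    """Apply LimitRange defaults to every container, then compute the QoS class."""
    containers = [apply_limit_range(c, limit_range) for c in pod["spec"]["containers"]]
    return qos_class(containers)


# Constructed sample: a namespace LimitRange and three Pods.
LIMIT_RANGE = {"kind": "LimitRange", "spec": {"limits": [{
    "type": "Container",
    "default": {"cpu": "500m", "memory": "256Mi"},
    "defaultRequest": {"cpu": "250m", "memory": "128Mi"},
}]}}
POD_NO_RESOURCES = {"spec": {"containers": [{"name": "app", "image": "app:1"}]}}
POD_LIMITS_ONLY = {"spec": {"containers": [{"name": "app", "image": "app:1",
                   "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}}]}}
POD_MIXED = {"spec": {"containers": [{"name": "app", "image": "app:1",
             "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                           "limits": {"cpu": "200m", "memory": "128Mi"}}}]}}

if __name__ == "__main__":
    for label, pod in [("no resources", POD_NO_RESOURCES), ("limits only", POD_LIMITS_ONLY), ("mixed", POD_MIXED)]:
        print(f"{label:13} without LimitRange: {classify(pod):10} with LimitRange: {classify(pod, LIMIT_RANGE)}")
```

The limits-only Pod is the one to watch: alone it is Guaranteed, because the request is copied from the limit, but in a namespace whose LimitRange sets a smaller `defaultRequest` it becomes Burstable and is evicted before Guaranteed Pods under memory pressure.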

Certified Kubernetes Security Specialist (CKS) #14: Image scan — Trivy, Kubesec, KubeLinter
9 min read

The fourteenth post in the Certified Kubernetes Security Specialist (CKS) series. We cover image vulnerability scanning, the heart of supply chain security, and compare the roles of three tools in a table: Trivy, whose image, filesystem, and repository scans find the CVEs in a container image's OS packages and language libraries, and whose severity filters and exit codes turn it into a CI gate; Kubesec, which scores a manifest's securityContext settings; and KubeLinter, which statically analyzes manifests to catch anti-patterns. We also walk through, with command examples, the exam staple of finding and replacing an image that has a vulnerability of a given severity.

Certified Kubernetes Administrator (CKA) #20 Networking 3: CoreDNS, NetworkPolicy
12 min read

The twentieth post in the Certified Kubernetes Administrator (CKA) series. We cover how CoreDNS lets Pods and Services find each other by name inside the cluster, the Corefile configuration, debugging DNS with nslookup, and the NetworkPolicy podSelector and ingress/egress rules that control which Pod can talk to which Pod — all from an operations point of view. We also work through the default deny pattern and the CNI dependency.

Certified Kubernetes Application Developer (CKAD) #15 SecurityContext and Capabilities: runAsUser, fsGroup, readOnly rootfs
9 min read

The fifteenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers how securityContext restricts which user and privileges a container runs with. We will get hands-on through YAML examples — runAsUser, runAsNonRoot, and fsGroup; readOnlyRootFilesystem and the emptyDir workaround; allowPrivilegeEscalation; the add and drop of Linux capabilities; and the danger of privileged containers.

Certified Kubernetes Security Specialist (CKS) #13 Minimal images: distroless, scratch (Supply Chain)
11 min read

The thirteenth post in the Certified Kubernetes Security Specialist (CKS) series. It covers image minimization, the starting point of the Supply Chain Security domain — how a large image widens the attack surface with shells, package managers, and needless CVEs, what distroless and scratch strip away, and how to choose among them versus alpine. With Dockerfile examples, we walk through the multistage build pattern that separates build tools from the runtime, how to debug a shell-less image with an ephemeral container, and how to enforce a non-root user.

Kubernetes and Cloud Native Associate (KCNA) #4: Container Orchestration (22%) — Runtime, Security, Networking, Storage, Service Mesh
11 min read

A walkthrough of the core of the KCNA Container Orchestration domain — container runtimes and the OCI/CRI standards, RBAC and NetworkPolicy security, CNI networking and CoreDNS, CSI storage, and Service Mesh. We map the boundaries the three CRI/CNI/CSI interfaces draw, the Service types, the default behavior of NetworkPolicy, and other recurring exam points.