# Container Orchestration

72 posts

Certified Kubernetes Administrator (CKA) #19 Networking 2: Ingress, IngressClass, TLS
8 min read

The nineteenth post in the Certified Kubernetes Administrator (CKA) series. We cover how to consolidate host- and path-based routing and TLS termination — things Service alone cannot solve — into Ingress. From an operations angle, we work through Ingress rules (pathType Prefix/Exact, rules/backend, defaultBackend), IngressClass that separates multiple controllers, the Ingress Controller that must exist for Ingress to do anything, and the TLS section that references a Secret.

Certified Kubernetes Application Developer (CKAD) #14 ServiceAccount and RBAC (App Perspective)
10 min read

Part 14 of the Certified Kubernetes Application Developer (CKAD) series. When an app running inside a Pod calls the Kubernetes API, what identity does it authenticate as and what permissions does it get authorized for — this post lays that out from the ServiceAccount and RBAC angle. You will get hands-on with automatic SA token mounting and turning it off, granting permissions with Role and RoleBinding, and verifying with kubectl auth can-i.

Certified Kubernetes Security Specialist (CKS) #12 Pod-to-Pod mTLS: Cilium
9 min read

The twelfth post of the Certified Kubernetes Security Specialist (CKS) series. As the final topic of the Minimize Microservice Vulnerabilities domain, it covers the problem that Pod-to-Pod traffic is plaintext by default and the need for encryption in transit. We organize, concept-first, the sidecar mTLS model of Service Mesh (Istio/Linkerd), Cilium's transparent encryption (WireGuard/IPsec) and its mTLS direction, the difference between NetworkPolicy (L3/L4) and mTLS (encryption/identity), and why in-transit encryption matters from a CKS perspective.

Kubernetes and Cloud Native Associate (KCNA) #3: Kubernetes Fundamentals 2 — API, Containers, Scheduling
13 min read

A rundown of the Kubernetes API object model (apiVersion, kind, metadata, spec, status) and the declarative vs. imperative styles, container images and runtimes, the kube-scheduler scheduling process (nodeSelector, affinity, taint), and how to inject configuration with ConfigMap and Secret. This wraps up the back half of Domain 1, Kubernetes Fundamentals (46%).

Certified Kubernetes Administrator (CKA) #18 Networking 1: Service (ClusterIP/NodePort/LoadBalancer/ExternalName)
10 min read

Part 18 of the Certified Kubernetes Administrator (CKA) series. We follow the flow where a Service uses a selector to pick Pods, builds Endpoints, and kube-proxy turns those into node-level rules. We cover the four types — ClusterIP, NodePort, LoadBalancer, ExternalName — the distinction between port/targetPort/nodePort, headless Services, k expose, and the operational instinct for tracing the cause through Endpoints when a Service stops working.

Certified Kubernetes Application Developer (CKAD) #13 ConfigMap and Secret in Depth: volume vs env, Auto-Refresh
9 min read

The thirteenth post in the Certified Kubernetes Application Developer (CKAD) series. We create ConfigMaps and Secrets that pull configuration and sensitive data out of code, and cover the three ways to inject them — env (valueFrom, envFrom) and volume mounts — in exam-task format. In particular, we drill the difference that env stays fixed until the Pod restarts while a volume mount auto-refreshes after a delay.

Certified Kubernetes Security Specialist (CKS) #11: Isolation — gVisor, Kata Containers, RuntimeClass
10 min read

The eleventh post in the Certified Kubernetes Security Specialist (CKS) series. We pin down the root problem that container isolation is weak because containers share the host kernel, and lay out the sandbox runtimes that make up for it. We compare how gVisor (runsc), which intercepts system calls with a user-space kernel, and Kata Containers, which separates workloads in lightweight VMs, each work; how to declare a handler with RuntimeClass and apply it via a Pod's runtimeClassName; the trade-offs between security and performance/compatibility; and finally the RuntimeClass creation and Pod assignment tasks that show up often on the exam, building them by hand.

Kubernetes and Cloud Native Associate (KCNA) #2: Kubernetes Fundamentals 1 — Architecture and Core Resources
12 min read

The second post in the KCNA series. It covers the first half of Domain 1, the largest at 46%: the components of the control plane and worker nodes (kube-apiserver, etcd, kube-scheduler, controller-manager, kubelet, kube-proxy, container runtime), the declarative model and the reconciliation loop, and the core resources Pod, ReplicaSet, Deployment, Service, and Namespace.

Certified Kubernetes Administrator (CKA) #17 Storage 2: StorageClass, Dynamic Provisioning, Reclaim Policy, Expansion
10 min read

The seventeenth post in the Certified Kubernetes Administrator (CKA) series. We configure dynamic provisioning with a StorageClass so that creating just a PVC makes a PV appear automatically, and sort out the difference between the default StorageClass and volumeBindingMode. We also confirm with YAML how reclaimPolicy (Delete/Retain) treats data when a PV is removed, and how allowVolumeExpansion grows a volume.

Certified Kubernetes Application Developer (CKAD) #12 Observability: logging, kubectl debug, port-forward, ephemeral container
9 min read

The twelfth post in the Certified Kubernetes Application Developer (CKAD) series. A hands-on tour of the observability tools you reach for when an app misbehaves. Follow logs with kubectl logs, read state with describe and events, get inside with exec and port-forward, and debug even shell-less containers with the ephemeral container of kubectl debug — building the muscle memory for the whole flow.

Certified Kubernetes Security Specialist (CKS) #10 Secrets Management: etcd Encryption, External Secrets
11 min read

The tenth post in the Certified Kubernetes Security Specialist (CKS) series. Starting from the fact that a Kubernetes Secret is stored in etcd as base64 only — which is not encryption — we walk through encrypting secrets at rest with an EncryptionConfiguration, wiring it to the apiserver flags, re-encrypting existing Secrets, and checking for plaintext with etcdctl. We then tie in the big picture of integrating an external secret store via the External Secrets Operator and KMS, plus minimizing Secret-access RBAC, so you get hands-on with the exam staple of enabling etcd encryption.

Kubernetes and Cloud Native Associate (KCNA) #1: Exam Introduction — Structure and Study Strategy
11 min read

The opening post of the Kubernetes and Cloud Native Associate (KCNA) series. The shape of 60 questions, 90 minutes, and a 75% passing line; the weight and meaning of the five domains; registration and the online-proctored testing environment; and the study strategy that turns the intuition built in the [K8s hands-on track](/en/posts/k8s-basics-1) into multiple-choice answers. This series targets a KCNA pass in nine posts, wrapping up with a mock multiple-choice exam in #9.