# Container Orchestration

72 posts

Certified Kubernetes Administrator (CKA) #16 Storage 1: Volume Types, PV, PVC, and Static Provisioning
10 min read

The sixteenth post in the Certified Kubernetes Administrator (CKA) series. From Volume types (emptyDir, hostPath, configMap/secret, PVC) to a PersistentVolume's capacity and accessModes, persistentVolumeReclaimPolicy, the request and binding rules of a PersistentVolumeClaim, and the static provisioning where an admin creates PVs ahead of time — all walked through with YAML examples.

Certified Kubernetes Application Developer (CKAD) #11 Probes: liveness, readiness, startup (exec/HTTP/TCP)
10 min read

Part 11 of the Certified Kubernetes Application Developer (CKAD) series. Learn the three probes (liveness, readiness, startup) and the three handlers (exec, httpGet, tcpSocket) that Kubernetes uses to check whether a container is alive and ready to take traffic — through YAML examples — and nail down the liveness-vs-readiness distinction that trips people up most often on the exam.

Certified Kubernetes Security Specialist (CKS) #9: Pod Security Admission (PSA, Pod Security Standards)
9 min read

The ninth post in the Certified Kubernetes Security Specialist (CKS) series. It covers how Pod Security Admission — the replacement for the retired PodSecurityPolicy — rejects dangerous Pods at the namespace level. We work through the three levels of the Pod Security Standards (privileged, baseline, restricted) and the three modes (enforce, audit, warn), applying them with namespace labels, the security settings restricted demands, and how to write a Pod that passes — all from an exam point of view.

Certified Kubernetes Administrator (CKA) #15 Resource Management: requests/limits, QoS, LimitRange, ResourceQuota
9 min read

The 15th post in the Certified Kubernetes Administrator (CKA) series. We lay out how requests and limits reserve and cap CPU and memory, the difference between CPU throttling and memory OOMKilled, and how the three QoS classes (Guaranteed, Burstable, BestEffort) decide eviction order. Then we work through the operational policies that enforce container defaults with LimitRange and namespace totals with ResourceQuota, all in YAML.

Certified Kubernetes Application Developer (CKAD) #10 Kustomize: The Overlay Pattern and Per-Environment Manifests
9 min read

The tenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers Kustomize, which transforms manifests per environment without templates. From the core fields of kustomization.yaml to the base/overlays structure, patchesStrategicMerge and JSON6902 patches, the hash-suffix-driven rollouts of configMapGenerator and secretGenerator, and the build-and-apply flow via the -k flag, organized from a hands-on exam perspective.

Certified Kubernetes Security Specialist (CKS) #8: kernel hardening, capabilities, /proc protection
11 min read

The eighth post of the Certified Kubernetes Security Specialist (CKS) series. We cover how to strip privileges from containers with securityContext to shrink the attack surface. From the drop-ALL-then-add-only-what-you-need pattern for Linux capabilities, to the dangers of privileged and allowPrivilegeEscalation, runAsNonRoot and readOnlyRootFilesystem, /proc masking via procMount, and blocking hostPID/hostNetwork/hostIPC and host path mounts — all pulled together into a hardened YAML example.

Certified Kubernetes Administrator (CKA) #14 Scheduling 2: Taints/tolerations, Priority/PriorityClass, preemption
10 min read

The fourteenth post in the Certified Kubernetes Administrator (CKA) series. We work through taints that let a node push Pods away and tolerations that accept that rejection (the NoSchedule/PreferNoSchedule/NoExecute effects, tolerationSeconds), the default taint on control plane nodes, and finally PriorityClass for ranking Pods by priority and preemption that evicts lower-priority Pods when resources run short, all from an operator's point of view with YAML and kubectl.

Certified Kubernetes Application Developer (CKAD) #9 Helm: install, upgrade, rollback, values
9 min read

The ninth post in the Certified Kubernetes Application Developer (CKAD) series. We organize Helm's chart structure and the release concept that lets you treat a bundle of manifests as a single package, then drill hands-on, command by command, into helm repo, install, upgrade, rollback, and values overrides. We type through the full flow of previewing results with dry-run and reverting with history.

Certified Kubernetes Security Specialist (CKS) #7: seccomp Profiles
8 min read

The seventh post in the Certified Kubernetes Security Specialist (CKS) series. We cover how to use seccomp to filter the system calls a container can make. We work directly through the three profile types — RuntimeDefault, Localhost, and Unconfined — the securityContext.seccompProfile setting, and writing and verifying a custom profile JSON loaded onto the node.

Certified Kubernetes Administrator (CKA) #13 Scheduling 1: nodeSelector, nodeAffinity, podAffinity/antiAffinity
9 min read

The thirteenth post in the Certified Kubernetes Administrator (CKA) series. We lay out the four tools that control which node the scheduler places a Pod on. nodeSelector does simple label matching, nodeAffinity expresses node conditions with required and preferred, and podAffinity/podAntiAffinity use topologyKey to place a Pod on the same node as — or a different node from — other Pods. We also look at manual placement that bypasses the scheduler with nodeName.

Certified Kubernetes Application Developer (CKAD) #8 Deployment Strategies: Blue-green, Canary
9 min read

The eighth post in the Certified Kubernetes Application Developer (CKAD) series. Implement zero-downtime deployment strategies by hand with nothing but Deployment, Service, and labels — no managed deployment tooling. We review rolling update and recreate, build instant cutover and rollback with blue-green, and implement traffic splitting through replicas ratios with canary.

Certified Kubernetes Security Specialist (CKS) #6: AppArmor profiles (System Hardening)
11 min read

The sixth post in the Certified Kubernetes Security Specialist (CKS) series. We cover how to restrict a container's file and capability access at the kernel level with AppArmor, Linux's mandatory access control (MAC) system. We work through the difference between enforce and complain modes, writing a profile with deny rules, loading it onto a node with apparmor_parser and confirming with aa-status, the two ways of attaching it to a Pod (1.30+ securityContext.appArmorProfile and the older annotation), and verifying with exec that the profile actually blocks.