# Container Orchestration
72 posts
## Certified Kubernetes Application Developer (CKAD) #7 Workloads 3: Job, CronJob (Backoff, Concurrency)
The seventh post in the Certified Kubernetes Application Developer (CKAD) series. It covers Job, which handles run-once batch work, and CronJob, which runs that work on a schedule, from a hands-on exam perspective. We will build completions, parallelism, backoffLimit, activeDeadlineSeconds, restartPolicy, and ttlSecondsAfterFinished, along with CronJob's schedule, concurrencyPolicy, startingDeadlineSeconds, and suspend, directly with YAML and kubectl.
## Certified Kubernetes Security Specialist (CKS) #5: ServiceAccount token management, restricting API access, cluster upgrades
The fifth post in the Certified Kubernetes Security Specialist (CKS) series. It covers ServiceAccount token management, a frequent topic in the Cluster Hardening domain. We work through setting automountServiceAccountToken to false to block unnecessary token mounts, the expiration and audience of bound ServiceAccount tokens, and the difference between legacy Secret tokens and projected tokens. Then we shrink the API access surface by disabling anonymous-auth and protecting the kubelet API, and finish with cluster upgrades for applying security patches.
## Certified Kubernetes Administrator (CKA) #11 Workloads 2: DaemonSet, StatefulSet, Job, CronJob
The eleventh post in the Certified Kubernetes Administrator (CKA) series. We organize the four workloads that Deployment can't cover: the DaemonSet that runs exactly one Pod per node, the StatefulSet with stable IDs, ordering, a headless Service, and volumeClaimTemplates, the Job that runs toward completion, and the CronJob that stamps out Jobs on a schedule — all drilled hands-on with YAML and kubectl.
## Certified Kubernetes Application Developer (CKAD) #6 Workloads 2: DaemonSet, StatefulSet
The sixth post in the Certified Kubernetes Application Developer (CKAD) series. It covers the workload controllers beyond Deployment — DaemonSet and StatefulSet — from a hands-on perspective. We will build the DaemonSet that places one Pod on every node, and the StatefulSet that needs a stable network ID and ordering guarantees, in YAML all the way down to the headless Service and volumeClaimTemplates.
## Certified Kubernetes Security Specialist (CKS) #4: RBAC least privilege in depth (Cluster Hardening)
The fourth post in the Certified Kubernetes Security Specialist (CKS) series. On top of the RBAC you learned in CKA, we layer the principle of least privilege and go deep, from a security angle, on how to find and narrow Roles that are too broad. We cover the danger of wildcard verb/resource, removing default ServiceAccount permissions, cutting ClusterRoleBinding overuse down with RoleBinding, the gotchas of aggregated ClusterRole, identifying dangerous permissions like secrets get, pods/exec, escalate, bind, and impersonate, and the flow of verifying narrowed permissions with kubectl auth can-i --as.
## Certified Kubernetes Administrator (CKA) #10 Workloads 1: Deployment in Depth, ReplicaSet, Rolling Update and Rollback
The tenth post in the Certified Kubernetes Administrator (CKA) series. We look deep into the Deployment, the workload an operator handles most often. We walk through the Deployment→ReplicaSet→Pod hierarchy and the label selector that binds them, how to create and scale with kubectl, the conditions under which the rollingUpdate strategy (maxSurge/maxUnavailable) guarantees a zero-downtime update, and the rollback that lets you track versions and revert with kubectl rollout — all drilled until they are second nature.
## Certified Kubernetes Application Developer (CKAD) #5 Workloads 1: Deployment, ReplicaSet, Rolling Update, and Rollback
The fifth post in the Certified Kubernetes Application Developer (CKAD) series. We create a Deployment imperatively—the heart of app delivery—and lay out the relationship and scaling of Deployment, ReplicaSet, and Pod. We will get hands-on with the meaning of rollingUpdate's maxSurge and maxUnavailable, the flow of shipping a new version with kubectl set image, and the rollback scenario of tracking state with kubectl rollout and reverting a failed version with undo.
## Certified Kubernetes Security Specialist (CKS) #3: CIS benchmark (kube-bench), component security, Ingress TLS, binary verification
The third post in the Certified Kubernetes Security Specialist (CKS) series. It covers the remaining half of the Cluster Setup domain — hardening the cluster itself. We get hands-on, with commands and manifests, on what the CIS Kubernetes benchmark is, how to inspect the control plane and nodes with kube-bench and read the PASS/FAIL/WARN results and apply remediation, the procedure for changing dangerous apiserver and kubelet flags to safe values, how to attach TLS to an Ingress, and the flow for verifying a downloaded binary with sha256sum.
## Certified Kubernetes Administrator (CKA) #9 RBAC: Role/ClusterRole, RoleBinding, ServiceAccount, kubectl auth can-i
The ninth post in the Certified Kubernetes Administrator (CKA) series. We dig deep into RBAC — what decides who can do what — from an operator's perspective. We'll cover the combination rules of Role and ClusterRole, RoleBinding and ClusterRoleBinding, the structure of subjects (User/Group/ServiceAccount) and rules (apiGroups/resources/verbs), how to build them fast with kubectl create, how to verify permissions with kubectl auth can-i and --as, and the flow of wiring the user we created in [#8](/en/posts/cka-8) into RBAC.
## Certified Kubernetes Application Developer (CKAD) #4 Container Images: Dockerfile, Multi-stage, and Building from Scratch on the Exam
The fourth post in the Certified Kubernetes Application Developer (CKAD) series. Some CKAD tasks require the full flow of building an image yourself, pushing it to a registry, and running it in a Pod. This post walks through the basic Dockerfile instructions and layer cache, how multi-stage builds slim an image down, the build/tag/push procedure with podman and buildah, the imagePullPolicy and the latest-tag trap, and the rules that map command/args onto ENTRYPOINT/CMD — all from a hands-on exam angle.
## Certified Kubernetes Security Specialist (CKS) #2: NetworkPolicy in depth — default deny, ingress/egress (Cluster Setup)
The second post in the Certified Kubernetes Security Specialist (CKS) series. We cover network isolation, the heart of the Cluster Setup domain — from the all-allow default behavior when no NetworkPolicy exists, to the default deny pattern that blocks everything with podSelector and policyTypes, restricting ingress and egress separately, the trap where default deny egress breaks DNS and how to allow port 53, and the AND vs OR trap when combining namespaceSelector and podSelector. We build and verify it all firsthand with YAML and kubectl.
## Certified Kubernetes Administrator (CKA) #8 Certificate Management: PKI, kubeconfig, Certificate Renewal
The eighth post in the Certified Kubernetes Administrator (CKA) series. We cover the TLS certificates that underpin every bit of communication in the cluster: the PKI structure under /etc/kubernetes/pki and who trusts whom, the clusters/users/contexts layout of kubeconfig, the procedure for checking expiration with kubeadm certs check-expiration and renewing with kubeadm certs renew all, and the flow for issuing user certificates with a CertificateSigningRequest — all of it drilled into your hands.