#Infrastructure
Certified Kubernetes Application Developer (CKAD) #18 Services: ClusterIP, NodePort, LoadBalancer, ExternalName
The eighteenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers the Service, the object that puts a stable entry point in front of a shifting set of Pods. We learn how selectors and labels pick Pods and how Endpoints are managed automatically, the differences between the four types ClusterIP, NodePort, LoadBalancer, and ExternalName, the distinction between port, targetPort, and nodePort, headless Services and cluster DNS, and finally debugging empty endpoints — all through YAML and kubectl.
Certified Kubernetes Security Specialist (CKS) #16 Admission control: OPA/Gatekeeper, Kyverno
The sixteenth post in the Certified Kubernetes Security Specialist (CKS) series. We start from how an admission controller intercepts API requests to validate and mutate them, then learn the difference between validating and mutating webhooks, OPA/Gatekeeper's ConstraintTemplate and Constraint with Rego policies, and Kyverno's YAML-based validate/mutate/generate policies through examples. We implement "no latest tag" and "trusted-registry only" in both tools, and wrap up with the exam-favorite pattern of rejecting a violating manifest.
HTTPS Certificates in Practice — From Let's Encrypt Issuance to Auto-Renewal (certbot, ACME, managed)
A hands-on guide to actually issuing, installing, and auto-renewing HTTPS certificates. It covers ACME and domain ownership validation, issuing Let's Encrypt with certbot, setting up auto-renewal, wildcards (DNS-01), managed options like AWS ACM and Cloudflare, and diagnosing common errors such as a missing chain or name mismatch.
Kubernetes and Cloud Native Associate (KCNA) #7: Cloud Native Application Delivery (8%) — GitOps, CI/CD
The seventh post in the KCNA series. We cover the whole of Domain 5: the split between CI and CD and the pipeline stages, the four principles of GitOps (ArgoCD, Flux) and pull-based delivery, deployment strategies (rolling, blue-green, canary), manifest management with Helm and Kustomize, and the basics of supply chain security.
Red Hat Certified Engineer (RHCE) #15 RHCSA Automation 2: Services, chronyd, log
The fifteenth post in the Red Hat Certified Engineer (RHCE) series. We automate the manual RHCSA work of service management, time synchronization, and log configuration with Ansible. We enable and start daemons in one shot with the service/systemd module, configure NTP with the timesync system role or a chrony template plus a handler, schedule jobs with the cron and at modules, and apply journald persistent storage and tuned profiles through playbooks.
Red Hat Certified System Administrator (RHCSA) #12: firewalld and SSH key authentication
The twelfth post in the Red Hat Certified System Administrator (RHCSA) series. We walk through firewalld's zone concept and how to permanently allow services and ports with firewall-cmd, rich rules and source-based zone assignment, then how to set up SSH key authentication with ssh-keygen and ssh-copy-id and get the authorized_keys permissions right. We zero in on the RHCSA staples — permanently allowing ports and services and configuring key authentication — and the trap of forgetting --permanent.
AWS Certified CloudOps Engineer - Associate (SOA-C03) #7 Domain 3-1 Deployment — CloudFormation in Depth and IaC
The seventh post of the SOA-C03 series covers CloudFormation, the first topic of the deployment and automation domain (22%). It walks through the structure of stacks and templates, change sets and drift detection, stack policies and deletion protection, StackSets for deploying across multiple accounts and regions, and the relationship with other IaC tools such as CDK and Terraform.
AWS Certified Developer - Associate (DVA-C02) #13 Domain 4-2 Troubleshooting and Optimization — Optimization and Problem Solving
The second post of the DVA-C02 troubleshooting domain. It covers choosing caching layers (CloudFront, ElastiCache, DAX, API Gateway), Lambda performance tuning (the relationship between memory and CPU, cold starts, concurrency), handling DynamoDB throttling, and the error codes that frequently appear on the exam (429, 502, 504, ProvisionedThroughputExceededException, etc.) and how to read them. This is the final step of looking at metrics, narrowing down the cause, and fixing it.
Certified Kubernetes Administrator (CKA) #22 Troubleshooting 1: Pods and Apps (Pending, CrashLoop, ImagePull, OOM)
The largest domain on the CKA exam is Troubleshooting (30%). In this post we tackle the four most common Pod-level failures within that domain. For each of Pending, CrashLoopBackOff, ImagePullBackOff/ErrImagePull, and OOMKilled we trace a single flow from symptom to diagnosis to fix, and we drill the order in which to read describe, events, and logs so you reach the root cause fast.
Certified Kubernetes Application Developer (CKAD) #17 Volumes: emptyDir, PVC, projected, ephemeral
The seventeenth post in the Certified Kubernetes Application Developer (CKAD) series. Starting from the volatility of a container filesystem, it works through emptyDir and hostPath, the dynamic provisioning of PersistentVolumeClaim and StorageClass, the projected volume that bundles secret, configMap, and downwardAPI into one directory, and the generic ephemeral volume — all with hands-on YAML examples.
Certified Kubernetes Security Specialist (CKS) #15 Image signing: cosign, SBOM
The fifteenth post in the Certified Kubernetes Security Specialist (CKS) series. The only way to trust an image entering your cluster is to verify a signature that proves its origin. We walk through creating and verifying both key-based and keyless (OIDC) signatures with sigstore's cosign, generating an SBOM (SPDX/CycloneDX) with syft to track components, and closing the supply chain by blocking unsigned images at admission — all with command examples.
DNS Records Setup in Practice — Connecting a Domain to a Server or the Cloud (A, CNAME, apex, TTL)
A hands-on guide to connecting a domain to an actual server or the cloud. Nameserver delegation, real values for A/AAAA/CNAME/MX/TXT records, the apex domain problem and its fixes, TTL and propagation, how to check with dig, and common mistakes — covering both self-managed Linux and managed cloud side by side.