#Infrastructure

300 posts

AWS Certified Developer - Associate (DVA-C02) #11 Domain 3-3 Deployment — Deployment Strategies
4 min read

The third post of the DVA-C02 deployment domain. It covers, at the exam level, the difference between in-place and blue/green deployment, traffic-shifting methods like canary, linear, and all-at-once, weighted routing using Lambda aliases and versions, gradual deployment through API Gateway stages, and automatic rollback tied to CloudWatch alarms. The key is how to update safely with zero downtime.

Certified Kubernetes Administrator (CKA) #20 Networking 3: CoreDNS, NetworkPolicy
12 min read

The twentieth post in the Certified Kubernetes Administrator (CKA) series. We cover how CoreDNS lets Pods and Services find each other by name inside the cluster, the Corefile configuration, debugging DNS with nslookup, and the NetworkPolicy podSelector and ingress/egress rules that control which Pod can talk to which Pod — all from an operations point of view. We also work through the default deny pattern and the CNI dependency.

Certified Kubernetes Application Developer (CKAD) #15 SecurityContext and Capabilities: runAsUser, fsGroup, readOnly rootfs
9 min read

The fifteenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers how securityContext restricts which user and privileges a container runs with. We will get hands-on through YAML examples — runAsUser, runAsNonRoot, and fsGroup; readOnlyRootFilesystem and the emptyDir workaround; allowPrivilegeEscalation; the add and drop of Linux capabilities; and the danger of privileged containers.

Certified Kubernetes Security Specialist (CKS) #13 Minimal images: distroless, scratch (Supply Chain)
11 min read

The thirteenth post in the Certified Kubernetes Security Specialist (CKS) series. It covers image minimization, the starting point of the Supply Chain Security domain — how a large image widens the attack surface with shells, package managers, and needless CVEs, what distroless and scratch strip away, and how to choose among them versus alpine. With Dockerfile examples, we walk through the multistage build pattern that separates build tools from the runtime, how to debug a shell-less image with an ephemeral container, and how to enforce a non-root user.

Kubernetes and Cloud Native Associate (KCNA) #4: Container Orchestration (22%) — Runtime, Security, Networking, Storage, Service Mesh
11 min read

A walkthrough of the core of the KCNA Container Orchestration domain — container runtimes and the OCI/CRI standards, RBAC and NetworkPolicy security, CNI networking and CoreDNS, CSI storage, and Service Mesh. We map the boundaries the three CRI/CNI/CSI interfaces draw, the Service types, the default behavior of NetworkPolicy, and other recurring exam points.

Red Hat Certified Engineer (RHCE) #12 Collection: Galaxy, Automation Hub
8 min read

Part 12 of the Red Hat Certified Engineer (RHCE) series. We cover the concept of an Ansible collection and FQCN (namespace.collection.module), how to install collections and roles with ansible-galaxy, the way to install dependencies in bulk with requirements.yml, the difference between Galaxy and Automation Hub, and the collections_path setting in ansible.cfg — all from a hands-on exam point of view. We work through the exam staple of downloading a collection with requirements.yml and using it via FQCN as a worked example.

Red Hat Certified System Administrator (RHCSA) #9 System Operations: chronyd, journald, cron, systemd timer, tuned
9 min read

The ninth post in the Red Hat Certified System Administrator (RHCSA) series. We set system time with timedatectl and chronyd, read and persist logs with journald and rsyslog, schedule jobs with cron and systemd timers, and tune system profiles with tuned — the operational tasks, organized around the commands you actually type on the exam.

AWS Certified CloudOps Engineer - Associate (SOA-C03) #4 Domain 1-3 Monitoring — Automated Recovery and Performance Optimization
6 min read

The fourth post of the SOA-C03 series covers automated responses after detection: how EventBridge reacts to events, how to automate recovery with Systems Manager Automation runbooks, EC2 automated recovery and Auto Scaling self-healing, and the flow of diagnosing performance bottlenecks with Compute Optimizer and CloudWatch while optimizing cost along the way.

AWS Certified Developer - Associate (DVA-C02) #10 Domain 3-2 Deployment — IaC and Serverless Deployment
4 min read

The second post of the DVA-C02 deployment domain. It covers, at the exam level, CloudFormation's template structure (Resources, Parameters, Mappings, Outputs), stacks, change sets, drift, nested stacks, SAM's template and sam deploy / sam local that simplify serverless deployment, and Elastic Beanstalk's deployment policies (All at once, Rolling, Immutable) along with .ebextensions.

Certified Kubernetes Administrator (CKA) #19 Networking 2: Ingress, IngressClass, TLS
8 min read

The nineteenth post in the Certified Kubernetes Administrator (CKA) series. We cover how to consolidate host- and path-based routing and TLS termination — things Service alone cannot solve — into Ingress. From an operations angle, we work through Ingress rules (pathType Prefix/Exact, rules/backend, defaultBackend), IngressClass that separates multiple controllers, the Ingress Controller that must exist for Ingress to do anything, and the TLS section that references a Secret.

Certified Kubernetes Application Developer (CKAD) #14 ServiceAccount and RBAC (App Perspective)
10 min read

Part 14 of the Certified Kubernetes Application Developer (CKAD) series. This post lays out, from the ServiceAccount and RBAC angle, what identity an app running inside a Pod authenticates as when it calls the Kubernetes API and what permissions it is authorized for. You will get hands-on with automatic SA token mounting and turning it off, granting permissions with Role and RoleBinding, and verifying with kubectl auth can-i.

Certified Kubernetes Security Specialist (CKS) #12 Pod-to-Pod mTLS: Cilium
9 min read

The twelfth post of the Certified Kubernetes Security Specialist (CKS) series. As the final topic of the Minimize Microservice Vulnerabilities domain, it covers the problem that Pod-to-Pod traffic is plaintext by default and the need for encryption in transit. We organize, concept-first, the sidecar mTLS model of Service Mesh (Istio/Linkerd), Cilium's transparent encryption (WireGuard/IPsec) and its mTLS direction, the difference between NetworkPolicy (L3/L4) and mTLS (encryption/identity), and why in-transit encryption matters from a CKS perspective.