#Kubernetes
136 posts
Kubernetes and Cloud Native Associate (KCNA) #5: Cloud Native Architecture (16%) — Autoscaling, Serverless, Community, Open Standards
The fifth post in the KCNA series. It walks through cloud native design philosophy (the CNCF definition, self-healing, resilience), autoscaling (HPA, VPA, Cluster Autoscaler, KEDA), serverless (Knative, FaaS), the CNCF community and project maturity levels, open standards (OCI, CRI, CNI, CSI, OpenTelemetry), and finishes with zero-downtime rollouts and immutable infrastructure.
Certified Kubernetes Administrator (CKA) #20 Networking 3: CoreDNS, NetworkPolicy
The twentieth post in the Certified Kubernetes Administrator (CKA) series. We cover how CoreDNS lets Pods and Services find each other by name inside the cluster, the Corefile configuration, debugging DNS with nslookup, and the NetworkPolicy podSelector and ingress/egress rules that control which Pod can talk to which Pod — all from an operations point of view. We also work through the default deny pattern and the CNI dependency.
Certified Kubernetes Application Developer (CKAD) #15 SecurityContext and Capabilities: runAsUser, fsGroup, readOnly rootfs
The fifteenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers how securityContext restricts which user and privileges a container runs with. We will get hands-on through YAML examples — runAsUser, runAsNonRoot, and fsGroup; readOnlyRootFilesystem and the emptyDir workaround; allowPrivilegeEscalation; the add and drop of Linux capabilities; and the danger of privileged containers.
Certified Kubernetes Security Specialist (CKS) #13 Minimal images: distroless, scratch (Supply Chain)
The thirteenth post in the Certified Kubernetes Security Specialist (CKS) series. It covers image minimization, the starting point of the Supply Chain Security domain — how a large image widens the attack surface with shells, package managers, and needless CVEs, what distroless and scratch strip away, and how to choose among them versus alpine. With Dockerfile examples, we walk through the multistage build pattern that separates build tools from the runtime, how to debug a shell-less image with an ephemeral container, and how to enforce a non-root user.
Kubernetes and Cloud Native Associate (KCNA) #4: Container Orchestration (22%) — Runtime, Security, Networking, Storage, Service Mesh
A walkthrough of the core of the KCNA Container Orchestration domain — container runtimes and the OCI/CRI standards, RBAC and NetworkPolicy security, CNI networking and CoreDNS, CSI storage, and Service Mesh. We map the boundaries the three CRI/CNI/CSI interfaces draw, the Service types, the default behavior of NetworkPolicy, and other recurring exam points.
Certified Kubernetes Administrator (CKA) #19 Networking 2: Ingress, IngressClass, TLS
The nineteenth post in the Certified Kubernetes Administrator (CKA) series. We cover how to consolidate host- and path-based routing and TLS termination — things Service alone cannot solve — into Ingress. From an operations angle, we work through Ingress rules (pathType Prefix/Exact, rules/backend, defaultBackend), IngressClass that separates multiple controllers, the Ingress Controller that must exist for Ingress to do anything, and the TLS section that references a Secret.
Certified Kubernetes Application Developer (CKAD) #14 ServiceAccount and RBAC (App Perspective)
Part 14 of the Certified Kubernetes Application Developer (CKAD) series. When an app running inside a Pod calls the Kubernetes API, which identity does it authenticate as, and which permissions is it authorized for? This post lays that out from the ServiceAccount and RBAC angle. You will get hands-on with automatic SA token mounting and turning it off, granting permissions with Role and RoleBinding, and verifying with kubectl auth can-i.
Certified Kubernetes Security Specialist (CKS) #12 Pod-to-Pod mTLS: Cilium
The twelfth post of the Certified Kubernetes Security Specialist (CKS) series. As the final topic of the Minimize Microservice Vulnerabilities domain, it covers the problem that Pod-to-Pod traffic is plaintext by default and the need for encryption in transit. We organize, concept-first, the sidecar mTLS model of Service Mesh (Istio/Linkerd), Cilium's transparent encryption (WireGuard/IPsec) and its mTLS direction, the difference between NetworkPolicy (L3/L4) and mTLS (encryption/identity), and why in-transit encryption matters from a CKS perspective.
Kubernetes and Cloud Native Associate (KCNA) #3: Kubernetes Fundamentals 2 — API, Containers, Scheduling
A rundown of the Kubernetes API object model (apiVersion, kind, metadata, spec, status) and the declarative vs. imperative styles, container images and runtimes, the kube-scheduler scheduling process (nodeSelector, affinity, taint), and how to inject configuration with ConfigMap and Secret. This wraps up the back half of Domain 1, Kubernetes Fundamentals (46%).
Certified Kubernetes Administrator (CKA) #18 Networking 1: Service (ClusterIP/NodePort/LoadBalancer/ExternalName)
Part 18 of the Certified Kubernetes Administrator (CKA) series. We follow the flow where a Service uses a selector to pick Pods, builds Endpoints, and kube-proxy turns those into node-level rules. We cover the four types — ClusterIP, NodePort, LoadBalancer, ExternalName — the distinction between port/targetPort/nodePort, headless Services, k expose, and the operational instinct for tracing the cause through Endpoints when a Service stops working.
Certified Kubernetes Application Developer (CKAD) #13 ConfigMap and Secret in Depth: volume vs env, Auto-Refresh
The thirteenth post in the Certified Kubernetes Application Developer (CKAD) series. We create ConfigMaps and Secrets that pull configuration and sensitive data out of code, and cover the three ways to inject them — env (valueFrom, envFrom) and volume mounts — in exam-task format. In particular, we drill the difference that env stays fixed until the Pod restarts while a volume auto-refreshes after a delay.
Certified Kubernetes Security Specialist (CKS) #11: Isolation — gVisor, Kata Containers, RuntimeClass
The eleventh post in the Certified Kubernetes Security Specialist (CKS) series. We pin down the root problem that container isolation is weak because containers share the host kernel, and lay out the sandbox runtimes that make up for it. We compare how gVisor (runsc), which intercepts system calls with a user-space kernel, and Kata Containers, which separates workloads in lightweight VMs, each work; how to declare a handler with RuntimeClass and apply it via a Pod's runtimeClassName; the trade-offs between security and performance/compatibility; and finally the RuntimeClass creation and Pod assignment tasks that show up often on the exam, building them by hand.