#Kubernetes

136 posts

Kubernetes and Cloud Native Associate (KCNA) #2: Kubernetes Fundamentals 1 — Architecture and Core Resources
12 min read

The second post in the KCNA series. The first half of Domain 1, the largest at 46%, covering the components of the control plane and worker nodes (kube-apiserver, etcd, kube-scheduler, controller-manager, kubelet, kube-proxy, container runtime), the declarative model and the reconciliation loop, and the core resources Pod, ReplicaSet, Deployment, Service, and Namespace.

Certified Kubernetes Administrator (CKA) #17 Storage 2: StorageClass, Dynamic Provisioning, Reclaim Policy, Expansion
10 min read

The 17th post in the Certified Kubernetes Administrator (CKA) series. We configure dynamic provisioning with a StorageClass so that creating just a PVC makes a PV appear automatically, and sort out the difference between the default StorageClass and volumeBindingMode. We also confirm with YAML how reclaimPolicy (Delete/Retain) treats data when a PV is removed, and how allowVolumeExpansion grows a volume.

Certified Kubernetes Application Developer (CKAD) #12 Observability: logging, kubectl debug, port-forward, ephemeral container
9 min read

The twelfth post in the Certified Kubernetes Application Developer (CKAD) series. A hands-on tour of the observability tools you reach for when an app misbehaves. Follow logs with kubectl logs, read state with describe and events, get inside with exec and port-forward, and debug even shell-less containers with the ephemeral container of kubectl debug — building the muscle memory for the whole flow.

Certified Kubernetes Security Specialist (CKS) #10 Secrets Management: etcd Encryption, External Secrets
11 min read

The tenth post in the Certified Kubernetes Security Specialist (CKS) series. Starting from the fact that a Kubernetes Secret is stored in etcd as base64 only — which is not encryption — we walk through encrypting secrets at rest with an EncryptionConfiguration, wiring it to the apiserver flags, re-encrypting existing Secrets, and checking for plaintext with etcdctl. We then tie in the big picture of integrating an external secret store via the External Secrets Operator and KMS, plus minimizing Secret-access RBAC, so you get hands-on with the exam staple of enabling etcd encryption.

Kubernetes and Cloud Native Associate (KCNA) #1: Exam Introduction — Structure and Study Strategy
11 min read

The opening post of the Kubernetes and Cloud Native Associate (KCNA) series. The shape of 60 questions, 90 minutes, and a 75% passing line; the weight and meaning of the five domains; registration and the online-proctored testing environment; and the study strategy that turns the intuition built in the [K8s hands-on track](/en/posts/k8s-basics-1) into multiple-choice answers. This series targets a KCNA pass in nine posts, wrapping up with a mock multiple-choice exam in #9.

Certified Kubernetes Administrator (CKA) #16 Storage 1: Volume Types, PV, PVC, and Static Provisioning
10 min read

The sixteenth post in the Certified Kubernetes Administrator (CKA) series. From Volume types (emptyDir, hostPath, configMap/secret, PVC) to a PersistentVolume's capacity and accessModes, persistentVolumeReclaimPolicy, the request and binding rules of a PersistentVolumeClaim, and the static provisioning where an admin creates PVs ahead of time — all walked through with YAML examples.

Certified Kubernetes Application Developer (CKAD) #11 Probes: liveness, readiness, startup (exec/HTTP/TCP)
10 min read

Part 11 of the Certified Kubernetes Application Developer (CKAD) series. Learn the three probes (liveness, readiness, startup) and the three handlers (exec, httpGet, tcpSocket) that Kubernetes uses to check whether a container is alive and ready to take traffic — through YAML examples — and nail down the liveness-vs-readiness distinction that trips people up most often on the exam.

Certified Kubernetes Security Specialist (CKS) #9: Pod Security Admission (PSA, Pod Security Standards)
9 min read

The ninth post in the Certified Kubernetes Security Specialist (CKS) series. It covers how Pod Security Admission — the replacement for the retired PodSecurityPolicy — rejects dangerous Pods at the namespace level. We work through the three levels of the Pod Security Standards (privileged, baseline, restricted) and the three modes (enforce, audit, warn), applying them with namespace labels, the security settings restricted demands, and how to write a Pod that passes — all from an exam point of view.

Certified Kubernetes Administrator (CKA) #15 Resource Management: requests/limits, QoS, LimitRange, ResourceQuota
9 min read

The 15th post in the Certified Kubernetes Administrator (CKA) series. We lay out how requests and limits reserve and cap cpu and memory, the difference between CPU throttling and memory OOMKilled, and how the three QoS classes — Guaranteed, Burstable, BestEffort — decide eviction order. Then we work through the operational policies that enforce container defaults with LimitRange and namespace totals with ResourceQuota, all in YAML.

Certified Kubernetes Application Developer (CKAD) #10 Kustomize: The Overlay Pattern and Per-Environment Manifests
9 min read

The tenth post in the Certified Kubernetes Application Developer (CKAD) series. It covers Kustomize, which transforms manifests per environment without templates. From the core fields of kustomization.yaml to the base/overlays structure, patchesStrategicMerge and JSON6902 patches, the hash-based rolling of configMapGenerator and secretGenerator, and the build-and-apply flow via the -k flag — organized from a hands-on exam perspective.

Certified Kubernetes Security Specialist (CKS) #8: kernel hardening, capabilities, /proc protection
11 min read

The eighth post of the Certified Kubernetes Security Specialist (CKS) series. We cover how to strip privileges from containers with securityContext to shrink the attack surface. From the drop-ALL-then-add-only-what-you-need pattern for Linux capabilities, to the dangers of privileged and allowPrivilegeEscalation, runAsNonRoot and readOnlyRootFilesystem, /proc masking via procMount, and blocking hostPID/hostNetwork/hostIPC and host path mounts — all pulled together into a hardened YAML example.

Certified Kubernetes Administrator (CKA) #14 Scheduling 2: Taints/tolerations, Priority/PriorityClass, preemption
10 min read

The fourteenth post in the Certified Kubernetes Administrator (CKA) series. We work through taints that let a node push Pods away and tolerations that accept that rejection (the NoSchedule/PreferNoSchedule/NoExecute effects, tolerationSeconds), the default taint on control plane nodes, and finally PriorityClass for ranking priority and preemption that evicts lower-priority Pods when resources run short — all from an operator's point of view with YAML and kubectl.