#Kubernetes

136 posts

Certified Kubernetes Application Developer (CKAD) #9 Helm: install, upgrade, rollback, values
9 min read

The ninth post in the Certified Kubernetes Application Developer (CKAD) series. We lay out Helm's chart structure and the release concept that lets you treat a bundle of manifests as a single package, then drill helm repo, install, upgrade, rollback and values overrides hands-on, command by command. We type through the full flow of previewing a change with --dry-run, inspecting revisions with helm history, and reverting with helm rollback.

Certified Kubernetes Security Specialist (CKS) #7: seccomp Profiles
8 min read

The seventh post in the Certified Kubernetes Security Specialist (CKS) series. We cover how to use seccomp to filter the system calls a container can make. We work directly through the three profile types — RuntimeDefault, Localhost, and Unconfined — the securityContext.seccompProfile setting, and writing and verifying a custom profile JSON loaded onto the node.

Kubernetes book now available free in full — Kubernetes: From Basics to EKS in Production
2 min read

From Pod basics to GitOps, observability, and cost governance on EKS, this 32-chapter Kubernetes book is free to read in full on the site.

Certified Kubernetes Administrator (CKA) #13 Scheduling 1: nodeSelector, nodeAffinity, podAffinity/antiAffinity
9 min read

The thirteenth post in the Certified Kubernetes Administrator (CKA) series. We lay out the four tools that control which node the scheduler places a Pod on. nodeSelector does simple label matching, nodeAffinity expresses node conditions with required and preferred, and podAffinity/podAntiAffinity use topologyKey to place a Pod on the same node as — or a different node from — other Pods. We also look at manual placement that bypasses the scheduler with nodeName.

Certified Kubernetes Application Developer (CKAD) #8 Deployment Strategies: Blue-green, Canary
9 min read

The eighth post in the Certified Kubernetes Application Developer (CKAD) series. Implement zero-downtime deployment strategies by hand with nothing but Deployment, Service, and labels — no managed deployment tooling. We review rolling update and recreate, build instant cutover and rollback with blue-green, and implement traffic splitting through replicas ratios with canary.

Certified Kubernetes Security Specialist (CKS) #6: AppArmor profiles (System Hardening)
11 min read

The sixth post in the Certified Kubernetes Security Specialist (CKS) series. We cover how to restrict a container's file and capability access at the kernel level with AppArmor, Linux's mandatory access control (MAC) system. We work through the difference between enforce and complain modes, writing a profile with deny rules, loading it onto a node with apparmor_parser and confirming with aa-status, the two ways of attaching it to a Pod (the 1.30+ securityContext.appArmorProfile field and the older container.apparmor.security.beta.kubernetes.io annotation), and verifying with kubectl exec that the profile actually blocks what it should.

Certified Kubernetes Administrator (CKA) #12 ConfigMap and Secret in Depth
9 min read

The twelfth post in the Certified Kubernetes Administrator (CKA) series. We dig into ConfigMap and Secret from an operator's point of view: the three sources of kubectl create (--from-literal, --from-file, --from-env-file), Secret types (generic/docker-registry/tls) and the fact that base64 is not encryption, the injection methods of env valueFrom, envFrom, volume mount, and subPath, the difference in auto-refresh between env and volume, and how immutable buys you both performance and safety — all laid out with YAML and kubectl.

Certified Kubernetes Application Developer (CKAD) #7 Workloads 3: Job, CronJob (Backoff, Concurrency)
10 min read

The seventh post in the Certified Kubernetes Application Developer (CKAD) series. It covers Job, which handles run-once batch work, and CronJob, which runs that work on a schedule, from a hands-on exam perspective. We will build completions, parallelism, backoffLimit, activeDeadlineSeconds, restartPolicy, and ttlSecondsAfterFinished, along with CronJob's schedule, concurrencyPolicy, startingDeadlineSeconds, and suspend, directly with YAML and kubectl.

Certified Kubernetes Security Specialist (CKS) #5: ServiceAccount token management, restricting API access, cluster upgrades
11 min read

The fifth post in the Certified Kubernetes Security Specialist (CKS) series. It covers ServiceAccount token management, a frequent topic in the Cluster Hardening domain. We work through setting automountServiceAccountToken to false to block unnecessary token mounts, the expiration and audience of bound ServiceAccount tokens, and the difference between legacy Secret tokens and projected tokens. Then we shrink the API access surface by disabling anonymous-auth and protecting the kubelet API, and finish with cluster upgrades for applying security patches.

Admission Controller
12 min read

We cover the admission model, where the Kubernetes API server inspects and transforms a manifest just before storing it in etcd. We organize the two types, Mutating and Validating; the built-in controllers (LimitRanger · ResourceQuota · PodSecurity, etc.); the webhook mechanism; and a comparison of the two policy engines built on top of it, OPA Gatekeeper (Rego) and Kyverno (YAML).
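The seccomp (#7), AppArmor (#6) and ServiceAccount token (#5) posts above each describe one Pod setting, and the admission post describes where such settings get enforced. The script below is an added example, not code from the series, from the book, or from any Kubernetes project: it turns those three settings into a static check over a JSON Pod manifest, the same decision a validating admission webhook or a Kyverno/Gatekeeper policy would make, but runnable offline with only the Python standard library. The function names (audit_pod, check_seccomp, check_apparmor, check_sa_token) and the two sample manifests are assumptions made for the demo; the field names, the annotation key and the profile types are the real Kubernetes ones the posts cover.

```python
"""Offline hardening check for Pod manifests (added example, not from the
CKS series or any Kubernetes project). Models what a validating admission
webhook or Kyverno/Gatekeeper policy would decide, using only the stdlib."""
import json

# Legacy AppArmor annotation key prefix (value: "runtime/default",
# "localhost/<profile>" or "unconfined").
APPARMOR_ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def _effective_profile(pod, container, field):
    """Container-level securityContext.<field> overrides the pod-level one."""
    c_prof = (container.get("securityContext") or {}).get(field)
    if c_prof is not None:
        return c_prof
    return (pod.get("spec", {}).get("securityContext") or {}).get(field)


def check_seccomp(pod):
    """Flag containers that end up with no seccomp filter."""
    findings = []
    for c in _containers(pod):
        prof = _effective_profile(pod, c, "seccompProfile")
        if prof is None:
            # No seccompProfile means Unconfined unless the kubelet runs with
            # seccompDefault enabled, which it does not by default.
            findings.append(f"{c['name']}: no seccompProfile (defaults to Unconfined)")
        elif prof.get("type") == "Unconfined":
            findings.append(f"{c['name']}: seccompProfile type Unconfined")
        elif prof.get("type") == "Localhost" and not prof.get("localhostProfile"):
            findings.append(f"{c['name']}: Localhost seccomp profile without localhostProfile")
    return findings


def check_apparmor(pod):
    """Flag containers with no AppArmor profile via either attachment method."""
    findings = []
    annotations = pod.get("metadata", {}).get("annotations") or {}
    for c in _containers(pod):
        prof = _effective_profile(pod, c, "appArmorProfile")  # 1.30+ field
        if prof is not None:
            if prof.get("type") == "Unconfined":
                findings.append(f"{c['name']}: appArmorProfile type Unconfined")
            continue
        ann = annotations.get(APPARMOR_ANNOTATION_PREFIX + c["name"])  # pre-1.30 way
        if ann is None:
            findings.append(f"{c['name']}: no AppArmor profile (field or annotation)")
        elif ann == "unconfined":
            findings.append(f"{c['name']}: AppArmor annotation unconfined")
    return findings


def check_sa_token(pod):
    """Flag Pods that still auto-mount a ServiceAccount token.

    Only the Pod-level field is visible in the manifest; the same field set to
    false on the ServiceAccount object would also suppress the mount."""
    if pod.get("spec", {}).get("automountServiceAccountToken") is False:
        return []
    return ["automountServiceAccountToken is not false"]


def audit_pod(manifest_json):
    """Run every check on a JSON-encoded Pod and return {check: findings}."""
    pod = json.loads(manifest_json)
    return {
        "seccomp": check_seccomp(pod),
        "apparmor": check_apparmor(pod),
        "sa_token": check_sa_token(pod),
    }


# Constructed sample manifests for the demo (not taken from the posts).
WEAK_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
})
HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "nginx", "securityContext": {
            "seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/audit.json"},
            "appArmorProfile": {"type": "Localhost", "localhostProfile": "k8s-deny-write"},
        }}],
    },
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(name, audit_pod(doc))
```

Feed it `kubectl get pod <name> -o json` output and every finding is a setting the corresponding post tells you how to fix. Two caveats the checks make explicit: an absent seccompProfile is not neutral (it is Unconfined unless the kubelet's seccompDefault is on), and a Pod can look exposed on automountServiceAccountToken when the ServiceAccount object itself already disables the mount, which a manifest-only check cannot see.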

App Deployment Skeleton
14 min read

We deploy the sample service myshop-api onto the empty EKS cluster stood up in Chapter 21 as a set of manifests. We organize the 9 objects Namespace · ServiceAccount · ConfigMap · Secret · Deployment · Service · Ingress · HPA · PodDisruptionBudget into a single flow, and auto-provision an ALB with the AWS Load Balancer Controller. We follow all the way through to abstracting that set into a Helm chart and applying it to dev / prod with different values.

Certified Kubernetes Administrator (CKA) #11 Workloads 2: DaemonSet, StatefulSet, Job, CronJob
11 min read

The eleventh post in the Certified Kubernetes Administrator (CKA) series. We organize the four workloads that Deployment can't cover: the DaemonSet that runs exactly one Pod per node, the StatefulSet with stable IDs, ordering, a headless Service, and volumeClaimTemplates, the Job that runs toward completion, and the CronJob that stamps out Jobs on a schedule — all drilled hands-on with YAML and kubectl.