CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Capabilities and Read-Only Root Filesystem

Running as a non-root UID is a strong first step. But a process that runs as UID 1000 can still hold Linux capabilities inherited from the container runtime. And a process without any dangerous capabilities can still write malware to its own filesystem if it gets compromised. Two container-level fields address these remaining attack surfaces: capabilities and readOnlyRootFilesystem. Together with allowPrivilegeEscalation: false, they form the practical hardening checklist for a container.

Linux capabilities in practice

Recall from the first lesson that Linux capabilities break root into discrete privileges. The container runtime grants a default set when it starts a container. That set typically includes CAP_NET_RAW (raw socket access), CAP_CHOWN (change file ownership), CAP_SETUID, CAP_SETGID, and around a dozen others. Most applications need none of them.

The recommended pattern is: drop all capabilities first, then add back only the ones the application genuinely needs. This is the principle of least privilege applied at the kernel level.

nano hardened-pod.yaml

Start with the drop-all baseline:

apiVersion: v1
kind: Pod
metadata:
  name: hardened-pod
spec:
  containers:
    - name: app
      image: nginx:1.28
      securityContext:
        capabilities:
          drop:
            - ALL

kubectl apply -f hardened-pod.yaml

kubectl describe pod hardened-pod

In the Security Context block, look for Drop: [ALL]. That single entry tells the runtime to strip every capability from the container before it starts. If the application needs to bind to a port below 1024, you would add NET_BIND_SERVICE back:

# illustrative only
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE

Quiz

Why is drop: ["ALL"] followed by specific add entries safer than relying on the default capability set?

Reveal answer

The default set includes capabilities the application may never use but that an attacker could leverage after compromising the process. For example, CAP_NET_RAW allows crafting arbitrary raw packets, which is useful for network attacks. Dropping all and adding back only what is needed means a compromised container has the smallest possible kernel-level attack surface. This is least privilege applied at the syscall boundary.

allowPrivilegeEscalation: blocking setuid

Even without dangerous capabilities, a container can escalate privileges through setuid binaries, programs that run with the owner’s permissions rather than the caller’s. allowPrivilegeEscalation: false prevents any process in the container from gaining more privileges than its parent process holds. It blocks setuid and setgid execution at the kernel level.

Add it to the manifest:

nano hardened-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: hardened-pod
spec:
  containers:
    - name: app
      image: nginx:1.28
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL

kubectl apply -f hardened-pod.yaml

This field is container-level only, for the same reason capabilities are container-level: it is a per-process property, not a pod-wide policy.

readOnlyRootFilesystem: removing the writable surface

Now consider a different threat. An attacker achieves remote code execution inside your container. They want to install a persistent backdoor or download additional tools. If the container’s root filesystem is writable, they can. If it is not, they cannot.

readOnlyRootFilesystem: true mounts the container’s root filesystem as read-only. Writes fail immediately. The process can still read every file, but cannot create, modify, or delete anything on the root filesystem.

Add it to the manifest:

nano hardened-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: hardened-pod
spec:
  containers:
    - name: app
      image: nginx:1.28
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL

kubectl apply -f hardened-pod.yaml

kubectl describe pod hardened-pod

The describe output will show Read Only Root Filesystem: true under the container’s security context.

Setting readOnlyRootFilesystem: true on nginx:1.28 will cause the container to crash. nginx writes to /var/run/nginx.pid and /var/cache/nginx during startup. With a read-only root filesystem, those writes fail and nginx exits immediately. The fix is to mount emptyDir volumes at those paths, providing a writable in-memory location. In a real scenario you would add volume mounts for every directory the application needs to write to. For this lesson, the failure itself is the point: it shows that readOnlyRootFilesystem: true is genuinely enforced, not just advisory.

The complete hardened manifest

Here is the fully assembled hardened Pod spec with all three container-level fields applied:

nano hardened-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: hardened-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 2000
  containers:
    - name: app
      image: nginx:1.28
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL

kubectl apply -f hardened-pod.yaml

kubectl describe pod hardened-pod

Reading the describe output from top to bottom gives you the full security posture: the pod-level UID and GID, then per-container the capability set, the privilege escalation block, and the filesystem mode. That is the complete picture.

Quiz

You set readOnlyRootFilesystem: true and the Pod crashes immediately after starting. How do you diagnose the problem using only the simulator?

Try it: kubectl describe pod hardened-pod

Reveal answer

The Events section at the bottom of the describe output will show the container’s exit event and often the reason. If the application crashes because it cannot write to a path on the root filesystem, you will see the container exit with a non-zero code shortly after starting. The fix is to identify which paths need to be writable and mount emptyDir volumes at those exact paths.

You now have the complete security context toolkit for container hardening: identity fields at the pod level, and capability, escalation, and filesystem restrictions at the container level. The next module moves from runtime security to image security, examining where container images come from, how to verify them, and how to control which images are allowed to run in a cluster.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course