CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

The Kubernetes Certificates API

Manually signing certificates with the cluster CA requires access to the CA private key on the control plane node. That key is the most sensitive secret in the entire cluster. Handing out access to it for routine certificate issuance is a serious security risk. Kubernetes provides a built-in API for requesting and approving certificates without ever touching the CA key directly.

The CertificateSigningRequest resource

The CertificateSigningRequest (CSR) resource represents a request for a signed certificate. A user or an automated process creates a CSR object in Kubernetes. An administrator (or an automated controller) reviews it and approves or denies it. When approved, the Kubernetes controller manager signs the CSR using the cluster CA and stores the result in the CSR object’s status.certificate field.

kubectl get certificatesigningrequests

Run that now. In the simulator, the cluster is pre-configured and may have no pending CSRs. The command still confirms the Certificates API is reachable and shows you the column layout: NAME, AGE, SIGNERNAME, REQUESTOR, REQUESTEDDURATION, CONDITION.

The CONDITION column is the key field. It shows Pending for a CSR waiting for a decision, Approved for one the controller manager has signed, and Denied for one explicitly rejected.

The workflow

The developer generates their private key and a CSR file locally (using openssl, as shown in the previous lesson). They base64-encode the CSR file contents and embed that in a Kubernetes manifest. They submit the manifest. The admin inspects it and approves it. The signed certificate becomes available in the cluster object, and the developer retrieves it.

Building the CSR manifest

Start with the scaffolding:

nano developer-csr.yaml

The manifest needs the CSR contents, a signer, and the intended usages. Build it field by field.

First, the metadata and the encoded request:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: developer
spec:
  request: <base64-encoded-csr>

The request field holds the base64-encoded content of the .csr file. In a real workflow, you would generate this with:

# reference - not available in simulator
cat developer.csr | base64 | tr -d '\n'

Then add the signer and usages:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: developer
spec:
  request: <base64-encoded-csr>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - client auth

The signerName field tells Kubernetes which signing authority to use. kubernetes.io/kube-apiserver-client instructs the controller manager to sign with the cluster CA, producing a certificate valid for authenticating to the API server. The usages field restricts what the certificate can do. A client auth usage cannot be used as a server certificate, and vice versa.

kubectl apply -f developer-csr.yaml

Inspecting a pending CSR

After submitting, list all CSRs to confirm it arrived:

kubectl get certificatesigningrequests

You should see developer in the list with CONDITION Pending. Get the full object to verify the spec was recorded correctly:

kubectl get csr developer -o yaml

The status section is empty at this point: no certificate yet, because no approval has been given.

Quiz

You create a CSR object and immediately run kubectl get csr. The CONDITION column shows Pending. What does that mean?

Try it: kubectl get certificatesigningrequests

Reveal answer

Pending means the CSR has been received but no admin has approved or denied it yet. The controller manager will not sign it until an explicit approval is given. A CSR stays Pending indefinitely until acted on or deleted.

Approving and denying

An administrator reviews the request and approves it:

kubectl certificate approve developer

After approval, the controller manager signs the CSR immediately. List the CSRs again:

kubectl get certificatesigningrequests

The CONDITION column now shows Approved. To retrieve the signed certificate:

kubectl get csr developer -o yaml

The status.certificate field now contains the base64-encoded signed certificate. In a real workflow, the developer decodes that field and adds it to their kubeconfig alongside their private key.

If the request is invalid or should not be granted, an admin denies it instead:

# reference - not available in simulator
kubectl certificate deny developer

Once a CSR is approved or denied, the decision cannot be reversed by the same admin action. To reissue, delete the CSR object and have the developer submit a new one. A denied CSR stays visible in the cluster for auditing purposes until explicitly deleted.

Quiz

What is the security advantage of using the Certificates API instead of signing certificates directly with the CA private key?

Reveal answer

The CA private key never leaves the control plane node, and no individual user needs access to it for routine certificate issuance. An admin only needs permission to approve or deny CSR objects, which is a much narrower privilege. The signing itself is performed internally by the controller manager. This limits the blast radius if an admin account is compromised.

The identity encoded in the CSR

The CSR object’s spec.request contains the original CSR with its subject fields. When the controller manager signs it, those fields are carried into the resulting certificate. The CN in the CSR subject becomes the Kubernetes username. Each O value becomes a group. This means the admin approving the CSR should verify the subject before approving: a CSR with CN=cluster-admin in the subject would, if approved, grant the bearer an admin-level username in RBAC. (RBAC rules themselves are covered in the RBAC module.)

kubectl get certificatesigningrequests

Running this command one final time, note the REQUESTOR column. It shows which Kubernetes user created the CSR object, which is distinct from the identity being requested inside the CSR. Both pieces of information are relevant when auditing certificate issuance.

The Certificates API, the PKI layout, certificate creation, and diagnostic inspection together form the complete picture of how Kubernetes manages TLS security. Every connection in the cluster, from kubectl to the API server to etcd, depends on these building blocks working correctly.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course