CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

ClusterRoles and ClusterRoleBindings

A monitoring agent needs to list Pods across all namespaces. A Role would not work: Roles are namespaced, so a Role in monitoring can only grant access to resources in monitoring. To read Pods everywhere, you need a ClusterRole.

Start by examining what Kubernetes ships with. In your simulated cluster:

kubectl get clusterroles | grep -v system

You will see a short list of built-in ClusterRoles that Kubernetes creates automatically. Inspect one of them:

kubectl describe clusterrole view

The view ClusterRole grants read-only access to most resources across any namespace. edit adds write access. admin adds the ability to manage RBAC objects within a namespace. cluster-admin grants unrestricted access to everything in the cluster.

ClusterRole vs Role

A ClusterRole is not tied to any namespace. Its rules can apply to resources in every namespace, and they can also apply to resources that have no namespace at all: Nodes, PersistentVolumes, StorageClasses, and Namespaces themselves are cluster-scoped and can only be granted through a ClusterRole.

The shape of a ClusterRole manifest is nearly identical to a Role. The namespace field is absent, and the kind is ClusterRole:

nano monitor-clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-lister
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

kubectl apply -f monitor-clusterrole.yaml

kubectl get clusterroles | grep pod-lister

Quiz

Which of the following requires a ClusterRole rather than a Role?

Allowing a subject to list Pods in the default namespace
Allowing a subject to list Nodes across the cluster
Allowing a subject to create ConfigMaps in the dev namespace

Reveal answer

Listing Nodes requires a ClusterRole. Nodes are a cluster-scoped resource with no namespace. A Role cannot reference them because Roles only operate within a namespace context. The other two options can use a namespaced Role.

ClusterRoleBinding

A ClusterRoleBinding binds a ClusterRole to a subject with cluster-wide scope. The subject receives the ClusterRole’s permissions in every namespace, plus any cluster-scoped resources.

nano monitor-crb.yaml

Note that subjects still requires a namespace for ServiceAccount entries, because a ServiceAccount is a namespaced object even if the binding is cluster-wide:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: monitoring-pod-lister
subjects:
  - kind: ServiceAccount
    name: monitoring-agent
    namespace: monitoring
roleRef:
  kind: ClusterRole
  name: pod-lister
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f monitor-crb.yaml

kubectl get clusterrolebindings | grep monitoring

The ServiceAccount monitoring-agent in the monitoring namespace can now get, list, and watch Pods in any namespace in the cluster.

Never bind cluster-admin to an application ServiceAccount. The built-in cluster-admin ClusterRole grants unrestricted access to every resource and every verb, including creating and deleting Namespaces, modifying RBAC policies, and accessing Secrets cluster-wide. A misconfigured or compromised application with cluster-admin can destroy the entire cluster. Reserve cluster-admin for cluster operators only, and even then, use it for specific administrative tasks rather than persistent bindings.

A powerful pattern: ClusterRole bound with a RoleBinding

A ClusterRole can also be referenced by a regular namespaced RoleBinding. When you do this, the ClusterRole’s rules apply, but only within the namespace of that RoleBinding. This pattern lets you define permission templates once as ClusterRoles and reuse them across multiple namespaces without duplicating Role objects in every namespace.

Why does Kubernetes support this? Because maintaining identical Roles across twenty namespaces is error-prone. A single ClusterRole template with per-namespace RoleBindings is the standard pattern for shared permission sets.

Quiz

You have a ClusterRole named log-reader that allows get and list on pods/log. You create a RoleBinding in namespace staging that references this ClusterRole. What access does the subject receive?

Reveal answer

The subject can get and list pod logs only within the staging namespace. The RoleBinding scopes the ClusterRole’s rules to its own namespace. The subject does not gain access to pod logs in any other namespace. This is the namespace-scoping behavior of referencing a ClusterRole through a RoleBinding.

ClusterRoles and ClusterRoleBindings give you the cluster-wide reach that namespaced Roles cannot provide. The next lesson shows you how to verify that these permissions actually work the way you expect, using kubectl auth can-i to test access before deploying.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course