CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Creating and Assigning ServiceAccounts

The default ServiceAccount works, but every Pod in the namespace shares it. If you grant that ServiceAccount any permissions, every Pod in the namespace inherits them. That is a real security problem: a compromised Pod could abuse permissions intended for a completely different application. The fix is straightforward: create one dedicated ServiceAccount per application.

Creating a ServiceAccount

Creating a ServiceAccount requires a single command.

kubectl create serviceaccount my-app

Kubernetes creates a namespaced object called my-app in the current namespace. It has no permissions yet. It is purely an identity. Permissions come from RBAC bindings, which are covered in the RBAC module.

Verify the ServiceAccount exists alongside the automatic default.

kubectl get serviceaccounts

You will see both default and my-app in the list. The AGE column on my-app will be just a few seconds old.

Quiz

You run kubectl create serviceaccount my-app. What can this ServiceAccount do in the cluster immediately after creation?

Reveal answer

Nothing. A ServiceAccount is an identity with no permissions attached by default. It cannot read, write, or watch any resource until a RoleBinding or ClusterRoleBinding connects it to a Role. Creating the SA is just the first step.

Assigning a ServiceAccount to a Pod

Once the ServiceAccount exists, you declare it in the Pod manifest under spec.serviceAccountName. Open a new file.

nano app-pod.yaml

Start with the basic metadata.

apiVersion: v1
kind: Pod
metadata:
  name: app-pod
  namespace: default

Add the spec block and put the ServiceAccount name first, before the containers.

spec:
  serviceAccountName: my-app

Then add the container definition below it.

  containers:
  - name: app
    image: nginx:stable

The complete manifest is ready to apply.

kubectl apply -f app-pod.yaml

After the Pod starts, inspect its stored spec to confirm the assignment was recorded correctly.

kubectl get pod app-pod -o yaml

Look for spec.serviceAccountName: my-app in the output. That field confirms the identity. You will also notice a volumes entry and a corresponding volumeMounts entry added automatically by Kubernetes. That is the projected token volume, which delivers the ServiceAccount credentials into the container filesystem. Lesson 03 explains exactly how that works.

Quiz

After applying the manifest, which field in kubectl get pod app-pod -o yaml confirms the ServiceAccount assignment?

Try it: kubectl get pod app-pod -o yaml

Reveal answer

The field spec.serviceAccountName: my-app confirms it. The presence of a projected volume mount under spec.volumes and spec.containers[].volumeMounts also confirms that the token injection is active.

What happens when the ServiceAccount does not exist

Here is the failure case you need to understand before working with ServiceAccounts in production.

nano bad-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  serviceAccountName: nonexistent-sa
  containers:
  - name: app
    image: nginx:stable

kubectl apply -f bad-pod.yaml

The API server may accept the manifest and create the Pod object, but the Pod will never reach Running status. The kubelet requires the referenced ServiceAccount to exist before it can set up the token volume. The Pod stays in Pending with an event describing the missing ServiceAccount. Always verify that the ServiceAccount exists before applying a Pod that references it. Use kubectl get serviceaccounts to confirm before you apply.

Check the Pod status after applying.

kubectl get pod bad-pod

The STATUS column will not show Running. Describe the Pod to see the events explaining why.

kubectl describe pod bad-pod

The events section will contain the reason. This is a common source of confusion when deploying to a new namespace where the required ServiceAccount was not yet created.

Quiz

You apply a Pod manifest that references serviceAccountName: nonexistent-sa, but that SA was never created. What is the most likely outcome?

The Pod uses the default ServiceAccount as a fallback
The Pod object is created but stays in Pending because the SA is missing
The kubectl apply command fails immediately with a validation error

Reveal answer

The Pod object is created but stays in Pending. The API server does not validate foreign key references at admission time by default, so the manifest is accepted. It is the kubelet that cannot proceed because the token volume cannot be prepared without the SA.

A dedicated ServiceAccount per application, explicitly assigned in the Pod spec, is the foundation of workload identity in Kubernetes. Now that you can create and assign ServiceAccounts, lesson 03 explains how Kubernetes delivers the actual token into the container filesystem through a projected volume.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course