CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Creating a Kubeconfig from Scratch

A new cluster admin hands you three files: a CA certificate, a client certificate, and a private key. They tell you the API server address. Your task is to configure kubectl so you can start running commands. There is no wizard, no GUI. You build the kubeconfig entry by entry using four kubectl config set-* commands.

The workflow has a fixed order. Each step registers one piece of the kubeconfig, and they accumulate until the full configuration is in place.

Step 1: Register the cluster

The first command tells kubectl where the cluster lives and how to trust its TLS certificate:

kubectl config set-cluster my-cluster --server=https://192.168.1.100:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt

This writes a new entry into the clusters section of ~/.kube/config. The --server flag sets the API server URL. The --certificate-authority flag points to the CA certificate file that kubectl will use to verify the server’s TLS certificate. Without it, kubectl either rejects the connection or falls back to an insecure mode.

In the simulator, the kubeconfig is pre-configured and the certificate files shown in these examples do not exist on disk. These commands are shown as a conceptual reference for what you would run against a real cluster. In the simulator, run kubectl config view to see the kubeconfig that is already in place.

You can confirm the cluster was registered:

kubectl config get-clusters

The new cluster name my-cluster should appear in the list.

Step 2: Register the user credentials

The second command registers your identity, the client certificate and the corresponding private key:

kubectl config set-credentials my-user --client-certificate=/etc/kubernetes/pki/admin.crt --client-key=/etc/kubernetes/pki/admin.key

This writes a new entry into the users section. The --client-certificate file contains your certificate (the one signed by the cluster’s CA), and --client-key is the private key that proves you hold that certificate. The API server uses your certificate’s common name (CN) to look up your identity in its access control system.

Quiz

You run kubectl config set-credentials my-user --client-certificate=... but later realize you want to rename the user label from my-user to admin. Does this change your permissions in the cluster?

Reveal answer

No. The label in kubeconfig is local bookkeeping. The API server reads the certificate itself to determine your identity, specifically the CN field in the certificate. Renaming the kubeconfig label has no effect on what you are allowed to do. Permissions belong to RBAC, which is a separate module.

Step 3: Bind cluster and user into a context

With a cluster entry and a user entry registered, the third command creates a context that connects them:

kubectl config set-context my-context --cluster=my-cluster --user=my-user

This writes a new entry into the contexts section. You can optionally add --namespace=<ns> to set a default namespace for this context. Without it, kubectl defaults to the default namespace whenever you do not specify -n.

A common mistake at this step is a typo: the --cluster and --user values must exactly match the names used in the previous two commands. If they do not match, the context is created but kubectl will fail to resolve the cluster or user entry when you try to use it.

kubectl config set-context does not validate that the cluster and user names exist. You will get no error at creation time. The failure only appears when you try to run a command using that context and kubectl cannot resolve the references.

Step 4: Activate the context

The fourth command sets the new context as active:

kubectl config use-context my-context

Output:

Switched to context "my-context".

Now every kubectl command targets my-cluster using the my-user credentials, until you switch context again.

Verifying the result

After all four steps, confirm the full configuration:

kubectl config view

You should see your new clusters, users, and contexts entries, and current-context set to my-context. If anything is missing or misspelled, re-run the relevant set-* command with the corrected values. Subsequent runs overwrite the existing entry, they do not create duplicates.

The KUBECONFIG environment variable

By default kubectl reads a single file at ~/.kube/config. The KUBECONFIG environment variable lets you point kubectl at a different file or at multiple files at once. When you list multiple paths separated by colons, kubectl merges them in memory and treats them as one unified kubeconfig.

kubectl config view

In a shell where KUBECONFIG=/home/alice/.kube/config:/home/alice/.kube/work-config, this command shows the merged result of both files. This pattern is useful when different tools or clusters manage their own kubeconfig files separately. It is an advanced topic and the simulator does not require it, but you will encounter it in real multi-cluster setups.

You now know how to configure kubectl from scratch, from a CA certificate and a set of credentials down to a working context. The building blocks, set-cluster, set-credentials, set-context, and use-context, are also what tools like kubeadm call internally when they set up a cluster for the first time. The TLS certificates module covers the certificate files themselves: how they are generated, signed, and why the CA relationship matters.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course