CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Enabling and Disabling Admission Controllers

Imagine you just discovered that Pods in a namespace have no resource limits. You want LimitRanger to enforce defaults automatically. You search for a Kubernetes resource to configure it, a ConfigMap, a CRD, anything. There is nothing. Admission controllers are not Kubernetes objects. They are plugins compiled directly into the kube-apiserver binary. To turn one on or off, you must change a flag on the API server process itself.

The flags that control the plugin list

The kube-apiserver accepts two flags that manage which admission plugins are active.

--enable-admission-plugins takes a comma-separated list of plugins to enable in addition to the defaults. If the plugin is already in the default set, listing it here is harmless but redundant.

--disable-admission-plugins takes a comma-separated list of plugins to remove from the defaults. This is how you turn off a plugin that would otherwise run automatically.

The two flags work on top of a default set. As of Kubernetes 1.29, the default active plugins include NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota, MutatingAdmissionWebhook, and ValidatingAdmissionWebhook, among others. MutatingAdmissionWebhook and ValidatingAdmissionWebhook are what make custom webhooks possible. Disabling either one breaks all deployed webhooks immediately.

You can inspect the exact list on the simulated cluster right now:

kubectl describe pod kube-apiserver-controlplane -n kube-system

Scroll to the Command section. Each flag appears on its own line. Look for --enable-admission-plugins and --disable-admission-plugins. The absence of --disable-admission-plugins means no defaults have been removed.

Quiz

A team disabled MutatingAdmissionWebhook to troubleshoot a problem and forgot to re-enable it. What breaks immediately?

Reveal answer

Every MutatingWebhookConfiguration deployed in the cluster stops being called. Webhooks that inject sidecars, set default values, or patch resources silently stop working. Pods get created without the expected mutations, and the team may not notice until something fails at runtime.

On kubeadm clusters, the API server is a static Pod

On clusters bootstrapped with kubeadm, the kube-apiserver runs as a static Pod. Its manifest lives on the control plane node at /etc/kubernetes/manifests/kube-apiserver.yaml. The kubelet on that node watches this directory and automatically restarts the API server whenever the file changes.

To add or remove an admission plugin, you would edit that file directly on the control plane node. The change takes effect within a few seconds as the kubelet detects the modification and restarts the Pod.

Below is an illustrative snippet of what that manifest looks like:

# illustrative only
spec:
  containers:
    - command:
        - kube-apiserver
        - --enable-admission-plugins=NodeRestriction,PodSecurity
        - --disable-admission-plugins=DefaultStorageClass

NodeRestriction is a common plugin to enable explicitly. It limits what a kubelet can modify on the API server, preventing a compromised node from escalating privileges by editing other nodes’ objects.

In the simulated cluster, you cannot edit the kube-apiserver manifest. The control plane is emulated and does not expose /etc/kubernetes/manifests/. This lesson is about understanding the configuration model, not about modifying the simulator's control plane. On a real exam node with kubeadm, this file is exactly where you would go.

Checking what is actually active

Inspecting the Pod spec is the most reliable way to see the active plugin list. The API server does not expose its active plugins through a dedicated API endpoint.

kubectl get pods -n kube-system

On any kubeadm cluster, you will see kube-apiserver-<nodename>. The name suffix matches the node hostname. In the simulator, the node is named controlplane.

kubectl describe pod kube-apiserver-controlplane -n kube-system

Some managed Kubernetes providers (GKE, EKS, AKS) do not let you modify API server flags at all. The control plane is fully managed. You can still use webhooks, because MutatingAdmissionWebhook and ValidatingAdmissionWebhook are always enabled on managed clusters, but you cannot enable obscure built-in plugins that are not in the default set.

Quiz

A team needs to enforce resource limits on all Pods in a namespace. Which admission controller should be enabled, and what object must exist in the namespace for it to work?

Reveal answer

LimitRanger enforces default limits. You must also create a LimitRange object in the namespace that defines the default values. Without the LimitRange object, LimitRanger has nothing to read and does nothing, even if the plugin is listed in --enable-admission-plugins.

Admission controllers are binary: on or off, configured at the API server level, not per namespace or per object. The next lesson moves beyond built-in plugins to custom enforcement logic. Validating admission webhooks let you call an external HTTPS service to approve or reject any resource creation, with rules you define entirely yourself.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course