CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Image Pull Policies

Kubernetes does not necessarily pull a fresh image every time a Pod starts. It might use a copy already on the node from a previous pull. Whether it does or not is controlled by imagePullPolicy, and the default behavior is less obvious than it appears. Getting this wrong is a common source of “why is my update not showing up” confusion during the CKA exam and in real clusters.

The three pull policies

imagePullPolicy has three possible values: Always, IfNotPresent, and Never. Each one controls what the kubelet does at Pod startup when it is about to run a container.

Always tells the kubelet to contact the registry on every Pod start, regardless of whether a local copy of the image exists on the node. This ensures you always run exactly what the registry currently has at that tag. The trade-off is that every Pod start incurs a network round-trip to the registry, and startup is slower if the image is large.

IfNotPresent tells the kubelet to use the local copy if one exists and only pull if the node has never seen this image before. This is the most common policy in practice: fast startup once an image is cached, and no unnecessary registry traffic. The risk is that the local copy might be stale if the tag was moved at the registry.

Never tells the kubelet to never contact the registry. If the image is not already on the node, the Pod fails immediately. This is used in air-gapped environments or when images are pre-loaded onto nodes by a separate mechanism.

Default rules

Why does Kubernetes not simply pick one default for all images? Because the right default depends on the tag. If you use latest or omit the tag entirely, Kubernetes assumes the image is mutable and defaults to Always. If you use a specific tag like 1.28, Kubernetes assumes you intentionally pinned a version and defaults to IfNotPresent.

Quiz

A Pod uses image: my-app:1.0 with no imagePullPolicy specified. The image is already cached on the node from a previous deployment. You delete the Pod and it is recreated. Will Kubernetes pull a fresh image?

Reveal answer

No. With a non-latest tag and no explicit policy, Kubernetes defaults to IfNotPresent. The node already has the image, so the kubelet uses the cached copy. If the registry has a newer build under my-app:1.0 (because the tag was moved), you will not get it. To force a fresh pull, either set imagePullPolicy: Always or use a new unique tag or a digest.

Seeing the policy in action

Create a manifest with an explicit pull policy:

nano pull-policy-pod.yaml

# illustrative only
apiVersion: v1
kind: Pod
metadata:
  name: pull-policy-pod
spec:
  containers:
    - name: app
      image: nginx:1.28
      imagePullPolicy: Always

Apply it:

kubectl apply -f pull-policy-pod.yaml

Check that the Pod started:

kubectl get pod pull-policy-pod

Then describe it to see the resolved policy:

kubectl describe pod pull-policy-pod

In the Containers section, look for the Image pull policy: field. It will confirm the value Kubernetes applied, whether you set it explicitly or let it default. This field is the authoritative source of truth for what the kubelet will do on the next restart.

Setting imagePullPolicy: Never when the image is not cached on the node causes the Pod to enter ErrImageNeverPull immediately. This is a hard failure: the kubelet does not retry. The Pod will stay in that state until it is deleted. You can reproduce this by setting Never on an image that the simulated cluster has not yet pulled. Describe the Pod and read the Events section to see the exact kubelet message.

The most deterministic combination

IfNotPresent with a pinned tag is common, but there is a stronger pattern for production: Always combined with a digest reference.

# illustrative only
image: nginx@sha256:abc123...
imagePullPolicy: Always

A digest cannot change, so every pull is guaranteed to fetch the exact same image content. The Always policy ensures the kubelet verifies against the registry on every Pod start rather than trusting the local cache. Together, these two settings eliminate the two most common sources of image drift: a moved tag and a stale cache.

Using imagePullPolicy: Always with a digest is the most deterministic image pattern in Kubernetes. The digest makes the reference immutable, and Always ensures the node checks the registry rather than silently falling back to a cached layer. For CKA exam scenarios about image reproducibility, this combination is the correct answer.

Quiz

You set imagePullPolicy: IfNotPresent and deploy image: nginx:latest. The first Pod pulls the image and it is cached on the node. A week later a new nginx release lands and the latest tag moves. A new Pod is scheduled to the same node. Which nginx version does it run?

Reveal answer

The old cached version. IfNotPresent means the kubelet sees the image is already on the node and skips the pull entirely, even though the tag now points to something different at the registry. This is why latest with IfNotPresent is a trap: you think you are getting the newest image, but you are getting whatever was pulled first on that node.

You now control all three layers of image runtime behavior: the image reference that tells Kubernetes where to find the image, the pull secret that authenticates against private registries, and the pull policy that governs when the kubelet actually contacts the registry. The next module covers Admission Controllers, which operate one layer higher and let you enforce cluster-wide rules about what can be created in the first place.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course