CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Pulling from Private Registries with imagePullSecrets

Your company stores its container images in a private registry. No one outside the organization can pull them without credentials. Kubernetes needs those credentials too, but you do not hardcode them into the Pod spec where every developer on the team can read them. Instead, you store them in a Secret and reference that Secret from the Pod. The kubelet reads the Secret at pull time and authenticates against the registry on behalf of the Pod.

Storing credentials in a Secret

Docker registry credentials are stored as a Secret of type kubernetes.io/dockerconfigjson. This type is exactly what it sounds like: a base64-encoded version of the JSON config file that Docker writes to ~/.docker/config.json when you run docker login. Kubernetes knows how to hand this to the container runtime when pulling an image.

You create this Secret with a single command:

kubectl create secret docker-registry my-registry-creds --docker-server=registry.example.com --docker-username=myuser --docker-password=mypassword

In the simulator, this command creates the Secret object with placeholder credential values since no real external registry is reachable from the browser environment. The Secret structure and all subsequent steps work identically to a real cluster.

After creating it, confirm the Secret exists and has the correct type:

kubectl get secret my-registry-creds

The output will show the type as kubernetes.io/dockerconfigjson. You can also describe it to see its metadata, though the data field will be redacted in normal output:

kubectl describe secret my-registry-creds

Quiz

What Kubernetes Secret type holds Docker registry credentials?

Reveal answer

kubernetes.io/dockerconfigjson. Kubernetes treats this type specially: the kubelet knows to extract the credential payload and pass it to the container runtime when pulling an image. A generic Opaque Secret would not work for this purpose.

Referencing the Secret in a Pod

Once the Secret exists, you reference it in the Pod spec under spec.imagePullSecrets. Create the manifest:

nano private-pod.yaml

# illustrative only
apiVersion: v1
kind: Pod
metadata:
  name: private-pod
spec:
  imagePullSecrets:
    - name: my-registry-creds
  containers:
    - name: app
      image: registry.example.com/myapp:1.0

imagePullSecrets is a list, so you can reference multiple Secrets if the Pod needs images from more than one private registry. Apply the manifest:

kubectl apply -f private-pod.yaml

Then describe the Pod to verify that the pull secret was picked up:

kubectl describe pod private-pod

Look at the Image: field to confirm the full image reference, and at the Events section to see whether the pull succeeded. In a real cluster, the kubelet would contact registry.example.com, present the credentials from the Secret, and pull the image. In the simulator the image is resolved locally, but the pull secret reference is validated against cluster state.

A Pod that tries to pull from a private registry without imagePullSecrets will enter ImagePullBackOff with a clear error in its events: unauthorized: authentication required. Kubernetes makes no attempt to guess credentials. If the Secret name in imagePullSecrets is wrong or the Secret does not exist in the same namespace as the Pod, the result is the same failure. Secrets are namespace-scoped: a Secret in default cannot be referenced by a Pod in staging.

Attaching pull secrets to a ServiceAccount

Referencing imagePullSecrets on every individual Pod spec gets tedious quickly, especially in a namespace with dozens of Pods. There is a cleaner approach: attach the pull secret to the namespace’s ServiceAccount instead.

Every Pod in Kubernetes uses a ServiceAccount. Unless you specify one, it uses the default ServiceAccount of its namespace. If you patch imagePullSecrets onto that ServiceAccount, every Pod that uses it will inherit the pull secret automatically, with no change to individual Pod specs.

kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"my-registry-creds"}]}'

Quiz

How can you avoid adding imagePullSecrets to every Pod spec individually?

Reveal answer

Attach the pull Secret to the namespace’s ServiceAccount. Every Pod using that ServiceAccount inherits the pull credentials automatically. This is the standard approach for namespaces where all Pods pull from the same private registry.

The --docker-password flag you pass to kubectl create secret docker-registry is visible in your shell history and in process listings while the command runs. In a real production environment, prefer passing the password through an environment variable or reading it from a secrets manager. In the simulator this is not a concern, but forming the habit matters for the CKA exam context.

You can now authenticate Kubernetes against a private registry, store the credentials safely in a Secret, and apply them at Pod or ServiceAccount scope. The remaining question is: once Kubernetes has access to the image, when does it actually pull? That is controlled by imagePullPolicy, which is the subject of the next lesson.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course