CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Pod Security Admission

Knowing the three profiles is not enough. You need a way to apply them. Pod Security Admission (PSA) is the built-in admission controller that enforces PSS at the namespace level. It requires no webhook server, no external tooling, just a label on the namespace.

How PSA intercepts Pod creation

When a Pod creation request arrives at the API server, PSA reads the labels on the target namespace. Those labels tell PSA which profile to apply and in which mode. Three modes are available, and each behaves differently when a violation is detected.

The enforce mode rejects any Pod that violates the profile. The kubectl apply call returns an error and the Pod is never created. The audit mode allows the Pod to be created but records the violation in the Kubernetes audit log, useful for detection without disrupting running workloads. The warn mode allows the Pod but returns a visible warning directly in the kubectl output, right in the terminal window.

Applying labels to a namespace

The label format is pod-security.kubernetes.io/<mode>: <profile>. You can set multiple modes simultaneously on the same namespace.

kubectl label namespace dev pod-security.kubernetes.io/enforce=baseline

kubectl label namespace dev pod-security.kubernetes.io/warn=restricted

kubectl get namespace dev --show-labels

The labels appear in the output immediately. Any Pod created in dev from this point on is checked against baseline at enforcement and against restricted for warnings. This combination is useful during a hardening phase: you get hard rejection for serious violations while surfacing what would fail at the stricter level.

Quiz

Apply the baseline enforcement label to the default namespace, then create a Pod with securityContext.privileged: true. What does kubectl return?

Try it:

kubectl label namespace default pod-security.kubernetes.io/enforce=baseline

Reveal answer

Running kubectl apply for a privileged Pod returns: Error from server (Forbidden): pods "<name>" is forbidden: violates PodSecurity "baseline:latest": privileged (container "app" must not set securityContext.privileged=true). The Pod is never created.

Seeing enforcement fail in practice

Create a manifest for a non-compliant Pod:

nano privileged-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: dev
spec:
  containers:
    - name: app
      image: nginx:1.28
      securityContext:
        privileged: true

kubectl apply -f privileged-pod.yaml

The apply command returns immediately with a Forbidden error. No Pod object is created in the simulated cluster. The rejection happens at admission time, before any scheduling or image pulling occurs. The violation message names the specific field that caused the rejection. If you see this error, the fix is always in the Pod spec, not in the namespace label.

Why does Kubernetes reject at admission rather than letting the Pod be scheduled and then terminating it? Because a rejected admission keeps cluster state clean. There is no failed Pod object to clean up, no node resources consumed, no partial image pull. The contract is simple: if the spec is not compliant, the object does not exist.

Combining modes for staged enforcement

A common pattern during migration is to run all three modes at once on the same namespace. Set enforce at the level you are confident about, warn at the next stricter level to surface upcoming issues, and audit for full logging.

The label pod-security.kubernetes.io/enforce-version: v1.29 pins the profile definition to a specific Kubernetes minor version. Without version pinning, the profile version defaults to latest, which tracks the current cluster version. Pinning prevents a Kubernetes upgrade from silently changing what is allowed in your namespaces.

Quiz

You label a namespace with enforce=baseline and a Pod with privileged: true is already running there. What happens to that Pod?

It is immediately deleted
Nothing, PSA only acts on new admission requests
It enters a Terminating state until the spec is corrected

Reveal answer

Nothing. PSA only acts at admission time, when a Pod is being created or updated. Existing Pods are not evicted or deleted when you add or change PSS labels. This is why warn and audit modes are essential before switching to enforce: they give you a view of existing violations without touching running workloads.

PSA gives you enforcement without extra infrastructure. One label, one profile, one behavior. The practical challenge is deciding which profile to use for each type of namespace, and how to migrate namespaces that already contain running workloads. That is the focus of the next lesson.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course