CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Pod Security Standards

You have learned how to set security contexts on individual Pods. But what prevents a developer from creating a privileged Pod in a production namespace? Manually reviewing every Pod spec is not scalable. Pod Security Standards (PSS) define cluster-wide security profiles that Kubernetes can enforce automatically.

Three profiles, three risk levels

PSS defines exactly three profiles. Each profile is a named set of rules about which security context fields a Pod is and is not allowed to use. Before reading the definitions, look at how they relate to each other.

The privileged profile imposes no restrictions. A Pod at this level can use hostPID, hostIPC, set privileged: true on any container, and request any Linux capability. This level is reserved for trusted infrastructure components, like CNI plugins or node monitoring agents, that genuinely need host-level access.

The baseline profile blocks the most dangerous misconfigurations while staying compatible with most production workloads. It disallows privileged containers, host namespace sharing (hostPID, hostIPC, hostNetwork), and the most dangerous Linux capabilities. An application running as root is still allowed under baseline. This is the minimum recommended level for any shared namespace.

The restricted profile is the strictest. It requires runAsNonRoot: true, drops all Linux capabilities, prohibits privilege escalation, and requires a seccomp profile. Most well-designed containerized applications can meet these requirements with a small amount of configuration.

Quiz

A Pod uses securityContext.privileged: true. Which PSS profile(s) allow it?

privileged and baseline
Only privileged
All three profiles

Reveal answer

Only privileged. The baseline profile explicitly disallows privileged containers. restricted goes even further, requiring non-root execution and dropped capabilities.

PSS does not add fields, it checks them

An important distinction: PSS does not inject any securityContext configuration into your Pods. It reads what is already in the spec and decides whether that spec is compliant. If a field is omitted entirely, PSS uses the Kubernetes default for that field when evaluating. An omitted privileged field defaults to false, so it passes baseline. An omitted runAsNonRoot field defaults to false, so it fails restricted.

Start by inspecting the simulated cluster’s namespaces to see their current state:

kubectl get namespaces

kubectl describe namespace default

The Labels section of the output is where PSS enforcement labels appear. A namespace with no PSS labels is unconstrained, meaning any Pod spec is accepted. This is the default state of every namespace unless you label it explicitly.

kubectl get namespace default -o yaml

The YAML output shows the metadata.labels field. On a fresh namespace, this section is empty or absent. Once PSS labels are applied, they appear here and become the binding signal for the admission controller.

PSS is a specification, a document that defines what each profile allows and disallows. The mechanism that reads those labels and acts on them is called Pod Security Admission, which is covered in the next lesson. Understanding the profiles first means you can reason about enforcement without conflating the two concepts.

Why PSS replaced PodSecurityPolicy

PSS was designed as the successor to PodSecurityPolicy (PSP), which was removed in Kubernetes 1.25. PSP had the same goal but was notoriously difficult to configure correctly. Granting a PSP to a Pod required coordinating a RBAC binding, a ServiceAccount, and the policy object itself. A misconfigured binding could silently leave Pods unprotected, with no obvious error. Auditing which workloads were covered by which policy was painful.

PSS simplifies this entirely. A single label on a namespace controls the profile for every Pod in that namespace. There is no binding chain to trace, no ServiceAccount coordination required.

If you are preparing for the CKA exam on a cluster running Kubernetes 1.24 or earlier, PSP may still be present. On any cluster running 1.25 or later, PSP is gone. PSS and Pod Security Admission are the current model. The exam environment specifies the Kubernetes version, so check it before assuming which system is active.

Quiz

What is the key difference between how PSS is applied versus how PodSecurityPolicy worked?

Reveal answer

PSS enforcement is namespace-scoped and label-driven. You apply a label to a namespace and the built-in admission controller enforces that profile for every Pod in that namespace. PSP required explicit RBAC bindings between ServiceAccounts and policy objects, which was error-prone and harder to audit. PSS is simpler and the coverage is unambiguous.

PSS gives you a shared vocabulary: three named risk levels, each with a precise and documented set of rules. The next step is understanding how Kubernetes actually applies those rules at admission time.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course