CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Pod vs Container Security Context

You want to enforce that every container in a Pod runs as a non-root user. You also want one specific container to run as a different UID than the others. Kubernetes handles both cases, but through two separate fields in the spec: one at the Pod level and one at the container level. Using the wrong level is one of the most common configuration mistakes in CKA scenarios. This lesson draws that line clearly.

Two levels, one spec

The Pod spec has two distinct places where you can set security properties.

spec.securityContext is the pod-level security context. It applies to every container in the Pod by default. Fields you set here become the baseline for all containers.

spec.containers[].securityContext is the container-level security context. It applies only to the specific container it is nested under. If a field is set at both levels, the container-level value wins for that container.

The override rule is field-by-field, not all-or-nothing. A container can inherit some pod-level settings and override others independently.

Which fields belong where

Not every field is available at both levels. The placement is deliberate.

Pod-level securityContext supports: runAsUser, runAsGroup, fsGroup, runAsNonRoot, sysctls, seccompProfile, and supplementalGroups. These are properties that make sense to apply uniformly across all containers.

Container-level securityContext supports: runAsUser, runAsNonRoot, allowPrivilegeEscalation, capabilities, readOnlyRootFilesystem, privileged, and seccompProfile. The most impactful hardening fields (capabilities and readOnlyRootFilesystem) live exclusively at the container level, because capability sets and filesystem write access are per-process concerns.

fsGroup is pod-level only. It sets the GID applied to volumes mounted into the Pod, so it is a property of the shared storage context, not of an individual container. You cannot set it per container.

Building the manifest incrementally

Start with a pod-level securityContext that sets a default UID for all containers.

nano secure-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
  containers:
    - name: app
      image: nginx:1.28

At this point, every container in the Pod, there is only one here, will run as UID 1000 and primary GID 3000. Apply it:

kubectl apply -f secure-pod.yaml

Now add a container-level override. The app container needs to run as UID 2000 specifically, while still inheriting the pod-level group.

nano secure-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
  containers:
    - name: app
      image: nginx:1.28
      securityContext:
        runAsUser: 2000

The result: the app container runs as UID 2000 (container-level wins for runAsUser) and GID 3000 (pod-level applies for runAsGroup, because no container-level override was set for that field).

Quiz

A Pod sets runAsUser: 1000 at the pod level. One container sets runAsUser: 2000 at the container level. Which UID does that container run as?

1000, because pod-level settings always take precedence
2000, because container-level settings override pod-level for the same field
Both are applied and the process inherits both UIDs

Reveal answer

2000, because container-level settings override pod-level for the same field. The other options are wrong: pod-level is a default, not a ceiling, and a Linux process has exactly one effective UID, not two.

Verifying the applied settings

kubectl describe pod secure-pod

In the output, look for the Containers section. Under each container you will see a Security Context block listing the effective settings. The pod-level settings also appear under the Security Context block at the Pod level, above the container entries.

If the describe output shows Run As User: 2000 for the container while the pod-level block shows Run As User: 1000, the override is working correctly.

This two-level model is not an accident. It reflects a deliberate separation of concerns: the Pod author sets a security baseline for the workload as a whole, and individual containers can tighten or adjust that baseline without breaking the others. A logging sidecar might need a different UID than the main application, without relaxing the pod-wide non-root policy.

Quiz

You have a Pod with two containers. You want both to run as non-root, but each needs a different UID. Where do you set runAsNonRoot and where do you set runAsUser?

Reveal answer

Set runAsNonRoot: true at the pod level so it applies to both containers as a shared baseline. Set runAsUser at the container level for each container individually, so each gets its own UID. The container-level runAsUser values override the pod-level default (if any) for runAsUser, while runAsNonRoot continues to apply from the pod level.

The next lesson goes deeper into the three most common pod-level fields: runAsUser, runAsGroup, and runAsNonRoot. You will see what happens when they are set correctly, and what happens when they conflict with what the container image expects.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course