CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Practical PSS Enforcement

You are setting up a simulated cluster for a team. You need production namespaces locked down, development namespaces more permissive, and system namespaces exempt from restrictions. How do you design a PSS enforcement strategy that works for the whole cluster without breaking what is already running?

Namespace strategy by environment

The answer starts with recognizing that different namespaces have genuinely different security requirements. A namespace running control plane infrastructure has nothing in common with one running a user-facing web service. Apply the diagram below as a starting point, then adjust for your team’s specific workloads.

System namespaces like kube-system must use privileged because control plane components, the CNI plugin and kube-proxy DaemonSet among others, require host-level access. Labeling kube-system with enforce: restricted breaks the cluster. For production, enforce: baseline is the minimum. If your applications are designed without host access or excessive capabilities, consider enforce: restricted. Development namespaces benefit from warn: restricted rather than hard enforcement, giving developers early feedback without blocking their iteration.

kubectl get namespace kube-system --show-labels

Inspect kube-system in the simulated cluster. Notice that it carries no PSS labels by default. This means the admission controller applies no restrictions to it, which is the intended behavior for a system namespace.

Migration: audit first, then warn, then enforce

If you inherit a cluster with existing workloads, do not start with enforce. Start with audit, which records violations without blocking anything. Then add warn so developers see the messages in their kubectl output. Only after the team has resolved the violations do you switch to enforce.

kubectl label namespace production pod-security.kubernetes.io/audit=restricted

kubectl label namespace production pod-security.kubernetes.io/warn=restricted

kubectl label namespace production pod-security.kubernetes.io/enforce=baseline

The sequence gives visibility, then pressure, then enforcement. audit and warn are your observation period. enforce is the commitment.

Quiz

A team wants to start using PSS but is worried about breaking existing workloads. What is the safest first step?

Reveal answer

Apply audit and warn modes before enforce. The audit mode records violations without blocking anything. The warn mode shows messages directly in kubectl output. This gives the team a full picture of what would break before any enforcement kicks in. Start observing, then decide.

Verifying namespace state

After applying labels, always verify the result before assuming it took effect:

kubectl get namespace production --show-labels

kubectl describe namespace production

The Labels section in the describe output lists every PSS label with its current value. This is the authoritative view of what enforcement is active on a namespace. Cross-check this whenever a workload is behaving unexpectedly after a labeling change.

Identifying violations in existing workloads

Even with careful planning, switching to restricted sometimes reveals that a Deployment cannot create new Pods. The violation does not delete existing Pods, but the next time the ReplicaSet tries to replace one, for example after a rolling update or a node drain, the admission controller rejects the new Pod.

kubectl get pods -n production

Look for Pods stuck in a Pending state or a ReplicaSet showing fewer Pods than desired. Then inspect the specific Pod:

kubectl describe pod bad-pod -n production

The Events section at the bottom of the output shows the admission rejection message. It names the specific field that violates the profile, for example runAsNonRoot is required or must not set securityContext.allowPrivilegeEscalation=true. That message is your actionable signal for which field to fix in the workload’s securityContext.

A common trap: you enforce restricted on a namespace, and a pre-existing Deployment appears healthy because its current Pods are still running. Only when those Pods are replaced, during a rolling update, a crash, or a node drain, does the enforcement kick in and block the new Pods. Always validate enforcement by creating a fresh test Pod immediately after labeling. Do not rely on existing Pods as evidence that everything is fine.

Quiz

You enforce restricted on a namespace. A Deployment has been running for three days with runAsNonRoot absent from its spec. You trigger a rolling update. What happens?

Reveal answer

The ReplicaSet tries to create new Pods with the updated spec. The admission controller rejects each one because runAsNonRoot is not set, which is required under restricted. The rolling update stalls. The Deployment shows fewer available Pods than desired. The Events on the failing Pods show the specific PSA violation message. This is why auditing before enforcing is not optional: it is the only way to discover this class of problem without causing an outage.

Exemptions for components that cannot comply

Some workloads genuinely cannot meet the target profile. Monitoring agents, log collectors, and network plugins often need capabilities or host access that restricted prohibits. PSA supports exemptions via the kube-apiserver configuration file, where specific namespaces, usernames, or RuntimeClass names can be excluded from PSA enforcement. Configuring the API server is outside the scope of the simulator, but understanding that exemptions exist prevents the false assumption that PSS must apply uniformly to every workload in the cluster. The exemption mechanism lets you enforce broadly while carving out specific, auditable exceptions.

You have now covered the full Security and Authentication section of the CKA curriculum. Authentication establishes identity, ServiceAccounts carry that identity inside the cluster, TLS secures every communication path, and RBAC decides what each identity is authorized to do. Security Contexts harden individual containers, image security controls what code enters the cluster, Admission Controllers gate every API request, and Pod Security Standards enforce a consistent security posture across entire namespaces. These layers are not independent features. They are a coordinated defense in depth: each layer assumes the others may be bypassed or misconfigured, and compensates accordingly. A cluster that applies all of them systematically is one where a single misconfiguration cannot escalate into a full compromise.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course