CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

ServiceAccount Practical Scenarios

Theory is clear. Now look at two concrete scenarios where ServiceAccount design decisions have real security consequences. The first is a workload that genuinely needs Kubernetes API access. The second is a workload that never should.

Scenario A: a monitoring agent

A metrics-collection agent runs in your simulated cluster. Its job is to scrape metrics from Pods across all namespaces. To build its list of targets, it calls the Kubernetes API to list Pods. It needs a dedicated ServiceAccount so you can attach exactly the right permissions to it and nothing more.

Create the ServiceAccount.

kubectl create serviceaccount monitoring-agent

Verify it appears in the list alongside default.

kubectl get serviceaccounts

The next step in a real workflow would be to create a ClusterRoleBinding connecting monitoring-agent to a ClusterRole that allows listing Pods. RBAC is covered in its own module. What matters here is that the identity is isolated: only the monitoring agent Pod carries this SA, so only it can ever receive those permissions.

Write the manifest for the agent Pod.

nano agent-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: monitoring-agent-pod
  namespace: default
spec:
  serviceAccountName: monitoring-agent
  containers:
  - name: agent
    image: nginx:stable

kubectl apply -f agent-pod.yaml

Quiz

You created a ServiceAccount called monitoring-agent. Without any RBAC bindings, what happens when the agent Pod tries to list Pods via the API?

Reveal answer

The request is denied with a 403 Forbidden response. The SA identity is valid, but the API server’s authorization layer finds no RoleBinding or ClusterRoleBinding granting that identity the right to list Pods. Identity and permission are always separate concerns.

Scenario B: a stateless web application

Your second workload serves HTTP responses to users. It reads from a database and has no reason to call the Kubernetes API. Mounting a token into this Pod is unnecessary exposure.

Create a dedicated ServiceAccount for it.

kubectl create serviceaccount web-app

Write the manifest with automount disabled.

nano web-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
  namespace: default
spec:
  serviceAccountName: web-app
  automountServiceAccountToken: false
  containers:
  - name: web
    image: nginx:stable

kubectl apply -f web-pod.yaml

This Pod has an identity (web-app) but carries no token in its filesystem. If the container is ever compromised, the attacker finds no API credential to escalate with.

Quiz

Why assign a dedicated web-app ServiceAccount at all, if you are just going to disable automount? Why not use default with automount disabled?

Reveal answer

Because identity isolation matters independently of token presence. If you later add a RoleBinding for the default SA, the web Pod’s identity would inherit those permissions. A dedicated SA per application means that permissions are always tied to a specific identity, and a mistake in one binding cannot silently expand the attack surface of unrelated Pods.

Confirming both ServiceAccounts exist

Describe each SA to confirm their presence and configuration.

kubectl describe serviceaccount monitoring-agent

kubectl describe serviceaccount web-app

Both should show the correct namespace, no unexpected token Secrets, and the details Kubernetes recorded at creation time.

The risk of an overpermissioned default ServiceAccount

Here is the failure pattern worth internalizing. Suppose a developer is debugging a RBAC issue and temporarily grants cluster-admin to the default ServiceAccount in a namespace.

Every Pod in that namespace that does not declare an explicit serviceAccountName is now running with cluster-admin permissions. A single compromised container in any of those Pods gives an attacker full control of the cluster. This is not a contrived scenario. It happens in environments where RBAC is treated as a debugging convenience rather than a security boundary. One dedicated ServiceAccount per application, combined with least-privilege RBAC bindings, makes this class of mistake impossible to propagate silently.

The principle is consistent across both scenarios: isolate identities by application, grant only what is needed, and disable automount for workloads that have no reason to authenticate to the API.

Lesson 05 closes the module by explaining the difference between old-style token Secrets and the modern projected token system, and why the newer approach eliminates an entire category of credential-theft risk.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course