CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Projected ServiceAccount Tokens

In older Kubernetes versions, every ServiceAccount got a long-lived token stored in a Secret object. That token never expired. If it was stolen from a Pod or leaked in a log file, an attacker could use it indefinitely without any way to time-limit the damage. Kubernetes 1.21 changed this with projected ServiceAccount tokens: short-lived, audience-bound tokens that expire automatically and are rotated by the kubelet before the Pod ever sees a stale credential.

The old approach and its problem

Before projected tokens, Kubernetes created a Secret of type kubernetes.io/service-account-token for every ServiceAccount automatically. This Secret held a JWT token that was valid forever. Pods received it through a volume mount, and there was no built-in rotation mechanism.

The modern flow replaces the static Secret with a call to the TokenRequest API each time a Pod starts. The token that lands at the familiar path has a defined expiry (default one hour), is bound to a specific audience (the Kubernetes API server), and is automatically renewed by the kubelet before it expires. The Pod’s application does not need to do anything. It reads the same file path as before, but the content is a short-lived credential rather than a permanent one.

The file path /var/run/secrets/kubernetes.io/serviceaccount/token is identical in both systems. Applications written before Kubernetes 1.21 continue to work without modification. The difference is entirely in what the token contains and how long it remains valid.

Inspect a ServiceAccount to see the change.

kubectl get serviceaccount my-app -o yaml

In the output, notice that there is no secrets field listing a long-lived token Secret. That field is absent or empty in clusters using projected tokens. The token only exists when a running Pod holds it in memory as a projected volume file.

Quiz

What is the main security improvement of projected tokens over legacy kubernetes.io/service-account-token Secrets?

They are stored in a ConfigMap instead of a Secret, reducing exposure
They expire automatically and are audience-bound, limiting the window of misuse
They use a stronger hashing algorithm than legacy tokens

Reveal answer

They expire automatically and are audience-bound. A leaked projected token stops working after its expiry (typically within an hour). A leaked legacy token required manual deletion of the Secret to revoke, and in practice that step was often missed.

Creating a token on demand

Sometimes you need a short-lived token outside of a running Pod context, for a test script or a debugging session. The kubectl create token command issues one directly from the TokenRequest API.

kubectl create token my-app

The output is a JWT string. It is valid for a short period and bound to the my-app ServiceAccount. You can decode the base64-encoded payload section to see the claims it contains. The aud claim lists the intended audience. The exp claim holds the Unix timestamp at which the token expires.

kubectl create token my-app

Now do the same for the monitoring agent ServiceAccount.

kubectl create token monitoring-agent

Each call produces a fresh, independently expiring token. No Secret is created. The token is not stored anywhere by Kubernetes. When the token expires, it is simply gone.

Quiz

You want a short-lived token for the web-app ServiceAccount to test a script. Which command produces one without creating any persistent Kubernetes object?

Try it: kubectl create token web-app

Reveal answer

kubectl create token web-app. This calls the TokenRequest API and returns a JWT with a built-in expiry. It does not create a Secret and does not persist anywhere in etcd. Once the token expires, there is nothing to revoke or clean up.

Customizing the projected token in a Pod spec

Kubernetes injects the projected volume automatically when you do not specify it. You can also configure the token projection explicitly in the Pod spec when you need to set a custom expiry or a specific audience. This is useful when your application authenticates to an external service that accepts Kubernetes-issued tokens.

nano projected-pod.yaml

Start with the metadata.

# projected-pod.yaml - illustrative only
apiVersion: v1
kind: Pod
metadata:
  name: projected-pod
  namespace: default

Add the volume definition with an explicit expirationSeconds.

spec:
  serviceAccountName: my-app
  volumes:
  - name: kube-api-access
    projected:
      sources:
      - serviceAccountToken:
          expirationSeconds: 3600
          path: token

Then add the container and its volume mount.

  containers:
  - name: app
    image: nginx:stable
    volumeMounts:
    - name: kube-api-access
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true

Writing the projected volume manually is only necessary when you need to override the defaults, such as setting a custom expirationSeconds or an audience for an external workload identity use case. For normal in-cluster API access, Kubernetes injects the correct projection automatically. Do not copy this manifest pattern unless you have a specific reason to customize those fields.

Automatic rotation

The kubelet refreshes the projected token before its expiry. The application does not need to re-read the file on a schedule or implement any rotation logic. The kubelet overwrites the token file at the mount path with a fresh credential before the current one expires. From the application’s perspective, the file always contains a valid token as long as the kubelet is healthy.

Quiz

A projected token is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token. The token was issued one hour ago and is about to expire. What happens next, without any action from the application?

Reveal answer

The kubelet detects that the token is approaching expiry and requests a new one from the TokenRequest API. It then overwrites the token file with the fresh credential. The application continues reading the same path and always receives a valid token, without implementing any rotation logic.

You now have the full picture of workload identity in Kubernetes: what a ServiceAccount is, how to create and assign one, how its credentials are delivered into the Pod through projected volumes, and how the modern token system eliminates the permanent-credential problem of earlier Kubernetes versions. The next module covers RBAC, where you will define exactly what each of these identities is allowed to do inside the cluster.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course