CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

RBAC Best Practices

RBAC is not just about making things work. It is about making things work with the minimum necessary permissions. A misconfigured RBAC policy is a security hole that may stay invisible for months, then surface in the worst possible moment. The principles in this lesson are not theoretical: they address the most common real-world mistakes.

Start by auditing what bindings already exist in your simulated cluster:

kubectl get rolebindings -A

kubectl get clusterrolebindings | grep -v system

These two commands give you a full inventory of who has been granted what. Run them whenever you join a new cluster or want to understand its permission landscape.

Least privilege

Grant only the verbs and resources a subject actually needs. Start with nothing and add permissions when a concrete need arises. The question to ask before every new rule is: “what is the minimum access this workload requires to do its job?”

A useful pattern: deploy the application first with no RBAC at all. Check the logs for 403 Forbidden errors. Each error tells you exactly what verb and resource are missing. Add precisely those rules and nothing more.

Quiz

Why is it better to start with no permissions and add them incrementally, rather than starting broad and restricting later?

Reveal answer

Restricting permissions that are already in use causes outages: the workload breaks the moment a permission is removed. Starting with nothing means the worst outcome is a 403 that you fix by adding a rule. There is no risk of accidentally leaving excess permissions in place, because you only ever add what is needed.

Prefer namespaced Roles over ClusterRoles

If a subject only operates in one namespace, give it a Role in that namespace and a RoleBinding. Do not reach for a ClusterRole unless you have a genuine cross-namespace or cluster-scoped need.

Why does this matter? A ClusterRole bound with a ClusterRoleBinding applies everywhere. If the subject is compromised, the blast radius is the entire cluster. A namespaced Role limits the damage to a single namespace.

kubectl describe clusterrolebinding cluster-admin

Inspect who is bound to cluster-admin. In a well-run cluster, this list should be very short: typically the kube-system ServiceAccounts that genuinely need it. If you see application ServiceAccounts in that list, that is a critical finding.

Bad pattern: ServiceAccount in namespace has a ClusterRoleBinding to . This gives unrestricted access to every resource in the cluster, including Secrets in all namespaces, Node objects, and the ability to modify RBAC policies themselves.

Good pattern: ServiceAccount my-app has a Role in namespace default with get and list on pods only. It can read the Pods it needs to operate and nothing else.

One ServiceAccount per application

Never share a ServiceAccount between two workloads that have different permission requirements. If service-a needs get secrets and service-b needs list pods, give each its own ServiceAccount and bind each Role independently.

Why? If you share one ServiceAccount across both, both workloads inherit the union of all permissions. When you later restrict permissions for one workload, you inadvertently restrict the other. Worse, if one workload is compromised, the attacker gains the permissions of both.

Avoid wildcards

verbs: ["*"] and resources: ["*"] are almost always too broad. Even if you scope resources to pods, a wildcard on verbs grants delete, patch, exec, and escalate.

Quiz

Why is verbs: ["*"] on a Role dangerous even if resources is scoped to ["pods"]?

Reveal answer

The wildcard includes exec (which opens a shell into a running container) and escalate (which allows binding higher-privilege roles). A subject that can exec into Pods can potentially escape to the underlying node or read mounted Secrets from the container’s environment. Scoping resources does not protect against the privilege escalation paths that wildcard verbs enable.

Audit regularly

RBAC policies accumulate over time. A binding created for a one-off task may never be cleaned up. Build a habit of reviewing what exists:

kubectl get clusterrolebindings | grep -v system

kubectl get rolebindings -A

For any binding you cannot immediately explain, describe it to see who it grants access to and what ClusterRole or Role it references:

kubectl describe clusterrolebinding cluster-admin

The audit loop above, run periodically, keeps RBAC policy from drifting into an unmaintainable state. Stale bindings are a quiet risk: the subject they were created for may no longer exist, but the binding remains and can be exploited if the subject name is reused.

You have now covered the full RBAC toolkit: authorization modes, Roles and RoleBindings, ClusterRoles and ClusterRoleBindings, permission testing with kubectl auth can-i, and the principles that keep policies safe over time. These concepts appear directly in CKA exam scenarios, so the best next step is to apply them in the simulator drills for this module.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course