CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Roles and RoleBindings

You want to give a developer read-only access to Pods in the dev namespace. They should not see Secrets or modify anything. RBAC does this with two objects: a Role that defines what is allowed, and a RoleBinding that connects the Role to a subject. Neither object on its own does anything; you need both.

Start by creating the dev namespace in the simulated cluster:

kubectl create namespace dev

The Role object

A Role is a namespaced resource. It holds a list of rules, where each rule combines three elements: apiGroups, resources, and verbs. The Role grants only the listed verbs on the listed resources, and only within the namespace where the Role lives. A Role in dev has no effect in production.

Build the manifest one field at a time. Create the file:

nano dev-role.yaml

The kind field tells the API server this is a Role, not a ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role

The metadata section anchors the Role in the right namespace:

metadata:
  name: pod-reader
  namespace: dev

The rules section is where the permissions live. Each rule lists an apiGroups array (use "" for core resources like Pods), a resources array, and a verbs array:

rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

Full file to write:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

kubectl apply -f dev-role.yaml

kubectl get roles -n dev

You should see pod-reader listed. The Role exists, but nothing uses it yet. A Role without a RoleBinding grants access to nobody.

Quiz

What is the minimum Role definition to allow a subject to list and get ConfigMaps in a namespace?

Try it: Write a Role manifest with resources: ["configmaps"] and verbs: ["get", "list"], apply it, and verify with kubectl get roles -n dev.

Reveal answer

The apiGroups must be [""] (ConfigMaps are a core resource), resources must include "configmaps", and verbs must include at least "get" and "list". Watch is optional but commonly added for controllers that need to observe changes.

The RoleBinding object

A RoleBinding connects a Role to one or more subjects. The binding lives in the same namespace as the Role it references. A RoleBinding cannot reference a Role in a different namespace.

nano dev-rolebinding.yaml

The subjects array lists who receives the permissions. Each entry has a kind (User, Group, or ServiceAccount), a name, and an apiGroup:

subjects:
  - kind: User
    name: developer
    apiGroup: rbac.authorization.k8s.io

The roleRef points at the Role being bound. Once a RoleBinding is created, roleRef is immutable. To change it, delete the binding and recreate it:

roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Full manifest:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: dev
subjects:
  - kind: User
    name: developer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

kubectl apply -f dev-rolebinding.yaml

kubectl get rolebindings -n dev

Now developer can get, list, and watch Pods in dev. They still cannot touch Secrets, ConfigMaps, or resources in any other namespace.

Binding a Role to a ServiceAccount

The subjects entry changes slightly when the subject is a ServiceAccount. A ServiceAccount belongs to a namespace, so you must specify it:

subjects:
  - kind: ServiceAccount
    name: my-app
    namespace: dev

A common mistake is omitting the namespace field on a ServiceAccount subject. If namespace is missing, the API server looks for the ServiceAccount in the namespace of the RoleBinding itself. If the ServiceAccount lives in a different namespace, the binding silently fails to grant access. The binding is created successfully, but the permissions never take effect for that subject. Always specify namespace explicitly when binding to a ServiceAccount.

Quiz

You created a RoleBinding in namespace dev that binds to ServiceAccount reporter with namespace: staging. The Role grants get pods. When reporter in staging tries to get pods in dev, access is denied. Why?

Reveal answer

The API server resolves the ServiceAccount identity as system:serviceaccount:staging:reporter. The RoleBinding subjects entry has namespace: staging, which means the binding correctly identifies that ServiceAccount. The issue is the opposite: if you wrote the wrong namespace, it would look for a ServiceAccount in the wrong place. In the correct scenario, the binding should work. Double-check that the name matches exactly, and use kubectl auth can-i with --as system:serviceaccount:staging:reporter in the dev namespace to debug.

With Roles and RoleBindings, you can grant precise permissions within a single namespace. The next lesson covers ClusterRoles and ClusterRoleBindings, which extend this model to resources that span the entire cluster or live outside any namespace.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course