CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Kubernetes Security Fundamentals

You just deployed a web application to the simulated cluster. Anyone with credentials can run kubectl delete deployment my-app and wipe it. A rogue internal service could try to list all Secrets and read passwords. A misconfigured CI pipeline could push workloads to namespaces it should never touch. These are not theoretical risks. In a real organization, the cluster surface is accessible to many actors: developers, operators, automation jobs, and third-party tools.

The question is: how does Kubernetes decide who can do what?

Three gates, one path

Every request that reaches the Kubernetes API server, whether it comes from kubectl, a Pod’s service account, or any external client, travels through exactly three gates in sequence. None can be skipped.

Authentication answers: who is making this request? It verifies an identity, a certificate, a token, or an external credential. If the API server cannot identify the caller, the request stops here with a 401 Unauthorized error.

Authorization answers: is this identity allowed to perform this action? Kubernetes uses RBAC (Role-Based Access Control) by default. A valid identity that lacks permission gets a 403 Forbidden.

Admission Control is the third gate. It validates and mutates the request before the object is written to etcd. Admission controllers can enforce policies like “no container may run as root” or “every resource must have a label.” If a request fails admission, it is rejected even though the caller was authenticated and authorized.

Each gate is independent. Passing one does not guarantee passing the next.

Quiz

A request reaches the API server with a valid certificate. The API server returns 403 Forbidden. Which gate rejected it?

Authentication, because the certificate was not trusted
Authorization, because the identity lacks the required permission
Admission Control, because the resource spec is invalid

Reveal answer

Authorization. The certificate was valid (Authentication passed), but the identity behind it does not have permission to perform the requested action. A 403 means “I know who you are, but you cannot do this.”

What surfaces need protecting?

The three-gate model applies to every API request. But the cluster has more surfaces than just the API. Start by seeing your cluster’s entry point:

kubectl cluster-info

The output shows the control plane address. Every kubectl command, every Pod making API calls, every admission webhook, all of it goes through that single HTTPS endpoint. That is why the kube-apiserver is the highest-value target to protect.

kubectl get nodes

Each node runs a kubelet, the agent that starts and monitors Pods. The kubelet exposes its own HTTPS API on port 10250. It can be used to read logs, execute commands in containers, or query running Pods on that node. By default, the kubelet requires authenticated and authorized requests. A misconfigured kubelet with anonymous access enabled is a known attack vector.

Beyond the API server and kubelets, etcd is the most sensitive component. It stores every object in the cluster in plaintext. Anyone with direct read access to etcd bypasses all three gates. In a production cluster, etcd requires mutual TLS and is accessible only from the control plane. The simulator abstracts this with an in-memory store, but the access model remains the same.

The scheduler and controller manager also communicate with the API server using client certificates. They are internal actors, but they are still authenticated through the same gates. The principle is consistent: no component, internal or external, bypasses authentication.

The kubectl cluster-info dump command (not available in the simulator) produces a large JSON snapshot of cluster state including Secrets. In a real cluster, treat that output as sensitive. Always scope what you expose in CI pipelines or support tickets.

Quiz

Which component stores every Kubernetes object and must be protected independently from the API server?

Reveal answer

etcd. It is the underlying key-value store for all cluster state. Direct read access to etcd bypasses Authentication, Authorization, and Admission Control entirely. This is why etcd is isolated behind TLS and network controls in any hardened cluster.

Why the model is sequential

The sequence matters. Authentication always runs first because authorization needs a verified identity to evaluate. Admission Control always runs last because it validates the final, authorized request, often by injecting or mutating fields before writing to etcd. Reversing the order would break the entire security contract.

This design also means you can reason about failures precisely. A 401 tells you the identity check failed. A 403 tells you the identity was valid but the permission was not granted. An admission rejection has its own error message from the specific controller that blocked it. Each gate gives you a distinct diagnostic signal.

The next lessons go deeper into the first gate: how Kubernetes actually verifies identities, what methods it supports, and why users in Kubernetes work differently from users in almost every other system you have used.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course