CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Clusters, Users, and Contexts

A kubeconfig file is not a flat list of key-value pairs. It has three independent sections, and none of them mean anything on their own. A clusters entry without a matching contexts entry is an unused address. A users entry without a context pointing to it is a forgotten credential. The context is the glue: it binds one cluster and one user together under a single name, and that is the name kubectl uses.

Start by looking at the full file in the simulator:

kubectl config view

You will see a YAML document. Read through it with the following three sections in mind.

The clusters section

The clusters section is a list. Each entry has a name and a cluster block. The cluster block holds two things: the API server address (server) and the certificate authority data (certificate-authority-data).

# illustrative only
clusters:
  - name: production
    cluster:
      server: https://k8s.example.com:6443
      certificate-authority-data: <base64-ca>

The server field is the URL kubectl sends API requests to. The certificate-authority-data is a base64-encoded CA certificate. kubectl uses it to verify that the server it is talking to is actually the cluster it claims to be, not an impostor. This is standard TLS verification. The details of how that certificate is issued belong to the TLS module, but the important point here is: without a valid CA cert, kubectl refuses to connect.

kubectl config get-clusters

This command lists only the cluster names registered in your kubeconfig, one per line. It is a fast way to confirm which clusters kubectl knows about.

The users section

The users section is also a list. Each entry has a name and a user block that holds credentials. The credential format depends on the authentication method: client certificate and key, a bearer token, or an OIDC configuration. The details of authentication methods belong to the authentication module. For now, the important idea is that the user block answers the question “who are you?” when kubectl reaches the API server.

# illustrative only
users:
  - name: alice
    user:
      client-certificate-data: <base64-cert>
      client-key-data: <base64-key>

The user entry name (alice in the example) is just a label. It does not have to match a real username in the cluster. The API server uses the credential itself (the certificate common name or the token subject) to identify you, not the label in the kubeconfig. This is a common source of confusion: renaming the user entry in kubeconfig does not change your identity in the cluster.

Quiz

A colleague says “I renamed my user entry from alice to developer in kubeconfig. Now I have fewer permissions.” Is that possible?

Reveal answer

No. Renaming the kubeconfig label has no effect on cluster permissions. The API server reads the credential itself (the certificate CN or the token’s subject claim) to determine identity. The label in kubeconfig is local bookkeeping only. Permissions are controlled by RBAC, which is covered in the RBAC module.

The contexts section

The contexts section is the binding layer. Each entry has a name and a context block that references a cluster by name and a user by name. It can optionally include a namespace field.

# illustrative only
contexts:
  - name: prod-alice
    context:
      cluster: production
      user: alice
      namespace: payments

When namespace is set, every kubectl command that does not specify -n will query that namespace by default. Without it, kubectl defaults to the default namespace.

The current-context field at the top level of the kubeconfig file holds the name of the active context. It is a single string, not a list.

kubectl config get-contexts

This prints a table of all contexts. The row with an asterisk (*) in the leftmost column is the active context. The columns show the context name, the cluster it points to, the user it uses, and the default namespace (if any).

A kubeconfig can list dozens of contexts but only one is active at any moment. Switching contexts changes only the current-context field in the file. Everything else stays untouched.

Quiz

What are the three things a context entry contains?

A list of namespaces, a list of roles, and a cluster address
A cluster reference, a user reference, and an optional default namespace
A server URL, a token, and a context name

Reveal answer

A cluster reference, a user reference, and an optional default namespace. The cluster and user entries hold the actual addresses and credentials. The context just names the combination and optionally pins a default namespace.

Putting it together

The three sections form a deliberate separation of concerns. Cluster addresses are defined once and can be referenced by multiple contexts. User credentials are defined once and can be reused across contexts. A context is lightweight: it is just two names and an optional namespace string. This means you can define one alice user entry and create five contexts that all use it, each pointing to a different cluster, without duplicating the credential.

Verify what the simulator’s current context sees by combining two commands:

kubectl config current-context

Then inspect the full detail of the active configuration:

kubectl config view

Now that you understand what each section does, the next lesson shows how to switch between contexts and manage the active namespace, which is the day-to-day workflow when working with multiple simulated clusters.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course