CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Testing Permissions with kubectl auth can-i

You set up RBAC. Now how do you verify it actually works? You cannot always test by trying the forbidden action in production: a failed kubectl delete might succeed, a misconfigured binding might let through something it should block. Kubernetes provides a dry-run mechanism that does not touch any real resource: kubectl auth can-i.

Check your own permissions in the simulated cluster right away:

kubectl auth can-i get pods

The answer is either yes or no. No partial answers, no ambiguity. The API server evaluates your identity against all active RBAC policies and returns a binary result.

Checking your own permissions

kubectl auth can-i <verb> <resource> checks whether your own identity is allowed to perform the action in the current namespace. You can also specify a namespace explicitly:

kubectl auth can-i create deployments --namespace production

To see everything you are allowed to do in the current namespace, use the --list flag:

kubectl auth can-i --list

The output lists every verb and resource combination your identity is permitted to use. This is useful when you have been granted permissions through multiple Roles or ClusterRoles and want a consolidated view.

Quiz

How do you check what actions you are allowed to perform in the kube-system namespace?

Try it: kubectl auth can-i --list --namespace kube-system

Reveal answer

The output lists all verb-resource combinations permitted for your identity in kube-system. If you see nothing listed (or only selfsubjectaccessreviews), your identity has no permissions in that namespace.

Impersonating another subject

kubectl auth can-i becomes genuinely powerful when you combine it with --as. This lets you check another subject’s permissions without logging in as them.

kubectl auth can-i get pods --as system:serviceaccount:default:my-app

The --as value for a ServiceAccount follows the format system:serviceaccount:<namespace>:<name>. This is the exact identity string the API server uses internally when a ServiceAccount makes a request.

Why does this work? The --as flag sends an Impersonate-User header with the request. The API server runs a full RBAC evaluation as if the request came from that subject. Your own identity is not used for the permission check. This requires that you have impersonation permission yourself (which admin users typically do).

kubectl auth can-i delete nodes --as system:serviceaccount:default:my-app

When kubectl auth can-i returns no, that means the action will result in a 403 Forbidden error if the subject actually attempts it. But no does not tell you which Role is missing or why. It only tells you the effective result. To understand why, you need to trace back through the RoleBindings and ClusterRoleBindings that apply to the subject. kubectl auth can-i --list --as <subject> is the fastest way to see the complete picture.

Quiz

You created a ClusterRoleBinding that gives ServiceAccount monitor in namespace tools the view ClusterRole. How do you verify that monitor can list Secrets in the production namespace?

Try it: kubectl auth can-i list secrets --namespace production --as system:serviceaccount:tools:monitor

Reveal answer

The view ClusterRole does not include Secrets. The output should be no. The view built-in ClusterRole explicitly excludes Secrets to avoid accidentally granting broad secret access. To allow listing Secrets, you need a separate Role or ClusterRole that explicitly includes secrets in its rules.

Impersonating a user or group

The --as flag also works for users and groups. For a user named alice:

kubectl auth can-i get pods --as alice

For a group (as used in certificate O fields):

kubectl auth can-i get pods --as-group developers

This is useful when you want to verify that a certificate-based user, before they receive their credentials, will have the access they need.

The combination of kubectl auth can-i --list and impersonation gives you a complete testing toolkit. Before deploying any ServiceAccount-powered application, run a quick permission check. Before handing credentials to a new team member, verify their access profile. The next lesson wraps the RBAC module with the principles that keep permission policies maintainable and secure over time.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course