CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

TLS and PKI Basics

Every request you send with kubectl travels over the network to the API server. How does kubectl know it is talking to the real API server and not an impostor sitting in between, intercepting your commands? How does the API server know the client is who they claim to be? The answer is TLS and a system called Public Key Infrastructure.

What TLS does

TLS (Transport Layer Security) solves two problems at once. First, it encrypts the channel so that anyone eavesdropping on the network sees only scrambled data. Second, it verifies identity: the server presents a certificate, and the client checks that certificate against a trusted authority before sending anything sensitive.

Think of it this way: when you connect to a bank website over HTTPS, your browser checks the bank’s certificate and confirms it was issued by a recognized authority. If the certificate is fake or self-signed by an unknown entity, your browser refuses the connection. kubectl does exactly the same thing when it connects to the Kubernetes API server.

Quiz

Why does encrypting the channel alone not prevent an impostor attack?

Reveal answer

Encryption protects the contents of the communication, but it does not prove who you are talking to. Without identity verification, you could establish an encrypted channel with an attacker who pretended to be the API server. TLS combines encryption with authentication, using certificates to prove the server’s identity before any data is exchanged.

Certificates, private keys, and the CA

A certificate is a document that binds an identity (a name, an IP address) to a public key. Anyone can read a certificate. The public key inside it is meant to be shared.

A private key is the counterpart to the public key. It stays secret on the server. Only the private key holder can prove they own the certificate. The math behind asymmetric cryptography ensures that what one key encrypts, only the other can decrypt. The server signs data with its private key, and anyone with the public key can verify that signature.

The remaining piece is trust. How do you know a certificate is genuine and not fabricated? That is the job of a Certificate Authority (CA). A CA is a trusted entity that signs certificates. When a CA signs your certificate, it is saying: “I have verified that this public key belongs to this identity.” If you trust the CA, you trust any certificate it has signed.

This chain is why the CA’s private key is the most sensitive asset in the whole system. A compromised CA can produce forged certificates for any identity. In Kubernetes, the cluster CA is what the entire PKI depends on.

The TLS handshake

When kubectl connects to the API server, both sides perform a handshake before any Kubernetes data flows. The server sends its certificate. kubectl checks that the certificate was signed by a CA it trusts (the cluster CA, whose public certificate is stored in your kubeconfig). If the check passes, both sides agree on an encryption key for the session, and the channel becomes private.

kubectl cluster-info

Run that command and observe: if the TLS handshake succeeds, you get back the API server URL and the CoreDNS address. If the certificate is expired or untrusted, kubectl refuses the connection and prints an x509 error instead.

Quiz

Why does trusting the CA mean you automatically trust any certificate it signed?

Reveal answer

Because the CA’s signature on a certificate is mathematically verifiable. A certificate contains the CA’s cryptographic signature over the certificate’s contents. Verifying that signature requires only the CA’s public key, which is public and shareable. A certificate cannot be forged without access to the CA’s private key. If you trust the CA’s public key, any certificate carrying a valid signature from that key is genuine.

A certificate up close

To make this concrete, here is what a certificate looks like in a Kubernetes-adjacent format. Tools like cert-manager use a CertificateRequest object to represent a request for a signed certificate:

# illustrative only
apiVersion: cert-manager.io/v1
kind: CertificateRequest
metadata:
  name: developer-cert-request
spec:
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
  request: <base64-encoded-CSR>
  usages:
    - client auth

The request field contains a Certificate Signing Request (CSR), which carries the identity and public key. The issuer (the CA) receives that request, verifies it, and returns a signed certificate. You will see how Kubernetes handles this natively in the last lesson of this module.

kubectl get nodes

If the cluster’s TLS certificates are all valid, this returns your node list. If any certificate in the chain is expired or malformed, the command fails before it reaches Kubernetes. That is the concrete cost of a broken PKI: the cluster becomes unreachable.

The cluster CA is not the same as a public internet CA (like Let's Encrypt). It is a private CA generated when the cluster is bootstrapped, trusted only within the cluster. Its certificate is distributed to every component that needs to verify others.

TLS and PKI are the foundation that every other security feature in Kubernetes builds on. With those concepts established, the next lesson maps out exactly which certificates exist in a Kubernetes cluster and which component uses each one.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course