CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

How Kubernetes Uses TLS

Kubernetes is not a single binary. It is a cluster of components, each talking to others over the network: kubectl talking to the API server, the API server talking to etcd, the kubelet talking back to the API server, the scheduler and controller manager calling the API server to watch resources. Every one of those connections is protected by TLS. That means every component has its own certificate and key pair.

The cluster CA: the root of all trust

At the center of the Kubernetes PKI is the cluster CA. When you bootstrap a cluster with kubeadm, it generates this CA and stores it on the control plane node at /etc/kubernetes/pki/ca.crt (public cert) and /etc/kubernetes/pki/ca.key (private key). Every other certificate in the cluster is signed by this CA.

kubectl get pods -n kube-system

Each pod listed there is a control plane component that holds its own certificate, signed by the cluster CA. The API server, the scheduler, the controller manager, all of them participate in the PKI topology shown above. None of them would appear here if their certificates were invalid or the CA trust chain were broken.

The kube-apiserver certificate

The API server acts as the central hub. Every other component connects to it. So the API server needs a server certificate that all clients can verify. This certificate must list every name and IP address that clients might use to reach the API server: the node’s internal IP, kubernetes, kubernetes.default, kubernetes.default.svc, and the cluster’s external endpoint if any. These entries are called Subject Alternative Names (SANs).

If the API server's certificate does not include the IP or hostname a client uses to connect, TLS verification fails even if the certificate is otherwise perfectly valid. You will see an error like x509: certificate is valid for 10.96.0.1, not 192.168.1.5. The fix is to regenerate the certificate with the correct SANs included.

Kubelet client certificates

Each kubelet needs to prove its identity to the API server. It does this using a client certificate, signed by the cluster CA, with a subject like CN=system:node:node-name, O=system:nodes. The CN and O fields are not arbitrary: they map directly to a Kubernetes username and group used for RBAC authorization. (The RBAC rules themselves are covered in the RBAC module.)

kubectl get nodes

Each node that appears in that list is a kubelet that has successfully authenticated to the API server with its client certificate. A kubelet with an expired or missing certificate cannot register, and its node disappears from the list.

Quiz

Which of the following describes why each kubelet has its own unique certificate?

All kubelets share a single certificate so the API server only needs one trusted entry
Each kubelet has its own certificate so the API server can identify which specific node is making the request
The kubelet uses the same certificate as the kube-controller-manager to reduce the number of secrets

Reveal answer

Each kubelet has its own certificate so the API server can identify which node is making the request. The CN field (system:node:<node-name>) embeds the node’s identity. A shared certificate would make individual node authorization impossible.

etcd and the API server’s client certificate

The API server is a client to etcd: it reads and writes cluster state there. That connection also requires TLS. The API server holds a separate etcd client certificate (apiserver-etcd-client.crt), signed by the etcd CA (which may be the same cluster CA or a separate one). etcd checks that certificate before allowing any reads or writes.

etcd also has its own server certificate for incoming connections. This layering matters: etcd is the single source of truth for all cluster state. It accepts connections from almost nobody, only the API server.

The front-proxy CA

There is one more CA to know: the front-proxy CA, used for the API aggregation layer. When you install an extension API server (like the metrics-server), the main API server proxies requests to it and authenticates with a front-proxy certificate. This CA is separate from the cluster CA so that aggregation layer trust is isolated from core component trust.

Quiz

If kubectl get nodes returns “Unable to connect to the server: x509: certificate has expired or is not yet valid”, what is the most likely root cause?

Reveal answer

One of the certificates in the TLS chain has passed its expiry date. Certificates created by kubeadm expire after one year by default. When the API server certificate or the CA certificate expires, every component that verifies it refuses the connection. The fix is to renew the certificates with kubeadm certs renew, though that requires access to the control plane node.

Certificate expiry: the silent failure mode

Certificates created by kubeadm expire after one year. The cluster does not warn you. Nothing shows a countdown. On day 366, every component that needs to verify a certificate fails simultaneously. The API server becomes unreachable, kubectl returns x509 errors, and the cluster appears completely broken.

This is one of the most common production failures in clusters that are not actively managed. The solution is to renew certificates before they expire, or to set up automatic rotation. In the simulator, all certificates are pre-configured as valid, so you can focus on the concepts.

kubectl get certificatesigningrequests

That command queries the Certificates API, the Kubernetes-native mechanism for requesting and approving certificates without touching the CA private key directly. Even if no CSRs are pending right now, the command confirms that the certificate machinery is reachable, which means the API server’s own certificate is valid. Lesson 05 covers this API in full.

Now that you understand which certificates exist and which component uses each one, the next lesson walks through how a client certificate is actually created from scratch, and what information goes into a certificate subject.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course