CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Token Projection and Automount

You know that Pods authenticate using ServiceAccounts. But how does the token actually get into the Pod? It is not injected by magic. Kubernetes mounts it as a set of files inside every container’s filesystem, automatically, every time a Pod starts with a ServiceAccount assigned.

What Kubernetes injects

When a Pod is created with a ServiceAccount, Kubernetes automatically adds a projected volume to the Pod spec. That volume is mounted inside every container at a fixed path.

Three files always appear at that mount path. The token file holds the JWT the container uses to authenticate to the API server. The ca.crt file holds the cluster’s certificate authority certificate, which the container uses to verify the API server’s TLS identity. The namespace file holds the name of the namespace the Pod runs in. Together, these three files give a container everything it needs to make authenticated API calls without any additional configuration.

Inspect a running Pod to see this in action.

kubectl get pod app-pod -o yaml

Scroll through the output and find the volumes section near the bottom. You will see an entry of type projected with a serviceAccountToken source. In the containers section, look for volumeMounts. You will find an entry mounting that projected volume at /var/run/secrets/kubernetes.io/serviceaccount.

Quiz

A container inside a running Pod wants to call the Kubernetes API. Which file in the projected volume does it present to authenticate?

Try it: kubectl get pod app-pod -o yaml

Reveal answer

It reads /var/run/secrets/kubernetes.io/serviceaccount/token. The ca.crt file is used alongside it to verify the server certificate during the TLS handshake, but the token file is the actual credential.

Describing the projected volume

The describe command shows the same information in a more readable form.

kubectl describe pod app-pod

Under the Volumes section, look for a volume of type Projected. It lists the sources: a ServiceAccountToken entry, a ConfigMap entry for the CA, and a DownwardAPI entry for the namespace name. This is the complete picture of what lands at that mount path.

Why does Kubernetes inject these files automatically instead of requiring the application to fetch a token itself? Because the injection makes applications portable. Any application that knows the standard path can authenticate without environment-specific configuration. The path is the same in every cluster, on every cloud, in this simulated cluster and in a real one.

The ca.crt file in the projected volume is the cluster's own certificate authority, not a system-wide CA. It is specific to the Kubernetes API server. Your application uses it to trust the API server's TLS certificate without relying on the system's CA bundle.

Disabling automount

Not every Pod needs to call the Kubernetes API. A Pod that serves HTTP traffic, reads from a database, and returns responses to users has no reason to carry API credentials. Leaving the token mounted in such a Pod is an unnecessary risk: if the container is ever compromised, the attacker finds a valid Kubernetes credential ready to use.

Kubernetes lets you disable the automatic token mount at the Pod level with one field.

nano no-token-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: no-token-pod
  namespace: default
spec:
  serviceAccountName: my-app
  automountServiceAccountToken: false
  containers:
  - name: app
    image: nginx:stable

kubectl apply -f no-token-pod.yaml

Now describe the Pod and look at the Volumes section.

kubectl describe pod no-token-pod

If you set automountServiceAccountToken: false on a Pod whose application actually needs to call the Kubernetes API, the application will fail at startup or at runtime with authentication errors. The token file will not exist at the expected path. Confirm whether your application makes API calls before disabling automount. When in doubt, check your application's documentation or source code for references to the KUBERNETES_SERVICE_HOST environment variable or the token file path.

You can also set automountServiceAccountToken: false on the ServiceAccount object itself. When set there, it applies as a default for all Pods that use that SA. A Pod can override the SA-level setting by declaring its own automountServiceAccountToken field.

Quiz

Why is it a good practice to set automountServiceAccountToken: false on Pods that never call the Kubernetes API?

Reveal answer

Because the token is a valid Kubernetes credential. If a container is compromised and the token is present, an attacker can use it to interact with the API server under the Pod’s ServiceAccount identity. Removing the token from Pods that have no reason to use it reduces the blast radius of any container compromise to the container itself, rather than extending it to the cluster.

With token projection and automount fully understood, you are ready to apply these mechanics to realistic workload designs. Lesson 04 walks through two practical scenarios where ServiceAccount decisions have direct security consequences.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course