CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

Users vs ServiceAccounts

Your application is running in a Pod. It needs to call the Kubernetes API. Your instinct might be to create a user for it. But that is not how Kubernetes works, and understanding why reveals something fundamental about how identity is modeled in the platform.

Human users have no Kubernetes object

Start with the most direct test: how do you list all users in the cluster?

kubectl get users

That command fails. There is no users resource in Kubernetes. You cannot create a user, list users, or delete a user with kubectl. A “user” in Kubernetes is just a name extracted from a verified credential at request time. When the certificate or token expires, the user is gone. Kubernetes never stored it.

This is not an oversight. It is the design: human identity is managed externally. The API server verifies a certificate or token presented by the client, extracts the identity from it, and uses that identity for authorization. It does not persist users anywhere. There is no user database.

Quiz

How do you create a Kubernetes user named alice?

kubectl create user alice
Issue a client certificate with CN=alice signed by the cluster CA
kubectl apply -f user.yaml

Reveal answer

Issue a client certificate with CN=alice signed by the cluster CA. Kubernetes has no User resource. The “user” only exists as an identity claim inside a valid credential. There is no YAML for a user, and kubectl create user does not exist.

ServiceAccounts are Kubernetes objects

For workloads running inside Pods, the model is different. Pods need a stable, auditable identity that Kubernetes itself manages, one that can be created, updated, and deleted declaratively. That is what a ServiceAccount is.

Unlike human users, ServiceAccounts are first-class Kubernetes objects. They live in a namespace, they are stored in etcd, and they can be listed:

kubectl get serviceaccounts -n default

You will see at least one entry: default. Kubernetes creates that ServiceAccount automatically in every namespace. It is always there, even before you deploy anything.

kubectl get serviceaccount default -o yaml

The output is a standard Kubernetes manifest: apiVersion, kind: ServiceAccount, metadata. A ServiceAccount is a real resource you can reference in Pod specs and RBAC rules, not an ephemeral identity extracted from a credential.

Quiz

A developer says “I cannot find the user object for the ci-bot account.” What is the most likely explanation?

Reveal answer

There is no user object. If ci-bot authenticates via a client certificate, its identity is encoded in the certificate’s CN field. Kubernetes extracted that name at request time but never stored a user object. If ci-bot is a Pod, its identity is a ServiceAccount, which is a real Kubernetes object you can find with kubectl get serviceaccount.

Why the distinction matters

The two identity types are designed for different lifecycles and different management models.

Human users change jobs, lose devices, and need credentials rotated. Those operations belong to an external system, a certificate authority, an OIDC provider, a corporate directory. Kubernetes staying out of that management makes it composable with existing infrastructure.

ServiceAccounts, by contrast, are part of the cluster itself. When you deploy an application, you create a ServiceAccount for it alongside the Deployment. When the application is removed, the ServiceAccount is removed too. The identity lifecycle is tied to the workload lifecycle.

The other key difference is scope. A ServiceAccount belongs to a namespace. Its identity, and the permissions bound to it, are explicit, auditable, and scoped. A human user can appear in any namespace, their permissions controlled by ClusterRoleBindings or multiple RoleBindings. The two models overlap at authorization time but are otherwise completely separate.

kubectl get serviceaccounts -A

Every namespace in the output has a default ServiceAccount, created automatically. Human users are nowhere in this list, because they have no objects to list.

Quiz

What is the key structural difference between a Kubernetes user and a ServiceAccount?

Reveal answer

A user has no Kubernetes object. It is a name inside a credential, verified at request time and then discarded. A ServiceAccount is a namespaced Kubernetes object stored in etcd. You can create, describe, delete, and reference it in manifests. One is ephemeral and external, the other is persistent and internal.

You now understand the two identity models Kubernetes uses and why they are separate. The next module goes deep on ServiceAccounts: how tokens are projected into Pods, how automounting works, and how to design per-application identities with minimal permissions.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course