CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

What Are Admission Controllers

A developer runs kubectl apply -f pod.yaml. The API server checks who they are (authentication) and whether they are allowed to create a Pod (authorization). Both checks pass. But the Pod spec has no resource limits, runs as root in a privileged container, and pulls an image from an unknown registry. Nothing in authentication or authorization catches any of that. How does the cluster stop this Pod from being stored and scheduled?

That is exactly the problem admission controllers solve.

Where admission controllers sit

Admission controllers are plugins compiled into the kube-apiserver. They intercept every API request after authentication and authorization succeed, but before the object is written to etcd. They are the last gate before persistence.

The pipeline always runs in this order. First every mutating controller runs, then every validating controller runs. If any validating controller rejects the request, the entire operation fails and the object is never stored.

You can see which admission plugins your cluster is running right now:

kubectl get pods -n kube-system

Find the kube-apiserver Pod, then inspect it:

kubectl describe pod kube-apiserver-controlplane -n kube-system

Look for the --enable-admission-plugins flag in the Command section of the output. That list tells you exactly which controllers are active.

Two distinct jobs: mutate and validate

An admission controller can do two different things. A mutating controller modifies the object before it is stored. It might inject a default resource limit that was missing, add a label, or insert a sidecar container. The object that reaches etcd is not the same object the user submitted.

A validating controller can only approve or reject. It sees the object after all mutations have been applied, but it cannot change anything. If it does not like what it sees, it returns a rejection with a reason.

Quiz

What is the key difference between a mutating and a validating admission controller?

Reveal answer

A mutating controller can change the object before it is stored, for example injecting a sidecar or setting default values. A validating controller can only approve or reject. It cannot change anything. Mutating runs first, so validating always sees the final, patched version of the object.

Built-in controllers worth knowing

Kubernetes ships with dozens of admission controllers. A few appear constantly in CKA scenarios and production clusters.

LimitRanger watches for Pods and containers that declare no resource requests or limits. When it finds one, it injects the defaults defined in a LimitRange object in the same namespace. Without LimitRanger, a Pod with no limits could consume all memory on a node.

ResourceQuota checks that creating or updating a resource does not exceed the quota defined in the namespace. If a namespace has a quota of 10 CPUs and a new Pod would push it to 11, ResourceQuota rejects the request before anything reaches etcd.

NamespaceLifecycle prevents resources from being created in a namespace that is currently terminating. Without it, a race condition could let new objects slip into a namespace that the garbage collector is trying to clean up.

PodSecurity enforces Pod Security Standards at the namespace level. A namespace can be labelled with a profile (baseline, restricted) and PodSecurity rejects any Pod that does not conform. The next module covers this in full.

kubectl get namespaces

Labels on namespaces are how PodSecurity and other controllers know which policy to apply. You can inspect them:

kubectl describe namespace default

Not all admission controllers are enabled by default. The set of active controllers depends on the Kubernetes version and how the cluster was bootstrapped. Never assume a controller is running without verifying it in the API server flags. The next lesson shows how to check and change that list.

Quiz

A Pod is submitted with no resource limits. Which built-in admission controller injects default limits, and what must already exist in the namespace for it to do so?

Try it: kubectl describe namespace default

Reveal answer

LimitRanger injects defaults. It reads them from a LimitRange object in the same namespace. If no LimitRange exists, LimitRanger has no defaults to inject and does nothing, even if the plugin is enabled.

Admission controllers are the enforcement layer between a valid API request and persisted cluster state. You now understand where they sit in the pipeline, what mutating and validating mean, and which built-in controllers matter most for CKA preparation. The next lesson shows how to enable and disable these controllers by editing the kube-apiserver configuration, and how to inspect the current active set on any cluster.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course