CKA

Onboarding

Welcome What Runs Here Overview of Kubernetes Certifications

Kubernetes Basics

What Is Kubernetes Cluster Architecture Overview Control Plane Components Node Components

Yaml And Objects

The Kubernetes Object Model Anatomy of a Manifest Generating Manifests from the CLI Object Names, UIDs, and DNS Rules

Kubectl Essentials

Imperative vs Declarative Viewing Resources Logs and Exec Creating and Editing Resources Delete and Cleanup Formatting Output and Tips

Pods

What Is a Pod Pod Structure Creating Your First Pod Pod Lifecycle and Phases Container Restart Policies Editing Pods

Namespaces

What Are Namespaces The Default Namespaces Working Across Namespaces When to Use Multiple Namespaces

Labels And Annotations

What Are Labels Label Selectors Annotations Recommended Labels

Cluster Architecture Deep

etcd-deep-dive kube-apiserver-internals kube-scheduler-internals kube-controller-manager container-runtime-interface

Cluster Installation

installation-options-overview kubeadm-master-node-setup kubeadm-worker-node-join high-availability-considerations

Cluster Maintenance

os-upgrades-and-drain version-skew-policy cluster-upgrade-process taint-based-evictions version-skew-and-safe-upgrade-flow

Backup And Restore

backup-strategies etcd-backup-with-etcdctl restore-from-snapshot etcdutl etcd-restore-drill-end-to-end

Commands And Args

docker-cmd-vs-entrypoint command-and-args-in-kubernetes practical-override-scenarios

Configmaps

what-is-a-configmap creating-configmaps using-via-environment-variables using-via-volume-mounts immutable-configmaps

Secrets

what-is-a-secret types-of-secrets creating-and-using-secrets encrypting-secrets-at-rest security-best-practices

Resource Management

resource-requests-and-limits how-scheduling-uses-requests what-happens-when-limits-are-exceeded qos-classes limitranges-and-resourcequotas in-place-resize-operational-considerations

Replicasets

Why ReplicaSets Creating a ReplicaSet Scaling and Self-Healing Limitations of ReplicaSets

Deployments

What Is a Deployment Creating a Deployment Rolling Updates Rollback and Revision History Update Strategies

Daemonsets

what-is-a-daemonset typical-use-cases daemonset-scheduling updating-daemonsets

Multi Container Pods

why-multiple-containers sidecar-pattern ambassador-and-adapter-patterns init-containers native-sidecar-patterns

Scheduling Basics

taints-and-tolerations node-selectors node-affinity taints-vs-node-affinity

Advanced Scheduling

manual-scheduling static-pods priority-classes multiple-schedulers scheduler-profiles

Probes

why-probes-matter liveness-probes readiness-probes startup-probes probe-types-and-configuration startup-probe-for-slow-apps

Jobs

what-is-a-job job-parallelism-and-completions backoff-and-retry cronjobs

Autoscaling

introduction-to-autoscaling horizontal-pod-autoscaler hpa-stabilization-and-behavior vertical-pod-autoscaler in-place-resize-of-pods event-driven-scaling-concepts

Statefulsets

stateful-vs-stateless statefulset-fundamentals headless-services storage-in-statefulsets ordering-and-updates

Services

Why Services Services and Endpoints ClusterIP NodePort LoadBalancer Named Ports

Dns

DNS in Kubernetes Service DNS Records Pod DNS Records DNS Debugging

Gateway API and Envoy Gateway

What Is Kubernetes Gateway API? The Controller Behind the Gateway Routing Traffic with Gateway and HTTPRoute Securing Traffic with TLS Termination Portable Traffic Manipulation with HTTPRoute Filters

Gateway Api

introduction-to-gateway-api gateway-api-structure practical-gateway-api tls-with-gateway-api mapping-ingress-to-gateway-api gatewayclass-and-controller-operations httproute-basics weighted-routing-canary

Network Policies

What Are Network Policies? NetworkPolicy Structure Ingress Rules Egress Rules Advanced NetworkPolicy Patterns

Networking Fundamentals

switching-and-routing dns-fundamentals network-namespaces docker-networking

Kubernetes Networking

cni-concepts pod-networking service-networking cluster-networking-configuration ipam cni-troubleshooting-method

Volumes

Why Volumes? emptyDir hostPath ConfigMap and Secret Volumes

Persistent Storage

PersistentVolumes and PersistentVolumeClaims Creating a PersistentVolume Creating a PersistentVolumeClaim Using PVCs in Pods Access Modes and Reclaim Policies

Storage Classes

static-vs-dynamic-provisioning what-is-a-storageclass dynamic-provisioning-in-practice container-storage-interface

Authentication

Kubernetes Security Fundamentals How Kubernetes Authenticates Identities Users vs ServiceAccounts

Service Accounts

What Is a ServiceAccount Creating and Assigning ServiceAccounts Token Projection and Automount ServiceAccount Practical Scenarios Projected ServiceAccount Tokens

Kubeconfig

What Is a Kubeconfig File Clusters, Users, and Contexts Switching Contexts Creating a Kubeconfig from Scratch

Tls Certificates

TLS and PKI Basics How Kubernetes Uses TLS Creating Certificates Viewing Certificate Details The Kubernetes Certificates API

Rbac

Authorization in Kubernetes Roles and RoleBindings ClusterRoles and ClusterRoleBindings Testing Permissions with kubectl auth can-i RBAC Best Practices

Security Contexts

Container Security: Linux Primitives Pod vs Container Security Context Running Containers as Non-Root Capabilities and Read-Only Root Filesystem

Image Security

Image Naming and Registries Pulling from Private Registries with imagePullSecrets Image Pull Policies

Admission Controllers

What Are Admission Controllers Enabling and Disabling Admission Controllers Validating Admission Webhooks Mutating Admission Webhooks

Pod Security

Pod Security Standards Pod Security Admission Practical PSS Enforcement

Logging And Monitoring

Container Logging Basics Monitoring with Metrics Server Kubernetes Events Monitoring Cluster Component Logs

Troubleshooting

troubleshooting-application-failures troubleshooting-service-connectivity troubleshooting-control-plane troubleshooting-worker-nodes systematic-debugging-methodology debug-distroless-with-kubectl-debug

Api And Versioning

api-groups api-versions api-deprecation-policy field-selectors

Custom Resources

what-are-custom-resources creating-a-crd custom-controllers operator-pattern

Helm

what-is-helm installing-helm working-with-charts values-and-configuration finding-and-using-charts

What Is a ServiceAccount

Your application is running in a Pod. It needs to list other Pods in the same namespace, so it calls the Kubernetes API. But who is making that call? Kubernetes needs to know the identity of the caller before it can decide whether to allow the request. That identity is a ServiceAccount.

Pods have an identity

Unlike human users, who are managed outside Kubernetes through certificates or external providers, workloads running inside Pods have an identity managed directly by Kubernetes. That identity is a ServiceAccount object. It lives in a namespace, just like Pods, ConfigMaps, and Services.

The flow is straightforward. The Pod carries a token that identifies it as a particular ServiceAccount. When the Pod makes an API request, the API server reads that token, resolves the identity, and passes it to the authorization layer. RBAC then decides whether that identity has permission to perform the requested action. If yes, the response comes back. If not, a 403 error is returned.

Quiz

What does a ServiceAccount represent in Kubernetes?

A human user account that developers use to access the cluster
The identity of a workload running inside a Pod
A role that grants permissions to a namespace

Reveal answer

The identity of a workload running inside a Pod. Human users have no corresponding Kubernetes object. A ServiceAccount is specifically the mechanism for Pod-level identity, not human access or permission rules.

Every namespace has a default ServiceAccount

When Kubernetes creates a namespace, it automatically creates a ServiceAccount named default inside it. Inspect the simulated cluster now to see it.

kubectl get serviceaccounts -n default

You will see one entry: default. Every Pod that does not explicitly declare a ServiceAccount is assigned this one automatically. That is a reasonable starting point, but it has consequences explored in the next lesson.

Describe it to see what it looks like at the API level.

kubectl describe serviceaccount default -n default

The output shows the name, namespace, and any associated tokens. In clusters using projected tokens (Kubernetes 1.21+), no long-lived Secret token is listed here because tokens are issued on demand. Lesson 05 covers that mechanism in detail.

Quiz

You create a new namespace called staging. Without any additional steps, how many ServiceAccounts exist in that namespace?

Reveal answer

One. Kubernetes automatically creates the default ServiceAccount whenever a namespace is created. You do not need to create it manually.

ServiceAccounts are namespaced objects

A ServiceAccount named my-app in namespace staging and one named my-app in namespace production are two entirely separate objects with independent permissions. This namespacing is by design: it lets teams control workload identities without interfering with each other.

ServiceAccounts are namespaced. RBAC permissions bound to a ServiceAccount in one namespace do not automatically apply in another. This is a useful isolation boundary for multi-team clusters.

Now run the get serviceaccounts command across all namespaces to see that the default SA exists everywhere.

kubectl get serviceaccounts -A

Every namespace in the output has its own default entry, created automatically at namespace creation time.

If you grant permissions to the default ServiceAccount in a namespace, every Pod in that namespace that does not specify an explicit ServiceAccount inherits those permissions. A developer who adds a permissive RBAC binding to default may inadvertently expose all unnamed workloads. This is one of the main reasons to always assign a dedicated ServiceAccount per application rather than relying on default.

Quiz

Why is it risky to add permissions directly to the default ServiceAccount?

Reveal answer

Because all Pods in the namespace that do not declare an explicit serviceAccountName automatically use default. Any permission granted to default is inherited by all of those Pods, including ones that have no reason to call the API. One misconfigured binding can expose an entire namespace.

You now know what a ServiceAccount is, how Pods acquire one, and why the default ServiceAccount exists in every namespace. The next lesson shows how to create a dedicated ServiceAccount for an application and assign it explicitly in the Pod spec, instead of relying on the shared default.

~>kubectl apply -f deployment.yaml

deployment.apps/nginx created

~>kubectl get pods

NAME READY STATUS RESTARTS AGE

nginx-7b4c9d8f5-xk2j 1/1 Running 0 12s

nginx-7b4c9d8f5-hn4vw 1/1 Running 0 11s

nginx-7b4c9d8f5-qp9rm 1/1 Running 0 10s

~>█

Get hands-on with Kubernetes

This lesson includes a live terminal with a simulated Kubernetes cluster. Upgrade to Pro to unlock the terminal (free during early access)

Upgrade Try the free crash course