The information presented here were collected in November/December 2024 and were accurate at that time. However, it is possible that the KCNA content has beed been updated. Please verify the latest details from the official sources and kubernetes documentation.
| **Term** | **Description** |
|---|---|
| K8s | Kubernetes |
| CNCF | Cloud Native Computing Foundation |
| RBAC | Role Based Access Control |
| OCI | Open Container Initiative |
| CRI | Container Runtime Interface |
| CI/CD | Continuous Integration & Continuous Deployment |
During the exams, it is allowed to access the official Kubernetes documentation. Therefore, it is recommended that you study the documentation and familiarize yourself with it. [https://kubernetes.io/docs/home](https://kubernetes.io/docs/home)
**Official KCNA information pages** - [https://training.linuxfoundation.org/certification/kubernetes-cloud-native-associate](https://training.linuxfoundation.org/certification/kubernetes-cloud-native-associate) - [https://github.com/cncf/curriculum/tree/master/kcna](https://github.com/cncf/curriculum/tree/master/kcna) - [https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-strong-getting-started-strong-) - [https://landscape.cncf.io/](https://landscape.cncf.io/) **Useful courses, notes and on-hand labs** - [https://killercoda.com/](https://killercoda.com/) - [https://www.exampro.co/kcna](https://www.exampro.co/kcna) ([https://www.youtube.com/watch?v=AplluksKvzI&t=43597s](https://www.youtube.com/watch?v=AplluksKvzI&t=43597s)) - [https://github.com/bradmccoydev/Kubernetes-and-Cloud-Native-Associate-KCNA/tree/main](https://github.com/bradmccoydev/Kubernetes-and-Cloud-Native-Associate-KCNA/tree/main) - [https://www.civo.com/academy](https://www.civo.com/academy) - [https://diveinto.com/p/dive-into-cloud-native-containers-kubernetes-and-the-kcna](https://diveinto.com/p/dive-into-cloud-native-containers-kubernetes-and-the-kcna) - [https://collabnix.github.io/kubelabs/](https://collabnix.github.io/kubelabs/) - [https://labs.play-with-k8s.com/](https://labs.play-with-k8s.com/) **More helpful and interesting linksx** - [https://minikube.sigs.k8s.io](https://minikube.sigs.k8s.io/docs/start/?arch=%2Fwindows%2Fx86-64%2Fstable%2F.exe+download) - [https://k3s.io/](https://k3s.io/) - [https://kodekloud.com/pages/educational-resources/kubernetes-elements-map](https://kodekloud.com/pages/educational-resources/kubernetes-elements-map) # Kubernetes Fundamentals # Kubernetes Resources In Kubernetes, resources are like building blocks used to create and manage your cluster. Each resource is an object with metadata (such as names and labels) and a desired state that defines its behavior. All objects in Kubernetes are managed by an API and stored in the etcd database. For example, a Pod resource defines how to run a group of containers, while a Service resource manages network access to those containers. Everything you can manage with [```kubectl```](https://kubernetes.io/docs/reference/kubectl/#resource-types) or the Kubernetes API - like workloads, storage, or configuration - is a resource, making them essential for defining and controlling your cluster's behavior. The following command lists all the resources that can be managed in a Kubernetes cluster, including their names, short names, API versions, and whether they are namespaced: ```bash kubectl api-resources ``` The most relevant resources for the KCNA exam are marked red #### Resource Overview You can link to the table here ****Core Resources**** - **Pod** - **Service** - **ConfigMap** - **Secret** - **Namespace** - PersistentVolume - PersistentVolumeClaim - ServiceAccount - Binding - ComponentStatus - **Endpoints** - Event - LimitRange - PodTemplate - ReplicationController - ResourceQuota ****Workloads**** - **Deployment** - **ReplicaSet** - **DaemonSet** - StatefulSet - **CronJob** - **Job** - ControllerRevision ****Networking**** - **Ingress** - NetworkPolicy - IngressClass ****RBAC (Role-Based Access Control)**** - **Role** - **RoleBinding** - ClusterRole - ClusterRoleBinding ****Storage**** - **StorageClass** - CSIDriver - CSINode - CSIStorageCapacity - VolumeAttachment ****Admission Control**** - MutatingWebhookConfiguration - ValidatingWebhookConfiguration ****API Extensions**** - CustomResourceDefinition - APIService ****Authentication and Authorization**** - TokenReview - LocalSubjectAccessReview - SelfSubjectAccessReview - SelfSubjectRulesReview - SubjectAccessReview ****Autoscaling**** - **HorizontalPodAutoscaler** ****Certificates**** - CertificateSigningRequest ****Coordination**** - Lease ****Discovery**** - EndpointSlice ****Events**** - Event ****Flow Control**** - FlowSchema - PriorityLevelConfiguration ****Node Management**** - RuntimeClass ****Policies**** - PodDisruptionBudget - PodSecurityPolicy ****Scheduling**** - PriorityClass # Kubernetes Architecture ### **Control Plane:** 1. API Server (`kube-apiserver`) 2. etcd 3. Controller Manager (`kube-controller-manager`) 4. Scheduler (`kube-scheduler`) 5. Cloud Controller Manager (optional) ### **Node (Worker Node):** 1. Kubelet 2. Kube Proxy 3. Container Runtime (z. B. containerd, CRI-O, Docker) [](https://book.tikkle.de/uploads/images/gallery/2024-11/image.png) # Kubernetes API Kubernetes is an object based system - everything is managed and stored in objects, and it also provides the tools to manage those objects. Each object contains of three parts: 1. **Metadata**: Information about the object, like its name and labels. 2. **Specification (spec)**: What you want Kubernetes to do—your "desired state." For example, "run 3 replicas of my app." 3. **Status**: What's actually happening right now—Kubernetes updates this as it works to match the current state to the desired state. This interaction with objects happens through the Kubernetes API, which is the core interface of Kubernetes. The Kubernetes API provides a universal way for users, automation tools, and Kubernetes itself to interact with the objects stored in the system. It allows you to create, update, delete, and retrieve information about the various object resources (like Pods, Deployments, Services, etc.) within a Kubernetes cluster. [](https://book.tikkle.de/uploads/images/gallery/2024-11/image-1732368449137.png) # Containers - **What is a Container?** - Lightweight and portable. - OS-level virtualization (compared to VMs). - Runs applications and dependencies in an isolated environment. - **Container Runtime:** - OCI standards for container image format. - Examples: `containerd`, `CRI-O`, `runc`, Docker. - How Kubernetes interacts with container runtimes through the Container Runtime Interface (CRI). - **Container Images:** - Layers and image composition. - Building images using Dockerfile. - Storing and retrieving images from registries (Docker Hub, Artifact Registry, etc.). - **Container Lifecycle:** - Creation, running, stopping containers. - Restart policies in Kubernetes (Always, OnFailure, Never). - **Security:** - Image scanning and vulnerability management. - Running containers with least privilege (user ID and group). - Container isolation using namespaces and cgroups. - **Networking:** - Container Network Interface (CNI) plugins. - Port mapping and exposing services. - Container-to-container and container-to-host communication. - **Storage:** - Ephemeral storage (temporary storage for containers). - Persistent storage (using volumes in Kubernetes). - Mounting and sharing volumes between containers. # Scheduling - **What is Scheduling?** - Process of assigning Pods to Nodes in a Kubernetes cluster. - **Kubernetes Scheduler:** - The component responsible for deciding which Node a Pod should run on. - Works based on the available resources and the Pod's resource requirements. - **Node Selection:** - Factors considered by the scheduler: - CPU, memory resources. - Node affinity. - Taints and tolerations. - Pod affinity and anti-affinity. - Resource requests and limits. - **Scheduling Policies:** - Default scheduling behavior. - Priority scheduling (priority classes). - Custom scheduling policies (e.g., using `kube-scheduler` with custom rules). - **Affinity and Anti-Affinity:** - **Node Affinity:** Constraints that allow or prevent Pods from being scheduled on specific nodes. - **Pod Affinity:** Ensures that Pods are scheduled on nodes where other specific Pods are running. - **Pod Anti-Affinity:** Ensures Pods are not scheduled on the same node as other specified Pods. - **Taints and Tolerations:** - **Taints:** Applied to Nodes to prevent Pods from being scheduled unless they tolerate the taint. - **Tolerations:** Allow Pods to be scheduled on Nodes with specific taints. - **Resource Requests and Limits:** - **Requests:** Minimum amount of resources a Pod needs (scheduler uses this to place Pods). - **Limits:** Maximum amount of resources a Pod can use (enforced during execution). - **Preemption:** - When a Pod with higher priority displaces lower-priority Pods to be scheduled. - **Scheduler Extenders:** - Custom schedulers or extender mechanisms to modify default scheduling decisions. - **Pod Disruption Budgets (PDB):** - Used to manage voluntary disruptions (like upgrades) to ensure availability during disruptions. # Container Orchestration # Container Orchestration Fundamentals - **Need for Orchestration:** - Scaling applications. - Self-healing of workloads. - Load balancing. - Resource optimization. - **Kubernetes as an Orchestration Tool:** - Managing containerized workloads. - Scheduling containers on nodes. - Ensuring desired state (via Deployments, ReplicaSets). - **Core Orchestration Features in Kubernetes:** - Automatic scaling (Horizontal Pod Autoscaler). - Rolling updates and rollbacks. - Service discovery and networking. - Persistent storage management. - **Workload Orchestration Concepts:** - Pods as the smallest deployable unit. - Running multiple containers in a Pod (e.g., sidecar pattern). # Runtime 1. **What is Container Runtime?** - A container runtime is software responsible for running containers, managing their lifecycle (start, stop, execute), and interacting with the operating system to create and manage containers. 2. **Kubernetes and Container Runtime:** - Kubernetes interacts with the container runtime through the **Container Runtime Interface (CRI)**. - The container runtime is responsible for pulling container images, creating containers, running them, and managing their lifecycle on a node. 3. **Popular Container Runtimes in Kubernetes:** - **Docker** (historically the most common, though deprecated in Kubernetes as of v1.20+ in favor of other runtimes). - **containerd**: A high-performance container runtime used by Kubernetes, focused on running containers. - **CRI-O**: A lightweight container runtime specifically built for Kubernetes, adhering strictly to the Kubernetes Container Runtime Interface (CRI). - **runc**: The low-level container runtime that creates and runs containers based on the OCI (Open Container Initiative) standards; often used by containerd and CRI-O. 4. **Container Runtime Interface (CRI):** - A Kubernetes API that allows the kubelet to communicate with various container runtimes. - Ensures that Kubernetes can support multiple runtimes (e.g., Docker, containerd, CRI-O) by abstracting runtime-specific details. 5. **Runtime Features:** - **Container Image Management:** Pulling, caching, and running images. - **Container Lifecycle Management:** Starting, stopping, and cleaning up containers. - **Namespaces & Cgroups:** Providing isolation for containers (ensuring they have their own process space, network, etc.). 6. **Runtime in Kubernetes Workflow:** - **Kubelet** requests container runtimes to start or stop containers on a node. - **PodSpec** in Kubernetes specifies what containers to run; the runtime manages the execution. 7. **Runtime Security Considerations:** - Using **runtime security tools** to scan container images and ensure compliance with security standards. - Enforcing security policies through runtime, such as restricting container privileges (user IDs, rootless containers). 8. **Transition from Docker to containerd/CRI-O:** - As of Kubernetes 1.20+, **Docker** is no longer the default container runtime. - Docker is replaced with **containerd** or **CRI-O** for better integration with Kubernetes. In the **KCNA exam**, understanding how Kubernetes interacts with **container runtimes** and the different **runtime options** is essential, particularly focusing on how Kubernetes uses the **Container Runtime Interface (CRI)** to communicate with container runtimes like **containerd** or **CRI-O**. # Security ### **1. Container Security:** - **Image Scanning:** - Ensuring container images are free from vulnerabilities before deployment. - Tools like **Clair**, **Trivy**, or **Anchore** can scan for known vulnerabilities in container images. - **Immutable Images:** - Using read-only images and containers to prevent modification at runtime. ### **2. Pod Security:** - **Pod Security Policies (PSP)** (deprecated in Kubernetes 1.21, but still relevant in older versions): - Define security controls for Pods (e.g., allow or disallow privileged containers, restrict running as root, enforce read-only file systems). - Controls what actions can be performed on Pods, such as running containers as root or accessing sensitive host files. - **Pod Security Standards (PSS):** - New set of security controls for Pods replacing PSP, with three levels: **Privileged**, **Baseline**, and **Restricted**. - **Admission Controllers:** - The **PodSecurityAdmission** (PSA) admission controller enforces the Pod Security Standards (PSS). - You can configure it at the namespace level with annotations that specify which PSS level (Privileged, Baseline, Restricted) is required. ### **3. Role-Based Access Control (RBAC):** - **Roles and RoleBindings:** - Define who can access Kubernetes resources and what operations they can perform. - Granular permissions on resources like Pods, Services, ConfigMaps, and more. - **ClusterRoles and ClusterRoleBindings:** - Used for setting permissions across the entire Kubernetes cluster. ### **4. Service Accounts and Identity Management:** - **Service Accounts:** - Kubernetes uses service accounts to grant applications running in Pods permissions to access Kubernetes API resources. - **Identity and Access Management (IAM):** - Integration with external identity providers (e.g., AWS IAM, Azure AD) to control access to Kubernetes resources. ### **5. Network Security:** - **Network Policies:** - Define rules for controlling the communication between Pods (e.g., allow traffic only from specific Pods, block access from certain networks). - Ensure secure communication within the cluster. - **TLS Encryption:** - Encrypting communication between services and between Pods using **Transport Layer Security (TLS)**. - **Service Mesh (e.g., Istio):** - Provides secure communication between microservices by enforcing mTLS, along with fine-grained access control. ### **6. Secrets Management:** - **Kubernetes Secrets:** - Store sensitive information like API keys, tokens, passwords in Kubernetes resources. - Secrets can be mounted as volumes or injected as environment variables into containers. - **Encryption at Rest:** - Ensuring that Secrets and sensitive data are encrypted when stored in etcd. - **Third-Party Tools for Secret Management:** - Integration with tools like **HashiCorp Vault**, **SealedSecrets**, or **AWS Secrets Manager** for enhanced security. ### **7. Container Runtime Security:** - **Security Contexts:** - Define security settings for Pods and containers (e.g., setting user IDs, restricting privileges, setting capabilities). - **RunAsUser & RunAsGroup:** - Define the user and group ID under which a container should run, limiting privileges. - **Privilege Escalation:** - Prevent containerized applications from gaining escalated privileges (e.g., running as root). ### **8. Audit Logging:** - **Audit Logs:** - Kubernetes provides audit logs to record access and actions performed on the API server. - Helps with monitoring and detecting suspicious or unauthorized access. ### **9. Supply Chain Security:** - **Secure Supply Chain:** - Ensuring security in every step of the container supply chain, from image creation to deployment. - Using signed images (e.g., via **Notary** or **Cosign**) to ensure image integrity. ### **10. Vulnerability Management:** - **Kubernetes Security Contexts:** - Controls around running containers with restricted privileges (e.g., no access to the host network or storage). - **Runtime Security (e.g., Falco):** - Tools like **Falco** that monitor container behavior during runtime to detect security incidents like unauthorized network access or privilege escalation. # Networking