Learn Kubernetes.
From Pods to production.

You'll learn

• The problem containers don't solve alone
• Declarative vs. imperative orchestration
• When K8s is the wrong answer

You'll learn

• API server, scheduler, controller manager, etcd, kubelet
• The reconcile loop, explained plainly
• How nodes join and leave

You'll learn

• Shared network & IPC namespaces
• Init containers & sidecars (with real examples)
• Pod phases and when you actually care

You'll learn

• What's scoped vs. cluster-wide
• When to split by team, env, or app
• ResourceQuota basics

You'll learn

• Equality- vs. set-based selectors
• Recommended label conventions (app.kubernetes.io/*)
• When to reach for an annotation

You'll learn

• Kubeconfig: contexts, clusters, users
• JSONPath, go-template, and -o wide
• Debug commands you wish you knew sooner

You'll learn

• Choosing kind vs. minikube vs. k3d
• Multi-node clusters on one laptop
• Loading local images without a registry

You'll learn

• apiVersion, kind, metadata, spec, status
• kubectl apply semantics & last-applied
• Kustomize vs. Helm vs. raw manifests

You'll learn

• How ReplicaSets underpin every Deployment
• Configure rolling update speed with maxSurge & maxUnavailable
• Roll back to any previous revision in one command
• Scale declaratively and with HPA

You'll learn

• Why databases need StatefulSets, not Deployments
• Per-pod PVCs via volumeClaimTemplates
• Headless Services and stable DNS per pod
• Ordered scale-up/down and partition-based rollouts

You'll learn

• When DaemonSets beat Deployments for infrastructure agents
• Target specific nodes with nodeSelector and affinity
• Tolerate tainted control-plane and not-ready nodes
• Host network, hostPath, and why they require care

You'll learn

• How Jobs differ from Deployments — completions, not replicas
• Parallel batch processing with parallelism + completions
• backoffLimit, activeDeadlineSeconds, and cleanup
• CronJob schedule syntax and concurrency policies

You'll learn

• How requests drive scheduling and limits cap runtime usage
• CPU throttling vs memory OOMKill — the asymmetry that matters
• QoS classes and eviction order under memory pressure
• LimitRange defaults and ResourceQuota namespace caps

You'll learn

• The HPA control loop and scaling formula
• Why CPU requests are required for HPA to work
• Scale-up/down behavior and stabilisation windows
• Custom metrics via prometheus-adapter

You'll learn

• Why liveness, readiness, and startup solve different problems
• httpGet, tcpSocket, exec, and gRPC mechanisms
• How readiness probes gate rolling updates
• The five most dangerous probe misconfiguration patterns

You'll learn

• How kube-proxy rewrites traffic via iptables DNAT rules
• ClusterIP for internal, NodePort for dev, LoadBalancer for cloud
• ExternalName DNS aliases and headless Services for StatefulSets
• Inspect endpoints to debug traffic routing

You'll learn

• Why Ingress beats a LoadBalancer per service
• How the Ingress Controller reads rules and routes traffic
• Host-based and path-based routing with pathType
• TLS termination, cert-manager, and annotation pitfalls

You'll learn

• How CoreDNS resolves short names using search domains
• Service FQDN: <svc>.<ns>.svc.cluster.local
• Headless services return per-pod A records instead of a VIP
• ndots:5 and why it causes extra lookups for external names

You'll learn

• Why pods are fully open by default and how to close them down
• podSelector, namespaceSelector, and ipBlock filtering
• AND vs OR in from/to lists — the indentation trap
• Default-deny pattern and DNS egress gotcha

You'll learn

• Why Ingress annotation sprawl led to Gateway API
• Three-layer ownership: cluster admin, infra team, app team
• Traffic splitting with weights for canary deployments
• HTTPRoute, GRPCRoute, TCPRoute — protocols beyond HTTP

You'll learn

• The Kubernetes flat networking model and why CNI implements it
• Per-node IPAM subnets and how pod IPs are allocated
• VXLAN overlay vs BGP underlay — tradeoffs
• Flannel (simple), Calico (policy), Cilium (eBPF + observability)

You'll learn

• spec.volumes declarations and container volumeMounts wiring
• emptyDir for sidecar log-shipping and shared scratch space
• ConfigMap/Secret volumes update live; env vars don't
• subPath mounts and why they break live-reload

You'll learn

• PV/PVC binding: storageClass, accessMode, capacity must all match
• Reclaim policies — Retain keeps the disk; Delete removes it
• RWO allows multiple pods same-node; use RWOP for true exclusivity
• Released PVs need claimRef cleared before they rebind

You'll learn

• Dynamic provisioning: StorageClass calls cloud API, creates PV automatically
• WaitForFirstConsumer prevents EBS/PD cross-AZ scheduling failures
• Default reclaimPolicy is Delete — dangerous for production databases
• allowVolumeExpansion: grow a PVC without downtime

You'll learn

• Volume mounts update live; env vars require pod restart
• subPath mounts don't propagate updates — avoid for live config
• Secrets are base64, not encrypted — enable etcd encryption at rest
• External Secrets Operator syncs from Vault, AWS SM, GCP SM

You'll learn

• volumeClaimTemplates give each StatefulSet pod its own PVC
• RWO disk attachment delays when a node fails (6–10 min)
• Volume snapshots: point-in-time PVC copies via CSI
• Velero for full cluster backup and namespace restore

You'll learn

• Role (namespace) vs ClusterRole (cluster-wide) and when each applies
• ClusterRole + RoleBinding = namespace-scoped from a shared template
• list secrets = reads all values; scope to resourceNames instead
• kubectl auth can-i to test permissions without guessing

You'll learn

• Three PSS levels: privileged, baseline, restricted — what each blocks
• Enforce, audit, warn modes — run all three during migration
• securityContext fields required to pass restricted level
• Migrating away from removed PodSecurityPolicy

You'll learn

• Why K8s Secrets are not secret by default
• External Secrets Operator — sync from Vault, AWS SM, GCP SM
• Sealed Secrets — encrypt for git-safe storage
• Rotation: file mounts update live, env vars do not

You'll learn

• Trivy scanning in CI — fail on CRITICAL before push
• Cosign keyless signing tied to GitHub Actions OIDC
• Kyverno policy to verify signatures at admission time
• Distroless and scratch images — reduce CVE surface to near zero

You'll learn

• Default K8s network is unencrypted and unauthenticated
• mTLS: both sides present certs — identity + encryption in one
• Istio STRICT mode — reject all plain-text pod-to-pod connections
• AuthorizationPolicy: SPIFFE identity-based layer-7 access control

You'll learn

• SLSA levels 1–4 — what each requires and gives you
• SBOMs: answer "which images have log4j?" in seconds
• Sigstore keyless signing tied to GitHub Actions OIDC identity
• Kyverno SLSA provenance attestation verification at admission

You'll learn

• Container stdout → node log file → aggregator pipeline
• Fluent Bit DaemonSet config — tail, K8s metadata filter, Loki output
• LogQL basics — stream, filter, JSON parse, rate queries
• Filter health-check noise before shipping to cut volume 20–40%

You'll learn

• Metrics Server: real-time snapshot for HPA and kubectl top
• Prometheus: time-series DB — install via kube-prometheus-stack Helm
• kube-state-metrics: deployment replicas, pod phase, node conditions
• ServiceMonitor CRD — scrape your app's /metrics without editing configs

You'll learn

• Trace = tree of spans; W3C traceparent propagates context between services
• OTel Operator injects SDK — no code changes for Java/Python/Node
• Tail sampling: always record errors and slow traces, sample the rest
• Click a log line → jump to the exact trace span in Grafana

You'll learn

• Four golden signals: rate, errors, latency, saturation as first row
• Variables for namespace/deployment — one dashboard per team
• Deploy annotations: spot if the latency spike correlates with a rollout
• ConfigMap provisioning — dashboards survive pod restarts

You'll learn

• kubectl get events — the first place to look, expires after 1h
• Alertmanager: group, route by team label, inhibit child alerts
• SLO burn-rate: page when budget burns 14× faster, not on arbitrary thresholds
• 5-step triage: what changed → where broken → pod state → resources → connectivity

You'll learn

• Kubelet can be 3 minor versions behind apiserver — workers upgrade last
• Upgrade one minor version at a time — no skipping 1.28 → 1.30
• kubeadm upgrade plan → apply → drain → node upgrade → uncordon
• Pre-upgrade: pluto for deprecated API detection, etcd snapshot

You'll learn

• Taint GPU nodes: repel non-ML pods without touching their specs
• Toleration alone doesn't guarantee placement — add nodeAffinity too
• Cluster Autoscaler: HPA creates pods → CA adds nodes to fit them
• Spot nodes: 60–90% cheaper; taint them so stateful workloads don't land

You'll learn

• ResourceQuota: namespace total cap — set 2× expected peak per team
• LimitRange: inject default requests/limits so no pod runs unbounded
• Guaranteed QoS = requests == limits — last evicted under memory pressure
• PriorityClass: production preempts batch when cluster is full

You'll learn

• PDB blocks drain if it would drop below minAvailable — drain waits, not fails
• minAvailable: 100% blocks all drains — never set this
• maxUnavailable: 0 + maxSurge: 1 = true zero-downtime rolling update
• preStop sleep: let load balancer deregister before SIGTERM hits

You'll learn

• Hub-and-spoke: one ArgoCD cluster deploys to all member clusters
• ApplicationSet: one template → one ArgoCD App per cluster automatically
• svc.cluster.local is cluster-scoped — Submariner or Istio for cross-cluster
• kubectx + merged kubeconfig for fast context switching across a fleet

You'll learn

• Git is source of truth — in-cluster agent pulls, CI never pushes
• Flux: source-controller + kustomize-controller + helm-controller
• ArgoCD: Application CRD, selfHeal reverts manual kubectl changes
• SOPS + age: encrypt secrets for git — cluster decrypts at apply time

You'll learn

• etcd snapshot + restore — full control plane state at a point in time
• Velero Schedule CRD — nightly backups with 30-day TTL to S3
• etcd restore is destructive — all state rolls back to snapshot point
• GitOps DR: new cluster + Flux bootstrap = workloads back in 20 min

You'll learn

• kubectl get mydatabase works exactly like kubectl get pods — same API
• Structural schema: type every field — enables pruning and defaulting
• Status subresource: only controllers can update status, not kubectl apply
• Printer columns: kubectl get shows Phase, Engine, Replicas, not just NAME/AGE

You'll learn

• Reconcile() must be idempotent — called any number of times safely
• Owner references: child resources GC'd automatically when CR is deleted
• Finalizers: block deletion until external cleanup (RDS, DNS) is done
• Check operatorhub.io first — cert-manager, postgres-operator already exist

You'll learn

• Mutating runs before validating — shape is final by validation time
• failurePolicy: Fail + webhook down = cluster lockout — exclude kube-system
• CEL ValidatingAdmissionPolicy: no webhook server, no TLS, no process
• cert-manager injects caBundle automatically via annotation

You'll learn

• Filter removes infeasible nodes; Score ranks the rest — Pending = all filtered
• Required affinity is a filter; preferred affinity is a score weight
• NoSchedule repels new pods; NoExecute also evicts running pods
• Topology spread: maxSkew: 1 across zones without hard per-zone limits

You'll learn

• xDS API: Istiod pushes routing config to Envoy sidecars in real time
• VirtualService: route by header, path, weight — independent of replica count
• OutlierDetection: eject backends that return 5xx — automatic circuit breaking
• Fault injection: add 500ms delay to 10% of requests without touching code

You'll learn

• GPU resources go in limits only — requests ignored by scheduler
• Time-slicing: 4 pods share 1 GPU — no memory isolation, shared VRAM
• MIG: A100 split into up to 7 isolated instances with dedicated memory
• Alert when GPU util < 10% for 30 min — expensive idle allocation

You'll learn

• Scale-to-zero: activator buffers requests during cold start (1–3s)
• Knative revision = immutable snapshot; route splits traffic across revisions
• KEDA ScaledObject: 0 → 30 pods based on Kafka lag, no code changes
• Serverless fits bursty webhooks; wrong fit for WebSocket or stateful services

You'll learn

• 6-stage API server pipeline: authn → authz → mutating → validate → validating → etcd
• Informer = List+Watch + local cache — controllers never query API directly
• Work queue deduplicates 100 updates into 1 reconcile — no API storms
• kube-proxy: DNAT in kernel netfilter — no userspace proxy involved