Kubernetes CKA Configuration: Master Core Concepts with Flashcards

Q: What is the difference between ConfigMaps and Secrets in Kubernetes configuration?

ConfigMaps and Secrets both store configuration data but serve different purposes. ConfigMaps store non-sensitive data like application properties, feature flags, or settings files as plain text in YAML. Secrets store sensitive information like passwords, API tokens, or TLS certificates using base64 encoding. Note: base64 is encoding, not encryption. Enable encryption-at-rest in production for real security. Both resources support two mounting approaches: mount as volumes or inject as environment variables. The key distinction is intent and security level. Use ConfigMaps for non-sensitive configuration and Secrets for sensitive information. For CKA exams, know how to create both via kubectl commands and understand that modifying ConfigMaps doesn't automatically restart Pods using them via volumes. Pods see stale data until manual restart.

Q: How do resource requests and limits affect Pod scheduling in Kubernetes?

Resource requests and limits directly impact scheduling and runtime behavior. Requests define the guaranteed minimum resources a container needs. The scheduler uses requests to determine if a node has sufficient capacity for the Pod. If a Pod's total requests exceed available resources on all nodes, the Pod enters Pending status indefinitely. Limits define maximum resource consumption. Containers exceeding memory limits are terminated. Containers exceeding CPU limits experience throttling, not termination. If you don't specify requests, the scheduler has no constraint information and may overcommit nodes, causing resource starvation. Properly configured requests and limits improve cluster stability. For CKA exams, understand that requests affect scheduling (placement) while limits affect runtime behavior (enforcement). Both must be specified together for effective resource management. ResourceQuotas complement this by enforcing namespace-level limits on total resource consumption.

Q: What are NetworkPolicies and how do they secure Kubernetes clusters?

NetworkPolicies are Kubernetes resources controlling traffic flow between Pods at the network layer. They implement microsegmentation and zero-trust security by restricting Pod communication. By default, all Pods can communicate with all other Pods. A NetworkPolicy defines ingress and egress rules using label selectors to target specific Pods and allow or deny traffic. Example: a NetworkPolicy allows only frontend Pods to send traffic to backend Pods on port 8080, blocking all other connections. Ingress rules default-deny unless explicitly allowed. You can combine pod selectors with namespace selectors for cross-namespace communication. NetworkPolicies require a compatible CNI plugin like Calico or Cilium. For CKA exams, understand that policies operate on Pods matching the policy's selector. Design NetworkPolicies by understanding your application architecture to identify trust boundaries between services.

By FluentFlash Research Team·Updated 2026-04-30

The Certified Kubernetes Administrator (CKA) exam heavily tests configuration management. This domain covers declarative YAML manifests, ConfigMaps, Secrets, resource quotas, network policies, and RBAC settings that secure and scale production clusters.

Configuration requires memorizing YAML syntax, API resource fields, and kubectl commands under exam pressure. Flashcards break down these complex concepts into bite-sized cards, helping you build muscle memory for common patterns.

By studying configuration with spaced repetition, you rapidly recall solutions when exam questions require quick, accurate cluster setup.

Key Takeaways

•Kubernetes configuration uses declarative YAML with consistent structure: apiVersion, kind, metadata, and spec fields defining desired state for Pods, Deployments, Services, ConfigMaps, and Secrets.
•ConfigMaps store non-sensitive configuration, Secrets store sensitive data with base64 encoding. Both mount as volumes or environment variables, but ConfigMaps don't trigger Pod restarts when updated.
•Resource requests guarantee minimum resources for scheduling decisions, limits enforce maximum usage. Both must be specified for effective resource management and proper Pod placement on nodes.
•RBAC secures Kubernetes using Roles and ClusterRoles defining permissions, with RoleBindings and ClusterRoleBindings connecting them to users and service accounts with specific verbs and resources.
•NetworkPolicies implement zero-trust security by restricting Pod-to-Pod traffic using ingress and egress rules with label selectors, requiring compatible CNI plugins like Calico.
•CKA configuration questions combine multiple concepts (creating service accounts, defining RBAC, mounting Secrets, setting resource limits) requiring comprehensive understanding of component interactions.

Core Configuration Resources and YAML Structure

Kubernetes relies on declarative YAML manifests that define desired state for cluster resources. Every manifest requires four foundational fields: apiVersion, kind, metadata, and spec.

Essential Resources for CKA

Master these core resources:

Pods: Smallest deployable units containing containers with image, ports, and resource specifications
Deployments: Manage Pod replicas through ReplicaSets with rolling updates
Services: Provide stable networking endpoints using selectors
ConfigMaps: Store non-sensitive key-value configuration data
Secrets: Store sensitive data like passwords and tokens in base64 encoding
PersistentVolumes: Cluster storage resources independent of Pod lifecycle
PersistentVolumeClaims: Pod requests for persistent storage

How Resources Interact

Exam questions test resource relationships. A Deployment references a Pod template that may reference ConfigMaps and Secrets for configuration. Understanding these connections helps you answer scenario-based questions.

YAML Mastery Through Flashcards

Practicing YAML syntax via flashcards internalizes field names, valid values, and indentation rules. You avoid documentation lookups during the exam, saving precious time.

ConfigMaps and Secrets: Storing Application Configuration

ConfigMaps and Secrets separate configuration from container images. This lets the same image run across different environments without rebuilding.

ConfigMaps: Non-Sensitive Data

ConfigMaps store application properties, feature flags, and configuration files. Create them using three approaches:

Literal values: kubectl create configmap myconfig --from-literal=key=value
Files: kubectl create configmap myconfig --from-file=path/to/file
Directories: kubectl create configmap myconfig --from-file=path/to/directory

Pods mount ConfigMaps as environment variables or volumes for runtime access.

Secrets: Sensitive Data

Secrets store passwords, API tokens, and certificates using base64 encoding (not encrypted by default). Common types include:

Opaque: Arbitrary sensitive data
docker-registry: Container registry credentials
tls: Certificate and key pairs

Create Secrets with: kubectl create secret generic mysecret --from-literal=password=secret123

Mounting Both Resources

Exam scenarios test mounting both ConfigMaps and Secrets correctly. Mount ConfigMaps as volumes at specific paths, or inject as environment variables using valueFrom with configMapKeyRef. Same approach applies to Secrets.

Critical detail: Modifying ConfigMaps does not automatically restart Pods using them via volumes. Kubernetes doesn't watch for changes, so applications see stale data until manual Pod restart.

Resource Requests, Limits, and Namespace Quotas

Resource management appears extensively in CKA exams. Every Pod container should define requests and limits for CPU and memory.

Requests vs. Limits

Requests represent minimum guaranteed resources. The scheduler uses requests to place Pods on nodes with sufficient capacity. Without requests, the scheduler cannot constrain placement.

Limits define maximum resource usage. Containers exceeding memory limits face OOMKilled termination. Containers exceeding CPU limits experience throttling, not termination.

CPU uses millicores (1000m equals 1 full CPU). Memory uses bytes with units like Mi (mebibytes) and Gi (gibibytes). Example: a container with requests of 100m CPU and 128Mi memory, limits of 500m CPU and 256Mi memory.

ResourceQuotas and LimitRanges

ResourceQuotas enforce resource usage across entire namespaces. A quota might limit a namespace to 10 total CPUs and 20Gi memory across all Pods.

LimitRanges provide per-container or per-Pod constraints. You can enforce minimum requests of 50m CPU and maximum limits of 2 CPU per container.

Critical Interaction

ResourceQuotas require containers to specify requests. Containers without requests may not schedule on constrained nodes. CKA exams test creating these resources via YAML and diagnosing scheduling failures from insufficient resources.

Flashcards help memorize specific API fields: requests, limits, cpu, memory, and unit conventions for each resource type.

RBAC: Role-Based Access Control Configuration

Role-Based Access Control (RBAC) secures Kubernetes by restricting actions for users, service accounts, and applications.

Four Primary RBAC Resources

The CKA exam requires understanding these resources:

Role: Namespace-scoped permissions defining allowed verbs on resources
ClusterRole: Cluster-wide permissions for cluster-scoped resources or all namespaces
RoleBinding: Connects a Role to subjects (users, groups, service accounts) within a namespace
ClusterRoleBinding: Connects ClusterRoles to subjects cluster-wide

Permission Structure

Roles specify three components in rules:

apiGroups: Empty string for core API, "apps" for Deployments
resources: pods, deployments, services, etc.
verbs: create, get, list, watch, update, patch, delete

Example: a developer Role allows create, get, list, and watch on Pods but denies deletion.

Service Accounts and Bindings

Service accounts are Kubernetes identities for applications. Every Pod runs with a service account. You can mount the account's authentication token to allow Pod applications to call the Kubernetes API.

Typical exam pattern: create a ServiceAccount, define a ClusterRole with specific permissions, create a RoleBinding granting that role to the service account.

Verification and Testing

Test permissions with: kubectl auth can-i create pods --as=system:serviceaccount:default:myapp-sa. This command verifies if a service account has specific permissions.

Flashcards help memorize RoleBinding YAML structure and RBAC verb syntax.

Network Policies and Security Best Practices for Configuration

NetworkPolicies control traffic flow between Pods at the network layer, implementing zero-trust security. By default, Kubernetes allows all Pod-to-Pod communication.

How NetworkPolicies Work

NetworkPolicies use label selectors to target Pods and specify allowed traffic. They implement ingress rules (incoming traffic) and egress rules (outgoing traffic).

Example: create a NetworkPolicy allowing only frontend Pods to send traffic to backend Pods on port 5432, blocking all others.

Ingress rules define which source Pods or external IPs can reach targeted Pods. Egress rules define where Pods can send traffic. If you specify ingress rules, all other ingress traffic is denied by default.

Critical Requirement

NetworkPolicies require a compatible container networking interface (CNI) like Calico or Cilium. They don't work with the default kubelet networking. This is essential for exam scenarios.

Broader Security Configuration

Beyond NetworkPolicies, secure configuration involves:

Define resource requests and limits to prevent resource exhaustion attacks
Use RBAC to restrict API access
Implement PodSecurityStandards to enforce container constraints (non-root users, no privileged containers)
Use Secrets with encryption-at-rest enabled for sensitive data
Set security context fields in Pod specs to control privileges, user ID, and filesystem permissions

Exam scenarios combine multiple concepts requiring you to secure entire application deployments across these layers.

Start Studying Kubernetes CKA Configuration

Master ConfigMaps, Secrets, RBAC, NetworkPolicies, and resource management with interactive flashcards. Break down complex configuration concepts into digestible cards, build command-line muscle memory, and pass your CKA exam with confidence.

Create Free Flashcards

Frequently Asked Questions

What is the difference between ConfigMaps and Secrets in Kubernetes configuration?

ConfigMaps and Secrets both store configuration data but serve different purposes. ConfigMaps store non-sensitive data like application properties, feature flags, or settings files as plain text in YAML.

Secrets store sensitive information like passwords, API tokens, or TLS certificates using base64 encoding. Note: base64 is encoding, not encryption. Enable encryption-at-rest in production for real security.

Both resources support two mounting approaches: mount as volumes or inject as environment variables. The key distinction is intent and security level. Use ConfigMaps for non-sensitive configuration and Secrets for sensitive information.

For CKA exams, know how to create both via kubectl commands and understand that modifying ConfigMaps doesn't automatically restart Pods using them via volumes. Pods see stale data until manual restart.

How do resource requests and limits affect Pod scheduling in Kubernetes?

Resource requests and limits directly impact scheduling and runtime behavior. Requests define the guaranteed minimum resources a container needs. The scheduler uses requests to determine if a node has sufficient capacity for the Pod.

If a Pod's total requests exceed available resources on all nodes, the Pod enters Pending status indefinitely. Limits define maximum resource consumption. Containers exceeding memory limits are terminated. Containers exceeding CPU limits experience throttling, not termination.

If you don't specify requests, the scheduler has no constraint information and may overcommit nodes, causing resource starvation. Properly configured requests and limits improve cluster stability.

For CKA exams, understand that requests affect scheduling (placement) while limits affect runtime behavior (enforcement). Both must be specified together for effective resource management. ResourceQuotas complement this by enforcing namespace-level limits on total resource consumption.

How do I create and apply RBAC configurations for service accounts in Kubernetes?

RBAC configuration for service accounts involves three steps: create a ServiceAccount, define a Role or ClusterRole with permissions, and create a RoleBinding connecting them.

Step 1: Create a service account using kubectl create serviceaccount myapp-sa.

Step 2: Define a ClusterRole in YAML with desired permissions. Specify apiGroups, resources, and verbs allowed. Example: allow create, get, list on Pods.

Step 3: Create a RoleBinding in your namespace specifying the ClusterRole and the ServiceAccount as the subject. Pods using this service account inherit its permissions.

For CKA exams, practice both imperative commands and declarative YAML approaches. Verify permissions using: kubectl auth can-i create pods --as=system:serviceaccount:default:myapp-sa. Remember that service accounts are namespace-scoped, so RoleBindings must be in the correct namespace.

Why are flashcards effective for studying Kubernetes CKA configuration topics?

Flashcards excel for CKA configuration because this domain involves memorizing command syntax, YAML field names, API conventions, and resource relationships under time pressure.

Active recall strengthens memory retention compared to passive reading. Flashcards force you to retrieve information from memory, simulating exam conditions. Spaced repetition reviews difficult concepts more frequently, improving retention.

For configuration specifically, create cards like: "What fields must every Kubernetes resource include?" or "What kubectl command creates a ConfigMap from a file?" Kubernetes configuration involves many edge cases and specific details that flashcards capture efficiently.

Flashcards are portable, enabling study during commutes or breaks. Combine flashcards with hands-on practice in a real cluster for comprehensive exam preparation. This combination reinforces syntax and muscle memory.

What are NetworkPolicies and how do they secure Kubernetes clusters?

NetworkPolicies are Kubernetes resources controlling traffic flow between Pods at the network layer. They implement microsegmentation and zero-trust security by restricting Pod communication.

By default, all Pods can communicate with all other Pods. A NetworkPolicy defines ingress and egress rules using label selectors to target specific Pods and allow or deny traffic.

Example: a NetworkPolicy allows only frontend Pods to send traffic to backend Pods on port 8080, blocking all other connections. Ingress rules default-deny unless explicitly allowed. You can combine pod selectors with namespace selectors for cross-namespace communication.

NetworkPolicies require a compatible CNI plugin like Calico or Cilium. For CKA exams, understand that policies operate on Pods matching the policy's selector. Design NetworkPolicies by understanding your application architecture to identify trust boundaries between services.