NetworkPolicy gotcha: all traffic allowed until first NetworkPolicy selects the Pod
kubectl explain: kubectl explain pod.spec.containers.resources — your built-in reference during the exam
1 / 5
An exam question says: "A Pod is in CrashLoopBackOff status." What does this mean?
CrashLoopBackOff is one of the most important Pod status messages in Kubernetes and appears frequently in the CKA exam.
It means the container keeps crashing immediately after start. Kubernetes restarts it automatically, but adds backoff delays: 10s, 20s, 40s, 80s... up to 5 minutes between restarts.
Common causes:
• Application code error on startup
• Missing environment variable or Secret
• Incorrect command or entrypoint
• Missing PVC or ConfigMap volume
Diagnosis command: kubectl logs <pod-name> --previous (shows logs from the crashed container)
Other important Pod statuses:
• Pending — not yet scheduled; check node resources or taints
• ImagePullBackOff — cannot pull container image; check registry credentials
• OOMKilled — out of memory; increase memory limit
• Evicted — node was under pressure, Pod removed
2 / 5
You need to allow a Pod to read Secrets in the payments namespace only. Which Kubernetes resources do you create?
Kubernetes RBAC uses four resources — and the CKA/CKAD exams test this distinction constantly:
Role — grants permissions within a single namespace
ClusterRole — grants permissions cluster-wide or to non-namespaced resources (Nodes, PVs)
RoleBinding — binds a Role (or ClusterRole) to a subject within a namespace
ClusterRoleBinding — binds a ClusterRole to a subject cluster-wide
For namespace-scoped permissions → always Role + RoleBinding. For cluster-wide permissions → ClusterRole + ClusterRoleBinding.
The subject is the ServiceAccount, User, or Group receiving the permissions.
Quick check: A ClusterRole can be used in a RoleBinding to limit a cluster-wide role to a specific namespace. But a Role can never grant cluster-wide permissions.
3 / 5
Complete the Kubernetes concept: "To ensure a Pod always runs on every node in the cluster — useful for monitoring agents like Prometheus Node Exporter — you use a _____."
A DaemonSet ensures that one copy of a Pod runs on every node (or a subset defined by node selectors). When a new node joins the cluster, Kubernetes automatically schedules the DaemonSet Pod on it. When a node is removed, the Pod is garbage collected.
Deployment — runs N replicas, typically on different nodes, but not necessarily one per node
StatefulSet — ordered, stable-identity Pods for databases and stateful applications
ReplicaSet — lower-level than Deployment; manages replicas but has no rolling update strategy
The CKA exam often asks: "how would you ensure a logging agent runs on all nodes?" → DaemonSet.
4 / 5
A question states: "The application writes to a PersistentVolumeClaim (PVC) with accessMode: ReadWriteOnce." What does ReadWriteOnce mean?
Kubernetes PersistentVolume access modes control how volumes can be mounted:
ReadWriteOnce (RWO) — can be mounted read-write by one node at a time. Multiple Pods on the same node can all use it.
ReadOnlyMany (ROX) — can be mounted read-only by many nodes simultaneously
ReadWriteMany (RWX) — can be mounted read-write by many nodes simultaneously (requires NFS, CephFS, etc.)
ReadWriteOncePod (RWOP) — can be mounted read-write by a single Pod only (K8s 1.22+)
Exam trap: RWO allows one node, not one Pod. If you deploy 3 replicas on 3 different nodes and use RWO → two Pods will be Pending because the PVC can only attach to one node.
Supported modes depend on the storage class and underlying storage provider.
5 / 5
The exam asks you to ensure Pods from team A cannot send traffic to Pods from team B. The teams use different namespaces. You need to create a _____.
NetworkPolicy is the Kubernetes resource for pod-level network traffic rules. It's a critical CKA and CKS topic.
Key concepts:
• NetworkPolicies are namespaced
• By default, Pods are non-isolated — all traffic is allowed
• Once any NetworkPolicy selects a Pod, that Pod becomes isolated. Only explicitly allowed traffic passes
• NetworkPolicies require a CNI plugin that supports them (Calico, Cilium, Weave-net)
To block team A → team B: Create a NetworkPolicy in team B's namespace. The podSelector selects team B's Pods. The ingress rules do NOT include team A's namespace in the namespaceSelector. That drops all ingress from team A.
ResourceQuota — limits CPU/memory/Pod count within a namespace
PodSecurityAdmission — controls Pod security standards (privileged, baseline, restricted)
Headless Service (ClusterIP: None) — removes load balancing, doesn't affect network traffic rules