[CKA] mock exam 03

문제01

Create a new service account with the name pvviewer. Grant this Service account access to list all PersistentVolumes in the cluster by creating an appropriate cluster role called pvviewer-role and ClusterRoleBinding called pvviewer-role-binding.
Next, create a pod called pvviewer with the image: redis and serviceAccount: pvviewer in the default namespace.

• ServiceAccount: pvviewer
• ClusterRole: pvviewer-role
• ClusterRoleBinding: pvviewer-role-binding
• Pod: pvviewer
• Pod configured to use ServiceAccount pvviewer ?

[나의 풀이]

root@controlplane:~# kubectl create sa pvviewer
serviceaccount/pvviewer created

 

root@controlplane:~# cat role.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pvviewer-role
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: [ "list"]

 

root@controlplane:~# kubectl create rolebinding pvviewer-role-binding --clusterrole=pvviewer-role --serviceaccount=default:pvviewer
rolebinding.rbac.authorization.k8s.io/pvviewer-role-binding created

 

kubectl run pvviewer --image=redis --dry-run=client -o yaml > pod.yaml
vi pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pvviewer
spec:
  containers:
  - image: redis
    name: pvviewer
  serviceAccountName: pvviewer
kubectl apply -f pod.yaml

 

[정답]

Pods authenticate to the API Server using ServiceAccounts. If the serviceAccount name is not specified, the default service account for the namespace is used during a pod creation.
Reference: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Now, create a service account pvviewer:

kubectl create serviceaccount pvviewer

To create a clusterrole:

kubectl create clusterrole pvviewer-role --resource=persistentvolumes --verb=list

To create a clusterrolebinding:

kubectl create clusterrolebinding pvviewer-role-binding --clusterrole=pvviewer-role --serviceaccount=default:pvviewer

Solution manifest file to create a new pod called pvviewer as follows:

---
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: pvviewer
  name: pvviewer
spec:
  containers:
  - image: redis
    name: pvviewer
  # Add service account name
  serviceAccountName: pvviewer

 

 

문제02

List the InternalIP of all nodes of the cluster. Save the result to a file /root/CKA/node_ips.

Answer should be in the format: InternalIP of controlplane<space>InternalIP of node01 (in a single line)

 

[나의 풀이]

root@controlplane:~# kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}' > /root/CKA/node_ips

https://kubernetes.io/docs/reference/kubectl/cheatsheet/

kubectl Cheat Sheet

 

 

문제03

Create a pod called multi-pod with two containers.
Container 1, name: alpha, image: nginx
Container 2: name: beta, image: busybox, command: sleep 4800

Environment Variables:
container 1:
name: alpha

Container 2:
name: beta

• Pod Name: multi-pod
• Container 1: alpha
• Container 2: beta
• Container beta commands set correctly?
• Container 1 Environment Value Set
• Container 2 Environment Value Set

[나의 풀이]

root@controlplane:~# cat multiple-pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  containers:
  - name: alpha
    image: nginx
    ports:
    - containerPort: 80
    env:
    - name: alpha
  - name: beta
    image: busybox
    command: ["sleep", "4800"]
    env:
    - name: beta

 

[정답]

Solution manifest file to create a multi-container pod multi-pod as follows:

---
apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  containers:
  - image: nginx
    name: alpha
    env:
    - name: name
      value: alpha
  - image: busybox
    name: beta
    command: ["sleep", "4800"]
    env:
    - name: name
      value: beta

 

문제04

Create a Pod called non-root-pod , image: redis:alpine
runAsUser: 1000
fsGroup: 2000

• Pod non-root-pod fsGroup configured
• Pod non-root-pod runAsUser configured

[나의 풀이]

root@controlplane:~# cat non-root-pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: non-root-pod
  name: non-root-pod
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - image: redis:alpine
    name: non-root-pod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

 

문제05

We have deployed a new pod called np-test-1 and a service called np-test-service. Incoming connections to this service are not working. Troubleshoot and fix it.
Create NetworkPolicy, by the name ingress-to-nptest that allows incoming connections to the service over port 80.

Important: Don't delete any current objects deployed.

 

• Important: Don't Alter Existing Objects!
• NetworkPolicy: Applied to All sources (Incoming traffic from all pods)?
• NetWorkPolicy: Correct Port?
• NetWorkPolicy: Applied to correct Pod?

 

[나의 풀이]

root@controlplane:~# cat ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
spec:
  podSelector: {}
  ingress:
  - from:
    ports:
    - protocol: TCP
      port: 80
  policyTypes:
  - Ingress

 

[정답]

https://zgundam.tistory.com/196

Kubernetes Mock Exam 정리(Mock Exam 3)

연결 테스트 방법

kubectl run test-np --image=busybox:1.28 --rm -it -- sh
nc -z -v -w 2 np-test-service 80 

nc: netcat
-z: 스캔 시 사용, 연결되면 바로 닫는 용도
-v: verbose
-w secs: secs 시간 후 타임아웃

[정답]

Solution manifest file to create a network policy ingress-to-nptest as follows:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-to-nptest
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 80

 

문제06

Taint the worker node node01 to be Unschedulable. Once done, create a pod called dev-redis, image redis:alpine, to ensure workloads are not scheduled to this worker node. Finally, create a new pod called prod-redis and image: redis:alpine with toleration to be scheduled on node01.

key: env_type, value: production, operator: Equal and effect: NoSchedule

• Key = env_type
• Value = production
• Effect = NoSchedule
• pod 'dev-redis' (no tolerations) is not scheduled on node01?
• Create a pod 'prod-redis' to run on node01

[나의 풀이]

root@controlplane:~# kubectl taint nodes node01 env_type=production:NoSchedule

 

oot@controlplane:~# kubectl run dev-redis --image=redis:alpine
pod/dev-redis created

root@controlplane:~# kubectl get pods -o wide
NAME        READY   STATUS    RESTARTS   AGE     IP            NODE           NOMINATED NODE   READINESS GATES
dev-redis   1/1     Running   0          10s     10.50.0.4     controlplane   <none>           <none>
np-test-1   1/1     Running   0          5m32s   10.50.192.1   node01         <none>           <none>

 

root@controlplane:~# cat toleration.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: prod-redis
spec:
  containers:
  - name: redis
    image: redis:alpine
    imagePullPolicy: IfNotPresent
  tolerations:
  - key: "env_type"
    operator: "Equal"
    value: "production"
    effect: "NoSchedule"

 

문제07

Create a pod called hr-pod in hr namespace belonging to the production environment and frontend tier .
image: redis:alpine

Use appropriate labels and create all the required objects if it does not exist in the system already.

• hr-pod labeled with environment production?
• hr-pod labeled with tier frontend?

[나의 풀이]

root@controlplane:~# cat redis.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: hr-pod
    production: environment
    frontend: tier
  name: hr-pod
  namespace: hr
spec:
  containers:
  - image: redis:alpine
    name: hr-pod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

 

root@controlplane:~# kubectl apply -f redis.yaml 
Error from server (NotFound): error when creating "redis.yaml": namespaces "hr" not found
root@controlplane:~# kubectl create ns hr
namespace/hr created
root@controlplane:~# kubectl apply -f redis.yaml 
pod/hr-pod created

 

[정답]

Create a namespace if it doesn't exist:

kubectl create namespace hr

and then create a hr-pod with given details:

kubectl run hr-pod --image=redis:alpine --namespace=hr --labels=environment=production,tier=fro

 

문제08

A kubeconfig file called super.kubeconfig has been created under /root/CKA. There is something wrong with the configuration. Troubleshoot and fix it.

• Fix /root/CKA/super.kubeconfig

[나의 풀이]

몰라서 실패

 

[정답]

root@controlplane:~/CKA# kubectl cluster-info
Kubernetes control plane is running at https://controlplane:6443
KubeDNS is running at https://controlplane:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

 

root@controlplane:~/CKA# vim super.kubeconfig

 

9999포트를 6443 포트로 변경해준다.

 

문제09

We have created a new deployment called nginx-deploy. scale the deployment to 3 replicas. Has the replica's increased? Troubleshoot the issue and fix it.

• deployment has 3 replicas

[나의 풀이]

root@controlplane:~# kubectl scale deployment nginx-deploy --replicas=3
deployment.apps/nginx-deploy scaled

이유를 못찾겠음

 

[정답]

갯수를 보장해주는 역할을 하는 것은 kube-controller-manager

vi kube-controller-manager.yaml

contro1ler로 되어있는 잘못된 글자를 controller로 변경해준다.

 

Use the command kubectl scale to increase the replica count to 3.

kubectl scale deploy nginx-deploy --replicas=3

The controller-manager is responsible for scaling up pods of a replicaset. If you inspect the control plane components in the kube-system namespace, you will see that the controller-manager is not running.

kubectl get pods -n kube-system

The command running inside the controller-manager pod is incorrect.
After fix all the values in the file and wait for controller-manager pod to restart.
Alternatively, you can run sed command to change all values at once:

sed -i 's/kube-contro1ler-manager/kube-controller-manager/g' /etc/kubernetes/manifests/kube-controller-manager.yaml

This will fix the issues in controller-manager yaml file.
At last, inspect the deployment by using below command:

kubectl get deplo