
CKA - kodekloud Practice Test - Mock Exam-2

by 2won2 2025. 7. 9.

Question 1

Create a StorageClass named local-sc with the following specifications 
and set it as the default storage class:

 - The provisioner should be kubernetes.io/no-provisioner
 - The volume binding mode should be WaitForFirstConsumer
 - Volume expansion should be enabled
  • vi a.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-sc
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: kubernetes.io/no-provisioner
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer

 

Question 2

Create a deployment named logging-deployment in the namespace logging-ns with 1 replica, 
with the following specifications:

The main container should be named app-container, use the image busybox,
and should run the following command to simulate writing logs:

sh -c "while true; do echo 'Log entry' >> /var/log/app/app.log; sleep 5; done"

Add a sidecar container named log-agent that also uses the busybox image and runs the command:

tail -f /var/log/app/app.log

log-agent logs should display the entries logged by the main app-container
  • Generate the base YAML
    • k create deploy logging-deployment -n logging-ns --image=busybox --replicas=1 --dry-run=client -o yaml > b.yaml
  • vi b.yaml
  • Use an initContainer to avoid the case where the sidecar starts first and tries to read the log file
# logger-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: logging-deployment
  namespace: logging-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: logger
  template:
    metadata:
      labels:
        app: logger
    spec:
      volumes:
        - name: log-volume
          emptyDir: {}
      initContainers:
        - name: log-agent
          image: busybox
          command:
            - sh
            - -c
            - "touch /var/log/app/app.log; tail -f /var/log/app/app.log"
          volumeMounts:
            - name: log-volume
              mountPath: /var/log/app
          restartPolicy: Always 
      containers:
        - name: app-container
          image: busybox
          command:
            - sh
            - -c
            - "while true; do echo 'Log entry' >> /var/log/app/app.log; sleep 5; done"
          volumeMounts:
            - name: log-volume
              mountPath: /var/log/app

Question 3

A Deployment named webapp-deploy is running in the ingress-ns namespace 
and is exposed via a Service named webapp-svc.

Create an Ingress resource called webapp-ingress in the same namespace
that will route traffic to the service. The Ingress must:

- Use pathType: Prefix
- Route requests sent to path / to the backend service
- Forward traffic to port 80 of the service
- Be configured for the host kodekloud-ingress.app
- Test app availability using the following command:
	- curl -s http://kodekloud-ingress.app/
  • Set ingressClassName to an arbitrary value and apply
  • Change ingressClassName to the name shown by k get ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp-ingress
  namespace: ingress-ns
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: kodekloud-ingress.app
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: webapp-svc
            port:
              number: 80

Question 4

Create a new deployment called nginx-deploy, with image nginx:1.16 and 1 replica. 
Next, upgrade the deployment to version 1.17 using rolling update.

 

Question 5

Create a new user called john. Grant him access to the cluster using a csr named john-developer. 
Create a role developer which should grant John the permission to create, 
list, get, update and delete pods in the development namespace. 
The private key exists in the location: /root/CKA/john.key and csr at /root/CKA/john.csr.


Important Note: As of kubernetes 1.19, the CertificateSigningRequest object expects a signerName.

Please refer to the documentation to see an example. 
The documentation tab is available at the top right of the terminal.
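  • Create the CertificateSigningRequest
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john-developer
spec:
  # $(...) expands only when this manifest is passed to kubectl through a shell heredoc;
  # in a file edited with vi, paste the command's output here instead.
  request: $(cat /root/CKA/john.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth # the kube-apiserver-client signer requires client auth and does not permit server auth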
  • Apply and verify
    • k apply -f yamlfile.yaml
    • k get csr -A
  • approve
    • kubectl certificate approve john-developer
  • Create the role (the scope is the development namespace, so create it as a Role)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "create", "list","update","delete"]
  • Configure the RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
# This role binding grants "john" the "developer" Role in the "development" namespace.
# You need to already have a Role named "developer" in that namespace.
kind: RoleBinding
metadata:
  name: role-bind
  namespace: development
subjects:
# You can specify more than one "subject"
- kind: User
  name: john # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: developer # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
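
The CSR and RBAC steps above as a script, added here as an example and not part of the original post: the manifest is rendered through a shell heredoc so the request substitution actually expands, and the binding is checked by impersonating john with kubectl auth can-i. The function names and the .crt output path are assumptions.

```bash
# Added example: function names are hypothetical; object names come from the task.

# Print a CertificateSigningRequest manifest for a PEM CSR file.
# The heredoc is unquoted, so ${name} and ${req} expand before kubectl reads it.
render_csr() {
  name=$1 csr_file=$2
  [ -r "$csr_file" ] || { echo "cannot read $csr_file" >&2; return 1; }
  req=$(base64 < "$csr_file" | tr -d '\n')   # request must be single-line base64
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${req}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Submit the CSR, approve it, and write the issued certificate to $3.
issue_client_cert() {
  name=$1 csr_file=$2 out=$3
  render_csr "$name" "$csr_file" | kubectl apply -f - || return 1
  kubectl certificate approve "$name" || return 1
  kubectl get csr "$name" -o jsonpath='{.status.certificate}' | base64 -d > "$out"
}

# Impersonate the user and print the verbs on pods that are NOT allowed.
# Returns non-zero if any verb is denied.
denied_verbs() {
  user=$1 ns=$2; shift 2
  denied=""
  for verb in "$@"; do
    kubectl auth can-i "$verb" pods --as "$user" -n "$ns" >/dev/null 2>&1 \
      || denied="$denied $verb"
  done
  echo "${denied# }"
  [ -z "$denied" ]
}

# Usage with the names from this question:
#   issue_client_cert john-developer /root/CKA/john.csr /root/CKA/john.crt  # .crt path is an assumption
#   denied_verbs john development create list get update delete
```

The certificate field can be empty for a moment after approval because signing is asynchronous; rerun the get if the output file is empty.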

 

Question 6

Create an nginx pod called nginx-resolver using the image nginx and 
expose it internally with a service called nginx-resolver-service. 

Test that you are able to look up the service and pod names from within the cluster. 
Use the image: busybox:1.28 for dns lookup. 
Record results in /root/CKA/nginx.svc and /root/CKA/nginx.pod
  • Create the pod
    • k run nginx-resolver --image=nginx --restart=Never
  • expose svc
    • k expose pod nginx-resolver --name=nginx-resolver-service --port=80
  • Create a temporary test pod and check with nslookup
    • k run test-pod --image=busybox:1.28 --restart=Never --rm -it -- nslookup nginx-resolver-service
  • Save the results to the files /root/CKA/nginx.svc and /root/CKA/nginx.pod
    • svc : k run test-pod --image=busybox:1.28 --restart=Never --rm -it -- nslookup nginx-resolver-service > /root/CKA/nginx.svc
    • pod : k run test-pod --image=busybox:1.28 --restart=Never --rm -it -- nslookup 172-1-1-1.default.pod > /root/CKA/nginx.pod
  • Reference docs: https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/

 

Question 7

Create a static pod on node01 called nginx-critical with the image nginx. 
Make sure that it is recreated/restarted automatically in case of a failure.

For example, use /etc/kubernetes/manifests as the static Pod path.

 

Question 8

Create a Horizontal Pod Autoscaler with name backend-hpa for the deployment named backend-deployment 
in the backend namespace with the webapp-hpa.yaml file located under the root folder.

Ensure that the HPA scales the deployment based on memory utilization,
maintaining an average memory usage of 65% across all pods.
Configure the HPA with a minimum of 3 replicas and a maximum of 15.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: backend-hpa
  namespace: backend
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: backend-deployment
  minReplicas: 3
  maxReplicas: 15
  metrics:
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 65

 

Question 9

Modify the existing web-gateway on cka5673 namespace to handle HTTPS traffic 
on port 443 for kodekloud.com, using a TLS certificate stored in a secret named kodekloud-tls.
  • After inspecting the gateway, edit port, hostname and tls under spec.listeners
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: web-gateway
  namespace: cka5673
spec:
  gatewayClassName: kodekloud
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: kodekloud.com
      tls:
        certificateRefs:
          - name: kodekloud-tls

 

Question 10

On the cluster, the team has installed multiple helm charts on a different namespace. 
By mistake, those deployed resources include one of the vulnerable images called kodekloud/webapp-color:v1. Find out the release name and uninstall it.
  • Run helm list -A, then run the following command for every Helm release
  • helm get manifest name -n namespace | grep -i webapp-color:v1
  • Uninstall the matching release
    • helm uninstall name -n namespace
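
The search above as a loop over every release, added as an example and not part of the original post. It compares each image: value exactly, so a release running webapp-color:v10 is not reported when looking for v1, which the plain grep would match. The function name is hypothetical.

```bash
# Added example: the function name is hypothetical.

# Print "release namespace" for each Helm release whose rendered manifest has an
# image: field equal to $1. Exact comparison: looking for :v1 does not match :v10.
find_releases_using_image() {
  image=$1
  # Default `helm list -A` output is a header row, then NAME NAMESPACE ... columns.
  helm list -A | awk 'NR > 1 { print $1, $2 }' | while read -r rel ns; do
    if helm get manifest "$rel" -n "$ns" </dev/null | awk -v want="$image" -v q="'" '
         $1 == "image:" || ($1 == "-" && $2 == "image:") {
           v = $NF                      # image reference is the last field
           gsub("[\"" q "]", "", v)     # drop optional YAML quotes
           if (v == want) found = 1
         }
         END { exit !found }'; then
      echo "$rel $ns"
    fi
  done
}

# Usage with the image from this question; uninstall each reported release with
#   helm uninstall <release> -n <namespace>
# find_releases_using_image kodekloud/webapp-color:v1
```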

Question 11

You are requested to create a NetworkPolicy to allow traffic from frontend apps located in the frontend namespace, to backend apps located in the backend namespace, but not from the databases in the databases namespace. There are three policies available in the /root folder. Apply the most restrictive policy from the provided YAML files to achieve the desired result. Do not delete any existing policies.
  • Review the three YAML files and find the one that meets the requirements
  • kubectl apply -f yaml