- 분류 전체보기 (580)
Notice
Recent Posts
Recent Comments
Link
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
Tags
- kubectl 설치
- Linux
- 정보처리기사 실기
- Spring
- Kubernetes 자격증
- Kubernetes
- PETERICA
- minikube dashboard
- 정보처리기사 실기 기출문제
- IntelliJ
- mysql 튜닝
- k9s
- Pinpoint
- Redis 모니터링
- minikube
- CKA
- kubernetes tool
- skaffold
- 정보처리기사실기 기출문제
- MySQL
- CloudWatch
- 공부
- 기록으로 실력을 쌓자
- APM
- 쿠버네티스
- AWS EKS
- CKA 기출문제
- aws
- AWS EBS
- Java
Archives
- Today
- Total
피터의 개발이야기
[CKA] Udemy 실습문제풀이 - Mock Test 2 본문
반응형
ㅁ 들어가며
Udemy, certified-kubernetes-administrator-with-practice-tests > Mock test 과정을 정리하였습니다.
git 문제풀이 Solution
1. Take a backup of the etcd cluster and save it to /opt/etcd-backup.db
ㅇ kube doc: etcd backup 검색 > Backing up an etcd cluster
# kube doc: etcd backup > Backing up an etcd cluster 참조
ETCDCTL_API=3 etcdctl --endpoints $ENDPOINT snapshot save snapshotdb
# etcd snapshot save help 참조
$ ETCDCTL_API=3 etcdctl snapshot save -h
NAME:
snapshot save - Stores an etcd node backend snapshot to a given file
USAGE:
etcdctl snapshot save <filename>
GLOBAL OPTIONS:
--cacert="" verify certificates of TLS-enabled secure servers using this CA bundle
--cert="" identify secure client using this TLS certificate file
--command-timeout=5s timeout for short running command (excluding dial timeout)
--debug[=false] enable client-side debug logging
--dial-timeout=2s dial timeout for client connections
-d, --discovery-srv="" domain name to query for SRV records describing cluster endpoints
--endpoints=[127.0.0.1:2379] gRPC endpoints
--hex[=false] print byte strings as hex encoded strings
--insecure-discovery[=true] accept insecure SRV records describing cluster endpoints
--insecure-skip-tls-verify[=false] skip server certificate verification
--insecure-transport[=true] disable transport security for client connections
--keepalive-time=2s keepalive time for client connections
--keepalive-timeout=6s keepalive timeout for client connections
--key="" identify secure client using this TLS key file
--user="" username[:password] for authentication (prompt if password is not supplied)
-w, --write-out="simple" set the output format (fields, json, protobuf, simple, table)
# endpoint 확인
$ cat /etc/kubernetes/manifests/etcd.yaml | grep listen
- --listen-client-urls=https://127.0.0.1:2379,https://192.1.71.11:2379
# 인증서 정보 확인
$ cat /etc/kubernetes/manifests/etcd.yaml | grep file
- --cert-file=/etc/kubernetes/pki/etcd/server.crt
- --key-file=/etc/kubernetes/pki/etcd/server.key
- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
- --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
seccompProfile:
# 명령문 작성
$ ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 snapshot save /opt/etcd-backup.db \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key
Snapshot saved at /opt/etcd-backup.db
2. Create a Pod called redis-storage with image: redis:alpine with a Volume of type emptyDir that lasts for the life of the Pod.
- Pod named 'redis-storage' created
- Pod 'redis-storage' uses Volume type of emptyDir
- Pod 'redis-storage' uses volumeMount with mountPath = /data/redis
# 명령문 작성
$ k run redis-storage --image=redis:alpine --dry-run=client -o yaml > redis-storage.yaml
$ cat redis-storage.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: redis-storage
name: redis-storage
spec:
containers:
- image: redis:alpine
name: redis-storage
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
# emptyDir 문법 검색 > (emptyDir configuration example)
volumes:
- name: cache-volume
emptyDir:
sizeLimit: 500Mi
# redis-storage.yaml 완성
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: redis-storage
name: redis-storage
spec:
containers:
- image: redis:alpine
name: redis-storage
resources: {}
volumeMounts:
- mountPath: /data/redis
name: cache-volume
dnsPolicy: ClusterFirst
restartPolicy: Always
volumes:
- name: cache-volume
emptyDir: {}
status: {}
# create
$ k create -f redis-storage.yaml
pod/redis-storage createdㅇ kube doc 검색: pod volume > emptyDir. emptyDir configuration example
3. Create a new pod called super-user-pod with image busybox:1.28. Allow the pod to be able to set system_time.
- The container should sleep for 4800 seconds.
# sample yaml 생성
$ k run super-user-pod --image=busybox:1.28 --dry-run=client -o yaml > super-user-pod.yaml
$ cat super-user-pod.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: super-user-pod
name: super-user-pod
spec:
containers:
- image: busybox:1.28
name: super-user-pod
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
# security 참조 검색. security capability > Set the security context for a Container
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
# yaml 완성
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: super-user-pod
name: super-user-pod
spec:
containers:
- image: busybox:1.28
name: super-user-pod
command: ["sleep", "4800"]
securityContext:
capabilities:
add: ["SYS_TIME"]
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
# create
$ k create -f super-user-pod.yaml
pod/super-user-pod created
# pod 확인 및 describe에서 command sleep 적용확인 ㅇ 참조
- Set capabilities for a Container
4. A pod definition file is created at /root/CKA/use-pv.yaml.
Make use of this manifest file and mount the persistent volume called pv-1.
Ensure the pod is running and the PV is bound.
- mountPath: /data
# yaml 파일 확인
$ cat /root/CKA/use-pv.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: use-pv
name: use-pv
spec:
containers:
- image: nginx
name: use-pv
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
# pv 생성 여부 확인
$ k get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pv-1 10Mi RWO Retain Available 7m30s
# pvc 생성 여부 확인
$ k get pvc
No resources found in default namespace.
# sample yaml 탐색
# kube doc: pvc > Persistent Volumes > PersistentVolumeClaims 선택
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: myclaim
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 8Gi
# pvc.yaml 작성
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: my-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Mi
# create
$ k create -f pvc.yaml
persistentvolumeclaim/my-pvc created
# 확인
$ k get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
my-pvc Bound pv-1 10Mi RWO 4s
# Claims As Volumes 참조
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: myfrontend
image: nginx
volumeMounts:
- mountPath: "/var/www/html"
name: mypd
volumes:
- name: mypd
persistentVolumeClaim:
claimName: myclaim
# /root/CKA/use-pv.yaml 수정
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: use-pv
name: use-pv
spec:
containers:
- image: nginx
name: use-pv
resources: {}
volumeMounts:
- mountPath: "/data"
name: mypd
volumes:
- name: mypd
persistentVolumeClaim:
claimName: my-pvc
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}ㅇ 참조
5. Create a new deployment called nginx-deploy, with image nginx:1.16
and 1 replica. Next upgrade the deployment to version 1.17 using rolling update.
# deployment 생성
$ k create deployment nginx-deploy --image=nginx:1.16 --replicas=1
deployment.apps/nginx-deploy created
# pod 확인
$ k get pod
NAME READY STATUS RESTARTS AGE
nginx-deploy-7dc9dd795f-jdf2z 1/1 Running 0 41s
# upgrage 시작
# set image help 참조
$ k set image --help
~~
# Set a deployment's nginx container image to 'nginx:1.9.1', and its busybox container image to 'busybox'
kubectl set image deployment/nginx busybox=busybox nginx=nginx:1.9.1
~~
# 명령문 작성 및 실행
$ kubectl set image deployment/nginx-deploy nginx=nginx:1.17
deployment.apps/nginx-deploy image updated
# 확인
$ k describe deployments.apps nginx-deploy | grep 1.17
Image: nginx:1.17
6. Create a new user called john. Grant him access to the cluster.
John should have permission to create, list, get, update and delete pods in the development namespace .
The private key exists in the location: /root/CKA/john.key and csr at /root/CKA/john.csr.
- Important Note: As of kubernetes 1.19, the CertificateSigningRequest object expects a signerName.
- Please refer the documentation to see an example. The documentation tab is available at the top right of terminal.
# Create a CertificateSigningRequest 참조
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: myuser
spec:
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZVzVuWld4aE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTByczhJTHRHdTYxakx2dHhWTTJSVlRWMDNHWlJTWWw0dWluVWo4RElaWjBOCnR2MUZtRVFSd3VoaUZsOFEzcWl0Qm0wMUFSMkNJVXBGd2ZzSjZ4MXF3ckJzVkhZbGlBNVhwRVpZM3ExcGswSDQKM3Z3aGJlK1o2MVNrVHF5SVBYUUwrTWM5T1Nsbm0xb0R2N0NtSkZNMUlMRVI3QTVGZnZKOEdFRjJ6dHBoaUlFMwpub1dtdHNZb3JuT2wzc2lHQ2ZGZzR4Zmd4eW8ybmlneFNVekl1bXNnVm9PM2ttT0x1RVF6cXpkakJ3TFJXbWlECklmMXBMWnoyalVnald4UkhCM1gyWnVVV1d1T09PZnpXM01LaE8ybHEvZi9DdS8wYk83c0x0MCt3U2ZMSU91TFcKcW90blZtRmxMMytqTy82WDNDKzBERHk5aUtwbXJjVDBnWGZLemE1dHJRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBR05WdmVIOGR4ZzNvK21VeVRkbmFjVmQ1N24zSkExdnZEU1JWREkyQTZ1eXN3ZFp1L1BVCkkwZXpZWFV0RVNnSk1IRmQycVVNMjNuNVJsSXJ3R0xuUXFISUh5VStWWHhsdnZsRnpNOVpEWllSTmU3QlJvYXgKQVlEdUI5STZXT3FYbkFvczFqRmxNUG5NbFpqdU5kSGxpT1BjTU1oNndLaTZzZFhpVStHYTJ2RUVLY01jSVUyRgpvU2djUWdMYTk0aEpacGk3ZnNMdm1OQUxoT045UHdNMGM1dVJVejV4T0dGMUtCbWRSeEgvbUNOS2JKYjFRQm1HCkkwYitEUEdaTktXTU0xMzhIQXdoV0tkNjVoVHdYOWl4V3ZHMkh4TG1WQzg0L1BHT0tWQW9FNkpsYWFHdTlQVmkKdjlOSjVaZlZrcXdCd0hKbzZXdk9xVlA3SVFjZmg3d0drWm89Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
# csr base64 decord
$ cat john.csr | base64 | tr -d "\n"
# john-csr.yaml 완성
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: john-developer
spec:
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZEQ0NBVHdDQVFBd0R6RU5NQXNHQTFVRUF3d0VhbTlvYmpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0VQQURDQ0FRb0NnZ0VCQU9NQkIreHhjd0lOMDkwZUhvc1dmSDVWSmkzQzZTK0l3KzNzaW1idTEyOHFjZk9XCmd0SVJobERYT3hFdGZQUVJPbnl6akIvdTI0OFlML3hZdWptVk9jL3dEUDdZdnBjS1dsa3MrNDhjZUE4bkFwRk8KNWZZRFVlLzlFQ2ExWWtJTGs3ZCtWUExaS016TS9xOHI4WVBIR1NtV1hWUkpGWXBBN2ZZb3BmeFd0WmlrRVFRZgpsUUlUNFBVQUs5cjBGUzNIcFp1dDNsUXJqcnArWUtxczZVb3R5aUpvVTlRK3krMUpqM0lFdXlBTzJwbkFqcXV3CktHeExaamgyQ2lKcThjaUhMeFNVMzdNSkxqRWVKMnRGdkNjNEpmOGk1K1Bad0l2aE1uY1BybGtrSHc0MXVaSGMKTERWWWcwSUNPT25sSjBrWDNaY285bXN4a1FveXdiVnFIVURCN2tFQ0F3RUFBYUFBTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ09CRzhHQmxWYWE0dXEzL0pNdTMwenJqLzdSb0F0U0pKNVQ5MWVlVVpNdEdlaTMrL09PbkpFCmJwckFLM3F1NWlRb1hLSnliYXd1ODFXNUY4U2xSdzZUZWYvV04xZVVUN0lTN0V2VGlVVVlqWmNKWmdsTk5yeFUKZkNMSWdzMzZINUppeGhjRzFrKzJXTllIRlpQZFBUWG5IdCs4V29FYnFSL3RWemwzU2RFb0xJTHVXL0IyRE1yZwoxRVZXVEtCQ2dLWUp2YVg2RENBRENTb3J3VzJhdFR3akhLbk4xOWM3aXRlY1FKcHU1bytyUS9ZOFZ0Nm1TdXJVClpyUFBVUjFPTDg1Uk5xQWcwU05pdlZZOXpzclNaTWZUUlR1RUNwT2lRbmNxcjN3bzMzM3VBanFHS3Y0bHozNTcKUnVvVWU0aUJmNTloMGhjSmNXTERFTGZ3NjZ2WEtlNlAKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
# create
$ k create -f john-csr.yaml
certificatesigningrequest.certificates.k8s.io/john-developer created
# 확인 및 approve
$ k get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
csr-2sktz 85m kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:elv81r <none> Approved,Issued
csr-8w65f 85m kubernetes.io/kube-apiserver-client-kubelet system:node:controlplane <none> Approved,Issued
john-developer 66s kubernetes.io/kube-apiserver-client kubernetes-admin 24h Pending
$ k certificate approve john-developer
certificatesigningrequest.certificates.k8s.io/john-developer approvedㅇ 참조
- Create a CertificateSigningRequest
# role 생성과정
# 참조 구문 검색
$ k create role --help
~~
# Create a role named "foo" with SubResource specified
kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
~~
# role 명령문 작성
kubectl create role developer --verb=create,get,list,update,delete --resource=pods -n development
# role 적용확인
$ k describe role -n development developer
Name: developer
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [create get list update delete]
# Access 권한 확인 시 참조
$ k auth can-i get --help
~~
# Check to see if I can get the job named "bar" in namespace "foo"
kubectl auth can-i list jobs.batch/bar -n foo
~~
# Access 권한 확인
$ k auth can-i get pods -n development --as john
no
$ k auth can-i create pods -n development --as john
no
# rolebinding help
$ k create rolebinding --help
~~
# Create a role binding for user1, user2, and group1 using the admin cluster role
kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
~~
# rolebinding 작성 및 실행
$ kubectl create rolebinding john-developer --role=developer --user=john -n development
rolebinding.rbac.authorization.k8s.io/john-developer created
# 생성 확인
k get rolebindings.rbac.authorization.k8s.io -n development
NAME ROLE AGE
john-developer Role/developer 31s
# 권한 확인
$ k auth can-i get pods -n development --as john
yes
$ k auth can-i create pods -n development --as john
yes
$ k auth can-i watch pods -n development --as john
no
7. Create a nginx pod called nginx-resolver using image nginx,
expose it internally with a service called nginx-resolver-service.
Test that you are able to look up the service and pod names from within the cluster.
Use the image: busybox:1.28 for dns lookup.
Record results in /root/CKA/nginx.svc and /root/CKA/nginx.pod
# nginx-resolver 생성
$ k run nginx-resolver --image=nginx
pod/nginx-resolver created
# pod 생성확인
$ k get po
NAME READY STATUS RESTARTS AGE
nginx-resolver 1/1 Running 0 3m6s
# 서비스 연결
$ k expose pod nginx-resolver --name=nginx-resolver-service --port=80
service/nginx-resolver-service exposed
# 서비스 확인
$ k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 79m
nginx-resolver-service ClusterIP 10.111.232.12 <none> 80/TCP 68s
# busybox 생성
$ k run busybox --image=busybox:1.28 -- sleep 4000
pod/busybox created
# nslookup 실행
$ k exec busybox -- nslookup nginx-resolver-service > /root/CKA/nginx.svc
$ cat /root/CKA/nginx.svc
Server: 10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local
Name: nginx-resolver-service
Address 1: 10.111.232.12 nginx-resolver-service.default.svc.cluster.local
# pod dns 정보 확인을 위한 IP 체크
$ k get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
busybox 1/1 Running 0 5m9s 10.244.192.2 node01 <none> <none>
nginx-resolver 1/1 Running 0 10m 10.244.192.1 node01 <none> <none>
# DNS 체크
# 참조 doc: Pods A/AAAA records
# 172-17-0-3.default.pod.cluster.local
$ k exec busybox -- nslookup 10-244-192-1.default.pod.cluster.local
Server: 10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local
Name: 10-244-192-1.default.pod.cluster.local
Address 1: 10.244.192.1 10-244-192-1.nginx-resolver-service.default.svc.cluster.local
$ k exec busybox -- nslookup 10-244-192-1.default.pod.cluster.local > /root/CKA/nginx.svcㅇ 참조 doc : Pods A/AAAA records
8. Create a static pod on node01 called nginx-critical with image nginx
and make sure that it is recreated/restarted automatically in case of a failure.
- Use /etc/kubernetes/manifests as the Static Pod path for example.
# 참조 yaml 생성
$ kubectl run nginx-critical --image=nginx --restart=Always --dry-run=client -o yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx-critical
name: nginx-critical
spec:
containers:
- image: nginx
name: nginx-critical
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
$ cat > /etc/kubernetes/manifests/nginx-critical.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: nginx-critical
name: nginx-critical
spec:
containers:
- image: nginx
name: nginx-critical
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
^C
$ k get po
NAME READY STATUS RESTARTS AGE
busybox 1/1 Running 0 14m
nginx-critical-controlplane 1/1 Running 0 10s
nginx-resolver 1/1 Running 0 19m
반응형
'Kubernetes > CKA' 카테고리의 다른 글
| [CKA] Udemy 실습문제풀이 - Application Lifecycle Management (0) | 2024.01.25 |
|---|---|
| [CKA] 기출문제 - ETCD Backup and Restore (0) | 2023.12.25 |
| [CKA] Udemy 실습문제풀이 - Lightning Lab (0) | 2023.06.22 |
| [CKA] Udemy 실습문제풀이 - Mock Test 1 (0) | 2023.05.29 |
| [CKA 시험공부 노트] 9. Networking (0) | 2023.04.10 |
'Kubernetes/CKA' Related Articles
more
Comments