Peter's Development Story
[CKAD] Notes on the problems I did not know while working through the Udemy practice labs
ㅁ Introduction
ㅇ While studying for the CKAD I am working through the Udemy practice labs.
ㅇ This post is a study log of the solutions to problem types I saw for the first time and problems I did not know how to solve.
ㅁ Ingress Networking - 1
You are requested to make the new application available at /pay.
Identify and implement the best approach to making this application available on the ingress controller and test to make sure it's working. Look into annotations: rewrite-target as well.
ㅇ To expose the service at the new URL, an Ingress manifest has to be written.
```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: critical-space
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /pay
        pathType: Prefix
        backend:
          service:
            name: pay-service
            port:
              number: 8282
```
ㅁ Ingress Networking - 2
The NGINX Ingress Controller requires a ConfigMap object. Create a ConfigMap object with name ingress-nginx-controller in the ingress-nginx namespace.
No data needs to be configured in the ConfigMap.
```shell
# Command that creates a ConfigMap with no data
$ k create configmap ingress-nginx-controller -n ingress-nginx
configmap/ingress-nginx-controller created
```
The NGINX Ingress Controller requires two ServiceAccounts. Create both ServiceAccount with name ingress-nginx and ingress-nginx-admission in the ingress-nginx namespace.
Use the spec provided below.
```shell
$ k create serviceaccount ingress-nginx -n ingress-nginx
serviceaccount/ingress-nginx created
$ k create serviceaccount ingress-nginx-admission -n ingress-nginx
serviceaccount/ingress-nginx-admission created
```
ㅁ Persistent Volumes
Configure a volume to store these logs at /var/log/webapp on the host.
```
# spec
Name: webapp
Image Name: kodekloud/event-simulator
Volume HostPath: /var/log/webapp
Volume Mount: /log
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  containers:
  - name: event-simulator
    image: kodekloud/event-simulator
    env:
    - name: LOG_HANDLERS
      value: file
    volumeMounts:
    - mountPath: /log
      name: log-volume
  volumes:
  - name: log-volume
    hostPath:
      # directory location on host
      path: /var/log/webapp
      # this field is optional
      type: Directory
```
Reference: hostPath configuration example
ㄴ https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-configuration-example
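A hostPath volume hands the container a piece of the node's filesystem, so it is worth checking a manifest for where it points and whether `type` is set. The following check is an added example, not code from the original post; it runs on the dict form of a Pod (`json.load` of the manifest or `kubectl get pod -o json`), and `ALLOWED_HOST_PREFIXES` and `SENSITIVE_PATHS` are assumptions chosen for this example.

```python
# Added example: audit hostPath volumes in a Pod manifest (dict form).
# Assumption for this example: only directories under /var/log may be mounted
# from the host, which is where the webapp above writes its logs.
ALLOWED_HOST_PREFIXES = ("/var/log",)
# Host locations a workload should never be given: node secrets, the container
# runtime socket and kubelet state. Assumed list for this example.
SENSITIVE_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                   "/var/lib/kubelet", "/var/run/docker.sock", "/run/containerd")

def _under(path, base):
    """True if `path` is `base` itself or lies inside the `base` directory."""
    if base == "/":
        return path == "/"
    return path == base or path.startswith(base + "/")

def hostpath_findings(pod):
    """Return a list of findings; an empty list means every hostPath passes."""
    findings = []
    for vol in pod.get("spec", {}).get("volumes", []):
        hp = vol.get("hostPath")
        if hp is None:          # emptyDir, configMap, PVC and so on are not checked here
            continue
        name, path = vol["name"], hp["path"]
        if any(_under(path, s) for s in SENSITIVE_PATHS):
            findings.append(f"{name}: hostPath {path} exposes a sensitive host location")
        elif not any(_under(path, a) for a in ALLOWED_HOST_PREFIXES):
            findings.append(f"{name}: hostPath {path} is outside the allowed prefixes")
        if not hp.get("type"):
            # With no type the kubelet performs no check that the path exists or
            # is a directory before mounting it; Directory makes the pod fail instead.
            findings.append(f"{name}: hostPath has no type; set Directory so a missing path fails the mount")
    return findings

# Constructed from the post's webapp manifest.
WEBAPP_POD = {"spec": {
    "containers": [{"name": "event-simulator", "image": "kodekloud/event-simulator",
                    "volumeMounts": [{"mountPath": "/log", "name": "log-volume"}]}],
    "volumes": [{"name": "log-volume",
                 "hostPath": {"path": "/var/log/webapp", "type": "Directory"}}]}}
```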
ㅁ Storage Class
What is the name of the Storage Class that does not support dynamic volume provisioning?
ㅇ A dynamic volume is one that is provisioned on demand by the cloud provider.
ㅇ Check whether the StorageClass has provisioner: kubernetes.io/no-provisioner.
ㅇ Dynamic Volume Provisioning
ㄴ https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/
ㅇ The PVC manifest I wrote
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: local-pvc
spec:
  storageClassName: local-storage
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 500Mi
```
ㅇ Reference: Create a PersistentVolumeClaim
ㅁ Practice test Docker Images
ㅇ How do you check the base OS of a Docker image?
What is the base Operating System used by the python:3.6 image?
```shell
$ docker run python:3.6 cat /etc/*release*
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```
ㅇ How can the Docker image be made smaller?
- modify the Dockerfile to use the python:3.6-alpine image
- build it: $ docker build -t webapp-color:lite .
ㅇ Running the container
```shell
# docker run [option] IMAGE:TAG
$ docker run -d --name=webapp -p 8383:8080 webapp-color:lite
```
ㅁ Practice Test Role Based Access Controls
ㅇ What is the cluster's authorization mode?
Problem:
Inspect the environment and identify the authorization modes configured on the cluster.
```shell
$ k get -n kube-system po kube-apiserver-controlplane -o yaml
~~~~~~~~
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.9.22.3
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC   # <++++ see this line
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
~~~~~~~~
```
ㅇ Checking the Role
Problem:
What are the resources the kube-proxy role in the kube-system namespace is given access to?
```shell
$ k get roles.rbac.authorization.k8s.io -n kube-system kube-proxy -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2024-07-31T05:09:44Z"
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "259"
  uid: 7ecffac0-3de7-4378-8139-0e7802e5c251
rules:
- apiGroups:
  - ""
  resourceNames:
  - kube-proxy
  resources:
  - configmaps   # <++++++++
  verbs:
  - get
```
ㅇ Checking the RoleBinding
Problem:
Which account is the kube-proxy role assigned to?
```shell
$ kubectl describe rolebinding kube-proxy -n kube-system
Name:         kube-proxy
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  kube-proxy
Subjects:
  Kind   Name                                             Namespace
  ----   ----                                             ---------
  Group  system:bootstrappers:kubeadm:default-node-token      <+++++++++++++
```
ㅇ --as {user}
Problem:
A user dev-user is created. The user's details have been added to the kubeconfig file. Inspect the permissions granted to the user. Check if the user can list pods in the default namespace.
Use the --as dev-user option with kubectl to run commands as the dev-user.
```shell
$ k get po --as dev-user
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "default"
```
ㅇ Creating the Role and RoleBinding
Create the necessary roles and role bindings required for the dev-user to create, list and delete pods in the default namespace.
Use the given spec:
Role: developer
Role Resources: pods
Role Actions: list
Role Actions: create
Role Actions: delete
RoleBinding: dev-user-binding
RoleBinding: Bound to dev-user
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "create", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-binding
  # a RoleBinding must live in the same namespace as the Role it references
  namespace: default
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
```
Reference: RoleBinding and ClusterRoleBinding
ㄴ https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-rolebinding
Problem:
Add a new rule in the existing role developer to grant the dev-user permissions to create deployments in the blue namespace.
Remember to add api group "apps".
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: blue
rules:
- apiGroups:
  - apps
  resourceNames:
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
```
ㅁ Practice Test Cluster Roles
What user/groups are the cluster-admin role bound to?
The ClusterRoleBinding for the role is with the same name.
```shell
$ kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters     <++++++++++
```
What level of permission does the cluster-admin role grant?
Inspect the cluster-admin role's privileges.
```shell
$ k describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
```
A new user michelle joined the team. She will be focusing on the nodes in the cluster.
Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.
```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-admin
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-binding
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-admin
  apiGroup: rbac.authorization.k8s.io
```
michelle's responsibilities are growing and now she will be responsible for storage as well. Create the required ClusterRoles and ClusterRoleBindings to allow her access to Storage.
Get the API groups and resource names from command kubectl api-resources.
Use the given spec:
ClusterRole: storage-admin
Resource: persistentvolumes
Resource: storageclasses
ClusterRoleBinding: michelle-storage-admin
ClusterRoleBinding Subject: michelle
ClusterRoleBinding Role: storage-admin
```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
```
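The Role and ClusterRole manifests above (the developer role for dev-user, the developer role in the blue namespace, and cluster-admin) are only as good as the way the RBAC authorizer matches them, and the apiGroup trap the lab warns about ("Remember to add api group apps") cuts both ways: a rule for pods under apiGroups `apps` never matches pods, which live in the core group `""`. The following is an added example, not code from the post or from Kubernetes; it models the rule-matching semantics (exact match or `*` on apiGroups, resources and verbs; resourceNames only matching requests that name an object) over the dict form that `kubectl get role -o json` returns, with the three roles constructed from the manifests above.

```python
# Added example: model of how the RBAC authorizer matches Role rules against a request.
# Roles are dicts in the shape `kubectl get role <name> -o json` returns.

def _matches(wanted, allowed):
    # "*" is a wildcard in apiGroups, resources and verbs.
    return "*" in allowed or wanted in allowed

def rule_allows(rule, api_group, resource, verb, name=None):
    """True if one PolicyRule grants `verb` on `api_group`/`resource`.

    Core-group resources such as pods have api_group "" (the empty string);
    a rule listing apiGroups ["apps"] never matches them.
    """
    if not _matches(api_group, rule.get("apiGroups", [])):
        return False
    if not _matches(resource, rule.get("resources", [])):
        return False
    if not _matches(verb, rule.get("verbs", [])):
        return False
    names = rule.get("resourceNames")
    if names:
        # A name-scoped rule only matches a request that names an object; plain
        # list, watch and create requests carry no name, so they are not granted.
        return name is not None and name in names
    return True

def role_allows(role, api_group, resource, verb, name=None):
    """True if any rule of the Role/ClusterRole grants the request."""
    return any(rule_allows(r, api_group, resource, verb, name) for r in role["rules"])

def missing_grants(role, wanted):
    """Return the (apiGroup, resource, verb) triples the role does not grant."""
    return [w for w in wanted if not role_allows(role, *w)]

# Constructed from the post's manifests.
DEVELOPER_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "create", "delete"]}]}

BLUE_DEVELOPER_ROLE = {"rules": [
    {"apiGroups": ["apps"], "resourceNames": ["dark-blue-app"], "resources": ["pods"],
     "verbs": ["get", "watch", "create", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]}]}

# cluster-admin as `kubectl describe clusterrole cluster-admin` shows it: *.* with [*].
CLUSTER_ADMIN = {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
```

`role_allows(BLUE_DEVELOPER_ROLE, "", "pods", "get", "dark-blue-app")` comes back False, which is what `kubectl auth can-i get pods/dark-blue-app --as dev-user -n blue` would report for that first rule as written.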