[CKAD] Udemy 문제 풀이 과정 중 몰랐던 문제 정리

ㅁ 들어가며

ㅇ CKAD를 공부하면서 Udemy의 실습 문제를 풀고 있다.

ㅇ 이 글은 처음보는 유형의 문제와 모르는 문제들의 솔루션을 정리하는 학습 정리용 글이다.

 

ㅁ Ingress Networking - 1

You are requested to make the new application available at /pay.

Identify and implement the best approach to making this application available on the ingress controller and test to make sure its working. Look into annotations: rewrite-target as well.

ㅇ 새로운 url로 서비스를 연결하기 위해서는 Ingress 생성문을 작성해야 한다.

 

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: critical-space
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /pay
        pathType: Prefix
        backend:
          service:
           name: pay-service
           port:
            number: 8282

 

ㅁ Ingress Networking - 2

The NGINX Ingress Controller requires a ConfigMap object. Create a ConfigMap object with name ingress-nginx-controller in the ingress-nginx namespace.
No data needs to be configured in the ConfigMap.

# data가 없는 configmap 생성 명령문
$ k create configmap ingress-nginx-controller -n ingress-nginx 
configmap/ingress-nginx-controller created

 

The NGINX Ingress Controller requires two ServiceAccounts. Create both ServiceAccount with name ingress-nginx and ingress-nginx-admission in the ingress-nginx namespace.
Use the spec provided below.

$ k create serviceaccount ingress-nginx -n ingress-nginx
serviceaccount/ingress-nginx created

$ k create serviceaccount ingress-nginx-admission -n ingress-nginx
serviceaccount/ingress-nginx-admission created

 

ㅁ Persistent Volumes

Configure a volume to store these logs at /var/log/webapp on the host.

# spec
Name: webapp
Image Name: kodekloud/event-simulator
Volume HostPath: /var/log/webapp
Volume Mount: /log

apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  containers:
  - name: event-simulator
    image: kodekloud/event-simulator
    env:
    - name: LOG_HANDLERS
      value: file
    volumeMounts:
    - mountPath: /log
      name: log-volume

  volumes:
  - name: log-volume
    hostPath:
      # directory location on host
      path: /var/log/webapp
      # this field is optional
      type: Directory

참조: hostPath configuration example

  ㄴ https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-configuration-example

 

 

ㅁ Storage Class

What is the name of the Storage Class that does not support dynamic volume provisioning?

ㅇ Dynamic volume이란 클라우드에 의해 provision이 되는 것임.

ㅇ provisioner: kubernetes.io/no-provisioner 인지 체크해야함.

ㅇ Dynamic Volume Provisioning 

   ㄴ  https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/

 

 

 

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: local-pvc
spec:
  storageClassName: local-storage
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 500Mi

ㅇ 작성한 pvc 생성문

ㅇ 참조: Create a PersistentVolumeClaim

    ㄴ https://kubernetes.io/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolumeclaim

 

ㅁ Practice test Docker Images

ㅇ 도커의 베이스 OS를 확인하는 방법은?

What is the base Operating System used by the python:3.6 image?

$ docker run python:3.6 cat /etc/*release* 
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

 

 

ㅇ 도커 용량 경량화 방법은 무엇?

- modify Dockerfile to use python:3.6-alpine image
- build it, $ docker build -t webapp-color:lite .

 

 

ㅇ 도컬 실행

# docker run [option] IMAGE:TAG
$ docker run -d --name=webapp -p 8383:8080 webapp-color:lite

 

ㅁ Practice Test Role Based Access Controls

ㅇ cluster의 authorization mode는?

문제:
Inspect the environment and identify the authorization modes configured on the cluster.

$ k get -n kube-system po kube-apiserver-controlplane -o yaml
~~~~~~~~
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.9.22.3
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC  <++++ 이부분 참조
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
~~~~~~~~

 

ㅇ ROLE 확인

문제:
What are the resources the kube-proxy role in the kube-system namespace is given access to?

$ k get roles.rbac.authorization.k8s.io -n kube-system kube-proxy -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2024-07-31T05:09:44Z"
  name: kube-proxy
  namespace: kube-system
  resourceVersion: "259"
  uid: 7ecffac0-3de7-4378-8139-0e7802e5c251
rules:
- apiGroups:
  - ""
  resourceNames:
  - kube-proxy
  resources:
  - configmaps   <++++++++
  verbs:
  - get

 

ㅇ Rolebind 확인

문제:
Which account is the kube-proxy role assigned to?

$ kubectl describe rolebinding kube-proxy -n kube-system
Name:         kube-proxy
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  kube-proxy
Subjects:
  Kind   Name                                             Namespace
  ----   ----                                             ---------
  Group  system:bootstrappers:kubeadm:default-node-token           <+++++++++++++

 

ㅇ --as {user}

문제:
A user dev-user is created. User's details have been added to the kubeconfig file. Inspect the permissions granted to the user. Check if the user can list pods in the default namespace.
Use the --as dev-user option with kubectl to run commands as the dev-user.

$ k get po --as dev-user
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "default"

 

ㅇ role 생성 및 rolebinding

Create the necessary roles and role bindings required for the dev-user to create, list and delete pods in the default namespace.

Use the given spec:
Role: developer
Role Resources: pods
Role Actions: list
Role Actions: create
Role Actions: delete
RoleBinding: dev-user-binding
RoleBinding: Bound to dev-user


-------------
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "create","delete"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-binding
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io

참조: RoleBinding and ClusterRoleBinding

  ㄴ https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-rolebinding

 

문제:
Add a new rule in the existing role developer to grant the dev-user permissions to create deployments in the blue namespace.

Remember to add api group "apps".


---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: blue
rules:
- apiGroups:
  - apps
  resourceNames:
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create

 

ㅁ Practice Test Cluster Roles

What user/groups are the cluster-admin role bound to?
The ClusterRoleBinding for the role is with the same name.

$ kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters             <++++++++++

 

What level of permission does the cluster-admin role grant?
Inspect the cluster-admin role's privileges.

$ k describe clusterrole cluster-admin 
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]

 

A new user michelle joined the team. She will be focusing on the nodes in the cluster. 
Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-admin
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list", "create", "delete"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-binding
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-admin
  apiGroup: rbac.authorization.k8s.io

 

michelle's responsibilities are growing and now she will be responsible for storage as well. Create the required ClusterRoles and ClusterRoleBindings to allow her access to Storage.
Get the API groups and resource names from command kubectl api-resources. 

Use the given spec:
ClusterRole: storage-admin
Resource: persistentvolumes
Resource: storageclasses
ClusterRoleBinding: michelle-storage-admin
ClusterRoleBinding Subject: michelle
ClusterRoleBinding Role: storage-admin

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: michelle-storage-admin
subjects:
- kind: User
  name: michelle
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io