Explore Environment

1

How many nodes are part of this cluster?

Including the controlplane and worker nodes.
$ k get node

2

What is the Internal IP address of the controlplane node in this cluster?
$ k describe node controlplane | grep -i internal

3

What is the network interface configured for cluster connectivity on the controlplane node?

node-to-node communication
$ ip a | grep -B2 192.8.99.6

4

What is the MAC address of the interface on the controlplane node?
$ ip link show eth0

5

What is the IP address assigned to node01?
$ k get node -o wide

6

What is the MAC address assigned to node01?
$ ssh node01
$ ip a | grep -B2 192.9.24.6

7

We use Containerd as our container runtime. What is the interface/bridge created by Containerd on the controlplane node?
$ ip a show type bridge

8

If you were to ping google from the controlplane node, which route does it take?

What is the IP address of the Default Gateway?
$ ip route show default

9

What is the port the kube-scheduler is listening on in the controlplane node?
$ netstat -nplt | grep scheduler

10

Notice that ETCD is listening on two ports. Which of these has more client connections established?
$ netstat -anp | grep etcd | grep 2379 | wc -l
63

$ netstat -anp | grep etcd | grep 2380 | wc -l
1
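
A stricter version of the count above, as an added example that is not part of the original lab notes. The plain `grep 2379` / `grep 2380` matches those digits anywhere on the line (for instance a remote ephemeral port such as 52380) and also counts LISTEN sockets, so this compares it with a count of only ESTABLISHED etcd sockets whose local port matches. The netstat lines, PIDs and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output; not captured from the lab host.
sample_netstat() {
cat <<'EOF'
tcp   0   0 127.0.0.1:2379    0.0.0.0:*         LISTEN      3402/etcd
tcp   0   0 192.8.99.6:2379   0.0.0.0:*         LISTEN      3402/etcd
tcp   0   0 192.8.99.6:2380   0.0.0.0:*         LISTEN      3402/etcd
tcp   0   0 127.0.0.1:2379    127.0.0.1:52380   ESTABLISHED 3402/etcd
tcp   0   0 127.0.0.1:2379    127.0.0.1:52412   ESTABLISHED 3402/etcd
tcp   0   0 127.0.0.1:52380   127.0.0.1:2379    ESTABLISHED 3121/kube-apiserver
tcp   0   0 127.0.0.1:52412   127.0.0.1:2379    ESTABLISHED 3121/kube-apiserver
EOF
}

# The pipeline from the notes: any etcd line containing the digits anywhere.
loose_count() {
    grep etcd | grep "$1" | wc -l | tr -d ' '
}

# Only ESTABLISHED TCP sockets owned by etcd whose *local* port is $1.
strict_count() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ /\/etcd$/ {
            n = split($4, part, ":")      # last piece is the port (IPv4 or IPv6)
            if (part[n] == port) hits++
        }
        END { print hits + 0 }'
}

# Compare both counts for the client port (2379) and the peer port (2380).
for p in 2379 2380; do
    echo "port $p: loose=$(sample_netstat | loose_count "$p") strict=$(sample_netstat | strict_count "$p")"
done
```

On the lab host, pipe the real output instead: `netstat -anp | strict_count 2379`.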

CNI

1

Inspect the kubelet service and identify the container runtime endpoint value that is set for Kubernetes.
$ ps -aux | grep -i kubelet | grep -i container

2

What is the path configured with all binaries of CNI supported plugins?
/opt/cni/bin

3

Identify which of the below plugins is not available in the list of available CNI plugins on this host?
$ cd /opt/cni/bin && ls -l

4

What is the CNI plugin configured to be used on this kubernetes cluster?
$ cd /etc/cni/net.d/ && ls -l

5

What binary executable file will be run by kubelet after a container and its associated namespace are created?
$ cat 10-flannel.conflist

Networking Weave

1

What is the Networking Solution used by this cluster?
$ cd /etc/cni/net.d/ && ls

2

How many weave agents/peers are deployed in this cluster?
$ k get pod -n kube-system | grep -i weave

3

On which nodes are the weave peers present?
$ k get pod -o wide -n kube-system | grep -i weave

4

Identify the name of the bridge network/interface created by weave on each node.
$ ip a show type bridge

5

What is the POD IP address range configured by weave?
$ k logs -n kube-system weave-net-9shgr

6

What is the default gateway configured on the PODs scheduled on node01?

Try scheduling a pod on node01 and check ip route output
$ k run busybox --image=busybox --dry-run=client -o yaml -- sleep 1000 > busybox.yaml
busybox.yaml

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: busybox
  name: busybox
spec:
  nodeName: node01
  containers:
  - args:
    - sleep
    - "1000"
    image: busybox
    name: busybox
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

$ k apply -f busybox.yaml
$ k exec -it busybox -- ip route

Service Networking

1

What network range are the nodes in the cluster part of?
$ k get pod -o wide -n kube-system
$ ipcalc -b 192.9.182.12

Network:   192.9.182.0/24

2

What is the range of IP addresses configured for PODs on this cluster?
$ k logs -n kube-system weave-net-c5gj9

ipalloc-range:10.244.0.0/16

3

What is the IP Range configured for the services within the cluster?
$ cd /etc/kubernetes/manifests
$ cat kube-apiserver.yaml | grep cluster-ip-range

4

What type of proxy is the kube-proxy configured to use?
$ k logs -n kube-system kube-proxy-2lhnw

I0216 05:53:59.156374       1 server_others.go:551] "Using iptables proxy"

CoreDNS in Kubernetes

1

Identify the DNS solution implemented in this cluster.
$ k get pod -n kube-system

2

What is the name of the service created for accessing CoreDNS?
$ k get svc -n kube-system 

3

What is the IP of the CoreDNS server that should be configured on PODs to resolve services?
$ k describe svc -n kube-system kube-dns

4

Where is the configuration file located for configuring the CoreDNS service?
$ ps -aux | grep -i coredns

5

What is the name of the ConfigMap object created for Corefile?
$ k get cm -n kube-system coredns

6

What is the root domain/zone configured for this kubernetes cluster?
$ k describe cm -n kube-system coredns 

7

We just deployed a web server, webapp, that accesses a database server, mysql. However, the web server is failing to connect to the database server. Troubleshoot and fix the issue.


They could be in different namespaces. First locate the applications. The web server interface can be seen by clicking the tab Web Server at the top of your terminal.
$ k edit deploy webapp

spec:
  containers:
  - env:
    - name: DB_Host
      value: mysql.payroll

8

From the hr pod nslookup the mysql service and redirect the output to a file /root/CKA/nslookup.out
$ kubectl exec -it hr -- nslookup mysql.payroll > /root/CKA/nslookup.out
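
Why `mysql.payroll` works where the bare name `mysql` does not, as an added example that is not part of the original lab notes: it models the order in which a pod's resolver expands a name using the search list kubelet writes into /etc/resolv.conf. Assumptions: the cluster zone is cluster.local, the pod uses the default ClusterFirst settings (ndots:5), and the node's own search domains are ignored; the function names are hypothetical.

```shell
#!/bin/sh
ZONE="${ZONE:-cluster.local}"   # assumed cluster zone (the Kubernetes default)
NDOTS=5                         # kubelet writes "options ndots:5" for ClusterFirst pods

# candidates NAME POD_NS: print the names the resolver tries, in order.
candidates() {
    name=$1
    pod_ns=$2
    case $name in
        *.) printf '%s\n' "${name%.}"; return 0 ;;   # trailing dot: absolute name
    esac
    dots=$(printf '%s' "$name" | tr -cd '.' | wc -c | tr -d ' ')
    # Names with at least NDOTS dots are tried as-is first, otherwise last.
    if [ "$dots" -ge "$NDOTS" ]; then printf '%s\n' "$name"; fi
    for suffix in "$pod_ns.svc.$ZONE" "svc.$ZONE" "$ZONE"; do
        printf '%s\n' "$name.$suffix"
    done
    if [ "$dots" -lt "$NDOTS" ]; then printf '%s\n' "$name"; fi
}

# reaches NAME POD_NS SVC SVC_NS: succeed if some candidate is the Service's FQDN.
reaches() {
    candidates "$1" "$2" | grep -Fx "$3.$4.svc.$ZONE" >/dev/null
}

# webapp runs in "default" (it was edited without -n); mysql lives in "payroll".
for host in mysql mysql.payroll "mysql.payroll.svc.$ZONE"; do
    if reaches "$host" default mysql payroll; then verdict=resolves; else verdict=NXDOMAIN; fi
    echo "DB_Host=$host -> $verdict"
done
```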

CKA-Ingress Networking-1

1

Which namespace is the Ingress Controller deployed in?
$ k get all -A

2

What is the name of the Ingress Controller Deployment?
$ k get deploy -n ingress-nginx

3

Which namespace are the applications deployed in?
$ k get pod -A

4

Which namespace is the Ingress Resource deployed in?
$ k get ingress -A

5

What is the Host configured on the Ingress Resource?

The host entry defines the domain name that users use to reach the application like www.google.com
$ k describe ingress -n app-space ingress-wear-watch

6

What backend is the /wear path on the Ingress configured with?

7

You are requested to change the URLs at which the applications are made available.

Make the video application available at /stream.
$ k edit ingress -n app-space ingress-wear-watch

spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: wear-service
            port:
              number: 8080
        path: /wear
        pathType: Prefix
      - backend:
          service:
            name: video-service
            port:
              number: 8080
        path: /stream
        pathType: Prefix

8

You are requested to add a new path to your ingress to make the food delivery application available to your customers.

Make the new application available at /eat
$ k edit ingress -n app-space ingress-wear-watch

- backend:
    service:
      name: food-service
      port:
        number: 8080
  path: /eat
  pathType: Prefix

9

A new payment service has been introduced. Since it is critical, the new application is deployed in its own namespace.

Identify the namespace in which the new application is deployed.
$ k get deploy -A

10

You are requested to make the new application available at /pay.

Identify and implement the best approach to making this application available on the ingress controller, and test to make sure it's working. Look into the rewrite-target annotation as well.
$ k get svc -n critical-space

NAME          PORT(S)    
pay-service   8282/TCP

$ k get ingress -n app-space -o yaml > ingress-pay.yaml
$ vi ingress-pay.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: ingress-pay
  namespace: critical-space
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: pay-service
            port:
              number: 8282
        path: /pay
        pathType: Prefix
        
$ k apply -f ingress-pay.yaml

CKA-Ingress Networking-2

1

Let us now deploy an Ingress Controller. First, create a namespace called ingress-nginx.

We will isolate all ingress related objects into its own namespace.
$ k create ns ingress-nginx

2

The NGINX Ingress Controller requires a ConfigMap object. Create a ConfigMap object with name ingress-nginx-controller in the ingress-nginx namespace.

No data needs to be configured in the ConfigMap.
$ k create cm ingress-nginx-controller -n ingress-nginx

3

The NGINX Ingress Controller requires two ServiceAccounts. Create both ServiceAccounts, named ingress-nginx and ingress-nginx-admission, in the ingress-nginx namespace.
$ k create sa ingress-nginx -n ingress-nginx && k create sa ingress-nginx-admission -n ingress-nginx

4

Let us now deploy the Ingress Controller. Create the Kubernetes objects using the given file.


The Deployment and its service configuration are given at /root/ingress-controller.yaml. There are several issues with it. Try to fix them.

Note: Do not edit the default image provided in the given file. The image validation check passes when other issues are resolved.

Deployed in the correct namespace.

Replicas: 1
Use the right image
Namespace: ingress-nginx
Service name: ingress-nginx-controller
NodePort: 30080
$ vi ingress-controller.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  replicas: 1
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --watch-ingress-without-class=true
        - --default-backend-service=app-space/default-http-backend
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: registry.k8s.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - name: http
          containerPort: 80
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission

---

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30080
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort

5

Create the ingress resource to make the applications available at /wear and /watch on the Ingress service.

Also, make use of the rewrite-target annotation field:

nginx.ingress.kubernetes.io/rewrite-target: /

Ingress resources are namespace-scoped, so don't forget to create the ingress in the app-space namespace.

Path: /wear
Path: /watch
Configure correct backend service for /wear
Configure correct backend service for /watch
Configure correct backend port for /wear service
Configure correct backend port for /watch service
$ vi ingress-wear-watch.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-wear-watch
  namespace: app-space
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /wear
        pathType: Prefix
        backend:
          service:
            name: wear-service
            port:
              number: 8080
      - path: /watch
        pathType: Prefix
        backend:
          service:
            name: video-service
            port:
              number: 8080
              
$ k apply -f ingress-wear-watch.yaml