Udemy Labs - Certified Kubernetes Administrator with Practice Tests - Mock Exam - 2 Walkthrough

hyereen · June 3, 2024

Kubernetes


Problem 1

Weight: 10
Take a backup of the etcd cluster and save it to /opt/etcd-backup.db.
Backup Completed

docs

  1. etcd backup

Answer

  • Memorize the location of the etcd manifest: /etc/kubernetes/manifests/etcd.yaml
  • Check the contents of the etcd manifest, then fill in the command from docs 1 with the values found there (CA, server certificate and key paths, client endpoint)
controlplane ~ ➜  cat /etc/kubernetes/manifests/etcd.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/etcd.advertise-client-urls: https://192.14.71.3:2379
  creationTimestamp: null
  labels:
    component: etcd
    tier: control-plane
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://192.14.71.3:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    - --experimental-initial-corrupt-check=true
    - --experimental-watch-progress-notify-interval=5s
    - --initial-advertise-peer-urls=https://192.14.71.3:2380
    - --initial-cluster=controlplane=https://192.14.71.3:2380
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://192.14.71.3:2379
    - --listen-metrics-urls=http://127.0.0.1:2381
    - --listen-peer-urls=https://192.14.71.3:2380
    - --name=controlplane
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --snapshot-count=10000
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    image: registry.k8s.io/etcd:3.5.10-0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health?exclude=NOSPACE&serializable=true
        port: 2381
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: etcd
    resources:
      requests:
        cpu: 100m
        memory: 100Mi
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 127.0.0.1
        path: /health?serializable=false
        port: 2381
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priority: 2000001000
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
status: {}

controlplane ~ ✖ ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /opt/etcd-backup.db
Snapshot saved at /opt/etcd-backup.db
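The two bullets above describe the manual work: read the flags out of the etcd static pod manifest and drop them into the etcdctl command. The Python below is an added example, not code from the original post, that does the same thing offline against a constructed excerpt of the manifest shown on this page. It parses the `- --flag=value` entries, prefers the 127.0.0.1 client listener, assembles the `snapshot save` command, and appends a `chmod 0600` step, because the snapshot holds every Secret object in the cluster in etcd's storage format and should not be world-readable. Only the standard library is used; the manifest text and the output path are the constructed inputs.

```python
"""Build the etcdctl snapshot command from the etcd static pod manifest.

Added example (not from the original post): parses the flags of the etcd
manifest the way the walkthrough does by hand, picks the loopback client
endpoint and assembles the etcdctl command plus a file-permission step.
"""
import re
import shlex

# Constructed excerpt of /etc/kubernetes/manifests/etcd.yaml; only the
# command block matters for the backup, so the rest is omitted.
SAMPLE_MANIFEST = """\
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://192.14.71.3:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://192.14.71.3:2379
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
"""

# Matches one list entry of the form "- --flag=value".
FLAG_RE = re.compile(r"^\s*-\s+--([a-z0-9-]+)=(.*)$")


def parse_etcd_flags(manifest_text):
    """Return {flag: value} for every '- --flag=value' entry in the manifest."""
    flags = {}
    for line in manifest_text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2).strip()
    return flags


def pick_client_endpoint(flags):
    """Prefer the loopback listener; etcdctl on the control plane talks to it directly."""
    urls = flags["listen-client-urls"].split(",")
    for url in urls:
        if "127.0.0.1" in url:
            return url
    return urls[0]


def build_snapshot_commands(flags, out_path="/opt/etcd-backup.db"):
    """Assemble the etcdctl snapshot save command and a chmod for the result."""
    required = ("listen-client-urls", "trusted-ca-file", "cert-file", "key-file")
    missing = [f for f in required if f not in flags]
    if missing:
        raise ValueError(f"manifest is missing flags: {missing}")
    save = [
        "ETCDCTL_API=3", "etcdctl",
        f"--endpoints={pick_client_endpoint(flags)}",
        f"--cacert={flags['trusted-ca-file']}",
        f"--cert={flags['cert-file']}",
        f"--key={flags['key-file']}",
        "snapshot", "save", out_path,
    ]
    # The snapshot contains every Secret in the cluster, so keep it root-only.
    chmod = ["chmod", "0600", out_path]
    return [shlex.join(save), shlex.join(chmod)]


if __name__ == "__main__":
    for cmd in build_snapshot_commands(parse_etcd_flags(SAMPLE_MANIFEST)):
        print(cmd)
```

Running it prints the same etcdctl command used above followed by the chmod; the function raises if any of the certificate flags is absent from the manifest rather than emitting a command that would fail with a TLS error.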

Problem 2

Weight: 10
Create a Pod called redis-storage with image: redis:alpine with a Volume of type emptyDir that lasts for the life of the Pod.
Specs below.
Pod named 'redis-storage' created
Pod 'redis-storage' uses Volume type of emptyDir
Pod 'redis-storage' uses volumeMount with mountPath = /data/redis

docs

  1. emptydir
    https://kubernetes.io/docs/concepts/storage/volumes/#emptydir-configuration-example
  2. volume

Answer

controlplane ~ ➜  cat > 2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis-storage
spec:
  containers:
  - image: redis:alpine
    name: redis-storage
    volumeMounts:
    - mountPath: /data/redis
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir:
      sizeLimit: 500Mi

controlplane ~ ➜  k apply -f 2.yaml
pod/redis-storage created

Problem 3

Weight: 8
Create a new pod called super-user-pod with image busybox:1.28. Allow the pod to be able to set system_time.
The container should sleep for 4800 seconds.
Pod: super-user-pod
Container Image: busybox:1.28
Is SYS_TIME capability set for the container?

docs

  1. sleep
  2. SYS_TIME

Answer

  • sleep and 4800 must each be wrapped in double quotes ("")
controlplane ~ ➜  cat > 3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: super-user-pod
spec:
  containers:
  - name: super-user-pod
    image: busybox:1.28
    command: ["sleep", "4800"]
    securityContext:
      capabilities:
        add: ["SYS_TIME"]

controlplane ~ ➜  k apply -f 3.yaml
pod/super-user-pod created

Problem 4

Weight: 12
A pod definition file is created at /root/CKA/use-pv.yaml. Make use of this manifest file and mount the persistent volume called pv-1. Ensure the pod is running and the PV is bound.
mountPath: /data
persistentVolumeClaim Name: my-pvc
persistentVolume Claim configured correctly
pod using the correct mountPath
pod using the persistent volume claim?

docs

  1. claim as a volume
  2. mount path

Answer

  • Check the pod manifest given in the task, and whether the PV and PVC exist
controlplane / ✖ cat /root/CKA/use-pv.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: use-pv
  name: use-pv
spec:
  containers:
  - image: nginx
    name: use-pv
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

controlplane / ➜  k get pv
NAME   CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
pv-1   10Mi       RWO            Retain           Available                          <unset>                          10m

controlplane / ➜  k get pvc
No resources found in default namespace.
  • The PV named pv-1 mentioned in the task exists, but there is no PVC
  • Create the PVC by referring to docs 1
  • Its storage must be the same as pv-1's
controlplane ~ ➜  cat > my-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Mi

controlplane ~ ➜  k apply -f my-pvc.yaml 
persistentvolumeclaim/my-pvc created
  • Update use-pv.yaml by referring to docs 1, then apply it
  • Wrap the mountPath value in double quotes ("")
controlplane ~ ➜  cat > 4.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: use-pv
  name: use-pv
spec:
  containers:
  - image: nginx
    name: use-pv
    resources: {}
    volumeMounts:
      - mountPath: "/data"
        name: mypd
  volumes:
    - name: mypd
      persistentVolumeClaim:
        claimName: my-pvc
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

controlplane ~ ➜  k apply -f 4.yaml 
pod/use-pv created
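The note above says the PVC's storage must match pv-1. The Python below is an added example, not code from the original post, that models the rules the binder applies when it matches an unbound claim to a volume, and it goes a little beyond the single case on this page: the PV must be Available, offer every access mode the claim requests, have capacity at least the request, and agree on storageClassName; among eligible PVs the smallest one wins, so a 5Mi request would also bind to the 10Mi pv-1. It is a simplified model (no pre-set claimRef, no WaitForFirstConsumer binding mode) using only the standard library; the PV inventory and claims are constructed to mirror pv-1 and my-pvc.

```python
"""Decide which PersistentVolume a PersistentVolumeClaim can bind to.

Added example (not from the original post): a simplified, stdlib-only model
of the PV/PVC matching rules. The objects below are constructed to mirror
pv-1 and my-pvc from the walkthrough, plus two extra PVs for contrast.
"""
import re

# Binary suffixes accepted for resource quantities in this model.
UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}


def parse_quantity(q):
    """Convert a quantity such as '10Mi' into a number of bytes."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|Ti)?", q)
    if not m:
        raise ValueError(f"unsupported quantity: {q}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)


def pv_matches(pv, pvc):
    """Return True when a single PV satisfies every binding rule for the claim."""
    if pv["status"] != "Available":
        return False  # a Bound or Released PV is not reused for a new claim
    if not set(pvc["accessModes"]) <= set(pv["accessModes"]):
        return False  # the PV must offer every mode the claim asks for
    if parse_quantity(pv["capacity"]) < parse_quantity(pvc["request"]):
        return False  # capacity must cover the request
    # Both sides default to "no class"; they have to agree.
    return pv.get("storageClassName", "") == pvc.get("storageClassName", "")


def choose_pv(pvs, pvc):
    """Pick the smallest eligible PV, as the binder does, or None if nothing fits."""
    eligible = [pv for pv in pvs if pv_matches(pv, pvc)]
    if not eligible:
        return None
    return min(eligible, key=lambda pv: parse_quantity(pv["capacity"]))


# Constructed inventory: pv-1 from this page plus two extra volumes.
PVS = [
    {"name": "pv-1", "capacity": "10Mi", "accessModes": ["ReadWriteOnce"], "status": "Available"},
    {"name": "pv-big", "capacity": "1Gi", "accessModes": ["ReadWriteOnce", "ReadOnlyMany"], "status": "Available"},
    {"name": "pv-used", "capacity": "10Mi", "accessModes": ["ReadWriteOnce"], "status": "Bound"},
]
# Constructed claim matching my-pvc.yaml above.
MY_PVC = {"name": "my-pvc", "request": "10Mi", "accessModes": ["ReadWriteOnce"]}

if __name__ == "__main__":
    chosen = choose_pv(PVS, MY_PVC)
    print("my-pvc binds to:", chosen["name"] if chosen else "nothing (stays Pending)")
```

When no PV qualifies, `choose_pv` returns None, which corresponds to the claim staying Pending and the pod that references it never starting; checking access modes and capacity against `kubectl get pv` before writing the claim avoids that.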

Problem 5

Weight: 15
Create a new deployment called nginx-deploy, with image nginx:1.16 and 1 replica. Next upgrade the deployment to version 1.17 using rolling update.
Deployment : nginx-deploy. Image: nginx:1.16
Image: nginx:1.16
Task: Upgrade the version of the deployment to 1.17
Task: Record the changes for the image upgrade

docs

  1. rolling update

Answer

  • First create the deployment with version 1.16, then update it to 1.17 by referring to the command in docs 1
controlplane ~ ➜  k create deployment nginx-deploy --image=nginx:1.16 --replicas=1
deployment.apps/nginx-deploy created

controlplane ~ ➜  kubectl set image deployment/nginx-deploy nginx=nginx:1.17
deployment.apps/nginx-deploy image updated

Problem 6

Weight: 15
Create a new user called john. Grant him access to the cluster. John should have permission to create, list, get, update and delete pods in the development namespace. The private key exists in the location: /root/CKA/john.key and csr at /root/CKA/john.csr.
Important Note: As of kubernetes 1.19, the CertificateSigningRequest object expects a signerName.
Please refer to the documentation to see an example. The documentation tab is available at the top right of the terminal.
CSR: john-developer Status:Approved
Role Name: developer, namespace: development, Resource: Pods
Access: User 'john' has appropriate permissions

docs

  1. CertificateSigningRequest

Answer

  • First, create the CSR object by referring to docs 1
  • Put john's CSR from the task in the request field
  • The request field needs the base64-encoded CSR; get it with the command from docs 1: cat myuser.csr | base64 | tr -d "\n"
controlplane ~ ➜  cat /root/CKA/john.csr | base64 | tr -d "\n"
<base64-encoded CSR output omitted>
controlplane ~ ➜  cat > john-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john-developer
spec:
  request: <base64-encoded CSR from the command above>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth

controlplane ~ ➜  k create -f john-csr.yaml 
certificatesigningrequest.certificates.k8s.io/john-developer created

controlplane ~ ➜  k get csr
NAME             AGE   SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
csr-msqqm        18m   kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued
csr-tsvpx        17m   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:eo6mgs    <none>              Approved,Issued
john-developer   3s    kubernetes.io/kube-apiserver-client           kubernetes-admin           24h                 Pending
  • The status is Pending, so approve the CSR
  • The approve command can be found in docs 1
controlplane ~ ➜  k certificate approve john-developer
certificatesigningrequest.certificates.k8s.io/john-developer approved
  • Next, create the role; the command for creating a role can be found with --help
controlplane ~ ➜  k create role --help
Create a role with single rule.

Examples:
  # Create a role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
  kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
  
  # Create a role named "pod-reader" with ResourceName specified
  kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
  
  # Create a role named "foo" with API Group specified
  kubectl create role foo --verb=get,list,watch --resource=rs.apps
  
  # Create a role named "foo" with SubResource specified
  kubectl create role foo --verb=get,list,watch --resource=pods,pods/status

Options:
    --allow-missing-template-keys=true:
        If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to
        golang and jsonpath output formats.

    --dry-run='none':
        Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without
        sending it. If server strategy, submit server-side request without persisting the resource.

    --field-manager='kubectl-create':
        Name of the manager used to track field ownership.

    -o, --output='':
        Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath,
        jsonpath-as-json, jsonpath-file).

    --resource=[]:
        Resource that the rule applies to

    --resource-name=[]:
        Resource in the white list that the rule applies to, repeat this flag for multiple items

    --save-config=false:
        If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will
        be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.

    --show-managed-fields=false:
        If true, keep the managedFields when printing objects in JSON or YAML format.

    --template='':
        Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format
        is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    --validate='strict':
        Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate
        the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation
        is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will
        warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled
        on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema
        validation, silently dropping any unknown or duplicate fields.

    --verb=[]:
        Verb that applies to the resources contained in the rule

Usage:
  kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename]
[--dry-run=server|client|none] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

controlplane ~ ➜  k create role developer --verb=create,list,get,update,delete --resource=pods -n development
role.rbac.authorization.k8s.io/developer created

controlplane ~ ➜  k describe role -n development developer
Name:         developer
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [create list get update delete]
  • You can first check what a user is allowed to do with the auth can-i command
  • Right now user john and role developer are not connected by a rolebinding, so get pods is not allowed
controlplane ~ ➜  k auth can-i get --help
Check whether an action is allowed.

 VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource.
Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME is the name of a
particular Kubernetes resource. This command pairs nicely with impersonation. See --as global flag.

Examples:
  # Check to see if I can create pods in any namespace
  kubectl auth can-i create pods --all-namespaces
  
  # Check to see if I can list deployments in my current namespace
  kubectl auth can-i list deployments.apps
  
  # Check to see if service account "foo" of namespace "dev" can list pods
  # in the namespace "prod".
  # You must be allowed to use impersonation for the global option "--as".
  kubectl auth can-i list pods --as=system:serviceaccount:dev:foo -n prod
  
  # Check to see if I can do everything in my current namespace ("*" means all)
  kubectl auth can-i '*' '*'
  
  # Check to see if I can get the job named "bar" in namespace "foo"
  kubectl auth can-i list jobs.batch/bar -n foo
  
  # Check to see if I can read pod logs
  kubectl auth can-i get pods --subresource=log
  
  # Check to see if I can access the URL /logs/
  kubectl auth can-i get /logs/
  
  # List all allowed actions in namespace "foo"
  kubectl auth can-i --list --namespace=foo

Options:
    -A, --all-namespaces=false:
        If true, check the specified action in all namespaces.

    --list=false:
        If true, prints all allowed actions.

    --no-headers=false:
        If true, prints allowed actions without headers

    -q, --quiet=false:
        If true, suppress output and just return the exit code.

    --subresource='':
        SubResource such as pod/log or deployment/scale

Usage:
  kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).

controlplane ~ ➜  k auth can-i get pods -n development --as john
no

controlplane ~ ✖ k create rolebinding --help
Create a role binding for a particular role or cluster role.

Examples:
  # Create a role binding for user1, user2, and group1 using the admin cluster role
  kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
  
  # Create a role binding for serviceaccount monitoring:sa-dev using the admin role
  kubectl create rolebinding admin-binding --role=admin --serviceaccount=monitoring:sa-dev

Options:
    --allow-missing-template-keys=true:
        If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to
        golang and jsonpath output formats.

    --clusterrole='':
        ClusterRole this RoleBinding should reference

    --dry-run='none':
        Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without
        sending it. If server strategy, submit server-side request without persisting the resource.

    --field-manager='kubectl-create':
        Name of the manager used to track field ownership.

    --group=[]:
        Groups to bind to the role. The flag can be repeated to add multiple groups.

    -o, --output='':
        Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath,
        jsonpath-as-json, jsonpath-file).

    --role='':
        Role this RoleBinding should reference

    --save-config=false:
        If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will
        be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.

    --serviceaccount=[]:
        Service accounts to bind to the role, in the format <namespace>:<name>. The flag can be repeated to add
        multiple service accounts.

    --show-managed-fields=false:
        If true, keep the managedFields when printing objects in JSON or YAML format.

    --template='':
        Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format
        is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    --user=[]:
        Usernames to bind to the role. The flag can be repeated to add multiple users.

    --validate='strict':
        Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate
        the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation
        is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will
        warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled
        on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema
        validation, silently dropping any unknown or duplicate fields.

Usage:
  kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).
  • Create the rolebinding
controlplane ~ ➜  k create rolebinding john-developer --role=developer --user=john -n development
rolebinding.rbac.authorization.k8s.io/john-developer created

controlplane ~ ➜  k get rolebindings.rbac.authorization.k8s.io -n development 
NAME             ROLE             AGE
john-developer   Role/developer   19s
  • Check the permissions once more
controlplane ~ ➜  k auth can-i get pods -n development --as john
yes
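The two `auth can-i` checks above show the point of this problem: a Role by itself grants nothing, and only the RoleBinding connects user john to it, inside the development namespace only. The Python below is an added example, not code from the original post, that models that evaluation offline: a request is allowed when some RoleBinding in the request's namespace names the user (or one of the user's groups) and the bound Role has a rule covering the verb and resource. It covers namespaced Roles only (no ClusterRoles or ClusterRoleBindings) and uses the standard library; the role, binding and `roleRef` shape are constructed to mirror role developer and rolebinding john-developer.

```python
"""Evaluate 'kubectl auth can-i' decisions against Roles and RoleBindings.

Added example (not from the original post): a stdlib-only model of how the
RBAC authorizer answers the can-i checks in the walkthrough. Only namespaced
Roles are modelled; ClusterRoles are out of scope here.
"""


def rule_allows(rule, verb, resource):
    """Check one PolicyRule; '*' in verbs or resources matches anything."""
    verbs_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    res_ok = "*" in rule["resources"] or resource in rule["resources"]
    return verbs_ok and res_ok


def can_i(user, verb, resource, namespace, roles, bindings, groups=()):
    """Return True when any RoleBinding in the namespace grants verb on resource."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for rb in bindings:
        if rb["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not subjects & {(s["kind"], s["name"]) for s in rb["subjects"]}:
            continue  # this binding is for someone else
        role = roles.get((rb["namespace"], rb["roleRef"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(r, verb, resource) for r in role["rules"]):
            return True
    return False  # deny by default: no binding gave an explicit allow


# Constructed objects mirroring the page: role developer in namespace development
# with exactly the verbs created above, and the john-developer binding.
ROLES = {
    ("development", "developer"): {
        "rules": [{"verbs": ["create", "list", "get", "update", "delete"],
                   "resources": ["pods"]}],
    },
}
BINDING = {
    "namespace": "development",
    "roleRef": "developer",
    "subjects": [{"kind": "User", "name": "john"}],
}

if __name__ == "__main__":
    print("before rolebinding:", can_i("john", "get", "pods", "development", ROLES, []))
    print("after rolebinding: ", can_i("john", "get", "pods", "development", ROLES, [BINDING]))
```

The extra assertions worth keeping in mind when writing the binding: the same user gets "no" for pods in the default namespace and for secrets in development, because RBAC is deny-by-default and the role lists only pods and only the five verbs the task asked for (watch, for instance, is not included).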

Problem 7

Weight: 15
Create a nginx pod called nginx-resolver using image nginx, expose it internally with a service called nginx-resolver-service. Test that you are able to look up the service and pod names from within the cluster. Use the image: busybox:1.28 for dns lookup. Record results in /root/CKA/nginx.svc and /root/CKA/nginx.pod
Pod: nginx-resolver created
Service DNS Resolution recorded correctly
Pod DNS resolution recorded correctly

docs

  1. dns

Answer

  • Create the pod

controlplane ~ ➜  k run nginx-resolver --image=nginx
pod/nginx-resolver created

controlplane ~ ➜  k get pod nginx-resolver 
NAME             READY   STATUS    RESTARTS   AGE
nginx-resolver   1/1     Running   0          24s
  • Create a service from the pod
kubectl expose pod nginx-resolver --name=nginx-resolver-service --port=80 --target-port=80 --type=ClusterIP
  • DNS lookup
controlplane ~ ➜  k get svc -o wide
NAME                     TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE   SELECTOR
kubernetes               ClusterIP   10.96.0.1      <none>        443/TCP   28m   <none>
nginx-resolver-service   ClusterIP   10.111.111.0   <none>        80/TCP    12s   run=nginx-resolver

controlplane ~ ➜  kubectl run test-nslookup --image=busybox:1.28 --rm -it --restart=Never -- nslookup 10.111.111.0
Server:    10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local

Name:      10.111.111.0
Address 1: 10.111.111.0 nginx-resolver-service.default.svc.cluster.local
pod "test-nslookup" deleted

controlplane ~ ➜  kubectl run test-nslookup --image=busybox:1.28 --rm -it --restart=Never -- nslookup 10.111.111.0 > /root/CKA/nginx.svc

controlplane ~ ➜  kubectl get pod nginx-resolver -o wide
NAME             READY   STATUS    RESTARTS   AGE    IP             NODE     NOMINATED NODE   READINESS GATES
nginx-resolver   1/1     Running   0          108s   10.244.192.1   node01   <none>           <none>

controlplane ~ ✖ kubectl run test-nslookup --image=busybox:1.28 --rm -it --restart=Never -- nslookup 10-244-192-1.default.pod.cluster.local > /root/CKA/nginx.pod

Problem 8

Weight: 15
Create a static pod on node01 called nginx-critical with image nginx and make sure that it is recreated/restarted automatically in case of a failure.
Use /etc/kubernetes/manifests as the Static Pod path for example.
static pod configured under /etc/kubernetes/manifests ?
Pod nginx-critical-node01 is up and running

Answer

  • A static pod is created automatically when a YAML file is placed under /etc/kubernetes/manifests
  • nginx-critical-node01 in the task refers to a static pod on node01, so the file must be placed in node01's manifest path
controlplane ~ ➜  ssh node01
  • First generate the YAML that will become the static pod
controlplane ~ ➜  k run nginx-critical --image=nginx --restart=Always --dry-run=client -o yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-critical
  name: nginx-critical
spec:
  containers:
  - image: nginx
    name: nginx-critical
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

node01 ~ ✖ cat > /etc/kubernetes/manifests/nginx-critical.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-critical
  name: nginx-critical
spec:
  containers:
  - image: nginx
    name: nginx-critical
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

node01 ~ ➜  exit
logout
Connection to node01 closed.

controlplane ~ ➜  k get pod
NAME                          READY   STATUS    RESTARTS   AGE
nginx-critical-controlplane   1/1     Running   0          3m39s
nginx-critical-node01         1/1     Running   0          15s
