Udemy Labs - Certified Kubernetes Administrator with Practice Tests - Mock Exam - 3 Solutions

hyereen · June 4, 2024


Question 1

Weight: 12
Create a new service account with the name pvviewer. Grant this Service account access to list all PersistentVolumes in the cluster by creating an appropriate cluster role called pvviewer-role and ClusterRoleBinding called pvviewer-role-binding.
Next, create a pod called pvviewer with the image: redis and serviceAccount: pvviewer in the default namespace.
ServiceAccount: pvviewer
ClusterRole: pvviewer-role
ClusterRoleBinding: pvviewer-role-binding
Pod: pvviewer
Pod configured to use ServiceAccount pvviewer ?

docs

  1. service account

Answer

  • Create the service account
controlplane ~ ➜  k create serviceaccount pvviewer
serviceaccount/pvviewer created
  • Create the cluster role
controlplane ~ ➜  k create clusterrole pvviewer-role --verb=list --resource=persistentvolumes
clusterrole.rbac.authorization.k8s.io/pvviewer-role created

controlplane ~ ➜  k describe clusterrole pvviewer-role 
Name:         pvviewer-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources          Non-Resource URLs  Resource Names  Verbs
  ---------          -----------------  --------------  -----
  persistentvolumes  []                 []              [list]
  • Create the cluster role binding
controlplane ~ ✖ k create clusterrolebinding pvviewer-role-binding --clusterrole=pvviewer-role --serviceaccount=default:pvviewer
clusterrolebinding.rbac.authorization.k8s.io/pvviewer-role-binding created
  • Create the pod
controlplane ~ ➜  k run pvviewer --image=redis --dry-run=client -o yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pvviewer
  name: pvviewer
spec:
  containers:
  - image: redis
    name: pvviewer
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
  • Referring to docs 1, add the service account to the pod
controlplane ~ ➜  cat > 1.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pvviewer
  name: pvviewer
spec:
  serviceAccountName: pvviewer 
  containers:
  - image: redis
    name: pvviewer
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

controlplane ~ ➜  k apply -f 1.yaml
pod/pvviewer created
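
The chain this answer builds (pod, ServiceAccount, ClusterRoleBinding, ClusterRole) can be traced offline. The following is an added example, not part of the original post: a simplified model of the RBAC lookup over constructed dict copies of the objects above, showing that the pod may list PersistentVolumes and nothing else, and that the dry-run pod without serviceAccountName gets no access. The helper names (`can_i`, `pod_identity`, `pod_without_account`) are hypothetical.

```python
# Constructed dict forms of the three objects created above.
CLUSTER_ROLES = {
    "pvviewer-role": [
        {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["list"]},
    ],
}
CLUSTER_ROLE_BINDINGS = [{
    "name": "pvviewer-role-binding",
    "roleRef": {"kind": "ClusterRole", "name": "pvviewer-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "pvviewer", "namespace": "default"}],
}]
POD = {"metadata": {"name": "pvviewer", "namespace": "default"},
       "spec": {"serviceAccountName": "pvviewer"}}

def pod_identity(pod):
    """(namespace, service account); a pod that sets no serviceAccountName
    runs as the namespace's 'default' service account."""
    namespace = pod["metadata"].get("namespace", "default")
    return namespace, pod["spec"].get("serviceAccountName", "default")

def _matches(allowed, value):
    return "*" in allowed or value in allowed

def can_i(pod, verb, resource, api_group=""):
    """Follow pod -> ServiceAccount -> ClusterRoleBinding -> ClusterRole rules."""
    namespace, account = pod_identity(pod)
    for binding in CLUSTER_ROLE_BINDINGS:
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == account
                    and s.get("namespace") == namespace
                    for s in binding["subjects"])
        if not bound:
            continue
        for rule in CLUSTER_ROLES.get(binding["roleRef"]["name"], []):
            if (_matches(rule["apiGroups"], api_group)
                    and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False  # RBAC is deny-by-default: no matching rule, no access

def pod_without_account():
    """The dry-run manifest above, before serviceAccountName was added."""
    return {"metadata": {"name": "pvviewer", "namespace": "default"}, "spec": {}}
```

On a live cluster the same question is answered by `kubectl auth can-i list persistentvolumes --as=system:serviceaccount:default:pvviewer`.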

Question 2

Weight: 12
List the InternalIP of all nodes of the cluster. Save the result to a file /root/CKA/node_ips.
Answer should be in the format: InternalIP of controlplane<space>InternalIP of node01 (in a single line)
Task Completed

docs

  1. InternalIP jsonpath

Answer

controlplane ~ ✖ kubectl get nodes -o jsonpath='{ $.items[*].status.addresses[?(@.type=="InternalIP")].address }' > /root/CKA/node_ips

controlplane ~ ➜  cat /root/CKA/node_ips
192.24.194.6 192.24.194.9

Question 3

Weight: 12
Create a pod called multi-pod with two containers.
Container 1: name: alpha, image: nginx
Container 2: name: beta, image: busybox, command: sleep 4800
Environment Variables:
container 1:
name: alpha
Container 2:
name: beta
Pod Name: multi-pod
Container 1: alpha
Container 2: beta
Container beta commands set correctly?
Container 1 Environment Value Set
Container 2 Environment Value Set

docs

  1. multiple containers
  2. environment value

Answer

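  • Both parts of the name: beta given in the question end up as right-hand values in env
  • Watch the indentation under env
  • If an entry under env has several lines, put - only on the first line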
controlplane ~ ➜  cat > 3.yaml
apiVersion: v1
kind: Pod
metadata:
  name: multi-pod
spec:
  containers:
  - command: ["sleep", "4800"]
    image: busybox
    name: beta
    env:
    - name: name
      value: beta
  - image: nginx
    name: alpha
    env:
    - name: name
      value: alpha
  
controlplane ~ ➜  k create -f 3.yaml
pod/multi-pod created

Question 4

Weight: 8
Create a Pod called non-root-pod , image: redis:alpine
runAsUser: 1000
fsGroup: 2000
Pod non-root-pod fsGroup configured
Pod non-root-pod runAsUser configured

docs

  1. runAsUser

Answer

controlplane ~ ➜  cat > 4.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: non-root-pod
  name: non-root-pod
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - image: redis:alpine
    name: non-root-pod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

controlplane ~ ➜  k apply -f 4.yaml 
pod/non-root-pod created

Question 5

Weight: 14
We have deployed a new pod called np-test-1 and a service called np-test-service. Incoming connections to this service are not working. Troubleshoot and fix it.
Create NetworkPolicy, by the name ingress-to-nptest that allows incoming connections to the service over port 80.
Important: Don't delete any current objects deployed.
Important: Don't Alter Existing Objects!
NetworkPolicy: Applied to All sources (Incoming traffic from all pods)?
NetWorkPolicy: Correct Port?
NetWorkPolicy: Applied to correct Pod?

docs

  1. network policy

Answer

controlplane ~ ➜  k get svc
NAME              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes        ClusterIP   10.96.0.1      <none>        443/TCP   30m
np-test-service   ClusterIP   10.96.92.241   <none>        80/TCP    3m48s

controlplane ~ ➜  k describe svc np-test-service 
Name:              np-test-service
Namespace:         default
Labels:            run=np-test-1
Annotations:       <none>
Selector:          run=np-test-1
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.96.92.241
IPs:               10.96.92.241
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.192.1:80
Session Affinity:  None
Events:            <none>

controlplane ~ ➜  k get networkpolicies.networking.k8s.io 
NAME           POD-SELECTOR   AGE
default-deny   <none>         4m31s

controlplane ~ ➜  k describe networkpolicies.networking.k8s.io default-deny 
Name:         default-deny
Namespace:    default
Created on:   2024-06-06 13:03:48 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress
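  • The problem arises because no pod-selector is specified, so default-deny applies to every pod in the namespace and isolates them all for ingress
  • Check the existing network policy and, referring to docs 1, create a new ingress-to-nptest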
controlplane ~ ➜  k get networkpolicies.networking.k8s.io default-deny -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"NetworkPolicy","metadata":{"annotations":{},"name":"default-deny","namespace":"default"},"spec":{"podSelector":{},"policyTypes":["Ingress"]}}
  creationTimestamp: "2024-06-06T13:03:48Z"
  generation: 1
  name: default-deny
  namespace: default
  resourceVersion: "2795"
  uid: 03ace7b2-88b3-4b2d-923b-d440cd33eb8b
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  • Confirm the label, and that policy types contains only Ingress
controlplane ~ ➜  cat > 5.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  generation: 1
  name: ingress-to-nptest
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: np-test-1
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 80

controlplane ~ ➜  k replace -f 5.yaml --force
networkpolicy.networking.k8s.io/ingress-to-nptest replaced
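
Why adding a second policy fixes the service without touching default-deny: NetworkPolicies are additive. The following is an added example, not part of the original post: a simplified evaluator run over constructed dict copies of the two policies above. It models only matchLabels selectors and port rules, and the `other-app` pod is hypothetical.

```python
# Constructed dict copies of the two policies shown above (namespace: default).
DEFAULT_DENY = {"name": "default-deny", "podSelector": {},   # {} selects every pod
                "policyTypes": ["Ingress"], "ingress": []}    # no rules: allow nothing
INGRESS_TO_NPTEST = {
    "name": "ingress-to-nptest",
    "podSelector": {"matchLabels": {"run": "np-test-1"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"ports": [{"protocol": "TCP", "port": 80}]}],  # no "from": all sources
}

def selects(policy, pod_labels):
    """True if the policy's podSelector matches the pod (matchLabels only)."""
    wanted = policy["podSelector"].get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def rule_allows(rule, protocol, port):
    """Port check for one ingress rule; a rule with no 'ports' allows every port.
    'from' peers are not modelled because the rule above has none."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") in (None, port)
               for p in ports)

def ingress_allowed(policies, pod_labels, protocol, port):
    """Policies are additive: a pod is isolated once any Ingress policy selects
    it, and a connection passes if any selecting policy has a matching rule."""
    selecting = [p for p in policies
                 if "Ingress" in p["policyTypes"] and selects(p, pod_labels)]
    if not selecting:
        return True  # no policy selects the pod, so it is not isolated
    return any(rule_allows(r, protocol, port)
               for p in selecting for r in p.get("ingress", []))

def demo():
    target = {"run": "np-test-1"}
    other = {"run": "other-app"}  # hypothetical second pod in the namespace
    both = [DEFAULT_DENY, INGRESS_TO_NPTEST]
    return {
        "before_fix_80": ingress_allowed([DEFAULT_DENY], target, "TCP", 80),
        "after_fix_80": ingress_allowed(both, target, "TCP", 80),
        "after_fix_443": ingress_allowed(both, target, "TCP", 443),
        "other_pod_80": ingress_allowed(both, other, "TCP", 80),
    }

if __name__ == "__main__":
    print(demo())
```

Only port 80 on pods labelled run=np-test-1 opens up; every other pod in the namespace stays isolated by default-deny.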

Question 6

docs

Answer

Question 7

docs

Answer

Question 8

docs

Answer

Question 9

docs

Answer
