[Kubernetes] CKA - Mock Exam 2 Summary

Kubernetes Task Summary and Solutions


Q1: Backup the etcd Cluster

Task

Backup the etcd cluster and save it to /opt/etcd-backup.db.

Solution

# Look up the endpoint and certificate paths etcd was started with
cat /etc/kubernetes/manifests/etcd.yaml

export ETCDCTL_API=3
etcdctl snapshot save --endpoints https://127.0.0.1:2379 \
--cacert /etc/kubernetes/pki/etcd/ca.crt \
--cert /etc/kubernetes/pki/etcd/server.crt \
--key /etc/kubernetes/pki/etcd/server.key \
/opt/etcd-backup.db
 

Details

  • Backup Completed: /opt/etcd-backup.db

Q2: Create a Pod with emptyDir Volume

Task

Create a Pod named redis-storage using image redis:alpine with a Volume of type emptyDir.

Solution

apiVersion: v1
kind: Pod
metadata:
  name: redis-storage
spec:
  containers:
    - name: redis-storage
      image: redis:alpine
      volumeMounts:
        - mountPath: "/data"
          name: redis-volume
  volumes:
    - name: redis-volume
      emptyDir: {}

Details

  • Pod Name: redis-storage
  • Image: redis:alpine
  • Volume: emptyDir (lifetime of the Pod)

Q3: Create a Pod with SYS_TIME Capability

Task

Create a Pod super-user-pod with image busybox:1.28. Allow it to set system_time. The container should sleep for 4800 seconds.

Solution

apiVersion: v1
kind: Pod
metadata:
  name: super-user-pod
spec:
  containers:
    - name: super-user-pod
      image: busybox:1.28
      command: ["sleep", "4800"]
      securityContext:
        capabilities:
          add: ["SYS_TIME"]
  restartPolicy: Always
 

Details

  • Pod Name: super-user-pod
  • Capability: SYS_TIME
  • Sleep Time: 4800 seconds

Q4: Create a Pod with Persistent Volume Claim

Task

Create a PersistentVolumeClaim (PVC) and a Pod using it.

Solution

PVC Manifest:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Mi
 

Pod Manifest:

apiVersion: v1
kind: Pod
metadata:
  name: use-pv
spec:
  containers:
    - name: use-pv
      image: nginx
      volumeMounts:
        - mountPath: "/data"
          name: mypd
  volumes:
    - name: mypd
      persistentVolumeClaim:
        claimName: my-pvc
 

Details

  • PVC Name: my-pvc
  • Pod Name: use-pv
  • Mount Path: /data

Q5: Create and Upgrade a Deployment

Task

Create a Deployment nginx-deploy with image nginx:1.16. Upgrade it to 1.17 using a rolling update.

Solution

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy
  labels:
    app: nginx-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-deploy
  template:
    metadata:
      labels:
        app: nginx-deploy
    spec:
      containers:
        - name: nginx
          image: nginx:1.16
          ports:
            - containerPort: 80
 
# Apply the deployment
kubectl apply -f deploy.yaml --record

# Upgrade the image to nginx:1.17
kubectl set image deployment/nginx-deploy nginx=nginx:1.17 --record

# Check rollout history
kubectl rollout history deployment/nginx-deploy

 

Details

  • Deployment Name: nginx-deploy
  • Initial Image: nginx:1.16
  • Upgraded Image: nginx:1.17

Q6: Create a User and Assign Permissions

Task

Create a user john with access to create, list, get, update, and delete Pods in the development namespace.

Solution

CSR Manifest:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: john-developer
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: BASE64_ENCODED_CSR
  usages:
    - digital signature
    - key encipherment
    - client auth
 

Role and RoleBinding:

# Create Role
kubectl create role developer --resource=pods --verb=create,list,get,update,delete --namespace=development

# Bind Role to User
kubectl create rolebinding developer-role-binding --role=developer --user=john --namespace=development

Verify Access:

kubectl auth can-i update pods --as=john --namespace=development

 

Details

  • User: john
  • Namespace: development
  • Access: Create, List, Get, Update, Delete Pods

 


1. Role YAML

Command:

kubectl create role developer --resource=pods --verb=create,list,get,update,delete --namespace=development --dry-run=client -o yaml > role.yaml

Output YAML:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: development
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "list", "get", "update", "delete"]

2. RoleBinding YAML

Command:

kubectl create rolebinding developer-role-binding --role=developer --user=john --namespace=development --dry-run=client -o yaml > rolebinding.yaml

Output YAML:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-role-binding
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: john
Verify Access:

kubectl auth can-i update pods --as=john --namespace=development
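
The single can-i check above covers one verb. The following added example (not part of the original post) checks every verb the task requires and also confirms that nothing outside the Role is granted. The helper names can_i and rbac_audit are hypothetical, and the caller is assumed to have permission to impersonate users.

```shell
#!/bin/sh
# Added example, not from the original post: audit the effective permissions
# of an impersonated user with `kubectl auth can-i`.
# Assumes kubectl is on PATH and the caller may impersonate users.

# can_i USER NAMESPACE VERB RESOURCE -> prints "yes" or "no".
# `kubectl auth can-i` exits non-zero on "no", so the exit status is ignored
# and only the printed answer is used.
can_i() {
  ci_answer=$(kubectl auth can-i "$3" "$4" --as="$1" --namespace="$2" 2>/dev/null) || true
  if [ "$ci_answer" = "yes" ]; then echo yes; else echo no; fi
}

# rbac_audit USER NAMESPACE "verb:resource ..." "verb:resource ..."
# First list: pairs that must be allowed. Second list: pairs that must be denied.
# Prints one line per mismatch and returns 1 if there is any.
rbac_audit() {
  ra_rc=0
  for ra_pair in $3; do
    if [ "$(can_i "$1" "$2" "${ra_pair%%:*}" "${ra_pair#*:}")" != yes ]; then
      echo "MISSING $2 $ra_pair"
      ra_rc=1
    fi
  done
  for ra_pair in $4; do
    if [ "$(can_i "$1" "$2" "${ra_pair%%:*}" "${ra_pair#*:}")" = yes ]; then
      echo "EXCESS $2 $ra_pair"
      ra_rc=1
    fi
  done
  return $ra_rc
}

# Usage with the names from this page: the five task verbs must pass,
# while secrets, pods/exec and other namespaces must stay denied.
#   rbac_audit john development \
#     "create:pods list:pods get:pods update:pods delete:pods" \
#     "get:secrets create:pods/exec"
#   rbac_audit john default "" "list:pods get:pods"
```

A MISSING line means the Role lacks a verb the task asks for; an EXCESS line means the user can do more than intended.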
 


Q7: Create Pod and Test DNS Resolution

Task

Create a Pod nginx-resolver and expose it with a Service nginx-resolver-service. Test DNS resolution from within the cluster.

Solution

 
# Create Pod
kubectl run nginx-resolver --image=nginx

# Expose Pod with a Service
kubectl expose pod nginx-resolver --name=nginx-resolver-service --port=80 --target-port=80 --type=ClusterIP

# Test DNS Resolution
kubectl run test-nslookup --image=busybox:1.28 --rm -it --restart=Never -- nslookup nginx-resolver-service > /root/CKA/nginx.svc

# Get Pod IP
kubectl get pod nginx-resolver -o wide

# Test Pod DNS Resolution (the Pod DNS name uses the Pod IP with dots replaced by dashes)
kubectl run test-nslookup --image=busybox:1.28 --rm -it --restart=Never -- nslookup <POD_IP_WITH_DASHES>.default.pod > /root/CKA/nginx.pod
 

 

Details

  • Pod Name: nginx-resolver
  • Service Name: nginx-resolver-service
  • DNS Resolution: Recorded in /root/CKA/nginx.svc and /root/CKA/nginx.pod

2. Service YAML that exposes the Pod

Command:

kubectl expose pod nginx-resolver --name=nginx-resolver-service --port=80 --target-port=80 --type=ClusterIP --dry-run=client -o yaml > service-nginx-resolver.yaml

Output YAML:

apiVersion: v1
kind: Service
metadata:
  name: nginx-resolver-service
spec:
  selector:
    run: nginx-resolver
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: ClusterIP


Q8: Create a Static Pod

Task

Create a static Pod nginx-critical on node01 using image nginx.

Solution

  1. Generate YAML:
    kubectl run nginx-critical --image=nginx --dry-run=client -o yaml > static.yaml
  2. Transfer File to node01:
    scp static.yaml node01:/root/
  3. On node01:
    mkdir -p /etc/kubernetes/manifests
    cp /root/static.yaml /etc/kubernetes/manifests/
  4. Verify Pod:
    kubectl get pods

Details

  • Pod Name: nginx-critical
  • Static Pod Path: /etc/kubernetes/manifests/

 


Wrong Answer Notes

Q.6

Task:

Create a CertificateSigningRequest (CSR) for a user john-developer with appropriate permissions for managing Pods in the development namespace using the developer Role. Ensure the CSR is approved, and the user has access.


Solution:

  1. Create CSR YAML File:
    • Generate a private key and certificate signing request for the user john-developer.
    • Save the private key locally and create a CSR YAML file.
    openssl genrsa -out john.key 2048
    openssl req -new -key john.key -out john.csr -subj "/CN=john/O=development"
  2. Convert CSR to Base64:
    • Convert the CSR to base64 and embed it into the Kubernetes CSR YAML file.
    cat <<EOF > john-csr.yaml
    apiVersion: certificates.k8s.io/v1
    kind: CertificateSigningRequest
    metadata:
      name: john-developer
    spec:
      request: $(cat john.csr | base64 | tr -d '\n')
      signerName: kubernetes.io/kube-apiserver-client
      expirationSeconds: 86400
      usages:
      - client auth
    EOF
  3. Submit the CSR:
    kubectl apply -f john-csr.yaml
  4. Approve the CSR:
    kubectl certificate approve john-developer
  5. Bind the Role:
    • Create a Role that allows access to Pods in the development namespace.
    cat <<EOF | kubectl apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: development
      name: developer
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "watch", "create", "delete"]
    EOF

    • Create a RoleBinding to bind the developer Role to the user.
    kubectl create rolebinding john-developer-binding \
      --role=developer \
      --user=john \
      --namespace=development
  6. Test Access:
    • Use the approved certificate to test access.
    • Save the issued certificate from the approved CSR (the kubeconfig below expects ./john.crt):
      kubectl get csr john-developer -o jsonpath='{.status.certificate}' | base64 -d > john.crt
    • Generate the kubeconfig for the user john:
      kubectl config set-credentials john \
        --client-certificate=./john.crt \
        --client-key=./john.key
      kubectl config set-context john-context \
        --cluster=kubernetes \
        --namespace=development \
        --user=john
      kubectl config use-context john-context

    • Verify access:
      kubectl get pods
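
Approving a CSR binds the resulting certificate to whatever subject the request carries: the API server takes the user name from CN and the groups from O. The following added example (not part of the original post) decodes the stored request and approves it only when the subject is exactly the expected one. The function names are hypothetical, and openssl and base64 are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a CSR before approving it.
# Assumes openssl, base64 and (for review_and_approve) kubectl are installed.

# csr_subject BASE64_PEM_CSR -> subject in RFC 2253 form,
# for example O=development,CN=john
csr_subject() {
  printf '%s' "$1" | base64 -d |
    openssl req -noout -subject -nameopt RFC2253 2>/dev/null |
    sed 's/^subject= *//'
}

# csr_matches BASE64_PEM_CSR USER "GROUP ..." -> status 0 only if the CSR asks
# for exactly that CN and exactly that set of O values (sorted, space separated).
# Simplification: assumes attribute values contain no commas.
csr_matches() {
  cm_fields=$(csr_subject "$1" | tr ',' '\n')
  cm_cn=$(printf '%s\n' "$cm_fields" | sed -n 's/^CN=//p')
  cm_org=$(printf '%s\n' "$cm_fields" | sed -n 's/^O=//p' | sort | tr '\n' ' ')
  [ "$cm_cn" = "$2" ] && [ "${cm_org% }" = "$3" ]
}

# review_and_approve CSR_NAME USER "GROUP ..."
# Reads spec.request from the cluster and approves only on an exact match.
review_and_approve() {
  ra_req=$(kubectl get csr "$1" -o jsonpath='{.spec.request}') || return 1
  if csr_matches "$ra_req" "$2" "$3"; then
    kubectl certificate approve "$1"
  else
    echo "refusing $1: subject is $(csr_subject "$ra_req")" >&2
    return 1
  fi
}

# Usage with the names from this page:
#   review_and_approve john-developer john development
```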

Q.7

Task:

Create a nginx-resolver Pod, expose it internally with a service, and perform DNS lookups from a busybox Pod. Record results in /root/CKA/nginx.svc and /root/CKA/nginx.pod.


Solution:

  1. Create nginx-resolver Pod:
     
    kubectl run nginx-resolver --image=nginx
  2. Expose the Pod as a Service:
    kubectl expose pod nginx-resolver --name=nginx-resolver-service --port=80 --target-port=80 --type=ClusterIP
  3. DNS Lookup for Service:
    kubectl run test-nslookup --image=busybox:1.28 --rm -it --restart=Never -- nslookup nginx-resolver-service > /root/CKA/nginx.svc
  4. DNS Lookup for Pod:
     
    POD_IP=$(kubectl get pod nginx-resolver -o jsonpath='{.status.podIP}')
    kubectl run test-nslookup --image=busybox:1.28 --rm -it --restart=Never -- nslookup ${POD_IP//./-}.default.pod > /root/CKA/nginx.pod
  5. Verify Results:
    cat /root/CKA/nginx.svc
    cat /root/CKA/nginx.pod

Q.8

Task:

Create a static Pod on node01 called nginx-critical and ensure it is managed in /etc/kubernetes/manifests and restarted automatically.


Solution:

  1. Generate Static Pod YAML File:
    kubectl run nginx-critical --image=nginx --dry-run=client -o yaml > static.yaml
  2. Transfer YAML File to node01:
    scp static.yaml node01:/root/
  3. Connect to node01:
    ssh node01
  4. Create Static Pod Directory:
    mkdir -p /etc/kubernetes/manifests
  5. Modify Kubelet Configuration:
    • Edit /var/lib/kubelet/config.yaml to include:
      staticPodPath: /etc/kubernetes/manifests
  6. Restart Kubelet Service:
    systemctl restart kubelet
  7. Move YAML File to Static Pod Path:
    cp /root/static.yaml /etc/kubernetes/manifests/
  8. Verify Pod Status:
    kubectl get pods

Details Checklist:

  1. Q.6:
    • john-developer CSR approved.
    • User john has access to Pods in the development namespace.
  2. Q.7:
    • Service DNS resolution recorded in /root/CKA/nginx.svc.
    • Pod DNS resolution recorded in /root/CKA/nginx.pod.
  3. Q.8:
    • Static Pod created under /etc/kubernetes/manifests.
    • Pod nginx-critical-node01 is up and running.