Some of the scenario questions here are based on Kodekloud's CKA course labs.
Note
CKAD and CKA can have similar scenario questions. It is recommended to go through the CKAD practice tests.
Shortcuts
First run the two commands below for shortcuts.
export do="--dry-run=client -o yaml"
export now="--force --grace-period=0" Questions
-
What is the Internal IP address of the controlplane node in this cluster?
controlplane ~ ➜ k get no NAME STATUS ROLES AGE VERSION controlplane Ready control-plane 15m v1.27.0 node01 Ready <none> 14m v1.27.0
Answer
controlplane ~ ➜ k describe no controlplane | grep -i ip flannel.alpha.coreos.com/public-ip: 192.2.53.9 InternalIP: 192.2.53.9
-
What is the network interface configured for cluster connectivity on the controlplane node?
controlplane ~ ➜ k get no NAME STATUS ROLES AGE VERSION controlplane Ready control-plane 15m v1.27.0 node01 Ready <none> 14m v1.27.0
Answer
controlplane ~ ➜ k get no -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME controlplane Ready control-plane 20m v1.27.0 192.2.120.9 <none> Ubuntu 20.04.6 LTS 5.4.0-1106-gcp containerd://1.6.6 node01 Ready <none> 19m v1.27.0 192.2.120.12 <none> Ubuntu 20.04.5 LTS 5.4.0-1106-gcp containerd://1.6.6 controlplane ~ ➜ ip addr | grep -B2 192.2 13036: eth0@if13037: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default link/ether 02:42:c0:02:78:09 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.2.120.9/24 brd 192.2.120.255 scope global eth0
-
What is the MAC address assigned to node01?
controlplane ~ ➜ k get no NAME STATUS ROLES AGE VERSION controlplane Ready control-plane 15m v1.27.0 node01 Ready <none> 14m v1.27.0
Answer
Need to ssh to node01.
controlplane ~ ➜ ssh node01 root@node01 ~ ➜ ip addr | grep -B2 192.2 13945: eth0@if13946: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default link/ether 02:42:c0:02:78:0c brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.2.120.12/24 brd 192.2.120.255 scope global eth0
-
We use Containerd as our container runtime. What is the interface/bridge created by Containerd on the controlplane node?
Answer
controlplane ~ ✖ ip link show | grep -i cni 3: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP mode DEFAULT group default qlen 1000 4: vethcb46d51e@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue master cni0 state UP mode DEFAULT group default link/ether 46:15:1c:5b:93:f2 brd ff:ff:ff:ff:ff:ff link-netns cni-3f59b276-21d3-2b70-df1a-514e9f7eb6cb 5: veth35f1d3bb@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue master cni0 state UP mode DEFAULT group default link/ether 96:21:56:39:34:10 brd ff:ff:ff:ff:ff:ff link-netns cni-d15387ac-89be-7f41-ecb3-79879ae016f1
-
If you were to ping google from the controlplane node, which route does it take?
controlplane ~ ➜ k get no NAME STATUS ROLES AGE VERSION controlplane Ready control-plane 15m v1.27.0 node01 Ready <none> 14m v1.27.0
Answer
controlplane ~ ➜ ip route default via 172.25.0.1 dev eth1
-
What is the port the kube-scheduler is listening on in the controlplane node?
Answer
controlplane ~ ➜ netstat -tulpn | grep -i sched tcp 0 0 127.0.0.1:10259 0.0.0.0:* LISTEN 3706/kube-scheduler
-
Notice that ETCD is listening on two ports. Which of these have more client connections established?
Answer
2379 is the port of ETCD to which all control plane components connect to. 2380 is only for etcd peer-to-peer connectivity when you have multiple controlplane nodes.
controlplane ~ ➜ netstat -tulpn | grep -i etc tcp 0 0 192.2.120.9:2379 0.0.0.0:* LISTEN 3723/etcd tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 3723/etcd tcp 0 0 192.2.120.9:2380 0.0.0.0:* LISTEN 3723/etcd tcp 0 0 127.0.0.1:2381 0.0.0.0:* LISTEN 3723/etcd controlplane ~ ➜ netstat -anp | grep etc | grep 2379 | wc -l 63 controlplane ~ ➜ netstat -anp | grep etc | grep 2380 | wc -l 1 controlplane ~ ➜ netstat -anp | grep etc | grep 2381 | wc -l 1
-
Inspect the kubelet service and identify the container runtime endpoint value is set for Kubernetes.
Answer
Answer is unix:///var/run/containerd/containerd.sock.
controlplane ~ ➜ ps -aux | grep kubelet | grep container root 4685 0.0 0.0 3702540 101388 ? Ssl 20:02 0:12 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infracontainer-image=registry.k8s.io/pause:3.9
-
What is the path configured with all binaries of CNI supported plugins?
Answer
controlplane ~ ➜ ls -la /opt/cni total 20 drwxr-xr-x 1 root root 4096 Nov 2 11:33 . drwxr-xr-x 1 root root 4096 Nov 2 11:38 .. drwxrwxr-x 1 root root 4096 Dec 30 20:02 bin controlplane ~ ➜ ls -la /opt/cni/bin/ total 71424 drwxrwxr-x 1 root root 4096 Dec 30 20:02 . drwxr-xr-x 1 root root 4096 Nov 2 11:33 .. -rwxr-xr-x 1 root root 3859475 Jan 16 2023 bandwidth -rwxr-xr-x 1 root root 4299004 Jan 16 2023 bridge -rwxr-xr-x 1 root root 10167415 Jan 16 2023 dhcp -rwxr-xr-x 1 root root 3986082 Jan 16 2023 dummy -rwxr-xr-x 1 root root 4385098 Jan 16 2023 firewall -rwxr-xr-x 1 root root 2474798 Dec 30 20:02 flannel -rwxr-xr-x 1 root root 3870731 Jan 16 2023 host-device -rwxr-xr-x 1 root root 3287319 Jan 16 2023 host-local -rwxr-xr-x 1 root root 3999593 Jan 16 2023 ipvlan -rwxr-xr-x 1 root root 3353028 Jan 16 2023 loopback -rwxr-xr-x 1 root root 4029261 Jan 16 2023 macvlan -rwxr-xr-x 1 root root 3746163 Jan 16 2023 portmap -rwxr-xr-x 1 root root 4161070 Jan 16 2023 ptp -rwxr-xr-x 1 root root 3550152 Jan 16 2023 sbr -rwxr-xr-x 1 root root 2845685 Jan 16 2023 static -rwxr-xr-x 1 root root 3437180 Jan 16 2023 tuning -rwxr-xr-x 1 root root 3993252 Jan 16 2023 vlan -rwxr-xr-x 1 root root 3586502 Jan 16 2023 vrf
-
What is the CNI plugin configured to be used on this kubernetes cluster?
Answer
controlplane ~ ➜ ls -la /etc/cni/ total 20 drwx------ 1 root root 4096 Nov 2 11:33 . drwxr-xr-x 1 root root 4096 Dec 30 20:02 .. drwx------ 1 root root 4096 Dec 30 20:02 net.d controlplane ~ ➜ ls -la /etc/cni/net.d/ total 16 drwx------ 1 root root 4096 Dec 30 20:02 . drwx------ 1 root root 4096 Nov 2 11:33 .. -rw-r--r-- 1 root root 292 Dec 30 20:02 10-flannel.conflist
-
What binary executable file will be run by kubelet after a container and its associated namespace are created?
-
What binary executable file will be run by kubelet after a container and its associated namespace are created?
Answer
controlplane ~ ➜ ls -l /etc/cni/ total 4 drwx------ 1 root root 4096 Dec 30 20:02 net.d controlplane ~ ➜ ls -l /etc/cni/net.d/ total 4 -rw-r--r-- 1 root root 292 Dec 30 20:02 10-flannel.conflist
The answer is flannel.
controlplane ~ ✖ cat /etc/cni/net.d/10-flannel.conflist { "name": "cbr0", "cniVersion": "0.3.1", "plugins": [ { "type": "flannel", "delegate": { "hairpinMode": true, "isDefaultGateway": true } }, { "type": "portmap", "capabilities": { "portMappings": true } } ] }
-
Deploy weave-net networking solution to the cluster.
NOTE: - We already have provided a weave manifest file under the /root/weave directory.
Answer
The pod cannot start because networking is not yet configured.
controlplane ~ ➜ k get po NAME READY STATUS RESTARTS AGE app 1/1 ContainerCreating 0 3m7sInstall weavenet via the weave manifest.
controlplane ~ ➜ ls -la /root/weave/ total 20 drwxr-xr-x 2 root root 4096 Dec 30 20:21 . drwx------ 1 root root 4096 Dec 30 20:20 .. -rw-r--r-- 1 root root 6259 Dec 30 20:21 weave-daemonset-k8s.yaml controlplane ~ ➜ k apply -f /root/weave/ serviceaccount/weave-net created clusterrole.rbac.authorization.k8s.io/weave-net created clusterrolebinding.rbac.authorization.k8s.io/weave-net created role.rbac.authorization.k8s.io/weave-net created rolebinding.rbac.authorization.k8s.io/weave-net created daemonset.apps/weave-net created
The app should now be able to run.
controlplane ~ ➜ k get po NAME READY STATUS RESTARTS AGE app 1/1 Running 0 3m7s
-
What is the Networking Solution used by this cluster?
Answer
controlplane ~ ➜ ls -la /etc/cni/net.d/ total 16 drwx------ 1 root root 4096 Dec 30 22:19 . drwx------ 1 root root 4096 Nov 2 11:33 .. -rw-r--r-- 1 root root 318 Dec 30 22:19 10-weave.conflist controlplane ~ ➜ cat /etc/cni/net.d/10-weave.conflist { "cniVersion": "0.3.0", "name": "weave", "plugins": [ { "name": "weave", "type": "weave-net", "hairpinMode": true }, { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true } ] }
-
How many weave agents/peers are deployed in this cluster?
Answer
controlplane ~ ➜ k get po -n kube-system NAME READY STATUS RESTARTS AGE coredns-5d78c9869d-g5r7l 1/1 Running 0 24m coredns-5d78c9869d-kbzrl 1/1 Running 0 24m etcd-controlplane 1/1 Running 0 24m kube-apiserver-controlplane 1/1 Running 0 24m kube-controller-manager-controlplane 1/1 Running 0 24m kube-proxy-6rzbz 1/1 Running 0 24m kube-proxy-bqhf2 1/1 Running 0 24m kube-scheduler-controlplane 1/1 Running 0 24m weave-net-mq78f 2/2 Running 1 (23m ago) 24m weave-net-pxrzs 2/2 Running 1 (23m ago) 24m controlplane ~ ➜ k get po -n kube-system -o wide ñ grep weave weave-net-mq78f 2/2 Running 1 (24m ago) 24m 192.5.179.12 node01 <none> <none> weave-net-pxrzs 2/2 Running 1 (24m ago) 24m 192.5.179.9 controlplane <none> <none>
-
Identify the name of the bridge network/interface created by weave on each node.
Answer
controlplane ~ ➜ ip addr | grep weave 4: weave: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue state UP group default qlen 1000 inet 10.244.192.0/16 brd 10.244.255.255 scope global weave 7: vethwe-bridge@vethwe-datapath: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default 10: vethwepl4a7ab64@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default 12: vethwepl6d8c184@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default
-
What is the default gateway configured on the PODs scheduled on node01?
Answer
We are interested with the route for weave, which shows default gateway of 10.244.0.1.
root@node01 ~ ➜ ip route default via 172.25.0.1 dev eth1 10.244.0.0/16 dev weave proto kernel scope link src 10.244.0.1 172.25.0.0/24 dev eth1 proto kernel scope link src 172.25.0.35 192.5.179.0/24 dev eth0 proto kernel scope link src 192.5.179.12
-
What is the range of IP addresses configured for PODs on this cluster? The network is configured with weave.
Answer
Check the pod for weave and see the logs. It should show the ip allocation range.
controlplane ~ ➜ k get po -n kube-system NAME READY STATUS RESTARTS AGE coredns-5d78c9869d-9qdz4 1/1 Running 0 28m coredns-5d78c9869d-qzd27 1/1 Running 0 28m etcd-controlplane 1/1 Running 0 28m kube-apiserver-controlplane 1/1 Running 0 28m kube-controller-manager-controlplane 1/1 Running 0 28m kube-proxy-gq9zh 1/1 Running 0 28m kube-proxy-p6fhm 1/1 Running 0 28m kube-scheduler-controlplane 1/1 Running 0 28m weave-net-5djnr 2/2 Running 0 28m weave-net-wcmwp 2/2 Running 1 (28m ago) 28m controlplane ~ ➜ k logs -n kube-system weave-net-5djnr | grep -i ip Defaulted container "weave" out of: weave, weave-npc, weave-init (init) INFO: 2023/12/31 03:24:40.683471 Command line options: map[conn-limit:200 datapath:datapath db-prefix:/weavedb/weave-net docker-api: expect-npc:true http-addr:127.0.0.1:6784 ipalloc-init:consensus=1 ipalloc-range:10.244.0.0/16 metrics-addr:0.0.0.0:6782 name:62:53:38:78:b6:a0 nickname:node01 no-dns:true no-masq-local:true port:6783]
-
What is the IP Range configured for the services within the cluster?
Answer
From here we can see the the servuces are configured in the 10.96.0.x range.
controlplane ~ ➜ k get svc -A NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31m kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 31m
We can also check the manifest for the kub-apiserver.
controlplane ~ ➜ ls -l /etc/kubernetes/manifests/kube-apiserver.yaml -rw------- 1 root root 3877 Dec 30 22:23 /etc/kubernetes/manifests/kube-apiserver.yaml controlplane ~ ➜ grep -i ip /etc/kubernetes/manifests/kube-apiserver.yaml - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --service-cluster-ip-range=10.96.0.0/12
-
What type of proxy is the kube-proxy configured to use?
Answer
controlplane ~ ➜ k get po -n kube-system | grep kube-proxy kube-proxy-gq9zh 1/1 Running 0 35m kube-proxy-p6fhm 1/1 Running 0 36m controlplane ~ ➜ k logs -n kube-system kube-proxy-gq9zh | grep -i proxy I1231 03:24:13.560888 1 server_others.go:551] "Using iptables proxy"
-
How does this Kubernetes cluster ensure that a kube-proxy pod runs on all nodes in the cluster?
Answer
kube-proxy is managed through a DaemonSet.
controlplane ~ ➜ k get po -n kube-system | grep kube-pro kube-proxy-gq9zh 1/1 Running 0 40m kube-proxy-p6fhm 1/1 Running 0 40m controlplane ~ ➜ k describe pod -n kube-system kube-proxy-gq9zh | grep -i control Labels: controller-revision-hash=7b6c5596fc Controlled By: DaemonSet/kube-proxy
-
Identify the DNS solution implemented in this cluster.
Answer
controlplane ~ ✖ k get po -A | grep dns kube-system coredns-5d78c9869d-9gj8f 1/1 Running 0 5m23s kube-system coredns-5d78c9869d-gp7z4 1/1 Running 0 5m23s
-
What is the IP of the CoreDNS server that should be configured on PODs to resolve services?
Answer
controlplane ~ ➜ k get svc -n kube-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 7m2s
-
Where is the configuration file located for configuring the CoreDNS service?
Answer
controlplane ~ ➜ k get po -n kube-system | grep dns coredns-5d78c9869d-9gj8f 1/1 Running 0 10m coredns-5d78c9869d-gp7z4 1/1 Running 0 10m controlplane ~ ➜ k describe -n kube-system pod coredns-5d78c9869d-gp7z4 | grep -i file /etc/coredns/Corefile
-
How is the Corefile passed into the CoreDNS POD?
Answer
controlplane ~ ➜ k get po -n kube-system | grep dns coredns-5d78c9869d-9gj8f 1/1 Running 0 11m coredns-5d78c9869d-gp7z4 1/1 Running 0 11m controlplane ~ ➜ k describe -n kube-system pod coredns-5d78c9869d-gp7z4 | grep -i control Node: controlplane/192.6.107.3 Controlled By: ReplicaSet/coredns-5d78c9869d node-role.kubernetes.io/control-plane:NoSchedule Normal Scheduled 11m default-scheduler Successfully assigned kube-system/coredns-5d78c9869d-gp7z4 to controlplane controlplane ~ ➜ k get rs -n kube-system NAME DESIRED CURRENT READY AGE coredns-5d78c9869d 2 2 2 11m
When we try to check the YAML file for the ReplicaSet, we see that the file is passed as a ConfigMap object.
controlplane ~ ➜ k get rs -n kube-system coredns-5d78c9869d -o yaml | grep -i corefile -B5 topologyKey: kubernetes.io/hostname weight: 100 containers: - args: - -conf - /etc/coredns/Corefile -- key: node-role.kubernetes.io/control-plane volumes: - configMap: defaultMode: 420 items: - key: Corefile path: Corefile
-
Since we know that the Corefile is passed as a ConfigMap object, determine the root domain/zone configured for this kubernetes cluster.
Answer
The root domain is cluster.local.
controlplane ~ ➜ k get cm -n kube-system NAME DATA AGE coredns 1 15m extension-apiserver-authentication 6 16m kube-apiserver-legacy-service-account-token-tracking 1 16m kube-proxy 2 15m kube-root-ca.crt 1 15m kubeadm-config 1 15m kubelet-config 1 15m controlplane ~ ➜ k describe -n kube-system cm coredns Name: coredns Namespace: kube-system Labels: <none> Annotations: <none> Data ==== Corefile: ---- .:53 { errors health { lameduck 5s } ready kubernetes cluster.local in-addr.arpa ip6.arpa { pods insecure fallthrough in-addr.arpa ip6.arpa ttl 30 } prometheus :9153 forward . /etc/resolv.conf { max_concurrent 1000 } cache 30 loop reload loadbalance } BinaryData ==== Events: <none>
-
What name can be used to access the hr web server from the test Application?
controlplane ~ ➜ k get po -A NAMESPACE NAME READY STATUS RESTARTS AGE default hr 1/1 Running 0 13m default simple-webapp-1 1/1 Running 0 13m default simple-webapp-122 1/1 Running 0 13m default test 1/1 Running 0 13m kube-flannel kube-flannel-ds-m267z 1/1 Running 0 18m kube-system coredns-5d78c9869d-9gj8f 1/1 Running 0 18m kube-system coredns-5d78c9869d-gp7z4 1/1 Running 0 18m kube-system etcd-controlplane 1/1 Running 0 18m kube-system kube-apiserver-controlplane 1/1 Running 0 18m kube-system kube-controller-manager-controlplane 1/1 Running 0 18m kube-system kube-proxy-hj5vp 1/1 Running 0 18m kube-system kube-scheduler-controlplane 1/1 Running 0 18m payroll web 1/1 Running 0 13m controlplane ~ ➜ k get svc -A NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 18m default test-service NodePort 10.96.250.160 <none> 80:30080/TCP 13m default web-service ClusterIP 10.108.205.43 <none> 80/TCP 13m kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 18m payroll web-service ClusterIP 10.96.157.205 <none> 80/TCP 13m
Answer
Remove the -A flag so that it only shows the resources in the default namespace where the hr pod is.
controlplane ~ ➜ k get po NAME READY STATUS RESTARTS AGE hr 1/1 Running 0 16m simple-webapp-1 1/1 Running 0 15m simple-webapp-122 1/1 Running 0 15m test 1/1 Running 0 16m controlplane ~ ➜ k get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 21m test-service NodePort 10.96.250.160 <none> 80:30080/TCP 16m web-service ClusterIP 10.108.205.43 <none> 80/TCP 16m
Run a curl from within the hr pod.
controlplane ~ ✖ k exec -it hr -- curl web-service:80 This is the HR server!
-
Which of the names CANNOT be used to access the HR service from the test pod?
- web-service
- web-service.default
- web-service.default.pod
- web-service.default.svc
controlplane ~ ➜ k get po NAME READY STATUS RESTARTS AGE hr 1/1 Running 0 19m simple-webapp-1 1/1 Running 0 19m simple-webapp-122 1/1 Running 0 19m test 1/1 Running 0 19m controlplane ~ ➜ k get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 24m test-service NodePort 10.96.250.160 <none> 80:30080/TCP 19m web-service ClusterIP 10.108.205.43 <none> 80/TCP 19m
Answer
controlplane ~ ➜ k exec -it test -- curl web-service:80 This is the HR server! controlplane ~ ➜ k exec -it test -- curl web-service.default:80 This is the HR server! controlplane ~ ➜ k exec -it test -- curl web-service.default.pod:80 curl: (6) Could not resolve host: web-service.default.pod command terminated with exit code 6 controlplane ~ ➜ k exec -it test -- curl web-service.default.svc:80 This is the HR server!
The answer is web-service.default.pod.
-
Which of the below name can be used to access the payroll service from the test application?
- web-service.payroll
- web-service
- web
- web-service.default
controlplane ~ ➜ k get svc -n payroll NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE web-service ClusterIP 10.96.157.205 <none> 80/TCP 26m controlplane ~ ➜ k get po NAME READY STATUS RESTARTS AGE hr 1/1 Running 0 26m simple-webapp-1 1/1 Running 0 26m simple-webapp-122 1/1 Running 0 26m test 1/1 Running 0 26m
Answer
controlplane ~ ➜ k exec -it test -- curl web-service.payroll:80 This is the PayRoll server! controlplane ~ ➜ k exec -it test -- curl web-service:80 This is the HR server! controlplane ~ ➜ k exec -it test -- curl web:80 curl: (6) Could not resolve host: web command terminated with exit code 6 controlplane ~ ✖ k exec -it test -- curl web-service.default:80 This is the HR server!
The answers are:
- web-service.payroll
- web-service
- web-service.default
-
We just deployed a web server - webapp - that accesses a database mysql - server. However the web server is failing to connect to the database server. Troubleshoot and fix the issue.
controlplane ~ ➜ k get po -A NAMESPACE NAME READY STATUS RESTARTS AGE default hr 1/1 Running 0 30m default simple-webapp-1 1/1 Running 0 30m default simple-webapp-122 1/1 Running 0 30m default test 1/1 Running 0 30m default webapp-54b76556d-89b25 1/1 Running 0 30s kube-flannel kube-flannel-ds-m267z 1/1 Running 0 35m kube-system coredns-5d78c9869d-9gj8f 1/1 Running 0 35m kube-system coredns-5d78c9869d-gp7z4 1/1 Running 0 35m kube-system etcd-controlplane 1/1 Running 0 35m kube-system kube-apiserver-controlplane 1/1 Running 0 35m kube-system kube-controller-manager-controlplane 1/1 Running 0 35m kube-system kube-proxy-hj5vp 1/1 Running 0 35m kube-system kube-scheduler-controlplane 1/1 Running 0 35m payroll mysql 1/1 Running 0 30s payroll web 1/1 Running 0 30m
Answer
From the given above, we can see that the web-app and mysql are in different namespaces. There are two options here:
- Make sure both are in the same namespace
- Configure the webapp to point to the mysql at payroll namespace.
We will so the second option.
controlplane ~ ➜ k get deploy NAME READY UP-TO-DATE AVAILABLE AGE webapp 1/1 1 1 7m54s controlplane ~ ➜ k edit deploy webapp
Append the namespace after the hostname.
spec: containers: - env: - name: DB_Host value: mysql.payroll - name: DB_User value: root - name: DB_Password value: paswrd image: mmumshad/simple-webapp-mysql imagePullPolicy: Always name: simple-webapp-mysql ports:
-
From the hr pod nslookup the mysql service and redirect the output to a file /root/CKA/nslookup.out
controlplane ~ ➜ k get po NAME READY STATUS RESTARTS AGE hr 1/1 Running 0 43m simple-webapp-1 1/1 Running 0 43m simple-webapp-122 1/1 Running 0 43m test 1/1 Running 0 43m webapp-6fdb68c84f-wvgd2 1/1 Running 0 2m37s controlplane ~ ➜ k get svc -n payroll NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE mysql ClusterIP 10.96.128.66 <none> 3306/TCP 13m web-service ClusterIP 10.96.157.205 <none> 80/TCP 43m
Answer
controlplane ~ ➜ k exec -it hr -- nslookup mysql.payroll Server: 10.96.0.10 Address: 10.96.0.10#53 Name: mysql.payroll.svc.cluster.local Address: 10.96.128.66 controlplane ~ ➜ k exec -it hr -- nslookup mysql.payroll > /root/CKA/nslookup.out controlplane ~ ➜ ls -la /root/CKA/nslookup.out -rw-r--r-- 1 root root 111 Dec 30 23:53 /root/CKA/nslookup.out controlplane ~ ➜ cat /root/CKA/nslookup.out Server: 10.96.0.10 Address: 10.96.0.10#53 Name: mysql.payroll.svc.cluster.local Address: 10.96.128.66
-
Which namespace is the Ingress Controller deployed in?
Answer
controlplane ~ ➜ k get all -A | grep -i ingress ingress-nginx pod/ingress-nginx-admission-create-ddtp2 0/1 Completed 0 84s ingress-nginx pod/ingress-nginx-admission-patch-nn4hl 0/1 Completed 0 84s ingress-nginx pod/ingress-nginx-controller-5d48d5445f-zwmd9 1/1 Running 0 85s ingress-nginx service/ingress-nginx-controller NodePort 10.103.62.71 <none> 80:30080/TCP,443:32103/TCP 85s ingress-nginx service/ingress-nginx-controller-admission ClusterIP 10.96.188.183 <none> 443/TCP 85s ingress-nginx deployment.apps/ingress-nginx-controller 1/1 1 1 85s ingress-nginx replicaset.apps/ingress-nginx-controller-5d48d5445f 1 1 1 85s ingress-nginx job.batch/ingress-nginx-admission-create 1/1 10s 85s ingress-nginx job.batch/ingress-nginx-admission-patch 1/1 9s 84s
-
What is the name of the ingress resource deployed?
Answer
controlplane ~ ➜ k api-resources | grep -i ingress ingressclasses networking.k8s.io/v1 false IngressClass ingresses ing networking.k8s.io/v1 true Ingress controlplane ~ ➜ k get ing -A NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE app-space ingress-wear-watch <none> * 10.103.62.71 80 4m12s
-
What is the Host configured on the Ingress Resource?
Answer
All Hosts (*)
controlplane ~ ➜ k api-resources | grep -i ingress ingressclasses networking.k8s.io/v1 false IngressClass ingresses ing networking.k8s.io/v1 true Ingress controlplane ~ ➜ k get ing -A NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE app-space ingress-wear-watch <none> * 10.103.62.71 80 4m12s controlplane ~ ➜ k describe -n app-space ingress ingress-wear-watch Name: ingress-wear-watch Labels: <none> Namespace: app-space Address: 10.103.62.71 Ingress Class: <none> Default backend: <default> Rules: Host Path Backends ---- ---- -------- * /wear wear-service:8080 (10.244.0.4:8080) /watch video-service:8080 (10.244.0.5:8080) Annotations: nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/ssl-redirect: false Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Sync 4m29s (x2 over 4m30s) nginx-ingress-controller Scheduled for sync
-
You are requested to change the URLs at which the applications are made available. Make the change in the given Ingress Controller.
controlplane ~ ➜ k get ing -A NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE app-space ingress-wear-watch <none> * 10.103.62.71 80 7m48s
Answer
controlplane ~ ➜ k edit -n app-space ingress ingress-wear-watch# Please edit the object below. Lines beginning with a '#' will be ignored, # and an empty file will abort the edit. If an error occurs while saving this file will be # reopened with the relevant failures. # apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/ssl-redirect: "false" creationTimestamp: "2023-12-31T04:54:24Z" generation: 1 name: ingress-wear-watch namespace: app-space resourceVersion: "910" uid: 2e334919-c62f-4513-8400-e47ebf0eabf4 spec: rules: - http: paths: - backend: service: name: wear-service port: number: 8080 path: /wear pathType: Prefix - backend: service: name: video-service port: number: 8080 path: /stream pathType: Prefix status: loadBalancer: ingress: - ip: 10.103.62.71
-
You are requested to add a new path to your ingress to make the food delivery application available to your customers.
Make the new application available at /eat.
controlplane ~ ➜ k get deploy -n app-space NAME READY UP-TO-DATE AVAILABLE AGE default-backend 1/1 1 1 10m webapp-food 1/1 1 1 13s webapp-video 1/1 1 1 10m webapp-wear 1/1 1 1 10m controlplane ~ ➜ k get svc -n app-space NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE default-backend-service ClusterIP 10.99.131.124 <none> 80/TCP 14m food-service ClusterIP 10.109.123.30 <none> 8080/TCP 4m5s video-service ClusterIP 10.98.228.143 <none> 8080/TCP 14m wear-service ClusterIP 10.109.75.46 <none> 8080/TCP 14m controlplane ~ ➜ k get ing -A NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE app-space ingress-wear-watch <none> * 10.103.62.71 80 11m
Answer
controlplane ~ ➜ k edit -n app-space ingress ingress-wear-watchapiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/ssl-redirect: "false" creationTimestamp: "2023-12-31T04:54:24Z" generation: 3 name: ingress-wear-watch namespace: app-space resourceVersion: "2107" uid: 2e334919-c62f-4513-8400-e47ebf0eabf4 spec: rules: - http: paths: - backend: service: name: wear-service port: number: 8080 path: /wear pathType: Prefix - backend: service: name: video-service port: number: 8080 path: /stream pathType: Prefix - backend: service: name: food-service port: number: 8080 path: /eat pathType: Prefix
-
You are requested to make the new application webapp-pay available at /pay.
Identify and implement the best approach to making this application available on the ingress controller and test to make sure its working. Look into annotations: rewrite-target as well.
controlplane ~ ➜ k get deploy -A NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE app-space default-backend 1/1 1 1 16m app-space webapp-food 1/1 1 1 7m2s app-space webapp-video 1/1 1 1 16m app-space webapp-wear 1/1 1 1 16m critical-space webapp-pay 1/1 1 1 102s ingress-nginx ingress-nginx-controller 1/1 1 1 16m kube-system coredns 2/2 2 2 20m controlplane ~ ➜ k get svc -n critical-space NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE pay-service ClusterIP 10.106.32.226 <none> 8282/TCP 2m13s controlplane ~ ➜ k get ing -A NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE app-space ingress-wear-watch <none> * 10.103.62.71 80 17m
Answer
Do not modify the existing ingress resource. Simply create a new one.
## ingress-pay.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: minimal-ingress annotations: nginx.ingress.kubernetes.io/rewrite-target: / spec: ingressClassName: nginx-example rules: - http: paths: - path: /testpath pathType: Prefix backend: service: name: test port: number: 80
controlplane ~ ➜ k apply -f ingress-pay.yaml ingress.networking.k8s.io/pay-ingress created controlplane ~ ➜ k get ing -A NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE app-space ingress-wear-watch <none> * 10.103.62.71 80 25m critical-space pay-ingress <none> * 80 7s
-
Deploy an Ingress Controller.
- First, create a namespace called ingress-nginx.
- The NGINX Ingress Controller requires a ConfigMap object. Create a ConfigMap object with name ingress-nginx-controller in the ingress-nginx namespace.
- The NGINX Ingress Controller requires two ServiceAccounts. Create both ServiceAccount with name ingress-nginx and ingress-nginx-admission in the ingress-nginx namespace. Use the spec provided below.
- Name: ingress-nginx
- Name: ingress-nginx-admission
- The roles, clusterroles, rolebindings, and clusterrolebindings have been created
- Create the Ingress Controller using the /root/ingress-controller.yaml. There are several issues with it. Try to fix them.
- Finally, create the ingress resource to make the applications available at /wear and /watch on the Ingress service. Also, make use of rewrite-target annotation field.
- Path: /wear
- Path: /watch
Answer
controlplane ~ ➜ k create ns ingress-nginx namespace/ingress-nginx created controlplane ~ ➜ k get ns NAME STATUS AGE app-space Active 67s default Active 8m20s ingress-nginx Active 2s kube-flannel Active 8m14s kube-node-lease Active 8m20s kube-public Active 8m20s kube-system Active 8m20s
Create the ConfigMap.
controlplane ~ ➜ k create configmap ingress-nginx-controller --namespace ingress-nginx $do apiVersion: v1 kind: ConfigMap metadata: creationTimestamp: null name: ingress-nginx-controller namespace: ingress-nginx controlplane ~ ➜ k create configmap ingress-nginx-controller --namespace ingress-nginx $do > cm-ingress-nginx-controller.yml controlplane ~ ➜ k create configmap ingress-nginx-controller --namespace ingress-nginx configmap/ingress-nginx-controller created controlplane ~ ➜ k get cm -n ingress-nginx NAME DATA AGE ingress-nginx-controller 0 53s kube-root-ca.crt 1 3m18s
Next, create the service accounts.
controlplane ~ ➜ k create sa ingress-nginx-admission --namespace ingress-nginx $do apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: null name: ingress-nginx-admission namespace: ingress-nginx controlplane ~ ➜ k create sa ingress-nginx-admission --namespace ingress-nginx $do > sa-ingress-nginx-admission.yml controlplane ~ ➜ k create sa ingress-nginx-admission --namespace ingress-nginx serviceaccount/ingress-nginx-admission created controlplane ~ ➜ k create sa ingress-nginx --namespace ingress-nginx serviceaccount/ingress-nginx-admission created controlplane ~ ➜ k get sa -n ingress-nginx NAME SECRETS AGE default 0 8m53s ingress-nginx 0 67s ingress-nginx-admission 0 14s
Fix the ingress-controller.yaml and apply afterwards.
## ingress-controller.yaml apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/version: 1.1.2 helm.sh/chart: ingress-nginx-4.0.18 name: ingress-nginx-controller namespace: ingress-nginx spec: minReadySeconds: 0 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx template: metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx spec: containers: - args: - /nginx-ingress-controller - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - --election-id=ingress-controller-leader - --watch-ingress-without-class=true - --default-backend-service=app-space/default-http-backend - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so image: registry.k8s.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c imagePullPolicy: IfNotPresent lifecycle: preStop: exec: command: - /wait-shutdown livenessProbe: failureThreshold: 5 httpGet: path: /healthz port: 10254 scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 name: controller ports: - name: http containerPort: 80 protocol: TCP - containerPort: 443 name: https protocol: TCP - containerPort: 8443 name: webhook protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /healthz port: 10254 scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 100m memory: 90Mi securityContext: allowPrivilegeEscalation: true capabilities: add: - NET_BIND_SERVICE drop: - ALL runAsUser: 101 volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert readOnly: true dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes: - name: webhook-cert secret: secretName: ingress-nginx-admission --- apiVersion: v1 kind: Service metadata: creationTimestamp: null labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx app.kubernetes.io/version: 1.1.2 helm.sh/chart: ingress-nginx-4.0.18 name: ingress-nginx-controller namespace: ingress-nginx spec: ports: - port: 80 protocol: TCP targetPort: 80 nodePort: 30080 selector: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx type: NodePort
controlplane ~ ➜ k get -n ingress-nginx po NAME READY STATUS RESTARTS AGE ingress-nginx-admission-create-wtzf6 0/1 Completed 0 7m32s ingress-nginx-controller-cc9f46d74-fmc65 0/1 Running 0 13s controlplane ~ ➜ k get -n ingress-nginx svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx-controller NodePort 10.104.168.175 <none> 80:30080/TCP 18s ingress-nginx-controller-admission ClusterIP 10.105.49.126 <none> 443/TCP 7m37s
Next, create the ingress resource. But first, get the services in the app-space namespace.
controlplane ~ ➜ k get svc -n app-space NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE default-http-backend ClusterIP 10.104.25.24 <none> 80/TCP 29m video-service ClusterIP 10.97.188.119 <none> 8080/TCP 29m wear-service ClusterIP 10.98.183.145 <none> 8080/TCP 29m
## ingress-resource.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: app-ingress namespace: app-space annotations: nginx.ingress.kubernetes.io/rewrite-target: / spec: ingressClassName: nginx-example rules: - http: paths: - path: /wear pathType: Prefix backend: service: name: wear-service port: number: 8080 - path: /watch pathType: Prefix backend: service: name: video-service port: number: 8080
controlplane ~ ➜ k apply -f ingress-resource.yaml ingress.networking.k8s.io/app-ingress created controlplane ~ ➜ k get ing -n app-space NAME CLASS HOSTS ADDRESS PORTS AGE app-ingress nginx-example * 80 12s