Some of the scenario questions here are based on Kodekloud's CKAD course labs.
Note
CKAD and CKA can have similar scenario questions. It is recommended to go through the CKA practice tests.
Shortcuts
First run the two commands below for shortcuts.
export do="--dry-run=client -o yaml"
export now="--force --grace-period=0" Questions
-
How many container images are in the host?
Answer
$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE redis latest eca1379fe8b5 8 months ago 117MB mysql latest 8189e588b0e8 8 months ago 564MB nginx latest 6efc10a0510f 8 months ago 142MB postgres latest ceccf204404e 8 months ago 379MB nginx alpine 8e75cbc5b25c 9 months ago 41MB alpine latest 9ed4aefc74f6 9 months ago 7.04MB ubuntu latest 08d22c0ceb15 10 months ago 77.8MB kodekloud/simple-webapp-mysql latest 129dd9f67367 5 years ago 96.6MB kodekloud/simple-webapp latest c6e3cd9aae36 5 years ago 84.8MB
-
Build a docker image using the Dockerfile and name it webapp-color. No tag to be specified.
$ ls -l total 4 drwxr-xr-x 4 root root 4096 Jan 6 04:18 webapp-color $ ls -l webapp-color/ total 16 -rw-r--r-- 1 root root 113 Jan 6 04:18 Dockerfile -rw-r--r-- 1 root root 2259 Jan 6 04:18 app.py -rw-r--r-- 1 root root 5 Jan 6 04:18 requirements.txt drwxr-xr-x 2 root root 4096 Jan 6 04:18 templates
Answer
$ docker build -t webapp-color webapp-color/ Sending build context to Docker daemon 125.4kB Step 1/6 : FROM python:3.6 ---> 54260638d07c Step 2/6 : RUN pip install flask ---> Using cache ---> 94c3f6b51c29 Step 3/6 : COPY . /opt/ ---> Using cache ---> cd1ff9e242bb Step 4/6 : EXPOSE 8080 ---> Using cache ---> 95dbaf915fbe Step 5/6 : WORKDIR /opt ---> Using cache ---> fb1706a0b0fc Step 6/6 : ENTRYPOINT ["python", "app.py"] ---> Using cache ---> ea2b85406064 Successfully built ea2b85406064 Successfully tagged webapp-color:latest $ $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE webapp-color latest ea2b85406064 About a minute ago 913MB redis latest eca1379fe8b5 8 months ago 117MB mysql latest 8189e588b0e8 8 months ago 564MB
-
Run an instance of the image webapp-color and publish port 8080 on the container to 8282 on the host.
$ docker images | grep webapp webapp-color latest ea2b85406064 2 minutes ago 913MBAnswer
Use docker run, and then for exposing the port:
docker run -p <host-port>:<container:port>
$ docker run -p 8282:8080 webapp-color This is a sample web application that displays a colored background. A color can be specified in two ways. 1. As a command line argument with --color as the argument. Accepts one of red,green,blue,blue2,pink,darkblue 2. As an Environment variable APP_COLOR. Accepts one of red,green,blue,blue2,pink,darkblue 3. If none of the above then a random color is picked from the above list. Note: Command line argument precedes over environment variable. No command line argument or environment variable. Picking a Random Color =green * Serving Flask app 'app' (lazy loading) * Environment: production WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead. * Debug mode: off * Running on all addresses. WARNING: This is a development server. Do not use it in a production deployment. * Running on http://172.12.0.2:8080/ (Press CTRL+C to quit)
-
What is the base Operating System used by the python:3.6 image?
$ docker images | grep python python 3.6 54260638d07c 2 years ago 902MBAnswer
$ docker run python:3.6 cat /etc/*release* PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"
-
Build a new smaller docker image by modifying the same Dockerfile and name it webapp-color and tag it lite.
Find a smaller base image for python:3.6. Make sure the final image is less than 150MB.
Hint: Use python:3.6-alpine
$ cd webapp-color/ $ ls -l total 16 -rw-r--r-- 1 root root 113 Jan 6 04:18 Dockerfile -rw-r--r-- 1 root root 2259 Jan 6 04:18 app.py -rw-r--r-- 1 root root 5 Jan 6 04:18 requirements.txt drwxr-xr-x 2 root root 4096 Jan 6 04:18 templates $ $ cat Dockerfile FROM python:3.6 RUN pip install flask COPY . /opt/ EXPOSE 8080 WORKDIR /opt ENTRYPOINT ["python", "app.py"]
Answer
Edit the Dockerfile.
FROM python:3.6-alpine RUN pip install flask COPY . /opt/ EXPOSE 8080 WORKDIR /opt ENTRYPOINT ["python", "app.py"]
Build the image.
$ docker build -t webapp-color:lite . Sending build context to Docker daemon 125.4kB Step 1/6 : FROM python:3.6-alpine 3.6-alpine: Pulling from library/python 59bf1c3509f3: Pull complete 8786870f2876: Pull complete acb0e804800e: Pull complete 52bedcb3e853: Pull complete b064415ed3d7: Pull complete $ docker images | grep lite webapp-color lite a56a7c8ff6ff 15 seconds ago 51.9MB
-
Run an instance of the new image webapp-color:lite and publish port 8080 on the container to 8383 on the host.
$ docker images | grep lite webapp-color lite a56a7c8ff6ff About a minute ago 51.9MBAnswer
docker run -p 8383:8080 webapp-color:lite
-
I would like to use the dev-user to access test-cluster-1. Set the current context to the right one so I can do that.
controlplane ~ ➜ k config get-contexts --kubeconfig my-kube-config CURRENT NAME CLUSTER AUTHINFO NAMESPACE aws-user@kubernetes-on-aws kubernetes-on-aws aws-user research test-cluster-1 dev-user * test-user@development development test-user test-user@production production test-user
Answer
controlplane ~ ➜ k config use-context research --kubeconfig my-kube-config Switched to context "research". controlplane ~ ➜ k config get-contexts --kubeconfig my-kube-config CURRENT NAME CLUSTER AUTHINFO NAMESPACE aws-user@kubernetes-on-aws kubernetes-on-aws aws-user * research test-cluster-1 dev-user test-user@development development test-user test-user@production production test-user
-
Inspect the environment and identify the authorization modes configured on the cluster.
Answer
controlplane ~ ✦ ➜ k get po -n kube-system NAME READY STATUS RESTARTS AGE coredns-5d78c9869d-5vk8b 1/1 Running 0 8m31s coredns-5d78c9869d-snn5g 1/1 Running 0 8m31s etcd-controlplane 1/1 Running 0 8m38s kube-apiserver-controlplane 1/1 Running 0 8m46s kube-controller-manager-controlplane 1/1 Running 0 8m42s kube-proxy-65s6j 1/1 Running 0 8m31s kube-scheduler-controlplane 1/1 Running 0 8m43sAnswer
controlplane ~ ✦ ✖ k describe -n kube-system po kube-apiserver-controlplane | grep -i auth --authorization-mode=Node,RBAC --enable-bootstrap-token-auth=true
-
What are the resources the kube-proxy role in the kube-system namespace is given access to?
Answer
controlplane ~ ✦ ➜ k get roles -A | grep kube-proxy kube-system kube-proxy 2024-01-06T04:39:22Z controlplane ~ ✦ ➜ k describe role -n kube-system kube-proxy Name: kube-proxy Labels: <none> Annotations: <none> PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- configmaps [] [kube-proxy] [get]
-
Which account is the kube-proxy role assigned to?
Answer
controlplane ~ ✦ ➜ k get rolebinding -A | grep kube-proxy kube-system kube-proxy Role/kube-proxy 12m controlplane ~ ✦ ➜ k describe rolebinding -n kube-system kube-proxy Name: kube-proxy Labels: <none> Annotations: <none> Role: Kind: Role Name: kube-proxy Subjects: Kind Name Namespace ---- ---- --------- Group system:bootstrappers:kubeadm:default-node-token
-
Create the necessary roles and role bindings required for the dev-user to create, list and delete pods in the default namespace. Use the given spec:
-
Role: developer
-
Role Resources: pods
-
Role Actions: list
-
Role Actions: create
-
Role Actions: delete
-
RoleBinding: dev-user-binding
-
RoleBinding: Bound to dev-user
Answer
controlplane ~ ✦ ➜ k create role developer --verb "list,create,delete" --resource "pods" $do apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null name: developer rules: - apiGroups: - "" resources: - pods verbs: - list - create - delete controlplane ~ ✦ ➜ k create role developer --verb "list,create,delete" --resource "pods" role.rbac.authorization.k8s.io/developer created controlplane ~ ✦ ➜ k create rolebinding dev-user-binding --role developer --user dev-user $do apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: creationTimestamp: null name: dev-user-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: developer subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: dev-user controlplane ~ ✦ ➜ k create rolebinding dev-user-binding --role developer --user dev-user rolebinding.rbac.authorization.k8s.io/dev-user-binding created
-
-
Which admission controller is enabled by default?
Answer
controlplane ~ ➜ k describe -n kube-system po kube-apiserver-controlplane | grep -i admission --enable-admission-plugins=NodeRestriction
-
NamespaceExists admission controller enabled which rejects requests to namespaces that do not exist. So, to create a namespace that does not exist automatically, we could enable the NamespaceAutoProvision admission controller
Enable the NamespaceAutoProvision admission controller.
Answer
controlplane ~ ➜ ls -l /etc/kubernetes/manifests/ total 16 -rw------- 1 root root 2399 Jan 6 00:08 etcd.yaml -rw------- 1 root root 3877 Jan 6 00:08 kube-apiserver.yaml -rw------- 1 root root 3393 Jan 6 00:08 kube-controller-manager.yaml -rw------- 1 root root 1463 Jan 6 00:08 kube-scheduler.yaml controlplane ~ ➜ cd /etc/kubernetes/manifests/
Modify the kube-apiserver YAML file.
apiVersion: v1 kind: Pod metadata: annotations: kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.7.174.8:6443 creationTimestamp: null labels: component: kube-apiserver tier: control-plane name: kube-apiserver namespace: kube-system spec: containers: - command: - kube-apiserver - --advertise-address=192.7.174.8 - --allow-privileged=true - --authorization-mode=Node,RBAC - --client-ca-file=/etc/kubernetes/pki/ca.crt - --enable-admission-plugins=NodeRestriction,NamespaceAutoProvisionOnce you update kube-apiserver yaml file, please wait for a few minutes for the kube-apiserver to restart completely.
controlplane /etc/kubernetes/manifests ➜ k get po -n kube-system NAME READY STATUS RESTARTS AGE coredns-5d78c9869d-bqnjq 1/1 Running 0 14m coredns-5d78c9869d-wxjg5 1/1 Running 0 14m etcd-controlplane 1/1 Running 0 14m kube-apiserver-controlplane 0/1 Pending 0 8s kube-controller-manager-controlplane 1/1 Running 1 (33s ago) 14m kube-proxy-jld6s 1/1 Running 0 14m kube-scheduler-controlplane 1/1 Running 1 (32s ago) 14m
Verify:
controlplane /etc/kubernetes/manifests ➜ k get ns NAME STATUS AGE default Active 15m kube-flannel Active 15m kube-node-lease Active 15m kube-public Active 15m kube-system Active 15m controlplane /etc/kubernetes/manifests ➜ k run nginx --image nginx -n testing pod/nginx created controlplane /etc/kubernetes/manifests ➜ k get ns NAME STATUS AGE default Active 15m kube-flannel Active 15m kube-node-lease Active 15m kube-public Active 15m kube-system Active 15m testing Active 3s
-
Disable DefaultStorageClass admission controller This admission controller observes creation of PersistentVolumeClaim objects that do not request any specific storage class and automatically adds a default storage class to them. This way, users that do not request any special storage class do not need to care about them at all and they will get the default one.
Answer
apiVersion: v1 kind: Pod metadata: annotations: kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.7.174.8:6443 creationTimestamp: null labels: component: kube-apiserver tier: control-plane name: kube-apiserver namespace: kube-system spec: containers: - command: - kube-apiserver - --advertise-address=192.7.174.8 - --allow-privileged=true - --authorization-mode=Node,RBAC - --client-ca-file=/etc/kubernetes/pki/ca.crt - --enable-admission-plugins=NodeRestriction,NamespaceAutoProvision - --disable-admission-plugins=DefaultStorageClass
-
Create TLS secret webhook-server-tls for secure webhook communication in webhook-demo namespace.
-
Certificate : /root/keys/webhook-server-tls.crt
-
Key : /root/keys/webhook-server-tls.key
Answer
controlplane ~ ➜ k create secret tls webhook-server-tls --namespace webhook-demo --cert /root/keys/webhook-server-tls.crt --key /root/keys/webhook-server-tls.key secret/webhook-server-tls created controlplane ~ ➜ k get secrets -n webhook-demo NAME TYPE DATA AGE webhook-server-tls kubernetes.io/tls 2 8s
-
-
Enable the v1alpha1 version for rbac.authorization.k8s.io API group on the controlplane node.
-
Create a custom resource called datacenter and the apiVersion should be traffic.controller/v1.
Set the dataField length to 2 and access permission should be true
Answer
## datacenter.yml kind: Global apiVersion: traffic.controller/v1 metadata: name: datacenter spec: dataField: 2 access: true
controlplane ~ ➜ k apply -f datacenter.yml global.traffic.controller/datacenter createdcontrolplane ~ ➜ k get global NAME AGE datacenter 64s
-
A deployment has been created in the default namespace. What is the deployment strategy used for this deployment?
controlplane ~ ➜ k get deployments.apps NAME READY UP-TO-DATE AVAILABLE AGE frontend 5/5 5 5 95sAnswer
controlplane ~ ➜ k describe deployments.apps frontend | grep -i strategy StrategyType: RollingUpdate RollingUpdateStrategy: 25% max unavailable, 25% max surge
-
What is the selector used by the frontend-service service?
controlplane ~ ➜ k get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE frontend-service NodePort 10.104.213.172 <none> 8080:30080/TCP 2m26s kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 7m27s
Answer
controlplane ~ ➜ k describe svc frontend-service | grep -i selector Selector: app=frontend
-
A new deployment called frontend-v2 has been created in the default namespace using the image kodekloud/webapp-color:v2. This deployment will be used to test a newer version of the same app.
Configure the deployment in such a way that the service called frontend-service routes less than 20% of traffic to the new deployment.
Do not increase the replicas of the frontend deployment.
controlplane ~ ➜ k get deployments.apps NAME READY UP-TO-DATE AVAILABLE AGE frontend 5/5 5 5 4m23s frontend-v2 2/2 2 2 21sAnswer
The frontend deployment currently has 7 replicas The frontend-v2 deployment currently has 2 replicas In total, there are 7 replicas or 7 pods.
The frontend-service distributes the traffice to all 7 pods equally, which means:
-
per 1 pod = 14.28% of the traffic
-
frontend deployment: 5 pods = 71.4% of the traffic
-
frontend-v2 deployment: 2 pods = 28.56% of the traffic
If we want to reduce the percent of traffic being directed to frontend-v2 deployment, scale down the replica to 2, which means:
-
per 1 pod = 16.66% of the traffic
-
frontend deployment: 5 pods = 83.3% of the traffic
-
frontend-v2 deployment: 2 pods = 16.66% of the traffic
Scale down the frontend-v2 to 1 replica.
controlplane ~ ➜ k scale deployment frontend-v2 --replicas 1 deployment.apps/frontend-v2 scaled controlplane ~ ➜ k get deployments.apps NAME READY UP-TO-DATE AVAILABLE AGE frontend 5/5 5 5 5m47s frontend-v2 1/1 1 1 105s
-
-
Search for a wordpress helm chart package from the Artifact Hub.
Answer
controlplane ~ ➜ helm search --help Usage: helm search [command] Available Commands: hub search for charts in the Artifact Hub or your own hub instance repo search repositories for a keyword in charts controlplane ~ ➜ helm search hub --help Usage: helm search hub [KEYWORD] [flags]
helm search hub wordpress
-
Add a bitnami helm chart repository in the controlplane node.
-
name - bitnami
-
chart repo name - https://charts.bitnami.com/bitnami
Answer
controlplane ~ ➜ helm repo add --help add a chart repository Usage: helm repo add [NAME] [URL] [flags] controlplane ~ ➜ helm repo add bitnami https://charts.bitnami.com/bitnami "bitnami" has been added to your repositories controlplane ~ ➜ helm list NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION controlplane ~ ➜ helm repo list NAME URL bitnami https://charts.bitnami.com/bitnami
-
-
What command is used to search for the joomla package from the added repository?
Answer
controlplane ~ ➜ helm repo list NAME URL bitnami https://charts.bitnami.com/bitnami controlplane ~ ➜ helm search --help Search provides the ability to search for Helm charts in the various places they can be stored including the Artifact Hub and repositories you have added. Use search subcommands to search different locations for charts. Usage: helm search [command] Available Commands: hub search for charts in the Artifact Hub or your own hub instance repo search repositories for a keyword in charts controlplane ~ ➜ helm search repo joomla NAME CHART VERSION APP VERSION DESCRIPTION bitnami/joomla 18.0.0 5.0.1 Joomla! is an award winning open source CMS pla...
-
Install drupal helm chart from the bitnami repository.
-
Release name should be bravo.
-
Chart name should be bitnami/drupal.
Answer
controlplane ~ ➜ helm install --help Usage: helm install [NAME] [CHART] [flags] controlplane ~ ➜ helm install bitnami/drupal bravo Error: INSTALLATION FAILED: non-absolute URLs should be in form of repo_name/path_to_chart, got: bravo controlplane ~ ➜ helm install bravo bitnami/drupal NAME: bravo LAST DEPLOYED: Sat Jan 6 02:43:29 2024 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: CHART NAME: drupal CHART VERSION: 17.0.0 APP VERSION: 10.2.0** Please be patient while the chart is being deployed **
-
-
Uninstall the drupal helm package which was installed in the previous question.
Answer
controlplane ~ ➜ helm uninstall bravo release "bravo" uninstalled
-
Download the bitnami apache package under the /root directory. Note: Do not install the package. Just download it.
controlplane ~ ➜ helm repo list NAME URL bitnami https://charts.bitnami.com/bitnami puppet https://puppetlabs.github.io/puppetserver-helm-chart hashicorp https://helm.releases.hashicorp.comAnswer
controlplane ~ ➜ helm search repo apache NAME CHART VERSION APP VERSION DESCRIPTION bitnami/apache 10.2.4 2.4.58 Apache HTTP Server is an open-source HTTP serve... bitnami/airflow 16.1.10 2.8.0 Apache Airflow is a tool to express and execute... bitnami/apisix 2.2.8 3.7.0 Apache APISIX is high-performance, real-time AP... bitnami/cassandra 10.6.8 4.1.3 Apache Cassandra is an open source distributed ... bitnami/dataplatform-bp2 12.0.5 1.0.1 DEPRECATED This Helm chart can be used for the ... bitnami/flink 0.5.3 1.18.0 Apache Flink is a framework and distributed pro... bitnami/geode 1.1.8 1.15.1 DEPRECATED Apache Geode is a data management pl... bitnami/kafka 26.6.2 3.6.1 Apache Kafka is a distributed streaming platfor... bitnami/mxnet 3.5.2 1.9.1 DEPRECATED Apache MXNet (Incubating) is a flexi... bitnami/schema-registry 16.2.6 7.5.3 Confluent Schema Registry provides a RESTful in... bitnami/solr 8.3.4 9.4.0 Apache Solr is an extremely powerful, open sour... bitnami/spark 8.1.7 3.5.0 Apache Spark is a high-performance engine for l... bitnami/tomcat 10.11.10 10.1.17 Apache Tomcat is an open-source web server desi... bitnami/zookeeper 12.4.1 3.9.1 Apache ZooKeeper provides a reliable, centraliz... controlplane ~ ➜ helm pull --help Retrieve a package from a package repository, and download it locally. Usage: helm pull [chart URL | repo/chartname] [...] [flags] controlplane ~ ➜ helm pull bitnami/apache controlplane ~ ➜ ls -l total 36 -rw-r--r-- 1 root root 35248 Jan 6 02:48 apache-10.2.4.tgz controlplane ~ ➜ tar -xf apache-10.2.4.tgz controlplane ~ ➜ ls -l total 40 drwxr-xr-x 5 root root 4096 Jan 6 02:49 apache -rw-r--r-- 1 root root 35248 Jan 6 02:48 apache-10.2.4.tgz