Certified Kubernetes Administrator (v1.29)

Cluster Architecture, Installation & Configuration

  1. User (the RoleBinding subject is kind User)

    RBAC with Kubernetes in Minikube

    1.1 Generate a key using OpenSSL

    openssl genrsa -out daniel.key 2048

    1.2 Generate a certificate signing request (CSR). The CN becomes the Kubernetes username and each O becomes a group, so they must match the subjects you intend to bind.

    openssl req -new -key daniel.key -out daniel.csr -subj "/CN=daniel/O=dev"

    1.3 Sign the certificate with the cluster CA (on a kubeadm cluster the CA key pair is /etc/kubernetes/pki/ca.crt and ca.key; in production prefer the CertificateSigningRequest API over handling the CA key directly). Kubernetes cannot revoke client certificates, so the cert stays valid for the whole -days period; keep it short.

    openssl x509 -req -in daniel.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out daniel.crt -days 500

    1.4 Set a user entry in kubeconfig

    kubectl config set-credentials daniel --client-certificate=daniel.crt --client-key=daniel.key

    1.5 Set a context entry in kubeconfig

    kubectl config set-context daniel-context --cluster=minikube --user=daniel

    1.6 Test it

    kubectl config use-context daniel-context
    kubectl create ns ns-test
    fails with "forbidden": the certificate authenticates daniel, but no RoleBinding grants him anything yet.

    Apply this YAML file (role-and-binding.yaml) from the admin context:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: pod-reader
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get","watch","list"]
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods
      namespace: default
    subjects:
    - kind: User # !!!!!!!
      name: daniel
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io

    kubectl config use-context minikube
    kubectl apply -f role-and-binding.yaml
    kubectl config use-context daniel-context
    kubectl create ns ns-test
    still fails: namespaces are cluster-scoped, and a Role can only grant resources inside its own namespace.

    kubectl get pods
    succeeds, but only for the default namespace; kubectl get pods -n kube-system is still forbidden.
  2. Group (the RoleBinding subject is kind Group)

    2.1 Generate a key using OpenSSL

    openssl genrsa -out daniel.key 2048

    2.2 Generate a certificate signing request. As before, CN is the username and O is the group; this time the binding will target the group dev rather than the user.

    openssl req -new -key daniel.key -out daniel.csr -subj "/CN=daniel/O=dev"

    2.3 Sign the certificate with the cluster CA (same caveats as 1.3: /etc/kubernetes/pki on a kubeadm cluster, and no revocation once issued).

    openssl x509 -req -in daniel.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out daniel.crt -days 500

    2.4 Set a user entry in kubeconfig

    kubectl config set-credentials daniel --client-certificate=daniel.crt --client-key=daniel.key

    2.5 Set a context entry in kubeconfig

    kubectl config set-context daniel-context --cluster=minikube --user=daniel

    2.6 Test it

    kubectl config use-context daniel-context
    kubectl create ns ns-test
    fails with "forbidden": nothing is bound to daniel or to the group dev yet.

    apply this yaml file. (role-and-binding.yaml)

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: pod-reader
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get","watch","list"]
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods
      namespace: default
    subjects:
    - kind: Group # !!!!!!!
      name: dev
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io

    kubectl config use-context minikube
    kubectl apply -f role-and-binding.yaml
    kubectl config use-context daniel-context
    kubectl create ns ns-test
    still fails, for the same reason as in 1.6: a Role cannot cover a cluster-scoped resource.

    kubectl get pods
    succeeds. daniel is not named anywhere in the binding; he gets pod-reader through O=dev in his certificate, so any certificate the CA signs with O=dev gets the same access.
  3. ServiceAccount (the RoleBinding subject is kind ServiceAccount)

    Kubernetes Role Based Access Control with a Service Account

    3.1 Create the namespace

    kubectl create namespace dev

    3.2 Create service account (service-account.yaml)

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: daniel
      namespace: dev

    kubectl apply -f service-account.yaml

    3.3 Create role and rolebinding (role-and-binding.yaml)

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: dev
      name: pod-reader
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get","watch","list"]
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods
      namespace: dev
    subjects:
    - kind: ServiceAccount # !!!!!!!
      name: daniel
      namespace: dev
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io

    kubectl apply -f role-and-binding.yaml

    3.4 Test it: create a pod that runs as the service account (kubectl-pod.yaml). bibinwilson/docker-kubectl is a third-party image; pin a digest or build your own before using it anywhere that matters.

    apiVersion: v1
    kind: Pod
    metadata:
      name: kubectl-pod
      namespace: dev
    spec:
      containers:
      - name: kubectl
        image: bibinwilson/docker-kubectl:latest
      serviceAccountName: daniel

    kubectl apply -f kubectl-pod.yaml
    kubectl exec -it -n dev kubectl-pod -- /bin/bash

    root@kubectl-pod:/# kubectl get pods -n dev
    succeeds: kubectl inside the pod picks up the auto-mounted token under /var/run/secrets/kubernetes.io/serviceaccount and authenticates as system:serviceaccount:dev:daniel, the subject of the RoleBinding.

    root@kubectl-pod:/# kubectl get nodes
    fails: nodes are cluster-scoped and nothing grants them; pods in any namespace other than dev are forbidden for the same reason.
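
The certificate steps in 1 and 2, and the identity the API server derives from them, as an added example that is not part of the original notes. It builds the same CN/O client certificate against a throwaway CA generated on the spot (standing in for ~/.minikube/ca.crt and ca.key), adds a clientAuth extended key usage the notes do not set, and reads back the username and groups the way kube-apiserver maps them: CN is the user, every O is a group (a ServiceAccount instead authenticates by token as system:serviceaccount:<namespace>:<name>). The helper names, the throwaway CA and the multi-group form of the subject are assumptions; the kubectl steps mirror 1.4 and 1.5 and need a real cluster.

```shell
#!/bin/sh
# Added example, not part of the original notes. Builds a Kubernetes client
# cert like steps 1.1-1.3 / 2.1-2.3, but against a throwaway CA so it runs
# anywhere, then checks offline what identity kube-apiserver will derive.
set -eu

# Self-signed CA in dir $1 (assumed stand-in for ~/.minikube/ca.crt and ca.key).
# An explicit config keeps the CA:TRUE constraint independent of the system openssl.cnf.
make_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = throwaway-k8s-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client cert: $1=ca dir, $2=out dir, $3=username, $4=comma-separated groups.
# CN is the username; every O= in the subject becomes one group.
make_client_cert() {
  ca=$1; out=$2; user=$3; subj="/CN=$user"
  for g in $(printf '%s' "$4" | tr ',' ' '); do subj="$subj/O=$g"; done
  openssl genrsa -out "$out/$user.key" 2048 2>/dev/null
  openssl req -new -key "$out/$user.key" -subj "$subj" -out "$out/$user.csr" 2>/dev/null
  # Not in the notes: restrict the cert to client auth so it cannot double as
  # a server cert. 500 days is the notes' lifetime; Kubernetes cannot revoke it.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$out/client.ext"
  openssl x509 -req -in "$out/$user.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
    -CAcreateserial -days 500 -extfile "$out/client.ext" -out "$out/$user.crt" 2>/dev/null
}

# Print "user=<CN> groups=<O,O,...>", the mapping kube-apiserver applies.
cert_identity() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    awk '/^ *commonName *=/       { sub(/^ *commonName *= */, ""); cn = $0 }
         /^ *organizationName *=/ { sub(/^ *organizationName *= */, ""); g = (g == "" ? $0 : g "," $0) }
         END { printf "user=%s groups=%s\n", cn, g }'
}

# True only if $2 chains to CA $1: kube-apiserver rejects any other issuer.
cert_is_signed_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Steps 1.4-1.5 of the notes; needs a running cluster, so not called below.
install_kubeconfig_user() {   # $1=out dir, $2=user, $3=cluster name
  kubectl config set-credentials "$2" --client-certificate="$1/$2.crt" --client-key="$1/$2.key"
  kubectl config set-context "$2-context" --cluster="$3" --user="$2"
}

demo() {
  d=$(mktemp -d); mkdir "$d/ca" "$d/user"
  make_ca "$d/ca"
  make_client_cert "$d/ca" "$d/user" daniel dev,ops
  cert_identity "$d/user/daniel.crt"          # user=daniel groups=dev,ops
  cert_is_signed_by "$d/ca/ca.crt" "$d/user/daniel.crt" && echo "chains to CA"
  rm -rf "$d"
}
demo
```

A certificate with two O values shows why the Group binding in 2 is broader than it looks: every group in the subject is granted at once, and whoever holds the CA key decides the membership, with no revocation afterwards.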

Use kubeadm to install a basic cluster

Manage a highly-available Kubernetes cluster

Provision underlying infrastructure to deploy a Kubernetes cluster

Perform a version upgrade on a Kubernetes cluster using Kubeadm

Implement etcd backup and restore

  1. Install etcdctl (the etcd client CLI). Match it to the cluster's etcd version; on etcd 3.5+ the offline snapshot subcommands have moved to etcdutl and etcdctl only prints a deprecation warning.
  2. Find the static pod directory: staticPodPath in /var/lib/kubelet/config.yaml (/etc/kubernetes/manifests by default).
  3. Find the etcd CA, server cert and key paths, and the data dir, in the etcd static pod manifest /etc/kubernetes/manifests/etcd.yaml (--trusted-ca-file, --cert-file, --key-file, --data-dir).
  4. Backup: ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/var/lib/minikube/certs/etcd/ca.crt --cert=/var/lib/minikube/certs/etcd/server.crt --key=/var/lib/minikube/certs/etcd/server.key snapshot save today.db
     Verify it with etcdctl snapshot status today.db. The snapshot is the whole cluster state, Secrets included, in plaintext unless encryption at rest is configured, so treat the file like a credential (chmod 600, encrypt it before it leaves the node).
  5. Stop the API server and etcd before restoring: move kube-apiserver.yaml and etcd.yaml out of the static pod directory and wait until the kubelet has stopped both containers.
  6. Move the etcd data dir named by --data-dir in etcd.yaml (/var/lib/minikube/etcd on minikube) aside; snapshot restore refuses to write into an existing directory, and keeping the old copy allows a rollback.
  7. Restore: ETCDCTL_API=3 etcdctl snapshot restore --data-dir=/var/lib/minikube/etcd today.db
     Restore works on the file alone, so the --endpoints/--cacert/--cert/--key flags of the backup command are not needed. Move the two manifests back, then confirm with kubectl get pods -A once the API server is up.
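
The backup and restore steps above, as an added example that is not part of the original notes: a small shell script that reads the TLS and data-dir paths from the etcd static pod manifest instead of retyping them, prints the resulting snapshot save command, and wraps the restore in the stop/restore/start order the static pods need. The etcd.yaml fragment is constructed with the minikube paths from the notes; the helper names, the loopback endpoint and the 20-second wait for the kubelet are assumptions, and only the manifest parsing runs without a cluster.

```shell
#!/bin/sh
# Added example, not part of the original notes. Pulls the TLS file paths and
# data dir out of the etcd static pod manifest (step 3) and assembles the
# backup from them; the restore function follows steps 5-7 in the safe order.
set -eu

# Value of "--<flag>=<value>" from a static pod manifest's command/args list.
etcd_manifest_arg() {   # $1=manifest path, $2=flag name without the leading --
  sed -n "s/^ *- *--$2=//p" "$1" | head -n 1
}

# Print the snapshot save command for this node (endpoint 127.0.0.1:2379 as in
# the notes; assumes etcd serves clients on loopback, as kubeadm and minikube do).
etcd_backup_cmd() {   # $1=manifest, $2=snapshot file
  printf 'ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=%s --cert=%s --key=%s snapshot save %s\n' \
    "$(etcd_manifest_arg "$1" trusted-ca-file)" \
    "$(etcd_manifest_arg "$1" cert-file)" \
    "$(etcd_manifest_arg "$1" key-file)" "$2"
}

# Take the snapshot and lock it down: it holds every Secret in the cluster in
# plaintext unless encryption at rest is configured. Needs a control-plane node.
etcd_backup() {   # $1=manifest, $2=snapshot file
  ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
    --cacert="$(etcd_manifest_arg "$1" trusted-ca-file)" \
    --cert="$(etcd_manifest_arg "$1" cert-file)" \
    --key="$(etcd_manifest_arg "$1" key-file)" \
    snapshot save "$2"
  chmod 600 "$2"
  ETCDCTL_API=3 etcdctl snapshot status "$2" -w table   # size, keys, hash
  sha256sum "$2"                                        # record with the backup
}

# Restore in the order the static pods need: stop kube-apiserver and etcd, move
# the old data dir aside (restore refuses an existing target), restore, start
# both again. Needs a control-plane node; not run by the checks below.
etcd_restore() {   # $1=manifest, $2=snapshot file
  pods=$(dirname "$1")                    # staticPodPath from /var/lib/kubelet/config.yaml
  data=$(etcd_manifest_arg "$1" data-dir)
  off=$(mktemp -d)
  mv "$pods/kube-apiserver.yaml" "$pods/etcd.yaml" "$off/"
  sleep 20                                # assumed enough for the kubelet to stop both
  mv "$data" "$data.pre-restore.$(date +%s)"
  ETCDCTL_API=3 etcdctl snapshot restore --data-dir="$data" "$2"
  mv "$off/etcd.yaml" "$off/kube-apiserver.yaml" "$pods/"
}

# Constructed etcd.yaml fragment with the minikube paths from the notes, so the
# parsing can be exercised without a cluster.
write_sample_manifest() {   # $1=output path
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://192.168.49.2:2379
    - --cert-file=/var/lib/minikube/certs/etcd/server.crt
    - --data-dir=/var/lib/minikube/etcd
    - --key-file=/var/lib/minikube/certs/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://192.168.49.2:2379
    - --trusted-ca-file=/var/lib/minikube/certs/etcd/ca.crt
EOF
}

m=$(mktemp)
write_sample_manifest "$m"
etcd_backup_cmd "$m" today.db    # prints the same command as step 4
rm -f "$m"
```

Moving the old data dir rather than deleting it is deliberate: if the restored snapshot turns out to be the wrong one, moving it back and restarting the static pods is the whole rollback.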

Workload & Scheduling

Understand deployments and how to perform rolling update and rollbacks

Use ConfigMaps and Secrets to configure applications

Know how to scale applications