CKA, former CKAD Flashcards
Ingress vs egress ?
Ingress enables external traffic to reach containers, while egress enables containers to reach external resources. Ingress is typically used for exposing web applications and APIs to the outside world, while egress is used for accessing databases and other services outside of the cluster.
why do i do need livenessprobe?
Caution: Liveness probes can be a powerful way to recover from application failures, but they should be used with caution. Liveness probes must be configured carefully to ensure that they truly indicate unrecoverable application failure, for example a deadlock.
ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
whats special when configured using goproxy?
it need to come with readinessProbe of its own cause its a 2-step rocket
Difference in CKA vs CKAD exam allowed doc. sources?
CKA or CKAD: use the browser within the VM to access the following documentation:
https://kubernetes.io/docs/, https://kubernetes.io/blog/ and their subdomains. This includes all available language translations of these pages (e.g. https://kubernetes.io/zh/docs/)
CKAD only: https://helm.sh/docs
See here for all details: https://docs.linuxfoundation.org/tc-docs/certification/certification-resources-allowed#certified-kubernetes-administrator-cka-and-certified-kubernetes-application-developer-ckad
a tip how to search for multiple container pod yaml in the allowed documentation?
search two containers maybe? i found nginx and debian container in one pod yaml!
Which of the following commands will run a command inside an active container?
A. kubectl exec
B. kubectl run
C. kubectl create
D. kubectl describe
kubectl exec -i -t my-pod –container main-app – /bin/bash.
what does nodeSelector can be good for?
The nodeSelector: entry in the podspec could use this label to cause a pod to be deployed on a particular node with an entry such as:
P.s. Poor mans affinity option from what i understood later.
Can you name some built-in object labels?
There are several built-in object labels. For example nodes have labels such as the arch, hostname, and os, which could be used for assigning pods to a particular node, or type of node.
whats an ambassador in kubernetes?
It is “an open source, Kubernetes-native API gateway for microservices built on Envoy”.
It allows for access to the outside world without having to implement a service or another entry in an ingress controller: proxy local connection, reverse proxy, limits HTTP requests, re-route from the main container to the outside world.
Whats an initContainer?
The use of an initContainer allows one or more containers to run only if one or more previous containers run and exit successfully. For example, you could have a checksum verification scan container and a security scan container check the intended containers. Only if both containers pass the checks would the following group of containers be attempted. You can see a simple example below:
spec:
containers:
- name: intended
image: workload
initContainers:
- name: scanner
image: scanapp
Can k8s deployments be described in other terms?
This controller, or operator, is an agent to create and manage one or more instances of a specific stateful application. We have worked with built-in controllers such for Deployments and other resources.
The addition of a Custom Resource Definition can be handled through exactly what?
The addition of a Custom Resource Definition will be added to the cluster API path, currently under apiextensions.k8s.io/v1.
What does An option spec field is .spec.concurrencyPolicy used for?
An option spec field is .spec.concurrencyPolicy which determines how to handle existing jobs, should the time segment expire. If set to Allow, the default, another concurrent job will be run, and twice as many pods would be running. If set to Forbid, the current job continues and the new job is skipped. A value of Replace cancels the current job and the controlled pods, and starts a new job in its place.
Q. lab 4.1????: Verify your nodes are using a CNI plugin. Read through the startup process of CNI. Each message begins with a type ofmessage and a time stamp, followed by the details of the message. UseTABto complete for your node name. Examineboth the controller and one of your proxy pods
Those are the messages, dont see any type of message in the begining: I1212 11:23:19.028798 1 replica_set.go:205] Starting replicationcontroller controller
I1212 11:23:19.028813 1 shared_informer.go:252] Waiting for caches to sync for ReplicationC
ontroller
how many layers are there in the context of k8s CNI and what are their names?
1) physical is not talked about according to chatgpt
2) Layer 2 - Data Link Layer: This layer is responsible for node-to-node data transfer and handles things like MAC addressing, Ethernet framing, VLAN tagging, and error detection. CNI plugins operating at this layer manage how data is transferred within the same network segment or VLAN.
Layer 3 - Network Layer: This layer deals with IP addressing and routing. It is responsible for moving packets across network boundaries. CNI plugins operating at this layer are involved in routing and IP address assignment for pods.
Layer 4 - Transport Layer: While not directly managed by CNI plugins, this layer, which handles protocols like TCP and UDP, is relevant in the overall Kubernetes networking picture, particularly in services, ingress, and egress operations.
how is OSI organised?
Layer 1 - Physical Layer: This is the most fundamental layer, dealing with the transmission of raw bits over a physical medium. It includes things like cable types, electrical signals, and data rates. It’s the foundation upon which all higher layers are built.
Layer 2 - Data Link Layer: This layer is responsible for node-to-node data transfer and operates on frames. It handles things like physical addressing (MAC addresses), error detection and correction, and defines the protocol to establish and terminate a connection between two physically connected devices.
Layer 3 - Network Layer: The Network Layer is concerned with the routing of packets across different networks. It deals with logical addressing (IP addresses) and determines how data is sent to its destination through routing.
Layer 4 - Transport Layer: This layer provides end-to-end communication services for applications. It ensures complete data transfer and is responsible for error recovery and flow control. Protocols like TCP and UDP operate at this layer.
Layer 5 - Session Layer: This layer manages sessions between applications. It establishes, manages, and terminates connections between applications.
Layer 6 - Presentation Layer: It translates data between the application layer and the network. It’s responsible for data encryption, decryption, compression, and conversion.
Layer 7 - Application Layer: The highest layer of the OSI model, it provides services directly to user applications. It deals with network services that support applications.
Come up with questions about support of these features in k8s CNI projects: about support for vxlands, which layer is supported, network policies support, support for encryption of tcp and udp trafic and more? Here is what chatgpt 4 said:
Enhanced Kubernetes CNI Providers Comparison
Calico
Network Layer Support: Layer 3.
VXLAN Support: Yes, offers both VXLAN and IP-in-IP encapsulation.
Network Policies: Advanced network policy enforcement.
Encryption Support: Supports WireGuard for encrypting traffic.
Use Cases: High-performance, security-focused environments; advanced policy management.
Calico with Canal
Network Layer Support: Combines Layer 2 (Flannel) and Layer 3 (Calico).
VXLAN Support: Inherits VXLAN support from both Calico and Flannel.
Network Policies: Advanced, from Calico.
Encryption Support: Supports encryption via Calico (WireGuard).
Use Cases: Environments needing both simple setup (Flannel) and advanced policy control (Calico).
Flannel
Network Layer Support: Primarily Layer 2.
VXLAN Support: Yes, focuses on simplicity in VXLAN implementation.
Network Policies: Basic support, not as advanced as Calico.
Encryption Support: Does not natively support encryption of traffic.
Use Cases: Smaller, simpler Kubernetes setups; focus on ease of deployment.
Cilium
Network Layer Support: Layer 3, with eBPF-based networking.
VXLAN Support: Yes, along with other encapsulation formats.
Network Policies: Highly advanced, with eBPF-powered security features.
Encryption Support: Strong support for encryption, including transparent encryption of traffic.
Use Cases: Security-centric deployments; environments requiring detailed network visibility and control.
Kube-router
Network Layer Support: Layer 3 focused.
VXLAN Support: Limited or no native support for VXLAN.
Network Policies: Basic to moderate policy support.
Encryption Support: No native support for traffic encryption.
Use Cases: Balances performance and simplicity; suitable for medium-scale environments
What are some ways containers can communicate within the same pod?
IPC, loopback or shared filesystem access
Tips for the exam!
second: k should already be an alias, otherwise; alias k=kubectl
third: dont ever click on links not allowed or u will get disqualified. for that exit maximum window and see what are the links before clicking
fourth: Use :set paste or even better vim ~./.vimrc and put these there:
syntax on
autocmd FileType yaml setlocal ts=2 sts=2 sw=2 expandtab
What does those options stand for? autocmd FileType yaml setlocal ts=2 sts=2 sw=2 expandtab
autocmd FileType yaml: This part tells Vim to automatically execute the following commands whenever a file of the ‘yaml’ file type is opened. Vim detects the file type based on the file extension or sometimes the file content.
setlocal: This command sets options locally for the current buffer. It ensures that the changes made apply only to the YAML file you’re working on, not globally across all open files in Vim.
ts=2: This sets the ‘tabstop’ (ts) option to 2. The ‘tabstop’ option specifies the number of spaces that a tab in the file counts for. In this case, each tab character will be displayed as two spaces.
sts=2: This sets the ‘softtabstop’ (sts) option to 2. When you’re entering text, the ‘softtabstop’ setting makes Vim behave as though the tab character is 2 spaces wide. It affects how text is inserted and how the Tab and Backspace keys work.
sw=2: This sets the ‘shiftwidth’ (sw) option to 2. The ‘shiftwidth’ setting determines the number of spaces to use for each step of (auto)indent. It controls how many spaces are inserted for indentation.
expandtab: This option, when enabled, makes Vim insert spaces instead of tabs when the Tab key is pressed. Combined with the settings above, it means that each time you press Tab, it will insert two spaces.
Name possible memory settings in the pod yaml
Requests is what Kubernetes guarantees as available for the container.
Limits is the maximum amount of memory the container is allowed to use.
Args (“–vm-bytes”, “250M”) is specific to the stress tool used inside the container for testing and is not a Kubernetes resource allocation setting.
How do you aproach this on the exam? you need to know cron, its the linux 5 places cron thats used and which place is which:
Create a new cronjob which runs busybox and the sleep 30 command. Have the cronjob run every three minutes. View the job status to check your work. Change the settings so the pod runs 10 minutes from the current time, every week. For example, if the current time was 2:14PM, I would configure the job to run at 2:24PM, every Monday.
Obs! remember its 5parts cron and they are MHDMDofweek
What is the ambassador in Kubernetes?
Ambassador is a Kubernetes-native API Gateway built on Envoy Proxy. Managed entirely via Kubernetes Custom Resource Definitions, Ambassador provides powerful capabilities for traffic management, authentication, and observability.
Which of the following are helper container types? Choose all answers that apply: Ambassador, Adapter,ProbeHelper,Sidecar
All except Probehelper. can u give example of those?
If a Pod uses more CPU than allowed, it will be evicted. True or False?
False! But its true for memory and disk!
howdo you find port of your local registry?
You just need to list your k8s services: kubectl get svc
Write the list of all DbBackup objects into /root/db-backups .
kubectl get db-backups -A
k get crd to get a list of all, and then take the part before the first dot.
What does this 3 term mean? Helm Chart, Helm Release, Helm Values ?
Helm Chart: Kubernetes YAML template-files combined into a single package, Values allow customisation
Helm Release: Installed instance of a Chart
Helm Values: Allow to customise the YAML template-files in a Chart when creating a Release
Write the list of all Helm releases in the cluster into /root/releases .
helm ls -A > /root/releases
Obs. helm list -h helps!
How to get to know Api Group of k8s Deployments ?
The answer is “Apps”. Two ways to find out:
1) kubectl api-resources| grep -i deploy
deployments deploy apps/v1 true Deployment
2) k explain deploy
GROUP: apps
KIND: Deployment
VERSION: v1
P.s. Remember, group is like groupid in maven: [groupId]:[artifactId]:[type]:[version]
your best way to know the actual version of some api thing?
kubectl api-resources| grep -i
1) What is the official doc reference link for all the special annotations? 2) what is it for namespaces?
- https://kubernetes.io/docs/reference/labels-annotations-taints/. 2. kubernetes.io/metadata.name
Whats inside a basic Dockerfile that just ping a website?
FROM node:lts-alpine
WORKDIR /app
COPY . .
RUN yarn install –production
CMD [“node”, “src/index.js”]
EXPOSE 3000
Obs! remember command parts separated with comma. Also lower/uppercase in FROM matters.
Howto build and list a simple docker/podman image?
podman build -t pinger .
podman image ls
howto run a simple docker/podman image?
podman run –name my-ping pinger
This is the 4 ingredients of Dockerfile. What 2 would i use to create an image that pings a webside:
FROM ubuntu:22.04
COPY . /app
RUN make /app
CMD python /app/app.py
FROM bash
CMD [“ping”, “killercoda.com”]
What was the biggest surprise when i did killerkoda ingress task?
ingressClass! P.s. seems i can see it here kubectl get ingress test-ingress
- What is a command to create a container just by a command? 2. Where in official doc do i find that info
- kubectl run nginx –image=nginx 2. reference > kubectl > generated > kubectl_run
Howto get kubectl events sorted by time?
kubectl get events –sort-by=’.lastTimestamp’
What are 4 servicetypes?
Service type
For some parts of your application (for example, frontends) you may want to expose a Service onto an external IP address, one that’s accessible from outside of your cluster.
Kubernetes Service types allow you to specify what kind of Service you want.
The available type values and their behaviors are:
ClusterIP
Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default that is used if you don’t explicitly specify a type for a Service. You can expose the Service to the public internet using an Ingress or a Gateway.
NodePort
Exposes the Service on each Node’s IP at a static port (the NodePort). To make the node port available, Kubernetes sets up a cluster IP address, the same as if you had requested a Service of type: ClusterIP.
LoadBalancer
Exposes the Service externally using an external load balancer. Kubernetes does not directly offer a load balancing component; you must provide one, or you can integrate your Kubernetes cluster with a cloud provider.
ExternalName
Maps the Service to the contents of the externalName field (for example, to the hostname api.foo.bar.example). The mapping configures your cluster’s DNS server to return a CNAME record with that external hostname value. No proxying of any kind is set up.
How do you expose deployment using service?
kubectl expose deployment/kubernetes-bootcamp –type=”NodePort” –port 8080
How am i supposed to find info about exposing a deployment?
Searching for “service expose deployment” gave 2 main type of results that are useful: 1) tutorial pages that are still under kubernetes.io 2) under tasks/access-application-cluster/service-access-application-cluster/
howto create secret from command with 3 data strings?
- either base64 each parameter and put in in yaml or 2. kubectl create secret generic db-secret-xxdf –from-literal=DB_Host=sql01 –from-literal=DB_User=root –from-literal=DB_Password=password123
howto label deployment?
kubectl label deployment my-deployment unhealthy=true
what do u do if u need to configure pod to run as root user?
root is the default user, no action needed!
how do u restart a pod?
A pod is the smallest unit in Kubernetes (K8S). They should run until they are replaced by a new deployment. Because of this, there is no way to restart a pod, instead, it should be replaced.
There is no kubectl restart [podname] command for use with K8S (with Docker you can use docker restart [container_id] ), so there are a few different ways to achieve a pod ‘restart’ with kubectl
Are you familiar with all of these shortcuts?
rs,deploy,svc,ns,netpol,pvc,sa
netpol = network policy, sa = service account
- how do u replace multiple lines in VIM? how do u indent multiple lines?
- kom ihåg procent tecken :%s/foo/bar/g
- 5jj (5 för antal rader , j och sen j igen tror jag)
difference readinessprobe and livenessProbe? example how it look like?
livenessProbe:
exec:
command:
- cat
- /tmp/healthy
how do you permanently save the namespace for all subsequent kubectl commands in that context?
kubectl config set-context –current –namespace=ggckad-s2
How do you quickly see if a pod have some volumemounts?
k exec pod1 – ls /etc/birke
When the exam say to create container from dockerfile, do they mean k8s or docker/podman container?
apparently they mean a docker container!
Howto Tag the Docker/Podman image, which is currently tagged as pinger , also as local-registry:5000/pinger?
Howto also then push the image into the local registry?
podman tag pinger local-registry:5000/pinger
podman image ls
podman push local-registry:5000/pinger
What does maxSurge mean in the context of deployments? and how can it be measured?
maxSurge: The number of pods that can be created above the desired amount of pods during an update. This can be an absolute number or percentage of the replicas count. The default is 25%.
What did i forget when trying to use your own CRD?
1) You create yaml by yourself, not template generator!
2) The mandatory first 5 lines start according to abbreviation “AKMnS”
3) !!! Most important cause i made it wrong!! The first A which is apiversion comes from CRD groupid/version, that is “apiVersion: beta.killercoda.com/v1” with or without citation!!!
Whats interesting about this?
controlplane $ k get shopping-items
NAME AGE
bananas 8m26s
shopping-items.beta.killercoda.com 10m
controlplane $ k delete bananas
error: the server doesn’t have a resource type “bananas”
controlplane $ k delete crd bananas
Error from server (NotFound): customresourcedefinitions.apiextensions.k8s.io “bananas” not found
controlplane $ k delete crd shopping-items.beta.killercoda.com
customresourcedefinition.apiextensions.k8s.io “shopping-items.beta.killercoda.com” deleted
Strange that i could not remove banas here!? Also it seems when i remove CRD, i remove the instance of it too!
if i need to search for helm chart “nginx-stable/nginx-ingress”, where can i search and where did i actually find it?
helm search hub - search for charts in the Artifact Hub or your own hub instance
helm search repo - search repositories for a keyword in charts
i found it in the repo! P.s. luckily i did not have to care about that when i just tried to install it by: helm install devserver nginx-stable/nginx-ingress -n team-yellow
Whats The key difference between Blue-Green and Canary rollouts in Kubernetes ?
The key difference between Blue-Green and Canary rollouts in Kubernetes lies in their approach to releasing new versions:
Blue-Green Rollout: This involves two identical environments: Blue (current production) and Green (new version). Once the Green environment is ready and tested, traffic is switched from Blue to Green. If issues arise, you can switch back to Blue. It’s a more straightforward approach with less risk and easier rollback, but requires double the resources.
Canary Rollout: This is a more gradual process where the new version (Canary) is slowly rolled out to a small subset of users. The new version’s performance and stability are monitored, and if no issues are detected, the rollout continues gradually until the canary version replaces the old version completely. This method allows for more detailed monitoring and reduces risk but can be more complex to manage.
When the questiono ask “Write the Api Group of Deployments into /root/group “ what do they mean? individual deploy property or a high level logical group for deploy?
The later! So the answer is “apps” , here is how u get it:
k explain deploy
This will show VERSION: apps/v1 .
The version is displayed as VERSION: {group}/{version}.
echo apps > /root/group
Obs! Dont make a mistake and look at individual deploys!
If the task is: “There is a FlowSchema file at /apps/flowschema.yaml which uses a deprecated Api version.
Update the file to use the non deprecated one.” How would u find out what to use?
Try to apply it and see kubectl say its not the latest one. Obs! It will suggest the latest one!!!
2 selfcheck questions for an exam question which goes: “Write all Admission Controller Plugins, which are enabled in the kube-apiserver manifest, into /root/admission-plugins .” 1) how to do it ? 2)what is it verifying actually
1) cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep admission-plugins 2) It verifies that i know they are mounted locally for me to use. Obs! ps aux | grep kube-apiserver shows it too.
obs! Dont get excited when you find this in documentation “kube-apiserver -h | grep enable-admission-plugins” because it gets u “admission plugins that SHOULD BE enabled in addition to default enabled ones”
how do you view all logs using a certain label?
kubectl logs -l app=elasticsearch
how do u spec a netpol so it allows port on a certain trafic? block, allow or just port spec?
just port spec:
egress:
- ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
How do u verify that u blocked access to a certain host?
These should work
k -n space1 exec app1-0 – nslookup killercoda.com
these should not work
k -n space1 exec app1-0 – curl -m 1 tester.default.svc.cluster.local
k -n space1 exec app1-0 – curl -m 1 killercoda.com
how do u use namespace selector by name? not labels but name!!!
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: space2
There was one qn ask was to creating cpu limit not beyond the NS QUOTA. but when I can’t find any quota on namespace
The q was in a comment under https://www.youtube.com/watch?v=h9-6K8v3wHM`
obs! chatgpt said no automatic way to make ns limits are not exceeeded by all pods, needs to be checked manually!
What is CPU resource units, the quantity expression 0.1 is equivalent to when expressed differently?
For CPU resource units, the quantity expression 0.1 is equivalent to the expression 100m, which can be read as “one hundred millicpu”.
how to canary deploy?
No magic! just 2 keys:
1) labels is the key which tie together old deploy, new deploy and service. just dont forget that in a deploy spec same label name is mentioned 3 times!
2) second is just to have right spec.replicas that correspond to the task, 2 (new) and 8(old) for 20/80 with max 10 replicas!
how to see labels attached to a namespace?
k get ns -A –show-labels
how to quickly see in which context you are?
k config get-contexts (look for star *)
or
k config current-context
What objects does not belong to namespace but entire thing?
PVs, StorageClass, CRD, clusterrole and clusterrolebinding, namespace and componentstatus are not bound to any ns.
whats the easiest way to get kubectl within namespace and context to do anything?
kubectl –context=<other-context-name> -n <other-namespace> <command></command></other-namespace></other-context-name>
when creating new deployment to fulfill canary deployment 80/20 of total 10 replicas, how many elements of deploy have label app: wonderful?
3: metadata.label, spec.selector.matchLabels, spec.template.metadata
p.s. for seamless transition between green and blue deployment you can use labels. And service allows seamless transitions when applied. Thats what chatgpt says:
Apply the updated Service configuration using kubectl apply -f <service-file>.yaml. Kubernetes Services are designed to provide a seamless transition of traffic from one set of Pods to another when the selector labels are updated, allowing for zero downtime.</service-file>
When setting the context, i need to have 4 params of which 2 are probably the same as in other contexts and 2 are probably new. what are they?
kubectl config set-context dev –namespace=development \
–cluster=lithe-cocoa-92103_kubernetes \
–user=lithe-cocoa-92103_kubernetes
obs! ingen förkortning på namespace!!!
And then kubectl config use-context dev
where are manifest files located?
/etc/kubernetes/manifests/. Remember E.K.M like ekg but M in the end.
whats a container hostname from within the cluster?
podName.nsName.svc.cluster.local
What are PV mount options?
Retain - meaning the PV, until deleted, is kept alive.
Recycle - meaning the data can be restored later after getting scrubbed.
Delete - associated storage assets (such as AWS EBS, GCE PD, Azure Disk, and OpenStack Cinder volumes) are deleted.
Name one way to troubleshoot fluentd logging?
Check the queued log messages
You can check the buffer directory if Fluent Bit is configured to buffer queued log messages to disk instead of in memory. (You can configure it through the InputTail fluentbit config, by setting the storage.type field to filesystem.)
kubectl exec -it logging-demo-fluentbit-9dpzg ls /buffers
Ref: https://kube-logging.dev/docs/operation/troubleshooting/fluentbit/
What does it mean if, in deployment spec, under spec: i have the following:
tolerations:
- effect: NoSchedule
operator: Exists
it seems like it means no schedule unless there is a matching toleration!
howto get the name of the serviceaccount your pod is using?
kubectl get pods/<podname> -o yaml
In the output, you see a field spec.serviceAccountName. Kubernetes automatically sets that value if you don't specify it when you create a Pod.
Obs! This is about how an application running inside a Pod can access the Kubernetes API!</podname>
What does it mean if a task require “Set the security context for a Pod”
It seems its this part:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
Obs! it can be set both on pod and container level!
What are all the bookmarks pointing to?
“kubectl commands” generated, tasks, reference, concepts, tutorials, helm.sh
how do i found out if a node have taints?
k get nodes controlplane -o json| grep -i10 taints
why would a pod be scheduled on a node despite the taint?
A pod might be scheduled on a node with a taint for several reasons, despite the general expectation that taints should prevent pods from being scheduled unless they tolerate the taint. Here are some common scenarios:
Tolerations: The most likely reason is that the pod has a toleration that matches the taint on node01. Tolerations allow pods to schedule onto nodes with matching taints. If a pod’s toleration key, value, and effect match those of a taint on a node, the scheduler allows the pod to be placed on that node.
Taint Effect: The effect of the taint on the node may allow the scheduling of the pod under certain conditions. For example, a taint with the PreferNoSchedule effect might not strictly prevent all pods from being scheduled on the node; instead, it will try to avoid placing pods on the node but isn’t guaranteed to prevent it.
DaemonSets: Pods created by DaemonSets are scheduled on all nodes that match the DaemonSet’s node selector, ignoring most taints by default. This is because DaemonSets often represent system-level functions that need to run on all nodes.
Critical System Pods: Some critical system pods might be scheduled on any node regardless of taints to ensure the stability and functionality of the cluster. These could include pods related to Kubernetes system components like networking or DNS.
Changes to Taints or Tolerations: The taint on node01 might have been added after the pod was already scheduled and running on the node. Similarly, the tolerations for the pod might have been added or modified after the pod was created, allowing it to be scheduled on a tainted node.
Administrative Override: A cluster administrator can manually schedule a pod on a node regardless of taints, using specific commands or configurations that bypass the usual scheduling constraints.
If you are encountering a situation where pods are being scheduled on a node with a taint and it’s not clear why it’s important to review the pod’s tolerations, the taints on the node, and any administrative actions that might have affected scheduling decisions.
1.What does it mean to remove a taint? 2. whatsup with removing taint ?
1.Removing a taint from a node removes the restriction, allowing any pod (even those without a toleration for the taint) to be scheduled on the node.
2.its the same as adding, just a minus in the end
kubectl taint nodes controlplane node-role.kubernetes.io/control-plane:NoSchedule-
Can you label both pod and node? and if so how?
k label node node01 color=blue
how to find out what node consumes most cpu or mem?
k top node! P.s. similar as for pod k top pod.
how do you see the status of init container using describe pod command?
Its under init-containers/state! Its ABSOLUTELY NOT in the bottom where its says running and started even though those rows are about init container.
if a pod have a init container with these command, what does it say about the pods availability?
Command:
sh
-c
sleep 600
That the pod will be available after 10min: 60sek * 10
it does not make sense that if node taint condition match pod toleration with condition NoSchedule, its something positive?
Its because NoSchedule is basically abbreviation for NoScheduleUnlessTheAboveRuleMatch!
how to know if i should use podaffinity with labelSelector vs nodeAffinity with nodeSelectorTerms?
For starters the example actually specified NodeAffinity!
Whats the differences between node affinity and pod affinity?
When to Use Each
Use Case Affinity Type
Run pods on nodes with SSD storage Node Affinity
Co-locate frontend and backend pods Pod Affinity
Spread pods across availability zones Pod Anti-Affinity
how to get explanation for any structure?
kubectl explain deployment.spec.template.spec.affinity ; k explain deployment.spec.template.spec.affinity
whats topologyKey ?
topologyKey is the key of node labels. If two Nodes are labelled with this key and have identical values for that label, the scheduler treats both Nodes as being in the same topology. The scheduler tries to place a balanced number of Pods into each topology domain.
Whats the difference of applying nodeAffinity/podAffinity/podAntiAffinity on a pod vs deployment?
For pod its spec.affinity.nodeAffinity.reuiredDuring.. structure and for deployment its spec.template.spec.affinity.nodeAffinity.requiredDuring… structure
How do i find out How many DIFFERENT OBJECTS are in the prod environment including PODs, ReplicaSets and any other objects?
k get all –selector env=prod
p.s. selelctor seems like equal of label: -l env=prod
how do i Identify the POD which is part of the prod environment, the finance BU and of frontend tier?
i comma-separate the labels rather than putting -l in front of each one as in: k get pod -o wide -l tier=frontend,env=prod,bu=finance
whats the Relationship Between spec.selector.matchLabels and spec.template.metadata.labels ?
The labels defined in spec.template.metadata.labels must match the selector defined in spec.selector.matchLabels. This is how Kubernetes knows which Pods are managed by which Deployment (or other workload resources).
When a Deployment creates new Pods, it adds the labels from spec.template.metadata.labels to those Pods. The Deployment’s selector (spec.selector.matchLabels) must be able to match these labels, or else the Deployment will not recognize the Pods as its own.
This relationship ensures that the Deployment only manages the Pods that it’s supposed to manage, according to the labels and selectors you define.
Same goes for Replicaset, E.g.:
apiVersion: apps/v1
kind: ReplicaSet
metadata:
name: replicaset-1
spec:
replicas: 2
selector:
matchLabels:
tier: front-end
template:
metadata:
labels:
tier: front-end
spec:
containers:
- name: nginx
image: nginx
can you please explain why the these command produce errors when trying to apply generated yaml: k create job throw-dice-job –image=kodekloud/throw-dice –dry-run=server -o yaml > q2of9.yaml
Its due to the usage of –dry-run=server
Chatgpt: The errors you’re encountering when applying the YAML generated with –dry-run=server for a Kubernetes Job are related to the spec.selector and spec.template.metadata.labels fields. When you generate YAML with –dry-run=server, the Kubernetes server populates certain fields that are usually auto-generated during the actual creation of a resource. These fields include unique identifiers and selectors that are intended to be managed by Kubernetes itself and not specified manually.
what parameter do i need to mind on a JOB so it does not quit before it succede?
its spec.backoffLimit of a job yaml!
This is the indicator:
describe job | grep -i Succeeded
Pods Statuses: 0 Active (0 Ready) / 1 Succeeded / 0 Failed
What would you put in the JOB spec so it completes 3 times successfully out of randomly many required attempts?
spec:
completions: 3
backoffLimit: 25 # This is so the job does not quit before it succeeds.
How do you know how many endpoints exist for a given system
? i answered 1 because there were no Subsets and it was correct!
Obs! The exam tip: Run the command: kubectl describe service and look at the Endpoints
Endpoints is a collection of endpoints that implement the actual service. Example:
Name: “mysvc”,
Subsets: [
{
Addresses: [{“ip”: “10.10.1.1”}, {“ip”: “10.10.2.2”}],
Ports: [{“name”: “a”, “port”: 8675}, {“name”: “b”, “port”: 309}]
},
{
Addresses: [{“ip”: “10.10.3.3”}],
Ports: [{“name”: “a”, “port”: 93}, {“name”: “b”, “port”: 76}]
},
]
how do you know which type of traffic is the netpol affecting?
k describe netpol payroll-policy. There is a type there!
how do you create entirely different Egress rules for different pods?
You have multiple “- to” blocks. E.g.:
egress:
- to:
- podSelector:
matchLabels:
name: mysql
ports:
- protocol: TCP
port: 3306
- to:
Obs! ports under “-to” part is described by same explain as just “to” without leading dash!
how would you know which namespace is the Ingress Controller deployed in?
Actually, its not trivial. The answer was the namepace of the service deployment.apps/ingress-nginx-controller and not the namespace i see in when i run these: k get ingress -A
whats service port vs. targetport?
The primary distinction between port and targetPort is that port specifies the Service‘s listening port for incoming traffic. The targetPort field specifies the port number for routing traffic to the Service‘s pods.
when do i use rewrite-target in a new ingress instead of just adding mapping to an existing ingress?
It could be appropriate in several scenarios, particularly when you need to manage how URLs are rewritten and directed to your backend services in a way that’s distinct from the existing mappings. Here’s an example use case:
One of these applications, let’s call it AppX, is designed to handle requests under a specific path, say /appx/*. However, AppX is developed to expect requests that do not include the /appx prefix in the URI path.
Another reason maybe security, need for ssl termination.
Guess why this ingress i constructed myself from official doc did not work?
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: minimal-ingress
namespace: critical-space
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx-example
rules:
- http:
paths:
- path: /pay
pathType: Prefix
backend:
service:
name: pay-service
port:
number: 8282
IngressClassName should not be there at all! P.s. i guess in that case default one is used.
p.s. wrong namespace was the thirst error.
how do you delete label from service?
The same minus in the end!:
kubectl label service my-service app-
what comes to mind when creating ingress for existing two servicec on the exam?
Ingress resource comes under the namespace scoped, so don’t forget to create the ingress in the same namespace as the services this is applied to!
p.s. ports of the services is not what you see on the surface by: get svc - o wide but inside the decription
what can be done instead of deleting a pod when you added a volume but forgot to add it under container?
i can use the force flag.
p.s. replace instead of apply and then –force flag, but apply actually also worked but only with –force flag
Sometimes its not straightforward to find example definitions for some objects, e.g. pvc. Whats a more straighforward way to search for it?
“kind: PersistentVolumeClaim”
why was the pvc not bound but pending in kodecloud lab?
its because the access mode was a mismatch with the pv.
p.s. i created PV first and PVC second
Whats interesting about capacity when the PV was just claimed and bound and PV was 100Mi and PVC was 50Mi ?
Checking capactiy under k get pvc showed 100!!!
Det finns 2 fel med CronJob i lightning-lab-2-2/
1) completions,backoffLimit,activeDeadlineSeconds skulle sitta på spec.jobTemplate.spec och inte på spec 2) restartPolicy: Never
when you want to expose a deployment as a service, how do you do that when the deployment is in different namespace?
k -n yourNS expose deploy europe –port 80
Obs! k expose deploy -h does not saying anything about namespace, so its important to remember its kubectl itself that have that parameter!
What do you derive out of a CKAD saying following:
There are two existing Deployments in Namespace world which should be made accessible via an Ingress.
First: create ClusterIP Services for both Deployments for port 80 . The Services should have the same name as the Deployments.
- you should run expose command
- ingress does not exist and dont even need to exist?????
- BOTTOMLINE: you should run the following for each:
k -n world expose deploy europe –port 80
see first exercise here: https://killercoda.com/nginx-ingress/scenario/ingress-create
what would be one thing i can easily mess up when creating ingress? Based on excercise nr 2 here https://killercoda.com/nginx-ingress/scenario/ingress-create
These part:
spec:
ingressClassName: nginx
rules:
- host: “world.universe.mine”
Tips1: ingress class name can be looked up like: get ingressclasses
Tips2: host comes w/o port and in these case reflected in /etc/hosts
Nämn alla ställen att kolla på vid api server crash enligt https://killercoda.com/killer-shell-cka/scenario/apiserver-crash
/var/log/pods
/var/log/containers
crictl ps + crictl logs
docker ps + docker logs (in case when Docker is used)
kubelet logs: /var/log/syslog or journalctl
kubernetes manifest location
/etc/kubernetes/manifests
how to check logs for all containers in the same deployment?
kubectl logs –all-containers deploy/collect-data
are these equivalent? is these configs separated by — not equivalent?
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: space2
—
egress:
- to:
- namespaceSelector:
matchExpressions:
- key: namespace
operator: In
values: [“space2”]
First matches namespaces that have a label with the exact key-value pair.
Second matchExpressions:
Matches namespaces based on more complex conditions, using a logical expression.
key: namespace: Matches namespaces that have the label key namespace.
operator: In: Matches if the label’s value is in the list of values.
values: [“space2”]: The specific value to match.
howto find answer to that error :
k apply -f /apps/flowschema.yaml –dry-run=client
error: resource mapping not found for name: “health-for-strangers” namespace: “” from “/apps/flowschema.yaml”: no matches for kind “FlowSchema” in version “flowcontrol.apiserver.k8s.io/v1beta2”
kubectl api-versions | grep flow
how do i find admission control plugin names?
cat /etc/kubernetes/manifests/kube-apiserver.yaml OR ELSE ps aux | grep kube-apiserver
1.how do i disable an admission controller plugin? 2. and why would i do that?
1.Although it does not exist per default i add it in the same /etc/kubernetes/manifests/kube-apiserver.yaml
2. I do it because i am crazy and want to delete default namespace
whats tricky for my mind in these way to select namespace?:
namespaceSelector:
matchExpressions:
- key: namespace
operator: In
values: [“space2”]
i assume its about name of the namespace while, according to chatgpt, it matches namespaces where the LABEL NAMESPACE exists and its value is space2. !!! What???
Facit alt1: that key would have worked: kubernetes.io/metadata.name
Facit alt2: - namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: space2
where would you look for static pod config?
Short answer: typically here /var/lib/kubelet/config.yaml
Long and not entirely covering answere is here: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
how many cluster or noncluster role bindings do i need if i have 2 serviceaccounts and 1 role?
for clusterrolebinding it seems its 1 and for normal rolebinings its either that or, even more weird,i can create 2 bindings with the same name
why am i still not seeing nodes from the newly joined node althoug i do see it from controlplane and the ask is approved: https://killercoda.com/killer-shell-cka/scenario/cluster-node-join
N/A
how do i know which version of kubeadm is available to upgrade to?
apt-cache madison kubectl or kubeadm or kubelet
what was the very last command in the cluster upgrade procedure? https://killercoda.com/killer-shell-cka/scenario/cluster-upgrade
service kubelet restart
when do i use “kubeadm upgrade node” ?
The kubeadm upgrade node command is used during the process of upgrading Kubernetes worker nodes after the control plane has been upgraded. This step ensures that the worker node components, such as the kubelet and kube-proxy, are updated to match the version of the control plane.
whats interesting about kubeadm upgrade node vs kubeadm upgrade plan on the worker node?
The plan gave error while node seem to have done its job
name all the places to look for when troubleshooting https://killercoda.com/killer-shell-cka/scenario/apiserver-misconfigured
/var/log/pods
/var/log/containers
crictl ps + crictl logs
docker ps + docker logs (in case when Docker is used)
kubelet logs: /var/log/syslog or journalctl
whats complex but i have all the chances to get good at ?
https://killercoda.com/killer-shell-cka/scenario/apiserver-misconfigured
apiservice is not coming up. what service you might have to restart or conf file you might have to check?
either a)move the kube-apiserver.yaml out of the manifests directory and then back again OR b) service kubelet restart
what other file can contain invalid param and stop kubelet from starting and so a node is not ready?
vim /var/lib/kubelet/kubeadm-flags.env .
obs! Dont forget: service kubelet restart;
service kubelet status.
P.s. journalctl or grep kubelet /var/log/syslog should tell you whats not working!
whats the easiest way to find out which port is my etcd is actually running on ?
ps aux | grep etcd. and look for listen-client-urls
what parameter is not available but could be when creating clusterrolebindings?
namespace. its only about connecting sa and cluster role or role; k create clusterrolebinding pipeline-view –clusterrole view –serviceaccount ns1:pipeline –serviceaccount ns2:pipeline
“k get ds -A” did not show restored datastore in https://killercoda.com/chadmcrowell/course/cka/kubernetes-backup-etcd untill i did what?
kubectl -n kube-system rollout restart daemonset/kube-proxy
how do you list linux system services in https://killercoda.com/chadmcrowourse/cka/linux-services
sudo systemctl list-unit-files –type service –all | grep kube > services.csv
how do you see kubelet service status
sudo systemctl status kubelet.service (or without .service in the end)
1) how do i list all kubernetes api resources and 2) how did i find out that command
1)kubectl api-resources > resources.csv 2)k get -h| grep -i api
how do i list taints applied to a node?
k describe no controlplane| grep -i taint
Obs! but i should use jsonpath instead!
Given this is a node taint: dedicated=special-user:NoSchedule and the task is “ Apply the correct toleration to this pod manifest in order for it to successfully get scheduled to node01.”, what should the pod yaml addition be like?
tolerations:
- key: “dedicated”
value: “special-user”
effect: “NoSchedule”
weight is used when in the context of affinity?
when its prefered…
a) what are 2 ways to get busybox pod to print out logs to stdout and b) whats similar for both
b) similar is both put logs logic in args but syntax is different
a1) args: [/bin/sh, -c, ‘while true; do echo $(date); sleep 1; done’]
a2) - args:
- -c
- while true; do echo $(date); sleep 1; done
whats a “while true” command to log something to output using kubectl?
k run pod-logging –image=busybox –dry-run=client -o yaml – /bin/sh -c ‘while true; do echo $(date); sleep 1; done’
what do you do to add empty dir volume mount in pod defintion?
volumeMounts for each container having same name as in volumes, that is varlog:
- name: varlog
emptyDir: {}
what would kubectl command to create an Ingress resource that will allow you to resolve the domain name hello.com to the service named apache-svc over port 80 look like?
kubectl create ingress minimal-ingress \
–class=nginx \
–rule=”hello.com/=apache-svc:80” \
–annotation nginx.ingress.kubernetes.io/rewrite-target=/
What would be the command for these task and whats strange about the solution vs task?: Create a pod named redis-pod that uses the image redis:7 and exposes port 6379 . Use the command redis-server /redis-master/redis.conf to store redis configuration data and store this in an emptyDir volume.
k run redis-pod –image=redis:7 –port 6379 –command ‘redis-server’ ‘/redis-master/redis.conf’ –dry-run=client -o yaml > redis-pod.yaml
Whats strange is that emptydir thing is not visible at all, i mean emptydir volume is still a volume.
what do they mean in the context of ingress description when they say “ssl-redirect” should be configured as false”.
They mean nginx.ingress.kubernetes.io/ssl-redirect: “false” just like it could be nginx.ingress.kubernetes.io/rewrite-target: /
whats peculiar about retrieving ingress class name?
The command is: kubectl get ingressclass. But k get -h| grep -i ingress does not show anything
What did i forget when crafting command for task: “Verify your ability to perform DNS lookups(use name: test-nslookup ) for the service name from within the cluster using the busybox:1.28 image”
–restart Never
controlplanel node is not ready. how did u fix it here? https://killercoda.com/sachin/course/CKA/etcd-backup-issue
systemctl status kubelet.service
systemctl start kubelet.service
P.s. when i viewed logs by: k -n kube-system logs etcd-controlplane
I saw:
..Jan 25 10:44:49 controlplane systemd[1]: Stopping kubelet: The Kubernetes Node Agent…
Jan 25 10:44:49 controlplane systemd[1]: kubelet.service: Succeeded.
when you are asked “Use port forwarding to service to access..” so you can curl curl http://localhost:8080. How do u fix port forwarding?
kubectl port-forward service/nginx-service 8080:80
P.s. lookup when/how sachin H R (70+ CKA questions on killerkoda) using port forwarding using his google drive answeres: https://drive.google.com/drive/folders/1V7GEsQ64Vhgo92HmQ5inb4bIwtnbBpn6
so how does command to only do nslookup and redirect output to file look like
k run xyz –image busybox -it –rm –restart Never – /bin/sh -c “nslookup kubernetes.default” > out.txt
Whats the quickest way to create replicaset?
create deployment and replace deployment with replicaset, remove strategy, and if desired put command: [“whatever”] under container image.
whats interesting about kubectl port-forward ?
it can be used as a test. “kubectl port-forward service/cka-service 8080:80” is stuck https://killercoda.com/sachin/course/CKA/cronjob-issue
what hasnt goten into my head about ingress route port untill after CKAD attempts and 1 CKA attempt and 1 day after?
That i need to Check the NodePort Service for the Nginx Ingress Controller to see the ports. And use target port there. That is curl will use 30080 but i would not be defining that port if ingress controller exist.
service/ingress-nginx-controller NodePort 10.103.245.223 <none> 80:30080/TCP,443:30443/TCP 32m</none>
How do you make sure that a busybox container not just execute command and stops, making the pod as NotReady or 1/2 containere pod running if its multicontainer pod?
you add “& tail -f /dev/null” in the command or args part which ever is the even of your command instruction.
what made it difficult for me to troubleshoot https://killercoda.com/sachin/course/CKA/pod-issue-2
i thought that not setting storageclass and relying on default be fine but its not!
kubelet service not running in controlplane , it will cause the controlplane in NotReady state. Whats your top 2 vectors to troubleshoot?
- systemctl status/start kubelet
- Check journalctl. E.g.
failed to get kubelet configuration from config file Check if /var/lib/kubelet/config.yaml exists and is correctly formatted.
failed to create kubelet: no API server Ensure the API server is running and Kubelet can connect to it.
TLS certificate expired Renew Kubelet certificates using kubeadm certs renew.
container runtime not running Restart the container runtime (containerd or dockerd).
https://killercoda.com/sachin/course/CKA/sc-pv-pvc-pod took 2 hours. what did it teach me?
- that pvc not necessary have to refer to pv
- u dont necessary have to have Filesystem on both to get it bound together.
- search for volume claim to also get results from docs/tasks and not only docs/concepts
- hostPath is sort of opposite of dynamic.
how do u make sure that your PV gets tied to a certain node?
PV get “nodeAffinity” which does not have “affinity” as parent node and does not have requiredDuring as child node but just required. P.s. dont forget “k explain pv.spec”.
which one exist? “k explain pv.spec.selector” or “k explain pvc.spec.selector”
The later, the longer. P.S Claims can specify a label selector to further filter the set of volumes
what was https://killercoda.com/sachin/course/CKA/kubectl-issue
wrong port in vim ~/.kube/config
why could i not fix this sc,pv,pvc binding issue having, among others, these description: “The volume should be bound to blue-pv-cka “ https://killercoda.com/sachin/course/CKA/sc-pv-pvc
Because untill now i thought that when the pod is not in the picture i basically have to use claimRef on PV pointing to PVC or it somehow magically recognise each other. Now i know PVC can point out PV by volumeName.
what does this error mean: “Defaulted container “nginx-container” out of: nginx-container, init-container (init)” when indentify issue behind pod error: nginx-deployment-74dbdb77f8-2d69b 0/1 Init:CrashLoopBackOff
it suggests that the init container (init-container) is failing, causing the main container (nginx-container) not to start. The busybox command was missing first 2 of 3 command lines, correct syntax is:
- command:
- /bin/sh
- -c
- echo ‘Welcome To KillerCoda!’
how do u refer to env vars from e.g. command args?
like $(YOUR_ENV_VAR)
when looking for node syntax and not finding what should you look for instead?
see if it has children first. e.g. rollingUpdate had children like maxSurge which i did not realise.
whats to think about deployment labels?
That if you are asked to use a certain label and you are doing it manually, its multiple places to set correctly in the spec!
how does a command to test connectivity look like and whats special about that mode of execution?
- k run curltest3 –image busybox –rm -it – /bin/sh -c “wget http://192.168.1.5”
- i cant do dry-run on that
I needed to “Create an Ingress resource that will allow you to resolve the domain name hello.com to the service named apache-svc over port 80 .” What did i miss trying to?https://killercoda.com/nashwan/course/cka/create-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
what 2 mistakes did i do here wrong again one day before exam? https://killercoda.com/killer-shell-cka/scenario/ingress-create
1) ingress is namespace scoped too and so it can not specify namespace when defining backend service
2) i forgot to lookup ingress class and use it
what did i do wrong when defining readiness and liveliness probe here https://killercoda.com/het-tanis/course/Kubernetes-Labs/CKA-Troubleshooting2
used tcpSocket as the basis instead of httpGet
how do i get svc endpoint
kubectl get endpoints <service-name> -n <namespace></namespace></service-name>
when the pod was missing secret, where did i see it
state:
waiting:
message: secret “postgres-db-secret” not found
reason: CreateContainerConfigError
Hur testar man ingress?
Det är faktiskt knepigt om inte man har en host att speca eller det inte finns ingress controller etc…
when they say “upgrade kubelet” on controlplane, how do u see it?
“k get no”. should show new version for your node, e.g. controlpanel
what did i miss when upgrading kubelet 20250211
Part of step 6 which has with apt-mark to do although it seems like it did not matter in the end. And part 7!!!
Step 6: Upgrade the kubelet and kubectl:
apt-mark unhold kubelet kubectl && \
apt-get update && apt-get install -y kubelet=1.27.2-00
kubectl=1.27.2-00 && \
apt-mark hold kubelet kubectl
Step 7: Restart the kubelet:
sudo systemctl daemon-reload
sudo systemctl restart kubelet
