Configuration

Question 1

What is the ENTRYPOINT statement of a Dockerfile?

Answer 1

Defines the command that is run at startup of the container

Question 2

What is the CMD statement of a Dockerfile

Answer 2

an array of parameters that are passed to the container as arguments at startup

Question 3

What Dockerfile statement is equivalent to spec.containers[].command of a kubernetes Pod specification

Answer 3

spec.containers[].command is equivalent to the ENTRYPOINT statement in a Dockerfile

Question 4

What Dockerfile statement is equivalent to spec.containers[].args of a kubernetes Pod specification

Answer 4

spec.containers[].args is equivalent to the CMD statement in a Dockerfile

Question 5

In Pod spec.containers[], what parameter sets the environment variables

Answer 5

spec.containers[].env is an array of name-value objects, e.g.:

spec: containers: - env: - name: FOO value: bar

Question 6

What are three different ways of setting environment variables for a container in kubernetes

Answer 6

1. spec.containers[].env property of Pod (or pod template in replicaset or deployment)
2. configmap
3. secrets

Question 7

How to reference a single environment variable value from a configmap in a Pod definition file

Answer 7

spec: containers: - env: - name: FOO valueFrom: configMapKeyRef: name: config-map-name key: config-map-key-name

Question 8

How to reference an environment variable value from a secret within a Pod definition file

(e.g. a secret key with name my-secret)

Answer 8

spec: containers: - env: - name: FOO valueFrom: secretKeyRef: my-secret

Question 9

How to reference an entire configmap as environment variables in a Pod definition file

Answer 9

spec: containers: - envFrom: - configMapRef: name: config-map-name

Question 10

What is the apiVersion of a configmap?

Answer 10

v1

Question 11

In a ConfigMap definition, how is a key created?

(e.g. a config map of name my-configmap including a key with name foo and valuebar)

Answer 11

apiVersion: v1 kind: ConfigMap metadata: name: my-configmapdata: foo: bar

Question 12

What is the imperative command for getting a list of ConfigMaps

Answer 12

kubectl get cm

Question 13

What is the imperative command for viewing the contents of a ConfigMap cm1

Answer 13

kubectl describe cm cm1

Question 14

What is the imperative command for viewing the contents of all ConfigMaps

Answer 14

kubectl describe cm

Question 15

What is the purpose of a ConfigMap?

Answer 15

A ConfigMap is an API object used to store non-confidential data in key-value pairs.

Question 16

What is the purpose of Secrets

Answer 16

Kubernetes Secrets let you store and manage sensitive information

Question 17

What is the apiVersion of a Secret

Answer 17

v1

Question 18

In a Secret specification, what are the four top-level keys?

Answer 18

apiVersion: v1kind: Secretmetadata: {}data: {}

Question 19

What is the imperative command for creating a secret named FOO with sensitive data BAR

Answer 19

kubectl create secret mysecret1 --from-literal=FOO=$(echo BAR | base64)

Question 20

How to encode a value BAR into a kubernetes secret

Answer 20

echo BAR | base64

Question 21

How to decode a kubernetes secret

Answer 21

echo QkFSCg== | base64 -d

Question 22

How to reference all values within a secret as environment variables within a Pod definition file

Answer 22

spec: containers: - envFrom: - secretRef: name: secret-name

Question 23

In a Pod specification, spec.containers[], how do you run the container as user 1000?

Answer 23

spec: containers: - securityContext: runAsUser: 1000

Question 24

In a Pod specification, spec.containers[], how do you give user 1000 MAC_ADMIN capabilities?

Answer 24

spec: containers: - securityContext: runAsUser: 1000 capabilities: add: ["MAC_ADMIN"]

Question 25

What is the purpose of a ServiceAccount?

Answer 25

A service account provides an identity for processes that run in a Pod. Processes in containers inside pods can contact the apiserver. When they do, they are authenticated as a particular Service Account.

Question 26

What is the apiVersion of ServiceAccount?

Answer 26

v1

Question 27

What is the imperative command for creating a ServiceAccount named sa1?

Answer 27

`kubectl create sa sa1`

Question 28

What is the imperative command for listing all ServiceAccounts?

Answer 28

`kubectl get sa`

Question 29

When a ServiceAccount is created, what happens and how is it connected to a pod

Answer 29

A ServiceAccount creates a Secret, which stores a token which can be used to access the ApiServer. The token is available to pods by mounting the secret as a volume.

Question 30

In a pod specification, how do we define we should use the sa1 ServiceAccount?

Answer 30

`spec: containers: [] serviceAccount: sa1`

Question 31

If a ServiceAccount is not specified in a pod (or pod template), what happens?

Answer 31

The default serviceAccount is mounted.

Question 32

How can you prevent the default ServiceAccount from being mounted to a pod?

Answer 32

`spec: automountServiceAccountToken: false`

Question 33

What is the default minimum resource request for a Pod assumed by Kubernetes?

Answer 33

0.5 CPU 256Mi memory

Question 34

In Pod definition file how do you request a minimum of 1Gi memory and 1 CPU?

Answer 34

`spec: containers: - resources: requests: memory: "1Gi" cpu: 1`

Question 35

What is the lowest value of CPU that can be requested for a Pod?

Answer 35

0.1 CPU. (= 100m CPU)

Question 36

What is 1 CPU equivalent to in AWS?

Answer 36

1 AWS vCPU

Question 37

In Pod definition, how do you request a limit of 2Gi memory and 2CPU?

Answer 37

`spec: containers: - resources: limits: memory: "2Gi" cpu: 2`

Question 38

What happens if a pod uses more CPU than its limit?

Answer 38

It is throttled

Question 39

What happens if a pod uses more memory than its limit?

Answer 39

It can temporarily use more memory, but if it is persistently using more memory then it is terminated

Question 40

On what kubernetes entity are taints applied?

Answer 40

Nodes

Question 41

On what kubernetes entity are tolerations applied?

Answer 41

Pods

Question 42

What is the imperative command to apply a taint?

Answer 42

`kubectl taint nodes node-name key=value:taint-effect`

Question 43

What are the different types of taint effect?

Answer 43

* NoSchedule * PreferNoSchedule * NoExecute

Question 44

How do NoSchedule and NoExecute taints differ?

Answer 44

NoSchedule prevents new pods being scheduled and run on a node, but does not effect existing ones. NoExecute will also apply NoSchedule and will evict existing pods which cannot tolerate the taint.

Question 45

In the Pod definition, how are tolerations applied? (e.g. for taint foo=bar with taint effect NoSchedule)

Answer 45

`spec: tolerations: - key: "foo" operator: "Equal" value: "bar" effect: "NoSchedule"` NB. All values have to be quoted

Question 46

What taint is present on the master node which prevents Pods being scheduled there?

Answer 46

`node-role.kubernetes.io/master:NoSchedule`

Question 47

In the Pod definition file, how are Pods limited to only run on a particular node given a single label?

Answer 47

`spec: nodeSelector: node-label-key: node-label-value`

Question 48

What is the imperative command to label a node? (e.g. node-name with key foo and value bar)

Answer 48

`kubectl label nodes node-name foo=bar`

Question 49

What are the limitations of nodeSelector?

Answer 49

Only matches a single label and value, cannot match complex matching rules (e.g. OR, or NOT)

Question 50

In the Pod definition, create an affinity for nodes with label foo=bar

Answer 50

`spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: foo operator: In values: - bar`

Question 51

In the Pod definition, create an affinity for nodes with label foo=bar OR foo=buzz

Answer 51

`spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: foo operator: In values: - bar - buzz`

Question 52

In the Pod definition, create an anti-affinity for nodes with label foo=bar

Answer 52

`spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: foo operator: NotIn values: - bar`

Question 53

In the Pod definition, create an affinity for any node labelled with a key of foo and any value

Answer 53

`spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: foo operator: Exists`

Question 54

What are the two current types of node affinities?

Answer 54

* requiredDuringSchedulingIgnoredDuringExecution * preferredDuringSchedulingIgnoredDuringExecution

Question 55

What is the planned type of node affinity?

Answer 55

requiredDuringSchedulingRequiredDuringExecution

Question 56

How are taints, tolerations, and affinity used together?

Answer 56

taints prevent non-tolerant pods being scheduled on a node, but they do not guarantee that a tolerant pod will be scheduled on the node. affinity ensures that a pod will be scheduled on a matching node, but does not guarantee that other pods will not also be scheduled on that node. Together, affinity ensures a pod is scheduled on a matching node and taints ensure non-tolerant pods are not scheduled on that pod.

Question 57

In the Pod definition, how do you run a shell script? e.g. run `while true; do echo hello; sleep 10;done`

Answer 57

`spec: containers: - command: - "/bin/sh" args: - "-c" - "while true; do echo hello; sleep 10;done"`

Question 58

What is the imperative command for creating a resourcequota? | (e.g. CPU of 1, memory of 1Gi, and 2 pods)

Answer 58

`kubectl create quota myrq --hard=cpu=1,memory=1G,pods=2`