k8s Basics

Question 1

Namespaces

Answer 1

Namespace is kind of a virtual cluster where u can deploy your objects.

By default kubectl interacts with “default” namespace

To reference objects in other namespaces
Use : kubectl –namespace=mystuff

To list objects in all namespaces
Ex:_ kubectl get pods –all-namespaces

Question 2

How to change to another namespace ?

Answer 2

We need to use a context.
it gets recorded in configuration file /.kube/config

$kubectl config set-context my-context –namespace=mystuff

After this to use the newly created context
$ kubectl config use-context my-context

Note: contexts can also be used to manage different clusters , users with set-context

Question 3

Get detailed information on a kubernetes object

Answer 3

$ kubectl describe

Ex.

$kubectl describe pod nginx

Question 4

Create update and destroy k8s objects

Answer 4

Create k8s object
$ kubectl apply -f obj.yaml

To print the object to console
$kubectl apply -f object.yaml –dry-run

To a YAML file
$kubectl apply -f object.yaml –dry-run -o yaml > object.yaml

Interactive edits instead of editing file
$ kubectl edit

View last applied configuration
$kubectl apply -f object.yaml view-last-applied

Delete object
$ kubectl delete -f object.yaml

Question 5

extract a pod definition into YAML

pod : webserver

Answer 5

$ kubectl get po webserver -o yaml > pod.yaml

$ vi pod.yaml [edit what u want here , delete the webserver POD , then create new POD using kubectl create -f pod.yaml ]

Question 6

edit a deployment

deployment name : webapp-deploy

Answer 6

you do not need to necessarily delete a deployment to edit it

$ kubectl edit deploy webapp-deploy

Question 7

imperative commands use:

Deploy a redis pod using the redis:alpine image with the labels set to tier=db.

Answer 7

$ kubectl run redis –image=redis:alpine -l tier=db

Question 8

Create a new pod called custom-nginx using the nginx image and expose it on container port 8080

Answer 8

$ kubectl run custom-nginx –image=nginx –port=8080

Question 9

Create a new namespace called dev-ns

Answer 9

$ kubectl create namespace dev-ns
or
$ kubectl create ns dev-ns

Question 10

Create a new deployment called redis-deploy in the dev-ns namespace with the redis image. It should have 2 replicas.

Answer 10

$ kubectl create deploy redis-deploy -n dev-ns –image=redis –replicas=2

Question 11

Create a pod called httpd using the image httpd:alpine in the default namespace. Next, create a service of type ClusterIP by the same name (httpd). The target port for the service should be 80.

Answer 11

$ kubectl run po http –image=httpd:alpine

$ kubectl expose po httpd –port=80

Question 12

How to check how many Namespaces exist on the system?

Answer 12

$ kubectl get namespace –no-headers | wc -l

Question 13

1. check pods in a namespace ‘love’
2. create pod in namespace ‘love’
   image: redis
   name: redis-pod

Answer 13

1.
$ kubectl get po -n love

2.
$ k run redis-pod –images=redis -n love

Question 14

how to find a POD using POD name in which namespace it exists ?

Answer 14

$ kubectl get po –all-namespaces

Question 15

how to access a service ex: db-service if it exists in same namespace and also suppose it exists in different namespace say namespace=dev

Answer 15

1. If db-service exists in same namespace
   you can access it using the service name itself
   here db-service
2. If db-service exists in another namespace
   you need to provide the FQDN(fully-qualified domain name ) of the namespace it exists

db-service.dev.svc.cluster.local

Question 16

In dockerfile , how do you specify commands and arguments

Answer 16

CMD [“sleep” , “5”]
the first argument should be an executable
like sleep , kubectl etc…

Question 17

what is ENTRYPOINT instruction in Dockerfile

Answer 17

it is a command which makes u to run an executable/job etc.. at the start of a container

example :
image name: ubuntu
Dockerfile:

…
ENTRYPOINT [“sleep”]

container : ubuntu-sleeper

we can run docker run ubuntu-sleeper 10
and it will take command as sleep 10

Question 18

how to override entrypoint command at docker startup

Answer 18

$ docker run –entrypoint=<> <> <>

Question 19

how do you give args in mainifest files in k8s?

Answer 19

let’s say a POD def file

pod.yaml

apiVersion: v1
kind:Pod
metadata:
  name:ubuntu-sleeper
spec:
  containers:
     - name: ubuntu-sleeper
        image: ubuntu-sleeper
        args: ["10"]

above will add the arg to the command in DOckerfile let’s say ENTRYPOINT [“sleep”]

then the command totally becomes sleep 10

but if you want to override the ENTRYPOINT itself in Dockerfile

utilize commands field

...
spec:
  containers:
     - name: ubuntu-sleeper
        image: ubuntu-sleeper
        command: ["sleep2.0"]
        args: ["10"]

…

so args field in yaml overrides CMD in docker file and
command field in yaml overrides ENTRYPOINT field in Dockerfile

Question 20

can we edit the running pod and deployment ?

Answer 20

for POD , only a few instructions can be changed
other than that , put your pod into a manifest if not present
delete the previous pod and create a new one using the new YAML manifest

for deployment , we can edit as PODs will be re-checked and changed to desired state if they are not

$kubectl edit deploy webapp-deploy

Question 21

how to check what command is used in a POD

Answer 21

$ kubectl describe po pod_name

go to Command: field and check for it

Question 22

how to set environment variables in manifest file of POD

Answer 22

pod. yaml
- –

...
spec:
  containers:
  - name: webapp-container
    image: webapp
    ports:
      - containerPort: 8080
    env:
      - name: DB_HOST    #namewillAvailable to be used
        value: postgres

Question 23

what are different types of environment variables we can set

Answer 23

1. plain key-value
  ...
    env: 
      - name: DB_PASSWORD
        value: YPO4reh=

2. configMap
    ...
    env: 
      - name: DB_PASSWORD
        valueFrom: 
             configMapKeyRef: 

3.  secrets
    ...
    env: 
      - name: DB_PASSWORD
        valueFrom: 
             secretMapKeyRef:

Question 24

create a configmap imperatively

Answer 24

we can add as many –from-literal
$ kubectl create configmap app-config –from-literal=DB_HOST=postgres /
–from-literal=ENV=e1

or we can use a .properties file and load it into configmap

app.properties
____________
DB_HOST=postgres
ENV=e1

$kubectl create configmap app-config –from-file=app.properties

Question 25

create configmap declaratively

Answer 25

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DB_HOST: postgres
  ENV: e1

note: data instead of spec
name your configmaps appropriately

Question 26

create secrets imperatively

Answer 26

$ kubectl create secret generic –from-literal=password= –from-literal=DB_HOST=mysql

or use a file

$ kubectl create secret generic –from-file=app_secrets.properties

Question 27

create secrets declaratively

Answer 27

apiVersion: v1
kind: Secret
metadata:
name: app-secret
data:
DB_HOST: YWRtaW4=
ENV: YWRtaW4=
password: YWRtaW4=

note: hashed values are present above
to get hashed value on linux =>
encode : echo -n “admin” | base64
decode: echo -n “YWRtaW4=” | base64 –decode

...
3 ways :-
1. 
spec:
  containers:
  - name: webapp
    image: redis
    ports:
    - containerports: 6379
    envFrom:
      - secretRef: 
           name: app-secret

2. as single env variable

…

env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: app-secret
key: DB_password

3. as volumes ( inject into POD )
   …

volumes:
- name: app-secret-volume
secret:
secretName: app-secret

…
note: each secret property inside app-secret will be added a single file into the POD (container)

Question 28

what can ROOT user do on linux system

?

Answer 28

root user has the highest privileges on a system
~ modifying/restricting permissions on files/folders
~ setting user IDs
~ network related operations ( port binding etc..)
~ system operations like rebooting the host etc..
~ manipulating system clocks etc…………………
etc….

Question 29

set security context on a POD

Answer 29

for whole POD
…
spec:
securityContext:
runAsUser: 1000

for only one container :
spec:
  containers:
   - name: web-pod
      image: ubuntu
      command: ["sleep" , "3600"]
      securityContext:
        runAsUser: 1000
      capabilities:
         add: ["MAC_ADMIN"]

Question 30

check the user in a container/pod

Answer 30

$ kubectl exec ubuntu-sleeper – whoami

Question 31

security context:

set SYS_TIME capability to root user on a container

Answer 31

containers:
   - name: web-pod
      image: ubuntu
      command: ["sleep" , "3600"]
      securityContext:
         capabilities:
            add: ["MAC_ADMIN"]

Question 32

difference between user account and service account ?

Answer 32

user account:- admin or developer can utilize this to get into cluster or deploy your pods etc..

service account :- is used by an application /system
for example prometheus polls k8s api for metrics etc..
or jenkins uses its automated build to deploy applications on a cluster

Question 33

create service account imperatively

Answer 33

$ kubectl create serviceaccount webapp-sa

when a service account is created , it automatically creates a token and this token has to be used by external application to authenticate into the k8s

note: if the external application is inside the cluster itself , all you need to do is mount the secret as volume inside the pod which is hosting the external application

Question 34

what is difference between Mibibyte ( Mi) Vs Megabyte ( MB) ; 1Gi Vs 1 G ; 1 Ki Vs 1 K

Answer 34

1 G (Gigabytes)    = 10^9 bytes
1 M (Megabytes)  = 10^6 bytes
1 K (Kilobytes)      = 10 ^3 bytes 

1 Gi (Gibibytes)   = 1,073,741,824 bytes
1 Mi (Mibibytes)  = 1,048,576 bytes
1 Ki (Kibibytes)    = 1024 bytes

Question 35

The status ‘OOMKilled; means

?

Answer 35

Out of memory for a POD to be deployed on a node.
for ex: POD consumes 15 Mi memory and limit on POD resources is put as 10 Mi then it shows status as
OOMKilled

Question 36

Taints are set on ________ and Tolerations are set on ______ ?

Answer 36

Taints are set on nodes and tolerations are set on PODS

Question 37

imperative commands :

set taint on a node

set toleration on a POD

Answer 37

set taint on Node :
1. $ kubectl taint nodes node-name key=value:taint-effect
taint-effect : 3 types
- NoSchedule
- NoExecute (no new pods are put on POD and any existing pods will be evicted )
- PreferNoSchedule (prefers not to schedule any pod
but that is not guranteed )

Question 38

add tolerations to POD

Answer 38

suppose: taint on node is
$ kubectl taint nodes node1 app=blue:NoSchedule

then tolerations

pod. yaml
- –

...
spec:
 ...
  tolerations: 
  - key: "app"
    operator: "Equal"
    value: "blue"
     effect: "NoSchedule"

Question 39

remove a taint from a node

Answer 39

remember the - hyphen which say to remove the taint

$ kubectl taint nodes node-name <>-

for example remove taint on master node::

$ kubectl taint nodes master node-role.kubernetes.io/master:NoSchedule-

Question 40

Create a taint on node01 with key of ‘spray’, value of ‘mortein’ and effect of ‘NoSchedule’

Answer 40

$ kubectl taint nodes node01 spray=mortein:NoSchedule

Question 41

Node selectors how to add label to a node

Answer 41

suppose you want to add label size=Large on a node

you can add $ kubectl label nodes node01 size=Large

then u can add nodeSelector on POD .

…
nodeSelector:
size: Large

…

Question 42

different types of multi-container pods

Answer 42

1. Adapter
2. Side-car [ ex:- logging server]
3. ambassador

sidecar will get the logs from the app container and will send to Adapter container which will take/transform the logs and send it to central server

suppose there are DBs which are in diff env ( Dev,test, prod ) , we can add an ambassador container which the main app can use as a localhost but the ambassador container knows the DB(it will proxy to right DB)

note: these are patterns , but when u use on pod definition files , it will be just another container added

Question 43

define POD life cycle

Answer 43

when the POD is first created it will be in PENDING state
. kube-scheduler will schedule the POD onto a node which is available
once the POD is scheduled , it will pull all the images inside the POD - ContainerCreating state

once you have the images pulled and containers are run .it will go into RUNNING state

Question 44

what are liveness and readinessprobes ?

Answer 44

liveness probe helps to see if the container is able to serve requests

readiness probe helps to see at the start of application , if the application is ready to serve requests which are routed through a service

Question 45

container logging command

Answer 45

if only one container is present
$ kubectl logs -f pod-name

if multiple containers are present
$ kubectl logs -f pod-name container-name

Question 46

how monitoring works on k8s

Answer 46

• k8s doesnt have in-built metrics in it
• it utilizes 3rd party services like METRICS SERVER , Prometheus , dynatrace etc…
• every node has kubelet , which contains cAdvisor-which retrieves performance metrics and exposes it through an API
• any metrics server can utilize these metrics

Question 47

1. command for knowing metrics of nodes

2. command for knowing metrics of POD/s

Answer 47

1. $ kubectl top node

2. $ kubectl top pod

Question 48

what is clusterIP Vs NodePort Vs LoadBalancer Vs TargetPort

Answer 48

clusterIP: exposes a service on cluster’s internal IP

nodePort: exposes a service on each Node’s IP (static port)

load balancer : will create an external Load Balancer (AWS Classic LB), “behind it” automatically will create a NodePort, then ClusterIP and in this way will route traffic from the Load Balancer to a pod in a cluster

TargetPort: it is where service will send requests to.your application will be listening on this port

Question 49

what is endpoint in kubernetes ?

Answer 49

An endpoint is an object that gets IP addresses of individual pods assigned to it. The endpoint object is then in turn referenced by a kubernetes service, so that the service has a record of the internal IPs of pods in order to be able to communicate with them

Question 50

how to get a network policy

Answer 50

$ kubectl get networkpolicy

Question 51

how to get a network policy and how to check to which POD the network policy is added ?

Answer 51

$ kubectl get networkpolicy

to check which pod it is applied to
$ kubectl get networkpolicy and look for pod selector

Question 52

create a network policy

from pod internal to mysql@3306 and payroll@8080

Answer 52

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: payroll
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - podSelector:
        matchLabels:
          name: mysql
    ports:
    - protocol: TCP
      port: 3306

Question 53

How would you load balance into different services without ingress

Answer 53

1. you have an online store ( www.online-store.com/store )
   you have service exposing it to outside at 30080,
   a reverse proxy present at port 80 to access the application at www.online-store.com/store[in cloud ex: GCP , we get cloud native load balancer] rather than
   www.online-store.com:30080/store

now

suppose you are scaling your application
-> you added another application ( say vdo streaming app ) which needs to be accessed through the same DNS name

then we need separate loadbalancer(costly) then configure the proxy to route to this and to reverse proxy this , we need to add another proxy above it

Question 54

two types of ingress ?

Answer 54

Ingress controller :- ( underlying can be NGINX , HAProxy , Traefik, Istio etc.. ) ..note that they wont come with k8s , you need to deploy manually..
Ingress controllers also monitors k8s clusters for new Ingress definitions ,resources and configure the underlying solution (NGINX , Isito etc.. ) accordingly

in defintion file , Ingress controller is just a deployment file

Ingress resources:-
set of rules we can configure like TLS , SSL certs , URL routes etc.. [these are defined in definition files .yaml]

Question 55

how do you configure all the settings in a Ingress controller
underlying solution : NGINX

Answer 55

Ingress controller is just a deployment definition file .
you configure nginx-ngress-controller image in the defn file
and to add nginx configurations like
err-logs path , session timeouts , keep-alive , ssl-protocols etc… we can use a configMap and the configuration settings there

then we have to expose this Ingress controller to external world as Service NodePort

also for ingress controllers to monitor for Ingress resources and changes to them , we need to give right set of permissions for Ingress controller
we do that by adding a Service Account(Roles,ClusterRole,RoleBindings )

So for a setup of Ingress controller we need

objects
Deployment : Ingress-controller
Service : expose the controller
configMap : to store the config settings for the controller
ServiceAccount: to give right set of permissions for accessing

Question 56

what is default backend in Ingress resources

Answer 56

If any URL path doesn’t match with the resources we have , then we need to configure a default backend like HTTP 404 page not found.

Question 57

difference between having a host and having simple paths in Ingress resource?

Answer 57

host: it will configure such a way the requests coming from a hostname is forwarded to the host

...
spec:
  rules:
  - host: watch.online-service.com
    http:
      paths:
      - backend: 
           serviceName: watch-service
           servicePort: 80
...

only `paths` : it will just look into the path in the url and route accordingly
...
spec:
  rules:
  - http:
      paths:
      - path: /wear
        backend: 
           serviceName: watch-service
           servicePort: 80
    - http:
        paths:
        - path: /store
          backend: 
            serviceName: store-service
            servicePort: 80

…

Question 58

difference between having a host and having simple paths in Ingress resource?

Answer 58

host: it will configure such a way the requests coming from a hostname is forwarded to the host

...
spec:
  rules:
  - host: watch.online-service.com
    http:
      paths:
      - backend: 
           serviceName: watch-service
           servicePort: 80
...

only `paths` : it will just look into the path in the url and route accordingly [here host: *   means it will accept all routes ]
...
spec:
  rules:
  - http:
      paths:
      - path: /wear
        backend: 
           serviceName: watch-service
           servicePort: 80
    - http:
        paths:
        - path: /store
          backend: 
            serviceName: store-service
            servicePort: 80

…

Question 59

1. get ingress resource in all namespaces

2. get ingress in lobe namespace

Answer 59

1. $ kubectl get ingress –all-namespaces

2. $ kubectl get ingress -n lobe