Kubernetes

Question 1

container runtime

Answer 1

a k8s component, the underlying software that is used to run containers, e.g. docker

Question 2

pod is what of k8s

Answer 2

k8s object

Question 3

to see each pod’s node

Answer 3

kubectl get po -o wide

Question 4

create yml of pod quickly

Answer 4

kubectl run redis –image=redis123 –dry-run=client -o yaml

Question 5

edit pod

Answer 5

1. use existing yml
2. extract into yml and recreate pod
3. k edit only for below properties
   spec.containers[].image
   spec.initContainers[].image
   spec.activeDeadlineSeconds
   spec.tolerations
   spec.terminationGracePeriodSeconds
   spec.replica

Question 6

Replica Set (prev. replication controller)
difference of above two?

Answer 6

1. high availability
2. load balancer across nodes

selector: use to allow for managing pod that not created by replicaSet directly

Question 7

edit replicaset

Answer 7

k replace -f xxx.yml
k scale –replicas=6 -f rs-definition.yml
k scale –replicas=6 replicaset my-rs

Question 8

get version of a k object

Answer 8

k explain replicaset

Question 9

quick delete multiple pods

Answer 9

in a line: k delete po po1 po2 po3 po4

Question 10

deployment vs rs

Answer 10

deployment contains replicaset, rs contains pod

Question 11

–all-namespaces
–label

Answer 11

short -A
-l=”tier=db”

Question 12

Cert Tip: Imperative Command

Question 13

Run an instance of the image webapp-color and publish port 8080 on the container to 8282 on the host.

Answer 13

docker run -p 8282:8080 webapp-color

Question 14

light version docker image

Answer 14

python:3.6-alpine on alpine not debian

Question 15

Practice test Docker images

Answer 15

answer is missing

Question 16

docker ps vs docker ps -a

Answer 16

-a list all containers including the stopped ones
container automatically exit when its task/process is done, which is defined by “CMD”. The process has to be things like web server, db server but not “bash”

Question 17

docker run ubuntu

Answer 17

will exit but
docker run ubuntu [cmd]
docker run ubuntu sleep 5 will lasts for 5 secs
or:
CMD sleep 5
CMD [“sleep”, “5”]

or:
ENTRYPOINT [“sleep”]
docker run ubuntu-sleeper 10

or:
ENTRYPOINT [“sleep”]
CMD [“5”] -> default value

or: modify during runtime
docker run –entrypoint sleep2.0 ubuntu-sleeper 10

Question 18

k replace –force -f x.yml

Answer 18

replace pods

Question 19

docker run –name ubuntu-container –entrypoint sleep2.0 ubuntu-sleeper 10 in pod definition

Answer 19

command:

args: [“10”]

Question 20

imperative vs declarative

Answer 20

k create configmap
k create -f xxx.yml

Question 21

convert base64

Answer 21

echo -n ‘paswrd’ | base64
echo -n ‘paswrd’ | base64 –decode

Question 22

ubuntu install

Answer 22

apt-get install

Question 23

list processes on docker host / inside container

security context

Answer 23

ps aux
PID for different containers on the host are different -> process isolation
by default process run as root, but root user inside container is not like it on the host

change root’s capability,
docker run –add-cap MAC_ADMIN
or –drop-cap
–privilege

Question 24

get user inside pod

Answer 24

k exec po po-name – whoami

Question 25

resource CPU unit

memory unit 1G vs 1Gi

Answer 25

1 vCPU
0.1 == 100 m vCPU mili vCPU
minimal 1m vCPU

1 G = gigabyte 1,000,000,000 bytes
1 Gi = gibibyte about 1073,000,000 bytes (2 to the power of 30)

Question 26

can cpu or mem exceed the limit

Answer 26

CPU not, it is throttled. Mem yes, in the end it will be terminated with OOM (OOM kill)

Question 27

what is the resource require and limit by default
best CPU configure:

Answer 27

no limit

with requests but no limit

Question 28

when no request but limit set? what is request then?

Answer 28

request = limit set automatically by k8s

Question 29

set default resource limit request globally for all newly created pod

Answer 29

limitRange object

Question 30

restrict the total amount of resource

Answer 30

resourceQuota object
like hard limit/requests in the current namespace

Question 31

check reason of failed pod

Answer 31

describe po and check last state and Reason: is there

Question 32

default sa what is it? There’s also way to disable the mounting of sa token

Answer 32

it is automatically mounted to the pod of the ns, it has very restricted permission to run only basic kubectl cmd query. automountSAToken: false in spec

Question 33

how to change the sa of a pod from default? of deployment?

Answer 33

change it in the spec and recreate! For deployment, no need to recreate, just edit

Question 34

latest 1.24 sa token is not automatic created, how to create it?

Answer 34

k create token sa-name, it has by default 1h expiry time
or
(not recomanded, no time boundary)
create a kubernetes.io/s-a-token type secret for the account as before

Question 35

check token of a sa
check taint of a no

Answer 35

describe it and check tokens:
describe and check taints:

Question 36

check sa of a pod/deploy

Answer 36

describe the pod and find Service Account:

Question 37

change sa of deploy from default

Answer 37

go to spec/template/spec/ add ServiceAccountName: sa-name

Question 38

taint nodes
untain no

Answer 38

k taint no no-name app=blue:taint-effect

add a minus in the end

Question 39

what is restricted by the taint and tolerants

Answer 39

it only restrict the no. A pod with a matched toleration will not guaranteed to be scheduled on the tainted node

Question 40

check where is the po

Answer 40

-o wide

Question 41

node-selector
label a node

Answer 41

nodeSelector in pod.spec
(very simple only one label: value)

k label no no-name key=value

Question 42

node affinity

Answer 42

ensure a pod is hosted on a particular node. More advanced than nodeSelector

Question 43

requiredDuringSchedulingIgnoredDuringExectution

Answer 43

during schedule of pod, must find the matched node, if not found, don’t schedule
During the pod execution, if node’s label is changed so that the condition doesn’t match any more, ignore it. if required is defined, pod will be evicted.

Question 44

multi-container pods

Answer 44

logging agent + web server they need to share same lifecycle (volumn, storage, netware)

Question 45

multi-container pod

Answer 45

sidecar (logging server +web server),
adapter: before sending logs to a central server, we adapt the log in to a unified format
ambassador: to connect to different stage db, you may choose to outsource such logic to separate container, such as at local host it connects to a local database, and the new container will proxy that request to other right db

Question 46

check pod conditions

Answer 46

k describe po
check conditions section

Question 47

readiness probes

Answer 47

check if a pod’s ready status is really true or false. it is application relevant, e.g. http test /api/ready. or if a particular TCP socket is listening or just exec a custom script

Question 48

liveness probes

Answer 48

check if a container is health.
http test - /api/healthy or if a particular TCP socket is listening or just exec a custom script

Question 49

docker run -d event-simulator

Answer 49

detach mode without output the log

Question 50

print log of multi-container pod

Answer 50

k logs -f po-name container-name

Question 51

metrics server

Answer 51

1. one for each k8s cluster
2. no historical data, only in-memory

Question 52

with metrics-server, what can do

Answer 52

k top node
k top po

Question 53

get things based on label

get all pod’s label

Answer 53

k get po –selector app=App1

k get po –l app=App1

k get po –show-labels

Question 54

annotation

Answer 54

used to record other details for informationary purpose, phone numbers etc. or may be for other integration purpose

Question 55

check status of each revision

Answer 55

kubectl rollout history deployment nginx –revision=1

record cause:
kubectl set image deployment nginx nginx=nginx:1.17 –record

Question 56

edit deploy

Answer 56

kubectl rollout status deployment nginx

kubectl rollout history deployment nginx

Question 57

set deploy image

Answer 57

k set image deploy frontend simple-webapp=kodecloud/webapp-color:v2

Question 58

use pod to run 3+2, how to get output

Answer 58

k logs po-name

Question 59

job
completion
parallelism

Answer 59

job will create po to run a certain one time task
completion will be the #pod to create, keep create this number of pod until they all successfully completed
parallelism

Question 60

cronjob
schedule
how is the yaml vs job

Answer 60

job can be schedule
schedule: takes cron like format string

spec:
schedule:
jobTemplate:
spec (job’s spec)

Question 61

check job successful history, attemps

Answer 61

describe job and check
Pods Statuses:

Question 62

k8s network : how to access pod’s ip

Answer 62

inside node, accessable the pod’s ip directly

Question 63

k8s service use case

Answer 63

service is in fact a virtual server inside the node, it has its own IP address, it is called cluster IP of the service

NodePort: to listen to a port on the note and forward request on that port to a port on the pod running the web app
clusterIP: virtual ip inside cluster to allow communication between different services, such as frontend to backend
LoadBalancer: service provisions a load balancer for our app in a supported cloud providers, it is to distribute load accross the different web server in your frontend tier

Question 64

nodePort target port, port, node Port

Answer 64

target port: port on the pod
port: port on the service, service is in fact a virtual server inside the node
nodeport: the port on the node for external, between 30000 - 32767

only port is the must, target port by default equals to port

to access: use node ip/port number

Question 65

cluster IP use case, target port, port

Answer 65

between tiers of a web app: frontend, backend, db.
target port is the port of backend exposes.
port is where the service is exposed

Question 67

what is endpoint of a svc

Answer 67

endpoints is another name of the port identified by the label selectors. It can be used to check if our svc’s selector is correctly set

Question 68

describe a frontend backend

Answer 68

There is a web server serving frontend to users, an app server serving backend API and the db server.
user send in request to web server, the web server send request to API server, then the api server get data from db and send it to backend

Question 69

ingress vs egress

Answer 69

the direction of a request, but not that of response. netpol only define on ingress, egress is automatically configured itself for response

if need request out to other server, we need to configure egress rule in the netpol

Question 70

by default connectivity

Answer 70

all allow, all can communicate to others

Question 71

how to restrict

Answer 71

use network policy to only allow access from api-pod on port 3306.

by default everything are connected, but once one netpol is defined for a po, the po is default deny by that type of traffic (in or out)

network policy is not supported by all network solution on k8s, fiannel doesn’t support it, need to check its documentation. You can create, but it won’t work without any error msg

networkpolicy can define ingress from podSelector, namespaceSelector,
ipBlock for server outside of cluster

Question 72

netpol yaml rule

Answer 72

• ports vs portsare different
  each - starts a new rule
  the rule can be defined with ports or to
  they can also combine in one rule start with -

one rule combined with and
- to
ports:

two rules combined with Or
vs
-to:
- ports:

TCP UDP needs to define into seperate protocol inside ports:

Question 73

pod A can ping pod B

Answer 73

ping doesn’t mean connection, it has a special port, with ICMP protocol

Question 74

K8s ingress controller vs load balancer? Vs nginx server?

Answer 74

Ingress controller contains load balancer + nginx server (or any other load balancing solution) + other functions. It is a k8s deploy

Question 75

K8s ingress controller role in k8s?

Answer 75

Ingress controller helps the apps deployed in k8s using a single accessible url that you can configure routes to different services within your cluster based on the url path. It also implement ssl security.

it also has to be published as a nodePort or loadbalancer svc, and it is a one-time config.

Question 76

to inspect ing, logs the ingress pod and find wrong default-backend

Answer 76

–default-backend-service=green-space/default-backend-service

redeploy ingress-controller with above changes

Question 77

Term of ingress rules?

Answer 77

Ingress resources, type Ingress, Ingress rule is defined for each host/domain-name (I call it base url), e.g. http://www.my-store.com/

Question 78

3 types of ingress rule defined by yaml

Answer 78

spec.backend directly
spec.rules.http for each host/domain-name
spec.rules.-host (for multiple host)

Question 79

nginx.ingress.kubernetes.io/rewrite-target: /$2, replace(“/something(/|$)(.*)”, “/$2”)

Answer 79

regular expression capturing group

Question 80

docker copy-on-write mechanism

Answer 80

image layer is read only
container layer is read write,
when modify app.py, you can still modify it but it is copied to container layer firstly.

Question 81

when container is removed, the container layer is gone
to persist data, use volumn

Answer 81

volume mounting:
docker volume create data_volume -> create a volume locally /var/lib/volume
docker run –mount my-volume:/path-in-container mysql

if you don’t run create volume before run container, it will be created automatically

Question 82

external data source?

Answer 82

bind mounting: use the path directly

docker run -v /fullpath-to-data:/path-in-container

latest:
docker run –mount type=bind, source=fullpath-to-data, target=/path-in-container mysql

Question 83

what is doing bind mounting?

what is doing volume mounting

Answer 83

storage driver: e.g. AUFS, ZFS, overlay
volume driver: azure file storage, netApp, rexray
docker run -it –name mysql –volume-driver rexray/ebs –mount src=ebs-vol, target …

Question 84

docker container is meant to be transient

Answer 84

means they meant to last for a short period of time

Question 85

pod.spec.volumes

Answer 85

not nice way: a file path on the node (host) on k8s:
hostpath.type: Directory

better: to use ebs
replace volumes.awsElasticBlockStore

Question 86

persistent volumes

Answer 86

to manage volumes centrally, it is a cluster wide pool of storage volumes configured by admins. The developer can use it by creating PVC.
To bind it, use selector in PVC yaml.
PVC and PV is 1to1 mapping. If no PV available, pvc will be pending.

Question 87

what happens when pvc is deleted

Answer 87

persistentVolumeReclaimPolicy: Retain/Delete/Recycle
retain: pv will be retained and cannot be used by other pvc
delete: pv will be deleted as well
recycle: scrubb the data and reused for other pvc

Question 88

authentication vs authorization of kube apiserver

Answer 88

who can access?
static pwd files, static token file, certs, external identity providers like LDAP
SA

what can they do:
RBAC authorization

Question 89

all communication between the components surrounded by kube apiserver is secured by ???

Answer 89

tls cetificates

Question 90

auth:

Answer 90

Two types account: user, sa
cannot create user, external identity provide is needed for example.
SA can be created

Question 91

kubeconfig

Answer 91

three things:
cluster, context, users
context is the thing which links above two.
k config view: to list it
k config use-context: to change it

Question 92

context

Answer 92

specify namespace along with user and cluster

Question 93

access api groups

Answer 93

curl http://localhost:6443 -k

to list resource group
curl http://localhost:6443/apis -k | grep name

to get more permissions, need to authenticate, –key, –cert –cacert etc.
OR kubectl proxy, it launches a proxy service locally on port 8001 and will use the cred from the kube-config file. No need to auth anymore

Question 94

curl, check a svc

Answer 94

-m 5 set timeout
curl -m 5 jupiter-crew-svc:8080 (svc name:port)

for nodeport:
curl nodeIp:nodeport

Question 95

wget vs curl

Answer 95

do http request
wget -O- frontend:80

-O-: print content

wget focus on downloading file
curl serves more general purpose, by default don’t download things

Question 96

kubectl proxy

Answer 96

a http proxy service created by kubectl utility to access the kube-api server without auth

Question 97

to know preferred version of a api group

Answer 97

k proxy 8001& (& run in the background)
curl localhost:8001/apis/authorization.k8s.io

Question 98

kube-apiserver –authorization-mode=Node, RBAC, Webhook

Answer 98

define the order of authorization option, by default it is alwaysallow

Question 99

role

Answer 99

apiGroups [””] core as empty
resources: [“pod”]
verbs: [get, create]

even to a specific pod
resourceName: [“blue-po”, “red-po”]

Question 100

rolebinding

Answer 100

bind role to a user
subjects: for user detail
roleRef: role detail

Question 101

check my permission
as admin you can check other’s permission

Answer 101

k auth can-i delete nodes

k create po –as dev-user

Question 102

clusterRole

Answer 102

role is namespaced, but there are resources that are not namespaced but cluster scoped, such as node, pv, ns.

clusterRole can also authorize a user to access pods across all ns

Question 103

Get the API groups and resource names

Answer 103

k api-resources

Question 104

get default enabled admission controller

Answer 104

k -n kube-system exec kubeapi-server-pod – kube-apiserver -h | grep enable-admission-plugins

check second paragraph:

admission plugins that should be enabled in addition to default enabled ones (…here all default enabled ones!!!)

to edit in a kubeadm setup when it is running as a po:
vi /etc/kubernetes/manifests/kube-apiserver.yaml

or follow documentation

Question 105

vim search

Answer 105

https://monovm.com/blog/how-to-search-in-vim-editor/#:~:text=Press%20the%20%22%2F%22%20key%20to%20enter%20search%20mode.,occurrence%20of%20the%20character%20string.

Question 106

two type admission controller

Answer 106

mutating: DefaultStorageClass , NamespaceAutoProvision
validate: NamespaceExits

mutate is invoked first followed by validate

Question 107

mutating/validating admission webhook server

Answer 107

two special admission controller to support external admission controller, we need to point it to our own server within or outside k8s cluster to run our own code & logic.

on k8s: kind: ValidatingWebhookConfiguration

webhook will send a AdmissionReview object to the sever for reviewing, the server will return a true or false

Question 108

api version: alpha beta, how to enable?

enable api groups

Answer 108

not enable by default,
in ExecStart=
–runtime-config=batch/v2alpha1

Question 109

beta vs alpha vs GA (stable)

Answer 109

beta has e2e tests, has only minor bugs, commit to move to GA (general availble)

Question 110

what is preferred version

Answer 110

mulitple version can be deployed to a k8s cluster, but when run k get deploy, it only return the preferred version.
To know preferred version:
k explain deploy
or
/apis/batch

storage version: only one version can be defined as storage version. when other version is created, it will be converted to the preferred before storing to edcd version

storage and preferred are usually the same but they don’t necessarily have to be the same

Question 111

api deprecation policy

Answer 111

1. api elements may only be removed by incrementing the version of the API group
2. api objects must be able to round-trip between api versions in a given release without information loss, with the exception of whole REST resources that do not exist in some versions
   4a, beta support at least 9 month or 3 releases
   GA supports 12 months or 3 releases
   5, when a release supports both new and previous version (v1beta2, v1beta1), after 1 release, we can change the storage/preferred version to the new version.
   3: v2alpha won’t deprecate GA v1 version. v2 can deprecate GA v1

Question 112

k convert

Answer 112

k convert -f old-yaml-file –output-version new-version. it outputs new version’s yaml

need to install kubectl convert plugin

Question 113

get short name of resource

Answer 113

k api-resources

Question 114

what happens to etcd db when create resource ? what is controller

Answer 114

the resource is store the object in etcd data store
controller keeps monitoring etcd and create the replica set based on defined.
each resource has a controller, deploy has deploy controller in Go

Question 115

to define a custom resource other than deploy, replicaset etc

Answer 115

use CRD, it only allow you to create resource via k, but it didn’t really does anything. To further do things, custom controller is needed.
scope: namespaced or not
group: define api group, e.g. flights.com
names:
kind: of the resources
singular:
plural:
shortName:
version, schema of its yaml

Question 116

custom controller

Answer 116

loops: monitor and change
usually in Go, as it is easier. It can be in python but it is expensive, it needs to create own queueing and caching mechanism

Question 117

operator framework

Answer 117

is CRD + custom controller together
operatorHub.io

Question 118

helm concept

Answer 118

package manager for k8s app

Question 119

os

Answer 119

install helm with snap utility
apt-based system such as Debian or ubuntu apt-get
package-based system, pkg install helm

to get version of linux
lsb_release -a

cat /etc/release

Question 120

Chart.yaml

Answer 120

it has info about the helm chart, the version, name etc.
artifacthub.io - chart repository
to search it:
helm search hub wordpress
to search other repo, need to add the repo:
helm repo add bitnami https://charts.bitnami.com/bitnami

to search this repo:
helm search repo wordpress
helm repo list - to list the charts

helm repo update - update chart list from remote

Question 121

to find resource installed by a certain helm release, use selector

Answer 121

kubectl get all -n NAMESPACE –selector=release=RELEASE_NAME

Question 122

helm command install

Answer 122

helm install release-name chart-name/chart-directory:
download the chart, extract, install it locally.
release: each install of a chart is called a release. it is like id
to list package: helm install
to uninstall package: helm uninstall rellease-name
To only download/extract hem chart:
helm pull –untar bitnami/workpress

Question 123

app creation order

Answer 123

pv, pvc, po, svc!
first create pvc

Question 124

remove pvc

Answer 124

delete finalizers in the yaml metadata
use /finalizers to search in vim editor

Question 125

networkpolicy

Answer 125

check connectivity?

root@controlplane:~$ kubectl exec -it webapp-color – sh

/opt # nc -v -z -w 5 secure-service 80

Question 126

create temporary pod

Answer 126

kubectl run tmp –restart=Never –rm –image=nginx:alpine -i – curl http://project-plt-6cc-svc.pluto:3333

–rm: delete po after exits

run not exec!!!

Question 127

exec command in a pod

Answer 127

k -n moon exec web-moon-c77655cc-dc8v4 find /usr/share/nginx/html

Question 128

vim: multiple line edit

Answer 128

ctrl V: select
shit I: insert
esc: save

Question 129

containerPort:

Answer 129

ports : containerPortList of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational!!!
Not specifying a port here DOES NOT prevent that port from being exposed.

Question 130

tcp vs http

Answer 130

http is later higher than tcp. TCP checks basic network connection, http checks app level connection

Question 131

assign po to a no

Answer 131

spec.
nodeSelector with labels
nodeName with name

Question 132

run as root:
add capability

Answer 132

spec.securityContext.runAsUser: 0
spec.container.security.securityContext.capabilities.add

Question 133

echo to log

Answer 133

while true; do echo $(date) Hi i am shell&raquo_space; date.txt;sleep 5; done;

Question 134

kubectl get event –field-selector involvedObject.name=probe-ckad-aom

Answer 134

get events who has label name=probe-ckad-aom, e.g. pod

Question 135

get first field

Answer 135

kubectl get ns | cut -d’ ‘ -f1

Question 136

batch process

Answer 136

k -n sun label pod -l type=runner protected=true # run for label runner and label them all with protected

k get po –selector type=label –no-headers | awk ‘{print $1}’ | xargs -I {} kubectl label po {} protected=true –namespace=sun

Question 137

search po based on text

Answer 137

k describe po | grep happy-shop -A10 -B10
grep before and after 10 lines!

Question 138

cm: –from-env-file vs –from-file

Answer 138

–from-env-file: key-value pairs
–from-file: the whole file content will be the value, the file name will be its key.
OR: –from-file=<my-key-name>=<path-to-file></path-to-file></my-key-name>

Question 139

istio, what is it?

Answer 139

it is a service mesh (pattern), it manages communication between microservices. istio is the implementation

Question 140

what is its function and why?

Answer 140

To make in-cluster security in microservice archtecture.
it introduces a
1. sidecar pattern with evovy proxy: it separates the non-business logic from the microservice. These logic like comunication configuration (COMM), security logic (SEC), retry logic (R), metrics & tracing logic (MT) can be configured once from control plane (istiod) to all microservices (pods)
2. traffic split: canary deployment (90 % new version)

Question 141

how to configure istio?

Answer 141

two crd, virtualservice and destinationrule, both are on istiod. By conifgure istiod, we configure the proxy.

Question 142

istio ingress gateway

Answer 142

entrypoint to your cluster. It is an alternative to nginx ingress controller. configure as crd: gateway