Kubernetes & GKE Flashcards

1
Q

What is a Pod?

A

A pod is a scheduling unit that contains one or more containers guaranteed to be co-located on the same node.

Pods have a unique IP address within their cluster that allows applications to connect to them.

Within a pod, all containers can reference each other.

2
Q

What is a service?

A

A service is a collection of pods that work together.

The pods used in the service are defined by a label selector.

3
Q

What are the two modes of service discovery?

A

Kubernetes DNS and environment variables.

4
Q

What is service discovery?

A

The process of automatically detecting devices and services on a network.

5
Q

How does service discovery work in Kubernetes?

A

It assigns a service an unchanging IP and DNS name, and load balances traffic across the service's pods using round robin.

6
Q

What is a volume?

A

A volume is a persistent filesystem for pods.

It lasts as long as the pod does and can be accessed by the containers in a pod.

7
Q

What is a label?

A

A label is a key/tag used to identify an API object (Nodes, Pods, etc.).

8
Q

What is a label selector?

A

A label selector is a query against labels to find matching objects.

9
Q

What is a workload?

A

A workload is a high-level abstraction to make managing pods simpler.

10
Q

What is a ReplicaSet?

A

A ReplicaSet is a workload that manages a stable set of replica pods.

It is defined using a label selector which, when evaluated, will identify all the pods related to it.

11
Q

What is a ReplicationController?

A

A ReplicationController is the predecessor of a ReplicaSet. It works in the same way, but has been deprecated in favour of the ReplicaSet, which makes use of label selectors.

12
Q

What is a Deployment?

A

A Deployment is a higher-level management tool for ReplicaSets.

It controls what happens to a ReplicaSet (whether it needs to be updated or rolled back, etc.).

When a Deployment scales vertically, the declaration of the ReplicaSet changes and this change is managed by the ReplicaSet.

13
Q

What is an Ingress object?

A

An Ingress object is an API object that exposes a service inside the cluster to clients outside the cluster and manages access to it, typically via HTTP/S.

Ingress may provide load balancing, SSL termination and name-based virtual hosting.

Ingress requires an Ingress Controller to work. Just creating one won’t do anything.

14
Q

What are the two ways of handling configuration information in Kubernetes?

A

ConfigMaps and Secrets.

15
Q

What is a ConfigMap?

A

A ConfigMap is an API object used to store non-confidential config data as key/value pairs.

They can be used as environment variables, command-line arguments, or configuration files in a Volume.

16
Q

What is a Secret?

A

A Secret is an API object that contains sensitive data (e.g., password, OAuth token, etc).

They are meant for holding sensitive data, but are not encrypted at rest by default. In addition, anyone with API access or access to etcd can view the Secret's value.

17
Q

How do you protect a Secret?

A

By:
1) Enabling Encryption at Rest for Secrets
2) Enabling/configuring RBAC rules with least-privilege access to Secrets
3) Restricting Secret access to specific containers
4) Using external Secret store providers

18
Q

What is GKE Application-layer Secrets Encryption?

A

Application-layer Secrets Encryption is a GKE offering that uses keys from Cloud KMS to encrypt sensitive data stored in etcd.

19
Q

What is etcd?

A

A consistent and highly available key-value store used as the backing store for cluster data.

You will need a data backup plan for the etcd data.

20
Q

What is a network policy?

A

A construct that specifies how a pod is allowed to communicate with various network entities (endpoints, services, etc.) over a network.

Network policies apply only to connections with a pod at one or both ends.

21
Q

What are the three identifiers used to define the entities a NetworkPolicy permits connection to?

A

Other pods
Namespaces
IP blocks

22
Q

What are the selectors to define the allowed pods in a NetworkPolicy?

A

Label selectors for pod- and namespace-based policies.

IP ranges for IP-block-based policies.

23
Q

What are the prerequisites for NetworkPolicies?

A

A network plugin that supports NetworkPolicy.
Otherwise, creating a policy has no effect.

24
Q

What is GKE Ingress?

A

GKE Ingress is a built-in and managed Ingress controller. This controller implements Ingress resources as Google Cloud load balancers for HTTP(S) workloads in GKE.

25
Q

What is GKE workload identity?

A

Workload Identity is an offering that allows a Kubernetes service account to act as an IAM service account.

Pods that use the Kubernetes service account will automatically authenticate as the IAM service account when accessing Google Cloud APIs.

26
Q

What are the prerequisites to use Workload Identity?

A
  1. Enable the Google Kubernetes Engine API.
  2. Ensure the IAM Service Account Credentials API is enabled.
  3. Ensure you have the roles needed for this (roles/container.main & roles/iam.serviceAccountAdmin).
  4. Enable Workload Identity on the cluster.

27
Q

What is a Node in Kubernetes?

A

A node is a physical or virtual machine. They’re controlled by the control plane and contain services to run Pods.

Nodes make up a cluster.

28
Q

What is a control plane in Kubernetes?

A

The container orchestration layer that exposes the API and interfaces to define, deploy, and manage the lifecycle of containers.

Src - https://kubernetes.io/docs/reference/glossary/?all=true#term-control-plane

29
Q

What is a data plane in Kubernetes?

A

The layer that provides capacity such as CPU, memory, network, and storage so that the containers can run and connect to a network.

Src - https://kubernetes.io/docs/reference/glossary/?all=true#term-data-plane

30
Q

What is a DaemonSet?

A

A DaemonSet is a workload resource that ensures some or all Nodes are running a copy of a Pod.

Deleting a DaemonSet will clean up the Pods it created.

31
Q

What is a ResourceQuota?

A

An object that limits the total amount of resources a namespace can use.

32
Q

What is a LimitRange?

A

An object that limits how many resources each object within a Namespace can use.

33
Q

What is a Namespace?

A

A mechanism to isolate groups of resources in a cluster.

Names in a Namespace need to be unique within the Namespace only.

34
Q

What is a StatefulSet?

A

A StatefulSet is the workload API object used to manage stateful applications.

It manages the deployment and scaling of a set of Pods, and provides guarantees about the ordering and uniqueness of these Pods.

Like a Deployment, a StatefulSet manages Pods that are based on an identical container spec. Unlike a Deployment, a StatefulSet maintains a sticky identity for each of its Pods. These pods are created from the same spec, but are not interchangeable: each has a persistent identifier that it maintains across any rescheduling.

If you want to use storage volumes to provide persistence for your workload, you can use a StatefulSet as part of the solution. Although individual Pods in a StatefulSet are susceptible to failure, the persistent Pod identifiers make it easier to match existing volumes to the new Pods that replace any that have failed.

35
Q

What is a VPC-Native Cluster?

A

A cluster that uses alias IP address ranges.

Source - https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips

36
Q

What is a Routes-Based Cluster?

A

A cluster that uses custom static routes in a VPC network.

Source - https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips