KA 模拟题库 | 1. 权限控制RBAC
设置配置环境
kubectl config use-context k8s
Context
为部署流水线创建一个新的 ClusterRole 并将其绑定到范围为特定的 namespace 的特定 ServiceAccount 。
Task
创建一个名为 deployment-clusterrole 且仅允许创建以下资源类型的新 ClusterRole :
DeploymentStatefulSetDaemonSet
在现有的 namespace app-team1 中创建一个名为 cicd-token 的新 ServiceAccount。 限于 namespace app-team1 中,将新的 ClusterRole deployment-clusterrole 绑定到新的 ServiceAccount cicd-token
参考
kubectl create clusterrole -h
kubectl create rolebinding -h
https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/
解答
考试的时候务必记住切换集群, 注意集群名称 kubectl config use-context k8s
kubectl config use-context k8s |
# 创建clusterrole |
检查(考试时,可以不检查的)
kubectl -n app-team1 describe rolebinding cicd-token-rolebinding |
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来源 Hao DevSecOps!
微信
相关推荐
2023-01-09
CKA 模拟真题 Killer.sh | Question 1 | Contexts
Task weight: 1% You have access to multiple clusters from your main terminal through kubectl contexts. Write all those context names into /opt/course/1/contexts . Next write a command to display the current context into /opt/course/1/context_default_kubectl.sh , the command should use kubectl. Finally write a second command doing the same thing into /opt/course/1/context_default_no_kubectl.sh , but without the use of kubectl. 译文你可以通过 kubectl contexts 从你的主终端访问多个集群。把所有这些上下文的名字写进 ...
2023-01-10
CKA 模拟真题 Killer.sh | Question 24 | NetworkPolicy
Task weight: 9% Use context: kubectl config use-context k8s-c1-H There was a security incident where an intruder was able to access the whole cluster from a single hacked backend Pod. To prevent this create a NetworkPolicy called np-backend in Namespace project-snake . It should allow the backend-* Pods only to: connect to db1-* Pods on port 1111 connect to db2-* Pods on port 2222 Use the app label of Pods in your policy. After implementation, connections from backend-* Pods to vault-* Pods...
2023-01-02
CKA 模拟题库 | 3. 网络策略 NetworkPolicy
模拟题目设置配置环境: kubectl config use-context hk8s Task在现有的 namespace my-app 中创建一个名为 allow-port-from-namespace 的新 NetworkPolicy确保新的 NetworkPolicy 允许 namespace echo 中的 Pods 连接到 namespace my-app 中的Pods的9000 端口。进一步确保新的 NetworkPolicy : 不允许对没有在监听 端口9000的Pods的访问 不允许非来自 namespace echo中的Pods的访问 双重否定就是肯定,所以最后两句话的意思就是: 仅允许端口为 9000 的 pod 访问。 仅允许 echo 命名空间中的 pod 访问。 参考https://kubernetes.io/zh-cn/docs/concepts/services-networking/network-policies/概念 –> 服务 负载均衡和联网 –> 网络策略 解答 考试的时候务必记住切换集群, 注意集群名称...
2023-01-09
CKA 模拟真题 Killer.sh | Question 7 | Node and Pod Resource Usage
Use context: kubectl config use-context k8s-c1-H The metrics-server has been installed in the cluster. Your college would like to know the kubectl commands to: show Nodes resource usage show Pods and their containers resource usage Please write the commands into /opt/course/7/node.sh and /opt/course/7/pod.sh . 译文在集群中已经安装了metrics-server。你们学院想知道使用 kubectl 的命令获取如下信息。 显示节点资源使用情况 显示Pod和其容器的资源使用情况 请将这些命令写入/opt/course/7/node.sh 和 /opt/course/7/pod.sh 。 解答参考: kubectl top node -h kubectl top...
2023-01-09
CKA 模拟真题 Killer.sh | Question 8 | Get Controlplane Information
Use context: kubectl config use-context k8s-c1-H Ssh into the controlplane node with ssh cluster1-controlplane1 . Check how the controlplane components kubelet, kube-apiserver, kube-scheduler, kube-controller-manager and etcd are started/installed on the controlplane node. Also find out the name of the DNS application and how it’s started/installed on the controlplane node. Write your findings into file /opt/course/8/controlplane-components.txt . The file should be structured...
2023-01-09
CKA 模拟真题 Killer.sh | Question 11 | DaemonSet on all Nodes
Use context: kubectl config use-context k8s-c1-H Use Namespace project-tiger for the following. Create a DaemonSet named ds-important with image httpd:2.4-alpine and labels id=ds-important and uuid=18426a0b-5f59-4e10-923f-c0e078e82462 . The Pods it creates should request 10 millicore cpu and 10 mebibyte memory. The Pods of that DaemonSet should run on all nodes, also controlplanes. 译文在命名空间 project-tiger 进行如下操作。创建一个名为 ds-important 的 DaemonSet ,镜像为 httpd:2.4-alpine ,标签 id=ds-important ,...
评论
