Linux Foundation Certified Kubernetes Application Developer (CKAD) Free Practice Test
Question 1
You're tasked with deploying a containerized application that handles sensitive customer data. The security policy mandates that only containers with specific security profiles can access the data. How would you implement Pod Security Standards (PSS) in your Kubernetes cluster to enforce this requirement?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define Pod Security Policies:
- Create a Pod Security Policy (PSP) resource using a YAML file.
- Define the allowed security profiles based on your security requirements.
- You can restrict things like:
  - Container privileges (root or non-root)
  - Allowed capabilities (e.g., 'SYS_ADMIN')
  - Security context constraints (e.g., read-only root filesystem)
  - Access to host resources (e.g., devices, networking)

2. Apply the Pod Security Policy:
- Use 'kubectl apply -f sensitive-data-psp.yaml' to apply the PSP to your cluster.

3. Modify Your Deployment (or other workload) to Use the PSP:
- Update the Deployment (or other workload) YAML file to include a 'securityContext' field that references the PSP you created.
- Ensure that the container image and configuration adhere to the constraints defined in the PSP.

4. Verify Deployment:
- Use 'kubectl get pods -l app=sensitive-data-app' to ensure your pods are running.
- The pods should now adhere to the specified security constraints defined by the PSP.

5. Enforcement:
- Kubernetes will prevent pods from running if they violate the constraints defined in the PSP.
- This provides a layer of security enforcement for sensitive applications.

Note: PSPs are deprecated in Kubernetes 1.25 and are replaced by Pod Security Admission. For newer Kubernetes versions, you would use Pod Security Admission to enforce these security constraints.
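For the Pod Security Admission route mentioned in the note, the following added example (not part of the original answer) checks a pod spec against a subset of the Pod Security Standards 'restricted' profile, covering the privilege, capability and host-access restrictions listed in step 1. The function name and both sample pod specs are constructed for illustration.

```python
"""Check a pod spec against a subset of the Pod Security Standards
'restricted' profile (added example; the real Pod Security Admission
controller evaluates more controls, e.g. volume types and sysctls).
Pod Security Admission itself is switched on per namespace with the label
pod-security.kubernetes.io/enforce: restricted."""

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}  # the only capability 'restricted' lets you add
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec):
    """Return a sorted list of violations for a pod spec given as a dict."""
    found = []
    pod_sc = pod_spec.get("securityContext") or {}

    # Host namespaces and hostPath volumes expose the node to the container.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            found.append(f"pod: {field} must not be true")
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"pod: volume {vol.get('name')} uses hostPath")
    if pod_sc.get("runAsUser") == 0:
        found.append("pod: runAsUser must not be 0")

    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        if sc.get("privileged"):
            found.append(f"{name}: privileged must not be true")
        # Must be explicitly false; leaving the field unset fails the profile.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")

        # A container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser") == 0:
            found.append(f"{name}: runAsUser must not be 0")

        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - ALLOWED_ADDED_CAPS)
        if extra:
            found.append(f"{name}: capabilities.add not allowed: {', '.join(extra)}")
    return sorted(found)


# Constructed sample: the kind of pod the policy is meant to reject.
RISKY_POD = {
    "hostNetwork": True,
    "containers": [{
        "name": "app",
        "image": "registry.example/sensitive-data-app:1.0",
        "securityContext": {"privileged": True,
                            "capabilities": {"add": ["SYS_ADMIN"]}},
    }],
}

# Constructed sample: the same workload with a hardened securityContext.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app",
        "image": "registry.example/sensitive-data-app:1.0",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("risky", RISKY_POD), ("hardened", HARDENED_POD)):
        problems = restricted_violations(spec)
        print(f"{label}: {'admitted' if not problems else 'rejected'}")
        for p in problems:
            print(f"  - {p}")
```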
Question 2

Set Configuration Context:
[student@node-1] $ kubectl config use-context k8s
Context
A container within the poller pod is hard-coded to connect to the nginxsvc service on port 90. As this port changes to 5050, an additional container needs to be added to the poller pod which adapts the container to connect to this new port. This should be realized as an ambassador container within the pod.
Task
* Update the nginxsvc service to serve on port 5050.
* Add an HAproxy container named haproxy bound to port 90 to the poller pod and deploy the enhanced pod.
Use the image haproxy and inject the configuration located at /opt/KDMC00101/haproxy.cfg, with a ConfigMap named haproxy-config, mounted into the container so that haproxy.cfg is available at /usr/local/etc/haproxy/haproxy.cfg. Ensure that you update the args of the poller container to connect to localhost instead of nginxsvc so that the connection is correctly proxied to the new service endpoint. You must not modify the port of the endpoint in poller's args. The spec file used to create the initial poller pod is available in /opt/KDMC00101/poller.yaml
Correct Answer:
See the solution below.
Explanation:
Solution:
To update the nginxsvc service to serve on port 5050, you will need to edit the service's definition yaml file.
You can use the kubectl edit command to edit the service in place.
kubectl edit svc nginxsvc
This will open the service definition yaml file in your default editor. Change the targetPort of the service to 5050 and save the file.
To add an HAproxy container named haproxy bound to port 90 to the poller pod, you will need to edit the pod's definition yaml file located at /opt/KDMC00101/poller.yaml.
You can add a new container to the pod's definition yaml file, with the following configuration:
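containers:
- name: haproxy
  image: haproxy
  ports:
  - containerPort: 90
  volumeMounts:
  # haproxy-config must also be declared under the pod's spec.volumes as a configMap volume
  - name: haproxy-config
    mountPath: /usr/local/etc/haproxy/haproxy.cfg
    subPath: haproxy.cfg   # mount only this key as a single file
  args: ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]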
This will add the HAproxy container to the pod and configure it to listen on port 90. It will also mount the ConfigMap haproxy-config to the container, so that haproxy.cfg is available at /usr/local/etc/haproxy/haproxy.cfg.
To inject the configuration located at /opt/KDMC00101/haproxy.cfg to the container, you will need to create a ConfigMap using the following command:
kubectl create configmap haproxy-config --from-file=/opt/KDMC00101/haproxy.cfg
You will also need to update the args of the poller container so that it connects to localhost instead of nginxsvc. You can do this by editing the pod's definition yaml file and changing the args field to args: ["poller","--host=localhost"].
Once you have made these changes, you can deploy the updated pod to the cluster by running the following command:
kubectl apply -f /opt/KDMC00101/poller.yaml
This will deploy the enhanced pod with the HAproxy container to the cluster. The HAproxy container will listen on port 90 and proxy connections to the nginxsvc service on port 5050. The poller container will connect to localhost instead of nginxsvc, so that the connection is correctly proxied to the new service endpoint.
Please note that this is a basic example and you may need to tweak the haproxy.cfg file and the args based on your use case.
Question 3
You are building a container image for a Spring Boot application that connects to a MySQL database. The application requires specific environment variables, such as the database hostname, username, password, and port. How would you define these environment variables within the Dockerfile to ensure the application runs correctly in a Kubernetes cluster?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
1. Define Environment Variables in Dockerfile:
- Utilize the 'ENV' instruction within your Dockerfile to set the necessary environment variables.
- These variables will be accessible to your Spring Boot application during runtime.
- Example:

2. Build the Docker Image:
- Construct your Docker image using the Dockerfile.
- Run the following command: 'docker build -t your-image-name

3. Deploy to Kubernetes:
- Create a Deployment or Pod in Kubernetes that utilizes your built image.
- Ensure the pod's environment variables align with the ones defined in your Dockerfile.
- Example (Deployment YAML):

4. Verify Application Functionality:
- Access your deployed application in the Kubernetes cluster.
- Verify that it connects successfully to the database and operates as expected.
Question 4
You are tasked with deploying a complex application using Helm. The application consists of multiple microservices, each with its own deployment and service. To simplify the deployment and management of these microservices, you need to implement a mechanism that allows you to automatically create and manage namespaces based on the name of the Helm release.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Custom Helm Chart:
- Begin by creating a custom Helm chart named 'my-app-chart' to manage the application's multiple microservices.
2. Implement a Namespace Creation Function:
- Within the 'my-app-chart/templates' directory, create a file named 'namespace.yaml' and define the namespace creation function.

- This function uses the Helm release name to dynamically generate a namespace with the format '-namespace'.

3. Add the Namespace to the Chart:
- Modify the 'my-app-chart/templates/service.yaml' and 'my-app-chart/templates/deployment.yaml' for each microservice to ensure the deployments and services reside within the dynamically created namespace:

4. Deploy the Chart with Different Releases:
- Use the following command to deploy the chart with different releases, each creating a separate namespace:
helm install release1 my-app-chart
helm install release2 my-app-chart
- This will create namespaces 'release1-namespace' and 'release2-namespace', each containing the deployments and services of the respective releases.

5. Manage and Clean Up:
- To manage and clean up the deployments and namespaces, you can use regular Helm commands within the context of each namespace:
kubectl --namespace release1-namespace get pods
helm delete release1
kubectl delete namespace release1-namespace
- This approach provides a structured and automated method for managing multiple microservices within separate namespaces using Helm releases.
Question 5
You need to implement a mechanism for automatically rolling out new versions of your application pods. This process should be triggered by a change in the application's container image tag in a Docker Hub repository.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Configure the Deployment for Rolling Updates:
- Update your application deployment to specify a 'rollingUpdate' strategy.
- Set 'maxUnavailable' and 'maxSurge' to control the rolling update process.
- Include a 'strategy.type' to 'RollingUpdate'.
- Set 'imagePullPolicy' to 'Always' to ensure that new images are always pulled from the Docker Hub repository.

2. Apply the Deployment:
- Apply the updated deployment using 'kubectl apply -f your-application-deployment.yaml'.

3. Push a New Image to Docker Hub:
- Update your application's container image in the Docker Hub repository and push the new image with a different tag. For example, update the tag from 'latest' to 'v2'.

4. Monitor the Deployment:
- Observe the rolling update process using 'kubectl get pods -l app=your-application'. You should see new pods with the updated image being created and old pods being terminated.

5. Verify the Update:
- Once the rolling update is complete, use 'kubectl describe deployment your-application-deployment' to verify that the 'updatedReplicas' field matches the 'replicas' field. This confirms that the update was successful.
Question 6
You are building a microservice that requires a specific configuration file to be mounted into the container. This configuration file should be updated without restarting the microservice container. How can you achieve this using Kubernetes?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Use ConfigMaps:
- Create a 'ConfigMap' to store the configuration file.
- Create a YAML file (e.g., 'config.yaml') with your configuration content:

2. Mount the ConfigMap:
- In your 'Deployment' definition, mount the 'ConfigMap' into the container using a volume mount.

3. Update the Configuration:
- Update the 'ConfigMap' directly using 'kubectl patch configmap my-microservice-config --type merge -p '{"data": {"config-json": "updated
- The changes will be reflected in the mounted volume inside the container.

4. Access the Configuration:
- Your microservice code should read the configuration file from the mounted path (e.g., '/etc/config').

Note: This approach avoids restarting the container when you need to update the configuration. The 'ConfigMap' acts as a persistent volume, and changes to its content are automatically reflected in the mounted volume inside the container.
Question 7
You are deploying a microservice application consisting of three components: 'frontend', 'backend', and 'database'. You want to ensure that the 'backend' service is deployed only after the 'frontend' service has successfully started and is healthy. Additionally, the 'database' service should be deployed only after the 'backend' service is ready. How would you implement this deployment strategy using Kubernetes deployments?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define Pre-requisites for Services:
- Create a 'Deployment' for each service ('frontend', 'backend', and 'database').
- For the 'backend' service, define a 'pre-requisite' in the 'dependencies' section of the 'Deployment' object, specifying that the 'frontend' service needs to be healthy and running. This can be achieved using the 'dependsOn' field in the 'spec.template.spec.containers' section of the Deployment.
- Similarly, for the 'database' service, define a 'pre-requisite' specifying that the 'backend' service needs to be healthy and running.
- Example 'frontend' Deployment:

- Example 'backend' Deployment:

- Example 'database' Deployment:

2. Create the Deployments:
- Apply the YAML files using 'kubectl apply -f frontend-deployment.yaml', 'kubectl apply -f backend-deployment.yaml', and 'kubectl apply -f database-deployment.yaml'.

3. Monitor the Deployment Process:
- Use 'kubectl get pods -l app=frontend', 'kubectl get pods -l app=backend', and 'kubectl get pods -l app=database' to monitor the deployment of the pods.
- You will observe that the 'frontend' pods will start first, followed by the 'backend' pods after the 'frontend' pods are healthy. Finally, the 'database' pods will start after the 'backend' pods are healthy.

4. Verify the Deployment Success:
- Use 'kubectl describe deployments frontend-deployment', 'kubectl describe deployments backend-deployment', and 'kubectl describe deployments database-deployment' to verify the successful deployment of each service.
- Confirm that the 'Ready' status of each pod is true.

This strategy ensures that the services are deployed in a predictable and reliable order, ensuring the application's integrity and functionality.
Question 8
Context
You must connect to the correct host. Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00028
Task
A Pod within the Deployment named honeybee-deployment and in namespace gorilla is logging errors.
Look at the logs to identify error messages.
Find errors, including User "system:serviceaccount:gorilla:default" cannot list resource "pods" [ ... ] in the namespace "gorilla"
Update the Deployment honeybee-deployment to resolve the errors in the logs of the Pod.
The honeybee-deployment's manifest file can be found at /home/candidate/prompt-escargot/honey bee-deployment.yaml
Correct Answer:
See the Explanation below for complete solution.
Explanation:
ssh ckad00028
You're seeing RBAC errors like:
User "system:serviceaccount:gorilla:default" cannot list resource "pods" ... in namespace "gorilla"
That means the Pod is running as the default ServiceAccount and needs permission to list pods (and possibly also get/watch).
You must fix it by updating the Deployment (via its manifest file) and giving it the proper RBAC.
1) Confirm the error in logs
kubectl -n gorilla get deploy honeybee-deployment
kubectl -n gorilla logs deploy/honeybee-deployment --tail=200
If it's CrashLooping and you need previous logs:
POD=$(kubectl -n gorilla get pods -l app=honeybee -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || kubectl -n gorilla get pods -o jsonpath='{.items[0].metadata.name}')
kubectl -n gorilla logs "$POD" --previous --tail=200
You should see the "cannot list resource pods" line.
2) Create a dedicated ServiceAccount for the app
(Using a dedicated SA is standard practice; the task wants you to "resolve the errors".)
kubectl -n gorilla create serviceaccount honeybee-sa
kubectl -n gorilla get sa honeybee-sa
3) Create RBAC: Role + RoleBinding (namespaced)
This will allow listing pods in namespace gorilla.
cat <<'EOF' > honeybee-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: honeybee-pod-reader
  namespace: gorilla
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: honeybee-pod-reader-binding
  namespace: gorilla
subjects:
- kind: ServiceAccount
  name: honeybee-sa
  namespace: gorilla
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: honeybee-pod-reader
EOF
Apply it:
kubectl apply -f honeybee-rbac.yaml
Quick verification (optional but very useful):
kubectl auth can-i list pods -n gorilla --as=system:serviceaccount:gorilla:honeybee-sa
Should return yes.
4) Update the Deployment manifest to use the new ServiceAccount
The manifest is at:
/home/candidate/prompt-escargot/honey bee-deployment.yaml
Because there's a space in the filename, quote it.
4.1 Edit the file
cd /home/candidate/prompt-escargot
ls -l
vi "honey bee-deployment.yaml"
In the Deployment YAML, add (or set) this under:
spec.template.spec:
serviceAccountName: honeybee-sa
Example location:
spec:
  template:
    spec:
      serviceAccountName: honeybee-sa
      containers:
      - name: ...
Save and exit.
4.2 Apply the updated manifest
kubectl apply -f "/home/candidate/prompt-escargot/honey bee-deployment.yaml"
5) Ensure rollout succeeds and errors are gone
kubectl -n gorilla rollout status deploy honeybee-deployment
kubectl -n gorilla logs deploy/honeybee-deployment --tail=200
Also confirm the pods now run with the right ServiceAccount:
kubectl -n gorilla get pods -o jsonpath='{range .items[*]}{.metadata.name}{" sa="}{.spec.serviceAccountName}{"\n"}{end}'
You should no longer see the RBAC "cannot list pods" errors.
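The Role and RoleBinding from step 3, evaluated offline, as an added example that is not part of the original solution: a simplified model of namespaced RBAC matching (no ClusterRoles, resourceNames or groups) that shows what honeybee-sa gains and what stays denied. The helper names (can_i, rule_allows, parse_sa) are constructed for illustration.

```python
"""Minimal evaluator for namespaced RBAC (Role + RoleBinding), used to show
what the honeybee-pod-reader Role grants and what it still denies.
Not modelled: ClusterRoles, ClusterRoleBindings, resourceNames, groups."""

# The two objects from honeybee-rbac.yaml, written as Python dicts.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "honeybee-pod-reader", "namespace": "gorilla"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],
}
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "honeybee-pod-reader-binding", "namespace": "gorilla"},
    "subjects": [{"kind": "ServiceAccount", "name": "honeybee-sa",
                  "namespace": "gorilla"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                "name": "honeybee-pod-reader"},
}


def _matches(allowed, value):
    """A rule field matches on an exact entry or the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    """All three of verb, API group and resource must match the same rule."""
    return (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource))


def parse_sa(user):
    """Split 'system:serviceaccount:<namespace>:<name>' into (namespace, name)."""
    parts = user.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"not a ServiceAccount user name: {user}")
    return parts[2], parts[3]


def can_i(user, verb, resource, namespace, roles, bindings, api_group=""):
    """Offline analogue of `kubectl auth can-i` for Roles and RoleBindings."""
    sa_ns, sa_name = parse_sa(user)
    by_name = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        b_ns = b["metadata"]["namespace"]
        if b_ns != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        bound = any(
            s.get("kind") == "ServiceAccount"
            and s.get("name") == sa_name
            and s.get("namespace", b_ns) == sa_ns
            for s in b.get("subjects", [])
        )
        if not bound or b["roleRef"]["kind"] != "Role":
            continue
        role = by_name.get((b_ns, b["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, api_group, resource)
                        for r in role.get("rules", [])):
            return True
    return False  # RBAC is deny by default: no matching rule means no access


if __name__ == "__main__":
    new_sa = "system:serviceaccount:gorilla:honeybee-sa"
    old_sa = "system:serviceaccount:gorilla:default"
    checks = [
        (old_sa, "list", "pods", "gorilla"),      # the error from the logs
        (new_sa, "list", "pods", "gorilla"),      # fixed by the Role
        (new_sa, "delete", "pods", "gorilla"),    # verb not granted
        (new_sa, "list", "secrets", "gorilla"),   # resource not granted
        (new_sa, "get", "pods/log", "gorilla"),   # subresources need their own entry
        (new_sa, "list", "pods", "default"),      # other namespace
    ]
    for user, verb, resource, ns in checks:
        answer = "yes" if can_i(user, verb, resource, ns, [ROLE], [BINDING]) else "no"
        print(f"{answer:3} {user} {verb} {resource} -n {ns}")
```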
Question 9
You're building a microservice architecture that uses a load balancer to distribute traffic across multiple instances of a service. You want to implement a health check mechanism that ensures only healthy instances receive traffic. Design a solution using Kubernetes Liveness probes and a service with a health check configuration.
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define a Liveness Probe in the Deployment:

- Replace 'my-service-image:latest' with your service image.
- Replace '8080' with the port your service listens on.
- Adjust the probe settings as needed.

2. Create a Service with Health Check Configuration:

- 'healthCheckNodePort' is optional, but can be used for external health checks against the service.

3. Apply the YAML Files:
- Apply the Deployment and Service using 'kubectl apply -f deployment.yaml' and 'kubectl apply -f service.yaml'.

4. Verify the Health Checks:
- Check the service logs for liveness probe results.
- If a pod becomes unhealthy, it should be restarted by the liveness probe.
- You can also use 'kubectl get pods -l app=my-service' to check the pod status.

5. Advanced Configuration:
- Use 'exec' or 'httpGet' probes for more complex health check requirements.
- Configure the 'failureThreshold' and 'successThreshold' to adjust the probe's sensitivity.
- Add a 'readinessProbe' to the Deployment for readiness checks that determine when a pod is ready to receive traffic.
Question 10
You are building a data processing pipeline that involves multiple steps. Each step is implemented as a separate container image. The pipeline should run only once, and it should handle errors gracefully by retrying failed steps. How can you design this pipeline using Kubernetes Jobs, and how would you handle error handling and retries?
Correct Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define a Pipeline with Multiple Jobs:
- Create a Job for each stage in your data processing pipeline.
- Each Job should have a dedicated container image specific to its processing step.
2. Implement Error Handling:
- Retry Mechanism: Use the 'backoffLimit' and 'retries' settings within each Job's 'spec.template.spec.containers' to specify the number of retries and the delay between retries for each step.
- Error Logging: Ensure each Job logs errors to a centralized location (e.g., a persistent volume) for debugging and analysis. You can use a sidecar container to collect and process logs.
3. Chain Jobs:
- Use a Kubernetes 'Job' to chain the individual steps, ensuring that each step runs successfully before moving to the next.
- For example, use a script within the first Job's container to trigger the next Job once it completes.
4. Example Code (Simplified):

5. Execute the Pipeline:
- Run the first Job ('data-extraction').
- If it fails, it will retry up to 'backoffLimit' times.
- Once successful, it can trigger the second Job ('data-transformation') using a script in its container or by creating a dependent Job.
6. Monitoring and Logging:
- Use Kubernetes dashboards to monitor the progress of each Job.
- Check logs for error messages and debug failures.
- Implement a centralized logging solution to collect logs from all Jobs.
Note: For more complex pipelines, you can consider using tools like Argo Workflows or Tekton Pipelines for more advanced orchestration and error handling capabilities.
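An added example (not the practice test's own code) of the first pipeline Job with retries, plus the namespaced RBAC that the chaining script from step 3 needs in order to create the next Job. The namespace, ServiceAccount and Role names and the image name are assumptions; 'backoffLimit' is set on the Job's 'spec', which is where the batch/v1 API defines it.

```yaml
# Added example: namespace, account, role and image names are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipeline-runner            # hypothetical name
  namespace: pipeline              # hypothetical namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pipeline-job-creator
  namespace: pipeline
rules:
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create"]              # the chaining script only creates the next Job
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipeline-job-creator
  namespace: pipeline
subjects:
  - kind: ServiceAccount
    name: pipeline-runner
    namespace: pipeline
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipeline-job-creator
---
apiVersion: batch/v1
kind: Job
metadata:
  name: data-extraction
  namespace: pipeline
spec:
  backoffLimit: 4                  # retries before the Job is marked Failed
  activeDeadlineSeconds: 600       # upper bound on run time, retries included
  template:
    spec:
      serviceAccountName: pipeline-runner
      restartPolicy: Never         # each retry is a new pod; failed pods stay for log review
      containers:
        - name: extract
          image: data-extraction-image:latest   # assumed image name
          # The container's script creates the data-transformation Job on success.
```

The delay between retries is the Job controller's own exponential back-off. The 'data-transformation' Job has the same shape and, as the last step, can run without the Job-creating ServiceAccount.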