Daniel

Certified Kubernetes Administrator (v1.29)

Cluster Architecture, Installation & Configuration

Manage role based access control(RBAC)

  1. User (RoleBinding subject is kind: User) — RBAC with Kubernetes in Minikube. 1.1 Generate a private key using OpenSSL (this key is the user's credential: keep it mode 0600 and never commit it)
     openssl genrsa -out daniel.key 2048
    

    1.2 Generate a Certificate Signing Request (CSR). The CN becomes the Kubernetes username and each O becomes a group; never use O=system:masters, because the API server treats that group as cluster-admin regardless of RBAC.

     openssl req -new -key daniel.key -out daniel.csr -subj "/CN=daniel/O=dev"
    

    1.3 Sign the CSR with the cluster CA (in a kubeadm cluster the CA lives in /etc/kubernetes/pki). Handling ca.key by hand is a lab shortcut: in production submit the CSR through the CertificateSigningRequest API and approve it with kubectl certificate approve, and keep the validity short because an issued client certificate cannot be revoked.

     # NOTE(review): 500 days is a long lifetime for a credential the API server cannot revoke;
     # this lab signs with ca.key directly, which is not how production users should be issued.
     openssl x509 -req -in daniel.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out daniel.crt -days 500
    

    1.4 Set a user entry in kubeconfig

     kubectl config set-credentials daniel --client-certificate=daniel.crt --client-key=daniel.key
    

    1.5 Set a context entry in kubeconfig

     kubectl config set-context daniel-context --cluster=minikube --user=daniel
    

    1.6 Test it

     kubectl config use-context daniel-context
     kubectl create ns ns-test
     will fail with "Forbidden": the CA-signed certificate authenticates daniel, but no RBAC binding authorizes anything yet.
    

    Apply this manifest (role-and-binding.yaml) from the admin context; it grants read-only access to pods in the default namespace and nothing else.

     # Namespaced Role: read-only access to pods in the "default" namespace and nowhere else.
     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       namespace: default
       name: pod-reader
     rules:
     - apiGroups: [""]   # "" is the core API group, where pods live
       resources: ["pods"]   # pods only; pods/exec and pods/log are separate subresources and stay denied
       verbs: ["get","watch","list"]   # no create/update/delete
    
     ---
     # Binds the Role to a single user. Users are not API objects: "name" must equal the
     # CN of the client certificate the cluster CA signed for them.
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: read-pods
       namespace: default   # a RoleBinding only grants access inside its own namespace
     subjects:
     - kind: User # !!!!!!!  the subject kind is the only thing that differs between the three examples
       name: daniel
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: Role
       name: pod-reader
       apiGroup: rbac.authorization.k8s.io
    
     kubectl config use-context minikube
     kubectl apply -f role-and-binding.yaml
     kubectl config use-context daniel-context
     kubectl create ns ns-test
     will still fail: the Role only covers pods in the default namespace, and namespaces are cluster-scoped.
    
     kubectl get pods
     will succeed (pods in the default namespace only; kubectl get pods -n kube-system is still Forbidden).
    
  2. Group (RoleBinding subject is kind: Group). 2.1 Generate a private key using OpenSSL (this key is the user's credential: keep it mode 0600 and never commit it)
     openssl genrsa -out daniel.key 2048
    

    2.2 Generate a Certificate Signing Request (CSR). The CN becomes the Kubernetes username and each O becomes a group; never use O=system:masters, because the API server treats that group as cluster-admin regardless of RBAC.

     openssl req -new -key daniel.key -out daniel.csr -subj "/CN=daniel/O=dev"
    

    2.3 Sign the CSR with the cluster CA (in a kubeadm cluster the CA lives in /etc/kubernetes/pki). Handling ca.key by hand is a lab shortcut: in production submit the CSR through the CertificateSigningRequest API and approve it with kubectl certificate approve, and keep the validity short because an issued client certificate cannot be revoked.

     # NOTE(review): 500 days is a long lifetime for a credential the API server cannot revoke;
     # this lab signs with ca.key directly, which is not how production users should be issued.
     openssl x509 -req -in daniel.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out daniel.crt -days 500
    

    2.4 Set a user entry in kubeconfig

     kubectl config set-credentials daniel --client-certificate=daniel.crt --client-key=daniel.key
    

    2.5 Set a context entry in kubeconfig

     kubectl config set-context daniel-context --cluster=minikube --user=daniel
    

    2.6 Test it

     kubectl config use-context daniel-context
     kubectl create ns ns-test
     will fail with "Forbidden": the CA-signed certificate authenticates daniel, but no RBAC binding authorizes anything yet.
    

    Apply this manifest (role-and-binding.yaml) from the admin context; it grants read-only access to pods in the default namespace to every member of group dev.

     # Namespaced Role: read-only access to pods in the "default" namespace and nowhere else.
     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       namespace: default
       name: pod-reader
     rules:
     - apiGroups: [""]   # "" is the core API group, where pods live
       resources: ["pods"]   # pods only; pods/exec and pods/log are separate subresources and stay denied
       verbs: ["get","watch","list"]   # no create/update/delete
    
     ---
     # Binds the Role to a group. "name" must equal the O of the client certificate; every
     # certificate the cluster CA issues with O=dev inherits this binding, so group membership
     # is effectively decided at signing time and cannot be taken away per user afterwards.
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: read-pods
       namespace: default   # a RoleBinding only grants access inside its own namespace
     subjects:
     - kind: Group # !!!!!!!  the subject kind is the only thing that differs between the three examples
       name: dev
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: Role
       name: pod-reader
       apiGroup: rbac.authorization.k8s.io
    
     kubectl config use-context minikube
     kubectl apply -f role-and-binding.yaml
     kubectl config use-context daniel-context
     kubectl create ns ns-test
     will still fail: the Role only covers pods in the default namespace, and namespaces are cluster-scoped.
    
     kubectl get pods
     will succeed, because daniel's certificate carries O=dev and the binding targets that group.
    
  3. ServiceAccount (RoleBinding subject is kind: ServiceAccount) — Kubernetes RBAC with a service account, the identity used by workloads rather than people. 3.1 Create the namespace
     kubectl create namespace dev
    

    3.2 Create service account (service-account.yaml)

     # Service account for in-cluster workloads in namespace dev; a pod runs as it by
     # setting spec.serviceAccountName (see kubectl-pod.yaml below).
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       name: daniel
       namespace: dev
    
     kubectl apply -f service-account.yaml
    

    3.3 Create role and rolebinding (role-and-binding.yaml)

     # Namespaced Role: read-only access to pods in "dev" only. Cluster-scoped resources
     # such as nodes can never be granted by a Role, which is why "kubectl get nodes" fails below.
     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       namespace: dev
       name: pod-reader
     rules:
     - apiGroups: [""]   # "" is the core API group, where pods live
       resources: ["pods"]   # pods only; pods/exec and pods/log are separate subresources and stay denied
       verbs: ["get","watch","list"]   # no create/update/delete
    
     ---
     # Binds the Role to a service account. Unlike User/Group subjects, a ServiceAccount is a
     # namespaced API object, so the subject carries a namespace and no apiGroup.
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: read-pods
       namespace: dev
     subjects:
     - kind: ServiceAccount # !!!!!!!  the subject kind is the only thing that differs between the three examples
       name: daniel
       namespace: dev
     roleRef:
       kind: Role
       name: pod-reader
       apiGroup: rbac.authorization.k8s.io
    
     kubectl apply -f role-and-binding.yaml    
    

    3.4 Test it: create a pod that runs as the service account (kubectl-pod.yaml)

     # Pod that runs as the "daniel" service account; the account's token is mounted into the
     # container and is what kubectl inside uses to authenticate to the API server.
     apiVersion: v1
     kind: Pod
     metadata:
       name: kubectl-pod
       namespace: dev
     spec:
       containers:
       - name: kubectl
         # NOTE(review): third-party image on a floating "latest" tag — pin a digest (image@sha256:...)
         # for anything beyond a throwaway test; whatever runs here holds the service-account token.
         image: bibinwilson/docker-kubectl:latest
       serviceAccountName: daniel
    
     kubectl apply -f kubectl-pod.yaml
     kubectl exec -it -ndev kubectl-pod -- /bin/bash
    
     root@kubectl-pod:/# kubectl get pods -n dev
     will succeed (the mounted service-account token authenticates as system:serviceaccount:dev:daniel, which the RoleBinding covers)
    
     root@kubectl-pod:/# kubectl get nodes
     will fail with "Forbidden": nodes are cluster-scoped, so a namespaced Role/RoleBinding can never grant them (that would need a ClusterRole plus ClusterRoleBinding)
    

Use kubeadm to install a basic cluster

Manage a highly-available Kubernetes cluster

Provision underlying infrastructure to deploy a Kubernetes cluster

Perform a version upgrade on a Kubernetes cluster using Kubeadm

Implement etcd backup and restore

  1. Install etcdctl (etcd 3.5+ also ships etcdutl, the recommended tool for the offline snapshot restore step)
  2. Find the kubelet config (/var/lib/kubelet/config.yaml) and its staticPodPath, the directory where the etcd and kube-apiserver static-pod manifests live
  3. Find the etcd CA, cert and key paths in the etcd static-pod manifest /etc/kubernetes/manifests/etcd.yaml (the --trusted-ca-file, --cert-file and --key-file flags)
  4. backup: ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/var/lib/minikube/certs/etcd/ca.crt --cert=/var/lib/minikube/certs/etcd/server.crt --key=/var/lib/minikube/certs/etcd/server.key snapshot save today.db (verify with etcdctl snapshot status today.db; the snapshot contains every Secret in the cluster, which is only base64-encoded unless encryption at rest is configured, so protect the file like the etcd key itself)
  5. Stop the API server before restoring: move kube-apiserver.yaml out of staticPodPath (the kubelet then stops the static pod) and move it back only after the restore in step 7 has finished
  6. Look up the etcd data dir (--data-dir and the matching hostPath volume) in /etc/kubernetes/manifests/etcd.yaml. Do not rm the live directory: move it aside (or restore into a fresh directory and repoint the manifest) so it can be put back if the restore fails
  7. restore: ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/var/lib/minikube/certs/etcd/ca.crt --cert=/var/lib/minikube/certs/etcd/server.crt --key=/var/lib/minikube/certs/etcd/server.key snapshot restore --data-dir=/var/lib/minikube/etcd today.db (restore is an offline operation, so the --endpoints/--cacert/--cert/--key flags are not needed; the target --data-dir must not already exist, and on etcd 3.5+ use etcdutl snapshot restore). Then move the kube-apiserver manifest back and confirm the cluster state with kubectl get pods -A

Workload & Scheduling

Understand deployments and how to perform rolling update and rollbacks

Use ConfigMaps and Secrets to configure applications

Know how to scale applications