Source: https://github.com/cncf/curriculum/blob/master/CKA_Curriculum_V1.14.1.pdf
Last active: October 12, 2019 21:50
- Valid for 3 years and can be revoked
- "Performance-based" test (practical)
- 3 hours duration, 74% score required, total of 24 questions.
- 6 kubernetes clusters w/ varying numbers of containers
- Allowed to access:
- It is your responsibility to not click on a domain that is not allowed.
Master
- API server: exposes API
- Scheduler: schedule pods
- Controller Manager (+ cloud controller mgr):
- etcd: datastore
Worker
- kubelet
- kube-proxy
- container runtime (implements CRI)
Addons
- DNS (required): coredns
- network (required?): calico/flannel/loopback
Get nodes: kubectl get nodes
Get control plane status: kubectl get componentstatuses
Get control plane components: kubectl get all -n kube-system
Every object has:
- apiVersion
- kind
- metadata
- spec
- status
kubectl is used to interact with the API server, which is the gateway to the data store (etcd).
- Pods have an IP assigned
- Endpoints group IPs of pods targeted by a Service.
- Endpoints are automatically created iff the service has a selector.
- One can also manually create an Endpoint that matches a service name to route to non-virtual IPs.
- Services decouple consumers from replicated pods, and also have an IP assigned (at creation time).
- Label selectors define the target set of pods
- Ports define destination ports for the service IP
- Types
  - Type=ClusterIP: assigns a virtual IP ("cluster IP")
  - Type=NodePort: reserves a port on every node (regardless of whether the node has a pod targeted by the service) and routes that port on each node's IP to the service's endpoints.
  - Type=LoadBalancer: uses the cloud-controller to create an ELB and assigns a NodePort to the service.
kube-proxy implements a form of virtual IP for Services. 3 proxy modes are supported (v1.8+): userspace, iptables (default), and ipvs.
kube-proxy in iptables mode watches for addition/removal of Service and Endpoint objects and manages iptables rules to redirect traffic to one of the pods at random.
Useful docs:
- https://kubernetes.io/docs/concepts/services-networking/service/
- https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-iptables
users:
- service account: managed via API server
- external: everything else
apiserver
- secure port (--secure-port, default 6443): authentication, authorization, admission, validation, storage
- insecure port (--insecure-port, default 8080): admission, validation, storage
- for each request: transport, authentication, authorization, admission, validation
- transport: TLS with self-signed certificate (usually)
- authentication:
  - X509: --client-ca-file configured
    - username: cert's subject Common Name (CN)
    - group(s): cert's subject Organization (O)
  - Static token: --token-auth-file is a CSV file containing: token, user, uid, "group-1, group-N"
    - token is sent as a bearer token (Authorization: Bearer <token>)
  - Bootstrap Tokens (beta): --enable-bootstrap-token-auth configured and TokenCleaner controller enabled.
    - token is sent as a bearer token (Authorization: Bearer <token>)
    - tokens are Secrets with type=bootstrap.kubernetes.io/token, and usually managed via kubeadm token
    - can be used to sign a ConfigMap with cluster-info config to bootstrap (TLS) trust
  - Static password: --basic-auth-file is a CSV file containing: password, user, uid, "group-1, group-N"
    - user/password is sent via HTTP Basic Auth (Authorization: Basic BASE64ENCODED(<user>:<password>))
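To make the two static-file formats concrete, here is an added example (my own, not from the gist or from Kubernetes) that parses the token and basic-auth CSV shapes and resolves an Authorization header to (user, uid, groups) the way the static-token and basic-auth authenticators would; all tokens, users and passwords are constructed, and the assumption that basic auth is matched by looking up the user and then comparing the password is mine.

```python
import base64
import csv
import hmac
import io

# Constructed sample --token-auth-file (not from a real cluster).
# Columns: token, user, uid, optional quoted comma-separated group list.
TOKEN_FILE = """\
31ada4fd-adec-460c-809a-9e56ceb75269,alice,u-1001,"system:masters,dev"
c3f0b6e1-0000-4000-8000-000000000002,bob,u-1002
"""
# Constructed sample --basic-auth-file. Columns: password, user, uid, optional groups.
BASIC_FILE = """\
hunter2,carol,u-1003,"dev,qa"
"""

def parse_auth_file(text):
    """Yield (secret, (user, uid, groups)) per row of either CSV file."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # malformed row: skip rather than guess
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        yield row[0].strip(), (row[1].strip(), row[2].strip(), groups)

# Static tokens are looked up by the token itself; basic-auth entries by user name.
TOKENS = dict(parse_auth_file(TOKEN_FILE))
PASSWORDS = {info[0]: (secret, info) for secret, info in parse_auth_file(BASIC_FILE)}

def basic_header(user, password):
    """Authorization value a client sends for HTTP Basic Auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(authorization):
    """Resolve an Authorization header to (user, uid, groups), or None if nothing matches."""
    if not authorization:
        return None
    scheme, _, cred = authorization.partition(" ")
    if scheme == "Bearer":
        return TOKENS.get(cred.strip())
    if scheme == "Basic":
        try:
            user, _, password = base64.b64decode(cred, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        stored = PASSWORDS.get(user)
        # constant-time compare so a wrong password does not leak timing information
        if stored and hmac.compare_digest(stored[0].encode(), password.encode()):
            return stored[1]
    return None
```

Because both files hold the secrets in plaintext and are only re-read on apiserver restart, the same lookup shows why a leaked row cannot be rotated without a control-plane restart.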