Source: https://github.com/cncf/curriculum/blob/master/CKA_Curriculum_V1.14.1.pdf
Last active
October 12, 2019 21:50
"Performance-based" (practical) test; the certification is valid for 3 years and can be revoked.
- 3 hours duration, 74% score required, total of 24 questions.
- 6 kubernetes clusters w/ varying numbers of containers.
- Allowed to access:
- It is your responsibility to not click on a domain that is not allowed.
Master
- API server: exposes the API (the only component that talks to etcd)
- Scheduler: schedules pods onto nodes
- Controller Manager (+ cloud controller manager): runs the control loops (replication, endpoints, node, service-account controllers, etc.)
- etcd: datastore

Worker
- kubelet
- kube-proxy
- container runtime (implements CRI)
Addons
- DNS (required): coredns
- network (required?): calico / flannel / loopback
Get nodes: kubectl get nodes
Get control plane status: kubectl get componentstatuses (short name: kubectl get cs)
Get control plane components: kubectl get all -n kube-system
Every object has:
- apiVersion
- kind
- metadata
- spec
- status
kubectl is used to interact with the API server, which is the gateway to the data store (etcd); nothing else should read or write etcd directly.
- Pods have an IP assigned.
- Endpoints group the IPs of the pods targeted by a Service.
  - Endpoints are automatically created iff the service has a selector.
  - One can also manually create an Endpoints object with the same name (and namespace) as a selector-less service to route the service IP to non-pod IPs (e.g. an external database).
- Services decouple consumers from replicated pods, and also have an IP assigned (at creation time).
  - Label selectors define the target set of pods.
  - Ports define the destination ports for the service IP.
  - Types:
    - Type=ClusterIP: assigns a virtual IP ("cluster IP"), reachable only from inside the cluster.
    - Type=NodePort: reserves a port on every node (regardless of whether that node runs a pod targeted by the service) and routes that port on each node's IP to the service's endpoints.
    - Type=LoadBalancer: uses the cloud controller to create an external load balancer (e.g. an ELB on AWS); a NodePort is also allocated for the service and the load balancer forwards to it.
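The selector-less Service plus hand-written Endpoints pattern above has a few pairing rules that are easy to get wrong (same name and namespace, no selector, matching port names, no loopback or link-local addresses). The following is an added example, not code from these notes or from Kubernetes: it builds the two manifests as plain dicts and checks those rules before you `kubectl apply` them. The sample address 10.20.30.40 and the port-name check are assumptions for illustration; the special-address rule mirrors the apiserver's documented rejection of loopback, link-local, unspecified and multicast endpoint IPs, reimplemented here with the stdlib.

```python
"""Build a selector-less Service and a matching Endpoints object that route a
cluster IP to addresses outside the cluster, and check the pairing rules before
applying. Added example for these notes, not Kubernetes code."""
import ipaddress
import json


def external_service(name, namespace, addresses, port, target_port=None):
    """Return [Service, Endpoints] manifests.

    The Service has no selector, so the endpoints controller leaves it alone and
    the Endpoints object we write (same name, same namespace) is what kube-proxy
    programs into iptables/ipvs for the cluster IP."""
    target_port = target_port or port
    service = {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "type": "ClusterIP",
            "ports": [{"name": "main", "protocol": "TCP",
                       "port": port, "targetPort": target_port}],
        },
    }
    endpoints = {
        "apiVersion": "v1",
        "kind": "Endpoints",
        "metadata": {"name": name, "namespace": namespace},
        "subsets": [{
            "addresses": [{"ip": ip} for ip in addresses],
            "ports": [{"name": "main", "protocol": "TCP", "port": target_port}],
        }],
    }
    return [service, endpoints]


def check_pairing(service, endpoints):
    """Return a list of problems; an empty list means the pair is consistent.

    Rules: Endpoints must share name/namespace with the Service (that is the only
    link, there is no selector); the Service must not carry a selector, or the
    endpoints controller overwrites the hand-written object; endpoint port names
    must match the Service port names; endpoint IPs may not be loopback,
    link-local, unspecified or multicast (the apiserver rejects those)."""
    problems = []
    s_meta, e_meta = service["metadata"], endpoints["metadata"]
    if (s_meta["name"], s_meta.get("namespace", "default")) != \
            (e_meta["name"], e_meta.get("namespace", "default")):
        problems.append("Service and Endpoints name/namespace differ")
    if service["spec"].get("selector"):
        problems.append("Service has a selector; the endpoints controller will manage Endpoints instead")
    svc_port_names = {p.get("name", "") for p in service["spec"]["ports"]}
    for subset in endpoints.get("subsets", []):
        for p in subset.get("ports", []):
            if p.get("name", "") not in svc_port_names:
                problems.append(f"endpoint port {p.get('name', '')!r} has no matching service port")
        for addr in subset.get("addresses", []):
            try:
                ip = ipaddress.ip_address(addr["ip"])
            except ValueError:
                problems.append(f"invalid IP {addr['ip']!r}")
                continue
            if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
                problems.append(f"special address {ip} is not allowed in Endpoints")
    return problems


def render(manifests):
    """kubectl apply -f accepts JSON as well as YAML; one document per object."""
    return "\n".join(json.dumps(m, indent=2) for m in manifests)


if __name__ == "__main__":
    svc, ep = external_service("legacy-db", "prod", ["10.20.30.40"], 5432)  # constructed sample
    problems = check_pairing(svc, ep)
    print(render([svc, ep]) if not problems else "\n".join(problems))
```

Pipe the rendered output into `kubectl apply -f -`; because the Service has no selector, `kubectl get endpoints legacy-db -n prod` will keep showing exactly the addresses you wrote rather than anything the endpoints controller computes.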
kube-proxy implements a form of virtual IP for Services. 3 proxy modes are supported (v1.8+): userspace, iptables (default), and ipvs.
kube-proxy in iptables mode watches for addition/removal of Service and Endpoints objects and manages iptables rules to redirect traffic to one of the pods, chosen at random.
Useful docs:
- https://kubernetes.io/docs/concepts/services-networking/service/
- https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-iptables
users:
- service account: managed via the API server (ServiceAccount objects; the token is mounted into pods)
- external: everything else (normal users are not API objects; they are whatever the configured authenticators vouch for)
apiserver
- secure port (--secure-port, default 6443): authentication, authorization, admission, validation, storage
- insecure port (--insecure-port, default 8080): admission, validation, storage only; requests on it skip authentication and authorization entirely, so anyone who can reach it is effectively cluster-admin. It binds to localhost by default; keep it disabled (--insecure-port=0) and never expose it.
- for each request: transport, authentication, authorization, admission, validation
  - transport: TLS, usually with a certificate issued by a cluster-internal (self-signed) CA
- authentication:
  - X509: --client-ca-file configured
    - username: cert's subject Common Name (CN)
    - group(s): cert's subject Organization (O) entries
  - Static token: --token-auth-file is a CSV file containing: token,user,uid,"group-1,group-N"
    - token is sent as a bearer token (Authorization: Bearer <token>)
    - the file is read once at startup; changing it requires an apiserver restart, and tokens never expire
  - Bootstrap Tokens (beta): --enable-bootstrap-token-auth configured and the TokenCleaner controller enabled.
    - token is sent as a bearer token (Authorization: Bearer <token>)
    - tokens are Secrets in the kube-system namespace with type=bootstrap.kubernetes.io/token, and are usually managed via kubeadm token
    - can be used to sign a ConfigMap with cluster-info config to bootstrap (TLS) trust
  - Static password: --basic-auth-file is a CSV file containing: password,user,uid,"group-1,group-N"
    - user/password is sent via HTTP Basic Auth (Authorization: Basic BASE64ENCODED(<user>:<password>))
    - passwords sit in plaintext in the file and, like the token file, are only read at startup; avoid outside throwaway clusters
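The two file-backed authenticators above (static token and static password) share one CSV layout and differ only in which column is the secret and how the credential arrives in the Authorization header. The block below is an added example, not the apiserver's code: a stdlib reimplementation of the documented formats that turns a header into the user/uid/groups the apiserver would see, rejecting malformed headers and unknown credentials. The sample tokens, users and the "hunter2" password are constructed; the constant-time comparison is added hardening, not how the upstream file authenticators (plain map lookups) behave.

```python
"""Model of the apiserver's static token file and basic-auth file authenticators.
Added example for these notes; not Kubernetes code.

  --token-auth-file : token,user,uid,"group-1,group-N"
  --basic-auth-file : password,user,uid,"group-1,group-N"

uid and the groups column are optional; groups are one quoted, comma-separated field."""
import base64
import binascii
import csv
import hmac
import io


def parse_rows(text):
    """Parse the shared CSV layout into dicts; blank lines and '#' comments are skipped."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 2:
            raise ValueError(f"need at least secret,user: {row!r}")
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        rows.append({"secret": row[0], "user": row[1],
                     "uid": row[2] if len(row) > 2 else "", "groups": groups})
    return rows


def load_token_file(text):
    """--token-auth-file: keyed by the token (column 0)."""
    return {r["secret"]: r for r in parse_rows(text)}


def load_basic_file(text):
    """--basic-auth-file: keyed by the username (column 1); the password is the secret."""
    return {r["user"]: r for r in parse_rows(text)}


def _identity(entry):
    return {"user": entry["user"], "uid": entry["uid"], "groups": list(entry["groups"])}


def _split_scheme(header, scheme):
    """Return the credential part of 'Authorization: <scheme> <credential>' or None."""
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != scheme or not parts[1].strip():
        return None
    return parts[1].strip()


def authenticate_bearer(tokens, authorization_header):
    """Static token auth. Returns {"user","uid","groups"} or None."""
    presented = _split_scheme(authorization_header, "bearer")
    if presented is None:
        return None
    found = None
    # Compare against every entry in constant time (added hardening; upstream does a map lookup).
    for stored, entry in tokens.items():
        if hmac.compare_digest(stored.encode(), presented.encode()):
            found = entry
    return _identity(found) if found else None


def authenticate_basic(passwords, authorization_header):
    """Static password auth: 'Basic base64(user:password)'. Returns identity or None."""
    presented = _split_scheme(authorization_header, "basic")
    if presented is None:
        return None
    try:
        decoded = base64.b64decode(presented, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    entry = passwords.get(user)
    if entry is None or not hmac.compare_digest(entry["secret"].encode(), password.encode()):
        return None
    return _identity(entry)


# Constructed sample files; these are not real credentials.
TOKEN_FILE = (
    "# constructed sample\n"
    '31ada4fd-adec-460c-809a-9e56ceb75269,alice,1001,"system:masters,devs"\n'
    "e1f9c2b0-0f2e-4d3c-9c4a-5b6a7c8d9e0f,ci-bot,1002\n"
)
BASIC_FILE = 'hunter2,bob,2001,"devs"\n'

if __name__ == "__main__":
    print(authenticate_bearer(load_token_file(TOKEN_FILE),
                              "Bearer 31ada4fd-adec-460c-809a-9e56ceb75269"))
```

Note what the first sample row demonstrates: a group column of `system:masters` makes that static token a cluster-admin credential that never expires and cannot be revoked without editing the file and restarting the apiserver, which is why these files belong only in lab clusters.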
- authorization:
- admission:
- validation:
- persistence: