Introduction#

this section show

  • question 10 ConfigMap
  • question 11 Secret
  • question 12 Security Context
  • question 13 Resource Quota
  • Question 14 Service Account
  • Question 11b Secret

Question 10 ConfigMap#

ckad question 3
  • create a new file named config.txt with environment varialbes as key/value pairs
  • DB_URL=localhost:1443, DB_USERNAME=postgres
  • create a new configmap named db-config
  • create a pod named sqlsrv that uses that environment varialbes from the configmap and runs a container using image of nginx
  • shell into the pod and display the created environment varialbes

create configmap

kubectl create configmap db-config --from-env-file=config.txt

double check

kubectl get configmap db-config

describe the configmap

kubectl describe configmap db-config

create a pod

kubectl create sqlsrv --image=nginx --dry-run=client --output=yaml > q2.yaml

edit to load environment varialbes from configmap

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: sqlsrv
  name: sqlsrv
spec:
  containers:
    - image: nginx
      name: sqlsrv
      resources: {}
      envFrom:
        - configMapRef:
            name: db-config
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

create the pod

kubectl create -f q2.yaml

shell into the pod and echo environment varialbes

kubectl exec sqlsrv -it -- /bin/sh

echo the environment varialbes

echo $DB_URL
echo $DB_USERNAME

another option

kubectl exec sqlsrv -it -- env

delete the sqlsrv pod

kubectl delete -f q2.yaml

delete the config map

kubectl delete configmap db-config

Question 11 Secret#

ckad question 3
  • create a secrete from literal values
  • create a secrete named db-credentials with key/value pair db-password=speed
  • create a pod named sqlsrv that uses the secrete as environment variable named DB_PASSWORD and run the container with the image nginx
  • shell into the pod and print out the created environment variables

create a secrete from literal

kubectl create secret generic db-crendetials --from-literal=db_password=speed

double check

kubectl get secret db-crendetials

create a pod

kubectl run sqlsrv --image=nginx --dry-run=client --output=yaml > q3.yaml

create the DB_PASSWORD environment and refer to the secret variables

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: sqlsrv
  name: sqlsrv
spec:
  containers:
    - image: nginx
      name: sqlsrv
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: db_password
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

double check

kubectl get pods

shell into the pod

kubectl exec sqlsrv -it -- /bin/sh

and echo the DB_PASSWORD

echo $DB_PASSWORD

delete pods

kubectl delete -f q3.yaml

delete credentials the secret in kubectl

kubectl delete secret db-credentials

Question 12 Security Context#

ckad question 3
  • create a pod named secured that uses the image nginx
  • mount an emptyDir volume to the directory /data/app
  • files created on the volume should use the filesystem group ID 3000
  • shell to the running container and create new file named logs.txt in the directory/data/dapp
  • list the contents of the directory and write them down

create a pod

kubectl run secured --image=nginx --dry-run=client --output=yaml > q4.yaml

edit the yaml

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: secured
  name: secured
spec:
  securityContext:
    fsGroup: 3000
  containers:
    - image: nginx
      name: secured
      resources: {}
      volumeMounts:
        - name: data-vol
          mountPath: /data/app
  volumes:
    - name: data-vol
      emptyDir: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

then shell into the pod

kubectl exec secured -it -- /bin/sh

create data in /data/app

cd /data/app

create a file and check

touch logs.txt

check

ls -l logs.txt

delete the pod

kubectl delete -f q4.yaml

Question 13 Resource Quota#

ckad question 3
  • create a resource quota named app under the namespace rq-demo
  • use the file named rq.yaml
  • create a new pod the exceeds the limits of the resource quota be defining 1G of memory
  • note the error
  • change the requests limit to fulfill the requirements to ensure that the pod can be created successfully

create a namespace rq-demo

kubectl create namespace rq-demo

create resource quota

kubectl create quota app --hard=cpu=1,memory=500m,pods=2 --namespace=rq-demo --dry-run=client --output=yaml > rq5.yaml

apply

kubectl create -f rq5.yaml

double check

kubectl get quota rq-demo --namespace=rq-demo

create a pod which exceeds the quota

kubectl run highpod --image=nginx --dry-run=client --output=yaml > q5.yaml

then edit the q5.yaml with resource requests and limit (optional)

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: highpod
  name: highpod
  namespace: rq-demo
spec:
  containers:
    - image: nginx
      name: highpod
      resources:
        requests:
          memory: '256m'
          cpu: '1'
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

create and get error due to exceeds the quota

kubectl create -f q5.yaml --namespace=app

lowever the request in q5.yaml and create the pod again

Question 14 Service Account#

ckad question 14
  • create a new service account named backend-team
  • print out the token for the service account in YAML format
  • create a pod named backend that uses the image nginx and the identity backend-team for running processes
  • shell to the running container and print out the token of the service account

create a service account

kubectl create serviceaccount backend-team

double check

kubectl get serviceaccount

print out token of the serviceaccount

kubectl get serviceaccount --output=yaml

create a pod named backend that uses the image nginx and the identity backend-team for running processes

kubectl run backend --image=nginx --dry-run=client --output=yaml

then update the yaml file

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: backend
  name: backend
spec:
  serviceAccountName: backend-team
  containers:
    - image: nginx
      name: backend
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

apply

kubectl create -f q6.yaml

shell into and check

kubectl exec backend -it -- /bin/sh

find the token

cd var/run/secrets/kubernetes.io/serviceaccount

and cat the token

cat token

Question 11b Secret#

  • create a deployment with the name secret service
  • use image of alpine
  • create a secret which uses two variables username=trixie and password=mach5
  • these variables must be added as a volume in the pod
ckad question 14
  • these variables must be added as a volume in the pod

create a deployment yaml

kubectl create deployment secretservice --image=alpine --dry-run=client --output=yaml > q10.yaml

create a secret with two variables

kubectl create secret generic my-secret --from-literal=username=trixie --from-literal=password=mach5

double check

kubectl get secret

describe secret

kubectl describe secret my-secret

update the deployment yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: secretservice
  name: secretservice
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secretservice
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: secretservice
    spec:
      containers:
        - image: alpine
          name: alpine
          command: ['sleep', '10000']
          volumeMounts:
            - name: secret-vol
              mountPath: '/etc/users'
          resources: {}
      volumes:
        - name: secret-vol
          secret:
            secretName: my-secret
status: {}

deploy or apply

kubectl create -f q10.yaml

then double check

kubectl describe deployment secretservice

or shell into the pod

kubectl exec PODNAME -it -- /bin/sh

then find the secret variables in

cd /etc/users

should see password and username here