Estimated duration: 15 minutes
Objective: Practice inspecting existing Kubernetes resources and generating YAML for new resources without creating them in the cluster.
Context: You are working on a Kubernetes cluster.
Instructions:
1. A Pod named utils-pod has been deployed in the default namespace using the image busybox:1.36 and the command sh -c "sleep 3600". Retrieve its full YAML definition and save it to /opt/cka_exercises/Ex1/pod_utils_definition.yaml.
(The Pod can be created with: kubectl run utils-pod --image=busybox:1.36 -- sh -c "sleep 3600")
2. Generate, without creating it in the cluster, the YAML definition of a Deployment named web-frontend in the default namespace, using the nginx:1.27 image with 2 replicas. Save it to /opt/cka_exercises/Ex1/deployment_web-frontend_definition.yaml.
3. List all namespaced API resources (e.g., pods, deployments). The list should be sorted by resource name. Save this list to /opt/cka_exercises/Ex1/namespaced_api_resources.txt.
Solution:
1. Retrieving the Pod's YAML:
First, make sure the Pod exists (this step is only for your own testing; in an exam it would already exist):
# This command is for self-testing, in case the pod does not exist
kubectl run utils-pod --image=busybox:1.36 -- sh -c "sleep 3600"
# Wait until it is Running if you have just created it.
Then retrieve and save its YAML:
mkdir -p /opt/cka_exercises/Ex1
kubectl get pod utils-pod -n default -o yaml > /opt/cka_exercises/Ex1/pod_utils_definition.yaml
2. Generating the Deployment YAML (dry run):
kubectl create deployment web-frontend --image=nginx:1.27 --replicas=2 --namespace=default \
--dry-run=client -o yaml > /opt/cka_exercises/Ex1/deployment_web-frontend_definition.yaml
3. Listing the namespaced API resources:
kubectl api-resources --namespaced=true --sort-by=name > /opt/cka_exercises/Ex1/namespaced_api_resources.txt
Estimated duration: 25 minutes
Objective: Configure Role-Based Access Control (RBAC) to grant a user specific permissions within a designated namespace.
Context: A new developer, david.lee
, needs permissions to view Pods and their logs, but not modify them, in a new namespace called frontend-apps
.
Instructions:
1. Create a Namespace named frontend-apps. Save the manifest to /opt/cka_exercises/Ex2/namespace.yaml and apply it.
2. Create a Role named pod-log-viewer within the frontend-apps namespace. It must grant:
- get, list, watch on pods resources.
- get, list, watch on pods/log resources.
Save the manifest to /opt/cka_exercises/Ex2/role_pod-log-viewer.yaml and apply it.
3. Create a RoleBinding named david-access-binding in the frontend-apps namespace that binds the pod-log-viewer Role to a User named david.lee. Save the manifest to /opt/cka_exercises/Ex2/rolebinding_david-access.yaml and apply it.
4. Verify the permissions of david.lee using kubectl auth can-i:
- Check whether david.lee can list pods in frontend-apps.
- Check whether david.lee can delete pods in frontend-apps.
Save the commands and their results (yes or no) in /opt/cka_exercises/Ex2/verification_results.txt.
Solution:
1. Creating the Namespace:
File /opt/cka_exercises/Ex2/namespace.yaml:
apiVersion: v1
kind: Namespace
metadata:
  name: frontend-apps
Apply it:
mkdir -p /opt/cka_exercises/Ex2
kubectl apply -f /opt/cka_exercises/Ex2/namespace.yaml
2. Creating the pod-log-viewer Role:
Imperative method (k is an alias for kubectl): k create role pod-log-viewer -n frontend-apps -o yaml --dry-run=client --verb "get" --verb "list" --verb "watch" --resource "pods" --resource "pods/log"
(Declarative) File /opt/cka_exercises/Ex2/role_pod-log-viewer.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: frontend-apps
  name: pod-log-viewer
rules:
- apiGroups: [""] # core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
Apply it:
kubectl apply -f /opt/cka_exercises/Ex2/role_pod-log-viewer.yaml
3. Creating the david-access-binding RoleBinding:
Imperative method (k is an alias for kubectl): k create rolebinding david-access-binding -n frontend-apps --role=pod-log-viewer --user=david.lee -o yaml --dry-run=client
File /opt/cka_exercises/Ex2/rolebinding_david-access.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: david-access-binding
  namespace: frontend-apps
subjects:
- kind: User
  name: david.lee # the name is case-sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-log-viewer
  apiGroup: rbac.authorization.k8s.io
Apply it:
kubectl apply -f /opt/cka_exercises/Ex2/rolebinding_david-access.yaml
4. Verifying the permissions:
Create the verification file /opt/cka_exercises/Ex2/verification_results.txt with the following content (run the commands and record their actual output):
Commande : kubectl auth can-i list pods -n frontend-apps --as david.lee
Expected: yes (the command's actual output)
Commande : kubectl auth can-i delete pods -n frontend-apps --as david.lee
Expected: no (the command's actual output)
Run the commands:
echo "Commande : kubectl auth can-i list pods -n frontend-apps --as david.lee" > /opt/cka_exercises/Ex2/verification_results.txt
kubectl auth can-i list pods -n frontend-apps --as david.lee >> /opt/cka_exercises/Ex2/verification_results.txt
echo "" >> /opt/cka_exercises/Ex2/verification_results.txt
echo "Commande : kubectl auth can-i delete pods -n frontend-apps --as david.lee" >> /opt/cka_exercises/Ex2/verification_results.txt
kubectl auth can-i delete pods -n frontend-apps --as david.lee >> /opt/cka_exercises/Ex2/verification_results.txt
Estimated duration: 30 minutes
Objective: Create a ServiceAccount, grant it cluster-wide permissions to list Nodes, deploy a Pod using this ServiceAccount, and then monitor the Pod's resource usage.
Context: An internal monitoring application needs to run as a Pod and requires read-only access to Node information across the entire cluster. Metrics Server is assumed to be installed and functioning.
Instructions:
1. Create a ServiceAccount named node-reader-sa in the kube-system namespace. Save its YAML definition to /opt/cka_exercises/Ex3/sa_node-reader.yaml and apply it.
2. Create a ClusterRole named global-node-viewer that grants get, list, and watch permissions on nodes resources (core API group). Save its YAML definition to /opt/cka_exercises/Ex3/clusterrole_global-node-viewer.yaml and apply it.
3. Create a ClusterRoleBinding named bind-node-viewer-sa that binds the global-node-viewer ClusterRole to the node-reader-sa ServiceAccount (in the kube-system namespace). Save its YAML definition to /opt/cka_exercises/Ex3/clusterrolebinding_bind-node-viewer.yaml and apply it.
4. Create a Pod named node-monitor-app in the kube-system namespace:
- Image: busybox:1.36.
- Command: sh -c "sleep 3600".
- It must use the node-reader-sa ServiceAccount.
Save its YAML definition to /opt/cka_exercises/Ex3/pod_node-monitor-app.yaml and apply it.
5. Once the node-monitor-app Pod is running, use kubectl top pod to find its CPU and Memory usage. Save this information to /opt/cka_exercises/Ex3/pod_resource_usage.txt. The format should be POD_NAME CPU(cores) MEMORY(bytes) (e.g., node-monitor-app 1m 5Mi).
6. Verify that the node-reader-sa ServiceAccount indeed has permissions to list nodes cluster-wide. Store the verification command and its expected output in /opt/cka_exercises/Ex3/sa_permission_check.txt.
For metrics-server:
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
--kubelet-insecure-tls (argument the metrics-server container may need in a lab cluster whose kubelet serving certificates are not signed by the cluster CA)
Solution:
1. Creating the node-reader-sa ServiceAccount:
File /opt/cka_exercises/Ex3/sa_node-reader.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-reader-sa
  namespace: kube-system
Apply it:
mkdir -p /opt/cka_exercises/Ex3
kubectl apply -f /opt/cka_exercises/Ex3/sa_node-reader.yaml
2. Creating the global-node-viewer ClusterRole:
File /opt/cka_exercises/Ex3/clusterrole_global-node-viewer.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: global-node-viewer
rules:
- apiGroups: [""] # core API group
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
Apply it:
kubectl apply -f /opt/cka_exercises/Ex3/clusterrole_global-node-viewer.yaml
3. Creating the bind-node-viewer-sa ClusterRoleBinding:
File /opt/cka_exercises/Ex3/clusterrolebinding_bind-node-viewer.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-node-viewer-sa
subjects:
- kind: ServiceAccount
  name: node-reader-sa
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: global-node-viewer
  apiGroup: rbac.authorization.k8s.io
Apply it:
kubectl apply -f /opt/cka_exercises/Ex3/clusterrolebinding_bind-node-viewer.yaml
4. Deploying the node-monitor-app Pod:
File /opt/cka_exercises/Ex3/pod_node-monitor-app.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: node-monitor-app
  namespace: kube-system
spec:
  serviceAccountName: node-reader-sa
  containers:
  - name: monitor-container
    image: busybox:1.36
    command: ['sh', '-c', 'sleep 3600']
Apply it:
kubectl apply -f /opt/cka_exercises/Ex3/pod_node-monitor-app.yaml
Make sure the pod is Running before continuing:
kubectl get pod node-monitor-app -n kube-system -w
5. Getting the Pod's resource usage:
(Wait about a minute for Metrics Server to collect data if the pod has just started)
kubectl top pod node-monitor-app -n kube-system --no-headers > /opt/cka_exercises/Ex3/pod_resource_usage.txt
(Note: the actual CPU/Memory usage will vary. The command saves the direct output line for this pod.)
6. Verifying the ServiceAccount's permissions:
Create the file /opt/cka_exercises/Ex3/sa_permission_check.txt:
Commande : kubectl auth can-i list nodes --as=system:serviceaccount:kube-system:node-reader-sa
Expected:
Warning: resource 'nodes' is not namespace scoped
yes
Run the command:
echo "Commande : kubectl auth can-i list nodes --as=system:serviceaccount:kube-system:node-reader-sa" > /opt/cka_exercises/Ex3/sa_permission_check.txt
kubectl auth can-i list nodes --as=system:serviceaccount:kube-system:node-reader-sa >> /opt/cka_exercises/Ex3/sa_permission_check.txt
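The kubectl auth can-i checks in step 4 of exercise 2 and step 6 of exercise 3 can be reasoned about offline with a small model of how the API server evaluates RBAC. The example below is added here and is not kubectl's or the exercise's own code; it holds constructed in-memory copies of the page's Role, RoleBinding, ClusterRole and ClusterRoleBinding and answers the same yes/no questions, including the cases the exercises do not ask (david.lee in another namespace, the ServiceAccount on a verb it was never granted).

```python
"""Minimal model of Kubernetes RBAC evaluation (added example, not kubectl's
own code). It replays the 'kubectl auth can-i' checks from exercises 2 and 3
against in-memory copies of the manifests above, so the expected answers can
be checked without a cluster."""

# Constructed copies of the manifests from the solutions.
# Key: (namespace, name); namespace None means a ClusterRole.
ROLES = {
    ("frontend-apps", "pod-log-viewer"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]}],
    (None, "global-node-viewer"): [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "list", "watch"]}],
}
# A RoleBinding carries the namespace it lives in; a ClusterRoleBinding has
# namespace None and therefore applies cluster-wide.
BINDINGS = [
    {"subjects": ["david.lee"],
     "role": ("frontend-apps", "pod-log-viewer"), "namespace": "frontend-apps"},
    {"subjects": ["system:serviceaccount:kube-system:node-reader-sa"],
     "role": (None, "global-node-viewer"), "namespace": None},
]


def rule_matches(rule, verb, resource, api_group):
    """A rule grants a request only if verb, resource and API group all match."""
    return ((verb in rule["verbs"] or "*" in rule["verbs"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (api_group in rule["apiGroups"] or "*" in rule["apiGroups"]))


def can_i(subject, verb, resource, namespace=None, api_group=""):
    """Return 'yes' if any binding applicable to subject grants the request.
    namespace=None models a cluster-scoped request such as 'list nodes'."""
    for binding in BINDINGS:
        if subject not in binding["subjects"]:
            continue
        # A RoleBinding is only consulted for requests inside its own namespace.
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue
        rules = ROLES[binding["role"]]
        if any(rule_matches(r, verb, resource, api_group) for r in rules):
            return "yes"
    return "no"


if __name__ == "__main__":
    print(can_i("david.lee", "list", "pods", "frontend-apps"))    # yes
    print(can_i("david.lee", "delete", "pods", "frontend-apps"))  # no
```

The model ignores aggregation, wildcards in resource names and non-resource URLs, which is enough for these two exercises but not a replacement for kubectl auth can-i against a real cluster.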