Notes from Killercoda Practice Labs for CKA Preparation

OneDayDev · January 24, 2023

CKA

Certification info: CKA

killercoda

Vim Setup

vim ~/.vimrc
set expandtab
set tabstop=2
set shiftwidth=2

expandtab: use spaces for tab
tabstop: amount of spaces used for tab
shiftwidth: amount of spaces used during indentation

Apiserver Misconfigured

log locations to check:

  • /var/log/pods
  • /var/log/containers
  • crictl ps + crictl logs (crictl is a command-line interface for CRI-compatible container runtimes.)
  • kubelet logs: /var/log/syslog or journalctl

Troubleshooting steps

  1. Check the logs using the paths and commands above.
  2. Edit the /etc/kubernetes/manifests/kube-apiserver.yaml file.
  3. Restart with service kubelet restart and check that the apiserver comes up properly. If it does not, start again from step 1.

Application Misconfigured

Check the application's state with

kubectl logs
kubectl describe

and then fix it with

kubectl edit

Application Multi Container Issue

The task is to write all of the containers' logs to /root/logs.log.
First, to find out which containers the Deployment has,
run describe, which lists them.
The logs can then be saved as follows.

k -n management logs deploy/collect-data -c nginx >> /root/logs.log
k -n management logs deploy/collect-data -c httpd >> /root/logs.log

ConfigMap Access in Pods

A task about ConfigMap configuration: reference

Ingress Create

  1. expose port
    kubectl expose deploy deployment-name --port port-number
  2. Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: world
  namespace: world
  annotations:
    # this annotation removes the need for a trailing slash when calling urls
    # but it is not necessary for solving this scenario
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx # k get ingressclass
  rules:
  - host: "world.universe.mine"
    http:
      paths:
      - path: /europe
        pathType: Prefix
        backend:
          service:
            name: europe
            port:
              number: 80
      - path: /asia
        pathType: Prefix
        backend:
          service:
            name: asia
            port:
              number: 80

NetworkPolicy Namespace Selector

Reference: official documentation

This scenario covers NetworkPolicy.

RBAC ServiceAccount Permissions

  1. Create a ServiceAccount in each namespace
k -n ns1 create sa pipeline
k -n ns2 create sa pipeline
  2. Bind the existing view ClusterRole to both ServiceAccounts with a ClusterRoleBinding
k get clusterrole view
k create clusterrolebinding pipeline-view --clusterrole view --serviceaccount ns1:pipeline --serviceaccount ns2:pipeline
  3. Create a new ClusterRole
k create clusterrole pipeline-deployment-manager --verb create,delete --resource deployments
  4. Bind the new ClusterRole in each namespace with a RoleBinding
k -n ns1 create rolebinding pipeline-deployment-manager --clusterrole pipeline-deployment-manager --serviceaccount ns1:pipeline
k -n ns2 create rolebinding pipeline-deployment-manager --clusterrole pipeline-deployment-manager --serviceaccount ns2:pipeline
  5. Verify
# namespace ns1 deployment manager
k auth can-i delete deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i create deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i update deployments --as system:serviceaccount:ns1:pipeline -n ns1 # NO
k auth can-i update deployments --as system:serviceaccount:ns1:pipeline -n default # NO

# namespace ns2 deployment manager
k auth can-i delete deployments --as system:serviceaccount:ns2:pipeline -n ns2 # YES
k auth can-i create deployments --as system:serviceaccount:ns2:pipeline -n ns2 # YES
k auth can-i update deployments --as system:serviceaccount:ns2:pipeline -n ns2 # NO
k auth can-i update deployments --as system:serviceaccount:ns2:pipeline -n default # NO

# cluster wide view role
k auth can-i list deployments --as system:serviceaccount:ns1:pipeline -n ns1 # YES
k auth can-i list deployments --as system:serviceaccount:ns1:pipeline -A # YES
k auth can-i list pods --as system:serviceaccount:ns1:pipeline -A # YES
k auth can-i list pods --as system:serviceaccount:ns2:pipeline -A # YES
k auth can-i list secrets --as system:serviceaccount:ns2:pipeline -A # NO (default view-role doesn't allow)

RBAC User Permissions

  1. Create a Role and a RoleBinding so that the user smoke is bound to the smoke Role in the applications namespace.
k -n applications create role smoke --verb create,delete --resource pods,deployments,sts
k -n applications create rolebinding smoke --role smoke --user smoke
  2. In every namespace except kube-system, bind the view ClusterRole with a RoleBinding.
k get ns # check the namespaces, then create a RoleBinding in each one as below
k -n applications create rolebinding smoke-view --clusterrole view --user smoke
k -n default create rolebinding smoke-view --clusterrole view --user smoke
k -n kube-node-lease create rolebinding smoke-view --clusterrole view --user smoke
k -n kube-public create rolebinding smoke-view --clusterrole view --user smoke
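
Both RBAC sections above (ServiceAccount Permissions and User Permissions) rest on one scoping rule: a ClusterRoleBinding grants everywhere, while a RoleBinding grants only inside its own namespace, even when it references a ClusterRole. The following is an added example, not part of the original post: a simplified Python model of that rule, loaded with the bindings created above. The view rule set is an abbreviated, constructed subset of the real ClusterRole, and namespace=None stands for -A.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, abbreviated rule sets as (verb, resource) pairs. The real built-in
# "view" ClusterRole covers far more resources but, like this subset, no secrets.
CLUSTER_ROLES = {
    "view": {(v, r) for v in ("get", "list", "watch") for r in ("pods", "deployments")},
    "pipeline-deployment-manager": {("create", "deployments"), ("delete", "deployments")},
}
# Namespaced Roles, keyed by (namespace, name).
ROLES = {
    ("applications", "smoke"): {(v, r) for v in ("create", "delete")
                                for r in ("pods", "deployments", "statefulsets")},
}

@dataclass(frozen=True)
class Binding:
    subject: str
    role: str
    namespace: Optional[str] = None  # None means ClusterRoleBinding
    cluster_role: bool = True        # roleRef kind: ClusterRole (True) or Role (False)

SA1 = "system:serviceaccount:ns1:pipeline"
SA2 = "system:serviceaccount:ns2:pipeline"
BINDINGS = [
    Binding(SA1, "view"), Binding(SA2, "view"),  # clusterrolebinding pipeline-view
    Binding(SA1, "pipeline-deployment-manager", "ns1"),
    Binding(SA2, "pipeline-deployment-manager", "ns2"),
    Binding("smoke", "smoke", "applications", cluster_role=False),
] + [Binding("smoke", "view", ns)  # rolebinding smoke-view, one per namespace
     for ns in ("applications", "default", "kube-node-lease", "kube-public")]

def can_i(subject, verb, resource, namespace=None):
    """Simplified model of `kubectl auth can-i`; namespace=None stands for -A."""
    for b in BINDINGS:
        if b.subject != subject:
            continue
        # A RoleBinding grants only inside its own namespace, even when it
        # references a ClusterRole; a ClusterRoleBinding grants everywhere.
        if b.namespace is not None and b.namespace != namespace:
            continue
        rules = CLUSTER_ROLES[b.role] if b.cluster_role else ROLES[(b.namespace, b.role)]
        if (verb, resource) in rules:
            return True
    return False

if __name__ == "__main__":
    for args in [(SA1, "create", "deployments", "ns1"), (SA1, "create", "deployments", "default"),
                 ("smoke", "list", "pods", "default"), ("smoke", "list", "pods", "kube-system")]:
        print(args, "->", "yes" if can_i(*args) else "no")
```

The model shows why smoke can list pods in default but not with -A or in kube-system: its view access comes only from per-namespace RoleBindings, whereas the pipeline ServiceAccounts get view through a ClusterRoleBinding.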

Scheduling Priority

  1. Find the Pod with the highest priority in Namespace management.
k -n management get pod -o yaml | grep -i priority -B 20
  2. Create new Pod named important of image nginx:1.21.6-alpine in the same Namespace. It should request 1Gi memory resources.
    Assign a higher priority to the new Pod so it's scheduled instead of the existing one.

Generate a template with the following command

k -n lion run important --image=nginx:1.21.6-alpine -oyaml --dry-run=client > pod.yaml

After checking the existing Pod's priority (describe), apply the requirements to the template

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: important
  name: important
  namespace: lion
spec:
  priorityClassName: level3
  containers:
  - image: nginx:1.21.6-alpine
    name: important
    resources:
      requests:
        memory: 1Gi
  dnsPolicy: ClusterFirst
  restartPolicy: Always