CKA考试准备 - CKA1.21 最新版考试真题 - 《Kubernetes》

CKA 1.20 -2021最新练习题.pdf

1 RBAC

切换 context
kubectl create ns app-team1
kubectl create serviceaccount cicd-token -n app-team1
kubectl create clusterrole deployment-clusterrole --verb=create --
resource=deployment,statefulset,daemonset
kubectl create rolebinding cicd-clusterrole --clusterrole=deployment-clusterrole --
serviceaccount=app-team1:cicd-token

2 设置节点不可用

切换 context
kubectl cordon ek8s-node-1
kubectl drain ek8s-node-1 --ignore-daemonsets --delete-local-data --force

3 升级kubeadm
apt-cache show kubeadm|grep kubeadm=1.20.1-00
kubectl version

切换 context
kubectl get nodes
ssh mk8s-master-0
kubectl cordon mk8s-master-0
kubectl drain mk8s-master-0 --ignore-daemonsets
apt-mark unhold kubeadm kubectl kubelet
apt-get update && apt-get install -y kubeadm=1.20.1-00 kubelet=1.20.1-00
kubectl=1.20.1-00
apt-mark hold kubeadm kubectl kubelet
systemctl daemon-reload
systemctl restart kubelet.service
kubeadm upgrade plan
kubeadm upgrade apply v1.20.1 --etcd-upgrade=false
kubectl -n kube-system rollout history deployment coredns
kubectl rollout undo deployment coredns -n kube-system
kubectl uncordon mk8s-master-0

4 备份还原etcd
实验环境配置
export ETCDCTL_API=3

[rancher@rmaster01 ~]$ docker ps -a |grep etcd 
c93210bbcacc        rancher/rke-tools:v0.1.72              "/docker-entrypoint.…"   3 weeks ago         Up 6 days                                     etcd-rolling-snapshots
e073d4c5266b        rancher/coreos-etcd:v3.4.13-rancher1   "/usr/local/bin/etcd…"   3 weeks ago         Up 6 days                                     etcd
[rancher@rmaster01 ~]$ docker cp e073d4c5266b:/usr/local/bin/etcdctl /usr/local/bin
open /usr/local/bin/etcdctl: permission denied
[rancher@rmaster01 ~]$ exit
logout
[root@rmaster01 ~]# docker cp e073d4c5266b:/usr/local/bin/etcdctl /usr/local/bin

备份：
export ETCDCTL_API=3
ETCDCTL_API=3 etcdctl --endpoints https://172.0.0.1:2379 --cacert=/opt/KUIN00601/ca.crt --cert=/opt/KUIN00601/etcd-client.crt --key=/opt/KUIN00601/etcd-client.key snapshot save /var/lib/backup/etcd-snapshot.db
查看备份
ETCDCTL_API=3 etcdctl --write-out=table snapshot status /var/lib/backup/etcd-snapshot.db
还原：
systemctl stop kubelet
mv /var/lib/etcd/ /var/lib/bak_etcd
ETCDCTL_API=3 etcdctl --endpoints https://172.0.0.1:2379 --cacert=/opt/KUIN00601/ca.crt --cert=/opt/KUIN00601/etcd-client.crt --key=/opt/KUIN00601/etcd-client.key --name k8s-master --data-dir="/var/lib/etcd/" --skip-hash-check --initial-advertise-peer-urls=https://127.0.0.1:2380 --initial-cluster k8s-master=https://127.0.0.1:2380 snapshot restore /var/lib/backup/etcd-snapshot-previous.db
#systemctl start kubelet

5 配置网络策略
https://kubernetes.io/docs/concepts/services-networking/network-policies/

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

在命名空间 fubar 中创建网络策略 allow-port-from-namespace
只允许 ns my-app 中的 pod 连上 fubar 中 pod 的 80 端口
注意: 这里有 2 个 ns ，一个为 fubar(目标pod的ns)，另外一个为 my-app(访问源pod的ns)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: fubar
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
  - namespaceSelector:
      matchLabels:
        my-app-key: my-app-value
  - podSelector:
      matchLabels: {}
  ports:
  - protocol: TCP
    port: 80

6 创建 service

1）edit front-end ，在containers 中添加如下内容
kubectl edit deployment front-end
ports:
- name: http
 protocol: TCP
 containerPort: 80
2）expose 对应端口
kubectl expose deployment front-end --type=NodePort --port=80 --target-port=80 --name=front-end-svc

7 创建 ingress
https://kubernetes.io/docs/concepts/services-networking/ingress/

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
   name: ping
   namespace: ing-internal
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /hello
      pathType: Prefix
      backend:
         service:
           name: hello
             port:
               number: 5678

8 扩容deployment

kubectl scale deployment --replicas=6 guestbook

9 调度pod 到指定节点
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    env: test
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
  nodeSelector:
    disktype: ssd

切换 context
apiVersion: v1
kind: Pod
metadata:
  name: nginx-kusc0041
spec:
  containers:
  - name: nginx
  image: nginx
  nodeSelector:
    disk: ssd

【】

[root@master ~]# kubectl label nodes node01 disk=ssd
node/node01 labeled
[root@master ~]# kubectl get nodes --show-labels 
NAME     STATUS   ROLES    AGE   VERSION    LABELS
master   Ready    master   28d   v1.18.17   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master,kubernetes.io/os=linux,node-role.kubernetes.io/master=
node01   Ready    <none>   28d   v1.18.0    beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,disk=ssd,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux
node02   Ready    <none>   28d   v1.18.0    beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux
[root@master ~]#
[root@master ~]# kubectl run nginx-kusc0041 --image=nginx --dry-run=client -oyaml > 9.yaml
[root@master ~]# 
修改yaml文件、添加nodeSelector
  nodeSelector:
    disk: ssd
[root@master ~]# cat 9.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx-kusc0041
  name: nginx-kusc0041
spec:
  containers:
  - image: nginx
    name: nginx-kusc0041
    resources: {}
  nodeSelector:
    disk: ssd
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master ~]#
[root@master ~]# kubectl get pod  -o wide 
NAME                     READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
myapp-687598b8b4-9w6m6   1/1     Running   0          61m   172.16.196.132   node01   <none>           <none>
myapp-687598b8b4-j7b54   1/1     Running   0          61m   172.16.196.133   node01   <none>           <none>
myapp-687598b8b4-wrkm9   1/1     Running   0          61m   172.16.196.134   node01   <none>           <none>
nginx-kusc0041           1/1     Running   0          64s   172.16.196.136   node01   <none>           <none>
[root@master ~]#
删除标签
[root@master ~]# kubectl get nodes node01 --show-labels 
NAME     STATUS   ROLES    AGE   VERSION   LABELS
node01   Ready    <none>   28d   v1.18.0   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,disk=ssd,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux
[root@master ~]# kubectl label nodes node01 disk-
node/node01 labeled
[root@master ~]#
设置标签给node02 再次验证
[root@master ~]# kubectl label nodes node02 disk=ssd
node/node02 labeled
[root@master ~]# kubectl get pod 
NAME                     READY   STATUS    RESTARTS   AGE
myapp-687598b8b4-9w6m6   1/1     Running   0          66m
myapp-687598b8b4-j7b54   1/1     Running   0          66m
myapp-687598b8b4-wrkm9   1/1     Running   0          66m
nginx-kusc0041           1/1     Running   0          5m49s
[root@master ~]# kubectl delete pod nginx-kusc0041 
pod "nginx-kusc0041" deleted
[root@master ~]# kubectl get pod -o wide 
NAME                     READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
myapp-687598b8b4-9w6m6   1/1     Running   0          67m   172.16.196.132   node01   <none>           <none>
myapp-687598b8b4-j7b54   1/1     Running   0          67m   172.16.196.133   node01   <none>           <none>
myapp-687598b8b4-wrkm9   1/1     Running   0          67m   172.16.196.134   node01   <none>           <none>
[root@master ~]# kubectl apply -f  9.yaml 
pod/nginx-kusc0041 created
[root@master ~]# kubectl get pod -o wide 
NAME                     READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
myapp-687598b8b4-9w6m6   1/1     Running   0          67m   172.16.196.132   node01   <none>           <none>
myapp-687598b8b4-j7b54   1/1     Running   0          67m   172.16.196.133   node01   <none>           <none>
myapp-687598b8b4-wrkm9   1/1     Running   0          67m   172.16.196.134   node01   <none>           <none>
nginx-kusc0041           1/1     Running   0          4s    172.16.140.76    node02   <none>           <none>
[root@master ~]#

10 统计 ready 状态节点数量

切换 context
kubectl get nodes
kubectl describe nodes | grep -i taint | grep NoSchedule
两者数据相减，echo number > /path/file

11 配置多容器
https://kubernetes.io/docs/concepts/workloads/pods/

apiVersion: v1
kind: Pod
metadata:
  name: kucc1
spec:
  containers:
  - name: nginx
  image: nginx
  - name: redis
  image: redis

【】

[root@master ~]# kubectl run kucc1 --image=nginx --dry-run=client -oyaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: kucc1
  name: kucc1
spec:
  containers:
  - image: nginx
    name: kucc1
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
[root@master ~]#

12 创建pv
https://kubernetes.io/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolume

apiVersion: v1
kind: PersistentVolume
metadata:
  name: task-pv-volume
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt/data"

apiVersion: v1
kind: PersistentVolume
metadata:
  name: app-config
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteMany
  hostPath:
    path: /srv/app-config

【】

[root@master ~]# kubectl apply -f 12.yaml 
persistentvolume/app-config created
[root@master ~]# kubectl get pv 
NAME         CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM   STORAGECLASS   REASON   AGE
app-config   2Gi        RWX            Retain           Available                                   4s
[root@master ~]#

13 创建和绑定pvc
https://kubernetes.io/docs/tasks/configure-pod-container/configure-persistent-volume-storage/#create-a-persistentvolumeclaim

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
   name: pv-volume
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Mi
    storageClassName: csi-hostpath-sc

apiVersion: v1
kind: Pod
metadata:
  name: web-server
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - mountPath: "/usr/share/nginx/html"
      name: mypv
   volumes:
      - name: mypv
        persistentVolumeClaim:
        claimName: pv-volume

kubectl edit pvc pv-volume --record

14 监控 pod 日志

切换 context
kubectl logs foobar | grep unable-to-access-website > /opt/KUTR00101/foobar

15 添加 sidecar 容器并输出日志
https://kubernetes.io/docs/concepts/cluster-administration/logging/
kubectl get pod big-corp-app -oyaml >15.yaml

   volumeMounts:
    - name: varlog
      mountPath: /var/log
  - name: count-log-1
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/1.log']
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  - name: count-log-2
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -f /var/log/2.log']
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  volumes:
  - name: varlog
    emptyDir: {}

volumeMounts:
  - name: varlog
  mountPath: /var/log
  - name: sidecar
  image: busybox
  args: [/bin/sh, -c, 'tail -n+1 -f /var/log/11-factor-app.log']
volumeMounts:
  - name: varlog
  mountPath: /var/log
  volumes:
  - name: varlog
  emptyDir: {}

【】

-name: logs 
mountPath:/var/log
-name: busybox
image: busybox args:[/bin/sh,-c,' tail -n+1-f/var/log/big-corp-app. log]
volumeMounts:
-name: logs mountPath:/var/log

- name: varlog
 emptyDir: {}

16 查看cpu 使用率最高的pod

切换 context
kubectl top pod -l name=cpu-loader -A --sort-by=cpu
echo podName >> /opt/KUTR00401/KUTR00401.txt

17 排查集群中故障节点

切换 context
kubectl get nodes
ssh wk8s-node-0
sudo -i
systemctl status kubelet
systemctl enable kubelet
systemctl restart kubelet
systemctl status kubelet
再次 get nodes， 确保节点恢复 Ready 状态