Networking
Updated Dec 29, 2023 ·
Some of the scenario questions here are based on Kodekloud's CKA course labs.
NOTE
CKAD and CKA can have similar scenario questions. It is recommended to go through the CKAD practice tests.
Shortcuts
First run the two commands below for shortcuts.
export do="--dry-run=client -o yaml"
export now="--force --grace-period=0"
Questions
-
What is the Internal IP address of the controlplane node in this cluster?
controlplane ~ ➜ k get no
NAME STATUS ROLES AGE VERSION
controlplane Ready control-plane 15m v1.27.0
node01 Ready <none> 14m v1.27.0Answer
controlplane ~ ➜ k describe no controlplane | grep -i ip
flannel.alpha.coreos.com/public-ip: 192.2.53.9
InternalIP: 192.2.53.9 -
What is the network interface configured for cluster connectivity on the controlplane node?
controlplane ~ ➜ k get no
NAME STATUS ROLES AGE VERSION
controlplane Ready control-plane 15m v1.27.0
node01 Ready <none> 14m v1.27.0Answer
controlplane ~ ➜ k get no -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
controlplane Ready control-plane 20m v1.27.0 192.2.120.9 <none> Ubuntu 20.04.6 LTS 5.4.0-1106-gcp containerd://1.6.6
node01 Ready <none> 19m v1.27.0 192.2.120.12 <none> Ubuntu 20.04.5 LTS 5.4.0-1106-gcp containerd://1.6.6
controlplane ~ ➜ ip addr | grep -B2 192.2
13036: eth0@if13037: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether 02:42:c0:02:78:09 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.2.120.9/24 brd 192.2.120.255 scope global eth0 -
What is the MAC address assigned to node01?
controlplane ~ ➜ k get no
NAME STATUS ROLES AGE VERSION
controlplane Ready control-plane 15m v1.27.0
node01 Ready <none> 14m v1.27.0Answer
Need to ssh to node01.
controlplane ~ ➜ ssh node01
root@node01 ~ ➜ ip addr | grep -B2 192.2
13945: eth0@if13946: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether 02:42:c0:02:78:0c brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.2.120.12/24 brd 192.2.120.255 scope global eth0 -
We use Containerd as our container runtime. What is the interface/bridge created by Containerd on the controlplane node?
Answer
controlplane ~ ✖ ip link show | grep -i cni
3: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP mode DEFAULT group default qlen 1000
4: vethcb46d51e@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue master cni0 state UP mode DEFAULT group default
link/ether 46:15:1c:5b:93:f2 brd ff:ff:ff:ff:ff:ff link-netns cni-3f59b276-21d3-2b70-df1a-514e9f7eb6cb
5: veth35f1d3bb@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue master cni0 state UP mode DEFAULT group default
link/ether 96:21:56:39:34:10 brd ff:ff:ff:ff:ff:ff link-netns cni-d15387ac-89be-7f41-ecb3-79879ae016f1 -
If you were to ping google from the controlplane node, which route does it take?
controlplane ~ ➜ k get no
NAME STATUS ROLES AGE VERSION
controlplane Ready control-plane 15m v1.27.0
node01 Ready <none> 14m v1.27.0Answer
controlplane ~ ➜ ip route
default via 172.25.0.1 dev eth1 -
What is the port the kube-scheduler is listening on in the controlplane node?
Answer
controlplane ~ ➜ netstat -tulpn | grep -i sched
tcp 0 0 127.0.0.1:10259 0.0.0.0:* LISTEN 3706/kube-scheduler -
Notice that ETCD is listening on two ports. Which of these have more client connections established?
Answer
2379 is the port of ETCD to which all control plane components connect to. 2380 is only for etcd peer-to-peer connectivity when you have multiple controlplane nodes.
controlplane ~ ➜ netstat -tulpn | grep -i etc
tcp 0 0 192.2.120.9:2379 0.0.0.0:* LISTEN 3723/etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 3723/etcd
tcp 0 0 192.2.120.9:2380 0.0.0.0:* LISTEN 3723/etcd
tcp 0 0 127.0.0.1:2381 0.0.0.0:* LISTEN 3723/etcd
controlplane ~ ➜ netstat -anp | grep etc | grep 2379 | wc -l
63
controlplane ~ ➜ netstat -anp | grep etc | grep 2380 | wc -l
1
controlplane ~ ➜ netstat -anp | grep etc | grep 2381 | wc -l
1 -
Inspect the kubelet service and identify the container runtime endpoint value is set for Kubernetes.
Answer
Answer is unix:///var/run/containerd/containerd.sock.
controlplane ~ ➜ ps -aux | grep kubelet | grep container
root 4685 0.0 0.0 3702540 101388 ? Ssl 20:02 0:12 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infracontainer-image=registry.k8s.io/pause:3.9 -
What is the path configured with all binaries of CNI supported plugins?
Answer
controlplane ~ ➜ ls -la /opt/cni
total 20
drwxr-xr-x 1 root root 4096 Nov 2 11:33 .
drwxr-xr-x 1 root root 4096 Nov 2 11:38 ..
drwxrwxr-x 1 root root 4096 Dec 30 20:02 bin
controlplane ~ ➜ ls -la /opt/cni/bin/
total 71424
drwxrwxr-x 1 root root 4096 Dec 30 20:02 .
drwxr-xr-x 1 root root 4096 Nov 2 11:33 ..
-rwxr-xr-x 1 root root 3859475 Jan 16 2023 bandwidth
-rwxr-xr-x 1 root root 4299004 Jan 16 2023 bridge
-rwxr-xr-x 1 root root 10167415 Jan 16 2023 dhcp
-rwxr-xr-x 1 root root 3986082 Jan 16 2023 dummy
-rwxr-xr-x 1 root root 4385098 Jan 16 2023 firewall
-rwxr-xr-x 1 root root 2474798 Dec 30 20:02 flannel
-rwxr-xr-x 1 root root 3870731 Jan 16 2023 host-device
-rwxr-xr-x 1 root root 3287319 Jan 16 2023 host-local
-rwxr-xr-x 1 root root 3999593 Jan 16 2023 ipvlan
-rwxr-xr-x 1 root root 3353028 Jan 16 2023 loopback
-rwxr-xr-x 1 root root 4029261 Jan 16 2023 macvlan
-rwxr-xr-x 1 root root 3746163 Jan 16 2023 portmap
-rwxr-xr-x 1 root root 4161070 Jan 16 2023 ptp
-rwxr-xr-x 1 root root 3550152 Jan 16 2023 sbr
-rwxr-xr-x 1 root root 2845685 Jan 16 2023 static
-rwxr-xr-x 1 root root 3437180 Jan 16 2023 tuning
-rwxr-xr-x 1 root root 3993252 Jan 16 2023 vlan
-rwxr-xr-x 1 root root 3586502 Jan 16 2023 vrf -
What is the CNI plugin configured to be used on this kubernetes cluster?
Answer
controlplane ~ ➜ ls -la /etc/cni/
total 20
drwx------ 1 root root 4096 Nov 2 11:33 .
drwxr-xr-x 1 root root 4096 Dec 30 20:02 ..
drwx------ 1 root root 4096 Dec 30 20:02 net.d
controlplane ~ ➜ ls -la /etc/cni/net.d/
total 16
drwx------ 1 root root 4096 Dec 30 20:02 .
drwx------ 1 root root 4096 Nov 2 11:33 ..
-rw-r--r-- 1 root root 292 Dec 30 20:02 10-flannel.conflist -
What binary executable file will be run by kubelet after a container and its associated namespace are created?
-
What binary executable file will be run by kubelet after a container and its associated namespace are created?
Answer
controlplane ~ ➜ ls -l /etc/cni/
total 4
drwx------ 1 root root 4096 Dec 30 20:02 net.d
controlplane ~ ➜ ls -l /etc/cni/net.d/
total 4
-rw-r--r-- 1 root root 292 Dec 30 20:02 10-flannel.conflistThe answer is flannel.
controlplane ~ ✖ cat /etc/cni/net.d/10-flannel.conflist
{
"name": "cbr0",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
} -
Deploy weave-net networking solution to the cluster.
NOTE: - We already have provided a weave manifest file under the /root/weave directory.
Answer
The pod cannot start because networking is not yet configured.
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
app 1/1 ContainerCreating 0 3m7sInstall weavenet via the weave manifest.
controlplane ~ ➜ ls -la /root/weave/
total 20
drwxr-xr-x 2 root root 4096 Dec 30 20:21 .
drwx------ 1 root root 4096 Dec 30 20:20 ..
-rw-r--r-- 1 root root 6259 Dec 30 20:21 weave-daemonset-k8s.yaml
controlplane ~ ➜ k apply -f /root/weave/
serviceaccount/weave-net created
clusterrole.rbac.authorization.k8s.io/weave-net created
clusterrolebinding.rbac.authorization.k8s.io/weave-net created
role.rbac.authorization.k8s.io/weave-net created
rolebinding.rbac.authorization.k8s.io/weave-net created
daemonset.apps/weave-net createdThe app should now be able to run.
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
app 1/1 Running 0 3m7s -
What is the Networking Solution used by this cluster?
Answer
controlplane ~ ➜ ls -la /etc/cni/net.d/
total 16
drwx------ 1 root root 4096 Dec 30 22:19 .
drwx------ 1 root root 4096 Nov 2 11:33 ..
-rw-r--r-- 1 root root 318 Dec 30 22:19 10-weave.conflist
controlplane ~ ➜ cat /etc/cni/net.d/10-weave.conflist
{
"cniVersion": "0.3.0",
"name": "weave",
"plugins": [
{
"name": "weave",
"type": "weave-net",
"hairpinMode": true
},
{
"type": "portmap",
"capabilities": {"portMappings": true},
"snat": true
}
]
} -
How many weave agents/peers are deployed in this cluster?
Answer
controlplane ~ ➜ k get po -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5d78c9869d-g5r7l 1/1 Running 0 24m
coredns-5d78c9869d-kbzrl 1/1 Running 0 24m
etcd-controlplane 1/1 Running 0 24m
kube-apiserver-controlplane 1/1 Running 0 24m
kube-controller-manager-controlplane 1/1 Running 0 24m
kube-proxy-6rzbz 1/1 Running 0 24m
kube-proxy-bqhf2 1/1 Running 0 24m
kube-scheduler-controlplane 1/1 Running 0 24m
weave-net-mq78f 2/2 Running 1 (23m ago) 24m
weave-net-pxrzs 2/2 Running 1 (23m ago) 24m
controlplane ~ ➜ k get po -n kube-system -o wide ñ grep weave
weave-net-mq78f 2/2 Running 1 (24m ago) 24m 192.5.179.12 node01 <none> <none>
weave-net-pxrzs 2/2 Running 1 (24m ago) 24m 192.5.179.9 controlplane <none> <none> -
Identify the name of the bridge network/interface created by weave on each node.
Answer
controlplane ~ ➜ ip addr | grep weave
4: weave: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue state UP group default qlen 1000
inet 10.244.192.0/16 brd 10.244.255.255 scope global weave
7: vethwe-bridge@vethwe-datapath: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default
10: vethwepl4a7ab64@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default
12: vethwepl6d8c184@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1376 qdisc noqueue master weave state UP group default -
What is the default gateway configured on the PODs scheduled on node01?
Answer
We are interested with the route for weave, which shows default gateway of 10.244.0.1.
root@node01 ~ ➜ ip route
default via 172.25.0.1 dev eth1
10.244.0.0/16 dev weave proto kernel scope link src 10.244.0.1
172.25.0.0/24 dev eth1 proto kernel scope link src 172.25.0.35
192.5.179.0/24 dev eth0 proto kernel scope link src 192.5.179.12 -
What is the range of IP addresses configured for PODs on this cluster? The network is configured with weave.
Answer
Check the pod for weave and see the logs. It should show the ip allocation range.
controlplane ~ ➜ k get po -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5d78c9869d-9qdz4 1/1 Running 0 28m
coredns-5d78c9869d-qzd27 1/1 Running 0 28m
etcd-controlplane 1/1 Running 0 28m
kube-apiserver-controlplane 1/1 Running 0 28m
kube-controller-manager-controlplane 1/1 Running 0 28m
kube-proxy-gq9zh 1/1 Running 0 28m
kube-proxy-p6fhm 1/1 Running 0 28m
kube-scheduler-controlplane 1/1 Running 0 28m
weave-net-5djnr 2/2 Running 0 28m
weave-net-wcmwp 2/2 Running 1 (28m ago) 28m
controlplane ~ ➜ k logs -n kube-system weave-net-5djnr | grep -i ip
Defaulted container "weave" out of: weave, weave-npc, weave-init (init)
INFO: 2023/12/31 03:24:40.683471 Command line options: map[conn-limit:200 datapath:datapath db-prefix:/weavedb/weave-net docker-api: expect-npc:true http-addr:127.0.0.1:6784 ipalloc-init:consensus=1 ipalloc-range:10.244.0.0/16 metrics-addr:0.0.0.0:6782 name:62:53:38:78:b6:a0 nickname:node01 no-dns:true no-masq-local:true port:6783] -
What is the IP Range configured for the services within the cluster?
Answer
From here we can see the the servuces are configured in the 10.96.0.x range.
controlplane ~ ➜ k get svc -A
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31m
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 31mWe can also check the manifest for the kub-apiserver.
controlplane ~ ➜ ls -l /etc/kubernetes/manifests/kube-apiserver.yaml
-rw------- 1 root root 3877 Dec 30 22:23 /etc/kubernetes/manifests/kube-apiserver.yaml
controlplane ~ ➜ grep -i ip /etc/kubernetes/manifests/kube-apiserver.yaml
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --service-cluster-ip-range=10.96.0.0/12 -
What type of proxy is the kube-proxy configured to use?
Answer
controlplane ~ ➜ k get po -n kube-system | grep kube-proxy
kube-proxy-gq9zh 1/1 Running 0 35m
kube-proxy-p6fhm 1/1 Running 0 36m
controlplane ~ ➜ k logs -n kube-system kube-proxy-gq9zh | grep -i proxy
I1231 03:24:13.560888 1 server_others.go:551] "Using iptables proxy" -
How does this Kubernetes cluster ensure that a kube-proxy pod runs on all nodes in the cluster?
Answer
kube-proxy is managed through a DaemonSet.
controlplane ~ ➜ k get po -n kube-system | grep kube-pro
kube-proxy-gq9zh 1/1 Running 0 40m
kube-proxy-p6fhm 1/1 Running 0 40m
controlplane ~ ➜ k describe pod -n kube-system kube-proxy-gq9zh | grep -i control
Labels: controller-revision-hash=7b6c5596fc
Controlled By: DaemonSet/kube-proxy -
Identify the DNS solution implemented in this cluster.
Answer
controlplane ~ ✖ k get po -A | grep dns
kube-system coredns-5d78c9869d-9gj8f 1/1 Running 0 5m23s
kube-system coredns-5d78c9869d-gp7z4 1/1 Running 0 5m23s -
What is the IP of the CoreDNS server that should be configured on PODs to resolve services?
Answer
controlplane ~ ➜ k get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 7m2s -
Where is the configuration file located for configuring the CoreDNS service?
Answer
controlplane ~ ➜ k get po -n kube-system | grep dns
coredns-5d78c9869d-9gj8f 1/1 Running 0 10m
coredns-5d78c9869d-gp7z4 1/1 Running 0 10m
controlplane ~ ➜ k describe -n kube-system pod coredns-5d78c9869d-gp7z4 | grep -i file
/etc/coredns/Corefile -
How is the Corefile passed into the CoreDNS POD?
Answer
controlplane ~ ➜ k get po -n kube-system | grep dns
coredns-5d78c9869d-9gj8f 1/1 Running 0 11m
coredns-5d78c9869d-gp7z4 1/1 Running 0 11m
controlplane ~ ➜ k describe -n kube-system pod coredns-5d78c9869d-gp7z4 | grep -i control
Node: controlplane/192.6.107.3
Controlled By: ReplicaSet/coredns-5d78c9869d
node-role.kubernetes.io/control-plane:NoSchedule
Normal Scheduled 11m default-scheduler Successfully assigned kube-system/coredns-5d78c9869d-gp7z4 to controlplane
controlplane ~ ➜ k get rs -n kube-system
NAME DESIRED CURRENT READY AGE
coredns-5d78c9869d 2 2 2 11mWhen we try to check the YAML file for the ReplicaSet, we see that the file is passed as a ConfigMap object.
controlplane ~ ➜ k get rs -n kube-system coredns-5d78c9869d -o yaml | grep -i corefile -B5
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- args:
- -conf
- /etc/coredns/Corefile
--
key: node-role.kubernetes.io/control-plane
volumes:
- configMap:
defaultMode: 420
items:
- key: Corefile
path: Corefile -
Since we know that the Corefile is passed as a ConfigMap object, determine the root domain/zone configured for this kubernetes cluster.
Answer
The root domain is cluster.local.
controlplane ~ ➜ k get cm -n kube-system
NAME DATA AGE
coredns 1 15m
extension-apiserver-authentication 6 16m
kube-apiserver-legacy-service-account-token-tracking 1 16m
kube-proxy 2 15m
kube-root-ca.crt 1 15m
kubeadm-config 1 15m
kubelet-config 1 15m
controlplane ~ ➜ k describe -n kube-system cm coredns
Name: coredns
Namespace: kube-system
Labels: <none>
Annotations: <none>
Data
====
Corefile:
----
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30
loop
reload
loadbalance
}
BinaryData
====
Events: <none> -
What name can be used to access the hr web server from the test Application?
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default hr 1/1 Running 0 13m
default simple-webapp-1 1/1 Running 0 13m
default simple-webapp-122 1/1 Running 0 13m
default test 1/1 Running 0 13m
kube-flannel kube-flannel-ds-m267z 1/1 Running 0 18m
kube-system coredns-5d78c9869d-9gj8f 1/1 Running 0 18m
kube-system coredns-5d78c9869d-gp7z4 1/1 Running 0 18m
kube-system etcd-controlplane 1/1 Running 0 18m
kube-system kube-apiserver-controlplane 1/1 Running 0 18m
kube-system kube-controller-manager-controlplane 1/1 Running 0 18m
kube-system kube-proxy-hj5vp 1/1 Running 0 18m
kube-system kube-scheduler-controlplane 1/1 Running 0 18m
payroll web 1/1 Running 0 13m
controlplane ~ ➜ k get svc -A
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 18m
default test-service NodePort 10.96.250.160 <none> 80:30080/TCP 13m
default web-service ClusterIP 10.108.205.43 <none> 80/TCP 13m
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 18m
payroll web-service ClusterIP 10.96.157.205 <none> 80/TCP 13mAnswer
Remove the -A flag so that it only shows the resources in the default namespace where the hr pod is.
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
hr 1/1 Running 0 16m
simple-webapp-1 1/1 Running 0 15m
simple-webapp-122 1/1 Running 0 15m
test 1/1 Running 0 16m
controlplane ~ ➜ k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 21m
test-service NodePort 10.96.250.160 <none> 80:30080/TCP 16m
web-service ClusterIP 10.108.205.43 <none> 80/TCP 16mRun a curl from within the hr pod.
controlplane ~ ✖ k exec -it hr -- curl web-service:80
This is the HR server! -
Which of the names CANNOT be used to access the HR service from the test pod?
- web-service
- web-service.default
- web-service.default.pod
- web-service.default.svc
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
hr 1/1 Running 0 19m
simple-webapp-1 1/1 Running 0 19m
simple-webapp-122 1/1 Running 0 19m
test 1/1 Running 0 19m
controlplane ~ ➜ k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 24m
test-service NodePort 10.96.250.160 <none> 80:30080/TCP 19m
web-service ClusterIP 10.108.205.43 <none> 80/TCP 19m
Answer
controlplane ~ ➜ k exec -it test -- curl web-service:80
This is the HR server!
controlplane ~ ➜ k exec -it test -- curl web-service.default:80
This is the HR server!
controlplane ~ ➜ k exec -it test -- curl web-service.default.pod:80
curl: (6) Could not resolve host: web-service.default.pod
command terminated with exit code 6
controlplane ~ ➜ k exec -it test -- curl web-service.default.svc:80
This is the HR server!The answer is web-service.default.pod.
-
Which of the below name can be used to access the payroll service from the test application?
- web-service.payroll
- web-service
- web
- web-service.default
controlplane ~ ➜ k get svc -n payroll
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
web-service ClusterIP 10.96.157.205 <none> 80/TCP 26m
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
hr 1/1 Running 0 26m
simple-webapp-1 1/1 Running 0 26m
simple-webapp-122 1/1 Running 0 26m
test 1/1 Running 0 26mAnswer
controlplane ~ ➜ k exec -it test -- curl web-service.payroll:80
This is the PayRoll server!
controlplane ~ ➜ k exec -it test -- curl web-service:80
This is the HR server!
controlplane ~ ➜ k exec -it test -- curl web:80
curl: (6) Could not resolve host: web
command terminated with exit code 6
controlplane ~ ✖ k exec -it test -- curl web-service.default:80
This is the HR server!The answers are:
- web-service.payroll
- web-service
- web-service.default
-
We just deployed a web server - webapp - that accesses a database mysql - server. However the web server is failing to connect to the database server. Troubleshoot and fix the issue.
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default hr 1/1 Running 0 30m
default simple-webapp-1 1/1 Running 0 30m
default simple-webapp-122 1/1 Running 0 30m
default test 1/1 Running 0 30m
default webapp-54b76556d-89b25 1/1 Running 0 30s
kube-flannel kube-flannel-ds-m267z 1/1 Running 0 35m
kube-system coredns-5d78c9869d-9gj8f 1/1 Running 0 35m
kube-system coredns-5d78c9869d-gp7z4 1/1 Running 0 35m
kube-system etcd-controlplane 1/1 Running 0 35m
kube-system kube-apiserver-controlplane 1/1 Running 0 35m
kube-system kube-controller-manager-controlplane 1/1 Running 0 35m
kube-system kube-proxy-hj5vp 1/1 Running 0 35m
kube-system kube-scheduler-controlplane 1/1 Running 0 35m
payroll mysql 1/1 Running 0 30s
payroll web 1/1 Running 0 30mAnswer
From the given above, we can see that the web-app and mysql are in different namespaces. There are two options here:
- Make sure both are in the same namespace
- Configure the webapp to point to the mysql at payroll namespace.
We will so the second option.
controlplane ~ ➜ k get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
webapp 1/1 1 1 7m54s
controlplane ~ ➜ k edit deploy webappAppend the namespace after the hostname.
spec:
containers:
- env:
- name: DB_Host
value: mysql.payroll
- name: DB_User
value: root
- name: DB_Password
value: paswrd
image: mmumshad/simple-webapp-mysql
imagePullPolicy: Always
name: simple-webapp-mysql
ports: -
From the hr pod nslookup the mysql service and redirect the output to a file /root/CKA/nslookup.out
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
hr 1/1 Running 0 43m
simple-webapp-1 1/1 Running 0 43m
simple-webapp-122 1/1 Running 0 43m
test 1/1 Running 0 43m
webapp-6fdb68c84f-wvgd2 1/1 Running 0 2m37s
controlplane ~ ➜ k get svc -n payroll
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
mysql ClusterIP 10.96.128.66 <none> 3306/TCP 13m
web-service ClusterIP 10.96.157.205 <none> 80/TCP 43mAnswer
controlplane ~ ➜ k exec -it hr -- nslookup mysql.payroll
Server: 10.96.0.10
Address: 10.96.0.10#53
Name: mysql.payroll.svc.cluster.local
Address: 10.96.128.66
controlplane ~ ➜ k exec -it hr -- nslookup mysql.payroll > /root/CKA/nslookup.out
controlplane ~ ➜ ls -la /root/CKA/nslookup.out
-rw-r--r-- 1 root root 111 Dec 30 23:53 /root/CKA/nslookup.out
controlplane ~ ➜ cat /root/CKA/nslookup.out
Server: 10.96.0.10
Address: 10.96.0.10#53
Name: mysql.payroll.svc.cluster.local
Address: 10.96.128.66 -
Which namespace is the Ingress Controller deployed in?
Answer
controlplane ~ ➜ k get all -A | grep -i ingress
ingress-nginx pod/ingress-nginx-admission-create-ddtp2 0/1 Completed 0 84s
ingress-nginx pod/ingress-nginx-admission-patch-nn4hl 0/1 Completed 0 84s
ingress-nginx pod/ingress-nginx-controller-5d48d5445f-zwmd9 1/1 Running 0 85s
ingress-nginx service/ingress-nginx-controller NodePort 10.103.62.71 <none> 80:30080/TCP,443:32103/TCP 85s
ingress-nginx service/ingress-nginx-controller-admission ClusterIP 10.96.188.183 <none> 443/TCP 85s
ingress-nginx deployment.apps/ingress-nginx-controller 1/1 1 1 85s
ingress-nginx replicaset.apps/ingress-nginx-controller-5d48d5445f 1 1 1 85s
ingress-nginx job.batch/ingress-nginx-admission-create 1/1 10s 85s
ingress-nginx job.batch/ingress-nginx-admission-patch 1/1 9s 84s -
What is the name of the ingress resource deployed?
Answer
controlplane ~ ➜ k api-resources | grep -i ingress
ingressclasses networking.k8s.io/v1 false IngressClass
ingresses ing networking.k8s.io/v1 true Ingress
controlplane ~ ➜ k get ing -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
app-space ingress-wear-watch <none> * 10.103.62.71 80 4m12s -
What is the Host configured on the Ingress Resource?
Answer
All Hosts (*)
controlplane ~ ➜ k api-resources | grep -i ingress
ingressclasses networking.k8s.io/v1 false IngressClass
ingresses ing networking.k8s.io/v1 true Ingress
controlplane ~ ➜ k get ing -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
app-space ingress-wear-watch <none> * 10.103.62.71 80 4m12s
controlplane ~ ➜ k describe -n app-space ingress ingress-wear-watch
Name: ingress-wear-watch
Labels: <none>
Namespace: app-space
Address: 10.103.62.71
Ingress Class: <none>
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
*
/wear wear-service:8080 (10.244.0.4:8080)
/watch video-service:8080 (10.244.0.5:8080)
Annotations: nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: false
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 4m29s (x2 over 4m30s) nginx-ingress-controller Scheduled for sync -
You are requested to change the URLs at which the applications are made available. Make the change in the given Ingress Controller.
controlplane ~ ➜ k get ing -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
app-space ingress-wear-watch <none> * 10.103.62.71 80 7m48sAnswer
controlplane ~ ➜ k edit -n app-space ingress ingress-wear-watch# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "false"
creationTimestamp: "2023-12-31T04:54:24Z"
generation: 1
name: ingress-wear-watch
namespace: app-space
resourceVersion: "910"
uid: 2e334919-c62f-4513-8400-e47ebf0eabf4
spec:
rules:
- http:
paths:
- backend:
service:
name: wear-service
port:
number: 8080
path: /wear
pathType: Prefix
- backend:
service:
name: video-service
port:
number: 8080
path: /stream
pathType: Prefix
status:
loadBalancer:
ingress:
- ip: 10.103.62.71 -
You are requested to add a new path to your ingress to make the food delivery application available to your customers.
Make the new application available at /eat.
controlplane ~ ➜ k get deploy -n app-space
NAME READY UP-TO-DATE AVAILABLE AGE
default-backend 1/1 1 1 10m
webapp-food 1/1 1 1 13s
webapp-video 1/1 1 1 10m
webapp-wear 1/1 1 1 10m
controlplane ~ ➜ k get svc -n app-space
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default-backend-service ClusterIP 10.99.131.124 <none> 80/TCP 14m
food-service ClusterIP 10.109.123.30 <none> 8080/TCP 4m5s
video-service ClusterIP 10.98.228.143 <none> 8080/TCP 14m
wear-service ClusterIP 10.109.75.46 <none> 8080/TCP 14m
controlplane ~ ➜ k get ing -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
app-space ingress-wear-watch <none> * 10.103.62.71 80 11mAnswer
controlplane ~ ➜ k edit -n app-space ingress ingress-wear-watchapiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "false"
creationTimestamp: "2023-12-31T04:54:24Z"
generation: 3
name: ingress-wear-watch
namespace: app-space
resourceVersion: "2107"
uid: 2e334919-c62f-4513-8400-e47ebf0eabf4
spec:
rules:
- http:
paths:
- backend:
service:
name: wear-service
port:
number: 8080
path: /wear
pathType: Prefix
- backend:
service:
name: video-service
port:
number: 8080
path: /stream
pathType: Prefix
- backend:
service:
name: food-service
port:
number: 8080
path: /eat
pathType: Prefix -
You are requested to make the new application webapp-pay available at /pay.
Identify and implement the best approach to making this application available on the ingress controller and test to make sure its working. Look into annotations: rewrite-target as well.
controlplane ~ ➜ k get deploy -A
NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE
app-space default-backend 1/1 1 1 16m
app-space webapp-food 1/1 1 1 7m2s
app-space webapp-video 1/1 1 1 16m
app-space webapp-wear 1/1 1 1 16m
critical-space webapp-pay 1/1 1 1 102s
ingress-nginx ingress-nginx-controller 1/1 1 1 16m
kube-system coredns 2/2 2 2 20m
controlplane ~ ➜ k get svc -n critical-space
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
pay-service ClusterIP 10.106.32.226 <none> 8282/TCP 2m13s
controlplane ~ ➜ k get ing -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
app-space ingress-wear-watch <none> * 10.103.62.71 80 17mAnswer
Do not modify the existing ingress resource. Simply create a new one.
## ingress-pay.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: minimal-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx-example
rules:
- http:
paths:
- path: /testpath
pathType: Prefix
backend:
service:
name: test
port:
number: 80controlplane ~ ➜ k apply -f ingress-pay.yaml
ingress.networking.k8s.io/pay-ingress created
controlplane ~ ➜ k get ing -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
app-space ingress-wear-watch <none> * 10.103.62.71 80 25m
critical-space pay-ingress <none> * 80 7s -
Deploy an Ingress Controller.
- First, create a namespace called ingress-nginx.
- The NGINX Ingress Controller requires a ConfigMap object. Create a ConfigMap object with name ingress-nginx-controller in the ingress-nginx namespace.
- The NGINX Ingress Controller requires two ServiceAccounts. Create both ServiceAccount with name ingress-nginx and ingress-nginx-admission in the ingress-nginx namespace. Use the spec provided below.
- Name: ingress-nginx
- Name: ingress-nginx-admission
- The roles, clusterroles, rolebindings, and clusterrolebindings have been created
- Create the Ingress Controller using the /root/ingress-controller.yaml. There are several issues with it. Try to fix them.
- Finally, create the ingress resource to make the applications available at /wear and /watch on the Ingress service. Also, make use of rewrite-target annotation field.
- Path: /wear
- Path: /watch
Answer
controlplane ~ ➜ k create ns ingress-nginx
namespace/ingress-nginx created
controlplane ~ ➜ k get ns
NAME STATUS AGE
app-space Active 67s
default Active 8m20s
ingress-nginx Active 2s
kube-flannel Active 8m14s
kube-node-lease Active 8m20s
kube-public Active 8m20s
kube-system Active 8m20sCreate the ConfigMap.
controlplane ~ ➜ k create configmap ingress-nginx-controller --namespace ingress-nginx $do
apiVersion: v1
kind: ConfigMap
metadata:
creationTimestamp: null
name: ingress-nginx-controller
namespace: ingress-nginx
controlplane ~ ➜ k create configmap ingress-nginx-controller --namespace ingress-nginx $do > cm-ingress-nginx-controller.yml
controlplane ~ ➜ k create configmap ingress-nginx-controller --namespace ingress-nginx
configmap/ingress-nginx-controller created
controlplane ~ ➜ k get cm -n ingress-nginx
NAME DATA AGE
ingress-nginx-controller 0 53s
kube-root-ca.crt 1 3m18sNext, create the service accounts.
controlplane ~ ➜ k create sa ingress-nginx-admission --namespace ingress-nginx $do
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: ingress-nginx-admission
namespace: ingress-nginx
controlplane ~ ➜ k create sa ingress-nginx-admission --namespace ingress-nginx $do > sa-ingress-nginx-admission.yml
controlplane ~ ➜ k create sa ingress-nginx-admission --namespace ingress-nginx
serviceaccount/ingress-nginx-admission created
controlplane ~ ➜ k create sa ingress-nginx --namespace ingress-nginx
serviceaccount/ingress-nginx-admission created
controlplane ~ ➜ k get sa -n ingress-nginx
NAME SECRETS AGE
default 0 8m53s
ingress-nginx 0 67s
ingress-nginx-admission 0 14sFix the ingress-controller.yaml and apply afterwards.
## ingress-controller.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --watch-ingress-without-class=true
- --default-backend-service=app-space/default-http-backend
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- name: http
containerPort: 80
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
nodePort: 30080
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: NodePortcontrolplane ~ ➜ k get -n ingress-nginx po
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-wtzf6 0/1 Completed 0 7m32s
ingress-nginx-controller-cc9f46d74-fmc65 0/1 Running 0 13s
controlplane ~ ➜ k get -n ingress-nginx svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.104.168.175 <none> 80:30080/TCP 18s
ingress-nginx-controller-admission ClusterIP 10.105.49.126 <none> 443/TCP 7m37sNext, create the ingress resource. But first, get the services in the app-space namespace.
controlplane ~ ➜ k get svc -n app-space
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default-http-backend ClusterIP 10.104.25.24 <none> 80/TCP 29m
video-service ClusterIP 10.97.188.119 <none> 8080/TCP 29m
wear-service ClusterIP 10.98.183.145 <none> 8080/TCP 29m## ingress-resource.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app-ingress
namespace: app-space
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx-example
rules:
- http:
paths:
- path: /wear
pathType: Prefix
backend:
service:
name: wear-service
port:
number: 8080
- path: /watch
pathType: Prefix
backend:
service:
name: video-service
port:
number: 8080controlplane ~ ➜ k apply -f ingress-resource.yaml
ingress.networking.k8s.io/app-ingress created
controlplane ~ ➜ k get ing -n app-space
NAME CLASS HOSTS ADDRESS PORTS AGE
app-ingress nginx-example * 80 12s