zeevallin / kubernetes-faq

Learn @kubernetes 🌈

Kubernetes FAQ

Learn Kubernetes by answering simple questions about it!

Flashcards included for spaced repetition.

Table of Contents

  1. Admission
  2. Auditing
  3. Authentication
  4. Authorization
  5. Cluster Architecture
  6. Cluster Security
  7. Configuration
  8. Container Security
  9. Deployments
  10. Nodes
  11. Pods
  12. Services
  13. Storage
  14. etcd

Admission

Admission Control Modules are software modules that can _____ or _____ requests. modify reject
Admission Control Modules can access the contents of the Kubernetes object that is being _____ or _____. created modified
Can Admission controllers act on requests that create an object? Yes
Can Admission controllers act on requests that delete an object? Yes
Can Admission controllers act on requests that connect (proxy) to an object? Yes
Can Admission controllers act on requests that read an object? No
An admission controller module rejects a request. What happens to the request? It is immediately rejected.
Can admission controllers set complex defaults for fields? Yes
Does the admission or validation of a request happen first? admission
Can resource quotas improve security by preventing internal denial of service attacks? Yes
Open Policy Agent can manage your _____ controllers in order to block K8S features (like being able to run containers as root) from multiple teams. admission 
Is admission control's NodeRestriction enabled by default? No!

Auditing

Kubernetes _____ provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators or other components of the system. auditing
Audit records begin their lifecycle inside the _____ Kubernetes component. kube-apiserver
Each request on each stage of its execution generates an audit _____, which is then pre-processed according to a certain policy and written to a backend. event
Audit logging usually _____ the memory consumption of the API server because some context required for auditing is stored for each request. increases 
Audit _____ objects define rules about what events should be recorded and what data they should include. policy
When an event is processed, it's compared against the list of Audit Policy rules in order. The first matching rule sets the "_____" of the event. audit level
The four audit levels are:
  • _____ - don't log these events.
  • _____ - log request metadata (requesting user, timestamp, resource, verb, etc.).
  • _____ - log event metadata and request body.
  • _____ - log event metadata, request body and response bodies.
None, Metadata, Request, RequestResponse
Audit _____ persist audit events to an external storage. backends
The _____ audit backend writes events to a disk log. log
Can you use log collectors like fluentd to collect/distribute Kubernetes audit events from log files? Yes
Can you use log collectors like logstash to collect/distribute Kubernetes audit events from the webhook audit backend? Yes
Kubernetes _____ allows cluster administrators to learn about the context of clusters events: What happened, when, where, who initiated it and from where. auditing
The audit _____ determines what events are recorded and which backends (logs or webhooks) persist the records. policy 
The _____ audit backend sends events to an external API. webhook
_____ failures might suggest a misconfigured service account, or the presence of an attacker. RBAC audit
What are some tools with which clusters can be audited? Sonobuoy

Authentication

Suppose you have several clusters, and your users and components authenticate in a variety of ways. For example:
  • A running kubelet might authenticate using certificates.
  • A user might authenticate using tokens.
  • Administrators might have sets of certificates that they provide to individual users.
With _____ files, you can organize your clusters, users, contexts, and namespaces. kubeconfig
A file that is used to configure access to clusters is called a _____ file. kubeconfig
A _____ element in a kubeconfig file is used to group access parameters under a convenient name. context
The KUBECONFIG environment variable holds a list of _____ kubeconfig files
The command _____ finds the clusters available to you inside your kubeconfig file. kubectl config get-contexts
Kubernetes authentication examines the incoming HTTP request's _____ and _____. headers certificate
Are Client Certificates a valid authentication module? Yes
Are passwords a valid Kubernetes authentication module? Yes
Are plain, bootstrap and JWT tokens a valid Kubernetes authentication module? Yes
If a request cannot be authenticated, it is rejected with status code _____ 401
Although Kubernetes uses "_____" for access control decisions and logging, it does not store or even define any concrete "user" object. usernames 
Kubernetes has two categories of users: _____ and _____. normal users and service accounts
Can normal users be added to a cluster through an API call? No
What is the Kubernetes API object that represents a normal user? There is none!
Any request that presents a valid certificate signed by _____ is considered authenticated.  the cluster's certificate authority (CA)
_____ are users managed by the Kubernetes API. Service accounts
Are service accounts bound to specific namespaces? Yes
Service accounts are tied to a set of credentials stored as _____, which are mounted into _____ allowing in-cluster processes to talk to the Kubernetes API. Secrets pods
API requests are tied to either a normal user or a service account, or are treated as _____. anonymous requests
Are client certificates a valid authentication method? Yes
Are bearer tokens a valid authentication method? Yes
Are authentication proxies a valid authentication method? Yes
Is basic auth a valid authentication method? Yes
_____ are a set of strings, each of which indicates the user's membership in a named logical collection of users. Groups 
You can enable multiple authentication methods at once. You should usually use at least two methods: one for _____ and one for _____. normal users service accounts
The _____ group is included in the list of groups for all authenticated users. system:authenticated 
Authentication protocols (LDAP, SAML, Kerberos, etc.) can be integrated by using an _____ or an _____. authenticating proxy authentication webhook
By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as _____ requests. anonymous
Your cluster user credentials can be found in _____ on your local machine. kubeconfig
Your current, in-use cluster is stored in _____ on your local machine. the kubeconfig file
Your current, in-use cluster namespace is stored in _____ on your local machine. the kubeconfig file
Kubernetes determines the username of an incoming request from the common name in the subject field of the _____ (e.g., "/CN=IcelynJennings"). certificate
The command _____ lists service accounts. kubectl get sa

Authorization

A better alternative to applying RBAC resources is the command _____. It causes semantically-aware merging of rules and subjects. Missing objects/namespaces are created if required. kubectl auth reconcile
The _____ and _____ objects contain sets of additive authorization permissions. Role and ClusterRole
A _____ grants a role's permissions to a set of users, groups or service accounts. RoleBinding
Pods that need to connect to the apiserver can automatically inject the _____ certificate and a valid _____ into themselves via a service account. public root bearer token
After the request is authenticated as coming from a specific user, the request must be _____. authorized
A request must include the _____ of the requester, the requested _____, and the _____ affected by the action. username action object
When an administrator creates a cluster, they configure the authorization modules that should be used in the API server. The default ones are _____, _____, and _____. ABAC RBAC Webhook
If a request is authorized by an authorization module, does it get checked by other authorization modules before proceeding? No - it's immediately authorized.
Does a user need a Role and RoleBinding to access Kubernetes resources? Yes
Kubernetes authorizes API requests at the _____. kube-apiserver
An attacker authorized to create objects can escalate their privileges further by creating _____ that can read secrets and edit their privileges, or that run under a _____ with greater permissions. pods serviceaccount
Is Kubelet RBAC enabled by default? No!!!
A request is authorized if an existing policy declares that the user has permissions to complete the requested _____. action
An authorization request is denied with status code _____. 403
Pods that do not need to use the api server should have their default _____ disabled for security. service account
Is RBAC enabled for a new cluster by default? No!

Cluster Architecture

An object's _____ status field denotes its parent object. If empty, the child object will be garbage collected and removed. metadata.ownerReference
Managing multiple clusters as one, known as _____, requires many considerations to implement, such as cross-cluster DNS, service discovery, load balancing and resource sync. Cluster federation
An object's _____ field is a list of string items which must be removed from the list before the object can ever be deleted from the cluster. The permission to remove these items is explicitly given to desired actors. metadata.finalizers
ClusterRoles can be created by combining other ClusterRoles using an _____. aggregationRule
Selectable and attachable key/value pairs on objects such as pods are called _____. Labels
A _____ is an extension of the Kubernetes API. Many core Kubernetes functions are now built using them, making Kubernetes more modular. custom resource
Each of a Service's ports can specify the application protocol to use via the _____ field. AppProtocol
When a process in the container tries to consume more than the allowed amount of memory, the system kernel _____ the process that attempted the allocation, with an _____ error. terminates OOM (Out of Memory)
_____ are key-value pairs that identify resources, and can be used with _____ to match a specified group of resources. Labels Selectors
The Kubernetes Master is a collection of three processes that run on a single node in your cluster. These processes are _____. kube-apiserver, scheduler, kube-controller-manager
By decoupling the interoperability logic between Kubernetes and the underlying cloud infrastructure, _____ enables cloud providers to release features at a different pace compared to the main Kubernetes project. cloud-controller-manager
The _____ is the only way to access ExternalName Services. Kubernetes DNS server
Even though health checks are not exposed directly through the Ingress, there exist parallel concepts in Kubernetes such as _____ that allow you to achieve the same end result. readinessProbes
In a LoadBalancer service, the _____ annotation removes the double-hop problem by allowing users to define their own balancing. OnlyLocal
In a Kubernetes cluster, the components on the worker nodes - kubelet and kube-proxy - need to communicate with Kubernetes master components, specifically _____. kube-apiserver
_____ allow you to create your own custom Kubernetes objects, to store any data you wish. Custom Resource Definitions (CRDs)
A _____ is like a virtual cluster inside the Kubernetes cluster. namespace
Kubernetes system processes are inside the _____ namespace. kube-system
Public data in the Kubernetes cluster is inside the _____ namespace. kube-public
Can you use K8S resources across namespaces? No - except Services.
The command kubectl _____ shows global (non-namespaced) resources. kubectl api-resources --namespaced=false
For some Services, you need to expose more than one port. Kubernetes lets you configure multiple port definitions on a Service object. When using multiple ports for a Service, you must give all of your ports _____ so that these are unambiguous. names
The _____ service type exposes the Service externally using a cloud provider's load balancer. LoadBalancer
The component that creates, annotates, destroys nodes and gets their information (like hostname, address or health) is called the... Node controller
The _____ is a daemon that embeds the core control loops shipped with Kubernetes. kube-controller-manager
All API usage from nodes and pods terminates at the following control plane components: apiserver only.
A Service can map any incoming port to a _____. By default and for convenience, it has the same value as the port field. targetPort

Cluster Security

Nodes should be provisioned with valid client credentials and a _____ certificate to connect to the apiserver. public root certificate
Does the apiserver verify the kubelet's serving certificate by default? No. The connection is subject to MITM attacks by default.
The kubelet uses _____ for authenticating to the Kubernetes API. certificates (with 1 year expiration)
kubelet _____ is a feature that automatically generates a new key and requests a new certificate from the Kubernetes API before the current certificate's expiration. certificate rotation
The _____ kubelet flag controls its automatic certificate rotation. --rotate-certificates
The command _____ views the status of certificate signing requests. kubectl get csr
A kubelet's certificate signing request (CSR) will initially have a status of Pending. If the CSR meets specific criteria, it will become Approved by the _____. kube-controller-manager
Whenever a kubelet retrieves a new signed certificate from the Kubernetes API it will write it to the _____. disk
When a kubelet starts, it looks for its _____ file, retrieves the _____ URL and credentials (normally a TLS key and signed cert), then attempts to communicate to it. kubeconfig kube-apiserver
A kubelet's kubeconfig file requires _____ inside it to connect to kube-apiserver. a key and a cert
Does a kubelet's kubeconfig require a certificate signed by a CA (Certificate Authority) trusted by kube-apiserver? Yes
Do you need to distribute a CA certificate to each kubelet? No - only the master nodes where kube-apiserver is running.
Do you need to distribute a key and signed certificate for each kubelet? Yes - ideally unique ones.
A Certificate Authority _____ and _____ are required to sign kubelet certificates. key and certificate
A kubelet's initial bootstrap credentials for TLS can be either authentication file _____, or "bootstrap" tokens. tokens
When TLS bootstrapping, the kubelet must be able to authenticate as a user with the rights to create and retrieve _____. CSRs
In order to approve CSRs, you allow the _____ to approve them. kube-controller-manager
Kubelet's _____ kubeconfig field points to a CA file used to validate the server certificate presented by kube-apiserver. certificate-authority
The command _____ approves a CSR. kubectl certificate approve <cert>
The command _____ denies a CSR. kubectl certificate deny <cert>
Once Cluster TLS is established, incoming requests can begin the _____ step when trying to communicate to the cluster. Authentication
When a request reaches kube-apiserver, it goes through several stages: _____, _____, and _____. Authentication, Authorization, Admission Control
The _____ resource type allows a client to ask for an X.509 certificate to be issued, based on a signing request. CertificateSigningRequest
A _____ resource is used to request that a certificate be signed by a denoted signer, after which the request may be approved or denied before finally being signed. CertificateSigningRequest (CSR)
The CertificateSigningRequest object includes a _____-encoded PKCS#10 signing request in the spec.request field. PEM
The CertificateSigningRequest denotes the _____ (the recipient that the request is being made to) using the spec.signerName field. signer
Once created, a CertificateSigningRequest must be approved before it can be _____. signed
A normal user must have a certificate issued by the Kubernetes cluster, and then present it to the API call as the Certificate _____, or through kubectl. Header
A CSR object requires a request value, which can be generated via _____ for example. openssl
Kubernetes requires _____ certificates for authentication over TLS. PKI
PKI certificates are usually stored in the _____ directory. /etc/kubernetes/pki
Can network segmentation improve Kubernetes security? Yes
The API server should have a _____ restricting it to be accessible only by specific IPs. firewall
Should you rotate your kubelet certs periodically? Yes
A _____ like Istio can trace and profile requests inside a cluster. An administrator can then disable the possibility to make requests that aren't expected to ever happen. service mesh
Can service meshes encrypt in-cluster traffic (and automatically rotate certificates)? Yes
Tools like _____ can benchmark your cluster. kube-bench
Once an attacker has control of your Kubernetes node, can they potentially access the cloud provider's _____ to exfiltrate credentials to your cloud account? user and metadata APIs
Which K8S object can prevent an attacker inside a pod from running the services of another pod? NetworkPolicy
A public image registry might be compromised, so it is useful to use _____ registries. dedicated, private
Does a service mesh make your workloads more isolated by default? Yes
_____ objects require a specific backend running in the cluster that implements them, such as Calico or Flannel. NetworkPolicy
A _____ object can divide your apps into in-cluster network tiers, locking them down by default, with the ability to specifically allow communication between them, or between namespaces. NetworkPolicy
A NetworkPolicy uses _____ to specify how groups of pods are allowed to communicate with each other and other network endpoints. labels
NetworkPolicies don't usually conflict with each other. If several policies select a pod, it becomes restricted to what is allowed by the _____ of those policies' ingress/egress rules. union
Once there is any _____ in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by it. NetworkPolicy
You can secure an Ingress by specifying a Secret that contains a TLS _____ and _____. private key and certificate

Configuration

The resources for storing sensitive information in Kubernetes are _____. Secrets
One cpu, in Kubernetes request/limit terms, is equivalent to 1 _____ on bare-metal Intel processors. hyperthread
There is a concern that one Pod or Container could monopolize all available resources. A _____ is a policy to constrain resource allocations (to Pods or Containers) in a namespace. LimitRange
A _____ provides constraints that limit aggregate resource consumption per namespace. It can limit the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that project. ResourceQuota
Do containers run with unbounded compute resources on a Kubernetes cluster? By default - yes. Limits and ResourceQuotas are recommended.
You can enforce minimum and maximum compute resource usage per Pod or Container in a namespace using a _____. LimitRange
You can enforce minimum and maximum storage requests per PersistentVolumeClaim in a namespace using a _____. LimitRange
You can enforce a ratio between request and limit for a resource in a namespace using a _____. LimitRange
You can set default requests/limits for compute resources in a namespace and automatically inject them into Containers at runtime using a _____. LimitRange
The _____ is the primary object for storing configuration data in Kubernetes. You can supply that data to an application either by creating a file in the Pod, or by injecting it into the Pod's environment. ConfigMap
The Kubernetes alpha feature _____ provides an option to set individual Secrets and ConfigMaps as immutable. For clusters that extensively use ConfigMaps (at least tens of thousands of unique ConfigMap to Pod mounts) Immutable Secrets and ConfigMaps
You can significantly reduce load on kube-apiserver and improve cluster performance by closing watches for secrets or config maps and setting them as _____. immutable
If the node where a Pod is running has enough of a resource available, it's allowed for a container to use more resources than defined in its resource _____. However, a container is not allowed to use more than its resource _____. request limit
The administrator creates one LimitRange per _____. namespace
To define default CPU limit and request to 150m and memory default request to 300Mi for Containers started with no cpu and memory requests in their specs, you could use... LimitRange
One cpu, in Kubernetes request/limit terms, is equivalent to 1 _____ for cloud providers. core
When a config map currently consumed in a volume is updated, are projected keys inside the Pods eventually updated as well? Yes The kubelet checks whether the mounted config map is fresh on every periodic sync. However, the kubelet also uses its local configurable cache for getting the current value of the ConfigMap. 
When several users or teams share a cluster with a fixed number of nodes, there is a concern that one team could use more than its fair share of resources. _____ is a tool to address this concern. ResourceQuota
A malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted or not get scheduled. An administrator can use _____ to prevent users from creating pods at high priorities. ResourceQuota
If the data you want to store is confidential, use a _____ rather than a ConfigMap. Secret
A _____ is an API object used to store non-confidential data in key-value pairs. Pods can consume them as environment variables, command-line arguments, or as configuration files in a volume. ConfigMap
Mounting ConfigMaps in a Pod is done in its .spec._____ field. volumes
The command _____ creates a new Kubernetes Secret. kubectl create secret
Should you set resource limits for all containers? Yes
Outside CPU-intensive jobs, it's good to set container CPU requests up to _____. 1 CPU
A CPU limit of 1 means 1 CPU second per _____. second
A process with one thread cannot consume more than _____. The more threads, the less time it takes to consume it. 1 CPU second per second
Is it necessary to set CPU limits for your app? Usually no. https://medium.com/@betz.mark/understanding-resource-limits-in-kubernetes-cpu-time-9eff74d3161b
If you don't set limits for each container, the limits will be inferred from the namespace's _____, if set. LimitRange

Container Security

The 4C's of Cloud Native security are _____, _____, _____ and _____. Cloud, Clusters, Containers and Code
_____ allow defining privilege and access controls per Pod or per container. securityContexts
The three PodSecurityPolicy types are _____, _____ and _____. Privileged, Restricted, Default
_____ objects contain sensitive aspects of pod specification, such as the conditions they must meet or their default fields. PodSecurityPolicy
Can Snyk improve container security? Yes
AppArmor profiles are specified per _____. container
To specify the AppArmor profile to run a Pod container with, add the profile-specifying _____ into the Pod's metadata. annotation
Do AppArmor profiles have to be loaded onto the host before applying the annotation? Yes - except the container runtime's default profile.
The command _____ verifies that a container's root process is running the correct AppArmor profile by checking its /proc/1/attr/current file. kubectl exec <pod> cat /proc/1/attr/current
Do you usually need to upload AppArmor profiles to all of your nodes? Yes - since you don't know which node the pod will be scheduled to.
Containers in production should be running as a non-root user, which is set in their securityContext via _____. runAsNonRoot: true
You can improve a container's security by dropping Linux _____ such as "all", "CHOWN", "NET_RAW", "SETPCAP" via the securityContext. capabilities
Containers should ideally run with read-only root filesystems, set in their security contexts via _____. readOnlyRootFilesystem: true
Does container/host operating system scanning improve security? Yes
Should you enforce image signing in production? Yes
Once an attacker gets control of a container, they might obtain control of the _____ it runs on, and then the internal network. node
By default, any Pod in a cluster gets a service account with certain permissions allowing it to communicate with the API server. This service account should be disabled for Pods that never need to talk to the API server, as an attacker could otherwise steal the _____. auth token
Attackers can break out of the container by exploiting the _____, _____, etc. container runtime kernel
Setting securityContext._____ to false makes it harder to escalate privileges inside a container. allowPrivilegeEscalation
Tools like _____ or _____ are able to sandbox Pods from each other on the same host, giving you two additional layers of isolation - the Sandbox and the Container Linux Kernel. gVisor kata containers
_____ is a user space kernel that can intercept and implement syscalls in userspace, effectively sandboxing the Pod to an environment with low capabilities and restricted seccomp filters. gVisor
True or False? Kubernetes obviously automatically applies its own container runtime's default seccomp and AppArmor profiles to Pods, so no extra annotations must be applied to them. FALSE! A Kubernetes Pod has LESS default restrictions applied than if it were run directly from a container runtime.
A Pod has free access to the Internet. Can an attacker use this to download exploits? Yes
A container has network access to a /metrics endpoint. Could an attacker potentially find almost everything about the cluster from inside the container by reading cAdvisor/Heapster output at the endpoint? Yes
Tools like _____ audit the OS, container runtime, and K8S configuration using CIS benchmarks. kube-auto-analyzer, kube-bench
Can maintaining standard, secure base images for all containers improve overall workload security? Yes
To improve security, you could ideally collect logs from all containers - but especially _____ access/deny logs. RBAC
The default Pod service account token can be disabled by setting _____. automountServiceAccountToken: false
Cluster-wide _____ objects can enforce container restrictions, thus protecting the node they run on. PodSecurityPolicy
PodSecurityPolicies are _____-level resources. Cluster
A _____ is a cluster-level resource that controls security sensitive aspects of the Pod specification. Pod Security Policy
Should you minimise user privilege inside your containers in production? Yes

Deployments

Jobs on a repeating schedule are called _____. CronJobs
One CronJob object is like one line of a _____ file. It runs a job periodically on a given schedule, written in Cron format. crontab
Can CronJobs be used for running backups? Yes
Because it is not guaranteed that only one job will launch per execution time of its schedule, Jobs should be _____. idempotent
A CronJob is counted as _____ if it has failed to be created at its scheduled time. missed
A job's default parallelism value is 1. If it is set to _____ instead, then the Job is paused until it is increased. 0
A job's _____ is the number of Job pods running at any instant. parallelism
A Kubernetes resource which ensures that all (or some) Nodes run a copy of a Pod is the _____. DaemonSet
What will happen to ReplicaSet pods inside a node when that node gets deleted? These pods will be replaced on another node, or nodes.
Like a Deployment, a StatefulSet manages Pods that are based on an identical container spec. Unlike a Deployment, a StatefulSet maintains a _____ for each of its Pods. sticky identity
An application requires several of the following:
  • Stable, unique network identifiers.
  • Stable, persistent storage.
  • Ordered, graceful deployment and scaling.
  • Ordered, automated rolling updates.
Which workload object could work best?
StatefulSet
Will deleting or scaling a StatefulSet down also delete the volumes associated with it? No
A ReplicaSet is linked to its Pods via their _____ field. It's through this link that the ReplicaSet knows of the state of the Pods it is maintaining and plans accordingly. metadata.ownerReferences
_____ is an object which can own ReplicaSets and update them and their Pods via declarative, server-side rolling updates. Deployment
Is running a logs collection daemon on every node a valid DaemonSet use case? Yes
Can you perform a rolling update on a DaemonSet? Yes
The _____ provides a TTL (time to live) mechanism to limit the lifetime of resource objects that have finished execution. TTL controller
All CronJob schedules are based on the timezone of _____. the kube-controller-manager
If a CronJob's concurrencyPolicy is set to Forbid, and a run is attempted while a previous run is still in progress, then that run counts as _____. missed
The number of old ReplicaSets to retain for rollback is defined in a deployment's .spec._____ field. revisionHistoryLimit
StatefulSet manages the deployment and scaling of a set of Pods, and provides guarantees about the _____ and _____ of these Pods. ordering and uniqueness
If an application doesn't require any stable identifiers or ordered deployment, you should deploy your application using a _____ - a workload object that provides a set of stateless replicas. Deployment
A ReplicaSet identifies new Pods to acquire by using its _____. If there is a Pod that has no OwnerReference, or the OwnerReference is not a Controller and the _____ matches, it will be immediately acquired by said ReplicaSet. selector
Is running a cluster storage daemon on every node a valid DaemonSet use case? Yes
Pods waiting to be scheduled are usually created in Pending state. Are DaemonSet pods created in Pending state? No - it is an inconsistency due to being scheduled by the DaemonSet controller.
When Pod preemption is enabled, does the DaemonSet controller consider pod priority and preemption when making scheduling decisions? No - Pod preemption is handled by the default scheduler, DaemonSet pods are scheduled by the DaemonSet controller.
If node labels are changed, the DaemonSet will _____ Pods to newly matching nodes. Add
If node labels are changed, the DaemonSet will _____ Pods from newly non-matching nodes. Delete
Can CronJobs be used for sending e-mails? Yes
The CronJob controller counts how many jobs have been missed in the last X seconds, but only if a CronJob's _____ field is set. startingDeadlineSeconds
A _____ creates one or more Pods and ensures that a specified number of them successfully terminate. As pods successfully complete, it tracks the successful completions until a certain number of successful completions is reached. Job
For a fixed completion count Job, you should set its .spec._____ field. completions
A _____ ensures that all (or some) Nodes run a copy of a Pod. DaemonSet
What will happen (by default) to DaemonSet pods inside a node when that node gets deleted? These pods will be garbage collected.
If you want to use storage volumes to provide persistence for your workload, you can use a _____. Although its Pods are susceptible to failure, the persistent Pod identifiers make it easier to match existing volumes to the new Pods that replace any that have failed. StatefulSet
StatefulSets do not provide any guarantees on the termination of pods when a StatefulSet is deleted. To achieve ordered and graceful termination of the pods in the StatefulSet, it is possible to... scale the StatefulSet down to 0 prior to deletion
Is running a node monitoring daemon on every node a valid DaemonSet use case? Yes
Normally, the node that a Pod runs on is selected by the Kubernetes scheduler. However, DaemonSet pods are created and scheduled by _____ instead. the DaemonSet controller
DaemonSets are similar to Deployments in that they both... create Pods, with processes which are not expected to terminate (web servers, storage servers etc).
Every dependent (i.e. owned) object has a metadata._____ field that points to the owning object. The owning object is usually a Job, CronJob, Deployment, DaemonSet, StatefulSet, ReplicationController, ReplicaSet. ownerReferences
Identical Pods in a deployment are referred to as _____ Replicas
_____ run a Pod a specified number of times before completing. _____ run a Pod periodically at specified times. Jobs CronJobs
A Deployment is supposed to have 5 pods at any given time, with .spec.replicas: 5. If a PodDisruptionBudget allows for there to be 4 at a time, then how many pods at a time are allowed to be voluntarily disrupted by the Eviction API? One
Are controllers (like deployment or statefulset) limited by PDBs when doing rolling updates? No! The handling of failures during application updates is configured in the controller spec.
When deleting a DaemonSet with kubectl, you can specify the flag _____, then the Pods will remain on the nodes.  --cascade=false
Given that you can start daemon processes on a node directly via systemd, why use a DaemonSet?
  • Ability to monitor and manage logs for daemons in the same way as applications.
  • Same config language and tools (e.g. Pod templates, kubectl) for daemons and applications.
  • Running daemons in containers with resource limits increases isolation between daemons from app containers. However, this can also be accomplished by running the daemons in a container but not in a Pod (e.g. start directly via Docker).

_____ allow you to schedule one copy of a Pod on every node (for example, a logging agent). DaemonSets
_____ start and stop Pod replicas in a specific numbered sequence, allowing you to address each by a predictable DNS name. This is ideal for clustered applications, such as databases. StatefulSets 
Does deleting deployments or pods bypass PodDisruptionBudgets? Yes
Minimum time in seconds for which a new pod should be ready to be considered available is defined in deployment.spec._____ minReadySeconds
The count of hash collisions for a deployment is stored in its deployment.deploymentstatus._____ status field. It is used for collision avoidance. collisionCount
_____ differ from Deployments in that Pods are created sequentially, each given an incrementing index number.  StatefulSets

Nodes

The 3 possible values for volume.spec.accessMode are:
  • _____ - Can be used by 1 node
  • _____ - Can be used by many nodes
  • _____ - Can be read from many nodes
ReadWriteOnce ReadWriteMany ReadOnlyMany
_____ allow a node to repel a set of Pods, based on certain properties of the node. Taints
A _____ is a worker machine in Kubernetes and may be either a virtual or a physical machine, depending on the cluster.  Node
To prevent a kubelet from self-registering the node in the control-plane, you could pass the _____ flag. --register-node=false
A node's _____ condition is True when its disk capacity is low. DiskPressure
A Node's _____ condition is True when the node's memory is low. MemoryPressure
A Node's _____ condition is True when there are too many processes running. PIDPressure
A Node's _____ condition is True when its network is not correctly configured. NetworkUnavailable
Node heartbeats are sent by... kubelet
The .spec._____ field is a preference-order list of Node labels, which will be used to sort endpoints when accessing this Service. Traffic will be directed to a Node whose value for the first label matches the originating Node's value for that label. If there is no backend for the Service on a matching Node, then the second label will be considered, and so forth, until no labels remain. topologyKeys
A Node's "Ready" status is False when... It's unhealthy and not accepting pods
A _____ is a VM or a physical computer that serves as a worker machine in a Kubernetes cluster. Node
A node's _____ contains four domains of information - its Addresses, Conditions, Capacity/Allocatable and Info. status
Addresses in a node's status include... HostName, InternalIP, ExternalIP
Capacity fields describe the total amount of _____ that a Node has. resources
The Kubernetes control plane component that manages various aspects of nodes is the... Node controller
The three roles of the Node Controller in a Node's life are... CIDR block assignment, synchronizing the internal list of nodes, node health monitoring
Two types of node heartbeats: NodeStatus updates, Lease object
A Node's Info status field describes general information about a node, such as: operating system, node component versions
_____ enables a service to route traffic based upon the Node topology of the cluster.  Service Topology
A Service can specify that traffic be preferentially routed to endpoints that are on the same Node as the client, or in the same availability zone by using _____ Service Topology
A Node's "Ready" status is Unknown when... 40 seconds have passed since the Node Controller has heard from the node
In terms of network, the Node Controller assigns a _____ to a Node upon its registration. CIDR block
Which Kubernetes component is responsible for a node's self-registration into the control plane? kubelet
A node is reachable by the API server but its Ready condition has remained False or Unknown for longer than the kube-controller-manager's pod-eviction-timeout. What happens to the Pods on the node? All Pods on the node are scheduled for deletion by the node controller
Allocatable describes the amount of the Node's resources that are _____ available to be consumed by Pods
If an incoming Pod has spec.nodeSelector or spec.affinity.nodeAffinity defined, nodes not matching them will be... bypassed
You can control Service traffic routing by specifying the .spec._____ field.  topologyKeys 
An EndpointSlice's Endpoints can contain labels about its topology information, such as...
  • Node - kubernetes.io/hostname
  • Zone - topology.kubernetes.io/zone
  • Region - topology.kubernetes.io/region
A Node's "Ready" status is True when... It's healthy and accepts pods
_____ are a way of tagging nodes with specific information; usually, about node problems or failures. By default, Pods won't be scheduled on nodes with them. Taints
The kubernetes components inside a worker node are... kubelet, kube-proxy, container runtime
_____ allow a Pod to be scheduled on nodes with a specific taint. You can use this mechanism to run certain Pods only on dedicated nodes. Tolerations
Pod _____ express a preference for Pods to be scheduled on the same node as other Pods, when they benefit from it. affinities
If two Nodes are labelled with one topologyKey and have identical values for that label, the scheduler tries to place a _____ number of Pods into each topology domain balanced
You can use _____ to control how Pods are spread across your cluster among failure-domains (regions, zones, nodes or user-defined domains). topology spread constraints
topologyKey is... The key of node labels. 
If two Nodes are labelled with one topologyKey and have identical values for that label, the scheduler treats both Nodes as being in the same _____  topology 
_____ attract or repel Pods to or from nodes with specified attributes. For example, you can specify that a Pod can only run on a node in a specified availability zone. Node affinities
While _____ can block a Pod from running on a node, _____ are more like suggestions to the scheduler. You can combine multiple, with different weights. hard node affinities soft node affinities
The controller that creates services, endpoints and updates iptables on each node is _____ kube-proxy
The LoadBalancer Service creates an external IP address, but itself does not know any Pod IP's. Instead, it chooses a _____ to send packets to. Node
A node's _____ tell an incoming packet where in the node to go. iptables
When running several copies of your Pod for the sake of fault tolerance, the _____ they are running on may still fail. It's important to place your Pods across several of them. nodes
Restricting access to your cluster _____ can prevent privilege escalation to your cloud provider. nodes / VMs (especially master)
Node heartbeats are inside the _____ namespace. kube-node-lease
Are nodes namespaced? No
Which taints are tolerated by default by Pods? None
Taints are set on _____ nodes
Tolerations are set on _____ Pods
Do taints and tolerations guarantee which node a Pod will be scheduled to? No - you need Node Affinity
Every node in a Kubernetes cluster runs a _____, responsible for implementing a form of virtual IP for Services of type other than ExternalName. kube-proxy

Pods

When you run a Pod on a Node, the Pod itself takes an amount of system resources. These resources are additional to the resources needed to run the container(s) inside the Pod. _____ is a feature for accounting for the resources consumed by the Pod infrastructure on top of the container requests & limits. Pod Overhead
Can a Pod have a single IPv4 and IPv6 address assigned? Yes - via enabling IPv4/IPv6 dual-stack.
Pod Overhead is set at _____ time according to the overhead associated with the Pod's _____. When enabled, it is considered in addition to the sum of container resource requests when scheduling a Pod. Similarly, Kubelet will include the Pod overhead when sizing the Pod cgroup, and when carrying out Pod eviction ranking. admission RuntimeClass
The _____ ensures a specific number of pod replicas are running at any one time across nodes replication controller
A Pod can opt out of being modified by PodPresets altogether via the metadata _____ podpreset.admission.kubernetes.io/exclude: "true" annotation
Containers within a single pod share _____ and _____ resources. storage and network
Ready, ContainerReady, lastProbeTime, reason. These are the types of latest variable observations of an object's state called _____, used when the details of an observation are not known a priori, or would not apply to all instances of a given Kind. Conditions
The role of the Kubernetes garbage collector is to delete certain objects that once had _____, but no longer have one. an owner
When you delete an object, you can specify whether the object's dependents are also deleted automatically. Deleting dependents automatically is called a _____ deletion. cascading
When configuring a container, the _____ field allows you to pass a secret that contains a Docker (or other) image registry password. imagePullSecrets 
Does a Service load balance traffic across multiple Pods? Yes
Containers within a single pod share network resources - _____ and _____ IP address and port space
A _____ is an API resource for injecting additional runtime requirements into a label-selected Pod at creation time. Pod Preset
A logical group of containers with shared network and storage and specifications for how to run each is called a _____ Pod
Are containers in a Pod automatically co-located and co-scheduled on the same node? Yes
Can a pod's containers share resources, dependencies, communicate with each other and coordinate their lifecycle? Yes
A pod's _____ is the high-level summary of where the pod is in its lifecycle. phase
The Pod has been bound to a node, and all of the Containers have been created. At least one Container is still running, or is in the process of starting or restarting. This is the _____ phase of a Pod's lifecycle.
Running
List all 5 Pod phases Pending Running Succeeded Failed Unknown
The six fields of a _____ are reason, status, message, type, lastProbeTime, lastTransitionTime. PodCondition 
A Pod's _____ condition field provides a unique, one-word reason for the condition's last transition. reason 
The four possible values of a Pod's _____ condition field are PodScheduled, Ready, Initialized, ContainersReady type
If the _____ probe fails, the Pod's IP address is removed from the endpoints of all Services that match the Pod. readiness
If the _____ probe fails, the container is killed by the kubelet, then subjected to the container's restart policy. startup
To find out why a container is in Waiting state, you can check its state's _____ field Reason
The _____ hook is executed prior to a container entering its Running state. postStart
Once bound to a node, will a Pod ever rebound to another node? No
You use _____ to specify the Pods to which a given PodPreset applies. label selectors
When a pod creation request occurs, the system does the following:
  1. Retrieve all PodPresets available for use.
  2. Check if the label selectors of any PodPreset matches the labels on the pod being created.
  3. Attempt to merge the various resources defined by the PodPreset into the Pod being created.
  4. On error, throw an event documenting the merge error on the pod, and create the pod without any injected resources from the PodPreset.
  5. Annotate the resulting modified Pod spec to indicate that it has been modified by a PodPreset. The annotation is of the form podpreset.admission.kubernetes.io/podpreset-<pod-preset name>: "<resource version>".

The annotation to disable PodPreset for a Specific Pod is... podpreset.admission.kubernetes.io/exclude: "true"
Topology spread constraints rely on _____ to identify the topology domain(s) that each Node is in. node labels
A _____ limits the number of pods of a replicated application that are down simultaneously from voluntary disruptions. PodDisruptionBudget
Do ephemeral containers guarantee execution? No
You can specify relationships between an owner and dependents by manually setting their .metadata._____ field ownerReference
In _____, Kubernetes deletes the owner object immediately and the garbage collector then deletes the dependents in the background. background cascading deletion
In _____, the root object first enters a "deletion in progress" state. Once the "deletion in progress" state is set, the garbage collector deletes the object's dependents. Once the garbage collector has deleted all dependents, it deletes the owner object. foreground cascading deletion
To control the cascading deletion policy, set the _____ field on the _____ argument when deleting an Object.  propagationPolicy  deleteOptions
If a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower _____ Pods to make scheduling of the pending Pod possible. priority
A _____ is a non-namespaced object that defines a mapping from a priority class name to the integer value of the priority. PriorityClass
Is there currently an API standard for whether a Pod is considered sandboxed? No - Sandbox Pods may be identified by the use of a sandboxed runtime (such as gVisor or Kata Containers), but there is no standard definition of what a sandboxed runtime is.
_____ optimize a given metric (e.g. CPU utilization) across a set of Pods. They increase or decrease the number of replicas to achieve it. Horizontal Pod Autoscalers (HPA)
A _____ allows pod template authors to not have to explicitly provide all information for every pod.  PodPreset
_____ restrict the scheduler's freedom, trading off one application against another. Pod affinities
Do pods run a single container each? Not necessarily. They can run multiple containers.
Do Pods each have a unique IP address? Yes, for each address family
Failed phase
All Containers in the Pod have terminated, and at least one Container has terminated in failure. That is, the Container either exited with non-zero status or was terminated by the system.

Unknown phase
For some reason the state of the Pod could not be obtained, typically due to an error in communicating with the host of the Pod.
The lastTransitionTime condition field provides... a timestamp for when the Pod last transitioned from one status to another.
The three possible values for the status Pod condition field are... "True" "False" "Unknown"
A probe can have one of three results:
  • Success - The Container passed the diagnostic
  • Failure - The Container failed the diagnostic
  • Unknown - The diagnostic failed, so no action should be taken
If a container's _____ probe fails, the container is killed by the kubelet, then subjected to the container's restart policy. liveness 
A container does not provide a livenessProbe, a readinessProbe nor a startupProbe. What will be the state of each probe of the container? Success on all of them
A _____ probe indicates whether a container is ready to service requests. readiness 
A process in your Container is able to crash on its own whenever it encounters an issue or becomes unhealthy.  Do you still need a livenessProbe? Not necessarily.  The kubelet will automatically perform the correct action in accordance with the Pod's restartPolicy.
A container is in the _____ state when it has successfully or unsuccessfully completed execution. Terminated
Exited Containers that are restarted by the kubelet are restarted with an _____ delay capped at 5 minutes, which is reset after ten minutes of successful execution. exponential back-off
The degree to which Pods may be unevenly distributed (i.e. the maximum permitted difference between the number of matching Pods in any two topology domains of a given topology type) is called the _____ maxSkew
whenUnsatisfiable possible values:
  • DoNotSchedule - tells the scheduler not to schedule it.
  • ScheduleAnyway - tells the scheduler to still schedule it while prioritizing nodes that minimize the skew.
PodDisruptionBudgets cannot prevent involuntary disruptions from occurring. Do involuntary disruptions count against the budget? No
When a pod is evicted using the eviction API, is it gracefully terminated? Yes
A temporary "_____" container may be run in an existing Pod to accomplish user-initiated actions such as troubleshooting and inspecting services. ephemeral
To troubleshoot a hard-to-reproduce bug, you might need to inspect the state of an existing Pod and its containers, or run some arbitrary commands. In these cases you can run _____ inside an existing Pod. an ephemeral container
Do ephemeral containers have guaranteed resources? No
When using ephemeral containers, it's helpful to enable _____ so you can view processes in other containers. process namespace sharing
If you delete an object without deleting its dependents automatically, the dependents are said to become _____ orphaned
PodPresets cannot be used to override a Pod's own configuration, only to fill in settings which the Pod itself _____ hasn't specified.
_____ can inject bits of common configuration into all selected Pods at creation time. For example, you could use it to mount a particular Volume on all matching Pods. PodPresets 
A quorum-based application must ensure that the number of running replicas is never brought below the minimum required for a quorum. This can be achieved with a _____ PodDisruptionBudget
A pod represents _____ running in your cluster. Processes
In terms of Docker constructs, a Pod is modelled as a group of Docker containers with shared _____ and shared _____ namespaces filesystem volumes
A Pod has been accepted by the Kubernetes system, but one or more of the Container images has not been created; the Pod is either still being scheduled or still downloading images. This describes a Pod's _____ phase.
Pending
Succeeded phase
All Containers in the Pod have terminated in success, and will not be restarted.

A Pod's _____ condition field provides a timestamp for when the Pod condition was last probed. lastProbeTime 
The message condition field provides... a human-readable message indicating details about the transition from one status to another.
A container's _____ probe indicates whether the application in the container has started. startup
All other probes are disabled until _____ succeeds. startupProbe
A Pod should only be sent traffic when a probe succeeds. Which probe can achieve this? readinessProbe
A container is _____ when it is neither Running or Terminated. It is likely pulling images, applying secrets etc. Waiting
A container is in the _____ state when it is executing without issues. Running
To tell why a container is in Terminated state, check its state's _____ and _____ fields. Reason and Exit Code
The _____ hook is executed before a container enters Terminated state. preStop
Readiness gates are determined by the current state of the .status._____ fields for the Pod. If such a field isn't found, the status of the condition defaults to "False" conditions
Does a Pod's restartPolicy apply to all its containers? Yes
Does restartPolicy only refer to restarts of the Containers by the kubelet on the same node? Yes
PodPresets are objects for injecting additional runtime requirements into pods at _____ creation time
When a PodPreset is applied to one or more Pods, Kubernetes modifies their _____ PodSpec
For changes to Env, EnvFrom, and VolumeMounts, Kubernetes modifies _____ The pod's individual container specs
How to deal with a Pod if it doesn't satisfy the topology spread constraint is indicated in the _____ field. whenUnsatisfiable
A PodDisruptionBudget specifies the number of _____ that an application can tolerate having, relative to how many it is intended to have. replicas
Do Pods which are deleted or unavailable due to a rolling upgrade to an application count against the disruption budget? Yes
Will an ephemeral container ever be automatically restarted? No
_____ indicates the importance of a Pod relative to other Pods. Priority
Critical pods rely on scheduler _____ to be scheduled when a cluster is under resource pressure. preemption
The _____ field indicates that the value of this PriorityClass should be used for Pods without a priorityClassName. Only one such PriorityClass can exist in the system. globalDefault
Pods with PreemptionPolicy:_____ will be placed in the scheduling queue ahead of lower-priority pods, but they cannot preempt other pods. It will stay in the scheduling queue, until sufficient resources are free.  Never
PreemptionPolicy defaults to _____, which will allow pods of that PriorityClass to preempt lower-priority pods (as is existing default behavior).  PreemptLowerPriority
_____ repel other Pods instead of attracting them. Ex.: applying one to replicas of the same Pod can help spread your replicas evenly across the cluster. anti-affinity
A web front end might want to ensure that the number of replicas serving load never falls below a certain percentage of the total. This can be achieved via a _____ PodDisruptionBudget
If non-preempting pods cannot be scheduled at a given time, they will be retried with lower frequency, allowing other pods with lower priority to be scheduled before them. This is because non-preempting pods are subject to scheduler... back-off
The kubelet manages the _____ file for each container of a Pod to prevent Docker from modifying it. hosts
The three available ImagePullPolicies of a container are Always, Never and _____ (default) IfNotPresent
kubectl exec was insufficient to interactively troubleshoot a container, because it had crashed and didn't have any debugging utilities. To troubleshoot, you can use _____ containers. Ephemeral containers / busybox

.spec._____ adds entries to a Pod's /etc/hosts file, overriding its hostname resolution when DNS and other options are not applicable.  HostAliases
A container without a readinessProbe is assumed to be ready for traffic once it starts. What are some potential problems with this?  The containerised application might need time to start after its enclosing container has. All requests to the app will fail throughout this process, because the container was "Ready" before the app started.
If a container crashes inside a pod due to an unrecoverable error (such as a typo in the code), should you signal the liveness probe? No. Let it crash by exiting the process, allowing kubelet to restart it. https://blog.colinbreck.com/kubernetes-liveness-and-readiness-probes-revisited-how-to-avoid-shooting-yourself-in-the-other-foot/#letitcrash
Liveness probes are designed to _____ your containers when stuck, such as in an infinite loop, where there is no way for the process to seek help externally, or even exit. restart
A stuck process consuming 100% CPU won't reply to _____ probes. If you don't have a _____ probe, it will stay uselessly Running, serving no requests and consuming resources. Readiness Liveness
_____ probes are used for recovery when a process is not responsive. Liveness 
Liveness and Readiness probes pointing to the same endpoint inside a container will cause the container to be detached from the Service and deleted at the same time. Is this okay? No - it will cause connection drops due to the unready container running out of time to drain its current connections due to being deleted.
Should readiness probes be allowed to depend on other services (databases, APIs...) to succeed? No https://blog.colinbreck.com/kubernetes-liveness-and-readiness-probes-how-to-avoid-shooting-yourself-in-the-foot/#shootingyourselfinthefootwithreadinessprobes
While it's in its termination grace period, you might want an app to process remaining incoming requests by adding a _____ handler. preStop
Most applications should log to _____ and send errors to _____, which are then aggregated by another service. stdout stderr
Does each Pod have a unique IP? Yes
A _____ is like a machine with its own IP address and ports, running containers inside which can map their ports to it. Pod
Does a Pod have its own network namespace inside? Yes
Does a Pod have its own virtual ethernet connection? Yes
Is running backups a valid use case for a sidecar container inside a Pod? Yes
Is running database synchronisation a valid use case for a sidecar container inside a Pod? Yes
Is running authentication proxies a valid use case for a sidecar container inside a Pod? Yes
The "pause" container (also called sandbox container) inside each Pod reserves and holds the network _____, enabling containers to communicate with each other and retaining the IP address of the pod. namespace (netns)
A _____ is an abstract way to expose on the network an application running on a set of Pods. service
Each Kubernetes Node has its own _____ range from which it assigns its pods unique IPs. CIDR IP block

Services

A _____ is like a virtual server on your cluster. Service
The service type that exposes a Service on a cluster-internal IP, making it only reachable from within the cluster is _____ ClusterIP
The _____ service type maps the Service to the contents of the _____ field (e.g. foo.bar.example.com), by returning a CNAME record. ExternalName
In order to allow you to choose a port number for your Services, we must ensure that no two Services can collide. Kubernetes does that by allocating each Service its own _____ IP address.
In some cases, multiple paths within an Ingress will match a request. In those cases precedence will be given first to the _____.  longest matching path
In an Ingress, if two paths are still equally matched by a request, precedence will be given to paths with the _____ path type over _____ path type. exact prefix
The 5 possible ServiceTypes for a Kubernetes Service are:
  • _____ - Exposes as an in-cluster IP (default)
  • _____ - Exposes as a port on each node
  • _____ - Exposes externally via your cloud provider's LB
  • _____ - Maps to the contents of the ExternalName, returns a CNAME record with the value
  • _____
ClusterIP NodePort LoadBalancer ExternalName Headless
An EndpointSlice is full once it reaches _____ endpoints (by default), at which point additional EndpointSlices will be created. 100
An _____ is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic. Ingress controller
StatefulSets currently require manually creating a _____ to be responsible for the network identity of the Pods. headless service
A Service with no ClusterIP, proxying or load-balancing, and not handled by kube-proxy, is called _____ headless
The _____ service type exposes a Service on each Node's IP at a static port. NodePort
The _____ service type exposes the Service externally using a cloud provider's load balancer. LoadBalancer
EndpointSlices support three address types: _____, _____, _____. IPv4, IPv6, Fully Qualified Domain Name
_____ resources route requests to different services, depending on a set of rules, for example, matching parts of the request URL.  Ingress
The NodePort type is an extension of the _____ type. So a NodePort service also has a _____ address. ClusterIP
The LoadBalancer service type is an extension of the _____ type. A LoadBalancer Service has a clusterIP address and one or more _____ values. NodePort
_____ provide a more scalable alternative to Endpoints, distributing network endpoints across multiple resources. EndpointSlices
To ensure each Service receives a unique IP, an internal allocator atomically updates a global allocation map in _____ prior to creating each Service. etcd
An Ingress with no rules sends all traffic to a single _____, which is typically a configuration option of the Ingress Controller and is not specified in your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress objects, the traffic is routed to it. default backend
It takes time for kube-proxy or the Ingress controller to be notified of endpoint changes. Traffic will then remain flowing to a Pod even after its _____. Graceful _____ is required of an app upon its container being sent a SIGTERM signal: it stops accepting new requests and then closes existing connections. termination connection termination

https://freecontent.manning.com/handling-client-requests-properly-with-kubernetes/

An Ingress TLS secret must contain keys named _____ that contain the certificate and private key to use for TLS. tls.crt and tls.key
Can ingress objects terminate TLS connections for your application? Yes
_____ exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the _____ resource. Ingress
An _____ may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name based virtual hosting. Ingress
The resources that expose deployments on a network are _____ Services
When you don't need load-balancing and a single Service IP, you can create _____ headless services
Headless services are created by setting the Service's .spec._____ field to _____ clusterIP "None"

The kubernetes service is configured in all namespaces with a virtual IP address that is redirected via _____ to the apiserver. kube-proxy
Inside a Kubernetes cluster, you might wish to reuse an existing DNS entry, or have legacy systems that are configured for a specific IP address and difficult to re-configure. A Service can specify its own cluster IP address by setting the .spec._____ field. clusterIP
Ingresses can be implemented by different controllers, often with different configuration. Each Ingress should reference an _____ that contains additional configuration including the name of the controller that should implement it. IngressClass 
You may deploy any number of Ingress controllers within a cluster. When you create an ingress, you should annotate each ingress with the appropriate _____ to indicate which ingress controller should be used if more than one exists within your cluster. ingressClass
The _____ service type exposes the Service on each Node's IP at a static port. A ClusterIP Service, to which it routes, is automatically created. NodePort

Storage

Is a Volume preserved after its Pod's deletion? No
To use a volume, a Pod specifies what volumes to provide for the Pod in the _____ field, and where to mount those into Containers in the _____ field. .spec.volumes .spec.containers[*].volumeMounts 
Can Volumes have hard links to other Volumes? No
A _____ is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Classes. It is a resource in the cluster just like a node is a cluster resource.  PersistentVolume 
A _____ is a request for storage by a user.  PersistentVolumeClaim 
In _____ provisioning, a cluster administrator creates a number of PVs. They carry the details of the real storage, which is available for use by cluster users. They exist in the Kubernetes API and are available for consumption. static
A cluster is provisioned with several 50Gi PVs. A PVC requests 100Gi. What happens? Nothing. The PVC stays Pending (unbound) until a PV of at least 100Gi is added to the cluster; smaller PVs are never combined to satisfy a claim.
If a user deletes a PVC in active use by a Pod, the PVC is... not removed immediately.
PVC removal is postponed until _____ the PVC is no longer actively used by any Pods.
PV removal is postponed until... the PV is no longer bound to a PVC.
A PV or a PVC is protected when its metadata.finalizers list includes _____ kubernetes.io/pv-protection (on a PV) or kubernetes.io/pvc-protection (on a PVC)
Generally, a PV will have a specific storage capacity. This is set using the PV's _____ attribute. capacity 
You can set the value of volumeMode to _____ to use a volume as a raw block device. Such volume is presented into a Pod as a block device, without any filesystem on it. This mode is useful to provide a Pod the fastest possible way to access a volume, without any filesystem layer between the Pod and the volume. On the other hand, the application running in the Pod must know how to handle a raw block device. Block
ReadOnlyMany  the volume can be mounted read-only by many nodes
A volume is said to be _____ when the volume has failed its automatic reclamation. Failed
PersistentVolume binds are exclusive, and since PersistentVolumeClaims are namespaced objects, mounting claims with "Many" modes (ROX, RWX) from several Pods is only possible within _____ one namespace
A _____ is a request for snapshot of a volume by a user. It is similar to a PersistentVolumeClaim. VolumeSnapshot 
Are VolumeSnapshot, VolumeSnapshotContent, and VolumeSnapshotClass part of the core API? No - they are CustomResourceDefinitions.
In volume snapshots, _____ are resources in the cluster. _____ are requests for those resources.  VolumeSnapshotContents  VolumeSnapshots 
While a snapshot is being taken of a PersistentVolumeClaim, that PersistentVolumeClaim is in-use. If you delete a PersistentVolumeClaim API object in active use as a snapshot source, the PersistentVolumeClaim object is not removed immediately. Instead, removal of the PersistentVolumeClaim object is postponed until the snapshot is _____ readyToUse or aborted.
_____ is the unique identifier of the volume created on the storage backend and returned by the CSI driver during the volume creation. This field is required for dynamically provisioning a snapshot. It specifies the volume source of the snapshot. volumeHandle 
You can provision a new volume, pre-populated with data from a snapshot, by using the _____ field in the PersistentVolumeClaim object. dataSource 
PersistentVolumes that are dynamically created by a StorageClass will have a _____defined, which can be Delete or Retain reclaimPolicy 
To enable dynamic volume provisioning, a cluster administrator needs to pre-create one or more _____ objects for users. StorageClass
When a Container crashes, kubelet will restart it, but its on-disk files will be lost unless stored on a _____ Volume
If a PV was dynamically provisioned for a new PVC, the loop will always _____ that PV to the PVC. bind
A Pod uses a PersistentVolume. This PV has a node affinity towards certain nodes. Where will the Pod be scheduled? To the node where the PV is available from.
A volume is said to be _____ when it is free and not yet bound to a claim. Available
When running Containers together in a Pod it is often necessary to share files between those Containers. The Kubernetes _____ abstraction solves this problem. Volume 
Is a volume just a directory with data, accessible to the Containers in its enclosing Pod? Yes
Can Volumes mount into other volumes? No
A control loop in the master watches for new PVCs, finds a matching PV (if possible), and _____ them.  binds
You can only expand a PVC if its storage class's _____ field is set to true. To request a larger volume for a PVC, edit the PVC object and specify a larger size. This triggers expansion of the volume that backs the underlying PersistentVolume. A new PersistentVolume is never created to satisfy the claim. Instead, an existing volume is resized. allowVolumeExpansion 
Can you resize an in-use PVC? Yes - since Kubernetes 1.15, when the ExpandInUsePersistentVolumes feature gate is enabled (beta and on by default from 1.15, GA in 1.24).
Kubernetes supports two _____ of PersistentVolumes: Filesystem and Block. volumeModes 
volumeMode is an optional API parameter. _____ is the default mode used when volumeMode parameter is omitted. Filesystem 
A volume with _____ is mounted into Pods into a directory. If the volume is backed by a block device and the device is empty, Kubernetes creates a filesystem on the device before mounting it for the first time. volumeMode: Filesystem
ReadWriteMany   the volume can be mounted as read-write by many nodes
A PV can have a class, which is specified by setting the _____ attribute to the name of a StorageClass storageClassName
A claim can request a particular class by specifying the name of a StorageClass using the attribute _____.  storageClassName
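Worked manifests for dynamic provisioning, tying together the StorageClass, volumeMode and storageClassName cards (an added example, not from the original repo): a default StorageClass that allows expansion and retains volumes, a PVC that requests it in Block mode, and a Pod that consumes the raw device. The CSI driver ebs.csi.aws.com, its gp3 parameter, the image name and the device path are assumptions.

```yaml
# StorageClass marked as the cluster default. reclaimPolicy here is inherited by every PV the
# class provisions (on the PV it appears as persistentVolumeReclaimPolicy); Retain keeps the
# storage asset after the PVC is deleted, so the data must be wiped or re-attached by an admin.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-block
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: ebs.csi.aws.com        # assumed CSI driver
parameters:
  type: gp3                         # assumed driver-specific parameter
reclaimPolicy: Retain
allowVolumeExpansion: true          # required before spec.resources.requests.storage can be raised
volumeBindingMode: WaitForFirstConsumer   # provision in the zone of the node the Pod lands on
---
# PVC requesting the class above as a raw block device (no filesystem is created by kubelet).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
spec:
  accessModes: [ReadWriteOnce]
  volumeMode: Block
  storageClassName: fast-block
  resources:
    requests:
      storage: 50Gi
---
# Block-mode volumes are attached with volumeDevices (a device path), not volumeMounts (a directory).
apiVersion: v1
kind: Pod
metadata:
  name: raw-consumer
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # assumed image
    volumeDevices:
    - name: data
      devicePath: /dev/xvda               # assumed path inside the container
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: data
```

To grow the volume later, patch the claim rather than creating a new one, for example `kubectl patch pvc data -p '{"spec":{"resources":{"requests":{"storage":"100Gi"}}}}'`; the controller resizes the existing backend volume and, with ExpandInUsePersistentVolumes, does so while the Pod keeps running.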
Similar to how API resources PersistentVolume and PersistentVolumeClaim are used to provision volumes for users and administrators, _____ and _____ API resources are provided to create volume snapshots for users and administrators. VolumeSnapshot  VolumeSnapshotContent 
VolumeSnapshot support is only available for _____ drivers. CSI 
The CRDs and snapshot controller installations are the responsibility of _____ the Kubernetes distribution
The snapshot controller handles the binding of a VolumeSnapshot object with an appropriate VolumeSnapshotContent object, in both pre-provisioned and dynamically provisioned scenarios. The binding is a _____ mapping.  In the case of pre-provisioned binding, the VolumeSnapshot will remain unbound until the requested VolumeSnapshotContent object is created. one-to-one
An administrator can mark a specific StorageClass as default by adding the _____ annotation to it. storageclass.kubernetes.io/is-default-class
Can you attach as many volumes as you want to a node? No - depends on the cloud provider's permitted limit.
A PVC to PV binding is a one-to-one mapping, using a _____ which is a bi-directional binding between the PersistentVolume and the PersistentVolumeClaim.  ClaimRef
A PV of a particular class can only be bound to PVCs requesting that class. A PV with no _____ has no class and can only be bound to PVCs that request no particular class. storageClassName
A volume is called _____ when it is bound to a claim. Bound
A volume is said to be _____ when the claim has been deleted, but the resource has not yet been reclaimed by the cluster. Released
Mounted directories accessible from inside containers are called _____ Volumes
A Kubernetes volume has an explicit lifetime - the same as _____ The Pod that encloses it
Is a Volume preserved across Container restarts? Yes
Managing storage is a distinct problem from managing compute instances. The PersistentVolume subsystem provides an API for users and administrators that abstracts details of how storage is provided from how it is consumed. To do this, we introduce two new API resources: _____ and _____. PersistentVolume  PersistentVolumeClaim
Do PersistentVolumes have a lifecycle dependent on the Pods that use the PV? No
The two ways that PVs may be provisioned are either _____ or _____. statically or dynamically.
When none of the static PVs the administrator created match a user's PersistentVolumeClaim, the cluster may try to _____ provision a volume specially for the PVC. This provisioning is based on StorageClasses: the PVC must request a storage class and the administrator must have created and configured that class for dynamic provisioning to occur. dynamically
Once bound, PersistentVolumeClaim binds are _____, regardless of how they were bound.  exclusive
Once a user has a claim and that claim is bound, the bound PV belongs to the user for as long as they need it. Users schedule Pods and access their claimed PVs by including a _____ section in a Pod's _____ block. persistentVolumeClaim volumes 
If an admin deletes a PV that is bound to a PVC, the PV is... not removed immediately.
When a user is done with their volume, they can delete the PVC object from the API, which allows reclamation of the resource. The reclaim policy for a PersistentVolume tells the cluster what to do with the volume after it has been released of its claim. Currently, volumes can either be _____, _____, or _____. Retained, Recycled (deprecated in favour of dynamic provisioning), or Deleted.
The _____ reclaim policy allows for manual reclamation of the resource. When the PersistentVolumeClaim is deleted, the PersistentVolume still exists and the volume is considered "released". But it is not yet available for another claim because the previous claimant's data remains on the volume. Retain
For volume plugins that support the _____ reclaim policy, deletion removes both the PersistentVolume object from Kubernetes, as well as the associated storage asset in the external cloud infrastructure. Volumes that were dynamically provisioned inherit the reclaim policy of their StorageClass, which defaults to _____. The administrator should configure the StorageClass according to users' expectations; otherwise, the PV must be edited or patched after it is created. Delete 
ReadWriteOnce  the volume can be mounted as read-write by a single node
Can a volume be mounted using several access modes at a time?  No
A PV can specify _____ to define constraints that limit what nodes this volume can be accessed from.  node affinity
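Worked manifests for static provisioning with node affinity and a pre-bound claim (an added example, not from the original repo): a no-provisioner StorageClass, a local PV that can only be reached from one node and is pinned to one PVC through claimRef, and the matching PVC. The node name, disk path, namespace and sizes are assumptions.

```yaml
# Static classes need a no-op provisioner; WaitForFirstConsumer delays binding until a Pod is
# scheduled, so the scheduler can honour the PV's nodeAffinity together with the Pod's own constraints.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-disk
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
---
# Administrator-created PV carrying the details of the real storage.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: local-pv-node1
spec:
  capacity:
    storage: 50Gi                      # a 100Gi claim would never match this PV
  accessModes: [ReadWriteOnce]
  persistentVolumeReclaimPolicy: Retain
  storageClassName: local-disk
  volumeMode: Filesystem
  local:
    path: /mnt/disks/ssd1              # assumed mount on the node
  nodeAffinity:                        # Pods using this PV are scheduled onto node1 only
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values: [node1]
  claimRef:                            # pre-bind: only this PVC may claim the PV
    namespace: team-a
    name: ledger-data
---
# PVC in the referenced namespace; the binding loop finds the PV by class, mode and size.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ledger-data
  namespace: team-a
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: local-disk
  resources:
    requests:
      storage: 50Gi
```

Without claimRef any PVC in any namespace requesting class local-disk, ReadWriteOnce and at most 50Gi could take this PV; pre-binding is the way to keep an administrator-provisioned disk, and whatever data sits on it, reserved for the intended tenant.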
In Kubernetes, a _____ represents a snapshot of a volume on a storage system. VolumeSnapshot
A _____ is a snapshot taken from a volume in the cluster that has been provisioned by an administrator. It is a resource in the cluster just like a PersistentVolume is a cluster resource. VolumeSnapshotContent 
_____ allows you to specify different attributes belonging to a VolumeSnapshot. These attributes may differ among snapshots taken from the same volume on the storage system and therefore cannot be expressed by using the same StorageClass of a PersistentVolumeClaim. VolumeSnapshotClass 
There are two ways snapshots may be provisioned: _____ or _____. pre-provisioned or dynamically provisioned.
A cluster administrator creates a number of VolumeSnapshotContents. They carry the details of the real volume snapshot on the storage system which is available for use by cluster users. They exist in the Kubernetes API and are available for consumption. This is the description of _____ snapshot provisioning. pre-provisioned
Instead of using a pre-existing snapshot, you can request that a snapshot to be _____ taken from a PersistentVolumeClaim. The VolumeSnapshotClass specifies storage provider-specific parameters to use when taking a snapshot. dynamically
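Worked manifests for both snapshot provisioning paths and a restore (an added example, not from the original repo): a VolumeSnapshotClass, a dynamically taken VolumeSnapshot of an existing PVC, a pre-provisioned VolumeSnapshotContent imported from the storage backend with the VolumeSnapshot that binds to it, and a new PVC populated from the snapshot via dataSource. The driver name, the backend snapshot handle, the PVC names and the class name fast-block are assumptions.

```yaml
# Snapshot attributes that vary per snapshot, not per volume, live in the class.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: csi-snapclass
driver: ebs.csi.aws.com              # assumed CSI driver; snapshots only work for CSI volumes
deletionPolicy: Delete
---
# Dynamically provisioned: the snapshot controller creates the VolumeSnapshotContent for this request.
# While it is in progress the source PVC cannot be deleted (removal waits for readyToUse or abort).
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: data-snap-1
spec:
  volumeSnapshotClassName: csi-snapclass
  source:
    persistentVolumeClaimName: data
---
# Pre-provisioned: an admin wraps a snapshot that already exists on the backend.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotContent
metadata:
  name: imported-snap-content
spec:
  deletionPolicy: Retain             # deleting the objects must not destroy the backend snapshot
  driver: ebs.csi.aws.com
  source:
    snapshotHandle: snap-0123456789abcdef0   # assumed backend identifier
  volumeSnapshotRef:                 # one-to-one binding to the VolumeSnapshot below
    name: imported-snap
    namespace: default
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: imported-snap
  namespace: default
spec:
  source:
    volumeSnapshotContentName: imported-snap-content
---
# Restore: a fresh PVC whose data is pre-populated from the dynamic snapshot.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-restored
spec:
  storageClassName: fast-block
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 50Gi
  dataSource:
    name: data-snap-1
    kind: VolumeSnapshot
    apiGroup: snapshot.storage.k8s.io
```

Anyone with create rights on PersistentVolumeClaims in a namespace can clone any VolumeSnapshot in that namespace this way, so snapshot objects deserve the same RBAC care as the PVCs they were taken from.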
Users request dynamically provisioned storage by including a _____ in their PersistentVolumeClaim .spec.storageClassName
Claims will remain _____ indefinitely if a matching volume does not exist, and will be bound as matching volumes become available.  unbound
Only PVs of the requested class, ones with the same _____ as the PVC, can be bound to the PVC. StorageClassName
Are volumes namespaced? No

etcd

Can attackers manipulate cluster data in etcd, bypassing the api server completely? Yes
etcd should have authentication, be firewalled and be _____ at rest. encrypted
Should you be able to freely send network traffic to etcd from the cluster? No
Can attackers remove network policies from within etcd? Yes
Should you run etcd on dedicated nodes? Yes
Restricting access to _____ prevents an attacker from modifying the desired cluster state. etcd
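The encryption-at-rest piece of the etcd cards above as a worked configuration (an added example, not from the original repo): the EncryptionConfiguration file the kube-apiserver loads via --encryption-provider-config so that Secrets and ConfigMaps are stored in etcd as ciphertext rather than plaintext. The key name, the resource list and the file path are assumptions; the key value is a placeholder to be generated on the control plane.

```yaml
# /etc/kubernetes/enc/enc.yaml (assumed path), referenced by
# kube-apiserver --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  - configmaps
  providers:
  # First provider is used for writes; all listed providers are tried for reads.
  - aescbc:
      keys:
      - name: key1
        # 32 random bytes, base64-encoded, e.g. from: head -c 32 /dev/urandom | base64
        secret: <base64-encoded 32-byte key>
  # identity last, so objects written before encryption was enabled remain readable
  # until they are rewritten; remove it once everything has been re-encrypted.
  - identity: {}
```

After the apiserver restarts, existing objects stay in plaintext until rewritten, so force a rewrite with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` and verify by reading a key straight from etcd (etcdctl get with the apiserver's client certificate) and checking that the value starts with k8s:enc:aescbc:v1:key1 rather than the plaintext. The config file holds the key, so it must be readable by the apiserver only; a KMS provider keeps the key off the control-plane disk entirely. Encryption does not replace the other two cards: etcd should still require client certificates (etcd's --client-cert-auth and --peer-client-cert-auth) and its ports 2379 and 2380 should be reachable only from the control plane.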
