Kubernetes FAQ
Learn Kubernetes by answering simple questions about it!
Flashcards included for spaced repetition.
Table of Contents
- Admission
- Auditing
- Authentication
- Authorization
- Cluster Architecture
- Cluster Security
- Configuration
- Container Security
- Deployments
- Nodes
- Pods
- Services
- Storage
- etcd
Admission
Admission Control Modules are software modules that can _____ or _____ requests.
modify rejectAdmission Control Modules can access the contents of the Kubernetes object that is being _____ or _____.
created modifiedCan Admission controllers act on requests that create an object?
YesCan Admission controllers act on requests that delete an object?
YesCan Admission controllers act on requests that connect (proxy) to an object?
YesCan Admission controllers act on requests that read an object?
NoAn admission controller module rejects a request. What happens to the request?
It is immediately rejected.Can admission controllers set complex defaults for fields?
YesDoes the admission or validation of a request happen first?
admissionCan resource quotas improve security by preventing internal denial of service attacks?
YesOpen Policy Agent can manage your _____ controllers in order to block K8S features (like being able to run containers as root) from multiple teams.
admissionIs admission control's NodeRestriction enabled by default?
No!Auditing
Kubernetes _____ provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system.
auditingEach request on each stage of its execution generates an audit _____, which is then pre-processed according to a certain policy and written to a backend.
eventAudit logging usually _____ the memory consumption of the API server because some context required for auditing is stored for each request.
increasesAudit _____ objects define rules about what events should be recorded and what data they should include.
policyWhen an event is processed, it's compared against the list of Audit Policy rules in order. The first matching rule sets the "_____" of the event.
audit levelThe four audit levels are: _____ - don't log these events._____ - log request metadata (requesting user, timestamp, resource, verb, etc.) _____ - log event metadata and request body._____ - log event metadata, request body and response bodies.
None Metadata Request RequestResponseAudit _____ persist audit events to an external storage.
backendsThe _____ audit backend writes event to a disk
logCan you use log collectors like fluentd to collect/distribute Kubernetes audit events from log files?
YesCan you use log collectors like logstash to collect/distribute Kubernetes audit events from the webhook audit backend?
YesKubernetes _____ allows cluster administrators to learn about the context of clusters events: What happened, when, where, who initiated it and from where.
auditingThe audit _____ determines what events are recorded and which backends (logs or webhooks) persist the records.
policyThe _____ audit backend sends events to an external API.
webhook_____ failures might suggest a misconfigured service account, or the presence of an attacker.
RBAC auditWhat are some tools with which clusters can be audited?
SonobuoyAuthentication
Suppose you have several clusters, and your users and components authenticate in a variety of ways. For example:- A running kubelet might authenticate using certificates.
- A user might authenticate using tokens.
- Administrators might have sets of certificates that they provide to individual users.
With _____ files, you can organize your clusters, users, contexts, and namespaces.
kubeconfig
A file that is used to configure access to clusters is called a _____ file
kubeconfigA _____ element in a kubeconfig file is used to group access parameters under a convenient name.
contextThe KUBECONFIG environment variable holds a list of _____
kubeconfig filesThe command _____ finds the clusters available to you inside your kubeconfig file.
kubectl config get-contextsKubernetes authentication examines the incoming HTTP request's _____ and _____.
headers certificateAre Client Certificates a valid authentication module?
YesAre passwords a valid Kubernetes authentication module?
YesAre plain, bootstrap and JWT tokens a valid Kubernetes authentication module?
YesIf a request cannot be authenticated, it is rejected with status code _____
401Although Kubernetes uses "_____" for access control decisions and logging, it does not store or even define any concrete "user" object.
usernamesKubernetes has two categories of users: _____ and _____.
normal users and service accountsCan normal users be added to a cluster through an API call?
NoWhat is the Kubernetes API object that represents a normal user?
There is none!Any request that presents a valid certificate signed by _____ is considered authenticated.
the cluster's certificate authority (CA)_____ are users managed by the Kubernetes API.
Service accountsAre service accounts bound to specific namespaces?
YesService accounts are tied to a set of credentials stored as _____, which are mounted into _____ allowing in-cluster processes to talk to the Kubernetes API.
Secrets podsAPI requests are tied to either a normal user or a service account, or are treated as _____.
anonymous requestsAre client certificates a valid authentication method?
YesAre bearer tokens a valid authentication method?
YesAre authentication proxies a valid authentication method?
YesIs basic auth a valid authentication method?
Yes_____ are a set of strings, each of which indicates the user's membership in a named logical collection of users.
GroupsYou can enable multiple authentication methods at once. You should usually use at least two methods: one for _____ and one for _____.
normal usersservice accounts
The _____ group is included in the list of groups for all authenticated users.
system:authenticatedAuthentication protocols (LDAP, SAML, Kerberos, etc) can be integrated by using an _____ or _____
authenticating proxy authentication webhookBy default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as _____ requests.
anonymousYour cluster user credentials can be found in _____ on your local machine.
kubeconfigYour current, in-use cluster is stored in _____ on your local machine.
the kubeconfig fileYour current, in-use cluster namespace is stored in _____ on your local machine.
the kubeconfig fileKubernetes determines the username of an incoming request from the common name field in the subject field of the _____ (e.g., "/CN=IcelynJennings")
certificateThe command _____ lists service accounts.
kubectl get saAuthorization
A better alternative to applying RBAC resources, is the command _____. It causes semantically-aware merging of rules and subjects. Missing objects/namespaces are created if required.
kubectl auth reconcileThe _____ and _____ Objects contain sets of additive authorization permissions
Role and ClusterRoleA _____ grants a role's permissions to a set of users, groups or service accounts.
RoleBindingPods that need to connect to the apiserver can automatically inject the _____ certificate and valid _____ into themselves via a service account.
public root bearer tokenAfter the request is authenticated as coming from a specific user, the request must be _____.
authorizedA request must include the _____ of the requester, the requested _____, and the _____ affected by the action.
username action objectWhen an administrator creates a cluster, they configure the authorization modules that should be used in the API server. The default ones are _____, _____, and _____.
ABAC RBAC WebhookIf a request is authorized by an authorization module, does it get checked by other authorization modules before proceeding?
No - it's immediately authorized.Does a user need a Role and RoleBinding to access Kubernetes resources?
YesKubernetes authorizes API requests at the _____
kube-apiserverAn attacker authorized to create objects can escalate their privileges further by creating _____ that can read secrets and edit their privileges, or that run under a _____ with greater permissions.
pods serviceaccountIs Kubelet RBAC enabled by default?
No!!!A request is authorized if an existing policy declares that the user has permissions to complete the requested _____.
actionAn authorization request is denied with status code _____
403Pods that do not need to use the api server should have their default _____ disabled for security.
service accountIs RBAC enabled for a new cluster by default?
No!Cluster Architecture
An object's _____ status field denotes its parent object. If empty, the child object will be garbage collected and removed.
metadata.ownerReferenceManaging multiple clusters as one known as _____, requires many considerations to implement, such as cross-cluster DNS, service discovery, loadbalancing and resource sync.
Cluster federationAn object's _____ field is a list of string items which must be removed the list before the object can ever be deleted from the cluster. The permission to remove these items is explicitly given to desired actors.
metadata.finalizersClusterRoles can be created by combining other ClusterRoles using an _____
aggregationRuleSelectable and attachable Key/Value pairs on objects such as pods are called _____
LabelsA _____ is an extension of the Kubernetes API. Many core Kubernetes functions are now built using them, making Kubernetes more modular.
custom resourceEach of a Service's ports can specify the application protocol to use via the _____ field.
AppProtocolWhen a process in the container tries to consume more than the allowed amount of memory, the system kernel _____ the process that attempted the allocation, with an _____ error
terminatesOOM (Out of Memory)
_____ are key-value pairs that identify resources, and can be used with _____ to match a specified group of resources.
Labels SelectorsThe Kubernetes Master is a collection of three processes that run on a single node in your cluster. These processes are _____
kube-apiserver, scheduler, kube-controller-managerBy decoupling the interoperability logic between Kubernetes and the underlying cloud infrastructure, _____ enables cloud providers to release features at a different pace compared to the main Kubernetes project.
cloud-controller-managerThe _____ is the only way to access ExternalName Services.
Kubernetes DNS serverEven though health checks are not exposed directly through the Ingress, there exist parallel concepts in Kubernetes such as _____ that allow you to achieve the same end result.
readinessProbesIn a LoadBalancer service, the _____ annotation removes the double-hop problem by allowing users to define their own balancing.
OnlyLocalIn a Kubernetes cluster, the components on the worker nodes - kubelet and kube-proxy - need to communicate with Kubernetes master components, specifically _____.
kube-apiserver_____ allow you to create your own custom Kubernetes objects, to store any data you wish.
Custom Resource Definitions (CRDs)A _____ is like a virtual cluster inside the Kubernetes cluster.
namespaceKubernetes system processes are inside the _____ namespace
kube-systemPublic data in the Kubernetes cluster is inside the _____ namespace.
kube-publicCan you use K8S resources across namespaces?
No - except Services.The command kubectl _____ shows global (non-namespaced) resources.
kubectl api-resources --namespaced=falseFor some Services, you need to expose more than one port. Kubernetes lets you configure multiple port definitions on a Service object. When using multiple ports for a Service, you must give all of your ports _____ so that these are unambiguous.
namesThe _____ service type exposes the Service externally using a cloud provider�s load balancer.
LoadBalancerThe component that creates, annotates, destroys nodes and gets their information (like hostname, address or health) is called the...
Node controllerThe _____ is a daemon that embeds the core control loops shipped with Kubernetes.
kube-controller-managerAll API usage from nodes and pods terminate at the following control plane components:
apiserver only.A Service can map any incoming port to a _____. By default and for convenience, it has the same value as the port field.
targetPortCluster Security
Nodes should be provisioned with valid client credentials and a _____ certificate to connect to the apiserver.
public root certificateDoes the apiserver verify the kubelet's serving certificate by default?
No. The connection is subject to MITM attacks by default.The kubelet uses _____ for authenticating to the Kubernetes API.
certificates (with 1 year expiration)kubelet _____ is a feature that automatically generates a new key and requests a new certificate from the Kubernetes API before the current certificate's expiration.
certificate rotationThe _____ kubelet flag controls its automatic certificate rotation.
--rotate-certificatesThe command _____ views the status of certificate signing requests.
kubectl get csrA kubelet's certificate signing request (CSR) will initially have a status of Pending
. If the CSR meets specific criteria, it will become Approved
by the _____
kube controller manager
Whenever a kubelet retrieves a new signed certificate from the Kubernetes API it will write it to the _____
diskWhen a kubelet starts, it looks for its _____ file, retrieves the _____ URL and credentials (normally a TLS key and signed cert), then attempts to communicate to it.
kubeconfig kube-apiserverA kubelet's kubeconfig file requires _____ inside it to connect to kube-apiserver.
a key and a certDoes a kubelet's kubeconfig require a certificate signed by a CA (Certificate Authority) trusted by kube-apiserver?
YesDo you need to distribute a CA certificate to each kubelet?
No - only the master nodes where kube-apiserver is running.Do you need to distribute a key and signed certificate for each kubelet?
Yes - ideally unique ones.A Certificate Authority _____ and _____ are required to sign kubelet certificates.
key and certificateA kubelet's initial bootstrap credentials for TLS can be either authentication file _____, or "bootstrap".
tokensWhen TLS bootstrapping, the kubelet must be able to authenticate as a user with the rights to create and retrieve _____
CSRsIn order to approve CSRs, you allow the _____ to approve them.
kube-controller-managerKubelet's _____ kubeconfig field points to a CA file used to validate the server certificate presented by kube-apiserver.
certificate-authorityThe command _____ approves a CSR.
kubectl certificate approve <cert>The command _____ denies a CSR.
kubectl certificate deny <cert>Once Cluster TLS is established, incoming requests can begin the _____ step when trying to communicate to the cluster.
AuthenticationWhen a request reaches kube-api-server, it goes through several stages: _____, _____, and _____
Authentication, Authorization, Admission ControlThe _____ resource type allows a client to ask for an X.509 certificate be issued, based on a signing request.
CertificateSigningRequestA _____ resource is used to request that a certificate be signed by a denoted signer, after which the request may be approved or denied before finally being signed.
CertificateSigningRequest (CSR)The CertificateSigningRequest object includes a _____-encoded PKCS#10 signing request in the spec.request
field.
PEM
The CertificateSigningRequest denotes the _____ (the recipient that the request is being made to) using the spec.signerName
field.
signer
Once created, a CertificateSigningRequest must be approved before it can be _____.
signedA normal user must have a certificate issued by the Kubernetes Cluster, and then present it to the API call as the Certificate _____, or through the kubectl.
HeaderA CSR object requires a request value, which can be generated via _____ for example.
opensslKubernetes requires _____ certificates for authentication over TLS.
PKIPKI certificates are usually stored in the _____ directory.
/etc/kubernetes/pkiCan network segmentation improve Kubernetes security?
YesThe API server should have a _____ restricting it to be accessible only by specific IPs.
firewallShould you rotate your kubelet certs periodically?
YesA _____ like Istio can trace and profile requests inside a cluster. An administrator can then disable the possibility to make requests that aren't expect to ever happen.
service meshCan service meshes encrypt in-cluster traffic (and automatically rotate certificates)?
YesTools like _____ can benchmark your cluster.
kube-benchOnce an attacker has control of your Kubernetes node, can they potentialy access the cloud provider's _____ to exfiltrate credentials to your cloud account.
user and metadata APIsWhich K8S object can prevent an attacker inside a pod from running the services of another pod?
NetworkPolicyA public image registry might be compromised, so it is useful to use _____ registries.
dedicated, privateDoes a service mesh make your workloads more isolated by default?
Yes_____ objects require a specific backend running in the cluster that implements them, such as Calico or Flannel.
NetworkPolicyA _____ object can divide your apps into in-cluster network tiers, locking them by default, with the ability specifically allow communication between them, or between namespaces.
NetworkPolicyA NetworkPolicy uses _____ to specify how groups of pods are allowed to communicate with each other and other network endpoints.
labelsNetworkPolicies don't usually conflict each other. If several policies select a pod, it becomes restricted to what is allowed by the _____ of those policies' ingress/egress rules.
unionOnce there is any _____ in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by it.
NetworkPolicyYou can secure an Ingress by specifying a Secret that contains a TLS _____ and _____.
private key and certificateConfiguration
The resources for storing sensitive information in Kubernetes are _____
SecretsOne cpu, in Kubernetes request/limit terms, is equivalent to 1 _____ on bare-metal Intel processors.
hyperthreadThere is a concern that one Pod or Container could monopolize all available resources. A _____ is a policy to constrain resource allocations (to Pods or Containers) in a namespace.
LimitRangeA _____ provides constraints that limit aggregate resource consumption per namespace. It can limit the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that project.
ResourceQuotaDo containers run with unbounded compute resources on a Kubernetes cluster?
By default - yes. Limits and ResourceQuotas are recommended.You can enforce minimum and maximum compute resources usage per Pod or Container in a namespace using a _____
LimitRangeYou can enforce minimum and maximum storage request per PersistentVolumeClaim in a namespace using a _____
LimitRangeYou can enforce a ratio between request and limit for a resource in a namespace using a _____
LimitRangeYou can set default request/limit for compute resources in a namespace and automatically inject them to Containers at runtime using a _____
LimitRangeThe _____ is the primary object for storing configuration data in Kubernetes. You can supply that data to an application either by creating a file in the Pod, or by injecting it into the Pod�s environment.
ConfigMapThe Kubernetes alpha feature _____ provides an option to set individual Secrets and ConfigMaps as immutable. For clusters that extensively use ConfigMaps (at least tens of thousands of unique ConfigMap to Pod mounts)
Immutable Secrets and ConfigMapsYou can significantly reduce load on kube-apiserver and improve cluster performance by closing watches for secrets or config maps and, setting them as _____.
immutableIf the node where a Pod is running has enough of a resource available, it's allowed for a container to use more resources than defined in its resource _____. However, a container is not allowed to use more than its resource _____.
request limitThe administrator creates one LimitRange per _____.
namespaceTo define default CPU limit and request to 150m and memory default request to 300Mi for Containers started with no cpu and memory requests in their specs, you could use...
LimitRangeOne cpu, in Kubernetes request/limit terms, is equivalent to 1 _____ for cloud providers.
coreWhen a config map currently consumed in a volume is updated, are projected keys inside the Pods eventually updated as well?
Yes The kubelet checks whether the mounted config map is fresh on every periodic sync. However, the kubelet also uses its local configurable cache for getting the current value of the ConfigMap.When several users or teams share a cluster with a fixed number of nodes, there is a concern that one team could use more than its fair share of resources. _____ is a tool to address this concern.
ResorceQuotaA malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled. An administrator can use _____ to prevent users from creating pods at high priorities.
ResourceQuotaIf the data you want to store are confidential, use a _____ rather than a ConfigMap
SecretA _____ is an API object used to store non-confidential data in key-value pairs. Pods can consume them as environment variables, command-line arguments, or as configuration files in a volume.
ConfigMapMounting ConfigMaps in a Pod is done in its .spec._____
volumesThe command ______ creates a new Kubernetes Secret.
kubectl create secretShould you set resource limits for all containers?
YesOutside CPU-intensive jobs, it's good to set container CPU requests up to _____
1 CPUA CPU limit of 1 means 1 CPU second per _____
secondA process with one thread cannot consume more than _____. The more threads, the less time it takes to consume it.
1 CPU second per secondIs it necessary to set CPU limits for your app?
Usually no. https://medium.com/@betz.mark/understanding-resource-limits-in-kubernetes-cpu-time-9eff74d3161bIf you don't set limits for each container, the limits will be inferred from the namespace's _____, if set.
LimitRangeContainer Security
The 4C's of Cloud Native security are _____, _____, _____ and _____.
Cloud, Clusters, Containers and Code_____ allow defining privilege and access controls per-Pod or per-container.
securityContextsThe three PodSecurityPolicy types are _____, _____ and Default.
Privileged, Restricted, Default_____ objects contain sensitive aspects of pod specification, such as the conditions they must meet or their default fields.
PodSecurityPolicyCan Snyk improve container security?
YesAppArmor profiles are specified per _____
containerTo specify the AppArmor profile to run a Pod container with, add the profile-specifying _____ into the Pod's metadata.
annotationDo AppArmor profiles have to be loaded onto the host before applying the annotation?
Yes - except the container runtime's default profile.The command _____ verifies that a container's root process is running the correct AppArmor profile by checking its /proc/1/attr/current file.
kubectl exec <pod> cat /proc/1/attr/currentDo you usually need to upload AppArmor profiles to all of your nodes?
Yes - since you don't know which node the pod will be scheduled to.Containers in production should be running as a non-root user, which is set in their securityContext via _____
runAsNonRoot: trueYou can improve a container's security by dropping Linux _____ such as "all", "CHOWN", "NET_RAW", "SETPCAP" via the securityContext.
capabilitiesContainers should ideally run with read-only root filesystems, set in their security contexts via _____
readOnlyRootFilesystem: trueDoes container/host operating system scanning improve security?
YesShould you enforce image signing in production?
YesOnce an attacker gets control of a container, they might obtain control of the _____ it runs on, and then the internal network.
nodeBy default, any Pod in a cluster gets a service account with certain permissions allowing it to communicate with the API server. These service account should be disabled for Pods that never need to talk to the API server, as an attacker could otherwise steal the _____.
auth tokenAttackers can break out of the container by exloiting the _____, _____, etc.
container runtime kernelSetting securityContext._____ to False makes it harder to escalate privileges inside a container.
allowPrivilegeEscalationTools like _____ or _____ are able to sandbox Pods from each other on the same host, giving you two additional layers of isolation - the Sandbox and the Container Linux Kernel.
gVisor kata containers_____ is a user space kernel that can intercept and implement syscalls in userspace, effectively sandboxing the Pod to an environment with low capabilities and restricted seccomp filters.
gVisorTrue or False? Kubernetes obviously automatically applies its own container runtime's default seccomp and AppArmor profiles to Pods, so no extra annotations must be applied to them.
FALSE! A Kubernetes Pod has LESS default restrictions applied than if it were ran directly from a container runtime.A Pod has free access to the Internet. Can an attacker use this to download exploits?
YesA container has network access to a /metrics endpoint. Could an attacker potentially find almost everything about the cluster from inside the container by reading cAdvisor/Heapster output at the endpoint?
YesTools like _____ audit the OS, container runtime, K8S, configuration using CIS benchmarks.
kube-auto-analyzer, kube-benchCan maintaining standard, secure base images for all containers improve overall workload security?
YesTo improve security, you could ideally collect logs from all containers - but especially _____ access/deny logs.
RBACThe default Pod service account can be disabled by setting _____
autonomousServiceAccountToken: falseCluster-wide _____ objects can enforce container restrictions, thus protecting the node they run on.
PodSecurityPolicyPodSecurityPolicies are _____-level resources.
ClusterA _____ is a cluster-level resource that controls security sensitive aspects of the Pod specification.
Pod Security PolicyShould you minimise user privilege inside your containers in production?
YesDeployments
Jobs on a repeating schedule are called _____
CronJobsOne CronJob object is like one line of a _____ file. It runs a job periodically on a given schedule, written in Cron format.
crontabCan CronJobs be used for running backups?
YesBecause it is not guaranteed only one job will launch per execution time of its schedule, Jobs should be _____
idempotentA CronJob is counted as _____ if it has failed to be created at its scheduled time.
missedA job's default parallelism value is 1. If it is set to _____ instead, then the Job is paused until it is increased.
0A job's _____ is the number of Job pods running at any instant.
parallelismA Kubernetes resource which ensures that all (or some) Nodes run a copy of a Pod is the _____
DaemonSetWhat will happen to ReplicaSet pods inside a node when that node gets deleted?
These pods will be replaced on another node, or nodes.Like a Deployment, a StatefulSet manages Pods that are based on an identical container spec. Unlike a Deployment, a StatefulSet maintains a _____ for each of their Pods
sticky identityAn application requires several of the following:- Stable, unique network identifiers.
- Stable, persistent storage.
- Ordered, graceful deployment and scaling.
- Ordered, automated rolling updates.
Which workload object could work best?
StatefulSet
Will deleting or scaling a StatefulSet down also delete the volumes associated with it?
NoA ReplicaSet is linked to its Pods via their _____ field. It's through this link that the ReplicaSet knows of the state of the Pods it is maintaining and plans accordingly.
metadata.ownerReferences_____ is an object which can own ReplicaSets and update them and their Pods via declarative, server-side rolling updates.
DeploymentIs running a logs collection daemon on every node a valid DaemonSet use case?
YesCan you perform a rolling update on a DaemonSet?
YesThe _____ provides a TTL (time to live) mechanism to limit the lifetime of resource objects that have finished execution.
TTL controllerAll CronJob schedules are based on the timezone of _____
the kube-controller-manager.If a CronJob's concurrencyPolicy
is set to Forbid,
and it attempted to be scheduled when there was a previous schedule still running, then it would count as _____.
missed
The number of old ReplicaSets to retain for rollback is defined in a deployment's .spec._____
revisionHistoryLimitStatefulSet manages the deployment and scaling of a set of Pods, and provides guarantees about the _____ and _____of these Pods
ordering and uniquenessIf an application doesn't require any stable identifiers or ordered deployment, you should deploy your application using a _____ - a workload object that provides a set of stateless replicas.
DeploymentA ReplicaSet identifies new Pods to acquire by using its _____. If there is a Pod that has no OwnerReference or the OwnerReference is not a Controller and the _____ matches, it will be immediately acquired by said ReplicaSet.
selectorIs running a cluster storage daemon on every node a valid DaemonSet use case?
YesPods waiting to be scheduled are usually created in Pending state. Are DaemonSet pods created in Pending state?
No - it is an inconsistency due to being scheduled by the DaemonSet controller.When Pod preemption is enabled, does the DaemonSet controller consider pod priority and preemption when making scheduling decisions?
No - Pod preemption is handled by the default scheduler, DaemonSet pods are scheduled by the DaemonSet controller.If node labels are changed, the DaemonSet will _____ Pods to newly matching nodes.
AddIf node labels are changed, the DaemonSet will _____ Pods from newly not-matching nodes.
DeleteCan CronJobs be used for sending e-mails?
YesThe Job Controller counts how many jobs had missed in the last X seconds, but only if a CronJob's _____ field is set.
startingDeadlineSecondsA _____ creates one or more Pods and ensures that a specified number of them successfully terminate. As pods successfully complete, it tracks the successful completions until a certain number of successful completions is reached.
JobFor a fixed completion count Job, you should set its .spec._____ field
completionsA _____ ensures that all (or some) Nodes run a copy of a Pod.
DaemonSetWhat will happen (by default) to DaemonSet pods inside a node when that node gets deleted?
These pods will be garbage collectedIf you want to use storage volumes to provide persistence for your workload, you can use a _____. Although its Pods are susceptible to failure, the persistent Pod identifiers make it easier to match existing volumes to the new Pods that replace any that have failed.
StatefulSetStatefulSets do not provide any guarantees on the termination of pods when a StatefulSet is deleted. To achieve ordered and graceful termination of the pods in the StatefulSet, it is possible to...
scale the StatefulSet down to 0 prior to deletionIs running a node monitoring daemon on every node a valid DaemonSet use case?
YesNormally, the node that a Pod runs on is selected by the Kubernetes scheduler. However, DaemonSet pods are created and scheduled by _____ instead.
the DaemonSet controllerDaemonSets are similar to Deployments in that they both...
create Pods, with processes which are not expected to terminate (web servers, storage servers etc).Every dependent (i.e. owned) object has a metadata._____ field that points to the owning object. The owning object is usually a Job, CronJob, Deployment, DaemonSet, StatefulSet, ReplicationController, ReplicaSet.
ownerReferencesIdentical Pods in a deployment are referred to as _____
Replicas_____ run a Pod a specified number of times before completing. _____ run a Pod periodically at specified times.
Jobs CronJobsA Deployment is supposed to have 5 pods at any given time, with .spec.replicas: 5.
If a PodDisruptionBudget allows for there to be 4 at a time, then how many pods at a time are allowed to be voluntarily disrupted by the Eviction API?
One
Are controllers (like deployment or statefulset) limited by PDBs when doing rolling updates?
No! The handling of failures during application updates is configured in the controller spec.When deleting a DaemonSet with kubectl, you can specify the flag _____, then the Pods will remain on the nodes.
--cascade=falseGiven that you can start daemon processes on a node directly via systemd, why use a DaemonSet?
- Ability to monitor and manage logs for daemons in the same way as applications.
- Same config language and tools (e.g. Pod templates,
kubectl
) for daemons and applications. - Running daemons in containers with resource limits increases isolation between daemons from app containers. However, this can also be accomplished by running the daemons in a container but not in a Pod (e.g. start directly via Docker).
_____ allow you to schedule one copy of a Pod on every node (for example, a logging agent).
DaemonSets_____ start and stop Pod replicas in a specific numbered sequence, allowing you to address each by a predictable DNS name. This is ideal for clustered applications, such as databases.
StatefulSetsDoes deleting deployments or pods bypass PodDisruptionBudgets?
YesMinimum time in seconds for which a new pod should be ready to be considered available is defined in deployment.spec._____
minReadySecondsThe count of hash collisions for a deployment is stored in its deployment.deploymentstatus._____ status field. It is used for collision avoidance.
collisionCount_____ differ from Deployments in that Pods are created sequentially, each given an incrementing index number.
StatefulSetsNodes
The 3 possible values for volume.spec.accessMode are: _____ - Can be used by 1 node_____ - Can be used by many nodes_____ - Can be read from many nodes
ReadWriteOnce ReadWriteMany ReadOnlyMany_____ allow a node to repel a set of Pods, based on certain properties of the node.
TaintsA _____ is a worker machine in Kubernetes and may be either a virtual or a physical machine, depending on the cluster.
NodeTo prevent a kubelet from self-registering the node in the control-plane, you could pass the _____ flag.
--register-node=falseA node's _____ condition is True when its disk capacity is low
DiskPressureA Node's _____ condition is True when the node's memory is low
MemoryPressureA Node's _____ condition is True when there are too many processes running.
PIDPressureA Node's _____ condition is True when its network is not correctly configured
NetworkUnavailableNode heartbeats are sent by...
kubeletThe .spec.____ field is a preference-order list of Node labels, which will be used to sort endpoints when accessing this Service. Traffic will be directed to a Node whose value for the first label matches the originating Node's value for that label. If there is no backend for the Service on a matching Node, then the second label will be considered, and so forth, until no labels remain.
topologyKeysA Node's "Ready" status is False when...
It's unhealthy and not accepting podsA _____ is a VM or a physical computer that serves as a worker machine in a Kubernetes cluster.
NodeA node's _____ contains four domains of information - its Addresses, Conditions, Capacity/Allocatable and Info.
statusAddresses in a node's status include...
HostName, InternalIP, ExternalIPCapacity fields describe the total amount of _____ that a Node has
resourcesThe Kubernetes control plane component that manages various aspects of nodes is the...
Node controllerThe three roles of the Node Controller in a Node's life
CIDR block assignmentSynchronize internal list of nodes
Node health monitoring
Two types of node Heartbeats
NodeStatus updates Lease ObjectNode Info status field describes general information about a node, such as:
operating system node component versions_____ enables a service to route traffic based upon the Node topology of the cluster.
Service TopologyA Service can specify that traffic be preferentially routed to endpoints that are on the same Node as the client, or in the same availability zone by using _____
Service TopologyA Node's "Ready" status is Unknown when...
40 seconds have passed since the Node Controller has heard from the nodeIn terms of network, the Node Controller assigns a _____ to a Node upon its registration.
CIDR blockWhich Kubernetes component is responsible for a node's self-registration into the control plane?
kubeletA node is reachable by the API server but its Ready condition has remained False or Unknown for longer than the kube-controller-manager's pod-eviction-timeout What happens to the Pods on the node?
All Pods on the node are scheduled for deletion by the node controllerAllocatable describes the amount of the Node's resources that are _____
available to be consumed by PodsIf an incoming Pod has spec.nodeSelector
or spec.affinity.nodeAffinity
defined, nodes not matching them will be...
bypassed
You can control Service traffic routing by specifying the .spec._____ field.
topologyKeysAn EndpointSlice's Endpoints can contain labels about its topology information, such as...
Node - kubernetes.io/hostnameZone - topology.kubernetes.io/zoneRegion - topology.kubernetes.io/regionA Node's "Ready" status is True when...
It's healthy and accepts pods_____ are a way of tagging nodes with specific information; usually, about node problems or failures. By default, Pods won�t be scheduled on nodes with them.
TaintsThe kubernetes components inside a worker node are...
kubelet, kube-proxy, container runtime_____ allow a Pod to be scheduled on nodes with a specific taint. You can use this mechanism to run certain Pods only on dedicated nodes.
TolerationsPod _____ express a preference for Pods to be scheduled on the same node as other Pods, when they benefit from it.
affinitiesIf two Nodes are labelled with one topologyKey and have identical values for that label, the scheduler tries to place a _____ number of Pods into each topology domain
balancedYou can use _____ to control how Pods are spread across your cluster among failure-domains (regions, zones, nodes or user-defined domains).
topology spread constraintstopologyKey is...
The key of node labels.If two Nodes are labelled with one topologyKey and have identical values for that label, the scheduler treats both Nodes as being in the same _____
topology_____ attract or repel Pods to or from nodes with specified attributes. For example, you can specify that a Pod can only run on a node in a specified availability zone.
Node affinitiesWhile _____ can block a Pod from running on a node, _____ are more like suggestions to the scheduler. You can combine multiple, with different weights.
hard node affinities soft node affinitiesThe controller that creates services, endpoints and updates iptables on each node is _____
kube-proxyThe LoadBalancer Service creates an external IP address, but itself does not know any Pod IP's. Instead, it chooses a _____ to send packets to.
NodeA node's _____ tell an incoming packet where in the node to go.
iptablesWhen running several copies of your Pod for the sake of fault tolerance, the _____ they are running on may still fail. It's important to place your Pods across several of them.
nodesRestricting access to your cluster _____ can prevent privilege escalation to your cloud provider.
nodes / VMs (especially master)Node heartbeats are inside the _____ namespace.
kube-node-leaseAre nodes namespaced?
NoWhich taints are tolerated by default by Pods?
NoneTaints are set on _____
nodesTolerations are set on _____
PodsDo taints and tolerations guarantee which node a Pod will be scheduled to?
No - you need Node AffinityEvery node in a Kubernetes cluster runs a _____, responsible for implementing a form of virtual IP for Services of type other than ExternalName.
kube-proxyPods
When you run a Pod on a Node, the Pod itself takes an amount of system resources. These resources are additional to the resources needed to run the container(s) inside the Pod. _____ is a feature for accounting for the resources consumed by the Pod infrastructure on top of the container requests & limits.
Pod OverheadCan a Pod have a single IPv4 and IPv6 address assigned?
Yes - via enabling IPv4/IPv6 dual-stack.Pod Overhead is set at _____ time according to the overhead associated with the Pod's _____. When enabled, it is considered in addition to the sum of container resource requests when scheduling a Pod. Similarly, Kubelet will include the Pod overhead when sizing the Pod cgroup, and when carrying out Pod eviction ranking.
admission RuntimeClassThe _____ ensures a specific number of pod replicas are running at any one time across nodes
replication controllerA Pod can opt out of being modified by PodPresets altogether via the metadata _____ podpreset.admission.kubernetes.io/exclude: "true"
annotationContainers within a single pod share ____ and _____ resources.
storage and networkReady, ContainerReady, lastProbeTime, reason. These are the types of latest variable observations of an object's state called _____, used when the details of an observation are not known apriori, or would not apply to all instances of a given Kind.
ConditionsThe role of the Kubernetes garbage collector is to delete certain objects that once had _____, but no longer have one.
an ownerWhen you delete an object, you can specify whether the object's dependents are also deleted automatically. Deleting dependents automatically is called a _____ deletion.
cascadingWhen configuring a container, the _____ field allows you to pass a secret that contains a Docker (or other) image registry password.
imagePullSecretsDoes a Service load balance traffic across multiple Pods?
YesContainers within a single pod share network resources - _____ and _____
IP address and port spaceA _____ is an API resource for injecting additional runtime requirements into a label-selected Pod at creation time.
Pod PresetA logical group of containers with shared network and storage and specifications for how to run each is called a _____
PodAre containers in a Pod automatically co-located and co-scheduled on the same node?
YesCan a pod's containers share resources, dependencies, communicate with each other and coordinate their lifecycle?
YesA pod's _____ is the high-level summary of where the pod is in its lifecycle.
phaseThe Pod has been bound to a node, and all of the Containers have been created. At least one Container is still running, or is in the process of starting or restarting. This is the _____ phase of a Pod's lifecycle.
Running
List all 5 Pod phases
Pending Running Succeeded Failed UnknownThe six fields of a _____ are reason, status, message, type, lastProbeTime, lastTransitionTime.
PodConditionA Pod's _____ condition field provides a unique, one-word reason for the condition's last transition.
reasonThe four possible values of a Pod's _____ condition field are PodScheduled, Ready, Initialized, ContainersReady
typeIf the _____ probe fails, the Pod's IP address is removed from the endpoints of all Services that match the Pod.
readinessIf the _____ probe fails, the container is killed by the kubelet, then subjected to the container's restart policy.
startupTo find out why a container is in Waiting state, you can check its state's _____ field
ReasonThe _____ hook is executed prior to a container entering its Running state.
postStartOnce bound to a node, will a Pod ever rebound to another node?
NoYou use _____ to specify the Pods to which a given PodPreset applies.
label selectorsWhen a pod creation request occurs, the system does the following:
- Retrieve all
PodPresets
available for use. - Check if the label selectors of any
PodPreset
matches the labels on the pod being created. - Attempt to merge the various resources defined by the
PodPreset
into the Pod being created. - On error, throw an event documenting the merge error on the pod, and create the pod without any injected resources from the
PodPreset
. - Annotate the resulting modified Pod spec to indicate that it has been modified by a
PodPreset
. The annotation is of the formpodpreset.admission.kubernetes.io/podpreset-<pod-preset name>: "<resource version>"
.
The annotation to disable PodPreset for a Specific Pod is...
podpreset.admission.kubernetes.io/exclude: "true"Topology spread constraints rely on _____ to identify the topology domain(s) that each Node is in.
node labelsA _____ limits the number of pods of a replicated application that are down simultaneously from voluntary disruptions.
PodDisruptionBudgetDo ephemeral containers guarantee execution?
NoYou can specify relationships between an owner and dependents by manually setting their .metadata._____ field
ownerReferenceIn _____, Kubernetes deletes the owner object immediately and the garbage collector then deletes the dependents in the background.
background cascading deletionIn _____, the root object first enters a "deletion in progress" state. Once the "deletion in progress" state is set, the garbage collector deletes the object's dependents. Once the garbage collector has deleted all dependents, it deletes the owner object.
foreground cascading deletionTo control the cascading deletion policy, set the _____ field on the _____ argument when deleting an Object.
propagationPolicy deleteOptionsIf a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower _____ Pods to make scheduling of the pending Pod possible.
priorityA _____ is a non-namespaced object that defines a mapping from a priority class name to the integer value of the priority.
PriorityClassIs there currently an API standard for whether a Pod is considered sandboxed?
No - Sandbox Pods may be identified by the use of a sandboxed runtime (such as gVisor or Kata Containers), but there is no standard definition of what a sandboxed runtime is._____ optimize a given metric (e.g. CPU utilization) across a set of Pods. They increase or decrease the number of replicas to achieve it.
Horizontal Pod Autoscalers (HPA)A _____ allows pod template authors to not have to explicitly provide all information for every pod.
PodPreset_____ restrict the scheduler�s freedom, trading off one application against another.
Pod affinitiesDo pods run a single container each?
Not necessarily. They can run multiple containers.Do Pods each have a unique IP address?
Yes, for each address familyFailed phase
All Containers in the Pod have terminated, and at least one Container has terminated in failure. That is, the Container either exited with non-zero status or was terminated by the system. |
Unknown phase
For some reason the state of the Pod could not be obtained, typically due to an error in communicating with the host of the Pod.The lastTransitionTime condition field provides...
a timestamp for when the Pod last transitioned from one status to another.The three possible values for the status Pod condition field are...
"True" "False" "Unknown"A probe can have one of three results:
SuccessThe Container passed the diagnostic FailureThe Container failed the diagnostic UnknownThe diagnostic failed, so no action should be takenIf a container's _____ probe fails, the container is killed by the kubelet, then subjected to the container's restart policy.
livenessA container does not provide a livenessProbe, a readinessProbe nor a startupProbe What will be the state of each probe of the container?
Success on all of themA _____ probe indicates whether a container is ready to service requests.
readinessA process in your Container is able to crash on its own whenever it encounters an issue or becomes unhealthy. Do you still need a livenessProbe?
Not necessarily. The kubelet will automatically perform the correct action in accordance with the Pod's restartPolicy.A container is in the _____ state when it has successfully or unsuccessfully completed execution.
TerminatedExited Containers that are restarted by the kubelet are restarted with an _____ delay capped at 5 minutes, and is reset after ten minutes of successful execution.
exponential back-offThe degree to which Pods may be unevenly distributed (i.e. the maximum permitted difference between the number of matching Pods in any two topology domains of a given topology type) is called the _____
maxSkewwhenUnsatisfiable possible values:
DoNotSchedule
tells the scheduler not to schedule it.
ScheduleAnyway
tells the scheduler to still schedule it while prioritizing nodes that minimize the skew
PodDisruptionBudgets cannot prevent involuntary disruptions from occurring. Do involuntary disruptions count against the budget?
NoWhen a pod is evicted using the eviction API, is it gracefully terminated?
YesA temporary "_____" container may be ran in an existing Pod to accomplish user-initiated actions such as, troubleshooting and inspecting services.
ephemeralTo troubleshoot a hard-to-reproduce bug, you might need to inspect the state of an existing Pod and its containers, or run some arbitrary commands. In these cases you can run _____ inside an existing Pod.
an ephemeral containerDo ephemeral containers have guaranteed resources?
NoWhen using ephemeral containers, it's helpful to enable _____ so you can view processes in other containers.
process namespace sharingIf you delete an object without deleting its dependents automatically, the dependents are said to become _____
orphanedPodPresets cannot be used to override a Pod�s own configuration, only to fill in settings which the Pod itself _____
hasn't specified._____ can inject bits of common configuration into all selected Pods at creation time. For example, you could use it to mount a particular Volume on all matching Pods.
PodPresetsA quorum-based application must ensure that the number of running replicas is never brought below the minimum required for a quorum. This can be achieved with a _____
PodDisruptionBudgetA pod represents _____ running in your cluster.
ProcessesIn terms of Docker constructs, a Pod is modelled as a group of Docker containers with shared _____ and shared _____
namespaces filesystem volumesA Pod has been accepted by the Kubernetes system, but one or more of the Container images has not been created, either still being scheduled or download images. This describes a Pod's _____ phase.
Pending
Succeeded phase
All Containers in the Pod have terminated in success, and will not be restarted. |
A Pod's _____ condition field provides a timestamp for when the Pod condition was last probed.
lastProbeTimeThe message condition field provides...
a human-readable message indicating details about the transition from one status to another.A container's _____ probe indicates whether the application in the container has started.
startupAll other probes are disabled until _____ succeeds.
startupProbeA Pod should only be sent traffic when a probe succeeds. Which probe can achieve this?
readinessProbeA container is _____ when it is neither Running or Terminated. It is likely pulling images, applying secrets etc.
WaitingA container is in the _____ state when it is executing without issues.
RunningTo tell why a container is in Terminated state, check its state's _____ and _____ fields.
Reason and Exit CodeThe _____ hook is executed before a container enters Terminated state.
preStopReadiness gates are determined by the current state of the .status._____ fields for the Pod. If such a field isn't found, the status of the condition defaults to "False"
conditionsDoes a Pod's restartPolicy apply to all its containers?
YesDoes restartPolicy
only refer to restarts of the Containers by the kubelet on the same node?
Yes
PodPresets are objects for injecting additional runtime requirements into pods at _____
creation time When a PodPreset
is applied to one or more Pods, Kubernetes modifies their _____
PodSpec
For changes to Env
, EnvFrom
, and VolumeMounts
, Kubernetes modifies _____
The pod's individual container specs
How to deal with a Pod if it doesn't satisfy the topology spread constraint is indicated in the _____ field.
whenUnsatisfiableA PodDisruptionBudget specifies the number of _____ that an application can tolerate having, relative to how many it is intended to have.
replicasDo Pods which are deleted or unavailable due to a rolling upgrade to an application count against the disruption budget?
YesWill an ephemeral container ever be automatically restarted?
No_____ indicates the importance of a Pod relative to other Pods.
PriorityCritical pods rely on scheduler _____ to be scheduled when a cluster is under resource pressure.
preemptionThe _____ field indicates that the value of this PriorityClass should be used for Pods without a priorityClassName. Only one such PriorityClass can exist in the system.
globalDefaultPods with PreemptionPolicy:_____ will be placed in the scheduling queue ahead of lower-priority pods, but they cannot preempt other pods. It will stay in the scheduling queue, until sufficient resources are free.
NeverPreemptionPolicy defaults to _____, which will allow pods of that PriorityClass to preempt lower-priority pods (as is existing default behavior).
PreemptLowerPriority_____ repel other Pods instead of attracting. Ex.: One to replicas of the same Pod can help spread your replicas evenly across the cluster.
anti-affinityA web front end might want to ensure that the number of replicas serving load never falls below a certain percentage of the total. This can be achieved via a _____
PodDisruptionBudgetIf non-preempting pods cannot be scheduled at a given time, they will be retried with lower frequency, allowing other pods with lower priority to be scheduled before them. This is because non-preempting pods are subject to scheduler...
back-offThe kubelet manages the _____ file for each container of a Pod to prevent Docker from modifying it.
hostsThe three available ImagePullPolicies of a container are Always, Never and _____ (default)
IfNotPresentkubectl exec
was insufficient to interactively troubleshoot a container, because it has crashed, and didn't have any debugging utilities.
To troubleshoot, you can use _____ containers.
Ephemeral containers / busybox
.spec._____ adds entries to a Pod's /etc/hosts file, overriding its hostname resolution when DNS and other options are not applicable.
HostAliasesA container without a readinessProbe is assumed to be ready for traffic once it starts. What are some potential problems with this?
The containerised application might need time to start after its enclosing container has. All requests to the app will fail throughout this process, because the container was "Ready" before the app started.If a container crashes inside a pod due to an unrecoverable error (such as a typo in the code), should you signal the liveness probe?
No. Let it crash by exiting the process, allowing kubelet to restart it. https://blog.colinbreck.com/kubernetes-liveness-and-readiness-probes-revisited-how-to-avoid-shooting-yourself-in-the-other-foot/#letitcrashLiveness probes are designed to _____ your containers when stuck, such as in an infinite loop, where there is no way for the process to seek help externally, or even exit.
restartA stuck process consuming 100% CPU won't reply to _____ probes. If you don't have a _____ probe, it will stay uselessly Running, serving no requests and consuming resources.
Readiness Liveness_____ probes are used for recovery when a process is not responsive.
LivenessLiveness and Readiness probes pointing to the same endpoint inside a container will cause the container to be detached from the Service and deleted at the same time. Is this okay?
No - it will cause connection drops due to the unready container running out of time to drain its current connections due to being deleted.Should readiness probes be allowed to depend on other services (databases, APIs...) to succeed?
No https://blog.colinbreck.com/kubernetes-liveness-and-readiness-probes-how-to-avoid-shooting-yourself-in-the-foot/#shootingyourselfinthefootwithreadinessprobesWhile it's in its termination grace period, you might want an app to process remaining incoming requests by adding a _____ handler.
preStopMost applications should log to _____ and send errors to _____, which are then aggregated by another service.
stdout stderrDoes each Pod have a unique IP?
YesA _____ is like a machine with its own IP address and ports, running containers inside which can map their ports to it.
PodDoes a Pod have its own network namespace inside?
YesDoes a Pod have its own virtual ethernet connection?
YesIs running backups a valid use case for a sidecar container inside a Pod?
YesIs running database synchronisation a valid use case for a sidecar container inside a Pod?
YesIs running authentication proxies a valid use case for a sidecar container inside a Pod?
YesThe "pause" container (also called sandbox container) inside each Pod reserves and holds the network _____, enabling containers to communicate with each other and retaining the IP address of the pod.
namespace (netns)A _____ is an abstract way to expose on the network an application running on a set of Pods.
serviceEach Kubernetes Node has its own _____ range from which it assigns its pods unique IPs.
CIDR IP blockServices
A _____ is like a virtual server on your cluster.
ServiceThe service type that exposes a Service on a cluster-internal IP, making it only reachable from within the cluster is _____
ClusterIPThe _____ service type maps the Service to the contents of the _____ field (e.g. foo.bar.example.com), by returning a CNAME record.
ExternalNameIn order to allow you to choose a port number for your Services, we must ensure that no two Services can collide. Kubernetes does that by allocating each Service its own _____
IP address.In some cases, multiple paths within an Ingress will match a request. In those cases precedence will be given first to the _____.
longest matching pathIn an Ingress, if two paths are still equally matched by a request, precedence will be given to paths with the _____ path type over _____ path type.
exact prefixThe 5 possible ServiceTypes for Kubernetes Service are: _____ - Exposes as an in-cluster IP (default)_____ - Exposes as a port on each node_____ - Exposes externally via your cloud provider's LB_____ - Maps to the contents of the ExternalName, returns a CNAME record with the value_____
ClusterIP NodePort LoadBalancer ExternalName HeadlessAn EndpointSlice is full once it reaches _____ endpoints (by default), at which point additional EndpointSlices will be created.
100An _____ is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.
Ingress controllerStatefulSets currently require manually creating a _____ to be responsible for the network identity of the Pods.
headless serviceA Service for with no ClusterIP, proxying, load-balancing, nor handled by kube-proxy is called _____
headlessThe _____ service type exposes a Service on each Node's IP at a static port.
NodePortThe _____ service type exposes the Service externally using a cloud provider's load balancer.
LoadBalancerEndpointSlices support three address types: _____, _____, _____.
IPv4, IPv6, Fully Qualified Domain Name_____ resources route requests to different services, depending on a set of rules, for example, matching parts of the request URL.
IngressThe NodePort type is an extension of the _____ type. So a NodePort service also has a _____ address.
ClusterIPThe LoadBalancer service type is an extension of the _____ type. A LoadBalancer Service has a clusterIP address and one or more _____ values.
NodePort_____ provide a more scalable alternative to Endpoints, distributing network endpoints across multiple resources.
EndpointSlicesTo ensure each Service receives a unique IP, an internal allocator atomically updates a global allocation map in _____ prior to creating each Service.
etcdAn Ingress with no rules sends all traffic to a single _____, which is typically a configuration option of the Ingress Controller and is not specified in your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress objects, the traffic is routed to it.
default backendIt takes time for kube-proxy or the Ingress controller to be notified of endpoint changes. Traffic will then remain flowing to a Pod even after its _____. Graceful _____ is required of an app upon its container being sent a SIGTERM signal, stopping it from accepting new requests, and consecutively closing existing connections.
termination connection terminationhttps://freecontent.manning.com/handling-client-requests-properly-with-kubernetes/
An Ingress TLS secret must contain keys named _____ that contain the certificate and private key to use for TLS.
tls.crt and tls.keyCan ingress objects terminate TLS connections for your application?
Yes_____ exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the _____ resource.
IngressAn _____ may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name based virtual hosting.
IngressThe resources that expose deployments on a network are _____
ServicesWhen you don't need load-balancing and a single Service IP, you can create _____
headless servicesHeadless services are created by setting the Service's .spec._____ field to _____
clusterIP"None"
The kubernetes service is configured in all namespaces with virtual IP address that is redirected via _____ to the apiserver.
kube-proxyInside a Kubernetes cluster, you might wish to reuse an existing DNS entry, or have legacy systems that are configured for a specific IP address and difficult to re-configure. A Service can specify its own cluster IP address by setting the .spec._____ field.
clusterIPIngresses can be implemented by different controllers, often with different configuration. Each Ingress should reference an _____ that contains additional configuration including the name of the controller that should implement it.
IngressClassYou may deploy any number of Ingress controllers within a cluster. When you create an ingress, you should annotate each ingress with the appropriate _____ to indicate which ingress controller should be used if more than one exists within your cluster.
ingressClassThe _____ service type exposes the Service on each Node�s IP at a static port. A ClusterIP Service, to which the it routes, is automatically created.
NodePortStorage
Is a Volume preserved after its Pod's deletion?
NoTo use a volume, a Pod specifies what volumes to provide for the Pod in the _____ field, and where to mount those into Containers in the _____ field.
.spec.volumes .spec.containers[*].volumeMountsCan Volumes have hard links to other Volumes?
NoA _____ is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Classes. It is a resource in the cluster just like a node is a cluster resource.
PersistentVolumeA _____ is a request for storage by a user.
PersistentVolumeClaimIn _____ provisioning, a cluster administrator creates a number of PVs. They carry the details of the real storage, which is available for use by cluster users. They exist in the Kubernetes API and are available for consumption.
staticA cluster is provisioned with several 50Gi PVs. A PVC requests 100Gi PV. What happens?
Nothing. The PVC can only be bound once a 100Gi PV is added to the cluster.If a user deletes a PVC in active use by a Pod, the PVC is...
not removed immediately.PVC removal is postponed until _____
the PVC is no longer actively used by any Pods.PV removal is postponed until...
the PV is no longer bound to a PVC.A PV or a PVC is protected when its status its metadata.finalizers list includes _____
kubernetes.io/pvc-protectionGenerally, a PV will have a specific storage capacity. This is set using the PV's _____ attribute.
capacityYou can set the value of volumeMode to _____ to use a volume as a raw block device. Such volume is presented into a Pod as a block device, without any filesystem on it. This mode is useful to provide a Pod the fastest possible way to access a volume, without any filesystem layer between the Pod and the volume. On the other hand, the application running in the Pod must know how to handle a raw block device.
BlockReadOnlyMany
the volume can be mounted read-only by many nodesA volume is said to be _____ when the volume has failed its automatic reclamation.
FailedPersistentVolumes binds are exclusive, and since PersistentVolumeClaims are namespaced objects, mounting claims with "Many" modes (ROX
, RWX
) is only possible within _____
one namespace
A _____ is a request for snapshot of a volume by a user. It is similar to a PersistentVolumeClaim.
VolumeSnapshotAre VolumeSnapshot
, VolumeSnapshotContent
, and VolumeSnapshotClass
part of the core API?
No - they are CustomResourceDefinitions.
In volume snapshots, _____ are resources in the cluster. _____ are requests for those resources.
VolumeSnapshotContents VolumeSnapshotsWhile a snapshot is being taken of a PersistentVolumeClaim, that PersistentVolumeClaim is in-use. If you delete a PersistentVolumeClaim API object in active use as a snapshot source, the PersistentVolumeClaim object is not removed immediately. Instead, removal of the PersistentVolumeClaim object is postponed until the snapshot is _____
readyToUse or aborted._____ is the unique identifier of the volume created on the storage backend and returned by the CSI driver during the volume creation. This field is required for dynamically provisioning a snapshot. It specifies the volume source of the snapshot.
volumeHandleYou can provision a new volume, pre-populated with data from a snapshot, by using the _____ field in the PersistentVolumeClaim
object.
dataSource
PersistentVolumes that are dynamically created by a StorageClass will have a _____defined, which can be Delete or Retain
reclaimPolicyTo enable dynamic volume provisioning, a cluster administrator needs to pre-create one or more _____ objects for users.
StorageClassWhen a Container crashes, kubelet will restart it, but its on-disk files will be lost unless stored on a _____
VolumeIf a PV was dynamically provisioned for a new PVC, the loop will always _____ that PV to the PVC.
bindsA Pod uses a PersistentVolume. This PV has a node affinity towards certain nodes. Where will the Pod be scheduled?
To the node where the PV is available from.A volume is said to be _____ when it is free and not yet bound to a claim.
AvailableWhen running Containers together in a Pod
it is often necessary to share files between those Containers. The Kubernetes _____ abstraction solves this problem.
Volume
Is a volume just a directory with data, accessible to the Containers in its enclosing Pod?
YesCan Volumes mount into other volumes?
NoA control loop in the master watches for new PVCs, finds a matching PV (if possible), and _____ them.
bindsYou can only expand a PVC if its storage class's _____ field is set to true. To request a larger volume for a PVC, edit the PVC object and specify a larger size. This triggers expansion of the volume that backs the underlying PersistentVolume. A new PersistentVolume is never created to satisfy the claim. Instead, an existing volume is resized.
allowVolumeExpansionCan you resize an in-use PVC?
Yes - since Kubernetes 1.15. TheExpandInUsePersistentVolumes
feature must be enabled.
Kubernetes supports two _____ of PersistentVolumes: Filesystem and Block.
volumeModesvolumeMode is an optional API parameter. _____ is the default mode used when volumeMode parameter is omitted.
FilesystemA volume with _____ is mounted into Pods into a directory. If the volume is backed by a block device and the device is empty, Kuberneretes creates a filesystem on the device before mounting it for the first time.
volumeMode: FilesystemReadWriteMany
the volume can be mounted as read-write by many nodesA PV can have a class, which is specified by setting the _____ attribute to the name of a StorageClass.
storageClassNameA claim can request a particular class by specifying the name of a StorageClass using the attribute _____.
storageClassNameSimilar to how API resources PersistentVolume and PersistentVolumeClaim are used to provision volumes for users and administrators, _____ and _____ API resources are provided to create volume snapshots for users and administrators.
VolumeSnapshot VolumeSnapshotContentVolumeSnapshot
support is only available for _____ drivers.
CSI
The CRDs and snapshot controller installations are the responsibility of _____
the Kubernetes distributionThe snapshot controller handles the binding of a VolumeSnapshot
object with an appropriate VolumeSnapshotContent
object, in both pre-provisioned and dynamically provisioned scenarios. The binding is a _____ mapping.
In the case of pre-provisioned binding, the VolumeSnapshot will remain unbound until the requested VolumeSnapshotContent object is created.
one-to-one
An administrator can mark a specific StorageClass as default by adding the _____ annotation to it.
storageclass.kubernetes.io/is-default-classCan you attach as many volumes as you want to a node?
No - depends on the cloud provider's permitted limit.A PVC to PV binding is a one-to-one mapping, using a _____ which is a bi-directional binding between the PersistentVolume and the PersistentVolumeClaim.
ClaimRefA PV of a particular class can only be bound to PVCs requesting that class. A PV with no _____ has no class and can only be bound to PVCs that request no particular class.
storageClassNameA volume is called _____ when it is bound to a claim.
BoundA volume is said to be _____, when the claim has been deleted, but the resource is not yet reclaim by the cluster.
ReleasedMounted directories accessible from inside containers are called _____
VolumesA Kubernetes volume has an explicit lifetime - the same as _____
The Pod that encloses itIs a Volume preserved across Container restarts?
YesManaging storage is a distinct problem from managing compute instances. The PersistentVolume subsystem provides an API for users and administrators that abstracts details of how storage is provided from how it is consumed. To do this, we introduce two new API resources: _____ and _____.
PersistentVolume PersistentVolumeClaimDo PersistentVolumes have a lifecycle dependent on the Pods that use the PV?
NoThe two ways that PVs may be provisioned are either _____ or _____.
statically or dynamically.When none of the static PVs the administrator created match a user's PersistentVolumeClaim, the cluster may try to _____ provision a volume specially for the PVC. This provisioning is based on StorageClasses: the PVC must request a storage class and the administrator must have created and configured that class for dynamic provisioning to occur.
dynamicallyOnce bound, PersistentVolumeClaim binds are _____, regardless of how they were bound.
exclusiveOnce a user has a claim and that claim is bound, the bound PV belongs to the user for as long as they need it. Users schedule Pods and access their claimed PVs by including a _____ section in a Pod's _____ block.
persistentVolumeClaim volumes