k8s管理员认证考试题目答案(cka)
1、rbac授权
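# Create a ClusterRole that may only create Deployments, StatefulSets and DaemonSets.
kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets
# Service account for the CI/CD pipeline, in namespace app-team1.
kubectl create serviceaccount cicd-token -n app-team1
# A RoleBinding (not a ClusterRoleBinding) keeps the grant inside app-team1.
# The --clusterrole value must match the role created above exactly: a binding that
# names a role which does not exist is still created, but it grants nothing.
kubectl create rolebinding cicd-token --serviceaccount=app-team1:cicd-token --clusterrole=deployment-clusterrole -n app-team1
# To verify the grant:
# kubectl auth can-i create deployments --as=system:serviceaccount:app-team1:cicd-token -n app-team1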
2、设置节点不可用
# Mark ek8s-node-1 unschedulable, then evict its pods; DaemonSet-managed pods stay in place.
node=ek8s-node-1
kubectl cordon "$node"
kubectl drain "$node" --ignore-daemonsets
3、升级k8s版本
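# Upgrade the node mk8s-master-0 to v1.20.1 while leaving etcd at its current version.
# Stop new pods landing on the node and evict the running ones first.
kubectl cordon mk8s-master-0
kubectl drain mk8s-master-0 --ignore-daemonsets
# The package and kubeadm steps run as root on the node itself.
ssh mk8s-master-0
sudo -i
# kubeadm is upgraded first because it performs the control-plane upgrade.
apt install kubeadm=1.20.1-00 -y
kubeadm upgrade plan
# --etcd-upgrade=false skips the etcd upgrade.
kubeadm upgrade apply v1.20.1 --etcd-upgrade=false
apt install kubectl=1.20.1-00 kubelet=1.20.1-00 -y
systemctl daemon-reload
# The unit is named kubelet; with a misspelled unit name the restart fails and the
# previous kubelet keeps running.
systemctl restart kubelet
# NOTE(review): this still runs inside the root shell on the node; confirm kubectl is
# configured there, or leave the session before uncordoning.
kubectl uncordon mk8s-master-0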
4、etcd备份与恢复
# Presumably leaves the root shell opened on mk8s-master-0 in the previous step — confirm.
exit
# Save a snapshot from the etcd endpoint at 127.0.0.1:2379 using the client certificate and key.
# The snapshot contains every object stored in the cluster, Secrets included, so the
# file should be readable by root only.
# NOTE(review): --key is a relative path, unlike --cacert and --cert; confirm where etcd.key lives.
ETCDCTL_API=3 etcdctl snapshot save /data/backup/etcd-snapshot.db --endpoints=https://127.0.0.1:2379 --cacert=/opt/ca.crt --cert=/opt/cert.crt --key=etcd.key
# Move the static pod manifests aside; presumably this stops the control-plane pods
# (etcd among them) for the duration of the restore — confirm on the cluster.
mv /etc/kubernetes/manifests/ /etc/kubernetes/manifests.bak
# Keep the current data directory as a fallback.
mv /var/lib/etcd /var/lib/etcd.bak
# Restore the earlier snapshot (etcd-snapshot-previous.db, not the file saved above)
# into a new /var/lib/etcd.
ETCDCTL_API=3 etcdctl --data-dir=/var/lib/etcd snapshot restore /data/backup/etcd-snapshot-previous.db
# Put the manifests back so the control-plane pods come up on the restored data.
mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests
5、网络策略
# List namespaces with their labels, then give each namespace the project label
# that the NetworkPolicy's namespaceSelector matches on.
kubectl get namespaces --show-labels
for ns in my-app big-corp; do
  kubectl label namespace "$ns" "project=$ns"
done
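---
# NetworkPolicy for every pod in namespace my-app (empty podSelector).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-port-from-namespace
  namespace: my-app
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  # Inbound: only TCP 8080 from pods in namespaces labelled project=my-app.
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              project: my-app
      ports:
        - protocol: TCP
          port: 8080
  # Outbound: only TCP 8080 to pods in namespaces labelled project=big-corp.
  # Because Egress is listed in policyTypes, all other outbound traffic from these
  # pods is dropped, DNS lookups included, unless another policy allows it.
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              project: big-corp
      ports:
        - protocol: TCP
          port: 8080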
6、SVC暴露应用
# Open the front-end Deployment in an editor and add the port entry shown below to the nginx container.
kubectl edit deployment front-end
…
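# Fragment of the pod template in the front-end Deployment; indentation restored.
containers:
  - image: nginx
    imagePullPolicy: Always
    name: nginx
    ports:
      # NOTE(review): the port is named https but is containerPort 80; confirm the
      # name the task asks for.
      - name: https
        protocol: TCP
        containerPort: 80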
# Publish the Deployment as a NodePort Service named front-end-svc; Service port 80 forwards to container port 80.
# A NodePort Service is reachable on every node's address, so use it only where that exposure is intended.
kubectl expose deployment front-end --name=front-end-svc --type=NodePort --port=80 --target-port=80
7、ingress
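---
# Ingress routing /hello to Service hello on port 5678.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pong
  # Mapping entries are written "key: value"; "namespace=ing-internal" does not parse as a key.
  namespace: ing-internal
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    # No host is set, so the rule applies to requests for any host name.
    - http:
        paths:
          - path: /hello
            pathType: Prefix
            backend:
              service:
                name: hello
                port:
                  number: 5678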
8、扩容pod数量
# Set the Deployment to 5 replicas.
# NOTE(review): the name is spelled "loadbalacer"; confirm it against `kubectl get deployment`.
kubectl scale deployment loadbalacer --replicas=5
9、nodeSelector
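---
# Pod that is scheduled only onto nodes labelled disk=ssd.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-kusc00401
spec:
  containers:
    - name: nginx
      image: nginx
  # nodeSelector belongs to the pod spec, next to containers, not to a container.
  nodeSelector:
    disk: ssd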
10、统计准备就绪节点数量
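# Count nodes that are Ready and carry no NoSchedule taint; write the count to /opt/123.txt.
# - STATUS is matched from its start, so NotReady nodes are not counted
#   (a plain `grep Ready` also matches "NotReady").
# - `kubectl get node` prints no taint column, so filtering its output on NoSchedule
#   removes nothing; the taint effects are read per node from .spec.taints instead.
kubectl get node --no-headers \
  | grep -v master \
  | awk '$2 ~ /^Ready/ {print $1}' \
  | while read -r node; do
      kubectl get node "$node" -o jsonpath='{.spec.taints[*].effect}' | grep -qw NoSchedule || echo "$node"
    done \
  | wc -l > /opt/123.txt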
11、pod配置多容器
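---
# Pod running two containers, redis and memcached, side by side.
apiVersion: v1
kind: Pod
metadata:
  name: kucc4
spec:
  containers:
    - name: redis
      image: redis
    - name: memcached
      image: memcached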
12、创建pv
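---
# 2Gi PersistentVolume backed by a directory on the node (hostPath).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: app-data
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  # hostPath exposes part of the node's own filesystem to whichever pod binds this volume.
  hostPath:
    path: "/svc/app-data"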
13、pod使用pvc
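---
# Claim for 10Mi from storage class csi-hostpath-sc.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pv-volume
spec:
  storageClassName: csi-hostpath-sc
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Mi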
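---
# Pod that mounts the claim pv-volume at the nginx document root.
apiVersion: v1
kind: Pod
metadata:
  name: web-server
spec:
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: pv-volume
  containers:
    - name: task-pv-container
      image: nginx
      volumeMounts:
        # name must match the entry under spec.volumes.
        - mountPath: "/usr/share/nginx/html"
          name: data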
# Open the claim in an editor; --save-config stores the resulting configuration in the object's annotation.
kubectl edit pvc pv-volume --save-config
14、获取pod错误日志
# Keep only the log lines of pod bar that contain unable-to-access-website and store them in /opt/KUTR00101/bar.
kubectl logs bar | grep 'unable-to-access-website' > /opt/KUTR00101/bar
15、给pod增加一个容器
# The container list of an existing Pod cannot be extended in place, so the Pod is
# exported, deleted, edited and then created again.
kubectl get pod big-corp-app -o yaml > big-corp-app.yaml
# Deleting stops the running Pod; the exported file is the only copy of its definition from here on.
kubectl delete -f big-corp-app.yaml
# Add the sidecar container and the shared volume as in the manifest below.
vi big-corp-app.yaml
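---
# Pod with an application container and a log-streaming sidecar sharing /var/log.
apiVersion: v1
kind: Pod
metadata:
  name: big-corp-app
spec:
  containers:
    - name: big-corp-app
      image: busybox:1.28
      args:
        - /bin/sh
        - -c
        # Folded scalar: the lines below are joined with spaces into one sh command line.
        - >
          i=0;
          while true;
          do
          echo "$i: $(date)" >> /var/log/1.log;
          echo "$(date) INFO $i" >> /var/log/2.log;
          i=$((i+1));
          sleep 1;
          done
      volumeMounts:
        - name: varlog
          mountPath: /var/log
    # Sidecar: mounts the same volume and follows a log file on its own stdout.
    # NOTE(review): the main container writes 1.log and 2.log, while the sidecar
    # follows big-corp-app.log; confirm which file the task names.
    - name: sidecar
      image: busybox
      args: [/bin/sh, -c, 'tail -n+1 -f /var/log/big-corp-app.log']
      volumeMounts:
        - name: varlog
          mountPath: /var/log
  volumes:
    # emptyDir lives only as long as the Pod; both containers mount it at /var/log.
    - name: varlog
      emptyDir: {}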
# Create the Pod again from the edited file.
kubectl apply -f big-corp-app.yaml
16、统计使用cpu最高的pod
# Show CPU usage for pods labelled name=overloaded-cpu in all namespaces, sorted by CPU.
kubectl top pod --all-namespaces --selector=name=overloaded-cpu --sort-by=cpu
17、节点notready处理
# Log in to the NotReady node and become root.
ssh wk8s-node-0
sudo -i
# Check why the kubelet is down, then start it and enable it so it also starts at boot.
systemctl status kubelet
systemctl enable --now kubelet