RedHat OpenShift D280 Exam Preparation

 Hello Techies,
 
Are you wondering what questions will be asked in the Red Hat OpenShift D280 exam?
Well, you are in the right place.
Here you will find the questions as well as the answers; by following them you can clear the exam like a piece of cake.
 
Step 1 - Initial Setup - SSH

The user name and password for the workbench server will be given in the information.
We need to log in only to the workstation or workbench URL.

ssh root@workbench.lab.example.com

Step 2 - Log in to the OpenShift cluster as kubeadmin

oc login -u kubeadmin -p xxxxxx api_server_connection_url
The password will be given in:
cat /root/kubeadmin-password
api server connection url - will be provided in the information window.
-------------------------------------------------------------------------------------------
Question : 1

Manage Identity Providers: (secret name and identity provider name will be given in the exam)
   Create user bob with password indionce
   Create user qwerty with password catalog
   Create user john with password jon123
   Create user natasha with password natasha123
   Create user harry with password harry123
   Create user susan with password susan123
·    Step 1: Install httpd-tools or httpd-utils
      yum install httpd-tools - in the exam httpd-tools won't be available, so we need to install it
·    Step 2: Create users
      htpasswd -c -b /tmp/htpasswd username password - the first time, use "-c" to create the htpasswd file and "-b" to add a user to the file, taking the password from the command line.
      htpasswd -b /tmp/htpasswd username password - subsequent times do not use -c; if it is used, the existing contents will be overwritten. Just use "-b" to add a user to the file.
      cat /tmp/htpasswd - make sure all 6 users are created.
·    Step 3: Create Secret
      oc create secret generic <secret-name> --from-file htpasswd=/tmp/htpasswd -n openshift-config - secret name will be given in the exam
      oc get secret -n openshift-config - make sure the secret is created
·    Step 4: Linking the secret to the operator
      The OAuth Operator running in the OpenShift cluster is responsible for allowing users to access the cluster.
      This Operator listens to the secret which was created in the project openshift-config.
      oc edit oauth cluster - this command opens the existing yaml for editing; add the below content under spec
 
         identityProviders:
         - name: <identity-provider-name>
           mappingMethod: claim
           type: HTPasswd
           htpasswd:
             fileData:
               name: <secret-name>

·    Step 5: Validation
      oc get pods -n openshift-authentication - the pods should be restarted - for validation.
      oc login -u usr1 -p usr1 - repeat this step for all 6 users created and finally log in as kubeadmin.
      oc get users - only shows the users that have logged in
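
A scripted version of the "cat /tmp/htpasswd" check from Step 2, as an added example that is not part of the original post: it reports missing or duplicate users and entries that are not bcrypt (htpasswd writes apr1 MD5 unless -B is given). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# audit_htpasswd FILE USER...   (FILE may be "-" for standard input)
# Prints one finding per line and returns non-zero if there is any finding.
audit_htpasswd() {
    file=$1; shift
    awk -F: -v expected="$*" '
        BEGIN { n = split(expected, want, " ") }
        /^[ \t]*$/          { next }
        NF < 2 || $1 == ""  { print "malformed line " NR; bad++; next }
        seen[$1]++          { print "duplicate user: " $1; bad++ }
        # The hash scheme is identified by the prefix of the second field.
        $2 ~ /^\$2[aby]\$/  { next }    # bcrypt, written by htpasswd -B
        $2 ~ /^\$apr1\$/    { print "not bcrypt (apr1 MD5): " $1; bad++; next }
        index($2, "{SHA}") == 1 { print "not bcrypt (unsalted SHA-1): " $1; bad++; next }
                            { print "unrecognised or plaintext hash: " $1; bad++ }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "missing user: " want[i]; bad++ }
            exit (bad > 0)
        }
    ' "$file"
}

# Constructed sample: the hash fields are placeholders, not real password hashes.
sample_htpasswd() {
    cat <<'EOF'
bob:$2y$05$CONSTRUCTED.PLACEHOLDER.HASH
john:$apr1$constr$PLACEHOLDERHASH
john:$apr1$constr$PLACEHOLDERHASH
harry:harry123
EOF
}

# Demo run on the constructed sample; on the workstation pass /tmp/htpasswd
# and the six user names from the question instead.
sample_htpasswd | audit_htpasswd - bob john harry susan || true
```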
-------------------------------------------------------------------------------------------
Question: 2 
Category: Manage users and policies – modify user permissions
Category: Control access to resources - Apply permissions to users 
 Points to note before attempting this question

Only a cluster admin can add or remove the cluster-admin role for users.

The self-provisioner role can create new projects. In our case all OAuth-mapped users are in the group (system:authenticated:oauth), so they have the self-provisioner role. We will need to remove the self-provisioner role from the whole group.

Manage user Permissions:
bob user should have cluster administrator rights.
john user can create new projects.
qwerty user cannot create projects.
kubeadmin user should not exist (remove kubeadmin user).

·    Step 1: Assign cluster-admin role to user
o   oc adm policy add-cluster-role-to-user cluster-admin bob - assigning the cluster-admin role to the mentioned user. By default kubeadmin is the cluster-admin user. Only a cluster-admin user can give cluster-admin access
·    Step 2: Remove the appropriate cluster role from the group, so that nobody other than the mentioned user can create new projects
o   oc describe clusterrolebindings self-provisioners - self-provisioners is the cluster role binding that grants the self-provisioner cluster role, which provides access to create new projects.
o   oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth - remove the self-provisioner role from the group so that only the mentioned user can have access
·    Step 3: Assign the appropriate cluster role so that only the mentioned user can create new projects
o   oc adm policy add-cluster-role-to-user self-provisioner john - assign self-provisioner to the mentioned user
o   since the self-provisioner role has been removed from the group and assigned only to john, the qwerty user by default won't have access to create a new project.
·    Step 4: Validation
o   oc login -u qwerty -p catalog  - login as qwerty
o   oc new-project test1  - should get an error and should not be able to create a project
o   oc login -u john -p jon123  - login as john – user with the self-provisioner role
o   oc new-project test1 – project should be created successfully.
o   oc login -u bob -p indionce  - login as bob - newly assigned cluster-admin
o   oc get nodes - these commands should work
o   oc get pv - these commands should work
o   oc whoami - making sure logged in as bob - before deleting the kubeadmin user
·    Step 5: Delete the kubeadmin user
o   oc delete secret/kubeadmin -n kube-system - deleting the kubeadmin
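
The Step 4 validation can also be done without logging in as each user, and Step 5 can be guarded against a lockout. The following is an added example, not part of the original post: it uses oc auth can-i with impersonation (--as / --as-group); the function names and the fake_oc stand-in are constructed for illustration.

```shell
#!/bin/sh
OC=${OC:-oc}    # set OC=fake_oc to dry-run without a cluster
# Groups that every user authenticated through the OAuth server belongs to.
AS_GROUPS="--as-group=system:authenticated --as-group=system:authenticated:oauth"

# can_i USER VERB RESOURCE [FLAGS]: ask the API server whether USER may do it,
# using impersonation instead of logging in with each user's password.
can_i() {
    u=$1; shift
    [ "$($OC auth can-i "$@" --as="$u" $AS_GROUPS 2>/dev/null)" = "yes" ]
}

# expect WANT USER VERB RESOURCE [FLAGS]: compare the answer with WANT (yes|no).
expect() {
    want=$1; shift
    if can_i "$@"; then got=yes; else got=no; fi
    if [ "$got" = "$want" ]; then echo "ok   $*"; else echo "FAIL $* (got $got)"; rc=1; fi
}

# check_q2: the three expectations stated in Question 2.
check_q2() {
    rc=0
    expect yes bob    '*' '*' --all-namespaces
    expect yes john   create projectrequests
    expect no  qwerty create projectrequests
    return "$rc"
}

# safe_to_remove_kubeadmin: refuse unless the current session belongs to a
# cluster-admin other than kube:admin, so deleting the secret cannot lock you out.
safe_to_remove_kubeadmin() {
    me=$($OC whoami 2>/dev/null) || { echo "not logged in"; return 1; }
    if [ "$me" = "kube:admin" ]; then echo "still logged in as kube:admin"; return 1; fi
    if [ "$($OC auth can-i '*' '*' --all-namespaces 2>/dev/null)" != "yes" ]; then
        echo "$me is not cluster-admin"; return 1
    fi
    echo "ok: $me holds cluster-admin"
}

# Constructed stand-in for oc on a cluster where steps 1-3 succeeded.
fake_oc() {
    case "$*" in
        whoami) echo "$FAKE_USER" ;;
        "auth can-i * * --all-namespaces")
            if [ "$FAKE_USER" = bob ]; then echo yes; else echo no; return 1; fi ;;
        *"--as=bob "*) echo yes ;;
        "auth can-i create projectrequests --as=john "*) echo yes ;;
        *) echo no; return 1 ;;
    esac
}

# Dry run against the stand-in; on a real cluster, log in as bob and call
# check_q2 and safe_to_remove_kubeadmin with OC left at its default.
( OC=fake_oc; FAKE_USER=bob; check_q2 && safe_to_remove_kubeadmin ) || true
```

The default self-provisioners binding carries the annotation rbac.authorization.kubernetes.io/autoupdate, and OpenShift restores the binding unless that annotation is set to false, so run check_q2 again after an API server restart.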
-------------------------------------------------------------------------------------------
Points to note, before attending this question 
Difference between clusterrole & project role

Clusterrole  - oc adm policy
cluster-admin
self-provisioner
Admin

Project role - oc policy
view
edit

Question : 3 
Category: Manage users and policies – modify project level permissions
Category: Control access to resources – Apply permissions to users
Category: Manage OpenShift Container Platform – create projects
   Create projects named
o   Apollo
o   Test
o   Demo
   natasha user can only view the resources of the apollo and test projects
   harry user can edit project demo
 
·    Step 1: Create new projects
o   oc new-project apollo - repeat 3 times and create all 3 projects as mentioned
·    Step 2: Assign appropriate roles to the users
o   oc policy add-role-to-user view natasha -n apollo - assign the view access to the specified project
o   oc policy add-role-to-user view natasha -n test - assign the view access to the specified project
o   oc policy add-role-to-user edit harry -n demo - assign the edit access to the specified project
·    Step 3: Validation
o   oc get projects – make sure the newly created projects are listed
o   use the OpenShift console and navigate to the project – rolebindings and make sure the roles for the projects are assigned to the correct user.
-----------------------------------------------------------------------------------------------

Category: Manage users and policies – create groups and modify group level permissions

Question : 4 

Managing Groups:
-       Create groups named site-users and guest-users
-       Add the qwerty user to the guest-users group
-       Add the harry and susan users to site-users
-       Give edit permission to the site-users group on the test project
-       Give view permission to the guest-users group on the demo project
 
·    Step 1: Create groups
o   oc adm groups new <group-name> - repeat 2 times to create the mentioned groups
·    Step 2: Add users to the group
o   oc adm groups add-users <group-name> <user-name> - repeat and assign user as mentioned in the question
·    Step 3: Add roles to the group
o   oc policy add-role-to-group edit site-users -n test - assign roles to the group as mentioned in the question
o   oc policy add-role-to-group view guest-users -n demo - assign roles to the group as mentioned in the question
·    Step 4: Validation

o   oc get groups - this will show the groups, users in the groups 

-------------------------------------------------------------------------------------------
Category: Configure pod scheduling – create project quota

Question : 5

Create resource quota for project rocky:

-       pods =3
-       cpu = 2
-       services = 6
-       memory = 1Gi
-       secrets = 6
-       replicationcontroller=5
 
·    Step 1: Switch to the project
o   oc project rocky - to switch to the mentioned project
·    Step 2: Create quota
o   oc create quota -h - to get the syntax of the command
o   oc create quota <quota-name> --hard pods=3,limits.cpu=2m,services=6,limits.memory=1Gi,secrets=6,replicationcontrollers=5 - to create quota
·    Step 3: Validation
o   oc get quota - to validate the quota created
o   oc describe quota <quota-name> - to validate the quota created
-------------------------------------------------------------------------------------------
Question : 6
Category: Configure pod scheduling – creating LimitRange
Create LimitRange for project rocky:
    - Set the pod memory limit between 5Mi and 300Mi 
    - Set the container memory limit between 5Mi and 300Mi
    - Set the pod cpu limit between 5m and 300m
    - Set the container cpu limit between 5m and 300m
    - Set the container default limit for memory and cpu to 100Mi and 100m respectively
 
·    Step 1: Switch to the project
o   oc project rocky - to switch to the mentioned project
·    Step 2: Create Limit Range
o   oc get limitrange - to make sure no limitrange exists for this project yet
o   oc explain limitrange.spec.limits - to get the syntax for the yaml file
o   vi limit-rocky.yaml - creating a yaml file to create the limitranges. Below is the content of the yaml file
 
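         apiVersion: v1
         kind: LimitRange
         metadata:
           name: rocky-limits
         spec:
           limits:
           # bounds for the sum over all containers in a pod
           - type: Pod
             max:
               cpu: 300m
               memory: 300Mi
             min:
               cpu: 5m
               memory: 5Mi
           # bounds per container, plus the default limit for containers that set none
           - type: Container
             default:
               cpu: 100m
               memory: 100Mi
             max:
               cpu: 300m
               memory: 300Mi
             min:
               cpu: 5m
               memory: 5Mi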
 
o   oc create -f limit-rocky.yaml - creating LimitRange from file
·    Step 3: Validation
o   oc get limitrange - to validate the limitrange created
o   oc describe limitrange rocky-limits - to validate the limitrange created 
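
Quantities in Questions 5 and 6 are easy to misread: a CPU value of 2m is two millicores, while 2 is two cores. The following added example (not part of the original post; helper names are hypothetical) converts quantities and checks a container against the rocky-limits bounds and a limits.cpu quota.

```shell
#!/bin/sh
# cpu_millicores QTY: 300m -> 300, 2 -> 2000, 0.5 -> 500
cpu_millicores() {
    case $1 in
        *m) echo "${1%m}" ;;
        *)  awk -v c="$1" 'BEGIN { printf "%d\n", c * 1000 + 0.5 }' ;;
    esac
}

# mem_bytes QTY: binary suffixes only (Ki, Mi, Gi), as used on this page.
mem_bytes() {
    case $1 in
        *Ki) echo $(( ${1%Ki} * 1024 )) ;;
        *Mi) echo $(( ${1%Mi} * 1024 * 1024 )) ;;
        *Gi) echo $(( ${1%Gi} * 1024 * 1024 * 1024 )) ;;
        *)   echo "$1" ;;
    esac
}

# in_range VALUE MIN MAX (integers): true when MIN <= VALUE <= MAX
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# check_container CPU MEM: compare one container's limits with the Container
# entry of rocky-limits (min 5m/5Mi, max 300m/300Mi).
check_container() {
    rc=0
    in_range "$(cpu_millicores "$1")" 5 300 || { echo "cpu $1 outside 5m..300m"; rc=1; }
    in_range "$(mem_bytes "$2")" "$(mem_bytes 5Mi)" "$(mem_bytes 300Mi)" ||
        { echo "memory $2 outside 5Mi..300Mi"; rc=1; }
    return "$rc"
}

# fits_quota COUNT CPU_EACH QUOTA_CPU: do COUNT containers with a CPU limit of
# CPU_EACH fit under a limits.cpu quota of QUOTA_CPU?
fits_quota() {
    [ $(( $1 * $(cpu_millicores "$2") )) -le "$(cpu_millicores "$3")" ]
}

# Three containers at the default limit of 100m each, against two quota values.
for q in 2 2m; do
    if fits_quota 3 100m "$q"; then echo "limits.cpu=$q: fits"; else echo "limits.cpu=$q: rejected"; fi
done
check_container 100m 100Mi && echo "default limits are inside the range"
check_container 1 512Mi || true
```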
------------------------------------------------------------------------------------------------------------------------------
 Question : 7

Deploy application in the project project1:
-       There is one pod already running and
-       Application should produce output
 
·    Step 1: Switch to the project
o   oc project project1 - to switch to the mentioned project
·    Step 2: Get the details of the deployment config, pods
o   oc get dc - to get the deployment config status
o   oc get pods - to get the pod details
o   oc describe pod <pod-name> - to check the pod status
·    Step 3: Check the application output
o   oc get route - to get the application url – access the url and see the output of the application – application should not be accessible
·    Step 4: Get the details of the nodes
o   oc get nodes -l node-role.kubernetes.io/worker - to get the worker node details
·    Step 5: Check for taints
o   oc describe nodes <fully qualified name_node> | grep -i taint - to check the node is tainted
·    Step 6: Edit nodes
o   oc edit node <fully qualified name_node> - to edit the nodes to remove taints info
·    Step 7: Validation
o   oc get pods - to check the pod status
o   oc get route - to get the application url – access the url and see the output of the application – application should be accessible
 ----------------------------------------------------------------------------------------------------------------------
Question : 8

Category: Configure pod scheduling – Manual scaling – Scale applications to meet the increased demand.
 
Scale application manually
-       scale single-pod replicas to 6 under the project world and make sure all pods should run successfully
 
·    Step 1: Switch to the project
o   oc project world - to switch to the mentioned project
·    Step 2: Get the details of the deployment config and pods
o   oc get dc - to get the deployment config status
o   oc get pods - to get the pod details
·    Step 3: Manually Scale
o   oc scale -h - to get the syntax for manual scaling
o   oc scale --replicas 6 dc/<dc-name> - to manually scale the application
·    Step 4: Validation
o   oc get pods - all the 6 pods should be up and running
o   oc get route - to get the application url – access the url and see the output of the application – application should be accessible
 ---------------------------------------------------------------------------------------------------------------------------
 Question : 9
Category: Configure pod scheduling – Auto scaling – Scale applications to meet the increased demand.
 
 
 Autoscale of Pods in scaling project:
-       minimum replicas=2, maximum replicas=9 and cpu percentage=60 %
-       default request for container memory should be 100Mi and cpu 50m
 
·    Step 1: Switch to the project
o   oc project scaling - to switch to the mentioned project
·    Step 2: Get the details of the deployment config and pods
o   oc get dc - to get the deployment config status
o   oc get pods - to get the pod details
·    Step 3: To set resources to the deployment
o   oc set resources -h - to get the syntax for setting the resource limits for the deployment
o   oc set resources dc/<dc-name> --requests cpu=50m,memory=100Mi - to set resources to the deployment
·    Step 4: Autoscale
o   oc autoscale -h - to get the syntax for autoscale
o   oc autoscale dc/<dc-name> --min 2 --max 9 --cpu-percent 60 - to autoscale the deployment
·    Step 5: Validation
o   oc get hpa - to validate
o   oc get pods - all the pods should be up and running
o   oc get route - to get the application url – access the url and see the output of the application – application should be accessible
---------------------------------------------------------------------------------------------------------------------------------
 Question : 10
Category: Control access to resources - Create and apply secrets to manage sensitive information
  Create a secret named ex280-secure in the secure project
      The key name should be myuser
      The value of the key should be asdf234234=
 
·    Step 1: Switch to the project
o   oc project secure - to switch to the mentioned project
·    Step 2: Create Secret
o   oc create secret generic -h - to get the syntax for creating the secret from the literal
o   oc create secret generic ex280-secure --from-literal myuser=asdf234234= - to create the secret
·    Step 3: Validation
o   oc get secret -n secure - to validate
 -----------------------------------------------------------------------------------------------------------------------
 Question : 11

Category: Control access to resources - Create and apply secrets to manage sensitive information
  
Q11) Use the secret in the secure project
-       One pod already exists
-       It should use ex280-secure secret
-       Application should produce output
 
·    Step 1: Switch to the project
o   oc project secure - to switch to the mentioned project
·    Step 2: Check the status of the pods
o   oc get dc - to get the deployment config status
o   oc get pods - to get the pod details – the pod is not in the running status
·    Step 3: link the secret created to the deployment
o   oc set env --from=secret/ex280-secure dc/<dc_name> - to link the secret to the deployment to rectify the issue
·    Step 4: Validation
o   oc get pods - to check the pod status - pod should be in running status
o   oc get route - to get the application url – access the url and see the output of the application – application should be accessible
------------------------------------------------------------------------------------------------------------------------------
 Question : 12

Category: Configure networking components – Create a CA signed certificate
Category: Configure networking components – Secure routes using TLS certificates
 
Create secure route in quart project
-       One application is already running named with hello based on http
-       It should run on https with self-signed certificate
-       It should use '/CN=quart.apps.domain3.example.com'
-       It should run on https with following url: https://quart.apps.domain3.example.com
-       Application should produce output
 
·    Step 1: Switch to the project
o   oc project quart - to switch to the mentioned project
·    Step 2: Check the status of the pods
o   oc get dc - to get the deployment config status
o   oc get pods - to get the pod details
·    Step 3: Create CA-signed certificate
o   newcert "/C=US/ST=NorthCarolina/L=Raleigh/O=RedHat/CN=quart.apps.domain3.example.com" – to create a self-signed certificate – this command will create a .key, .crt and .csr file in the local directory
o   ls -lrt – to check if the files have been created.
   ---> Delete the existing route and create a new route
·    Step 4: Create an edge route
o   oc create route edge -h – to check the syntax
o   oc create route edge --service=<servicename given in the exam> --hostname=<CN_given_in exam – do not use the https://> --cert=<filename>.crt --key=<filename>.key – to create the edge route
·    Step 5: Validation
o   oc get pods - to check the pod status - pod should be in running status
o   oc get route - route will be given in the exam - so try to access it to see if you can reach the application – when the application is accessed, you need to click the "accept the risk and continue" button in the advanced section so that the application can be accessed correctly
 ---------------------------------------------------------------------------------------------------------------------------
 Question : 13

Category: Control access to resources – Create service accounts
 
Create service account(user) in project1
-       Service account (user) should be project1-sa
-       Service account should be associated with anyuid SCC
 
·    Step 1: Switch to the project
o   oc project project1 - to switch to the mentioned project
·    Step 2: Create Service Account
o   oc create serviceaccount project1-sa - to create the mentioned service account
·    Step 3: Assign RBAC role
o   oc adm policy add-scc-to-user anyuid -z project1-sa - to add the anyuid SCC to the service account created
·    Step 4: Validation
o   oc get scc - to validate
 ----------------------------------------------------------------------------------------------------------------------------
 Question : 14

Category: Control access to resources – Apply permissions using security context constraints
 
 Deploy application in the project project2
-       There is one pod already running
-       Application should produce output
 
·    Step 1: Switch to the project
o   oc project project1 - to switch to the mentioned project
·    Step 2: Check the status of the pods
o   oc get dc - to get the deployment config status
o   oc get pods - to get the pod details
·    Step 3: Set up SCC
o   oc set serviceaccount dc/dcname project1-sa - to set SCC to deployment config
·    Step 4: Validation
o   oc get route - try to access your application using route name. If application not accessible then check the endpoint in service
o   oc get ep - If application not accessible then check the endpoint in service
·    Step 5: Get Label Info
o   oc get deployment/<deployment-name> -o yaml | less – get label under spec --> template --> metadata --> labels
·    Step 6: Edit service
o   oc edit svc/<service-name> - add or modify the label name under spec --> selector
·    Step 7: Validation
o   oc get pods - to check the pod status - pod should be in running status
o   oc get route - route will be given in the exam - so try access it to see if you can access the application
 --------------------------------------------------------------------------------------------------------------------------
 Question : 15

Category: Manage OpenShift Container Platform - Troubleshoot common cluster events and alerts
Category: Configure networking components - Control cluster network ingress
 
Hint for ingress question – project name will be pathfinder and the application name will be voyager.
 
Deploy application in project project3
-       There is one pod already running
-       Application should produce output
 
·    Step 1: Switch to the project
o   oc project project1 - to switch to the mentioned project
·    Step 2: Check the status of the pods
o   oc get dc - to get the deployment config status
o   oc get pods - to get the pod details - notice pod in pending/error state
·    Step 3: Check for the label info in the pod
o   oc describe pod <pod name> - get the label info from the pod. ex client=acme
·    Step 4: Check the details of the nodes
o   oc get nodes -L client - to check the node status - notice client key has different value or maybe there is an issue with case
·    Step 5: Fix for node selector in the deployment
o   oc edit dc/<dc-name> - modify node selector value under spec --> template --> spec
·    Step 6: Validation
o   oc get pods - to check the pod status
o   oc get route - route will be given in the exam - so try access it to see if you can access the application.
·    Step 7: Fix Ingress
o   oc get ingress - to get the ingress details
o   oc edit ingress <ingress-name> - to edit the ingress details. Edit the hostname and fix the typo – it will be given as ….app….; change it to apps, then save and exit
·    Step 8: Validation
o   oc get pods - to check the pod status - pod should be in running status
o   oc get route - route will be given in the exam - so try access it to see if you can access the application.
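
Question 14 (service selector versus pod labels) and Question 15 (node selector versus node labels) are the same kind of mismatch, and it can be spotted mechanically. The following added example, not part of the original post, compares a selector with a label set in the comma-separated key=value form printed by --show-labels; the function name and sample values are constructed.

```shell
#!/bin/sh
# unmet_selector SELECTOR LABELS
# Both arguments are comma-separated key=value lists.
# Prints one line per selector term the labels do not satisfy and returns
# non-zero if any term is unmet. Matching is exact, so case matters.
unmet_selector() {
    awk -v sel="$1" -v lab="$2" 'BEGIN {
        n = split(lab, pair, ",")
        for (i = 1; i <= n; i++) {
            eq = index(pair[i], "=")
            have[substr(pair[i], 1, eq - 1)] = substr(pair[i], eq + 1)
        }
        m = split(sel, term, ",")
        for (i = 1; i <= m; i++) {
            eq = index(term[i], "=")
            k = substr(term[i], 1, eq - 1); v = substr(term[i], eq + 1)
            if (!(k in have)) {
                hint = ""
                for (h in have)
                    if (tolower(h) == tolower(k)) hint = " (label key is \"" h "\")"
                print k "=" v ": key not present" hint; bad++
            } else if (have[k] != v) {
                hint = (tolower(have[k]) == tolower(v)) ? " (differs only in case)" : ""
                print k "=" v ": label value is \"" have[k] "\"" hint; bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed values: a pod that asks for client=acme, a node labelled client=ACME.
unmet_selector "client=acme" "client=ACME,node-role.kubernetes.io/worker=" || true
```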
 ----------------------------------------------------------------------------------------------------------------------------
 Question : 16

Category: Manage OpenShift Container Platform - Troubleshoot common cluster events and alerts
 
Deploy application in project project4
-       There is one pod already running
-       Application should produce output
 
·    Step 1: Switch to the project
o   oc project project4 - to switch to the mentioned project
·    Step 2: Check the status of the pods
o   oc get dc - to get the deployment config status
o   oc get pods - to get the pod details - notice pod in pending/error state
·    Step 3: Check for errors in the pod
o   oc describe pod <pod name> - notice there is an error that node doesn’t have sufficient memory
·    Step 4: Fix for resources in the deployment
o   oc edit dc/<dc-name> - modify resources value under spec --> template --> spec --> containers – reduce the value to a smaller value
·    Step 5: Validation
o   oc get pods - to check the pod status - pod should be in running status      
o   oc get route - try to access your application using route name. if application not available.

-----------------------------------------------------------------------------------------------

   want to know, How to link secret to service account?

Comments

  1. Excellent Documentations..Kudos to Muthu bro,,👍👍👍
