├── .github
│   └── workflows
│       └── ci.yml
├── README.md
├── docs
│   ├── cluster-architecture.md
│   ├── containers.md
│   ├── favicon.png
│   ├── index.md
│   ├── jobs.md
│   ├── networking.md
│   ├── nodes.md
│   ├── security.md
│   ├── storage.md
│   ├── topology.md
│   └── workloads.md
├── mkdocs.yml
└── overrides
    └── main.html
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
1 | name: ci
2 | on:
3 |   push:
4 |     branches:
5 |       - master
6 |       - main
7 | jobs:
8 |   deploy:
9 |     runs-on: ubuntu-latest
10 |     steps:
11 |       - uses: actions/checkout@v2
12 |       - uses: actions/setup-python@v2
13 |         with:
14 |           python-version: 3.x
15 |       - run: pip install mkdocs-material
16 |       - run: mkdocs gh-deploy --force
17 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # k8s-faq
2 |
3 | Test your knowledge of Kubernetes. Anki-compatible flashcards can be downloaded [**here**](https://github.com/koletyst/kubernetes-faq/releases/latest).
4 |
5 | ## Table of Contents:
6 |
7 | **Hint: [**View in GitHub Pages!**](https://koletyst.github.io/kubernetes-faq)**
8 |
9 | 1. [Cluster Architecture](./docs/cluster-architecture.md) (46 questions)
10 | 1. [Containers](./docs/containers.md) (62 questions)
11 | 1. [Jobs](./docs/jobs.md) (16 questions)
12 | 1. [Networking](./docs/networking.md) (60 questions)
13 | 1. [Nodes](./docs/nodes.md) (59 questions)
14 | 1. [Security](./docs/security.md) (193 questions)
15 | 1. [Storage](./docs/storage.md) (89 questions)
16 | 1. [Topology](./docs/topology.md) (20 questions)
17 | 1. [Workloads](./docs/workloads.md) (125 questions)
18 |
19 | #### Like this project?
20 |
21 | * [Star it](https://github.com/koletyst/kubernetes-faq/stargazers)!
22 | * Follow [@koletyst](https://twitter.com/koletyst) on Twitter
23 |
--------------------------------------------------------------------------------
/docs/cluster-architecture.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | An object's metadata._____ status field denotes its parent object. If empty, the child object will be garbage collected and removed.
4 |
5 | ownerReference
6 |
7 |
8 |
9 |
10 | A _____ API object stores confidential key-value pairs. Pods can consume them as environment variables, command-line arguments, or mount them as volumes.
11 |
12 | Secret
13 |
14 |
15 |
16 |
17 | _____ are key-value pairs that identify resources, and can be matched by the Selectors of other resources.
18 |
19 | Labels
20 |
21 |
22 |
23 |
24 | In clusters that mount tens of thousands of unique Secrets/ConfigMaps to Pods or more, Secrets and ConfigMaps can be configured as _____ to significantly increase performance, as kube-apiserver will no longer watch for secrets or config maps.
25 |
26 | immutable
27 |
28 |
29 |
30 |
31 | An API Object's _____.finalizers field holds a list of strings, all of which must be explicitly removed before the object can be deleted from the cluster.
32 |
33 | metadata
34 |
35 |
36 |
37 |
38 | _____ enables cloud providers to release features at a different pace compared to the main Kubernetes project.
39 |
40 | cloud-controller-manager
41 |
42 |
43 |
44 |
45 | In Kubernetes request/limit terms, 1 CPU equals _____ on bare-metal Intel processors.
46 |
47 | 1 hyperthread
48 |
49 |
50 |
51 |
52 | A custom resource is _____.
53 |
54 | an extension of the Kubernetes API
55 |
56 |
57 |
58 |
59 | If the data you want to store are confidential, use a _____ rather than a ConfigMap.
60 |
61 | Secret
62 |
63 |
64 |
65 |
66 | An object's _____.ownerReference status field denotes its parent object. If empty, the child object will be garbage collected and removed.
67 |
68 | metadata
69 |
70 |
71 |
72 |
73 | A ResourceQuota may constrain aspects of a _____ such as maximum resource consumption or maximum allowed number of Objects of a specific Kind.
74 |
75 | namespace
76 |
77 |
78 |
79 |
80 | A ConfigMap API object stores non-confidential key-value pairs. Pods can consume them as environment variables, command-line arguments, or as _____.
81 |
82 | volumes
83 |
84 |
85 |
86 |
87 | _____ allow you to create your own custom Kubernetes objects, to store any data you wish.
88 |
89 | CustomResourceDefinitions (CRDs)
90 |
91 |
92 |
93 |
94 | A Secret API object stores confidential key-value pairs. Pods can consume them as _____, command-line arguments, or mount them as volumes.
95 |
96 | environment variables
97 |
98 |
99 |
100 |
101 | An API Object's metadata.finalizers field holds a list of strings, all of which must be explicitly removed before the object can be _____ from the cluster.
102 |
103 | deleted
104 |
105 |
106 |
107 |
108 | A ConfigMap API object stores non-confidential key-value pairs. Pods can consume them as environment variables, _____, or as volumes.
109 |
110 | command-line arguments
111 |
112 |
113 |
114 |
115 | A Secret API object stores confidential key-value pairs. Pods can consume them as environment variables, command-line arguments, or mount them as _____.
116 |
117 | volumes
118 |
119 |
120 |
121 |
122 | A Secret API object stores confidential key-value pairs. Pods can consume them as environment variables, _____, or mount them as volumes.
123 |
124 | command-line arguments
125 |
126 |
127 |
128 |
129 | An object's metadata.ownerReference status field denotes its parent object. If empty, the child object will be _____.
130 |
131 | garbage collected and removed
132 |
133 |
134 |
135 |
136 | A _____ API object is set per namespace
137 |
138 | LimitRange
139 |
140 |
141 |
142 |
143 | _____ are key/value pairs you may write in the metadata of objects.
144 |
145 | Labels
146 |
147 |
148 |
149 |
150 | The _____ namespace holds the public data of a Kubernetes cluster.
151 |
152 | kube-public
153 |
154 |
155 |
156 |
157 | A LimitRange API object is set per _____
158 |
159 | namespace
160 |
161 |
162 |
163 |
164 | A _____ is an extension of the Kubernetes API.
165 |
166 | custom resource
167 |
168 |
169 |
170 |
171 | ConfigMaps are mounted to a Pod via its .spec._____ field
172 |
173 | volumes
174 |
175 |
176 |
177 |
178 | A LimitRange API Object can enforce a ratio between requests and limits for _____ in a namespace.
179 |
180 | containers
181 |
182 |
183 |
184 |
185 | A _____ can enforce minimum and maximum resource usage per Pod or Container in a namespace.
186 |
187 | LimitRange
188 |
189 |
190 |
191 |
192 | A LimitRange API Object can enforce a ratio between requests and _____ for containers in a namespace.
193 |
194 | limits
195 |
196 |
197 |
198 |
199 | metrics-server provides metrics via the resource metrics API, used by _____s to collect metrics.
200 |
201 | Horizontal Pod Autoscaler
202 |
203 |
204 |
205 |
206 | A _____ API object stores non-confidential key-value pairs. Pods can consume them as environment variables, command-line arguments, or as volumes.
207 |
208 | ConfigMap
209 |
210 |
211 |
212 |
213 | You can enforce minimum and maximum storage request per PersistentVolumeClaim in a namespace using a _____
214 |
215 | LimitRange
216 |
217 |
218 |
219 |
220 | A _____ API Object can enforce a ratio between requests and limits for containers in a namespace.
221 |
222 | LimitRange
223 |
224 |
225 |
226 |
227 | A _____ may constrain aspects of a namespace such as maximum resource consumption or maximum allowed number of Objects of a specific Kind.
228 |
229 | ResourceQuota
230 |
231 |
232 |
233 |
234 | When a ConfigMap is updated, the projected keys inside the Pod which mount the ConfigMap are _____. The kubelet periodically checks that every mounted ConfigMap is fresh, though it also uses its own local configurable cache for getting the current value of the ConfigMap.
235 |
236 | eventually updated
237 |
238 |
239 |
240 |
241 | When teams share a cluster with limited resources, one team could use more than its fair share. _____ objects address this concern.
242 |
243 | ResourceQuota
244 |
245 |
246 |
247 |
248 | metrics-server provides metrics via the _____ API, used by Horizontal Pod Autoscalers to collect metrics.
249 |
250 | resource metrics
251 |
252 |
253 |
254 |
255 | A ConfigMap API object stores non-confidential key-value pairs. Pods can consume them as _____, command-line arguments, or as volumes.
256 |
257 | environment variables
258 |
259 |
260 |
261 |
262 | Labels are key-value pairs that identify resources, and can be matched by the _____ of other resources.
263 |
264 | Selectors
265 |
266 |
267 |
268 |
269 | _____ provides metrics via the resource metrics API, used by Horizontal Pod Autoscalers to collect metrics.
270 |
271 | metrics-server
272 |
273 |
274 |
275 |
276 | If too many Pods run with high priority, lower priority Pods may start being _____.
277 |
278 | evicted or unschedulable
279 |
280 |
281 |
282 |
283 | The _____ namespace holds Kubernetes system processes.
284 |
285 | kube-system
286 |
287 |
288 |
289 |
290 | Labels are key/value pairs you may write in the _____ of objects.
291 |
292 | metadata
293 |
294 |
295 |
296 |
297 | The _____ daemon embeds the core control loops of Kubernetes.
298 |
299 | kube-controller-manager
300 |
301 |
302 |
303 |
304 | When a ConfigMap is updated, the projected keys inside the Pod which mount the ConfigMap are eventually updated. The _____ periodically checks that every mounted ConfigMap is fresh, though it also uses its own local configurable cache for getting the current value of the ConfigMap.
305 |
306 | kubelet
307 |
308 |
309 |
310 |
311 | A LimitRange API Object can enforce a ratio between requests and limits for containers in a _____.
312 |
313 | namespace
314 |
315 |
316 |
317 |
318 | An API Object's metadata._____ field holds a list of strings, all of which must be explicitly removed before the object can be deleted from the cluster.
319 |
320 | finalizers
321 |
322 |
323 |
324 |
325 | In Kubernetes request/limit terms, _____ equals 1 hyperthread on bare-metal Intel processors.
326 |
327 | 1 CPU
328 |
329 |
330 |
331 |
332 | A LimitRange API Object can enforce a ratio between _____ and limits for containers in a namespace.
333 |
334 | requests
335 |
336 |
337 |
--------------------------------------------------------------------------------
/docs/containers.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | The VerticalPodAutoscaler API Object adjusts the _____ of a container.
4 |
5 | resource requests and limits
6 |
7 |
8 |
9 |
10 | A container is in the Terminated state when it has _____.
11 |
12 | completed execution, with or without success
13 |
14 |
15 |
16 |
17 | If the node where a Pod is running has enough of a resource available, a container is allowed to use more resources than its resource _____.
18 |
19 | requests
20 |
21 |
22 |
23 |
24 | A container's available ImagePullPolicy options are Always, Never and _____
25 |
26 | IfNotPresent (default)
27 |
28 |
29 |
30 |
31 | Default _____ for containers can be set on a namespace via a LimitRange
32 |
33 | requests/limits
34 |
35 |
36 |
37 |
38 | A container's probes will not run until its _____Probe succeeds.
39 |
40 | startup
41 |
42 |
43 |
44 |
45 | Readiness gates are determined by the current state of a Pod's .status._____ fields. If the field isn't found, the status of the condition defaults to "False"
46 |
47 | conditions
48 |
49 |
50 |
51 |
52 | A _____Probe indicates whether a container is ready to service requests.
53 |
54 | readiness
55 |
56 |
57 |
58 |
59 | To troubleshoot a Container's bug, inspect its state or run some arbitrary commands, you may execute an _____ Container inside the enclosing Pod, from which further commands can be run.
60 |
61 | ephemeral
62 |
63 |
64 |
65 |
66 | The preStop hook is executed before a container enters _____ state.
67 |
68 | Terminated
69 |
70 |
71 |
72 |
73 | Do ephemeral containers guarantee execution? _____
74 |
75 | No
76 |
77 |
78 |
79 |
80 | If the startupProbe fails, the container is killed by the kubelet, then subjected to the container's _____ policy.
81 |
82 | restart
83 |
84 |
85 |
86 |
87 | A container's process is stuck, consuming 100% of its CPU and it won't reply to Readiness probes. If it doesn't have a _____, it will keep infinitely consuming resources, while serving no requests.
88 |
89 | livenessProbe
90 |
91 |
92 |
93 |
94 | Is running backups a valid use case for a sidecar container inside a Pod? _____
95 |
96 | Yes
97 |
98 |
99 |
100 |
101 | A _____Probe restarts your container when it's stuck, for example when it's running an infinite loop, where there is no way for the process to seek help externally, or even exit by itself.
102 |
103 | liveness
104 |
105 |
106 |
107 |
108 | When a container's livenessProbe and readinessProbe point to the same endpoint, the container will be detached from its Service and deleted at the same time. Is this fine? _____
109 |
110 | No - it will cause connection drops because the container is given no time to drain its current connections before being deleted.
111 |
112 |
113 |
114 |
115 | A process with one thread cannot consume more than _____ per second. The more threads, the less time it takes to consume it.
116 |
117 | 1 CPU second
118 |
119 |
120 |
121 |
122 | A container's available ImagePullPolicy options are _____, Never and IfNotPresent (default)
123 |
124 | Always
125 |
126 |
127 |
128 |
129 | Containers run with unbounded compute resources on a Kubernetes cluster by default. To alleviate this, using _____, LimitRanges and ResourceQuotas is recommended.
130 |
131 | Limits
132 |
133 |
134 |
135 |
136 | A container's available ImagePullPolicy options are Always, _____ and IfNotPresent (default)
137 |
138 | Never
139 |
140 |
141 |
142 |
143 | The _____ hook is executed immediately after a Container is Created.
144 |
145 | postStart
146 |
147 |
148 |
149 |
150 | Containers run with unbounded compute resources on a Kubernetes cluster by default. To alleviate this, using Limits, _____ and ResourceQuotas is recommended.
151 |
152 | LimitRanges
153 |
154 |
155 |
156 |
157 | A _____ is used for recovery when a Container's process is not responsive.
158 |
159 | livenessProbe
160 |
161 |
162 |
163 |
164 | To find why a container is in Terminated state, check its state's Reason and _____ fields.
165 |
166 | Exit Code
167 |
168 |
169 |
170 |
171 | A pod or container could monopolize all available resources in a cluster. A _____ API object constrains resource allocations to pods or containers in a namespace.
172 |
173 | LimitRange
174 |
175 |
176 |
177 |
178 | When a container's livenessProbe fails, the container is _____ by the kubelet, then subjected to the container's restart policy.
179 |
180 | killed
181 |
182 |
183 |
184 |
185 | Is running authentication proxies a valid use case for a sidecar container inside a Pod? _____
186 |
187 | Yes
188 |
189 |
190 |
191 |
192 | A container is in _____ state when it is pulling images, applying secrets, etc.
193 |
194 | Waiting
195 |
196 |
197 |
198 |
199 | To find why a container is in Terminated state, check its state's _____ and Exit Code fields.
200 |
201 | Reason
202 |
203 |
204 |
205 |
206 | Do ephemeral containers have guaranteed resources? _____
207 |
208 | No
209 |
210 |
211 |
212 |
213 | If you don't set limits for a container, they may be inferred from the namespace's _____, if set.
214 |
215 | LimitRange
216 |
217 |
218 |
219 |
220 | A container's _____ field allows you to store credentials for a container image registry.
221 |
222 | imagePullSecrets
223 |
224 |
225 |
226 |
227 | The _____ hook is executed before a container enters Terminated state.
228 |
229 | preStop
230 |
231 |
232 |
233 |
234 | Default requests/limits for containers can be set on a namespace via a _____
235 |
236 | LimitRange
237 |
238 |
239 |
240 |
241 | A container's available _____ options are Always, Never and IfNotPresent (default)
242 |
243 | ImagePullPolicy
244 |
245 |
246 |
247 |
248 | To define default CPU/memory limit and requests for containers started with no CPU/memory settings in their specs, you could use _____.
249 |
250 | LimitRange
251 |
252 |
253 |
254 |
255 | If a Pod's _____Probe fails, the Pod's IP address is removed from all Services that match the Pod.
256 |
257 | readiness
258 |
259 |
260 |
261 |
262 | If a container should only be sent traffic when a probe succeeds, the _____Probe can be used to achieve this behaviour.
263 |
264 | readiness
265 |
266 |
267 |
268 |
269 | Containers run with _____ compute resources on a Kubernetes cluster by default. To alleviate this, using Limits, LimitRanges and ResourceQuotas is recommended.
270 |
271 | unbounded
272 |
273 |
274 |
275 |
276 | Container probes result in _____ if the container passed the diagnostic, Failure if it hasn't. If the diagnostic failed altogether, the probe's result is Unknown.
277 |
278 | Success
279 |
280 |
281 |
282 |
283 | When a process in a container tries to consume more than the allowed amount of memory, the system kernel terminates the process that attempted the allocation, with an _____ error
284 |
285 | OOM (Out of Memory)
286 |
287 |
288 |
289 |
290 | A container is in the _____ state when it has completed execution, with or without success.
291 |
292 | Terminated
293 |
294 |
295 |
296 |
297 | Container probes result in Success if the container passed the diagnostic, _____ if it hasn't. If the diagnostic failed altogether, the probe's result is Unknown.
298 |
299 | Failure
300 |
301 |
302 |
303 |
304 | The _____ API Object adjusts the resource requests and limits of a container.
305 |
306 | VerticalPodAutoscaler
307 |
308 |
309 |
310 |
311 | Does a Pod's restartPolicy apply to all its containers? _____
312 |
313 | Yes
314 |
315 |
316 |
317 |
318 | When a container's livenessProbe fails, the container is killed by the kubelet, then subjected to the container's _____ policy.
319 |
320 | restart
321 |
322 |
323 |
324 |
325 | The postStart hook is executed immediately after a Container is _____.
326 |
327 | Created
328 |
329 |
330 |
331 |
332 | A container is not allowed to use more than its resource _____.
333 |
334 | limits
335 |
336 |
337 |
338 |
339 | A container's _____Probe indicates whether the application in the container has started.
340 |
341 | startup
342 |
343 |
344 |
345 |
346 | To find out why a container is in Waiting state, you can check its state's _____ field
347 |
348 | Reason
349 |
350 |
351 |
352 |
353 | If the _____Probe fails, the container is killed by the kubelet, then subjected to the container's restart policy.
354 |
355 | startup
356 |
357 |
358 |
359 |
360 | Container probes result in Success if the container passed the diagnostic, Failure if it hasn't. If the diagnostic failed altogether, the probe's result is _____.
361 |
362 | Unknown
363 |
364 |
365 |
366 |
367 | A container has no livenessProbe, readinessProbe nor startupProbe. With this configuration, the result on each of these probes will be _____.
368 |
369 | Success!
370 |
371 |
372 |
373 |
374 | Will an ephemeral container ever automatically restart? _____
375 |
376 | No
377 |
378 |
379 |
380 |
381 | A container is in the _____ state when it is executing without issues.
382 |
383 | Running
384 |
385 |
386 |
387 |
388 | When a container's _____Probe fails, the container is killed by the kubelet, then subjected to the container's restart policy.
389 |
390 | liveness
391 |
392 |
393 |
394 |
395 | Readiness gates are determined by the current state of a Pod's .status.conditions fields. If the field isn't found, the status of the condition defaults to "_____"
396 |
397 | False
398 |
399 |
400 |
401 |
402 | A temporary "_____" container may be run in an existing Pod to accomplish user-initiated actions such as troubleshooting and inspecting services.
403 |
404 | ephemeral
405 |
406 |
407 |
408 |
409 | A container without a readinessProbe is considered ready for traffic once it starts. The problem with this is that _____
410 |
411 | the application inside the container might need more time to start than its enclosing container. Requests sent to the container will fail, because the container was deemed "Ready" before the application actually started.
412 |
413 |
414 |
415 |
416 | When a process in a container tries to consume more than the allowed amount of memory, the system kernel _____ the process that attempted the allocation, with an OOM (Out of Memory) error
417 |
418 | terminates
419 |
420 |
421 |
422 |
423 | The "_____" container inside each Pod reserves and holds the network namespace (netns), enabling containers to communicate with each other and retaining the Pod's IP address.
424 |
425 | pause
426 |
427 |
428 |
429 |
430 | Is running database synchronisation a valid use case for a sidecar container inside a Pod? _____
431 |
432 | Yes
433 |
434 |
435 |
436 |
437 | Containers run with unbounded compute resources on a Kubernetes cluster by default. To alleviate this, using Limits, LimitRanges and _____ is recommended.
438 |
439 | ResourceQuotas
440 |
441 |
442 |
--------------------------------------------------------------------------------
/docs/favicon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/katademy/kubernetes/82a57ca908dcf1c9c9c3a289903aacf0b6f7cc9f/docs/favicon.png
--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
1 | We aim to be the most comprehensive repository for Kubernetes flashcards and interview questions. All flashcards in this project can be downloaded in Anki format [**here**](https://github.com/koletyst/kubernetes-faq/releases/latest).
2 |
3 | ## Table of Contents:
4 |
5 | 1. [Cluster Architecture](./cluster-architecture.md) (46 questions)
6 | 1. [Containers](./containers.md) (62 questions)
7 | 1. [Jobs](./jobs.md) (16 questions)
8 | 1. [Networking](./networking.md) (60 questions)
9 | 1. [Nodes](./nodes.md) (59 questions)
10 | 1. [Security](./security.md) (193 questions)
11 | 1. [Storage](./storage.md) (89 questions)
12 | 1. [Topology](./topology.md) (20 questions)
13 | 1. [Workloads](./workloads.md) (125 questions)
14 |
15 | #### Like this project?
16 |
17 | * [Star it](https://github.com/koletyst/kubernetes-faq/stargazers)
18 | * Follow [@koletyst](https://twitter.com/koletyst) on Twitter
19 |
20 | Saw an error? [Open an Issue](https://github.com/koletyst/kubernetes-faq/issues/new)!
21 |
--------------------------------------------------------------------------------
/docs/jobs.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | A CronJob is counted as _____ if its concurrencyPolicy is set to Forbid, and it attempted to be scheduled when there was a previous schedule still running.
4 |
5 | missed
6 |
7 |
8 |
9 |
10 | A job's _____ is the number of Pods it may run at the same time. By default, it is set to 1.
11 |
12 | parallelism
13 |
14 |
15 |
16 |
17 | If a Job's parallelism is set to 0, the Job is _____.
18 |
19 | paused until Parallelism is increased
20 |
21 |
22 |
23 |
24 | Every dependent (i.e. owned) object has a metadata._____ field that points to the owning object (usually a Controller). You can specify relationships between owners and dependents by manually setting the field.
25 |
26 | ownerReferences
27 |
28 |
29 |
30 |
31 | A _____ runs a Pod periodically at specified times.
32 |
33 | CronJob
34 |
35 |
36 |
37 |
38 | All CronJob schedules are based on the timezone of the _____.
39 |
40 | kube-controller-manager
41 |
42 |
43 |
44 |
45 | A CronJob is counted as "_____" if it has failed to be created at its scheduled time.
46 |
47 | missed
48 |
49 |
50 |
51 |
52 | A _____ runs a Pod a specified number of times before completing.
53 |
54 | Job
55 |
56 |
57 |
58 |
59 | A _____ creates one or more Pods and ensures that a specified number of them successfully terminate. The minimum required number of completions is configured via the Job's .spec.completions field.
60 |
61 | Job
62 |
63 |
64 |
65 |
66 | A CronJob is counted as missed if its concurrencyPolicy is set to _____, and it attempted to be scheduled when there was a previous schedule still running.
67 |
68 | Forbid
69 |
70 |
71 |
72 |
73 | Jobs on a repeating schedule are called _____
74 |
75 | CronJobs
76 |
77 |
78 |
79 |
80 | A single _____ object is similar to a single line of a crontab file.
81 |
82 | CronJob
83 |
84 |
85 |
86 |
87 | A job's parallelism is the number of _____ it may run at the same time. By default, it is set to 1.
88 |
89 | Pods
90 |
91 |
92 |
93 |
94 | A Job creates one or more Pods and ensures that a specified number of them successfully terminate. The minimum required number of completions is configured via the Job's .spec._____ field.
95 |
96 | completions
97 |
98 |
99 |
100 |
101 | If a Job's parallelism is set to _____, the Job is paused until Parallelism is increased.
102 |
103 | 0
104 |
105 |
106 |
107 |
108 | A single CronJob object is similar to a single line of a _____ file.
109 |
110 | crontab
111 |
112 |
113 |
--------------------------------------------------------------------------------
/docs/networking.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | You may deploy several Ingress Controllers within one cluster. Just annotate your Ingress objects with a reference to the _____ indicating which Ingress Controller should implement it.
4 |
5 | IngressClass
6 |
7 |
8 |
9 |
10 | In each _____ of a cluster, an internal "Kubernetes" Service is configured with a virtual IP address that redirects to kube-apiserver via kube-proxy.
11 |
12 | namespace
13 |
14 |
15 |
16 |
17 | The controller that creates Services, Endpoints and updates to iptables on nodes is _____
18 |
19 | kube-proxy
20 |
21 |
22 |
23 |
24 | In each namespace of a cluster, an internal "Kubernetes" Service is configured with a virtual IP address that redirects to _____ via kube-proxy.
25 |
26 | kube-apiserver
27 |
28 |
29 |
30 |
31 | Does a Pod have its own network namespace inside? _____
32 |
33 | Yes
34 |
35 |
36 |
37 |
38 | Headless services have no _____, proxying, load-balancing and are not handled by kube-proxy.
39 |
40 | ClusterIP
41 |
42 |
43 |
44 |
45 | _____ services are created by setting the Service's .spec.clusterIP field to "None"
46 |
47 | Headless
48 |
49 |
50 |
51 |
52 | The Kubernetes components running inside a worker node are: kubelet, kube-proxy and the _____
53 |
54 | container runtime
55 |
56 |
57 |
58 |
59 | Headless services are created by setting the Service's .spec._____ field to "None"
60 |
61 | clusterIP
62 |
63 |
64 |
65 |
66 | A Service of type _____ exposes a cluster-internal IP, making it only reachable from within the cluster.
67 |
68 | ClusterIP
69 |
70 |
71 |
72 |
73 | Does a Pod have its own virtual ethernet connection? _____
74 |
75 | Yes
76 |
77 |
78 |
79 |
80 | The Kubernetes components running inside a worker node are: kubelet, _____ and the container runtime
81 |
82 | kube-proxy
83 |
84 |
85 |
86 |
87 | Headless services are created by setting the Service's .spec.clusterIP field to _____
88 |
89 | "None"
90 |
91 |
92 |
93 |
94 | In each namespace of a cluster, an internal "Kubernetes" Service is configured with a virtual IP address that redirects to kube-apiserver via _____.
95 |
96 | kube-proxy
97 |
98 |
99 |
100 |
101 | EndpointSlices support three address types: _____, IPv6, Fully Qualified Domain Name
102 |
103 | IPv4
104 |
105 |
106 |
107 |
108 | The _____ service type exposes a Service on each Node's IP at a static port.
109 |
110 | NodePort
111 |
112 |
113 |
114 |
115 | You may deploy several Ingress Controllers within one cluster. Just annotate your _____ objects with a reference to the IngressClass indicating which Ingress Controller should implement it.
116 |
117 | Ingress
118 |
119 |
120 |
121 |
122 | When a request incoming to the cluster is matched by several equal-length Ingress paths, precedence is given to paths with the _____ path type over prefix path type.
123 |
124 | exact
125 |
126 |
127 |
128 |
129 | A Service's ports can specify the application protocol to use via the _____ field.
130 |
131 | AppProtocol
132 |
133 |
134 |
135 |
136 | An Ingress' TLS secret must contain a certificate (tls.crt) and _____.
137 |
138 | private key (tls.key)
139 |
140 |
141 |
142 |
143 | An _____ Object routes incoming requests to different Services depending on a set of rules.
144 |
145 | Ingress
146 |
147 |
148 |
149 |
150 | A Service of type _____ maps the Service to the contents of the ExternalName field (e.g. foo.bar.example.com), by returning a CNAME record.
151 |
152 | ExternalName
153 |
154 |
155 |
156 |
157 | An Ingress' TLS secret must contain a _____ and private key (tls.key).
158 |
159 | certificate (tls.crt)
160 |
161 |
162 |
163 |
164 | An _____ is full once it reaches 100 endpoints (by default), at which point additional slices will be created.
165 |
166 | EndpointSlice
167 |
168 |
169 |
170 |
171 | An Ingress Object routes incoming requests to different _____ depending on a set of rules.
172 |
173 | Services
174 |
175 |
176 |
177 |
178 | A _____ object is a network abstraction that allows routing to workloads in the cluster.
179 |
180 | Service
181 |
182 |
183 |
184 |
185 | Every Kubernetes node runs kube-proxy which implements a form of Virtual IP for Services (except ExternalName and _____ services)
186 |
187 | headless
188 |
189 |
190 |
191 |
192 | EndpointSlices are a scalable alternative to _____, distributing network endpoints across multiple resources.
193 |
194 | Endpoints
195 |
196 |
197 |
198 |
199 | If none of the hosts or paths match the HTTP request in any of your Ingress objects, traffic is routed to _____, typically implemented by the Ingress Controller.
200 |
201 | the default backend
202 |
203 |
204 |
205 |
206 | Every Kubernetes node runs _____ which implements a form of Virtual IP for Services (except ExternalName and headless services)
207 |
208 | kube-proxy
209 |
210 |
211 |
212 |
213 | Headless services have no ClusterIP, proxying, _____ and are not handled by kube-proxy.
214 |
215 | load-balancing
216 |
217 |
218 |
219 |
220 | Ingress API objects define traffic routing as _____.
221 |
222 | rules
223 |
224 |
225 |
226 |
227 | The .spec.HostAliases field adds entries to a Pod's /etc/_____ file, overriding its internal hostname resolution. This is useful when DNS and other routing options are unavailable.
228 |
229 | hosts
230 |
231 |
232 |
233 |
234 | A global allocation map in _____ is updated with a unique IP for each newly created Service.
235 |
236 | etcd
237 |
238 |
239 |
240 |
241 | Can Ingress API Objects terminate TLS connections for your application? _____
242 |
243 | Yes
244 |
245 |
246 |
247 |
248 | A Service of type NodePort exposes itself on each Node’s IP at a specified, static port. A _____ to which it routes is automatically created.
249 |
250 | ClusterIP
251 |
252 |
253 |
254 |
255 | When a request incoming to the cluster is matched by several equal-length Ingress paths, precedence is given to paths with the exact path type over _____ path type.
256 |
257 | prefix
258 |
259 |
260 |
261 |
262 | In a LoadBalancer service, the _____ annotation removes the double-hop problem by allowing users to define their own balancing.
263 |
264 | OnlyLocal
265 |
266 |
267 |
268 |
269 | The _____ service type exposes the Service externally using a cloud provider’s load balancer.
270 |
271 | LoadBalancer
272 |
273 |
274 |
275 |
276 | An incoming request may be matched by multiple host paths within an Ingress Object. Precedence is given to the _____ matching path rule.
277 |
278 | longest
279 |
280 |
281 |
282 |
283 | EndpointSlices support three address types: IPv4, IPv6, _____
284 |
285 | Fully Qualified Domain Name
286 |
287 |
288 |
289 |
290 | Every Kubernetes node runs kube-proxy which implements a form of Virtual IP for Services (except _____ and headless services)
291 |
292 | ExternalName
293 |
294 |
295 |
296 |
297 | A _____ in etcd is updated with a unique IP for each newly created Service.
298 |
299 | global allocation map
300 |
301 |
302 |
303 |
304 | _____ services have no ClusterIP, proxying, load-balancing and are not handled by kube-proxy.
305 |
306 | Headless
307 |
308 |
309 |
310 |
311 | A Service of type _____ exposes itself on each Node’s IP at a specified, static port. A ClusterIP to which it routes is automatically created.
312 |
313 | NodePort
314 |
315 |
316 |
317 |
318 | To reuse an existing DNS entry, or encapsulate legacy systems configured under a specific IP address, a Service may be set with a custom in-cluster IP address via the .spec._____ field.
319 |
320 | clusterIP
321 |
322 |
323 |
324 |
325 | The .spec._____ field adds entries to a Pod's /etc/hosts file, overriding its internal hostname resolution. This is useful when DNS and other routing options are unavailable.
326 |
327 | HostAliases
328 |
329 |
330 |
331 |
332 | _____ are a scalable alternative to Endpoints, distributing network endpoints across multiple resources.
333 |
334 | EndpointSlices
335 |
336 |
337 |
338 |
339 | Ingress objects can be implemented by various Ingress Controllers. Ingress objects can reference an _____ holding the specific configuration, including the name of the specific controller that should implement it.
340 |
341 | IngressClass
342 |
343 |
344 |
345 |
346 | _____ API objects define traffic routing as rules.
347 |
348 | Ingress
349 |
350 |
351 |
352 |
353 | A Service can map any incoming port to a _____. By default it has the same value as the port field.
354 |
355 | targetPort
356 |
357 |
358 |
359 |
360 | EndpointSlices support three address types: IPv4, _____, Fully Qualified Domain Name
361 |
362 | IPv6
363 |
364 |
365 |
366 |
367 | Every Kubernetes node runs kube-proxy which implements a form of _____ for Services (except ExternalName and headless services)
368 |
369 | Virtual IP
370 |
371 |
372 |
373 |
374 | The Kubernetes components running inside a worker node are: _____, kube-proxy and the container runtime
375 |
376 | kubelet
377 |
378 |
379 |
380 |
381 | Does each Pod have a unique IP? _____
382 |
383 | Yes
384 |
385 |
386 |
387 |
388 | Headless services have no ClusterIP, proxying, load-balancing and are not handled by _____.
389 |
390 | kube-proxy
391 |
392 |
393 |
394 |
395 | _____ objects provide Services with externally-reachable URLs, load balancing, TLS termination, and name-based virtual hosting.
396 |
397 | Ingress
398 |
399 |
400 |
401 |
402 | Headless services have no ClusterIP, _____, load-balancing and are not handled by kube-proxy.
403 |
404 | proxying
405 |
406 |
407 |
408 |
409 | The _____ Service creates an external IP address. The Service itself does not speak with any Pod IPs; instead, it chooses a Node to send packets to.
410 |
411 | LoadBalancer
412 |
413 |
414 |
415 |
416 | The _____ service type exposes the Service externally using a cloud provider's load balancer.
417 |
418 | LoadBalancer
419 |
420 |
421 |
--------------------------------------------------------------------------------
/docs/nodes.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | A Node's _____ condition is True when its network is not correctly configured
4 |
5 | NetworkUnavailable
6 |
7 |
8 |
9 |
10 | Addresses in a node's status include _____, InternalIP, ExternalIP
11 |
12 | HostName
13 |
14 |
15 |
16 |
17 | Addresses in a node's status include HostName, _____, ExternalIP
18 |
19 | InternalIP
20 |
21 |
22 |
23 |
24 | A node's DiskPressure condition is _____ when its disk capacity is low
25 |
26 | True
27 |
28 |
29 |
30 |
31 | A Node's heartbeats are sent by its _____.
32 |
33 | kubelet
34 |
35 |
36 |
37 |
38 | The _____ master component manages Node Health, assigns CIDR and updates a node's internal list of nodes.
39 |
40 | Node Controller
41 |
42 |
43 |
44 |
45 | When a node is reachable by kube-apiserver, but its Ready condition has remained False or Unknown for longer than the kube-controller-manager's pod-eviction-timeout, all Pods on the node are scheduled for deletion by the _____ controller
46 |
47 | node
48 |
49 |
50 |
51 |
52 | The _____ assigns a Node a CIDR block, synchronizes its internal list of other Nodes, and monitors its health.
53 |
54 | Node Controller
55 |
56 |
57 |
58 |
59 | Worker node Kubernetes components (_____ and kube-proxy) communicate with Master node components, specifically kube-apiserver.
60 |
61 | kubelet
62 |
63 |
64 |
65 |
66 | A Node's _____ condition is True when the node's memory is low
67 |
68 | MemoryPressure
69 |
70 |
71 |
72 |
73 | A Node's PIDPressure condition is _____ when there are too many processes running.
74 |
75 | True
76 |
77 |
78 |
79 |
80 | _____ node affinities can block a Pod from running on a node. Soft node affinities are suggestions to the scheduler. Both can be combined, and have multiple weights.
81 |
82 | Hard
83 |
84 |
85 |
86 |
87 | A taint's possible effects are PreferNoSchedule, NoSchedule, _____
88 |
89 | NoExecute
90 |
91 |
92 |
93 |
94 | The Kubernetes Master node runs kube-apiserver, _____, kube-controller-manager.
95 |
96 | scheduler
97 |
98 |
99 |
100 |
101 | The two types of Node Heartbeats are _____ and the Lease Object
102 |
103 | NodeStatus updates
104 |
105 |
106 |
107 |
108 | _____ allow a node to repel a set of Pods, based on certain properties of the node.
109 |
110 | Taints
111 |
112 |
113 |
114 |
115 | When a node is reachable by kube-apiserver, but its Ready condition has remained False or Unknown for longer than the _____'s pod-eviction-timeout, all Pods on the node are scheduled for deletion by the node controller
116 |
117 | kube-controller-manager
118 |
119 |
120 |
121 |
122 | A node is in "_____" status when it is healthy and accepts pods.
123 |
124 | Ready
125 |
126 |
127 |
128 |
129 | Node heartbeats are stored inside the _____ namespace.
130 |
131 | kube-node-lease
132 |
133 |
134 |
135 |
136 | Taints are set on _____. Tolerations are set on Pods.
137 |
138 | Nodes
139 |
140 |
141 |
142 |
143 | A taint's possible effects are _____, NoSchedule, NoExecute
144 |
145 | PreferNoSchedule
146 |
147 |
148 |
149 |
150 | A node's status contains information about its Addresses, Conditions, _____ and Info.
151 |
152 | Capacity/Allocatable
153 |
154 |
155 |
156 |
157 | A Node's self-registration into the control plane is done by its _____.
158 |
159 | kubelet
160 |
161 |
162 |
163 |
164 | A _____ is a physical or virtual machine running Kubernetes workloads.
165 |
166 | Node
167 |
168 |
169 |
170 |
171 | Worker node Kubernetes components (kubelet and kube-proxy) communicate with Master node components, specifically _____.
172 |
173 | kube-apiserver
174 |
175 |
176 |
177 |
178 | A Node's MemoryPressure condition is _____ when the node's memory is low
179 |
180 | True
181 |
182 |
183 |
184 |
185 | A node's _____ condition is True when its disk capacity is low
186 |
187 | DiskPressure
188 |
189 |
190 |
191 |
192 | A node's status contains information about its _____, Conditions, Capacity/Allocatable and Info.
193 |
194 | Addresses
195 |
196 |
197 |
198 |
199 | A Node's "Ready" status is Unknown when 40 seconds have passed since _____ has heard from the node.
200 |
201 | the Node Controller
202 |
203 |
204 |
205 |
206 | Pod _____ express a preference for Pods to be scheduled on the same node as a specific group of other Pods.
207 |
208 | affinities
209 |
210 |
211 |
212 |
213 | A Node's "Ready" status is _____ when it's unhealthy and not accepting pods.
214 |
215 | False
216 |
217 |
218 |
219 |
220 | Node _____ attract Pods to nodes or repel Pods from nodes using specified attributes. For example, you can specify that a Pod can only run on a node in a specified availability zone.
221 |
222 | affinities
223 |
224 |
225 |
226 |
227 | The _____ watches for unschedulable pods and tries to consolidate currently deployed pods on a smaller number of nodes.
228 |
229 | cluster autoscaler
230 |
231 |
232 |
233 |
234 | A Node's _____ inform an incoming packet where in the node it should go to.
235 |
236 | iptables
237 |
238 |
239 |
240 |
241 | A node's status contains information about its Addresses, Conditions, Capacity/Allocatable and _____.
242 |
243 | Info
244 |
245 |
246 |
247 |
248 | The two types of Node Heartbeats are NodeStatus updates and _____
249 |
250 | the Lease Object
251 |
252 |
253 |
254 |
255 | A node's _____ describes the amount of resources available to be consumed by Pods.
256 |
257 | Allocatable
258 |
259 |
260 |
261 |
262 | A Pod won’t be scheduled on a Node that has a Taint defined, unless the Pod has a matching _____ defined.
263 |
264 | Toleration
265 |
266 |
267 |
268 |
269 | When a node is reachable by kube-apiserver, but its Ready condition has remained False or Unknown for longer than the kube-controller-manager's _____-timeout, all Pods on the node are scheduled for deletion by the node controller
270 |
271 | pod-eviction
272 |
273 |
274 |
275 |
276 | _____ allow a Pod to be scheduled on nodes with a specific taint. You can use them to run certain Pods only on dedicated nodes.
277 |
278 | Tolerations
279 |
280 |
281 |
282 |
283 | A node's status contains information about its Addresses, _____, Capacity/Allocatable and Info.
284 |
285 | Conditions
286 |
287 |
288 |
289 |
290 | Taints are set on Nodes. Tolerations are set on _____.
291 |
292 | Pods
293 |
294 |
295 |
296 |
297 | A Node's NetworkUnavailable condition is _____ when its network is not correctly configured
298 |
299 | True
300 |
301 |
302 |
303 |
304 | A Node's _____ status field describes general information about it, such as operating system and node component versions
305 |
306 | Info
307 |
308 |
309 |
310 |
311 | Addresses in a node's status include HostName, InternalIP, _____
312 |
313 | ExternalIP
314 |
315 |
316 |
317 |
318 | It's important to place your Pods across several _____ to ensure fault tolerance, as one of them may fail.
319 |
320 | nodes
321 |
322 |
323 |
324 |
325 | A Node's _____ condition is True when there are too many processes running.
326 |
327 | PIDPressure
328 |
329 |
330 |
331 |
332 | The Kubernetes Master node runs _____, scheduler, kube-controller-manager.
333 |
334 | kube-apiserver
335 |
336 |
337 |
338 |
339 | The _____ node runs kube-apiserver, scheduler, kube-controller-manager.
340 |
341 | Kubernetes Master
342 |
343 |
344 |
345 |
346 | A Pod won’t be scheduled on a Node that has a _____ defined, unless the Pod has a matching Toleration defined.
347 |
348 | Taint
349 |
350 |
351 |
352 |
353 | Hard node affinities can block a Pod from running on a node. _____ node affinities are suggestions to the scheduler. Both can be combined, and have multiple weights.
354 |
355 | Soft
356 |
357 |
358 |
359 |
360 | Worker node Kubernetes components (kubelet and _____) communicate with Master node components, specifically kube-apiserver.
361 |
362 | kube-proxy
363 |
364 |
365 |
366 |
367 | The cluster autoscaler watches for unschedulable pods and tries to consolidate currently deployed pods on a smaller number of _____.
368 |
369 | nodes
370 |
371 |
372 |
373 |
374 | The Kubernetes Master node runs kube-apiserver, scheduler, _____.
375 |
376 | kube-controller-manager
377 |
378 |
379 |
380 |
381 | A taint's possible effects are PreferNoSchedule, _____, NoExecute
382 |
383 | NoSchedule
384 |
385 |
386 |
387 |
388 | A Node's "Ready" status is _____ when 40 seconds have passed since the Node Controller has heard from the node.
389 |
390 | Unknown
391 |
392 |
393 |
394 |
395 | The Cluster Autoscaler adjusts the number of _____ of a cluster.
396 |
397 | nodes
398 |
399 |
400 |
401 |
402 | You can prevent a kubelet from self-registering the node in the control-plane with the _____ flag.
403 |
404 | --register-node=false
405 |
406 |
407 |
408 |
409 | The cluster autoscaler watches for _____ pods and tries to consolidate currently deployed pods on a smaller number of nodes.
410 |
411 | unschedulable
412 |
413 |
414 |
--------------------------------------------------------------------------------
/docs/security.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | When multiple _____ objects select the same Pod, it becomes restricted to what is allowed by the union of those policies' ingress/egress rules.
4 |
5 | NetworkPolicy
6 |
7 |
8 |
9 |
10 | A public image registry may be compromised, so it is useful to use _____ registries.
11 |
12 | dedicated, private
13 |
14 |
15 |
16 |
17 | API requests are tied to either a username, a service account, or are treated as _____.
18 |
19 | anonymous requests
20 |
21 |
22 |
23 |
24 | A request to kube-apiserver must include the _____ of the requester, the requested action, and the object affected by the action.
25 |
26 | username
27 |
28 |
29 |
30 |
31 | Can admission controllers set complex defaults for fields? _____
32 |
33 | Yes
34 |
35 |
36 |
37 |
38 | _____ are tied to a set of credentials stored as Secrets, which allow Pods to talk to the Kubernetes API.
39 |
40 | ServiceAccounts
41 |
42 |
43 |
44 |
45 | ServiceAccounts are tied to a set of credentials stored as _____, which allow Pods to talk to the Kubernetes API.
46 |
47 | Secrets
48 |
49 |
50 |
51 |
52 | Requests in Kubernetes come with "usernames" for access control decisions and logging. But how does Kubernetes define a "user"? _____
53 |
54 | It doesn't! No concrete representative human "user" object exists in Kubernetes.
55 |
56 |
57 |
58 |
59 | The default Pod ServiceAccount can be disabled by setting _____
60 |
61 | autonomousServiceAccountToken: false
62 |
63 |
64 |
65 |
66 | When a request reaches kube-apiserver, it goes through stages: _____, Authorization, Admission Control
67 |
68 | Authentication
69 |
70 |
71 |
72 |
73 | Kubernetes authorizes API requests at the _____
74 |
75 | kube-apiserver
76 |
77 |
78 |
79 |
80 | Can network segmentation improve Kubernetes security? _____
81 |
82 | Yes
83 |
84 |
85 |
86 |
87 | Does the admission or validation of a request happen first? _____
88 |
89 | admission
90 |
91 |
92 |
93 |
94 | The default authorization modules that can be used in the API server are _____, RBAC, and Webhook.
95 |
96 | ABAC
97 |
98 |
99 |
100 |
101 | The Role and _____ Objects contain sets of additive authorization permissions
102 |
103 | ClusterRole
104 |
105 |
106 |
107 |
108 | Audit policies determine what events are recorded and which _____ persist the records.
109 |
110 | backends
111 |
112 |
113 |
114 |
115 | Admission Control Modules can modify or _____ requests.
116 |
117 | reject
118 |
119 |
120 |
121 |
122 | Can _____ help prevent internal denial of service attacks? Yes
123 |
124 | ResourceQuotas
125 |
126 |
127 |
128 |
129 | A _____ uses labels to specify the groups of pods allowed to communicate with each other, and other network endpoints.
130 |
131 | NetworkPolicy
132 |
133 |
134 |
135 |
136 | Admission Control Modules can access contents of Kubernetes objects that are being _____ or modified.
137 |
138 | created
139 |
140 |
141 |
142 |
143 | Tools like gVisor or _____ can "sandbox" Pods on the same host from each other, giving you an extra layer of isolation.
144 |
145 | kata containers
146 |
147 |
148 |
149 |
150 | Setting securityContext.allowPrivilegeEscalation to _____ makes it harder to escalate privileges inside a Container.
151 |
152 | False
153 |
154 |
155 |
156 |
157 | Is RBAC enabled for a new cluster by default? _____
158 |
159 | No!!!
160 |
161 |
162 |
163 |
164 | The _____ audit backend sends events to an external API.
165 |
166 | webhook
167 |
168 |
169 |
170 |
171 | Pods that do not need to use kube-apiserver should have their _____ disabled.
172 |
173 | default ServiceAccount
174 |
175 |
176 |
177 |
178 | When _____ starts, it looks for its kubeconfig file and its credentials (normally a TLS key and signed certificate), then retrieves the kube-apiserver URL and attempts to communicate with it.
179 |
180 | kubelet
181 |
182 |
183 |
184 |
185 | Audit allows cluster administrators to learn about the context of a cluster _____: when it happened, where, who initiated it and what it did.
186 |
187 | event
188 |
189 |
190 |
191 |
192 | A CertificateSigningRequest's _____ field denotes the recipient that the request is being made to.
193 |
194 | spec.signerName
195 |
196 |
197 |
198 |
199 | Can attackers remove a NetworkPolicy from within etcd? _____
200 |
201 | Yes
202 |
203 |
204 |
205 |
206 | Nodes must be provisioned with valid client credentials and a _____ to connect to kube-apiserver.
207 |
208 | public root certificate
209 |
210 |
211 |
212 |
213 | Authentication protocols (such as LDAP, SAML, Kerberos, etc) can be integrated into Kubernetes by using an _____ or authenticating webhook.
214 |
215 | authenticating proxy
216 |
217 |
218 |
219 |
220 | A RoleBinding grants a role's permissions to a set of users, _____ or service accounts.
221 |
222 | groups
223 |
224 |
225 |
226 |
227 | Can service meshes encrypt in-cluster traffic (and automatically rotate certificates)? _____
228 |
229 | Yes
230 |
231 |
232 |
233 |
234 | Restricting access to _____ prevents an attacker from modifying the desired cluster state.
235 |
236 | etcd
237 |
238 |
239 |
240 |
241 | Are authentication proxies a valid authentication method? _____
242 |
243 | Yes
244 |
245 |
246 |
247 |
248 | The default authorization modules that can be used in the API server are ABAC, _____, and Webhook.
249 |
250 | RBAC
251 |
252 |
253 |
254 |
255 | A NetworkPolicy uses _____ to specify the groups of pods allowed to communicate with each other, and other network endpoints.
256 |
257 | labels
258 |
259 |
260 |
261 |
262 | A kubelet's initial bootstrap credentials for TLS can be either authentication file tokens, or _____ tokens.
263 |
264 | "bootstrap"
265 |
266 |
267 |
268 |
269 | Can normal users be added to a cluster through an API call? _____
270 |
271 | No
272 |
273 |
274 |
275 |
276 | You should usually use at least two methods of authentication in your cluster: one for _____ and one for service accounts.
277 |
278 | human users
279 |
280 |
281 |
282 |
283 | Are Client Certificates a valid authentication module? _____
284 |
285 | Yes
286 |
287 |
288 |
289 |
290 | When kubelet starts, it looks for its kubeconfig file and its credentials (normally a TLS key and signed certificate), then retrieves the _____ URL and attempts to communicate with it.
291 |
292 | kube-apiserver
293 |
294 |
295 |
296 |
297 | The four audit levels are: None - don't log these events. Metadata - log a request's user, timestamp, resource, verb, etc. Request - log event metadata and request body. _____
298 |
299 | RequestResponse - log event metadata, request body and response bodies.
300 |
301 |
302 |
303 |
304 | Kubernetes authentication examines the incoming HTTP request's headers and _____.
305 |
306 | certificate
307 |
308 |
309 |
310 |
311 | Does kube-apiserver verify the kubelet's serving certificate by default? _____
312 |
313 | No. The connection is subject to MITM attacks by default.
314 |
315 |
316 |
317 |
318 | Can attackers manipulate cluster data in etcd, bypassing kube-apiserver completely? _____
319 |
320 | Yes
321 |
322 |
323 |
324 |
325 | Does Container/Operating System scanning improve cluster security? _____
326 |
327 | Yes
328 |
329 |
330 |
331 |
332 | When multiple NetworkPolicy objects select the same _____, it becomes restricted to what is allowed by the union of those policies' ingress/egress rules.
333 |
334 | Pod
335 |
336 |
337 |
338 |
339 | A kubelet's kubeconfig requires a certificate to communicate with kube-apiserver. This certificate must be signed by a _____ trusted by kube-apiserver.
340 |
341 | Certificate Authority
342 |
343 |
344 |
345 |
346 | A _____ object can divide your workloads into network tiers, locking them by default, with the ability to specifically allow communication between them, or between their namespaces.
347 |
348 | NetworkPolicy
349 |
350 |
351 |
352 |
353 | A Certificate Authority _____ and certificate are required to sign kubelet certificates.
354 |
355 | key
356 |
357 |
358 |
359 |
360 | securityContext allows defining privilege and access controls per Pod or per _____.
361 |
362 | Container
363 |
364 |
365 |
366 |
367 | Authentication protocols (such as LDAP, SAML, Kerberos, etc) can be integrated into Kubernetes by using an authenticating proxy or _____.
368 |
369 | authenticating webhook
370 |
371 |
372 |
373 |
374 | _____ are usually stored in the /etc/kubernetes/pki directory.
375 |
376 | PKI certificates
377 |
378 |
379 |
380 |
381 | By default, Pods in a cluster come with a _____ with permissions allowing it to communicate with kube-apiserver. This should be disabled for Pods that are never expected to need to talk to kube-apiserver, as an attacker could otherwise steal the auth token.
382 |
383 | service account
384 |
385 |
386 |
387 |
388 | With _____ files, you can organize your clusters, users, contexts, and namespaces.
389 |
390 | kubeconfig
391 |
392 |
393 |
394 |
395 | Do you need to upload AppArmor profiles to ALL of your Nodes? _____
396 |
397 | Yes - since you don't know which Node your Pod may be scheduled to.
398 |
399 |
400 |
401 |
402 | The default authorization modules that can be used in the API server are ABAC, RBAC, and _____.
403 |
404 | Webhook
405 |
406 |
407 |
408 |
409 | To specify which AppArmor profile a Container should run with, specify the profile as an _____ in the Pod's metadata.
410 |
411 | annotation
412 |
413 |
414 |
415 |
416 | Once created, a CertificateSigningRequest must be _____ before it can be signed.
417 |
418 | approved
419 |
420 |
421 |
422 |
423 | _____ is a file used to configure access to clusters
424 |
425 | kubeconfig
426 |
427 |
428 |
429 |
430 | A request was authorized by a single Authorization Module. Does it also get evaluated by other available Authorization Modules before being authorized? _____
431 |
432 | No
433 |
434 |
435 |
436 |
437 | Are plain, bootstrap and JWT tokens a valid Kubernetes authentication module? _____
438 |
439 | Yes
440 |
441 |
442 |
443 |
444 | A CertificateSigningRequest will initially have Pending status. If it meets specific criteria, it will be promoted by the kube-controller-manager to _____ status.
445 |
446 | Approved
447 |
448 |
449 |
450 |
451 | Does a user need a Role and RoleBinding to access Kubernetes resources? _____
452 |
453 | Yes
454 |
455 |
456 |
457 |
458 | A RoleBinding grants a role's permissions to a set of users, groups or _____.
459 |
460 | service accounts
461 |
462 |
463 |
464 |
465 | Each request on each stage of its execution generates an audit _____, which is then pre-processed according to a certain audit.k8s.io/v1 Policy object and written to a backend.
466 |
467 | event
468 |
469 |
470 |
471 |
472 | The _____ environment variable holds a list of kubeconfig files
473 |
474 | KUBECONFIG
475 |
476 |
477 |
478 |
479 | _____ objects require a specific backend running in the cluster that implements them, such as Calico or Flannel.
480 |
481 | NetworkPolicy
482 |
483 |
484 |
485 |
486 | _____ allows cluster administrators to learn about the context of a cluster event: when it happened, where, who initiated it and what it did.
487 |
488 | Audit
489 |
490 |
491 |
492 |
493 | A kubelet's kubeconfig file requires a _____ and a cert to connect to kube-apiserver.
494 |
495 | key
496 |
497 |
498 |
499 |
500 | The root ("/") filesystem on containers should be set as read-only via securityContext._____, because an attacker may escalate privileges by editing operating system files.
501 |
502 | readOnlyRootFilesystem: true
503 |
504 |
505 |
506 |
507 | A RoleBinding grants a role's permissions to a set of _____, groups or service accounts.
508 |
509 | users
510 |
511 |
512 |
513 |
514 | The _____ and ClusterRole Objects contain sets of additive authorization permissions
515 |
516 | Role
517 |
518 |
519 |
520 |
521 | Kubernetes requires PKI certificates for _____ over TLS.
522 |
523 | authentication
524 |
525 |
526 |
527 |
528 | To specify which AppArmor profile a Container should run with, specify the profile as an annotation in the Pod's _____.
529 |
530 | metadata
531 |
532 |
533 |
534 |
535 | Containers in production should run under a Linux non-root user. This is set in _____ via runAsNonRoot: true
536 |
537 | securityContext
538 |
539 |
540 |
541 |
542 | A Certificate Authority key and _____ are required to sign kubelet certificates.
543 |
544 | certificate
545 |
546 |
547 |
548 |
549 | The default _____ that can be used in the API server are ABAC, RBAC, and Webhook.
550 |
551 | authorization modules
552 |
553 |
554 |
555 |
556 | The four audit levels are: _____ Metadata - log a request's user, timestamp, resource, verb, etc. Request - log event metadata and request body. RequestResponse - log event metadata, request body and response bodies.
557 |
558 | None - don't log these events.
559 |
560 |
561 |
562 |
563 | ServiceAccounts are tied to a set of credentials stored as Secrets, which allow _____ to talk to the Kubernetes API.
564 |
565 | Pods
566 |
567 |
568 |
569 |
570 | Once created, a _____ must be approved before it can be signed.
571 |
572 | CertificateSigningRequest
573 |
574 |
575 |
576 |
577 | You can combine ClusterRoles using an _____
578 |
579 | aggregationRule
580 |
581 |
582 |
583 |
584 | Audit _____ determine what events are recorded and which backends persist the records.
585 |
586 | policies
587 |
588 |
589 |
590 |
591 | Is basic auth a valid authentication method? _____
592 |
593 | Yes
594 |
595 |
596 |
597 |
598 | _____ is a user-space kernel that can intercept and implement syscalls in userspace, effectively sandboxing the Pod to an environment with low capabilities and restricted seccomp filters.
599 |
600 | gVisor
601 |
602 |
603 |
604 |
605 | You can secure an Ingress by specifying a Secret that contains a TLS _____ and certificate
606 |
607 | private key
608 |
609 |
610 |
611 |
612 | Do you need to distribute a key and signed certificate for each kubelet? _____
613 |
614 | Yes - ideally unique ones.
615 |
616 |
617 |
618 |
619 | CertificateSigningRequest objects include a PEM-encoded PKCS#10 signing request in the spec._____ field.
620 |
621 | request
622 |
623 |
624 |
625 |
626 | A request to kube-apiserver must include the username of the requester, the requested action, and the _____ affected by the action.
627 |
628 | object
629 |
630 |
631 |
632 |
633 | Your current, in-use cluster context is stored in the _____ file on your local machine.
634 |
635 | kubeconfig
636 |
637 |
638 |
639 |
640 | Any request that presents a valid _____ signed by the cluster's Certificate Authority is considered authenticated.
641 |
642 | certificate
643 |
644 |
645 |
646 |
647 | When an attacker has control of a Kubernetes _____, they may be able to access the cloud provider's user and metadata APIs to exfiltrate credentials of your cloud account.
648 |
649 | Node
650 |
651 |
652 |
653 |
654 | Any request that presents a valid certificate signed by the cluster's _____ is considered authenticated.
655 |
656 | Certificate Authority
657 |
658 |
659 |
660 |
661 | The _____ resource type allows a client to ask for an X.509 certificate to be issued, based on a signing request.
662 |
663 | CertificateSigningRequest
664 |
665 |
666 |
667 |
668 | PKI certificates are usually stored in the /etc/kubernetes/_____ directory.
669 |
670 | pki
671 |
672 |
673 |
674 |
675 | _____ (such as LDAP, SAML, Kerberos, etc) can be integrated into Kubernetes by using an authenticating proxy or authenticating webhook.
676 |
677 | Authentication protocols
678 |
679 |
680 |
681 |
682 | Do AppArmor profiles have to be manually downloaded into the Node before applying the annotation? _____
683 |
684 | Yes - except the container runtime's default AppArmor profile.
685 |
686 |
687 |
688 |
689 | The kubelet's _____ flag controls its automatic certificate rotation. It can automatically generate a new key and request a new certificate from the Kubernetes API before the current certificate's expiration.
690 |
691 | --rotate-certificates
692 |
693 |
694 |
695 |
696 | Can Admission controllers act on requests that connect (proxy) to an object? _____
697 |
698 | Yes
699 |
700 |
701 |
702 |
703 | A kubelet's initial bootstrap credentials for TLS can be either authentication _____ tokens, or "bootstrap" tokens.
704 |
705 | file
706 |
707 |
708 |
709 |
710 | Each request on each stage of its execution generates an audit event, which is then pre-processed according to a certain audit.k8s.io/v1 Policy object and written to a _____.
711 |
712 | backend
713 |
714 |
715 |
716 |
717 | Each _____ on each stage of its execution generates an audit event, which is then pre-processed according to a certain audit.k8s.io/v1 Policy object and written to a backend.
718 |
719 | request
720 |
721 |
722 |
723 |
724 | Can Admission controllers act on requests that delete an object? _____
725 |
726 | Yes
727 |
728 |
729 |
730 |
731 | A request to kube-apiserver must include the username of the requester, the requested _____, and the object affected by the action.
732 |
733 | action
734 |
735 |
736 |
737 |
738 | If a request cannot be authenticated, it is _____
739 |
740 | rejected with status code 401
741 |
742 |
743 |
744 |
745 | _____ objects define rules about what events should be recorded and what data they should include.
746 |
747 | audit.k8s.io/v1 kind: Policy
748 |
749 |
750 |
751 |
752 | AppArmor profiles are specified per _____
753 |
754 | Container
755 |
756 |
757 |
758 |
759 | When TLS bootstrapping, the _____ must be able to authenticate as a user with the rights to create and retrieve CertificateSigningRequests
760 |
761 | kubelet
762 |
763 |
764 |
765 |
766 | etcd should have authentication, be firewalled and _____ at rest.
767 |
768 | encrypted
769 |
770 |
771 |
772 |
773 | Should you run etcd on dedicated nodes? _____
774 |
775 | Yes
776 |
777 |
778 |
779 |
780 | A _____ will initially have Pending status. If it meets specific criteria, it will be promoted by the kube-controller-manager to Approved status.
781 |
782 | CertificateSigningRequest
783 |
784 |
785 |
786 |
787 | After the request is authenticated as coming from a valid user, the request must then be _____ to check if it's allowed.
788 |
789 | authorized
790 |
791 |
792 |
793 |
794 | _____ allows defining privilege and access controls per Pod or per Container.
795 |
796 | securityContext
797 |
798 |
799 |
800 |
801 | If a container has network access to a /metrics endpoint, what does that mean for security? _____
802 |
803 | Attackers could potentially find almost everything about the cluster from inside the container by reading cAdvisor/Heapster output at the endpoint.
804 |
805 |
806 |
807 |
808 | Groups are a set of strings, each of which indicates _____.
809 |
810 | a user's membership
811 |
812 |
813 |
814 |
815 | Logstash can be used to collect/distribute Kubernetes audit events from the _____
816 |
817 | webhook audit backend
818 |
819 |
820 |
821 |
822 | Whenever a kubelet retrieves a new signed certificate from the Kubernetes API it will write it to _____
823 |
824 | the disk
825 |
826 |
827 |
828 |
829 | The KUBECONFIG environment variable holds _____
830 |
831 | a list of kubeconfig files
832 |
833 |
834 |
835 |
836 | Once an attacker controls a container, there is risk they might obtain control of the _____ it runs on, and then the internal cluster network.
837 |
838 | Node
839 |
840 |
841 |
842 |
843 | An attacker may download exploits directly into a container if its Pod has free access to _____.
844 |
845 | the Internet
846 |
847 |
848 |
849 |
850 | A _____ resource is used to request that a certificate be signed by a denoted signer, after which the request may be approved or denied before finally being signed.
851 |
852 | CertificateSigningRequest
853 |
854 |
855 |
856 |
857 | Admission Control Modules can access contents of Kubernetes objects that are being created or _____.
858 |
859 | modified
860 |
861 |
862 |
863 |
864 | In order to approve CertificateSigningRequests, you must allow the _____ to approve them.
865 |
866 | kube-controller-manager
867 |
868 |
869 |
870 |
871 | Audit logging increases the memory consumption of the _____ because some context required for auditing is stored for each request.
872 |
873 | kube-apiserver
874 |
875 |
876 |
877 |
878 | Kubernetes determines the _____ of an incoming request from the common name field in the subject field of the certificate (e.g., "/CN=katademy")
879 |
880 | username
881 |
882 |
883 |
884 |
885 | Admission Control Modules can _____ or reject requests.
886 |
887 | modify
888 |
889 |
890 |
891 |
892 | Kubernetes authentication examines the incoming HTTP request's _____ and certificate.
893 |
894 | headers
895 |
896 |
897 |
898 |
899 | Audit records begin their lifecycle inside the _____ Kubernetes component.
900 |
901 | kube-apiserver
902 |
903 |
904 |
905 |
906 | When a request reaches _____, it goes through stages: Authentication, Authorization, Admission Control
907 |
908 | kube-apiserver
909 |
910 |
911 |
912 |
913 | When a request reaches kube-apiserver, it goes through stages: Authentication, _____, Admission Control
914 |
915 | Authorization
916 |
917 |
918 |
919 |
920 | The kube-apiserver should have a _____ restricting it to be accessible only by specific IPs.
921 |
922 | firewall
923 |
924 |
925 |
926 |
927 | Do you need to distribute a CA certificate to each kubelet? _____
928 |
929 | No - only the master nodes where kube-apiserver is running.
930 |
931 |
932 |
933 |
934 | _____ persist audit events to an external storage.
935 |
936 | Audit backends
937 |
938 |
939 |
940 |
941 | The _____ group represents authenticated users.
942 |
943 | system:authenticated
944 |
945 |
946 |
947 |
948 | A service mesh can trace and profile requests happening inside a cluster. You can then find and disable requests that aren't expected to ever happen, for example via a _____.
949 |
950 | NetworkPolicy
951 |
952 |
953 |
954 |
955 | Any request that presents a valid certificate signed by the cluster's Certificate Authority is considered _____.
956 |
957 | authenticated
958 |
959 |
960 |
961 |
962 | Can using standardized, base images for all of your Containers improve overall workload security? _____
963 |
964 | Yes. If the base image is secured by default, child images will inherit these upgrades.
965 |
966 |
967 |
968 |
969 | Should you minimise user privilege inside your containers in production? _____
970 |
971 | Yes
972 |
973 |
974 |
975 |
976 | A _____'s spec.signerName field denotes the recipient that the request is being made to.
977 |
978 | CertificateSigningRequest
979 |
980 |
981 |
982 |
983 | Attackers can break out of the _____ by exploiting the container runtime, kernel etc.
984 |
985 | Container
986 |
987 |
988 |
989 |
990 | _____ audit failures might suggest a misconfigured service account, or the presence of an attacker.
991 |
992 | RBAC
993 |
994 |
995 |
996 |
997 | A request is authorized if an existing policy declares that the user has permissions to complete the requested _____ on the given object.
998 |
999 | action
1000 |
1001 |
1002 |
1003 |
1004 | A _____ grants a role's permissions to a set of users, groups or service accounts.
1005 |
1006 | RoleBinding
1007 |
1008 |
1009 |
1010 |
1011 | When multiple NetworkPolicy objects select the same Pod, it becomes restricted to what is allowed by the _____ of those policies' ingress/egress rules.
1012 |
1013 | union
1014 |
1015 |
1016 |
1017 |
1018 | Are service accounts bound to specific namespaces? _____
1019 |
1020 | Yes
1021 |
1022 |
1023 |
1024 |
1025 | _____ like fluentd can be used to collect/distribute Kubernetes audit events from log files
1026 |
1027 | Log collectors
1028 |
1029 |
1030 |
1031 |
1032 | Can Admission controllers act on requests that read an object? _____
1033 |
1034 | No
1035 |
1036 |
1037 |
1038 |
1039 | When kubelet starts, it looks for its _____ file and its credentials (normally a TLS key and signed certificate), then retrieves the kube-apiserver URL and attempts to communicate with it.
1040 |
1041 | kubeconfig
1042 |
1043 |
1044 |
1045 |
1046 | Audit backends persist audit events to _____.
1047 |
1048 | an external storage
1049 |
1050 |
1051 |
1052 |
1053 | The _____ audit backend writes events to disk
1054 |
1055 | log
1056 |
1057 |
1058 |
1059 |
1060 | The root ("/") filesystem on containers should be set as read-only via securityContext.readOnlyRootFilesystem: true, because _____.
1061 |
1062 | an attacker may escalate privileges by editing operating system files
1063 |
1064 |
1065 |
1066 |
1067 | Does a service mesh make your workloads more isolated by default? _____
1068 |
1069 | Yes
1070 |
1071 |
1072 |
1073 |
1074 | Kubernetes determines the username of an incoming request from the common name field in the subject field of the certificate (e.g., "_____")
1075 |
1076 | /CN=katademy
1077 |
1078 |
1079 |
1080 |
1081 | To improve security, you could ideally collect logs from all containers - but especially RBAC _____ logs.
1082 |
1083 | access/deny
1084 |
1085 |
1086 |
1087 |
1088 | Your current, in-use cluster namespace is stored in the _____ file on your local machine.
1089 |
1090 | kubeconfig
1091 |
1092 |
1093 |
1094 |
1095 | Each request on each stage of its execution generates an audit event, which is then pre-processed according to a certain _____ object and written to a backend.
1096 |
1097 | audit.k8s.io/v1 Policy
1098 |
1099 |
1100 |
1101 |
1102 | Pods that need to connect to the apiserver can automatically inject the _____ and valid bearer token into themselves via a service account.
1103 |
1104 | public root certificate
1105 |
1106 |
1107 |
1108 |
1109 | Are passwords a valid Kubernetes authentication module? _____
1110 |
1111 | Yes
1112 |
1113 |
1114 |
1115 |
1116 | Restricting access to your cluster nodes (especially _____ nodes) can prevent further privilege escalation to your cloud provider platform.
1117 |
1118 | master
1119 |
1120 |
1121 |
1122 |
1123 | Should you be able to freely send network traffic to etcd from the cluster? _____
1124 |
1125 | No
1126 |
1127 |
1128 |
1129 |
1130 | A _____ object can prevent an attacker inside one Pod from running the services of another Pod
1131 |
1132 | NetworkPolicy
1133 |
1134 |
1135 |
1136 |
1137 | Audit logging increases the memory consumption of the kube-apiserver because some context required for auditing is stored for each _____.
1138 |
1139 | request
1140 |
1141 |
1142 |
1143 |
1144 | Potentially insecure Linux _____ (such as "all", "CHOWN", "NET_RAW", "SETPCAP") can be disabled via securityContext.
1145 |
1146 | capabilities
1147 |
1148 |
1149 |
1150 |
1151 | The four audit levels are: None - don't log these events. Metadata - log a request's user, timestamp, resource, verb, etc. _____ RequestResponse - log event metadata, request body and response bodies.
1152 |
1153 | Request - log event metadata and request body.
1154 |
1155 |
1156 |
1157 |
1158 | Potentially insecure Linux capabilities (such as "all", "CHOWN", "NET_RAW", "SETPCAP") can be disabled via _____.
1159 |
1160 | securityContext
1161 |
1162 |
1163 |
1164 |
1165 | After the request is _____ as coming from a valid user, the request must then be authorized to check if it's allowed.
1166 |
1167 | authenticated
1168 |
1169 |
1170 |
1171 |
1172 | The four audit levels are: None - don't log these events. _____ Request - log event metadata and request body. RequestResponse - log event metadata, request body and response bodies.
1173 |
1174 | Metadata - log a request's user, timestamp, resource, verb, etc.
1175 |
1176 |
1177 |
1178 |
1179 | An Admission Controller Module rejects a request. What happens to the request? _____
1180 |
1181 | It is immediately rejected.
1182 |
1183 |
1184 |
1185 |
1186 | Setting securityContext._____ to False makes it harder to escalate privileges inside a Container.
1187 |
1188 | allowPrivilegeEscalation
1189 |
1190 |
1191 |
1192 |
1193 | By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured authentication methods are treated as _____ requests.
1194 |
1195 | anonymous
1196 |
1197 |
1198 |
1199 |
1200 | _____ objects include a PEM-encoded PKCS#10 signing request in the spec.request field.
1201 |
1202 | CertificateSigningRequest
1203 |
1204 |
1205 |
1206 |
1207 | Are bearer tokens a valid authentication method? _____
1208 |
1209 | Yes
1210 |
1211 |
1212 |
1213 |
1214 | When an event is processed, it's compared against the list of audit.k8s.io/v1/Policy rules in order. The first matching rule sets the _____ of the event.
1215 |
1216 | audit level
1217 |
1218 |
1219 |
1220 |
1221 | A kubelet's kubeconfig file requires a key and a _____ to connect to kube-apiserver.
1222 |
1223 | cert
1224 |
1225 |
1226 |
1227 |
1228 | True or False? Kubernetes automatically applies its Container Runtime's default seccomp and AppArmor profiles to Pods and Containers. _____
1229 |
1230 | False!!! A Container running on Kubernetes has FEWER restrictions applied to it by default than if it were run directly on a Container Runtime. Go set them now!
1231 |
1232 |
1233 |
1234 |
1235 | Are client certificates a valid authentication method? _____
1236 |
1237 | Yes
1238 |
1239 |
1240 |
1241 |
1242 | A CertificateSigningRequest will initially have Pending status. If it meets specific criteria, it will be promoted by the _____ to Approved status.
1243 |
1244 | kube-controller-manager
1245 |
1246 |
1247 |
1248 |
1249 | securityContext allows defining privilege and access controls per _____ or per Container.
1250 |
1251 | Pod
1252 |
1253 |
1254 |
1255 |
1256 | Should you enforce image signing in production? _____
1257 |
1258 | Yes
1259 |
1260 |
1261 |
1262 |
1263 | Once a _____ selects a particular Pod, that Pod will reject any connections that are not explicitly allowed by it.
1264 |
1265 | NetworkPolicy
1266 |
1267 |
1268 |
1269 |
1270 | Kubernetes requires _____ certificates for authentication over TLS.
1271 |
1272 | PKI
1273 |
1274 |
1275 |
1276 |
1277 | Log collectors like fluentd can be used to collect/distribute Kubernetes audit events from _____
1278 |
1279 | log files
1280 |
1281 |
1282 |
1283 |
1284 | Once Cluster TLS is established, incoming requests can begin the _____ step when trying to communicate with the cluster.
1285 |
1286 | Authentication
1287 |
1288 |
1289 |
1290 |
1291 | Pods that need to connect to the apiserver can automatically inject the public root certificate and valid _____ into themselves via a service account.
1292 |
1293 | bearer token
1294 |
1295 |
1296 |
1297 |
1298 | A request is authorized if an existing policy declares that the user has permissions to complete the requested action on the given _____.
1299 |
1300 | object
1301 |
1302 |
1303 |
1304 |
1305 | Can Admission controllers act on requests that create an object? _____
1306 |
1307 | Yes
1308 |
1309 |
1310 |
1311 |
1312 | When a request reaches kube-apiserver, it goes through stages: Authentication, Authorization, _____
1313 |
1314 | Admission Control
1315 |
1316 |
1317 |
1318 |
1319 | Tools like _____ or kata containers can "sandbox" Pods on the same host from each other, giving you an extra layer of isolation.
1320 |
1321 | gVisor
1322 |
1323 |
1324 |
1325 |
1326 | The kubelet uses _____ for authenticating to the Kubernetes API.
1327 |
1328 | certificates (with 1 year expiration)
1329 |
1330 |
1331 |
1332 |
1333 | You can secure an Ingress by specifying a Secret that contains a TLS private key and _____
1334 |
1335 | certificate
1336 |
1337 |
1338 |
1339 |
1340 | Is admission control's NodeRestriction enabled by default? _____
1341 |
1342 | No!
1343 |
1344 |
1345 |
1346 |
1347 | You should usually use at least two methods of authentication in your cluster: one for human users and one for _____.
1348 |
1349 | service accounts
1350 |
1351 |
1352 |
1353 |
1354 | Containers in production should run under a Linux non-root user. This is set in securityContext via _____
1355 |
1356 | runAsNonRoot: true
1357 |
1358 |
1359 |
1360 |
1361 | Is Kubelet RBAC enabled by default? _____
1362 |
1363 | No!!!
1364 |
1365 |
1366 |
--------------------------------------------------------------------------------
/docs/storage.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | A PersistentVolume's reclaim Policy defines what should be done with it once it is released from a PersistentVolumeClaim. By setting this policy, Volumes may either be _____, Recycled or Deleted.
4 |
5 | Retained
6 |
7 |
8 |
9 |
10 | _____ is the unique identifier of the volume created on the storage backend and returned by the CSI driver during the volume creation. This field is required for dynamically provisioning a snapshot. It specifies the volume source of the snapshot.
11 |
12 | volumeHandle
13 |
14 |
15 |
16 |
17 | PersistentVolumes have a specific storage capacity, configured via their _____ attribute.
18 |
19 | Capacity
20 |
21 |
22 |
23 |
24 | A persistentVolume with no storageClassName can only be bound to PersistentVolumeClaims that request _____.
25 |
26 | no storageClassName
27 |
28 |
29 |
30 |
31 | Snapshots may be _____ or dynamically provisioned.
32 |
33 | pre-provisioned
34 |
35 |
36 |
37 |
38 | VolumeSnapshotContents represent resources in the cluster, and _____ represent requests for those resources.
39 |
40 | VolumeSnapshots
41 |
42 |
43 |
44 |
45 | Can Volumes have hard links to other Volumes? _____
46 |
47 | No
48 |
49 |
50 |
51 |
52 | A Pod specifies what volumes to provide for its containers in the spec._____ field.
53 |
54 | volumes
55 |
56 |
57 |
58 |
59 | A volume is just a directory with data accessible by _____ when mounted.
60 |
61 | Containers
62 |
63 |
64 |
65 |
66 | It is often necessary to share files between Containers in a Pod. _____ objects are designed to solve this problem.
67 |
68 | Volume
69 |
70 |
71 |
72 |
73 | PersistentVolume and PersistentVolumeClaim Objects are used to provision _____.
74 |
75 | volumes
76 |
77 |
78 |
79 |
80 | In _____ volume provisioning, a cluster administrator creates a number of PersistentVolumes which carry the details of the real storage, and are available for use by cluster users.
81 |
82 | static
83 |
84 |
85 |
86 |
87 | If you delete a PersistentVolumeClaim object while a snapshot of it is being taken, its removal is postponed until the snapshot is readyToUse or _____.
88 |
89 | aborted
90 |
91 |
92 |
93 |
94 | PersistentVolumes that are dynamically created by a StorageClass will have a reclaimPolicy defined, which can be either Delete or _____
95 |
96 | Retain
97 |
98 |
99 |
100 |
101 | A PersistentVolume of a particular storage class can only be bound to _____ requesting that class.
102 |
103 | PersistentVolumeClaim
104 |
105 |
106 |
107 |
108 | A volume has the same lifetime as the _____ that encloses it.
109 |
110 | Pod
111 |
112 |
113 |
114 |
115 | PersistentVolumes support two _____: Filesystem (default) and Block.
116 |
117 | volumeModes
118 |
119 |
120 |
121 |
122 | VolumeSnapshotClass allows you to specify different attributes belonging to a _____.
123 |
124 | VolumeSnapshot
125 |
126 |
127 |
128 |
129 | PersistentVolume binds are exclusive. Mounting PersistentVolumeClaims with "Many" modes (ROX, RWX) is only possible within one _____.
130 |
131 | namespace
132 |
133 |
134 |
135 |
136 | Are PersistentVolume lifecycles dependent on the Pods that use them? _____
137 |
138 | No
139 |
140 |
141 |
142 |
143 | A volume in _____ access mode can be mounted as read-write by many nodes
144 |
145 | ReadWriteMany
146 |
147 |
148 |
149 |
150 | Snapshots may be pre-provisioned or _____.
151 |
152 | dynamically provisioned
153 |
154 |
155 |
156 |
157 | A _____ with no storageClassName can only be bound to PersistentVolumeClaims that request no storageClassName.
158 |
159 | persistentVolume
160 |
161 |
162 |
163 |
164 | A PersistentVolumeClaim to PersistentVolume binding is a bi-directional, one-to-one mapping represented by a _____ field.
165 |
166 | ClaimRef
167 |
168 |
169 |
170 |
171 | A PersistentVolumeClaim is in use by a Pod. A user deletes the PersistentVolumeClaim. Is the PersistentVolumeClaim immediately deleted? _____
172 |
173 | No - it is postponed until the PersistentVolumeClaim is no longer used by any Pods.
174 |
175 |
176 |
177 |
178 | A volume is said to be _____ when the volume has failed its automatic reclamation.
179 |
180 | Failed
181 |
182 |
183 |
184 |
185 | VolumeSnapshot and _____ Objects are used to provision volume snapshots.
186 |
187 | VolumeSnapshotContent
188 |
189 |
190 |
191 |
192 | A PersistentVolume may be provisioned either _____ or dynamically.
193 |
194 | statically
195 |
196 |
197 |
198 |
199 | VolumeSnapshot and VolumeSnapshotContent Objects are used to provision _____.
200 |
201 | volume snapshots
202 |
203 |
204 |
205 |
206 | A Pod's volumes are _____ after their Pod is deleted.
207 |
208 | deleted
209 |
210 |
211 |
212 |
213 | A PersistentVolume can have its StorageClass specified by setting the _____ attribute.
214 |
215 | storageClassName
216 |
217 |
218 |
219 |
220 | If a PersistentVolume was dynamically provisioned for a new PersistentVolumeClaim, the loop will _____ them together.
221 |
222 | bind
223 |
224 |
225 |
226 |
227 | A volume is said to be _____ when the claim has been deleted, but the resource is not yet reclaimed by the cluster.
228 |
229 | Released
230 |
231 |
232 |
233 |
234 | A persistentVolume with no storageClassName can only be bound to _____ that request no storageClassName.
235 |
236 | PersistentVolumeClaims
237 |
238 |
239 |
240 |
241 | PersistentVolumes can be bound to a PersistentVolumeClaim if they both have the same _____.
242 |
243 | StorageClassName
244 |
245 |
246 |
247 |
248 | A volume with _____ set to "Block" represents a raw block device without a filesystem. These volumes provide Pods with the fastest access, but the application must know how to handle a raw block device.
249 |
250 | volumeMode
251 |
252 |
253 |
254 |
255 | A Pod uses a PersistentVolume that has a node affinity towards certain nodes. Which node will the Pod be scheduled on? _____
256 |
257 | The node where the PV is available from.
258 |
259 |
260 |
261 |
262 | A _____ Object represents a snapshot of a volume on a storage system.
263 |
264 | VolumeSnapshot
265 |
266 |
267 |
268 |
269 | _____ represent resources in the cluster, and VolumeSnapshots represent requests for those resources.
270 |
271 | VolumeSnapshotContents
272 |
273 |
274 |
275 |
276 | A deleted PersistentVolumeClaim is subject to a reclaim policy. The "Retain" policy allows for manual reclamation of resources in the future - the PersistentVolume remains in existence and is considered "_____" but unavailable for another claim while the previous claimant's data remains on the volume.
277 |
278 | Released
279 |
280 |
281 |
282 |
283 | In pre-provisioned binding, a VolumeSnapshot will remain unbound until the requested _____ object is created.
284 |
285 | VolumeSnapshotContent
286 |
287 |
288 |
289 |
290 | Mounted directories accessible from inside containers are called _____
291 |
292 | Volumes
293 |
294 |
295 |
296 |
297 | For volume plugins that support the _____ reclaim policy, deletion removes both the PersistentVolume object and the associated storage asset in the external cloud infrastructure. Volumes that were dynamically provisioned inherit the reclaim policy of their storageClass, which defaults to Delete. Administrators should configure the StorageClass according to users' expectations; otherwise, the PV must be edited or patched after it is created.
298 |
299 | Delete
300 |
301 |
302 |
303 |
304 | When a Container crashes, kubelet will restart it, but its on-disk files will be lost unless stored on a _____.
305 |
306 | Volume
307 |
308 |
309 |
310 |
311 | A volume is said to be _____ when it is free and not yet bound to a claim.
312 |
313 | Available
314 |
315 |
316 |
317 |
318 | A _____ specifies what volumes to provide for its containers in the spec.volumes field.
319 |
320 | Pod
321 |
322 |
323 |
324 |
325 | If you delete a PersistentVolumeClaim object while a snapshot of it is being taken, its removal is postponed until the snapshot is _____ or aborted.
326 |
327 | readyToUse
328 |
329 |
330 |
331 |
332 | PersistentVolumeClaims remain unbound if no matching _____ exists, and will be bound when one becomes available.
333 |
334 | volume
335 |
336 |
337 |
338 |
339 | A deleted PersistentVolumeClaim is subject to a reclaim policy. The "_____" policy allows for manual reclamation of resources in the future - the PersistentVolume remains in existence and is considered "Released" but unavailable for another claim while the previous claimant's data remains on the volume.
340 |
341 | Retain
342 |
343 |
344 |
345 |
346 | Is a Volume preserved across Container restarts? _____
347 |
348 | Yes
349 |
350 |
351 |
352 |
353 | In pre-provisioned binding, a _____ will remain unbound until the requested VolumeSnapshotContent object is created.
354 |
355 | VolumeSnapshot
356 |
357 |
358 |
359 |
360 | You can provision a new volume, pre-populated with data from a snapshot, by filling the _____ field in a PersistentVolumeClaim object.
361 |
362 | dataSource
363 |
364 |
365 |
366 |
367 | Can Volumes mount other volumes? _____
368 |
369 | No
370 |
371 |
372 |
373 |
374 | A volume with volumeMode set to "_____" represents a raw block device without a filesystem. These volumes provide Pods with the fastest access, but the application must know how to handle a raw block device.
375 |
376 | Block
377 |
378 |
379 |
380 |
381 | A _____ is just a directory with data accessible by Containers when mounted.
382 |
383 | volume
384 |
385 |
386 |
387 |
388 | A _____ of a particular storage class can only be bound to PersistentVolumeClaim requesting that class.
389 |
390 | PersistentVolume
391 |
392 |
393 |
394 |
395 | Are VolumeSnapshot, VolumeSnapshotContent, and VolumeSnapshotClass part of the core Kubernetes API? _____
396 |
397 | No - they are CustomResourceDefinitions.
398 |
399 |
400 |
401 |
402 | VolumeSnapshot support is only available for _____ drivers.
403 |
404 | CSI
405 |
406 |
407 |
408 |
409 | PersistentVolume and _____ Objects are used to provision volumes.
410 |
411 | PersistentVolumeClaim
412 |
413 |
414 |
415 |
416 | A PersistentVolume may be provisioned either statically or _____.
417 |
418 | dynamically
419 |
420 |
421 |
422 |
423 | You can request that a snapshot be dynamically taken from a PersistentVolumeClaim by defining a _____ Object with parameters for the snapshot.
424 |
425 | VolumeSnapshotClass
426 |
427 |
428 |
429 |
430 | The Kubernetes control plane watches for new PersistentVolumeClaims, and if it has found a matching PersistentVolume it _____ them.
431 |
432 | binds
433 |
434 |
435 |
436 |
437 | A volume with volumeMode: _____ is mounted into Pods into a directory. If the volume is backed by a block device and the device is empty, Kubernetes creates a filesystem on the device before mounting it for the first time.
438 |
439 | Filesystem
440 |
441 |
442 |
443 |
444 | A PersistentVolume's _____ Policy defines what should be done with it once it is released from a PersistentVolumeClaim. By setting this policy, Volumes may either be Retained, Recycled or Deleted.
445 |
446 | reclaim
447 |
448 |
449 |
450 |
451 | A volume in _____ access mode can be mounted as read-write by a single node
452 |
453 | ReadWriteOnce
454 |
455 |
456 |
457 |
458 | Dynamic volume provisioning is enabled by creating one or more _____ objects for cluster users.
459 |
460 | StorageClass
461 |
462 |
463 |
464 |
465 | PersistentVolumes support two volumeModes: _____ (default) and Block.
466 |
467 | Filesystem
468 |
469 |
470 |
471 |
472 | A PersistentVolume's _____ constrains which nodes the volume can be accessed from.
473 |
474 | node affinity
475 |
476 |
477 |
478 |
479 | _____ allows you to specify different attributes belonging to a VolumeSnapshot.
480 |
481 | VolumeSnapshotClass
482 |
483 |
484 |
485 |
486 | Once a PersistentVolumeClaim is bound, its PersistentVolume belongs to the user for as long as they need it. Users schedule Pods and access their claimed PersistentVolumes by including a persistentVolumeClaim section in a Pod's _____ field.
487 |
488 | volumes
489 |
490 |
491 |
492 |
493 | Can a volume be mounted using several access modes at a time? _____
494 |
495 | No
496 |
497 |
498 |
499 |
500 | PersistentVolumes support two volumeModes: Filesystem (default) and _____.
501 |
502 | Block
503 |
504 |
505 |
506 |
507 | A _____ object represents a snapshot taken from a volume.
508 |
509 | VolumeSnapshotContent
510 |
511 |
512 |
513 |
514 | PersistentVolumes that are dynamically created by a StorageClass will have a reclaimPolicy defined, which can be either _____ or Retain
515 |
516 | Delete
517 |
518 |
519 |
520 |
521 | The Kubernetes control plane watches for new PersistentVolumeClaims, and if it has found a matching _____ it binds them.
522 |
523 | PersistentVolume
524 |
525 |
526 |
527 |
528 | In static volume provisioning, a cluster administrator creates a number of _____ which carry the details of the real storage, and are available for use by cluster users.
529 |
530 | PersistentVolumes
531 |
532 |
533 |
534 |
535 | _____ and VolumeSnapshotContent Objects are used to provision volume snapshots.
536 |
537 | VolumeSnapshot
538 |
539 |
540 |
541 |
542 | We delete a PersistentVolume bound to a PersistentVolumeClaim. Is the PersistentVolume deleted immediately? _____
543 |
544 | No
545 |
546 |
547 |
548 |
549 | A PersistentVolume's reclaim Policy defines what should be done with it once it is released from a PersistentVolumeClaim. By setting this policy, Volumes may either be Retained, Recycled or _____.
550 |
551 | Deleted
552 |
553 |
554 |
555 |
556 | A Pod specifies where and how to mount its volumes inside its containers in the .spec.containers[*]._____ field.
557 |
558 | volumeMounts
559 |
560 |
561 |
562 |
563 | A PersistentVolumeClaim can be expanded if its storageClass has field _____ set to true. To expand it, edit the PersistentVolumeClaim object and specify a larger size. This triggers expansion of the volume that backs the underlying PersistentVolume. A new PersistentVolume is never created to satisfy the claim. Instead, an existing volume is resized.
564 |
565 | allowVolumeExpansion
566 |
567 |
568 |
569 |
570 | _____ and PersistentVolumeClaim Objects are used to provision volumes.
571 |
572 | PersistentVolume
573 |
574 |
575 |
576 |
577 | A PersistentVolume's reclaim Policy defines what should be done with it once it is released from a PersistentVolumeClaim. By setting this policy, Volumes may either be Retained, _____ or Deleted.
578 |
579 | Recycled
580 |
581 |
582 |
583 |
584 | A PersistentVolumeClaim can request a particular storage class by specifying the name of a StorageClass using the attribute _____.
585 |
586 | storageClassName
587 |
588 |
589 |
590 |
591 | In _____ snapshot provisioning, a cluster administrator creates a number of VolumeSnapshotContents carrying details of the real volume snapshot on the storage system. They exist in the Kubernetes API and are available for consumption.
592 |
593 | pre-provisioned
594 |
595 |
596 |
597 |
598 | A volume in _____ access mode can be mounted read-only by many nodes
599 |
600 | ReadOnlyMany
601 |
602 |
603 |
604 |
605 | PersistentVolume deletion is not immediate. It is postponed until _____
606 |
607 | the PersistentVolume is no longer bound to a PersistentVolumeClaim.
608 |
609 |
610 |
611 |
612 | Can you resize an in-use PersistentVolumeClaim? _____.
613 |
614 | Yes, via ExpandInUsePersistentVolumes
615 |
616 |
617 |
618 |
619 | When no static PersistentVolume matches a PersistentVolumeClaim, the cluster may try to dynamically provision a volume specially for the PersistentVolumeClaim. The PersistentVolumeClaim must request a _____ with dynamic provisioning configured.
620 |
621 | storageClass
622 |
623 |
624 |
--------------------------------------------------------------------------------
/docs/topology.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | If two Nodes are labelled with one _____ and have identical values for that label, the scheduler tries to place a balanced number of Pods into each topology domain
4 |
5 | topologyKey
6 |
7 |
8 |
9 |
10 | Endpoints in an EndpointSlice can contain labels about the slice's topology information, such as the topological Node, Zone or _____.
11 |
12 | Region
13 |
14 |
15 |
16 |
17 | You can control Service traffic routing by specifying the .spec._____ field.
18 |
19 | topologyKeys
20 |
21 |
22 |
23 |
24 | A Service's .spec.topologyKeys field is a preference-order list of _____ labels by which the Service's Endpoints are sorted when accessing it. Traffic is directed to a _____ whose first label matches the originating Node's label value. If no backend for the Service exists on a matching _____, then the second label is evaluated, and so forth.
25 |
26 | Node
27 |
28 |
29 |
30 |
31 | Topology spread constraints rely on node _____ to identify the topology domains each Node belongs to.
32 |
33 | labels
34 |
35 |
36 |
37 |
38 | A Service's .spec.topologyKeys field is a preference-order list of Node labels by which the Service's Endpoints are sorted when accessing it. Traffic is directed to a Node whose first label matches the originating _____ label value. If no backend for the Service exists on a matching Node, then the second label is evaluated, and so forth.
39 |
40 | Node's
41 |
42 |
43 |
44 |
45 | Endpoints in an EndpointSlice can contain labels about the slice's topology information, such as the topological _____, Zone or Region.
46 |
47 | Node
48 |
49 |
50 |
51 |
52 | If a Pod doesn't satisfy its topologySpreadConstraints, the spec.topologySpreadConstraints._____ field defines how to deal with it. The possible values are: DoNotSchedule (the Pod should not be scheduled by the Kubernetes scheduler) or ScheduleAnyway (the Pod is allowed to be scheduled, prioritizing nodes in a way that minimizes skew)
53 |
54 | whenUnsatisfiable
55 |
56 |
57 |
58 |
59 | A Service's .spec.topologyKeys field is a preference-order list of _____ labels by which the Service's Endpoints are sorted when accessing it. Traffic is directed to a _____ whose first label matches the originating Node's label value. If no backend for the Service exists on a matching _____, then the second label is evaluated, and so forth.
60 |
61 | Node
62 |
63 |
64 |
65 |
66 | _____ defines the degree to which Pods may be unevenly distributed across topology domains. It represents the maximum permitted difference between the number of matching Pods in any two topology domains of a given topology type.
67 |
68 | maxSkew
69 |
70 |
71 |
72 |
73 | _____ enables a service to route traffic based on the Node topology of the cluster.
74 |
75 | Service Topology
76 |
77 |
78 |
79 |
80 | You can use _____ to control how Pods are spread across your cluster among failure-domains (regions, zones, nodes or user-defined domains).
81 |
82 | topology spread constraints
83 |
84 |
85 |
86 |
87 | A Service can specify that traffic be preferentially routed to endpoints that are on the same Node as the client, or in the same availability zone by using _____
88 |
89 | Service Topology
90 |
91 |
92 |
93 |
94 | If a Pod doesn't satisfy its topologySpreadConstraints, the spec._____.whenUnsatisfiable field defines how to deal with it. The possible values are: DoNotSchedule (the Pod should not be scheduled by the Kubernetes scheduler) or ScheduleAnyway (the Pod is allowed to be scheduled, prioritizing nodes in a way that minimizes skew)
95 |
96 | topologySpreadConstraints
97 |
98 |
99 |
100 |
101 | If a Pod doesn't satisfy its topologySpreadConstraints, the spec.topologySpreadConstraints.whenUnsatisfiable field defines how to deal with it. The possible values are: _____ or ScheduleAnyway (the Pod is allowed to be scheduled, prioritizing nodes in a way that minimizes skew)
102 |
103 | DoNotSchedule (the Pod should not be scheduled by the Kubernetes scheduler)
104 |
105 |
106 |
107 |
108 | Two Nodes labelled with an identical topologyKey and value are treated by the _____ as belonging to the same topology.
109 |
110 | scheduler
111 |
112 |
113 |
114 |
115 | A Service's .spec.topologyKeys field is a preference-order list of _____ labels by which the Service's Endpoints are sorted when accessing it. Traffic is directed to a _____ whose first label matches the originating Node's label value. If no backend for the Service exists on a matching _____, then the second label is evaluated, and so forth.
116 |
117 | Node
118 |
119 |
120 |
121 |
122 | If two Nodes are labelled with one topologyKey and have identical values for that label, the scheduler tries to place a balanced number of Pods into each _____
123 |
124 | topology domain
125 |
126 |
127 |
128 |
129 | Two Nodes labelled with an identical _____ and value are treated by the scheduler as belonging to the same topology.
130 |
131 | topologyKey
132 |
133 |
134 |
135 |
136 | Endpoints in an EndpointSlice can contain labels about the slice's topology information, such as the topological Node, _____ or Region.
137 |
138 | Zone
139 |
140 |
141 |
142 |
143 | A Service's .spec._____ field is a preference-order list of Node labels by which the Service's Endpoints are sorted when accessing it. Traffic is directed to a Node whose first label matches the originating Node's label value. If no backend for the Service exists on a matching Node, then the second label is evaluated, and so forth.
144 |
145 | topologyKeys
146 |
147 |
148 |
149 |
150 | Two Nodes labelled with an identical topologyKey and value are treated by the scheduler as belonging to the same _____.
151 |
152 | topology
153 |
154 |
155 |
156 |
157 | If a Pod doesn't satisfy its topologySpreadConstraints, the spec.topologySpreadConstraints.whenUnsatisfiable field defines how to deal with it. The possible values are: DoNotSchedule (the Pod should not be scheduled by the Kubernetes scheduler) or _____
158 |
159 | ScheduleAnyway (the Pod is allowed to be scheduled, prioritizing nodes in a way that minimizes skew)
160 |
161 |
162 |
--------------------------------------------------------------------------------
/docs/workloads.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | Can you perform a rolling update on a DaemonSet? _____
4 |
5 | Yes
6 |
7 |
8 |
9 |
10 | A PodDisruptionBudget limits the number of Pods of a workload that are allowed to be down simultaneously from _____ disruptions.
11 |
12 | voluntary
13 |
14 |
15 |
16 |
17 | The possible values for a Pod's status condition field are _____, False or Unknown.
18 |
19 | True
20 |
21 |
22 |
23 |
24 | Pods in the _____ state wait to be scheduled onto the cluster by the Kubernetes Scheduler. An exception to this is Pods running as part of a DaemonSet, which are scheduled by the DaemonSet controller.
25 |
26 | Pending
27 |
28 |
29 |
30 |
31 | A Pod is in its lifecycle's _____ phase if its state could not be obtained, usually due to an error in communicating with its host.
32 |
33 | Unknown
34 |
35 |
36 |
37 |
38 | Pods running as part of a _____ have unique network identifiers, persistent storage, ordered deployment and scaling, and ordered rolling updates.
39 |
40 | StatefulSet
41 |
42 |
43 |
44 |
45 | The _____ API object is implemented as a control loop, with a sync period controlled by the kube-controller-manager's --horizontal-pod-autoscaler-sync-period flag.
46 |
47 | HorizontalPodAutoscaler
48 |
49 |
50 |
51 |
52 | The HorizontalPodAutoscaler API object is implemented as a control loop, with a sync period controlled by the _____'s --horizontal-pod-autoscaler-sync-period flag.
53 |
54 | kube-controller-manager
55 |
56 |
57 |
58 |
59 | Unlike a Deployment, a StatefulSet maintains a _____ for each of its Pods
60 |
61 | sticky identity
62 |
63 |
64 |
65 |
66 | If a Pod's metadata._____ does not link to a workload controller object (i.e. it is an orphaned Pod), it will be acquired by a controller whose selector matches the Pod, or the Pod will be garbage collected.
67 |
68 | OwnerReferences
69 |
70 |
71 |
72 |
73 | A Pod's _____ condition field provides a timestamp for when the Pod condition was last probed.
74 |
75 | lastProbeTime
76 |
77 |
78 |
79 |
80 | Containers are automatically co-located and co-scheduled on the same node when they are run as part of a _____.
81 |
82 | Pod
83 |
84 |
85 |
86 |
87 | A _____ optimizes a given metric (e.g. CPU utilization) across a set of Pods, increasing or decreasing the number of replicas to achieve it.
88 |
89 | HorizontalPodAutoscaler
90 |
91 |
92 |
93 |
94 | If a Pod's metadata.OwnerReferences does not link to a workload controller object (i.e. it is an orphaned Pod), it will be acquired by a controller whose selector matches the Pod, or the Pod will be _____.
95 |
96 | garbage collected
97 |
98 |
99 |
100 |
101 | A _____ API Object scales the number of Pods in a Deployment, ReplicaSet or StatefulSet based on an observed metric (such as CPU utilization).
102 |
103 | HorizontalPodAutoscaler
104 |
105 |
106 |
107 |
108 | HorizontalPodAutoscaler API Objects do not apply to objects that can't be scaled, such as _____
109 |
110 | DaemonSets
111 |
112 |
113 |
114 |
115 | If non-preempting pods cannot be scheduled at a given time, they will be retried with lower frequency, allowing other pods with lower priority to be scheduled before them. This is because non-preempting pods are subject to _____
116 |
117 | scheduler back-off
118 |
119 |
120 |
121 |
122 | The _____ condition field provides details about the transition from one status to another.
123 |
124 | Message
125 |
126 |
127 |
128 |
129 | A _____ injects bits of common configuration into all selected Pods at creation time. For example, you could use it to mount a particular Volume on all matching Pods.
130 |
131 | PodPreset
132 |
133 |
134 |
135 |
136 | A _____ load balances traffic across multiple Pods.
137 |
138 | Service
139 |
140 |
141 |
142 |
143 | A Pod is in its lifecycle's Failed phase if all its containers have terminated, at least one of which has exited with a _____ exit code, or was terminated by the system.
144 |
145 | non-zero (error)
146 |
147 |
148 |
149 |
150 | A _____ can be used to run a log collection daemon on every node.
151 |
152 | DaemonSet
153 |
154 |
155 |
156 |
157 | When node labels change, the DaemonSet controller will _____ Pods to newly matching nodes and delete Pods from newly not-matching nodes.
158 |
159 | add
160 |
161 |
162 |
163 |
164 | _____ is an object which can own ReplicaSets and update their Pods via declarative, server-side rolling updates.
165 |
166 | Deployment
167 |
168 |
169 |
170 |
171 | In _____ cascading deletion, the root object enters a "deletion in progress" state. The garbage collector then deletes the object's dependents. Once they are gone, it deletes the owner object.
172 |
173 | foreground
174 |
175 |
176 |
177 |
178 | _____, ContainerReady, lastProbeTime, Reason are types of an Object's Conditions.
179 |
180 | Ready
181 |
182 |
183 |
184 |
185 | Containers within a single _____ share IP address and port space
186 |
187 | Pod
188 |
189 |
190 |
191 |
192 | When node labels change, the DaemonSet controller will add Pods to newly matching nodes and _____ Pods from newly not-matching nodes.
193 |
194 | delete
195 |
196 |
197 |
198 |
199 | The values of a Pod's type condition field may equal either PodScheduled, Ready, Initialized or _____
200 |
201 | ContainersReady
202 |
203 |
204 |
205 |
206 | A _____ is a global object that maps a priority class name to the integer value of the Priority.
207 |
208 | PriorityClass
209 |
210 |
211 |
212 |
213 | A _____ API Object injects additional runtime requirements into label-selected Pods at their creation time.
214 |
215 | PodPreset
216 |
217 |
218 |
219 |
220 | _____ cannot prevent involuntary Pod disruptions from occurring, and so they do not count against the budget.
221 |
222 | PodDisruptionBudgets
223 |
224 |
225 |
226 |
227 | If a Pod's metadata.OwnerReferences does not link to a workload controller object (i.e. it is an orphaned Pod), it will be acquired by a controller whose _____ matches the Pod, or the Pod will be garbage collected.
228 |
229 | selector
230 |
231 |
232 |
233 |
234 | The possible values for a Pod's status condition field are True, False or _____.
235 |
236 | Unknown
237 |
238 |
239 |
240 |
241 | The six fields of a PodCondition are reason, status, message, type, _____, lastTransitionTime.
242 |
243 | lastProbeTime
244 |
245 |
246 |
247 |
248 | In _____ cascading deletion, Kubernetes deletes the owner object immediately and the garbage collector then deletes the dependents.
249 |
250 | background
251 |
252 |
253 |
254 |
255 | The minimum time in seconds for which a new Pod should be ready in order to be considered available is defined in deployment.spec._____
256 |
257 | minReadySeconds
258 |
259 |
260 |
261 |
262 | Identical Pods in a workload are referred to as _____
263 |
264 | Replicas
265 |
266 |
267 |
268 |
269 | The HorizontalPodAutoscaler adjusts the number of _____ of an application
270 |
271 | replicas
272 |
273 |
274 |
275 |
276 | A _____ runs one or more Containers.
277 |
278 | Pod
279 |
280 |
281 |
282 |
283 | The HorizontalPodAutoscaler controller operates on the ratio between current and _____ metric values.
284 |
285 | desired
286 |
287 |
288 |
289 |
290 | In foreground cascading deletion, the root object enters a "deletion in progress" state. The garbage collector then deletes the object's _____. Once they are gone, it deletes the owner object.
291 |
292 | dependents
293 |
294 |
295 |
296 |
297 | The number of old ReplicaSets retained for rollback purposes is defined in a Deployment's .spec._____ field.
298 |
299 | revisionHistoryLimit
300 |
301 |
302 |
303 |
304 | The _____ adjusts the number of replicas of an application
305 |
306 | HorizontalPodAutoscaler
307 |
308 |
309 |
310 |
311 | When a pod is evicted using the eviction API, is it gracefully terminated? _____
312 |
313 | Yes
314 |
315 |
316 |
317 |
318 | The count of hash collisions for a deployment is stored in its deployment.deploymentstatus._____ status field, and is used for collision avoidance.
319 |
320 | collisionCount
321 |
322 |
323 |
324 |
325 | Pods in the Pending state wait to be scheduled onto the cluster by the Kubernetes Scheduler. An exception to this is Pods running as part of a _____, which are scheduled by the _____ controller.
326 |
327 | DaemonSet
328 |
329 |
330 |
331 |
332 | The six fields of a PodCondition are reason, status, message, _____, lastProbeTime, lastTransitionTime.
333 |
334 | type
335 |
336 |
337 |
338 |
339 | _____ Pods can each be addressed by their uniquely identifiable, predictable DNS names. This is ideal for clustered or quorum-based applications, such as databases.
340 |
341 | StatefulSet
342 |
343 |
344 |
345 |
346 | While it's in its termination grace period, you might want an app to process remaining incoming requests by adding a _____ handler.
347 |
348 | preStop
349 |
350 |
351 |
352 |
353 | The HorizontalPodAutoscaler API object is implemented as a control loop, with a sync period controlled by the kube-controller-manager's _____ flag.
354 |
355 | --horizontal-pod-autoscaler-sync-period
356 |
357 |
358 |
359 |
360 | Pods take an extra amount of a node's resources, additional to the resources taken by the Pod's containers. This is referred to as Pod Overhead and can be configured inside a _____ API object.
361 |
362 | RuntimeClass
363 |
364 |
365 |
366 |
367 | _____ within a single Pod share IP address and port space
368 |
369 | Containers
370 |
371 |
372 |
373 |
374 | Pod _____ repels Pods from each other. For example, an _____ to replicas of the same Pod on one Node can help spread your replicas evenly across the cluster.
375 |
376 | anti-affinity
377 |
378 |
379 |
380 |
381 | The role of the _____ is to delete objects that no longer have an owner.
382 |
383 | garbage collector
384 |
385 |
386 |
387 |
388 | _____ cannot be used to override a Pod’s own configuration, only fill in settings the Pod hasn't specified.
389 |
390 | PodPresets
391 |
392 |
393 |
394 |
395 | When deleting a DaemonSet with kubectl, you can specify the flag _____, and the Pods will then remain on the nodes.
396 |
397 | --cascade=false
398 |
399 |
400 |
401 |
402 | A Deployment is set to keep 5 Pod replicas running at any given time, and a matching PodDisruptionBudget defines that there must always be 4 replicas running at any moment in time. Therefore, one Pod may be _____ disrupted by the Eviction API at a time.
403 |
404 | voluntarily
405 |
406 |
407 |
408 |
409 | The _____ controller ensures a specific number of pod replicas are running at any one time across nodes
410 |
411 | replication
412 |
413 |
414 |
415 |
416 | Each Kubernetes Node has its own _____ range from which it assigns its pods unique IPs.
417 |
418 | CIDR IP block
419 |
420 |
421 |
422 |
423 | A HorizontalPodAutoscaler API Object scales the number of Pods in a Deployment, ReplicaSet or StatefulSet based on _____.
424 |
425 | an observed metric (such as CPU utilization)
426 |
427 |
428 |
429 |
430 | PodDisruptionBudgets cannot prevent _____ Pod disruptions from occurring, and so they do not count against the budget.
431 |
432 | involuntary
433 |
434 |
435 |
436 |
437 | The _____ field indicates that the value of this PriorityClass should be used for Pods without a priorityClassName. Only one such PriorityClass can exist in the system.
438 |
439 | globalDefault
440 |
441 |
442 |
443 |
444 | The six fields of a PodCondition are _____, status, message, type, lastProbeTime, lastTransitionTime.
445 |
446 | reason
447 |
448 |
449 |
450 |
451 | Pods running as part of a _____ are a set of stateless replicas deployed in random order and given no stable identifiers.
452 |
453 | Deployment
454 |
455 |
456 |
457 |
458 | The six fields of a PodCondition are reason, _____, message, type, lastProbeTime, lastTransitionTime.
459 |
460 | status
461 |
462 |
463 |
464 |
465 | A Pod is in its lifecycle's _____ phase when the Pod has been bound to a Node, all of its Containers have been created and at least one Container is either running, in the process of starting, or restarting.
466 |
467 | Running
468 |
469 |
470 |
471 |
472 | Pods with _____ will be placed in the scheduling queue ahead of lower-priority Pods, but they cannot preempt other Pods. They will stay in the scheduling queue until sufficient resources are free.
473 |
474 | PreemptionPolicy: Never
475 |
476 |
477 |
478 |
479 | The six fields of a PodCondition are reason, status, _____, type, lastProbeTime, lastTransitionTime.
480 |
481 | message
482 |
483 |
484 |
485 |
486 | If a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower _____ Pods to make scheduling of the pending Pod possible.
487 |
488 | Priority
489 |
490 |
491 |
492 |
493 | To control the cascading deletion policy, set the _____ field on the deleteOptions argument when deleting an Object.
494 |
495 | propagationPolicy
496 |
497 |
498 |
499 |
500 | A Pod is in its lifecycle's _____ phase if all its containers have terminated, at least one of which has exited with a non-zero (error) exit code, or was terminated by the system.
501 |
502 | Failed
503 |
504 |
505 |
506 |
507 | A Pod's _____ condition field provides a unique reason for the condition's last transition.
508 |
509 | reason
510 |
511 |
512 |
513 |
514 | A _____ allows templating Pod configuration across many Pods.
515 |
516 | PodPreset
517 |
518 |
519 |
520 |
521 | The role of the garbage collector is to delete objects that no longer have an _____.
522 |
523 | owner
524 |
525 |
526 |
527 |
528 | The values of a Pod's type condition field may equal either _____, Ready, Initialized or ContainersReady
529 |
530 | PodScheduled
531 |
532 |
533 |
534 |
535 | A Kubernetes resource which ensures that all matching Nodes run a copy of a Pod is the _____
536 |
537 | DaemonSet
538 |
539 |
540 |
541 |
542 | When Exited Containers are restarted by the kubelet, they are restarted with an _____ delay capped at 5 minutes, reset after ten minutes of successful execution.
543 |
544 | exponential back-off
545 |
546 |
547 |
548 |
549 | A logical group of containers with shared network and storage and specifications for how to run each container is called a _____
550 |
551 | Pod
552 |
553 |
554 |
555 |
556 | When you delete an object, you can specify whether the object's dependents are also deleted. This is referred to as a _____ deletion.
557 |
558 | cascading
559 |
560 |
561 |
562 |
563 | A Deployment is set to keep 5 Pod replicas running at any given time, and a matching _____ defines that there must always be 4 replicas running at any moment in time. Therefore, one Pod may be voluntarily disrupted by the Eviction API at a time.
564 |
565 | PodDisruptionBudget
566 |
567 |
568 |
569 |
570 | Workload controllers like Deployment or StatefulSet are not limited by PodDisruptionBudgets when doing rolling updates, because the handling of failures during application updates is configured in the _____.
571 |
572 | controller's spec
573 |
574 |
575 |
576 |
577 | In foreground cascading deletion, the root object enters a "deletion in progress" state. The garbage collector then deletes the object's dependents. Once they are gone, it deletes _____.
578 |
579 | the owner object
580 |
581 |
582 |
583 |
584 | If you want to use storage volumes to provide persistence for your workload, you can use a _____. The persistent identity of its Pods allows for matching of existing volumes to any new Pods that replace those Pods that fail in the future.
585 |
586 | StatefulSet
587 |
588 |
589 |
590 |
591 | A Pod can have both an IPv4 and an IPv6 address assigned by enabling _____.
592 |
593 | IPv4/IPv6 dual-stack
594 |
595 |
596 |
597 |
598 | If a _____'s current metric value per replica is 200m, and the desired metric value per replica is 100m, the number of replicas will be doubled.
599 |
600 | HorizontalPodAutoscaler
601 |
602 |
603 |
604 |
605 | The values of a Pod's type condition field may equal either PodScheduled, Ready, _____ or ContainersReady
606 |
607 | Initialized
608 |
609 |
610 |
611 |
612 | Label _____ specify the Pods to which a given PodPreset applies.
613 |
614 | selectors
615 |
616 |
617 |
618 |
619 | A Pod is in its lifecycle's _____ phase when it has been applied to Kubernetes' desired state, but at least one of its Container images has not yet been created, either because the Pod is still being scheduled or is downloading images.
620 |
621 | Pending
622 |
623 |
624 |
625 |
626 | A Pod is in its lifecycle's _____ phase when its containers have terminated in success, and will not be restarted.
627 |
628 | Succeeded
629 |
630 |
631 |
632 |
633 | Critical Pods can be set to rely on scheduler _____ to be scheduled at the cost of less critical Pods when a cluster is under resource pressure.
634 |
635 | preemption
636 |
637 |
638 |
639 |
640 | The possible values for a Pod's status condition field are True, _____ or Unknown.
641 |
642 | False
643 |
644 |
645 |
646 |
647 | Containers within a _____ share storage and network resources.
648 |
649 | Pod
650 |
651 |
652 |
653 |
654 | Once bound to a node, will a Pod ever rebound to another node? _____
655 |
656 | No
657 |
658 |
659 |
660 |
661 | An Object's _____ are the latest available observations of its state, used when the details of an observation are not known a priori, or would not apply to all instances of a given Kind.
662 |
663 | Conditions
664 |
665 |
666 |
667 |
668 | If a deleted Object's dependents were not deleted automatically with their owner, they are considered _____.
669 |
670 | orphaned
671 |
672 |
673 |
674 |
675 | The six fields of a PodCondition are reason, status, message, type, lastProbeTime, _____.
676 |
677 | lastTransitionTime
678 |
679 |
680 |
681 |
682 | When deleting a _____ with kubectl, you can specify the flag --cascade=false, and the Pods will then remain on the nodes.
683 |
684 | DaemonSet
685 |
686 |
687 |
688 |
689 | A quorum-based application must ensure that the number of running replicas is never brought below the minimum required for a quorum. This can be achieved with a _____
690 |
691 | PodDisruptionBudget
692 |
693 |
694 |
695 |
696 | A _____ limits the number of Pods of a workload that are allowed to be down simultaneously from voluntary disruptions.
697 |
698 | PodDisruptionBudget
699 |
700 |
701 |
702 |
703 | _____ indicates the importance of a Pod to be scheduled onto the cluster, relative to other Pods.
704 |
705 | Priority
706 |
707 |
708 |
709 |
710 | Pod Priority and Pod Pre-emption are ignored by Pods scheduled by the _____ controller.
711 |
712 | DaemonSet
713 |
714 |
715 |
716 |
717 | A Deployment is set to keep 5 Pod replicas running at any given time, and a matching PodDisruptionBudget defines that there must always be 4 replicas running at any moment in time. Therefore, _____ Pod may be voluntarily disrupted by the Eviction API at a time.
718 |
719 | one
720 |
721 |
722 |
723 |
724 | A ReplicaSet is linked to its Pods via their metadata._____ field, which allows the ReplicaSet to find the state of its Pods.
725 |
726 | ownerReferences
727 |
728 |
729 |
730 |
731 | A _____ specifies the minimum number of replicas that an application needs running at any given time to work properly.
732 |
733 | PodDisruptionBudget
734 |
735 |
736 |
737 |
738 | StatefulSets do not provide any guarantees on the termination of their Pods when a StatefulSet is deleted. To achieve ordered and graceful termination you must _____ before deleting it.
739 |
740 | scale the StatefulSet down to 0
741 |
742 |
743 |
744 |
745 | Pods take an extra amount of a node's resources, additional to the resources taken by the Pod's containers. This is referred to as _____ and can be configured inside a RuntimeClass API object.
746 |
747 | Pod Overhead
748 |
749 |
750 |
751 |
752 | Normally, Pods are scheduled onto nodes by the Kubernetes scheduler -- except _____ Pods which are created and scheduled by their own workload controller.
753 |
754 | DaemonSet
755 |
756 |
757 |
758 |
759 | A HorizontalPodAutoscaler optimizes a given metric (e.g. CPU utilization) across a set of Pods, increasing or decreasing the number of _____ to achieve it.
760 |
761 | replicas
762 |
763 |
764 |
765 |
766 | Pods running as part of a Deployment are a set of stateless replicas deployed in _____ order and given no stable identifiers.
767 |
768 | random
769 |
770 |
771 |
772 |
773 | _____ API Objects do not apply to objects that can't be scaled, such as DaemonSets
774 |
775 | HorizontalPodAutoscaler
776 |
777 |
778 |
779 |
780 | A Pod's _____ condition field provides a timestamp for when it last transitioned from one status to another.
781 |
782 | lastTransitionTime
783 |
784 |
785 |
786 |
787 | A Pod runs one or more _____.
788 |
789 | Containers
790 |
791 |
792 |
793 |
794 | Unlike a Deployment, a _____ maintains a sticky identity for each of its Pods
795 |
796 | StatefulSet
797 |
798 |
799 |
800 |
801 | Normally, Pods are scheduled onto nodes by the Kubernetes _____ -- except DaemonSet Pods which are created and scheduled by their own workload controller.
802 |
803 | scheduler
804 |
805 |
806 |
807 |
808 | The HorizontalPodAutoscaler API object is implemented as a _____, with a sync period controlled by the kube-controller-manager's --horizontal-pod-autoscaler-sync-period flag.
809 |
810 | control loop
811 |
812 |
813 |
814 |
815 | Pods in the Pending state wait to be scheduled onto the cluster by the Kubernetes Scheduler. An exception to this is Pods running as part of a _____, which are scheduled by the _____ controller.
816 |
817 | DaemonSet
818 |
819 |
820 |
821 |
822 | Pod _____ repels Pods from each other. For example, an _____ to replicas of the same Pod on one Node can help spread your replicas evenly across the cluster.
823 |
824 | anti-affinity
825 |
826 |
827 |
828 |
829 | The HorizontalPodAutoscaler controller operates on the ratio between _____ and desired metric values.
830 |
831 | current
832 |
833 |
834 |
835 |
836 | If a HorizontalPodAutoscaler's current metric value per replica is 200m, and the desired metric value per replica is 100m, the number of replicas will be _____.
837 |
838 | doubled
839 |
840 |
841 |
842 |
843 | A _____ can run a monitoring daemon on every node.
844 |
845 | DaemonSet
846 |
847 |
848 |
849 |
850 | Pod anti-affinity repels Pods from each other. For example, an anti-affinity to replicas of the same Pod on one _____ can help spread your replicas evenly across the cluster.
851 |
852 | Node
853 |
854 |
855 |
856 |
857 | The values of a Pod's type condition field may equal either PodScheduled, _____, Initialized or ContainersReady
858 |
859 | Ready
860 |
861 |
862 |
863 |
864 | A PodPreset API Object injects additional runtime requirements into label-selected _____ at their creation time.
865 |
866 | Pods
867 |
868 |
869 |
870 |
871 | PreemptionPolicy defaults to _____, which will allow pods of that PriorityClass to preempt lower-priority pods (as is existing default behavior).
872 |
873 | PreemptLowerPriority
874 |
875 |
876 |
877 |
878 | The _____ controller provides a time-to-live mechanism which limits the lifetime of workload objects that have finished execution.
879 |
880 | TTL
881 |
882 |
883 |
884 |
885 | _____ start and stop Pod replicas in a specific order.
886 |
887 | StatefulSets
888 |
889 |
890 |
891 |
892 | A Pod's _____ represents where the Pod is in its lifecycle.
893 |
894 | phase
895 |
896 |
897 |
--------------------------------------------------------------------------------
/mkdocs.yml:
--------------------------------------------------------------------------------
1 | site_name: Kubernetes FAQ
2 | site_url: https://koletyst.github.io/kubernetes-faq
3 | site_author: koletyst
4 | site_description: Learn Kubernetes, flashcards, CKA, CKAD, interview questions.
5 |
6 | repo_url: https://github.com/koletyst/kubernetes-faq/
7 | repo_name: kubernetes-faq
8 |
9 | theme:
10 | favicon: favicon.png
11 | icon:
12 | logo: material/kubernetes
13 | custom_dir: overrides
14 | features:
15 | - header.autohide
16 | name: material
17 | palette:
18 | - scheme: default
19 | toggle:
20 | icon: material/toggle-switch-off-outline
21 | name: Switch to dark mode
22 | - scheme: slate
23 | toggle:
24 | icon: material/toggle-switch
25 | name: Switch to light mode
26 |
27 | extra:
28 | social:
29 | - icon: fontawesome/brands/twitter
30 | link: https://twitter.com/koletyst
31 | name: koletyst on Twitter
32 | - icon: fontawesome/brands/github
33 | link: https://github.com/koletyst
34 | name: koletyst on GitHub
35 | - icon: fontawesome/brands/linkedin
36 | link: https://www.linkedin.com/company/koletyst
37 | name: koletyst on LinkedIn
38 |
39 | copyright: "© 2020-2023 @koletyst"
40 |
--------------------------------------------------------------------------------
/overrides/main.html:
--------------------------------------------------------------------------------
1 | {% extends "base.html" %}
2 |
--------------------------------------------------------------------------------