/README.md:

# Interview Questions Set for Kubernetes
## Mamun Rashid
## https://www.linkedin.com/in/mamunrashid/
#### Please follow me OR connect with me on Linkedin
#### Number of questions: 289 (as of 2023.02.05)

/kubernetes_interview_questions.md:

# ................... 288 Kubernetes Interview Questions ....................

## By Mamun Rashid :: https://www.linkedin.com/in/mamunrashid/

### Last Updated: 2023.02.05

#### 1. So, what have you done with Kubernetes? This question comes up all the time!

##### Answer:

##### While this seems easy, a prepared and practiced answer is significantly better than an impromptu one.

##### Your answer would be unique to your experience, but here are some possibilities.

###### a. created clusters
###### b. upgraded master and nodepool versions
###### c. upgraded legacy monitoring
###### d. added Istio (Kiali)
###### e. added weave
###### f. deployed via helm charts
###### g. healthcheck scripts for various workloads
###### h. deployed spinnaker
###### i. configured HPA
###### j. day to day: configmaps, secrets, PVs, PVCs
###### k. troubleshot operational issues
###### l. stateful sets
###### m. created CSRs and signed certificates

## ......

#### 2. You have 2 different contexts (A and B). Context A has a secret named foo. Context B does not. What would be a quick way to create the same exact secret in Context B?

Answer:
1. Switch to Context A
2. Export the secret:
kubectl get secret foo -o yaml > foo.yaml
3. Switch to Context B
4. kubectl apply -f foo.yaml

## .

## ......

#### 3. There is more than one way to implement Ingress. What did you use to implement Ingress?

Answer: Ingress is IMPLEMENTED by Ingress Controllers. There are at least 12.
The most common is a Load Balancer (GCP/AWS).
Another popular one is the Nginx Ingress Controller.
See below for a longer list. (Question #8)

## .

## ......

#### 4. Why do we need Kubernetes? What problems does it solve?

Answer: As soon as we decide to use docker/containers as a platform, we run into new issues such as:
a. orchestration
b. inter-container communication
c. autoscaling
d. observability
e. security
f. persistent and/or shared volumes
and more

Kubernetes solves these problems.

## .

## ......

#### 5. What is the difference between Ingress and Ingress Controller?

Answer: The Ingress Controller FULFILLS the Ingress requirements.
Defining an Ingress has no actual impact on traffic.
Traffic is only acted upon once you have created an Ingress Controller (e.g. Load Balancer or Nginx Ingress Controller).

## .

## ......

#### 6. Most common type of Ingress Controller?

Answer: Load Balancers

## .

## ......

#### 7. Kubernetes as a project supports and maintains which 3 Ingress Controllers?

Answer: AWS, GCE, and nginx ingress controllers.
(This is straight from the Kubernetes documentation)

## .

## ......

#### 8. Besides those 3, what other ingress controllers are there?

Answer: From: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/

a. HA Proxy
b. Istio Ingress
c.
Traefik Kubernetes Ingress Provider
d. Skipper
e. Voyager
f. Tyk Operator
g. Gloo (open source)
h. AKS Application Gateway Ingress Controller (Azure)
i. Ambassador (envoy-based)
j. Enroute (another envoy-based Ingress Controller)
(and more)

## .

## ......

#### 9. How would one start up a Kubernetes cluster to deploy containers/pods on (in GCP)?

Answer:
a. via GCP GUI OR
b. via GCP cloud shell window OR
c. gcloud CLI
d. Terraform
e. Google Deployment Manager

## .

## ......

#### 10. If a container keeps crashing, how do you troubleshoot?

Answer: You can use the --previous option with the logs command to see the logs of a crashed container.
(kubectl logs --previous)

## .

## ......

#### 11. What happens to containers if they use too much cpu or memory?

Answer: if they use too much memory, they are evicted.
if they use too much cpu, they are throttled.

## .

## ......

#### 12. How do you manage scaling in Kubernetes?

Answer:
This article answers it very well:
https://www.replex.io/blog/kubernetes-in-production-best-practices-for-cluster-autoscaler-hpa-and-vpa

a. hpa for pods (horizontal pod autoscaler)
b. vpa for pods (vertical pod autoscaler)
c. Cluster Autoscaler:
The cluster autoscaler is a Kubernetes tool that increases or decreases the size of a Kubernetes cluster (by adding or removing nodes), based on the presence of pending pods and node utilization metrics.

## .

## ......

#### 13. How have you used RBAC with Kubernetes?

Answer: The answer will depend on your use case. One possible answer is to have Service Accounts that do certain things within the cluster.
By the way, RBAC in Kubernetes is analogous to AWS IAM policies and bindings. In RBAC, you have subjects (who gets the permission), verbs (what the subject can actually do), roles (which verbs on which resources) and rolebindings (linking subjects to roles).

## .

## ......

#### 14. If you have 200 micro-services in your clusters, how do you manage security of each one? How do you avoid toil?

Answer: RBAC is the answer. You define roles, and you place subjects in those roles. Each role then will have access to X, Y, Z, etc. This is really no different from AWS or AD.

## .

## ......

#### 15. Tell me about the hardest production Kubernetes issue you solved or faced.

Answer:

Your answer will be unique to your experience. But here is a hypothetical answer.

There are N micro-services. One of them gets a new version, but the HPA for those pods is set wrong. The containers keep crashing. This causes cascading failures for many other micro-services.
Solution: Fix the HPA settings and add circuit-breakers in the consuming micro-services.

## .

## ......

#### 16. You want to know how to make yaml files for making PODs and you have no access to the internet. What do you do?

Answer: kubectl explain pod --recursive

It will show you all fields in a mapped kind of format so you know exactly which field goes where.

Similarly: kubectl explain pv --recursive (for PVs)

## .

## ......

#### 17. How can you have SSL certificates in Kubernetes?

Answer: An SSL cert can be a secret. Then that secret can be mounted on a pod and that pod can do whatever it wants with it (e.g. host an SSL web site).

## .

## ......

#### 18. Opensource Tool to switch contexts easily:

Answer: kubectx

## .

## ......
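Questions 13 and 14 describe RBAC in words (subjects, verbs, roles, bindings). The manifest below is an added example, not from the original page, showing the three objects together for a least-privilege service account. The namespace "payments", the account "order-reader" and the role "pod-log-reader" are assumed names chosen for illustration.

```yaml
# Added example (not from the original page): least-privilege RBAC for a
# service account. All names (namespace "payments", account "order-reader",
# role "pod-log-reader") are assumptions for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: order-reader
  namespace: payments
automountServiceAccountToken: false   # pods opt in to a token instead of all getting one
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # Role is namespaced; ClusterRole would be cluster-wide
metadata:
  name: pod-log-reader
  namespace: payments
rules:
- apiGroups: [""]                     # "" is the core API group (pods, secrets, configmaps ...)
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]     # read-only: no create/update/delete, and no "secrets"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                     # the binding links the subject to the role
metadata:
  name: order-reader-can-read-logs
  namespace: payments
subjects:
- kind: ServiceAccount
  name: order-reader
  namespace: payments
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
```

After kubectl apply -f rbac.yaml, the binding can be checked without running anything as that account: kubectl auth can-i get pods/log --as=system:serviceaccount:payments:order-reader -n payments should answer yes, and the same command with "get secrets" should answer no. The 200-microservice case from question 14 is the same pattern repeated with one service account and one narrow Role per workload.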
#### 19. Opensource menu-driven text-based flexible Tool to manage Kubernetes everything:

Answer: k9s

## .

## ......

#### 20. The "kubectl explain" command is great, but you must know the exact name of the resource (e.g. pod/services/persistentvolume) to get the details, unless you do recursive. How do you get the names of these resources from the command line?

Answer: kubectl api-resources (gives you a list, shortnames and more)

## .

## ......

#### 21. Name some of the other verbs that kubectl has besides "run", "create" or "apply".

Answer: There are many! Some examples below:

expose, set, explain, get, edit, delete, rollout, scale, autoscale
certificate, cluster-info, top, cordon, uncordon, drain, taint
describe, logs, attach, exec, port-forward, proxy, cp, auth, debug
diff, apply, patch, replace, wait, kustomize, label, annotate,
completion, api-resources, api-versions, config, plugin, version

Some of the more frequently used ones are: logs, get, port-forward and label.

## .

## ......

#### 22. What might you get when you run kubectl api-resources?

Answer: api-resources is a fancy term. Basically you get stuff like pods/secrets/config-maps, all that stuff.

## .

## ......

#### 23. How else can you get help with kubectl? (besides the kubectl explain command)

Answer: kubectl --help is actually better than kubectl explain in my opinion.

## .

## ......

#### 24. You ran "kubectl --help", but you want a little more help. What to do?

Answer:
kubectl get --help
kubectl top --help
kubectl describe --help

## .

## ......

#### 25.
Outline the steps to deploy an additional scheduler on a Kubernetes cluster (not GKE).

Answer:
Package the new scheduler in a docker image
Put that image in a registry
Create a deployment file with type: deployment and component: scheduler (in namespace kube-system)
Deploy the scheduler with the kubectl apply -f scheduler.yaml command

## .

## ......

#### 26. List out 2 use cases for Daemonsets and explain why it is more appropriate to use a daemonset than a deployment for those use cases:

Answer:
1. Pod that collects logs. Better to use daemonsets for this because you want logs to be fed from all pods (e.g. to kibana). Otherwise you have to make this part of EVERY deployment, which would be annoying and repetitive.
2. Pod that runs monitoring (e.g. dynatrace or datadog). The reason is the same as above.

## .

## ......

#### 27. How to move workload to a new nodepool?

Answer: cordon and drain
1. cordon means: don't add any more pods to this nodepool
2. drain means: move current pods out of it

## .

## ......

#### 28. Is ClusterIP private or public?

Answer: Private

## .

## ......

#### 29. Which one will allow access to your services from the internet: cluster ip or nodeport?

Answer: nodeport. confirmed!
Why? Because a NODE is a VM with an external IP and thus can be reached.
A Cluster IP is a 10.x IP (internal)

## .

## ......

#### 30. For a service, when we use nodeport, EVERY node does what?

Answer: Gives that service an IP and proxies it. confirmed

## .

## ......

#### 31. What does it mean when we say that a node proxies a service?

Answer: The node forwards the traffic to a pod that is part of the service.
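Question 26 gives log collection as the classic DaemonSet use case. The manifest below is an added example, not from the original page, of what such a DaemonSet looks like when written with the least access it needs: one pod per node, its own service account, and a read-only mount of the node's log directory. The namespace "logging", the name "log-collector" and the image tag are assumptions.

```yaml
# Added example (not from the original page): a log-collecting DaemonSet.
# Namespace, names and the image tag are assumptions; the point is one pod
# per node with read-only access to the node's logs.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: log-collector
  namespace: logging
spec:
  selector:
    matchLabels:
      app: log-collector
  template:
    metadata:
      labels:
        app: log-collector
    spec:
      serviceAccountName: log-collector   # its own identity, not the namespace "default" account
      tolerations:
      - key: node-role.kubernetes.io/control-plane   # also run on tainted control-plane nodes
        operator: Exists
        effect: NoSchedule
      containers:
      - name: collector
        image: fluent/fluent-bit:2.0      # placeholder tag; pin a digest in production
        resources:                        # bound the agent so it cannot starve node workloads
          requests: {cpu: 100m, memory: 100Mi}
          limits: {memory: 200Mi}
        volumeMounts:
        - name: varlog
          mountPath: /var/log
          readOnly: true                  # the collector only ever needs to read host logs
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
```

A Deployment with the same pod template would give you N replicas on whichever nodes the scheduler picks, not one per node, which is why the DaemonSet is the right controller here. The hostPath mount is the sensitive part: it is read-only, and the pod gets no other host access, so a compromised collector can read logs but not alter the node.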
## .

## ......

#### 32. 2 ways to let a container have access to a secret:

Answer: Volume and ENV variable

## .

## ......

#### 33. How can a container have access to a secret via an ENV variable?

Answer: You can define an ENV in the yaml file just like everything else and the container can just do echo $WHATEVER

## .

## ......

#### 34. One-liner kubectl command to run a pod with nginx:alpine

Answer: k run nginx-pod --image=nginx:alpine

(nginx-pod is an arbitrary pod name)

## .

## ......

#### 35. One-liner command to run a pod with a label

Answer: kubectl run foobar --image=redis:alpine -l label1=foo

## .

## ......

#### 36. kubectl command to show labels of all pods in the default namespace:

Answer: kubectl get pods --show-labels

## .

## ......

#### 37. Whenever you run a kubectl command, it runs in the default namespace. How do you make it run in a different namespace?

Answer: use -n namespace_name (with whatever kubectl command you are running.)

## .

## ......

#### 38. Command to create a namespace:

Answer: kubectl create ns foobar # create a namespace

## .

## ......

#### 39. When using a kubectl command, how do you get output in json format?

Answer: kubectl get nodes -o json # json format

## .

## ......

#### 40. kubectl expose command: port VS targetport: (which one is which?)

Answer:
port: on the cluster
targetport: on the container (just like ALB)

## .

## ......

#### 41.
Command to expose a pod as a service

Answer: kubectl expose pod foobarpod --name foobarservice --port 6379 --target-port 6379 # expose a pod as a service
(NOTE the service name is specified: foobarservice)

## .

## ......

#### 42. Command to get details of a service:

Answer: kubectl describe svc foobarservice # get details of that service

## .

## ......

#### 43. Command to create a deployment from image: foobar/webapp-color

Answer: kubectl create deployment foobardeployment --image=foobar/webapp-color

## .

## ......

#### 44. Command to scale a deployment named foobardeployment to 2 replicas

Answer: kubectl scale deployment foobardeployment --replicas=2 # scale that to 2 replicas

## .

## ......

#### 45. Can you scale a kubernetes service?

Answer: No. You can scale deployments and replicasets.

## .

## ......

#### 46. If you want your kubernetes command to have a scope of ALL namespaces, how do you do that?

Answer: add -A to the command

## .

## ......

#### 47. Are environment variables encrypted in Kubernetes?

Answer: No

## .

## ......

#### 48. By default, can a pod in one namespace talk to another pod in another namespace?

Answer: Yes.

## .

## ......

#### 49. How to generate a yaml file from an imperative command you know works?

Answer: add: --dry-run=client -o yaml

## .

## ......

#### 50. Write a kubectl command to create a static pod, have it run a command (so it does not exit).
Dry-run so that you get the yaml file saved:

Answer: kubectl run static-busybox --image=busybox --dry-run=client -o yaml --command -- sleep 1000 > static-pod-busybox.yaml

## .

## ......

#### 51. By default, where do the yaml files for static PODs go?

Answer: /etc/kubernetes/manifests/ (on the node)

## .

## ......

#### 52. What is a static pod?

Answer: This is from the official documentation: Static Pods are managed directly by the kubelet daemon on a specific node, without the API server observing them.

## .

## ......

#### 53. Kubectl command to take all the details from a.yaml and create the resource it tells the API to create:

Answer: kubectl apply -f a.yaml

## .

## ......

#### 54. Kubectl command to list all the pods in the foo namespace:

Answer: kubectl get pods -n foo

## .

## ......

#### 55. There is a pod named foo. It is in CrashLoopBackOff state. How do you find the cause using a kubectl command?

Answer: kubectl describe pod foo # to see why it is in CrashLoopBackOff state

What you might see is, for example, that the container's "command" has a misspelling in it. (Just an example)

## .

## ......

#### 56. Scenario Question: You have a container that keeps crashing because its "command" section has a misspelling. How do you fix this?

Answer:
1. generate the yaml file,
2. fix it,
3. kill the pod,
4. re-run with the correct yaml file (kubectl apply -f)

## .

## ......

#### 57. How to get a yaml file out of a running/crashing pod?

Answer: kubectl get pod foo -o yaml > foo.yaml

## .
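Questions 32, 33 and 47 above cover the two ways a container gets a secret and the fact that environment variables are not encrypted. The manifest below is an added example, not from the original page, showing one Secret consumed both ways side by side so the difference in exposure is visible. The secret name "db-creds", the pod name "app" and the value "hunter2" are constructed for illustration.

```yaml
# Added example (not from the original page): one Secret consumed two ways.
# Names ("db-creds", "app") and the value are constructed for illustration.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
data:
  # base64 is encoding, not encryption: `echo -n hunter2 | base64` -> aHVudGVyMg==
  # anyone allowed to "get secrets" in this namespace can decode it
  password: aHVudGVyMg==
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
  - name: app
    image: nginx:alpine
    env:
    # 1) ENV variable: readable by every process in the container (printenv),
    #    inherited by child processes, and easily leaked into logs and crash reports.
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-creds
          key: password
    volumeMounts:
    # 2) Volume: the key becomes the file /etc/creds/password, held on tmpfs on
    #    the node; it is refreshed when the Secret changes, the env var is not.
    - name: creds
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: db-creds
      defaultMode: 0400        # file readable only by the container's user
```

With both in place, kubectl exec app -- printenv DB_PASSWORD and kubectl exec app -- cat /etc/creds/password print the same value, which is the point: the Secret object protects the value at the API (RBAC) and in etcd (encryption at rest, if enabled), not inside the container. The volume form is preferred because the value stays out of the process environment and can be rotated without restarting the pod.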
## ......

#### 58. How to terminate a running pod?

Answer: kubectl delete pod foo

## .

## ......

#### 59. Command to see a list of running pods in the default namespace:

Answer: kubectl get pods

## .

## ......

#### 60. Kubectl command to make a new yaml file for a service by exposing an already running deployment that runs a pod. Name of the deployment: foo.

Answer: kubectl expose deployment foo --name foo-service --type=NodePort --port 8080 --target-port=8080 --dry-run=client -o yaml > svc.yaml

## .

## ......

#### 61. jsonpath example of getting "everything" (about nodes). This is not really an interview question, but it's good to know this in case the JSON PATH topic comes up.

Answer: kubectl get nodes -o jsonpath='{.items[*]}' # everything, so tons of data
* The thing to remember is that the syntax starts out like awk (single quote and squiggly bracket) and then follows dots for JSON levels and [] for lists.

## .

## ......

#### 62. jsonpath example of getting just the level "status" for all nodes

Answer: kubectl get nodes -o jsonpath='{.items[*].status}' # quite a bit of data comes back

## .

## ......

#### 63. jsonpath command to get only status.nodeInfo of each node. This is not really an interview question, but it's good to know this in case the JSON PATH topic comes up.

Answer: kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo}' # better, more manageable amount of data

## .

## ......

#### 64. Your computer has no access to the internet.
Which kubectl command can you use to find out the syntax for making a pv.yaml?

Answer: kubectl explain pv --recursive # to find out the syntax for making a pv.yaml

## .

## ......

#### 65. What is the difference between PV and PVC?

Answer: A PV is basically a disk volume of some sort. A PVC is a link between that volume and a pod.

## .

## ......

#### 66. Kubectl command to get a list of PVs

Answer: kubectl get pv

## .

## ......

#### 67. Kubectl command to get detail about a PV

Answer: kubectl describe pv foo

## .

## ......

#### 68. How does the Master server authenticate itself to etcd?

Answer: It makes a call to etcd (which runs on localhost in most cases). To do that, it authenticates itself with etcd using 2 certs and 1 key,
AND then sends commands to etcd.
On the master node, the file that has these configs is at: /etc/kubernetes/manifests/etcd.yaml
That file in turn points to the 2 cert files and 1 key file.

## .

## ......

#### 69. Some example commands the master server can send to etcd (once authenticated with certs and key):

Answer:
member list
snapshot save /tmp/etcd-backup.db
snapshot status /tmp/etcd-backup.db -w table

## .

## ......

#### 70. Steps to create a pod called foo with image redis with CPU Request set to 2 CPU and memory Request as 400MiB

Answer:
a. first create a yaml file: (dry-run command)
kubectl run foo --image=redis --dry-run=client -o yaml > foo.yaml
b. edit the yaml file:
in the resources section of the "spec" section:
resources:
  requests:
    cpu: 2
    memory: 400Mi
c. kubectl apply -f ./foo.yaml

## .

## ......
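Questions 68 and 69 above describe the etcd static pod manifest and the "2 certs and 1 key" without showing them. The manifest below is an added example, not from the original page, trimmed down to the TLS-related flags of the kind found in /etc/kubernetes/manifests/etcd.yaml on a kubeadm control-plane node. The certificate paths are the kubeadm defaults; the IP 10.0.0.10 and the image tag are placeholders.

```yaml
# Added example (not from the original page): a trimmed-down etcd static pod
# manifest of the kind found at /etc/kubernetes/manifests/etcd.yaml. Paths are
# kubeadm defaults; the IP 10.0.0.10 and the image tag are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: etcd
    image: registry.k8s.io/etcd:3.5.6-0
    command:
    - etcd
    - --data-dir=/var/lib/etcd
    - --listen-client-urls=https://127.0.0.1:2379,https://10.0.0.10:2379
    - --advertise-client-urls=https://10.0.0.10:2379
    # client-facing TLS: serve HTTPS and REQUIRE a client cert signed by the CA.
    # These three files are the "2 certs and 1 key": CA cert, server cert, server key.
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --client-cert-auth=true
    # peer-facing TLS (etcd members talking to each other), same idea
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --peer-client-cert-auth=true
    volumeMounts:
    - name: etcd-certs
      mountPath: /etc/kubernetes/pki/etcd
      readOnly: true
    - name: etcd-data
      mountPath: /var/lib/etcd
  volumes:
  - name: etcd-certs
    hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
  - name: etcd-data
    hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
```

Because of --client-cert-auth=true, the commands from question 69 must present a certificate signed by that CA, for example: ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key snapshot save /tmp/etcd-backup.db. Switching the URLs to http:// and dropping these flags is the "etcd over HTTP" setup: every secret in the cluster would then cross the wire in plaintext, readable by anything on the node network.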
#### 71. True or False: The POD DEFINITION (yaml) ONLY points to the PVC (claim); it does not refer to the PV anywhere.

Answer: True

## .

## ......

#### 72. Kubectl command to create a deployment with busybox version 1.13

Answer: kubectl create deployment foo-deploy --image=busybox:1.13 --replicas=1 --record # create deployment w busybox 1.13

## .

## ......

#### 73. kubectl command to look at a deployment's history:

Answer: kubectl rollout history deployment foo-deploy # look at deployment's history

## .

## ......

#### 74. kubectl command to change the image version of a deployment on the fly:

Answer: kubectl set image deployment/foo-deploy busybox=busybox:latest --record # CHANGE THE IMAGE VERSION (container name is "busybox", taken from the image name)

## .

## ......

#### 75. Kubectl command to get a list of existing deployments

Answer: kubectl get deployments

## .

## ......

#### 76. Why do you need certificates in Kubernetes, anyway?

Answer: For one thing, the API server won't talk to you if you don't have a signed client certificate. So any client who wants to do ANYTHING with the API server (e.g. even kubectl) had better have a signed certificate!

Please read: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/

## .

## ......

#### 77. Why do .csr files have the CSR extension? What is CSR all about?

Answer: CSR = Certificate Signing Request.
For example, A needs B to give A a signed certificate SO THAT A can later talk to B using that certificate.
A will send a CSR (Certificate Signing Request) to B. The file that A sends to B will be the CSR and thus will have the .csr extension.
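The A-to-B exchange in question 77, carried through the Kubernetes certificate API, as an added example that is not from the original page. The user name "jane", the group "developers" and the file names are assumptions; the openssl and kubectl commands in the comments are the ones a practitioner would type around this manifest.

```yaml
# Added example (not from the original page): a CertificateSigningRequest
# for a client certificate. "jane", "developers" and the file names are assumptions.
#
# A (the user) generates a key and a CSR locally; the private key never leaves A:
#   openssl genrsa -out jane.key 2048
#   openssl req -new -key jane.key -out jane.csr -subj "/CN=jane/O=developers"
# The CSR is base64-encoded on one line and pasted into spec.request:
#   base64 -w0 jane.csr
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: jane-csr
spec:
  request: "<BASE64_OF_jane.csr_ON_ONE_LINE>"      # placeholder; paste the encoded CSR here
  signerName: kubernetes.io/kube-apiserver-client   # B = the cluster CA used for API clients
  expirationSeconds: 86400                          # short-lived (1 day); re-issue rather than hoard
  usages:
  - client auth                                     # only usable to authenticate TO the API server
```

After kubectl apply -f jane-csr.yaml, kubectl get csr shows the request as Pending; an approver should first inspect it with kubectl get csr jane-csr -o jsonpath='{.spec.request}' | base64 -d | openssl req -text -noout, because the CN becomes the Kubernetes username and the O becomes the group, and those are exactly what any later RoleBinding grants rights to. Only then kubectl certificate approve jane-csr, and the signed certificate is read back with kubectl get csr jane-csr -o jsonpath='{.status.certificate}' | base64 -d > jane.crt. The certificate authenticates jane; it authorizes nothing until an RBAC binding names her.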
Please read: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/

## .

## ......

#### 78. Why does Kubernetes have a certificate API?

Answer: So that the certificate signing process can be automated end to end.

## .

## ......

#### 79. What's an easy way to look up the Kubernetes documentation on the fly simply using a kubectl command?

Answer: kubectl explain

## .

## ......

#### 80. Kubernetes Security: What are some of the ways you can protect your container images?

Answer:
a. Update them (to get the latest security patches at the OS level)
b. Scan them regularly
c. Sign them digitally

## .

## ......

#### 81. Can you think of some general areas of Kubernetes where you would want to think about security?

Answer:
a. Your container images
b. Your container registry
c. Your Kubernetes runtime infrastructure (e.g. etcd)
d. Hosts (where Kubernetes nodes are running)
e. Kubernetes Secrets
f. Kubernetes Certificates
g. RBAC entities

## .

## ......

#### 82. Processes within a container: how do they (security-wise) talk to the API server running on the master node?

Answer: Using a Kubernetes Service Account

## .

## ......

#### 83. What does the base64 command do?

Answer: it "encodes" a file or strings.

Note: The reason why this is related to Kubernetes is that sometimes you use this command to encode something before putting it in the yaml file.

## .

## ......

#### 84. How do you generate a CSR within the Kubernetes system?

Answer:
a.
create a .csr file using the openssl command (and a private key, but that does not matter to Kubernetes)
b. encode it
c. create a yaml file (Kind: CertificateSigningRequest) using the encoded CSR
d. kubectl apply -f CertificateSigningRequest.yaml

## .

## ......

#### 85. If you have created a CertificateSigningRequest, but you have not approved it yet, what status do you get if you run the "kubectl get csr" command?

Answer: You will see that the request is in "Pending" state.

## .

## ......

#### 86. Command to approve a CSR?

Answer: kubectl certificate approve foo-csr

Example output: certificatesigningrequest.certificates.k8s.io/foo-csr approved

## .

## ......

#### 87. Kubectl command to create a role:

Answer: kubectl create role

A detailed example: kubectl create role foo --resource=pods --verb=create,list,get,update,delete --namespace=development
role.rbac.authorization.k8s.io/foo created

## .

## ......

#### 88. Command to describe a role:

Answer: kubectl describe role foo -n foo_namespace

## .

## ......

#### 89. Why is it important to keep etcd secure and encrypted?

Answer: The etcd data store holds all your Kubernetes data, including Kubernetes secrets.

## .

## ......

#### 90. Which component of Kubernetes has to have a "certificate authority"?

Answer: Master Node (because clients will authenticate with the API server using client certificates)

## .

## ......

#### 91. 3 Steps for creating a CA (Certificate Authority) on the master node?

Answer: (On a managed Kubernetes like GKE and EKS, you don't need to do this):
a.
create a private key
b. create a CSR
c. self-sign the CSR

## .

## ......

#### 92. Can you run etcd over HTTP?

Answer: Yes, but it is a horrible idea; basically all traffic to and from etcd will not be encrypted.

## .

## ......

#### 93. Command to insert a Key-Value pair (foo=bar) into etcd?

Answer: etcdctl put foo "bar"

## .

## ......

#### 94. When you tell Kubernetes to run a pod, who decides which node gets that pod?

Answer: The Scheduler

## .

## ......

#### 95. What if you don't like the default scheduler that comes with Kubernetes?

Answer: You can always run your own scheduler.

## .

## ......

#### 96. If a node has a taint, what do you have to do to your pod for it to be able to run on that node?

Answer: You have to give the pod a matching toleration.

## .

## ......

#### 97. If you want a pod to run on a specific node, which feature do you have to use?

Answer: Node Affinity

## .

## ......

#### 98. If we already have a liveness probe, why do we need a readiness probe?

Answer: There are times when a container fails the liveness probe and yet we do not want the container to be killed. For example, if a container takes time to become ready (loads a large data set). In this case, the liveness probe would fail and (without a readiness probe) Kubernetes would kill the container. A readiness probe tells Kubernetes to wait for the container to finish doing all its prep work.

## .

## ......

#### 99. What does it mean for Kubernetes to drop support for Docker?
Answer: The best answer is given here: https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/ . The summary is that you would have to switch to another runtime (e.g. containerd or CRI-O) by the time Kubernetes 1.22 comes around.

## .

## ......

#### 100. What is a "logging driver"?

Answer: Docker has the ability to send logs to various places (e.g. awslogs or fluentd and many more). Each one of these is a logging driver.

## .

## ......

#### 101. Which component collects and aggregates the metrics?

Answer: cAdvisor (which is part of the kubelet on worker nodes).
Those are then sent to the Metrics Server (running on master nodes).
The Metrics Server exposes them via kube-api (also running on the master node).

## .

## ......

#### 102. When you run "kubectl top", which component are you talking to?

Answer: kube-api (which gets its data from the metrics server)

## .

## ......

#### 103. By default, a container runs with what UID?

Answer: 0 (i.e. root). This can be potentially bad, in case the container is somehow able to get hold of the host OS.

## .

## ......

#### 104. What is the idea behind "Security Context"?

Answer: The Security Context is what level of permissions we give the container as it runs. By default, it runs with UID 0, which is potentially bad. By using runAsUser, runAsGroup and fsGroup,
we can limit what the container can do on the host. This is the "Security Context".

## .

## ......

#### 105. What is the "Ambassador Pattern"?

Answer: When the sidecar proxies the connections from the main container to the outside world.

## .
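Questions 103 and 104 above name runAsUser, runAsGroup and fsGroup. The manifest below is an added example, not from the original page, showing the same container twice: once with no securityContext (so it runs as UID 0), and once with the pod-level and container-level settings a restrictive policy would expect. The pod names, the UID 10001 and the unprivileged nginx image are assumptions.

```yaml
# Added example (not from the original page): the default (root) pod beside a
# hardened one. Pod names, UID 10001 and the image are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: web-default
spec:
  containers:
  - name: web
    image: nginx:alpine   # no securityContext: runs as UID 0 unless the image says otherwise
---
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened
spec:
  securityContext:                 # pod level: applies to all containers and mounted volumes
    runAsNonRoot: true             # kubelet refuses to start a container that would be UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001                 # volumes are group-owned by 10001 so the user can use them
    seccompProfile:
      type: RuntimeDefault         # the container runtime's default syscall filter
  containers:
  - name: web
    image: nginxinc/nginx-unprivileged:alpine   # built to listen on 8080 as a non-root user
    ports:
    - containerPort: 8080
    securityContext:               # container level: narrows the pod-level settings further
      allowPrivilegeEscalation: false   # setuid binaries cannot gain privileges
      readOnlyRootFilesystem: true      # a compromised process cannot modify the image
      capabilities:
        drop: ["ALL"]                   # no NET_RAW, no CHOWN, nothing
    volumeMounts:
    - name: tmp
      mountPath: /tmp              # the only writable path, since the root fs is read-only
  volumes:
  - name: tmp
    emptyDir: {}
```

kubectl exec web-default -- id prints uid=0(root), while kubectl exec web-hardened -- id prints uid=10001; trying to bind port 80 or write to /etc in the hardened pod fails, which is the intended outcome. The combination runAsNonRoot, allowPrivilegeEscalation: false, capabilities drop ALL and a seccomp profile is what the built-in Pod Security "restricted" level checks, so a pod written this way also passes that admission policy.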
## ......

#### 106. What is the "Adapter Pattern"?

Answer: When the sidecar re-formats the output of the application running in the main container to another desired format.
This way, you don't have to re-write the application code when there is a need to re-format the output for some other system to consume.

## .

## ......

#### 107. Can you describe a use-case where the ambassador pattern can be of use?

Answer: If you have a legacy application which cannot be modified, BUT you have a need to change the port on which this app listens, the ambassador container can listen on the new port and pass on the traffic to the old port, which did not get modified.

## .

## ......

#### 108. What is the difference between a label and a selector?

Answer: Labels are basically tags. Selectors use key-value pairs to pick out objects (e.g. pods) to work on.

## .

## ......

#### 109. What is a network policy in Kubernetes?

Answer: A network policy is equivalent to a Security Group in AWS. You define who can talk to whom via a network policy.

## .

## ......

#### 110. Network Policies often rely on what?

Answer: labels and selectors

## .

## ......

#### 111. When do maxSurge and maxUnavailable come into play?

Answer: In Rolling Updates of Deployments.
maxSurge tells Kubernetes how many (or what percent) extra pods it can create during a rolling update.
maxUnavailable tells Kubernetes how many (or what percent) pods can be unavailable during the rolling update.

## .

## ......

#### 112. Why do we need HPA when we already have maxSurge and maxUnavailable?
Answer: HPA is an autoscaling thing. maxSurge and maxUnavailable only apply during rolling updates.

## .


## ......

#### 113. Difference between Service Port and Target Port?

Answer: Service Port is where users come to get the micro-service. Target Port is the port of the container/pod where the application listens and is exposed.

## .


## ......

#### 114. You are configuring a service and you have made a mistake with labels and/or selectors. How does this often manifest itself?

Answer: You will see the service and there will be no endpoint.

## .


## ......

#### 115. You are logged in to a context via kubectl on your Mac. How can you see if you have permission to update pods?

Answer: kubectl auth can-i update pods
(You get back: yes)

## .


## ......

#### 116. Let's say you manage 100 GKE Clusters. You want to run a kubectl command. How do you make sure your command will be executed on the right cluster?

Answer: You will have 100 contexts (one for each cluster you have logged in to). You must switch to the right context before running the command. There is an open-source CLI tool called kubectx that helps you with this.

## .


## ......

#### 117. What is a super quick way to create a service?

Answer: Using a kubectl expose command

Example: kubectl expose pod foopod --name=fooservice --port=80 --target-port=80 --type=ClusterIP
:: service/fooservice exposed

## .


## ......

#### 118. How does Kubernetes do DNS internally?

Answer: The kube-system namespace has a pod (or pods) that act as DNS servers.
You can see them by running: kubectl get po -A | grep dns

## .


## .......

#### 119. If you are on a node, how do you look for a running container?

Answer: docker ps | grep nginx (for example)
(Just like you would on your Mac or PC)

## .


## ......

#### 120. Let's say you know how to run a pod via the command line. You can do this very easily because you have done it many times. Given that, how can you quickly generate a YAML file for doing the same thing?

Answer: Add the -o yaml AND --dry-run options to the same command.
This will spit out the YAML on your terminal.
You can also redirect that to a file.

## .


## ......

#### 121. You ran: kubectl get po foo -o yaml > foo.yaml . The problem is that this YAML file has lots of info about the running pod in addition to the "core" YAML content needed. How do you get a clean YAML file out of this?

Answer: You can delete most of those lines (e.g. the status fields and many others).

## .


## .......

#### 122. What is a clusterrolebinding?

Answer: It is a valid Kubernetes object that links a subject (e.g. a user) to a role.
This is how a user gets all the permissions that role has. (Much like AWS)

## .


## .......


#### 123. If you want a pod to be associated with a service account name, how do you do it in the YAML file?

Answer: In the "spec" section, add: serviceAccountName: foobarserviceaccount
(Much like in AWS, where an EC2 instance can "assume role", here a pod gets the permissions that the Service Account has)

## .


## ......

#### 124. What does a YAML file for a pod that has 2 containers look like?
Answer: The "containers" section is an array. So, you can define as many containers as you like using dashes.
Here is an example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo2containers
spec:
  containers:
  - image: nginx
    name: one
    env:
    - name: ONE
      value: foo
  - image: busybox
    name: two
    command: ["sleep", "1000"]
```

## .


## .....

#### 125. How do you see what network policies you have in the default namespace?

Answer: kubectl get netpol

## .


## ........

#### 126. Can you use pod selectors in an ingress network policy?

Answer: Yes.

## .


## .......

#### 127. What is the deal with "api-versions"? What is the context for this?

Answer: Kubernetes is not one API. It is a set of APIs. As in the case of any large-scale development project, each API is at its own stage of maturity. This is why 1. you see so many Kubernetes APIs
and 2. each has different versions (alpha, beta etc.)

## .


## ......

#### 128. How do you see the correct networking API version to use in a network policy YAML file?

Answer: kubectl api-versions | grep -i network

## .


## ......

#### 129. On a Mac or PC, where is the default kubectl configuration file?

Answer: It is located at ~/.kube/config and is referred to as the kubeconfig file.

## .


## .......

#### 130. You have a deployment named foo. How can you scale it up via the CLI (imperative way)?

Answer: kubectl scale deployment foo --replicas=10

## .


## ......

#### 131. You suspect something is wrong with the control plane pods. What should you run?
Answer: kubectl -n kube-system get pods
(to see if any of the pods in that namespace are having problems)

## .


## .......

#### 132. You see that a pod is in "ImagePullBackOff" state (i.e. not running). What should you look at?

Answer: You should see which image that pod is configured to use.
"ImagePullBackOff" means that, for some reason, Kubernetes could not pull the docker image.
This could be because the image is not there OR there are permission issues prohibiting the download of that image.

## .


## .......

#### 133. Scenario Question: You issued the command to scale up a deployment to 3 replicas. It is stuck at 3 desired and 1 running.
You found out that the controller-manager pod on the master had issues. You fixed that, so the controller-manager pod
is now running. What do you have to do next so that scaling finally happens?

Answer: Nothing! controller-manager starts and does its job.

## .


## ......

#### 134. How do you list out all pods running in the namespace foo?

Answer: kubectl get pods --namespace=foo

## .


## ........

#### 135. What do imperative vs declarative provisioning mean in provisioning resources for Kubernetes?

Answer:
Imperative: basically via commands
Declarative: basically via YAML files

## .


## .......

#### 136. Assume that you are connected to the cluster and context. How do you quickly create an NGINX pod using an imperative approach?

Answer: kubectl run nginx --image=nginx

## .


## ........

#### 137. Describe what a namespace is in Kubernetes and why it is used.
Answer:
It's like an isolation mechanism. E.g. if you have namespaces dev and prod, you can have pods named foo in both namespaces and there is no conflict (in the same cluster).
In Kubernetes, you can give the dev team their own namespace and prod can have its own namespace.

## .


## ........

#### 138. You deploy an application to a GKE cluster by applying kubectl apply -f deployment.yaml. After deployment you check the pod status and see that the pods are in CrashLoopBackOff state.
Outline the steps that you use to troubleshoot and the kubectl commands you use to diagnose the problem.

Answer:
Step 1: run the describe pod command and read through the events
Step 2: run kubectl logs -p podname and see what is going on with the pods (use the --previous option, since the pod has already crashed)

## .


## ......

#### 139. What are the functions of the Kubernetes control plane? Where do those functions reside?

Answer: API server + etcd + scheduler + kube-controller-manager + cloud-controller-manager
They run on the master node.

##

#### 140. What are the components of the worker node?

Answer: Docker (runtime engine) + kubelet + kube-proxy

## .


## .......

#### 141. Which component of Kubernetes is responsible for tainting and placement of pods on the nodes?

Answer: scheduler

## .


## .......

#### 142. When a new GKE cluster is created, what are the main namespaces created?

Answer: default and kube-system

## .


## ........

#### 143. What do you use labels and selectors for in Kubernetes?

Answer: So that you can select something based on those labels. They are like tags in AWS.
Let's say I want to use node-affinity. We can use labels to select (selector argument in YAML or command) the ones desired.

## .


## .......

#### 144. Examples of slapping labels on pods

Answer:
kubectl label pods pod1 owner=mamun
kubectl label pods pod2 owner=foo

## .


## .......

#### 145. Examples of using selectors to get pods:

Answer:
kubectl get pods --selector owner=mamun
kubectl get pods -l owner=foo

## .


## ........

#### 146. What are annotations used for in Kubernetes and how are they different from labels and selectors?

Answer: Non-identifying metadata (e.g. contact info). Almost like comments.
You can't select based on annotations. You can select based on labels.

## .


## .......

#### 147. Are a deployment and a service the same? Explain the difference or the sameness between the 2 concepts.

Answer: No.
A Deployment is like a terraform apply (of pods) that you can run a bunch of times with changing configurations (Kubernetes keeps track, so you can roll back).
A Service is basically an entrypoint for users to hit the pods with the right application. Users only know about the service and not the pods behind it.

## .


## ........

#### 148. How do pods and services relate to each other?

Answer: Service = pods + some IP and ports (there are 3 different kinds: NodePort, ClusterIP and LoadBalancer)
Another way to look at it: a service is a persistent front door to 1 or more pods that can come and go.

## .


## .........

#### 149. What are the 3 main characteristics you should focus on to troubleshoot what can go wrong between pods and services?
Answer: Target port (port on containers), labels and selectors

## .


## .........

#### 150. What are the mechanisms to expose an application running in Kubernetes to the outside world?

Answer: pods ---> service ---> Public IP ---> DNS ---> External Users

## .


## .........

#### 151. How do you check to see if the deployments are ready?

Answer: kubectl get deployments

## .


## ..........

#### 152. List some useful commands to troubleshoot pod issues: (These will come in handy on various interview questions)

Answer:
kubectl describe pod podname
kubectl port-forward podname 3000:80 (example)
kubectl get pods -o wide
kubectl logs podname
kubectl get pod podname
kubectl exec -ti podname -- bash

## .


## .......

#### 153. What is port-forwarding?

Answer: You make a link between a port on your Mac or PC (localhost) and a port on a pod.
For example, the pod is open on port 443. If you set up a port-forward to your localhost port 4430, you can get to the web server on the pod via https://localhost:4430

## .


## ........

#### 154. Pods can have startup and runtime errors. Explain what some of these errors mean and 2-3 common culprits. (These will come in handy for various interview questions.)
Imagine the interviewer asking you about each specific one and you having to explain that one.
Answer:
ImagePullBackOff
: the docker image could not be fetched
Registry name is bad or not reachable
Docker image name is bad or image no longer exists

CrashLoopBackOff
: container comes up and crashes/exits
Container has nothing to do, so it shuts down
Initial value of the readiness probe is too small compared to what is needed by the container's tasks

RunContainerError
: container could not be kicked off
Pod network solution is not working
Authorization issues

Pods in Pending state
: waiting for scheduling for one reason or another
Not enough resources on node(s)
Worker node cannot reach master node

Pods in a not Ready state
: pod has been scheduled, but it has not finished coming up for one reason or another
There is a readiness probe that's failing

## .


## ........

#### 155. Can you schedule regular pods on the master node (general Kubernetes, not GKE)?

Answer: Yes. BUT, the NoSchedule taint (which is there by default) has to be removed first.

## .


## .........

#### 156. You have a node A with taint=blue. You have a Pod X with a toleration for taint=blue. Would pod X always be placed on Node A? Explain your answer in detail (why yes or no).

Answer:
A taint is a barrier. The fact that pod X has a toleration for blue means that it CAN be scheduled on node A.
However, if there are other nodes with no taint or a taint of blue, X can land there too.

## .


## ...........


#### 157. What is the use case for node affinity vs nodeSelector?

Answer:
nodeSelector is simplistic, based on labels, whereas node affinity allows much more complex matching, soft-matching and un-matching.
nodeSelector use cases: pods belonging to a team go on the same node(s). Pods belonging to an environment (e.g. dev) go on the same node(s).
node affinity use cases: geographic location. Pods go on nodes where some pods live (OR do not live).

## .


## ........

#### 158. How do you find out what image the running container (in a pod) uses?

Answer: kubectl describe pod podname | grep -i image

## .


## .......

#### 159. Command used to find out what node the pods are running on:

Answer: kubectl get pods -o wide

## .


## ........

#### 160. What does the READY column in the output of the "kubectl get pods" command indicate?

Answer: How many containers are supposed to run in the pod and how many are actually running.

## .


## ........

#### 161. What happens if all master nodes are unavailable (on GKE)? Would that impact workloads running on the worker nodes?

Answer: Workloads will keep running. However, no new deployments can be pushed. No fault tolerance using replicasets
(scheduler is down) will happen. This is the same as Hadoop.

## .


## ......

#### 162. Why are worker nodes spread out over multiple availability zones in GKE?

Answer:
If Google Cloud has an outage in one AZ, the application will still be available.

## .


## .......

#### 163. What is the difference between setting up a GKE cluster as regional versus zonal?
This will require you to read up on the GKE implementation of K8s.

Answer:
Multi-zonal cluster: master is present in only one zone + nodes are in N zones
Regional cluster: masters are present in N zones + nodes are in N zones
So, in a Regional cluster, the master is HA at the regional level, whereas in a Multi-zonal cluster, it is not.

## .


## ......

#### 164. What is the difference between a daemonset and a deployment?

Answer: Sometimes there is a need to have some pods on EVERY node (e.g. a DNS server or a log collector). One can deploy these "sets" as a daemon set on each node.
A Deployment is a declarative definition of replicasets/pods. You define what needs to go on (how many, what type etc.) and the deployment controller ensures that the "desired state" is always there.

## .


## ........

#### 165. What is the default deployment strategy of a Kubernetes deployment?

Answer: Default is Rolling Update.
Some others are:
Blue-green deployment
Canary deployment
A/B testing

## .


## .......

#### 166. In a replica set definition, how do we tell the replica set that a set of pods is part of the replica set?

Answer: Using selectors:
e.g.

```yaml
spec:
  replicas: 3
  selector:
    matchLabels:
      app: foo    # pods carrying this label belong to the replica set
```

## .


## .......

#### 167. How do you add a node pool? (in GCP)

Answer: gcloud container node-pools create $NAME --cluster $CLUSTER --region $REGION

## .


## .......

#### 168. What namespace does kube-scheduler reside in?

Answer: kube-system

## .


## ........

#### 169. Does "kubectl pods -help" work?
Answer: No, because kubectl does not recognize "pods" as a valid 2nd-level command.

## .


## .......

#### 170. What are the benefits of resource limits in Kubernetes?

Answer:
This is the way to make sure the containers do not consume more resources than desired. This way, 2 things can happen:
Runaway containers do not affect others
We get alerted when resource increase over time does not reach a certain limit.

## .


## ........

#### 171. True/False: Resource limits are set on a per-pod basis in Kubernetes

Answer: False. They are set at the container level.

## .


## .......

#### 172. Explain what is meant by the resource request and resource limit settings.

Answer:
Request: amount of resources a container asks for; the scheduler only schedules IF that amount IS available on a node. ("entry point")
Limit: the container is killed or throttled IF it ever tries to get this much resource. ("bad boy level")

## .


## ........

#### 173. How do you filter "kubectl get pods" output by label?

Answer: kubectl get pods -l env=dev
(to filter by label env matching "dev")

## .


## .......

#### 174. How do you "deploy" 3 exact same pods (via YAML file)?

Answer: In the spec section of the YAML (for the pod):

```yaml
spec:
  replicas: 3
```

## .


## ........

#### 175. True/False: A POD is not a scalable unit (imperatively). A Deployment that schedules PODs is.

Answer: True

## .


## .......

#### 176. Why would you have many Deployments work together in the virtual network of the cluster?
Answer: There are many use cases for this. One example would be to deploy many micro-services. Each micro-service would be a deployment.

## .


## ......

#### 177. To expose a pod so that users can get to it, you need to create ________ ?

Answer: Service

## .


## .......

#### 178. You can think of Ingress as ________

Answer: Layer 7 LB (or AWS API Gateway)

## .


## .......

#### 179. Deployments are meant to contain stateless services. If you need to store state you need to create ________ instead (e.g. for a database service).

Answer: StatefulSet

## .


## .......

#### 180. How do you see which pods or nodes are using the most resources?

Answer: kubectl top pod OR
kubectl top nodes

## .


## .......

#### 181. Can a POD span more than 1 "node"?

Answer: No

## .


## .......

#### 182. Does a Pod always get an IP?

Answer: Yes

## .


## .......

#### 183. Let's say that you want to add a "sleep" command to your container. Where does that go in the YAML file?

Answer: in the spec section: command: ['sleep']

## .


## ........

#### 184. What is the format for a ConfigMap?

Answer: key-value pairs (just like almost anything else :-) )

## .


## ........

#### 185. Can you edit any live object using the "kubectl edit" command?

Answer: No

## .


## ........

#### 186.
Command to edit the configuration of a live pod:

Answer: kubectl edit pod foo

## .


## ........

#### 187. Command to delete a running pod:

Answer: kubectl delete pod foo

## .


## ......

#### 188. What dictates how many resources a container gets?

Answer: request and limit parameters

## .


## .......

#### 189. Pods come and go. So, how in the world does Kubernetes provide any real service?

Answer: A Service's IP NEVER changes. You can point DNS to it. Behind the "service" are the ephemeral pods.

## .


## ........

#### 190. (Real Interview Question asked 2022): You run "k get po" and you see a pod that is in "Completed" state. What does that mean?

Answer: This means that the pod came up, did its job and finished. It did not crash. It is not running. You can still get to its logs.

## .


## .......

#### 191. (Real Interview Question asked 2022): What kind of troubleshooting have you done in Kubernetes?

Answer: This depends on your experience, but some ideas include ingress, capacity, pods crashing, slow service, certificates expiring etc.

## .


## ........

#### 192. (Real Interview Question asked 2022): How does Anthos Service Mesh compare to Istio?

Answer: Anthos Service Mesh is a managed service. It is cheap ($50 a month for 100 endpoints per cluster as of Jan 2022). It comes with dashboards automatically. So, definitely a good choice. Also, no more hassles of upgrading Istio.

## .


## .........

#### 193. Who manages virtual IPs of services?

Answer: kube-proxy

## .


## .........
#### 194. What component of Kubernetes is basically a crude Load Balancer?

Answer: service

## .


## ..........

#### 195. In GKE, how is Ingress implemented by default?

Answer: a Load Balancer behind the scenes

## .


## ........

#### 196. Ingress works at which OSI layer?

Answer: Layer 7 (HTTP or HTTPS)

## .


## ...........

#### 197. Validating a YAML file is a pain. How do you do that?

Answer: Open source tools like Terrascan or Kubeval work great.

## .


## ..........

#### 198. Where does kube-proxy run?

Answer: On each node. You can think of this as any other network proxy (e.g. HAProxy or Nginx or Squid) running on each node managing traffic in and out of nodes.

## .


## .........

#### 199. Why are there 3 versions of the NGINX ingress controller for Kubernetes?

Answer: 1. One made by the Kubernetes Community
2. One made by Nginx (Open Source)
3. One made by Nginx (NOT Free)

## .


## .......

#### 200. Why would you go with the Nginx Ingress Controller (and not the Kubernetes Community one)?

Answer: With the Nginx one, you get HTTP Load Balancing (you don't get that with the community one).
Source: https://www.youtube.com/watch?v=OM_N0jjghqI

## .


## ............

#### 201. When implementing Prometheus, why is it best to use the Adapter pattern?

Answer: Because otherwise, you will have to re-write each application's "data" into the format that Prometheus expects. The Prometheus sidecar will do that and send the data along without you having to modify the application container.

## .
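As an added example (not from the original list) of the Adapter Pattern from questions 106 and 201, laid out as the multi-container pod of question 124: the main container writes plain-text log lines into a shared emptyDir, and the sidecar follows that file and re-emits every line as JSON, so the "legacy" application is never changed. The images, the log path and the line format are assumptions made for this example.

```yaml
# Added example, not from the original list. Images, paths and the log format are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: adapter-demo
spec:
  volumes:
  - name: applogs
    emptyDir: {}              # shared by both containers, lives as long as the pod
  containers:
  # Main container: a stand-in "legacy" app that only knows how to write plain text.
  - name: app
    image: busybox
    command: ["sh", "-c"]
    args:
    - |
      mkdir -p /var/log/app
      i=0
      while true; do
        i=$((i + 1))
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) request=$i status=200" >> /var/log/app/app.log
        sleep 5
      done
    volumeMounts:
    - name: applogs
      mountPath: /var/log/app
  # Adapter sidecar: follows the same file and prints each line as one JSON object
  # on its stdout, which is what a log collector or scraper would consume.
  - name: log-adapter
    image: busybox
    command: ["sh", "-c"]
    args:
    - |
      until [ -f /var/log/app/app.log ]; do sleep 1; done
      tail -n +1 -F /var/log/app/app.log | while read -r ts kv1 kv2; do
        printf '{"time":"%s","%s":"%s","%s":"%s"}\n' \
          "$ts" "${kv1%%=*}" "${kv1#*=}" "${kv2%%=*}" "${kv2#*=}"
      done
    volumeMounts:
    - name: applogs
      mountPath: /var/log/app
      readOnly: true          # the adapter only reads; it cannot tamper with the app's file
```

`kubectl logs adapter-demo -c log-adapter` (the per-container form from question 222) shows the re-formatted JSON lines while `-c app` shows nothing, since the app only writes to the file.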
## ............

#### 202. What is kubelet and where does it run?

Answer: Main agent on the worker nodes

## .


## ...........

#### 203. (Actual interview question 2022): What is the difference between Docker Compose and Kubernetes?

Answer: Docker Compose: a simple way to run multi-container Docker applications (defined in a YAML file)
Kubernetes: a full-fledged orchestration tool

## .


## ........

#### 204. What is kubeadm used for?

Answer: To deploy Kubernetes on existing VMs, kind of by hand (running commands for the master node and worker nodes)

## .


## ..........

#### 205. When we run "kubectl run pods", that gets to the API server on the master node. What does the API server do with that request?

Answer: It gives it to the kubelet on one worker node

## .


## ..........

#### 206. How do you combine kubectl and jsonpath to get the info you need?

Answer: You use -o=jsonpath="......blah...." to basically query the output that you get from kubectl to get precisely what you need.

## .

## ..........

#### 207. How do you deploy a stateless application on Kubernetes?

Answer: Simply use "deployments" (not statefulsets or replicasets)

## .


## ..........

#### 208. What is an endpoint in Kubernetes?

Answer: Nothing but an IP and a port. That's it.

## .


## ..........

#### 209. What is the relationship between a Service and an Endpoint?

Answer: When a client hits a Service, the Service needs to know where to send the request (much like a Load Balancer). It forwards it to an Endpoint.
When a Service is created based on a "match" with a pod (or pods), Kubernetes automatically creates an Endpoint with the pod's IP and port.
SERVICE ---> ENDPOINT (automatically created) --> POD'S IP and PORT

## .


## ..........

#### 210. How can you access the kubelet API?

Answer: Two ways:
1. Using a curl command and pointing to port 10250 of a worker node, OR
2. The open-source tool called kubeletctl

## .


## ..........

#### 211. How can you verify that your binary executables (Kubernetes) have not been corrupted?

Answer: Create a SHA256 hash of the binary and compare the message digest with the one given on the official web site.

## .


## ..........

#### 212. (Not really an interview question, more a real-life question.) You are trying to run a pod with the "kubectl run" command, but running into issues with exact formats and options. What do you do (besides googling)?

Answer: kubectl run -h

## .


## ..........

#### 213. (Not really an interview question, more a real-life question.) When you are creating a pod using the "kubectl run" command, how can you supply a command to run on the container (like sleep 3600)?

Answer: Simply supply the command with the --command -- option.
e.g. kubectl run foo --image=nginx --command -- sh -c "sleep 3600"

## .


## ..........

#### 214. How can you log in to a pod (assuming it only has 1 container)?

Answer: kubectl exec -it foo -- /bin/bash

## .


## ..........

#### 215. When you create a pod you can give it 3 restart options. What are they?

Answer: 1. Always
2. Never
3. OnFailure

## .


## ..........
#### 216. When you create a pod you can give it 3 restart options. What are the use cases for each?

Answer: 1. Always (for Deployments or Replicasets)
2. Never (for one-time pod runners, e.g. via command line)
3. OnFailure (for "jobs")

## .


## ..........

#### 217. If there is a pod already running and you want to restart it using a DIFFERENT image, how do you do that using the command line?

Answer: the kubectl set image command

## .


## ..........

#### 217. When you run k get pods, how do you sort by name?

Answer: k get pods --sort-by=.metadata.name
(Credit Bachina Labs)

## .


## ..........

#### 218. When you run k get pods, how do you sort by creation time?

Answer: k get pods --sort-by=.metadata.creationTimestamp
(Credit Bachina Labs)
(Now you get the idea that you can sort by almost any metadata)

## .


## ..........

#### 219. In the YAML file for a pod that has more than 1 container, how do the container specs show up?

Answer: As an array. Each element of that array is a container spec.

## .


## ..........

#### 220. In the YAML file, what is always the first line?

Answer: apiVersion:

## .


## ..........

#### 221. In the YAML file, how do you define what you are building (pod, replicaset, secret, etc.)?

Answer: The second line has kind: (e.g. kind: Pod)

## .


## ..........

#### 222. How do you get logs from a container (not a pod) via the command line?

Answer: (An example): kubectl logs foopod -c foocontainer

## .


## ..........
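As an added example (not from the original list) that ties together the rolling-update settings of question 111, the selector/matchLabels of question 166, the per-container request and limit settings of questions 171, 172 and 188, and the kubectl set image rollout of question 217: a Deployment whose rollout may run one extra pod and never drops below its desired count. The name, labels, image tag and the resource figures are assumptions made for this example.

```yaml
# Added example, not from the original list. Names, labels, image and figures are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo
spec:
  replicas: 3
  selector:
    matchLabels:              # the Deployment owns the pods carrying exactly these labels
      app: foo
  strategy:
    type: RollingUpdate       # the default strategy (question 165)
    rollingUpdate:
      maxSurge: 1             # at most 3 + 1 = 4 pods exist while a rollout is in progress
      maxUnavailable: 0       # never fewer than 3 ready pods, so capacity is kept during the update
  template:
    metadata:
      labels:
        app: foo              # must match spec.selector above, or the apply is rejected
    spec:
      containers:
      - name: web
        image: nginx:1.25
        ports:
        - containerPort: 80
        resources:            # set per container, not per pod (question 171)
          requests:
            cpu: 100m         # the scheduler places the pod only on a node with this much free
            memory: 64Mi
          limits:
            cpu: 500m         # throttled above this
            memory: 128Mi     # OOM-killed above this
        readinessProbe:       # a pod counts as available only once this passes,
          httpGet:            # which is what maxUnavailable: 0 relies on
            path: /
            port: 80
```

`kubectl set image deployment/foo web=nginx:1.26` starts a rollout governed by those two values, and `kubectl rollout status deployment/foo` shows it replace one pod at a time.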
#### 223. What does an "operator" pod do?

Answer: Imagine you had a set of pods that ran MySQL for you. You would have a leader pod and several read-only pods, etc. If a reader pod crashed, a human would have to go in and restart it. If the leader pod crashed, a human would find a way to get it up and running or promote a read-only pod to a leader pod. In Kubernetes StatefulSets, an operator pod would do all of that automatically.

Often, when a vendor sells you a pod-based solution that requires StatefulSets, the vendor includes such an operator pod so that you (user/client) will not have to worry about the inner workings of the setup. (I have seen this first hand at companies)

## .

## ..........

#### 224. What is a CRD?

Answer: Custom Resource Definition. If you want to create your own type of resource (like pod, rs, deployments, etc.), you use a CRD to define your own resource type.
Operators use CRDs.

## .

## ..........

#### 225. Command to get a list of contexts you have defined:

Answer: kubectl config get-contexts

## .

## ..........

#### 226. Which file holds your context definitions?

Answer: ~/.kube/config

## .

## ..........

#### 227. By default, pod A in namespace A can talk to pod B in namespace B. True?

Answer: Yes

## .

## ..........

#### 228. What is the easiest, quickest way to create a service for a running pod?

Answer: Use the kubectl expose command

## .

## ..........

#### 229. What is a Headless service in Kubernetes?
Answer: A headless service is a service with a service IP but instead of load-balancing it will return the IPs of our associated Pods.
Source: https://dev.to/kaoskater08/building-a-headless-service-in-kubernetes-3bk8

## .

## ..........

#### 230. If you are using minikube or kubeadm etc., what is a big limitation in terms of Load Balancing?

Answer: There are no integrated load balancers (as you would have in AWS or GCP)

## .

## ..........

#### 231. When does Kubernetes pull a new version of an image upon Pod creation?

Answer: If either
1. Using images tagged :latest
2. imagePullPolicy: Always is specified

Source: https://stackoverflow.com/questions/33112789/how-do-i-force-kubernetes-to-re-pull-an-image

## .

## ..........

#### 232. What is a super quick way to create a service pointing to a running pod?

Answer: kubectl expose command

## .

## ..........

#### 232. The capabilities configuration in the YAML file goes where? Pod or Containers?

Answer: Containers

## .

## ..........

#### 233. Why do we need Ingress when we already have a "service" that can send traffic to many pods of the same type?

Answer: One big reason is this: Without Ingress, you would have to have a Load Balancer for every single web application you are hosting in your cluster.
That can get very expensive and hard to manage.
With Ingress, you can have ONE load balancer that can take in traffic for many web applications and forward them to the right pods.

## .

## ..........

#### 234. In the kube config file, what does the URL point to (for each context)?

Answer: URL of the API Server (port is almost always :6443)

## .

## ..........

#### 235. For deployments, the default replica count is ___?

Answer: 1. (If you want 1, then you can leave out that option in an imperative command)

## .

## ..........

#### 236. How can you update the image of a running deployment using an imperative command?

Answer: kubectl set image command

## .

## ..........

#### 237. What is the default update method for deployments?

Answer: Rolling Update

## .

## ..........

#### 238. In the definition of a service, what is "port" and what is "targetPort"?

Answer: port: Port on the incoming requests
targetPort: Port on the pod where the traffic ends up
(Just like a Load Balancer configuration)

## .

## ..........

#### 239. Your pod uses a ConfigMap. How can you automatically restart the pod if the ConfigMap changes?

Answer: For this, you have to use a Deployment. In the config of the Deployment, use the CM.
When the CM changes, and the new CM values break things, the Deployment is smart enough NOT to scale down.
BUT, if the new CM does NOT break things, the Deployment will scale down and up with the new value.

## .

## ..........

#### 240. How do you secure Kubernetes?

Answer: Big topic, but 7 major parts:
1. Application Security (Ingress, access to pods, etc.)
2. DevSecOps (CI/CD pipeline: who gets to deploy where and under what conditions)
3. User access (RBAC), etc.
4. Data Compliance (HIPAA, SOX, etc.)
5. Keeping the secrets secure
6. Patching Nodes (OS level)
7. Container Image Scanning (automated and regular)

## .

## ..........

#### 241. How do you manage costs on Kubernetes?

Answer: 3 parts
1. Control Plane (Not much you can do)
2. Worker Nodes (making sure you are autoscaling)
3. Optimal usage of CPU/memory by pods (use Metrics Server or the open-source tool kubecost)

## .

## ..........

#### 242. What is rehydrating?

Answer: (For example, when you are moving to a newer version of Kubernetes) running the same cluster using NEW nodes which run the newer version of Kubernetes, and THEN running the pods on the new nodes.
(Opposite of draining)

## .

## ..........

#### 243. Command to drain a node?

Answer: kubectl drain ......

## .

## ..........

#### 244. How did you monitor your Kubernetes Clusters?

Answer: The Prometheus and Kibana combination is very common (open source).
Other paid options:
Dynatrace & Datadog

## .

## ..........

#### 245. How do containers in the same pod communicate?

Answer: Over localhost!

## .

## ..........

#### 246. What are the 4 components of the Control Plane?

Answer: 1. API Server
2. Scheduler
3. etcd
4. Controller Manager

## .

## ..........

#### 247. What does the Controller Manager do?

Answer: Runs the never-ending Kubernetes control loop

## .

## ..........

#### 248. If you create an Ingress, how will the traffic be impacted?

Answer: Nothing! Until you have an Ingress Controller, an Ingress rule does nothing.

## .

## ..........
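Added example for question 231 (not part of the original question set, and not code from kubelet or the API server): the defaulting rule behind that answer, written out as a function. When `imagePullPolicy` is omitted, the API server sets it to `Always` for images with no tag or the `:latest` tag, and to `IfNotPresent` for any other tag or for a digest reference; an explicit policy is kept as given. The parser is written here to show the rule, and the image references are constructed.

```python
"""Effective imagePullPolicy for a container, following the Kubernetes
defaulting rule. The parsing helper is this example's own, not kubelet code."""


def parse_image_ref(image: str) -> tuple:
    """Split an image reference into (repository, tag, digest).

    Only the part after the last "/" is inspected, so a registry port such as
    registry:5000/app is not mistaken for a tag.
    """
    head, sep, last = image.rpartition("/")
    digest = None
    if "@" in last:
        last, digest = last.split("@", 1)
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    repo = f"{head}/{last}" if sep else last
    return repo, tag, digest


def effective_pull_policy(image: str, explicit=None) -> str:
    """Policy the pod will actually run with.

    explicit: the imagePullPolicy written in the manifest, or None if omitted.
    """
    if explicit is not None:
        return explicit
    _, tag, digest = parse_image_ref(image)
    if digest is not None:
        return "IfNotPresent"
    if tag is None or tag == "latest":
        return "Always"
    return "IfNotPresent"


def pulls_on_every_pod_start(image: str, explicit=None) -> bool:
    """True when the kubelet contacts the registry each time the pod starts.

    With Always the kubelet compares the registry digest and only downloads
    when it changed, but a mutable tag can still hand you different code.
    """
    return effective_pull_policy(image, explicit) == "Always"


if __name__ == "__main__":
    for ref in ["nginx", "nginx:latest", "nginx:1.25", "registry:5000/team/app",
                "nginx@sha256:" + "0" * 64]:  # constructed digest, not a real image
        print(f"{ref:40} -> {effective_pull_policy(ref)}")
```

From a supply-chain point of view the table this prints is the argument for pinning images by digest: a `:latest` or untagged image is re-resolved on every pod start and can change underneath you, while a digest reference is immutable and the kubelet will not need to re-pull it. The `AlwaysPullImages` admission plugin exists for multi-tenant clusters where a cached image on a node must not be reusable by another tenant's pod.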
#### 249. Does an Ingress Controller need to read packets?

Answer: Yes, it needs to read the headers

## .

## ..........

#### 250. How do you create an Ingress Controller? Provide an example.

Answer: You can create a deployment using the nginx image. That would be one way of doing it.

## .

## ..........

#### 251. How do you tell an Ingress to use an Ingress Controller?

Answer: In the spec section, there is a configuration item called "backend". There you can point to a service (e.g. based on an nginx deployment)

## .

## ..........

#### 252. When to use Docker Compose?

Answer: When you need to run multiple containers (locally or on a cluster), and you do not want to keep typing "docker run ....".
By the way, these containers can share a volume.

## .

## ..........

#### 253. How does a pod get permission to do anything?

Answer: Every pod comes with a default service account, which in turn gives the pod a token. Whatever permissions that token has, that is what the pod can do.

## .

## ..........

#### 254. What is the relationship between a Service Account and a Secret?

Answer: Every Service Account automatically gets a secret (no different than any other secret). So, when you create a Service Account, if you do "kubectl get secrets", you will see one for that Service Account.

## .

## ..........

#### 255. When you create an Nginx Ingress Controller via a YAML file, what would be the "kind"? (e.g. pod, secret, service ....)

Answer: LoadBalancer (You can also run a "Deployment" of those for robustness)

## .

## ..........
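Added example for questions 253 and 254 (not part of the original question set): what the token a pod gets from its service account actually carries, and what the API server checks before trusting it. The token is a JWT; the example builds one with the same claim layout as a projected service account token, reads the identity out of it, and verifies signature, expiry and audience. The signing key, the HS256 algorithm and all claim values are constructed for the demo: a real cluster signs tokens with the API server's RSA or ECDSA key, so `DEMO_KEY` and `make_token` are stand-ins, not how Kubernetes issues tokens.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT for the demo only (real SA tokens are RS256/ES256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def read_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying it: fine for inspecting which identity a
    mounted token carries, never for an authorization decision."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def service_account_identity(token: str) -> tuple:
    """(namespace, name) from the `sub` claim: system:serviceaccount:<ns>:<name>."""
    sub = read_claims(token)["sub"]
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError("not a service account token")
    ns, name = sub[len(prefix):].split(":", 1)
    return ns, name


def verify_token(token: str, key: bytes, audience: str, now: int) -> bool:
    """The checks a verifier performs before trusting a bearer token:
    signature, expiry, and that the token was issued for this audience."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud", [])
    return audience in (aud if isinstance(aud, list) else [aud])


# Constructed sample: claim layout of a projected service account token for the
# default service account of the default namespace, mounted into pod "foo".
DEMO_KEY = b"demo-signing-key"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:default:default",
    "aud": ["https://kubernetes.default.svc"],
    "iat": NOW,
    "exp": NOW + 3600,
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "default"},
                      "pod": {"name": "foo"}},
}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS, DEMO_KEY)

if __name__ == "__main__":
    print(service_account_identity(SAMPLE_TOKEN))
    print(verify_token(SAMPLE_TOKEN, DEMO_KEY, "https://kubernetes.default.svc", NOW))
```

The identity in the `sub` claim is exactly what RBAC bindings name, which is why the `default` service account should have no bindings and why pods that never talk to the API server should set `automountServiceAccountToken: false`. Anything that can read the pod's filesystem can read the mounted token, so the token's permissions, not the container's, are the blast radius.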
#### 256. How can you create a YAML file on the fly without creating a resource?

Answer: Use the --dry-run option with the -o yaml option (kubectl)

## .

## ..........

#### 257. How do you deploy 3rd-party applications (built on Kubernetes) to your cluster?

Answer: Helm Charts. It has become the industry standard for deploying 3rd-party applications. For deploying your own apps to your own Kubernetes cluster, you may choose something else because Helm is very easy to use.
There is a learning curve.

## .

## ..........

#### 258. What if you want to do GitOps and you want your "desired" Kubernetes configs in your git repo AND you want to have a pipeline for deploying Kubernetes infrastructure as soon as a new merge happens? How do you do that?

Answer: There are two tools for doing this: ArgoCD or Flux

## .

## ..........

#### 259. Managing certificates for all domains for all the apps that live on your cluster is a pain. How do you manage those certs and their expirations?

Answer: (Example answer: cert-manager.io)

## .

## ..........

#### 260. You have Kubernetes AND other items like databases etc. How do you deploy these as Infrastructure as Code?

Answer: Best tool for this is Crossplane.

## .

## ..........

#### 261. How did you implement Observability in your Kubernetes Cluster(s)?

Answer: There are many options:
1. Prometheus and Grafana
2. Datadog
3. Dynatrace

## .

## ..........

#### 262. How did you collect logs from your Kubernetes Cluster?

Answer: Example answer: Promtail
Datadog can do it, too.

## .

## ..........
#### 263. Where did you ship your logs to?

Answer: Example answers:
Loki
Datadog

## .

## ..........

#### 264. Tools for Policy Management via Admission Controllers:

Answer: Kyverno
OPA Gatekeeper

## .

## ..........

#### 265. You are setting a new image for a deployment imperatively. How can you make sure you can roll back if needed?

Answer: Use the --record option

## .

## ..........

#### 266. What is THE key difference between Deployments and StatefulSets (besides keeping state)?

Answer: StatefulSets use volumeClaimTemplates. That is the key difference. This way, each pod has access to the same data.

## .......

#### 267. You have a web application hosted in containers on Kubernetes. This web app is accessed via a domain, e.g. foobar.com. You need to add an SSL certificate somewhere in your Kubernetes infrastructure for this domain.
Walk me through how you would accomplish that.

Answer: This page does a fantastic job of explaining step by step with lots of details:
https://devopscube.com/configure-ingress-tls-kubernetes/

Summary:
1. Get a certificate (either self-signed or otherwise)
2. Deploy the application in the Kubernetes cluster (this should already be done)
3. Create a TLS secret in Kubernetes
4. Add a TLS block to the Ingress object
5. Validate using a simple curl command (e.g. curl https://foobar.com -kv)

## .

## .......

#### 268. What if you want to actively prohibit pods of a certain type from being created (e.g. privileged containers)? How do you accomplish that?

Answer:

Use admission controllers

## .
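Added example for questions 264 and 268 (not part of the original question set, and not code from Kyverno, Gatekeeper or any Kubernetes component): the decision logic of a validating admission webhook that rejects privileged pods. The API server sends the webhook an `AdmissionReview` with the object being created; the webhook answers with `allowed: true/false`. The policy below (no privileged containers, no host namespaces, no hostPath volumes, no `SYS_ADMIN`/`ALL` capabilities, `allowPrivilegeEscalation` must be false) is this example's own choice, and the two pods and the request `uid` values are constructed.

```python
"""Validating admission logic for Pod CREATE/UPDATE requests.
The policy rules and all sample objects are constructed for this example."""

FORBIDDEN_CAPS = {"SYS_ADMIN", "ALL"}


def violations(pod: dict) -> list:
    """Return human-readable reasons the pod breaks the policy (empty = compliant)."""
    reasons = []
    spec = pod.get("spec", {})
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        reasons.append("host namespaces (hostPID/hostNetwork/hostIPC) are not allowed")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            reasons.append(f"container {c['name']!r} is privileged")
        # The field defaults to true when omitted, so omission is a violation.
        if sc.get("allowPrivilegeEscalation", True):
            reasons.append(f"container {c['name']!r} must set allowPrivilegeEscalation: false")
        added = set((sc.get("capabilities") or {}).get("add", []))
        if added & FORBIDDEN_CAPS:
            reasons.append(f"container {c['name']!r} adds forbidden capabilities {sorted(added & FORBIDDEN_CAPS)}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            reasons.append(f"volume {v['name']!r} uses hostPath")
    return reasons


def review(admission_review: dict) -> dict:
    """Map an AdmissionReview request to an AdmissionReview response.

    Only Pod CREATE/UPDATE is policed; everything else is allowed through,
    which is what a narrowly scoped webhook registration should do anyway.
    """
    req = admission_review["request"]
    reasons = []
    if req["kind"]["kind"] == "Pod" and req["operation"] in ("CREATE", "UPDATE"):
        reasons = violations(req["object"])
    response = {"uid": req["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def _request(pod: dict, uid: str, operation: str = "CREATE") -> dict:
    """Wrap a pod the way the API server would in an AdmissionReview."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": operation, "namespace": "default", "object": pod}}


# Constructed sample pods
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "shell"},
    "spec": {"containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True}}],
             "volumes": [{"name": "host", "hostPath": {"path": "/var/lib"}}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "runAsNonRoot": True,
                                                 "capabilities": {"drop": ["ALL"]}}}]},
}
PRIVILEGED_REQUEST = _request(PRIVILEGED_POD, "uid-constructed-1")
HARDENED_REQUEST = _request(HARDENED_POD, "uid-constructed-2")

if __name__ == "__main__":
    print(review(PRIVILEGED_REQUEST)["response"])
    print(review(HARDENED_REQUEST)["response"])
```

In a cluster this function sits behind an HTTPS endpoint registered through a `ValidatingWebhookConfiguration`; register it with `failurePolicy: Fail` so an unreachable webhook blocks rather than silently allows. For the standard baseline/restricted profiles the built-in Pod Security Admission controller (the replacement for PodSecurityPolicy) enforces rules like these without a custom webhook, and Kyverno or OPA Gatekeeper from question 264 are the usual choice for organisation-specific policy.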
## .......

#### 269. What is an admission controller?

Answer: Essentially a plugin that intercepts requests to the API server and takes action based on what is being requested (e.g. creation of pods)

## .

## .......

#### 270. What is a Pod Security Policy?

Answer: From official documentation:
A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

## .

## ......

#### 271. Can you use a password to authenticate to the API server?

Answer: Yes, but disabled by default

## .

## ......

#### 272. Can you use x509 certificates to authenticate to the API server?

Answer: Yes, but disabled by default

## .

## ......

#### 273. Easiest way to get a bearer token for Kubernetes API server auth.

Answer: Create a Service Account

## .

## ......

#### 274. How to set up authentication for Kubernetes?

Answer: Just use GCP IAM

## .

## ......

#### 275. How to rotate your cluster credentials using the gcloud CLI?

Answer: gcloud container clusters update foo --start-credential-rotation

## .

## ......

#### 276. How does the API Server authenticate a request for object creation in etcd?

Answer: Client Certificate

## .

## ......

#### 277. How can you get a list of the types of resources (like pods, secrets, nodes, services and lots more)?

Answer: kubectl api-resources

## .

## ......

#### 278. What is the MAIN difference between stateless and stateful sets (in terms of what is being used in Kubernetes)?

Answer: StatefulSets use volumeClaimTemplates. That is the key difference.

## .

## ......

#### 279. What are the main 3 things that a worker node will run?

Answer:
Kubelet
Proxy
Container Runtime Engine

## .

## .....

#### 280. Inside a worker node, who keeps the desired state?

Answer: kubelet

## .

## ......

#### 281. The kubelet receives its work in the form of _______?

Answer: YAML

## .

## ......

#### 282. Kube Proxy runs on each worker node. For all practical purposes, what is it, really?

Answer: It is basically a Load Balancer

## .

## ......

#### 283. How can ONE service expose MULTIPLE deployments?

Answer: It can do that based on tags?

## .

## .......

#### 284. What does an adapter sidecar do, basically?

Answer: An adapter sidecar changes the format of output

## .

## ......

#### 285. What are nginx ingress controllers, basically?

Answer: Just a "deployment" of a modified version of nginx containers.
e.g. https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/static-ip/nginx-ingress-controller.yaml

## .

## ......

#### 286. How can you have a VM (Kubernetes node) that is small in size and does not have any extra packages (e.g. 100s of MBs instead of Gig+)?

Answer: You can convert a Docker container image (e.g. Ubuntu) and add 2 packages (one of them is a file system package)

## .

## ......

#### 287. How can you convert a Docker image to a VM?

Answer: ?????

## .

## ......

#### 288. What is a finalizer in Kubernetes?

Answer: Verbatim from Kubernetes.io

Finalizers are namespaced keys that tell Kubernetes to wait until specific conditions are met before it fully deletes resources marked for deletion. Finalizers alert controllers to clean up resources the deleted object owned.

When you tell Kubernetes to delete an object that has finalizers specified for it, the Kubernetes API marks the object for deletion by populating .metadata.deletionTimestamp, and returns a 202 status code (HTTP "Accepted"). The target object remains in a terminating state while the control plane, or other components, take the actions defined by the finalizers. After these actions are complete, the controller removes the relevant finalizers from the target object. When the metadata.finalizers field is empty, Kubernetes considers the deletion complete and deletes the object.

## .

## ......

#### 289. If a client sends a request to the API server, which component intercepts that request to make sure that the request should be acted upon?

Answer: Admission Controllers. There can be many. By default, a few of them are already enabled.
You can add your own.
Admission controllers act AFTER authentication has happened and authorization has been finalized.

## .

## ......

#### 290. If you have a YAML file that has code for 10 different resources (pods, deployments, etc.), how can you delete all resources made from this YAML file?

Answer: kubectl delete -f filename.yaml

## .

## ......

#### 291. In order to follow the DRY principle, your code should work across all environments (dev, staging, prod). How can you do this when you know things will be different across various environments?

Answer: ConfigMaps! (Code remains the same, only the values of the ConfigMaps differ)

## .

## ......

#### 292. Why do we need PV and PVC? Why not just PV or just PVC?

Answer: De-coupling. This way, you can define your PVs not knowing when they will be used. Similarly, you can create a PVC knowing a PV already exists.

## .

## ......

#### 293. Why do we need a StorageClass?

Answer: Again, de-coupling. You can define many kinds of storage (fast, slow, EBS, GCS, NFS, on and on). You can just use them as you see fit.

## .

## ......

#### 294. Explain how a container mounts a volume.

Answer: Actually, containers depend on the pod to "define" the volume and give it a name. The container then uses that "name" and mounts it on whichever directory it wants to. This way, two containers in the SAME pod can mount the same volume at two different mount locations.

## .

## ......

#### 295. Explain the flow from a CSR all the way to a user having permission to describe a pod.

Answer:
1. A CSR is created
2. That is submitted to the Kubernetes cluster
3. Someone approves the CSR within Kubernetes
4. That creates a valid certificate which has an embedded user
5. On the other side of things, a role is created with certain permissions (e.g. describe a pod)
6. That user/certificate is associated with that role via a RoleBinding. This completes the path.

## .

## ......

#### 296. Why do we need Labels?

Answer: Labels are an integral part of Kubernetes. Whenever there is a need to select one or more out of many, a label is used. For example, you may have 1000 pods. Only 10 of them belong to a deployment or service. This one-to-many relationship can be dynamically established by selecting pods based on their labels.

## .

## ......

#### 297. You are applying a YAML file. But you get an error, something like: "expecting X got Y" (e.g. expecting map, got string). How do you fix this?

Answer: Note the line number the error message tells you. See which attribute is mentioned in that line. Then, use the kubectl explain command to see what type of thing is expected. Maybe there is supposed to be an array of strings. But, because of a typo, to Kubernetes it looks like a string or map/object. This will give a great clue as to what the typo is.

## .

## ......

#### 298. Why do we need Node Pools?

Answer: Node Pools are nodes that share the same configuration (e.g. CPU/memory etc.). What if some of your pods need more resources and you want those pods to go into only a certain node pool, and you do not want other normal pods to go into those nodes? In this case, having 2 node pools would be very useful. Node pools can also be used to segment out usage by different teams/environments/departments.

## .

## ......

#### 299. What is the connection between values.yaml (Helm) and ConfigMaps?

Answer: values.yaml in Helm charts saves all the env-specific values (let's say server type, application name, etc.). This way, we can follow DRY principles of coding when we code for multiple environments. These "values" in turn can "feed" the ConfigMaps in Kubernetes environments.

## .

## ......

#### 300. How do you do service discovery in Kubernetes?

Answer: 2 ways: 1. via DNS, or 2. via an ENV variable (e.g. SQL_SERVER=1.2.3.4) injected into the container via a ConfigMap or Secret.

## .

## ......

#### 301. Why do you need a "job" in Kubernetes?

Answer: Sometimes there is a need for a pod to be created for the sole reason of doing a task ONLY once. A "job" is how you define that.

## .

## ......

#### 302. Why do you need a "cronjob" in Kubernetes?

Answer: Sometimes there is a need for a pod to be created on a regular schedule to do a job. A "cronjob" is great for this use case.

## .

## ......

#### 303. Where did you get your hands-on experience with Kubernetes?

Answer: The interviewer may not ask this directly, but he or she will want to know how you have the experience that you have. This is because people's experience with Kubernetes varies widely. Be truthful. If your experience is that you have done labs on your own or as part of certification exam prep, state THAT! If you fake the experience, it will show and you will come across as inauthentic. Be ready for this question.

## .

## ......

#### 303. How did you manage logging persistence?

Answer: Will depend on your experience. Here are some possibilities: Prometheus, Datadog, Agents, other 3rd-party solutions.

## .

## ......

#### 304. You just created a cluster. How do you know what is running there by default?

Answer: k get all -A

## .

## ......
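Added example for question 295 (not part of the original question set, and not the RBAC authorizer's own code): the second half of that flow, from the approved certificate to an allowed request. The API server takes the username from the certificate's CN and the groups from its O fields, then the RBAC authorizer walks the RoleBindings in the request's namespace looking for any rule that grants the verb on the resource; there is no deny rule, and nothing matching means the request is refused. The certificate subject, Role and RoleBinding below are constructed; CSR generation and approval (steps 1 to 4) are represented only by the resulting subject string. Note that `kubectl describe pod` needs `get` on pods, and `list` on events to fill in its Events section.

```python
"""From x509 subject to RBAC decision. The objects are constructed sample data;
only namespaced Roles are modelled (a RoleBinding may also reference a
ClusterRole, which is left out for brevity)."""


def identity_from_subject(subject: str) -> tuple:
    """Map a certificate subject to (username, groups): CN is the user, each O a group."""
    user, groups = None, []
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if user is None:
        raise ValueError("certificate subject has no CN, so no Kubernetes username")
    return user, groups


def rule_allows(rule: dict, verb: str, resource: str) -> bool:
    verbs, resources = rule.get("verbs", []), rule.get("resources", [])
    return ("*" in verbs or verb in verbs) and ("*" in resources or resource in resources)


def is_allowed(user: str, groups: list, namespace: str, verb: str, resource: str,
               roles: list, bindings: list) -> bool:
    """Deny by default; allow if any RoleBinding in the namespace that names this
    user or one of its groups points at a Role with a matching rule."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for rb in bindings:
        if rb["metadata"]["namespace"] != namespace:
            continue
        bound = any((s["kind"] == "User" and s["name"] == user) or
                    (s["kind"] == "Group" and s["name"] in groups)
                    for s in rb.get("subjects", []))
        if not bound:
            continue
        role = roles_by_key.get((namespace, rb["roleRef"]["name"]))
        if role and any(rule_allows(rule, verb, resource) for rule in role.get("rules", [])):
            return True
    return False


# Constructed sample objects: the certificate issued after CSR approval, a Role
# that allows reading pods and events in "dev", and the RoleBinding for jane.
CERT_SUBJECT = "CN=jane,O=dev-team"
ROLES = [{
    "metadata": {"namespace": "dev", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
              {"apiGroups": [""], "resources": ["events"], "verbs": ["list"]}],
}]
BINDINGS = [{
    "metadata": {"namespace": "dev", "name": "jane-reads-pods"},
    "subjects": [{"kind": "User", "name": "jane"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}]


def can_describe_pod(subject: str, namespace: str) -> bool:
    """What `kubectl describe pod` needs: get on pods plus list on events."""
    user, groups = identity_from_subject(subject)
    return (is_allowed(user, groups, namespace, "get", "pods", ROLES, BINDINGS) and
            is_allowed(user, groups, namespace, "list", "events", ROLES, BINDINGS))


if __name__ == "__main__":
    print(can_describe_pod(CERT_SUBJECT, "dev"))   # True
    print(can_describe_pod(CERT_SUBJECT, "prod"))  # False: no binding there
```

Two things this makes visible: the certificate alone grants nothing (step 4 without step 6 yields a user who can authenticate but do nothing), and a Role only ever adds permissions, so the review question for any binding is what it widens, never what it blocks. It also shows why approving a CSR deserves the same care as creating a binding: the approver is deciding which CN and O values, and therefore which user and groups, the cluster will trust.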
#### 305. On a fresh cluster, which namespace holds the system resources like kube-dns?

Answer: kube-system (Here the interviewer is probing for your hands-on experience. If you work on Kubernetes regularly, you will know this)

## .

## ......

#### 306. Walk me through the steps of how you store a password in Kubernetes (e.g. a DB password).

Answer: base64 encoding --> make a secret, "data" section, key-value pair --> mount it on a pod/container

## .

## ......

#### 307. All I am giving you is a docker image (that runs a web server). You don't even have a cluster. Walk me through how you take this service live. Assume that you don't need scaling or HA.

Answer: Create a cluster. Upload the image to the GCP container registry. Create a YAML file that creates a deployment using that image. Create a service (type LoadBalancer) using that deployment. Create a DNS record pointing to the endpoint of that service.

## .

## ......

#### 308. What is the difference between Ingress and Network Policy?

Answer: Ingress = like API Gateway in AWS (drive traffic to different services based on path); Network Policy: firewall rules, basically

## .

More unformatted questions:
__________________________
You have created a PV using hostPath. How do you know if all is well? Ans: describe it, and the status should say "Available"
Can you use 2 PVCs with 1 PV? No! 1:1
3 reclaim policies for a PV: Retain, Recycle, Delete
If Retain, then: the PVC goes away, the PV will still just sit there
Can multiple pods use the same PVC? Yes
Tell me when you will use a label selector
You have 5 departments on 1 cluster. Each has their own namespace. How can you keep dept1 from using up all the resources? Use a quota. A quota is applied at the namespace level.
Once you have MySQL pods running, how can you make a service out of them?
port 3306
targetPort 3306
use a label selector to select pods for the backend
You have 20 nodes. You want to use 10 of them ONLY for production pods. How? Taint the nodes
Pods in Pending state. Why? Nodes tainted, or not enough resources left, or node affinity set wrong