├── README.md
├── etcd-backup-and-restore.md
└── tls-bootstrap-worker-node-2


/README.md:
--------------------------------------------------------------------------------
1 | # certified-kubernetes-administrator-course-answers
2 | Practice question answers for Certified Kubernetes Administrator course
3 | 
4 | This repository contains answers for the practice tests hosted on the course [Certified Kubernetes Administrators Course](https://kodekloud.com/p/certified-kubernetes-administrator-with-practice-tests)
5 | 


--------------------------------------------------------------------------------
/etcd-backup-and-restore.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | # 1. Get etcdctl utility if it's not already present.
 4 | 
 5 | Reference: https://github.com/etcd-io/etcd/releases
 6 | 
 7 | ```
 8 | ETCD_VER=v3.3.13
 9 | 
10 | # choose either URL
11 | GOOGLE_URL=https://storage.googleapis.com/etcd
12 | GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
13 | DOWNLOAD_URL=${GOOGLE_URL}
14 | 
15 | rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
16 | rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test
17 | 
18 | curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
19 | tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1
20 | rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
21 | 
22 | /tmp/etcd-download-test/etcd --version
23 | ETCDCTL_API=3 /tmp/etcd-download-test/etcdctl version
24 | 
25 | mv /tmp/etcd-download-test/etcdctl /usr/bin
26 | ```
27 | 
28 | # 2. Backup
29 | 
30 | ```
31 | ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt \
32 |      --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key \
33 |      snapshot save /tmp/snapshot-pre-boot.db
34 | ```
35 | 
36 | # -----------------------------
37 | # Disaster Happens
38 | # -----------------------------
39 | 
40 | # 3. Restore ETCD Snapshot to a new folder
41 | 
42 | ```
43 | ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt \
44 |      --name=master \
45 |      --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key \
46 |      --data-dir /var/lib/etcd-from-backup \
47 |      --initial-cluster=master=https://127.0.0.1:2380 \
48 |      --initial-cluster-token etcd-cluster-1 \
49 |      --initial-advertise-peer-urls=https://127.0.0.1:2380 \
50 |      snapshot restore /tmp/snapshot-pre-boot.db
51 | ```
52 | 
53 | # 4. Modify /etc/kubernetes/manifests/etcd.yaml
54 | 
55 | Update ETCD POD to use the new data directory and cluster token by modifying the pod definition file at `/etc/kubernetes/manifests/etcd.yaml`. When this file is updated, the ETCD pod is automatically re-created as thisis a static pod placed under the `/etc/kubernetes/manifests` directory.
56 | 
57 | Update --data-dir to use new target location
58 | 
59 | ```
60 | --data-dir=/var/lib/etcd-from-backup
61 | ```
62 | 
63 | Update new initial-cluster-token to specify new cluster
64 | 
65 | ```
66 | --initial-cluster-token=etcd-cluster-1
67 | ```
68 | 
69 | Update volumes and volume mounts to point to new path
70 | 
71 | ```
72 |     volumeMounts:
73 |     - mountPath: /var/lib/etcd-from-backup
74 |       name: etcd-data
75 |     - mountPath: /etc/kubernetes/pki/etcd
76 |       name: etcd-certs
77 |   hostNetwork: true
78 |   priorityClassName: system-cluster-critical
79 |   volumes:
80 |   - hostPath:
81 |       path: /var/lib/etcd-from-backup
82 |       type: DirectoryOrCreate
83 |     name: etcd-data
84 |   - hostPath:
85 |       path: /etc/kubernetes/pki/etcd
86 |       type: DirectoryOrCreate
87 |     name: etcd-certs
88 | ```
89 | 
90 | > Note: You don't really need to update data directory and volumeMounts.mountPath path above. You could simply just update the hostPath.path in the volumes section to point to the new directory. But if you are not working with a kubeadm deployed cluster, then you might have to update the data directory. That's why I left it as is. 
91 | 


--------------------------------------------------------------------------------
/tls-bootstrap-worker-node-2:
--------------------------------------------------------------------------------
  1 | ## Create Bootstrap Token on Master Node
  2 | 
  3 | This is the solution to the practice test on TLS Bootstrapping hosted [here](https://kodekloud.com/courses/certified-kubernetes-administrator-with-practice-tests/lectures/9833234)
  4 | 
  5 | ```
  6 | cat > bootstrap-token-09426c.yaml <<EOF
  7 | apiVersion: v1
  8 | kind: Secret
  9 | metadata:
 10 |   # Name MUST be of form "bootstrap-token-<token id>"
 11 |   name: bootstrap-token-09426c
 12 |   namespace: kube-system
 13 | 
 14 | # Type MUST be 'bootstrap.kubernetes.io/token'
 15 | type: bootstrap.kubernetes.io/token
 16 | stringData:
 17 |   # Human readable description. Optional.
 18 |   description: "The default bootstrap token generated by 'kubeadm init'."
 19 | 
 20 |   # Token ID and secret. Required.
 21 |   token-id: 09426c
 22 |   token-secret: g262dkeidk3dx21x
 23 | 
 24 |   # Expiration. Optional.
 25 |   expiration: 2020-03-10T03:22:11Z
 26 | 
 27 |   # Allowed usages.
 28 |   usage-bootstrap-authentication: "true"
 29 |   usage-bootstrap-signing: "true"
 30 | 
 31 |   # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
 32 |   auth-extra-groups: system:bootstrappers:node03
 33 | EOF
 34 | ```
 35 | 
 36 | `master$ kubectl create -f bootstrap-token-09426c.yaml`
 37 | 
 38 | ## Create Cluster Role Binding
 39 | 
 40 | kubectl create clusterrolebinding crb-to-create-csr --clusterrole=system:node-bootstrapper --group=system:bootstrappers
 41 | 
 42 | --------------- OR ---------------
 43 | 
 44 | ```
 45 | cat > crb-to-create-csr <<-EOF
 46 | # enable bootstrapping nodes to create CSR
 47 | kind: ClusterRoleBinding
 48 | apiVersion: rbac.authorization.k8s.io/v1
 49 | metadata:
 50 |   name: crb-to-create-csr
 51 | subjects:
 52 | - kind: Group
 53 |   name: system:bootstrappers
 54 |   apiGroup: rbac.authorization.k8s.io
 55 | roleRef:
 56 |   kind: ClusterRole
 57 |   name: system:node-bootstrapper
 58 |   apiGroup: rbac.authorization.k8s.io
 59 | EOF
 60 | ```
 61 | 
 62 | `master$ kubectl create -f crb-to-create-csr.yaml`
 63 | 
 64 | 
 65 | # Authorize workers(kubelets) to approve CSR
 66 | 
 67 | kubectl create clusterrolebinding crb-to-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers
 68 | 
 69 | --------------- OR ---------------
 70 | 
 71 | ```
 72 | cat > crb-to-approve-csr.yaml <<EOF
 73 | # Approve all CSRs for the group "system:bootstrappers"
 74 | kind: ClusterRoleBinding
 75 | apiVersion: rbac.authorization.k8s.io/v1
 76 | metadata:
 77 |   name: crb-node-autoapprove-csr
 78 | subjects:
 79 | - kind: Group
 80 |   name: system:bootstrappers
 81 |   apiGroup: rbac.authorization.k8s.io
 82 | roleRef:
 83 |   kind: ClusterRole
 84 |   name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
 85 |   apiGroup: rbac.authorization.k8s.io
 86 | EOF
 87 | ```
 88 | 
 89 | `master$ kubectl create -f crb-to-approve-csr.yaml`
 90 | 
 91 | 
 92 | # Auto rotate certificates
 93 | 
 94 | kubectl create clusterrolebinding crb-to-autoapprove-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers
 95 | 
 96 | --------------- OR ---------------
 97 | 
 98 | ```
 99 | cat > crb-to-autoapprove-csr.yaml <<EOF
100 | # Approve renewal CSRs for the group "system:nodes"
101 | kind: ClusterRoleBinding
102 | apiVersion: rbac.authorization.k8s.io/v1
103 | metadata:
104 |   name: crb-to-autoapprove-csr
105 | subjects:
106 | - kind: Group
107 |   name: system:nodes
108 |   apiGroup: rbac.authorization.k8s.io
109 | roleRef:
110 |   kind: ClusterRole
111 |   name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
112 |   apiGroup: rbac.authorization.k8s.io
113 | EOF
114 | ```
115 | 
116 | `master$ kubectl create -f crb-to-autoapprove-csr.yaml`
117 | 
118 | 
119 | # Create bootstrap context on node03
120 | 
121 | ```
122 | kubectl config --kubeconfig=/tmp/bootstrap-kubeconfig set-cluster bootstrap --server='https://172.17.0.65:6443' --certificate-authority=/etc/kubernetes/pki/ca.crt
123 | kubectl config --kubeconfig=/tmp/bootstrap-kubeconfig set-credentials kubelet-bootstrap --token=09426c.g262dkeidk3dx21x
124 | kubectl config --kubeconfig=/tmp/bootstrap-kubeconfig set-context bootstrap --user=kubelet-bootstrap --cluster=bootstrap
125 | kubectl config --kubeconfig=/tmp/bootstrap-kubeconfig use-context bootstrap
126 | ```
127 | 
128 | 
129 | # Create Kubelet Service
130 | 
131 | Create new service file
132 | 
133 | ```
134 | cat > /etc/systemd/system/kubelet.service <<-EOF
135 | [Unit]
136 | Description=Kubernetes Kubelet
137 | Documentation=https://github.com/kubernetes/kubernetes
138 | 
139 | [Service]
140 | ExecStart=/usr/bin/kubelet \
141 |   --bootstrap-kubeconfig=/tmp/bootstrap-kubeconfig \
142 |   --kubeconfig=/var/lib/kubelet/kubeconfig \
143 |   --register-node=true \
144 |   --v=2
145 | Restart=on-failure
146 | StandardOutput=file:/var/kubeletlog1.log
147 | StandardError=file:/var/kubeletlog2.log
148 | RestartSec=5
149 | 
150 | [Install]
151 | WantedBy=multi-user.target
152 | 
153 | EOF
154 | ```
155 | 
156 | Reload service and start kubelet
157 | 
158 | ```
159 | node03$ systemctl daemon-reload
160 | node03$ service kubelet start
161 | ```
162 | 
163 | On master node check csr status and approve:
164 | 
165 | ```
166 | master$ kubectl get csr
167 | master$ kubectl certificate approve node-csr-oJcfudnewY5mcSDHcLseKQ6Oze5YmP9ZdKNRHHdjfJI
168 | ```
169 | 
170 | Verify node has joined the cluster
171 | 
172 | ```
173 | master$ kubectl get nodes
174 | 
175 | ```
176 | 


--------------------------------------------------------------------------------