├── Kubernetes-Chrome-Bookmarks.html
├── LICENSE
├── README.md
└── challenges
    ├── 01 - Encrypting Secret Data at Rest.md
    ├── 02 - Expanding PVC Storage Size.md
    ├── 03 - Startup Probe.md
    └── 04 - Check ServiceAccount Permissions.md

/Kubernetes-Chrome-Bookmarks.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Beyond Kubernetes Certification - Challenges

To keep myself updated and involved with K8S, I will be exploring K8S beyond the certification topics and creating challenges here based on my findings. These challenges are `good-to-know` and might be `overkill` for the CKA/CKAD certifications.

I have only mentioned a few tips for the `CKA,CKAD` certifications, as the internet is already flooded with blogs, repos, videos, training and exercises to prepare for all 3 Kubernetes certifications.

If you are looking for `CKS` resources, scroll to the bottom of this page.

**Note** - Please feel free to make a pull request if there's something wrong, or something that should be added or updated.

## Sections
1. [CKA and CKAD - Beyond Certification Challenges](https://github.com/sidd-harth/kubernetes#cka-ckad-challenges)
2. [CKA and CKAD Exam Tips](https://github.com/sidd-harth/kubernetes#cka-ckad-exam-tips)
   - [Using aliases](https://github.com/sidd-harth/kubernetes#using-aliases)
   - [VIM editor changes](https://github.com/sidd-harth/kubernetes#vim-editor-changes)
   - [Bookmarks](https://github.com/sidd-harth/kubernetes#bookmarks)
3. [CKS Resources](https://github.com/sidd-harth/kubernetes#cks-resources)

## CKA CKAD Challenges
- Challenge 1 - [Encrypting Secret Data at Rest](https://github.com/sidd-harth/kubernetes/blob/main/challenges/01%20-%20Encrypting%20Secret%20Data%20at%20Rest.md)
- Challenge 2 - [Expanding PVC Storage Size](https://github.com/sidd-harth/kubernetes/blob/main/challenges/02%20-%20Expanding%20PVC%20Storage%20Size.md)
- Challenge 3 - [Startup Probe](https://github.com/sidd-harth/kubernetes/blob/main/challenges/03%20-%20Startup%20Probe.md)
- Challenge 4 - [Check ServiceAccount Permissions](https://github.com/sidd-harth/kubernetes/blob/main/challenges/04%20-%20Check%20ServiceAccount%20Permissions.md)

## CKA CKAD Exam Tips
Kubectl `aliases`
```
alias k=kubectl
alias kn='k config set-context --current --namespace '
alias kd='k -o yaml --dry-run=client'
alias kall='k get all -o wide --show-labels'
alias kc='k config get-contexts'
```
#### Using `aliases`
In the exam, every question comes with a `context`, and we need to switch over to that context. Some questions are expected to be solved in specific `namespaces`, and it is easy to forget adding the `-n` argument when creating resources in a specific namespace.

These `aliases` help in quickly changing the `namespace` and also checking the `current context` before answering/debugging a question.

- Example -
  - Create a Deployment named `nginx-frontend`
  - Expose it using a Service named `nginx-svc`
  - Write the output of all Service `Endpoints` to /opt/INC002/endpoints.txt
  - Everything needs to be done in the `rs67` namespace.

`Without aliases`
```
k create deploy nginx-frontend --image nginx -n rs67
k expose deploy nginx-frontend --name nginx-svc --port 80 -n rs67
k get ep -n rs67 > /opt/INC002/endpoints.txt
```
`With aliases`
```
kn rs67 # changing context to use rs67 namespace
kc # shows the current context and the namespace details

k create deploy nginx-frontend --image nginx
k expose deploy nginx-frontend --name nginx-svc --port 80
k get ep > /opt/INC002/endpoints.txt

kn default # I feel it is a good practice to switch back to default namespace after every question
```

#### `VIM` Editor changes
These two additions were enough for me to edit/create `YAMLs` using VI
```
sudo vi /etc/vim/vimrc
set number
set paste
```

#### Bookmarks
During the exam, you can keep only one other browser tab open to refer to the official documentation. I have uploaded the bookmarks which I used for version 1.19. These bookmarks can be used for both CKA/CKAD.

| Name | Resource |
| ---- | ------ |
| Bookmark | [Kubernetes-Chrome-Bookmarks](https://github.com/sidd-harth/kubernetes/blob/main/Kubernetes-Chrome-Bookmarks.html) |

## CKS Resources
- [Walid Shaari](https://github.com/walidshaari/Certified-Kubernetes-Security-Specialist)
- [ibrahim Jelliti](https://github.com/ibrahimjelliti/CKSS-Certified-Kubernetes-Security-Specialist)
- [Kim Wuestkamp](https://wuestkamp.medium.com/kubernetes-cks-full-course-simulator-3893120baa1d)
- [Kubernetes CKS 2020 Complete Course + Simulator](https://www.udemy.com/course/certified-kubernetes-security-specialist/)

--------------------------------------------------------------------------------
/challenges/01 - Encrypting Secret Data at Rest.md:
--------------------------------------------------------------------------------
# Encrypting Secret Data at Rest
- I have used a `Kubeadm` based Cluster
- Version - 1.19
- etcd v3.0 or later is required

### Create a `Secret` and Retrieve `plain-text` `Secrets` from `ETCD`

1. Create a new secret called `secretpassword` in the default namespace with `password=s3cR3t!` data:
```
kubectl create secret generic secretpassword --from-literal=password=s3cR3t!
```

2. Using the `etcdctl` command line, read that `secret` out of `etcd`:
```
ETCDCTL_API=3 etcdctl get /registry/secrets/default/secretpassword \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/server.crt \
  --key /etc/kubernetes/pki/etcd/server.key
```


- Pipe the above command into `hexdump -C`
```
ETCDCTL_API=3 etcdctl get /registry/secrets/default/secretpassword \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/server.crt \
  --key /etc/kubernetes/pki/etcd/server.key | hexdump -C
```


> In both these images, we can see that the secret data is saved as `plain` text. Anyone with access to `etcd` can query and get the data.


1. Generate a 32-byte random key and base64 encode it.
```
head -c 32 /dev/urandom | base64
```
2. Create a new encryption config file and replace the `

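As an added example (not the repository's own config file), the following script builds the encryption config that step 2 refers to. It generates the key, rejects a key that does not decode to exactly 32 bytes, writes an `EncryptionConfiguration` for the `aescbc` provider with restrictive file permissions, and reports which provider would be used for writes. The output path `/tmp/encryption-config.yaml` and the key name `key1` are assumptions; pointing `kube-apiserver` at the file with `--encryption-provider-config` (and, on kubeadm, mounting it into the static pod) is left to the reader.

```shell
#!/bin/sh
# Added example, not the repository's own file: build the EncryptionConfiguration
# that the step above refers to. CONFIG_PATH and KEY_NAME are assumptions.

# Generate a 32-byte random key, base64-encoded on one line
# (the aescbc provider requires a key of exactly 32 bytes).
generate_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Decoded length in bytes of a base64 key, so a truncated or mis-pasted key
# is rejected here instead of making kube-apiserver refuse to start.
key_byte_length() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Write the EncryptionConfiguration for Secrets.
# Provider order matters: the first provider listed is used for writes, the
# rest only for reads. aescbc first means new Secrets are encrypted; identity
# last keeps existing plaintext Secrets readable until they are rewritten.
# Listing identity first would silently keep writing plaintext.
write_encryption_config() {
    path="$1"; name="$2"; key="$3"
    if [ "$(key_byte_length "$key")" -ne 32 ]; then
        echo "refusing to write $path: key must decode to 32 bytes" >&2
        return 1
    fi
    # The file contains the key itself, so create it owner-readable only.
    # Anyone who can read both this file and etcd can still decrypt the data:
    # encryption at rest protects etcd snapshots and disks, not a compromised
    # control-plane host.
    (
        umask 077
        rm -f "$path"
        cat > "$path" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: ${name}
              secret: ${key}
      - identity: {}
EOF
    )
}

# Report which provider the config would use for writes (the first one listed).
write_provider() {
    awk '/providers:/ { p = 1; next }
         p && /^ *- [a-z]+/ { sub(/^ *- /, ""); sub(/:.*/, ""); print; exit }' "$1"
}

# Stand-alone run: `sh this-script.sh run` writes the config to CONFIG_PATH.
CONFIG_PATH="${CONFIG_PATH:-/tmp/encryption-config.yaml}"   # assumed location
KEY_NAME="${KEY_NAME:-key1}"                                 # assumed key name
if [ "${1:-}" = "run" ]; then
    write_encryption_config "$CONFIG_PATH" "$KEY_NAME" "$(generate_key)" && \
        echo "wrote $CONFIG_PATH (write provider: $(write_provider "$CONFIG_PATH"))"
fi
```

After the file is in place and `kube-apiserver` has been restarted with it, `write_provider` should print `aescbc`; if it prints `identity`, the providers are in the wrong order and new Secrets are still being written in the clear.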
1. After the `kube-apiserver` gets restarted, any newly created `secret` will be encrypted.
2. Data is encrypted only when it is written to etcd, so any previously created `secrets` are still in `plain-text`.
3. Performing an update on the existing `secrets` rewrites them, which encrypts their content.
```
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```
4. Using the `etcdctl` command line, read that `secret` out of `etcd`:
```
ETCDCTL_API=3 etcdctl get /registry/secrets/default/secretpassword \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/server.crt \
  --key /etc/kubernetes/pki/etcd/server.key
```


- Pipe the above command into `hexdump -C`
```
ETCDCTL_API=3 etcdctl get /registry/secrets/default/secretpassword \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/server.crt \
  --key /etc/kubernetes/pki/etcd/server.key | hexdump -C
```


As seen in the above images, the `secret` is encrypted in `etcd`.
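Reading the hexdump by eye is fine for one Secret, but not for auditing a whole cluster. The following added example (not part of the original write-up) does the same check for both situations shown above, the plaintext value before encryption and the encrypted value after it, by looking at the storage prefix: `kube-apiserver` writes plaintext protobuf objects with the 4-byte magic `k8s\0`, while values written through an encryption provider start with `k8s:enc:<provider>:v1:<keyname>:` followed by ciphertext. The sample values are constructed inline (the protobuf body is abbreviated; only the prefixes are exact), so the script runs without a cluster; on a real node you would pipe the output of the `etcdctl get ... --print-value-only` command into `classify_etcd_value`.

```shell
#!/bin/sh
# Added example (not from the original write-up): tell from a raw etcd value
# whether a Secret is stored in plaintext or encrypted at rest.

# Classify a raw value read on stdin. Prints one of:
#   plaintext | encrypted <provider> <keyname> | unknown
classify_etcd_value() {
    tmp=$(mktemp)   # mktemp creates the file mode 0600; the value may hold a secret
    cat > "$tmp"
    # NUL bytes cannot live in shell variables, so strip them before comparing.
    head8=$(head -c 8 "$tmp" | LC_ALL=C tr -d '\000')
    head4=$(head -c 4 "$tmp" | LC_ALL=C tr -d '\000')
    if [ "$head8" = "k8s:enc:" ]; then
        # Prefix layout: k8s:enc:<provider>:v1:<keyname>:<ciphertext>
        hdr=$(head -c 64 "$tmp" | LC_ALL=C tr -d '\000')
        provider=$(printf '%s' "$hdr" | LC_ALL=C cut -d: -f3)
        keyname=$(printf '%s' "$hdr" | LC_ALL=C cut -d: -f5)
        echo "encrypted $provider $keyname"
    elif [ "$head4" = "k8s" ]; then
        # "k8s" followed by a NUL byte is the plaintext protobuf magic.
        echo "plaintext"
    else
        echo "unknown"
    fi
    rm -f "$tmp"
}

# Return 0 if the raw value on stdin still contains a known literal such as
# the password just stored; the scripted form of spotting it in hexdump -C.
contains_literal() {
    LC_ALL=C grep -a -q -F -- "$1"
}

# Constructed sample values, not captured from a real cluster. Only the
# storage prefixes are exact; the bodies are abbreviated stand-ins.
sample_plaintext_value() {
    printf 'k8s\000\n\002v1\022\006Secret (abbreviated body) password\022\007s3cR3t!'
}
sample_encrypted_value() {
    printf 'k8s:enc:aescbc:v1:key1:\303\251\001\377ciphertext-bytes'
}

# Stand-alone run: classify both constructed samples.
if [ "${1:-}" = "run" ]; then
    sample_plaintext_value | classify_etcd_value
    sample_encrypted_value | classify_etcd_value
fi
```

The `keyname` field is worth keeping in the output: after a key rotation, any Secret still reporting the old key name has not been rewritten yet, which is exactly what the `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` step fixes.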