# RedHat ex280v42 Preparation Guide

## What it is

This preparation guide is written for the Red Hat Certified Specialist in OpenShift Administration exam (EX280) for OpenShift v4.2.

- Exam format: task based. The exam contains a set of 16 tasks that you have to perform, representing the work of an OpenShift administrator.

- Exam duration: 3 hours

- Exam passing grade: 70%, so you must get at least 12 of the 16 tasks right. (Partial completion of a task is not counted as a correct answer.)

## Exam objectives

These objectives were retrieved from [https://www.redhat.com/en/services/training/ex280-red-hat-certified-specialist-in-openshift-administration-exam?section=Objectives](https://www.redhat.com/en/services/training/ex280-red-hat-certified-specialist-in-openshift-administration-exam?section=Objectives).

To become a Red Hat Certified Specialist in OpenShift Administration, you should be able to perform these tasks:

- Manage OpenShift Container Platform
  - Use the command-line interface to manage and configure an OpenShift cluster
  - Use the web console to manage and configure an OpenShift cluster
  - Create and delete projects
  - Import, export, and configure Kubernetes resources
  - Examine resources and cluster status
  - View logs
  - Monitor cluster events and alerts
  - Troubleshoot common cluster events and alerts
  - Use product documentation
- Manage users and policies
  - Configure the HTPasswd identity provider for authentication
  - Create and delete users
  - Modify user passwords
  - Modify user and group permissions
  - Create and manage groups
- Control access to resources
  - Define role-based access controls
  - Apply permissions to users
  - Create and apply secrets to manage sensitive information
  - Create service accounts and apply permissions using security context constraints
- Configure networking components
  - Troubleshoot software defined networking
  - Create and edit external routes
  - Control cluster network ingress
  - Create a self signed certificate
  - Secure routes using TLS certificates
- Configure pod scheduling
  - Limit resource usage
  - Scale applications to meet increased demand
  - Control pod placement across cluster nodes
- Configure cluster scaling
  - Manually control the number of cluster workers
  - Automatically scale the number of cluster workers

## Manage OpenShift Container Platform

Executing troubleshooting commands:

- Getting node information:
```
oc get node
oc describe node <node-name>
```

- Getting the busiest nodes (needs the metrics stack, which is installed by default in 4.x):
```
oc adm top nodes
```

- Getting `journalctl` logs from a node (here the kubelet unit):
```
oc adm node-logs -u kubelet <node-name>
```

- Running a remote shell on a node (inside the debug pod, run `chroot /host` to use the node's own binaries and filesystem):
```
oc debug node/<node-name>
```

- Working with cluster operators and the cluster version (a degraded or unavailable operator in the first output is where most cluster-level troubleshooting starts):
```
oc get clusteroperators
oc get clusterversion -o yaml
```

- Getting a pod's logs:
```
oc logs <pod> [-c <container>] [-f]
```

- Debugging a deployment or a pod:
```
oc debug deployment/<name> [--as-root]
oc rsh <pod>
oc port-forward <pod> <local-port>:<pod-port>
```

- Copying a file to or from a pod:
```
oc cp file <pod>:/file
oc cp <pod>:/file file
```

## Manage Users and Policies

Removing the default kubeadmin. Do this only after an identity provider is configured and another user has been granted `cluster-admin` and has logged in successfully; deleting this secret is irreversible and the kubeadmin password cannot be recovered:
```
oc delete secret kubeadmin -n kube-system
```

Working with htpasswd (`-B` selects bcrypt hashes; `-c` creates the file and overwrites it if it already exists, so use it only for the first user; `-b` takes the password on the command line, which leaves it in the shell history, so omit it to be prompted instead):

- Create: `htpasswd -c -B -b /tmp/htpasswd student redhat123`
- Update: `htpasswd -B -b /tmp/htpasswd student redhat1234`

Create a secret from the file in the `openshift-config` namespace (the key name `htpasswd` is what the identity provider looks for). After any later change to the file the secret has to be updated as well; the OAuth server only reads the secret, never `/tmp/htpasswd`:
```
oc create secret generic htpasswd-secret \
  --from-file htpasswd=/tmp/htpasswd -n openshift-config
```

Adding the identity provider to the cluster OAuth resource (`oc edit oauth cluster`, or apply the following):
```
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpasswd-secret
```

Getting users and identities. A user who has logged in once gets both a `User` and an `Identity` object; to delete a user completely, remove the entry from the htpasswd file, update the secret, and delete both objects (`oc delete user` and `oc delete identity`):
```
oc get users
oc get identity
```

## Manage Resource Access

Defining and applying permissions using RBAC:
```
oc adm policy add-cluster-role-to-user cluster-admin username
oc adm policy remove-cluster-role-from-user cluster-admin username
oc adm policy who-can delete user
oc adm policy add-role-to-user basic-user dev -n wordpress
```

Default cluster roles:
- **basic-user**: read-only access to basic information about projects and users.
- **cluster-admin**: superuser access to all cluster resources. These users can perform any action on the cluster and have full control of all projects.
- **cluster-status**: can get cluster status information.
- **self-provisioner**: can create new projects.

Default roles that can be bound at project level (`oc adm policy add-role-to-user <role> <user> -n <project>`):
- **admin**: can manage all project resources, including granting other users access to the project.
- **edit**: can create, change, and delete common application resources in the project, such as services and deployment configurations. These users cannot act on management resources such as limit ranges and quotas, and cannot manage access permissions to the project.
- **view**: can view project resources but cannot modify them.

System users (examples): system:admin, system:openshift-registry, and system:node:node1.example.com.
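The HTPasswd, RBAC and kubeadmin steps above put together as one script. This is an added example, not code from the original guide. It assumes an `oc` session as cluster-admin; the user `student`, the file `/tmp/htpasswd`, the secret `htpasswd-secret` and the provider name `my_htpasswd_provider` are the placeholders used in the guide. With `RUN_EX280_IDP=1` the whole flow executes; otherwise the file only defines functions, and redefining `oc` as a shell function that echoes its arguments turns it into a dry run.

```shell
#!/bin/sh
# Added example, not part of the original guide: HTPasswd identity provider
# setup, htpasswd rotation, and a guarded removal of kubeadmin.
# Assumes an oc session as cluster-admin; user, file, secret and provider
# names are placeholders taken from the guide.
set -eu

HTPASSWD_FILE=${HTPASSWD_FILE:-/tmp/htpasswd}
SECRET_NAME=${SECRET_NAME:-htpasswd-secret}
PROVIDER_NAME=${PROVIDER_NAME:-my_htpasswd_provider}

# Render the OAuth resource that points the cluster at the secret.
oauth_manifest() { # oauth_manifest <provider-name> <secret-name>
cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: $1
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: $2
EOF
}

# Add or update one user. -B = bcrypt; -c only for a file that does not
# exist yet, because on an existing file it would wipe the other users.
add_user() { # add_user <user> <password>
  if [ -f "$HTPASSWD_FILE" ]; then
    htpasswd -B -b "$HTPASSWD_FILE" "$1" "$2"
  else
    htpasswd -c -B -b "$HTPASSWD_FILE" "$1" "$2"
  fi
}

# First-time setup: secret in openshift-config, then the IdP entry. The
# authentication operator then redeploys the oauth-openshift pods
# (watch them in the openshift-authentication namespace).
install_idp() {
  oc create secret generic "$SECRET_NAME" \
    --from-file htpasswd="$HTPASSWD_FILE" -n openshift-config
  oauth_manifest "$PROVIDER_NAME" "$SECRET_NAME" | oc apply -f -
}

# After any htpasswd change (new user, new password, removed user) the secret
# must be refreshed in place; the OAuth server never reads /tmp/htpasswd.
rotate_htpasswd() {
  oc set data secret/"$SECRET_NAME" \
    --from-file htpasswd="$HTPASSWD_FILE" -n openshift-config
}

# Delete kubeadmin only once another user provably holds cluster-admin.
# Impersonation (--as) checks the RBAC binding; it does not prove the
# identity provider works, so log in as that user in a second terminal first.
remove_kubeadmin_safely() { # remove_kubeadmin_safely <admin-user>
  oc adm policy add-cluster-role-to-user cluster-admin "$1"
  answer=$(oc auth can-i '*' '*' --as="$1" 2>/dev/null || true)
  if [ "$answer" != "yes" ]; then
    echo "refusing to delete kubeadmin: $1 cannot act as cluster-admin" >&2
    return 1
  fi
  oc delete secret kubeadmin -n kube-system
}

# Set RUN_EX280_IDP=1 to execute the flow; otherwise only the functions are
# defined, so the file can be sourced or dry-run with a stub oc.
if [ "${RUN_EX280_IDP:-0}" = 1 ]; then
  add_user student redhat123
  install_idp
  remove_kubeadmin_safely student
fi
```

The guard in `remove_kubeadmin_safely` is the point of the script: it refuses to delete the kubeadmin secret unless `oc auth can-i '*' '*' --as=<user>` answers `yes`, which is the cheapest check that the cluster will still have an administrator afterwards. Because `--as` bypasses the login flow, a real `oc login -u student` from another terminal remains the definitive test that the HTPasswd provider itself works.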

Managing sensitive information with secrets:
```
oc create secret generic secret_name \
  --from-literal key1=secret1 \
  --from-literal key2=secret2
oc secrets add --for mount serviceaccount/serviceaccount-name \
  secret/secret_name
oc set env dc/demo --from=secret/demo-secret
oc set volume dc/demo \
  --add \
  --type=secret \
  --secret-name=demo-secret \
  --mount-path=/app-secrets
```

`oc secrets add` is the deprecated spelling of `oc secrets link`, which takes the same service account and secret arguments. Prefer the volume mount over `oc set env` where the application can read files: a mounted secret is refreshed inside the pod when the secret changes, while environment variables stay fixed until the pod is recreated, and anything that can read the container's environment (`oc rsh`, a crash dump, `/proc`) gets the values in clear.

Controlling application permissions with security context constraints (SCCs), for example `anyuid` or `privileged`:
```
oc adm policy add-scc-to-user anyuid -z default
```

`-z default` grants the SCC to the project's `default` service account, that is, to every pod in the project that does not name its own service account. For a single workload, create a dedicated service account, grant the SCC to that one, and point the deployment at it with `oc set serviceaccount`. `oc get pod <pod> -o yaml` shows which SCC a running pod was admitted under in its `openshift.io/scc` annotation.

## Configure Networking Components

Service types: ClusterIP, NodePort, LoadBalancer, ExternalName.

DNS inside the cluster is provided by CoreDNS, managed by the DNS operator:
```
oc describe dns.operator/default
```

CoreDNS entries for a service:
- A record: `svcname.namespace.svc.cluster.local`
- SRV record: `_port-name._port-protocol.svcname.namespace.svc.cluster.local`

Cluster network configuration (SDN plug-in, cluster and service CIDRs):
```
oc get Network.config.openshift.io cluster -o yaml
```

Ingress resources (plain Kubernetes Ingress objects; routes are the OpenShift-native way to expose a service):
```
oc get ingress
```

Self-signed certificate generation (the `CN` must match the hostname the route will use; current browsers also require a matching subjectAltName, so expect a warning from a certificate made this way):
```
openssl genrsa -out file.key 2048
openssl req -new -subj "/CN=<hostname>" -out file.req -key file.key
openssl x509 -req -in file.req -out file.crt -signkey file.key -days 365
```

Secure route. TLS termination can be `edge` (the router terminates TLS and talks plain HTTP to the pod), `passthrough` (the router forwards the TLS stream untouched, so the pod holds the certificate and the route takes no `--key`/`--cert`) or `reencrypt` (terminate at the router, then a second TLS connection to the pod, validated with `--dest-ca-cert`):
```
oc create route edge <route-name> \
  --service <service-name> --hostname <name>.apps.acme.com \
  --key file.key --cert file.crt
```

## Configure Pod Scheduling

I think this topic has the most weight over all the topics in this exam.

Controlling pod scheduling behavior (what decides on which nodes a pod can or cannot run):
```
oc label node node1.us-west-1.compute.internal env[-|=dev] [--overwrite]
oc get node node2.us-west-1.compute.internal --show-labels
oc get node -L failure-domain.beta.kubernetes.io/region
oc patch deployment/myapp --patch \
  '{"spec":{"template":{"spec":{"nodeSelector":{"env":"dev"}}}}}'
oc adm new-project demo --node-selector "tier=1"
oc annotate namespace demo \
  openshift.io/node-selector="tier=2" --overwrite
```

`env-` removes the label, `env=dev` sets it. A project node selector is combined with the pod's own `nodeSelector`; if the combination matches no node, the pods are created but stay `Pending`.

Limiting resource usage (what decides how much a pod is allowed to request and use):
```
oc adm top nodes -l node-role.kubernetes.io/worker
oc set resources deployment hello-world-nginx \
  --requests cpu=10m,memory=20Mi --limits cpu=80m,memory=100Mi
oc create quota dev-quota --hard services=10,cpu=1300,memory=1.5Gi -n <project>
oc get resourcequota -n <project>
oc describe limitrange dev-limits
```

Watch the CPU units: `cpu=1300` means 1300 cores, `cpu=1300m` means 1.3 cores. A quota with `cpu` or `memory` keys only works together with a LimitRange that sets default requests, because such a quota rejects any pod that declares no requests.

A LimitRange and a ResourceQuota are both enforced by admission controllers when the pod is created, not by the scheduler. A pod created directly (`oc run`, `oc create -f pod.yaml`) is rejected and the error is printed immediately. A pod created through a Deployment or DeploymentConfig is never created at all: the Deployment object is accepted, but its ReplicaSet (or ReplicationController) fails to create the pod, and the `forbidden: exceeded quota` or `maximum ... per Container` message shows up as a `FailedCreate` event in `oc get events` and in `oc describe rs`. A pod that exists but stays `Pending` has already passed admission; that is a scheduling problem (node selector, taints, or no node with enough free resources), and its reason is a `FailedScheduling` event on the pod.

Cluster resource quotas span several projects, selected by annotation or by label:
```
oc create clusterquota user-qa \
  --project-annotation-selector openshift.io/requester=qa \
  --hard pods=12,secrets=20
oc create clusterquota env-qa \
  --project-label-selector environment=qa \
  --hard pods=10,services=5
```

Scaling an application (the horizontal pod autoscaler needs a CPU request on the pods; without one it cannot compute a percentage and reports its target as unknown):
```
oc scale --replicas 3 deployment/myapp
oc autoscale dc/hello --min 1 --max 10 --cpu-percent 80
oc get hpa
```

## Configure Cluster Scaling

Manually scaling an OpenShift cluster (list the machine sets with `oc get machineset -n openshift-machine-api`; scaling one changes the number of worker machines it manages):
```
oc scale --replicas=2 \
  machineset MACHINE-SET -n openshift-machine-api
```

Automatically scaling an OpenShift cluster (a `ClusterAutoscaler` sets the cluster-wide limits, and one `MachineAutoscaler` per machine set sets that set's minimum and maximum replicas):
```
oc get clusterautoscaler
oc get machineautoscaler -n openshift-machine-api
```
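The Configure Pod Scheduling section above (node selectors, LimitRange, ResourceQuota, and telling an admission rejection apart from a Pending pod) as one added script. This is not code from the original guide. It assumes an `oc` session with admin rights, a project named `dev` and a deployment named `myapp`, all placeholders. The `oc` calls only run with `RUN_EX280_SCHED=1`; the manifest and diagnosis functions can be exercised against a stub `oc` shell function.

```shell
#!/bin/sh
# Added example, not part of the original guide: placement plus resource
# guardrails for one project, and a check that tells admission failures
# (ResourceQuota / LimitRange) apart from scheduling failures (nodeSelector).
# Assumes an oc session with admin rights; names are placeholders.
set -eu

# LimitRange: defaults for containers that declare nothing, plus a cap.
limitrange_manifest() { # limitrange_manifest <namespace>
cat <<EOF
apiVersion: v1
kind: LimitRange
metadata:
  name: dev-limits
  namespace: $1
spec:
  limits:
  - type: Container
    default:        {cpu: 100m, memory: 128Mi}
    defaultRequest: {cpu: 50m,  memory: 64Mi}
    max:            {cpu: 500m, memory: 512Mi}
EOF
}

# ResourceQuota: project-wide ceiling. With the LimitRange above every pod
# gets requests, so the cpu/memory keys cannot be bypassed by omitting them.
quota_manifest() { # quota_manifest <namespace>
cat <<EOF
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-quota
  namespace: $1
spec:
  hard: {pods: "10", services: "10", cpu: "1300m", memory: "1.5Gi"}
EOF
}

apply_guardrails() { # apply_guardrails <namespace>
  limitrange_manifest "$1" | oc apply -f -
  quota_manifest "$1" | oc apply -f -
}

# Pin a deployment to nodes labelled env=<value> and make that the project
# default so future pods in the namespace land there too.
pin_to_env() { # pin_to_env <namespace> <deployment> <env>
  oc patch deployment/"$2" -n "$1" --patch \
    "{\"spec\":{\"template\":{\"spec\":{\"nodeSelector\":{\"env\":\"$3\"}}}}}"
  oc annotate namespace "$1" openshift.io/node-selector="env=$3" --overwrite
}

# Quota and LimitRange are enforced at admission: the ReplicaSet cannot
# create the pod at all, and the error is a FailedCreate event on it.
# A nodeSelector that matches no node passes admission: the pod exists,
# stays Pending, and carries a FailedScheduling event. Print which applies.
why_not_running() { # why_not_running <namespace> <deployment>
  fmt='{range .items[*]}{.involvedObject.name}{"\t"}{.message}{"\n"}{end}'
  admission=$(oc get events -n "$1" --field-selector reason=FailedCreate \
      -o jsonpath="$fmt" | grep "^$2-" | sed -n 's/.*forbidden: //p' | tail -n 1)
  if [ -n "$admission" ]; then echo "admission: $admission"; return 0; fi
  sched=$(oc get events -n "$1" --field-selector reason=FailedScheduling \
      -o jsonpath="$fmt" | grep "^$2-" | cut -f2 | tail -n 1)
  if [ -n "$sched" ]; then echo "scheduling: $sched"; return 0; fi
  echo "no FailedCreate/FailedScheduling events for $2 in $1"
  return 1
}

# Set RUN_EX280_SCHED=1 to execute against a cluster.
if [ "${RUN_EX280_SCHED:-0}" = 1 ]; then
  apply_guardrails dev
  pin_to_env dev myapp dev
  oc rollout status deployment/myapp -n dev --timeout=60s || why_not_running dev myapp
fi
```

`why_not_running` encodes the distinction the section makes: an `admission:` answer means the object never got past the API server (fix the quota, the LimitRange, or the pod's requests), while a `scheduling:` answer means the pod exists and no node satisfies it (fix labels, taints, or capacity). Both lines come straight from the event messages, so the same function works for any deployment name prefix.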