CKA Mock Exam 2: Question 10

Good day,

Please I need help on why I was marked wrong on this question:



Solve this question on: ssh cluster1-controlplane


Modify the existing web-gateway on cka5673 namespace to handle HTTPS 
traffic on port 443 for kodekloud.com, using a TLS certificate stored in a 
secret named kodekloud-tls.

I have tried to compare the provided yaml with mine and at the moment, I cannot tell that there are any tangible differences. I would greatly appreciate any assistance I can get here.

The provided solution at the end of the exam:

# web-gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: web-gateway
  namespace: cka5673
spec:
  gatewayClassName: kodekloud
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: kodekloud.com
      tls:
        certificateRefs:
          - name: kodekloud-tls

This is my yaml manifest from my work (which was marked wrong) below. I would really appreciate any help in figuring out exactly what tangible difference caused me to be marked wrong:

cluster1-controlplane ~ ➜  k get gateway -n cka5673 web-gateway -o yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gateway.networking.k8s.io/v1","kind":"Gateway","metadata":{"annotations":{},"name":"web-gateway","namespace":"cka5673"},"spec":{"gatewayClassName":"kodekloud","listeners":[{"name":"https","port":80,"protocol":"HTTP"}]}}
  creationTimestamp: "2025-04-29T19:17:47Z"
  generation: 2
  name: web-gateway
  namespace: cka5673
  resourceVersion: "9683"
  uid: cadda2b5-218c-4a13-b0ff-4b5c4ec0f7d3
spec:
  gatewayClassName: kodekloud
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: secret
        name: kodekloud-tls
        namespace: cka5673
      mode: Terminate
status:
  conditions:
  - lastTransitionTime: "1970-01-01T00:00:00Z"
    message: Waiting for controller
    reason: Pending
    status: Unknown
    type: Accepted
  - lastTransitionTime: "1970-01-01T00:00:00Z"
    message: Waiting for controller
    reason: Pending
    status: Unknown
    type: Programmed

cluster1-controlplane ~ ➜  

This appears to be a syntax issue with your version. I used the solution, which gets converted internally to:

    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: kodekloud-tls
      mode: Terminate

I’m not sure how your deviation from the solution affects either the behavior of the gateway or what the grader does, TBH.

Thanks for the quick response @rob_kodekloud. However, I wanted to get clarification. Are you saying that the examiner maybe was not expecting me to specify the “namespace: cka5673” under the tls?

      certificateRefs:
      - group: ""
        kind: secret
        name: kodekloud-tls
        namespace: cka5673
      mode: Terminate

Also, I don’t know if you think I did the right thing or the wrong thing…lol.

Just cos you said “I’m not sure … what the grader does” :slightly_smiling_face:

It’s difficult to know if this is a problem with the grader or with your code. The docs are frankly unclear. But it’s not necessary to add the namespace key in the certificateRefs blocks, and some reason to believe it might indeed mess things up; look at this note from the Gateway API docs:

In this example, the Gateway is configured to reference a certificate in a different namespace. This is allowed by the ReferenceGrant created in the target namespace. Without that ReferenceGrant, the cross-namespace reference would be invalid.

You’re doing what’s basically an edge case – you’re in the same namespace, but there’s no ReferenceGrant. I expect that what happens is implementation dependent. Better to omit it in this case, in my opinion. Short of testing the answer directly (difficult since the admission controller for the nginx Gateway fabric is not installed in the lab), I don’t see how to do this.

I’ll attempt the exam later without specifying the namespace, and I’ll close the thread if this works. Thank you so much for taking the time to look.
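
An added example, not part of the thread and not the exam grader's logic: a field-by-field comparison of the two listeners posted above, after filling in the defaults that the thread's kubectl output shows (`group: ""`, `kind: Secret`, `mode: Terminate`, `allowedRoutes` from `Same`). The dicts are transcribed from the posted manifests, the function names are hypothetical, and the page does not say which of the reported fields the grader checks.

```python
# Listener specs transcribed from the two manifests posted in this thread.
SOLUTION = {
    "name": "https", "protocol": "HTTPS", "port": 443,
    "hostname": "kodekloud.com",
    "tls": {"certificateRefs": [{"name": "kodekloud-tls"}]},
}
SUBMITTED = {
    "allowedRoutes": {"namespaces": {"from": "Same"}},
    "name": "https", "port": 443, "protocol": "HTTPS",
    "tls": {
        "certificateRefs": [{"group": "", "kind": "secret",
                             "name": "kodekloud-tls", "namespace": "cka5673"}],
        "mode": "Terminate",
    },
}

def apply_defaults(listener):
    """Copy the listener and fill in the defaults visible in the thread's output."""
    out = dict(listener)
    out.setdefault("allowedRoutes", {"namespaces": {"from": "Same"}})
    tls = dict(out.get("tls", {}))
    tls.setdefault("mode", "Terminate")
    tls["certificateRefs"] = [{"group": "", "kind": "Secret", **ref}
                              for ref in tls.get("certificateRefs", [])]
    out["tls"] = tls
    return out

def flatten(node, prefix=""):
    """Flatten nested dicts and lists into {path: scalar value}."""
    if isinstance(node, dict):
        pairs = [(f"{prefix}.{k}" if prefix else k, v) for k, v in node.items()]
    elif isinstance(node, list):
        pairs = [(f"{prefix}[{i}]", v) for i, v in enumerate(node)]
    else:
        return {prefix: node}
    flat = {}
    for path, value in pairs:
        flat.update(flatten(value, path))
    return flat

def listener_diff(expected, actual):
    """Map each differing path to (expected, actual); None means the field is absent."""
    exp, act = flatten(apply_defaults(expected)), flatten(apply_defaults(actual))
    return {p: (exp.get(p), act.get(p))
            for p in sorted(exp.keys() | act.keys()) if exp.get(p) != act.get(p)}

if __name__ == "__main__":
    for path, (want, got) in listener_diff(SOLUTION, SUBMITTED).items():
        print(f"{path}: solution={want!r} submitted={got!r}")
```

Besides the `namespace` key discussed above, the comparison also reports the missing `hostname` and the lowercase `kind: secret`.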