CKAD Mock Exam 2 ex 12

I was flagged as not having addressed 2 items for exercise 12:

  1. is the policy netpol-ckad-allow created
  2. does (the) policy allows (sic) traffic from pod with label criteria=allow?

I don’t feel those are correct results.

I have confirmed that I am in the right cluster: cluster1
I have confirmed I’m in the correct namespace: nginx-deployment

student-node ~ ➜  k run host-without-criteria-allow --image nginx
pod/host-without-criteria-allow created

student-node ~ ➜  k run host-with-criteria-allow --image nginx --labels criteria=allow
pod/host-with-criteria-allow created

student-node ~ ➜  k get svc
NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
nginx-ckad11-service   ClusterIP   10.43.148.58   <none>        80/TCP    46m

student-node ~ ➜  k exec -it host-with-criteria-allow -- /bin/sh -c "curl http://10.43.148.58:80"
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

student-node ~ ➜  k exec -it host-without-criteria-allow -- /bin/sh -c "curl http://10.43.148.58:80"
 
curl: (7) Failed to connect to 10.43.148.58 port 80 after 0 ms: Couldn't connect to server
command terminated with exit code 7

student-node ~ ✖ k get netpol
NAME                POD-SELECTOR       AGE
netpol-ckad-allow   app=nginx-ckad11   44m

student-node ~ ✖ k config view | grep current-context
current-context: cluster1

student-node ~ ➜  k config view | grep -A4 'cluster: cluster1'
    cluster: cluster1
    namespace: nginx-deployment
    user: cluster1
  name: cluster1
- context:

I feel I correctly completed this exercise, but is there something I’m missing that I don’t see?

Thanks

This one’s tricky.

  • The deployment has an unusual label used.
  • If the label’s wrong, you’ll get everything else wrong as well.

So:

  • What’s the YAML for the deployment?
  • What’s your netpol?

There is an issue with the validation – the “allow” check is not picking up right – but we’ve already logged this in our system for fixing. You should get only that one wrong right now, until we do.

Yes, but I did have the label configured correctly. The output I provided further above was my testing of the configuration.

With the label set to criteria-allow I am able to reach the service.
Without the label, I am not able to reach the service.

It sounds like it would’ve passed were the ‘allow’ check working. (?)
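
The curl tests in the thread check behaviour, while the reply's point about labels concerns the policy spec itself. The following added example (not part of the thread and not the exam's grader) models NetworkPolicy ingress rules in a simplified form to show both. The policy body and the `app=nginx` mismatch are constructed, since the thread never shows the YAML; only the policy name and the labels `app=nginx-ckad11` and `criteria=allow` come from the posted output.

```python
"""Simplified NetworkPolicy ingress check: matchLabels only, same-namespace
podSelector peers only; ports, ipBlock and namespaceSelector are ignored."""

def matches(selector, labels):
    # An empty selector ({}) matches every pod in the namespace.
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src, dst):
    """May a pod labelled `src` reach a pod labelled `dst`?"""
    selecting = [p["spec"] for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and matches(p["spec"].get("podSelector", {}), dst)]
    if not selecting:
        return True   # no policy selects dst, so dst is not isolated
    for spec in selecting:
        for rule in spec.get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True   # a rule without "from" admits every source
            if any(matches(peer["podSelector"], src)
                   for peer in peers if "podSelector" in peer):
                return True
    return False

def make_policy(target):
    # Constructed policy body; the thread never shows the real YAML.
    return {"metadata": {"name": "netpol-ckad-allow"},
            "spec": {"podSelector": {"matchLabels": target},
                     "policyTypes": ["Ingress"],
                     "ingress": [{"from": [{"podSelector":
                         {"matchLabels": {"criteria": "allow"}}}]}]}}

SERVER = {"app": "nginx-ckad11"}    # assumed labels of the nginx pods
WITH = {"criteria": "allow"}        # k run ... --labels criteria=allow
WITHOUT = {"run": "host-without-criteria-allow"}  # default label from k run

def check(target):
    """Return (labelled client allowed, unlabelled client allowed)."""
    pol = [make_policy(target)]
    return (ingress_allowed(pol, WITH, SERVER),
            ingress_allowed(pol, WITHOUT, SERVER))

if __name__ == "__main__":
    print("selector matches server pods:", check({"app": "nginx-ckad11"}))
    print("selector misses server pods: ", check({"app": "nginx"}))
```

When the policy's pod selector misses the server pods, both clients connect, so a successful curl from the labelled pod alone does not show the policy is in effect; the failed curl from the unlabelled pod is the check that does.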