CKS: lab-mock-exam-1 question:8

Hello, I am referring to the question lab-mock-exam-1 (CKS). The solution you provided is not perfectly clear to me; it seems very confusing, and I couldn’t complete it. Could you please double-check this solution and explain it simply?


Solutions:

Create the below admission-configuration inside /root/CKS/ImagePolicy directory in the controlplane node:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: /etc/admission-controllers/admission-kubeconfig.yaml
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: false

The /root/CKS/ImagePolicy is mounted at the path /etc/admission-controllers directory in the kube-apiserver. So, you can directly place the files under /root/CKS/ImagePolicy.

Here is a snippet of the volume and volumeMounts (already added to apiserver config):

  containers:
  .
  .
  .
  volumeMounts:
  - mountPath: /etc/admission-controllers
    name: admission-controllers
    readOnly: true

  volumes:
  - hostPath:
      path: /root/CKS/ImagePolicy/
      type: DirectoryOrCreate
    name: admission-controllers

Next, update the kube-apiserver command flags and add ImagePolicyWebhook to the enable-admission-plugins flag. Use the configuration file that was created in the previous step as the value of admission-control-config-file.

Note: Remember, this command will be run inside the kube-apiserver container, so the path must be /etc/admission-controllers/admission-configuration.yaml (mounted from /root/CKS/ImagePolicy in controlplane).

    - --admission-control-config-file=/etc/admission-controllers/admission-configuration.yaml
    - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook

Examples of confusing points:

  1. Where did you get this “kubeConfigFile: /etc/admission-controllers/admission-kubeconfig.yaml” from?
  2. If we create the admission-configuration inside the ‘/root/CKS/ImagePolicy’ directory, what will be the name of the file, and how will this file be linked to the kube-apiserver?

Thanks in advance.

See solution here

https://kodekloud.com/community#solutions-1

Where is your previous task? Can you provide the exact location?

Sorry, typo issue

I just added the link to the solution you provided.

@rob_kodekloud can you please reply to this? It’s been a week with no reply. Thanks.

I too am struggling to solve this question.
Has anyone else been able to answer this question successfully?

I’ve done everything exactly as the exam solution suggests and my kube-apiserver is still down. Can’t figure out where I’m going wrong.

@mhkabir -

Question 1: The kubeConfig file is located at /root/CKS/ImagePolicy/admission-kubeconfig.yaml and is already set up for us:
The /root/CKS/ImagePolicy is mounted as a volume on the pod (points to the actual directory on the Node). The volume mount (mounts that directory on the container) maps the files in /root/CKS/ImagePolicy on the container and makes them available at /etc/admission-controllers in the container.

Volumes/volumemounts are essentially mappings that allow the container to access the kubeconfig file which lives on the node, but at the location specified in the container volumemount (/etc/admission-controllers)

Question 2: The admission-configuration.yaml file name will be the same whatever its location. It will be linked to the kube-apiserver through the kubeConfigFile property on the AdmissionConfiguration object, which should point to the kubeconfig file, but keep in mind the volume/volumeMount mapping that maps everything that lives at location /root/CKS/ImagePolicy/ to /etc/admission-controllers on the container.

Hope that helps

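An added example, not part of the thread or the lab solution: a preflight check for the container-path to node-path mapping discussed above, which reports when a file named in the kube-apiserver flags or in kubeConfigFile is not actually present under the mounted node directory. The helper names `to_host_path` and `preflight` are made up for this example; the flags, mount path and file names are the ones quoted in the thread.

```python
import os
import re

# Added illustration; helper names are hypothetical, not from Kubernetes or the lab.
def to_host_path(container_path, mounts):
    """Map a path inside the kube-apiserver container to the path on the node.
    mounts is {volumeMount mountPath: hostPath path}; None means no mount covers it."""
    for mount, host in mounts.items():
        mount = mount.rstrip("/")
        if container_path == mount or container_path.startswith(mount + "/"):
            return os.path.join(host, container_path[len(mount):].lstrip("/"))
    return None

def preflight(flags, mounts):
    """Return a list of problems with the ImagePolicyWebhook file paths (empty if consistent)."""
    opts = dict(f.lstrip("-").split("=", 1) for f in flags if "=" in f)
    problems = []
    if "ImagePolicyWebhook" not in opts.get("enable-admission-plugins", "").split(","):
        problems.append("ImagePolicyWebhook missing from --enable-admission-plugins")
    cfg = opts.get("admission-control-config-file")
    if not cfg:
        return problems + ["--admission-control-config-file is not set"]
    cfg_host = to_host_path(cfg, mounts)
    if cfg_host is None or not os.path.isfile(cfg_host):
        return problems + [f"{cfg} is not visible in the container (node path: {cfg_host})"]
    with open(cfg_host) as fh:
        match = re.search(r"^\s*kubeConfigFile:\s*(\S+)", fh.read(), re.M)
    if not match:
        return problems + [f"no kubeConfigFile in {cfg_host}"]
    kube = match.group(1).strip("'\"")
    kube_host = to_host_path(kube, mounts)
    if kube_host is None or not os.path.isfile(kube_host):
        problems.append(f"{kube} is not visible in the container (node path: {kube_host})")
    return problems

if __name__ == "__main__":
    # Flags, mount path and node directory as quoted in the thread's solution.
    flags = [
        "--admission-control-config-file=/etc/admission-controllers/admission-configuration.yaml",
        "--enable-admission-plugins=NodeRestriction,ImagePolicyWebhook",
    ]
    mounts = {"/etc/admission-controllers": "/root/CKS/ImagePolicy/"}
    for line in preflight(flags, mounts) or ["paths are consistent"]:
        print(line)
```

Run it on the controlplane node after editing the kube-apiserver manifest; a flag that uses the node path (/root/CKS/ImagePolicy/...) instead of the container path is reported as not visible in the container.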