Hi everyone,
I have been preparing a lot for CKAD lately, but some hang-ups still confuse me:
- There are two pods, one backend and one frontend pod. Task is to fix the connection between those two. I fixed the selector in service and thought that would be it. But additionally they removed the following part of the egress in the network policy. But this confuses me. The egress defined the correct labels for the frontend pod. So keeping it this way should not be a problem? Because this should mean that the spec.podSelector Pod can access the egress.to[].podSelector[] pods right?
spec:
  egress:{} # add this
    to: #remove this
      podSelector: #remove this
        matchLabels: #remove this
          app: frontend #remove this
          tier: ckad-exam #remove this
  podSelector:
    matchLabels:
      app: backend
      tier: ckad-exam
  policyTypes: Egress
- I had a mock exam question worded “Expose pod on port 3479”, which is a pretty simple imperative command. The pod uses the nginx image without specifying a containerPort so exec into the pod and calling netstat -ltnp shows that the image listens to 80. But calling k expose pod test --port 3479 --target-port=80 is flagged as false, in the mock exam the solution was just calling it without changing the target port. Why is that? Do we not have to specify the targetPort unless it gets specified in the task or pod itself? Because technically this should not be correct?
- CKAD Mock Exam 6 Exercise 12
I copied this from the solution and there probably was some mistake while copying it over. I am still confused why the egress had to be set to {} if the podSelector targeted the correct pod to access.
- CKAD Mock Exam 6 Exercise 15
root@student-node ~ ✖ kubectl config use-context cluster2
Switched to context "cluster2".
root@student-node ~ ➜ k exec -it pod15-ckad-pod -- netstat -ltnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1/nginx: master pro
tcp 0 0 :::80 :::* LISTEN 1/nginx: master pro
CKAD Mock Exam 6 Exercise 12
You say you correctly fixed the service selector, so that’s OK.
The completed network policy when the required changes are made will look like
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-egress-restricted
  namespace: ns-new-ckad
spec:
  egress:
  - {}
  podSelector:
    matchLabels:
      app: backend
      tier: ckad-exam
  policyTypes:
  - Egress
…which is a rather silly policy because its effect is the same as not having a policy at all.
egress:
- {}
allows unrestricted egress for pods matching the pod selector.
CKAD Mock Exam 6 Exercise 15
You are correct that the nginx process listens on 80.
However we need to do what the question asks in order to pass it, which is
Create a service svc15-ckad-service that will expose the pod at port 443.
Note: Use the imperative command for the above scenario.
Clearly it’s not going to work if you try to curl through the service, but the grader won’t be doing that test. It will only be checking to see that the created service looks like this
apiVersion: v1
kind: Service
metadata:
  labels:
    run: pod15-ckad-pod
  name: svc15-ckad-service
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: pod15-ckad-pod
  type: ClusterIP
which it will do if created with the imperative command.
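The difference between the original `to: podSelector` rule and `egress: - {}` from Exercise 12, as an added example that is not part of the thread or the mock exam's solution. It is a simplified model of egress evaluation for pods in one namespace (ports, `namespaceSelector` and `ipBlock` are not modelled); the function names and the `db` pod labels are constructed for illustration.

```python
# Simplified model of NetworkPolicy egress evaluation (same-namespace pods only).
# Function names and the sample "db" pod are constructed for this example.

def labels_match(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def egress_allowed(spec, src_labels, dst_labels):
    """True if a pod with src_labels may connect out to a pod with dst_labels."""
    # The policy only applies to pods matched by spec.podSelector.
    if not labels_match(spec.get("podSelector", {}), src_labels):
        return True
    if "Egress" not in spec.get("policyTypes", []):
        return True
    for rule in spec.get("egress") or []:
        peers = rule.get("to")
        if not peers:  # a rule with no "to" (such as {}) matches every destination
            return True
        if any("podSelector" in p and labels_match(p["podSelector"], dst_labels)
               for p in peers):
            return True
    return False  # pod is selected and isolated for egress, and no rule matched

BACKEND = {"app": "backend", "tier": "ckad-exam"}
FRONTEND = {"app": "frontend", "tier": "ckad-exam"}
DB = {"app": "db"}  # constructed third pod

SELECTOR = {"matchLabels": BACKEND}
# Rule from the question: backend may only reach pods labelled as the frontend.
RESTRICTED = {"podSelector": SELECTOR, "policyTypes": ["Egress"],
              "egress": [{"to": [{"podSelector": {"matchLabels": FRONTEND}}]}]}
# Completed policy from the answer: a single empty rule allows all egress.
ALLOW_ALL = {"podSelector": SELECTOR, "policyTypes": ["Egress"], "egress": [{}]}
# For contrast: no rules at all denies all egress from the selected pods.
DENY_ALL = {"podSelector": SELECTOR, "policyTypes": ["Egress"], "egress": []}

if __name__ == "__main__":
    for name, spec in [("restricted", RESTRICTED), ("allow-all", ALLOW_ALL),
                       ("deny-all", DENY_ALL)]:
        print(name,
              "backend->frontend:", egress_allowed(spec, BACKEND, FRONTEND),
              "backend->db:", egress_allowed(spec, BACKEND, DB))
```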