Skip to content

CKAD

Implementing and Configuring Liveness and Readiness Probes in Kubernetes

CKAD
Overview

Liveness and readiness probes are crucial for maintaining the health and efficiency of applications in Kubernetes, implemented using HTTP requests or command executions within the container.

Documentation

Configure Liveness, Readiness and Startup Probes.

Implementing HTTP Get Probes

  1. Liveness Probe with HTTP Get

    Ensures the nginx container is alive. Restarts the container upon probe failure.

    livenessProbe:
  httpGet:
    path: /
    port: 80
  initialDelaySeconds: 3
  periodSeconds: 3

    HTTP Get Probes Documentation.

  2. Readiness Probe with HTTP Get

    Assesses if the container is ready to accept traffic.

    readinessProbe:
  httpGet:
    path: /
    port: 80
  initialDelaySeconds: 15
  periodSeconds: 5

    Readiness Probes Documentation.

Implementing Command-Based Probes

Command-based probes are another method to determine container status:

  1. Liveness Probe with Command

    Executes a command inside the container, restarting it upon failure.

    livenessProbe:
  exec:
    command:
    - cat
    - /tmp/healthy
  initialDelaySeconds: 15
  periodSeconds: 20

    Command Probes Documentation.

  2. Readiness Probe with Command

    Checks container readiness through a command execution.

    readinessProbe:
  exec:
    command:
    - cat
    - /tmp/ready
  initialDelaySeconds: 5
  periodSeconds: 10

    Command Probes Documentation.

Example Pod Configuration

Here's an example of a Pod using both HTTP Get and Command probes:

apiVersion: v1
kind: Pod
metadata:
  name: probe-pod
spec:
  containers:
  - name: nginx-container
    image: nginx:1.20.1
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        path: /
        port: 80
      initialDelaySeconds: 3
      periodSeconds: 3
    readinessProbe:
      exec:
        command:
        - cat
        - /usr/share/nginx/html/index.html
      initialDelaySeconds: 5
      periodSeconds: 10

In this configuration, the nginx container employs an HTTP Get liveness probe and a command-based readiness probe verifying the index.html file's presence.

Conclusion

Effectively utilizing liveness and readiness probes in Kubernetes is vital for ensuring applications run correctly and are prepared for traffic. These probes enable Kubernetes to manage containers based on real-time status, boosting application reliability and availability.

Performing Rolling Updates in Kubernetes Deployments

CKAD

Overview

Learn how to perform rolling updates in Kubernetes Deployments, allowing for zero-downtime updates. This guide outlines the steps for updating a Deployment while ensuring continuous service availability.

Note

Before proceeding, ensure you have a basic understanding of Kubernetes Deployments and Services. Visit Kubernetes Documentation for more information.

Steps for a Rolling Update

Rolling updates replace old Pods with new ones, seamlessly updating your application without downtime.

1. Initiate the Rolling Update

Start by updating the Deployment's pod template, typically by changing the image version.

Example:

kubectl set image deployment/my-deployment nginx=nginx:1.16.1

2. Monitor the Rollout

Check the status of the update to ensure it's progressing correctly.

kubectl rollout status deployment/my-deployment

3. Undo the Update if Needed

If problems arise during the update, you can revert to the previous state.

kubectl rollout undo deployment/my-deployment

Tip

Always test updates in a staging environment and monitor the deployment closely during the rollout. Be prepared to rollback if any issues are detected. Performing Rolling Updates in Kubernetes Deployments

Conclusion

Rolling updates in Kubernetes provide a robust mechanism for updating applications without service interruption. By following these steps, you can maintain high availability while deploying new versions or configurations.

Certified Kubernetes Application Developer (CKAD) Exam Tasks

CKAD

Domains & Competencies

Category Percentage
Application Design and Build 20%
Application Deployment 20%
Application Observability and Maintenance 15%
Application Environment, Configuration and Security 25%
Services and Networking 20%

Application Design and Build

Application Deployment

Application Observability and Maintenance

Application Environment, Configuration, and Security

Services and Networking

Accessing and Analyzing Container Logs in Kubernetes

CKAD
Overview

Accessing and analyzing container logs is a fundamental aspect of Kubernetes application observability and maintenance. Kubernetes provides various tools and commands, like kubectl logs, to retrieve and manage logs effectively.

Documentation

Accessing Container Logs.

Accessing Container Logs

Kubernetes maintains logs for every container in its Pods. These logs are crucial for understanding the behavior of applications and troubleshooting issues.

  1. Using kubectl logs

    Retrieve logs from a specific container in a Pod:

    kubectl logs [POD_NAME] -n [NAMESPACE]

    Pods with multiple containers, specify the container:

    kubectl logs [POD_NAME] -n [NAMESPACE] -c [CONTAINER_NAME]

  2. Streaming Logs

    To continuously stream logs:

    kubectl logs -f [POD_NAME] -n [NAMESPACE]
Analyzing Logs
  • Pattern Recognition: Look for error messages, exceptions, or specific log patterns that indicate problems.
  • Timestamps: Use timestamps in logs to correlate events and understand the sequence of operations.
  • Log Aggregation Tools: For a more comprehensive analysis, use log aggregation tools like ELK Stack (Elasticsearch, Logstash, Kibana) or similar.
Retrieving Logs from a Pod
# Retrieve logs from a specific pod in the 'default' namespace
kubectl logs my-app-pod -n default

# Stream logs from a container named 'web-container' in the 'my-app-pod'
kubectl logs -f my-app-pod -n default -c web-container
Conclusion

Effectively accessing and analyzing container logs in Kubernetes is vital for monitoring application health and diagnosing issues. Utilizing kubectl logs and other logging tools helps maintain the operational integrity of applications running in Kubernetes clusters.

Using Custom Resources (CRD)

CKAD
Overview

Custom Resources extend the Kubernetes API. A CustomResourceDefinition (CRD) is used to define these custom resources.

Documentation

Extend the Kubernetes API with CustomResourceDefinitions.

Example CRD

In this example, we define a CronTab resource as described in the Kubernetes documentation.

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: crontabs.stable.example.com
spec:
  group: stable.example.com
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                cronSpec:
                  type: string
                image:
                  type: string
                replicas:
                  type: integer
  scope: Namespaced
  names:
    plural: crontabs
    singular: crontab
    kind: CronTab
    shortNames:
    - ct
Steps to Use CRDs

  1. Create the CRD Definition

    Define your custom resource in a YAML file using the structure above. Save this file as crontab-crd.yaml.

  2. Apply the CRD

    Use kubectl to create the CRD in your cluster:

    kubectl apply -f crontab-crd.yaml

  3. Define a Custom Resource

    Once the CRD is applied, you can define custom resources based on it. Example:

    apiVersion: "stable.example.com/v1"
kind: CronTab
metadata:
  name: my-new-cron-object
spec:
  cronSpec: "* * * * */5"
  image: my-awesome-cron-image
  replicas: 1

    Save this as my-new-cron-object.yaml.

  4. Create the Custom Resource

    Apply the custom resource to your cluster:

    kubectl apply -f my-new-cron-object.yaml

  5. Interact with the Custom Resource

    Use standard Kubernetes commands to interact with your custom resource: To get the resource:

    kubectl get crontab

    To describe the resource:

    kubectl describe crontab my-new-cron-object
Conclusion

Custom Resources in Kubernetes are a powerful way to introduce new API objects tailored to your application's needs, enhancing the flexibility and functionality of your Kubernetes cluster.

Documentation

Custom Resources Defination

Debugging Common Issues in a Kubernetes Application

CKAD

Overview

Debugging Kubernetes applications requires understanding various CLI tools for effective troubleshooting. This guide covers the essential commands and techniques.

Key Documentation

Additional details can be found in Kubernetes documentation on Troubleshooting Applications and Application Introspection and Debugging.

Essential CLI Tools for Debugging

Checks the status of all Pods in a Namespace.
  kubectl get pods
Provides detailed information about Kubernetes objects.
  kubectl describe <resource> <resource-name>
Retrieves container logs for diagnosing issues.
  kubectl logs <pod-name>

Additional Tips

If initial investigations do not reveal the problem, consider checking cluster-level logs for more comprehensive insights.

Conclusion

Familiarity with these Kubernetes CLI tools is crucial for efficient debugging and maintaining applications. Regular practice will enhance your troubleshooting capabilities.

Understanding Kubernetes Authentication and Authorization

CKAD
Overview

Kubernetes authentication and authorization are critical for securing access to the Kubernetes API and ensuring that users and services have the correct permissions to perform actions.

Documentation

Kubernetes Authentication and Authorization.

Authentication Methods
  • Normal Users: Usually authenticate using client certificates. They are typically managed by an external, independent service.
  • ServiceAccounts: Use tokens for authentication, which are automatically managed by Kubernetes.
Authorization with RBAC

Role-Based Access Control (RBAC) is used in Kubernetes to manage authorization. It involves defining roles and binding them to users or ServiceAccounts.

  1. Roles and ClusterRoles

    A Role defines a set of permissions within a specific namespace.

    A ClusterRole defines permissions that are applicable across the entire cluster.

  2. RoleBindings and ClusterRoleBindings

    A RoleBinding grants the permissions defined in a Role to a user or set of users within a specific namespace.

    A ClusterRoleBinding grants the permissions defined in a ClusterRole across the entire cluster.

Steps to Configure RBAC for Kubernetes Auth

  1. Define Roles or ClusterRoles

    Create a Role or ClusterRole to specify permissions.

    Example for a Role
    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]

  2. Bind Roles to Users/ServiceAccounts

    Use a RoleBinding or ClusterRoleBinding to grant these permissions to users or ServiceAccounts.

    Example for a RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

  3. Apply the Configuration

    Use kubectl apply to create these roles and bindings in the Kubernetes cluster.

  4. Verify Permissions

    Verify that the users or ServiceAccounts have the appropriate permissions as defined by the roles and bindings.

Conclusion

Understanding and correctly implementing Kubernetes authentication and authorization are essential for maintaining the security and proper functioning of a Kubernetes cluster. RBAC provides a flexible and powerful way to control access to resources in Kubernetes, allowing administrators to precisely define and manage who can do what within the cluster.

Apply SecurityContexts to Enforce Security Policies in Pods

CKAD
Overview

SecurityContexts in Kubernetes allow you to enforce security policies in Pods. They enable you to control permissions, privilege levels, and other security settings for Pods and their containers.

Documentation

Configure a Security Context for a Pod or Container.

Security Context

Here's an example of a Pod with a defined SecurityContext, as found in the Kubernetes documentation:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: ["sh", "-c", "sleep 1h"]
    securityContext:
      runAsUser: 2000
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]
      readOnlyRootFilesystem: true
Steps to Apply SecurityContexts

  1. Define the SecurityContext

    Include the SecurityContext in your Pod YAML file, as shown in the example.

  2. Apply the SecurityContext

    Save the YAML file with a name like security-context-demo.yaml. Deploy it to your cluster using kubectl apply -f security-context-demo.yaml.

  3. Verify Security Settings

    Confirm the enforcement of security settings by inspecting the running Pod: Use commands like kubectl exec to examine process permissions and filesystem access.

Conclusion

SecurityContexts are essential for maintaining security in Kubernetes Pods. They provide granular control over security aspects such as user identity, privilege levels, and filesystem access, thus enhancing the overall security posture of Kubernetes applications.

Using ServiceAccounts in Kubernetes

CKAD
Overview

ServiceAccounts in Kubernetes provide identities for processes running in Pods, enabling them to authenticate with the Kubernetes API server.

Documentation

Kubernetes Service Accounts.

Example ServiceAccount Creation

Here's how to create a ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-serviceaccount
automountServiceAccountToken: true
Steps to Create and Use ServiceAccounts

  1. Create the ServiceAccount

    Define your ServiceAccount in a YAML file as shown above. Save this file as my-serviceaccount.yaml. Apply it with kubectl apply -f my-serviceaccount.yaml.

  2. Assign the ServiceAccount to a Pod

    Specify the ServiceAccount in the Pod's specification. Example:

    apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: my-serviceaccount
  containers:
  - name: my-container
    image: nginx

    Save this as my-pod.yaml and apply it with kubectl apply -f my-pod.yaml.

  3. Location of the Mounted Token

    The ServiceAccount token is automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount in each container.

    This directory contains: - token: The ServiceAccount token. - ca.crt: Certificate for TLS communication with the API server. - namespace: The namespace of the Pod.

  4. Using the Token for API Authentication

    Applications in the container can use the token for Kubernetes API server authentication. The token can be accessed at /var/run/secrets/kubernetes.io/serviceaccount/token.

Accessing the Kubernetes API from a Pod

Here’s how a container might use the token to communicate with the Kubernetes API.

apiVersion: v1
kind: Pod
metadata:
  name: api-communicator-pod
spec:
  serviceAccountName: my-serviceaccount
  containers:
  - name: api-communicator
    image: busybox  
    command: ["sh", "-c", "curl -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" https://kubernetes.default.svc"]
Conclusion

ServiceAccounts in Kubernetes facilitate the secure operation of processes within Pods by providing a means of authenticating with the Kubernetes API server. The automatic mounting of ServiceAccount tokens into Pods simplifies the process of managing secure communications and access controls within a Kubernetes environment.

Detailed Guide on Kubernetes Ingress

CKAD
1. Introduction to Kubernetes Ingress
  • Purpose: Kubernetes Ingress manages external access to applications running within the cluster.
  • Functionality: It routes traffic to one or more Kubernetes Services and can offer additional features like SSL termination.
2. Understanding Ingress in Kubernetes
  • Ingress vs. Service: While Services provide internal routing, Ingress allows external traffic to reach the appropriate Services.
  • Ingress Controller: Essential for implementing the Ingress functionality. The choice of controller affects how the Ingress behaves and is configured.
3. Creating a NodePort Service for Ingress
  • Objective: Set up a NodePort Service that the Ingress will route external traffic to.

  • Service YAML Example:

    apiVersion: v1
kind: Service
metadata:
  name: service-for-ingress
spec:
  type: NodePort
  selector:
    app: web-app
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 80
      nodePort: 30080

  • Explanation: This Service, service-for-ingress, is exposed externally on port 30080 and routes traffic to pods labeled app: web-app.

4. Defining an Ingress to Expose the Service
  • Objective: Expose the service-for-ingress externally using an Ingress.

  • Ingress YAML Example:

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service-for-ingress
                port:
                  number: 8080

  • Explanation: The example-ingress directs external HTTP traffic to the service-for-ingress at the specified path /.

5. Verifying Ingress Functionality
  • Testing Access: Use external HTTP requests to the Ingress to ensure it routes traffic correctly to the service-for-ingress.
  • SSL Termination (Optional): Configure SSL termination on the Ingress for secure traffic (if applicable).
6. Summary
  • Effective Use of Ingress: Understanding how to configure and use Ingresses is crucial for managing external access to applications in Kubernetes.