Certified Kubernetes Administrator (CKA) Study Guide (Benjamin Muschko) (Z-Library)

Benjamin Muschko Certified Kubernetes Administrator (CKA) Study Guide In-Depth Guidance and Practice C ertified Kub ernetes A d m inistra tor (C K A ) Stud y G uid e C ertified Kub ernetes A d m inistra tor (C K A ) Stud y G uid e

KUBERNETES ”There are many things to learn with Kubernetes, and you can get distracted with interesting tangents. Benjamin Muschko nails it in this guide to keep you focused on the important features needed to ace your certification.” —Jonathan Johnson Independent Software Architect ”Certified Kubernetes Administrator (CKA) Study Guide is a beautifully concise look at the technical skills needed to pass the Certified Kubernetes Administrator Exam.” —Kaslin Fields CNCF Ambassador, Developer Advocate at Google Certified Kubernetes Administrator (CKA) Study Guide US $59.99 CAN $74.99 ISBN: 978-1-098-10722-2 Twitter: @oreillymedia linkedin.com/company/oreilly-media youtube.com/oreillymedia The ability to administer and monitor a Kubernetes cluster is in high demand today. To meet this need, the Cloud Native Computing Foundation developed a certification exam to establish an administrator’s credibility and value in the job market to confidently work in a Kubernetes environment. The Certified Kubernetes Administrator (CKA) certification exam is different from the typical multiple-choice format of other professional certifications. Instead, the CKA is a performance- based exam that requires deep knowledge of the tasks under immense time pressure. This study guide walks you through all the topics covered to fully prepare you for the exam. Author Benjamin Muschko also shares his personal experience with preparing for all aspects of the exam. With this book, you will: • Learn when and how to apply Kubernetes concepts to administer and troubleshoot a production-grade cluster • Understand the objectives, abilities, and tips and tricks needed to pass the CKA exam • Explore the ins and outs of the kubectl command-line tool • Demonstrate competency to perform the responsibilities of a Kubernetes administrator • Solve real-world Kubernetes problems in a hands-on command-line environment • Effectively navigate and solve questions during the CKA exam Benjamin Muschko is a software engineer, consultant, and trainer with more than 20 years of experience in the industry. He’s passionate about project automation, testing, and continuous delivery. Along with the Certified Kubernetes Administrator (CKA) Study Guide, Ben is the author of Gradle in Action. He holds the CKA and CKAD certifications. C ertified Kub ernetes A d m inistra tor (C K A ) Stud y G uid e C ertified Kub ernetes A d m inistra tor (C K A ) Stud y G uid e

978-1-098-10722-2 [LSI] Certified Kubernetes Administrator (CKA) Study Guide by Benjamin Muschko Copyright © 2022 Automated Ascent, LLC. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com. Acquisitions Editor: John Devins Development Editor: Michele Cronin Production Editor: Beth Kelly Copyeditor: Kim Wimpsett Proofreader: Amnet Systems LLC Indexer: Potomac Indexing, LLC Interior Designer: David Futato Cover Designer: Karen Montgomery Illustrator: Kate Dullea June 2022: First Edition Revision History for the First Edition 2022-06-09: First Release See http://oreilly.com/catalog/errata.csp?isbn=9781098107222 for release details. The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Certified Kubernetes Administrator (CKA) Study Guide, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc. The views expressed in this work are those of the author, and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

Table of Contents Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix 1. Exam Details and Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Exam Objectives 1 Curriculum 2 Cluster Architecture, Installation, and Configuration 2 Workloads and Scheduling 3 Services and Networking 3 Storage 3 Troubleshooting 3 Involved Kubernetes Primitives 4 Exam Environment and Tips 4 Candidate Skills 6 Time Management 7 Command-Line Tips and Tricks 7 Setting a Context and Namespace 7 Using an Alias for kubectl 8 Using kubectl Command Auto-Completion 8 Internalize Resource Short Names 8 Deleting Kubernetes Objects 9 Finding Object Information 9 Discovering Command Options 10 Practicing and Practice Exams 11 Summary 12 2. Cluster Architecture, Installation, and Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Role-Based Access Control 14 RBAC High-Level Overview 14 Creating a Subject 15 iii

Listing ServiceAccounts 17 Rendering ServiceAccount Details 18 Assigning a ServiceAccount to a Pod 18 Understanding RBAC API Primitives 19 Default User-Facing Roles 19 Creating Roles 20 Listing Roles 21 Rendering Role Details 21 Creating RoleBindings 22 Listing RoleBindings 22 Rendering RoleBinding Details 23 Seeing the RBAC Rules in Effect 23 Namespace-wide and Cluster-wide RBAC 24 Aggregating RBAC Rules 24 Creating and Managing a Kubernetes Cluster 26 Installing a Cluster 27 Managing a Highly Available Cluster 31 Upgrading a Cluster Version 32 Backing Up and Restoring etcd 38 Backing Up etcd 39 Restoring etcd 41 Summary 42 Exam Essentials 43 Sample Exercises 44 3. Workloads. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Managing Workloads with Deployments 45 Understanding Deployments 46 Creating Deployments 47 Listing Deployments and Their Pods 48 Rendering Deployment Details 49 Deleting a Deployment 50 Performing Rolling Updates and Rollbacks 51 Rolling Out a New Revision 51 Rolling Back to a Previous Revision 52 Scaling Workloads 53 Manually Scaling a Deployment 53 Manually Scaling a StatefulSet 54 Autoscaling a Deployment 56 Creating Horizontal Pod Autoscalers 56 Listing Horizontal Pod Autoscalers 57 Rendering Horizontal Pod Autoscaler Details 58 Using the Beta API Version of an Horizontal Pod Autoscaler 58 iv | Table of Contents

Defining and Consuming Configuration Data 60 Creating a ConfigMap 61 Consuming a ConfigMap as Environment Variables 62 Mounting a ConfigMap as a Volume 63 Creating a Secret 64 Consuming a Secret as Environment Variables 66 Mounting a Secret as a Volume 66 Summary 67 Exam Essentials 68 Sample Exercises 68 4. Scheduling and Tooling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Understanding How Resource Limits Affect Pod Scheduling 71 Defining Container Resource Requests 72 Defining Container Resource Limits 74 Defining Container Resource Requests and Limits 76 Managing Objects 77 Declarative Object Management Using Configuration Files 77 Declarative Object Management Using Kustomize 80 Common Templating Tools 88 Using the YAML Processor yq 88 Using Helm 90 Summary 93 Exam Essentials 93 Sample Exercises 94 5. Services and Networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Kubernetes Networking Basics 95 Connectivity Between Containers 96 Connectivity Between Pods 97 Understanding Services 99 Service Types 100 Creating Services 100 Listing Services 101 Rendering Service Details 102 Port Mapping 103 Accessing a Service with Type ClusterIP 103 Accessing a Service with Type NodePort 105 Accessing a Service with Type LoadBalancer 107 Understanding Ingress 108 Ingress Rules 109 Creating Ingresses 110 Defining Path Types 110 Table of Contents | v

Listing Ingresses 111 Rendering Ingress Details 111 Accessing an Ingress 112 Using and Configuring CoreDNS 113 Inspecting the CoreDNS Pod 113 Inspecting the CoreDNS Configuration 114 Customizing the CoreDNS Configuration 115 DNS for Services 115 Resolving a Service by Hostname from the Same Namespace 115 Resolving a Service by Hostname from a Different Namespace 116 DNS for Pods 118 Resolving a Pod by Hostname 118 Choosing an Appropriate Container Network Interface Plugin 119 Summary 120 Exam Essentials 121 Sample Exercises 121 6. Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Understanding Volumes 124 Volume Types 124 Creating and Accessing Volumes 125 Understanding Persistent Volumes 126 Static vs. Dynamic Provisioning 127 Creating PersistentVolumes 127 Configuration Options for a PersistentVolume 128 Volume Mode 128 Access Mode 129 Reclaim Policy 129 Creating PersistentVolumeClaims 130 Mounting PersistentVolumeClaims in a Pod 131 Understanding Storage Classes 132 Creating Storage Classes 133 Using Storage Classes 133 Summary 134 Exam Essentials 135 Sample Exercises 136 7. Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Evaluating Cluster and Node Logging 137 Cluster Logging 138 Node Logging 140 Monitoring Cluster Components and Applications 140 Troubleshooting Application Failures 142 vi | Table of Contents

Troubleshooting Pods 142 Opening an Interactive Shell 144 Troubleshooting Services 145 Troubleshooting Cluster Failures 146 Troubleshooting Control Plane Nodes 147 Troubleshooting Worker Nodes 148 Summary 152 Exam Essentials 153 Sample Exercises 153 8. Wrapping Up. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Appendix. Answers to Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Table of Contents | vii

Preface Kubernetes, as a runtime and orchestration environment for microservices, is widely used among startups and large enterprises alike. As your organization ramps up on the number of applications, managing the Kubernetes clusters becomes a full-time job. That’s the role of a Kubernetes administrator. The person responsible for this job ensures that each cluster is an operational state, scales up the cluster by onboarding nodes, upgrades the Kubernetes version of the nodes to incorporate patches and new features, and is in charge of a backup strategy for crucial cluster data. To help job seekers and employers have a standard means to demonstrate and evaluate proficiency in developing with a Kubernetes environment, the Cloud Native Comput‐ ing Foundation (CNCF) developed the Certified Kubernetes Administrator (CKA) program. To achieve this certification, you need to pass an exam. There are two other Kubernetes certifications you can find on the CNCF web page. The Certified Kubernetes Application Developer (CKAD) focuses on the developer- centric application of Kubernetes. The Certified Kubernetes Security Specialist (CKS) was created to verify the competence on security-based topics and requires a success‐ ful pass of the CKA exam before you can register. Passing the CKAD and CKS are not mandatory for taking the CKA exam. In this study guide, I will explore the topics covered in the CKA exam to fully prepare you to pass the certification exam. We’ll look at determining when and how you should apply the core concepts of Kubernetes to manage an application. We’ll also examine the kubectl command-line tool, a mainstay of the Kubernetes engineer. I will also offer tips to help you better prepare for the exam and share my personal experience with getting ready for all aspects of it. The CKA is different from the typical multiple-choice format of other certifications. It’s completely performance based and requires you to demonstrate deep knowledge of the tasks at hand under immense time pressure. Are you ready to pass the test on the first go? ix

Who This Book Is For The primary target group for this book is administrators who want to prepare for the CKA exam. The “exam details and resources” content covers all aspects of the exam curriculum, though basic knowledge of the Kubernetes architecture and its concepts is expected. If you are completely new to Kubernetes, I recommend reading Kuber‐ netes Up & Running by Brendan Burns, Joe Beda, Kelsey Hightower, and Lachlan Evenson (O’Reilly) or Kubernetes in Action by Marko Lukša (Manning Publications) first. What You Will Learn The content of the book condenses the most important aspects relevant to the CKA exam. Cloud-provider-specific Kubernetes implementations like AKS or GKE do not need to be considered. Given the plethora of configuration options available in Kubernetes, it’s almost impossible to cover all use cases and scenarios without duplicating the official documentation. Test takers are encouraged to reference the Kubernetes documentation as the go-to compendium for broader exposure. The outline of the book follows the CKA curriculum to a T. While there might be a more natural, didactical structure for learning Kubernetes in general, the curriculum outline will help test takers prepare for the exam by focusing on specific topics. As a result, you will find yourself cross-referencing other chapters of the book depending on your existing knowledge level. Be aware that this book covers only the concepts relevant to the CKA exam. Certain primitives that you may expect to be covered by the certification curriculum—for example, the API primitive Ingress—are not discussed. Refer to the Kubernetes documentation or other books if you want to dive deeper. Practical experience with Kubernetes is key to passing the exam. Each chapter con‐ tains a section named “Sample Exercises” with practice questions. Solutions to those questions can be found in the Appendix. Conventions Used in This Book The following typographical conventions are used in this book: Italic Indicates new terms, URLs, and email addresses. Constant width Used for filenames, file extensions, and program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords. x | Preface

Constant width bold Shows commands or other text that should be typed literally by the user. Constant width italic Shows text that should be replaced with user-supplied values or by values deter‐ mined by context. This element signifies a tip or suggestion. This element signifies a general note. This element indicates a warning or caution. Using Code Examples The source code for all examples and exercises in this book is available on GitHub. The repository is distributed under the Apache License 2.0. The code is free to use in commercial and open source projects. If you encounter an issue in the source code or if you have a question, open an issue in the GitHub issue tracker. I’ll be happy to have a conversation and fix any issues that might arise. This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission. We appreciate, but generally do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Cer‐ tified Kubernetes Administrator (CKA) Study Guide by Benjamin Muschko (O’Reilly). Copyright 2022 Some Benjamin Muschko, 978-1-098-10722-2.” Preface | xi

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com. O’Reilly Online Learning For more than 40 years, O’Reilly Media has provided technol‐ ogy and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit http://oreilly.com. How to Contact Us Please address comments and questions concerning this book to the publisher: O’Reilly Media, Inc. 1005 Gravenstein Highway North Sebastopol, CA 95472 800-998-9938 (in the United States or Canada) 707-829-0515 (international or local) 707-829-0104 (fax) We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/cka-study-guide. Email bookquestions@oreilly.com to comment or ask technical questions about this book. For news and information about our books and courses, visit http://oreilly.com. Find us on LinkedIn: https://linkedin.com/company/oreilly-media Follow us on Twitter: http://twitter.com/oreillymedia Watch us on YouTube: http://youtube.com/oreillymedia Follow the author on Twitter: https://twitter.com/bmuschko Follow the author on GitHub: https://github.com/bmuschko Follow the author’s blog: https://bmuschko.com xii | Preface

Acknowledgments Every book project is a long journey and would not be possible without the help of the editorial staff and technical reviewers. Special thanks go to Jonathon Johnson, Kaslin Fields, and Werner Dijkerman for their detailed technical guidance and feed‐ back. I would also like to thank the editors at O’Reilly Media, John Devins and Michele Cronin, for their continued support and encouragement. Preface | xiii

CHAPTER 1 Exam Details and Resources This introduction chapter addresses the most pressing questions candidates ask when preparing for the Certified Kubernetes Administrator (CKA) exam. We will discuss the target audience for the certification, the curriculum, and the exam environment, as well as tips and tricks and additional learning resources. If you’re already familiar with the certification program, you can directly jump to any of the chapters covering the technical concepts. Exam Objectives Kubernetes clusters need to be installed, configured, and maintained by skilled pro‐ fessionals. That’s the job of a Kubernetes administrator. The CKA certification pro‐ gram verifies a deep understanding of the typical administration tasks encountered on the job, more specifically Kubernetes cluster maintenance, networking, storage solutions, and troubleshooting applications and cluster nodes. Kubernetes version used during the exam At the time of writing, the exam is based on Kubernetes 1.23. All content in this book will follow the features, APIs, and command- line support for that specific version. It’s certainly possible that future versions will break backward compatibility. While preparing for the certification, review the Kubernetes release notes and prac‐ tice with the Kubernetes version used during the exam to avoid unpleasant surprises. 1

Curriculum The following overview lists the high-level sections of the CKA and their scoring weight: • 25%: Cluster Architecture, Installation, and Configuration • 15%: Workloads and Scheduling • 20%: Services and Networking • 10%: Storage • 30%: Troubleshooting The CKA curriculum went through a major overhaul in September 2020. One of the reasons why the exam domains have been reorganized and optimized is the new Certified Kubernetes Security Specialist (CKS) certification. For the most part, security-related topics have been moved to the CKS, while the CKA continues to focus on typical administration activities and features. The outline of the book follows the CKA curriculum to a T. While there might be a more natural, didactical organization structure to learn Kubernetes in general, the curriculum outline will help test takers prepare for the exam by focusing on specific topics. As a result, you will find yourself cross-referencing other chapters of the book depending on your existing knowledge level. Let’s break down each domain in detail in the next sections. Cluster Architecture, Installation, and Configuration This section of the curriculum touches on all things Kubernetes cluster-related. This includes understanding the basic architecture of a Kubernetes clusters such as control plane versus worker nodes, high-availability setups, and the tooling for installing, upgrading, and maintaining a cluster. You will need to demonstrate the process of installing a cluster from scratch, upgrading a cluster version, and backing up/restoring the etcd database. The Cloud Native Computing Foundation (CNCF) also decided to add a somewhat unrelated topic to this section: managing role-based access control (RBAC). RBAC is an important concept every administrator should understand how to set up and apply. 2 | Chapter 1: Exam Details and Resources

Workloads and Scheduling Administrators need to have a good grasp of Kubernetes concepts used for operating cloud-native applications. The section “Workloads and Scheduling” addresses this need. You need to be familiar with Deployments, ReplicaSets, and configuration data specified by ConfigMaps and Secrets. When creating a new Pod, the Kubernetes scheduler places the object on an available node. Scheduling rules like node affinity and taints/tolerations control and fine-tune the behavior. For the exam, you are only required to understand the effect of Pod resource limits on scheduling. Furthermore, you need to be familiar with imperative and declarative manifest management, as well as common templating tools like Kustomize, yq, and Helm. Services and Networking A cloud-native microservice rarely runs in isolation. In the majority of cases, it needs to interact with other microservices or external systems. Understanding Pod-to-Pod communication, exposing applications outside of the cluster, and configuring cluster networking is extremely important to administrators to ensure a functioning system. In this section of the exam, you need to demonstrate your knowledge of the Kuber‐ netes primitives Service and Ingress. Storage This section covers the different types of volumes for reading and writing data. As an administrator, you need to know how to create and configure them. Persistent volumes ensure permanent data persistence even beyond a cluster node restart. You will need to be familiar with the mechanics and demonstrate how to mount a persistent volume to a path in a container. Make sure you understand the differences between static and dynamic binding. Troubleshooting Naturally, things can go south in production Kubernetes clusters. Sometimes, the application is misbehaving, becomes unresponsive, or even inaccessible. Other times, the cluster nodes may crash or run into configuration issues. It is of upmost impor‐ tance to develop effective strategies for troubleshooting those situations so that they can be resolved as quickly as possible. This section of the exam has the highest scoring weight. You will be confronted with typical scenarios that you need to fix by taking appropriate measures. Curriculum | 3

Involved Kubernetes Primitives The main purpose of the exam is to test your practical knowledge of Kubernetes primitives. It is to be expected that the exam combines multiple concepts in a single problem. Refer to Figure 1-1 as a rough guide to the applicable Kubernetes resources and their relationships. Figure 1-1. Kubernetes primitives relevant to the exam Exam Environment and Tips To take the CKA exam, you must purchase a voucher as registration. A voucher can be acquired on the CNCF training and certification web page. On occasion, the CNCF offers discounts for the voucher (e.g., around the US holiday Thanksgiving). Those discount offers are often announced on the Twitter account @LF_Training. 4 | Chapter 1: Exam Details and Resources

With the voucher in hand, you can schedule a time for the exam. On the day of your scheduled test, you’ll be asked to log into the test platform with a URL provided to you by email. You’ll be asked to enable the audio and video feed on your computer to discourage you from cheating. A proctor will oversee your actions via audio/video feed and terminate the session if she thinks you are not following the rules. Exam attempts The voucher you purchased grants two attempts to pass the CKA exam. I recommend preparing reasonably well before taking the test on the first attempt. It will give you a fair chance to pass the test and provide you with a good impression of the exam environ‐ ment and the complexity of the questions. Don’t sweat it if you do not pass the test on the first attempt. You’ve got another free shot. The CKA has a time limit of two hours. During that time window, you’ll need to solve hands-on problems on a real, predefined Kubernetes cluster. Every question will state the cluster you need to work on. Using a practical approach to gauge a candidate’s skill set is superior to tests with multiple-choice questions as you can translate the knowledge directly on tasks performed on the job. You are permitted to open an additional browser tab to navigate the official Kuber‐ netes documentation assets. Those pages include https://oreil.ly/w0vib, https://oreil.ly/ XLYLj, and https://oreil.ly/1sr3B plus their subdomains. You are allowed to create bookmarks and open them during the exam as long as they fall within the URLs just mentioned. While having the Kubernetes documentation pages at hand is extremely valuable, make sure you know where to find the relevant information within those pages. In preparation for the test, read all the documentation pages from start to end at least one time. Don’t miss out on the search functionality of the official documentation pages. Using the documentation efficiently Using a search term will likely lead you to the right documenta‐ tion pages quicker than navigating the menu items. Copying and pasting code snippets from the documentation into the console of the exam environment works reasonably well. Sometimes you may have to adjust the YAML indentation manually as the proper formatting may get lost in the process. Exam Environment and Tips | 5