Beruflich Dokumente
Kultur Dokumente
List of resources and notes for passing the Certified Kubernetes Application
Developer (CKAD) exam. Official links below.
Important vi Tips
'dG' - Deletes contents from cursor to end of file. This is very useful when
editing YAML files.
'ZZ' - Save and exit quickly.
kubectl Tips
To set nano as your editor for 'kubectl edit'
export KUBE_EDITOR="nano"
Outline
Right now there are five primary sections to this document.
First, as discussed later, the exam is primarily about speed. With that in mind,
the best way to approach the moderate to complex questions is to generate the
initial YAML via the dry run flag. Then, edit the file with either vi or nano, and
then create the required resource. The steps are outlined below.
The items in this particular repo / page describe and follow the official
curriculum and point back to the various documents at Kubernetes.io. There is a lot
of content on k8s and a lot of it does not pertain to the CKAD exam, so I've pulled
out the sections that are pertinent based on the curriculum. There is a nice
checklist below that you can update once you think you have mastered a particular
topic.
I think the best approach is to fork this repo as a starting point for your
studies, and then use the markdown checklist to ensure you cover all of the
expected material, etc.
Current Progress
The list below is based on the curriculum v1.0. Once you have mastered a section,
check it off and move on to the next. You need to understand them ALL very well.
The Core Concepts piece is kind of vague, but the others are defined well enough
that it is easy to prepare for with a hands-on work through the tasks offered at
kubernetes.io. The rest of this document follows this same outline of curriculum.
In my opinion, and all that is required to pass this test, is to just setup a
gcloud account, and use a two-node GKE cluster for studying. Heck, you can even use
the very nice google cloud shell and not even leave your browser.
Here are commands used to create a two-node cluster for studying. I keep these here
just so I can fire up and destroy a cluster for a few hours each day for study.
Notice that you can tailor the cluster version to match the k8s version for the
exam.
CORE CONCEPTS
The core concepts section covers the core K8s API and its primitives and resources.
It also covers the important concept of a POD. This is the basic unit of deployment
for app developers and so this 'POD' concept is important to understand as well as
how they are managed with kubectl. To me, this is embodied in the kubectl RUN
command.
CONFIGURATION
Configuration covers how run-time 'config' data is provided to your applications
running in k8s. This includes environment variables, config maps, secrets, etc.
Other items that are pertinent to config are the service account and security
contexts used to execute the containers. The below items are covered by this part
of the curriculum.
spec:
containers:
- image: nginx
name: nginx
envFrom:
- configMapRef:
name: app-config
Here is another way to map a specific value to a specific environment variable
value.
containers:
- image: nginx
name: nginx
env:
- name: SPECIAL_APP_KEY
valueFrom:
configMapKeyRef:
name: app-config
key: key123
Now to verify it worked.
These concepts are covered well in the tasks section below, but here is a basic
RunAs example from the doc that shows both pod and container contexts being used.
apiVersion: v1
kind: Pod
spec:
securityContext:
runAsUser: 1000
containers:
- name: sec-ctx-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
App Resource Requirements
Defining the memory and cpu requirements for your containers is something that
should always be done. It allows for more efficient scheduling and better overall
hygiene for your application environment. Again, covered well in the tasks section
below, but here is a brief snippet for the standard mem/cpu specification.
apiVersion: v1
kind: Pod
spec:
containers:
- name: demo
image: polinux/stress
resources:
limits:
memory: 200Mi
cpu: 200m
requests:
memory: 100Mi
cpu: 100m
Now to verify:
apiVersion: v1
data:
foo: YmFy
kind: Secret
metadata:
creationTimestamp: null
name: my-secret
Now create the secret:
apiVersion: v1
kind: Pod
metadata:
name: secrets-test-pod
spec:
containers:
- image: nginx
name: test-container
volumeMounts:
- mountPath: /etc/secret/volume
name: secret-volume
volumes:
- name: secret-volume
secret:
secretName: my-secret
Service Accounts
When pods are created by K8s they are provided an identify via the service account.
In most cases, pods use the default service account, but it can be specified
directly.
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
serviceAccountName: build-robot
...
MULTI-CONTAINER PODS
This particular section needs additional detail as these concepts are not covered
that well via the tasks provided at kubernetes.io. Actually, the best coverage (for
sidecars) is in the concepts section under logging architecture.
One or more containers running within a pod for enhancing the main container
functionality (logger container, git synchronizer container); These are sidecar
container
One or more containers running within a pod to allow access to application running
within the container (Monitoring container); These are called as adapter
containers-
POD DESIGN
The Pod design section mostly covers deployments, rolling updates, and rollbacks
(and jobs). These are all covered well in the tasks section later in this document.
The primary trick here is to really understand the basic commands for updating a
deployment which causes a new replicaSet to be created for the rollout. Both
replica sets exist as the rollout continues and completes.
Deployment Updates
Below is a quick example of creating a deployment and then updating its image. This
will force a rolling deployment to start. You can then roll it back.
OBSERVABILITY
This part of the curriculum covers the logging, debugging, and metrics of your
running applications.
Container Metrics
Container metrics require that heapster be running, and it is pretty standard on
clusters now.
Services
Services provide a persistent endpoint for a logical set of pods. This endpoint is
typically used to expose a pods services externally. They are quite straight
forward and quick to build and configure, so the concepts are more important than
the 'speed' factor for the exam, IMO. There are several ways to expose a service as
well as the underlying detail of using selectors to ultimately select the target
pods of the service.
spec:
containers:
image: nginx
imagePullPolicy: Always
name: busybox
env:
- name: PORT
value: "80"
ports:
- containerPort: 80
protocol: TCP
Network Policies
Resources use labels to select pods and define rules which specify what traffic is
allowed to the selected pods. So, the pods themselves require certain labels /
selectors to enable network policies.
By default, pods are non-isolated; they accept traffic from any source.
Pods become isolated by having a NetworkPolicy that selects them. Once there is any
NetworkPolicy in a namespace selecting a particular pod, that pod will reject any
connections that are not allowed by any NetworkPolicy. (Other pods in the namespace
that are not selected by any NetworkPolicy will continue to accept all traffic.)
apiVersion: v1
data:
foo: YmFy
kind: Secret
metadata:
creationTimestamp: null
name: my-secret
Tasks from Kubernetes Doc
The following are primarily links to either the 'concepts' or 'tasks' section of
the kubernetes.io documentation. The 'task' items are very useful to use as labs.
I've tied them directly to the curriculum to ensure they are appropriate study
material for the exam.