Reference link: https://blog.csdn.net/shuoshuo132/article/details/115362867

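1 Introduction

There are 17 questions in total and the exam lasts 2 hours. Each question carries a different score depending on its difficulty. The full score is 100 and the passing score is 66. (March 2021)
All questions are hands-on. Official GitHub link: https://github.com/cncf/curriculum
To register, log in to the Linux Foundation site (there is a China version: https://training.linuxfoundation.cn/ ). The registration fee is 300 US dollars, though promotions sometimes lower the price. After purchase, a tutorial explains how to activate and schedule the exam. When scheduling, the site runs an environment check, including a scan of your browser configuration, webcam and so on. The exam can be scheduled at any time within one year of purchase, and one retake is included.
During the exam, one browser tab is the exam interface. We are allowed to open only one additional tab, and it may only visit one of the following: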
https://kubernetes.io/docs/home/
https://github.com/kubernetes
https://kubernetes.io/blog/
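Before the exam starts, the proctor checks your exam environment, and the check is fairly strict overall. Pick a quiet room with a clean desk. If you registered for CKA-CN, i.e. the exam with a Chinese-speaking proctor, you only need to bring your ID card.

Cluster architecture, installation and configuration: 25%
Workloads and scheduling: 15%
Services and networking: 20%
Storage: 10%
Troubleshooting: 30%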

Notes


20211129 practice summary
# New command: list all API resources. Helps when you do not know how to write resources such as StatefulSet

kubectl api-resources | less

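Review of difficult questions

# ask
Create a service account named dev-sa in the default namespace; dev-sa can create the below components in the dev namespace

# ans
# 1 Create the sa in the default namespace

# 2 Create the role in the dev namespace

# 3 Create the rolebinding that binds the role to the sa

# 4 Verification command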
kubectl auth can-i create deployment --as=system:serviceaccount:default:dev-sa -n dev

20211130 practice with real exam questions: https://blog.csdn.net/u011127242/article/details/121388338

Question 1: ImagePolicyWebhook. How it works: https://www.kubernetes.org.cn/8848.html
Question text:

context
A container image scanner is set up on the cluster, but it's not yet fully
integrated into the cluster's configuration. When complete, the container image
scanner shall scan for and reject the use of vulnerable images.
task
You have to complete the entire task on the cluster master node, where all services and files have been prepared and placed.
Given an incomplete configuration in directory /etc/kubernetes/aa and a functional container image scanner with HTTPS endpoint http://192.168.26.60:1323/image_policy

1. Enable the necessary plugins to create an image policy
2. Validate the control configuration and change it to an implicit deny
3. Edit the configuration to point to the provided HTTPS endpoint correctly

Finally, test if the configuration is working by trying to deploy the vulnerable resource /csk/1/web1.yaml

20211202 practice log

URL: https://blog.csdn.net/u011127242/article/details/121388338
4 AppArmor overview:

Context
AppArmor is enabled on the cluster worker node. An AppArmor profile is prepared, but not enforced yet.
You may use your browser to open one additional tab to access the AppArmor documentation.
Task
On the cluster worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor. Edit the prepared manifest file located at /cks/4/pod1.yaml to apply the AppArmor profile.
Finally, apply the manifest file and create the pod specified in it.

5 PodSecurityPolicy
Question overview

context
A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task
Create a new PodSecurityPolicy named prevent-psp-policy, which prevents the creation of privileged Pods.
Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.
Create a new serviceAccount named psp-denial-sa in the existing namespace development.
Finally, create a new clusterRoleBinding named dany-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created serviceAccount.

Understanding PodSecurityPolicy:
https://blog.csdn.net/hxpjava1/article/details/103904747?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522163840555916780271922165%2522%252C%2522scm%2522%253A%252220140713.130102334…%2522%257D&request_id=163840555916780271922165&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2allsobaiduend~default-3-103904747.first_rank_v2_pc_rank_v29&utm_term=PodSecurityPolicy&spm=1018.2226.3001.4187
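
The four objects that question 5 asks for, written as a single manifest. This is an added example, not part of the original notes. It assumes a cluster that still serves policy/v1beta1 PodSecurityPolicy (the API was removed in Kubernetes v1.25); the RunAsAny strategies and the volumes wildcard are assumptions chosen so that only privileged mode is restricted.

```yaml
# Added example. Object names are taken from the task text above.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: prevent-psp-policy
spec:
  privileged: false          # the control the task asks for
  # The four strategy fields are required by the API. RunAsAny leaves
  # them unrestricted (assumption: the task only targets privileged mode).
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restrict-access-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']                        # 'use' is what lets a subject's pods be admitted under the PSP
  resourceNames: ['prevent-psp-policy'] # limit the grant to this one policy
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: psp-denial-sa
  namespace: development
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dany-access-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: restrict-access-role
subjects:
- kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
```

The policy is only enforced when the PodSecurityPolicy admission plugin is enabled on the API server. If the service account can also use a more permissive policy through another binding, privileged Pods can still be admitted under that one.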
