Kubernetes Deep Dive Flashcards

(45 cards)

1
Q

What is the Kubernetes API? What is an Admission Controller?

A

The primary interface for users and system components: a RESTful API served by kube-apiserver, through which every read and write of cluster state passes.

Admission controllers intercept requests to the API server after authentication and authorization but before the object is persisted. Mutating controllers can modify the object (set defaults, inject sidecars); validating controllers can reject it (enforce ResourceQuotas, pod security rules, custom policy via webhooks).

2
Q

How can CRDs be used to extend the Kubernetes API?

A

A CustomResourceDefinition registers a new resource type (group, kind, versions, and an OpenAPI schema) that the API server then serves alongside the built-in resources. Custom objects get the same API machinery as built-in ones: kubectl, RBAC rules, watches, and admission. Usually a controller or operator acts on them.
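The following is an added example, not part of the original card set: a minimal CRD with schema validation, followed by an instance of the new type. The group `example.com`, the kind `Backup`, and all field names are invented for illustration.

```yaml
# Added example: a CRD that teaches the API server a new resource type,
# then one instance of it. Group, kind, and field names are hypothetical.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: backups.example.com          # must be <plural>.<group>
spec:
  group: example.com
  scope: Namespaced
  names:
    plural: backups
    singular: backup
    kind: Backup
    shortNames: [bk]
  versions:
    - name: v1
      served: true                   # this version is exposed by the API server
      storage: true                  # and is the one persisted in etcd
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              required: [schedule, retentionDays]
              properties:
                schedule:
                  type: string
                  pattern: '^(\S+\s+){4}\S+$'   # five whitespace-separated cron fields
                retentionDays:
                  type: integer
                  minimum: 1
                  maximum: 365
      # Unknown fields are pruned by default in apiextensions.k8s.io/v1,
      # so a request cannot smuggle undeclared data into the stored object.
---
apiVersion: example.com/v1
kind: Backup
metadata:
  name: nightly
  namespace: default
spec:
  schedule: "0 2 * * *"
  retentionDays: 30
```

Apply the CRD first, then the instance; `kubectl api-resources | grep backups` shows the new type next to the built-in ones, and an instance with `retentionDays: 0` is rejected by the API server before any controller sees it. Because the type is just another resource, granting access to it needs an RBAC rule with `apiGroups: ["example.com"]` and `resources: ["backups"]`, exactly like a built-in kind.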

3
Q

How do you list resource types in a cluster?

A

kubectl api-resources

4
Q

What is the use of the --authorization-mode flag?

A

The kube-apiserver flag --authorization-mode selects the ordered list of authorizers (for example Node,RBAC, ABAC, Webhook, AlwaysAllow, AlwaysDeny) that decide whether an authenticated request is permitted.

If not set, the default is AlwaysAllow, which performs no authorization at all. Production clusters should run at least Node,RBAC (which is what kubeadm configures).

5
Q

What are the main three stages a request will pass through on its journey via the API server?

A
  1. Authentication: who is making the request, established from client certificates, bearer tokens (ServiceAccount tokens, OIDC ID tokens), or an authenticating proxy
  2. Authorization: is this identity allowed to perform this verb on this resource (decided by the authorizers configured with --authorization-mode)
  3. Admission control: mutating, then validating admission controllers and webhooks inspect the object before it is written to etcd
6
Q

For how long must Kubernetes behaviours function after their announced deprecation?

A

No less than 1 year

7
Q

Which Kubernetes API version is considered to be “high risk” and may be moved out of use without warning?

A

Alpha. Alpha APIs are disabled by default and may be dropped in any release without prior deprecation notice.

8
Q

Which Kubernetes API version is generally considered “safe” to use despite not being recommended for production due to possible breaking changes?

A

Beta

9
Q

Which Kubernetes API version is typically disabled by default and has a support window of approximately 9 months before deprecation?

A

Beta. Since v1.24 new beta APIs are disabled by default (alpha APIs are too, but have no guaranteed support window). A beta API version is deprecated no more than 9 months or 3 minor releases after its introduction, whichever is longer, and stops being served 9 months or 3 minor releases after deprecation.

10
Q

What are Stable (GA) Kubernetes APIs?

A

Enabled by default and backwards-compatible: a GA API version may be marked deprecated, but it must not be removed within the same major version of Kubernetes.

11
Q

What is the role and purpose of RBAC in Kubernetes?

A

To regulate access to resources in a Kubernetes cluster, enforce policy-based access for users, groups, and Service Accounts, and enhance security

12
Q

What is the Kubernetes Certificate Authority?

A

A trusted entity used by the K8s cluster for creating and verifying certificates.

It is a core component of the cluster. The kubeconfig file references the CA certificate (certificate-authority or certificate-authority-data) so that kubectl can verify the API server's serving certificate, and client certificates issued by the same CA are one way users authenticate to the API server.

13
Q

What are Users, Groups, and Service Accounts in K8s?

A

Users: individuals or applications that interact with the K8s cluster. Kubernetes has no User object; usernames come from the authenticator (certificate subject, token claim, etc.).

Groups: also managed outside of K8s and reported by the authenticator. A group represents multiple users; when permissions are given to a group, every user in the group receives them.

ServiceAccounts: used by applications running in K8s. They are K8s objects managed by K8s and are tied to a specific namespace; their tokens authenticate as system:serviceaccount:<namespace>:<name>.

14
Q

What ServiceAccount is a pod assigned if none is given?

A

`default` (every namespace has one). Its token is mounted into the pod at /var/run/secrets/kubernetes.io/serviceaccount unless automountServiceAccountToken is set to false on the pod or the ServiceAccount.
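An added example (not from the original cards) showing how to avoid running on the implicit default ServiceAccount and how to stop the token from being mounted into a container that never talks to the API. The account name `web` and the image are stand-ins.

```yaml
# Added example: a dedicated ServiceAccount with no token mount.
# The name "web" and the image are hypothetical placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web
  namespace: default
automountServiceAccountToken: false      # default for pods using this account
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: default
spec:
  serviceAccountName: web                # omit this and the pod silently gets "default"
  automountServiceAccountToken: false    # pod-level setting takes precedence over the SA's
  containers:
    - name: web
      image: registry.k8s.io/pause:3.9   # stand-in image
```

With the mount disabled, a compromised container has no bearer token to replay against the API server. Workloads that do need API access should get their own ServiceAccount with a narrowly scoped RoleBinding rather than permissions attached to `default`, since every pod in the namespace that does not specify an account shares it.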

15
Q

What does the kubeconfig file contain?

A

Clusters (API server URL and CA data), users (credentials: client certificate, token, or an exec/auth-provider plugin), contexts that pair a cluster with a user and a default namespace, and the current-context selecting which one kubectl uses.

16
Q

What does the command kubectl auth can-i <verb> <resource> check (for example kubectl auth can-i '*' '*')?

A

Whether the current identity is authorized to perform a verb on a resource, as decided by the API server's configured authorizers, for example:

kubectl auth can-i get pods

Adding -n <namespace> scopes the check, --as <user> and --as-group <group> check another identity via impersonation, and --list prints everything the identity may do. The form with '*' '*' asks whether every verb on every resource is allowed, which is only true for cluster-admin-equivalent identities.

17
Q

How are permissions assigned to a user in Kubernetes using RBAC?

A

Via a RoleBinding (namespaced) or a ClusterRoleBinding (cluster-wide) that binds a Role or ClusterRole to subjects: users, groups, or ServiceAccounts. A user's effective permissions are the union of everything bound to their username and to any group the authenticator reports for them; RBAC is purely additive, there are no deny rules.
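An added example (not part of the original cards) illustrating the RBAC objects from the last few cards: a namespaced Role bound to a group and a user, and a ClusterRole bound cluster-wide to a ServiceAccount. The namespaces `team-a` and `monitoring`, the group `team-a-devs`, the user `alice`, and the account `metrics-agent` are invented.

```yaml
# Added example: namespaced read-only access for a group and a user,
# plus one cluster-wide binding for a ServiceAccount. All names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: team-a
rules:
  - apiGroups: [""]                    # "" is the core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]    # no create/delete, no pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-pod-readers
  namespace: team-a                    # grants apply in this namespace only
subjects:
  - kind: Group
    name: team-a-devs                  # group name as reported by the authenticator (e.g. OIDC groups claim)
    apiGroup: rbac.authorization.k8s.io
  - kind: User
    name: alice                        # username as reported by the authenticator
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# A ClusterRole bound by a ClusterRoleBinding applies in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: monitoring-node-viewer
subjects:
  - kind: ServiceAccount
    name: metrics-agent
    namespace: monitoring
roleRef:
  kind: ClusterRole
  name: node-viewer
  apiGroup: rbac.authorization.k8s.io
```

Check the result from the API server's point of view: `kubectl auth can-i list pods -n team-a --as alice --as-group team-a-devs` answers yes, `kubectl auth can-i list pods -n team-b --as alice` answers no, and `kubectl auth can-i get nodes --as system:serviceaccount:monitoring:metrics-agent` answers yes. A RoleBinding may also reference a ClusterRole, which reuses the rule set while confining it to one namespace; that is the preferred way to hand out common read-only roles without a ClusterRoleBinding.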

18
Q

What is the Kubernetes Scheduler and its role?

A

The scheduler assigns newly created pods (those with no nodeName set) to nodes.

When a pod is created, the scheduler filters out nodes that cannot run it (insufficient resources, taints without matching tolerations, nodeSelector or affinity mismatches), scores the remaining nodes, picks the best one, and binds the pod to it by writing the nodeName.

19
Q

What is the use of nodeName and nodeSelector? What mechanism of labels does the nodeSelector make use of?

A

Both control where a pod is placed within a cluster.

nodeName directly names the node the pod must run on. The pod bypasses the scheduler entirely; the kubelet on that node admits or rejects it.

nodeSelector asks the scheduler to consider only nodes whose labels contain the given key/value pairs. It is the simplest form of node affinity and relies on the labels attached to Node objects (applied with kubectl label node or by the kubelet at registration).
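The two placement methods side by side, as an added example that is not part of the original cards. The label `disktype=ssd`, the node name `worker-1`, and the image are placeholders.

```yaml
# Added example: the same workload pinned two ways. Label, node name and image are hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: by-selector
spec:
  nodeSelector:
    disktype: ssd                  # only nodes labelled disktype=ssd pass the scheduler's filter
  containers:
    - name: app
      image: registry.k8s.io/pause:3.9
---
apiVersion: v1
kind: Pod
metadata:
  name: by-name
spec:
  nodeName: worker-1               # skips filtering, scoring and binding altogether
  containers:
    - name: app
      image: registry.k8s.io/pause:3.9
```

The security-relevant difference: with nodeName the creator of the pod, not the scheduler, chooses the node, so NoSchedule taints that would normally keep workloads off a node are never evaluated (the kubelet still enforces NoExecute taints and resource fit). Anyone allowed to create pods in a namespace can therefore land a pod on a specific node; restricting which nodes are reachable is a job for admission policy, not RBAC on pods alone.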

20
Q

What are the main operations performed by the scheduler?

A

Filtering, scoring, and binding

21
Q

What is ephemeral storage? What is persistent storage?

A

Ephemeral storage lives and dies with the pod: an emptyDir, for example, survives container restarts within the pod but is deleted when the pod is removed from its node.
Ex: emptyDir

Persistent storage (PersistentVolumes, bound through PersistentVolumeClaims) outlives the pod and container and can be reattached when the pod is rescheduled.

22
Q

What are some examples of CNCF Graduated Storage Solutions

A

Rook, a CNCF graduated project, which orchestrates Ceph (object, block, and file storage) on Kubernetes.

Longhorn and OpenEBS are also CNCF-hosted Kubernetes storage projects, but they are not at the graduated level.

23
Q

What are PersistentVolume reclaim policies?

A

persistentVolumeReclaimPolicy decides what happens to a PersistentVolume once its claim is deleted:

Retain - the PV and its data are kept (the PV shows as Released) until an administrator deletes them manually

Delete - the PV and the underlying storage asset are deleted along with the claim; this is the default for dynamically provisioned volumes, which is why Retain is the safer choice for data you cannot recreate

(Recycle, a basic scrub and reuse, is deprecated.)

24
Q

In Kubernetes, what is the significance of setting a volume’s emptyDir.medium to Memory?

A

The emptyDir is backed by a RAM tmpfs instead of node disk. It is fast and never touches disk (useful for scratch data and secrets), but it consumes node memory that counts against the container's memory limit and is lost when the pod is removed. Set sizeLimit so a runaway writer gets the pod evicted instead of exhausting the node.
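An added example (not from the original cards) tying together the ephemeral-storage and emptyDir cards: a memory-backed scratch volume with a cap, next to a plain disk-backed one. Pod and volume names and the image are placeholders.

```yaml
# Added example: two emptyDir volumes, one on tmpfs and one on node disk.
# Names and image are hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: scratch-demo
spec:
  containers:
    - name: app
      image: registry.k8s.io/pause:3.9
      resources:
        limits:
          memory: 256Mi                # tmpfs pages in /scratch are charged against this limit
      volumeMounts:
        - name: scratch
          mountPath: /scratch
        - name: cache
          mountPath: /cache
  volumes:
    - name: scratch
      emptyDir:
        medium: Memory                 # RAM-backed tmpfs; never written to node disk
        sizeLimit: 64Mi                # kubelet evicts the pod if usage exceeds this
    - name: cache
      emptyDir: {}                     # default medium: node's local disk
```

Both volumes survive a container restart inside the pod (the kubelet keeps the pod sandbox) and both vanish when the pod is deleted or evicted. The Memory medium is the better home for decrypted material that should not hit disk; the memory limit must be sized to include it, or the container will be OOM-killed for writing files.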

25
Q

What is the purpose of StatefulSets?

A

A workload API for stateful applications that need stable identities: each pod gets a stable ordinal name (name-0, name-1, ...), a stable network identity through a headless Service, and its own PersistentVolumeClaim created from volumeClaimTemplates. Pods are created, scaled, and deleted in order, unlike the interchangeable, randomly named pods of a Deployment.

26
Q

What are the differences / similarities between StatefulSets and Deployments?

A

Both manage a set of pods from one template, replace failed pods, and support rolling updates. A Deployment treats pods as interchangeable: names carry a random suffix and any volume is shared by all replicas. A StatefulSet gives each pod a sticky identity (ordinal name, DNS name, and PVC) that is preserved even when the pod is restarted or rescheduled.

27
Q

What is the StatefulSet's relation to / dependency on Services for naming?

A

A StatefulSet's serviceName must reference a headless Service (clusterIP: None) that selects its pods. The Service gives each pod a stable DNS name of the form <pod>.<service>.<namespace>.svc.cluster.local, so peers can address db-0 directly rather than through a load-balanced virtual IP.

28
Q

What are Network Policies? What does it mean that they are cumulative?

A

NetworkPolicies restrict ingress and/or egress for the pods they select, with rules expressed as pod selectors, namespace selectors, or IP blocks. A pod not selected by any policy accepts and sends all traffic. Policies are cumulative (additive): when several policies select the same pod, the permitted traffic is the union of all their rules, and there is no deny rule; traffic is blocked by not being allowed. Enforcement is done by the CNI plugin, so a cluster whose network plugin does not implement NetworkPolicy silently ignores them.

29
Q

What are Pod Disruption Budgets?

A

A Pod Disruption Budget (PDB) is a Kubernetes resource that limits the number of pods of an application that can be down simultaneously during voluntary disruptions (node drains, evictions through the Eviction API), ensuring a minimum level of availability.

30
Q

Which Kubernetes command is used to make a node unschedulable?

A

kubectl cordon <node>. It only stops new pods from being scheduled; kubectl drain <node> additionally evicts the pods already running there (honouring PDBs), and kubectl uncordon <node> reverses the cordon.

31
Q

What is the difference between PDBs and replicas in Kubernetes?

A

Replicas set how many copies run during normal operation; a PDB limits how many of those copies may be taken down at once by voluntary disruptions, so a drain waits rather than dropping the application below its budget.

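An added example (not part of the original cards) for the PDB cards: a Deployment with three replicas and a budget that keeps two of them up, so a drain can evict only one pod at a time. The namespace `shop`, the name `api`, and the image are placeholders.

```yaml
# Added example: replicas set the normal count, the PDB bounds voluntary disruption.
# Names and image are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: registry.k8s.io/pause:3.9   # stand-in image
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: api-pdb
  namespace: shop
spec:
  minAvailable: 2                    # or maxUnavailable: 1; set exactly one of the two
  selector:
    matchLabels:
      app: api                       # must match the pods the Deployment creates
```

`kubectl drain` uses the Eviction API and is blocked while evicting another pod would leave fewer than two available; `kubectl delete pod` bypasses the budget entirely, as do involuntary failures. A PDB whose minAvailable equals the replica count can never be satisfied during a drain and will stall node maintenance indefinitely.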
32
Q

What are some of the Security Tools and their function, including Falco and Open Policy Agent?

A

Falco is a runtime security tool that watches system calls (and optionally Kubernetes audit events) and alerts in real time on suspicious behaviour, such as a shell spawned inside a container or a sensitive file being read.

Open Policy Agent (OPA) is a general-purpose policy engine for enforcing policies across a software stack; in Kubernetes it is typically deployed as an admission webhook (for example through Gatekeeper) to accept or reject resources against policy.

33
Q

What is Kubescape? How is it used in relation to NSA and CISA standards?

A

Kubescape is an open-source security platform that scans Kubernetes clusters, manifests, and configurations for vulnerabilities and misconfigurations against frameworks such as the NSA/CISA Kubernetes Hardening Guidance.

34
Q

What is OpenID Connect (OIDC)? What is its purpose?

A

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that lets users log in to an application by authenticating with an identity provider such as Google or Microsoft. Its purpose is to give applications a standardized, secure way to authenticate users without managing their passwords. In Kubernetes the API server can be configured to verify OIDC ID tokens (signed JWTs) and map their claims to usernames and groups, which RBAC then uses.

35
Q

What are PodSecurityPolicies? What do they do?

A

PodSecurityPolicies were a cluster-wide admission resource that controlled security-sensitive fields of a pod spec: privileged mode, host namespaces, volume types, runAsUser, capabilities, and so on. They were deprecated in v1.21 and removed in v1.25. Their replacement is Pod Security Admission, a built-in admission controller that enforces the Pod Security Standards (privileged, baseline, restricted) per namespace through labels.

36
Q

What are the 4 C's of Cloud Native Security?

A

Code, Container, Cluster, Cloud. Each layer builds on the security of the layer outside it.

37
Q

In the Kubernetes security context example, what is the outcome of setting allowPrivilegeEscalation: false in the container's security context?

A

The container process is started with the no_new_privs flag, so neither it nor its children can gain more privileges than the parent: setuid binaries and file capabilities no longer raise privileges. Kubernetes forces the effective value to true when the container is privileged or holds CAP_SYS_ADMIN.

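An added example, not from the original cards, covering the Pod Security Admission and securityContext cards together: a namespace that enforces the restricted profile, and a pod hardened enough to be admitted into it. The namespace `payments`, the UID 10001, and the image are placeholders.

```yaml
# Added example: restricted Pod Security Standard enforced on a namespace,
# and a pod that satisfies it. Namespace, UID and image are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted        # reject non-compliant pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted           # warn the client on violations
    pod-security.kubernetes.io/audit: restricted          # record them in the audit log
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true                 # required by restricted
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault             # required by restricted
  containers:
    - name: api
      image: registry.k8s.io/pause:3.9 # stand-in image
      securityContext:
        allowPrivilegeEscalation: false   # required by restricted; sets no_new_privs
        readOnlyRootFilesystem: true      # not required, but closes off on-disk tampering
        capabilities:
          drop: ["ALL"]                   # required by restricted (NET_BIND_SERVICE may be re-added)
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # writable scratch space since the root fs is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

Remove `allowPrivilegeEscalation: false` or the `drop: ["ALL"]` line and `kubectl apply --dry-run=server` reports the exact field the restricted profile objects to, which is a cheap way to audit manifests before rollout. Labelling an existing namespace with `warn` and `audit` first, and `enforce` only once the warnings are gone, avoids breaking running workloads.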
38
Q

What happens when a node stops reporting?

A

- Once the node controller has not heard from the kubelet for node-monitor-grace-period (under a minute by default), it sets the node's Ready condition to Unknown; kubectl get nodes lists the node as NotReady
- Workloads already on the node may keep running if the node itself is alive but merely cut off from the control plane
- The node controller taints the node node.kubernetes.io/unreachable with effect NoExecute; pods tolerate it for 300 seconds by default, so after ~5 minutes they are evicted and their controllers recreate them on healthy nodes
- kubectl describe node shows the Ready condition's status as Unknown

39
Q

What is Kubernetes Garbage Collection?

A

Kubernetes uses garbage collection to automatically clean up a wide range of resource types, including:

- Terminated Pods
- Completed Jobs
- Dependent objects whose owner (per ownerReferences) has been deleted, i.e. cascading deletion of orphaned dependents
- Unused containers and images on nodes
- Dynamically provisioned PersistentVolumes (with reclaim policy Delete)
- Expired CertificateSigningRequests (CSRs)
- Deleted Nodes (in scenarios managed by a cloud controller or similar addon)
- Node Lease objects

40
Q

What are Kubernetes probes?

A

Liveness Probe: the kubelet checks whether the container is still alive. If it fails, the kubelet restarts the container.

Readiness Probe: the kubelet checks whether the container is ready to serve traffic. If it fails, the pod's Ready condition is set to false and the endpoints controller removes the pod from Service endpoints; the container is not restarted.

Startup Probe: the kubelet checks whether the application inside the container has finished starting. While this probe is running, liveness and readiness checks are paused; once it succeeds, the other probes take over.

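An added example (not from the original cards) with all three probes on one container, each tuned for its job. The pod name, the image, and the probe paths are stand-ins; any HTTP server answering on the given path works.

```yaml
# Added example: startup, readiness and liveness probes together. Name, image and path are hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  containers:
    - name: web
      image: nginx:1.25                # stand-in; any HTTP server
      ports:
        - containerPort: 80
      startupProbe:                    # tolerates up to 30 x 2s = 60s of startup
        httpGet:
          path: /
          port: 80
        periodSeconds: 2
        failureThreshold: 30           # liveness/readiness stay paused until this succeeds
      readinessProbe:                  # failing removes the pod from Service endpoints only
        httpGet:
          path: /
          port: 80
        periodSeconds: 5
        failureThreshold: 3
      livenessProbe:                   # failing restarts the container
        httpGet:
          path: /
          port: 80
        periodSeconds: 10
        timeoutSeconds: 1
        failureThreshold: 3
```

Keep the liveness check to something the process can answer on its own; if it depends on a database or downstream API, an outage there makes the kubelet restart healthy containers in a cascade. Readiness is the right place to reflect dependency health, because it sheds traffic without killing the process. The startup probe lets the liveness probe stay aggressive without killing slow starters.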
41
Q

What is Helm? What is required for its plugin installation?

A

Helm is a package manager for Kubernetes: charts bundle templated manifests with configurable values so applications can be installed, upgraded, and rolled back as releases. Installing a plugin from a repository URL with helm plugin install clones it, so git must be present on the machine.

42
Q

What is the purpose of Service Meshes? What are the main components, the data plane and the control plane?

A

Service meshes provide efficient, reliable, and secure service-to-service communication, and become useful as the scale and complexity of an application grows.

The data plane handles the traffic between services, commonly through a proxy deployed alongside each workload (the sidecar pattern). The control plane manages and configures the behaviour of those proxies: routing, retries, certificates, and policy.

43
Q

What are some common open source offerings for service meshes?

A

- Traefik Mesh
- Istio
- Linkerd

44
Q

What is one of the key security features provided by a Service Mesh?

A

Mutual TLS (mTLS) between workloads: the proxies authenticate both ends of every connection with certificates issued and rotated by the mesh control plane and encrypt traffic in transit, enforcing workload identity without changes to application code.

45
Q

What is the role of the SMI?

A

SMI = Service Mesh Interface. A specification that defined a common set of Kubernetes APIs for service meshes (traffic access control, traffic specs, traffic split, traffic metrics) so that tooling could work across different mesh implementations. The project has since been archived by the CNCF.