CKA Study Sheet

Setting Up the Environment

Starting the exam and setting alias

Alias setup for kubectl command.

alias k=kubectl

Check Kubernetes Cluster Information

Verifies the connection to the Kubernetes cluster and displays cluster endpoints.

kubectl cluster-info

Check Nodes in the Cluster

Lists all nodes in the Kubernetes cluster, verifying connectivity and cluster health.

kubectl get nodes

Check Kubernetes Version

Displays the Kubernetes client and server versions to ensure compatibility and functionality.

kubectl version

Workload & Scheduling

Deployments

Create Deployment

Creates a deployment using a specified container image.

kubectl create deployment <name> --image=<image>

Scale Deployment

Scales the number of replicas in a deployment.

kubectl scale deployment <name> --replicas=<number>

Expose Service

Exposes a deployment as a service on a specified port.

kubectl expose deployment <name> --port=<port>

Update Deployment Image

Updates the container image used in a deployment.

kubectl set image deployment/<deployment-name> <container-name>=<new-image>

Rollout Status

Checks the status of a deployment rollout.

kubectl rollout status deployment/<deployment-name>

Rollback Deployment

Rolls back a deployment to a previous revision.

kubectl rollout undo deployment/<deployment-name>

Delete Deployment

Deletes a deployment.

kubectl delete deployment <name>

Pods

List Pods

Lists all pods in the Kubernetes cluster.

kubectl get pods

Describe Pod

Describes detailed information about a specific pod.

kubectl describe pod <pod-name>

Logs of Pod

Displays the logs of a specific pod.

kubectl logs <pod-name>

Exec into Pod

Opens an interactive shell session inside a specific pod.

kubectl exec -it <pod-name> -- /bin/bash

Delete Pod

Deletes a specific pod.

kubectl delete pod <pod-name>

Jobs

Run Job

Runs a one-time job using a specified container image.

kubectl create job <name> --image=<image>

List Jobs

Lists all jobs in the Kubernetes cluster.

kubectl get jobs

Describe Job

Describes detailed information about a specific job.

kubectl describe job <job-name>

Delete Job

Deletes a specific job.

kubectl delete job <job-name>

CronJobs

Create CronJob

Creates a cron job that runs a specified container image on a cron schedule.

kubectl create cronjob <name> --image=<image> --schedule="<cron-schedule>"

List CronJobs

Lists all cron jobs in the Kubernetes cluster.

kubectl get cronjobs

Describe CronJob

Describes detailed information about a specific cron job.

kubectl describe cronjob <cronjob-name>

Delete CronJob

Deletes a specific cron job.

kubectl delete cronjob <cronjob-name>

Services & Networking

Services

Create Service

Creates a service of a specified type and name, exposing a TCP port.

kubectl create service <type> <name> --tcp=<port>

Get Services

Lists all services in the current namespace.

kubectl get services

Describe Service

Provides detailed information about a specific service.

kubectl describe service <name>

Delete Service

Deletes a specific service.

kubectl delete service <name>

Network Policies

Create NetworkPolicy

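Creates a network policy from the definition provided in the YAML file <networkpolicy-definition.yaml>, which sets its name, namespace, and specification. kubectl has no imperative create networkpolicy subcommand.

kubectl create -f <networkpolicy-definition.yaml> --namespace=<namespace>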

Get NetworkPolicies

Lists all network policies in the current namespace.

kubectl get networkpolicies

Describe NetworkPolicy

Provides detailed information about a specific network policy.

kubectl describe networkpolicy <policy-name>

Delete NetworkPolicy

Deletes a specific network policy.

kubectl delete networkpolicy <policy-name>
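
A manifest-based example for the Network Policies entries above (added here, not part of the original sheet): a default-deny ingress policy plus one allow rule, rendered and applied from a heredoc. The namespace shop, the labels app=api and app=web, and port 8080 in the usage line are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example; namespace, labels and port are assumptions, not from the sheet.

# Print two policies: (1) deny all ingress to every pod in the namespace,
# (2) allow pods labelled app=<client> to reach app=<server> on one TCP port.
render_netpol() {  # render_netpol <namespace> <server> <client> <port>
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $1
spec:
  podSelector: {}            # empty selector matches every pod in the namespace
  policyTypes: ["Ingress"]   # no ingress rules follow, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$3-to-$2
  namespace: $1
spec:
  podSelector:
    matchLabels:
      app: $2
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: $3
    ports:
    - protocol: TCP
      port: $4
EOF
}

# Apply the rendered policies, then list what exists in the namespace.
apply_netpol() {
  render_netpol "$@" | kubectl apply -f - &&
    kubectl get networkpolicies --namespace="$1"
}

# Usage, on a cluster whose network plugin enforces NetworkPolicy:
#   apply_netpol shop api web 8080
```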

Storage

Persistent Volumes (PVs)

Persistent Volumes are a cluster-wide storage resource provisioned by an administrator. They provide storage resources that can be dynamically or statically provisioned.

Create Persistent Volume

Creates a Persistent Volume using the definition provided in the YAML file <pv-definition.yaml>.

kubectl create -f <pv-definition.yaml>

Get Persistent Volumes

Lists all the Persistent Volumes available in the cluster.

kubectl get pv

Describe Persistent Volume

Provides detailed information about a specific Persistent Volume named <pv-name>.

kubectl describe pv <pv-name>

Delete Persistent Volume

Deletes the Persistent Volume named <pv-name> from the cluster.

kubectl delete pv <pv-name>

Persistent Volume Claims (PVCs)

Persistent Volume Claims are requests for storage by a user. They claim a Persistent Volume and bind it to a pod.

Create Persistent Volume Claim

Creates a Persistent Volume Claim using the definition provided in the YAML file <pvc-definition.yaml>.

kubectl create -f <pvc-definition.yaml>

Get Persistent Volume Claims

Lists all the Persistent Volume Claims in the current namespace.

kubectl get pvc

Describe Persistent Volume Claim

Provides detailed information about a specific Persistent Volume Claim named <pvc-name>.

kubectl describe pvc <pvc-name>

Delete Persistent Volume Claim

Deletes the Persistent Volume Claim named <pvc-name> from the cluster.

kubectl delete pvc <pvc-name>

Storage Classes

Storage Classes provide a way to describe the 'classes' of storage offered by a cluster. Different classes might map to quality-of-service levels, backup policies, or arbitrary policies determined by the cluster administrators.

Get Storage Classes

Lists all the Storage Classes available in the cluster.

kubectl get storageclass

Create Storage Class

Creates a Storage Class using the definition provided in the YAML file <storageclass-definition.yaml>.

kubectl create -f <storageclass-definition.yaml>

Describe Storage Class

Provides detailed information about a specific Storage Class named <storageclass-name>.

kubectl describe storageclass <storageclass-name>

Delete Storage Class

Deletes the Storage Class named <storageclass-name> from the cluster.

kubectl delete storageclass <storageclass-name>

Troubleshooting

Troubleshooting in Kubernetes involves identifying and resolving issues with the various resources and workloads running in the cluster. Here are the imperative commands that are particularly useful for troubleshooting:

Logs

Fetches and displays the logs of a specific pod, which is useful for debugging and understanding the behavior of the applications running in the pod.

kubectl logs <pod-name>

Get Logs of a Specific Container

Fetches and displays the logs of a specific container within a pod.

kubectl logs <pod-name> -c <container-name>

Stream Logs

Streams the logs of a pod, useful for monitoring logs in real-time.

kubectl logs -f <pod-name>

Events

Displays detailed information about a specific resource, including events associated with it.

kubectl describe <resource> <name>

List Events

Lists all events in the current namespace, providing an overview of what has happened in the cluster.

kubectl get events

Exec into Container

Executes a command in a container within a pod, allowing interactive access (such as a bash shell) for troubleshooting.

kubectl exec -it <pod-name> -- /bin/bash

Execute a Command in a Specific Container

Executes a command in a specific container within a pod, useful when dealing with multi-container pods.

kubectl exec -it <pod-name> -c <container-name> -- /bin/bash

Port Forwarding

Forwards a local port to a port on a pod, allowing access to a pod's service on the local machine.

kubectl port-forward <pod-name> <local-port>:<remote-port>

Port Forwarding for a Service

Forwards a local port to a port on a service, useful for accessing a service locally.

kubectl port-forward svc/<service-name> <local-port>:<remote-port>

Describe Pod

Displays detailed information about a pod, including its status, events, and resource usage.

kubectl describe pod <pod-name>

Describe Node

Displays detailed information about a node, which can help diagnose node-specific issues.

kubectl describe node <node-name>

Get Pod Info

Retrieves detailed YAML representation of a pod, useful for understanding its configuration and current state.

kubectl get pod <pod-name> -o yaml

Get Node Info

Retrieves detailed YAML representation of a node, useful for understanding its configuration and current state.

kubectl get node <node-name> -o yaml

Debugging a Pod with Debug Container

Attaches a debug container to a running pod for in-depth troubleshooting.

kubectl debug pod/<pod-name> -it --image=<debug-image> --target=<container-name>

View System Logs with journalctl

Fetches and displays logs for a specific system service managed by systemd.

journalctl -u <service-name>

Stream System Logs with journalctl

Streams logs for a specific system service in real-time.

journalctl -u <service-name> -f

View Logs for All Services

Displays the systemd logs for all services with detailed debugging information.

journalctl -xe

Security and RBAC

Security in Kubernetes involves managing permissions, roles, and network policies to ensure that only authorized users and services can access resources and perform actions within the cluster. Here are the key imperative commands to manage security-related resources:

Create Role

Creates a role with specific permissions (verbs) for a given resource. Roles are namespaced.

kubectl create role <role-name> --verb=<verb> --resource=<resource>

Get Role

Lists all roles in the current namespace.

kubectl get roles

Describe Role

Displays detailed information about a specific role, including the permissions it grants.

kubectl describe role <role-name>

Delete Role

Deletes a specific role from the current namespace.

kubectl delete role <role-name>

Create Role Binding

Binds a role to a user, granting them the permissions defined in the role within a namespace.

kubectl create rolebinding <binding-name> --role=<role-name> --user=<user>

Get Role Binding

Lists all role bindings in the current namespace.

kubectl get rolebindings

Describe Role Binding

Displays detailed information about a specific role binding, including the role it references and the subjects it binds to.

kubectl describe rolebinding <binding-name>

Delete Role Binding

Deletes a specific role binding from the current namespace.

kubectl delete rolebinding <binding-name>

Create ClusterRole

Creates a cluster-wide role with specific permissions for a given resource.

kubectl create clusterrole <role-name> --verb=<verb> --resource=<resource>

Get ClusterRole

Lists all cluster roles in the cluster.

kubectl get clusterroles

Describe ClusterRole

Displays detailed information about a specific cluster role, including the permissions it grants.

kubectl describe clusterrole <role-name>

Delete ClusterRole

Deletes a specific cluster role from the cluster.

kubectl delete clusterrole <role-name>

Create ClusterRole Binding

Binds a cluster role to a user, granting them the permissions defined in the role cluster-wide.

kubectl create clusterrolebinding <binding-name> --clusterrole=<role-name> --user=<user>

Get ClusterRole Binding

Lists all cluster role bindings in the cluster.

kubectl get clusterrolebindings

Describe ClusterRole Binding

Displays detailed information about a specific cluster role binding, including the role it references and the subjects it binds to.

kubectl describe clusterrolebinding <binding-name>

Delete ClusterRole Binding

Deletes a specific cluster role binding from the cluster.

kubectl delete clusterrolebinding <binding-name>

Create Service Account

Creates a new service account in the current namespace.

kubectl create serviceaccount <name>

Get Service Account

Lists all service accounts in the current namespace.

kubectl get serviceaccounts

Describe Service Account

Displays detailed information about a specific service account.

kubectl describe serviceaccount <name>

Delete Service Account

Deletes a specific service account from the current namespace.

kubectl delete serviceaccount <name>
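
The role, role binding and service account commands above combined into one least-privilege grant, followed by a check of what the account can actually do. This is an added example, not part of the original sheet; the namespace dev and the account name ci-bot in the usage line are assumptions, and the `--as` impersonation requires the caller to hold impersonate rights (cluster admins do).

```shell
#!/usr/bin/env bash
# Added example; namespace, account and role names are assumptions.

# Create a service account that may only read pods in one namespace.
grant_pod_reader() {  # grant_pod_reader <namespace> <serviceaccount>
  kubectl create serviceaccount "$2" --namespace="$1" &&
  kubectl create role pod-reader --namespace="$1" \
    --verb=get,list,watch --resource=pods &&
  kubectl create rolebinding "$2-pod-reader" --namespace="$1" \
    --role=pod-reader --serviceaccount="$1:$2"
}

# Ask the API server whether the account may perform an action.
# `auth can-i --quiet` prints nothing and exits 0 for yes, non-zero for no.
can_i() {  # can_i <namespace> <serviceaccount> <verb> <resource> [kubectl flags]
  subject="system:serviceaccount:$1:$2"; shift 2
  kubectl auth can-i "$@" --quiet --as="$subject"
}

# Return 0 only if the grant is exactly as narrow as intended.
audit_pod_reader() {  # audit_pod_reader <namespace> <serviceaccount>
  rc=0
  for verb in get list watch; do
    can_i "$1" "$2" "$verb" pods --namespace="$1" ||
      { echo "MISSING: $verb pods in $1"; rc=1; }
  done
  # None of these should be allowed for a read-only pod viewer.
  for check in "delete pods" "create pods" "get secrets"; do
    if can_i "$1" "$2" "${check% *}" "${check#* }" --namespace="$1"; then
      echo "EXCESS: $check in $1"; rc=1
    fi
  done
  # Roles are namespaced: the same read in another namespace must be denied.
  if can_i "$1" "$2" list pods --namespace=kube-system; then
    echo "EXCESS: list pods in kube-system"; rc=1
  fi
  return "$rc"
}

# Usage:
#   grant_pod_reader dev ci-bot && audit_pod_reader dev ci-bot
```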

Cluster Maintenance

Drain Node

Safely evicts all pods from a node to perform maintenance.

kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data

Cordon Node

Marks a node as unschedulable, preventing new pods from being scheduled on it.

kubectl cordon <node-name>

Uncordon Node

Marks a node as schedulable, allowing new pods to be scheduled on it.

kubectl uncordon <node-name>

Cluster Information

Displays information about the cluster's master and services.

kubectl cluster-info

Backup/Restore

Backup and restore operations are crucial for maintaining data integrity and recoverability. This can be done manually by backing up the etcd database or by exporting objects through the kube-apiserver.

Backup etcd Manually

Creates a snapshot of the etcd database, which can be used for disaster recovery.

ETCDCTL_API=3 etcdctl snapshot save <backup-file> \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=<path-to-cafile> \
  --cert=<path-to-certfile> \
  --key=<path-to-keyfile>

Restore etcd Manually

Restores the etcd database from a snapshot.

ETCDCTL_API=3 etcdctl snapshot restore <backup-file> \
  --data-dir=/var/lib/etcd-from-backup

Backup Using kube-apiserver

Fetches the leader-election Lease objects of kube-controller-manager and kube-scheduler through the API server and saves them for backup. --raw already returns the JSON body, so no -o flag is needed.

kubectl get --raw /apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-controller-manager > kube-controller-manager.json
kubectl get --raw /apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler > kube-scheduler.json

Restore Using kube-apiserver

Restores Kubernetes components' state from backup.

kubectl apply -f kube-controller-manager.json
kubectl apply -f kube-scheduler.json

Upgrade a Cluster with kubeadm

Upgrading a Kubernetes cluster involves several steps to ensure a smooth transition to the new version.

Upgrade the Control Plane

Plans and applies the upgrade to the control plane.

kubeadm upgrade plan
kubeadm upgrade apply <version>

Upgrade kubelet and kubectl

Upgrades the kubelet and kubectl binaries on each node.

apt-get update && apt-get install -y kubelet=<version> kubectl=<version>
systemctl restart kubelet

Upgrade Worker Nodes

Drains each worker node, applies the upgrade, and then marks the node as schedulable again.

kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data
kubeadm upgrade node
kubectl uncordon <node-name>

Helm

Helm Commands and Applying Helm Charts

Helm Install

Installs a Helm chart onto your Kubernetes cluster. `<release-name>`: Specifies the name for the release of the Helm chart. `<chart>`: Specifies the name or path to the Helm chart to install.

helm install <release-name> <chart>

Helm Upgrade

Upgrades an existing Helm release to a new version of a chart or with modified configuration. `<release-name>`: Specifies the name of the release to upgrade. `<chart>`: Specifies the name or path to the new Helm chart or chart archive.

helm upgrade <release-name> <chart>

`kubectl` Command for Applying Helm Charts

Applies the Kubernetes manifests contained in `<helm-chart.yaml>`, which represents the rendered Kubernetes YAML manifests of a Helm chart.

kubectl apply -f <helm-chart.yaml>

Certificates

OpenSSL Commands for Generating Keys and Certificates

Generate a Private Key for the CA

Generates a 2048-bit private key for the CA.

openssl genrsa -out ca.key 2048

Create a Self-Signed Certificate for the CA

Generates a self-signed CA certificate valid for 365 days. You will be prompted to enter information about the CA.

openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt

Generating Public and Private Keys

Generate a Private Key

Generates a 2048-bit private key.

openssl genrsa -out server.key 2048

Create a Certificate Signing Request (CSR)

Generates a CSR using the private key. You will be prompted to enter information about the certificate.

openssl req -new -key server.key -out server.csr

Sign the CSR with the CA to Create the Certificate

Signs the CSR with the CA’s private key to generate a certificate valid for 365 days.

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

Viewing the Public Key Information

View Public Key Information from the Certificate

Displays the content of the certificate, including the public key information.

openssl x509 -in server.crt -text -noout

Extract the Public Key from the Private Key

Extracts the public key from the private key and saves it to a file.

openssl rsa -in server.key -pubout -out server_public.key

View Public Key Information from the Public Key File

Displays the content of the public key file.

openssl rsa -pubin -in server_public.key -text -noout
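
The OpenSSL steps above run end to end without prompts, followed by a check that the issued certificate chains to the CA and matches its private key. This is an added example, not part of the original sheet; the subject names, the subjectAltName extension file and the output directory are assumptions (`-subj` replaces the interactive prompts, and the SAN is added because current TLS clients match hostnames against it rather than the CN).

```shell
#!/usr/bin/env bash
# Added example; subject names, SAN and output directory are assumptions.

# Issue a CA and a server certificate non-interactively into directory $1
# for DNS name $2.
issue_server_cert() {
  ( cd "$1" && umask 077 &&   # keep private keys unreadable to other users
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 \
      -subj "/CN=example-ca" -out ca.crt &&
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
    printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile san.ext -out server.crt -days 365 -sha256 2>/dev/null )
}

# Succeed only if server.crt chains to ca.crt AND carries the public key that
# belongs to server.key (catches mixed-up key and certificate files).
check_server_cert() {
  ( cd "$1" &&
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 &&
    cert_pub=$(openssl x509 -in server.crt -noout -pubkey | openssl sha256) &&
    key_pub=$(openssl rsa -in server.key -pubout 2>/dev/null | openssl sha256) &&
    [ "$cert_pub" = "$key_pub" ] )
}

# Usage:
#   dir=$(mktemp -d) && issue_server_cert "$dir" web.example.internal &&
#     check_server_cert "$dir" && echo "certificate and key are consistent"
```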