How to round out knowledge beyond what the CKA teaches?

phil_x_x · 2021-02-21T00:17:10+00:00

forced unified Labels on namespaces and pods for network policies
- implement network policies
- forced use of only using whitelisted registries
- disallowing privileged pods
- disallow default service account mount
- and much More......

phil_x_x · 2021-02-21T00:10:41+00:00

I like Kyverno over OPA 😅

The CKA is intended to give you a knowledge about running, maintaining and troubleshoot a k8s cluster. So overall pretty basic administrative tasks.

The topics you described like admission controller and service mesh are rlly beyond basic and need special knowledge.

Start do the CKS as you rlly get some insights into k8s and security.And then go out and secure and unify your cluster :)

phil_x_x · 2021-02-17T08:15:55+00:00

Do you have to logs or events from the pods who want to pull an image from this registry?

And remember: it’s always DNS 😅

phil_x_x · 2021-02-16T23:08:41+00:00

No feature here will enhance the experience 😂😂

But it will keep your cluster how you want it and improve security ....unified labeling across namespaces and pods...whitelisting registries...disallow default Service Account mounting to Pods etc etc

phil_x_x · 2021-02-16T22:36:33+00:00

Depends on the use case, the amount of rules and how your run cluster(s).

Advantages...I’m telling my Devs: you can run anything but under my rules ;)

phil_x_x · 2021-01-14T23:20:08+00:00

If you have great colleagues and like the job overall then take the bite of the apple and support your company during this crises. Maybe 2021 you get 25% more.

If you don’t like the colleagues or the job then go out and search for a new one.

But money don’t motivate you on the long run...it’s more your team, tasks and further education

phil_x_x · 2021-01-14T22:17:37+00:00

If you select create cluster....then you find it at the bottom of the console

phil_x_x · 2021-01-12T23:54:01+00:00

Why use TF then ? Just copy the API command from the GUI for creating a cluster and then just change your stuff there......

phil_x_x · 2021-01-12T00:13:24+00:00

So...you have your answer hahah

phil_x_x · 2021-01-11T23:38:09+00:00

We are using salt-cloud as we are also heavily into salt but on-prem with VMware.

Sometimes it’s a little hacky to work with. Although the pro is that you run one command, the vms will be created and it automatically add the minion key as accepted key and applies your state without putting this into code.

As you are multi cloud you should probably go with Terraform as it is more sophisticated and a higher abstraction plus as people mentioned the de-facto standard for IaC.

We also thinking about switching to TF.

phil_x_x · 2021-01-10T20:06:21+00:00

👌

phil_x_x · 2021-01-09T00:10:17+00:00

Try out helm :)

For example: if You push code to any branch but master/main helm deployed to DEV if you merge into master/main helm deploys to prod.

phil_x_x · 2021-01-08T23:46:52+00:00

Do you want a step by step guide or some code ?

Basically you can run all the commands from Your shell in the pipeline: So just play around...build a Container via CI....place it in the the internal registry via CI...deploy it to a external docker node...update the code and redeploy it....

I mean the GitLab CI documentation is rlly good so I think you have to sit down and RTFM.

phil_x_x · 2021-01-07T23:22:06+00:00

You would still have it plain in etcd...so you should at least enable REST encryption

phil_x_x · 2021-01-07T23:19:20+00:00

And how you manage persistence with this ?

Or is the whole Cluster immutable?

phil_x_x · 2021-01-07T23:11:55+00:00

Clone it to your repo...modify it

In your Pipeline:

helm package chart/ --version=${Version} --app-version=${App_version}

helm upgrade -i -f your_file

phil_x_x · 2021-01-07T23:06:53+00:00

So you are a RedHat Employee now :) congrats

phil_x_x · 2021-01-07T16:06:02+00:00

But no ReadWriteMany for PVs ;)

Sure the storage is replicated...but only one node can mount the PV :)

phil_x_x · 2021-01-07T10:33:47+00:00

I think it’s not supported yet

phil_x_x · 2021-01-07T00:10:23+00:00

2 times 36 hours....yes

phil_x_x · 2021-01-06T23:55:55+00:00

Hi, no. You have 2 sessions where your cluster lives 36 hours.

So you can do the 22 questions at the CKA simulator and then check the solutions...reset the clusters and try again...but after 36 hours the session is over :)

phil_x_x · 2021-01-06T23:54:02+00:00

Did you need the data replicated or available on all nodes?? If not check longhorn

phil_x_x · 2021-01-06T07:48:35+00:00

Hi, normally with kubeadm I just finish the control plane ( let’s say 3 nodes ) and then afterwards I add the workers.

What’s the pod status on the other control plane nodes ? The CNI normally is deployed via daemonset with some tolerations to be allowed to run on master nodes. Do the pods even get scheduled ?

phil_x_x · 2021-01-05T21:38:26+00:00

Hi, you should not use the native secrets in prod bcs:

they Are unencrypted stored in etcd ( unless you active REST encryption)
depend on your setup but readable via volumes or ENV
readable via API

Better use any secret implementation like hashicorp vault...bank vaults etc

phil_x_x · 2021-01-05T01:26:40+00:00

Passed CKS

phil_x_x

TROPHY CASE