Kubernetes (CKA / CKAD) cheat sheet

I could pass the CKA first time with these notes 😊

Note 1:

“If you see ”🟢”, it signifies advice relevant to the Certified Kubernetes Administrator (CKA) exam.”
“If you see ”🟠”, it indicates a topic not covered in the CKA exam, but you can quickly glance at it for additional information.”

Note 2:

🟢 When preparing for the CKA exam, it’s advisable to utilize the alias k="kubectl" command. This alias not only shortens your commands but is also conveniently preconfigured for you during the exam. So, make sure to take advantage of it! 😊
I’ll be incorporating this alias throughout this cheatsheet for your reference.

Note 3:

🟢 During the Certified Kubernetes Administrator (CKA) exam, personal notes are not permitted; however, you do have access to the official documentation at https://k8s.io. Consequently, in this cheat sheet, I will provide numerous references from the documentation.

K8S Architecture

Manager
- API Server: This component is responsible for managing and controlling the entire cluster. It serves as the entry point for administrators, users, and external components to interact with Kubernetes.
- Scheduler: The Scheduler is responsible for efficiently distributing containers across worker nodes within the cluster. It calculates where each pod should run based on resource requirements and constraints.
- Controller Manager: The Controller Manager monitors the state of nodes, pods, and other resources in the cluster. It ensures that the desired state is maintained and takes corrective actions if necessary.
- ETCD: ETCD is a key/value database that serves as the brain of the cluster. It stores all configuration data, ensuring consistency and high availability for the entire Kubernetes system.
Worker
- Container runtime (like containerd or Docker): These software components are responsible for running containers on worker nodes. They manage the execution and lifecycle of containers.
- Kubelet: The Kubelet is the Kubernetes agent running on each worker node. It ensures that containers are running as expected by interacting with the container runtime. Kubelet also communicates with the Kubernetes control plane to receive pod specifications and ensure their correct execution.
- KubeProxy: KubeProxy operates on each worker node and plays a crucial role in forwarding network traffic to the appropriate pods based on their IP addresses and port numbers. It enables essential functionalities such as load balancing, service discovery, and network routing within the Kubernetes cluster.

Kubernetes Concepts

Node: A server in the Kubernetes cluster, which can be a physical machine or a virtual instance.
Deployment: Used to manage the deployment of applications. For example, you can create a deployment like this: kubectl create deploy nginx-deploy --image=nginx. Deployments are handy for rolling updates and ensuring that the desired number of replicas are running.
ReplicaSet: A controller used to maintain a specified number of replicas of pods running in the cluster. It ensures the desired pod count is maintained even in the case of failures.
Pod: The smallest and simplest unit in Kubernetes, representing one or more containers. You can create a pod like this: kubectl run [name] --image=nginx. Pods are the lowest level of abstraction in Kubernetes.
Service: A Kubernetes abstraction that provides a stable network identity and connectivity to one or more pods. Services come in different types:
- NodePort: Exposes the service on a static port on each node, making it accessible externally. It’s useful for scenarios where you need to access services from outside the cluster.
  - port: The service port that external clients use.
  - targetPort: The port on which the container inside the pod is listening.
  - nodePort: A port on the node that acts as a bridge to the service.
- ClusterIP: Exposes the service with an internal cluster IP, typically used for inter-service communication within the cluster.
  - port: The service port for communication within the cluster.
- Ingress: Manages external access to services within the cluster, often used for routing traffic based on domain names. It serves as a powerful way to expose services to external users and is particularly useful for HTTP and HTTPS routing.
Secret: A Kubernetes resource for storing sensitive information such as API keys, passwords, and tokens. Secrets are encoded and can be used by pods securely.
ConfigMap: A Kubernetes resource for storing configuration data separately from application code. ConfigMaps allow you to decouple configuration settings from your application code, making it easier to manage and update configuration across different environments.

File structure

Headers and Metadata: This section includes the following key information:
- API Version
- Kind
- Name
- Namespace Location
- Labels
Spec: The content of this section varies depending on the “Kind” of resource. Refer to the relevant Kubernetes documentation for details on the specific resource you are working with.
Status: This section is automatically generated by Kubernetes and is used to calculate the difference between the previous and current states of the resource.

This is a small example:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: my_super_nginx_pod
  name: my_super_nginx_pod
spec:
  containers:
  - image: nginx
    name: my_super_nginx_pod
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

Basic `kubectl` commands

# Demo with "deploy / deployment" object
k create deploy nginx-depl --image=nginx --replicas=3
k create deploy nginx-depl --image=nginx --replicas=3 --dry-run=client -o yaml > depl.yaml
# 🟢 "--dry-run=client -o yaml" is very useful for CKA to avoid searching in the documentation how to create object

k get deploy nginx-depl
k edit deploy nginx-depl
k describe deploy nginx-depl
k delete deploy nginx-deploy

k run super-nginx --image=nginx
k exec -ti super-nginx -- bash

k get all
k get api-resources -o name
k get events

# Count stuff:
k get role --no-headers | wc -l

# Manipulate containers
docker ps
#
crictl ps
crictl rm
crictl inspect <container_id> | grep runtime

k apply -f <file>.yaml
k apply -f <file>.yaml --force --grace-period=0 # 🟢 Useful for CKA to avoid to wait some seconds

kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}' # Complex queries

k get pod -o wide # (get IP address of Pod)
k get pod -n kube-system
k get pod -A # (= all namespaces)
k get pod --watch
k get pod --sort-by="..."
k get pod --show-labels

k top node
k top pod
k top pod --containers=true

#

k scale deployment nginx --replicas=3
# or
k edit deployment nginx # 🟢 I prefer using this method for the CKA. Type "/replica" in VIM, and press "CTRL+A" or "CTRL+X"


k explain replicaset
k describe
k create deploy --help

#

k config view
k config use-context
k config current-context

You can see the exhaustive cheatsheet on the documentation : https://kubernetes.io/docs/reference/kubectl/cheatsheet/

🟢 Note : most of the objects have a shortcut:

k get services
k get svc

These two commands are the same.

Now, let’s see all the useful documentation references for the CKA exam:

Scheduling

Namespace
- https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
🟠 Resource Quotas
- https://kubernetes.io/docs/concepts/policy/resource-quotas/
🟠 Limit Ranges
- https://kubernetes.io/docs/concepts/policy/limit-range/
🟠 Liveness, Readiness and Startup Probes
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
Scheduler
- https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
Labels
- https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
Taints and toleration
- To put restriction
- Taints = ON NODES
- Toleration = ON PODS
- https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/#concepts
- k describe node node01 | grep Taint
Node affinity
- https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
- Taints/Toleration = Avoid pod to go on some nodes
- Affinity = Force pod to go on some nodes
Resource request
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container
- Request = Minimum resources
- Limit = Maximum resources
- OOM = Out Of Memory
Deployments
- https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
- For stateless apps
🟠 StatefulSets
- https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
- For applications with:
  - Stable, unique network identifiers.
  - Stable, persistent storage.
  - Ordered, graceful deployment and scaling.
  - Ordered, automated rolling updates.
DaemonSet
- https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
- To always have one copy of the pod on EACH node
Static pod
- https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/
Multiple Scheduler
- https://kubernetes.io/docs/reference/scheduling/config/

Logs & Monitoring

Logs & Monitoring
- Metric server ; Prometheus ; Elastic stack
- k top node
- k top pod
- k logs -f <pod_name> <container_name>

Application Lifecycle Management

Rolling updates
- https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/
- k rollout status deployment/myapp-depl
- k rollout undo deployment/myapp-depl
- k set image deployment/myapp-depl nginx=nginx:1.9.1
- k rollout history deployment/myapp-depl
Commands
- https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#define-a-command-and-arguments-when-you-create-a-pod
- Tip: you can use sh -c "" if command is very long

command:
    - sh
    - -c
    - "wget ..."

Env
- https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#define-an-environment-variable-for-a-container
Configmap
- https://kubernetes.io/docs/concepts/configuration/configmap/
- k create configmap name --from-literal=key=value
- k create configmap name --from-file=app.properties
Secrets
- https://kubernetes.io/docs/concepts/configuration/secret/
- k create secret generic name --from-literal=DB_PASS=mysql_password
- echo -n "hi" | base64
- ⚠️ Encryption is not enabled by default
- Encrypt at rest
- https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
Design patterns (🟠 NOT IN CKA but present in CKAD)
- Sidecar: Involves attaching a helper container to a primary application container to provide additional functionality or services, such as logging, monitoring, or security.
- Adapter: Acts as a translator or intermediary between two incompatible interfaces or systems, allowing them to work together seamlessly.
- Ambassador: Represents a single entry point for managing and controlling communication between services, often used for routing, load balancing, and authentication in a microservices architecture.
Init containers
- https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#init-containers-in-use

Cluster Maintenance

Cluster maintenance
- https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/#use-kubectl-drain-to-remove-a-node-from-service
- k cordon node01 (no new pod will be scheduled on node01)
- k drain node01 (remove all the pods of node01 and cordon it)
- k uncordon node01 (new pods can be scheduled again on node01)
Version policy
- https://kubernetes.io/releases/version-skew-policy/
Create a K8S cluster
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/
Update a K8S cluster
- https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/
- Never have more than 2 minor version a the time (X, X-1, X-2)
- Upgrade a cluster step by step, minor by minor always

Here is an example for CKA :

# 1) Upgrade controlplane
kubectl drain controlplane --ignore-daemonsets
apt update
apt-get install kubeadm=1.27.0-00
kubeadm upgrade plan v1.27.0
kubeadm upgrade apply v1.27.0
apt-get install kubelet=1.27.0-00
systemctl daemon-reload
systemctl restart kubelet
kubectl uncordon controlplane

# 2) Remove the taint of the controlplane
kubectl describe node controlplane | grep -i taint
kubectl taint node controlplane node-role.kubernetes.io/control-plane:NoSchedule-
kubectl describe node controlplane | grep -i taint

#3) Upgrade Node
ssh node
kubectl drain node01 --ignore-daemonsets
apt update
apt-get install kubeadm=1.27.0-00
kubeadm upgrade node
apt-get install kubelet=1.27.0-00
systemctl daemon-reload
systemctl restart kubelet
exit

kubectl uncordon node01
kubectl get pods -o wide | grep super_pod # (make sure this is scheduled on a node)

Backup and restore
- 🟠 k get all --all-namespaces -o yaml > backup.yaml (not this way for the CKA)
1. Backup : Search “ETCD” in the documentation and scroll down - https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster
2. Restore
  - 1st step: load the data
  - 2nd step: in /etc/kubernetes/manifest/etcd, change the volume path

Security

ServiceAccounts
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting
- k create sa <name>
- Used for service (Prometheus, Jenkins…)
- In pod : /var/run/secrets/kubernetes.io/serviceaccount
Create a user ; csr ; approve ; set a role and rolebinding
- Type “users” in documentation, and in the left bar : “Certificates and Certificate Signing Requests”
- https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#create-private-key
- kubectl auth can-i create deployments --namespace dev
- 🟠 Other auth/permissions methods
  - Node Authorizer = use by kubelet to auth
  - ABAC = Attribute-based access control ; We need to create a policy per user or group
  - Webhook : used to externalize permissions
  - AlwaysAllow
  - AlwaysDeny
RBAC : Role-based access control
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- 🟢 Always use kubectl when you want to create role/rolebinding for the CKA to avoid mistakes
- k create role --help
- k create rolebinding --help
- …
- k create clusterrole --help
- k create clusterrolebinding --help
- …
- k auth can-i create deployment -n test
- k auth can-i delete nodes --as dev-user
- …
- k create sa sa1
- k create token sa1
Kubeconfig files
- https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
- k get pod -> look into $HOME/.kube/config if we are authorized
  - Example clusters: Dev, Prod, Google, Playground
  - Example Users: Admin, DevUser, ProdUser
  - Example Contexts: Admin@Production, Dev@Google
Custom images
- https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
- k create secret docker-registry --help
- or add in pod yaml key imagePullSecrets
Security context
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
- runAsUser: 1000 | runAsGroup: 3000 | fsGroup: 2000
Network Policies
- https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource
- Use case : “ONLY allow backend to communicate with the DB”
- We would put a NP on the DB
- Egress = All connection which go OUT
- Ingress = All connection which go IN

Storage

Simple volume
- https://kubernetes.io/docs/concepts/storage/volumes/#emptydir-configuration-example
- Communication between 2 containers in one pod
- 🟢 Always use emptyDir because it’s easy to configure
Persistent Volumes
- https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistent-volumes
- https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims (same page)
- PV and PVC should have the same accessMode to be bound together
Storage classes
- https://kubernetes.io/docs/concepts/storage/storage-classes/
- With storage classes, no need to create a PV. PV are created automatically.
- Useful when you are using cloud
- Ex: SC silver, SC gold, SC platinium

Networking

🟠 Commands for testing
- Switch
  - ip link
  - ip addr
  - ip addr add ip/mask dev eth0
  - ip route
  - ip route add ip/mask via ip
  - cat /proc/sys/net/ipv4/ip-forward
- DNS
  - nslookup
  - dig
- Docker
  - ip netns add <name>
  - ip netns exec <name> ip link or ip -n <name> link
Container Networking
- CNI = Container Network Interface
- 🟠
  - ip a -> get ip / network interface
  - ip link show eth0
  - ip route show default
  - ps -aux
- https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
- Plugin path: /etc/cni/net.d
Cluster networking
- Search “ports” in the documentation
- https://kubernetes.io/docs/reference/networking/ports-and-protocols/
Pod networking
- 1 pod = 1 IP
- 🟠

./netscript.sh

# Create veth pair
ip link add ...

# Attach veth pair
ip link set ...
ip link set ...

# Assign IP Address
ip -n <namespace> addr add ...
ip -n <namespace> route add ...

Loading graph...

IP Table would be (Network - Gateway) :

10.224.1.0/24 - 192.168.1.11
10.224.2.0/24 - 192.168.1.12
10.224.3.0/24 - 192.168.1.13

Kubelet :

--cni-config-dir=/etc/cni/net.d
--cni-bin-dir=/etc/cni/bin => ./net-script.sh add <container> <namespace>

In ./net-script.sh, we should add switch case:

ADD)
    ...
DEL)
    ip link del ...

That’s why we have to use a CNI plugin
- Example installation :
  - kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s.yaml
  - It will deploy an agent WeaveWorks on each node with a DaemonSet
- CIDR = Range of IP address
  - /etc/kubernetes/manifests/api-server.yaml -> // Search for range (controlplane)
Service networking
- ClusterIP = IP accessible only INSIDE the cluster
- NodePort = IP accessible INSIDE and OUTSIDE

🟢 Please use k expose pod|deploy <pod|deploymentName> --name=<serviceName> --type=<serviceType>. AVOID to use k create svc [...].

CoreDNS
- https://kubernetes.io/docs/tasks/administer-cluster/coredns/
- Search “dns” on the doc
  - https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services
  - Ex: data.test.svc.cluster.local
  - https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods
  - Ex: 172-17-0-3.default.pod.cluster.local
  - Used to ping containers accross the cluster
Ingress
- Used to bind a domain to a service
- https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
- It comes with a loadbalancer, SSL support…

Manage cluster

Choosing the infrastructure
- OpenShift
- Cloud Foundry Container Runtime
- VMware Cloud PKS
- Vagrant
High Availability
- Multiple masters (active / stand by)
- ETCD
  - Stacked Topology or External Topology
  - RAFT Algorithm
    - Always use a ODD number of manager server !
    - Majority = Quorum = (n/2)+1
      - Manager=1 - so Majority=1 - so Fault Tolerance=0
      - Manager=2 - so Majority=2 - so Fault Tolerance=0
      - Manager=3 - so Majority=2 - so Fault Tolerance=1
      - Manager=4 - so Majority=3 - so Fault Tolerance=1
      - Manager=5 - so Majority=3 - so Fault Tolerance=2
      - Manager=6 - so Majority=4 - so Fault Tolerance=2
      - Manager=7 - so Majority=4 - so Fault Tolerance=3
    - Fault Tolerance add 1 every odd number of managers
Troubleshooting
- Check about K8S components: k get pod -n kube-system
  - k describe pod <podName>
  - k logs <podName>
- Check about Nodes: k get nodes
  - ssh <failed_node>
  - systemctl status kubelet
  - systemctl start kubelet
  - systemctl status kubelet
  - journalctl -u kubelet -f
  - whereis kubelet
  - ls /var/lib/kubelet
  - ls /etc/systemd/system/
  - k get events
  - tail -1000 /var/log/messages
  - journalctl -xe
- Check about services, if everything is well configured, if labels match…

If replicas=3 doesn’t work, then the failure must be on Scheduler or Controller manager…

Install K8S
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#dpkg-k8s-package-repo
JSON Path
- https://kubernetes.io/docs/reference/kubectl/jsonpath/

Even this cheat sheet is very personnal, I hope it proves valuable in helping 😊

🍀🍀🤞🏻🤞🏻 Hard work and Good luck ! 🤞🏻🤞🏻🍀🍀