RedHat Red Hat Certified Specialist in OpenShift Administration - EX280무료 덤프문제 풀어보기
Configure limits
Configure your OpenShift cluster to use limits in the bluebook project with the following requirements:
The name of the LimitRange resource is: ex280-limits
The amount of memory consumed by a single pod is between 5Mi and 300Mi The amount of memory consumed by a single container is between 5Mi and
300Mi with a default request value of 100Mi
The amount of CPU consumed by a single pod is between 10m and 500m
The amount of CPU consumed by a single container is between 10m and 500m with a default request value of
100m
Configure your OpenShift cluster to use limits in the bluebook project with the following requirements:
The name of the LimitRange resource is: ex280-limits
The amount of memory consumed by a single pod is between 5Mi and 300Mi The amount of memory consumed by a single container is between 5Mi and
300Mi with a default request value of 100Mi
The amount of CPU consumed by a single pod is between 10m and 500m
The amount of CPU consumed by a single container is between 10m and 500m with a default request value of
100m
정답:
See the solution below in Explanation.
Explanation:
Solution:
$ vim limit.yaml
# Edit the yaml file like below mentioned
apiVersion: "v1" kind: "LimitRange" metadata:
name: "resource-limits" spec:
limits:
- type: "Pod"
max:
cpu: "500m" memory: "300Mi"
min:
cpu: "10m" memory: "5Mi"
- type: "Container" max:
cpu: "500m" memory: "300Mi"
min:
cpu: "10m" memory: "5Mi"
defaultRequest: cpu: "100m" memory: "100Mi"
$ oc create -f limit.yaml --save-config -n bluebook
$ oc describe limitranges -n bluebook
Explanation:
Solution:
$ vim limit.yaml
# Edit the yaml file like below mentioned
apiVersion: "v1" kind: "LimitRange" metadata:
name: "resource-limits" spec:
limits:
- type: "Pod"
max:
cpu: "500m" memory: "300Mi"
min:
cpu: "10m" memory: "5Mi"
- type: "Container" max:
cpu: "500m" memory: "300Mi"
min:
cpu: "10m" memory: "5Mi"
defaultRequest: cpu: "100m" memory: "100Mi"
$ oc create -f limit.yaml --save-config -n bluebook
$ oc describe limitranges -n bluebook
Configure an identity provider
Configure your OpenShift cluster to use an HTPasswd identity provider with the following requirements:
The name of the identity provider is: ex280-htpasswd The name of the secret is: ex280-idp-secret The user account armstrong=indionce The user account collins=veraster The user account aldrin=roonkere The user account jobs=sestiver The user account wozniak=glegunge
Configure your OpenShift cluster to use an HTPasswd identity provider with the following requirements:
The name of the identity provider is: ex280-htpasswd The name of the secret is: ex280-idp-secret The user account armstrong=indionce The user account collins=veraster The user account aldrin=roonkere The user account jobs=sestiver The user account wozniak=glegunge
정답:
See the solution below in Explanation.
Explanation:
Solution:
$ sudo yum install httpd-tools -y
$ htpasswd -c -B -b htpasswd-file-upload armstrong indionce
$ htpasswd -B -b htpasswd-file collins veraster
$ htpasswd -B -b htpasswd-file aldrin roonkere
$ htpasswd -B -b htpasswd-file jobs sestiver
$ htpasswd -B -b htpasswd-file wozniak glegunge
$ oc create secret generic ex280-idp-secret --from-file
htpasswd=htpasswd-file -n openshift-config
$ oc get oauth/cluster -o yaml > oauth.yaml
$ vim oauth.yaml
$
esc-- > type :set paste -- > enter -- > insert -- > then paste the content for correct indent pasting spec:
identityProviders:
- name: ex280-htpasswd mappingMethod: claim type: HTPasswd htpasswd:
fileData:
name: ex280-idp-secret
$ oc replace -f oauth.yaml
$ oc login -u armstrong -p indionce
$ oc login -u collins -p veraster
$ oc login -u aldrin roonkere
$ oc login -u jobs sestiver
$ oc login -u wozniak -p glegunge
#This below part of operation is completely optional and done just for handy login purpose
$ alias _kube="oc login -u kubeadmin -p ${kube_pass} ${api_url}"
$ alias _armstrong="oc login -u armstrong -p ${armstrong}
${api_url}"
$ alias _collins="oc login -u collins -p ${collins} ${api_url}"
$ alias _aldrin="oc login -u aldrin -p ${aldrin} ${api_url}"
$ alias _jobs="oc login -u jobs -p ${jobs} ${api_url}"
$ alias _wozniak="oc login -u wozniak -p ${wozniak} ${api_url}"
$ _armstrong;_armstrong;_collins;_aldrin;_jobs;_wozniak;
Explanation:
Solution:
$ sudo yum install httpd-tools -y
$ htpasswd -c -B -b htpasswd-file-upload armstrong indionce
$ htpasswd -B -b htpasswd-file collins veraster
$ htpasswd -B -b htpasswd-file aldrin roonkere
$ htpasswd -B -b htpasswd-file jobs sestiver
$ htpasswd -B -b htpasswd-file wozniak glegunge
$ oc create secret generic ex280-idp-secret --from-file
htpasswd=htpasswd-file -n openshift-config
$ oc get oauth/cluster -o yaml > oauth.yaml
$ vim oauth.yaml
$
esc-- > type :set paste -- > enter -- > insert -- > then paste the content for correct indent pasting spec:
identityProviders:
- name: ex280-htpasswd mappingMethod: claim type: HTPasswd htpasswd:
fileData:
name: ex280-idp-secret
$ oc replace -f oauth.yaml
$ oc login -u armstrong -p indionce
$ oc login -u collins -p veraster
$ oc login -u aldrin roonkere
$ oc login -u jobs sestiver
$ oc login -u wozniak -p glegunge
#This below part of operation is completely optional and done just for handy login purpose
$ alias _kube="oc login -u kubeadmin -p ${kube_pass} ${api_url}"
$ alias _armstrong="oc login -u armstrong -p ${armstrong}
${api_url}"
$ alias _collins="oc login -u collins -p ${collins} ${api_url}"
$ alias _aldrin="oc login -u aldrin -p ${aldrin} ${api_url}"
$ alias _jobs="oc login -u jobs -p ${jobs} ${api_url}"
$ alias _wozniak="oc login -u wozniak -p ${wozniak} ${api_url}"
$ _armstrong;_armstrong;_collins;_aldrin;_jobs;_wozniak;
Create Network Policy
Task information Details:
Create a NetworkPolicy named mysql-db-conn that permits ingress to database pods only from pods matching the specified labels in namespaces labeled team=devsecops , on TCP port 3306 .
Task information Details:
Create a NetworkPolicy named mysql-db-conn that permits ingress to database pods only from pods matching the specified labels in namespaces labeled team=devsecops , on TCP port 3306 .
정답:
See the solution below in Explanation.
Explanation:
Solution:
* Create a file named mysql-db-conn.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: mysql-db-conn
spec:
podSelector:
matchLabels:
networking.k8s.io/v1/network: database
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
team: devsecops
podSelector:
matchLabels:
deployment: my-web-mysql
ports:
- protocol: TCP
port: 3306
* Apply it:
oc apply -f mysql-db-conn.yaml
* Verify:
oc get networkpolicy
oc describe networkpolicy mysql-db-conn
This task tests namespace/pod label selection and application isolation using OpenShift networking policy controls.
Explanation:
Solution:
* Create a file named mysql-db-conn.yaml:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: mysql-db-conn
spec:
podSelector:
matchLabels:
networking.k8s.io/v1/network: database
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
team: devsecops
podSelector:
matchLabels:
deployment: my-web-mysql
ports:
- protocol: TCP
port: 3306
* Apply it:
oc apply -f mysql-db-conn.yaml
* Verify:
oc get networkpolicy
oc describe networkpolicy mysql-db-conn
This task tests namespace/pod label selection and application isolation using OpenShift networking policy controls.
Manage Cluster Project and Permission
Task information Details:
Create projects apollo , test , and demo .
Grant bob the cluster-admin role.
Prevent ordinary authenticated users from self-provisioning projects.
Allow john to create projects.
Give natasha view-only access to test and apollo .
Give armstrong admin access to apollo .
Remove the kubeadmin user secret.
Task information Details:
Create projects apollo , test , and demo .
Grant bob the cluster-admin role.
Prevent ordinary authenticated users from self-provisioning projects.
Allow john to create projects.
Give natasha view-only access to test and apollo .
Give armstrong admin access to apollo .
Remove the kubeadmin user secret.
정답:
See the solution below in Explanation.
Explanation:
Solution:
* Create the projects:
oc new-project apollo
oc new-project test
oc new-project demo
* Grant cluster-admin to bob:
oc adm policy add-cluster-role-to-user cluster-admin bob
* Disable normal self-provisioning for authenticated users:
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
* Allow john to self-provision:
oc adm policy add-cluster-role-to-user self-provisioner john
* Give natasha view access in test and apollo:
oc policy add-role-to-user view natasha -n test
oc policy add-role-to-user view natasha -n apollo
* Give armstrong admin in apollo:
oc policy add-role-to-user admin armstrong -n apollo
* Remove kubeadmin secret:
oc delete secret kubeadmin -n kube-system
* Verify permissions:
oc adm policy who-can create projectrequests
oc describe rolebinding.rbac -n apollo
oc describe rolebinding.rbac -n test
This task tests core OpenShift administration around project lifecycle control, cluster-level RBAC, and decommissioning default bootstrap credentials.
Explanation:
Solution:
* Create the projects:
oc new-project apollo
oc new-project test
oc new-project demo
* Grant cluster-admin to bob:
oc adm policy add-cluster-role-to-user cluster-admin bob
* Disable normal self-provisioning for authenticated users:
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
* Allow john to self-provision:
oc adm policy add-cluster-role-to-user self-provisioner john
* Give natasha view access in test and apollo:
oc policy add-role-to-user view natasha -n test
oc policy add-role-to-user view natasha -n apollo
* Give armstrong admin in apollo:
oc policy add-role-to-user admin armstrong -n apollo
* Remove kubeadmin secret:
oc delete secret kubeadmin -n kube-system
* Verify permissions:
oc adm policy who-can create projectrequests
oc describe rolebinding.rbac -n apollo
oc describe rolebinding.rbac -n test
This task tests core OpenShift administration around project lifecycle control, cluster-level RBAC, and decommissioning default bootstrap credentials.