CKA solution notes, 1.32-4
11. CRD
You must connect to the correct host. Failing to do so may result in zero points.
[candidate@base] $ ssh cka000055
Task
Verify the cert-manager application that has been deployed to the cluster.
Using kubectl, save a list of all cert-manager Custom Resource Definitions (CRDs) to ~/resources.yaml.
Note: you must use kubectl's default output format. Do not set an output format; doing so will cost points.
Using kubectl, extract the documentation for the subject specification field of the Certificate custom resource and save it to ~/subject.yaml.
Note: you may use any output format kubectl supports. If unsure, use the default output format.
Task requirements:
1. Verify that cert-manager is deployed to the cluster
2. Save the list of cert-manager CRDs to the required path and file name (~/resources.yaml)
3. Extract the documentation for the Certificate resource's spec.subject field and save it to the required file (~/subject.yaml)
Solution
1. Verify that cert-manager is running
kubectl get pods -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-5c76bb8d65-cpgnb 1/1 Running 12 (101m ago) 193d
cert-manager-cainjector-78c5b9fb9c-7sk22 1/1 Running 12 (101m ago) 193d
cert-manager-webhook-7d4b9c66-m9xl7 1/1 Running 12 (101m ago) 193d
2. Save the CRD list to the required path and file name
The task asks for ~/resources.yaml (plural); writing to ~/resource.yaml would not be graded. Filtering the default table output with grep keeps the required format but drops the NAME / CREATED AT header row.
kubectl get crd | grep cert-manager > ~/resources.yaml
candidate@master01:~$ cat ~/resources.yaml
certificaterequests.cert-manager.io 2025-03-02T06:38:34Z
certificates.cert-manager.io 2025-03-02T06:38:34Z
challenges.acme.cert-manager.io 2025-03-02T06:38:34Z
clusterissuers.cert-manager.io 2025-03-02T06:38:34Z
issuers.cert-manager.io 2025-03-02T06:38:35Z
orders.acme.cert-manager.io 2025-03-02T06:38:35Z
3. Save the documentation for the Certificate subject spec
kubectl explain resolves the kind name against the cluster's API; if more than one API group in the cluster defines a Certificate kind, pin it with --api-version=cert-manager.io/v1.
kubectl explain certificate.spec.subject > ~/subject.yaml
candidate@master01:~$ cat ~/subject.yaml
GROUP:      cert-manager.io
KIND:       Certificate
VERSION:    v1

FIELD: subject <Object>

DESCRIPTION:
    Requested set of X509 certificate subject attributes.
    More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
    The common name attribute is specified separately in the `commonName` field.
    Cannot be set if the `literalSubject` field is set.

FIELDS:
  countries	<[]string>
    Countries to be used on the Certificate.

  localities	<[]string>
    Cities to be used on the Certificate.

  organizationalUnits	<[]string>
    Organizational Units to be used on the Certificate.

  organizations	<[]string>
    Organizations to be used on the Certificate.

  postalCodes	<[]string>
    Postal codes to be used on the Certificate.

  provinces	<[]string>
    State/Provinces to be used on the Certificate.

  serialNumber	<string>
    Serial number to be used on the Certificate.

  streetAddresses	<[]string>
    Street addresses to be used on the Certificate.
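As an added example that is not part of the original post, the shell snippet below tightens the grep used above: it matches only NAME values that end in `.cert-manager.io`, keeps the default-format header row, and then checks that all six cert-manager CRDs made it into the file. The CRD listing embedded in it is constructed sample input (the decoy CRD names and the timestamps are invented) so it runs without a cluster; the function names are this example's own.

```shell
# Added example, not from the original post. Filters a default-format
# `kubectl get crd` listing down to cert-manager's CRDs and verifies the
# result. Uses only awk/printf so it runs offline on constructed input.

# Keep line 1 (the NAME / CREATED AT header) plus rows whose NAME column
# ends in ".cert-manager.io". A plain `grep cert-manager` would also match
# any CRD whose name merely contains the string, and would drop the header.
filter_cert_manager_crds() {
    awk 'NR == 1 || $1 ~ /\.cert-manager\.io$/'
}

# Return 0 only if every CRD cert-manager ships appears in the given file;
# otherwise report the missing ones on stderr and return 1.
check_expected_crds() {
    missing=0
    for crd in certificaterequests.cert-manager.io certificates.cert-manager.io \
               challenges.acme.cert-manager.io clusterissuers.cert-manager.io \
               issuers.cert-manager.io orders.acme.cert-manager.io; do
        if ! awk -v n="$crd" '$1 == n { found = 1 } END { exit !found }' "$1"; then
            echo "missing CRD: $crd" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed stand-in for `kubectl get crd` output. The last two rows are
# invented decoys: one contains "cert-manager" without being a cert-manager
# CRD, the other is unrelated.
SAMPLE_CRD_LIST='NAME                                     CREATED AT
certificaterequests.cert-manager.io      2025-03-02T06:38:34Z
certificates.cert-manager.io             2025-03-02T06:38:34Z
challenges.acme.cert-manager.io          2025-03-02T06:38:34Z
clusterissuers.cert-manager.io           2025-03-02T06:38:34Z
issuers.cert-manager.io                  2025-03-02T06:38:35Z
orders.acme.cert-manager.io              2025-03-02T06:38:35Z
widgets.cert-manager-addon.example.com   2025-03-02T06:40:00Z
ingressclassparams.elbv2.k8s.aws         2025-03-02T06:41:00Z'

# Offline run on the sample. On the exam host the same two steps are:
#   kubectl get crd | filter_cert_manager_crds > ~/resources.yaml
#   check_expected_crds ~/resources.yaml
OUT="${TMPDIR:-/tmp}/resources.sample.yaml"
printf '%s\n' "$SAMPLE_CRD_LIST" | filter_cert_manager_crds > "$OUT"
check_expected_crds "$OUT"
```

The awk filter still emits kubectl's own table rows unchanged, so the file stays in the default output format the task demands; only the row selection is stricter than a substring grep.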
12. ConfigMap
You must connect to the correct host. Failing to do so may result in zero points.
[candidate@base] $ ssh cka000048
Task
An NGINX Deployment named nginx-static is running in the nginx-static namespace. It is configured through a ConfigMap named nginx-config.
Update the nginx-config ConfigMap to allow only TLSv1.3 connections.
Note: you may recreate, restart or scale resources as needed.
You can test your change with the following command:
candidate@cka000048$ curl -k --tls-max 1.2 https://web.k8snginx.local
Because TLSv1.2 is no longer allowed, this command should fail.
Task requirements:
1. Update the ConfigMap so that only TLS 1.3 connections are allowed
2. Restart the Deployment so the new ConfigMap takes effect
3. Verify that the change is in place
Solution:
1. Check that the Deployment is running and inspect the ConfigMap
kubectl get deployments.apps -n nginx-static
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-static 1/1 1 1 193d
candidate@master01:~$ kubectl get configmaps -n nginx-static
kube-root-ca.crt nginx-config nginx-index
candidate@master01:~$ kubectl get configmaps -n nginx-static nginx-config -o yaml
apiVersion: v1
data:
  nginx.conf: |
    server {
      listen 443 ssl;
      server_name web.k8snginx.local;

      ssl_certificate /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;

      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
      ssl_prefer_server_ciphers on;

      location / {
        root /usr/share/nginx/html;
        index index.html;
      }
    }
immutable: true   # marks the ConfigMap (or Secret) as immutable
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"nginx.conf":"server {\n listen 443 ssl;\n server_name web.k8snginx.local;\n\n ssl_certificate /etc/nginx/ssl/tls.crt;\n ssl_certificate_key /etc/nginx/ssl/tls.key;\n\n ssl_protocols TLSv1.2 TLSv1.3;\n ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';\n ssl_prefer_server_ciphers on;\n\n location / {\n root /usr/share/nginx/html;\n index index.html;\n }\n}\n"},"immutable":true,"kind":"ConfigMap","metadata":{"annotations":{},"name":"nginx-config","namespace":"nginx-static"}}
  creationTimestamp: "2025-03-02T06:46:32Z"
  name: nginx-config
  namespace: nginx-static
  resourceVersion: "25034"
  uid: b1a308a8-2c61-4782-86b5-6b2169d0f9b2
Background: what does immutable: true mean?
Immutable ConfigMaps and Secrets reached beta in Kubernetes 1.19 and have been GA since 1.21. The field marks the object as "immutable".
● Once immutable: true is set, the object's contents (.data and .binaryData) can no longer be changed, and the flag itself cannot be cleared.
● An attempt to edit them is rejected by the API server with: field is immutable when `immutable` is set
● The only way to change the content is to delete the ConfigMap and recreate it. Deleting is allowed even while Pods reference it, but the kubelet does not watch immutable ConfigMaps, so a running Pod will keep serving the old content until it is restarted, and a Pod scheduled while the ConfigMap is missing will fail to start until it is recreated.
2. Save the ConfigMap, then delete and recreate it
kubectl get configmaps -n nginx-static nginx-config -o yaml > configmap.yaml
Edit configmap.yaml: change ssl_protocols to TLSv1.3 only, and remove the server-managed metadata (annotations, creationTimestamp, resourceVersion, uid) so the file can be created as a new object. The ssl_ciphers line can stay: with TLSv1.3 alone it no longer applies, because nginx's ssl_ciphers only governs TLS 1.2 and earlier, and TLS 1.3 cipher suites come from OpenSSL's defaults.
candidate@master01:~$ cat configmap.yaml
apiVersion: v1
data:
  nginx.conf: |
    server {
      listen 443 ssl;
      server_name web.k8snginx.local;

      ssl_certificate /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;

      ssl_protocols TLSv1.3;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
      ssl_prefer_server_ciphers on;

      location / {
        root /usr/share/nginx/html;
        index index.html;
      }
    }
immutable: true
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: nginx-static
Because the existing object is immutable, apply alone would be rejected; delete it first, then create it from the edited file (kubectl replace --force -f configmap.yaml does both steps in one command):
kubectl delete configmap -n nginx-static nginx-config
kubectl apply -f configmap.yaml
3. Recreate the Pod and verify that the change took effect
kubectl get deployments.apps -n nginx-static
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-static 1/1 1 1 193d
# Recreate the Pod by scaling the Deployment to 0 and back to 1 (this takes the site down briefly;
# kubectl rollout restart deployment -n nginx-static nginx-static does a rolling replacement instead)
kubectl scale deployment -n nginx-static nginx-static --replicas=0
deployment.apps/nginx-static scaled
candidate@master01:~$ kubectl scale deployment -n nginx-static nginx-static --replicas=1
deployment.apps/nginx-static scaled
# Verify: TLS 1.2 must now be refused, TLS 1.3 must still serve the page.
# The "protocol version" alert comes from the server, which confirms it rejected the
# handshake rather than the connection failing for some other reason.
curl -k --tls-max 1.2 https://web.k8snginx.local
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
candidate@master01:~$ curl -k --tls-max 1.3 https://web.k8snginx.local
Hello World ^_^ My Wechat is shadowooom
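The whole procedure as an added shell example (not part of the original post): strip the server-owned metadata from a ConfigMap dump, rewrite ssl_protocols to TLSv1.3 only, check the result offline, and then, on the real cluster, delete and recreate the ConfigMap, restart the Deployment and probe every TLS version with curl rather than only 1.2 and 1.3. The ConfigMap embedded below is a constructed copy of the task's nginx-config, and the helper names (strip_server_metadata, set_tls13_only, tls13_only_policy_ok, probe_tls_versions, recreate_and_restart) are this example's own; the cluster-facing helpers are defined but not run here.

```shell
# Added example, not from the original post. Everything executed at top
# level works on a constructed ConfigMap and needs neither kubectl nor a
# network; the last two functions are for use against the real cluster.

# 1. Drop the fields the API server assigns. A recreated object must not
#    carry the old object's resourceVersion/uid/creationTimestamp.
strip_server_metadata() {
    sed -e '/^  resourceVersion:/d' -e '/^  uid:/d' -e '/^  creationTimestamp:/d'
}

# 2. Replace whatever protocol list nginx has with TLSv1.3 only. Works on a
#    raw nginx.conf and on the YAML block scalar alike, since the directive
#    sits on its own line either way.
set_tls13_only() {
    sed 's/^\([[:space:]]*ssl_protocols\)[[:space:]].*;/\1 TLSv1.3;/'
}

# 3. Policy check on a file: exactly one ssl_protocols directive, naming
#    only TLSv1.3. Returns 1 and explains on stderr otherwise.
tls13_only_policy_ok() {
    protos=$(grep -c '^[[:space:]]*ssl_protocols[[:space:]]' "$1" || true)
    if [ "$protos" -ne 1 ]; then
        echo "expected 1 ssl_protocols directive, found $protos" >&2
        return 1
    fi
    if ! grep -q '^[[:space:]]*ssl_protocols[[:space:]]\{1,\}TLSv1\.3;[[:space:]]*$' "$1"; then
        echo "ssl_protocols still allows something other than TLSv1.3:" >&2
        grep '^[[:space:]]*ssl_protocols' "$1" >&2
        return 1
    fi
}

# 4. Runtime probe: pin curl to each version in turn (needs curl 7.54+ for
#    --tls-max). Only 1.3 should be accepted. A "rejected" for 1.0/1.1 can
#    also come from the client's own OpenSSL refusing those versions.
probe_tls_versions() {
    url=$1
    for v in 1.0 1.1 1.2 1.3; do
        if curl -ksS "--tlsv$v" --tls-max "$v" -o /dev/null "$url" 2>/dev/null; then
            echo "TLS $v: accepted"
        else
            echo "TLS $v: rejected"
        fi
    done
}

# 5. Cluster steps in order: an immutable ConfigMap must be deleted and
#    recreated, and the Deployment restarted so the Pod mounts the new data.
recreate_and_restart() {
    ns=$1; cm=$2; deploy=$3; file=$4
    kubectl delete configmap -n "$ns" "$cm"
    kubectl apply -f "$file"
    kubectl rollout restart deployment -n "$ns" "$deploy"
    kubectl rollout status deployment -n "$ns" "$deploy" --timeout=120s
}

# Constructed copy of the task's ConfigMap, still allowing TLSv1.2.
ORIGINAL_CM=$(cat <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: nginx-static
  creationTimestamp: "2025-03-02T06:46:32Z"
  resourceVersion: "25034"
  uid: b1a308a8-2c61-4782-86b5-6b2169d0f9b2
immutable: true
data:
  nginx.conf: |
    server {
      listen 443 ssl;
      server_name web.k8snginx.local;
      ssl_certificate /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
      ssl_prefer_server_ciphers on;
      location / {
        root /usr/share/nginx/html;
        index index.html;
      }
    }
EOF
)

# Offline run. On the exam host replace the printf with
#   kubectl get configmap -n nginx-static nginx-config -o yaml > "$WORK.before"
# and finish with
#   recreate_and_restart nginx-static nginx-config nginx-static "$WORK"
#   probe_tls_versions https://web.k8snginx.local
WORK="${TMPDIR:-/tmp}/nginx-config.sample.yaml"
printf '%s\n' "$ORIGINAL_CM" > "$WORK.before"
strip_server_metadata < "$WORK.before" | set_tls13_only > "$WORK"
tls13_only_policy_ok "$WORK"
```

The offline policy check is the part worth keeping around: it catches a half-edited file (two ssl_protocols lines, or TLSv1.2 left in the list) before the immutable ConfigMap is deleted, which is the point of no return in this procedure.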