最新的RedHat Red Hat Certified Specialist in OpenShift Automation and Integration - EX380免費考試真題
Add tolerations to a deployment
Task Information : Update payments/api deployment to tolerate dedicated=payments:NoSchedule.
Task Information : Update payments/api deployment to tolerate dedicated=payments:NoSchedule.
正確答案:
See the solution below in Explanation:
Explanation:
* Patch deployment with toleration
* oc -n payments patch deploy api --type=merge -p '{
* "spec":{"template":{"spec":{"tolerations":[
* {"key":"dedicated","operator":"Equal","value":"payments","effect":"NoSchedule"}
* ]}}}
* }'
* Toleration allows pods to schedule onto tainted nodes.
* Verify scheduling
* oc -n payments get pods -o wide
Explanation:
* Patch deployment with toleration
* oc -n payments patch deploy api --type=merge -p '{
* "spec":{"template":{"spec":{"tolerations":[
* {"key":"dedicated","operator":"Equal","value":"payments","effect":"NoSchedule"}
* ]}}}
* }'
* Toleration allows pods to schedule onto tainted nodes.
* Verify scheduling
* oc -n payments get pods -o wide
Kubeconfig Management - Set Context in Kubeconfig
正確答案:
See the solution below in Explanation:
Explanation:
Step 1: Verify the cluster name, namespace, and user name that should be referenced.
The lab uses cluster api-ocp4-example-com:6443, namespace audit-ns, and user audit-sa.
Step 2: Run the command:
oc config set-context audit --cluster api-ocp4-example-com:6443 --namespace audit-ns --user audit-sa -- kubeconfig audit.config Step 3: Confirm context creation.
The lab output shows:
Context "audit" created.
Detailed explanation:
A kubeconfig context ties together three things: a cluster endpoint, a user identity, and optionally a default namespace. This Task creates a context named audit in the file audit.config. Contexts are useful because they simplify repeated administration by letting the user switch between prepared working environments instead of re-entering cluster and namespace details each time. The namespace portion is especially helpful for project- scoped operations, because commands run under that context default to the chosen namespace. Accuracy matters here: if the user name in the context does not match the credentials entry or the cluster name does not exist in the kubeconfig, the context will not function as intended.
Explanation:
Step 1: Verify the cluster name, namespace, and user name that should be referenced.
The lab uses cluster api-ocp4-example-com:6443, namespace audit-ns, and user audit-sa.
Step 2: Run the command:
oc config set-context audit --cluster api-ocp4-example-com:6443 --namespace audit-ns --user audit-sa -- kubeconfig audit.config Step 3: Confirm context creation.
The lab output shows:
Context "audit" created.
Detailed explanation:
A kubeconfig context ties together three things: a cluster endpoint, a user identity, and optionally a default namespace. This Task creates a context named audit in the file audit.config. Contexts are useful because they simplify repeated administration by letting the user switch between prepared working environments instead of re-entering cluster and namespace details each time. The namespace portion is especially helpful for project- scoped operations, because commands run under that context default to the chosen namespace. Accuracy matters here: if the user name in the context does not match the credentials entry or the cluster name does not exist in the kubeconfig, the context will not function as intended.
Recover a NotReady worker node (basic remediation workflow)
Task Information : Diagnose a NotReady worker node and restore it to Ready state using standard OpenShift admin workflow.
Task Information : Diagnose a NotReady worker node and restore it to Ready state using standard OpenShift admin workflow.
正確答案:
See the solution below in Explanation:
Explanation:
* Identify failing node and status
* oc get nodes
* Confirms which node is NotReady.
* Inspect node conditions and events
* oc describe node < worker >
* Shows kubelet condition issues (network, disk pressure, runtime, etc.).
* Check MachineConfigPool state
* oc get mcp
* oc describe mcp worker
* If MCP is degraded, node may be stuck applying a config.
* Check node logs (kubelet)
* oc adm node-logs < worker > --path=kubelet.log
* Often reveals why node isn't reporting Ready.
* Remediate based on symptom
* Examples:
* If out of disk: free space, then verify kubelet recovers.
* If stuck MCO: investigate current/desired config and fix broken MachineConfig.
* If node cordoned/drained incorrectly: uncordon after remediation.
* oc adm uncordon < worker >
* Confirm node returns Ready
* oc get node < worker >
Explanation:
* Identify failing node and status
* oc get nodes
* Confirms which node is NotReady.
* Inspect node conditions and events
* oc describe node < worker >
* Shows kubelet condition issues (network, disk pressure, runtime, etc.).
* Check MachineConfigPool state
* oc get mcp
* oc describe mcp worker
* If MCP is degraded, node may be stuck applying a config.
* Check node logs (kubelet)
* oc adm node-logs < worker > --path=kubelet.log
* Often reveals why node isn't reporting Ready.
* Remediate based on symptom
* Examples:
* If out of disk: free space, then verify kubelet recovers.
* If stuck MCO: investigate current/desired config and fix broken MachineConfig.
* If node cordoned/drained incorrectly: uncordon after remediation.
* oc adm uncordon < worker >
* Confirm node returns Ready
* oc get node < worker >
Create and use client certificates with kubeconfig (CSR flow)
Task Information : Generate a client key/CSR for audit2, approve it, extract the signed cert, and build a kubeconfig using that cert.
Task Information : Generate a client key/CSR for audit2, approve it, extract the signed cert, and build a kubeconfig using that cert.
正確答案:
See the solution below in Explanation:
Explanation:
* Generate private key and CSR
* openssl genrsa -out audit2.key 2048
* openssl req -new -key audit2.key -out audit2.csr -subj "/CN=audit2/O=auditors"
* CN becomes username; O can map to groups in some setups.
* Base64 encode CSR for the API object
* CSR=$(base64 -w0 audit2.csr)
* Kubernetes CSR object expects base64-encoded request data.
* Create the CSR object
* cat < < EOF | oc apply -f -
* apiVersion: certificates.k8s.io/v1
* kind: CertificateSigningRequest
* metadata:
* name: audit2-csr
* spec:
* request: ${CSR}
* signerName: kubernetes.io/kube-apiserver-client
* usages:
* - client auth
* EOF
* Approve the CSR
* oc adm certificate approve audit2-csr
* Approval triggers certificate issuance.
* Extract the signed certificate
* oc get csr audit2-csr -o jsonpath='{.status.certificate}' | base64 -d > audit2.crt
* Produces the client certificate file.
* Build kubeconfig using cert/key
* oc config set-credentials audit2 \
* --client-certificate=audit2.crt --client-key=audit2.key \
* --embed-certs=true --kubeconfig=audit2.kubeconfig
* oc config set-cluster lab \
* --server="$(oc whoami --show-server)" \
* --insecure-skip-tls-verify=true \
* --kubeconfig=audit2.kubeconfig
* oc config set-context audit2 \
* --cluster=lab --user=audit2 --namespace=default \
* --kubeconfig=audit2.kubeconfig
* Creates a kubeconfig that authenticates using client certificates.
* Test
* oc --kubeconfig=audit2.kubeconfig get ns
Explanation:
* Generate private key and CSR
* openssl genrsa -out audit2.key 2048
* openssl req -new -key audit2.key -out audit2.csr -subj "/CN=audit2/O=auditors"
* CN becomes username; O can map to groups in some setups.
* Base64 encode CSR for the API object
* CSR=$(base64 -w0 audit2.csr)
* Kubernetes CSR object expects base64-encoded request data.
* Create the CSR object
* cat < < EOF | oc apply -f -
* apiVersion: certificates.k8s.io/v1
* kind: CertificateSigningRequest
* metadata:
* name: audit2-csr
* spec:
* request: ${CSR}
* signerName: kubernetes.io/kube-apiserver-client
* usages:
* - client auth
* EOF
* Approve the CSR
* oc adm certificate approve audit2-csr
* Approval triggers certificate issuance.
* Extract the signed certificate
* oc get csr audit2-csr -o jsonpath='{.status.certificate}' | base64 -d > audit2.crt
* Produces the client certificate file.
* Build kubeconfig using cert/key
* oc config set-credentials audit2 \
* --client-certificate=audit2.crt --client-key=audit2.key \
* --embed-certs=true --kubeconfig=audit2.kubeconfig
* oc config set-cluster lab \
* --server="$(oc whoami --show-server)" \
* --insecure-skip-tls-verify=true \
* --kubeconfig=audit2.kubeconfig
* oc config set-context audit2 \
* --cluster=lab --user=audit2 --namespace=default \
* --kubeconfig=audit2.kubeconfig
* Creates a kubeconfig that authenticates using client certificates.
* Test
* oc --kubeconfig=audit2.kubeconfig get ns
Node Management - Remove Taint on Worker Node
正確答案:
See the solution below in Explanation:
Explanation:
Step 1: Log in to the OpenShift web console with an account that has sufficient cluster administrative privileges.
This Task is performed from the GUI, not the CLI. The lab hint explicitly places this under the worker node details page in the console.
Step 2: Navigate to Compute .
This area contains node-level resources, including control plane and worker nodes.
Step 3: Open Nodes .
Here you can view all nodes currently registered in the cluster.
Step 4: Select the required worker node .
Choose the exact worker node referenced by the lab Task SIMULATION .
Step 5: Open the Details tab.
The taint configuration is managed from the selected node's details view.
Step 6: Locate the Taints section and click Edit .
A taint is used to control pod scheduling. If a worker has a taint, pods without matching tolerations may not schedule there.
Step 7: Remove the unwanted taint entry.
Removing the taint makes the worker eligible again for normal scheduling behavior, depending on the rest of the cluster policy.
Step 8: Click Save .
This commits the change so the node is updated and the scheduler can evaluate it without that taint.
Explanation:
Step 1: Log in to the OpenShift web console with an account that has sufficient cluster administrative privileges.
This Task is performed from the GUI, not the CLI. The lab hint explicitly places this under the worker node details page in the console.
Step 2: Navigate to Compute .
This area contains node-level resources, including control plane and worker nodes.
Step 3: Open Nodes .
Here you can view all nodes currently registered in the cluster.
Step 4: Select the required worker node .
Choose the exact worker node referenced by the lab Task SIMULATION .
Step 5: Open the Details tab.
The taint configuration is managed from the selected node's details view.
Step 6: Locate the Taints section and click Edit .
A taint is used to control pod scheduling. If a worker has a taint, pods without matching tolerations may not schedule there.
Step 7: Remove the unwanted taint entry.
Removing the taint makes the worker eligible again for normal scheduling behavior, depending on the rest of the cluster policy.
Step 8: Click Save .
This commits the change so the node is updated and the scheduler can evaluate it without that taint.