EX280 Exam Dump
1. Configure the identity provider for OpenShift
- Create an HTPasswd identity provider with the name: htpass-ex280
- Create the secret for the identity provider users: htpass-idp-ex280
- Create the user account jobs with password deluges
- Create the user account wozniak with password grannies
- Create the user account collins with password culverins
- Create the user account adlerin with password artiste
- Create the user account armstrong with password spacesuits
Solution:***********************************************************************
htpasswd -cbB htpasswd_file jobs deluges
htpasswd -bB htpasswd_file wozniak grannies
htpasswd -bB htpasswd_file collins culverins
htpasswd -bB htpasswd_file adlerin artiste
htpasswd -bB htpasswd_file armstrong spacesuits
(-c creates the file, so it is used only for the first user; -B stores bcrypt hashes instead of the MD5-based default)
oc create secret generic htpass-idp-ex280 --from-file=htpasswd=htpasswd_file -n openshift-config
Create the identity provider in the web console: Administration > Cluster Settings > Configuration > OAuth > Add > HTPasswd. Set the name to htpass-ex280 and replace the auto-generated secret name with the given secret name "htpass-idp-ex280".
The OAuth pods in openshift-authentication restart after this change; wait until they are running again before testing.
Recommended
Log in as each of the created users in turn (oc login or the console) and confirm every login succeeds: a password mistyped into htpasswd_file shows up here, not later.
********************************************************************************
2. Configure cluster permissions
- User jobs can modify the cluster
- User wozniak can create projects
- User armstrong cannot create projects
- User wozniak cannot modify the cluster
- Remove the kubeadmin user from the cluster
Solution for q.2:***********************************************************************
oc adm policy add-cluster-role-to-user cluster-admin jobs
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
oc adm policy add-cluster-role-to-user self-provisioner wozniak
oc adm policy remove-cluster-role-from-user self-provisioner armstrong
oc adm policy add-role-to-user view wozniak -n openshift-config
oc delete secret kubeadmin -n kube-system
Notes: removing self-provisioner from system:authenticated:oauth takes project creation away from every ordinary user, which is what makes "armstrong cannot create projects" true; the explicit remove-cluster-role-from-user line is harmless but only matters if armstrong had been granted the role directly. The self-provisioners cluster role binding carries the annotation rbac.authorization.kubernetes.io/autoupdate; while it is "true" the API server restores the default subjects on restart, so set it to "false" after the removal. Delete the kubeadmin secret only after confirming that jobs can log in and list nodes: the deletion cannot be undone, and jobs is then the only cluster-admin.
*******************************************************************************
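The console step in question 1 and the permission checks in question 2, as an added example that is not part of the exam dump: the OAuth resource below is the CLI equivalent of the "Add HTPasswd" form (names are the ones the questions give), and verify_rbac asks the API server, via impersonation, whether each requirement of question 2 holds. Using "create clusterrolebindings" as the probe for "can modify the cluster" is an assumption; the annotation step is the documented way to stop the self-provisioners binding from being reconciled back.

```shell
#!/bin/sh
# Added example, not from the exam dump: the CLI equivalent of the console step
# in question 1 (the OAuth resource that wires the secret to the identity
# provider) and a scripted check of the requirements in question 2.
# The IdP and secret names are the ones the questions give; the choice of
# "clusterrolebindings" as the probe for "can modify the cluster" is an assumption.
set -eu

IDP_NAME=htpass-ex280
IDP_SECRET=htpass-idp-ex280

# OAuth/cluster is the singleton that lists identity providers. The secret
# must already exist in openshift-config (created above with oc create secret).
render_oauth_cr() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ${IDP_NAME}
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: ${IDP_SECRET}
EOF
}

# One line per requirement of question 2: "<user> <verb> <resource> <expected>".
rbac_expectations() {
  cat <<'EOF'
jobs create clusterrolebindings yes
wozniak create projectrequests yes
armstrong create projectrequests no
wozniak create clusterrolebindings no
EOF
}

# oc auth can-i --as=<user> asks the API server what that user may do;
# impersonation itself needs cluster-admin, so run this as jobs or kubeadmin.
# Prints every mismatch and returns 1 if there was one.
verify_rbac() {
  rc=0
  while read -r user verb res want; do
    got=$(oc auth can-i "$verb" "$res" --as="$user" 2>/dev/null || true)
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $user $verb $res: expected $want, got ${got:-error}" >&2
      rc=1
    fi
  done <<EOF
$(rbac_expectations)
EOF
  return $rc
}

# Only talk to a cluster when oc is installed and "apply" was requested.
if command -v oc >/dev/null 2>&1 && [ "${1:-}" = apply ]; then
  render_oauth_cr | oc apply -f -
  # Keep the API server from restoring self-provisioner on the group after
  # the removal done in question 2 (the binding is reconciled on restart otherwise).
  oc annotate clusterrolebinding.rbac self-provisioners \
    'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
  verify_rbac
fi
```

Run it as "sh script.sh apply" from a cluster-admin session after the htpasswd secret exists; without the argument it only defines the functions, so the manifest can be inspected with render_oauth_cr first.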
3. Configure project permissions
a. Create the following projects
i. apollo
ii. titan
iii. gemini
iv. bluebook
v. apache
b. User armstrong is the admin for the apollo and titan projects
c. User collins can view the apollo project
Solution for q.3:***********************************************************************
oc new-project apollo
oc new-project titan
oc new-project gemini
oc new-project bluebook
oc new-project apache
oc adm policy add-role-to-user admin armstrong -n apollo
oc adm policy add-role-to-user admin armstrong -n titan
oc adm policy add-role-to-user view collins -n apollo
User names are case sensitive: binding the role to "Collins" creates a binding for a user that does not exist, and the command still succeeds, so check with oc get rolebindings -n apollo that each subject matches the htpasswd user exactly.
****************************************************************************************
4. Create groups and configure permissions
a. Create a group called commander; user wozniak is a member of this group.
b. Create a group called pilot; user adlerin is a member of this group.
c. The commander group members can edit the apollo and titan projects.
d. The pilot group members can view the apollo project but not edit it.
Solution for q.4:***********************************************************************
oc adm groups new commander
oc adm groups add-user commander wozniak
oc adm groups new pilot
oc adm groups add-user pilot adlerin
oc adm policy add-role-to-group edit commander -n apollo
oc adm policy add-role-to-group edit commander -n titan
oc adm policy add-role-to-group view pilot -n apollo
Project names are lowercase DNS labels, so -n Apollo would refer to a project that does not exist. Check with oc get rolebindings -n apollo that the new subjects are of kind Group, not User.
****************************************************************************************
5. Configure quotas for the project
Create a ResourceQuota in the manhattan project named ex280-quota
a. The amount of memory consumed across all containers may not exceed 1Gi
b. The amount of CPU across all containers may not exceed 2 full cores
c. The maximum number of replication controllers does not exceed 3
d. The maximum number of pods does not exceed 3
e. The maximum number of services does not exceed 6
Solution for q.5:***********************************************************************
oc create quota ex280-quota --hard=cpu=2,memory=1Gi,pods=3,services=6,replicationcontrollers=3 -n manhattan
Check with oc describe quota ex280-quota -n manhattan. Once a quota constrains cpu and memory, every new pod in the project must declare requests for them or the API server rejects it; a LimitRange with defaults (question 6) is what supplies those values for pods that omit them.
****************************************************************************************
6. Configure limits for the project
Create a LimitRange in the bluebook project named ex280-limits
a. The amount of memory consumed by a single pod is between 100Mi and 300Mi
b. The amount of CPU consumed by a single pod is between 10m and 500m
c. The amount of CPU consumed by a single container is between 10m and 500m with a default request value of 100m
d. The amount of memory consumed by a single container is between 100Mi and 300Mi with a default request value of 100Mi
Solution for q.6:***********************************************************************
GUI method:
● In the console go to Administration > LimitRanges (left menu, near the bottom)
● Select the bluebook project and click Create LimitRange
● The YAML editor opens with a sample; edit it until it matches the YAML below:
● Keep the Container entry, fill in min, max and defaultRequest from the question, and delete default (a limit default is not asked for)
● Copy the Container entry, paste it below, change the type to Pod, and delete defaultRequest from it (defaults are only valid on Container entries)
● Double-check and save
The YAML will look like the following (it can also be saved to a file and created with oc create -f)
apiVersion: v1
kind: LimitRange
metadata:
  name: ex280-limits
  namespace: bluebook
spec:
  limits:
  - type: Container
    defaultRequest:
      memory: 100Mi
      cpu: 100m
    min:
      memory: 100Mi
      cpu: 10m
    max:
      memory: 300Mi
      cpu: 500m
  - type: Pod
    min:
      memory: 100Mi
      cpu: 10m
    max:
      memory: 300Mi
      cpu: 500m
To check the limit range
oc describe limitrange/ex280-limits -n bluebook
****************************************************************************************
7. Deploy an application
Deploy an application called rocky in the bluewills project
a. The application should be reachable from the URL:
http://rocky.apps.ocp4.example.com
b. You should get valid output
(the name of the service account to use, here magic, is given in the exam)
Solution for q.7:***********************************************************************
oc project bluewills
oc get pods
oc logs pod/<podname>
If the log shows a permission error (binding a privileged port, writing to a directory owned by root), the image needs to run as the user ID it was built with:
oc create sa magic
oc adm policy add-scc-to-user anyuid -z magic
oc set serviceaccount deployment/<deploymentname> magic   (dc/<dcname> if oc get all shows a DeploymentConfig)
oc get all
anyuid lets the container run as whatever UID the image specifies, often root, so grant it only when the log shows the image actually needs it.
If the service or the route doesn't exist, create them; the route must carry the required hostname, because oc expose otherwise generates <route>-<project>.apps.ocp4.example.com:
oc expose dc/<dcname>
oc expose svc/<svcname> --hostname=rocky.apps.ocp4.example.com
Check the URL with curl or a browser.
****************************************************************************************
8. Configure and deploy a secure edge route
Deploy an application called oxcart securely in the project called area51
a. The application has a self-signed certificate available with the subject
"/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=oxcart.apps.ocp4.example.com"
b. The application should be reachable at the URL: https://oxcart.apps.ocp4.example.com
c. Application produces valid output
Solution for q.8:***********************************************************************
oc project area51
oc get all
oc delete route <routename>   (the existing plain-HTTP route, if there is one)
Create the .crt and .key files using the given script
oc create route edge <routename> --service=<servicename> --hostname=oxcart.apps.ocp4.example.com --cert=<file>.crt --key=<file>.key
--hostname must equal the certificate CN (oxcart.apps.ocp4.example.com), otherwise TLS clients reject the name. With edge termination the router terminates TLS with this certificate and forwards plain HTTP to the pod, so the application itself needs no TLS configuration.
To check, open https://oxcart.apps.ocp4.example.com in the browser. The certificate is self-signed, so a warning page is expected; accept it and the application output should appear. To confirm the router is serving your certificate and not its default one, compare the subject the browser (or openssl s_client) shows with the subject above.
***************************************************************************************
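The certificate and route steps of question 8, as an added example that is not part of the exam dump. make_selfsigned_cert is an assumption about what the "given script" does (key plus self-signed certificate with the quoted subject, with a SAN so that browsers accept the name); the route name "oxcart" and service name "oxcart" are assumptions too. verify_served_cert fetches the certificate the router actually presents, which is the check the browser warning page cannot give you.

```shell
#!/bin/sh
# Added example, not from the exam dump: generate a self-signed certificate with
# the exact subject quoted in question 8 (assumed to be what the "given script"
# does), create the edge route from the CLI, and verify which certificate the
# router really serves. Route name "oxcart" and service name "oxcart" are assumptions.
set -eu

HOST=oxcart.apps.ocp4.example.com
SUBJ="/C=US/ST=NC/L=Raleigh/O=RedHat/OU=RHT/CN=${HOST}"

# Private key and self-signed certificate in one step (files in the current dir).
# Browsers ignore the CN and require a subjectAltName, hence -addext (OpenSSL 1.1.1+).
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout oxcart.key -out oxcart.crt -subj "$SUBJ" \
    -addext "subjectAltName=DNS:${HOST}" >/dev/null 2>&1
}

# Print the CN of a certificate so it can be compared with the route hostname.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Edge termination: the router terminates TLS with this certificate and speaks
# plain HTTP to the pod. --hostname has to equal the certificate CN.
create_edge_route() {
  oc create route edge oxcart --service=oxcart --hostname="$HOST" \
    --cert=oxcart.crt --key=oxcart.key -n area51
}

# Fetch the certificate the router presents for this name (SNI is needed,
# otherwise the router's default certificate comes back) and show its subject;
# then make a request that trusts only our own certificate, so the wrong
# certificate fails loudly instead of behind a browser warning.
verify_served_cert() {
  served=$(openssl s_client -connect "${HOST}:443" -servername "$HOST" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject)
  echo "router serves: $served"
  curl -sS --cacert oxcart.crt "https://${HOST}/"
}

if command -v oc >/dev/null 2>&1 && [ "${1:-}" = apply ]; then
  make_selfsigned_cert
  [ "$(cert_cn oxcart.crt)" = "$HOST" ]
  create_edge_route
  verify_served_cert
fi
```

The cert_cn check before creating the route catches a subject typo early: the route is created even if CN and hostname differ, and only the client complains afterwards.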
9. Scale the application manually
Scale an application called hydra in the project called lerna
The hydra application should be scaled to five replicas
Solution for q.9:***********************************************************************
oc project lerna
oc get all
oc scale --replicas=5 deployment/hydra   (dc/hydra if oc get all shows a DeploymentConfig)
To check
oc get all   (five hydra pods should be Running)
****************************************************************************************
10. Configure autoscaling for an application
Configure autoscaling for the scala application in the project gru with the following specification
a. Minimum number of replicas: 6
b. Maximum number of replicas: 40
c. Threshold CPU percentage: 60
d. Application CPU request: 25m
e. Application CPU limit: 100m
Solution for q.10:***********************************************************************
oc project gru
oc set resources dc/scala --requests=cpu=25m --limits=cpu=100m
oc autoscale dc/scala --min=6 --max=40 --cpu-percent=60
Set the resources first: the HorizontalPodAutoscaler computes utilisation against the pods' CPU request, and without one the target shows as <unknown> and no scaling happens. Use deployment/scala instead of dc/scala if scala is a Deployment. Check with oc get hpa -n gru after a minute or two.
****************************************************************************************
11. Configure a secret
Configure a secret in the math project; the name of the secret should be magic.
The secret should have the following key/value pair
Decoder_Ring: ASDA142hfh-gfrhhueo-erfdk345v
Solution for q.11:***********************************************************************
oc project math
oc create secret generic magic --from-literal=Decoder_Ring=ASDA142hfh-gfrhhueo-erfdk345v
****************************************************************************************
12. Use the secret value for the application deployment
Configure the environment variables for the application called qed in the math project so that it uses the secret "magic"
After the environment is configured the application should stop producing the following output
"App is not configured properly"
Solution for q.12:***********************************************************************
oc project math
oc set env --from=secret/magic deployment/qed   (dc/qed if oc get all shows a DeploymentConfig)
oc set env creates one variable per secret key and upper-cases the key name, so the container sees DECODER_RING; confirm the name with oc set env deployment/qed --list, and check the pod log or the route output after the new pods have rolled out.
****************************************************************************************
13. Configure a service account
Create a service account called ex-280-sa in the project called apples.
This service account should be able to run applications with any user ID.
Solution for q.13:***********************************************************************
oc project apples
oc create sa ex-280-sa
oc adm policy add-scc-to-user anyuid -z ex-280-sa
oc set sa dc/<dcname> <saname>   (binding the account to a workload is question 14)
Check with oc adm policy who-can use scc anyuid, or oc get clusterrolebinding | grep anyuid, that the service account now appears.
****************************************************************************************
14. Deploy an application
Deploy an application called oranges in the project apples
a. This application should use the service account ex-280-sa
b. The application should produce valid output
Solution for q.14:***********************************************************************
oc project apples
oc get all
oc edit service/oranges
Replace orange with oranges in the selector: the service selects app=orange while the pods are labelled app=oranges, so it has no endpoints and the route returns an error
oc set serviceaccount dc/oranges ex-280-sa
To check the pod status
oc get all
****************************************************************************************
15. Deploy an application
Deploy an application called voyager (called atlas in some versions of the exam) in the project path-finder (or mercury)
a. Don't add any new configuration
b. Application should produce valid output
Solution for q.15:***********************************************************************
oc project path-finder   (or mercury)
oc get all
The pod stays Pending because its memory request is larger than any node can offer (the events report Insufficient memory)
oc edit dc/<dcname>
Under resources, replace the oversized memory request (80Gi in this dump) with 1Gi
To check, run the oc get all command again; the pod should be Running
****************************************************************************************
16. Deploy an application
Deploy an application called mercury in the project atlas
a. Don't add any new configuration
b. Application should produce valid output
Solution for q.16:***********************************************************************
oc project atlas
oc get all
oc edit dc/<dcname>
Under resources, replace the oversized memory request (80Gi) with 1Gi
Or
replace the oversized CPU request (100 cores) with 10m
Either value exceeds what a node has, so the scheduler leaves the pod Pending; change the request the events complain about.
To check, run the oc get all command again
****************************************************************************************
17. Create a NetworkPolicy to allow traffic between the database and checker projects
Allow traffic to the database project's pods from the checker project's pods on port 8080,
i.e. only from the namespace selector team=devsecops and the pod selector deployment=web-mysql
Solution for q.17:***********************************************************************
In the console go to Networking > NetworkPolicies, select the project 'database' and click Create NetworkPolicy
Input the target pod selector: find the label of the database pod with oc describe pod/<podname> and use it
Add an ingress rule and choose the access type "Allow pods from inside the cluster" (the one with both a namespace selector and a pod selector)
Namespace selector: team=devsecops
Pod selector: deployment=web-mysql
Port: 8080 (TCP)
Both selectors must sit in the same rule entry; as two separate entries they would mean "namespace OR pod" and allow more than asked. The namespace selector only matches if the checker namespace actually carries the label team=devsecops (oc get namespace checker --show-labels). Once this policy exists, the database pods accept no other ingress at all, because any NetworkPolicy that selects a pod denies everything it does not explicitly allow.
To verify run the following
oc project checker
oc get all
oc rsh pod/<podname>
curl <ip address of the pod in the database project>:8080
The curl will work; from a pod that doesn't match the selectors, or on another port, it times out.
****************************************************************************************
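The policy the console steps of question 17 produce, as an added example that is not part of the exam dump, rendered as YAML so the AND-ing of the two selectors is visible, and applied with the verification from the page. The database pod label "deployment=db" and the policy name are assumptions; replace the label with the one oc describe pod shows.

```shell
#!/bin/sh
# Added example, not from the exam dump: the NetworkPolicy behind the console
# steps in question 17, rendered as YAML and applied from the CLI, plus the
# verification. The database pod label (deployment=db) and the policy name are
# assumptions; use the label that oc describe pod shows on the database pod.
set -eu

render_netpol() {
  db_label_key=$1; db_label_value=$2
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checker-to-database
  namespace: database
spec:
  podSelector:
    matchLabels:
      ${db_label_key}: ${db_label_value}
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Both selectors in ONE list item: the peer must match namespace AND pod.
    # As two items they would mean namespace OR pod, which is too permissive.
    - namespaceSelector:
        matchLabels:
          team: devsecops
      podSelector:
        matchLabels:
          deployment: web-mysql
    ports:
    - protocol: TCP
      port: 8080
EOF
}

if command -v oc >/dev/null 2>&1 && [ "${1:-}" = apply ]; then
  # The namespaceSelector only matches if the checker namespace carries the label.
  oc get namespace checker --show-labels | grep -q 'team=devsecops' \
    || oc label namespace checker team=devsecops
  render_netpol deployment db | oc apply -f -
  # Verify the way the page does: from a matching pod in checker to the pod IP
  # of the database pod on the allowed port. Any other source pod or port should time out.
  db_ip=$(oc get pod -n database -l deployment=db -o jsonpath='{.items[0].status.podIP}')
  web=$(oc get pod -n checker -l deployment=web-mysql -o jsonpath='{.items[0].metadata.name}')
  oc rsh -n checker "$web" curl -s --max-time 5 "http://${db_ip}:8080/"
fi
```

Once applied, the database pods accept nothing else, including router traffic, so any other consumer needs its own allow rule.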
18. Deploy a movie site application from the Helm chart
Helm repo: <url is given>
Target project: <given>
Solution for q.18:***********************************************************************
helm repo add redhat-movie-repo http://charts.ocp4.example.com/charts/
helm search repo redhat-movie-repo
helm install movie-site redhat-movie-repo/<chart_name> -n <target_project>
helm list -n <target_project>
****************************************************************************************
20. Set a livenessProbe for the atlas deployment in the mercury project with the following details
TCP connection on port 8080
initialDelaySeconds: 10
timeoutSeconds: 30
Solution for q.20:***********************************************************************
oc set probe dc/atlas --liveness --open-tcp=8080 --initial-delay-seconds=10 --timeout-seconds=30 -n mercury
(deployment/atlas if atlas is a Deployment; a TCP probe only checks that the port accepts connections, which is what is asked for. Check with oc describe dc/atlas -n mercury that the Liveness line shows the values.)
****************************************************************************************
21. Collect a health check of the OpenShift cluster,
archive and compress it with the tar cvaf command, and
upload it with the provided script
Solution for q.21:***********************************************************************
oc adm must-gather
tar -cvaf must-gather.<ClusterID>.tar.gz must-gather.local.xxxx.yyyy/
/pathto/uploadscript.sh must-gather.<ClusterID>.tar.gz
tar -a picks the compression from the archive suffix, so the name must end in .tar.gz; the directory name must-gather.local.<number> is printed by oc adm must-gather (or choose it with its --dest-dir option). Use the same archive name in the upload command.
****************************************************************************************
22. Create a cronjob
Solution for q.22:***********************************************************************
If the job needs a service account with extra privileges (as given):
oc create sa <saname>
oc adm policy add-scc-to-user privileged -z <saname>
SCCs are granted to the service account; the CronJob then names it in its pod template (either in the YAML below or with oc set sa cronjob/<cronjobname> <saname> after creating it).
Go to the console, Workloads > CronJobs, Create CronJob, and add the following
serviceAccountName: <saname>   (under jobTemplate.spec.template.spec)
successfulJobsHistoryLimit: <given value>
and the given parameters:
image
schedule: 5 4 2 * *
Fields, left to right: minute (0-59), hour (0-23), day of the month (1-31), month (1-12), day of the week (0-6, Sunday = 0). "5 4 2 * *" runs at 04:05 on the second day of every month.
Or the CLI method
oc create cronjob <cronjobname> --image=<imagename> --schedule='5 4 2 * *' --dry-run=client -o yaml > cronj.yaml
Then edit the YAML (service account, history limits, command) and create it with oc create -f cronj.yaml; check with oc get cronjob.
****************************************************************************************
23. Create a project template
Create a LimitRange in the GUI (the form from question 6) and copy its YAML
oc adm create-bootstrap-project-template -o yaml > mytemplate.yaml
Paste the LimitRange into the objects: list of mytemplate.yaml
Modify the name and namespace of the LimitRange to ${PROJECT_NAME}-limit and ${PROJECT_NAME}
Check that all parameters are set as given
oc create -f mytemplate.yaml -n openshift-config
oc edit projects.config.openshift.io cluster
Change 'spec: {}' to 'spec:' and add below it, indented by two spaces:
  projectRequestTemplate:
    name: <name of the project template>   (the metadata.name in mytemplate.yaml, project-request by default)
To verify run the following command; the openshift-apiserver pods are recreated and the template is in effect once they are all Running again
watch oc get pods -n openshift-apiserver
Then create a throwaway project and confirm with oc get limitrange that it contains ${PROJECT_NAME}-limit.
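The project template of question 23 as an added example that is not part of the exam dump. The Project and RoleBinding objects are what oc adm create-bootstrap-project-template emits (reproduced here as an assumption so the block runs offline); the LimitRange is the Container entry from question 6 as an illustration of the values, parameterised on ${PROJECT_NAME}. The oc patch is the CLI equivalent of the oc edit step.

```shell
#!/bin/sh
# Added example, not from the exam dump: the project request template for
# question 23, with the LimitRange parameterised on ${PROJECT_NAME}, and the
# patch that is the CLI equivalent of editing projects.config.openshift.io.
# The Project/RoleBinding objects are the ones the bootstrap command emits
# (reproduced here as an assumption); the LimitRange values come from question 6.
set -eu

TEMPLATE_NAME=project-request

render_project_template() {
  cat <<EOF
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: ${TEMPLATE_NAME}
objects:
- apiVersion: project.openshift.io/v1
  kind: Project
  metadata:
    annotations:
      openshift.io/description: \${PROJECT_DESCRIPTION}
      openshift.io/display-name: \${PROJECT_DISPLAYNAME}
      openshift.io/requester: \${PROJECT_REQUESTING_USER}
    name: \${PROJECT_NAME}
  spec: {}
  status: {}
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: admin
    namespace: \${PROJECT_NAME}
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: admin
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: \${PROJECT_ADMIN_USER}
- apiVersion: v1
  kind: LimitRange
  metadata:
    name: \${PROJECT_NAME}-limit
    namespace: \${PROJECT_NAME}
  spec:
    limits:
    - type: Container
      defaultRequest:
        cpu: 100m
        memory: 100Mi
      min:
        cpu: 10m
        memory: 100Mi
      max:
        cpu: 500m
        memory: 300Mi
parameters:
- name: PROJECT_NAME
- name: PROJECT_DISPLAYNAME
- name: PROJECT_DESCRIPTION
- name: PROJECT_ADMIN_USER
- name: PROJECT_REQUESTING_USER
EOF
}

# Proof that the template is in effect: a fresh project gets the LimitRange.
verify_template() {
  oc new-project ex280-template-check >/dev/null
  oc get limitrange ex280-template-check-limit -n ex280-template-check
  oc delete project ex280-template-check
}

if command -v oc >/dev/null 2>&1 && [ "${1:-}" = apply ]; then
  render_project_template | oc apply -n openshift-config -f -
  oc patch projects.config.openshift.io cluster --type merge \
    -p "{\"spec\":{\"projectRequestTemplate\":{\"name\":\"${TEMPLATE_NAME}\"}}}"
  # The openshift-apiserver pods are recreated after this change; run
  # verify_template once they are all Running again.
  oc get pods -n openshift-apiserver
fi
```

The template only affects projects created through project requests (oc new-project by a user); namespaces created directly with oc create namespace bypass it, which is why the check uses oc new-project.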
Application problems:
1. If the pod is Pending or not running, check the following
The problem might be the node selector
oc describe dc/<dcname>
Check the label under template.spec.nodeSelector
oc get nodes --show-labels
oc label nodes <nodename> <labelname>=<value> --overwrite
After this the pod will be scheduled. (Removing the wrong nodeSelector from the dc instead avoids relabelling a node.)
Or the problem might be a resource request that no node can satisfy
oc get events
The events show Insufficient cpu or Insufficient memory; then
oc edit dc/<dcname>
and lower the request under resources
2. If the pod is in CrashLoopBackOff state do the following
oc logs pod/<podname>
Permission errors in the log mean the image cannot run as the random UID OpenShift assigns; assign the anyuid SCC to the existing service account, or create one if it doesn't exist
oc create sa <saname>
oc adm policy add-scc-to-user anyuid -z <saname>
oc set sa dc/<dcname> <saname>
Then the pod will be in a Running state
Check the route to confirm
3. The pod is Running but the route doesn't work in a browser
oc project <projectname>
oc describe service/<servicename>
If Endpoints shows <none>, the service selector does not match the labels the deployment puts on its pods
Check the deployment
oc describe dc/<dcname>
The recommended fix is to edit the service rather than the dc, because changing the dc's pod labels triggers a new rollout
oc edit service/<servicename>
Change the selector to match the deployment's pod label
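The Endpoints <none> diagnosis of item 3 (and the orange/oranges fix of question 14), as an added example that is not part of the exam dump: a check that compares a Service selector with the pod labels a DeploymentConfig applies, the same comparison the page does by eye. The sample selector and labels are constructed; check_service fetches the real ones with oc when a cluster is reachable.

```shell
#!/bin/sh
# Added example, not from the exam dump: the "Endpoints: <none>" diagnosis of
# item 3 above (the same orange/oranges mismatch as question 14), as a check that
# compares a Service selector with the pod labels a DeploymentConfig applies.
# The sample selector and labels below are constructed for illustration; the
# oc calls fetch the real ones when a cluster is reachable.
set -eu

# Every key=value pair of the selector must be present among the labels.
# Both are comma-separated key=value lists. Prints each missing pair and
# returns 1 if any is missing, 0 when the service will get endpoints.
selector_matches_labels() {
  selector=$1; labels=$2; missing=0
  for pair in $(printf '%s' "$selector" | tr ',' ' '); do
    case ",$labels," in
      *",$pair,"*) ;;
      *) echo "selector $pair matches no pod label"; missing=1 ;;
    esac
  done
  return $missing
}

# Constructed sample: the service selects app=orange, the pods carry app=oranges.
SAMPLE_SELECTOR="app=orange"
SAMPLE_LABELS="app=oranges,deployment=oranges"

# jsonpath prints maps as JSON ({"app":"orange"}); strip braces, quotes and
# spaces and turn ':' into '=' to get the key=value form the checker expects.
json_map_to_pairs() {
  tr -d '{}" ' | tr ':' '='
}

# Live check. Fix the Service, not the dc: changing the dc's pod labels
# triggers a new rollout, while a selector change takes effect immediately.
check_service() {
  ns=$1; svc=$2; dc=$3
  sel=$(oc get svc "$svc" -n "$ns" -o jsonpath='{.spec.selector}' | json_map_to_pairs)
  labels=$(oc get dc "$dc" -n "$ns" -o jsonpath='{.spec.template.metadata.labels}' | json_map_to_pairs)
  if selector_matches_labels "$sel" "$labels"; then
    echo "selector ok, endpoints:"; oc get endpoints "$svc" -n "$ns"
  else
    # oc set selector takes the selector as its last argument, comma separated
    echo "fix with: oc set selector -n $ns svc/$svc $labels"
  fi
}

if command -v oc >/dev/null 2>&1 && [ "${1:-}" = check ]; then
  check_service apples oranges oranges
fi
```

Selecting on the full set of template labels, as the suggested fix does, is what oc expose generates anyway; a selector that is a subset of the labels is equally valid as long as every pair it names is present.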