Audit and remove stale users and groups from the cluster. Validate the cleanup process. See the Solution below.

Solution:
1. List all users and groups:
   oc get users
   oc get groups
2. Remove unused users and groups:
   oc delete user <user-name>
   oc delete group <group-name>
3. Validate the removal:
   oc get users
   oc get groups
Explanation: Periodic cleanup of stale users and groups ensures an up-to-date and secure access control configuration.

Configure a role that allows a group to manage ConfigMaps and Secrets in a namespace. Validate their permissions. See the Solution below.

Solution:
1. Create a custom role:
   oc create role config-secret-manager --verb=get,list,create,update,delete --resource=configmaps,secrets -n dev-namespace
2. Bind the role to a group:
   oc create rolebinding config-secret-binding --role=config-secret-manager --group=managers -n dev-namespace
3. Validate access:
   oc auth can-i create configmaps -n dev-namespace --as=user1
   oc auth can-i delete secrets -n dev-namespace --as=user1
Explanation: Custom roles provide granular control, enabling specific resource management without exposing the entire namespace.

Restrict project creation to specific users. Validate the restricted behavior for other users. See the Solution below.

Solution:
1. Remove the self-provisioner role from all authenticated users:
   oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated
2. Assign self-provisioner to a specific user:
   oc adm policy add-cluster-role-to-user self-provisioner user1
3. Validate restricted access for others:
   oc login -u user2 -p <password>
   oc new-project restricted-project
Explanation: Restricting project creation ensures tighter control over resource usage and aligns with organizational policies.

Integrate an external LDAP server as an identity provider for authentication. Validate the LDAP login. See the Solution below.

Solution:
1. Configure the LDAP identity provider:
   apiVersion: config.openshift.io/v1
   kind: OAuth
   metadata:
     name: cluster
   spec:
     identityProviders:
     - name: ldap-idp
       type: LDAP
       mappingMethod: claim
       ldap:
         url: ldaps://ldap.example.com/ou=users,dc=example,dc=com
         bindDN: "cn=admin,dc=example,dc=com"
         bindPassword:
           name: ldap-secret
         attributes:
           id: ["dn"]
           preferredUsername: ["uid"]
           name: ["cn"]
           email: ["mail"]
2. Apply the configuration:
   oc apply -f oauth-config.yaml
3. Validate login:
   oc login -u ldap-user -p <password>
Explanation: LDAP integration centralizes authentication, enabling consistent user management across systems.

Assign a user permissions to view and modify ServiceAccounts in a namespace. Validate their access. See the Solution below.

Solution:
1. Create a custom role:
   oc create role sa-manager --verb=get,list,create,update,delete --resource=serviceaccounts -n dev-namespace
2. Bind the role to the user:
   oc create rolebinding sa-manager-binding --role=sa-manager --user=user1 -n dev-namespace
3. Validate their permissions:
   kind: PodDisruptionBudget
   metadata:
     name: pdb-sample
   spec:
     minAvailable: 1
     selector:
       matchLabels:
         app: sample-app
2. Apply the PDB:
   kubectl apply -f pdb.yaml
3. Verify the PDB:
   kubectl get pdb
Explanation: PDBs maintain application availability during voluntary disruptions, such as node upgrades, by defining a minimum number of pods that must stay operational.

Create a custom OpenShift project with resource quotas to limit CPU and memory usage for all pods. Include YAML definitions for the project and quota. See the Solution below.

Solution:
1. Create a project:
   oc new-project custom-project
2. Define a resource quota in quota.yaml:
   apiVersion: v1
   kind: ResourceQuota
   metadata:
     name: project-quota
   spec:
     hard:
       requests.cpu: "2"
       requests.memory: 4Gi
       limits.cpu: "4"
       limits.memory: 8Gi
   oc auth can-i create serviceaccounts -n dev-namespace --as=user1
Explanation: Custom roles allow precise control over ServiceAccount management, which is crucial for secure workload configuration.

Revoke a user's access to a namespace while retaining their cluster-wide permissions. Validate their restricted access. See the Solution below.

Solution:
1. Remove role bindings for the user in the namespace:
   oc delete rolebinding <binding-name> -n dev-namespace
2. Validate their restricted access:
   oc auth can-i get pods -n dev-namespace --as=user1
Explanation: Revoking namespace-specific permissions isolates user access and keeps the cluster compliant with security policies.

Configure a role binding to allow a group to create PersistentVolumeClaims (PVCs) in a namespace. Validate their access. See the Solution below.

Solution:
1. Create a role for PVC management:
   oc create role pvc-manager --verb=create,get,list --resource=persistentvolumeclaims -n dev-namespace
2. Bind the role to the group:
   oc create rolebinding pvc-manager-binding --role=pvc-manager --group=developers -n dev-namespace
3. Validate access:
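The validation steps in the role and role-binding items above all rely on `oc auth can-i`. As an added example that is not part of the original material, the following evaluator answers the same question offline from Role and RoleBinding objects, so a reviewer can check intended permissions (and spot bindings whose Role has been deleted) before touching a cluster. The sample objects are constructed to mirror the sa-manager and pvc-manager bindings above; only namespace Roles bound through RoleBindings are considered, not ClusterRoleBindings.

```python
from typing import Dict, List

# Constructed sample mirroring what `oc get role,rolebinding -n dev-namespace -o json`
# would return for the pvc-manager (developers group) and sa-manager (user1) bindings
# created above. Only the fields the evaluator needs are kept.
ROLES: Dict[str, dict] = {
    "pvc-manager": {"rules": [{"apiGroups": [""], "resources": ["persistentvolumeclaims"],
                               "verbs": ["create", "get", "list"]}]},
    "sa-manager": {"rules": [{"apiGroups": [""], "resources": ["serviceaccounts"],
                              "verbs": ["get", "list", "create", "update", "delete"]}]},
}
BINDINGS: List[dict] = [
    {"metadata": {"name": "pvc-manager-binding"}, "roleRef": {"kind": "Role", "name": "pvc-manager"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "sa-manager-binding"}, "roleRef": {"kind": "Role", "name": "sa-manager"},
     "subjects": [{"kind": "User", "name": "user1"}]},
    # Constructed orphan: its Role was deleted, so it grants nothing and should be cleaned up.
    {"metadata": {"name": "old-binding"}, "roleRef": {"kind": "Role", "name": "deleted-role"},
     "subjects": [{"kind": "User", "name": "user2"}]},
]


def _rule_allows(rule: dict, verb: str, resource: str, api_group: str = "") -> bool:
    """A rule grants access only if verb, resource and apiGroup all match; '*' is a wildcard."""
    def hit(wanted: str, allowed: List[str]) -> bool:
        return "*" in allowed or wanted in allowed
    return (hit(verb, rule.get("verbs", [])) and hit(resource, rule.get("resources", []))
            and hit(api_group, rule.get("apiGroups", [""])))


def can_i(user: str, groups: List[str], verb: str, resource: str,
          roles: Dict[str, dict] = ROLES, bindings: List[dict] = BINDINGS) -> bool:
    """Local answer to `oc auth can-i <verb> <resource> --as=<user>` for namespace
    Roles bound through RoleBindings (ClusterRoleBindings are not considered)."""
    for binding in bindings:
        bound = any((s["kind"] == "User" and s["name"] == user)
                    or (s["kind"] == "Group" and s["name"] in groups)
                    for s in binding.get("subjects", []))
        role = roles.get(binding["roleRef"]["name"])
        if bound and role and any(_rule_allows(r, verb, resource) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access


def orphaned_bindings(bindings: List[dict] = BINDINGS, roles: Dict[str, dict] = ROLES) -> List[str]:
    """Names of RoleBindings whose Role no longer exists: the same kind of stale object
    the user/group audit above removes."""
    return [b["metadata"]["name"] for b in bindings if b["roleRef"]["name"] not in roles]
```

The group list passed to `can_i` stands in for the membership that OpenShift resolves from the Group object; `pvc-manager` deliberately lacks `delete`, so a developer is allowed to create a PVC but not to delete one.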
Solution:
1. Create a Headless Service YAML file:
   apiVersion: v1
   kind: Service
   metadata:
     name: headless-service
   spec:
     clusterIP: None
     selector:
       app: my-stateful-app
     ports:
     - protocol: TCP
       port: 80
2. Apply the Service and verify DNS resolution:
   kubectl apply -f headless-service.yaml
   kubectl exec <pod-name> -- nslookup headless-service
Explanation: Headless Services provide direct access to individual pod IPs, which is essential for StatefulSet workloads.

Deploy an application using a Kubernetes CronJob that runs every 5 minutes. Validate its execution. See the Solution below.

Solution:
1. Create a CronJob YAML file cronjob.yaml:
   apiVersion: batch/v1
   kind: CronJob
   metadata:
     name: my-cronjob
   spec:
     schedule: "*/5 * * * *"
     jobTemplate:
       spec:
         template:
           spec:
             containers:
             - name: my-container