Kubernetes Interview Questions and Answer Part – 7

What is the main reason why the Ingress API has not been developed beyond its original specification?

  • It was delivered to test ingress use cases, but annotations took over and now there’s no going back
  • It was intended to accommodate a wide range of technologies as a lowest common denominator (Ans)
  • It’s developers were aware that Istio was coming down the line, with a more sophisticated ingress capability

Which proxy technology underpins Contour, Ambassador and Istio?

  • Nginx
  • Envoy (Ans)
  • HAProxy

If a service of type NodePort has its externalTrafficPolicy set to Local, what will happen to ingress traffic that arrives at a particular node that isn’t running a service endpoint (pod)?

  • Packets will get dropped, as the policy prohibits routing traffic to an endpoint on another node (Ans)
  • The packets will get routed to an appropriate endpoint, courtesy of Kubernetes’ flat network model
  • The source IP address of packets arriving at the node will be changed (SNAT) to that of the node

Why does a service of either type, NodePort or LoadBalanacer, result in a clusterIP being allocated for the service?

  • So that external requests can be load balanced across the service’s endpoints, via the clusterIP (Ans)
  • For backwards compatibility – the kube-proxy in ‘userspace’ proxy mode requires it, but it is entirely optional when operating in ‘iptables’ or ‘ipvs’ mode
  • Without the clusterIP, a NodePort service with externalTrafficPolicy set to Local, will fail to route traffic to endpoints on other nodes

With regular expression syntax used in the following ingress definition for the nginx ingress controller, which of the following path rewrites is correct?
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: path-rule-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
rules:
– host: dibble.sh
http:
paths:
– backend:
serviceName: nginxhello-blue
servicePort: 80
path: /blue/?(.*)

  • dibble.sh/blueberry rewrites to dibble.sh/blue
  • dibble.sh/ rewrites to dibble.sh/blue/
  • dibble.sh/blue rewrites to dibble.sh/ (Ans)

What is the primary purpose for annotations in Ingess API definitions?

  • The primary Kubernetes API mechanism for defining ingress configuration
  • A means of circumventing the limitations in the Ingress API (Ans)
  • A method for differentiating between different ingress controller capabilities

What is the best technique for handling X.509 certificate renewals with cert-manager?

  • Create a cron job to periodically check the validity of the certificate, and generate a new Certificate object 30 days before expiry
  • Relax, cert-manager is aware of the renewal window for certificates, and will attempt to renew the certificate in the renewal window (Ans)
  • Cert-manager requires the deployment of Certbot in the cluster, which handles certificate renewals on its behalf

Which ACME challenge type needs to be configured for obtaining a wildcard certificate from Let’s Encrypt using cert-manager?

  • Cert-manager is unable to obtain wildcard certificates from Let’s Encrypt
  • Either of DNS01 or HTTP01. A DNS01 challenge explicitly establishes control of a domain, whilst a HTTP01 challenge implicitly establishes control of a domain
  • DNS01, because the challenge establishes control of a domain (Ans)

Which of the following is NOT a technique for setting the ingress class of an ingress controller?

  • A configuration override applied to a Helm chart during installation
  • An annotation set in an ingress resource definition (Ans)
  • A command line argument defined in a Deployment definition for the ingress controller

Which of the following is NOT a mechanism for configuring an ingress controller?

  • Labels (Ans)
  • Annotations
  • Command line arguments

Why might it be necessary to deploy a default backend service?

  • Without a default backend service, ingress definitions will fail to be configured when applied
  • To provide a coherent, customized experience for clients presenting invalid HTTP requests (Ans)
  • Invalid client requests will otherwise be randomly routed to one of the available backend services

Which of the following is NOT a perceived limitation of using a Service object to handle ingress traffic?

  • Any external TCP/UDP traffic can be proxied to a service’s virtual IP address (Ans)
  • Routing of HTTP/S traffic based on hostname or path is not supported
  • Client IP addresses are subject to source network address translation (SNAT)

Which Kubernetes API resource types do you think cert-manager need access to, in order to manager certificate lifecycles?

  • ConfigMap, Secret, Event, Service, Pod
  • ConfigMap, Event, Service, Pod, Ingress
  • ConfigMap, Secret, Event, Service, Pod, Ingress (Ans)

Which of the following ingress options is the only one that fully supports the Ingress API?

  • Contour ingress controller (Ans)
  • Ambassador API gateway
  • Istio service mesh

Which of the following ensures maximum availability of an ingress controller in a Kubernetes cluster?

  • Define multiple Deployments of the ingress controller, scoped to different namespaces
  • Use a DaemonSet to invoke an ingress controller pod on each of the cluster’s nodes
  • Configure a Deployment with more than one replica specified in its definition (Ans)
Rajesh Kumar