
Q1:

Configure the OpenShift cluster by creating an HTPasswd identity provider:

HTPasswd identity provider name: ex280-htpasswd
Identity provider secret name: ex280-idp-secret
Add armstrong user with password sestiver
Add collins user with password redhat
Add peter user with password redhat2
Add wick user with password redhat4
Add job user with password indionce

Ans:-

htpasswd -c -B -b htpassfile armstrong sestiver
htpasswd -b htpassfile collins redhat
htpasswd -b htpassfile peter redhat2
htpasswd -b htpassfile wick redhat4
htpasswd -b htpassfile job indionce

oc create secret generic ex280-idp-secret --from-file htpasswd=htpassfile -n openshift-config
oc get oauth cluster -o yaml > oauth.yaml
vim oauth.yaml
spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: ex280-idp-secret
    mappingMethod: claim
    name: ex280-htpasswd
    type: HTPasswd

oc replace -f oauth.yaml

oc login -u username -p password
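
Only the first htpasswd call above passes -B (bcrypt); the later calls omit it, so those entries are stored with htpasswd's default scheme (apr1 MD5). The following check is an added example, not part of the original answer: it lists every entry whose hash is not bcrypt before the file is loaded into the secret. The sample file and its hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify htpasswd entries by hash scheme, flag non-bcrypt ones.

# Print "user scheme" for every entry in an htpasswd file.
htpasswd_schemes() {
    awk -F: '
        /^[ \t]*#/ { next }    # skip comment lines
        NF < 2     { next }    # skip blank or malformed lines
        {
            h = $2
            if      (h ~ /^\$2[aby]\$/)       s = "bcrypt"
            else if (h ~ /^\$apr1\$/)         s = "apr1-md5"
            else if (index(h, "{SHA}") == 1)  s = "sha1"
            else if (h ~ /^\$[56]\$/)         s = "sha-crypt"
            else                              s = "crypt-or-plain"
            print $1, s
        }' "$1"
}

# Print the users whose hash is not bcrypt; return 1 if there are any.
non_bcrypt_users() {
    weak=$(htpasswd_schemes "$1" | awk '$2 != "bcrypt" { print $1 }')
    if [ -z "$weak" ]; then
        return 0
    fi
    printf '%s\n' "$weak"
    return 1
}

# Constructed sample: one bcrypt entry, two apr1 entries (hashes are fake).
write_sample_htpassfile() {
    cat > "$1" <<'EOF'
armstrong:$2y$05$CONSTRUCTEDbcryptHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
collins:$apr1$CONSTRUC$constructedMD5hashvalue
job:$apr1$CONSTRUC$constructedMD5hashvalue
EOF
}
```

Run non_bcrypt_users htpassfile before oc create secret; re-adding a flagged user with htpasswd -B -b stores that entry as bcrypt.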

Q2:
Configure OpenShift cluster permissions so that:

--> Job can have cluster administration task
--> collins can create project --> self-provisioner role
--> collins cannot have cluster administration task (note: you have to add the view role, or any other role that is not the cluster-admin role.)
--> armstrong cannot create project --> remove self-provisioner
--> Kubeadmin user should be deleted

Ans:-

oc adm policy add-cluster-role-to-user cluster-admin john
oc adm policy add-cluster-role-to-user self-provisioner collins
oc policy add-role-to-user view collins
oc describe clusterrolebindings self-provisioner
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
oc describe clusterrolebindings self-provisioner
(Note: we have removed the self-provisioner role from the group, so no user can create projects. As per the question, only the armstrong user must not be able to create projects, so add the self-provisioner role for the other users.)
oc adm policy add-cluster-role-to-user self-provisioner peter
oc adm policy add-cluster-role-to-user self-provisioner wick
oc delete secret kubeadmin -n kube-system
oc get rolebindings -o wide

Q3:
Configure projects for configuring openshift cluster

5 projects should exist:

--> Sydney
--> Tokyo
--> India
--> China
--> USA

John should have admin access to the sydney and usa projects.
Elena should have view access to India.

Ans:-

oc new-project sydney
oc new-project tokyo
oc new-project india
oc new-project china
oc new-project usa

oc policy add-role-to-user admin john -n sydney
oc policy add-role-to-user admin john -n usa
oc policy add-role-to-user view elena -n india

Q4:
Create groups to configure openshift cluster

Create groups named commander and pilot
Add John and wick as members of the commander group
Add elena and peter as members of the pilot group
Commander group should have admin access to sydney
Pilot group should have view access to USA project

Ans:-

oc adm groups new commander
oc adm groups new pilot
oc adm groups add-users commander john
oc adm groups add-users commander wick
oc adm groups add-users pilot elena
oc adm groups add-users pilot peter
oc adm policy add-role-to-group admin commander -n sydney
oc adm policy add-role-to-group view pilot -n usa
oc get rolebindings -o wide --> switch to the sydney project and check it.

Q5:
Create Resource Quota

Create a resource quota "ex280-quota" for defining limits for resource access in the sydney project.
i. Total memory amount for max usage is 2Gi
ii. Total CPU unit for max usage is "2" kubernetes units
iii. Total no. of pods should be limited to 13
iv. Total no. of services should not exceed 10
v. Total no. of replication controllers should be 3

Ans:-

oc project projectname
oc create quota ex280-quota --hard=memory=2Gi,cpu=2,pods=13,services=10,replicationcontrollers=3 -n projectname
oc get resourcequota
oc describe resourcequota

Q6:
Create Limit Range

Create resource limit file "ex280-quotalimit" for defining range of resource access based on soft/hard limit.

i. For pods min cpu limit is "5m" and max is "500m"
ii. For containers min cpu limit is "100m" and max is "500m" and default request of "300m"
iii. For pods min memory is "300Mi" and max is "500Mi"
iv. For containers min memory is "200Mi" and max is "600Mi" and default request of "400Mi"

Ans:-

oc project projectname
vim limit.yaml
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: ex280-quotalimit
spec:
  limits:
  - type: "Pod"
    max:
      cpu: "500m"
      memory: "500Mi"
    min:
      cpu: "5m"
      memory: "300Mi"
  - type: "Container"
    max:
      cpu: "500m"
      memory: "600Mi"
    min:
      cpu: "100m"
      memory: "200Mi"
    default:
      cpu: "300m"
      memory: "400Mi"
oc create -f limit.yaml
oc describe limitrange
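
The limits in this question mix unit suffixes (m, Mi, Gi), and a Pod-type limit is applied to the sum over all containers in the pod. The following is an added example, not part of the original answer: it normalises the quantities and checks the ordering min <= default <= max and the per-pod total. It assumes integer quantities and treats each container's request and limit as equal to the default.

```shell
#!/bin/sh
# Added example: normalise Kubernetes quantities, check LimitRange ordering.

# to_base KIND QTY: cpu -> millicores, memory -> KiB (integer quantities only).
to_base() {
    case "$1:$2" in
        cpu:*m)     echo "${2%m}" ;;
        cpu:*)      echo $(( $2 * 1000 )) ;;
        memory:*Ki) echo "${2%Ki}" ;;
        memory:*Mi) echo $(( ${2%Mi} * 1024 )) ;;
        memory:*Gi) echo $(( ${2%Gi} * 1048576 )) ;;
        *)          echo "unsupported: $1 $2" >&2; return 2 ;;
    esac
}

# check_range KIND MIN DEFAULT MAX: succeeds only if MIN <= DEFAULT <= MAX.
check_range() {
    lo=$(to_base "$1" "$2") && mid=$(to_base "$1" "$3") &&
        hi=$(to_base "$1" "$4") || return 2
    [ "$lo" -le "$mid" ] && [ "$mid" -le "$hi" ]
}

# pod_total_ok KIND PER_CONTAINER COUNT POD_MIN POD_MAX
# Succeeds only if COUNT containers at PER_CONTAINER each stay inside the
# Pod-type range, which is compared against the sum over the pod.
pod_total_ok() {
    each=$(to_base "$1" "$2") && lo=$(to_base "$1" "$4") &&
        hi=$(to_base "$1" "$5") || return 2
    total=$(( each * $3 ))
    [ "$total" -ge "$lo" ] && [ "$total" -le "$hi" ]
}

# Values from the question above:
#   check_range cpu 100m 300m 500m            -> ok
#   check_range memory 200Mi 400Mi 600Mi      -> ok
#   pod_total_ok memory 400Mi 1 300Mi 500Mi   -> ok (400Mi in one container)
#   pod_total_ok memory 400Mi 2 300Mi 500Mi   -> fails (800Mi > 500Mi)
```

With these numbers a pod with two containers at the default values exceeds the Pod maximum for both cpu (600m) and memory (800Mi), so it is rejected at admission unless the containers set smaller values explicitly.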

Q7: Deploy an application

Deploy an application called rocky; in the end it should be accessible at the following link

http://rocky.apps.domain7.com

Ans:-

taints and tolerations issue

oc get events --> nodes had a taint that the pod didn't tolerate
oc get nodes
oc describe nodes | grep -i taints
oc get dc
oc edit dc/dcname
    spec:
      dnsPolicy: ClusterFirst
      tolerations:
      - effect: NoSchedule
        key: node
        operator: Equal
        value: worker
oc get pods
oc get svc
oc expose svc/svcname --hostname rocky.apps.domain7.com
oc get route
curl http://rocky.apps.domain7.com

Q8. Scale up minion application in holy project and create replicas up to 5

Ans:-

oc project holy
oc get pods --> pod is in running state
oc get dc
oc scale --replicas=5 dc/dcname
oc get pods --> all pods are in pending state because of taints, so set tolerations
oc get dc
oc edit dc/dcname
    spec:
      dnsPolicy: ClusterFirst
      tolerations:
      - effect: NoSchedule
        key: node
        operator: Equal
        value: worker

oc get pods --> now pods are in running state
oc get route
curl http://routename

Q9. Autoscale pods in the scaling project.

minimum replicas=2, maximum replicas=9 and CPU percentage=60%; the default resource request for container cpu should be 50m and the resource limit cpu=100m

Ans:-
oc project scaling
oc get -o yaml dc/dcname > hello.yaml
vim hello.yaml
    resources:
      requests:
        cpu: "50m"
      limits:
        cpu: "100m"

oc create --save-config -f hello.yaml -n project-name
oc describe pod podname | grep memory
oc autoscale dc/dcname --min=2 --max=9 --cpu-percent=60
oc get hpa

Q10. Create a secret with

secret name: magic
key name: decode_ring
key value: asdf154513

Ans:-
oc project projectname
oc create secret generic magic --from-literal decode_ring=asdf154513 -n projectname --> decode_ring in small letters

Q11. Use the secret in the secure project, where one pod already exists. It should use the magic secret.

Ans:-

oc project projectname
oc logs podname | head -n2
oc get dc
oc set env dc/dcname --from secret/magic
oc get pods
oc rsh podname
oc get route
curl -s routename

Q12. Create a secure route on quart project.

--> One application named hello is already running
--> It should run on https with a self-signed certificate. It should use subj "/CN=----.com".
--> It should run on https with the following URL: https://quarts.apps.domain.example.com
--> Application should produce output
--> Application should produce output

Ans:-

openssl genrsa -out training.key 2048
openssl req -new -subj "/CN=quarts.apps.domain.example.com" -key training.key -out training.csr
openssl x509 -req -in training.csr -days 366 -signkey training.key -out training.crt
oc describe pod podname | grep Mounts -A2
oc get secret
oc create secret tls secretname --cert /home/student/training.crt --key /home/student/training.key
oc set env dc/dcname --from secret/secretname
oc describe pod podname | grep Mounts -A2 --> it is not mounted, we have to mount it
oc set volumes deployment/deploymentname --add -t secret --secret-name=secretname -m /usr/local/etc/ssl/certs
oc set volumes dc/dcname --add --name=myvol --type=secret --secret-name=secretname --mount-path=/usr/local/etc/ssl/certs

oc create route passthrough https --service servicename --hostname quarts.apps.domain.example.com (Here while creating route CN name and hostname must be same)
oc get route
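
The note above requires the certificate CN and the route hostname to be the same. The following check is an added example, not part of the original answer: it reads the CN back from the certificate and compares it with the hostname intended for oc create route. make_demo_cert is a hypothetical helper that repeats the three openssl steps in a scratch directory.

```shell
#!/bin/sh
# Added example: confirm a certificate's subject CN equals the route hostname.

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# cert_matches_host CERT HOSTNAME: succeeds only when the CN equals HOSTNAME.
cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# make_demo_cert DIR CN: throwaway key, CSR and self-signed certificate,
# created with the same three openssl steps as the answer.
make_demo_cert() {
    openssl genrsa -out "$1/training.key" 2048 2>/dev/null &&
    openssl req -new -subj "/CN=$2" -key "$1/training.key" \
        -out "$1/training.csr" &&
    openssl x509 -req -in "$1/training.csr" -days 366 \
        -signkey "$1/training.key" -out "$1/training.crt" 2>/dev/null
}

# Typical use before creating the route:
#   cert_matches_host training.crt quarts.apps.domain.example.com \
#       || echo "CN does not match the route hostname" >&2
```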

Q13:
Create service account in apple project
service account name : ex280-sa

Answer:

$ oc project apple
$ oc create sa ex280-sa
$ oc adm policy --help

Q14:
Deploy an application using service account created in previous question in project
called bulky

Answer:

$ oc project bulky
$ oc get pods
$ oc logs pod/podname --> important
$ oc get events
$ oc get pods
$ oc get pod/podname -o yaml | oc adm policy scc-subject-review -f -
$ oc adm policy add-scc-to-user anyuid -z ex280-sa
$ oc set serviceaccount dc/dcname ex280-sa
$ oc describe pod console-5df4fcbb47-67c52 -n openshift-console | grep scc
$ oc get pods
$ oc get route
$ curl -s routename

Q15. Deploy an application in orange project named jboss

$ oc project orange
$ oc get events
$ oc get pods

Node selector value issue: set the nodeSelector inside the deployment.
oc get nodes -L star
oc edit deployment/deploymentname

    nodeSelector:
      star: trek (in the exam it is Trek by default; change it to trek).

Q16. Deploy an application in cherry project named ronik

$ oc get events
(The issue was 5 Insufficient cpu. Inside the deployment they have already given memory as 80Gi; change that to 80Mi.)
$ oc get deployment
$ oc edit deployment/deploymentname

    resources:
      requests:
        memory: 80Gi --> change to 80Mi
$ oc get pods

oc rsh podname bash

For all troubleshooting questions, just run oc edit pod/podname and don't do anything.

Except for one user, add self-provisioner to all users.
