The Ops Community ⚙️: Akshay Rao

Build a end to end DevSecOps pipeline for Nodejs project

Akshay Rao — Sun, 29 Oct 2023 17:59:45 +0000

Hi this Akshay Rao, I tried to create the whole devops pipeline including some security scans. These security scans are very important as the vulnerability is found before the Application is the production, because if the vulnerability are found in the production the cost of rectifying is very high.

Lets start by understanding the pipeline

the developers commit the App code to the remote repository like GitHub, GitBucket and others.
code has to built, run unit test and pass it.
we will have to scan the whole code for vulnerabilities, for that we will be conducting SAST (Static Application Security testingTesting),SCA(Software Composition Analysis) and DAST (Dynamic Application Security Testing).
The SAST is a methodology to find security vulnerabilities in the application. I have used Sonar cloud to perform SAST in this pipeline
The SCA is performed to evaluate security, license compliance, imported package vulnerabilities or the deprecated packages and code quality. I have used Snyk tool in the pipeline.
The DAST is similar to SAST but he scan is done when the application is running in the production environment. I have used OWASP ZAP tool in pipeline.
After the scans are done then the reports and issues are generated. if any vulnerability found can be rectified immediately or can be communicated to the developers.

I have take nodejs project in the Github, write a workflow.yml
In this yml file i have created

Three jobs (build, security and zap_scan)
In build job ,I have built the application and performed SAST scan in the name of Sonar cloud scan.
In Security job, I have run the SCA scan with Snyk tool.
In Zap_scan, I have performed the DAST with OWASP ZAP tool. In the Target key we can put the url of the Application. I had to generate a token form Synk and Sonar cloud (SYNK_TOKENS & SONAR_TOKEN) in the github repository settings. Then commit the workflow and the scans will start running in the actions tab in the github.

name: Build code, run unit test, run SAST, SCA, DAST security scan for NodeJs App
on: push

jobs:
  build:
    runs-on: ubuntu-latest
    name: Run unit tests and SAST scan on the source code 
    steps:
    - uses: actions/checkout@v3
    - uses: actions/setup-node@v3
      with:
        node-version: 16
        cache: npm
    - run: npm install
    - name: SonarCloud Scan
      uses: sonarsource/sonarcloud-github-action@master
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      with:
        args: >
          -Dsonar.organization=<PUT YOUR ORGANIZATION NAME>
          -Dsonar.projectKey=< PUT YOUR PROJECT KEY NAME>
  security:
    runs-on: ubuntu-latest
    needs: build
    name: Run the SCA scan on the source code
    steps:
      - uses: actions/checkout@master
      - name: RunSnyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKENS }}
  zap_scan:
    runs-on: ubuntu-latest
    needs: security
    name: Run DAST scan on the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.6.1
        with:
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://example.com/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

The reports will be genarated as artifacts or in the actions by clicking on scan names or through dashboard url which will be mentioned.
SAST Report

SCA Report

DAST Report

the github repo-https://github.com/asecurityguru/devsecops-with-github-actions-end-to-end-nodejs-project
I hope this helps you find solutions to problems
Thank you

Terraform: Resource dependencies

Akshay Rao — Sun, 29 Oct 2023 17:53:08 +0000

Hi, this Akshay Rao. Lets us look how does Terraform handle resource dependencies and provisioning order.

Terraform uses an implicit and explicit dependency paradigm to manage resource dependencies and provisioning order. This model enables Terraform to comprehend the connections between resources and guarantees that they are provisioned in the proper sequence to meet these requirements.

Implicit Dependency Model: Based on the configuration code, Terraform automatically ascertains the interdependence between resources. When one resource refers to the properties of another, Terraform creates an implicit dependency between them. For instance, Terraform will automatically recognize the dependency between an EC2 instance and a security group if you create an AWS EC2 instance and assign it to a certain security group. As a result, Terraform will make sure the security group is established first.
Explicit Dependency Model: There are occasions when you must provide explicit dependencies that Terraform cannot deduce from the configuration on its own. The depends_on parameter can be used in this situation. Even if there are no direct references between two resources in the configuration, the depends_on parameter specifies that they are interdependent. When resources lack direct attribute references to one another yet are logically dependent on one another.

An illustration of how resource dependencies operate in a Terraform configuration is given below:

resource "aws_security_group" "sg" {
  name_prefix = "sg_"
}

resource "aws_instance" "instance" {
  ami           = "ami-400Odg3r354efd"
  instance_type = "t2.micro"
  security_groups = [
    aws_security_group.web_sg.id,
  ]

}

resource "aws_s3_bucket" "tf_bucket" {
  bucket = "my-tf-bucket"
  acl    = "private"

}

In this example, the aws_instance resource is dependent on the aws_security_group resource because the security group ID is referenced in the security_groups parameter. Terraform understands that the security group must be created before the EC2 instance.

However, because the aws_s3_bucket resource contains no references to other resources, it has no implicit dependencies. If you need to construct the S3 bucket after the EC2 instance and security group are created, you can use the depends_on argument:

resource "aws_s3_bucket" "tf_bucket" {
  bucket = "my-tf-bucket"
  acl    = "private"

  depends_on = [
    aws_instance.instance,
    aws_security_group.sg,
  ]
}

Using the depends_on parameter, you explicitly specify that the aws_s3_bucket resource is dependent on both the aws_instance.instance and the aws_security_group.sg resources, ensuring proper provisioning sequence.

Keep in mind that, while depends_on aids in ordering, it does not impose rigid resource sequencing. Terraform prioritizes creating resources concurrently and resolving dependencies over waiting for each resource to be built sequentially.

Terraform: Nginx in GCE

Akshay Rao — Sun, 29 Oct 2023 17:47:48 +0000

Introduction

hi, i am Akshay Rao
This blog is about the installation of nginx in GCP VM through terraform.

Pre-requisite

GCP account (can get 300$ free trial account)
Terraform installed
VS-code

Let's start

create a project in the gcp console.
click on the tab beside google cloud logo and click new project, give name i have given it a terraform-gcp.

create a service account by searching service account in the search bar, click create service account-> give name -> add the editor role under basic.
create a keys for the service account and download the json file.
make a directory in which the terraform scripts will be stored and move the above downloaded json to this directory.

mv ~/Downloads/<file name> credentials.json

create a file named main.tf

Provider block

provider "google" {
  project = "<your project-id>"
  credentials = "${file("credentials.json")}" 
  region = "us-west1"
  zone = "us-west1-a"
}

now execute terraform init
this is done so that the terraform can connect to gcp.
.terraform.lock.hcl .terraform
will be created automatically
provider will be registered.

Resources block create a network , one subnetwork and VM instance in which the nginx will be running.

resource "google_compute_network" "vpc_network" {
  name                    = "my-custom-network"
  auto_create_subnetworks = false
  mtu                     = 1460
}

resource "google_compute_subnetwork" "default" {
  name          = "us-west-a"
  ip_cidr_range = "10.0.1.0/24"
  region        = "us-west1"
  network       = google_compute_network.vpc_network.id
}

resource "google_compute_instance" "nginx-instance" {
    name = "nginx-intsance"
    machine_type = "f1-micro"
    tags = ["ssh"]                                              
    zone = "us-west1-a"
    allow_stopping_for_update = true

    boot_disk {
      initialize_params {
        image = "debian-cloud/debian-11"
      }
    }
    metadata_startup_script =  "sudo apt-get update; sudo apt-get install -y nginx; sudo systemctl start nginx"      // renderning script from template file
    network_interface {
      subnetwork = "google_compute_subnetwork.default.id"
      subnetwork_project = "<your project id>"
      access_config {
         // is included so that the vm gets external ip address
      }
    }
}

mtu - maximum trasmiaaion unit.
added boot as the debian 11 image.
in the metadata_startup_script i have passed the installation commands for the nginx.

Deployment and Verify

save it
now run command terraform plan and yes
terraform will know the what resources to create with plan command and it will create orderly when applied.

[akshay.rao terraform-gcp]$ terraform plan
data.template_file.nginx_installation: Reading...
data.template_file.nginx_installation: Read complete after 0s [id=cfbeb1ad70856f85403aaec9edaed46cdcd3ab215367abd5b1049f5a69a24fc1]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_instance.nginx-instance will be created
  + resource "google_compute_instance" "nginx-instance" {
      + allow_stopping_for_update = true
      + can_ip_forward            = false
      + cpu_platform              = (known after apply)
      + current_status            = (known after apply)
      + deletion_protection       = false
      + guest_accelerator         = (known after apply)
      + id                        = (known after apply)
      + instance_id               = (known after apply)
      + label_fingerprint         = (known after apply)
      + machine_type              = "f1-micro"
      + metadata_fingerprint      = (known after apply)
      + metadata_startup_script   = <<-EOT
            #!/bin/bash/
            set -e
            echo "** installing nginx **"
            sudo apt-get update
            sudo apt-get install -y nginx
            sudo systemctl enable nginx
            sudo systemctl restart nginx

            echo "**   Installation Complteted!!   **"

            echo "Welcome to Nginx which is deployed using Terraform!!!" > /var/www/html

            echo "**   Startup script completes!!   **"
        EOT
      + min_cpu_platform          = (known after apply)
      + name                      = "nginx-intsance"
      + project                   = (known after apply)
      + self_link                 = (known after apply)
      + tags                      = [
          + "proxy",
        ]
      + tags_fingerprint          = (known after apply)
      + zone                      = "us-west1-a"

      + boot_disk {
          + auto_delete                = true
          + device_name                = (known after apply)
          + disk_encryption_key_sha256 = (known after apply)
          + kms_key_self_link          = (known after apply)
          + mode                       = "READ_WRITE"
          + source                     = (known after apply)

          + initialize_params {
              + image  = "debian-cloud/debian-11"
              + labels = (known after apply)
              + size   = (known after apply)
              + type   = (known after apply)
            }
        }

      + network_interface {
          + ipv6_access_type   = (known after apply)
          + name               = (known after apply)
          + network            = "default"
          + network_ip         = (known after apply)
          + stack_type         = (known after apply)
          + subnetwork         = (known after apply)
          + subnetwork_project = (known after apply)

          + access_config {
              + nat_ip       = (known after apply)
              + network_tier = (known after apply)
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

now terraform apply and yes

[akshay.rao terraform-gcp ]$ terraform apply
data.template_file.nginx_installation: Reading...
data.template_file.nginx_installation: Read complete after 0s [id=cfbeb1ad70856f85403aaec9edaed46cdcd3ab215367abd5b1049f5a69a24fc1]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_instance.nginx-instance will be created
  + resource "google_compute_instance" "nginx-instance" {
      + allow_stopping_for_update = true
      + can_ip_forward            = false
      + cpu_platform              = (known after apply)
      + current_status            = (known after apply)
      + deletion_protection       = false
      + guest_accelerator         = (known after apply)
      + id                        = (known after apply)
      + instance_id               = (known after apply)
      + label_fingerprint         = (known after apply)
      + machine_type              = "f1-micro"
      + metadata_fingerprint      = (known after apply)
      + metadata_startup_script   = <<-EOT
            #!/bin/bash/
            set -e
            echo "** installing nginx **"
            sudo apt-get update
            sudo apt-get install -y nginx
            sudo systemctl enable nginx
            sudo systemctl restart nginx

            echo "**   Installation Complteted!!   **"

            echo "Welcome to Nginx which is deployed using Terraform!!!" > /var/www/html

            echo "**   Startup script completes!!   **"
        EOT
      + min_cpu_platform          = (known after apply)
      + name                      = "nginx-intsance"
      + project                   = (known after apply)
      + self_link                 = (known after apply)
      + tags                      = [
          + "proxy",
        ]
      + tags_fingerprint          = (known after apply)
      + zone                      = "us-west1-a"

      + boot_disk {
          + auto_delete                = true
          + device_name                = (known after apply)
          + disk_encryption_key_sha256 = (known after apply)
          + kms_key_self_link          = (known after apply)
          + mode                       = "READ_WRITE"
          + source                     = (known after apply)

          + initialize_params {
              + image  = "debian-cloud/debian-11"
              + labels = (known after apply)
              + size   = (known after apply)
              + type   = (known after apply)
            }
        }

      + network_interface {
          + ipv6_access_type   = (known after apply)
          + name               = (known after apply)
          + network            = "default"
          + network_ip         = (known after apply)
          + stack_type         = (known after apply)
          + subnetwork         = (known after apply)
          + subnetwork_project = (known after apply)

          + access_config {
              + nat_ip       = (known after apply)
              + network_tier = (known after apply)
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_compute_instance.nginx-instance: Creating...
google_compute_instance.nginx-instance: Still creating... [10s elapsed]
google_compute_instance.nginx-instance: Still creating... [20s elapsed]
google_compute_instance.nginx-instance: Creation complete after 22s [id=projects/terraform-gcp-388209/zones/us-west1-a/instances/nginx-intsance]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

now go to console and search for vm instances you will be able to see the vm running

click on ssh with open with browser window

the terminal will open
run command systemctl status nginx
you will get:-

we have insatlled nginx through terraform.
Thank you

Docker Container manipulation Part-II

Akshay Rao — Sun, 29 Oct 2023 17:29:50 +0000

Introduction
Hi, I am Akshay Rao this is the part II of container manipulations. I had written the blog on basic manipulation.
I will leave the link of the previous in the conclusion.
I have used Go app for demonstration purposes.
How to Restart a Container
Here there can be two situations

Restating a stoped or killed container
Rebooting a running container To restart a stopped or killed container we can use container start command docker container start “identifier”

docker container start akshay_rao
akshay_rao
akshayrao@HL00802 ~ % docker container ls -a
CONTAINER ID   IMAGE                                             COMMAND          CREATED        STATUS                    PORTS                    NAMES
6360b3c15f34   aksrao1998/first-go-project                       "/app/project"   28 hours ago   Up 14 seconds             0.0.0.0:8080->8080/tcp   akshay_rao
52fa8c04c200   aksrao1998/first-go-project                       "/app/project"   29 hours ago   Exited (2) 28 hours ago                            elated_colden
b2f071967c1a   aksrao1998/first-go-project                       "/app/project"   29 hours ago   Exited (2) 29 hours ago                            goofy_haslett
5db127b7f005   aksrao1998/first-go-repository:first-go-project   "/app/project"   29 hours ago   Exited (2) 29 hours ago                            nostalgic_margulis
eab55402a418   aksrao1998/first-go-repository:first-go-project   "/app/project"   29 hours ago   Exited (2) 29 hours ago                            blissful_sutherland
b0de1c496db1   aksrao1998/first-go-project                       "/app/project"   29 hours ago   Exited (2) 29 hours ago                            peaceful_moore
7c72eda7950c   aksrao1998/first-go-project                       "/app/project"   4 weeks ago    Exited (2) 4 weeks ago                             zealous_clarke

Rebooting a container
docker conatiner restart “indentifier”

docker container restart akshay_rao
akshay_rao

How to Create a Container Without Running
docker container create “image-name”

docker container create  -p 8080:8080 aksrao1998/first-go-project
6360b3c15f34b8dc605079cfd1c58f9e4ea9c900d4307bab5fafe766c4623451

How to Remove Dangling Containers
Container rm command is used when un-necessary container are there.
docker container rm “container-identifier”
There is also option —rm for container run and container start commands which will remove the containers as soon as they are stopped.

docker container run —rm -p 8080:8080 —name remove_it  aksrao1998/first-go-project

How to Run a Container in Interactive Mode
Sometimes we have to execute commands inside the container, -it option is used to get acccess to the STDERR.
Any interactive program inside a container can be interacted with using the -it option. This choice is actually the combination of two distinct choices.

You can send inputs to bash by connecting to the container's input stream using the -i or —interactive option.
By allocating a pseudo-tty, the -t or —tty option ensures that you receive good formatting and a native terminal-like experience.

How to Work With Executable Images
The program running inside the container is isolated from the local host file system so to grant direct access used bind mounts.
By using a bind mount, you can create a two-way data connection between the contents of one directory (the source) on your local file system and another directory inside a container (destination). The source directory will benefit from any modifications made to the destination directory in this manner, and vice versa.
—volume or -v “”local file system directory absolute path:”container file system directory absolute path”:”read write access”
Conclusion
I have covered most of the container manipulation.
the last blog link:-https://dev.to/aksrao1998/docker-container-manipulation-part-i-1pbe
Thank you

Docker Container Manipulation Part-I

Akshay Rao — Sun, 29 Oct 2023 17:27:53 +0000

Introduction

I am Akshay Rao working in Annotation.Inc. I tried different container manipulations in this blog.
I have used Go app for demonstration purposes.

How to Run a Container
The “docker run” command is used to start a container using images.
I used docker run "image name" command which has generic syntax but the actual syntax is
Docker "object" "command" "options"

Object - describes which docker object will be manipulated
Command - task that the docker deamon will be assigned
Options - parameter which will overrule the defaults behaviour of the command.

docker container run --publish 8080:8080 aksrao1998/first-go-project

How to Publish a Port
syntax:- —publish "host port":"container port"
To publish port I used —publish or -p option and binding the container port 8080 with host system 8080.
The app will be accessed in localhost:8080
To stop the container close the terminal window or press ctrl+c

How to Use Detached Mode
The container stops when the terminal window is closed. This is because, by default the container that are ran in foreground are attached to the terminal.
So in-order to run the container separately detach option is used.
This a very famous options —detach or -d

Example:- docker container run —detach —publish 8080:8080 aksrao1998/first-go-project

docker container run -d -p 8080:8080 aksrao1998/first-go-project
6360b3c15f34b8dc605079cfd1c58f9e4ea9c900d4307bab5fafe766c4623451

The order of the options provided doesn’t matter, but make sure that the options are written before image name, anything written after image name is considered as an argument.

How to List Containers

docker container ls

CONTAINER ID   IMAGE                            COMMAND          CREATED         STATUS           PORTS                       NAMES
6360b3c15f34   aksrao1998/first-go-project   "/app/project"   5 minutes ago   Up 5 minutes   0.0.0.0:8080->8080/tcp   affectionate_hertz

Container ID is provide as it is 64 character long but for display only first 12 characters are displayed.
Name is automatically assigned by the daemon, we can also manually assign name to the container for better observer ability .

How to Name or Rename a Container
Every container has two identifiers

Conatiner ID - a random 64 character-long string
Name:- combination of two random words, joined with underscore

—name option can be used while running a container

To rename the container use container rename
Syntax- docker container rename "container identifier" "new name"

docker rename affectionate_hertz akshay_rao
docker container ls

CONTAINER ID   IMAGE                          COMMAND          CREATED          STATUS            PORTS                  NAMES
6360b3c15f34   aksrao1998/first-go-project   "/app/project"   19 minutes ago   Up 6 seconds   0.0.0.0:8080->8080/tcp   akshay_rao

How to Stop or Kill a Running Container
The container can be stoped by closing the terminal window or ctrl+c.
But for those container which are detach options need to use container stop command.
Syntax:- docker container stop “identifier”
Example-

docker container stop akshay_rao

This command sends SIGTERM signal to shutdown the container properly, if the container doesn’t stop within certain time than SIGKILL signal is sent to shutdown immediately.
To kill the container directly kill command can be used.
Syntax- docker container kill "identifier"

docker container kill akshay_rao

Conclusion
I have introduced the basic manipulation like running, publishing, detaching, renaming and terminating the containers.
I hope that this helps in managing docker containers and stay tuned for Part-II.
How do you think about the blog?
pls comment and share
Thank you

How does a pod get launched when deployment is applied.

Akshay Rao — Sun, 29 Oct 2023 17:24:49 +0000

Introduction
Hi, I am Akshay Rao.
While working with Kubernetes, i had a question how does the deployment make a pod, even in the yaml file, the kind we don't mention the as pod then also the pod is created, i researched and understood how it actually it works.
Let's Start
For this flow to understand we need to understand the controllers in the k8s.
every controller has a 2 component:-

Informers keep an eye on the desired state of resources in a scalable and sustainable manner. They also have a resync mechanism, which enforces periodic reconciliation and is frequently used to ensure that the cluster state and the assumed state cached in memory do not drift (due to faults or network issues.
Work queue is essentially a component that may be utilized by the event handler to handle the queuing of state changes and aid in the implementation of retries. This feature is accessible in client-go via the work queue package. Resources can be requeued if there are mistakes when updating the world or publishing the status, or if we need to evaluate the resource after a period of time for various reasons. we have understood the controller components, now we will see the pods creation flow.

The deployment controller (located within kube-controller-manager) detects (through a deployment informer) that the user has created a deployment. In its business logic, it generates a replica set.
The replica set controller (again, inside kube-controllermanager) observes the new replica set (through a replica set informer) and executes its business logic, which generates a pod object.
The scheduler (within the kube-scheduler binary), which is also a controller, observes the pod with an empty spec.nodeName field (through a pod informer). Its business logic queues the pod for scheduling.
Meanwhile, another controller, the kubelet, observes the new pod (via its pod informer). However, the new pod's spec.nodeName field is empty, therefore it does not match the kubelet's node name. It ignores the pod and returns to sleep until next event is triggered.
The scheduler removes the pod from the work queue and assigns it to a node with appropriate spare resources by modifying the pod's spec.nodeName field and writing it to the API server.
The kubelet re-wakes as a result of the pod update event. It compares the spec.nodeName to its own node name once again. Because the names match, the kubelet launches the pod's containers and informs back to the API server that the containers have been launched by writing this information into the pod status.
The replica set controller observes the modified pod but is powerless to intervene.
The pod eventually comes to an end. The kubelet will detect this, retrieve the pod object from the API server, set the "terminated" condition in the pod's status, and return it to the API server.
When the replica set controller observes the terminated pod, he determines that it must be replaced. It removes the terminated pod from the API server and replaces it with a fresh one.
And so on.

Thus this ishow the pods are created via deployments.
I hope this has brough some clarity.

Thank you

Kubernetes : Core Concepts

Akshay Rao — Sun, 29 Oct 2023 17:23:01 +0000

Introduction
Hi, I am Akshay Rao, will be starting a exercise series on k8s.
In this blog there will not explanation only problems and solutions.if you want explanation have a look at this series:-
https://dev.to/aksrao1998/series/24887

Pre-requisite
have minikube or kind running in the local machine.

Note:- k is alias for kubectl.

Let's Start

Problem 1
Create a namespace called 'mynamespace' and a pod with image nginx called nginx on this namespace.

Solution

[k8s-ckad (⎈|minikube:default)]$ k get ns
NAME              STATUS   AGE
default           Active   9d
hands-on          Active   9d
kube-node-lease   Active   9d
kube-public       Active   9d
kube-system       Active   9d

[k8s-ckad (⎈|minikube:default)]$ k create namespace mynamespace
namespace/mynamespace created
[k8s-ckad (⎈|minikube:default)]$ k config set-context --current --namespace=mynamespace
Context "minikube" modified.

# deploy a pod
[k8s-ckad (⎈|minikube:mynamespace)]$ kubectl run nginx --image=nginx --dry-run=client -o yaml > pods.yaml

# edit the pods.yaml
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
  namespace: mynamespace 

# verify
[k8s-ckad (⎈|minikube:mynamespace)]$ k create -f pods.yaml 
pod/nginx created
[k8s-ckad (⎈|minikube:mynamespace)]$ k get po
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          6s

Problem 2
Create a busybox pod (using kubectl command) that runs the command "env". Run it and see the output.

Solution

[k8s-ckad (⎈|minikube:mynamespace)]$ k run soln2 --image=busybox --command --restart=Never -it --rm -- env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=soln2
TERM=xterm
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_SERVICE_PORT=443
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
HOME=/root
pod "soln2" deleted

Problem 3
Create the YAML for a new ResourceQuota called 'myrq' with hard limits of 1 CPU, 1G memory and 2 pods without creating it

Solution

[k8s-ckad (⎈|minikube:mynamespace)]$ k create quota myrq  --hard=cpu=1,memory=1G,pods=2 --dry-run=client -o y
aml
apiVersion: v1
kind: ResourceQuota
metadata:
  creationTimestamp: null
  name: myrq
spec:
  hard:
    cpu: "1"
    memory: 1G
    pods: "2"
status: {}

Problem 4

Create a pod with image nginx:1.25.1 called nginx and expose traffic on port 80

Solution

[k8s-ckad (⎈|minikube:mynamespace)]$ k run  mypod --image=nginx:1.25.1 --port=80
pod/mypod created

#Verify

[k8s-ckad (⎈|minikube:mynamespace)]$ k get po
NAME    READY   STATUS              RESTARTS   AGE
mypod   0/1     ContainerCreating   0          4s
nginx   1/1     Running             0          20m

[k8s-ckad (⎈|minikube:mynamespace)]$ k exec -it mypod bash -- nginx -v
nginx version: nginx/1.25.1

[k8s-ckad (⎈|minikube:mynamespace)]$ k describe pods mypod
Name:             mypod
Namespace:        mynamespace
Priority:         0
Service Account:  default
Node:             minikube/192.168.49.2
Start Time:       Thu, 12 Oct 2023 17:33:46 +0900
Labels:           run=mypod
Annotations:      <none>
Status:           Running
IP:               172.17.0.4
IPs:
  IP:  172.17.0.4
Containers:
  mypod:
    Container ID:   docker://147821ce3a12c57d9fef21026a57fcd0cee71360b411275db391a3dcccc25270
    Image:          nginx:1.25.1
    Image ID:       docker-pullable://nginx@sha256:67f9a4f10d147a6e04629340e6493c9703300ca23a2f7f3aa56fe615d75d31ca
    Port:           80/TCP
    Host Port:      0/TCP

I hope this blog exercise has helped you.
Thank you