
31. Newly added exam question type - 1 / Modifying a ConfigMap

by 조청유곽 2025. 11. 6.

[Question]

An Nginx Deployment named nginx-static is running in the nginx-static namespace.
It is configured using a ConfigMap named nginx-config. Update the nginx-config ConfigMap
to allow only TLSv1.3 connections. Re-create, restart, or scale resources as necessary.
Use the following command to test the changes.

[candidate@cka2025] $ curl --tls-max 1.2 https://web.k8s.local

 


 

[Precondition]

(1) Create the ConfigMap to use for the test

---
apiVersion: v1
kind: Namespace
metadata:
  name: nginx-static
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: nginx-static
data:
  nginx.conf: |
    user  nginx;
    worker_processes  auto;

    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;

    events {
      worker_connections  1024;
    }

    http {
      # Default log format
      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

      access_log  /var/log/nginx/access.log  main;

      # Allow TLS 1.3 only
      ssl_protocols TLSv1.3;
      ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
      ssl_prefer_server_ciphers on;

      # Redirect 80 → 443 (optional)
      server {
        listen 80;
        listen [::]:80;
        server_name  web.k8s.local;
        return 301 https://$host$request_uri;
      }

      server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name  web.k8s.local;

        ssl_certificate     /etc/nginx/tls/tls.crt;
        ssl_certificate_key /etc/nginx/tls/tls.key;

        # Demo response
        location / {
          return 200 "OK: TLSv1.3 only\n";
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-static
  namespace: nginx-static
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-static
  template:
    metadata:
      labels:
        app: nginx-static
    spec:
      containers:
        - name: nginx
          image: nginx:1.25-alpine
          imagePullPolicy: IfNotPresent
          ports:
            - name: https
              containerPort: 443
            - name: http
              containerPort: 80
          args:
            - /bin/sh
            - -c
            - |
              # Validate the config file, then run in the foreground
              nginx -t && exec nginx -g 'daemon off;'
          readinessProbe:
            tcpSocket:
              port: 443
            initialDelaySeconds: 3
            periodSeconds: 5
          livenessProbe:
            tcpSocket:
              port: 443
            initialDelaySeconds: 10
            periodSeconds: 10
          volumeMounts:
            - name: nginx-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
            - name: tls-secret
              mountPath: /etc/nginx/tls
              readOnly: true
      volumes:
        - name: nginx-config
          configMap:
            name: nginx-config
            items:
              - key: nginx.conf
                path: nginx.conf
        - name: tls-secret
          secret:
            secretName: nginx-tls

 

[Solve]

- Export the ConfigMap as YAML, then edit it so that only TLSv1.3 remains in ssl_protocols.
- Delete the existing ConfigMap and re-create it.
- Restart the Deployment with rollout restart.
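
The edit step above, as an added example that is not part of the original post: shell helpers that rewrite every `ssl_protocols` directive in the exported ConfigMap YAML to TLSv1.3 only and then audit the result. The function names and the sample "before" excerpt (which still enables TLSv1.2) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Rewrite every ssl_protocols directive to TLSv1.3 only, keeping indentation.
# Commented-out lines are left alone because the match is anchored at the
# first non-blank token of the line.
restrict_to_tls13() {
  sed -E 's/^([[:space:]]*)ssl_protocols[[:space:]]+[^;]*;/\1ssl_protocols TLSv1.3;/'
}

# Audit nginx.conf text (or the ConfigMap YAML that embeds it) on stdin.
# Succeeds only if at least one ssl_protocols directive exists and none of
# them lists anything but TLSv1.3. A missing directive fails too, because
# nginx then falls back to its built-in default protocol list.
audit_ssl_protocols() {
  awk '
    /^[ \t]*#/ { next }
    /^[ \t]*ssl_protocols[ \t]/ {
      seen = 1
      line = $0
      sub(/;.*/, "", line)
      n = split(line, tok, /[ \t]+/)
      for (i = 1; i <= n; i++)
        if (tok[i] != "" && tok[i] != "ssl_protocols" && tok[i] != "TLSv1.3") {
          printf "line %d: %s still enabled\n", NR, tok[i]
          bad = 1
        }
    }
    END { exit ((seen && !bad) ? 0 : 1) }
  '
}

# Constructed "before" excerpt of an exported ConfigMap that still allows TLSv1.2.
sample_before() {
  cat <<'EOF'
data:
  nginx.conf: |
    http {
      # Allow TLS 1.2 and 1.3
      ssl_protocols TLSv1.2 TLSv1.3;
      server {
        listen 443 ssl;
      }
    }
EOF
}

sample_before | audit_ssl_protocols || echo "before: not TLSv1.3-only"
sample_before | restrict_to_tls13 | audit_ssl_protocols && echo "after: TLSv1.3 only"
```

Against the cluster, pipe `kubectl get configmaps -n nginx-static nginx-config -o yaml` into `audit_ssl_protocols` before deleting and after re-creating the ConfigMap.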

 

controlplane ~ ➜  kubectl get configmaps -n nginx-static nginx-config -o yaml > 31.configmap.yaml

controlplane ~ ➜  kubectl get deployments.apps 
No resources found in default namespace.

controlplane ~ ➜  kubectl get deployments.apps -A
NAMESPACE      NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
kube-system    coredns                  1/1     1            1           8m6s
kube-system    local-path-provisioner   1/1     1            1           8m6s
kube-system    metrics-server           1/1     1            1           8m6s
kube-system    traefik                  1/1     1            1           7m38s
nginx-static   nginx-static             0/2     2            0           2m7s

controlplane ~ ➜  kubectl delete configmaps -n nginx-static nginx-config 
configmap "nginx-config" deleted from nginx-static namespace

controlplane ~ ➜  kubectl apply -f 31.configmap.yaml 
configmap/nginx-config created

controlplane ~ ➜  kubectl rollout 
history  (View rollout history)                  restart  (Restart a resource)                    status   (Show the status of the rollout)
pause    (Mark the provided resource as paused)  resume   (Resume a paused resource)              undo     (Undo a previous rollout)

controlplane ~ ➜  kubectl rollout restart 
daemonset    deployment   statefulset  

controlplane ~ ➜  kubectl rollout restart deployment -n nginx-static nginx-static 
deployment.apps/nginx-static restarted

controlplane ~ ➜  kubectl get deployments.apps -n nginx-static 
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
nginx-static   0/2     1            0           3m44s

controlplane ~ ➜  kubectl get deployments.apps -n nginx-static 
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
nginx-static   0/2     1            0           3m50s

controlplane ~ ➜  kubectl rollout status deployment -n nginx-static nginx-static 
Waiting for deployment "nginx-static" rollout to finish: 1 out of 2 new replicas have been updated...