diff --git a/README.md b/README.md
index 4931fa8..33994ed 100644
--- a/README.md
+++ b/README.md
@@ -4651,6 +4651,12 @@ Desktop virtualization
Yes, it's a operating-system-level virtualization, where the kernel is shared and allows to use multiple isolated user-spaces instances.
+How the introduction of virtual machines changed the industry and the way applications were deployed?
+
+The introduction of virtual machines allowed companies to deploy multiple business applications on the same hardware while each application is separated from each other in secured way, where each is running on its own separate operating system.
+What is the OCI?
-OCI (Open Container Initiative) is an open governance established in 2015 to standardize container creation - format, runtime, etc. At that time there were a number of parties involved and the most prominent one was Docker.
+OCI (Open Container Initiative) is an open governance established in 2015 to standardize container creation - mostly image format and runtime. At that time there were a number of parties involved and the most prominent one was Docker.
+
+Specifications published by OCI:
+
+ - [image-spec](https://github.com/opencontainers/image-spec)
+ - [runtime-spec](https://github.com/opencontainers/runtime-spec)
Describe in detail what happens when you run `podman/docker run hello-world`?
-Docker CLI passes your request to Docker daemon.
-Docker daemon downloads the image from Docker Hub
-Docker daemon creates a new container by using the image it downloaded
-Docker daemon redirects output from container to Docker CLI which redirects it to the standard output
-What are `dockerd, docker-containerd, docker-runc, docker-containerd-ctr, docker-containerd-shim` ?
-
-dockerd - The Docker daemon itself. The highest level component in your list and also the only 'Docker' product listed. Provides all the nice UX features of Docker.
-
-(docker-)containerd - Also a daemon, listening on a Unix socket, exposes gRPC endpoints. Handles all the low-level container management tasks, storage, image distribution, network attachment, etc...
-
-(docker-)containerd-ctr - A lightweight CLI to directly communicate with containerd. Think of it as how 'docker' is to 'dockerd'.
-
-(docker-)runc - A lightweight binary for actually running containers. Deals with the low-level interfacing with Linux capabilities like cgroups, namespaces, etc...
-
-(docker-)containerd-shim - After runC actually runs the container, it exits (allowing us to not have any long-running processes responsible for our containers). The shim is the component which sits between containerd and runc to facilitate this.
-
-![alt text](https://i.stack.imgur.com/lAtSR.png "Docker Process")
-
+Docker/Podman CLI passes your request to Docker daemon.
+Docker/Podman daemon downloads the image from Docker Hub
+Docker/Podman daemon creates a new container by using the image it downloaded
+Docker/Podman daemon redirects output from container to Docker CLI which redirects it to the standard output
Which components/layers compose the Docker technology?
+
+1. Runtime - responsible for starting and stopping containers
+2. Daemon/Engine - implements the runtime, API, ...
+3. Orchestrator
+What is the low-level runtime?
+
+ - The low level runtime is called runc
+ - It manages every container running on Docker host
+ - Its purpose is to interact with the underlying OS to start and stop containers
+ - Its reference implementation is of the OCI (Open Containers Initiative)
+What is the high-level runtime?
+
+ - The high level runtime is called containerd
+ - It manages the whole lifecycle of a container - network interfaces, pulling images, ...
+ - It manages the lower level runtime (runc) instances
+ - It's used both by Docker and Kubernetes as a container runtime
+
+Note: running `ps -ef | grep -i containerd` on a system with Docker installed and running, you should see a process of containerd
+True or False? The docker daemon (dockerd) performs lower-level tasks compared to containerd
+
+False. The Docker daemon performs higher-level tasks compared to containerd.
+It's responsible for managing networks, volumes, images, ...
+Describe in detail what happens when you run `docker pull image:tag`?
Docker CLI passes your request to Docker daemon. Dockerd Logs shows the process
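Review bot: the four rewritten steps (`+Docker/Podman CLI passes your request to Docker daemon.` and the following three) are wrong for Podman, which has no daemon: the podman CLI itself pulls the image and starts the container through the OCI runtime, and it pulls from whichever registry is configured, not necessarily Docker Hub. Either keep the steps Docker-only and add a one-line Podman note (daemonless, no socket to protect), or drop `/Podman` from them. In the same answer, say the image is downloaded only if it is not already present locally. Other points in this hunk: `+ - Its reference implementation is of the OCI (Open Containers Initiative)` is garbled and should read "It is the reference implementation of the OCI runtime-spec"; the deleted `(docker-)containerd-shim` paragraph is not carried over into the new low-level/high-level runtime answers, so the explanation of how runc can exit while the container keeps running is lost, consider keeping one bullet for the shim; `+...each application is separated from each other in secured way` needs "in a secure way" (better: "isolated from each other, each with its own kernel", which is the contrast with the shared-kernel answer in the context line above); `+Note: running ... you should see a process of containerd` reads better as "you should see a containerd process".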
@@ -5755,7 +5788,6 @@ pulling blob \"sha256:61c5ed1cbdf8e801f3b73d906c61261ad916b2532d6756e7c4fbcacb97
Applying tar in /var/lib/docker/overlay2/507df36fe373108f19df4b22a07d10de7800f33c9613acb139827ba2645444f7/diff" storage-driver=overlay2
Applied tar sha256:514c3a3e64d4ebf15f482c9e8909d130bcd53bcc452f0225b0a04744de7b8c43 to 507df36fe373108f19df4b22a07d10de7800f33c9613acb139827ba2645444f7, size: 1223534
-
How the Docker client communicates with the daemon?
+
+Via the local socket at `/var/run/docker.sock`
+What is a container image?
+
+An image of a container contains the application, its dependencies and the operating system where the application is executed.
+TODO: add more details
+How to list the container images on certain host?
+
+`podman image ls`
+`docker image ls`
+
+Depends on which containers technology you use.
+How to retrieve the latest ubuntu image?
+
+`docker image pull ubuntu:latest`
+What is Dockerfile
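Review bot: `+An image of a container contains the application, its dependencies and the operating system where the application is executed.` contradicts the earlier context line stating that the kernel is shared; an image carries a root filesystem (userland binaries and libraries), not a kernel, so say "the userspace of an operating system" or "a root filesystem". `+TODO: add more details` should not ship in a user-facing answer; finish it or leave it out of this PR. For `+Via the local socket at `/var/run/docker.sock`` the answer is more useful with one sentence that whoever can write to that socket controls the daemon and therefore the host, which is why it is restricted to root and the docker group by default. Minor: `+Depends on which containers technology you use.` reads better placed before the two commands as "depending on which container technology you use", and `+How to list the container images on certain host?` needs "on a certain host".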
@@ -5938,15 +6000,21 @@ Read more [here](https://www.redhat.com/en/topics/containers/what-is-a-kubernete
Do you have experience with deploying a Kubernetes cluster? If so, can you describe the process in high-level?
-1. Create multiple instances you will use as Kubernetes nodes/workers. Create also an instance to act as the Master. The instances can be part of the cloud or virtual machines on physical hosts.
-2. When or why NOT to use Kubernetes?
- - If you deploy applications using containers and you need to manage scaling, rolling out updates, etc. You probably want to use Kubernetes
+ - If you are big team of engineers (e.g. 200) deploying applications using containers and you need to manage scaling, rolling out updates, etc. You probably want to use Kubernetes
+
- If you manage low level infrastructure or baremetals, Kubernetes is probably not what you need or want
+ - If you are a small team (e.g. 20-50 engineers) Kubernetes might be an overkill (even if you need scale, rolling out updates, etc.)
What actions or operations you consider as best practices when it comes to Kuberentes?
+
+ - Always make sure Kubernetes YAML files are valid. Applying automated checks and pipelines is recommended.
+ - Always specify requests and limits to prevent situation where containers are using the entire cluster memory which may lead to OOM issue
+What is kubectl?
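Review bot: removing `-1. Create multiple instances you will use as Kubernetes nodes/workers...` leaves the context question `Do you have experience with deploying a Kubernetes cluster?` with no answer; keep the old answer or add a replacement. The new "when not to use" bullets now make team size the criterion: `+ - If you are big team of engineers (e.g. 200)...` (should be "a big team") says yes, while `+ - If you are a small team (e.g. 20-50 engineers) Kubernetes might be an overkill (even if you need scale, rolling out updates, etc.)` says no even when the stated needs are the same; state the trade-off (operational overhead of running a cluster versus the features actually needed) rather than a headcount. In the best-practices bullets, "to prevent situation where containers are using the entire cluster memory which may lead to OOM issue" should be "to prevent situations where containers consume all of a node's memory and get OOM-killed", and the YAML-validation bullet could name a concrete check such as `kubectl apply --dry-run=server` in CI so invalid manifests fail before deploy. The context heading `Kuberentes` could be fixed to `Kubernetes` while you are here.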
@@ -6029,6 +6104,18 @@ False. A Kubernetes cluster consists of at least 1 master and can have 0 workers
You are managing multiple Kubernetes clusters. How do you quickly change between the clusters using kubectl?
+
+`kubectl config use-context`
+How do you prevent high memory usage in your Kubernetes cluster and possibly issues like memory leak and OOM?
+
+Apply requests and limits, especially on third party applications (where the uncertainty is even bigger)
+Why it's usually considered better to include one container per Pod?
+
+One reason is that it makes it harder to scale, when you need to scale only one of the containers in a given Pod.
+True or False? The lifecycle of Pods and Services isn't connected so when a pod dies, the service still stays
+True or False? The lifecycle of Pods and Services isn't connected so when a Pod dies, the Service still stays
True
How to get information on a certain service?
-kubctl describe service
-It exposes a ReplicaSet by creating a service called 'replicaset-svc'. The exposed port is 2017 and the service type is NodePort which means it will be reachable externally.
+It exposes a ReplicaSet by creating a service called 'replicaset-svc'. The exposed port is 2017 (this is the port used by the application) and the service type is NodePort which means it will be reachable externally.
+True or False? the target port, in the case of running the following command, will be exposed only on one of the Kubernetes cluster nodes but it will routed to all the pods
+
+```
+kubectl expose rs some-replicaset --name=replicaset-svc --target-port=2017 --type=NodePort
+```
+
+
+False. It will be exposed on every node of the cluster and will be routed to one of the Pods (which belong to the ReplicaSet)
How to verify that a certain service configured to forward the requests to a given pod
-Run `kubectl describe service` and if the IPs from "Endpoints" match any IPs from the output of `kubectl get pod -o wide`
+Run `kubectl describe service` and see if the IPs from "Endpoints" match any IPs from the output of `kubectl get pod -o wide`
+Explain what will happen when running apply on the following block
+
+```
+apiVersion: v1
+kind: Service
+metadata:
+ name: some-app
+spec:
+ type: NodePort
+ ports:
+ - port: 8080
+ nodePort: 2017
+ protocol: TCP
+ selector:
+ type: backend
+ service: some-app
+```
+
+
+It creates a new Service of the type "NodePort" which means it can be used for internal and external communication with the app.
+The port of the application is 8080 and the requests will forwarded to this port. The exposed port is 2017. As a note, this is not a common practice, to specify the nodePort.
+The port used TCP (instead of UDP) and this is also the default so you don't have to specify it.
+The selector used by the Service to know to which Pods to forward the requests. In this case, Pods with the label "type: backend" and "service: some-app".
True or False? When "NodePort" is used, "ClusterIP" will be created automatically?
+
+True
+When would you use the "LoadBalancer" type
+
+Mostly when you would like to combine it with cloud provider's load balancer
+How would you map a service to an external address?
+
+Using the 'ExternalName' directive.
+Describe in detail what happens when you create a service
+
+1. Kubectl sends a request to the API server to create a Service
+2. The controller detects there is a new Service
+3. Endpoint objects created with the same name as the service, by the controller
+4. The controller is using the Service selector to identify the endpoints
+5. kube-proxy detects there is a new endpoint object + new service and adds iptables rules to capture traffic to the Service port and redirect it to endpoints
+6. kube-dns detects there is a new Service and adds the container record to the dns server
+How to list the endpoints of a certain app?
+
+`kubectl get ep How can you find out information on a Service related to a certain Pod if all you can use is
kubectl exec
+
+You can run `kubectl exec
+Variables such as `[SERVICE_NAME]_SERVICE_HOST`, `[SERVICE_NAME]_SERVICE_PORT`, ...
+Describe what happens when a container tries to connect with its corresponding Service for the first time. Explain who added each of the components you include in your description
+
+ - The container looks at the nameserver defined in /etc/resolv.conf
+ - The container queries the nameserver so the address is resolved to the Service IP
+ - Requests sent to the Service IP are forwarded with iptables rules (or other chosen software) to the endpoint(s).
+
+Explanation as to who added them:
+
+ - The nameserver in the container is added by kubelet during the scheduling of the Pod, by using kube-dns
+ - The DNS record of the service is added by kube-dns during the Service creation
+ - iptables rules are added by kube-proxy during Endpoint and Service creation
+Explain the meaning of "http", "host" and "backend" directives
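Review bot: the Service manifest with `+ nodePort: 2017` will not do what the answer says: the API server rejects nodePort values outside its `--service-node-port-range` (30000-32767 by default), so `kubectl apply` fails with an invalid-port error instead of creating the Service; use a port in that range or, as the answer itself recommends, omit `nodePort` and let one be allocated. The earlier `+kubectl expose rs some-replicaset --name=replicaset-svc --target-port=2017 --type=NodePort` example has the same confusion: 2017 is the container (target) port there and the node port is allocated from the range, so `+The exposed port is 2017 (this is the port used by the application)` should distinguish the two. Other points: `+`kubectl config use-context`` is missing the context-name argument (`kubectl config use-context <name>`; `kubectl config get-contexts` lists them); `+True or False? The lifecycle of Pods and Services isn't connected so when a Pod dies, the Service still stays` is added while the old `pod` line stays as a context line, so the question now appears twice (needs a `-` line); `+One reason is that it makes it harder to scale, when you need to scale only one of the containers in a given Pod.` reads as if one container per Pod is what hurts scaling, rewrite as "with several containers in one Pod you can only scale them together"; `+Using the 'ExternalName' directive.` is a Service `type: ExternalName`, not a directive; `+6. kube-dns detects there is a new Service and adds the container record to the dns server` should be the Service's DNS record; `+`kubectl get ep How can you find out information...` and `+You can run `kubectl exec` are truncated, the commands and the following question have run together on one line; `+ - The nameserver in the container is added by kubelet during the scheduling of the Pod` should say kubelet writes /etc/resolv.conf when it creates the Pod on its node, after scheduling. Grammar: `will routed` and `requests will forwarded` need "will be routed" / "will be forwarded".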
@@ -6456,6 +6645,12 @@ the http line used for specifying that incoming requests will be forwarded to th
backend is referencing the internal service (serviceName is the name under metadata and servicePort is the port under the ports section).
Why using a wildcard in ingress host may lead to issues?
+
+The reason you should not wildcard value in a host (like `- host: *`) is because you basically tell your Kubernetes cluster to forward all the traffic to the container where you used this ingress. This may cause the entire cluster to go down.
+What is Ingress Controller?
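Review bot: `- host: *` in the wildcard answer is not a valid Ingress host (and a bare `*` is a YAML alias token, so the manifest would not even parse); Ingress wildcards have the form `*.example.com` and match exactly one DNS label. The consequence is also overstated: an overly broad host rule does not take the cluster down, it makes this Ingress match requests meant for other hostnames, so traffic intended for other applications gets routed to this backend; phrase the risk as misrouting or shadowing of other services' hostnames. Grammar in the same line: "The reason you should not use a wildcard value for a host".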
@@ -6653,6 +6848,22 @@ True. When the label, used by a ReplicaSet in the selector field, removed from a
kubectl scale deploy ReplicaSets are running the moment the user executed the command to create them (like
kubectl create -f rs.yaml
)
+
+False. It can take some time, depends on what exactly you are running. To see if they are up and running, run `kubectl get rs` and watch the 'READY' column.
+How to expose a ReplicaSet as a new service?
+
+`kubectl expose rs Where Kubernetes gets the status data (which is added to the configuration file) from?
+Where Kubernetes cluster stores the cluster state?
etcd
What is etcd?
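Review bot: `+`kubectl expose rs Where Kubernetes gets the status data (which is added to the configuration file) from?` is truncated: the command lost its arguments and the next question has run into the same line. The answer should read along the lines of `kubectl expose rs <replicaset-name> --port=<port> --type=NodePort` (consistent with the expose example earlier in this patch), and "Where Kubernetes gets the status data ... from?" needs its own line and an answer, since as written the `etcd` context answer now appears to belong to it as well as to the cluster-state question. The readiness answer is fine; `kubectl get rs -w` is worth naming alongside "watch the 'READY' column". The mangled context lines above (`kubectl scale deploy ReplicaSets are running the moment...`) are already broken in the README and worth fixing in the same PR.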
@@ -6756,6 +6967,10 @@ True
True
Why etcd? Why not some SQL or NoSQL database?
+Which containers pattern is used in the following drawing?
-Explain the sidecar container pattern
Explain what is CronJob and what is it used for
+What possible issue can arise from using the following spec and how to fix it?
+
+```
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: some-cron-job
+spec:
+ schedule: '*/1 * * * *'
+ startingDeadlineSeconds: 10
+ concurrencyPolicy: Allow
+```
+
+
+If the cron job fails, the next job will not replace the previous one due to the "concurrencyPolicy" value which is "Allow". It will keep spawning new jobs and so eventually the system will be filled with failed cron jobs.
+To avoid such problem, the "concurrencyPolicy" value should be either "Replace" or "Forbid".
+What issue might arise from using the following CronJob and how to fix it?
+
+```
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: "some-cron-job"
+spec:
+ schedule: '*/1 * * * *'
+jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: Never
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
+```
+
+
+The following lines placed under the template:
+
+```
+concurrencyPolicy: Forbid
+successfulJobsHistoryLimit: 1
+failedJobsHistoryLimit: 1
+```
+
+As a result this configuration isn't part of the cron job spec hence the cron job has no limits which can cause issues like OOM and potentially lead to API server being down.
+To fix it, these lines should placed in the spec of the cron job, above or under the "schedule" directive in the above example.
+Explain Imperative Management vs. Declarative Management
+Explain what Kubernetes Service Discovery means
Trur or False? Sensitive data, like credentials, should be stored in a ConfigMap
+True or False? Sensitive data, like credentials, should be stored in a ConfigMap
False. Use secret.
How are labels and selectors used?
Explain what is CronJob and what is it used for
-What QoS classes are there?
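Review bot: both CronJob specs use `+apiVersion: batch/v1beta1`, which was removed in Kubernetes 1.25 (`batch/v1` is available since 1.21), so neither example applies on a current cluster; the first spec also has no `jobTemplate`, which is a required field, so it is invalid before the `concurrencyPolicy` question even comes up. In the first answer, `+If the cron job fails, the next job will not replace the previous one...` should say "if a run takes longer than the schedule interval (or keeps retrying)", because the pile-up under `Allow` comes from overlapping runs, not from failure as such. In the second spec, `+jobTemplate:` sits at the top level rather than under `spec:`, and the three misplaced keys land inside the Pod template where kubectl's default field validation rejects them as unknown fields, so the realistic outcome is "apply is rejected", not "the job runs with no limits"; and the history limits bound how many finished Job objects are retained (API server and etcd load), not memory, so `+...no limits which can cause issues like OOM...` is misleading. `-Explain the sidecar container pattern` is deleted in favour of `+Which containers pattern is used in the following drawing?` with no drawing in the diff, so the sidecar content is lost; `+Explain Imperative Management vs. Declarative Management` and `+Explain what Kubernetes Service Discovery means` are added without answers; `+True or False? Sensitive data, like credentials, should be stored in a ConfigMap` duplicates the `Trur or False?` context line instead of replacing it (needs a `-` line); and `-What QoS classes are there?` removes a question with no replacement, which looks unintended.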
@@ -7439,7 +7707,36 @@ View more [here](https://www.youtube.com/watch?v=rDCWxkvPlAw)
What is Kubeconfig?
What is Gatekeeper?
+
+[Gatekeeper docs](https://open-policy-agent.github.io/gatekeeper/website/docs): "Gatekeeper is a validating (mutating TBA) webhook that enforces CRD-based policies executed by Open Policy Agent"
+Explain how Gatekeeper works
+
+On every request sent to the Kubernetes cluster, Gatekeeper sends the policies and the resources to OPA (Open Policy Agent) to check if it violates any policy. If it does, Gatekeeper will return the policy error message back. If it isn't violates any policy, the request will reach the cluster.
+What is Conftest?
+
+Conftest allows you to write tests against structured files. You can think of it as tests library for Kubernetes resources.
+It is mostly used in testing environments such as CI pipelines or local hooks.
+What is Datree? How is it different from Conftest?
+
+Same as Conftest, it is used for policy testing and enforcement. The difference is that it comes with built-in policies.
+What is Helm?
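Review bot: `+On every request sent to the Kubernetes cluster, Gatekeeper sends the policies and the resources to OPA...` overstates it: Gatekeeper is an admission webhook (as the quoted docs line says), so it only sees requests that pass through admission (create/update/delete of the resource kinds its webhook configuration covers), not reads; and whether a request is admitted when the webhook is unreachable depends on the webhook's failure policy, which is the fail-open versus fail-closed decision a policy deployment hinges on and deserves one sentence here. Grammar in the same line: "If it doesn't violate any policy". In the Conftest answer, "tests library for Kubernetes resources" narrows the first sentence; Conftest tests any structured configuration file and the policies are OPA/Rego, so say "you can think of it as a test library for configuration files, commonly Kubernetes manifests". `+Same as Conftest, it is used for policy testing...` should name the tool ("Like Conftest, Datree is used..."). `(mutating TBA)` in the quoted Gatekeeper line dates the quote; cite the docs version or drop the parenthetical.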
@@ -9650,11 +9947,19 @@ Alert manager is responsible for alerts ;)
How do you know if a certain directory is a git repository?
-You can check if there is a ".git" directory inside it.
+You can check if there is a ".git" directory.
How to check if a file is tracked and if not, then track it?
+Explain the following:
git directory
, working directory
and staging area
+
+This answer taken from [git-scm.com](https://git-scm.com/book/en/v1/Getting-Started-Git-Basics#_the_three_states)
+
+"The Git directory is where Git stores the meta data and object database for your project. This is the most important part of Git, and it is what is copied when you clone a repository from another computer.
+
+The working directory is a single checkout of one version of the project. These files are pulled out of the compressed database in the Git directory and placed on disk for you to use or modify.
+
+The staging area is a simple file, generally contained in your Git directory, that stores information about what will go into your next commit. It’s sometimes referred to as the index, but it’s becoming standard to refer to it as the staging area."
Explain the following:
git directory
, working directory
and staging area
+How to check if a file is tracked and if not, then track it?
-The Git directory is where Git stores the meta data and object database for your project. This is the most important part of Git, and it is what is copied when you clone a repository from another computer.
+There are different ways to check whether a file is tracked or not:
-The working directory is a single checkout of one version of the project. These files are pulled out of the compressed database in the Git directory and placed on disk for you to use or modify.
+ - `git ls-file How can you see which changes have done before committing them?
-This answer taken from [git-scm.com](https://git-scm.com/book/en/v1/Getting-Started-Git-Basics#_the_three_states)
+`git diff```
+What
git status
does?
+You have two branches - main and devel. How do you make sure devel is in sync with main?
+
+```
+git checkout main
+git pull
+git checkout devel
+git merge main
+```
+You have two branches - main and devel. How do you put devel into main?
+
+git checkout main
+git merge devel
+git push origin main
git reset
and git revert
?- -`git revert` creates a new commit which undoes the changes from last commit. - -`git reset` depends on the usage, can modify the index or change the commit which the branch head -is currently pointing at. -
-git rebase
?git reset
and git revert
?+ +`git revert` creates a new commit which undoes the changes from last commit. + +`git reset` depends on the usage, can modify the index or change the commit which the branch head +is currently pointing at. +
+git rebase
?
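Review bot: the second answer block (`+git checkout main` / `+git merge devel` / `+git push origin main`) is missing the code fence that the sync example above it uses, so it renders as prose; wrap it the same way. `+`git diff``` has an extra pair of backticks; `+ - `git ls-file How can you see which changes have done before committing them?` is truncated and the next question has run into it (`git ls-files --error-unmatch <file>` is the check, `git add <file>` tracks the file, and the question should read "which changes have been made"); `+This answer taken from` needs "This answer is taken from"; the added `+Explain the following: git directory, working directory and staging area` question is inserted while the same question remains as context lines below, so it appears twice, and `+How to check if a file is tracked and if not, then track it?` likewise duplicates the context line above (both need `-` lines). `+You can check if there is a ".git" directory.` dropped "inside it" and is now less precise than the line it replaces; `git rev-parse --is-inside-work-tree` is the reliable check (worktrees and submodules have a `.git` file, not a directory). The trailing `git reset` / `git revert` / `git rebase` lines are mangled in the diff and should be checked in the rendered README.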