Linux Interview Questions For SRE/DevOps

.github/workflows/day7-challenge.yaml

@@ -0,0 +1,42 @@
+name: Deploy Snake Game to EC2
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Deploy to EC2
+      uses: appleboy/ssh-action@v0.1.10
+      with:
+        host: ${{ secrets.EC2_HOST }}
+        username: ${{ secrets.EC2_USER }}
+        key: ${{ secrets.EC2_SSH_KEY }}
+        script: |
+          # Update system packages
+          sudo apt update -y
+          sudo apt install -y python3 python3-pip python3-venv git
+
+          # Remove old directory if it exists
+          sudo rm -rf season2-snake_game
+
+          # Clone fresh
+          git clone https://github.com/Sagar2366/season2-snake_game.git
+          cd season2-snake_game
+          ls -al
+
+          # Set up a virtual environment
+          python3 -m venv venv
+          source venv/bin/activate
+          pip install --upgrade pip
+          pip install -r requirements.txt
+          sudo nohup python3 app.py > snake_game.log 2>&1 &
+
+          echo "✅ Snake Game deployed successfully!"

CKA/10_authentication_in_kubernetes.md

@@ -108,7 +108,7 @@ kubectl certificate approve myuser
 # Retrieve the Signed Certificate
 After approval, the CSR object will have the signed certificate included in its status. You can extract the certificate from the CSR object:
 ```
-kubectl get csr username-csr -o jsonpath='{.status.certificate}' | base64 --decode > myuser.crt
+kubectl get csr myuser -o jsonpath='{.status.certificate}' | base64 --decode > myuser.crt
 ```
 
 # Create role and rolebinding

CKA/13_authorization_in_kubernetes.md

@@ -6,12 +6,12 @@ Kubernetes [authorization](https://kubernetes.io/docs/reference/access-authn-aut
 
 # Authorization modes 
 ```
-1. AlwaysAllow
-2. AlwaysDeny
-3. ABAC (attribute-based access control)
-4. RBAC (role-based access control)
-5. Node
-6. Webhook
+1. AlwaysAllow → every request allowed (testing only).
+2. AlwaysDeny → every request denied (testing only).
+3. ABAC → Attribute-Based Access Control (legacy).
+4. RBAC → Role-Based Access Control (most common in prod).
+5. Node → kubelet authorizations to API server.
+6. Webhook → delegate to external service (OPA, SSO, custom APIs).
 ```
 
 # Using [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) Authorization
@@ -20,7 +20,7 @@ To enable RBAC, start the API server with the --authorization-mode flag set to a
 kube-apiserver --authorization-mode=Example,RBAC
 ```
 
-RBAC helps with:
+RBAC helps with: [Who (Subject) can do What (Verb) on Which (Resource)]
 1. Establishing a system for <b>users with different roles</b> to access a set of Kubernetes resources.
 2. Controlling </b>processes running in a pod and the operations</b> they can perform via Kubernetes API.
 3. Limiting the visibility of certain resources per namespace
@@ -65,7 +65,24 @@ RBAC consists of three key building blocks.
       kubectl get serviceaccounts
       kubectl describe serviceaccount build-bot
       kubectl run build-observer --image=alpine --restart=Never --serviceaccount=build-bot
-      ```
+    ```
+
+
+  ### Understanding ServiceAccount Token Generation and Authorization
+  ```mermaid
+    flowchart TD
+    P[Pod with serviceAccountName] --> SA[ServiceAccount object in namespace]
+    SA --> ST[Secret or Token request API]
+    ST --> T[Token generated for ServiceAccount]
+    T --> M[Token mounted into Pod filesystem at /var/run/secrets/kubernetes.io/serviceaccount]
+    M --> R[Pod process sends API request to kube-apiserver with Bearer token]
+    R --> KAS[Kube API Server]
+
+    KAS -->|Token verified against ServiceAccount and bound Role/ClusterRole| AUTHZ[Authorization Check]
+
+    AUTHZ -->|Allowed| OK[Request succeeds]
+    AUTHZ -->|Denied| FAIL[Request fails with 403 Forbidden]
+   ```
 # Understanding [RBAC API Primitives](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
 The RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBinding and ClusterRoleBinding. 
 ## Role and ClusterRole
@@ -83,6 +100,39 @@ The RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBi
 - <b>Alternatively, a RoleBinding can reference a ClusterRole and bind that ClusterRole to the namespace of the RoleBinding. If you want to bind a ClusterRole to all the namespaces in your cluster, you use a ClusterRoleBinding.</b>
 - ClusterRoles are cluster-scoped, you can also use them to grant access to: cluster-scoped resources (like nodes), non-resource endpoints (like /healthz), namespaced resources (like Pods), across all namespaces.
 
+```mermaid
+flowchart TB
+    U1[User: sagar]
+    SA1[ServiceAccount: build-bot]
+
+    subgraph Namespace: dev
+        R1[Role: pod-reader get list watch pods]
+        RB1[RoleBinding bind Role to User]
+        CRB1[RoleBinding bind ClusterRole to User in dev]
+    end
+
+    subgraph Cluster
+        CR1[ClusterRole: cluster-admin\nfull access]
+        CRB2[ClusterRoleBinding bind ClusterRole to ServiceAccount cluster-wide]
+    end
+
+    %% RoleBinding with Role
+    U1 --> RB1
+    RB1 --> R1
+    RB1 -->|namespace limited| Pods[Pods in dev]
+
+    %% RoleBinding with ClusterRole
+    U1 --> CRB1
+    CRB1 --> CR1
+    CRB1 -->|still limited to dev| PodsDev[Pods in dev]
+
+    %% ClusterRoleBinding with ClusterRole
+    SA1 --> CRB2
+    CRB2 --> CR1
+    CRB2 -->|cluster-wide| PodsAll[All Pods]
+    CRB2 -->|cluster-wide| Nodes[All Nodes]
+
+```
 ### Kubernetes defines a set of [default user-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles): cluster-admin, admin, edit, view and [core-component roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#core-component-roles).
 
 1. Roles management