EX380試験無料問題集「RedHat Red Hat Certified Specialist in OpenShift Automation and Integration 認定」
Maintain group synchronization on a schedule (CronJob)
Task Information : Create a CronJob that runs LDAP group sync on a schedule using a service account that has the required permissions.
Task Information : Create a CronJob that runs LDAP group sync on a schedule using a service account that has the required permissions.
正解:
See the solution below in Explanation:
Explanation:
* Create a namespace for the sync job
* oc new-project id-sync
* Keeps the automation components organized.
* Create a service account for the sync job
* oc -n id-sync create sa group-sync
* CronJob runs under this SA identity.
* Grant cluster permissions to manage groups
* oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:id-sync:group-sync
* In real environments you should scope down, but lab Task SIMULATIONs often accept cluster- admin for speed.
* Create a ConfigMap for groupsync.yaml and Secret(s) for bind password/CA
* Mount them into the job container.
* Create CronJob to run group sync
* Command inside job:
* oc adm groups sync --sync-config=/config/groupsync.yaml --confirm
* The CronJob ensures periodic reconciliation with LDAP.
* Verify job runs
* oc -n id-sync get cronjob
* oc -n id-sync get jobs
* oc -n id-sync logs job/ < job-name >
Explanation:
* Create a namespace for the sync job
* oc new-project id-sync
* Keeps the automation components organized.
* Create a service account for the sync job
* oc -n id-sync create sa group-sync
* CronJob runs under this SA identity.
* Grant cluster permissions to manage groups
* oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:id-sync:group-sync
* In real environments you should scope down, but lab Task SIMULATIONs often accept cluster- admin for speed.
* Create a ConfigMap for groupsync.yaml and Secret(s) for bind password/CA
* Mount them into the job container.
* Create CronJob to run group sync
* Command inside job:
* oc adm groups sync --sync-config=/config/groupsync.yaml --confirm
* The CronJob ensures periodic reconciliation with LDAP.
* Verify job runs
* oc -n id-sync get cronjob
* oc -n id-sync get jobs
* oc -n id-sync logs job/ < job-name >
GitOps and MachineConfig - Push MachineConfig to Git
正解:
See the solution below in Explanation:
Explanation:
Step 1: Make sure the MachineConfig YAML has already been created or modified in the local Git repository.
This Task assumes the file change is ready to be committed.
Step 2: Run the command:
git commit -am "Add MachineConfig for motd" & & git push origin main
Step 3: Verify the commit succeeds and the push goes to the main branch.
The lab output shows:
[main 8d32a1] Add MachineConfig for motd
Detailed explanation:
This Task is part of a GitOps workflow. Instead of manually applying changes directly to the cluster, the desired configuration is stored in Git, and a GitOps controller such as Argo CD synchronizes the cluster to match the repository state. The command commits all tracked modified files with the message Add MachineConfig for motd and then pushes the change to the main branch. In this model, Git becomes the source of truth. A MachineConfig is typically used to manage node-level operating system configuration in OpenShift, so pushing it through GitOps ensures the change is auditable, repeatable, and reconciled declaratively. If the commit does not include the intended YAML, the synchronization mechanism will not apply the desired change.
Explanation:
Step 1: Make sure the MachineConfig YAML has already been created or modified in the local Git repository.
This Task assumes the file change is ready to be committed.
Step 2: Run the command:
git commit -am "Add MachineConfig for motd" & & git push origin main
Step 3: Verify the commit succeeds and the push goes to the main branch.
The lab output shows:
[main 8d32a1] Add MachineConfig for motd
Detailed explanation:
This Task is part of a GitOps workflow. Instead of manually applying changes directly to the cluster, the desired configuration is stored in Git, and a GitOps controller such as Argo CD synchronizes the cluster to match the repository state. The command commits all tracked modified files with the message Add MachineConfig for motd and then pushes the change to the main branch. In this model, Git becomes the source of truth. A MachineConfig is typically used to manage node-level operating system configuration in OpenShift, so pushing it through GitOps ensures the change is auditable, repeatable, and reconciled declaratively. If the commit does not include the intended YAML, the synchronization mechanism will not apply the desired change.
Export and import container images (mirror to internal registry)
Task Information : Pull an image from an external registry, push it into the OpenShift internal registry, and update a deployment to use the mirrored image.
Task Information : Pull an image from an external registry, push it into the OpenShift internal registry, and update a deployment to use the mirrored image.
正解:
See the solution below in Explanation:
Explanation:
* Log in to OpenShift internal registry
* oc registry login
* Allows podman to push to the internal registry.
* Pull external image
* podman pull docker.io/library/nginx:1.25
* Gets the image locally.
* Tag for internal registry destination
* podman tag nginx:1.25 image-registry.openshift-image-registry.svc:5000/orders/nginx:1.25
* Uses the cluster service DNS name (works inside cluster network).
* Push to internal registry
* podman push image-registry.openshift-image-registry.svc:5000/orders/nginx:1.25
* Update deployment to use internal image
* oc -n orders set image deploy/web web=image-registry.openshift-image-registry.svc:5000/orders/nginx:
1.25
* Verify rollout
* oc -n orders rollout status deploy/web
* oc -n orders get pods -o wide
Explanation:
* Log in to OpenShift internal registry
* oc registry login
* Allows podman to push to the internal registry.
* Pull external image
* podman pull docker.io/library/nginx:1.25
* Gets the image locally.
* Tag for internal registry destination
* podman tag nginx:1.25 image-registry.openshift-image-registry.svc:5000/orders/nginx:1.25
* Uses the cluster service DNS name (works inside cluster network).
* Push to internal registry
* podman push image-registry.openshift-image-registry.svc:5000/orders/nginx:1.25
* Update deployment to use internal image
* oc -n orders set image deploy/web web=image-registry.openshift-image-registry.svc:5000/orders/nginx:
1.25
* Verify rollout
* oc -n orders rollout status deploy/web
* oc -n orders get pods -o wide
Deploy Event Router and capture Kubernetes events in logging
Task Information : Deploy an event router so Kubernetes events are recorded as logs, then trigger events and confirm they appear in logging queries.
Task Information : Deploy an event router so Kubernetes events are recorded as logs, then trigger events and confirm they appear in logging queries.
正解:
See the solution below in Explanation:
* Deploy event router resources
* Apply a deployment/serviceaccount/rolebinding manifest for eventrouter:
* oc apply -f eventrouter.yaml -n openshift-logging
* Eventrouter watches event API and writes them to stdout (collected by logging).
* Verify eventrouter pod is running
* oc -n openshift-logging get pods | grep -i event
* Trigger some events
* oc -n default run evtest --image=busybox --restart=Never -- sleep 1
* oc -n default delete pod evtest
* Creation/deletion generates events.
* Query logs for events
* In the logging UI/backend, search for the namespace/pod name evtest or eventrouter messages.
* Explanation: Validates that events are being converted to searchable logs.
* Deploy event router resources
* Apply a deployment/serviceaccount/rolebinding manifest for eventrouter:
* oc apply -f eventrouter.yaml -n openshift-logging
* Eventrouter watches event API and writes them to stdout (collected by logging).
* Verify eventrouter pod is running
* oc -n openshift-logging get pods | grep -i event
* Trigger some events
* oc -n default run evtest --image=busybox --restart=Never -- sleep 1
* oc -n default delete pod evtest
* Creation/deletion generates events.
* Query logs for events
* In the logging UI/backend, search for the namespace/pod name evtest or eventrouter messages.
* Explanation: Validates that events are being converted to searchable logs.
Integrate OpenShift with LDAP (create LDAP identity provider)
Task Information : Configure cluster OAuth to add an LDAP identity provider using an existing bind secret and CA ConfigMap , then verify login works.
Task Information : Configure cluster OAuth to add an LDAP identity provider using an existing bind secret and CA ConfigMap , then verify login works.
正解:
See the solution below in Explanation:
Explanation:
* Verify prerequisites exist (Secret + ConfigMap)
* oc -n openshift-config get secret rhds-ldap-secret
* oc -n openshift-config get configmap rhds-ca-config-map
* OAuth LDAP configuration references these objects. If they don't exist, OAuth won't be able to bind to LDAP securely.
* Edit the cluster OAuth resource
* oc edit oauth cluster
* The oauth/cluster resource is where identity providers are defined.
* Add an LDAP identity provider entry (example structure) Add under spec.identityProviders:
* - name: corp-ldap
* mappingMethod: claim
* type: LDAP
* ldap:
* url: "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid"
* bindDN: "uid=openshift,ou=svc,dc=example,dc=com"
* bindPassword:
* name: rhds-ldap-secret
* ca:
* name: rhds-ca-config-map
* insecure: false
* attributes:
* id: ["dn"]
* name: ["cn"]
* preferredUsername: ["uid"]
* email: ["mail"]
* url: where to search for users and which attribute is used for login (here uid).
* bindDN + bindPassword: service account used for LDAP queries.
* ca: trusts the LDAP server CA for TLS.
* attributes: maps LDAP data into OpenShift user identity fields.
* Restart OAuth pods to load changes quickly
* oc -n openshift-authentication delete pod -l app=oauth-openshift
* This forces pods to restart and re-read the updated configuration.
* Verify the identity provider appears and users can log in
* In the web console login page, you should see the new provider (name may show as corp-ldap).
* After a successful login, confirm user objects appear:
* oc get users
* oc get identities
* OpenShift creates User and Identity objects upon first successful authentication.
Explanation:
* Verify prerequisites exist (Secret + ConfigMap)
* oc -n openshift-config get secret rhds-ldap-secret
* oc -n openshift-config get configmap rhds-ca-config-map
* OAuth LDAP configuration references these objects. If they don't exist, OAuth won't be able to bind to LDAP securely.
* Edit the cluster OAuth resource
* oc edit oauth cluster
* The oauth/cluster resource is where identity providers are defined.
* Add an LDAP identity provider entry (example structure) Add under spec.identityProviders:
* - name: corp-ldap
* mappingMethod: claim
* type: LDAP
* ldap:
* url: "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid"
* bindDN: "uid=openshift,ou=svc,dc=example,dc=com"
* bindPassword:
* name: rhds-ldap-secret
* ca:
* name: rhds-ca-config-map
* insecure: false
* attributes:
* id: ["dn"]
* name: ["cn"]
* preferredUsername: ["uid"]
* email: ["mail"]
* url: where to search for users and which attribute is used for login (here uid).
* bindDN + bindPassword: service account used for LDAP queries.
* ca: trusts the LDAP server CA for TLS.
* attributes: maps LDAP data into OpenShift user identity fields.
* Restart OAuth pods to load changes quickly
* oc -n openshift-authentication delete pod -l app=oauth-openshift
* This forces pods to restart and re-read the updated configuration.
* Verify the identity provider appears and users can log in
* In the web console login page, you should see the new provider (name may show as corp-ldap).
* After a successful login, confirm user objects appear:
* oc get users
* oc get identities
* OpenShift creates User and Identity objects upon first successful authentication.