EX380 Red Hat Certified Specialist in OpenShift Automation and Integration Questions and Answers

Step 1: Identify the pending certificate signing request.

The lab names it audit-csr.

Step 2: Run the approval command:

oc adm certificate approve audit-csr

Step 3: Confirm approval.

The lab output shows:

certificatesigningrequest.certificates.k8s.io/audit-csr approved

Detailed explanation:

In Kubernetes and OpenShift, a CSR must be approved before the requester can use the signed certificate for authentication. This Task approves the CSR named audit-csr, which is likely associated with the audit user or service account access flow in the lab. Certificate-based authentication is commonly used for kubeconfig access because it enables secure client identity without relying solely on tokens. Until the CSR is approved, the certificate cannot be trusted by the cluster API for authenticated operations. Administrative approval is therefore a gatekeeping step that ensures only intended certificate requests become valid credentials. This Task is part of a broader kubeconfig workflow that continues with setting credentials and defining context.

============

Label the chosen worker nodes

oc label node worker-1 workload=payments

oc label node worker-2 workload=payments

Node labels are key/value metadata used by the scheduler.

Add a nodeSelector to the deployment

oc -n payments patch deploy api --type=merge -p '{

"spec":{"template":{"spec":{"nodeSelector":{"workload":"payments"}}}}

}'

Forces pods to schedule only to nodes that match the label.

Verify placement

oc -n payments get pods -o wide

Confirms pods are running on the intended nodes.

==========

Step 1: Verify the cluster name, namespace, and user name that should be referenced.

The lab uses cluster api-ocp4-example-com:6443, namespace audit-ns, and user audit-sa.

Step 2: Run the command:

oc config set-context audit --cluster api-ocp4-example-com:6443 --namespace audit-ns --user audit-sa --kubeconfig audit.config

Step 3: Confirm context creation.

The lab output shows:

Context "audit" created.

Detailed explanation:

A kubeconfig context ties together three things: a cluster endpoint, a user identity, and optionally a default namespace. This Task creates a context named audit in the file audit.config. Contexts are useful because they simplify repeated administration by letting the user switch between prepared working environments instead of re-entering cluster and namespace details each time. The namespace portion is especially helpful for project-scoped operations, because commands run under that context default to the chosen namespace. Accuracy matters here: if the user name in the context does not match the credentials entry or the cluster name does not exist in the kubeconfig, the context will not function as intended.

============

Create the schedule

velero schedule create orders-daily \

--schedule "0 1 * * *" \

--include-namespaces orders \

--snapshot-volumes

Cron format: minute hour day month weekday.

Verify schedule exists

velero schedule get

Confirm backups are created by the schedule

velero backup get | grep orders-daily

Scheduled backups usually have names derived from the schedule.

==========

Step 1: Ensure the target project exists.

The lab specifies the namespace/project auth-audit.

Step 2: Run the command:

oc create sa audit -n auth-audit

Step 3: Verify creation.

The lab output shows:

serviceaccount/audit created

Detailed explanation:

This creates a service account named audit in the auth-audit namespace. Service accounts provide non-human identities for workloads and automation processes running inside the cluster. They are also commonly used when controlled API access is needed for scripts, jobs, or external kubeconfig generation. Creating a dedicated service account instead of using the default one is good practice because it supports least privilege and clearer access tracking. In exam and administration scenarios, service accounts are often paired with explicit RBAC bindings to grant only the permissions needed for the intended Task SIMULATION . This step lays the identity foundation before assigning a role in the following Task SIMULATION .

============

Export objects to YAML

oc -n orders get deploy,svc,route,cm,secret -o yaml > orders-app.yaml

Exports key application resources.

Create target namespace

oc new-project orders-copy

Apply exported YAML

oc -n orders-copy apply -f orders-app.yaml

Recreates resources (some fields may need adjustment, like namespaces or immutable fields).

Validate

oc -n orders-copy get all

==========

Step 1: Identify the application namespace after restore.

The lab shows the namespace as my-app-namespace.

Step 2: Run the SCC assignment command:

oc adm policy add-scc-to-user anyuid -z default -n my-app-namespace

Step 3: Confirm the role binding is applied.

The lab output shows:

clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "default"

Detailed explanation:

After a restore, the application may fail if its pods require a security context not permitted by the default SCC allocation. This command grants the anyuid SCC to the default service account in the my-app-namespace project. The -z default syntax targets the default service account, which many restored workloads use if no custom service account is defined. The anyuid SCC allows containers to run with arbitrary user IDs, which some legacy or prebuilt images require. In OpenShift, SCC mismatches commonly cause pods to remain in pending or crash-related states. Assigning the proper SCC resolves those admission issues so workloads can start successfully. This step is therefore a post-restore operational fix to align security policy with application requirements.

============

Verify prerequisites exist (Secret + ConfigMap)

oc -n openshift-config get secret rhds-ldap-secret

oc -n openshift-config get configmap rhds-ca-config-map

OAuth LDAP configuration references these objects. If they don’t exist, OAuth won’t be able to bind to LDAP securely.

Edit the cluster OAuth resource

oc edit oauth cluster

The oauth/cluster resource is where identity providers are defined.

Add an LDAP identity provider entry (example structure) Add under spec.identityProviders:

- name: corp-ldap

mappingMethod: claim

type: LDAP

ldap:

url: "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid"

bindDN: "uid=openshift,ou=svc,dc=example,dc=com"

bindPassword:

name: rhds-ldap-secret

ca:

name: rhds-ca-config-map

insecure: false

attributes:

id: ["dn"]

name: ["cn"]

preferredUsername: ["uid"]

email: ["mail"]

url: where to search for users and which attribute is used for login (here uid).

bindDN + bindPassword: service account used for LDAP queries.

ca: trusts the LDAP server CA for TLS.

attributes: maps LDAP data into OpenShift user identity fields.

Restart OAuth pods to load changes quickly

oc -n openshift-authentication delete pod -l app=oauth-openshift

This forces pods to restart and re-read the updated configuration.

Verify the identity provider appears and users can log in

In the web console login page, you should see the new provider (name may show as corp-ldap).

After a successful login, confirm user objects appear:

oc get users

oc get identities

OpenShift creates User and Identity objects upon first successful authentication.

==========

Run group sync with prune controls

oc adm groups sync --sync-config=groupsync.yaml --confirm --prune-whitelist=/tmp/whitelist.txt

Prune removes stale memberships/groups, but whitelist protects selected groups from pruning.

Verify group membership reflects LDAP

oc describe group < groupname >

Confirms removed users are no longer listed.

==========