Need help with 2 questions 1. When we have an existing pod and we want to modify . . .

Jia:
Need help with 2 questions

  1. When we have an existing pod and we want to modify it, we do kubectl get pod <podname> -o yaml > some.yaml
    This some.yaml has too much extra data. Also, suppose we intend to change just the serviceAccountName, but we also have the volumeMount we get by default due to the default service account token and forget to remove it… what's the best way to modify the existing pod, and how do we extract just the relevant data?
  2. In mock1, question 4, it says to run the pod on node01, and I had given nodeName in metadata, but the answer doesn't have it… how does the seccomp profile detect on which localhost to run the seccomp if nodeName is not given?
    The answer given under /var/answers is:
controlplane $ cat /var/answers/answer4.md
#Copy the audit.json seccomp profile to /var/lib/kubelet/seccomp/profiles in node01:
$ mv /root/audit.json /var/lib/kubelet/seccomp/profiles



# Recreate the pod using the below YAML File
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: audit-nginx
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/audit.json
  containers:
  - image: nginx
    name: nginx
controlplane $

Danny:
I had the same dilemma with Q4 on exam 1.
So your answer actually is correct, and the seccomp profile looks good as well.
The trick in the question is that it will ask you to load the seccomp profile to the default place; on the control plane this location doesn’t exist, which you have correctly identified as

/var/lib/kubelet/seccomp/profiles

If you look in node 1, you will see that this location exists, and it will mark your answer as correct.
I do agree that the question should state which node has the seccomp profiles.

Danny:
For point 1, it's

kubectl get po (pod name) -o yaml -n (namespace) > test.yaml

Then make the modification via vi commands: press Esc and then type /serviceaccount; this will take you to the service account line in the file.

Then the usual delete and apply.

Jia:
@Danny Thank you so much, Danny… for the seccomp profile… do we have to give the correct nodeName or nodeSelector to tell which node to locate the profile in?

Dinesh Pola:
@Jia Check the taints on the nodes (kubectl describe node <node_name>). Pods cannot be scheduled on the master, as there is only one worker node - you won't need any selectors. Hope this helps!