Hulleman.io

EX280 (DO180 + DO280) EXAM CHEAT SHEET

This document contains the essential commands and tasks for the Red Hat Certified OpenShift Administrator exam. Each section uses a short “Task” description, commands, and brief verification steps.

1. Authentication

Task: Configure the Identity Provider so users can log in using passwords from /tmp/users.htpasswd.

Commands:

oc create secret generic my-users-secret --from-file=htpasswd=/tmp/users.htpasswd -n openshift-config
oc edit oauth cluster

YAML snippet to add in the editor:

spec:
  identityProviders:
  - name: my-htpasswd
    type: HTPasswd
    mappingMethod: claim
    htpasswd:
      fileData:
        name: my-users-secret

Verify:

oc login -u <username> -p <password>

2. RBAC

Task: Make user michelle admin of project finance and david a viewer.

Commands:

oc adm policy add-role-to-user admin michelle -n finance
oc adm policy add-role-to-user view david -n finance

Verify:

oc auth can-i create pods --as=david -n finance    # expected: no
oc auth can-i create pods --as=michelle -n finance # expected: yes
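
The two checks above extend naturally to an expectation matrix that also asserts what david must not be able to do. This is an added example, not part of the original cheat sheet; the function name check_rbac and the matrix rows beyond the two "create pods" checks are assumptions based on what the built-in admin and view roles grant.

```shell
#!/bin/sh
# Added example: expectation matrix for the RBAC task.
# Columns: user  verb  resource  namespace  expected(yes|no)
# michelle, david and finance come from the task; the other rows are
# assumptions derived from the built-in admin and view cluster roles
# (view can read most objects but not secrets, and cannot write).
RBAC_MATRIX='michelle create pods finance yes
michelle create rolebindings finance yes
david get pods finance yes
david create pods finance no
david get secrets finance no
david delete pods finance no'

# check_rbac reads matrix rows on stdin and impersonates each user with
# "oc auth can-i --as". It returns the number of rows that did not match.
check_rbac() {
    failures=0
    while read -r user verb resource ns expected; do
        [ -z "$user" ] && continue
        # can-i exits non-zero on "no", so the exit status is ignored and
        # only the printed answer is compared. stdin is detached so the
        # client cannot consume the remaining matrix rows.
        actual=$(oc auth can-i "$verb" "$resource" --as="$user" -n "$ns" </dev/null 2>/dev/null) || true
        actual=${actual%% *}   # keep "no" from answers like "no - <reason>"
        if [ "$actual" = "$expected" ]; then
            echo "ok    $user $verb $resource -n $ns -> $actual"
        else
            echo "FAIL  $user $verb $resource -n $ns -> got '${actual:-error}', want $expected"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage against a live cluster (the caller needs impersonation rights):
#   printf '%s\n' "$RBAC_MATRIX" | check_rbac
```

A non-zero exit status is the number of mismatched rows, so the function can gate a script that applies role bindings.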

3. Networking: Secure Routes

Task: Expose service frontend via HTTPS (edge) at www.test.com using certificates from /tmp/certs.

Commands:

oc create route edge my-route \
  --service=frontend \
  --cert=/tmp/certs/tls.crt \
  --key=/tmp/certs/tls.key \
  --ca-cert=/tmp/certs/ca.crt \
  --hostname=www.test.com \
  -n my-project

Verify (-k skips certificate validation, so this only confirms that the route answers over TLS):

curl -k -v https://www.test.com

4. Networking: Network Policies

Task: Block all traffic to project backend, except from pods in project monitoring.

Policy (policy.yaml):

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-only-monitoring
  namespace: backend
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: monitoring

Commands:

oc label namespace monitoring name=monitoring
oc create -f policy.yaml

Verify:

oc run test-client --image=registry.access.redhat.com/ubi8/ubi --rm -it -- /bin/sh -c "curl --connect-timeout 5 http://<backend-service> || echo unreachable"

5. Service Accounts & SCC

Task: Grant the anyuid SCC to the service account of a pod that is rejected as Forbidden.

Commands:

oc get pod log-collector -o jsonpath='{.spec.serviceAccountName}' -n my-project
oc adm policy add-scc-to-user anyuid -z <serviceaccount> -n my-project
oc delete pod log-collector -n my-project

Verify: new pod should become Running.

6. Scaling & Autoscaling

Task: Scale manually and configure HPA.

Commands:

oc scale deployment app-x --replicas=4 -n my-project
oc autoscale deployment app-y --min=2 --max=8 --cpu-percent=70 -n my-project

Verify:

oc get hpa -n my-project
oc get deployment app-y -o wide -n my-project

7. Resource Quota

Task: Set project dev quota to 2 CPU and 4Gi RAM (total requests).

Commands:

oc create quota dev-quota --hard=requests.cpu=2,requests.memory=4Gi -n dev
oc describe quota dev-quota -n dev

8. Limit Ranges

Task: Ensure new pods in dev receive a default 200m CPU request.

limits.yaml:

apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
spec:
  limits:
  - default:
      memory: 512Mi
      cpu: 500m
    defaultRequest:
      memory: 256Mi
      cpu: 200m
    type: Container

Commands:

oc create -f limits.yaml -n dev
oc get limitrange -n dev

9. Storage (PVC & PV)

Task: Create a 5Gi PVC with storageClass nfs.

pvc.yaml:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-claim
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs

Commands:

oc create -f pvc.yaml -n my-namespace
oc get pvc -n my-namespace

10. Scheduling (Node selectors)

Task: Run deployment db only on nodes labeled disk=ssd.

Commands:

oc label node worker-1 disk=ssd
oc patch deployment/db -n my-project --type=merge -p '{"spec":{"template":{"spec":{"nodeSelector":{"disk":"ssd"}}}}}'
oc get pod -o wide -n my-project

11. Node maintenance

Task: Drain node worker-2 for maintenance.

Commands:

oc adm cordon worker-2
oc adm drain worker-2 --ignore-daemonsets --delete-emptydir-data --force
oc get nodes

Verify: worker-2 should be SchedulingDisabled.

12. Podman

Task: Pull ubi8 image, tag as myapp:v1 and push to internal registry.

Commands:

podman login registry.redhat.io
podman pull registry.redhat.io/ubi8/ubi:latest
podman tag registry.redhat.io/ubi8/ubi:latest registry.lab.example.com/myapp:v1
podman push registry.lab.example.com/myapp:v1 --tls-verify=false

13. Troubleshooting (Pods)

ImagePullBackOff:

oc describe pod <podname> -n <project>
oc edit deployment <name> -n <project>

CrashLoopBackOff:

oc logs deployment/<name> -n <project>
oc get events -n <project> --sort-by=.metadata.creationTimestamp

14. Troubleshooting (Services)

Checks and commands:

oc describe service <name> -n <project>
oc get pod --show-labels -n <project>
oc edit service <name> -n <project>
oc exec -it <pod> -n <project> -- curl -sS http://<service>:<port> || echo fail

CLI quick kit:

oc api-resources | grep -i <word>
oc help | grep -i <action>
oc <command> --help | grep -A 10 Examples
export yaml="--dry-run=client -o yaml"
oc create deployment my-app --image=nginx $yaml > app.yaml