Docker DCA Practice Test - Questions Answers, Page 11

The statement is correct. In the provided Kubernetes YAML, it's defined that traffic sent to the IP of this service on port 8080 will be routed to port 80 in a random pod with the label app: nginx. This is because it's a ClusterIP service type which is meant for internal communication within the cluster, and it uses selectors to route traffic to the correct pods.Reference:Docker Certified Associate Guide,DCA Prep Guide

The statement is incorrect because it does not mention the service name or the clusterIP address. Traffic sent to the IP of any pod with the label app: nginx on port 8080 will not be forwarded to port 80 in that pod, unless the traffic is coming from another pod within the same cluster that knows the pod IP. To access the service from outside the cluster, the traffic must be sent to the clusterIP address of the service, which is assigned by Kubernetes, and the port 8080 of the service, which is defined in the yaml file. The service will then forward the traffic to one of the selected pods on port 80.

To summarize, the correct statement should be:

Traffic sent to theclusterIP addressof the servicedcaon port8080will be forwarded to port 80 in one of the pods with the label app: nginx.

A node is a physical or virtual machine running Docker Engine in swarm mode1.A node can be either a manager or a worker, depending on its role in the cluster1.A physical machine participating in the swarm is a node, regardless of its role or availability2.Reference:

How nodes work | Docker Docs

Manage nodes in a swarm | Docker Docs

In the context of a swarm mode cluster, an instance of the Docker engine participating in the swarm is indeed a node1.A node can be either a manager or a worker, depending on the role assigned by the swarm manager2.A manager node handles the orchestration and management of the swarm, while a worker node executes the tasks assigned by the manager2.A node can join or leave a swarm at any time, and the swarm manager will reconcile the desired state of the cluster accordingly1.Reference:

1: Swarm mode overview | Docker Docs

2: Manage nodes in a swarm | Docker Docs

= Scanning images to detect any security vulnerability is a function of UCP.UCP integrates with Docker Trusted Registry (DTR), which is a secure and scalable image storage solution1.DTR has a built-in image scanning feature that checks every layer of every image for known vulnerabilities and displays the results in the UCP web UI2. This helps users to identify and fix any security issues before deploying their applications.UCP also allows users to enforce security policies and only allow running applications that use images that are scanned and free of vulnerabilities3.Reference:

Docker Trusted Registry | Docker Docs

Scan images for vulnerabilities | Docker Docs

Manage images | Docker Docs

Image role-based access control isnota function of UCP. UCP has its own built-in authentication mechanism and integrates with LDAP services.It also has role-based access control (RBAC), so that you can control who can access and make changes to your cluster and applications1.However, image role-based access control is a feature of Docker Trusted Registry (DTR), which integrates with UCP and allows you to manage the images you use for your applications2.DTR lets you define granular permissions for images, such as who can push, pull, delete, or scan them3.Reference:Universal Control Plane overview), Docker Trusted Registry overview),Docker Access Control)

= This is a function of UCP, as it integrates with Docker Trusted Registry (DTR) to provide built-in security and access control for your images. DTR allows you to enforce security policies and only allow running applications that use Docker images you know and trust. You can sign your images with Docker Content Trust (DCT) to prove their authenticity and integrity.UCP will verify the signatures of the images before deploying them to the cluster12.Reference:

Universal Control Plane overview | dockerlabs

How to Sign Your Docker Images to Increase Trust - How-To Geek

The commandkubectl get deployment apiwill only show the status of the deployment object, such as the number of replicas, available pods, and updated pods1.It will not display the events table for the deployment, which contains information about the creation, scaling, and updating of the deployment and its pods2.To see the events table for the deployment, you need to use thekubectl describe deployment apicommand, which will show the details of the deployment object, including the events3.Alternatively, you can use thekubectl get events --field-selector involvedObject.name=apicommand, which will filter the events by the name of the involved object4.Reference:

Kubectl: Get Deployments - Kubernetes - ShellHacks

Events in Kubernetes | Kubernetes

kubectl Cheat Sheet | Kubernetes

kubernetes - kubectl get events only for a pod - Stack Overflow

SELinux could be blocking the operation of setting the system time from inside a Docker container. SELinux is a security mechanism that enforces mandatory access control (MAC) policies on Linux systems. It restricts the actions that processes can perform based on their security contexts, such as user, role, type, and level. By default, SELinux prevents Docker containers from accessing or modifying the host's system time, as this could pose a security risk or cause inconsistency. To allow Docker containers to set the system time, SELinux needs to be configured with the appropriate permissions or labels, or disabled altogether. However, this is not recommended, as it could compromise the security and stability of the system.Reference:

Change system date time in Docker containers without impacting host

Change Date Inside a Docker Container

How to Handle Timezones in Docker Containers

5 ways to change time in Docker container

How to set system time dynamically in a Docker container