2V0-71.23 Exam Dumps : VMware Tanzu for Kubernetes Operations Professional

A rolling upgrade is a method of upgrading a Kubernetes cluster without downtime by gradually replacing nodes or components with newer versions. A rolling upgrade ensures that there is no disruption to the availability and functionality of the cluster during the upgrade process. A rolling upgrade can be performed manually or using tools such as kubeadm or kops5.

The other options are incorrect because:

• In-place upgrade of each node is a method of upgrading a Kubernetes cluster by stopping each node or component and updating it to the newer version. This method can cause downtime and disruption to the cluster during the upgrade process.
• Use canary upgrade is not a valid method of upgrading a Kubernetes cluster. A canary upgrade is a technique for deploying new versions of applications or services by gradually exposing them to a subset of users or traffic before rolling them out to everyone6. It is not applicable to cluster upgrades.
• Deploy a new cluster with upgraded Kubernetes release is not a method of upgrading a Kubernetes cluster, but rather creating a new one. This method canbe costly and time-consuming, as it requires migrating all the resources and configurations from the old cluster to the new one.

References: Upgrade A Cluster, Canary deployments

The Kubernetes RBAC API declares four kinds of Kubernetes object: Role, ClusterRole, RoleBinding and ClusterRoleBinding. These objects are used to define permissions and assign them to users or groups within a cluster. A Role or ClusterRole contains rulesthat represent a set of permissions on resources or non-resource endpoints. A RoleBinding or ClusterRoleBinding grants the permissions defined in a Role or ClusterRole to a set of subjects (users, groups, or service accounts). A RoleBinding applies only within a specific namespace, while a ClusterRoleBinding applies cluster-wide.

The other options are incorrect because:

• CloudPolicyObject is not a valid Kubernetes object type. It might be confused with NetworkPolicy, which is an object type that defines how pods are allowed to communicate with each other and other network endpoints.
• Container type and Container object are not valid Kubernetes object types. They might be confused with Pod, which is an object type that represents a group of one or more containers running on a node.
• ClusterObject and ClusterNode are not valid Kubernetes object types. They might be confused with Cluster and Node, which are concepts that describe the logical and physical components of a Kubernetes cluster.

References: Using RBAC Authorization, Kubernetes RBAC: Concepts, Examples & Top Misconfigurations

Policies are one of the features of Tanzu Mission Control that allow you to manage the operation and security posture of your Kubernetes clusters and other organizational objects. Policies allow you to provide a set of rules that govern your organization and all the objects it contains. The policy types available in Tanzu Mission Control include access policy, image registry policy, network policy, quota policy, security policy, and custom policy. Policies can be applied at the individual, group, or organizational level to control access, image registries, networking, resource consumption, security context, and more18.

The other options are incorrect because:

• Policies can be configured using a tag selector to restrict the scope of the policy is false. Policies can be configured using a label selector, not a tag selector, to include or exclude certain objects from the policy. A label is a key/value pairattached to a Kubernetes object that allows you to specify identifying attributes for that object. A selector provides the means to identify the objects that have a given label18.
• Policies can only be applied to clustergroups is false. Policies can be applied to various levels of the Tanzu Mission Control resource hierarchy, such as organization, cluster group, workspace, cluster, and namespace18.
• Policies can be enforced using Kubernetes resources (NetworkPolicy, ResourceQuota etc) or using the Kyverno admission controller is false. Policies are enforced by Tanzu Mission Control using its own admission controller and webhook server. Kyverno is an open-source policy engine for Kubernetes that is not related to Tanzu Mission Control.

References: Policy-Driven Cluster Management, [Kyverno]