매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
Red Hat Certified Specialist in OpenShift Automation and Integration exam 온라인 연습
최종 업데이트 시간: 2026년05월15일
당신은 온라인 연습 문제를 통해 RedHat EX380 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 EX380 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 80개의 시험 문제와 답을 포함하십시오.
정답: Verify prerequisites exist (Secret + ConfigMap)
oc -n openshift-config get secret rhds-ldap-secret
oc -n openshift-config get configmap rhds-ca-config-map
OAuth LDAP configuration references these objects. If they don’t exist, OAuth won’t be able to bind to LDAP securely.
Edit the cluster OAuth resource
oc edit oauth cluster
The oauth/cluster resource is where identity providers are defined.
Add an LDAP identity provider entry (example structure)
Add under spec.identityProviders:
- name: corp-ldap
mappingMethod: claim
type: LDAP ldap:
url: "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid"
bindDN: "uid=openshift,ou=svc,dc=example,dc=com" bindPassword:
name: rhds-ldap-secret
ca:
name: rhds-ca-config-map
insecure: false
attributes:
id: ["dn"]
name: ["cn"]
preferredUsername: ["uid"]
email: ["mail"]
url: where to search for users and which attribute is used for login (here uid).
bindDN + bindPassword: service account used for LDAP queries.
ca: trusts the LDAP server CA for TLS.
attributes: maps LDAP data into OpenShift user identity fields.
Restart OAuth pods to load changes quickly oc -n openshift-authentication delete pod -l app=oauth-openshift This forces pods to restart and re-read the updated configuration. Verify the identity provider appears and users can log in
In the web console login page, you should see the new provider (name may show as corp-ldap).
After a successful login, confirm user objects appear:
oc get users
oc get identities
OpenShift creates User and Identity objects upon first successful authentication.
정답: Step 1: Confirm that the repository being pushed to is the same repository watched by the GitOps/Argo CD application.
This linkage is essential because GitOps acts only on configured source repositories and paths.
Step 2: Commit the MachineConfig changes.
The lab uses:
git commit -am "Add MachineConfig for motd"
Step 3: Push the changes to the tracked branch.
The lab uses:
git push origin main
Step 4: Allow Argo CD to detect the repository change and begin synchronization.
In a standard GitOps model, the controller compares the Git repository to the cluster state and applies drift correction or new desired resources.
Detailed
explanation:
This subTask SIMULATION is the operational purpose behind the previous Git command Task SIMULATION. The point is not merely to store a file in Git; it is to update the declarative source that Argo CD uses to reconcile the cluster. Once the repository is updated, Argo CD detects the new commit and syncs the MachineConfig into the cluster according to its application definition. This demonstrates a core automation principle in OpenShift GitOps: administrators do not treat the cluster as the primary editable surface. Instead, they modify Git and let the automation layer enforce state. That provides traceability, peer review potential, rollback capability, and consistency across environments.
정답: Step 1: Make sure the MachineConfig YAML has already been created or modified in the local Git repository.
This Task assumes the file change is ready to be committed.
Step 2: Run the command:
git commit -am "Add MachineConfig for motd" && git push origin main
Step 3: Verify the commit succeeds and the push goes to the main branch.
The lab output shows:
[main 8d32a1] Add MachineConfig for motd
Detailed
explanation:
This Task is part of a GitOps workflow. Instead of manually applying changes directly to the cluster, the desired configuration is stored in Git, and a GitOps controller such as Argo CD synchronizes the cluster to match the repository state. The command commits all tracked modified files with the message Add MachineConfig for motd and then pushes the change to the main branch. In this model, Git becomes the source of truth. A MachineConfig is typically used to manage node-level operating system configuration in OpenShift, so pushing it through GitOps ensures the change is auditable, repeatable, and reconciled declaratively. If the commit does not include the intended YAML, the synchronization mechanism will not apply the desired change.
정답: Step 1: Log in to the OpenShift web console.
This Task is explicitly defined as a GUI workflow.
Step 2: Navigate to Operators.
Installed logging components are managed through the operator framework.
Step 3: Open Installed Operators.
This lists operators already deployed in the cluster.
Step 4: Select Red Hat OpenShift Logging.
This operator manages the cluster logging stack and its custom resources.
Step 5: Open the ClusterLogging instance.
The Task SIMULATION refers to editing the existing ClusterLogging custom resource.
Step 6: Switch to YAML View.
This allows direct editing of the logging custom resource specification.
Step 7: Edit the collection type and set it to vector.
This changes the log collector implementation.
Step 8: Click Save.
The operator will reconcile the resource and apply the updated collector configuration.
Detailed
explanation:
The ClusterLogging custom resource controls the logging stack behavior in OpenShift. Changing the collection type to vector updates which collector technology is used for gathering node and container logs. In operator-managed platforms, direct YAML edits to the custom resource are the preferred method for changing managed behavior because the operator then applies and maintains the desired state. This Task tests both navigation skills in the web console and knowledge of where logging behavior is configured. Saving the resource triggers reconciliation, which is a core OpenShift operator pattern: the declared configuration is read and enforced by the operator rather than by manual per-pod changes.
정답: Step 1: Make sure the context already exists in the kubeconfig file.
This follows the context creation Task SIMULATION.
Step 2: Run the command:
oc config use-context audit --kubeconfig audit.config
Step 3: Confirm the active context switches successfully.
The lab output shows:
Switched to context "audit".
Detailed
explanation:
This command activates the audit context inside the specified kubeconfig file. Once selected, subsequent oc commands using that kubeconfig will default to the cluster, user, and namespace associated with that context. This is operationally important because many administration mistakes come from running commands against the wrong cluster or project. Using explicit context switching reduces that risk and makes the kubeconfig usable for the intended audit workflow. In exams and real environments alike, the context is what turns separate kubeconfig elements into a working session configuration. Without switching to the correct context, even a well-formed kubeconfig may not be used as expected.
정답: Step 1: Verify the cluster name, namespace, and user name that should be referenced.
The lab uses cluster api-ocp4-example-com:6443, namespace audit-ns, and user audit-sa.
Step 2: Run the command:
oc config set-context audit --cluster api-ocp4-example-com:6443 --namespace audit-ns --user audit-sa --kubeconfig audit.config
Step 3: Confirm context creation.
The lab output shows:
Context "audit" created.
Detailed
explanation:
A kubeconfig context ties together three things: a cluster endpoint, a user identity, and optionally a default namespace. This Task creates a context named audit in the file audit.config. Contexts are useful because they simplify repeated administration by letting the user switch between prepared working environments instead of re-entering cluster and namespace details each time. The namespace portion is especially helpful for project-scoped operations, because commands run under that context default to the chosen namespace. Accuracy matters here: if the user name in the context does not match the credentials entry or the cluster name does not exist in the kubeconfig, the context will not function as intended.
정답: Step 1: Ensure the client certificate and private key files are available.
The lab uses audit.crt and tls.key.
Step 2: Run the command:
oc config set-credentials audit --client-certificate audit.crt --client-key tls.key --embed-certs -- kubeconfig audit.config
Step 3: Confirm the user entry is written.
The lab output shows:
User "audit" set.
Detailed
explanation:
This command creates or updates the audit user entry inside the kubeconfig file audit.config. It points the user to a client certificate and private key, and the --embed-certs option stores certificate material directly inside the kubeconfig rather than only referencing external files. That makes the kubeconfig more portable because it can be moved and used without separately copying the certificate files, provided the embedded content is valid. In certificate-based authentication, the private key proves client possession while the certificate presents the approved identity. If the certificate and key do not match, authentication will fail. This step does not yet define what cluster or namespace the user works against; it only defines the credential identity.
정답: Step 1: Identify the pending certificate signing request.
The lab names it audit-csr.
Step 2: Run the approval command:
oc adm certificate approve audit-csr
Step 3: Confirm approval.
The lab output shows:
certificatesigningrequest.certificates.k8s.io/audit-csr approved
Detailed
explanation:
In Kubernetes and OpenShift, a CSR must be approved before the requester can use the signed certificate for authentication. This Task approves the CSR named audit-csr, which is likely associated with the audit user or service account access flow in the lab. Certificate-based authentication is commonly used for kubeconfig access because it enables secure client identity without relying solely on tokens. Until the CSR is approved, the certificate cannot be trusted by the cluster API for authenticated operations. Administrative approval is therefore a gatekeeping step that ensures only intended certificate requests become valid credentials. This Task is part of a broader kubeconfig workflow that continues with setting credentials and defining context.
정답: Step 1: Confirm the service account exists in auth-audit.
It must exist before a role can be assigned to it.
Step 2: Run the command:
oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:auth-audit:audit
Step 3: Verify the binding is added.
The lab output shows:
clusterrole.rbac.authorization.k8s.io/cluster-reader added: "system:serviceaccount:auth-audit:audit"
Detailed
explanation:
This binds the cluster-reader cluster role to the audit service account. The full subject format system:serviceaccount:namespace:name is required because OpenShift RBAC needs the exact service account identity. The cluster-reader role is broader than a project-scoped view role because it allows read-level access across cluster resources. This is appropriate for auditing or inspection use cases where the account must observe but not modify. The distinction between cluster roles and namespaced roles is important: cluster roles apply to non-namespaced resources and broad cluster visibility, while local roles are limited to individual projects. This Task is a classic RBAC operation that combines identity creation with controlled privilege assignment.
정답: Step 1: Ensure the target project exists.
The lab specifies the namespace/project auth-audit.
Step 2: Run the command:
oc create sa audit -n auth-audit
Step 3: Verify creation.
The lab output shows:
serviceaccount/audit created
Detailed
explanation:
This creates a service account named audit in the auth-audit namespace. Service accounts provide non-human identities for workloads and automation processes running inside the cluster. They are also commonly used when controlled API access is needed for scripts, jobs, or external kubeconfig generation. Creating a dedicated service account instead of using the default one is good practice because it supports least privilege and clearer access tracking. In exam and administration scenarios, service accounts are often paired with explicit RBAC bindings to grant only the permissions needed for the intended Task SIMULATION. This step lays the identity foundation before assigning a role in the following Task SIMULATION.
정답: Step 1: Identify the application namespace after restore.
The lab shows the namespace as my-app-namespace.
Step 2: Run the SCC assignment command:
oc adm policy add-scc-to-user anyuid -z default -n my-app-namespace
Step 3: Confirm the role binding is applied.
The lab output shows:
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "default"
Detailed
explanation:
After a restore, the application may fail if its pods require a security context not permitted by the default SCC allocation. This command grants the anyuid SCC to the default service account in the my-
app-namespace project. The -z default syntax targets the default service account, which many restored workloads use if no custom service account is defined. The anyuid SCC allows containers to run with arbitrary user IDs, which some legacy or prebuilt images require. In OpenShift, SCC mismatches commonly cause pods to remain in pending or crash-related states. Assigning the proper SCC resolves those admission issues so workloads can start successfully. This step is therefore a post-restore operational fix to align security policy with application requirements.
정답: Step 1: Make sure Velero is installed and configured in the environment.
The Task SIMULATION assumes an existing backup named backup-app-daily is already present.
Step 2: Run the restore command:
velero restore create --from-backup backup-app-daily
Step 3: Confirm the restore request is submitted.
The lab output shows:
Restore request "backup-app-daily-2024" submitted successfully.
Detailed
explanation:
This command instructs Velero to create a restore operation using the existing backup called backup-app-daily. Velero is commonly used to protect Kubernetes and OpenShift resources by backing up object definitions and, when configured, persistent data integrations. The command does not manually recreate resources one by one; instead, it leverages the metadata captured during backup. A successful restore submission means the request has been accepted, not necessarily that every object has already been fully restored. In practical administration, you would often follow this by checking restore status and validating the application namespace, pods, services, routes, and storage bindings. This lab Task SIMULATION focuses specifically on initiating the restore from the named backup source.
정답: Step 1: Ensure the certificate file rhds_ca.crt is available in your current working directory or use the correct path.
The Task requires creating a configmap from this CA certificate file.
Step 2: Run the command:
oc create configmap rhds-ca-config-map --from-file ca.crt=rhds_ca.crt -n openshift-config
Step 3: Confirm the configmap is created.
The lab output shows:
configmap/rhds-ca-config-map created
Detailed
explanation:
This creates a configmap named rhds-ca-config-map in the openshift-config namespace and maps the local file rhds_ca.crt to the key name ca.crt inside the configmap. This is important in external identity integration because OpenShift may need to trust a custom certificate authority when communicating with LDAP or another secured external service. By placing the certificate in a configmap, the authentication operator or related cluster configuration can reference it cleanly. The key name matters because many OpenShift resources expect a CA bundle key with a specific filename-like convention. If the file path is wrong, the command fails immediately. If the configmap name or key mapping is wrong, the authentication provider referencing it may not trust the external endpoint.
정답: Step 1: Open a terminal with oc access to the cluster.
This Task is CLI-driven and targets the openshift-config namespace.
Step 2: Run the command:
oc create secret generic rhds-ldap-secret --from-literal bindPassword=redhatocp -n openshift-config
Step 3: Verify that the secret is created successfully.
The lab output shows:
secret/rhds-ldap-secret created
Detailed
explanation:
This step creates a generic secret named rhds-ldap-secret in the openshift-config namespace. The secret stores a key called bindPassword with the value redhatocp. In an identity-provider or LDAP integration workflow, the bind password is used by OpenShift when connecting to the external directory service. Storing this value in a secret is the correct operational pattern because authentication material should not be embedded directly into configuration objects. The openshift-config namespace is specifically important because cluster authentication configuration commonly references secrets and configmaps from that namespace. If the secret name or key is wrong, the authentication configuration that depends on it may fail to validate or connect properly.
정답: Step 1: Log in to the OpenShift web console with an account that has sufficient cluster administrative privileges.
This Task is performed from the GUI, not the CLI. The lab hint explicitly places this under the worker node details page in the console.
Step 2: Navigate to Compute.
This area contains node-level resources, including control plane and worker nodes.
Step 3: Open Nodes.
Here you can view all nodes currently registered in the cluster.
Step 4: Select the required worker node.
Choose the exact worker node referenced by the lab Task SIMULATION.
Step 5: Open the Details tab.
The taint configuration is managed from the selected node’s details view.
Step 6: Locate the Taints section and click Edit.
A taint is used to control pod scheduling. If a worker has a taint, pods without matching tolerations may not schedule there.
Step 7: Remove the unwanted taint entry.
Removing the taint makes the worker eligible again for normal scheduling behavior, depending on the rest of the cluster policy.
Step 8: Click Save.
This commits the change so the node is updated and the scheduler can evaluate it without that taint