EX432 Red Hat Certified Specialist in OpenShift Advanced Cluster Management Questions and Answers

Create overlay structure:

mkdir -p overlays/production

Confirm:

ls -R overlays

Why this matters:

Kustomize overlays let you maintain base manifests and environment-specific patches (production vs dev, etc.).

Create the ManagedClusterSet:

oc create managedclusterset development

Confirm it exists:

oc get managedclusterset

oc describe managedclusterset development

Why these steps matter:

ClusterSets are an ACM grouping primitive used for RBAC scoping , governance targeting, and multi-cluster app placement.

Confirm the policy exists in the namespace:

oc get policy -n team-dev

Confirm Placement exists and selects clusters:

oc get placement -n team-dev

oc get placementdecision -n team-dev

Confirm PlacementBinding points to correct placement + policy:

oc get placementbinding -n team-dev -o yaml

Fix common mistakes:

wrong namespace

placement name mismatch

missing ClusterSetBinding in the namespace Why this matters: Policy framework requires placement + binding; missing/incorrect targeting is the #1 real-world issue.

Create the object storage secret (you’ll be given endpoint/access keys in an exam):

oc -n open-cluster-management-observability create secret generic thanos-object-storage \

--from-file=thanos.yaml=/path/to/thanos.yaml

Create or edit MultiClusterObservability CR to enable observability (storage class, retention, etc.).

Verify observability pods in the observability namespace and check dashboards/metrics. Why this matters: Monitoring health/performance with ACM observability is a common learning objective in ACM training.

Check cluster conditions:

oc describe managedcluster cluster-dev

Check agent namespaces and pods on the managed cluster (common namespace names depend on deployment, but you’re looking for ACM/klusterlet agents).

On hub, check managedclusteraddons and addon health:

oc get managedclusteraddon -n cluster-dev

oc describe managedclusteraddon -n cluster-dev < addon-name >

Typical fixes: missing pull secret, network/DNS issues, CSR approval issues, etc. (Exam expects you to identify from events/conditions).

In the hub cluster Web Console, go to Infrastructure → Clusters (ACM console navigation).

Click Import cluster .

Provide a name (the UI may request details like distribution/credentials depending on flow).

The wizard will provide a command to run on the managed cluster you want to import.

Copy that import command.

Log into the managed cluster (spoke) using oc and run the copied command.

Back on the hub, wait until the cluster status becomes Ready / Managed .

Why these steps matter:

Import registers the managed cluster, installs the klusterlet/agent components, and enables policy/app placement management.

Create the ManagedClusterSet:

oc create managedclusterset production

Validate:

oc get managedclusterset

oc describe managedclusterset production

Why this matters:

Separating development and production clusters is common for governance/RBAC isolation.

Create PolicySet to group related policies.

Use Governance UI to filter by PolicySet and view compliance per cluster.

Export/report (or capture output via CLI oc get policy -o wide) depending on lab capability.

Grant the ClusterSet role (admin on production).

Log in as user-a and attempt:

list clusters in production vs development

create policies in a namespace bound to production

Confirm authorization errors when accessing development resources.

(ClusterSet RBAC is explicitly part of cluster set management and access scope.)

Policies in ACM require:

a Policy resource

a Placement (which clusters to target)

a PlacementBinding (bind policy ↔ placement)

Create the Policy (in team-dev) enforcing a namespace audit-logs:

cat < < 'EOF' | oc apply -f -

apiVersion: policy.open-cluster-management.io/v1

kind: Policy

metadata:

name: policy-ensure-audit-namespace

namespace: team-dev

spec:

remediationAction: enforce

disabled: false

policy-templates:

- objectDefinition:

apiVersion: policy.open-cluster-management.io/v1

kind: ConfigurationPolicy

metadata:

name: ensure-audit-namespace

spec:

remediationAction: enforce

severity: low

object-templates:

- complianceType: musthave

objectDefinition:

apiVersion: v1

kind: Namespace

metadata:

name: audit-logs

EOF

Create PlacementBinding to bind it to dev-clusters placement:

cat < < 'EOF' | oc apply -f -

apiVersion: policy.open-cluster-management.io/v1

kind: PlacementBinding

metadata:

name: bind-policy-ensure-audit-namespace

namespace: team-dev

placementRef:

apiGroup: cluster.open-cluster-management.io

kind: Placement

name: dev-clusters

subjects:

- apiGroup: policy.open-cluster-management.io

kind: Policy

name: policy-ensure-audit-namespace

EOF

Verify compliance:

oc get policy -n team-dev

oc describe policy policy-ensure-audit-namespace -n team-dev

Why this matters:

This is the core “ACM governance” exam pattern: define desired state and enforce across clusters.