Test Online Free The Linux Foundation CKS Exam Questions and Answers

The questions for CKS were last updated On Aug.26 2021


Question No : 1
CORRECT TEXT
Enable audit logs in the cluster. To do so, enable the log backend, and ensure that
✑ 1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.
✑ 2. Log files are retained for 5 days.
✑ 3. At maximum, a number of 10 old audit log files are retained.
Edit and extend the basic policy to log:
✑ 1. Cronjob changes at RequestResponse
✑ 2. The request body of deployment changes in the namespace kube-system.
✑ 3. All other resources in core and extensions at the Request level.
✑ 4. Don't log watch requests by the "system:kube-proxy" on endpoints or

Answer:Send us your feedback on it.
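Added example, not part of the exam page and not an official answer: the audit policy covering the four rules above and the kube-apiserver changes that enable the log backend with the required retention. The log path, maxage and maxbackup values are the task's; the policy file path /etc/kubernetes/audit-policy.yaml and the hostPath mounts are assumptions about a kubeadm cluster where the API server runs as a static pod.

```shell
#!/bin/sh
# Added example (not from the exam page): audit policy for the task's four
# rules plus the kube-apiserver static-pod changes for the log backend.
# Assumed paths: /etc/kubernetes/audit-policy.yaml and the hostPath mounts.

# Rules are evaluated in order and the first match wins, so the "do not log"
# rule for kube-proxy must come before the broad core/extensions rule.
write_audit_policy() {   # $1 = destination path
  cat > "$1" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  # 4. Don't log watch requests by system:kube-proxy on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # 1. CronJob changes at RequestResponse (request and response bodies)
  - level: RequestResponse
    resources:
      - group: "batch"
        resources: ["cronjobs"]
  # 2. Request body of Deployment changes in namespace kube-system
  - level: Request
    resources:
      - group: "apps"
        resources: ["deployments"]
    namespaces: ["kube-system"]
  # 3. All other resources in core and extensions at Request level
  - level: Request
    resources:
      - group: ""
      - group: "extensions"
  # Catch-all so nothing falls through unlogged (assumed, not in the task)
  - level: Metadata
EOF
}

# Flags to add under the kube-apiserver command in
# /etc/kubernetes/manifests/kube-apiserver.yaml.
apiserver_audit_flags() {
  cat <<'EOF'
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/kubernetes/kubernetes-logs.txt
    - --audit-log-maxage=5
    - --audit-log-maxbackup=10
EOF
}

# The API server is a static pod: it can only read the policy file and write
# the log if both host paths are mounted into the container (kubeadm assumption).
apiserver_audit_mounts() {
  cat <<'EOF'
# under spec.containers[0]:
    volumeMounts:
    - mountPath: /etc/kubernetes/audit-policy.yaml
      name: audit-policy
      readOnly: true
    - mountPath: /var/log/kubernetes
      name: audit-log
# under spec:
  volumes:
  - name: audit-policy
    hostPath:
      path: /etc/kubernetes/audit-policy.yaml
      type: File
  - name: audit-log
    hostPath:
      path: /var/log/kubernetes
      type: DirectoryOrCreate
EOF
}

# Number of top-level rules in a written policy file (quick sanity check).
count_audit_rules() {   # $1 = policy file
  grep -c '^  - level:' "$1"
}

# Demo: write the policy to a temporary file and print the apiserver flags.
demo_policy=$(mktemp)
write_audit_policy "$demo_policy"
echo "policy written to $demo_policy with $(count_audit_rules "$demo_policy") rules"
apiserver_audit_flags
```

After the static-pod manifest is saved the kubelet restarts the API server on its own; if it does not come back, a missing hostPath mount for the policy file or the log directory is the usual cause, and `crictl ps -a` or the kubelet journal on the control-plane node shows the failure.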

Question No : 2
CORRECT TEXT
Using the runtime detection tool Falco, analyse the container behaviour for at least 30 seconds, using filters that detect newly spawning and executing processes. Store the incident file at /opt/falco-incident.txt, containing the detected incidents, one per line, in the format
[timestamp],[uid],[user-name],[processName]

Answer:Send us your suggestion on it.
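Added example, not part of the exam page and not an official answer: a Falco rule whose output is already in the required four-field form, the 30-second capture, and the post-processing that turns Falco's text output into the incident file. The parser assumes Falco's default text-mode line layout "<evt.time>: <Priority> <rule output>"; the sample lines it is exercised on are constructed.

```shell
#!/bin/sh
# Added example (not from the exam page): Falco rule + capture + parser for
# /opt/falco-incident.txt. Assumes Falco text output lines look like
# "<evt.time>: <Priority> <rule output>"; sample lines below are constructed.

# Rule: every process executed inside a container, printed as
# timestamp,uid,user-name,processName so no reformatting of fields is needed.
write_spawn_rule() {   # $1 = rule file path
  cat > "$1" <<'EOF'
- rule: Process spawned in container
  desc: Any process executed inside a container, reported for the incident file
  condition: container.id != host and evt.type in (execve, execveat) and evt.dir = <
  output: "%evt.time,%user.uid,%user.name,%proc.name"
  priority: NOTICE
EOF
}

# Run Falco for 30 seconds (-M) with only our rule file (-r), keeping stdout.
capture_for_30s() {   # $1 = rule file, $2 = raw capture file
  falco -M 30 -r "$1" > "$2"
}

# One Falco text line -> one incident line. The rule output contains no
# spaces, so after "<time>:" and "<Priority>" it is the third field.
falco_line_to_incident() {
  printf '%s\n' "$1" | awk 'NF >= 3 { print $3 }'
}

# Whole capture -> incident file. Falco's own startup messages are dropped
# because their third field does not split into exactly four comma parts.
falco_log_to_incidents() {   # $1 = raw capture, $2 = incident file
  awk 'NF >= 3 && split($3, f, ",") == 4 { print $3 }' "$1" > "$2"
}

# Full procedure on the node (not executed here):
#   rules=$(mktemp); raw=$(mktemp)
#   write_spawn_rule "$rules"
#   capture_for_30s "$rules" "$raw"
#   falco_log_to_incidents "$raw" /opt/falco-incident.txt

# Demo on a constructed line:
falco_line_to_incident '10:20:30.123456789: Notice 10:20:30.123456789,0,root,bash'
```

If Falco is already running as a service with its default rules, the same rule can instead be dropped into /etc/falco/falco_rules.local.yaml and the service restarted; the output format and the parser stay the same.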

Question No : 3
k8s.gcr.io/kube-controller-manager:v1.18.6
Look for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in /opt/trivy-vulnerable.txt

Answer:Send us your suggestion on it.

Question No : 4
CORRECT TEXT
On the Cluster worker node, enforce the prepared AppArmor profile
#include <tunables/global>

profile nginx-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
Edit the prepared manifest file to include the AppArmor profile.
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
spec:
  containers:
  - name: apparmor-pod
    image: nginx
Finally, apply the manifest file and create the Pod specified in it.
Verify: Try to create a file inside the restricted directory.

Answer:Send us your Feedback on this.

Question No : 5
CORRECT TEXT
Create a PSP that will only allow persistentvolumeclaim as the volume type in the namespace restricted.
Create a new PodSecurityPolicy named prevent-volume-policy which prevents pods that mount any volume type other than persistentvolumeclaim.
Create a new ServiceAccount named psp-sa in the namespace restricted.
Create a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policy.
Create a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.
Hint:
Also, check that the configuration is working by trying to mount a Secret in the pod manifest; it should fail.
POD Manifest:
apiVersion: v1
kind: Pod
metadata:
  name:
spec:
  containers:
  - name:
    image:
    volumeMounts:
    - name:
      mountPath:
  volumes:
  - name:
    secret:
      secretName:

Answer:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - ALL
  # Allow core volume types.
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
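Added example, not part of the exam page and not the site's answer: the four objects the question actually names (a PSP limited to persistentVolumeClaim, the ServiceAccount, the ClusterRole granting "use" on that PSP, and the ClusterRoleBinding), plus the Secret-mounting pod that the policy must reject. Object names come from the question; the test pod name and image are constructed. PodSecurityPolicy only takes effect when the PodSecurityPolicy admission plugin is enabled on the API server, and the API was removed in Kubernetes 1.25.

```shell
#!/bin/sh
# Added example (not from the exam page): PSP restricted to persistentVolumeClaim
# plus SA / ClusterRole / ClusterRoleBinding, and the negative check.
# Names are the question's; pod name "psp-check" and image are constructed.

psp_manifests() {
  cat <<'EOF'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: prevent-volume-policy
spec:
  privileged: false
  # Only this volume type is permitted; secret, configMap, emptyDir,
  # hostPath and every other type is rejected at admission.
  volumes:
    - persistentVolumeClaim
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: psp-sa
  namespace: restricted
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-role
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["prevent-volume-policy"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-role
subjects:
  - kind: ServiceAccount
    name: psp-sa
    namespace: restricted
EOF
}

# Negative test pod: runs as psp-sa (PSPs are matched against the pod's
# service account) and mounts a Secret, which the policy must reject.
secret_pod_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: psp-check
  namespace: restricted
spec:
  serviceAccountName: psp-sa
  containers:
  - name: app
    image: nginx
    volumeMounts:
    - name: creds
      mountPath: /creds
  volumes:
  - name: creds
    secret:
      secretName: some-secret
EOF
}

# Checks on the generated YAML: number of objects and the permitted volume types.
count_kinds() { psp_manifests | grep -c '^kind:'; }
allowed_volume_types() {
  psp_manifests | awk '/^  volumes:/ {v=1; next} v && /^    - / {print $2; next} {v=0}'
}

# Cluster steps (run on the desk host with kubectl; not executed here):
apply_and_verify() {
  psp_manifests | kubectl apply -f -
  # Should answer "yes" once the binding is in place.
  kubectl auth can-i use podsecuritypolicies/prevent-volume-policy \
    --as=system:serviceaccount:restricted:psp-sa
  # Expected to be refused by the PodSecurityPolicy admission plugin.
  secret_pod_manifest | kubectl apply -f - || echo "secret volume rejected as expected"
}

psp_manifests
```

The "use" verb on the named PSP is what ties the policy to the service account; without the ClusterRoleBinding no PSP authorises the pod at all and every pod in the namespace is refused, which is a common surprise when the admission plugin is switched on.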

Question No : 6
Create the Pod using this manifest

Answer:
[desk@cli] $ ssh worker1
[worker1@cli] $ apparmor_parser -q /etc/apparmor.d/nginx
[worker1@cli] $ aa-status | grep nginx
nginx-profile-1
[worker1@cli] $ logout
[desk@cli] $ vim nginx-deploy.yaml
Add these lines under metadata:
annotations:  # Add this line
  container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/nginx-profile-1
[desk@cli] $ kubectl apply -f nginx-deploy.yaml

Question No : 7
ConfigMap and Secret changes in all namespaces at the Metadata level. Also, add a catch-all rule to log all other requests at the Metadata level.
Note: Don't forget to apply the modified policy.

Answer:
$ vim /etc/kubernetes/log-policy/audit-policy.yaml
$ vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add these:
- --audit-log-maxbackup=10
Explanation
[desk@cli] $ ssh master1
[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: "" # core API group
        resources: ["endpoints", "services"]
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
      - "/api*" # Wildcard matching.
      - "/version"
  # Add your changes below
  - level: RequestResponse
    userGroups: ["system:nodes"] # Block for nodes
  - level: Request
    resources:
      - group: "" # core API group
        resources: ["persistentvolumes"] # Block for persistentvolumes
    namespaces: ["frontend"] # Block for persistentvolumes of frontend ns
  - level: Metadata
    resources:
      - group: "" # core API group
        resources: ["configmaps", "secrets"] # Block for configmaps & secrets
  - level: Metadata # Block for everything else
[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.5
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml # Add this
    - --audit-log-path=/var/log/kubernetes/logs.txt # Add this
    - --audit-log-maxage=5 # Add this
    - --audit-log-maxbackup=10 # Add this
output truncated

Question No : 8
CORRECT TEXT
Secrets stored in etcd are not secure at rest; you can use the etcdctl command-line utility to read the secret value, for example:
ETCDCTL_API=3 etcdctl get /registry/secrets/default/cks-secret --cacert="ca.crt" --cert="server.crt" --key="server.key"
Output

Using the Encryption Configuration, create the manifest which secures the resource secrets using the providers AES-CBC and identity, to encrypt the secret data at rest, and ensure all secrets are encrypted with the new configuration.

Answer:Send us your feedback on it.
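Added example, not part of the exam page and not an official answer: generating a 32-byte AES-CBC key, writing the EncryptionConfiguration with aescbc listed first (new writes are encrypted) and identity second (secrets written before the change stay readable), the kube-apiserver change, the re-write of every existing Secret, and the etcd check. The config path /etc/kubernetes/enc/enc.yaml and the hostPath mount are assumptions about a kubeadm cluster; the etcd key path and certificate names are the ones in the question.

```shell
#!/bin/sh
# Added example (not from the exam page): EncryptionConfiguration for secrets
# with aescbc + identity, apiserver wiring and verification helpers.
# Assumed: /etc/kubernetes/enc/enc.yaml and a kubeadm static-pod API server.

# aescbc accepts 16, 24 or 32 byte keys, base64-encoded in the config file.
gen_aescbc_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Decoded length of a base64 key, checked before the key goes into the config.
key_bytes() {   # $1 = base64 key
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

write_encryption_config() {   # $1 = destination, $2 = base64 key
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; every listed provider is tried on reads.
      - aescbc:
          keys:
            - name: key1
              secret: $2
      - identity: {}
EOF
}

# Provider order check: aescbc must precede identity, otherwise identity
# (no encryption) handles writes and nothing changes at rest.
providers_in_order() {   # $1 = config file
  awk '/aescbc:/ {a=NR} /identity:/ {i=NR} END { exit !(a && i && a < i) }' "$1"
}

# Changes to /etc/kubernetes/manifests/kube-apiserver.yaml: the flag under
# the command list, and a hostPath mount so the static pod can read the file.
apiserver_encryption_patch() {
  cat <<'EOF'
# under spec.containers[0].command:
    - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# under spec.containers[0]:
    volumeMounts:
    - mountPath: /etc/kubernetes/enc
      name: enc
      readOnly: true
# under spec:
  volumes:
  - name: enc
    hostPath:
      path: /etc/kubernetes/enc
      type: DirectoryOrCreate
EOF
}

# Secrets written before the change stay plaintext until rewritten; reading
# and replacing each one stores it again through the aescbc provider.
reencrypt_all_secrets() {
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

# After re-encryption the raw etcd value begins with "k8s:enc:aescbc:v1:key1:"
# instead of the plaintext protobuf marker "k8s".
show_secret_at_rest() {   # $1 = namespace, $2 = secret name
  ETCDCTL_API=3 etcdctl get "/registry/secrets/$1/$2" \
    --cacert="ca.crt" --cert="server.crt" --key="server.key" | hexdump -C | head -n 5
}

# Demo: generate a key and write the config to a temporary file.
demo_key=$(gen_aescbc_key)
demo_cfg=$(mktemp)
write_encryption_config "$demo_cfg" "$demo_key"
echo "wrote $demo_cfg with a $(key_bytes "$demo_key")-byte key"
```

The config file holds the key in the clear, so it should be readable only by root on the control-plane node; swapping the two providers (identity first) is the classic mistake, because the API server starts fine but keeps writing plaintext, which is why the etcd check belongs in the procedure.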
