Linux Foundation Kubernetes System Administration CKS Questions & Answers

• Question 11:

  Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic

  A. See the explanation below:

  B. PlaceHolder

  Correct Answer: A

  You can create a "default" isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.

  apiVersion: networking.k8s.io/v1

  kind: NetworkPolicy

  metadata:

  name: default-deny-ingress

  spec:

  podSelector: {}

  policyTypes:

  -Ingress

  You can create a "default" egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.

  apiVersion: networking.k8s.io/v1

  kind: NetworkPolicy

  metadata:

  name: allow-all-egress

  spec:

  podSelector: {}

  egress:

  -{} policyTypes:

  -Egress

  Default deny all ingress and all egress traffic

  You can create a "default" policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.

  apiVersion: networking.k8s.io/v1

  kind: NetworkPolicy

  metadata:

  name: default-deny-all

  spec:

  podSelector: {}

  policyTypes:

  -Ingress

  -Egress

  This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.

• Question 12:

  CORRECT TEXT

  

  A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.

  Task

  Create a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.

  Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.

  Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.

  Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp- restrict-sa.

  

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

  

  

  

  

• Question 13:

  Context:

  Cluster: prod

  Master node: master1

  Worker node: worker1

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context prod

  Task:

  Analyse and edit the given Dockerfile (based on the ubuntu:18:04 image)

  /home/cert_masters/Dockerfile fixing two instructions present in the file being prominent security/best-practice issues.

  Analyse and edit the given manifest file

  /home/cert_masters/mydeployment.yaml fixing two fields present in the file being prominent security/best-practice issues.

  Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.

  Should you need an unprivileged user for any of the tasks, use user nobody with user id 65535

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  1. For Dockerfile: Fix the image version and user name in Dockerfile2. For mydeployment.yaml : Fix security contexts

  Explanation[desk@cli] $ vim /home/cert_masters/Dockerfile FROM ubuntu:latest # Remove this FROM ubuntu:18.04 # Add this USER root # Remove this USER nobody # Add this RUN apt get install -y lsof=4.72 wget=1.17.1 nginx=4.2 ENV ENVIRONMENT=testing USER root # Remove this USER nobody # Add this CMD ["nginx -d"]

  

  Text

  [desk@cli] $ vim /home/cert_masters/mydeployment.yaml

  apiVersion: apps/v1

  kind: Deployment

  metadata:

  creationTimestamp: null

  labels:

  app: kafka

  name: kafka

  spec:

  replicas: 1

  selector:

  matchLabels:

  app: kafka

  strategy: {}

  template:

  metadata:

  creationTimestamp: null

  labels:

  app: kafka

  spec:

  containers:

  -image: bitnami/kafka

  name: kafka

  volumeMounts:

  -

  name: kafka-vol

  mountPath: /var/lib/kafka

  securityContext:

  {"capabilities":{"add":["NET_ADMIN"],"drop":["all"]},"privileged":

  True,"readOnlyRootFilesystem": False, "runAsUser": 65535} # Delete This {"capabilities":{"add":["NET_ADMIN"],"drop":["all"]},"privileged":

  False,"readOnlyRootFilesystem": True, "runAsUser": 65535} # Add This resources: {}

  volumes:

  -

  name: kafka-vol

  emptyDir: {}

  status: {}

  Pictorial View:[desk@cli] $ vim /home/cert_masters/mydeployment.yaml

  

• Question 14:

  The kubeadm-created cluster's Kubernetes API server was, for testing purposes, temporarily configured to allow unauthenticated and unauthorized access granting the anonymous user duster-admin access.

  

  Task

  Reconfigure the cluster's Kubernetes API server to ensure that only authenticated and authorized REST requests are allowed.

  Use authorization mode Node,RBAC and admission controller NodeRestriction.

  Cleaning up, remove the ClusterRoleBinding for user system:anonymous.

  

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

  

  

  

• Question 15:

  Cluster: qa-cluster

  Master node: master Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context qa-cluster

  Task:

  Create a NetworkPolicy named restricted-policy to restrict access to Pod product running in namespace dev.

  Only allow the following Pods to connect to Pod products-service:

  1.

  Pods in the namespace qa

  2.

  Pods with label environment: stage, in any namespace

  A. See the below.

  B. PlaceHolder

  Correct Answer: A

• Question 16:

  

  

  

  1.

  Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace.

  Store the value of the token in the token.txt

  2.

  Create a new secret named test-db-secret in the DB namespace with the following content:

  username: mysql password: password@123

  Create the Pod name test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials

  A. See the explanation below:

  B. PlaceHolder

  Correct Answer: A

  To add a Kubernetes cluster to your project, group, or instance:

  1.

  Navigate to your:

  2.

  Click Add Kubernetes cluster.

  3.

  Click the Add existing cluster tab and fill in the details:

  Get the API URL by running this command:

  kubectl cluster-info | grep -E 'Kubernetes master|Kubernetes control plane' | awk '/http/ {print $NF}'

  uk.co.certification.simulator.questionpool.PList@113e1f90

  kubectl get secret -o jsonpath="{['data']['ca\.crt']}"

• Question 17:

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context prod-account

  Context:

  A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

  Task:

  Given an existing Pod named web-pod running in the namespace database.

  1.

  Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.

  2.

  Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statuefulsets.

  3.

  Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount. Note: Don't delete the existing RoleBinding.

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  

  

• Question 18:

  Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt

  Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.

  Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod's ServiceAccount ( found in the Nginx pod running in namespace test- system).

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

  

• Question 19:

  Create a PSP that will prevent the creation of privileged pods in the namespace.

  Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.

  Create a new ServiceAccount named psp-sa in the namespace default.

  Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.

  Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.

  Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

  A. See the below.

  B. PlaceHolder

  Correct Answer: A

  Create a PSP that will prevent the creation of privileged pods in the namespace. $ cat clusterrole-use-privileged.yaml apiVersion: rbac.authorization.k8s.io/v1

  kind: ClusterRole metadata: name: use-privileged-psp rules:

  -apiGroups: ['policy']

  resources: ['podsecuritypolicies']

  verbs: ['use']

  resourceNames:

  -default-psp

  apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: privileged-role-bind namespace: psp-test roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: use-privileged-psp subjects:

  -kind: ServiceAccount name: privileged-sa $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml

  After a few moments, the privileged Pod should be created.

  Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.

  apiVersion: policy/v1beta1

  kind: PodSecurityPolicy

  metadata:

  name: example

  spec:

  privileged: false # Don't allow privileged pods!

  # The rest fills in some required fields.

  seLinux:

  rule: RunAsAny

  supplementalGroups:

  rule: RunAsAny

  runAsUser:

  rule: RunAsAny

  fsGroup:

  rule: RunAsAny

  volumes:

  -'*'

  And create it with kubectl:

  kubectl-admin create -f example-psp.yaml

  Now, as the unprivileged user, try to create a simple pod:

  kubectl-user create -f- <

  apiVersion: v1

  kind: Pod

  metadata:

  name: pause

  spec:

  containers:

  -name: pause

  image: k8s.gcr.io/pause

  EOF

  The output is similar to this:

  Error from server (Forbidden): error when creating "STDIN": pods "pause" is forbidden:

  unable to validate against any pod security policy: []

  Create a new ServiceAccount named psp-sa in the namespace default.

  $ cat clusterrole-use-privileged.yaml

  apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: use-privileged-psp rules:

  -apiGroups: ['policy']

  resources: ['podsecuritypolicies']

  verbs: ['use']

  resourceNames:

  -default-psp

  apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: privileged-role-bind namespace: psp-test roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: use-privileged-psp subjects:

  -kind: ServiceAccount name: privileged-sa $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml After a few moments, the privileged Pod should be created.

  Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.

  apiVersion: policy/v1beta1

  kind: PodSecurityPolicy

  metadata:

  name: example

  spec:

  privileged: false # Don't allow privileged pods!

  # The rest fills in some required fields.

  seLinux:

  rule: RunAsAny

  supplementalGroups:

  rule: RunAsAny

  runAsUser:

  rule: RunAsAny

  fsGroup:

  rule: RunAsAny

  volumes:

  -'*'

  And create it with kubectl:

  kubectl-admin create -f example-psp.yaml

  Now, as the unprivileged user, try to create a simple pod:

  kubectl-user create -f- <

  apiVersion: v1

  kind: Pod

  metadata:

  name: pause

  spec:

  containers:

  -name: pause

  image: k8s.gcr.io/pause

  EOF

  The output is similar to this:

  Error from server (Forbidden): error when creating "STDIN": pods "pause" is forbidden:

  unable to validate against any pod security policy: []

  Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.

  apiVersion: rbac.authorization.k8s.io/v1

  # This role binding allows "jane" to read pods in the "default" namespace. # You need to already have a Role named "pod-reader" in that namespace.

  kind: RoleBinding

  metadata:

  name: read-pods

  namespace: default

  subjects:

  # You can specify more than one "subject"

  -kind: User name: jane # "name" is case sensitive apiGroup: rbac.authorization.k8s.io roleRef: # "roleRef" specifies the binding to a Role / ClusterRole kind: Role #this must be Role or ClusterRole name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to apiGroup: rbac.authorization.k8s.io

  apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: default name: pod-reader rules:

  -apiGroups: [""] # "" indicates the core API group resources: ["pods"] verbs: ["get", "watch", "list"]

• Question 20:

  Cluster: scanner

  Master node: controlplane

  Worker node: worker1

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context scanner

  Given:

  You may use Trivy's documentation.

  Task:

  Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.

  Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.

  Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A