Linux Foundation Kubernetes System Administration CKS Questions & Answers

• Question 21:

  

  

  AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet.

  

  Task

  On the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor.

  Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile.

  Finally, apply the manifest file and create the Pod specified in it.

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

• Question 22:

  

  

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context test-account

  Task: Enable audit logs in the cluster.

  To do so, enable the log backend, and ensure that:

  1.

  logs are stored at /var/log/Kubernetes/logs.txt

  2.

  log files are retained for 5 days

  3.

  at maximum, a number of 10 old audit log files are retained

  A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.

  Note: The base policy is located on the cluster's master node.

  Edit and extend the basic policy to log:

  1.

  Nodes changes at RequestResponse level

  2.

  The request body of persistentvolumes changes in the namespace frontend

  3.

  ConfigMap and Secret changes in all namespaces at the Metadata level

  Also, add a catch-all rule to log all other requests at the Metadata level Note: Don't forget to apply the modified policy.

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  $ vim /etc/kubernetes/log-policy/audit-policy.yaml

  uk.co.certification.simulator.questionpool.PList@11602760

  $ vim /etc/kubernetes/manifests/kube-apiserver.yamlAdd these uk.co.certification.simulator.questionpool.PList@11602c70

  - --audit-log-maxbackup=10

  [desk@cli] $ ssh master1[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml

  apiVersion: audit.k8s.io/v1 # This is required.

  kind: Policy

  # Don't generate audit events for all requests in RequestReceived stage.

  omitStages:

  -"RequestReceived"

  rules:

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services

  -level: None

  users: ["system:kube-proxy"]

  verbs: ["watch"]

  resources:

  -group: "" # core API group

  resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.

  -level: None

  userGroups: ["system:authenticated"]

  nonResourceURLs:

  -"/api*" # Wildcard matching.

  -"/version"

  # Add your changes below

  -

  level: RequestResponse userGroups: ["system:nodes"] # Block for nodes

  -

  level: Request resources:

  -group: "" # core API group resources: ["persistentvolumes"] # Block for persistentvolumes namespaces: ["frontend"] # Block for persistentvolumes of frontend ns

  -level: Metadata resources:

  -group: "" # core API group resources: ["configmaps", "secrets"] # Block for configmaps and secrets

  -level: Metadata # Block for everything else

  [master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml apiVersion: v1

  kind: Pod

  metadata:

  annotations:

  kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443 labels:

  component: kube-apiserver

  tier: control-plane name: kube-apiserver namespace: kube-system spec: containers:

  -command:

  -kube-apiserver - --advertise-address=10.0.0.5 - --allow-privileged=true - --authorization-mode=Node,RBAC - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this - --audit-log-path=/var/log/kubernetes/logs.txt #Add this - --audit-log-maxage=5 #Add this - --audit-log-maxbackup=10 #Add this

  output truncated

• Question 23:

  A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately.

  

  Fix all issues via configuration and restart the affected components to ensure the new settings take effect. Fix all of the following violations that were found against the API server:

  

  Fix all of the following violations that were found against the Kubelet: Fix all of the following violations that were found against etcd:

  

  

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

  

  

  

• Question 24:

  Service is running on port 389 inside the system, find the process-id of the process, and stores the names of all the open-files inside the /candidate/KH77539/files.txt, and also delete the binary.

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

  root# netstat -ltnup

  Active Internet connections (only servers)

  Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

  tcp 0 0 127.0.0.1:17600 0.0.0.0:* LISTEN 1293/dropbox

  tcp 0 0 127.0.0.1:17603 0.0.0.0:* LISTEN 1293/dropbox

  tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd

  tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN 900/perl

  tcp 0 0 :::80 :::* LISTEN 9583/docker-proxy

  tcp 0 0 :::443 :::* LISTEN 9571/docker-proxy

  udp 0 0 0.0.0.0:68 0.0.0.0:* 8822/dhcpcd

  root# netstat -ltnup | grep ':22'

  tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd

  The ss command is the replacement of the netstat command.

  Now let's see how to use the ss command to see which process is listening on port 22:

  root# ss -ltnup 'sport = :22'

  Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port

  tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:("sshd",pid=575,fd=3))

• Question 25:

  CORRECT TEXT

  

  A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster s configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.

  

  Given an incomplete configuration in directory /etc/kubernetes/epconfig and a functional container image scanner with HTTPS endpoint https://wakanda.local:8081 /image_policy:

  1.

  Enable the necessary plugins to create an image policy

  2.

  Validate the control configuration and change it to an implicit deny

  3.

  Edit the configuration to point to the provided HTTPS endpoint correctly

  Finally, test if the configuration is working by trying to deploy the vulnerable resource /root/KSSC00202/vulnerable-resource.yml.

  

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

• Question 26:

  

  

  

  Cluster: dev Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev Task:

  Retrieve the content of the existing secret named adam in the safe namespace.

  Store the username field in a file names /home/cert-masters/username.txt, and the password field in a file named /home/cert-masters/password.txt.

  1.

  You must create both files; they don't exist yet.

  2.

  Do not use/modify the created files in the following steps, create new temporary files if needed.

  Create a new secret names newsecret in the safe namespace, with the following content:

  Username: dbadmin Password: moresecurepas

  Finally, create a new Pod that has access to the secret newsecret via a volume:

  Namespace:safe Pod name:mysecret-pod Container name:db-container Image:redis Volume name:secret-vol Mount path:/etc/mysecret

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

• Question 27:

  

  

  

  Context:

  Cluster: gvisor

  Master node: master1

  Worker node: worker1

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context gvisor

  Context: This cluster has been prepared to support runtime handler, runsc as well as traditional one.

  Task:

  Create a RuntimeClass named not-trusted using the prepared runtime handler names runsc.

  Update all Pods in the namespace server to run on newruntime.

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  1.

  apiVersion: node.k8s.io/v1

  2.

  kind: RuntimeClass

  3.

  metadata:

  4.

  name: not-trusted

  5.

  handler: runsc [desk@cli] $ k apply -f runtime.yaml[desk@cli] $ k get pods

  1.

  NAME READY STATUS RESTARTS AGE

  2.

  nginx-6798fc88e8-chp6r 1/1 Running 0 11m

  3.

  nginx-6798fc88e8-fs53n 1/1 Running 0 11m

  4.

  nginx-6798fc88e8-ndved 1/1 Running 0 11m [desk@cli] $ k get deploy

  1.

  NAME READY UP-TO-DATE AVAILABLE AGE

  2.

  nginx 3/3 11 3 5m [desk@cli] $ k edit deploy nginx

  

  [desk@cli] $vim runtime.yaml

  

• Question 28:

  Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

  Fix all of the following violations that were found against the API server:

  1.

  Ensure the --authorization-mode argument includes RBAC

  2.

  Ensure the --authorization-mode argument includes Node

  3.

  Ensure that the --profiling argument is set to false

  Fix all of the following violations that were found against the Kubelet:

  1.

  Ensure the --anonymous-auth argument is set to false.

  2.

  Ensure that the --authorization-mode argument is set to Webhook. Fix all of the following violations that were found against the ETCD:

  Ensure that the --auto-tls argument is not set to true Hint: Take the use of Tool Kube-Bench

  A. See the below.

  B. PlaceHolder

  Correct Answer: A

  API server:

  Ensure the --authorization-mode argument includes RBAC

  Turn on Role Based Access Control.Role Based Access Control (RBAC) allows fine- grained control over the operations that different entities can perform on different objects in the cluster. It is recommended to use the RBAC authorization

  mode.

  Fix - BuildtimeKubernetesapiVersion: v1

  kind: Pod

  metadata:

  creationTimestamp: null

  labels:

  component: kube-apiserver

  tier: control-plane

  name: kube-apiserver

  namespace: kube-system

  spec:

  containers:

  -command: + - kube-apiserver + - --authorization-mode=RBAC,Node image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 livenessProbe: failureThreshold: 8 httpGet: host: 127.0.0.1 path: /healthz port: 6443 scheme: HTTPS initialDelaySeconds: 15 timeoutSeconds: 15 name: kube-apiserver-should-pass resources: requests: cpu: 250m volumeMounts:

  -

  mountPath: /etc/kubernetes/ name: k8s readOnly: true

  -

  mountPath: /etc/ssl/certs name: certs

  -

  mountPath: /etc/pki name: pki hostNetwork: true volumes:

  -

  hostPath: path: /etc/kubernetes name: k8s

  -

  hostPath: path: /etc/ssl/certs name: certs

  -

  hostPath: path: /etc/pki name: pki

  Ensure the --authorization-mode argument includes Node

  Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube- apiserver.yaml on the master node and set the --authorization-mode parameter to a value that includes Node.

  --authorization-mode=Node,RBAC

  Audit:

  /bin/ps -ef | grep kube-apiserver | grep -v grep

  Expected result:

  'Node,RBAC' has 'Node'

  Ensure that the --profiling argument is set to false

  Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.

  --profiling=false

  Audit:

  /bin/ps -ef | grep kube-apiserver | grep -v grep

  Expected result:

  'false' is equal to 'false'

  Fix all of the following violations that were found against the Kubelet:

  uk.co.certification.simulator.questionpool.PList@e3e35a0

  Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous:

  enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.

  --anonymous-auth=false

  Based on your system, restart the kubelet service. For example:

  systemctl daemon-reload

  systemctl restart kubelet.service

  Audit:

  /bin/ps -fC kubelet

  Audit Config:

  /bin/cat /var/lib/kubelet/config.yaml

  Expected result:

  'false' is equal to 'false'

  2) Ensure that the --authorization-mode argument is set to Webhook.

  Audit

  docker inspect kubelet | jq -e '.[0].Args[] | match("--authorization- mode=Webhook").string'

  Returned Value: --authorization-mode=Webhook

  Fix all of the following violations that were found against the ETCD:

  a. Ensure that the --auto-tls argument is not set to true

  Do not use self-signed certificates for TLS. etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.

  Fix - BuildtimeKubernetesapiVersion: v1 kind: Pod metadata: annotations: scheduler.alpha.kubernetes.io/critical-pod: "" creationTimestamp: null labels: component: etcd tier: control-plane name: etcd namespace: kube-system spec: containers:

  -command:

  + - etcd

  + - --auto-tls=true

  image: k8s.gcr.io/etcd-amd64:3.2.18

  imagePullPolicy: IfNotPresent

  livenessProbe:

  exec:

  command:

  -/bin/sh

  - -ec

  -ETCDCTL_API=3 etcdctl --endpoints=https://[192.168.22.9]:2379 -- cacert=/etc/kubernetes/pki/etcd/ca.crt

  --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt -- key=/etc/kubernetes/pki/etcd/healthcheck-client.key get foo

  failureThreshold: 8

  initialDelaySeconds: 15

  timeoutSeconds: 15

  name: etcd-should-fail

  resources: {}

  volumeMounts:

  -

  mountPath: /var/lib/etcd

  name: etcd-data

  -

  mountPath: /etc/kubernetes/pki/etcd

  name: etcd-certs

  hostNetwork: true

  priorityClassName: system-cluster-critical

  volumes:

  -

  hostPath:

  path: /var/lib/etcd

  type: DirectoryOrCreate

  name: etcd-data

  -

  hostPath:

  path: /etc/kubernetes/pki/etcd

  type: DirectoryOrCreate

  name: etcd-certs

  status: {}

  

  

• Question 29:

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context qa

  Context:

  A pod fails to run because of an incorrectly specified ServiceAccount

  Task:

  Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret.

  Edit the frontend pod yaml to use backend-qa service account

  Note: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  [desk@cli] $ k create sa backend-qa -n qasa/backend-qa created [desk@cli] $ k get role,rolebinding -n qaNo resources found in qa namespace. [desk@cli] $ k create role backend -n qa --resource pods,namespaces,configmaps --verb list# No access to secret [desk@cli] $ k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa [desk@cli] $ vim /home/ cert_masters/frontend-pod.yaml uk.co.certification.simulator.questionpool.PList@120e0660 [desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yamlpod created [desk@cli] $ k create sa backend-qa -n qaserviceaccount/backend-qa created [desk@cli] $ k get role,rolebinding -n qaNo resources found in qa namespace. [desk@cli] $ k create role backend -n qa --resource pods,namespaces,configmaps --verb listrole.rbac.authorization.k8s.io/backend created [desk@cli] $ k create rolebinding backend -n qa --role backend --serviceaccount qa:backendqarolebinding.rbac.authorization.k8s.io/backend created [desk@cli] $ vim /home/cert_masters/frontend-pod.yaml apiVersion: v1 kind: Pod metadata: name: frontend spec: serviceAccountName: backend-qa # Add this image: nginx name: frontend [desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yamlpod/frontend createdhttps://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

• Question 30:

  CORRECT TEXT Your organization's security policy includes:

  

  1.

  ServiceAccounts must not automount API credentials

  2.

  ServiceAccount names must end in "-sa"

  The Pod specified in the manifest file /home/candidate/KSCH00301 /pod-m

  nifest.yaml fails to schedule because of an incorrectly specified ServiceAccount.

  Complete the following tasks:

  Task

  1.

  Create a new ServiceAccount named frontend-sa in the existing namespace qa. Ensure the ServiceAccount does not automount API credentials.

  2.

  Using the manifest file at /home/candidate/KSCH00301 /pod-manifest.yaml, create the Pod.

  3.

  Finally, clean up any unused ServiceAccounts in namespace qa.

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A