Linux Foundation Kubernetes System Administration CKS Questions & Answers

• Question 31:

  

  

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context stage

  Context:

  A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.

  Task:

  1.

  Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods.

  2.

  Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy.

  3.

  Create a new ServiceAccount named psd-denial-sa in the existing namespace development.

  Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  Create psp to disallow privileged container uk.co.certification.simulator.questionpool.PList@11600d40 k create sa psp-denial-sa -n development uk.co.certification.simulator.questionpool.PList@11601040 namespace: development Explanationmaster1 $ vim psp.yaml apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: deny-policy spec: privileged: false # Don't allow privileged pods! seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes:

  -'*'

  master1 $ vim cr1.yaml

  apiVersion: rbac.authorization.k8s.io/v1

  kind: ClusterRole

  metadata:

  name: deny-access-role

  rules:

  -apiGroups: ['policy']

  resources: ['podsecuritypolicies']

  verbs: ['use']

  resourceNames:

  -"deny-policy"

  master1 $ k create sa psp-denial-sa -n developmentmaster1 $ vim cb1.yaml apiVersion: rbac.authorization.k8s.io/v1

  kind: ClusterRoleBinding

  metadata:

  name: restrict-access-bing

  roleRef:

  kind: ClusterRole

  name: deny-access-role

  apiGroup: rbac.authorization.k8s.io

  subjects:

  # Authorize specific service accounts:

  -kind: ServiceAccount

  name: psp-denial-sa

  namespace: development

• Question 32:

  Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that

  1.

  logs are stored at /var/log/kubernetes/kubernetes-logs.txt.

  2.

  Log files are retained for 5 days.

  3.

  at maximum, a number of 10 old audit logs files are retained. Edit and extend the basic policy to log:

  1.

  Cronjobs changes at RequestResponse

  2.

  Log the request body of deployments changes in the namespace kube-system.

  3.

  Log all other resources in core and extensions at the Request level.

  4.

  Don't log watch requests by the "system:kube-proxy" on endpoints or

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

• Question 33:

  

  

  

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context dev

  Context:

  A CIS Benchmark tool was run against the kubeadm created cluster and found multiple issues that must be addressed.

  Task:

  Fix all issues via configuration and restart the affected components to ensure the new settings take effect.

  Fix all of the following violations that were found against the API server:

  1.2.7 authorization-mode argument is not set to AlwaysAllow FAIL

  1.2.8 authorization-mode argument includes Node FAIL

  1.2.7 authorization-mode argument includes RBAC FAIL

  Fix all of the following violations that were found against the Kubelet:

  4.2.1 Ensure that the anonymous-auth argument is set to false FAIL

  4.2.2 authorization-mode argument is not set to AlwaysAllow FAIL (Use Webhook autumn/authz where possible)

  Fix all of the following violations that were found against etcd:

  2.2 Ensure that the client-cert-auth argument is set to true

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  worker1 $ vim /var/lib/kubelet/config.yaml uk.co.certification.simulator.questionpool.PList@132b77a0 worker1 $ systemctl restart kubelet. # To reload kubelet configssh to master1master1 $ vim /etc/kubernetes/manifests/kube-apiserver.yaml- -- authorizationmode=Node,RBACmaster1 $ vim /etc/kubernetes/manifests/etcd.yaml- --client-cert- auth=true

  Explanationssh to worker1worker1 $ vim /var/lib/kubelet/config.yaml apiVersion: kubelet.config.k8s.io/v1beta1 authentication: anonymous: enabled: true #Delete this enabled: false #Replace by this webhook: cacheTTL: 0s enabled: true x509: clientCAFile: /etc/kubernetes/pki/ca.crt authorization: mode: AlwaysAllow #Delete this mode: Webhook #Replace by this webhook: cacheAuthorizedTTL: 0s cacheUnauthorizedTTL: 0s cgroupDriver: systemd clusterDNS:

  -10.96.0.10 clusterDomain: cluster.local cpuManagerReconcilePeriod: 0s evictionPressureTransitionPeriod: 0s fileCheckFrequency: 0s healthzBindAddress: 127.0.0.1 healthzPort: 10248 httpCheckFrequency: 0s imageMinimumGCAge: 0s kind: KubeletConfiguration logging: {} nodeStatusReportFrequency: 0s nodeStatusUpdateFrequency: 0s resolvConf: /run/systemd/resolve/resolv.conf rotateCertificates: true runtimeRequestTimeout: 0s staticPodPath: /etc/kubernetes/manifests streamingConnectionIdleTimeout: 0s syncFrequency: 0s volumeStatsAggPeriod: 0s worker1 $ systemctl restart kubelet. # To reload kubelet configssh to master1master1 $ vim /etc/kubernetes/manifests/kube-apiserver.yaml

  

  master1 $ vim /etc/kubernetes/manifests/etcd.yaml

• Question 34:

  A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

  

  Task

  Given an existing Pod named web-pod running in the namespace security.

  Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.

  Create a new Role named role-2 in the namespace security, which only allows performing update

  operations, only on resources of type namespaces.

  Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.

  

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  

  

• Question 35:

  Analyze and edit the given Dockerfile

  1.

  FROM ubuntu:latest

  2.

  RUN apt-get update -y

  3.

  RUN apt-install nginx -y

  4.

  COPY entrypoint.sh /

  5.

  ENTRYPOINT ["/entrypoint.sh"]

  6.

  USER ROOT

  Fixing two instructions present in the file being prominent security best practice issues

  Analyze and edit the deployment manifest file

  1.

  apiVersion: v1

  2.

  kind: Pod

  3.

  metadata:

  4.

  name: security-context-demo-2

  5.

  spec:

  6.

  securityContext:

  7.

  runAsUser: 1000

  8.

  containers:

  9.

  - name: sec-ctx-demo-2 10.image: gcr.io/google-samples/node-hello:1.0 11.securityContext: 12.runAsUser: 0 13.privileged: True 14.allowPrivilegeEscalation: false

  Fixing two fields present in the file being prominent security best practice issues

  Don't add or remove configuration settings; only modify the existing configuration settings

  Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487

  A. See the explanation below:

  B. PlaceHolder

  Correct Answer: A

  FROM debian:latest MAINTAINER [email protected]

  # 1 - RUN RUN apt-get update andand DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop RUN apt-get clean

  # 2 - CMD #CMD ["htop"] #CMD ["ls", "-l"]

  # 3 - WORKDIR and ENV WORKDIR /root ENV DZ version1 $ docker image build -t bogodevops/demo . Sending build context to Docker daemon 3.072kB

  Step 1/7 : FROM debian:latest ---> be2868bebaba

  Step 2/7 : MAINTAINER [email protected] ---> Using cache ---> e2eef476b3fd

  Step 3/7 : RUN apt-get update andand DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils ---> Using cache ---> 32fd044c1356

  Step 4/7 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop ---> Using cache ---> 0a5b514a209e

  Step 5/7 : RUN apt-get clean ---> Using cache ---> 5d1578a47c17

  Step 6/7 : WORKDIR /root ---> Using cache ---> 6b1c70e87675

  Step 7/7 : ENV DZ version1 ---> Using cache ---> cd195168c5c7 Successfully built cd195168c5c7 Successfully tagged bogodevops/demo:latest

• Question 36:

  CORRECT TEXT

  

  Two tools are pre-installed on the cluster's worker node:

  1.

  sysdig

  2.

  falco

  Using the tool of your choice (including any non pre-installed tool), analyze the container's behavior for at least 30 seconds, using filters that detect newly spawning and executing processes. Store an incident file at /opt/KSRS00101/alerts/

  details, containing the detected incidents, one per line, in the following format:

  

  The following example shows a properly formatted incident file:

  

  A. See the explanation below:

  B. PlaceHolder

  Correct Answer: A

  

  

  Text

  

  Text

  

• Question 37:

  Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

  kubesec-test.yaml

  1.

  apiVersion: v1

  2.

  kind: Pod

  3.

  metadata:

  4.

  name: kubesec-demo

  5.

  spec:

  6.

  containers:

  7.

  - name: kubesec-demo

  8.

  image: gcr.io/google-samples/node-hello:1.0

  9.

  securityContext: 10.readOnlyRootFilesystem: true

  Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

  kubesec scan k8s-deployment.yaml cat < kubesec-test.yaml apiVersion: v1 kind: Pod metadata: name: kubesec-demo spec: containers:

  -name: kubesec-demo image: gcr.io/google-samples/node-hello:1.0 securityContext: readOnlyRootFilesystem: true EOF kubesec scan kubesec-test.yaml

  docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

  kubesec http 8080 and

  [1] 12345 {"severity":"info","timestamp":"2019-0512T11:58:34.662+0100","caller":"server/server.go:69","message":"Starting HTTP server on port 8080"}

  curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan

  [

  {

  "object": "Pod/security-context-demo.default",

  "valid": true,

  "message": "Failed with a score of -30 points",

  "score": -30,

  "scoring": {

  "critical": [

  {

  "selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN", "reason": "CAP_SYS_ADMIN is the most privileged capability and should always be avoided" },

  {

  "selector": "containers[] .securityContext .runAsNonRoot == true", "reason": "Force the running image to run as a non-root user to ensure least privilege" }, // ...

• Question 38:

  Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.

  Create a Role name john-role to list secrets, pods in namespace john

  Finally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.

  To Verify: Use the kubectl auth CLI command to verify the permissions.

  A. See the below.

  B. PlaceHolder

  Correct Answer: A

  se kubectl to create a CSR and approve it.

  Get the list of CSRs:

  kubectl get csr

  Approve the CSR:

  kubectl certificate approve myuser

  Get the certificateRetrieve the certificate from the CSR:

  kubectl get csr/myuser -o yaml

  here are the role and role-binding to give john permission to create NEW_CRD resource:

  kubectl apply -f roleBindingJohn.yaml --as=john

  rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created

  kind: RoleBinding

  apiVersion: rbac.authorization.k8s.io/v1

  metadata:

  name: john_crd

  namespace: development-john

  subjects:

  -kind: User name: john apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: crd-creation

  kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: crd-creation rules:

  -apiGroups: ["kubernetes-client.io/v1"] resources: ["NEW_CRD"] verbs: ["create, list, get"]

• Question 39:

  You must complete this task on the following cluster/nodes:

  Cluster: trace Master node: master Worker node: worker1

  You can switch the cluster/configuration context using the following command:

  [desk@cli] $ kubectl config use-context trace

  Given: You may use Sysdig or Falco documentation.

  Task:

  Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Pod tomcat.

  Two tools are available to use:

  1.

  falco

  2.

  sysdig

  Tools are pre-installed on the worker1 node only.

  Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.

  Store an incident file at /home/cert_masters/report, in the following format:

  [timestamp],[uid],[processName]

  Note: Make sure to store incident file on the cluster's worker node, don't move it to master node.

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  $vim /etc/falco/falco_rules.local.yaml uk.co.certification.simulator.questionpool.PList@120e24d0 $kill -1 Explanation[desk@cli] $ ssh node01[node01@cli] $ vim /etc/falco/falco_rules.yamlsearch for Container Drift Detected and paste in falco_rules.local.yaml[node01@cli] $ vim /etc/falco/falco_rules.local.yaml

  -rule: Container Drift Detected (open+create) desc: New executable created in a container due to open+create condition: > evt.type in (open,openat,creat) and evt.is_open_exec=true and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities and evt.rawres>=0 output: > %evt.time,%user.uid,%proc.name # Add this/Refer falco documentation priority: ERROR [node01@cli] $ vim /etc/falco/falco.yaml

• Question 40:

  Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.

  Create a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.

  A. See the explanation below:

  B. PlaceHolder

  Correct Answer: A