Linux Foundation Kubernetes System Administration CKS Questions & Answers

• Question 41:

  CORRECT TEXT

  

  Context

  This cluster uses containerd as CRI runtime.

  Containerd's default runtime handler is runc. Containerd has been prepared to support an additional runtime handler, runsc (gVisor).

  Task

  Create a RuntimeClass named sandboxed using the prepared runtime handler named runsc.

  Update all Pods in the namespace server to run on gVisor.

  

  A. See the explanation below

  B. PlaceHolder

  Correct Answer: A

  

  

  

  

• Question 42:

  CORRECT TEXT Context

  

  A default-deny NetworkPolicy avoids to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

  Task

  Create a new default-deny NetworkPolicy named defaultdeny in the namespace testing for all traffic of type Egress.

  The new NetworkPolicy must deny all Egress traffic in the namespace testing.

  Apply the newly created default-deny NetworkPolicy to all Pods running in namespace testing.

  

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

• Question 43:

  

  Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.

  Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

  A. See the explanation below:

  B. PlaceHolder

  Correct Answer: A

  Install the Runtime Class for gVisor

  { # Step 1: Install a RuntimeClass cat <

  Create a Pod with the gVisor Runtime Class

  { # Step 2: Create a pod cat <

  -name: nginx image: nginx EOF }

  Verify that the Pod is running

  { # Step 3: Get the pod kubectl get pod nginx-gvisor -o wide }

• Question 44:

  CORRECT TEXT

  Task

  

  Create a NetworkPolicy named pod-access to restrict access to Pod users-service running in namespace dev-team. Only allow the following Pods to connect to Pod users-service:

  1.

  Pods in the namespace qa

  2.

  Pods with label environment: testing, in any namespace

  

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

• Question 45:

  

  Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that

  1.

  logs are stored at /var/log/kubernetes-logs.txt.

  2.

  Log files are retained for 12 days.

  3.

  at maximum, a number of 8 old audit logs files are retained.

  4.

  set the maximum size before getting rotated to 200MB

  Edit and extend the basic policy to log:

  1.

  namespaces changes at RequestResponse

  2.

  Log the request body of secrets changes in the namespace kube-system.

  3.

  Log all other resources in core and extensions at the Request level.

  4.

  Log "pods/portforward", "services/proxy" at Metadata level.

  5.

  Omit the Stage RequestReceived

  All other requests at the Metadata level

  A. See the explanation below:

  B. PlaceHolder

  Correct Answer: A

  Kubernetes auditing provides a security-relevant chronological set of records about a cluster. Kube-apiserver performs auditing. Each request on each stage of its execution generates an event, which is then pre-processed according to a

  certain policy and written to a backend. The policy determines what's recorded and the backends persist the records. You might want to configure the audit log as part of compliance with the CIS (Center for Internet Security) Kubernetes

  Benchmark controls.

  The audit log can be enabled by default using the following configuration in cluster.yml:

  services:

  kube-api:

  audit_log:

  enabled: true

  When the audit log is enabled, you should be able to see the default values at /etc/kubernetes/audit-policy.yaml

  The log backend writes audit events to a file in JSONlines format. You can configure the log audit backend using the following kube-apiserver flags:

  --audit-log-path specifies the log file path that log backend uses to write audit events. Not specifying this flag disables log backend. - means standard out --audit-log-maxage defined the maximum number of days to retain old audit log files

  --audit-log-maxbackup defines the maximum number of audit log files to retain

  --audit-log-maxsize defines the maximum size in megabytes of the audit log file before it gets rotated

  If your cluster's control plane runs the kube-apiserver as a Pod, remember to mount the hostPath to the location of the policy file and log file, so that audit records are persisted.

  For example:

  --audit-policy-file=/etc/kubernetes/audit-policy.yaml \

  --audit-log-path=/var/log/audit.log

• Question 46:

  A container image scanner is set up on the cluster.

  Given an incomplete configuration in the directory

  /etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy

  1.

  Enable the admission plugin.

  2.

  Validate the control configuration and change it to implicit deny.

  Finally, test the configuration by deploying the pod having the image tag as latest.

  A. See explanation below.

  B. PlaceHolder

  Correct Answer: A

  ssh-add ~/.ssh/tempprivate eval "$(ssh-agent -s)" cd contrib/terraform/aws vi terraform.tfvars terraform init terraform apply -var-file=credentials.tfvars ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_ssh_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache -e ansible_user=core