Feb 25, 2023 Reliable Study Materials for CKS Exam Success For Sure [Q23-Q40]
Source: Latest Exam Prep (http://certify.vceprep.com), exported Sat Sep 21 11:46:50 2024 +0000
100% Latest Most updated CKS Questions and Answers

NO.23 Context: Cluster: gvisor; Master node: master1; Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context gvisor
Context: This cluster has been prepared to support the runtime handler runsc as well as the traditional one.
Task: Create a RuntimeClass named not-trusted using the prepared runtime handler named runsc. Update all Pods in the namespace server to run on the new runtime.

Explanation
[desk@cli] $ vim runtime.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: not-trusted
handler: runsc
[desk@cli] $ k apply -f runtime.yaml
[desk@cli] $ k get pods -n server
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6798fc88e8-chp6r   1/1     Running   0          11m
nginx-6798fc88e8-fs53n   1/1     Running   0          11m
nginx-6798fc88e8-ndved   1/1     Running   0          11m
[desk@cli] $ k get deploy -n server
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   3/3     3            3           11m
[desk@cli] $ k edit deploy nginx -n server
In the editor, add runtimeClassName: not-trusted under spec.template.spec (at the same level as containers:). Saving the Deployment starts a rolling update and the replacement Pods are created with the new handler. A RuntimeClass is cluster-scoped, and the handler name must match a handler configured in the node's CRI runtime (for containerd, a runsc entry under the runtimes section of its config); if it does not, the new Pods stay Pending. To check the result, confirm that spec.runtimeClassName of a new Pod is not-trusted and that dmesg run inside a container shows gVisor's own kernel messages instead of the host's.

NO.24 You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context stage
Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task:
1. Create a new PodSecurityPolicy named deny-policy, which prevents the creation of privileged Pods.
2. Create a new ClusterRole named deny-access-role, which uses the newly created PodSecurityPolicy deny-policy.
3. Create a new ServiceAccount named psp-denial-sa in the existing namespace development.
4. Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa.

Explanation
Create the PSP that disallows privileged containers:
master1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: deny-policy
spec:
  privileged: false   # Don't allow privileged pods!
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deny-access-role
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - "deny-policy"
master1 $ k create sa psp-denial-sa -n development
master1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restrict-access-bind
roleRef:
  kind: ClusterRole
  name: deny-access-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  # Authorize specific service accounts:
  - kind: ServiceAccount
    name: psp-denial-sa
    namespace: development
master1 $ k apply -f psp.yaml
master1 $ k apply -f cr1.yaml
master1 $ k apply -f cb1.yaml
Caveat: a PodSecurityPolicy is only enforced when the PodSecurityPolicy admission plugin is enabled on the kube-apiserver; the binding above makes Pods created for psp-denial-sa subject to deny-policy. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on a current cluster the policy/v1beta1 API no longer exists and the equivalent control is Pod Security Admission, driven by the pod-security.kubernetes.io/enforce label on the namespace.
Reference: https://kubernetes.io/docs/concepts/policy/pod-security-policy/

NO.25 SIMULATION
Given an existing Pod named test-web-pod running in the namespace test-system. Edit the existing Role bound to the Pod's ServiceAccount named sa-backend to only allow performing get operations on endpoints. Create a new Role named test-system-role-2 in
the namespace test-system, which can perform patch operations on resources of type statefulsets. Create a new RoleBinding named test-system-role-2-binding binding the newly created Role to the Pod's ServiceAccount sa-backend.
Note: statefulsets belong to the apps API group, so the new Role needs apiGroups: ["apps"]; endpoints are in the core group (apiGroups: [""]). Find the Role to edit by reading the Pod's spec.serviceAccountName and then the RoleBindings in test-system whose subjects include that ServiceAccount.

NO.26 On the cluster worker node, enforce the prepared AppArmor profile:
#include <tunables/global>
profile nginx-deny flags=(attach_disconnected) {
  #include <abstractions/base>
  file,
  # Deny all file writes.
  deny /** w,
}
Edit the prepared manifest file to include the AppArmor profile.
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
spec:
  containers:
    - name: apparmor-pod
      image: nginx
Finally, apply the manifest file and create the Pod specified in it.
Verify: try to create a file inside a directory the profile restricts.
Note: load the profile on the worker node with apparmor_parser before creating the Pod (the kubelet rejects a Pod whose profile is not loaded on the node), and attach it to the container with the annotation container.apparmor.security.beta.kubernetes.io/apparmor-pod: localhost/nginx-deny; on Kubernetes 1.30 and later the container's securityContext.appArmorProfile with type: Localhost and localhostProfile: nginx-deny does the same.

NO.27 Create a RuntimeClass named untrusted using the prepared runtime handler named runsc. Create a Pod of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.

NO.28 You must complete this task on the following cluster/nodes: Cluster: immutable-cluster; Master node: master1; Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context immutable-cluster
Context: It is best practice to design containers to be stateless and immutable.
Task: Inspect Pods running in namespace prod and delete any Pod that is either not stateless or not immutable.
Use the following strict interpretation of stateless and immutable:
1. Pods being able to store data inside containers must be treated as not stateless. Note: You don't have to worry whether data is actually stored inside containers or not already.
2. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.
Explanation
[desk@cli] $ k get pods -n prod
[desk@cli] $ k get pod <pod-name> -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
Delete the Pods that have either of these two properties: privileged: true, or readOnlyRootFilesystem false or missing (a container that can write to its own root filesystem can store data inside the container, so by the strict interpretation it is not stateless). grep is case-sensitive and the field is spelled readOnlyRootFilesystem; a Pod that does not set the field at all produces no match and is still writable, so "no match" on that field is a failure, not a pass.
[desk@cli] $ k get pods -n prod
NAME    READY   STATUS    RESTARTS   AGE
cms     1/1     Running   0          68m
db      1/1     Running   0          4m
nginx   1/1     Running   0          23m
[desk@cli] $ k get pod nginx -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
    {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"creationTimestamp":null,"labels":{"run":"nginx"},"name":"nginx","namespace":"prod"},"spec":{"containers":[{"image":"nginx","name":"nginx","resources":{},"securityContext":{"privileged":true}}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always"},"status":{}}
          f:privileged: {}
      privileged: true
[desk@cli] $ k delete pod nginx -n prod
[desk@cli] $ k get pod db -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
[desk@cli] $ k delete pod cms -n prod
Reference: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ https://cloud.google.com/architecture/best-practices-for-operating-containers

NO.29 SIMULATION
Using the runtime detection tool Falco, analyse the container behaviour for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx. Store the incident file at /opt/falco-incident.txt, containing the detected incidents, one per line, in the format [timestamp],[uid],[processName].
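Grepping one Pod at a time, as the NO.28 transcript does, is easy to get wrong (a missing readOnlyRootFilesystem field matches nothing). The script below is an added example, not from the original page: it reads the JSON that kubectl get pods -n prod -o json prints and reports every Pod that fails the strict interpretation, with the reason. It goes slightly beyond the page's two greps by also treating host namespaces and added capabilities as "privileged in any way". The Pod list embedded here is constructed sample data in that JSON shape, not real cluster output; in practice pipe kubectl's output into pods_to_delete.

```python
"""Audit Pods in a namespace for the strict stateless/immutable rules of NO.28.

Added example, not part of the original page. Input is the JSON printed by
`kubectl get pods -n prod -o json`; a constructed sample is embedded so the
script runs offline.
"""
import json

# Constructed sample in the shape of `kubectl get pods -n prod -o json`
# (only the fields the checks look at; real output carries many more).
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "nginx", "namespace": "prod"},
         "spec": {"containers": [
             {"name": "nginx", "image": "nginx",
              "securityContext": {"privileged": True}}]}},
        {"metadata": {"name": "db", "namespace": "prod"},
         "spec": {"containers": [
             {"name": "db", "image": "postgres",
              "securityContext": {"readOnlyRootFilesystem": True}}]}},
        {"metadata": {"name": "cms", "namespace": "prod"},
         "spec": {"containers": [
             {"name": "cms", "image": "wordpress"}]}},  # no securityContext: writable rootfs
        {"metadata": {"name": "netshoot", "namespace": "prod"},
         "spec": {"hostNetwork": True, "containers": [
             {"name": "netshoot", "image": "nicolaka/netshoot",
              "securityContext": {"readOnlyRootFilesystem": True,
                                  "capabilities": {"add": ["NET_ADMIN"]}}}]}},
    ],
})


def pod_violations(pod: dict) -> list[str]:
    """Return the reasons a Pod fails the strict interpretation (empty list = keep it)."""
    reasons = []
    spec = pod.get("spec", {})
    # Sharing a host namespace is "privileged in any way" even without privileged: true.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            reasons.append(f"{flag}=true (privileged)")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            reasons.append(f"{c['name']}: privileged=true")
        if sc.get("capabilities", {}).get("add"):
            reasons.append(f"{c['name']}: adds capabilities {sc['capabilities']['add']}")
        # An unset field behaves like false: the container's root filesystem is writable.
        if sc.get("readOnlyRootFilesystem") is not True:
            reasons.append(f"{c['name']}: readOnlyRootFilesystem is not true (can store data)")
    return reasons


def pods_to_delete(pod_list_json: str) -> dict[str, list[str]]:
    """Map each non-compliant Pod name to its list of violations."""
    result = {}
    for pod in json.loads(pod_list_json)["items"]:
        reasons = pod_violations(pod)
        if reasons:
            result[pod["metadata"]["name"]] = reasons
    return result


if __name__ == "__main__":
    # Prints the delete commands to run; nothing is deleted by this script itself.
    for name, reasons in pods_to_delete(SAMPLE_POD_LIST).items():
        print(f"kubectl delete pod {name} -n prod   # " + "; ".join(reasons))
```

On the sample data nginx (privileged), cms (writable root filesystem) and netshoot (host network plus NET_ADMIN) are reported and db is kept. Review the reasons before deleting: the task's wording decides whether an added capability alone is enough, and the script deliberately prints commands instead of running them.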
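NO.29 gives the task but no answer. Falco emits one JSON object per event when started with -o json_output=true (and it can be limited to a fixed capture time with its -M option, if your version provides it), so the practical part of the task is turning those events into [timestamp],[uid],[processName] lines. The script below is an added example, not from the original page. The events it parses are constructed, not captured output; they follow the JSON shape Falco prints for a rule whose output string uses the fields evt.time, user.uid, proc.name, container.name and container.image.repository (the keys under output_fields always mirror the fields named in the rule's output, so adjust them to your rule). The rule shown in the docstring is an assumption written for this example.

```python
"""Convert Falco JSON events into the NO.29 incident file format.

Added example, not from the original page. A rule that would produce events
like the constructed ones below (assumed, not from the page):

  - rule: Process spawned in nginx container
    desc: any new process executed inside an nginx container
    condition: spawned_process and container and container.image.repository = "nginx"
    output: >
      %evt.time,%user.uid,%proc.name (container=%container.name
      image=%container.image.repository)
    priority: NOTICE
"""
import json

# Constructed Falco JSON output (one event per line), not real captured output.
# The last line imitates a non-JSON banner that can end up in the same stream.
FALCO_JSON_LINES = '''\
{"hostname":"worker1","output":"15:04:05.123456789,0,sh (container=nginx image=nginx)","priority":"Notice","rule":"Process spawned in nginx container","source":"syscall","time":"2023-02-25T15:04:05.123456789Z","output_fields":{"container.image.repository":"nginx","container.name":"nginx","evt.time":"15:04:05.123456789","proc.name":"sh","user.uid":0}}
{"hostname":"worker1","output":"15:04:06.000000001,101,curl (container=nginx image=nginx)","priority":"Notice","rule":"Process spawned in nginx container","source":"syscall","time":"2023-02-25T15:04:06.000000001Z","output_fields":{"container.image.repository":"nginx","container.name":"nginx","evt.time":"15:04:06.000000001","proc.name":"curl","user.uid":101}}
{"hostname":"worker1","output":"15:04:07.5,0,bash (container=busybox image=busybox)","priority":"Notice","rule":"Run shell untrusted","source":"syscall","time":"2023-02-25T15:04:07.500000000Z","output_fields":{"container.image.repository":"busybox","container.name":"busybox","evt.time":"15:04:07.5","proc.name":"bash","user.uid":0}}
Falco version: 0.34.1 (x86_64)
'''


def parse_events(text: str):
    """Yield parsed Falco events, skipping any non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def incidents(text: str, rule: str, container_name: str) -> list[str]:
    """Build "[timestamp],[uid],[processName]" lines for one rule and one container.

    The event's own "time" field is used as the timestamp; output_fields["evt.time"]
    would work just as well if a time-of-day string is preferred.
    """
    lines = []
    for ev in parse_events(text):
        f = ev.get("output_fields", {})
        if ev.get("rule") != rule or f.get("container.name") != container_name:
            continue
        lines.append(f"{ev['time']},{f['user.uid']},{f['proc.name']}")
    return lines


def write_incident_file(path: str, text: str, rule: str, container_name: str) -> int:
    """Write the incident file and return the number of incidents written."""
    lines = incidents(text, rule, container_name)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + ("\n" if lines else ""))
    return len(lines)


if __name__ == "__main__":
    # The task wants /opt/falco-incident.txt; /tmp is used here so the example
    # runs without root. Feed real output with: falco -o json_output=true > events.json
    n = write_incident_file("/tmp/falco-incident.txt", FALCO_JSON_LINES,
                            "Process spawned in nginx container", "nginx")
    print(f"wrote {n} incidents")
```

Filtering on both the rule name and the container name keeps the shell spawned in the unrelated busybox container out of the file, which is the "single container of Nginx" requirement. Falco rules carry a container.name field only when the rule's output references it, so check the output_fields of a real event once before relying on it.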
NO.30 Context: Cluster: prod; Master node: master1; Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context prod
Task: Analyse and edit the given Dockerfile (based on the ubuntu:18.04 image) /home/cert_masters/Dockerfile, fixing two instructions present in the file that are prominent security/best-practice issues. Analyse and edit the given manifest file /home/cert_masters/mydeployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues.
Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns. Should you need an unprivileged user for any of the tasks, use user nobody with user id 65535.
1. For the Dockerfile: fix the base image tag and the user the final process runs as.
2. For mydeployment.yaml: fix the security context.

Explanation
[desk@cli] $ vim /home/cert_masters/Dockerfile
FROM ubuntu:latest   # Remove this: an unpinned tag is not reproducible and the task says the image is ubuntu:18.04
FROM ubuntu:18.04    # Add this
USER root            # Keep this one: the apt-get install below needs root
RUN apt-get install -y lsof=4.72 wget=1.17.1 nginx=4.2
ENV ENVIRONMENT=testing
USER root            # Remove this: nginx would run as root in the container
USER nobody          # Add this (nobody has uid 65535 in this task)
CMD ["nginx -d"]
The two instructions to change are the FROM line and the last USER line. The first USER root has to stay, otherwise the package installation fails; dropping privileges only matters for the user the final CMD runs as.
[desk@cli] $ vim /home/cert_masters/mydeployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: kafka
  name: kafka
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kafka
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: kafka
    spec:
      containers:
        - image: bitnami/kafka
          name: kafka
          volumeMounts:
            - name: kafka-vol
              mountPath: /var/lib/kafka
          # Delete this:
          securityContext: {"capabilities": {"add": ["NET_ADMIN"], "drop": ["all"]}, "privileged": true, "readOnlyRootFilesystem": false, "runAsUser": 65535}
          # Add this:
          securityContext: {"capabilities": {"add": ["NET_ADMIN"], "drop": ["all"]}, "privileged": false, "readOnlyRootFilesystem": true, "runAsUser": 65535}
          resources: {}
      volumes:
        - name: kafka-vol
          emptyDir: {}
status: {}
The two fields to change are privileged (true to false) and readOnlyRootFilesystem (false to true). The Kafka data directory stays writable through the emptyDir mounted at /var/lib/kafka, so a read-only root filesystem does not break the process; runAsUser: 65535 is already the unprivileged user and is left alone.
NO.31 SIMULATION
A service is running on port 389 inside the system. Find the process ID of that process, store the names of all the files it has open in /candidate/KH77539/files.txt, and delete its binary.
Hint: ss -lntp (or netstat -lntp) shows the PID listening on port 389, lsof -p <pid> lists the open files, and ls -l /proc/<pid>/exe points at the binary to delete.

NO.32 Analyze and edit the given Dockerfile:
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get install nginx -y
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER ROOT
fixing two instructions present in the file that are prominent security best-practice issues.
Analyze and edit the deployment manifest file:
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
    - name: sec-ctx-demo-2
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        runAsUser: 0
        privileged: true
        allowPrivilegeEscalation: false
fixing two fields present in the file that are prominent security best-practice issues. Don't add or remove configuration settings; only modify the existing configuration settings. Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487.
Note: in the Dockerfile the two instructions are FROM ubuntu:latest (pin a release tag) and USER ROOT (run as test-user); in the manifest the two fields are the container's runAsUser: 0 (use 5487, which also overrides the Pod-level runAsUser: 1000) and privileged: true (set to false).

NO.33 Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default. Create a new Pod named backend-pod in the namespace default, mount the newly created ServiceAccount backend-sa to the pod, and verify that the pod is able to list pods. Ensure that the Pod is running.
A service account provides an identity for processes that run in a Pod. When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account (currently this is usually admin, unless your cluster administrator has customized your cluster). Processes in containers inside pods can also contact the apiserver.
When they do, they are authenticated as a particular Service Account (for example, default). When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. If you get the raw JSON or YAML for a pod you have created (for example, kubectl get pods/<podname> -o yaml), you can see the spec.serviceAccountName field has been automatically set.
You can access the API from inside a pod using automatically mounted service account credentials, as described in Accessing the Cluster. The API permissions of the service account depend on the authorization plugin and policy in use.
In version 1.6+, you can opt out of automounting API credentials for a service account by setting automountServiceAccountToken: false on the service account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false
...
In version 1.6+, you can also opt out of automounting API credentials for a particular pod:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
...
The pod spec takes precedence over the service account if both specify an automountServiceAccountToken value.
Note for the task: the ServiceAccount object itself carries no permissions. "List pods" comes from a Role with apiGroups: [""], resources: ["pods"], verbs: ["list"] plus a RoleBinding to backend-sa in default. Check it from the desk with kubectl auth can-i list pods --as=system:serviceaccount:default:backend-sa, and from inside backend-pod by calling the API with the token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

NO.34 Context: A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
Task: Given an existing Pod named web-pod running in the namespace security:
1. Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.
2. Create a new Role named role-2 in the namespace security, which only allows performing update operations, only on resources of type namespaces.
3. Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.

NO.35 Context: A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster's configuration.
When complete, the container image scanner shall scan for and reject the use of vulnerable images.
Task: Given an incomplete configuration in directory /etc/kubernetes/epconfig and a functional container image scanner with HTTPS endpoint https://wakanda.local:8081/image_policy:
1. Enable the necessary plugins to create an image policy.
2. Validate the control configuration and change it to an implicit deny.
3. Edit the configuration to point to the provided HTTPS endpoint correctly.
Finally, test if the configuration is working by trying to deploy the vulnerable resource /root/KSSC00202/vulnerable-resource.yml.
Note: the three steps map to adding ImagePolicyWebhook to --enable-admission-plugins on the kube-apiserver (with --admission-control-config-file pointing at the AdmissionConfiguration file in /etc/kubernetes/epconfig), setting imagePolicy.defaultAllow: false in that AdmissionConfiguration, and setting the server: URL of the cluster entry in the kubeconfig file it references to https://wakanda.local:8081/image_policy. With defaultAllow: false an unreachable webhook also rejects Pods, so wait for the apiserver static Pod to come back before testing the vulnerable resource.

NO.36 You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context prod-account
Context: A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
Task: Given an existing Pod named web-pod running in the namespace database:
1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.
2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statefulsets.
3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.
Note: Don't delete the existing RoleBinding.

NO.37 Enable audit logs in the cluster. To do so, enable the log backend, and ensure that:
1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt,
2. log files are retained for 5 days,
3. at maximum, 10 old audit log files are retained.
Edit and extend the basic policy to log:
1. CronJob changes at the RequestResponse level,
2. the request body of Deployment changes in the namespace kube-system,
3. all other resources in core and extensions at the Request level,
4.
Don't log watch requests by the "system:kube-proxy" on endpoints or

NO.38 Duplicate of NO.26: the same AppArmor task, with the same nginx-deny profile and apparmor-pod manifest, is repeated verbatim.

NO.39 SIMULATION
Secrets stored in etcd are not secure at rest; you can use the etcdctl command-line utility to read a secret's value, e.g.:
ETCDCTL_API=3 etcdctl get /registry/secrets/default/cks-secret --cacert="ca.crt" --cert="server.crt" --key="server.key"
On an unencrypted cluster the output contains the secret data in clear text.
Using an EncryptionConfiguration, create the manifest which secures the resource secrets using the providers aescbc and identity, to encrypt the secret data at rest, and ensure all secrets are encrypted with the new configuration.

NO.40 Task: Analyze and edit the given Dockerfile /home/candidate/KSSC00301/Dockerfile (based on the ubuntu:16.04 image), fixing two instructions present in the file that are prominent security/best-practice issues. Analyze and edit the given manifest file /home/candidate/KSSC00301/deployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues.
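NO.25, NO.34 and NO.36 all ask you to shrink the Role bound to a Pod's ServiceAccount without showing how to prove the result. The script below is an added example, not from the original page: it reads the JSON that kubectl get roles,rolebindings -n <namespace> -o json prints, computes every (apiGroup, resource, verb) the ServiceAccount obtains through RoleBindings in that namespace, and reports whatever exceeds the intended set. The embedded input is a constructed "before" state for the NO.36 scenario (namespace database, ServiceAccount test-sa); the Role and RoleBinding names and rule contents are invented for the sample. ClusterRoleBindings are not in the namespaced output and are therefore not covered, and resourceNames restrictions are ignored, which errs on the side of reporting too much.

```python
"""Report RBAC grants of a ServiceAccount that exceed an intended set (NO.25/34/36).

Added example, not part of the original page. Input is the JSON printed by
`kubectl get roles,rolebindings -n <ns> -o json`; a constructed sample is
embedded so the script runs offline.
"""
import json
from itertools import product

# Constructed sample, not real cluster output: the "before" state of NO.36,
# where the existing Role still grants far more than get on pods.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Role", "metadata": {"name": "test-role", "namespace": "database"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"],
                "verbs": ["get", "list", "delete"]}]},
    {"kind": "Role", "metadata": {"name": "test-role-2", "namespace": "database"},
     "rules": [{"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["update"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "test-role-bind", "namespace": "database"},
     "roleRef": {"kind": "Role", "name": "test-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "test-sa", "namespace": "database"}]},
    {"kind": "RoleBinding", "metadata": {"name": "test-role-2-bind", "namespace": "database"},
     "roleRef": {"kind": "Role", "name": "test-role-2"},
     "subjects": [{"kind": "ServiceAccount", "name": "test-sa", "namespace": "database"}]},
    {"kind": "RoleBinding", "metadata": {"name": "other-bind", "namespace": "database"},
     "roleRef": {"kind": "Role", "name": "test-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "other-sa", "namespace": "database"}]},
]})


def effective_grants(list_json: str, namespace: str, sa_name: str) -> set[tuple[str, str, str]]:
    """Every (apiGroup, resource, verb) the ServiceAccount gets via RoleBindings in the namespace."""
    items = json.loads(list_json)["items"]
    # RoleBindings may reference a ClusterRole; include those if the caller passed them in.
    roles = {(r["kind"], r["metadata"]["name"]): r
             for r in items if r["kind"] in ("Role", "ClusterRole")}
    grants = set()
    for rb in (i for i in items if i["kind"] == "RoleBinding"):
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                    and s.get("namespace", rb["metadata"]["namespace"]) == namespace
                    for s in rb.get("subjects", []))
        if not bound:
            continue
        role = roles.get((rb["roleRef"]["kind"], rb["roleRef"]["name"]))
        if role is None:  # a dangling roleRef grants nothing
            continue
        for rule in role.get("rules", []):
            # resourceNames are deliberately ignored: that only narrows a grant.
            for g, r, v in product(rule.get("apiGroups", [""]),
                                   rule.get("resources", []), rule.get("verbs", [])):
                grants.add((g, r, v))
    return grants


def excess_grants(list_json: str, namespace: str, sa_name: str, allowed) -> set[tuple[str, str, str]]:
    """Grants outside the allowed set; any '*' wildcard counts as excess on its own."""
    allowed = set(allowed)
    return {g for g in effective_grants(list_json, namespace, sa_name)
            if g not in allowed or "*" in g}


if __name__ == "__main__":
    wanted = {("", "pods", "get"), ("apps", "statefulsets", "update")}
    for g in sorted(excess_grants(SAMPLE, "database", "test-sa", wanted)):
        print("excess:", g)
```

On the sample the script lists list/delete on pods and get/list/delete on secrets as excess, which is exactly what editing test-role down to get on pods removes. For a quick spot check without the script, kubectl auth can-i --list --as=system:serviceaccount:database:test-sa -n database prints the same effective permissions from the apiserver's point of view, including anything granted cluster-wide.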
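NO.39 asks for an EncryptionConfiguration with the aescbc and identity providers but gives none. The manifest below is an added example, not the page's answer; the file path, key name and the placeholder key value are assumptions and must be replaced. Provider order matters: the first provider is used to write, and every listed provider can read, so putting identity last lets the apiserver still read secrets that were stored before encryption was switched on while never writing new ones in clear text.

```yaml
# /etc/kubernetes/enc/enc.yaml (path assumed). Mode 0600, owned by root:
# whoever reads this file can decrypt every Secret in etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider encrypts new writes. aescbc is what the task requires;
      # the Kubernetes docs flag CBC as exposed to padding-oracle attacks and
      # recommend aesgcm, secretbox or a KMS provider where you have the choice.
      - aescbc:
          keys:
            - name: key1
              # Placeholder: generate with  head -c 32 /dev/urandom | base64
              secret: <base64-encoded 32-byte key>
      # identity reads legacy plaintext entries; it is never used for writes here.
      - identity: {}
# Enable it on the apiserver (add to the static Pod manifest, with a hostPath
# mount for /etc/kubernetes/enc so the container can read the file):
#   - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# Existing Secrets stay in clear text until they are rewritten:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
# Verify with the etcdctl command from the task: the value must now begin
# with the prefix  k8s:enc:aescbc:v1:key1:  instead of readable data.
```

The kubectl replace step is what "ensure all secrets are encrypted with the new configuration" means in practice: enabling the provider only affects writes, so anything created earlier remains readable from etcd until it is rewritten. Keep the identity provider in place until that rewrite has completed, otherwise the apiserver cannot decode the old entries.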
New Linux Foundation CKS Dumps & Questions: https://www.vceprep.com/CKS-latest-vce-prep.html
Post date: 2023-02-25 12:38:23 GMT