MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: A container image scanner is set up on the cluster.Given an incomplete configuration in the directory/etc/Kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://acme.local.8081/image_policy
Question2: Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.Create a Role name john-role to list secrets, pods in namespace johnFinally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.To Verify: Use the kubectl auth CLI command to verify the permissions.
Question3: You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context devA default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml
Question4: Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.Fix all of the following violations that were found against the API server:- a. Ensure the --authorization-mode argument includes RBAC b. Ensure the --authorization-mode argument includes Node c. Ensure that the --profiling argument is set to false Fix all of the following violations that were found against the Kubelet:- a. Ensure the --anonymous-auth argument is set to false.b. Ensure that the --authorization-mode argument is set to Webhook.Fix all of the following violations that were found against the ETCD:-a. Ensure that the --auto-tls argument is not set to trueHint: Take the use of Tool Kube-Bench
Question5: Before Making any changes build the Dockerfile with tag base:v1Now Analyze and edit the given Dockerfile(based on ubuntu 16:04)Fixing two instructions present in the file, Check from Security Aspect and Reduce Size point of view.Dockerfile:FROM ubuntu:latestRUN apt-get update -yRUN apt install nginx -yCOPY entrypoint.sh /RUN useradd ubuntuENTRYPOINT ["/entrypoint.sh"]USER ubuntuentrypoint.sh#!/bin/bashecho "Hello from CKS"After fixing the Dockerfile, build the docker-image with the tag base:v2
Question6: Cluster: scannerMaster node: controlplaneWorker node: worker1You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context scannerGiven:You may use Trivy's documentation.Task:Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.
Question7: Context:Cluster: prodMaster node: master1Worker node: worker1You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context prodTask:Analyse and edit the given Dockerfile (based on the ubuntu:18:04 image)/home/cert_masters/Dockerfile fixing two instructions present in the file being prominent security/best-practice issues.Analyse and edit the given manifest file/home/cert_masters/mydeployment.yaml fixing two fields present in the file being prominent security/best-practice issues.Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.Should you need an unprivileged user for any of the tasks, use user nobody with user id 65535
Question8: You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context qaContext:A pod fails to run because of an incorrectly specified ServiceAccountTask:Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret.Edit the frontend pod yaml to use backend-qa service accountNote: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml
Question9: Using the runtime detection tool Falco, Analyse the container behavior for at least 30 seconds, using filters that detect newly spawning and executing processes
Question10: Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.2. Log files are retained for 5 days.3. at maximum, a number of 10 old audit logs files are retained.Edit and extend the basic policy to log:
Question11: You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context prod-accountContext:A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.Task:Given an existing Pod named web-pod running in the namespace database.1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statuefulsets.3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.Note: Don't delete the existing RoleBinding.
Question12: Create a network policy named allow-np, that allows pod in the namespace staging to connect to port 80 of other pods in the same namespace.Ensure that Network Policy:-1. Does not allow access to pod not listening on port 80.2. Does not allow access from Pods, not in namespace staging.
Question13: You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context test-accountTask: Enable audit logs in the cluster.To do so, enable the log backend, and ensure that:1. logs are stored at /var/log/Kubernetes/logs.txt2. log files are retained for 5 days3. at maximum, a number of 10 old audit log files are retainedA basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.Note: The base policy is located on the cluster's master node.Edit and extend the basic policy to log:1. Nodes changes at RequestResponse level2. The request body of persistentvolumes changes in the namespace frontend3. ConfigMap and Secret changes in all namespaces at the Metadata level Also, add a catch-all rule to log all other requests at the Metadata level Note: Don't forget to apply the modified policy.
Question14: use the Trivy to scan the following images,
Question15: Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.