MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.
Question2: Cluster: qa-clusterMaster node: master Worker node: worker1You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context qa-clusterTask:Create a NetworkPolicy named restricted-policy to restrict access to Pod product running in namespace dev.Only allow the following Pods to connect to Pod products-service:1. Pods in the namespace qa2. Pods with label environment: stage, in any namespace
Question3: SIMULATIONEnable audit logs in the cluster, To Do so, enable the log backend, and ensure that1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.2. Log files are retained for 5 days.3. at maximum, a number of 10 old audit logs files are retained.Edit and extend the basic policy to log:1. Cronjobs changes at RequestResponse2. Log the request body of deployments changes in the namespace kube-system.3. Log all other resources in core and extensions at the Request level.4. Don't log watch requests by the "system:kube-proxy" on endpoints or
Question4: Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.
Question5: SIMULATIONUsing the runtime detection tool Falco, Analyse the container behavior for at least 30 seconds, using filters that detect newly spawning and executing processes store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format[timestamp],[uid],[user-name],[processName]
Question6: SIMULATIONCreate a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic
Question7: SIMULATIONBefore Making any changes build the Dockerfile with tag base:v1Now Analyze and edit the given Dockerfile(based on ubuntu 16:04)Fixing two instructions present in the file, Check from Security Aspect and Reduce Size point of view.Dockerfile:FROM ubuntu:latestRUN apt-get update -yRUN apt install nginx -yCOPY entrypoint.sh /RUN useradd ubuntuENTRYPOINT ["/entrypoint.sh"]USER ubuntuentrypoint.sh#!/bin/bashecho "Hello from CKS"After fixing the Dockerfile, build the docker-image with the tag base:v2 To Verify: Check the size of the image before and after the build.
Question8: Cluster: devMaster node: master1Worker node: worker1You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context devTask:Retrieve the content of the existing secret named adam in the safe namespace.Store the username field in a file names /home/cert-masters/username.txt, and the password field in a file named /home/cert-masters/password.txt.1. You must create both files; they don't exist yet.2. Do not use/modify the created files in the following steps, create new temporary files if needed.Create a new secret names newsecret in the safe namespace, with the following content:Username: dbadminPassword: moresecurepasFinally, create a new Pod that has access to the secret newsecret via a volume:Namespace: safePod name: mysecret-podContainer name: db-containerImage: redisVolume name: secret-volMount path: /etc/mysecret
Question9: Using the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.
Question10: Context:Cluster: prodMaster node: master1Worker node: worker1You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context prodTask:Analyse and edit the given Dockerfile (based on the ubuntu:18:04 image)/home/cert_masters/Dockerfile fixing two instructions present in the file being prominent security/best-practice issues.Analyse and edit the given manifest file/home/cert_masters/mydeployment.yaml fixing two fields present in the file being prominent security/best-practice issues.Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.Should you need an unprivileged user for any of the tasks, use user nobody with user id 65535
Question11: SIMULATIONuse the Trivy to scan the following images,1. amazonlinux:12. k8s.gcr.io/kube-controller-manager:v1.18.6Look for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in /opt/trivy-vulnerable.txt
Question12: Context:Cluster: gvisorMaster node: master1Worker node: worker1You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context gvisorContext: This cluster has been prepared to support runtime handler, runsc as well as traditional one.Task:Create a RuntimeClass named not-trusted using the prepared runtime handler names runsc.Update all Pods in the namespace server to run on newruntime.
Question13: Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.Fix all of the following violations that were found against the API server:- a. Ensure that the RotateKubeletServerCertificate argument is set to true.b. Ensure that the admission control plugin PodSecurityPolicy is set.c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.Fix all of the following violations that were found against the Kubelet:- a. Ensure the --anonymous-auth argument is set to false.b. Ensure that the --authorization-mode argument is set to Webhook.Fix all of the following violations that were found against the ETCD:-a. Ensure that the --auto-tls argument is not set to trueb. Ensure that the --peer-auto-tls argument is not set to trueHint: Take the use of Tool Kube-Bench
Question14: SIMULATIONGiven an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod's ServiceAccount ( found in the Nginx pod running in namespace test-system).
Question15: A container image scanner is set up on the cluster.Given an incomplete configuration in the directory/etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy
Question16: Service is running on port 389 inside the system, find the process-id of the process, and stores the names of all the open-files inside the /candidate/KH77539/files.txt, and also delete the binary.
Question17: SIMULATIONGiven an existing Pod named test-web-pod running in the namespace test-system Edit the existing Role bound to the Pod's Service Account named sa-backend to only allow performing get operations on endpoints.Create a new Role named test-system-role-2 in the namespace test-system, which can perform patch operations, on resources of type statefulsets.Create a new RoleBinding named test-system-role-2-binding binding the newly created Role to the Pod's ServiceAccount sa-backend.
Question18: Create a PSP that will only allow the persistentvolumeclaim as the volume type in the namespace restricted.Create a new PodSecurityPolicy named prevent-volume-policy which prevents the pods which is having different volumes mount apart from persistentvolumeclaim.Create a new ServiceAccount named psp-sa in the namespace restricted.Create a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policyCreate a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.Hint:Also, Check the Configuration is working or not by trying to Mount a Secret in the pod maifest, it should get failed.POD Manifest:apiVersion: v1kind: Podmetadata:name:spec:containers:- name:image:volumeMounts:- name:mountPath:volumes:- name:secret:secretName:
Question19: You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context devA default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml
Question20: Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.Create a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.
Question21: Before Making any changes build the Dockerfile with tag base:v1Now Analyze and edit the given Dockerfile(based on ubuntu 16:04)Fixing two instructions present in the file, Check from Security Aspect and Reduce Size point of view.Dockerfile:FROM ubuntu:latestRUN apt-get update -yRUN apt install nginx -yCOPY entrypoint.sh /RUN useradd ubuntuENTRYPOINT ["/entrypoint.sh"]USER ubuntuentrypoint.sh#!/bin/bashecho "Hello from CKS"After fixing the Dockerfile, build the docker-image with the tag base:v2
Question22: SIMULATIONUsing the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format[timestamp],[uid],[processName]
Question23: SIMULATIONOn the Cluster worker node, enforce the prepared AppArmor profile#include <tunables/global>profile nginx-deny flags=(attach_disconnected) {#include <abstractions/base>file,# Deny all file writes.deny /** w,}EOF'Edit the prepared manifest file to include the AppArmor profile.apiVersion: v1kind: Podmetadata:name: apparmor-podspec:containers:- name: apparmor-podimage: nginxFinally, apply the manifests files and create the Pod specified on it.Verify: Try to make a file inside the directory which is restricted.
Question24: You must complete this task on the following cluster/nodes: Cluster: immutable-cluster Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context immutable-clusterContext: It is best practice to design containers to be stateless and immutable.Task:Inspect Pods running in namespace prod and delete any Pod that is either not stateless or not immutable.Use the following strict interpretation of stateless and immutable:1. Pods being able to store data inside containers must be treated as not stateless.Note: You don't have to worry whether data is actually stored inside containers or not already.2. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.
Question25: On the Cluster worker node, enforce the prepared AppArmor profile#include <tunables/global>profile docker-nginx flags=(attach_disconnected,mediate_deleted) {#include <abstractions/base>network inet tcp,network inet udp,network inet icmp,deny network raw,deny network packet,file,umount,deny /bin/** wl,deny /boot/** wl,deny /dev/** wl,deny /etc/** wl,deny /home/** wl,deny /lib/** wl,deny /lib64/** wl,deny /media/** wl,deny /mnt/** wl,deny /opt/** wl,deny /proc/** wl,deny /root/** wl,deny /sbin/** wl,deny /srv/** wl,deny /tmp/** wl,deny /sys/** wl,deny /usr/** wl,audit /** w,/var/run/nginx.pid w,/usr/sbin/nginx ix,deny /bin/dash mrwklx,deny /bin/sh mrwklx,deny /usr/bin/top mrwklx,capability chown,capability dac_override,capability setuid,capability setgid,capability net_bind_service,deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)# deny write to files not in /proc/<number>/** or /proc/sys/**deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, deny @{PROC}/kcore rwklx, deny mount, deny /sys/[^f]*/** wklx, deny /sys/f[^s]*/** wklx, deny /sys/fs/[^c]*/** wklx, deny /sys/fs/c[^g]*/** wklx, deny /sys/fs/cg[^r]*/** wklx, deny /sys/firmware/** rwklx, deny /sys/kernel/security/** rwklx,}Edit the prepared manifest file to include the AppArmor profile.apiVersion: v1kind: Podmetadata:name: apparmor-podspec:containers:- name: apparmor-podimage: nginxFinally, apply the manifests files and create the Pod specified on it.Verify: Try to use command ping, top, sh