MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.
Question2: SIMULATIONEnable audit logs in the cluster, To Do so, enable the log backend, and ensure that1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.2. Log files are retained for 5 days.3. at maximum, a number of 10 old audit logs files are retained.Edit and extend the basic policy to log:1. Cronjobs changes at RequestResponse2. Log the request body of deployments changes in the namespace kube-system.3. Log all other resources in core and extensions at the Request level.4. Don't log watch requests by the "system:kube-proxy" on endpoints or
Question3: Create a network policy named allow-np, that allows pod in the namespace staging to connect to port 80 of other pods in the same namespace.Ensure that Network Policy:-1. Does not allow access to pod not listening on port 80.2. Does not allow access from Pods, not in namespace staging.
Question4: Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.Create a Role name john-role to list secrets, pods in namespace johnFinally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john. To Verify: Use the kubectl auth CLI command to verify the permissions.
Question5: SIMULATIONSecrets stored in the etcd is not secure at rest, you can use the etcdctl command utility to find the secret value for e.g:- ETCDCTL_API=3 etcdctl get /registry/secrets/default/cks-secret --cacert="ca.crt" --cert="server.crt" --key="server.key" OutputUsing the Encryption Configuration, Create the manifest, which secures the resource secrets using the provider AES-CBC and identity, to encrypt the secret-data at rest and ensure all secrets are encrypted with the new configuration.
Question6: use the Trivy to scan the following images,1. amazonlinux:12. k8s.gcr.io/kube-controller-manager:v1.18.6Look for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in /opt/trivy-vulnerable.txt
Question7: SIMULATIONCreate a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class
Question8: ContextAppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet.TaskOn the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor.Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile.Finally, apply the manifest file and create the Pod specified in it.
Question9: You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context prod-accountContext:A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.Task:Given an existing Pod named web-pod running in the namespace database.1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statuefulsets.3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.Note: Don't delete the existing RoleBinding.
Question10: SIMULATIONUsing the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format[timestamp],[uid],[processName]
Question11: Analyze and edit the given DockerfileFROM ubuntu:latestRUN apt-get update -yRUN apt-install nginx -yCOPY entrypoint.sh /ENTRYPOINT ["/entrypoint.sh"]USER ROOTFixing two instructions present in the file being prominent security best practice issues Analyze and edit the deployment manifest file apiVersion: v1 kind: Pod metadata:name: security-context-demo-2spec:securityContext:runAsUser: 1000containers:- name: sec-ctx-demo-2image: gcr.io/google-samples/node-hello:1.0securityContext:runAsUser: 0privileged: TrueallowPrivilegeEscalation: falseFixing two fields present in the file being prominent security best practice issues Don't add or remove configuration settings; only modify the existing configuration settings Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487
Question12: SIMULATIONCreate a RuntimeClass named untrusted using the prepared runtime handler named runsc.Create a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.Verify: Exec the pods and run the dmesg, you will see output like this:-
Question13: Analyze and edit the given DockerfileFROM ubuntu:latestRUN apt-get update -yRUN apt-install nginx -yCOPY entrypoint.sh /ENTRYPOINT ["/entrypoint.sh"]USER ROOTFixing two instructions present in the file being prominent security best practice issues Analyze and edit the deployment manifest file apiVersion: v1 kind: Pod metadata:name: security-context-demo-2spec:securityContext:runAsUser: 1000containers:- name: sec-ctx-demo-2image: gcr.io/google-samples/node-hello:1.0securityContext:runAsUser: 0privileged: TrueallowPrivilegeEscalation: falseFixing two fields present in the file being prominent security best practice issues Don't add or remove configuration settings; only modify the existing configuration settings Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487
Question14: Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.Create a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.
Question15: ContextA PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.TaskCreate a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp-restrict-sa.
Question16: ContextThe kubeadm-created cluster's Kubernetes API server was, for testing purposes, temporarily configured to allow unauthenticated and unauthorized access granting the anonymous user duster-admin access.TaskReconfigure the cluster's Kubernetes API server to ensure that only authenticated and authorized REST requests are allowed.Use authorization mode Node,RBAC and admission controller NodeRestriction.Cleaning up, remove the ClusterRoleBinding for user system:anonymous.
Question17: SIMULATIONFix all issues via configuration and restart the affected components to ensure the new setting takes effect.Fix all of the following violations that were found against the API server:- a. Ensure the --authorization-mode argument includes RBAC b. Ensure the --authorization-mode argument includes Node c. Ensure that the --profiling argument is set to false Fix all of the following violations that were found against the Kubelet:- a. Ensure the --anonymous-auth argument is set to false.b. Ensure that the --authorization-mode argument is set to Webhook.Fix all of the following violations that were found against the ETCD:-a. Ensure that the --auto-tls argument is not set to trueHint: Take the use of Tool Kube-Bench
Question18: ContextA Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.TaskGiven an existing Pod named web-pod running in the namespace security.Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.Create a new Role named role-2 in the namespace security, which only allows performing update operations, only on resources of type namespaces.Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.
Question19: SIMULATIONCreate a network policy named allow-np, that allows pod in the namespace staging to connect to port 80 of other pods in the same namespace.Ensure that Network Policy:-1. Does not allow access to pod not listening on port 80.2. Does not allow access from Pods, not in namespace staging.
Question20: a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace.Store the value of the token in the token.txtb. Create a new secret named test-db-secret in the DB namespace with the following content:username: mysqlpassword: password@123Create the Pod name test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials
Question21: Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.Fix all of the following violations that were found against the API server:- a. Ensure that the RotateKubeletServerCertificate argument is set to true.b. Ensure that the admission control plugin PodSecurityPolicy is set.c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.Fix all of the following violations that were found against the Kubelet:- a. Ensure the --anonymous-auth argument is set to false.b. Ensure that the --authorization-mode argument is set to Webhook.Fix all of the following violations that were found against the ETCD:-a. Ensure that the --auto-tls argument is not set to trueb. Ensure that the --peer-auto-tls argument is not set to trueHint: Take the use of Tool Kube-Bench
Question22: You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context qa Context: A pod fails to run because of an incorrectly specified ServiceAccount Task: Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret. Edit the frontend pod yaml to use backend-qa service account Note: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml
Question23: Using the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format[timestamp],[uid],[processName]
Question24: ContextA default-deny NetworkPolicy avoids to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.TaskCreate a new default-deny NetworkPolicy named defaultdeny in the namespace testing for all traffic of type Egress.The new NetworkPolicy must deny all Egress traffic in the namespace testing.Apply the newly created default-deny NetworkPolicy to all Pods running in namespace testing.
Question25: Two tools are pre-installed on the cluster's worker node:Using the tool of your choice (including any non pre-installed tool), analyze the container's behavior for at least 30 seconds, using filters that detect newly spawning and executing processes.Store an incident file at /opt/KSRS00101/alerts/details, containing the detected incidents, one per line, in the following format:The following example shows a properly formatted incident file:
Question26: You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context qaContext:A pod fails to run because of an incorrectly specified ServiceAccountTask:Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret.Edit the frontend pod yaml to use backend-qa service accountNote: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml
Question27: ContextA CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately.TaskFix all issues via configuration and restart the affected components to ensure the new settings take effect.Fix all of the following violations that were found against the API server:Fix all of the following violations that were found against the Kubelet:Fix all of the following violations that were found against etcd:
Question28: SIMULATIONCreate a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.
Question29: SIMULATIONAnalyze and edit the given DockerfileFROM ubuntu:latestRUN apt-get update -yRUN apt-install nginx -yCOPY entrypoint.sh /ENTRYPOINT ["/entrypoint.sh"]USER ROOTFixing two instructions present in the file being prominent security best practice issues Analyze and edit the deployment manifest file apiVersion: v1 kind: Pod metadata:name: security-context-demo-2spec:securityContext:runAsUser: 1000containers:- name: sec-ctx-demo-2image: gcr.io/google-samples/node-hello:1.0securityContext:runAsUser: 0privileged: TrueallowPrivilegeEscalation: falseFixing two fields present in the file being prominent security best practice issues Don't add or remove configuration settings; only modify the existing configuration settings Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487
Question30: SIMULATIONCreate a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic
Question31: SIMULATIONCreate a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default.Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and Verify that the pod is able to list pods.Ensure that the Pod is running.
Question32: ContextA container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster s configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.TaskGiven an incomplete configuration in directory /etc/kubernetes/epconfig and a functional container image scanner with HTTPS endpoint https://wakanda.local:8081 /image_policy :1. Enable the necessary plugins to create an image policy2. Validate the control configuration and change it to an implicit deny3. Edit the configuration to point to the provided HTTPS endpoint correctly Finally, test if the configuration is working by trying to deploy the vulnerable resource /root/KSSC00202/vulnerable-resource.yml.
Question33: Using the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.
Question34: On the Cluster worker node, enforce the prepared AppArmor profile#include <tunables/global>profile nginx-deny flags=(attach_disconnected) {#include <abstractions/base>file,# Deny all file writes.deny /** w,}EOF'Edit the prepared manifest file to include the AppArmor profile.apiVersion: v1kind: Podmetadata:name: apparmor-podspec:containers:- name: apparmor-podimage: nginxFinally, apply the manifests files and create the Pod specified on it.Verify: Try to make a file inside the directory which is restricted.
Question35: You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml
Question36: SIMULATIONCreate a network policy named restrict-np to restrict to pod nginx-test running in namespace testing.Only allow the following Pods to connect to Pod nginx-test:-1. pods in the namespace default2. pods with label version:v1 in any namespace.Make sure to apply the network policy.
Question37: Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.2. Log files are retained for 5 days.3. at maximum, a number of 10 old audit logs files are retained.Edit and extend the basic policy to log:1. Cronjobs changes at RequestResponse2. Log the request body of deployments changes in the namespace kube-system.3. Log all other resources in core and extensions at the Request level.4. Don't log watch requests by the "system:kube-proxy" on endpoints or
Question38: Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.Fix all of the following violations that were found against the API server:- a. Ensure that the RotateKubeletServerCertificate argument is set to true.b. Ensure that the admission control plugin PodSecurityPolicy is set.c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.Fix all of the following violations that were found against the Kubelet:- a. Ensure the --anonymous-auth argument is set to false.b. Ensure that the --authorization-mode argument is set to Webhook.Fix all of the following violations that were found against the ETCD:-a. Ensure that the --auto-tls argument is not set to trueb. Ensure that the --peer-auto-tls argument is not set to trueHint: Take the use of Tool Kube-Bench
Question39: SIMULATIONOn the Cluster worker node, enforce the prepared AppArmor profile#include <tunables/global>profile docker-nginx flags=(attach_disconnected,mediate_deleted) {#include <abstractions/base>network inet tcp,network inet udp,network inet icmp,deny network raw,deny network packet,file,umount,deny /bin/** wl,deny /boot/** wl,deny /dev/** wl,deny /etc/** wl,deny /home/** wl,deny /lib/** wl,deny /lib64/** wl,deny /media/** wl,deny /mnt/** wl,deny /opt/** wl,deny /proc/** wl,deny /root/** wl,deny /sbin/** wl,deny /srv/** wl,deny /tmp/** wl,deny /sys/** wl,deny /usr/** wl,audit /** w,/var/run/nginx.pid w,/usr/sbin/nginx ix,deny /bin/dash mrwklx,deny /bin/sh mrwklx,deny /usr/bin/top mrwklx,capability chown,capability dac_override,capability setuid,capability setgid,capability net_bind_service,deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)# deny write to files not in /proc/<number>/** or /proc/sys/**deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, deny @{PROC}/kcore rwklx, deny mount, deny /sys/[^f]*/** wklx, deny /sys/f[^s]*/** wklx, deny /sys/fs/[^c]*/** wklx, deny /sys/fs/c[^g]*/** wklx, deny /sys/fs/cg[^r]*/** wklx, deny /sys/firmware/** rwklx, deny /sys/kernel/security/** rwklx,}Edit the prepared manifest file to include the AppArmor profile.apiVersion: v1kind: Podmetadata:name: apparmor-podspec:containers:- name: apparmor-podimage: nginxFinally, apply the manifests files and create the Pod specified on it.Verify: Try to use command ping, top, sh
Question40: You must complete this task on the following cluster/nodes: Cluster: immutable-cluster Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command:[desk@cli] $ kubectl config use-context immutable-clusterContext: It is best practice to design containers to be stateless and immutable.Task:Inspect Pods running in namespace prod and delete any Pod that is either not stateless or not immutable.Use the following strict interpretation of stateless and immutable:1. Pods being able to store data inside containers must be treated as not stateless.Note: You don't have to worry whether data is actually stored inside containers or not already.2. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.
Question41: Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.