Free Linux Foundation CKS Exam Dumps and CKS Exam Questions

Question No: 1

MultipleChoice

SIMULATION

Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt

Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.

Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod's ServiceAccount ( found in the Nginx pod running in namespace test-system).

Options

ASee the Explanation below

Question No: 2

MultipleChoice

SIMULATION

Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt

Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.

Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod's ServiceAccount ( found in the Nginx pod running in namespace test-system).

Options

ASendusyourfeedbackonit

Question No: 3

MultipleChoice

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context stage

Context:

A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.

Task:

1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods.

2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy.

3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development.

Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

Options

AExplanation:
Create psp to disallow privileged container
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- ''deny-policy''
k create sa psp-denial-sa -n development
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: psp-denial-sa
namespace: development
Explanation
master1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: deny-policy
spec:
privileged: false # Don't allow privileged pods!
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- ''deny-policy''
master1 $k create sa psp-denial-sa -n development
master1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
name: psp-denial-sa
namespace: development
master1 $k apply -f psp.yaml
master1 $k apply -f cr1.yaml
master1 $k apply -f cb1.yaml

Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/
master1 $k apply -f cr1.yaml
master1 $k apply -f cb1.yaml
master1 $k apply -f psp.yaml
master1 $k apply -f cr1.yaml
master1 $k apply -f cb1.yaml

Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Question No: 4

MultipleChoice

You must complete this task on the following cluster/nodes: Cluster:immutable-cluster

Master node:master1

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context immutable-cluster

Context: It is best practice to design containers to be stateless and immutable.

Task:

Inspect Pods running in namespaceprodand delete any Pod that is either not stateless or not immutable.

Use the following strict interpretation of stateless and immutable:

1. Pods being able to store data inside containers must be treated as not stateless.

Note:You don't have to worry whether data is actually stored inside containers or not already.

2. Pods being configured to beprivilegedin any way must be treated as potentially not stateless or not immutable.

Options

AExplanation:
k get pods -n prod
k get pod -n prod -o yaml | grep -E 'privileged|ReadOnlyRootFileSystem'
Delete the pods which do have any of these 2 properties
privileged:trueorReadOnlyRootFileSystem: false
[desk@cli]$k get pods -n prod
NAME READY STATUS RESTARTS AGE
cms 1/1 Running 0 68m
db 1/1 Running 0 4m
nginx 1/1 Running 0 23m
[desk@cli]$k get pod nginx -n prod -o yaml | grep -E 'privileged|RootFileSystem'
{'apiVersion':'v1','kind':'Pod','metadata':{'annotations':{},'creationTimestamp':null,'labels':{'run':'nginx'},'name':'nginx','namespace':'prod'},'spec':{'containers':[{'image':'nginx','name':'nginx','resources':{},'securityContext':{'privileged':true}}],'dnsPolicy':'ClusterFirst','restartPolicy':'Always'},'status':{}}
f:privileged: {}
privileged:true

[desk@cli]$k delete pod nginx -n prod
[desk@cli]$k get pod db -n prod -o yaml | grep -E 'privileged|RootFilesystem'

[desk@cli]$k delete pod cms -n prod

Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/
https://cloud.google.com/architecture/best-practices-for-operating-containers

Question No: 5

MultipleChoice

Cluster:qa-cluster

Master node:masterWorker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context qa-cluster

Task:

Create a NetworkPolicy namedrestricted-policyto restrict access to Podproductrunning in namespacedev.

Only allow the following Pods to connect to Pod products-service:

1. Pods in the namespaceqa

2. Pods with labelenvironment: stage, in any namespace

Options

AExplanation:
$k get ns qa --show-labels
NAME STATUS AGE LABELS
qa Active 47m env=stage
$k get pods -n dev --show-labels
NAME READY STATUS RESTARTS AGE LABELS
product 1/1 Running 0 3s env=dev-team
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: restricted-policy
namespace: dev
spec:
podSelector:
matchLabels:
env: dev-team
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
env: stage
- podSelector:
matchLabels:
env: stage
[desk@cli] $k get ns qa --show-labels
NAME STATUS AGE LABELS
qa Active 47m env=stage
[desk@cli] $k get pods -n dev --show-labels
NAME READY STATUS RESTARTS AGE LABELS
product 1/1 Running 0 3s env=dev-team
[desk@cli] $vim netpol2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: restricted-policy
namespace: dev
spec:
podSelector:
matchLabels:
env: dev-team
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
env: stage
- podSelector:
matchLabels:
env: stage
[desk@cli] $k apply -f netpol2.yaml

Reference:https://kubernetes.io/docs/concepts/services-networking/network-policies/
[desk@cli] $k apply -f netpol2.yaml

Reference:https://kubernetes.io/docs/concepts/services-networking/network-policies/

Question No: 6

MultipleChoice

Cluster:admission-cluster

Master node:master

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context admission-cluster

Context:

A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster's configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.

Task:

You have to complete the entire task on the cluster's master node, where all services and files have been prepared and placed.

Given an incomplete configuration in directory /etc/Kubernetes/config and a functional container image scanner with HTTPS endpoint https://imagescanner.local:8181/image_policy:

1. Enable the necessary plugins to create an image policy

2. Validate the control configuration and change it to an implicit deny

3. Edit the configuration to point to the provided HTTPS endpoint correctly

Finally, test if the configuration is working by trying to deploy the vulnerable resource /home/cert_masters/test-pod.yml

Note: You can find the container image scanner's log file at /var/log/policy/scanner.log

Options

AExplanation:
[master@cli] $cd /etc/Kubernetes/config
1. Edit kubeconfig to explicity deny
[master@cli] $vim kubeconfig.json
'defaultAllow': false # Change to false
2. fix server parameter by taking its value from ~/.kube/config
[master@cli] $cat /etc/kubernetes/config/kubeconfig.yaml | grep server
server:
3. EnableImagePolicyWebhook
[master@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this
Explanation
[desk@cli] $ssh master
[master@cli] $cd /etc/Kubernetes/config
[master@cli] $vim kubeconfig.json
{
'imagePolicy': {
'kubeConfigFile': '/etc/kubernetes/config/kubeconfig.yaml',
'allowTTL': 50,
'denyTTL': 50,
'retryBackoff': 500,
'defaultAllow': true # Delete this
'defaultAllow': false # Add this
}
}

Note:We can see a missing value here, so how from where i can get this value
[master@cli] $cat ~/.kube/config | grep server
or
[master@cli] $cat /etc/kubernetes/manifests/kube-apiserver.yaml

[master@cli] $vim /etc/kubernetes/config/kubeconfig.yaml

[master@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction # Delete This
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this

Reference:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
- --enable-admission-plugins=NodeRestriction # Delete This
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this
[master@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction # Delete This
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this

Reference:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/

Question No: 7

MultipleChoice

Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

kubesec-test.yaml

apiVersion: v1

kind: Pod

metadata:

name: kubesec-demo

spec:

containers:

- name: kubesec-demo

image: gcr.io/google-samples/node-hello:1.0

securityContext:

readOnlyRootFilesystem: true

Options

AHint:docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

Question No: 8

MultipleChoice

Using the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.

Options

Astore the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format
[timestamp],[uid],[processName]

Question No: 9

MultipleChoice

Secrets stored in the etcd is not secure at rest, you can use the etcdctl command utility to find the secret value

for e.g:-

Options

AETCDCTL_API=3 etcdctl get /registry/secrets/default/cks-secret --cacert='ca.crt' --cert='server.crt' --key='server.key'
Output

Using the Encryption Configuration, Create the manifest, which secures the resource secrets using the provider AES-CBC and identity, to encrypt the secret-data at rest and ensure all secrets are encrypted with the new configuration.

Question No: 10

MultipleChoice

A container image scanner is set up on the cluster.

Given an incomplete configuration in the directory

Options

A1. Enable the admission plugin.
2. Validate the control configuration and change it to implicit deny.
Finally, test the configuration by deploying the pod having the image tag as the latest.