Certified Kubernetes Security Specialist CKS Free Updated Questions

1. Create a new ServiceAccount named psd-denial-sa in the existing namespace development.

Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

2. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.

Note: Don't delete the existing RoleBinding.

3. k8s.gcr.io/kube-controller-manager:v1.18.6

Look for images with HIGH or CRITICAL severity vulnerabilities and store theoutput of the same in /opt/trivy-vulnerable.txt

4. CORRECT TEXT

Context:

Cluster: prod

Master node: master1

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context prod

Task:

Analyse and edit the given Dockerfile (based on the ubuntu:18:04 image)

/home/cert_masters/Dockerfile fixing two instructions present in the file being prominent security/best-practice issues.

Analyse and edit the given manifest file

/home/cert_masters/mydeployment.yaml fixing two fields present in the file being prominent security/best-practice issues.

Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.

Should you need an unprivileged user for any of the tasks, use user nobody with user id 65535

5. CORRECT TEXT

On the Cluster worker node, enforce the prepared AppArmor profile

✑ #include<tunables/global>

✑

✑

✑ profile docker-nginx flags=(attach_disconnected,mediate_deleted) {

✑ #include<abstractions/base>

✑

✑ network inet tcp,

✑ network inet udp,

✑ network inet icmp,

✑

✑ deny network raw,

✑

✑ deny network packet,

✑

✑ file,

✑ umount,

✑

✑ deny /bin/** wl,

✑ deny /boot/** wl,

✑ deny /dev/** wl,

✑ deny /etc/** wl,

✑ deny /home/** wl,

✑ deny /lib/** wl,

✑ deny /lib64/** wl,

✑ deny /media/** wl,

✑ deny /mnt/** wl,

✑ deny /opt/** wl,

✑ deny /proc/** wl,

✑ deny /root/** wl,

✑ deny /sbin/** wl,

✑ deny /srv/** wl,

✑ deny /tmp/** wl,

✑ deny /sys/** wl,

✑ deny /usr/** wl,

✑

✑ audit /** w,

✑

✑ /var/run/nginx.pid w,

✑

✑ /usr/sbin/nginx ix,

✑

✑ deny /bin/dash mrwklx,

✑ deny /bin/sh mrwklx,

✑ deny /usr/bin/top mrwklx,

✑

✑

✑ capability chown,

✑ capability dac_override,

✑ capability setuid,

✑ capability setgid,

✑ capability net_bind_service,

✑

✑ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)

✑ # deny write to files not in /proc/<number>/** or /proc/sys/**

✑ deny@{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,

✑ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)

✑ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/

✑ deny @{PROC}/sysrq-trigger rwklx,

✑ deny @{PROC}/mem rwklx,

✑ deny @{PROC}/kmem rwklx,

✑ deny @{PROC}/kcore rwklx,

✑

✑ deny mount,

✑

✑ deny /sys/[^f]*/** wklx,

✑ deny /sys/f[^s]*/** wklx,

✑ deny /sys/fs/[^c]*/** wklx,

✑ deny /sys/fs/c[^g]*/** wklx,

✑ deny /sys/fs/cg[^r]*/** wklx,

✑ deny /sys/firmware/** rwklx,

✑ deny /sys/kernel/security/** rwklx,

✑ }

Edit the prepared manifest file to include the AppArmor profile.

✑ apiVersion: v1

✑ kind: Pod

✑ metadata:

✑ name:apparmor-pod

✑ spec:

✑ containers:

✑ - name: apparmor-pod

✑ image: nginx

Finally, apply the manifests files and create the Pod specified on it.

Verify: Try to use command ping, top, sh

6. CORRECT TEXT

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context dev

A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.

Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.

You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

7. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying the pod having the image tag as the latest.

8. CORRECT TEXT

Create aRuntimeClass named gvisor-rc using the prepared runtime handler named runsc.

Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

9. CORRECT TEXT

Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.

10. pods with label version:v1 in any namespace.

Make sure to apply the network policy.

11. CORRECT TEXT

Given an existing Pod named test-web-pod running in the namespace test-system

Edit the existing Role bound to the Pod's Service Account named sa-backend to only allow performing get operations on endpoints.

Create a new Rolenamed test-system-role-2 in the namespace test-system, which can perform patch operations, on resources of type statefulsets.

Create a new RoleBinding named test-system-role-2-binding binding the newly created Role to the Pod's ServiceAccount sa-backend.

12. CORRECT TEXT

a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace.

Store the value of the token in thetoken.txt

b. Create a new secret named test-db-secret in the DB namespace with the following content:

username: mysql

password: password@123

Create the Pod name test-db-pod of image nginx in the namespace db that can accesstest-db-secret via a volume at path /etc/mysql-credentials

13. CORRECT TEXT

Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.

Create a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.

Verify: Exec the pods and run the dmesg, you will see output like this:-

14. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.

15. CORRECT TEXT

Cluster: scanner

Master node: controlplane

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context scanner

Given:

You may use Trivy's documentation.

Task:

Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.

Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.

Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.

16. CORRECT TEXT

On the Cluster worker node, enforce the prepared AppArmor profile

✑ #include<tunables/global>

✑

✑ profilenginx-deny flags=(attach_disconnected) {

✑ #include<abstractions/base>

✑

✑ file,

✑

✑ # Deny all file writes.

✑ deny/** w,

✑ }

✑ EOF'

Edit the prepared manifest file to include the AppArmor profile.

✑ apiVersion: v1

✑ kind: Pod

✑ metadata:

✑ name:apparmor-pod

✑ spec:

✑ containers:

✑ - name: apparmor-pod

✑ image: nginx

Finally, apply the manifests files and create the Pod specified on it.

Verify: Try to make a file inside the directory which is restricted.