Linux Foundation CKS Certified Kubernetes Security Specialist Exam Exam Practice Test Questions

• Question 1

  Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.

  • A . Explanation:
    $ kubectl get ing -n <namespace-of-ingress-resource>
    NAME HOSTS ADDRESS PORTS AGE
    cafe-ingress cafe.com 10.0.2.15 80 25s
    $ kubectl describe ing <ingress-resource-name> -n <namespace-of-ingress-resource>
    Name: cafe-ingress
    Namespace: default
    Address: 10.0.2.15
    Default backend: default-http-backend:80 (172.17.0.5:8080)
    Rules:
    Host Path Backends
    ---- ---- --------
    cafe.com
    /tea tea-svc:80 (<none>)
    /coffee coffee-svc:80 (<none>)
    Annotations:
    kubectl.kubernetes.io/last-applied-configuration: {'apiVersion':'networking.k8s.io/v1','kind':'Ingress','metadata':{'annotations':{},'name':'cafe-ingress','namespace':'default','selfLink':'/apis/networking/v1/namespaces/default/ingresses/cafe-ingress'},'spec':{'rules':[{'host':'cafe.com','http':{'paths':[{'backend':{'serviceName':'tea-svc','servicePort':80},'path':'/tea'},{'backend':{'serviceName':'coffee-svc','servicePort':80},'path':'/coffee'}]}}]},'status':{'loadBalancer':{'ingress':[{'ip':'169.48.142.110'}]}}}
    Events:
    Type Reason Age From Message
    ---- ------ ---- ---- -------
    Normal CREATE 1m ingress-nginx-controller Ingress default/cafe-ingress
    Normal UPDATE 58s ingress-nginx-controller Ingress default/cafe-ingress
    $ kubectl get pods -n <namespace-of-ingress-controller>
    NAME READY STATUS RESTARTS AGE
    ingress-nginx-controller-67956bf89d-fv58j 1/1 Running 0 1m
    $ kubectl logs -n <namespace> ingress-nginx-controller-67956bf89d-fv58j
    -------------------------------------------------------------------------------
    NGINX Ingress controller
    Release: 0.14.0
    Build: git-734361d
    Repository: https://github.com/kubernetes/ingress-nginx
    -------------------------------------------------------------------------------
    ....
    

  Show Answer Answer: A Next

• Question 2

  use the Trivy to scan the following images,1. amazonlinux:12. k8s.gcr.io/kube-controller-manager:v1.18.6Look for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in /opt/trivy-vulnerable.txt

  • Send us your suggestion on it.
  • Send us your suggestion

  Show Answer Answer: A Next

• Question 3

  Create a PSP that will prevent the creation of privileged pods in the namespace.Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.Create a new ServiceAccount named psp-sa in the namespace default.Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

  • A . Explanation:
    Create a PSP that will prevent the creation of privileged pods in the namespace.
    $ cat clusterrole-use-privileged.yaml
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: use-privileged-psp
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - default-psp
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
    name: privileged-role-bind
    namespace: psp-test
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: use-privileged-psp
    subjects:
    - kind: ServiceAccount
    name: privileged-sa
    $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
    After a few moments, the privileged Pod should be created.
    Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: example
    spec:
    privileged: false # Don't allow privileged pods!
    # The rest fills in some required fields.
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: RunAsAny
    fsGroup:
    rule: RunAsAny
    volumes:
    - '*'
    And create it with kubectl:
    kubectl-admin create -f example-psp.yaml
    Now, as the unprivileged user, try to create a simple pod:
    kubectl-user create -f- <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
    name: pause
    spec:
    containers:
    - name: pause
    image: k8s.gcr.io/pause
    EOF
    The output is similar to this:
    Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
    Create a new ServiceAccount named psp-sa in the namespace default.
    $ cat clusterrole-use-privileged.yaml
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: use-privileged-psp
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - default-psp
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
    name: privileged-role-bind
    namespace: psp-test
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: use-privileged-psp
    subjects:
    - kind: ServiceAccount
    name: privileged-sa
    $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
    After a few moments, the privileged Pod should be created.
    Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: example
    spec:
    privileged: false # Don't allow privileged pods!
    # The rest fills in some required fields.
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: RunAsAny
    fsGroup:
    rule: RunAsAny
    volumes:
    - '*'
    And create it with kubectl:
    kubectl-admin create -f example-psp.yaml
    Now, as the unprivileged user, try to create a simple pod:
    kubectl-user create -f- <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
    name: pause
    spec:
    containers:
    - name: pause
    image: k8s.gcr.io/pause
    EOF
    The output is similar to this:
    Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
    Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
    apiVersion: rbac.authorization.k8s.io/v1
    # This role binding allows 'jane' to read pods in the 'default' namespace.
    # You need to already have a Role named 'pod-reader' in that namespace.
    kind: RoleBinding
    metadata:
    name: read-pods
    namespace: default
    subjects:
    # You can specify more than one 'subject'
    - kind: User
    name: jane # 'name' is case sensitive
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    # 'roleRef' specifies the binding to a Role / ClusterRole
    kind: Role #this must be Role or ClusterRole
    name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
    apiGroup: rbac.authorization.k8s.io
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
    namespace: default
    name: pod-reader
    rules:
    - apiGroups: [''] # '' indicates the core API group
    resources: ['pods']
    verbs: ['get', 'watch', 'list']
    

  Show Answer Answer: A Next

• Question 4

  Create a PSP that will only allow the persistentvolumeclaim as the volume type in the namespace restricted.Create a new PodSecurityPolicy named prevent-volume-policy which prevents the pods which is having different volumes mount apart from persistentvolumeclaim.Create a new ServiceAccount named psp-sa in the namespace restricted.Create a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policyCreate a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.Hint:Also, Check the Configuration is working or not by trying to Mount a Secret in the pod maifest, it should get failed.POD Manifest:apiVersion: v1kind: Podmetadata:name:spec:containers:- name:image:volumeMounts:- name:mountPath:volumes:- name:secret:secretName:

  • A . Explanation:
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: restricted
    annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
    spec:
    privileged: false
    # Required to prevent escalations to root.
    allowPrivilegeEscalation: false
    # This is redundant with non-root + disallow privilege escalation,
    # but we can provide it for defense in depth.
    requiredDropCapabilities:
    - ALL
    # Allow core volume types.
    volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
    hostNetwork: false
    hostIPC: false
    hostPID: false
    runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
    seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
    supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
    max: 65535
    fsGroup:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
    max: 65535
    readOnlyRootFilesystem: false
    

  Show Answer Answer: A Next

• Question 5

  You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context test-account Task:Enable audit logs in the cluster.To do so, enable the log backend, and ensure that:1. logs are stored at/var/log/Kubernetes/logs.txt2. log files are retained for5days3. at maximum, a number of10old audit log files are retainedA basic policy is provided at/etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log. Note: The base policy is located on the cluster's master node.Edit and extend the basic policy to log: 1.Nodeschanges atRequestResponselevel 2. The request body ofpersistentvolumeschanges in the namespacefrontend 3.ConfigMapandSecretchanges in all namespaces at theMetadatalevelAlso, add a catch-all rule to log all other requests at theMetadatalevel Note:Don't forget to apply the modified policy.

  • A . Explanation:
    $vim /etc/kubernetes/log-policy/audit-policy.yaml
    - level: RequestResponse
    userGroups: ['system:nodes']
    - level: Request
    resources:
    - group: '' # core API group
    resources: ['persistentvolumes']
    namespaces: ['frontend']
    - level: Metadata
    resources:
    - group: ''
    resources: ['configmaps', 'secrets']
    - level: Metadata
    $vim /etc/kubernetes/manifests/kube-apiserver.yaml
    Add these
    - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
    - --audit-log-path=/var/log/kubernetes/logs.txt
    - --audit-log-maxage=5
    - --audit-log-maxbackup=10
    Explanation
    [desk@cli] $ssh master1
    [master1@cli] $vim /etc/kubernetes/log-policy/audit-policy.yaml
    apiVersion: audit.k8s.io/v1 # This is required.
    kind: Policy
    # Don't generate audit events for all requests in RequestReceived stage.
    omitStages:
    - 'RequestReceived'
    rules:
    # Don't log watch requests by the 'system:kube-proxy' on endpoints or services
    - level: None
    users: ['system:kube-proxy']
    verbs: ['watch']
    resources:
    - group: '' # core API group
    resources: ['endpoints', 'services']
    # Don't log authenticated requests to certain non-resource URL paths.
    - level: None
    userGroups: ['system:authenticated']
    nonResourceURLs:
    - '/api*' # Wildcard matching.
    - '/version'
    # Add your changes below
    - level: RequestResponse
    userGroups: ['system:nodes'] # Block for nodes
    - level: Request
    resources:
    - group: '' # core API group
    resources: ['persistentvolumes'] # Block for persistentvolumes
    namespaces: ['frontend'] # Block for persistentvolumes of frontend ns
    - level: Metadata
    resources:
    - group: '' # core API group
    resources: ['configmaps', 'secrets'] # Block for configmaps & secrets
    - level: Metadata # Block for everything else
    [master1@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
    apiVersion: v1
    kind: Pod
    metadata:
    annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
    labels:
    component: kube-apiserver
    tier: control-plane
    name: kube-apiserver
    namespace: kube-system
    spec:
    containers:
    - command:
    - kube-apiserver
    - --advertise-address=10.0.0.5
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
    - --audit-log-path=/var/log/kubernetes/logs.txt #Add this
    - --audit-log-maxage=5 #Add this
    - --audit-log-maxbackup=10 #Add this
    ...
    output truncated
    Note: log volume & policy volume is already mounted invim /etc/kubernetes/manifests/kube-apiserver.yamlso no need to mount it.
    
    Reference:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
    

  Show Answer Answer: A Next