The Linux Foundation CKS Certified Kubernetes Security Specialist (CKS) Online Training

Question #11

CORRECT TEXT

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:-

✑ a. Ensure that the RotateKubeletServerCertificate argumentissettotrue.

✑ b. Ensure that the admission control plugin PodSecurityPolicyisset.

✑ c. Ensure that the –kubelet-certificate-authority argumentissetasappropriate.

Fix all of the following violations that were found against the Kubelet:-

✑ a. Ensure the –anonymous-auth argumentissettofalse.

✑ b. Ensure that the –authorization-mode argumentissetto Webhook.

Fix all of the following violations that were found against the ETCD:-

✑ a. Ensure that the –auto-tls argumentisnotsettotrue

✑ b. Ensure that the –peer-auto-tls argumentisnotsettotrue

Hint: Take the use of Tool Kube-Bench

Reveal Solution Hide Solution

Correct Answer: Fix all of thefollowing violations that were found against the API server:-

✑ a. Ensure that the RotateKubeletServerCertificate argumentissettotrue.

apiVersion: v1

kind: Pod

metadata:

creationTimestamp: null

labels:

component:kubelet

tier: control-plane

name: kubelet

namespace: kube-system

spec:

containers:

– command:

– kube-controller-manager

+ – –feature-gates=RotateKubeletServerCertificate=true image: gcr.io/google_containers/kubelet-amd64:v1.6.0 livenessProbe:

failureThreshold: 8 httpGet:

host: 127.0.0.1

path: /healthz

port: 6443

scheme: HTTPS

initialDelaySeconds: 15

timeoutSeconds: 15

name:kubelet

resources:

requests:

cpu: 250m

volumeMounts:

– mountPath: /etc/kubernetes/ name: k8s

readOnly: true

– mountPath: /etc/ssl/certs name: certs

– mountPath: /etc/pki name:pki hostNetwork: true volumes:

– hostPath:

path: /etc/kubernetes

name: k8s

– hostPath:

path: /etc/ssl/certs

name: certs

– hostPath: path: /etc/pki name: pki

✑ b. Ensure that theadmission control plugin PodSecurityPolicyisset.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

– flag: "–enable-admission-plugins"

compare:

op: has

value:"PodSecurityPolicy"

set: true

remediation: |

Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file $apiserverconf

on themaster node and set the –enable-admission-plugins parameter to a

value that includes PodSecurityPolicy :

–enable-admission-plugins=…,PodSecurityPolicy,…

Then restart the API Server.

scored: true

✑ c. Ensure thatthe –kubelet-certificate-authority argumentissetasappropriate.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

– flag: "–kubelet-certificate-authority" set: true

remediation: |

Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the master node and set the –kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. –kubelet-certificate-authority=<ca-string>

scored: true

Fix all of the following violations that were found against the ETCD:-

✑ a. Ensurethat the –auto-tls argumentisnotsettotrue

Edit the etcd pod specification file $etcdconf on the masternode and either remove the — auto-tls parameter or set it to false.–auto-tls=false

✑ b. Ensure that the –peer-auto-tls argumentisnotsettotrue

Edit the etcd pod specification file $etcdconf on the masternode and either remove the — peer-auto-tls parameter or set it to false.–peer-auto-tls=false

Question #11

CORRECT TEXT

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:-

✑ a. Ensure that the RotateKubeletServerCertificate argumentissettotrue.

✑ b. Ensure that the admission control plugin PodSecurityPolicyisset.

✑ c. Ensure that the –kubelet-certificate-authority argumentissetasappropriate.

Fix all of the following violations that were found against the Kubelet:-

✑ a. Ensure the –anonymous-auth argumentissettofalse.

✑ b. Ensure that the –authorization-mode argumentissetto Webhook.

Fix all of the following violations that were found against the ETCD:-

✑ a. Ensure that the –auto-tls argumentisnotsettotrue

✑ b. Ensure that the –peer-auto-tls argumentisnotsettotrue

Hint: Take the use of Tool Kube-Bench

Reveal Solution Hide Solution

Correct Answer: Fix all of thefollowing violations that were found against the API server:-

✑ a. Ensure that the RotateKubeletServerCertificate argumentissettotrue.

apiVersion: v1

kind: Pod

metadata:

creationTimestamp: null

labels:

component:kubelet

tier: control-plane

name: kubelet

namespace: kube-system

spec:

containers:

– command:

– kube-controller-manager

+ – –feature-gates=RotateKubeletServerCertificate=true image: gcr.io/google_containers/kubelet-amd64:v1.6.0 livenessProbe:

failureThreshold: 8 httpGet:

host: 127.0.0.1

path: /healthz

port: 6443

scheme: HTTPS

initialDelaySeconds: 15

timeoutSeconds: 15

name:kubelet

resources:

requests:

cpu: 250m

volumeMounts:

– mountPath: /etc/kubernetes/ name: k8s

readOnly: true

– mountPath: /etc/ssl/certs name: certs

– mountPath: /etc/pki name:pki hostNetwork: true volumes:

– hostPath:

path: /etc/kubernetes

name: k8s

– hostPath:

path: /etc/ssl/certs

name: certs

– hostPath: path: /etc/pki name: pki

✑ b. Ensure that theadmission control plugin PodSecurityPolicyisset.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

– flag: "–enable-admission-plugins"

compare:

op: has

value:"PodSecurityPolicy"

set: true

remediation: |

Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file $apiserverconf

on themaster node and set the –enable-admission-plugins parameter to a

value that includes PodSecurityPolicy :

–enable-admission-plugins=…,PodSecurityPolicy,…

Then restart the API Server.

scored: true

✑ c. Ensure thatthe –kubelet-certificate-authority argumentissetasappropriate.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

– flag: "–kubelet-certificate-authority" set: true

remediation: |

Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the master node and set the –kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. –kubelet-certificate-authority=<ca-string>

scored: true

Fix all of the following violations that were found against the ETCD:-

✑ a. Ensurethat the –auto-tls argumentisnotsettotrue

Edit the etcd pod specification file $etcdconf on the masternode and either remove the — auto-tls parameter or set it to false.–auto-tls=false

✑ b. Ensure that the –peer-auto-tls argumentisnotsettotrue

Edit the etcd pod specification file $etcdconf on the masternode and either remove the — peer-auto-tls parameter or set it to false.–peer-auto-tls=false

Question #11

CORRECT TEXT

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:-

✑ a. Ensure that the RotateKubeletServerCertificate argumentissettotrue.

✑ b. Ensure that the admission control plugin PodSecurityPolicyisset.

✑ c. Ensure that the –kubelet-certificate-authority argumentissetasappropriate.

Fix all of the following violations that were found against the Kubelet:-

✑ a. Ensure the –anonymous-auth argumentissettofalse.

✑ b. Ensure that the –authorization-mode argumentissetto Webhook.

Fix all of the following violations that were found against the ETCD:-

✑ a. Ensure that the –auto-tls argumentisnotsettotrue

✑ b. Ensure that the –peer-auto-tls argumentisnotsettotrue

Hint: Take the use of Tool Kube-Bench

Reveal Solution Hide Solution

Correct Answer: Fix all of thefollowing violations that were found against the API server:-

✑ a. Ensure that the RotateKubeletServerCertificate argumentissettotrue.

apiVersion: v1

kind: Pod

metadata:

creationTimestamp: null

labels:

component:kubelet

tier: control-plane

name: kubelet

namespace: kube-system

spec:

containers:

– command:

– kube-controller-manager

+ – –feature-gates=RotateKubeletServerCertificate=true image: gcr.io/google_containers/kubelet-amd64:v1.6.0 livenessProbe:

failureThreshold: 8 httpGet:

host: 127.0.0.1

path: /healthz

port: 6443

scheme: HTTPS

initialDelaySeconds: 15

timeoutSeconds: 15

name:kubelet

resources:

requests:

cpu: 250m

volumeMounts:

– mountPath: /etc/kubernetes/ name: k8s

readOnly: true

– mountPath: /etc/ssl/certs name: certs

– mountPath: /etc/pki name:pki hostNetwork: true volumes:

– hostPath:

path: /etc/kubernetes

name: k8s

– hostPath:

path: /etc/ssl/certs

name: certs

– hostPath: path: /etc/pki name: pki

✑ b. Ensure that theadmission control plugin PodSecurityPolicyisset.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

– flag: "–enable-admission-plugins"

compare:

op: has

value:"PodSecurityPolicy"

set: true

remediation: |

Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file $apiserverconf

on themaster node and set the –enable-admission-plugins parameter to a

value that includes PodSecurityPolicy :

–enable-admission-plugins=…,PodSecurityPolicy,…

Then restart the API Server.

scored: true

✑ c. Ensure thatthe –kubelet-certificate-authority argumentissetasappropriate.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

– flag: "–kubelet-certificate-authority" set: true

remediation: |

Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the master node and set the –kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. –kubelet-certificate-authority=<ca-string>

scored: true

Fix all of the following violations that were found against the ETCD:-

✑ a. Ensurethat the –auto-tls argumentisnotsettotrue

Edit the etcd pod specification file $etcdconf on the masternode and either remove the — auto-tls parameter or set it to false.–auto-tls=false

✑ b. Ensure that the –peer-auto-tls argumentisnotsettotrue

Edit the etcd pod specification file $etcdconf on the masternode and either remove the — peer-auto-tls parameter or set it to false.–peer-auto-tls=false

Question #11

CORRECT TEXT

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:-

✑ a. Ensure that the RotateKubeletServerCertificate argumentissettotrue.

✑ b. Ensure that the admission control plugin PodSecurityPolicyisset.

✑ c. Ensure that the –kubelet-certificate-authority argumentissetasappropriate.

Fix all of the following violations that were found against the Kubelet:-

✑ a. Ensure the –anonymous-auth argumentissettofalse.

✑ b. Ensure that the –authorization-mode argumentissetto Webhook.

Fix all of the following violations that were found against the ETCD:-

✑ a. Ensure that the –auto-tls argumentisnotsettotrue

✑ b. Ensure that the –peer-auto-tls argumentisnotsettotrue

Hint: Take the use of Tool Kube-Bench

Reveal Solution Hide Solution

Correct Answer: Fix all of thefollowing violations that were found against the API server:-

✑ a. Ensure that the RotateKubeletServerCertificate argumentissettotrue.

apiVersion: v1

kind: Pod

metadata:

creationTimestamp: null

labels:

component:kubelet

tier: control-plane

name: kubelet

namespace: kube-system

spec:

containers:

– command:

– kube-controller-manager

+ – –feature-gates=RotateKubeletServerCertificate=true image: gcr.io/google_containers/kubelet-amd64:v1.6.0 livenessProbe:

failureThreshold: 8 httpGet:

host: 127.0.0.1

path: /healthz

port: 6443

scheme: HTTPS

initialDelaySeconds: 15

timeoutSeconds: 15

name:kubelet

resources:

requests:

cpu: 250m

volumeMounts:

– mountPath: /etc/kubernetes/ name: k8s

readOnly: true

– mountPath: /etc/ssl/certs name: certs

– mountPath: /etc/pki name:pki hostNetwork: true volumes:

– hostPath:

path: /etc/kubernetes

name: k8s

– hostPath:

path: /etc/ssl/certs

name: certs

– hostPath: path: /etc/pki name: pki

✑ b. Ensure that theadmission control plugin PodSecurityPolicyisset.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

– flag: "–enable-admission-plugins"

compare:

op: has

value:"PodSecurityPolicy"

set: true

remediation: |

Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file $apiserverconf

on themaster node and set the –enable-admission-plugins parameter to a

value that includes PodSecurityPolicy :

–enable-admission-plugins=…,PodSecurityPolicy,…

Then restart the API Server.

scored: true

✑ c. Ensure thatthe –kubelet-certificate-authority argumentissetasappropriate.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

– flag: "–kubelet-certificate-authority" set: true

remediation: |

Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the master node and set the –kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. –kubelet-certificate-authority=<ca-string>

scored: true

Fix all of the following violations that were found against the ETCD:-

✑ a. Ensurethat the –auto-tls argumentisnotsettotrue

Edit the etcd pod specification file $etcdconf on the masternode and either remove the — auto-tls parameter or set it to false.–auto-tls=false

✑ b. Ensure that the –peer-auto-tls argumentisnotsettotrue

Edit the etcd pod specification file $etcdconf on the masternode and either remove the — peer-auto-tls parameter or set it to false.–peer-auto-tls=false

Question #15

Create the Pod using this manifest

Reveal Solution Hide Solution

Question #16

CORRECT TEXT

Using the runtime detection tool Falco, Analyse the container behavior for at least 30 seconds, using filters that detect newly spawning and executing processes store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format

[timestamp],[uid],[user-name],[processName]

Reveal Solution Hide Solution

Question #17

CORRECT TEXT

Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside thenamespace default.

Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and Verify that the pod is able to list pods.

Ensure that the Pod is running.

Reveal Solution Hide Solution