CORRECT TEXT On the cluster worker node, enforce the prepared AppArmor profile:

    #include <tunables/global>

    profile nginx-deny flags=(attach_disconnected) {
      #include <abstractions/base>

      file,

      # Deny all file writes.
      deny /** w,
    }
    EOF'

Edit the prepared manifest file to include the AppArmor profile.
    apiVersion:...
CORRECT TEXT Fix all issues via configuration and restart the affected components to ensure the new settings take effect. Fix all of the following violations that were found against the API server:
a. Ensure that the RotateKubeletServerCertificate argument is set to true.
b. Ensure that the admission control plugin PodSecurityPolicy is set.
c. ...
CORRECT TEXT Create a RuntimeClass named untrusted using the prepared runtime handler named runsc. Create a Pod with the image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class. Verify: exec into the pod and run dmesg; you will see output like this:
CORRECT TEXT Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the Pods inside the namespace default. Create a new Pod named backend-pod in the namespace default, mount the newly created ServiceAccount backend-sa to the Pod, and verify that the Pod is able...
CORRECT TEXT Cluster: scanner
Master node: controlplane
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context scanner
Given: You may use Trivy's documentation.
Task: Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the...
Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.
Answer:
k get pods -n prod
k get pod <pod-name> -n prod -o yaml | grep -E 'privileged|ReadOnlyRootFileSystem'
Delete the Pods which have either of these two properties: privileged: true or ReadOnlyRootFileSystem: false.
[desk@cli]$...
sysdig
Tools are pre-installed on the worker1 node only. Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes. Store an incident file at /home/cert_masters/report, in the following format:
[timestamp],[uid],[processName]
Note: Make sure to store the incident file on the cluster's worker node,...