CKS Exam Dumps - Certified Kubernetes Security Specialist (CKS)

Searching for workable clues to ace the Linux Foundation CKS Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s CKS PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

Question # 4

Cluster:Â qa-cluster

Master node:Â masterÂ Worker node:Â worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $Â kubectl config use-context qa-cluster

Task:

Create a NetworkPolicy namedÂ restricted-policyÂ to restrict access to PodÂ productÂ running in namespaceÂ dev.

Only allow the following Pods to connect to Pod products-service:

1. Pods in the namespaceÂ qa

2. Pods with labelÂ environment: stage, in any namespace

Full Access

Question # 5

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against theÂ API server:-

Â Â Â Â

Â a. Ensure that the RotateKubeletServerCertificate argument is set to true.

Â Â b. Ensure that the admission control plugin PodSecurityPolicy is set.

c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

Fix all of the following violations that were found against theÂ Kubelet:-

Â Â

Â a. Ensure the --anonymous-auth argument is set to false.

Â b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against theÂ ETCD:-

Â Â

a. Ensure that the --auto-tls argument is not set to true

b. Ensure that the --peer-auto-tls argument is not set to true

Â Â Â Hint: Take the use of Tool Kube-Bench

Full Access

Answer:

Explanation:

Fix all of the following violations that were found against theÂ API server:-

Â Â Â Â

Â a. Ensure that the RotateKubeletServerCertificate argument is set to true.

apiVersion: v1

kind: Pod

metadata:

creationTimestamp: null

labels:

component: kubelet

tier: control-plane

namespace: kube-system

spec:

containers:

- command:

- kube-controller-manager

+ - --feature-gates=RotateKubeletServerCertificate=true

image: gcr.io/google_containers/kubelet-amd64:v1.6.0

livenessProbe:

failureThreshold: 8

httpGet:

host: 127.0.0.1

path: /healthz

port: 6443

scheme: HTTPS

initialDelaySeconds: 15

timeoutSeconds: 15

resources:

requests:

cpu: 250m

volumeMounts:

- mountPath: /etc/kubernetes/

readOnly: true

- mountPath: /etc/ssl/certs

- mountPath: /etc/pki

hostNetwork: true

volumes:

- hostPath:

path: /etc/kubernetes

- hostPath:

path: /etc/ssl/certs

- hostPath:

path: /etc/pki

Â Â b. Ensure that the admission control plugin PodSecurityPolicy is set.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

- flag: "--enable-admission-plugins"

compare:

op: has

value: "PodSecurityPolicy"

set: true

remediation: |

Follow the documentation and create Pod Security Policy objects as per your environment.

Then, edit the API server pod specification file $apiserverconf

on the master node and set the --enable-admission-plugins parameter to a

value that includes PodSecurityPolicy :

--enable-admission-plugins=...,PodSecurityPolicy,...

Then restart the API Server.

scored: true

c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

- flag: "--kubelet-certificate-authority"

set: true

remediation: |

Follow the Kubernetes documentation and setup the TLS connection between the

apiserver and kubelets. Then, edit the API server pod specification file

$apiserverconf on the master node and set the --kubelet-certificate-authority

parameter to the path to the cert file for the certificate authority.

--kubelet-certificate-authority=

scored: true

Fix all of the following violations that were found against theÂ ETCD:-

Â Â

a. Ensure that the --auto-tls argument is not set to true

Edit the etcd pod specification file $etcdconf on the master

node and either remove the --auto-tls parameter or set it to false.

--auto-tls=false

b. Ensure that the --peer-auto-tls argument is not set to true

Edit the etcd pod specification file $etcdconf on the master

node and either remove the --peer-auto-tls parameter or set it to false.

--peer-auto-tls=false

Question # 6

Two tools are pre-installed on the cluster's worker node:

sysdig

falco

Using the tool of your choice (including any non pre-installed tool), analyze the container's behavior for at least 30 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at /opt/KSRS00101/alerts/details, containing the detected incidents, one per line, in the following format:

The following example shows a properly formatted incident file:

Full Access

Question # 7

Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.

Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

Full Access

Question # 8

Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

kubesec-test.yaml

apiVersion: v1

kind: Pod

metadata:

spec:

containers:

- name: kubesec-demo

image: gcr.io/google-samples/node-hello:1.0

securityContext:

readOnlyRootFilesystem: true

Hint:Â docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin <</b> kubesec-test.yaml

Full Access

Answer:

Explanation:

kubesec scan k8s-deployment.yaml
cat <<EOF > kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: kubesec-demo
spec:
containers:
- name: kubesec-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
readOnlyRootFilesystem: true
EOF
kubesec scan kubesec-test.yaml
docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
kubesec http 8080 &
[1] 12345
{"severity":"info","timestamp":"2019-05-12T11:58:34.662+0100","caller":"server/server.go:69","message":"Starting HTTP server on port 8080"}
curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan
[
{
"object": "Pod/security-context-demo.default",
"valid": true,
"message": "Failed with a score of -30 points",
"score": -30,
"scoring": {
"critical": [
{
"selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN",
"reason": "CAP_SYS_ADMIN is the most privileged capability and should always be avoided"
},
{
"selector": "containers[] .securityContext .runAsNonRoot == true",
"reason": "Force the running image to run as a non-root user to ensure least privilege"
},
// ...

Go to page:
<< First

Prev

1

2

3

Next

Last >>

Hot Exams

AZ-900 Dumps

200-301 Dumps

350-401 Dumps

350-701 Dumps

AZ-104 Dumps

CS0-003 Dumps

N10-009 Dumps

SY0-701 Dumps

CAS-005 Dumps

PT0-003 Dumps

ZDTA Dumps

Month End Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

CKS Exam Dumps - Certified Kubernetes Security Specialist (CKS)

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Hot Exams