Question # 1 Context:
Cluster: prod
Master node: master1
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context prod
Task:
Analyse and edit the given Dockerfile (based on the ubuntu:18:04 image)
/home/cert_masters/Dockerfile fixing two instructions present in the file being prominent security/best-practice issues.
Analyse and edit the given manifest file
/home/cert_masters/mydeployment.yaml fixing two fields present in the file being prominent security/best-practice issues.
Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.
Should you need an unprivileged user for any of the tasks, use user nobody with user id 65535
Answer Description Explanation:
1. For Dockerfile: Fix the image version & user name in Dockerfile2. For mydeployment.yaml : Fix security contexts
Explanation[desk@cli] $ vim /home/cert_masters/Dockerfile
FROM ubuntu:latest # Remove this
FROM ubuntu:18.04 # Add this
USER root # Remove this
USER nobody # Add this
RUN apt get install -y lsof=4.72 wget=1.17.1 nginx=4.2
ENV ENVIRONMENT=testing
USER root # Remove this
USER nobody # Add this
CMD ["nginx -d"]
Question # 2 Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.
Fix all of the following violations that were found against the API server:-
a. Ensure that the RotateKubeletServerCertificate argument is set to true.
b. Ensure that the admission control plugin PodSecurityPolicy is set.
c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
Fix all of the following violations that were found against the Kubelet:-
a. Ensure the --anonymous-auth argument is set to false.
b. Ensure that the --authorization-mode argument is set to Webhook.
Fix all of the following violations that were found against the ETCD:-
a. Ensure that the --auto-tls argument is not set to true
b. Ensure that the --peer-auto-tls argument is not set to true
Hint: Take the use of Tool Kube-Bench
Answer Description Explanation:
Fix all of the following violations that were found against the API server:-
a. Ensure that the RotateKubeletServerCertificate argument is set to true.
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kubelet
tier: control-plane
name: kubelet
namespace: kube-system
spec:
containers:
- command:
- kube-controller-manager
+ - --feature-gates=RotateKubeletServerCertificate=true
image: gcr.io/google_containers/kubelet-amd64:v1.6.0
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 15
timeoutSeconds: 15
name: kubelet
resources:
requests:
cpu: 250m
volumeMounts:
- mountPath: /etc/kubernetes/
name: k8s
readOnly: true
- mountPath: /etc/ssl/certs
name: certs
- mountPath: /etc/pki
name: pki
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes
name: k8s
- hostPath:
path: /etc/ssl/certs
name: certs
- hostPath:
path: /etc/pki
name: pki
b. Ensure that the admission control plugin PodSecurityPolicy is set.
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "PodSecurityPolicy"
set: true
remediation: |
Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --enable-admission-plugins parameter to a
value that includes PodSecurityPolicy :
--enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server.
scored: true
c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--kubelet-certificate-authority"
set: true
remediation: |
Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file
$apiserverconf on the master node and set the --kubelet-certificate-authority
parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=
scored: true
Fix all of the following violations that were found against the ETCD:-
a. Ensure that the --auto-tls argument is not set to true
Edit the etcd pod specification file $etcdconf on the masternode and either remove the -- auto-tls parameter or set it to false.--auto-tls=false
b. Ensure that the --peer-auto-tls argument is not set to true
Edit the etcd pod specification file $etcdconf on the masternode and either remove the -- peer-auto-tls parameter or set it to false.--peer-auto-tls=false
Question # 3 You must complete this task on the following cluster/nodes: Cluster: immutable-cluster
Master node : master1
Worker node : worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context immutable-cluster
Context : It is best practice to design containers to be stateless and immutable.
Task:
Inspect Pods running in namespace prod and delete any Pod that is either not stateless or
not immutable.
Use the following strict interpretation of stateless and immutable:
1. Pods being able to store data inside containers must be treated as not stateless.
Note: You don't have to worry whether data is actually stored inside containers or not
already.
2. Pods being configured to be privileged in any way must be treated as potentially not
stateless or not immutable.
Answer Description
Question # 4 Cluster: dev
Master node: master1
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
Task:
Retrieve the content of the existing secret named adam in the safe namespace.
Store the username field in a file names /home/cert-masters/username.txt, and the password field in a file named /home/cert-masters/password.txt.
1. You must create both files; they don't exist yet.
2. Do not use/modify the created files in the following steps, create new temporary files if needed.
Create a new secret names newsecret in the safe namespace, with the following content:
Username: dbadmin
Password: moresecurepas
Finally, create a new Pod that has access to the secret newsecret via a volume:
Namespace:safe
Pod name:mysecret-pod
Container name:db-container
Image:redis
Volume name:secret-vol
Mount path:/etc/mysecret
Answer Description
Question # 5 On the Cluster worker node, enforce the prepared AppArmor profile
#include
profile nginx-deny flags=(attach_disconnected) {
#include
file,
# Deny all file writes.
deny /** w,
}
EOF'
Edit the prepared manifest file to include the AppArmor profile.
apiVersion: v1
kind: Pod
metadata:
name: apparmor-pod
spec:
containers:
- name: apparmor-pod
image: nginx
Finally, apply the manifests files and create the Pod specified on it.
Verify: Try to make a file inside the directory which is restricted.
Answer Description
Question # 6
Answer Description
Question # 7 You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context qa
Context:
A pod fails to run because of an incorrectly specified ServiceAccount
Task:
Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret.
Edit the frontend pod yaml to use backend-qa service account
Note: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml
Answer Description Explanation:
[desk@cli] $ k create sa backend-qa -n qasa/backend-qa created[desk@cli] $ k get
role,rolebinding -n qaNo resources found in qa namespace.[desk@cli] $ k create role
backend -n qa --resource pods,namespaces,configmaps --verb list# No access to secret
[desk@cli] $ k create rolebinding backend -n qa --role backend --serviceaccount
qa:backend-qa[desk@cli] $ vim /home/cert_masters/frontend-pod.yaml
uk.co.certification.simulator.questionpool.PList@120e0660
[desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yamlpod created
[desk@cli] $ k create sa backend-qa -n qaserviceaccount/backend-qa created[desk@cli]
$ k get role,rolebinding -n qaNo resources found in qa namespace.[desk@cli] $ k create
role backend -n qa --resource pods,namespaces,configmaps --verb
listrole.rbac.authorization.k8s.io/backend created[desk@cli] $ k create rolebinding backend
-n qa --role backend --serviceaccount qa:backendqarolebinding.
rbac.authorization.k8s.io/backend created[desk@cli] $ vim
/home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
serviceAccountName: backend-qa # Add this
image: nginx
name: frontend
[desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yamlpod/frontend
createdhttps://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
Question # 8 Given an existing Pod named nginx-pod running in the namespace test-system, fetch the
service-account-name used and put the content in /candidate/KSC00124.txt
Create a new Role named dev-test-role in the namespace test-system, which can perform
update operations, on resources of type namespaces.
Create a new RoleBinding named dev-test-role-binding, which binds the newly created
Role to the Pod's ServiceAccount ( found in the Nginx pod running in namespace testsystem).
Answer Description
Up-to-Date
We always provide up-to-date CKS exam dumps to our clients. Keep checking website for updates and download.
Excellence
Quality and excellence of our Certified Kubernetes Security Specialist (CKS) practice questions are above customers expectations. Contact live chat to know more.
Success
Your SUCCESS is assured with the CKS exam questions of passin1day.com. Just Buy, Prepare and PASS!
Quality
All our braindumps are verified with their correct answers. Download Kubernetes Security Specialist Practice tests in a printable PDF format.
Basic
$80
Any 3 Exams of Your Choice
3 Exams PDF + Online Test Engine
Buy Now
Premium
$100
Any 4 Exams of Your Choice
4 Exams PDF + Online Test Engine
Buy Now
Gold
$125
Any 5 Exams of Your Choice
5 Exams PDF + Online Test Engine
Buy Now
Passin1Day has a big success story in last 12 years with a long list of satisfied customers.
We are UK based company, selling CKS practice test questions answers. We have a team of 34 people in Research, Writing, QA, Sales, Support and Marketing departments and helping people get success in their life.
We dont have a single unsatisfied Linux Foundation customer in this time. Our customers are our asset and precious to us more than their money.
CKS Dumps
We have recently updated Linux Foundation CKS dumps study guide. You can use our Kubernetes Security Specialist braindumps and pass your exam in just 24 hours. Our Certified Kubernetes Security Specialist (CKS) real exam contains latest questions. We are providing Linux Foundation CKS dumps with updates for 3 months. You can purchase in advance and start studying. Whenever Linux Foundation update Certified Kubernetes Security Specialist (CKS) exam, we also update our file with new questions. Passin1day is here to provide real CKS exam questions to people who find it difficult to pass exam
Kubernetes Security Specialist can advance your marketability and prove to be a key to differentiating you from those who have no certification and Passin1day is there to help you pass exam with CKS dumps. Linux Foundation Certifications demonstrate your competence and make your discerning employers recognize that Certified Kubernetes Security Specialist (CKS) certified employees are more valuable to their organizations and customers. We have helped thousands of customers so far in achieving their goals. Our excellent comprehensive Linux Foundation exam dumps will enable you to pass your certification Kubernetes Security Specialist exam in just a single try. Passin1day is offering CKS braindumps which are accurate and of high-quality verified by the IT professionals. Candidates can instantly download Kubernetes Security Specialist dumps and access them at any device after purchase. Online Certified Kubernetes Security Specialist (CKS) practice tests are planned and designed to prepare you completely for the real Linux Foundation exam condition. Free CKS dumps demos can be available on customer’s demand to check before placing an order.
What Our Customers Say
Jeff Brown
Thanks you so much passin1day.com team for all the help that you have provided me in my Linux Foundation exam. I will use your dumps for next certification as well.
Mareena Frederick
You guys are awesome. Even 1 day is too much. I prepared my exam in just 3 hours with your CKS exam dumps and passed it in first attempt :)
Ralph Donald
I am the fully satisfied customer of passin1day.com. I have passed my exam using your Certified Kubernetes Security Specialist (CKS) braindumps in first attempt. You guys are the secret behind my success ;)
Lilly Solomon
I was so depressed when I get failed in my Cisco exam but thanks GOD you guys exist and helped me in passing my exams. I am nothing without you.