Question # 1 Given an existing Pod named nginx-pod running in the namespace test-system, fetch the
service-account-name used and put the content in /candidate/KSC00124.txt
Create a new Role named dev-test-role in the namespace test-system, which can perform
update operations, on resources of type namespaces.
Create a new RoleBinding named dev-test-role-binding, which binds the newly created
Role to the Pod's ServiceAccount ( found in the Nginx pod running in namespace testsystem).
Answer Description
Question # 2 Create a new NetworkPolicy named deny-all in the namespace testing which denies all
traffic of type ingress and egress traffic
Answer Description Explanation:
You can create a "default" isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
You can create a "default" egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all-egress
spec:
podSelector: {}
egress:
- {}
policyTypes:
- Egress
Default deny all ingress and all egress trafficYou can create a "default" policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.
Question # 3 You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
Context:
A CIS Benchmark tool was run against the kubeadm created cluster and found multiple issues that must be addressed.
Task:
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
1.2.7 authorization-mode argument is not set to AlwaysAllow FAIL
1.2.8 authorization-mode argument includes Node FAIL
1.2.7 authorization-mode argument includes RBAC FAIL
Fix all of the following violations that were found against the Kubelet:
4.2.1 Ensure that the anonymous-auth argument is set to false FAIL
4.2.2 authorization-mode argument is not set to AlwaysAllow FAIL (Use Webhook autumn/authz where possible)
Fix all of the following violations that were found against etcd:
2.2 Ensure that the client-cert-auth argument is set to true
Answer Description
Question # 4 Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that:
1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.
2. Log files are retained for 5 days.
3. at maximum, a number of 10 old audit logs files are retained.
Edit and extend the basic policy to log:
1. Cronjobs changes at RequestResponse
2. Log the request body of deployments changes in the namespace kube-system.
3. Log all other resources in core and extensions at the Request level.
4. Don't log watch requests by the "system:kube-proxy" on endpoints or
Answer Description
Question # 5 Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that
1. logs are stored at /var/log/kubernetes-logs.txt.
2. Log files are retained for 12 days.
3. at maximum, a number of 8 old audit logs files are retained.
4. set the maximum size before getting rotated to 200MB
Edit and extend the basic policy to log:
1. namespaces changes at RequestResponse
2. Log the request body of secrets changes in the namespace kube-system
3. Log all other resources in core and extensions at the Request level.
4. Log "pods/portforward", "services/proxy" at Metadata level.
5. Omit the Stage RequestReceived
All other requests at the Metadata level
Answer Description Explanation:
Kubernetes auditing provides a security-relevant chronological set of records about a
cluster. Kube-apiserver performs auditing. Each request on each stage of its execution
generates an event, which is then pre-processed according to a certain policy and written
to a backend. The policy determines what’s recorded and the backends persist the records.
You might want to configure the audit log as part of compliance with the CIS (Center for
Internet Security) Kubernetes Benchmark controls.
The audit log can be enabled by default using the following configuration in cluster.yml:
services:
kube-api:
audit_log:
enabled: true
When the audit log is enabled, you should be able to see the default values at
/etc/kubernetes/audit-policy.yaml
The log backend writes audit events to a file in JSONlines format. You can configure the
log audit backend using the following kube-apiserver flags:
--audit-log-path specifies the log file path that log backend uses to write audit
events. Not specifying this flag disables log backend. - means standard out
--audit-log-maxage defined the maximum number of days to retain old audit log
files
--audit-log-maxbackup defines the maximum number of audit log files to retain
--audit-log-maxsize defines the maximum size in megabytes of the audit log file
before it gets rotated
If your cluster's control plane runs the kube-apiserver as a Pod, remember to mount
the hostPath to the location of the policy file and log file, so that audit records are persisted.
For example:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml \
--audit-log-path=/var/log/audit.log
Question # 6
Answer Description
Question # 7 Service is running on port 389 inside the system, find the process-id of the process, and
stores the names of all the open-files inside the /candidate/KH77539/files.txt, and also
delete the binary.
Answer Description root# netstat -ltnup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:17600 0.0.0.0:* LISTEN 1293/dropbox
tcp 0 0 127.0.0.1:17603 0.0.0.0:* LISTEN 1293/dropbox
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd
tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN 900/perl
tcp 0 0 :::80 :::* LISTEN 9583/docker-proxy
tcp 0 0 :::443 :::* LISTEN 9571/docker-proxy
udp 0 0 0.0.0.0:68 0.0.0.0:* 8822/dhcpcd
root# netstat -ltnup | grep ':22'
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd
The ss command is the replacement of the netstat command.
Now let’s see how to use the ss command to see which process is listening on port 22:
root# ss -ltnup 'sport = :22'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:("sshd",pid=575,fd=3))
Question # 8 You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context stage
Context:
A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task:
1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods.
2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy.
3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development.
Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount pspdenial-sa
Answer Description Explanation:
Create psp to disallow privileged container
uk.co.certification.simulator.questionpool.PList@11600d40
k create sa psp-denial-sa -n development
uk.co.certification.simulator.questionpool.PList@11601040
namespace: development
Explanationmaster1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: deny-policy
spec:
privileged: false # Don't allow privileged pods!
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- “deny-policy”
master1 $ k create sa psp-denial-sa -n developmentmaster1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
name: psp-denial-sa
namespace: development
Up-to-Date
We always provide up-to-date CKS exam dumps to our clients. Keep checking website for updates and download.
Excellence
Quality and excellence of our Certified Kubernetes Security Specialist (CKS) practice questions are above customers expectations. Contact live chat to know more.
Success
Your SUCCESS is assured with the CKS exam questions of passin1day.com. Just Buy, Prepare and PASS!
Quality
All our braindumps are verified with their correct answers. Download Kubernetes Security Specialist Practice tests in a printable PDF format.
Basic
$80
Any 3 Exams of Your Choice
3 Exams PDF + Online Test Engine
Buy Now
Premium
$100
Any 4 Exams of Your Choice
4 Exams PDF + Online Test Engine
Buy Now
Gold
$125
Any 5 Exams of Your Choice
5 Exams PDF + Online Test Engine
Buy Now
Passin1Day has a big success story in last 12 years with a long list of satisfied customers.
We are UK based company, selling CKS practice test questions answers. We have a team of 34 people in Research, Writing, QA, Sales, Support and Marketing departments and helping people get success in their life.
We dont have a single unsatisfied Linux Foundation customer in this time. Our customers are our asset and precious to us more than their money.
CKS Dumps
We have recently updated Linux Foundation CKS dumps study guide. You can use our Kubernetes Security Specialist braindumps and pass your exam in just 24 hours. Our Certified Kubernetes Security Specialist (CKS) real exam contains latest questions. We are providing Linux Foundation CKS dumps with updates for 3 months. You can purchase in advance and start studying. Whenever Linux Foundation update Certified Kubernetes Security Specialist (CKS) exam, we also update our file with new questions. Passin1day is here to provide real CKS exam questions to people who find it difficult to pass exam
Kubernetes Security Specialist can advance your marketability and prove to be a key to differentiating you from those who have no certification and Passin1day is there to help you pass exam with CKS dumps. Linux Foundation Certifications demonstrate your competence and make your discerning employers recognize that Certified Kubernetes Security Specialist (CKS) certified employees are more valuable to their organizations and customers. We have helped thousands of customers so far in achieving their goals. Our excellent comprehensive Linux Foundation exam dumps will enable you to pass your certification Kubernetes Security Specialist exam in just a single try. Passin1day is offering CKS braindumps which are accurate and of high-quality verified by the IT professionals. Candidates can instantly download Kubernetes Security Specialist dumps and access them at any device after purchase. Online Certified Kubernetes Security Specialist (CKS) practice tests are planned and designed to prepare you completely for the real Linux Foundation exam condition. Free CKS dumps demos can be available on customer’s demand to check before placing an order.
What Our Customers Say
Jeff Brown
Thanks you so much passin1day.com team for all the help that you have provided me in my Linux Foundation exam. I will use your dumps for next certification as well.
Mareena Frederick
You guys are awesome. Even 1 day is too much. I prepared my exam in just 3 hours with your CKS exam dumps and passed it in first attempt :)
Ralph Donald
I am the fully satisfied customer of passin1day.com. I have passed my exam using your Certified Kubernetes Security Specialist (CKS) braindumps in first attempt. You guys are the secret behind my success ;)
Lilly Solomon
I was so depressed when I get failed in my Cisco exam but thanks GOD you guys exist and helped me in passing my exams. I am nothing without you.