CKA 模拟真题 Killer.sh | Question 24 | NetworkPolicy
Task weight: 9%
Use context: kubectl config use-context k8s-c1-H
There was a security incident where an intruder was able to access the whole cluster from a single hacked backend Pod.
To prevent this create a NetworkPolicy called np-backend in Namespace project-snake . It should allow the backend-* Pods only to:
connect to db1-* Pods on port 1111 connect to db2-* Pods on port 2222 Use the app label of Pods in your policy.
After implementation, connections from backend-* Pods to vault-* Pods on port 3333 should for example no longer work.
译文
曾经发生过一起安全事件,一个入侵者能够从一个被入侵的后端Pod访问整个集群。
为了防止这种情况,在 namespace project-snake 中创建一个名为 np-backend 的 NetworkPolicy。它应该只允许 backend-* Pods进入。
- 连接到1111端口的db1-* Pods
- 连接到2222端口的db2-* Pods。
在你的策略中使用Pods的 app 标签。
实施后,例如,从 backend-Pods到3333端口的 vault- Pods的连接应该不再工作。
解答
kubectl config use-context k8s-c1-H |
查看pod详情
k -n project-snake get pod |
vim 24.yaml |
24.yaml
# 24_np.yaml |
创建networpolicy
k -f 24.yaml create |
验证测试
k -n project-snake exec backend-0 -- curl -s 10.44.0.25:1111 |
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来源 Hao DevSecOps!
微信
相关推荐
2023-01-09
CKA 模拟真题 Killer.sh | Question 1 | Contexts
Task weight: 1% You have access to multiple clusters from your main terminal through kubectl contexts. Write all those context names into /opt/course/1/contexts . Next write a command to display the current context into /opt/course/1/context_default_kubectl.sh , the command should use kubectl. Finally write a second command doing the same thing into /opt/course/1/context_default_no_kubectl.sh , but without the use of kubectl. 译文你可以通过 kubectl contexts 从你的主终端访问多个集群。把所有这些上下文的名字写进 ...
2023-01-09
CKA 模拟真题 Killer.sh | Question 7 | Node and Pod Resource Usage
Use context: kubectl config use-context k8s-c1-H The metrics-server has been installed in the cluster. Your college would like to know the kubectl commands to: show Nodes resource usage show Pods and their containers resource usage Please write the commands into /opt/course/7/node.sh and /opt/course/7/pod.sh . 译文在集群中已经安装了metrics-server。你们学院想知道使用 kubectl 的命令获取如下信息。 显示节点资源使用情况 显示Pod和其容器的资源使用情况 请将这些命令写入/opt/course/7/node.sh 和 /opt/course/7/pod.sh 。 解答参考: kubectl top node -h kubectl top...
2023-01-09
CKA 模拟真题 Killer.sh | Question 8 | Get Controlplane Information
Use context: kubectl config use-context k8s-c1-H Ssh into the controlplane node with ssh cluster1-controlplane1 . Check how the controlplane components kubelet, kube-apiserver, kube-scheduler, kube-controller-manager and etcd are started/installed on the controlplane node. Also find out the name of the DNS application and how it’s started/installed on the controlplane node. Write your findings into file /opt/course/8/controlplane-components.txt . The file should be structured...
2023-01-09
CKA 模拟真题 Killer.sh | Question 11 | DaemonSet on all Nodes
Use context: kubectl config use-context k8s-c1-H Use Namespace project-tiger for the following. Create a DaemonSet named ds-important with image httpd:2.4-alpine and labels id=ds-important and uuid=18426a0b-5f59-4e10-923f-c0e078e82462 . The Pods it creates should request 10 millicore cpu and 10 mebibyte memory. The Pods of that DaemonSet should run on all nodes, also controlplanes. 译文在命名空间 project-tiger 进行如下操作。创建一个名为 ds-important 的 DaemonSet ,镜像为 httpd:2.4-alpine ,标签 id=ds-important ,...
2023-01-10
CKA 模拟真题 Killer.sh | Preview Question 3
Use context: kubectl config use-context k8s-c2-AC Create a Pod named check-ip in Namespace default using image httpd:2.4.41-alpine . Expose it on port 80 as a ClusterIP Service named check-ip-service . Remember/output the IP of that Service. Change the Service CIDR to 11.96.0.0/12 for the cluster. Then create a second Service named check-ip-service2 pointing to the same Pod to check if your settings did take effect. Finally check if the IP of the first Service has...
2023-01-09
CKA 模拟真题 Killer.sh | Question 12 | Deployment on all Nodes
Use context: kubectl config use-context k8s-c1-H Use Namespace project-tiger for the following. Create a Deployment named deploy-important with label id=very-important (the Pods should also have this label) and 3 replicas. It should contain two containers, the first named container1 with image nginx:1.17.6-alpine and the second one named container2 with image kubernetes/pause . There should be only ever one Pod of that Deployment running on one worker node. We have two worker nodes:...
评论
