Task weight: 2%

Use context: kubectl config use-context workload-prod

The Deployment immutable-deployment in Namespace team-purple should run immutable, it’s created from file /opt/course/19/immutable-deployment.yaml . Even after a successful break-in, it shouldn’t be possible for an attacker to modify the filesystem of the running container.

Modify the Deployment in a way that no processes inside the container can modify the local filesystem, only /tmp directory should be writeable. Don’t modify the Docker image.

Save the updated YAML under /opt/course/19/immutable-deployment-new.yaml and update the running Deployment.


Solution

Inspect the Deployment

k -n team-purple edit deploy -o yaml
# kubectl -n team-purple edit deploy -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: team-purple
  name: immutable-deployment
  labels:
    app: immutable-deployment
...
spec:
  replicas: 1
  selector:
    matchLabels:
      app: immutable-deployment
  template:
    metadata:
      labels:
        app: immutable-deployment
    spec:
      containers:
      - image: busybox:1.32.0
        command: ['sh', '-c', 'tail -f /dev/null']
        imagePullPolicy: IfNotPresent
        name: busybox
      restartPolicy: Always

Edit the manifest file

cp /opt/course/19/immutable-deployment.yaml /opt/course/19/immutable-deployment-new.yaml

vim /opt/course/19/immutable-deployment-new.yaml
# /opt/course/19/immutable-deployment-new.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: team-purple
  name: immutable-deployment
  labels:
    app: immutable-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: immutable-deployment
  template:
    metadata:
      labels:
        app: immutable-deployment
    spec:
      containers:
      - image: busybox:1.32.0
        command: ['sh', '-c', 'tail -f /dev/null']
        imagePullPolicy: IfNotPresent
        name: busybox
        securityContext:                 # add
          readOnlyRootFilesystem: true   # add
        volumeMounts:                    # add
        - mountPath: /tmp                # add
          name: temp-vol                 # add
      volumes:                           # add
      - name: temp-vol                   # add
        emptyDir: {}                     # add
      restartPolicy: Always

Apply the file: delete the previously created Deployment and create the new one

k delete -f /opt/course/19/immutable-deployment-new.yaml
k create -f /opt/course/19/immutable-deployment-new.yaml

Verification

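As an added verification aid (not part of the original solution and not a Kubernetes or kubectl feature), the following Python script expresses the task's requirement as a policy check over the pod template, the way an admission-policy rule would: harden_pod_spec applies the same change as the edited manifest above, and audit_pod_spec reports any container whose root filesystem is still writable or that has a writable mount other than an emptyDir at /tmp. The manifest dict, the function names and the "temp-vol" naming are constructed for this example.

```python
from copy import deepcopy

# Constructed: the pod template spec from immutable-deployment.yaml as a dict
ORIGINAL_POD_SPEC = {
    "containers": [{
        "name": "busybox",
        "image": "busybox:1.32.0",
        "command": ["sh", "-c", "tail -f /dev/null"],
        "imagePullPolicy": "IfNotPresent",
    }],
    "restartPolicy": "Always",
}


def harden_pod_spec(spec, writable_paths=("/tmp",)):
    """Return a copy of spec with a read-only root filesystem in every
    container and an emptyDir volume mounted at each path that must stay
    writable (the same edit as the manifest above)."""
    spec = deepcopy(spec)
    volumes = spec.setdefault("volumes", [])
    for container in spec["containers"]:
        container.setdefault("securityContext", {})["readOnlyRootFilesystem"] = True
    for i, path in enumerate(writable_paths):
        name = "temp-vol" if i == 0 else f"temp-vol-{i}"   # constructed naming
        volumes.append({"name": name, "emptyDir": {}})
        for container in spec["containers"]:
            container.setdefault("volumeMounts", []).append(
                {"mountPath": path, "name": name})
    return spec


def audit_pod_spec(spec, allowed_writable=("/tmp",)):
    """Return a list of findings; an empty list means every container has a
    read-only root filesystem and only allowed paths, backed by emptyDir, are
    writable. readOnlyRootFilesystem does not affect mounted volumes, so a
    writable hostPath or other volume mount is reported as well."""
    findings = []
    emptydirs = {v["name"] for v in spec.get("volumes", []) if "emptyDir" in v}
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: readOnlyRootFilesystem is not true")
        for m in c.get("volumeMounts", []):
            if m.get("readOnly"):
                continue  # a read-only mount cannot be written to
            if m["mountPath"] not in allowed_writable:
                findings.append(f"{c['name']}: writable mount at {m['mountPath']}")
            elif m["name"] not in emptydirs:
                findings.append(f"{c['name']}: {m['mountPath']} is not an emptyDir")
    return findings
```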