CKS Mock Exam (Killer.sh) | Preview Question 1
Use context: kubectl config use-context infra-prod. You have admin access to cluster2. There is also a context gianna@infra-prod which authenticates as user gianna against the same cluster. Existing cluster-level RBAC resources are in place to, among other things, ensure that user gianna can never read Secret contents cluster-wide. Confirm that this is the case, or restrict the existing RBAC resources so that it is. In addition, create further RBAC resources to allow user gianna to create Pods and...
CKS Mock Exam (Killer.sh) | Question 22 | Manual Static Security Analysis
(can be solved in any kubectl context) The Release Engineering Team has shared some YAML manifests and Dockerfiles with you for review. The files are located under /opt/course/22/files. As a container security expert, you are asked to perform a manual static analysis and find possible security issues with respect to unwanted credential exposure. Running processes as root is of no concern in this task. Write the filenames which have issues into /opt/course/22/security-issues. NOTE: In...
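Added example for the static-analysis task above. It is not part of the original post or the Killer.sh solution: a grep/awk pre-pass that flags the credential-exposure patterns a reviewer looks for in Dockerfiles and manifests (a secret-looking ENV/ARG, key material copied into a layer, an env var with a literal `value:` instead of a `secretKeyRef`). The review directory, file names and file contents below are constructed for the demo and stand in for /opt/course/22/files.

```shell
#!/usr/bin/env bash
# Added example (not from the exam or its solution): a grep/awk pre-pass that flags
# files leaking credentials, so the manual review can focus on the hits.
# Heuristics only; directory, filenames and contents below are constructed for the demo.

# Dockerfile: ENV/ARG with a secret-looking name (ARG values also persist in image history).
has_plaintext_env_secret() {
  grep -qiE '^(ENV|ARG)[[:space:]]+[A-Z_]*(PASS(WORD)?|SECRET|TOKEN|API_?KEY)' "$1"
}

# Dockerfile: key material copied into an image layer.
has_copied_key_material() {
  grep -qE '^(COPY|ADD)[[:space:]].*(id_rsa|id_ed25519|\.pem|\.key|credentials|\.aws)' "$1"
}

# Manifest: env var with a secret-looking name whose next line is a literal `value:`
# instead of `valueFrom:` (secretKeyRef). awk exits 0 only when such a pair is found.
has_literal_yaml_secret() {
  awk '
    /^[ \t]*-?[ \t]*name:[ \t]*"?[A-Za-z_]*(PASS|SECRET|TOKEN|API_?KEY|_KEY)/ { pending = 1; next }
    pending && /^[ \t]*value:/                                               { found = 1; exit }
    { pending = 0 }
    END { exit !found }
  ' "$1"
}

# flag_credential_exposure <dir>: print the basenames of offending files, sorted.
flag_credential_exposure() {
  local f
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if has_plaintext_env_secret "$f" || has_copied_key_material "$f" || has_literal_yaml_secret "$f"; then
      printf '%s\n' "${f##*/}"
    fi
  done | LC_ALL=C sort
}

# Constructed review set standing in for /opt/course/22/files.
REVIEW_DIR=$(mktemp -d)
cat > "$REVIEW_DIR/Dockerfile-bad" <<'EOF'
FROM alpine:3.12
ENV DB_PASSWORD=hunter2
CMD ["/app"]
EOF
cat > "$REVIEW_DIR/Dockerfile-copykey" <<'EOF'
FROM alpine:3.12
COPY id_rsa /root/.ssh/id_rsa
CMD ["/app"]
EOF
cat > "$REVIEW_DIR/Dockerfile-good" <<'EOF'
FROM alpine:3.12
RUN apk add --no-cache nginx
USER nobody
CMD ["nginx", "-g", "daemon off;"]
EOF
cat > "$REVIEW_DIR/deploy-bad.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        image: registry.example.test/app:v1
        env:
        - name: DB_PASSWORD
          value: "hunter2"
EOF
cat > "$REVIEW_DIR/deploy-good.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        image: registry.example.test/app:v1
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: password
EOF

flag_credential_exposure "$REVIEW_DIR"
# In the exam: flag_credential_exposure /opt/course/22/files > /opt/course/22/security-issues
```

The patterns are a starting point, not a verdict: still read every flagged and unflagged file, since a password passed as a build ARG, mounted from a hostPath, or written into an image via RUN echo will not match these regexes.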
CKS Mock Exam (Killer.sh) | Question 21 | Image Vulnerability Scanning
Task weight: 2% (can be solved in any kubectl context) The vulnerability scanner trivy is installed on your main terminal. Use it to scan the following images for known CVEs: nginx:1.16.1-alpine, k8s.gcr.io/kube-apiserver:v1.18.0, k8s.gcr.io/kube-controller-manager:v1.18.0, docker.io/weaveworks/weave-kube:2.7.0. Write all images that do not contain the vulnerabilities CVE-2020-10878 or CVE-2020-1967 into /opt/course/21/good-images. ...
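Added example for the scanning task above, not part of the original post or the Killer.sh solution: a loop that runs a scanner over the image list and keeps only the images whose report mentions neither CVE. To run offline it uses a stub scanner whose report excerpts are constructed and do not reflect the real vulnerability status of these images; the `trivy_scan` wrapper is what you would pass in the exam (it assumes trivy is on PATH).

```shell
#!/usr/bin/env bash
# Added example (not from the exam or its solution): filter an image list down to the
# images whose scan report contains none of the forbidden CVEs.

# Match the two CVE IDs exactly (the trailing group stops CVE-2020-1967 matching CVE-2020-19671).
BAD_CVES='CVE-2020-(10878|1967)([^0-9]|$)'

# Real scanner wrapper for the exam (assumption: trivy on PATH).
trivy_scan() { trivy image "$1"; }

# Stub scanner with CONSTRUCTED report excerpts; the findings are made up for the demo
# and say nothing about the real vulnerability status of these images.
stub_scan() {
  case "$1" in
    nginx:1.16.1-alpine)                        printf 'CVE-2020-1967 | libssl1.1 | HIGH\n' ;;
    k8s.gcr.io/kube-apiserver:v1.18.0)          printf 'CVE-2020-10878 | perl-base | HIGH\n' ;;
    k8s.gcr.io/kube-controller-manager:v1.18.0) printf 'CVE-2020-1971 | libssl1.1 | HIGH\n' ;;
    docker.io/weaveworks/weave-kube:2.7.0)      printf 'No vulnerabilities found\n' ;;
    *) return 1 ;;
  esac
}

# good_images <scan-cmd> < image-list: print images whose report has none of BAD_CVES.
# A failed scan is reported on stderr and the image is NOT written as good.
good_images() {
  local scan=$1 img report
  while IFS= read -r img; do
    [ -n "$img" ] || continue
    report=$("$scan" "$img") || { echo "scan failed: $img" >&2; continue; }
    if ! printf '%s\n' "$report" | grep -qE "$BAD_CVES"; then
      printf '%s\n' "$img"
    fi
  done
}

IMAGES='nginx:1.16.1-alpine
k8s.gcr.io/kube-apiserver:v1.18.0
k8s.gcr.io/kube-controller-manager:v1.18.0
docker.io/weaveworks/weave-kube:2.7.0'

printf '%s\n' "$IMAGES" | good_images stub_scan
# In the exam: printf '%s\n' "$IMAGES" | good_images trivy_scan > /opt/course/21/good-images
```

Treating a failed scan as "not good" matters: an image that could not be pulled or scanned has no evidence of being clean, so it must not end up in the good-images list.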
CKS Mock Exam (Killer.sh) | Question 20 | Update Kubernetes (upgrade the k8s cluster)
Task weight: 8% Use context: kubectl config use-context workload-stage. The cluster is running Kubernetes 1.25.5; update it to 1.26.0. Use the apt package manager and kubeadm for this. Use ssh cluster3-controlplane1 and ssh cluster3-node1 to connect to the instances. Solution: check the current version with kubectl get node. First...
CKS Mock Exam (Killer.sh) | Question 19 | Immutable Root Filesystem
Task weight: 2% Use context: kubectl config use-context workload-prod. The Deployment immutable-deployment in Namespace team-purple should run immutable; it is created from the file /opt/course/19/immutable-deployment.yaml. Even after a successful break-in, it should not be possible for an attacker to modify the filesystem of the running container. Modify the Deployment so that no process inside the container can modify the local filesystem; only the /tmp directory should be writable. Don't...
CKS Mock Exam (Killer.sh) | Question 18 | Investigate Break-in via Audit Log
Task weight: 4% Use context: kubectl config use-context infra-prod. Namespace security contains five Secrets of type Opaque which can be considered highly confidential. The latest Incident-Prevention-Investigation revealed that ServiceAccount p.auster had too broad access to the cluster for some time. This SA should never have had access to any Secrets in that Namespace. Find out which Secrets in Namespace security this SA did access by looking at the Audit Logs under /opt/course/18/audit.log...
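Added example for the audit-log investigation above, not part of the original post or the Killer.sh solution: grep/sed filters that pull from a JSON-lines audit log the Secrets one identity actually read, keeping only successful responses (each request appears twice, as RequestReceived and ResponseComplete, and a 403 means nothing was read) and separately flagging a list/watch of the whole namespace, after which every Secret in it has to be treated as exposed. The log lines are constructed in the kube-apiserver audit event shape and stand in for /opt/course/18/audit.log; the Secret names and the assumption that the SA lives in namespace security (username system:serviceaccount:security:p.auster) are mine.

```shell
#!/usr/bin/env bash
# Added example (not the exam's solution): which Secrets did one identity read, per the audit log?
# CONSTRUCTED audit events below (kube-apiserver JSON-lines shape, trimmed) stand in for
# /opt/course/18/audit.log. Secret names and the SA's namespace are assumptions for the demo.

AUDIT_FILE=$(mktemp)
cat > "$AUDIT_FILE" <<'EOF'
{"level":"Metadata","stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:security:p.auster","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"security","name":"vault-token","apiVersion":"v1"}}
{"level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:security:p.auster","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"security","name":"vault-token","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:security:p.auster","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"security","name":"db-creds","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:security:p.auster","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"security","name":"api-key","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","reason":"Forbidden","code":403}}
{"level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"kubernetes-admin","groups":["system:masters"]},"objectRef":{"resource":"secrets","namespace":"security","name":"vault-token","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:security:p.auster","groups":["system:serviceaccounts"]},"objectRef":{"resource":"configmaps","namespace":"security","name":"app-config","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:security:p.auster","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"default","name":"ci-token","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:security:p.auster","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"security","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
EOF

# _events <logfile> <username> <namespace> <resource> <verb-regex>
# Events for one identity on one resource type in one namespace, successful responses only:
# drops the RequestReceived twin of every request and any 403.
_events() {
  grep -F "\"username\":\"$2\"" "$1" \
    | grep -F "\"resource\":\"$4\"" \
    | grep -F "\"namespace\":\"$3\"" \
    | grep -E "\"verb\":\"($5)\"" \
    | grep -F '"code":200'
}

# secrets_read_by <logfile> <username> <namespace>: names of Secrets fetched one by one.
secrets_read_by() {
  _events "$1" "$2" "$3" secrets get \
    | sed -nE 's/.*"objectRef":[{][^}]*"name":"([^"]+)".*/\1/p' \
    | LC_ALL=C sort -u
}

# secrets_bulk_read_by <logfile> <username> <namespace>: exit 0 if the identity listed or
# watched the namespace's Secrets, i.e. saw all of them at once (no objectRef.name then).
secrets_bulk_read_by() {
  _events "$1" "$2" "$3" secrets 'list|watch' | grep -q .
}

SA=system:serviceaccount:security:p.auster
echo "Secrets in security read individually by $SA:"
secrets_read_by "$AUDIT_FILE" "$SA" security
if secrets_bulk_read_by "$AUDIT_FILE" "$SA" security; then
  echo "WARNING: $SA also listed/watched secrets in security; treat every Secret there as exposed"
fi
```

The list/watch check is the part people miss: a single successful list returns every Secret's data, so the answer is not just the names that show up in get events.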
CKS Mock Exam (Killer.sh) | Question 17 | Audit Log Policy
Task weight: 7% Use context: kubectl config use-context infra-prod. Audit Logging has been enabled in the cluster with an Audit Policy located at /etc/kubernetes/audit/policy.yaml on cluster2-controlplane1. Change the configuration so that only one backup of the logs is stored. Alter the Policy so that it only stores logs: from Secret resources, at level Metadata; from the "system:nodes" userGroup, at level RequestResponse. After you have altered the Policy, make sure to empty the log file so it...
CKS Mock Exam (Killer.sh) | Question 16 | Docker Image Attack Surface
Task weight: 7% Use context: kubectl config use-context workload-prod. There is a Deployment image-verify in Namespace team-blue which runs the image registry.killer.sh:5000/image-verify:v1. DevSecOps has asked you to improve this image by: changing the base image to alpine:3.12; not installing curl; updating nginx to use the version constraint >=1.18.0; running the main process as user myuser. Do not add any new lines to the Dockerfile, just edit existing ones. The file is located at ...
CKS Mock Exam (Killer.sh) | Question 15 | Configure TLS on Ingress
Task weight: 4% Use context: kubectl config use-context workload-prod. In Namespace team-pink there is an existing Nginx Ingress resource named secure which accepts two paths, /app and /api, which point to different ClusterIP Services. From your main terminal you can connect to it, for example: HTTP: curl -v http://secure-ingress.test:31080/app; HTTPS: curl -kv https://secure-ingress.test:31443/app. Right now it uses a default TLS certificate generated by the Nginx Ingress...
CKS Mock Exam (Killer.sh) | Question 14 | Syscall Activity
Task weight: 4% Use context: kubectl config use-context workload-prod. There are Pods in Namespace team-yellow. A security investigation noticed that some processes running in these Pods are using the syscall kill, which is forbidden by a Team Yellow internal policy. Find the offending Pod(s) and remove them by reducing the replicas of the parent Deployment to 0. ...