CKS Mock Exam Questions Killer.sh | Question 13 | Restrict access to Metadata Server
Task weight: 7% Use context: kubectl config use-context infra-prod There is a metadata service available at http://192.168.100.21:32000 on which Nodes can reach sensitive data, like cloud credentials for initialisation. By default, all Pods in the cluster also have access to this endpoint. The DevSecOps team has asked you to restrict access to this metadata server. In Namespace metadata-access: Create a NetworkPolicy named metadata-deny which prevents egress to 192.168.100.21 for all Pods...
CKS Mock Exam Questions Killer.sh | Question 12 | Hack Secrets
Task weight: 8% Use context: kubectl config use-context restricted@infra-prod You're asked to investigate a possible permission escape in Namespace restricted. The context authenticates as user restricted, which has only limited permissions and shouldn't be able to read Secret values. Try to find the password-key values of the Secrets secret1, secret2 and secret3 in Namespace restricted. Write the decoded plaintext values into files /opt/course/12/secret1, /opt/course/12/secret2 and ...
CKS Mock Exam Questions Killer.sh | Question 11 | Secrets in ETCD
Task weight: 7% Use context: kubectl config use-context workload-prod There is an existing Secret called database-access in Namespace team-green. Read the complete Secret content directly from ETCD (using etcdctl) and store it into /opt/course/11/etcd-secret-content. Write the plain and decoded Secret's value of key "pass" into /opt/course/11/database-password. Translation: Task weight: 7%. Use context: kubectl config use-context workload-prod. In Namespace team-green there is an existing Secret named data-access. Read directly from ETCD the complete...
CKS Mock Exam Questions Killer.sh | Question 10 | Container Runtime Sandbox gVisor
Task weight: 4% Use context: kubectl config use-context workload-prod Team purple wants to run some of their workloads more securely. Worker node cluster1-node2 has the container engine containerd already installed, and it's configured to support the runsc/gVisor runtime. Create a RuntimeClass named gvisor with handler runsc. Create a Pod that uses the RuntimeClass. The Pod should be in Namespace team-purple, named gvisor-test and of image nginx:1.19.2. Make sure the Pod runs on ...
CKS Mock Exam Questions Killer.sh | Question 9 | AppArmor Profile
Task weight: 3% Use context: kubectl config use-context workload-prod Some containers need to run more securely and restricted. There is an existing AppArmor profile located at /opt/course/9/profile for this. Install the AppArmor profile on Node cluster1-node1. Connect using ssh cluster1-node1. Add label security=apparmor to the Node. Create a Deployment named apparmor in Namespace default with: One replica of image nginx:1.19.2, NodeSelector for security=apparmor, Single container named c1...
CKS Mock Exam Questions Killer.sh | Question 8 | Secure Kubernetes Dashboard
Task weight: 3% Use context: kubectl config use-context workload-prod The Kubernetes Dashboard is installed in Namespace kubernetes-dashboard and is configured to: Allow users to "skip login"; Allow insecure access (HTTP without authentication); Allow basic authentication; Allow access from outside the cluster. You are asked to make it more secure by: Denying users the option to "skip login"; Denying insecure access and enforcing HTTPS (self-signed certificates are ok for now); Adding the --auto-generate-certificates...
CKS Mock Exam Questions Killer.sh | Question 7 | Open Policy Agent
Task weight: 6% Use context: kubectl config use-context infra-prod The Open Policy Agent and Gatekeeper have been installed to, among other things, enforce blacklisting of certain image registries. Alter the existing constraint and/or template to also blacklist images from very-bad-registry.com. Test it by creating a single Pod using image very-bad-registry.com/image in Namespace default; it shouldn't work. You can also verify your changes by looking at the existing Deployment...
CKS Mock Exam Questions Killer.sh | Question 6 | Verify Platform Binaries
Task weight: 2% (can be solved in any kubectl context) There are four Kubernetes server binaries located at /opt/course/6/binaries. You're provided with the following verified sha512 values for these: kube-apiserver f417c0555bc0167355589dd1afe23be9bf909bf98312b1025f12015d1b58a1c62c9908c0067a7764fa35efdac7016a9efa8711a44425dd6692906a7c283f032c kube-controller-manager...
CKS Mock Exam Questions Killer.sh | Question 5 | CIS Benchmark
Task weight: 3% Use context: kubectl config use-context infra-prod You're asked to evaluate specific settings of cluster2 against the CIS Benchmark recommendations. Use the tool kube-bench, which is already installed on the nodes. Connect using ssh cluster2-controlplane1 and ssh cluster2-node1. On the master node ensure (correct if necessary) that the CIS recommendations are set for: The --profiling argument of the kube-controller-manager; The ownership of directory /var/lib/etcd. On the...
CKS Mock Exam Questions Killer.sh | Question 4 | Pod Security Standard
Task weight: 8% Use context: kubectl config use-context workload-prod There is a Deployment container-host-hacker in Namespace team-red which mounts /run/containerd as a hostPath volume on the Node where it's running. This means that the Pod can access various data about other containers running on the same Node. To prevent this, configure Namespace team-red to enforce the baseline Pod Security Standard. Once completed, delete the Pod of the Deployment mentioned above. Check the...