ExamGecko
Login
Home / Linux Foundation / CKS / List of questions
Ask Question

Linux Foundation CKS Practice Test - Questions Answers, Page 5

List of questions

Question 41

Report
Export
Collapse

Linux Foundation CKS image Question 41 51519 09182024213140000000

Context

A default-deny NetworkPolicy avoids to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task

Create a new default-deny NetworkPolicy named defaultdeny in the namespace testing for all traffic of type Egress.

The new NetworkPolicy must deny all Egress traffic in the namespace testing.

Apply the newly created default-deny NetworkPolicy to all Pods running in namespace testing.

Linux Foundation CKS image Question 41 51519 09182024213140000000

Become a Premium Member for full access
  Unlock Premium Member

Question 42

Report
Export
Collapse

Context

Linux Foundation CKS image Question 42 51520 09182024213140000000

A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.

Task

Create a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.

Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.

Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.

Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp-restrict-sa.

Linux Foundation CKS image Question 42 51520 09182024213140000000

Become a Premium Member for full access
  Unlock Premium Member

Question 43

Report
Export
Collapse

Linux Foundation CKS image Question 43 51521 09182024213140000000

Task

Analyze and edit the given Dockerfile /home/candidate/KSSC00301/Docker file (based on the ubuntu:16.04 image), fixing two instructions present in the file that are prominent security/bestpractice issues.

Analyze and edit the given manifest file /home/candidate/KSSC00301/deployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues.

Linux Foundation CKS image Question 43 51521 09182024213140000000

Linux Foundation CKS image Question 43 51521 09182024213140000000

Become a Premium Member for full access
  Unlock Premium Member

Question 44

Report
Export
Collapse

Linux Foundation CKS image Question 44 51522 09182024213140000000

Context

The kubeadm-created cluster's Kubernetes API server was, for testing purposes, temporarily configured to allow unauthenticated and unauthorized access granting the anonymous user dusteradmin access.

Task

Reconfigure the cluster's Kubernetes API server to ensure that only authenticated and authorized REST requests are allowed.

Use authorization mode Node,RBAC and admission controller NodeRestriction.

Cleaning up, remove the ClusterRoleBinding for user system:anonymous.

Linux Foundation CKS image Question 44 51522 09182024213140000000

Linux Foundation CKS image Question 44 51522 09182024213140000000

Become a Premium Member for full access
  Unlock Premium Member
Total 44 questions
Go to page: of 5
Open VPLUS File
Convert VPLUS to PDF

Related questions

Context AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet. Task On the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor. Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile. Finally, apply the manifest file and create the Pod specified in it.
Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default. Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and Verify that the pod is able to list pods. Ensure that the Pod is running.
Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that 1. logs are stored at /var/log/kubernetes-logs.txt. 2. Log files are retained for 12 days. 3. at maximum, a number of 8 old audit logs files are retained. 4. set the maximum size before getting rotated to 200MB Edit and extend the basic policy to log: 1. namespaces changes at RequestResponse 2. Log the request body of secrets changes in the namespace kube-system. 3. Log all other resources in core and extensions at the Request level. 4. Log "pods/portforward", "services/proxy" at Metadata level. 5. Omit the Stage RequestReceived All other requests at the Metadata level
Context A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately. Task Fix all issues via configuration and restart the affected components to ensure the new settings take effect. Fix all of the following violations that were found against the API server: Fix all of the following violations that were found against the Kubelet: Fix all of the following violations that were found against etcd:
Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.
Create a User named john, create the CSR Request, fetch the certificate of the user after approving it. Create a Role name john-role to list secrets, pods in namespace john Finally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john. To Verify: Use the kubectl auth CLI command to verify the permissions.
Cluster: scanner Master node: controlplane Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context scanner Given: You may use Trivy's documentation. Task: Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato. Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images. Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.
You must complete this task on the following cluster/nodes: Cluster: immutable-cluster Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context immutable-cluster Context: It is best practice to design containers to be stateless and immutable. Task: Inspect Pods running in namespace prod and delete any Pod that is either not stateless or not immutable. Use the following strict interpretation of stateless and immutable: 1. Pods being able to store data inside containers must be treated as not stateless. Note: You don't have to worry whether data is actually stored inside containers or not already. 2. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.
Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points. kubesec-test.yaml apiVersion: v1 kind: Pod metadata: name: kubesec-demo spec: containers: - name: kubesec-demo image: gcr.io/google-samples/node-hello:1.0 securityContext: readOnlyRootFilesystem: true Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
Context A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster s configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images. Task Given an incomplete configuration in directory /etc/kubernetes/epconfig and a functional container image scanner with HTTPS endpoint https://wakanda.local:8081 /image_policy : 1. Enable the necessary plugins to create an image policy 2. Validate the control configuration and change it to an implicit deny 3. Edit the configuration to point to the provided HTTPS endpoint correctlyFinally, test if the configuration is working by trying to deploy the vulnerable resource /root/KSSC00202/vulnerable-resource.yml.