Linux Foundation CKS - Certified Kubernetes Security Specialist (CKS)

Linux Foundation CKS Premium Access Download Demo

Page: 1 / 2
Total 64 questions

Question # 1

Documentation Deployments, Pods, bom Command Help bom-help

You must connect to the correct host. Failure to do so may result in a zero score.

[candidate@base] $ ssh cks000035

Task

The alpine Deployment in the alpine namespace has three containers that run different versions of the alpine image.

First, find out which version of the alpine image contains the libcrypto3 package at version 3.1.4-r5.

Next, use the pre-installed bom tool to create an SPDX document for the identified image version at /home/candidate/alpine.spdx.

You can find the bom tool documentation at bom.

Finally, update the alpine Deployment and remove the container that uses the idenfied image version.

The Deployment's manifest file can be found at /home/candidate/alpine-deployment.yaml.

Do not modify any other containers of the Deployment.

Explanation:

1) Connect to the correct host

ssh cks000035

sudo -i

export KUBECONFIG=/etc/kubernetes/admin.conf

2) List the 3 container names + images in the Deployment

kubectl -n alpine get deploy alpine -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}'

Youâ€™ll get 3 lines like:

c1 alpine:3.xx

c2 alpine:3.yy

c3 alpine:3.zz

3) Identify which alpine image has libcrypto3 at 3.1.4-r5

Fastest reliable method (since itâ€™s Alpine, just query apk inside each image):

Run these one-by-one for each image you saw in step 2:

docker run --rm sh -c 'apk info -v libcrypto3 2>/dev/null | head -n1'

âœ… The correct image is the one that prints exactly:

libcrypto3-3.1.4-r5

Note that full image tag, e.g.:

IMG=alpine:3.xx

4) Create SPDX document with bom for that identified image

(Use the identified image from step 3.)

bom generate --image $IMG --format spdx --output /home/candidate/alpine.spdx

Verify file exists:

ls -l /home/candidate/alpine.spdx

5) Remove ONLY the container that uses that image version

The manifest to edit is:

vi /home/candidate/alpine-deployment.yaml

In the spec.template.spec.containers: list, find the container entry whose image: equals the identified $IMG, and delete that one container block only (name/image/ports/etc for that container).

Save:

6) Apply the updated Deployment (do not change other containers)

kubectl apply -f /home/candidate/alpine-deployment.yaml

Wait rollout:

kubectl -n alpine rollout status deployment/alpine

7) Verify only 2 containers remain

kubectl -n alpine get deploy alpine -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}'

You should now see 2 lines, and the $IMG line should be gone.

If bom generate ... errors (quick fix)

Check exact syntax on that system:

bom --help

bom generate --help

Then rerun with the flags it expects, keeping:

image = $IMG

output = /home/candidate/alpine.spdx

format = spdx

Question # 2

Task

Analyze and edit the given Dockerfile /home/candidate/KSSC00301/Docker file (based on the ubuntu:16.04 image), fixing two instructions present in the file that are prominent security/best-practice issues.

Analyze and edit the given manifest file /home/candidate/KSSC00301/deployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues.

Question # 3

You must connect to the correct host . Failure to do so may

result in a zero score.

[candidato@base] $ ssh cks000023

Task

Analyze and edit the Dockerfile located at /home/candidate/subtle-bee/build/Dockerfile, fixing one instruction present in the file that is a prominent security/best-practice issue.

Do not add or remove instructions; only modify the one existing instruction with a security/best-practice concern.

Do not build the Dockerfile, Failure to do so may result in running out of storage and a zero score.

Analyze and edit the given manifest file /home/candidate/subtle-bee/deployment.yaml, fixing one fields present in the file that are a prominent security/best-practice issue.

Do not add or remove fields; only modify the one existing field with a security/best-practice concern.

Should you need an unprivileged user for any of the tasks, use user nobody with user ID 65535.

Explanation:

0) Connect to the correct host

ssh cks000023

sudo -i

PART A â€” Fix ONE prominent Dockerfile security/best-practice issue

1) Open the Dockerfile

vi /home/candidate/subtle-bee/build/Dockerfile

2) Find the â€œmost obviousâ€ security/best-practice problem and modify ONLY THAT ONE instruction

Use / search in vi to quickly find candidates:

Candidate 1 (very common): USER root (or no USER but a USER 0)

Search:

/USER

If you see:

USER root

Change that single instruction to:

USER 65535

(or USER nobody if that exact word is already used in the fileâ€”but the task explicitly allows UID 65535, so USER 65535 is safest.)

âœ… This is one-instruction change and is a top-tier best practice.

Candidate 2 (very common): FROM <image>:latest

Search:

/FROM

If you see something like:

FROM nginx:latest

Change ONLY that line to a pinned tag (example):

FROM nginx:1.25.5

(Any non-latest pinned version is the point. Donâ€™t add a digest line; just modify the existing FROM line.)

Candidate 3: ADD http://... (remote URL download)

Search:

/ADD

If you see remote URL usage like:

ADD https://example.com/app.tar.gz /app/

Change that single instruction to COPY only if itâ€™s copying local files.

If itâ€™s a remote URL, the more â€œcorrectâ€ fix would normally be using curl with verification, but that would require adding instructions (not allowed).

So in this exam constraint, do NOT pick this unless itâ€™s actually a local add like:

ADD . /app

Then change just the word:

COPY . /app

3) Save and exit

âš ï¸ Donâ€™t run docker build (task forbids building).

PART B â€” Fix ONE prominent security/best-practice issue in the Deployment manifest

4) Open the manifest

vi /home/candidate/subtle-bee/deployment.yaml

5) Change ONLY ONE existing field that is a clear security issue

Use / search in vi for the usual â€œbad fieldsâ€:

Option 1 (most common): running as root

Search:

/runAsUser

If you see:

runAsUser: 0

Change that one existing field value to:

runAsUser: 65535

âœ… This is a single-field change and matches the prompt hint.

Option 2: privileged container

Search:

/privileged

If you see:

privileged: true

Change only that value to:

privileged: false

Option 3: allow privilege escalation

Search:

/allowPrivilegeEscalation

If you see:

allowPrivilegeEscalation: true

Change only that value to:

allowPrivilegeEscalation: false

Option 4: writable root filesystem

Search:

/readOnlyRootFilesystem

If you see:

readOnlyRootFilesystem: false

Change only that value to:

readOnlyRootFilesystem: true

Option 5: image uses :latest

Search:

/image:

If you see:

image: something:latest

Change only that value to a pinned tag, e.g.:

image: something:1.2.3

6) Save and exit

What to pick (fast decision rule)

If you see run as root in either file, thatâ€™s usually the highest scoring / most â€œprominentâ€ security issue.

Dockerfile: USER root â†’ USER 65535

Deployment: runAsUser: 0 â†’ runAsUser: 65535

Those are perfect because you only modify one line/field and it matches the hint.

Question # 4

Documentation Namespace, NetworkPolicy, Pod

You must connect to the correct host . Failure to do so may result in a zero score.

[candidate@base] $ ssh cks000031

Context

You must implement NetworkPolicies controlling the traffic flow of existing Deployments across namespaces.

Task

First, create a NetworkPolicy named deny-policy in the prod namespace to block all ingress traffic.

The prod namespace is labeled env:prod

Next, create a NetworkPolicy named allow-from-prod in the data namespace to allow ingress traffic only from Pods in the prod namespace.

Use the label of the prod names & Click to copy traffic.

The data namespace is labeled env:data

Do not modify or delete any namespaces or Pods . Only create the required NetworkPolicies.

Question # 5

Context

For testing purposes, the kubeadm provisioned cluster 's API server

was configured to allow unauthenticated and unauthorized access.

Task

First, secure the cluster 's API server configuring it as follows:

. Forbid anonymous authentication

. Use authorization mode Node,RBAC

. Use admission controller NodeRestriction

The cluster uses the Docker Engine as its container runtime . If needed, use the docker command to troubleshoot running containers.

kubectl is configured to use unauthenticated and unauthorized access. You do not have to change it, but be aware that kubectl will stop working once you have secured the cluster .

You can use the cluster 's original kubectl configuration file located at etc/kubernetes/admin.conf to access the secured cluster.

Next, to clean up, remove the ClusterRoleBinding

system:anonymous.

Question # 6

You can switch the cluster/configuration context using the following command:

[desk@cli] $Â kubectl config use-context devÂ

A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task:Â Create a new default-deny NetworkPolicy namedÂ deny-networkÂ in the namespaceÂ testÂ for all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespaceÂ test.

Apply the newly createdÂ default-denyÂ NetworkPolicy to all Pods running in namespaceÂ test.

You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

Question # 7

Task

Create a NetworkPolicy named pod-access to restrict access to Pod users-service running in namespace dev-team.

Only allow the following Pods to connect to Pod users-service:

Pods in the namespace qa

Pods with label environment: testing, in any namespace

Question # 8

Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.

Question # 9

Documentation Upgrading kubeadm clusters

You must connect to the correct host . Failure to do so may result in a zero score.

[candidate@base] $ ssh cks000034

Context

The kubeadm provisioned cluster was recently upgraded, leaving one node on a slightly older version due to workload compatibility concerns.

Task

Upgrade the cluster node compute-0 to match the version of the control plane node.

Use a command like the following to connect to the compute node:

[candidate@cks000034] $ ssh compute-0

Do not modify any running workloads in the cluster.

Do not forget to exit from the compute node once you have completed your tasks:

[candidate@icompute-e] $ exit

Question # 10

A container image scanner is set up on the cluster.

Given an incomplete configuration in the directory

/etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy

1. Enable the admission plugin.

2. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying the pod having the image tag as latest.

Month End Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Linux Foundation CKS - Certified Kubernetes Security Specialist (CKS)

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation: