A Company Provides Vce Files Free and Valid Dumps PDF

VCEDumps offers free and valid VCE files and PDF dumps for the Certified Kubernetes Security Specialist (CKS) exam provided by the Linux Foundation. The document includes various tasks and solutions related to Kubernetes security practices, such as using kubesec for scanning YAML manifests and managing service accounts and roles. It emphasizes best practices for container security and provides detailed instructions for specific exam scenarios.

Uploaded by

Elmaaradi Ayoub

VCEDumps

http://www.vcedumps.com
A company provides vce files free and valid dumps pdf
CKS vce files, CKS dumps pdf
IT Certification Guaranteed, The Easy Way!

Exam : CKS

Title : Certified Kubernetes Security Specialist (CKS)

Vendor : Linux Foundation

Version : DEMO

CKS vce exam, CKS dumps free, CKS dumps pdf 1


https://www.vcedumps.com/CKS-examcollection.html

NO.1 Use the kubesec docker image to scan the given YAML manifest, then edit and apply the advised
changes so that the manifest passes with a score of 4 points.
kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
spec:
  containers:
  - name: kubesec-demo
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      readOnlyRootFilesystem: true
Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
Answer:
kubesec scan k8s-deployment.yaml

cat <<EOF > kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
spec:
  containers:
  - name: kubesec-demo
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      readOnlyRootFilesystem: true
EOF

kubesec scan kubesec-test.yaml

docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

kubesec http 8080 &
[1] 12345
{"severity":"info","timestamp":"2019-05-12T11:58:34.662+0100","caller":"server/server.go:69","message":"Starting HTTP server on port 8080"}

curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan
[
  {
    "object": "Pod/security-context-demo.default",
    "valid": true,
    "message": "Failed with a score of -30 points",
    "score": -30,
    "scoring": {
      "critical": [
        {
          "selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN",
          "reason": "CAP_SYS_ADMIN is the most privileged capability and should always be avoided"
        },
        {
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege"
        },
        // ...

NO.2 You must complete this task on the following cluster/nodes:
Cluster: immutable-cluster
Master node: master1
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context immutable-cluster
Context: It is best practice to design containers to be stateless and immutable.
Task: Inspect Pods running in namespace prod and delete any Pod that is either not stateless or not immutable. Use the following strict interpretation of stateless and immutable:
1. Pods being able to store data inside containers must be treated as not stateless. Note: You don't have to worry about whether data is already stored inside the containers or not.
2. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.
Answer:


Reference: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
https://cloud.google.com/architecture/best-practices-for-operating-containers
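The answer above is missing from the dump, so here is an added example (my code, not the dump's or kubesec's) that applies the NO.2 strict rules, plus the two kubesec findings shown in NO.1 (an added SYS_ADMIN capability, a missing runAsNonRoot), to the JSON that `kubectl get pods -n prod -o json` returns. The three Pod objects are constructed, and the mapping of "able to store data" and "privileged in any way" onto Pod fields is my interpretation of the task text: writable root filesystem or writable volume mount for the first, privileged mode, host namespaces, added capabilities or privilege escalation for the second.

```python
"""Flag Pods that are not stateless or not immutable (strict reading of NO.2).

Added example, not part of the exam dump. Feed it the output of
    kubectl get pods -n prod -o json > pods.json
or run it as-is on the constructed sample below. The mapping of the exam's two
rules onto Pod fields is an assumption: rule 1 ("able to store data") is read as
a writable root filesystem or a writable volume mount; rule 2 ("privileged in any
way") as privileged mode, host namespaces, added capabilities or privilege escalation.
"""
import json
import sys


def _containers(pod):
    """All containers of a Pod, init containers included."""
    spec = pod.get("spec", {})
    return list(spec.get("containers", [])) + list(spec.get("initContainers", []))


def evaluate_pod(pod):
    """Return a dict with the verdict and the reasons behind it."""
    spec = pod.get("spec", {})
    stateless, immutable, reasons, advice = True, True, [], []

    for c in _containers(pod):
        sc = c.get("securityContext") or {}

        # Rule 1: any way for a container to write data -> not stateless.
        if sc.get("readOnlyRootFilesystem") is not True:
            stateless = False
            reasons.append(f"{c['name']}: root filesystem writable (readOnlyRootFilesystem != true)")
        for vm in c.get("volumeMounts") or []:
            if not vm.get("readOnly", False):
                stateless = False
                reasons.append(f"{c['name']}: writable volume mount at {vm.get('mountPath')}")

        # Rule 2: privileged in any way -> potentially not immutable.
        if sc.get("privileged") is True:
            immutable = False
            reasons.append(f"{c['name']}: privileged: true")
        if sc.get("allowPrivilegeEscalation") is True:
            immutable = False
            reasons.append(f"{c['name']}: allowPrivilegeEscalation: true")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            immutable = False
            note = " (CAP_SYS_ADMIN is the most privileged capability)" if "SYS_ADMIN" in added else ""
            reasons.append(f"{c['name']}: adds capabilities {added}{note}")

        # kubesec-style advice from NO.1; recorded but does not change the verdict.
        if sc.get("runAsNonRoot") is not True:
            advice.append(f"{c['name']}: set runAsNonRoot: true")

    # Host namespaces are pod-level settings.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag) is True:
            immutable = False
            reasons.append(f"pod: {flag}: true")

    return {"name": pod["metadata"]["name"], "stateless": stateless,
            "immutable": immutable, "reasons": reasons, "advice": advice}


def pods_to_delete(pods):
    """Names of Pods that fail either rule, sorted for stable output."""
    return sorted(r["name"] for r in map(evaluate_pod, pods)
                  if not (r["stateless"] and r["immutable"]))


# Constructed sample in the shape of `kubectl get pods -o json` (namespace prod).
SAMPLE_PODS = {"items": [
    {   # compliant: read-only root fs, non-root, no volumes, no privilege
        "metadata": {"name": "api-frontend", "namespace": "prod"},
        "spec": {"containers": [{"name": "web", "image": "example/web:1.0",
                 "securityContext": {"readOnlyRootFilesystem": True, "runAsNonRoot": True}}]}},
    {   # not stateless: writable emptyDir mounted at /data
        "metadata": {"name": "cache-db", "namespace": "prod"},
        "spec": {"volumes": [{"name": "data", "emptyDir": {}}],
                 "containers": [{"name": "db", "image": "example/db:2.3",
                 "securityContext": {"readOnlyRootFilesystem": True},
                 "volumeMounts": [{"name": "data", "mountPath": "/data"}]}]}},
    {   # not immutable: privileged, SYS_ADMIN added, host PID namespace
        "metadata": {"name": "privileged-agent", "namespace": "prod"},
        "spec": {"hostPID": True,
                 "containers": [{"name": "agent", "image": "example/agent:0.9",
                 "securityContext": {"readOnlyRootFilesystem": True, "privileged": True,
                                     "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
]}


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PODS
    for verdict in map(evaluate_pod, data["items"]):
        status = "OK" if verdict["stateless"] and verdict["immutable"] else "DELETE"
        print(f"{status:6} {verdict['name']}")
        for line in verdict["reasons"] + verdict["advice"]:
            print("       -", line)
```

Run it as `python3 check_pods.py pods.json` against a saved `kubectl get pods -n prod -o json`; the names it prints with DELETE are the ones the task asks you to remove with `kubectl delete pod <name> -n prod`. Because the exam wording is strict, a Pod whose root filesystem is merely writable is reported even if nothing ever writes to it.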

NO.3 Create a new ServiceAccount named backend-sa in the existing namespace default, which has
the capability to list the pods inside the namespace default.
Create a new Pod named backend-pod in the namespace default, mount the newly created ServiceAccount
backend-sa to the pod, and verify that the pod is able to list pods.
Ensure that the Pod is running.
Answer:
A service account provides an identity for processes that run in a Pod.
When you (a human) access the cluster (for example, using kubectl), you are authenticated by the
apiserver as a particular User Account (currently this is usually admin, unless your cluster
administrator has customized your cluster). Processes in containers inside pods can also contact the
apiserver. When they do, they are authenticated as a particular Service Account (for example,
default).
When you create a pod, if you do not specify a service account, it is automatically assigned the
default service account in the same namespace. If you get the raw json or yaml for a pod you have
created (for example, kubectl get pods/<podname> -o yaml), you can see the
spec.serviceAccountName field has been automatically set.
You can access the API from inside a pod using automatically mounted service account credentials, as
described in Accessing the Cluster. The API permissions of the service account depend on the
authorization plugin and policy in use.
In version 1.6+, you can opt out of automounting API credentials for a service account by setting
automountServiceAccountToken: false on the service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false
...
In version 1.6+, you can also opt out of automounting API credentials for a particular pod:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
...
The pod spec takes precedence over the service account if both specify an
automountServiceAccountToken value.

NO.4 Context
A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following
tasks to reduce the set of permissions.
Task
Given an existing Pod named web-pod running in the namespace security.
Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch
operations, only on resources of type services.
Create a new Role named role-2 in the namespace security, which only allows performing update
operations, only on resources of type namespaces.
Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's
ServiceAccount.

Answer:


NO.5 Given an existing Pod named nginx-pod running in the namespace test-system, fetch the
service-account-name used and put the content in /candidate/KSC00124.txt
Create a new Role named dev-test-role in the namespace test-system, which can perform update
operations on resources of type namespaces.
Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the
Pod's ServiceAccount (found in the Nginx pod running in namespace test-system).
Answer:
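The answers to NO.4 and NO.5 are missing from the dump, and NO.3's answer only quotes the ServiceAccount docs. All three tasks come down to the same thing: give a ServiceAccount exactly one verb on exactly one resource type and nothing more. The Python below is an added example (my code, not the dump's answer and not a Kubernetes library): it mirrors how the RBAC authorizer matches a PolicyRule on verb, resource and apiGroup with `*` wildcards, builds the Role and RoleBinding manifests the tasks ask for as dicts, and reports any (verb, resource) pair a Role grants beyond the intended one. The overly permissive "before" Role and the names dev-role and backend-role are constructed; sa-dev-1, role-2, role-2-binding, dev-test-role and backend-sa come from the tasks. Subresources (such as pods/log) and resourceNames are deliberately left out of the matcher.

```python
"""Check that a Role grants only the (verb, resource) pairs it is meant to.

Added example, not the dump's answer. The matcher mirrors the RBAC authorizer's
verb / resource / apiGroup matching with '*' wildcards; subresources (pods/log)
and resourceNames are intentionally not modelled. Manifests below are dicts in
the shape of the YAML you would `kubectl apply`; the overly permissive "before"
Role and the names dev-role / backend-role are constructed, the rest come from
tasks NO.3-NO.5.
"""
from itertools import product


def rule_allows(rule, verb, resource, api_group=""):
    """One PolicyRule matches when verb, resource and apiGroup all match ('*' matches anything)."""
    verbs = rule.get("verbs", [])
    resources = rule.get("resources", [])
    groups = rule.get("apiGroups", [])
    return (("*" in verbs or verb in verbs)
            and ("*" in resources or resource in resources)
            and ("*" in groups or api_group in groups))


def role_allows(role, verb, resource, api_group=""):
    """A Role allows a request when any one of its rules does."""
    return any(rule_allows(r, verb, resource, api_group) for r in role.get("rules", []))


def granted_pairs(role):
    """Every (verb, resource) the Role hands out; '*' is kept literally so wildcards stand out."""
    pairs = set()
    for rule in role.get("rules", []):
        pairs.update(product(rule.get("verbs", []), rule.get("resources", [])))
    return pairs


def excess_grants(role, intended):
    """(verb, resource) pairs beyond the intended set; an empty list means least privilege holds."""
    return sorted(granted_pairs(role) - set(intended))


def make_role(name, namespace, verbs, resources, api_groups=("",)):
    """Role manifest with a single rule; pods, services and namespaces live in the core ("") group."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": namespace},
            "rules": [{"apiGroups": list(api_groups), "resources": list(resources),
                       "verbs": list(verbs)}]}


def make_rolebinding(name, namespace, role_name, sa_name):
    """RoleBinding manifest tying one Role to one ServiceAccount in the same namespace."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": name, "namespace": namespace},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                        "name": role_name}}


def binding_links(binding, role_name, namespace, sa_name):
    """True when the RoleBinding ties exactly this Role to this ServiceAccount."""
    ref = binding["roleRef"]
    return (ref["kind"] == "Role" and ref["name"] == role_name and any(
        s["kind"] == "ServiceAccount" and s["name"] == sa_name
        and s.get("namespace") == namespace for s in binding["subjects"]))


# Constructed "before" state for NO.4: the Role bound to sa-dev-1 allows everything.
ROLE_BEFORE = make_role("dev-role", "security", ["*"], ["*"], ["*"])
# NO.4: the edited Role (watch on services only) and role-2 (update on namespaces only).
ROLE_AFTER = make_role("dev-role", "security", ["watch"], ["services"])
ROLE_2 = make_role("role-2", "security", ["update"], ["namespaces"])
BINDING_2 = make_rolebinding("role-2-binding", "security", "role-2", "sa-dev-1")
# NO.5: dev-test-role; the ServiceAccount name is read from nginx-pod (see usage note).
DEV_TEST_ROLE = make_role("dev-test-role", "test-system", ["update"], ["namespaces"])
# NO.3: backend-sa may list pods in default; the Role name backend-role is constructed.
BACKEND_ROLE = make_role("backend-role", "default", ["list"], ["pods"])

if __name__ == "__main__":
    for role, intended in ((ROLE_BEFORE, {("watch", "services")}),
                           (ROLE_AFTER, {("watch", "services")}),
                           (ROLE_2, {("update", "namespaces")}),
                           (DEV_TEST_ROLE, {("update", "namespaces")}),
                           (BACKEND_ROLE, {("list", "pods")})):
        extra = excess_grants(role, intended)
        print(f"{role['metadata']['namespace']}/{role['metadata']['name']}: "
              + ("least privilege OK" if not extra else f"excess grants {extra}"))
```

On a real cluster the same objects are created imperatively, for example `kubectl create role role-2 -n security --verb=update --resource=namespaces` and `kubectl create rolebinding role-2-binding -n security --role=role-2 --serviceaccount=security:sa-dev-1`; for NO.5 the account name comes from `kubectl get pod nginx-pod -n test-system -o jsonpath='{.spec.serviceAccountName}'`. The check the exam grader effectively performs is `kubectl auth can-i watch services --as=system:serviceaccount:security:sa-dev-1 -n security` (expected yes) next to `kubectl auth can-i get services --as=system:serviceaccount:security:sa-dev-1 -n security` (expected no), which is what `excess_grants` answers offline for a manifest.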
