Free Practice Questions for Linux Foundation CKS Exam

Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.Create a Role name john-role to list secrets, pods in namespace johnFinally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john. To Verify:Use the kubectl auth CLI command to verify the permissions.

• A . Explanation:
  se kubectl to create a CSR and approve it.
  Get the list of CSRs:
  kubectl get csr
  Approve the CSR:
  kubectl certificate approve myuser
  Get the certificate
  Retrieve the certificate from the CSR:
  kubectl get csr/myuser -o yaml
  here are the role and role-binding to give john permission to create NEW_CRD resource:
  kubectl apply -f roleBindingJohn.yaml --as=john
  rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created
  kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
  name: john_crd
  namespace: development-john
  subjects:
  - kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
  roleRef:
  kind: ClusterRole
  name: crd-creation
  kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
  name: crd-creation
  rules:
  - apiGroups: ['kubernetes-client.io/v1']
  resources: ['NEW_CRD']
  verbs: ['create, list, get']
  

Create a PSP that will only allow the persistentvolumeclaim as the volume type in the namespace restricted.Create a new PodSecurityPolicy named prevent-volume-policy which prevents the pods which is having different volumes mount apart from persistentvolumeclaim.Create a new ServiceAccount named psp-sa in the namespace restricted.Create a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policyCreate a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.Hint:Also, Check the Configuration is working or not by trying to Mount a Secret in the pod maifest, it should get failed.POD Manifest:apiVersion: v1kind: Podmetadata:name:spec:containers:- name:image:volumeMounts:- name:mountPath:volumes:- name:secret:secretName:

• A . Explanation:
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
  name: restricted
  annotations:
  seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
  apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
  seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
  apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
  spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
  - ALL
  # Allow core volume types.
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  # Assume that persistentVolumes set up by the cluster admin are safe to use.
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
  # Require the container to run without root privileges.
  rule: 'MustRunAsNonRoot'
  seLinux:
  # This policy assumes the nodes are using AppArmor rather than SELinux.
  rule: 'RunAsAny'
  supplementalGroups:
  rule: 'MustRunAs'
  ranges:
  # Forbid adding the root group.
  - min: 1
  max: 65535
  fsGroup:
  rule: 'MustRunAs'
  ranges:
  # Forbid adding the root group.
  - min: 1
  max: 65535
  readOnlyRootFilesystem: false
  

Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

• A . Explanation:
  Install the Runtime Class for gVisor
  { # Step 1: Install a RuntimeClass
  cat <<EOF | kubectl apply -f -
  apiVersion: node.k8s.io/v1beta1
  kind: RuntimeClass
  metadata:
  name: gvisor
  handler: runsc
  EOF
  }
  Create a Pod with the gVisor Runtime Class
  { # Step 2: Create a pod
  cat <<EOF | kubectl apply -f -
  apiVersion: v1
  kind: Pod
  metadata:
  name: nginx-gvisor
  spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
  image: nginx
  EOF
  }
  Verify that the Pod is running
  { # Step 3: Get the pod
  kubectl get pod nginx-gvisor -o wide
  }
  

Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic

• A . Explanation:
  You can create a 'default' isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.
  ---
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: default-deny-ingress
  spec:
  podSelector: {}
  policyTypes:
  - Ingress
  You can create a 'default' egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.
  ---
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: allow-all-egress
  spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress
  Default deny all ingress and all egress traffic
  You can create a 'default' policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.
  ---
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
  name: default-deny-all
  spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.
  

Using the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format[timestamp],[uid],[processName]

• Send us your feedback on it.
• Send us your

use the Trivy to scan the following images,1. amazonlinux:12. k8s.gcr.io/kube-controller-manager:v1.18.6Look for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in /opt/trivy-vulnerable.txt

• Send us your suggestion on it.
• Send us your suggestion

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

• A . Explanation:
  Create psp to disallow privileged container
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
  name: deny-access-role
  rules:
  - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - ''deny-policy''
  k create sa psp-denial-sa -n development
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
  name: restrict-access-bing
  roleRef:
  kind: ClusterRole
  name: deny-access-role
  apiGroup: rbac.authorization.k8s.io
  subjects:
  - kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
  Explanation
  master1 $ vim psp.yaml
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
  name: deny-policy
  spec:
  privileged: false # Don't allow privileged pods!
  seLinux:
  rule: RunAsAny
  supplementalGroups:
  rule: RunAsAny
  runAsUser:
  rule: RunAsAny
  fsGroup:
  rule: RunAsAny
  volumes:
  - '*'
  master1 $ vim cr1.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
  name: deny-access-role
  rules:
  - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - ''deny-policy''
  master1 $k create sa psp-denial-sa -n development
  
  master1 $ vim cb1.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
  name: restrict-access-bing
  roleRef:
  kind: ClusterRole
  name: deny-access-role
  apiGroup: rbac.authorization.k8s.io
  subjects:
  # Authorize specific service accounts:
  - kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
  master1 $k apply -f psp.yaml
  master1 $k apply -f cr1.yaml
  master1 $k apply -f cb1.yaml
  
  Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/
  

a. Retrieve the content of the existing secret nameddefault-token-xxxxxin the testing namespace.Store the value of the token in the token.txtb. Create a new secret named test-db-secret in the DB namespace with the following content:username:mysqlpassword:password@123Create the Pod name test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials

• A . Explanation:
  To add a Kubernetes cluster to your project, group, or instance:
  Navigate to your:
  Project'sOperations > Kubernetespage, for a project-level cluster.
  Group'sKubernetespage, for a group-level cluster.
  Admin Area >Kubernetespage, for an instance-level cluster.
  ClickAdd Kubernetes cluster.
  Click theAdd existing clustertab and fill in the details:
  Kubernetes cluster name(required) - The name you wish to give the cluster.
  Environment scope(required) - Theassociated environmentto this cluster.
  API URL(required) - It's the URL that GitLab uses to access the Kubernetes API. Kubernetes exposes several APIs, we want the ''base'' URL that is common to all of them. For example,https://kubernetes.example.comrather thanhttps://kubernetes.example.com/api/v1.
  Get the API URL by running this command:
  kubectl cluster-info | grep -E 'Kubernetes master|Kubernetes control plane' | awk '/http/ {print $NF}'
  CA certificate(required) - A valid Kubernetes certificate is needed to authenticate to the cluster. We use the certificate created by default.
  List the secrets withkubectl get secrets, and one should be named similar todefault-token-xxxxx. Copy that token name for use below.
  Get the certificate by running this command:
  kubectl get secret <secret name> -o jsonpath='{['data']['ca\.crt']}'
  

Analyze and edit the given DockerfileFROM ubuntu:latestRUN apt-get update -yRUN apt-install nginx -yCOPY entrypoint.sh /ENTRYPOINT ['/entrypoint.sh']USER ROOTFixing two instructions present in the file being prominent security best practice issuesAnalyze and edit the deployment manifest fileapiVersion: v1kind: Podmetadata:name: security-context-demo-2spec:securityContext:runAsUser: 1000containers:- name: sec-ctx-demo-2image: gcr.io/google-samples/node-hello:1.0securityContext:runAsUser: 0privileged: TrueallowPrivilegeEscalation: falseFixing two fields present in the file being prominent security best practice issuesDon't add or remove configuration settings; only modify the existing configuration settingsWhenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487

• A . Explanation:
  FROM debian:latest
  MAINTAINER [email protected]
  # 1 - RUN
  RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
  RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
  RUN apt-get clean
  # 2 - CMD
  #CMD ['htop']
  #CMD ['ls', '-l']
  # 3 - WORKDIR and ENV
  WORKDIR /root
  ENV DZ version1
  $ docker image build -t bogodevops/demo .
  Sending build context to Docker daemon 3.072kB
  Step 1/7 : FROM debian:latest
  ---> be2868bebaba
  Step 2/7 : MAINTAINER [email protected]
  ---> Using cache
  ---> e2eef476b3fd
  Step 3/7 : RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
  ---> Using cache
  ---> 32fd044c1356
  Step 4/7 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
  ---> Using cache
  ---> 0a5b514a209e
  Step 5/7 : RUN apt-get clean
  ---> Using cache
  ---> 5d1578a47c17
  Step 6/7 : WORKDIR /root
  ---> Using cache
  ---> 6b1c70e87675
  Step 7/7 : ENV DZ version1
  ---> Using cache
  ---> cd195168c5c7
  Successfully built cd195168c5c7
  Successfully tagged bogodevops/demo:latest
  

Create a PSP that will prevent the creation of privileged pods in the namespace.Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.Create a new ServiceAccount named psp-sa in the namespace default.Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

• A . Explanation:
  Create a PSP that will prevent the creation of privileged pods in the namespace.
  $ cat clusterrole-use-privileged.yaml
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
  name: use-privileged-psp
  rules:
  - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - default-psp
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
  name: privileged-role-bind
  namespace: psp-test
  roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-privileged-psp
  subjects:
  - kind: ServiceAccount
  name: privileged-sa
  $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
  After a few moments, the privileged Pod should be created.
  Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
  name: example
  spec:
  privileged: false # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
  rule: RunAsAny
  supplementalGroups:
  rule: RunAsAny
  runAsUser:
  rule: RunAsAny
  fsGroup:
  rule: RunAsAny
  volumes:
  - '*'
  And create it with kubectl:
  kubectl-admin create -f example-psp.yaml
  Now, as the unprivileged user, try to create a simple pod:
  kubectl-user create -f- <<EOF
  apiVersion: v1
  kind: Pod
  metadata:
  name: pause
  spec:
  containers:
  - name: pause
  image: k8s.gcr.io/pause
  EOF
  The output is similar to this:
  Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
  Create a new ServiceAccount named psp-sa in the namespace default.
  $ cat clusterrole-use-privileged.yaml
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
  name: use-privileged-psp
  rules:
  - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - default-psp
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
  name: privileged-role-bind
  namespace: psp-test
  roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-privileged-psp
  subjects:
  - kind: ServiceAccount
  name: privileged-sa
  $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
  After a few moments, the privileged Pod should be created.
  Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
  name: example
  spec:
  privileged: false # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
  rule: RunAsAny
  supplementalGroups:
  rule: RunAsAny
  runAsUser:
  rule: RunAsAny
  fsGroup:
  rule: RunAsAny
  volumes:
  - '*'
  And create it with kubectl:
  kubectl-admin create -f example-psp.yaml
  Now, as the unprivileged user, try to create a simple pod:
  kubectl-user create -f- <<EOF
  apiVersion: v1
  kind: Pod
  metadata:
  name: pause
  spec:
  containers:
  - name: pause
  image: k8s.gcr.io/pause
  EOF
  The output is similar to this:
  Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
  Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
  apiVersion: rbac.authorization.k8s.io/v1
  # This role binding allows 'jane' to read pods in the 'default' namespace.
  # You need to already have a Role named 'pod-reader' in that namespace.
  kind: RoleBinding
  metadata:
  name: read-pods
  namespace: default
  subjects:
  # You can specify more than one 'subject'
  - kind: User
  name: jane # 'name' is case sensitive
  apiGroup: rbac.authorization.k8s.io
  roleRef:
  # 'roleRef' specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
  namespace: default
  name: pod-reader
  rules:
  - apiGroups: [''] # '' indicates the core API group
  resources: ['pods']
  verbs: ['get', 'watch', 'list']