New CKS Dumps – Certified Kubernetes Security Specialist (CKS) Certification

The Certified Kubernetes Security Specialist (CKS) certification is a performance-based exam that tests candidates' knowledge of Kubernetes and cloud security in a simulated, real-world environment. New CKS dumps have been released online with 29 practice exam questions and answers to help candidates pass the Certified Kubernetes Security Specialist (CKS) certification exam.

Check Certified Kubernetes Security Specialist (CKS) Free Dumps

1. CORRECT TEXT

Create a PSP that will only allow the persistentvolumeclaim as the volume type in the namespace restricted.

Create a new PodSecurityPolicy named prevent-volume-policy which prevents pods from mounting any volume type other than persistentvolumeclaim.

Create a new ServiceAccount named psp-sa in the namespace restricted.

Create a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policy

Create a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.

Hint:

Also, check whether the configuration is working by trying to mount a Secret in the Pod manifest; it should fail.

POD Manifest:

    apiVersion: v1
    kind: Pod
    metadata:
      name:
    spec:
      containers:
      - name:
        image:
        volumeMounts:
        - name:
          mountPath:
      volumes:
      - name:
        secret:
          secretName:

2. CORRECT TEXT

a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace.

Store the value of the token in token.txt.

b. Create a new secret named test-db-secret in the db namespace with the following content:

username: mysql

password: password@123

Create a Pod named test-db-pod using the image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials.

3. CORRECT TEXT

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:-

✑ a. Ensure the --authorization-mode argument includes RBAC

✑ b. Ensure the --authorization-mode argument includes Node

✑ c. Ensure that the --profiling argument is set to false

Fix all of the following violations that were found against the Kubelet:-

✑ a. Ensure the --anonymous-auth argument is set to false.

✑ b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against the ETCD:-

a. Ensure that the --auto-tls argument is not set to true

Hint: Use the tool kube-bench.
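
The checks listed in this question, written as a small audit over component command lines. This is an added example, not part of the original question set and not kube-bench's own code. It assumes the settings are passed as command-line flags, as the question words them; the function names and the sample command lines are constructed for illustration.

```python
# Added example: audit component flags against the checks listed in the question.

def parse_flags(command):
    """Turn ['etcd', '--a=b', '--c'] into {'a': 'b', 'c': 'true'}."""
    flags = {}
    for arg in command:
        if not arg.startswith("--"):
            continue
        name, sep, value = arg[2:].partition("=")
        flags[name] = value if sep else "true"  # a bare boolean flag means true
    return flags

def audit(component, command):
    """Return the list of violated checks for one component's command line."""
    flags = parse_flags(command)
    modes = [m for m in flags.get("authorization-mode", "").split(",") if m]
    findings = []
    if component == "kube-apiserver":
        for required in ("RBAC", "Node"):
            if required not in modes:
                findings.append(f"--authorization-mode does not include {required}")
        if flags.get("profiling", "true").lower() != "false":  # flag default is true
            findings.append("--profiling is not set to false")
    elif component == "kubelet":
        if flags.get("anonymous-auth", "true").lower() != "false":  # flag default is true
            findings.append("--anonymous-auth is not set to false")
        if modes != ["Webhook"]:
            findings.append("--authorization-mode is not set to Webhook")
    elif component == "etcd":
        if flags.get("auto-tls", "false").lower() == "true":
            findings.append("--auto-tls is set to true")
    return findings

# Constructed sample command lines (not taken from a real cluster).
BEFORE = {
    "kube-apiserver": ["kube-apiserver", "--authorization-mode=AlwaysAllow", "--profiling=true"],
    "kubelet": ["kubelet", "--anonymous-auth=true", "--authorization-mode=AlwaysAllow"],
    "etcd": ["etcd", "--auto-tls=true"],
}
AFTER = {
    "kube-apiserver": ["kube-apiserver", "--authorization-mode=Node,RBAC", "--profiling=false"],
    "kubelet": ["kubelet", "--anonymous-auth=false", "--authorization-mode=Webhook"],
    "etcd": ["etcd", "--auto-tls=false"],
}

if __name__ == "__main__":
    for label, cluster in (("before", BEFORE), ("after", AFTER)):
        for component, command in cluster.items():
            print(label, component, audit(component, command) or "OK")
```

An absent flag is judged by the component's flag default, so an API server started without --profiling is still reported.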

4. CORRECT TEXT

On the cluster worker node, enforce the prepared AppArmor profile:

    #include <tunables/global>

    profile nginx-deny flags=(attach_disconnected) {
      #include <abstractions/base>

      file,

      # Deny all file writes.
      deny /** w,
    }

Edit the prepared manifest file to include the AppArmor profile.

    apiVersion: v1
    kind: Pod
    metadata:
      name: apparmor-pod
    spec:
      containers:
      - name: apparmor-pod
        image: nginx

Finally, apply the manifest file and create the Pod specified in it.

Verify: Try to create a file inside the restricted directory.

5. CORRECT TEXT

Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.

Create a Pod of image nginx in the namespace server to run on the gVisor runtime class.

6. CORRECT TEXT

Create a new NetworkPolicy named deny-all in the namespace testing which denies all ingress and egress traffic.

7. Does not allow access from Pods, not in namespace staging.

8. CORRECT TEXT

Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt

Create a new Role named dev-test-role in the namespace test-system, which can perform update operations on resources of type namespaces.

Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod's ServiceAccount (found in the nginx pod running in namespace test-system).


 
