Free CKS Exam Braindumps (page: 4)

Page 4 of 13

Use Trivy to scan the following images:
1. amazonlinux:1
2. k8s.gcr.io/kube-controller-manager:v1.18.6

Look for images with HIGH or CRITICAL severity vulnerabilities and store the output in /opt/trivy-vulnerable.txt.

  1. Answer is pending. Send us your suggestion on it.

Answer(s): A
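One way to do the task above, as an added shell example that is not part of the original page: each image is scanned with Trivy restricted to HIGH and CRITICAL findings, and Trivy's `--exit-code 1` option (which makes it exit 1 when a finding at the requested severities exists) is used to decide which images get written to the output file. The function name and the `--run` entry point are this example's own; the image names and the output path come from the task.

```shell
#!/bin/sh
# Added example: scan images with Trivy and record the ones that have
# HIGH or CRITICAL findings. Only the image list and the output path
# come from the task; the structure is this example's own.

# scan_images OUTFILE IMAGE...
# For every vulnerable image, writes the image name followed by Trivy's
# report to OUTFILE. Prints the number of vulnerable images on stdout.
scan_images() {
    outfile=$1; shift
    : > "$outfile"                 # truncate so a re-run does not append stale data
    vulnerable=0
    for img in "$@"; do
        # --severity limits the report; --exit-code 1 turns "has such a finding"
        # into the exit status, so the if/else below is the HIGH/CRITICAL test.
        if report=$(trivy image --severity HIGH,CRITICAL --exit-code 1 "$img" 2>/dev/null); then
            echo "clean: $img" >&2
        else
            vulnerable=$((vulnerable + 1))
            printf '%s\n' "$img" >> "$outfile"
            printf '%s\n' "$report" >> "$outfile"
        fi
    done
    echo "$vulnerable"
}

# Usage on the exam node (writes the file the task asks for):
#   sh scan.sh --run amazonlinux:1 k8s.gcr.io/kube-controller-manager:v1.18.6
if [ "${1:-}" = "--run" ]; then
    shift
    scan_images "${OUT:-/opt/trivy-vulnerable.txt}" "$@"
fi
```

One caveat: Trivy also exits non-zero when it cannot pull or analyse an image, so an image that failed to scan would be recorded as vulnerable. Read the report text that was written for each image (an empty report means the scan itself failed) before handing the file in.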







Two tools are pre-installed on the cluster's worker node:

sysdig
falco

Using the tool of your choice (including any non-pre-installed tool), analyze the container's behavior for at least 30 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at /opt/KSRS00101/alerts/details, containing the detected incidents, one per line, in the following format:



The following example shows a properly formatted incident file:





  1. See Explanation section for answer.

Answer(s): A

Explanation:
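The page gives no worked answer for this task. As an added example that is not part of the original page, the following script uses sysdig (one of the two pre-installed tools) with a filter for successfully executed processes and a fixed capture length, and writes one event per line to the incident file. The task's own format line is missing from this page, so the three fields used in `-p` below are a stand-in: replace them with the fields and order the task prescribes. The function name and the `--run` entry point are this example's own.

```shell
#!/bin/sh
# Added example: record process spawns in one container for N seconds
# with sysdig, one incident per line. The output field order is a
# placeholder and must be replaced by the format the task specifies.

# record_spawns CONTAINER_NAME SECONDS OUTFILE
# Prints the number of incident lines written.
record_spawns() {
    cname=$1; secs=$2; out=$3
    mkdir -p "$(dirname "$out")"
    # -M stops the capture after SECONDS; -p formats each event.
    # "evt.type=execve and evt.dir=<" keeps only the exit side of execve,
    # i.e. every process that actually started, reported exactly once
    # (this is also what Falco's spawned_process macro matches).
    sysdig -M "$secs" -p '%evt.time,%user.uid,%proc.name' \
        "container.name=$cname and evt.type=execve and evt.dir=<" \
        > "$out"
    wc -l < "$out" | tr -d ' '
}

# Usage on the worker node (30 s capture, file path from the task):
#   sh watch.sh --run <container-name> 30 /opt/KSRS00101/alerts/details
if [ "${1:-}" = "--run" ]; then
    record_spawns "$2" "${3:-30}" "${4:-/opt/KSRS00101/alerts/details}"
fi
```

Use `docker ps` or `crictl ps` on the node to find the container name first, and check the file is non-empty after the 30 seconds: an empty file usually means the container name in the filter did not match rather than that nothing ran.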











Create a user named john, create the CSR request, and fetch the user's certificate after approving it. Create a Role named john-role to list secrets and pods in the namespace john. Finally, create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.

To Verify: Use the kubectl auth CLI command to verify the permissions.

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Use kubectl to create a CSR and approve it.

Get the list of CSRs:
kubectl get csr
Approve the CSR:
kubectl certificate approve myuser
Get the certificate
Retrieve the certificate from the CSR:
kubectl get csr/myuser -o yaml
The issued certificate is in status.certificate, base64-encoded.

Here are the role and role-binding that give john permission to create the NEW_CRD resource. They are a template only: for this task the Role must be named john-role, the RoleBinding john-role-binding, both in the namespace john, with resources secrets and pods and the verb list.

kubectl apply -f roleBindingJohn.yaml --as=john
rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: john_crd
  namespace: development-john
subjects:
- kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: crd-creation
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crd-creation
rules:
- apiGroups: ["kubernetes-client.io/v1"]
  resources: ["NEW_CRD"]
  verbs: ["create", "list", "get"]
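The complete procedure for this task, as an added shell example that is not part of the original page: key and CSR generation with openssl, the CertificateSigningRequest object signed by the built-in kube-apiserver-client signer, approval, certificate extraction, the Role and RoleBinding with the names the task asks for, and the `kubectl auth can-i` checks. The helper names, the file names john.key/john.csr/john.crt and the `--run` entry point are this example's own; it needs kubectl with cluster-admin rights and openssl on the machine it runs on.

```shell
#!/bin/sh
# Added example: user john with a client certificate, a Role to list
# secrets and pods in namespace john, and a RoleBinding, then verification.
USER_NAME=john
NS=john

# Role john-role: list secrets and pods in namespace john (core API group).
role_manifest() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: john-role
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["secrets", "pods"]
  verbs: ["list"]
EOF
}

# RoleBinding john-role-binding: user john -> Role john-role, same namespace.
rolebinding_manifest() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: john-role-binding
  namespace: $NS
subjects:
- kind: User
  name: $USER_NAME
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: john-role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# csr_manifest NAME BASE64_CSR: CSR object for a client certificate. The
# signerName is required with certificates.k8s.io/v1.
csr_manifest() {
    cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $2
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Runs against the live cluster (kubectl as an admin, openssl installed).
provision_john() {
    openssl genrsa -out john.key 2048
    openssl req -new -key john.key -out john.csr -subj "/CN=$USER_NAME"
    csr_manifest "$USER_NAME" "$(base64 < john.csr | tr -d '\n')" | kubectl apply -f -
    kubectl certificate approve "$USER_NAME"
    # status.certificate is base64-encoded PEM; decode it to get john.crt
    kubectl get csr "$USER_NAME" -o jsonpath='{.status.certificate}' | base64 -d > john.crt
    kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
    role_manifest | kubectl apply -f -
    rolebinding_manifest | kubectl apply -f -
    # Verify: expected answers are yes, yes, no
    kubectl auth can-i list secrets --as="$USER_NAME" -n "$NS"
    kubectl auth can-i list pods --as="$USER_NAME" -n "$NS"
    kubectl auth can-i delete pods --as="$USER_NAME" -n "$NS" || true
}

if [ "${1:-}" = "--run" ]; then provision_john; fi
```

`kubectl auth can-i ... --as=john` checks RBAC without needing john's certificate at all; to prove the certificate itself works, add it with `kubectl config set-credentials john --client-key=john.key --client-certificate=john.crt` and run the same `list` commands as that user.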



Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:-
1. Ensure that the RotateKubeletServerCertificate argument is set to true.
2. Ensure that the admission control plugin PodSecurityPolicy is set.
3. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

Fix all of the following violations that were found against the Kubelet:-
4. Ensure the --anonymous-auth argument is set to false.
5. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against the ETCD:-
6. Ensure that the --auto-tls argument is not set to true.
7. Ensure that the --peer-auto-tls argument is not set to true.

Hint: use the tool kube-bench.

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Fix all of the following violations that were found against the API server:-

a) Ensure that the RotateKubeletServerCertificate argument is set to true.

RotateKubeletServerCertificate is a feature gate of the controller manager, so the flag goes into the kube-controller-manager static pod manifest (/etc/kubernetes/manifests/kube-controller-manager.yaml on a kubeadm cluster). The line marked with + is the one to add; the rest of the manifest is illustrative. The kubelet watches the manifests directory and re-creates the pod when the file changes, so no manual restart is needed.

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
+   - --feature-gates=RotateKubeletServerCertificate=true
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-controller-manager
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki

b) Ensure that the admission control plugin PodSecurityPolicy is set.

This is the kube-bench check and its remediation text:

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
  test_items:
  - flag: "--enable-admission-plugins"
    compare:
      op: has
      value: "PodSecurityPolicy"
    set: true
remediation: |
  Follow the documentation and create Pod Security Policy objects as per your environment.
  Then, edit the API server pod specification file $apiserverconf on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy:
  --enable-admission-plugins=...,PodSecurityPolicy,...
  Then restart the API Server.
scored: true

Keep any plugins already listed (NodeRestriction is the kubeadm default) and append PodSecurityPolicy to them rather than replacing the value. Note that the PodSecurityPolicy admission plugin was removed in Kubernetes v1.25; this check only applies to clusters on v1.24 or earlier, and the API server will not start if the plugin is enabled on a newer release.

c) Ensure that the --kubelet-certificate-authority argument is set as appropriate.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
  test_items:
  - flag: "--kubelet-certificate-authority"
    set: true
remediation: |
  Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file $apiserverconf on the master node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
  --kubelet-certificate-authority=<ca-string>
scored: true

The path must be a CA that actually signed the kubelets' serving certificates; on a kubeadm cluster that is /etc/kubernetes/pki/ca.crt only if the kubelets were configured to request serving certificates from the cluster CA (serverTLSBootstrap), otherwise kubectl logs and kubectl exec stop working after the change.

Fix all of the following violations that were found against the Kubelet:-

a) Ensure the --anonymous-auth argument is set to false.
b) Ensure that the --authorization-mode argument is set to Webhook.

On kubeadm nodes the kubelet takes these settings from its config file, /var/lib/kubelet/config.yaml, rather than from command-line flags: set authentication.anonymous.enabled to false and authorization.mode to Webhook, then run systemctl restart kubelet. Unlike static pods, the kubelet does not pick up config changes on its own.

Fix all of the following violations that were found against the ETCD:-

a) Ensure that the --auto-tls argument is not set to true.

Edit the etcd pod specification file $etcdconf on the master node (/etc/kubernetes/manifests/etcd.yaml on kubeadm) and either remove the --auto-tls parameter or set it to false.
--auto-tls=false

b) Ensure that the --peer-auto-tls argument is not set to true.

Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
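The remediations above all amount to the same two mechanical edits: set or add a `- --flag=value` line in a static pod manifest, or change a key in the kubelet config file. As an added shell example that is neither from the page nor from kube-bench, the helpers below do those edits idempotently (so running them twice does not duplicate a flag), append PodSecurityPolicy to whatever admission plugins are already enabled instead of overwriting the list, and come with constructed miniature manifest and kubelet config files to try them on offline. The paths in apply_remediations are kubeadm defaults and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or kube-bench): helpers that apply the
# remediations to static pod manifests and the kubelet config, plus
# constructed sample inputs. Paths in apply_remediations are kubeadm defaults.

# set_flag MANIFEST FLAG VALUE: idempotently set "- --FLAG=VALUE" in the
# container's command list, inserting it after the binary name if absent.
set_flag() {
    f=$1; flag=$2; val=$3
    if grep -q "^[[:space:]]*- --$flag=" "$f"; then
        sed "s|^\([[:space:]]*\)- --$flag=.*|\1- --$flag=$val|" "$f" > "$f.tmp"
    else
        awk -v flag="$flag" -v val="$val" '
            { print }
            incmd && /^[ \t]*- / {      # first list item after command: is the binary
                match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)
                print ind "- --" flag "=" val; incmd = 0
            }
            /^[ \t]*(- )?command:/ { incmd = 1 }
        ' "$f" > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# add_admission_plugin MANIFEST PLUGIN: append PLUGIN to
# --enable-admission-plugins without dropping plugins already listed.
add_admission_plugin() {
    f=$1; plugin=$2
    cur=$(sed -n "s/^[[:space:]]*- --enable-admission-plugins=//p" "$f" | head -n 1)
    case ",$cur," in
        *",$plugin,"*) ;;                                          # already enabled
        ",,") set_flag "$f" enable-admission-plugins "$plugin" ;;
        *)    set_flag "$f" enable-admission-plugins "$cur,$plugin" ;;
    esac
}

# harden_kubelet_config FILE: authentication.anonymous.enabled=false and
# authorization.mode=Webhook (config-file form of --anonymous-auth and
# --authorization-mode). Only rewrites keys that are already present.
harden_kubelet_config() {
    f=$1
    awk '
        /^authentication:/ { sect = "authn" }
        /^authorization:/  { sect = "authz" }
        /^[^ ]/ && !/^authentication:/ && !/^authorization:/ { sect = "" }
        sect == "authn" && /^  anonymous:/ { blk = "anon" }
        sect == "authn" && /^  [a-z]/ && !/^  anonymous:/ { blk = "" }
        sect == "authn" && blk == "anon" && /^    enabled:/ { $0 = "    enabled: false" }
        sect == "authz" && /^  mode:/ { $0 = "  mode: Webhook" }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed sample inputs (not copied from any cluster) to try the helpers on.
sample_apiserver_manifest() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction
    - --authorization-mode=Node,RBAC
    image: registry.k8s.io/kube-apiserver:v1.24.0
    name: kube-apiserver
EOF
}
sample_kubelet_config() {
    cat > "$1" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: true
authorization:
  mode: AlwaysAllow
EOF
}

# On a kubeadm control plane node, as root. Static pods are re-created by the
# kubelet when their manifest changes; the kubelet itself must be restarted.
# set_flag replaces the whole value, so inspect an existing --feature-gates
# line first and include its other gates in the value you pass.
apply_remediations() {
    m=/etc/kubernetes/manifests
    set_flag "$m/kube-controller-manager.yaml" feature-gates RotateKubeletServerCertificate=true
    add_admission_plugin "$m/kube-apiserver.yaml" PodSecurityPolicy
    set_flag "$m/kube-apiserver.yaml" kubelet-certificate-authority /etc/kubernetes/pki/ca.crt
    set_flag "$m/etcd.yaml" auto-tls false
    set_flag "$m/etcd.yaml" peer-auto-tls false
    harden_kubelet_config /var/lib/kubelet/config.yaml
    systemctl restart kubelet
}
if [ "${1:-}" = "--apply" ]; then apply_remediations; fi
```

After applying, confirm the static pods came back (`crictl ps` or `kubectl get pods -n kube-system`) and re-run `kube-bench` against the node: a control-plane pod that fails to start because of a mistyped flag is the usual way these fixes go wrong, and the kubelet logs (`journalctl -u kubelet`) show the rejected argument.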






Post your Comments and Discuss Linux Foundation CKS exam with other Community members:

Dipu commented on November 13, 2024
Great Source , i feel really good questions
Anonymous
upvote

Erick commented on July 29, 2024
Great source of studying and preparation.
United Kingdom
upvote

Anonymous commented on July 16, 2023
upload cks exam questions
Anonymous
upvote

Anonymous commented on July 16, 2023
Upload cks exam questions
Anonymous
upvote

Claudio commented on March 30, 2023
Enjoyable and visually appealing test engine software with a strange name Xengine. I found it helpful.
GERMANY
upvote