CKS Dumps - Practice your Exam with Latest Questions & Answers
Dumpschool.com is a trusted online platform that offers the latest and updated Linux-Foundation CKS Dumps. These dumps are designed to help candidates prepare for the CKS certification exam effectively. With a 100% passing guarantee, Dumpschool ensures that candidates can confidently take the exam and achieve their desired score. The exam dumps provided by Dumpschool cover all the necessary topics and include real exam questions, allowing candidates to familiarize themselves with the exam format and improve their knowledge and skills. Whether you are a beginner or have previous experience, Dumpschool.com provides comprehensive study material to ensure your success in the Linux-Foundation CKS exam.
Preparing for the Linux-Foundation CKS certification exam can be a daunting task, but with Dumpschool.com, candidates can find the latest and updated exam dumps to streamline their preparation process. The platform's guarantee of a 100% passing grade adds an extra layer of confidence, allowing candidates to approach the exam with a sense of assurance. Dumpschool.com’s comprehensive study material is designed to cater to the needs of individuals at all levels of experience, making it an ideal resource for both beginners and those with previous knowledge. By providing real exam questions and covering all the necessary topics, Dumpschool.com ensures that candidates can familiarize themselves with the exam format and boost their knowledge and skills. With Dumpschool as a trusted online platform, success in the Linux-Foundation CKS exam is within reach.
Tips to Pass CKS Exam in First Attempt
1. Explore Comprehensive Study Materials
Study Guides: Begin your preparation with our detailed study guides. Our material covers all exam objectives and provides clear explanations of complex concepts.
Practice Questions: Test your knowledge with our extensive collection of practice questions. These questions simulate the exam format and difficulty, helping you familiarize yourself with the test.
2. Utilize Expert Tips and Strategies
Learn effective time management techniques to complete the exam within the allotted time.
Take advantage of our expert tips and strategies to boost your exam performance.
Understand the common pitfalls and how to avoid them.
3. 100% Passing Guarantee
With Dumpschool's 100% passing guarantee, you can be confident in the quality of our study materials.
If needed, reach out to our support team for assistance and further guidance.
4. Experience the real exam environment by using our online test engine.
Take full-length tests under exam-like conditions to simulate the test day experience.
Review your answers and identify areas for improvement.
Use the feedback from practice tests to adjust your study plan as needed.
Passing the CKS Exam is a piece of cake with Dumpschool's study material.
We understand the stress and pressure that comes with preparing for exams. That's why we have created a comprehensive collection of CKS exam dumps to help students pass their exam easily. Our CKS dumps PDF is carefully curated and prepared by experienced professionals, ensuring that you have access to the most relevant and up-to-date materials; our dumps will provide you with the edge you need to succeed. With our expert study material you can study at your own pace and be confident in your knowledge before sitting for the exam. Don't let exam anxiety hold you back - let Dumpschool help you breeze through your exams with ease.
90 Days Free Updates
DumpSchool understands the importance of staying up-to-date with the latest and most accurate practice questions for the Linux-Foundation CKS certification exam. That's why we are committed to providing our customers with the most current and comprehensive resources available. With our Linux-Foundation CKS Practice Questions, you can feel confident knowing that you are preparing with the most relevant and reliable study materials. In addition, we offer a 90-day free update period, ensuring that you have access to any new questions or changes that may arise. Trust Dumpschool.com to help you succeed in your Linux-Foundation CKS exam preparation.
Dumpschool's Refund Policy
Dumpschool believes in the quality of our study materials and your ability to succeed in your IT certification exams. That's why we're proud to offer a 100% refund guarantee if you fail after using our dumps. This guarantee is our commitment to providing you with the best possible resources and support on your journey to certification success.
Question # 1
Given an existing Pod named test-web-pod running in the namespace test-system. Edit the existing Role bound to the Pod's ServiceAccount named sa-backend to only allow performing get operations on endpoints. Create a new Role named test-system-role-2 in the namespace test-system, which can perform patch operations on resources of type statefulsets. Create a new RoleBinding named test-system-role-2-binding binding the newly created Role to the Pod's ServiceAccount sa-backend.
Answer: Send us your feedback on this.
Question # 2
Create a network policy named restrict-np to restrict access to pod nginx-test running in namespace testing. Only allow the following Pods to connect to Pod nginx-test: 1. pods in the namespace default; 2. pods with label version:v1 in any namespace. Make sure to apply the network policy.
Answer: Send us your Feedback on this.
Question # 3
Create a Pod named Nginx-pod inside the namespace testing. Create a service for the Nginx-pod named nginx-svc using the ingress of your choice, and run the ingress on a TLS-secured port.
Answer: Send us your feedback on it.
Question # 4
Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc. Create a Pod of image nginx in the Namespace server to run on the gVisor runtime class.
Answer: See the explanation below:
Explanation: Install the RuntimeClass for gVisor.

# Step 1: Install a RuntimeClass
cat <<EOF | kubectl apply -f -
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF

Create a Pod with the gVisor RuntimeClass.

# Step 2: Create a pod
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
EOF

Verify that the Pod is running.

# Step 3: Get the pod
kubectl get pod nginx-gvisor -o wide
Question # 5
A container image scanner is set up on the cluster. Given an incomplete configuration in the directory /etc/Kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://acme.local.8081/image_policy: 1. Enable the admission plugin. 2. Validate the control configuration and change it to implicit deny. Finally, test the configuration by deploying the pod having the image tag as latest.
Answer: Send us your feedback on it.
Question # 6
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev
A default-deny NetworkPolicy avoids accidentally exposing a Pod in a namespace that doesn't have any other NetworkPolicy defined. Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress. The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test. Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test. You can find a skeleton manifest file at /home/cert_masters/network-policy.yaml
Answer: See the explanation below
Explanation:

controlplane $ k get pods -n test --show-labels
NAME       READY   STATUS    RESTARTS   AGE   LABELS
test-pod   1/1     Running   0          34s   role=test,run=test-pod
testing    1/1     Running   0          17d   run=testing

master1 $ vim netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-network
  namespace: test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

master1 $ k apply -f netpol.yaml
Question # 7
On the Cluster worker node, enforce the prepared AppArmor profile:

#include <tunables/global>

profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet tcp,
  network inet udp,
  network inet icmp,

  deny network raw,
  deny network packet,

  file,
  umount,

  deny /bin/** wl,
  deny /boot/** wl,
  deny /dev/** wl,
  deny /etc/** wl,
  deny /home/** wl,
  deny /lib/** wl,
  deny /lib64/** wl,
  deny /media/** wl,
  deny /mnt/** wl,
  deny /opt/** wl,
  deny /proc/** wl,
  deny /root/** wl,
  deny /sbin/** wl,
  deny /srv/** wl,
  deny /tmp/** wl,
  deny /sys/** wl,
  deny /usr/** wl,

  audit /** w,

  /var/run/nginx.pid w,
  /usr/sbin/nginx ix,

  deny /bin/dash mrwklx,
  deny /bin/sh mrwklx,
  deny /usr/bin/top mrwklx,

  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}

Edit the prepared manifest file to include the AppArmor profile.

apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
spec:
  containers:
  - name: apparmor-pod
    image: nginx

Finally, apply the manifest file and create the Pod specified in it. Verify: try to use the commands ping, top and sh.
Answer: Send us your feedback on it.
Question # 8
Use Trivy to scan the following images: 1. amazonlinux:1 2. k8s.gcr.io/kube-controller-manager:v1.18.6. Look for images with HIGH or CRITICAL severity vulnerabilities and store the output in /opt/trivy-vulnerable.txt.
Answer: Send us your suggestion on it.
Question # 9
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context prod-account
Context: A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions. Task: Given an existing Pod named web-pod running in the namespace database. 1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods. 2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statefulsets. 3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount. Note: Don't delete the existing RoleBinding.
Answer: See the explanation below
Explanation:

[desk@cli] $ k get pods -n database
NAME      READY   STATUS    RESTARTS   AGE   LABELS
web-pod   1/1     Running   0          34s   run=web-pod

[desk@cli] $ k get roles -n database
test-role

[desk@cli] $ k edit role test-role -n database
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-06-13T11:12:23Z"
  name: test-role
  namespace: database
  resourceVersion: "1139"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/database/roles/test-role
  uid: 49949265-6e01-499c-94ac-5011d6f6a353
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - "*"   # Delete this
  - get   # Replace by this

[desk@cli] $ k create role test-role-2 -n database --resource statefulset --verb update
[desk@cli] $ k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa
Question # 10
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context stage
Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolicy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole named deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psp-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa.
Answer: See the explanation below
Explanation: Create a PSP to disallow privileged containers.

master1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: deny-policy
spec:
  privileged: false  # Don't allow privileged pods!
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deny-access-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - "deny-policy"

master1 $ k create sa psp-denial-sa -n development

master1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restrict-access-bind
roleRef:
  kind: ClusterRole
  name: deny-access-role
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
Question # 11
A container image scanner is set up on the cluster. Given an incomplete configuration in the directory /etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy: 1. Enable the admission plugin. 2. Validate the control configuration and change it to implicit deny. Finally, test the configuration by deploying the pod having the image tag as latest.
Answer: Send us your Feedback on this.
Question # 12
Create a PSP that will prevent the creation of privileged pods in the namespace. Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods. Create a new ServiceAccount named psp-sa in the namespace default. Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy. Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa. Also, check that the configuration is working by trying to create a privileged pod; it should fail.
Answer: See the Explanation below.
Explanation: Create a PSP that will prevent the creation of privileged pods in the namespace.

$ cat clusterrole-use-privileged.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-privileged-psp
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - default-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: privileged-role-bind
  namespace: psp-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-privileged-psp
subjects:
- kind: ServiceAccount
  name: privileged-sa

$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml

After a few moments, the privileged Pod should be created.

Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

And create it with kubectl:

kubectl-admin create -f example-psp.yaml

Now, as the unprivileged user, try to create a simple pod:

kubectl-user create -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pause
spec:
  containers:
  - name: pause
    image: k8s.gcr.io/pause
EOF

The output is similar to this:

Error from server (Forbidden): error when creating "STDIN": pods "pause" is forbidden: unable to validate against any pod security policy: []

Create a new ServiceAccount named psp-sa in the namespace default. Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy. Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.

apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane  # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role  # this must be Role or ClusterRole
  name: pod-reader  # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]  # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
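The two PodSecurityPolicy tasks above (deny-policy with deny-access-role, and prevent-privileged-policy with prevent-role) both rely on the same admission rule: a pod is admitted only if some PSP that the requesting subject is authorised to `use` (RBAC verb `use` on `podsecuritypolicies`, narrowed by `resourceNames`) validates it; otherwise the API server answers with the "unable to validate against any pod security policy" error quoted in the explanation. The following is an added example, not part of the exam material, that models that decision. PSP objects, RBAC rules and pod specs are constructed sample data, `permissive-psp` and `USE_ANY_PSP` are hypothetical contrasts, and only the `privileged` flag of a PSP is modelled. PodSecurityPolicy was removed in Kubernetes 1.25; current clusters use Pod Security Admission for the same purpose.

```python
# Added example (not from the exam material): model of PodSecurityPolicy admission.
# PSP objects, roles and pod specs below are constructed sample data.

PSPS = {
    "deny-policy": {"privileged": False},      # from the task
    "permissive-psp": {"privileged": True},    # hypothetical, for contrast
}

# ClusterRole deny-access-role from the task: may use only deny-policy
DENY_ACCESS_ROLE = [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                     "verbs": ["use"], "resourceNames": ["deny-policy"]}]
# Hypothetical role without resourceNames: may use every PSP in the cluster
USE_ANY_PSP = [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"], "verbs": ["use"]}]


def usable_policies(rules, psp_names):
    """Names of the PSPs the subject is authorised to use through its RBAC rules."""
    usable = []
    for rule in rules:
        if "use" not in rule.get("verbs", []) or "podsecuritypolicies" not in rule.get("resources", []):
            continue
        if not {"policy", "*"} & set(rule.get("apiGroups", [])):
            continue
        names = rule.get("resourceNames")       # empty/absent means every PSP
        for n in psp_names:
            if (not names or n in names) and n not in usable:
                usable.append(n)
    return usable


def validates(psp, pod_spec):
    """Only the privileged flag is modelled: a PSP with privileged: false
    rejects any container that asks for privileged mode."""
    for c in pod_spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged", False) and not psp["privileged"]:
            return False
    return True


def admit(pod_name, pod_spec, rules):
    """Return (admitted, message) for a pod created by a subject holding `rules`."""
    for name in usable_policies(rules, PSPS):
        if validates(PSPS[name], pod_spec):
            return True, f'pod "{pod_name}" validated by PodSecurityPolicy {name}'
    return False, (f'Error from server (Forbidden): pods "{pod_name}" is forbidden: '
                   'unable to validate against any pod security policy: []')


# Constructed pod specs: the pause pod from the explanation, and a privileged one
PAUSE = {"containers": [{"name": "pause", "image": "k8s.gcr.io/pause"}]}
PRIVILEGED = {"containers": [{"name": "root", "image": "nginx",
                              "securityContext": {"privileged": True}}]}


if __name__ == "__main__":
    for label, spec, rules in [("pause/deny-policy", PAUSE, DENY_ACCESS_ROLE),
                               ("privileged/deny-policy", PRIVILEGED, DENY_ACCESS_ROLE),
                               ("pause/no-binding", PAUSE, []),
                               ("privileged/use-any", PRIVILEGED, USE_ANY_PSP)]:
        print(label, "->", admit(label.split("/")[0], spec, rules)[1])
```

The third case is the one that trips people up in practice: a subject with no `use` permission at all cannot create even an unprivileged pod once the PSP admission plugin is on, which is exactly the Forbidden error shown above.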
Question # 13
Enable audit logs in the cluster. To do so, enable the log backend, and ensure that: 1. Logs are stored at /var/log/kubernetes/kubernetes-logs.txt. 2. Log files are retained for 5 days. 3. At maximum, a number of 10 old audit log files are retained. Edit and extend the basic policy to log: 1. Cronjobs changes at RequestResponse. 2. The request body of deployments changes in the namespace kube-system. 3. All other resources in core and extensions at the Request level. 4. Don't log watch requests by the "system:kube-proxy" on endpoints or
Answer: Send us your feedback on it.
Question # 14
Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress.
Answer: See the explanation below:
Explanation: You can create a "default" isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

You can create a "default" egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  # no egress rules listed: all egress from the selected pods is denied

Default deny all ingress and all egress traffic: you can create a "default" policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.
Question # 15
Use the kubesec docker image to scan the given YAML manifest, edit and apply the advised changes, and pass with a score of 4 points.

kubesec-test.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
spec:
  containers:
  - name: kubesec-demo
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      readOnlyRootFilesystem: true

Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
Answer: Send us your feedback on it.
Question # 16
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context qa Context: A pod fails to run because of an incorrectly specified ServiceAccount Task: Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret. Edit the frontend pod yaml to use backend-qa service account Note: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml
Answer: See the explanation below
Explanation:

[desk@cli] $ k create sa backend-qa -n qa
serviceaccount/backend-qa created
[desk@cli] $ k get role,rolebinding -n qa
No resources found in qa namespace.
[desk@cli] $ k create role backend -n qa --resource pods,namespaces,configmaps --verb list   # No access to secret
role.rbac.authorization.k8s.io/backend created
[desk@cli] $ k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa
rolebinding.rbac.authorization.k8s.io/backend created
[desk@cli] $ vim /home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  serviceAccountName: backend-qa  # Add this
  containers:
  - image: nginx
    name: frontend
[desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yaml
pod/frontend created

Reference: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
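The RBAC tasks above (tightening test-role and adding test-role-2 for test-sa, the sa-backend task, and the backend role for backend-qa that must not reach secrets) all come down to how the API server matches a request against the rules of every role bound to the subject. The following is an added example, not part of the exam material, that models that matching so the resulting permissions can be checked without a cluster. The rules are transcribed from the manifests and kubectl commands on the page; the subject names and the `effective_rules` binding model are this example's own assumptions.

```python
# Added example (not from the exam material): model of RBAC rule matching.
# Rules are transcribed from the page's manifests/commands; bindings are a
# constructed model of RoleBindings in one namespace.

def _in(rule_values, value):
    """A rule list matches by exact entry or by the "*" wildcard."""
    return "*" in rule_values or value in rule_values


def rule_allows(rule, verb, api_group, resource, name=None):
    if not _in(rule.get("verbs", []), verb):
        return False
    if not _in(rule.get("apiGroups", []), api_group):   # "" is the core group
        return False
    if not _in(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames")
    if names:                       # restricts the rule to the named objects only
        return name is not None and name in names
    return True


def allowed(rules, verb, api_group, resource, name=None):
    """RBAC is purely additive: there are no deny rules, so a request is
    allowed iff at least one rule of any bound role allows it."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


def effective_rules(bindings, subject):
    """Union of the rules of every role bound to `subject`; `bindings` is a
    list of (subject, rules) pairs standing in for RoleBindings."""
    return [r for s, rules in bindings if s == subject for r in rules]


# test-role as found: every verb on pods (the overly permissive state)
TEST_ROLE_BEFORE = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]
# test-role after `k edit role test-role -n database`: get on pods only
TEST_ROLE_AFTER = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]
# `k create role test-role-2 --resource statefulset --verb update`;
# kubectl resolves statefulsets to the apps API group
TEST_ROLE_2 = [{"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["update"]}]
# `k create role backend --resource pods,namespaces,configmaps --verb list`
BACKEND = [{"apiGroups": [""], "resources": ["pods", "namespaces", "configmaps"], "verbs": ["list"]}]

# Both bindings for test-sa stay in place: the task says not to delete the existing one
DATABASE_BINDINGS = [
    ("system:serviceaccount:database:test-sa", TEST_ROLE_AFTER),   # existing RoleBinding
    ("system:serviceaccount:database:test-sa", TEST_ROLE_2),       # test-role-2-bind
]


def checks():
    """The permission questions a reviewer would ask after the edits."""
    sa = effective_rules(DATABASE_BINDINGS, "system:serviceaccount:database:test-sa")
    return {
        "before_delete_pods": allowed(TEST_ROLE_BEFORE, "delete", "", "pods"),
        "after_delete_pods": allowed(TEST_ROLE_AFTER, "delete", "", "pods"),
        "sa_get_pods": allowed(sa, "get", "", "pods"),
        "sa_update_statefulsets": allowed(sa, "update", "apps", "statefulsets"),
        "sa_update_statefulsets_core_group": allowed(sa, "update", "", "statefulsets"),
        "sa_list_pods": allowed(sa, "list", "", "pods"),
        "sa_get_secrets": allowed(sa, "get", "", "secrets"),
        "backend_list_configmaps": allowed(BACKEND, "list", "", "configmaps"),
        "backend_list_secrets": allowed(BACKEND, "list", "", "secrets"),
        "backend_get_pods": allowed(BACKEND, "get", "", "pods"),
    }


if __name__ == "__main__":
    for question, answer in checks().items():
        print(f"{question}: {'allowed' if answer else 'denied'}")
```

Two details worth noticing: `get` does not imply `list` or `watch` (they are separate verbs), and a rule for `statefulsets` only matches in the `apps` API group, which is why `kubectl create role --resource statefulset` fills that group in for you.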
Question # 17
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context test-account Task: Enable audit logs in the cluster. To do so, enable the log backend, and ensure that: 1. logs are stored at /var/log/Kubernetes/logs.txt 2. log files are retained for 5 days 3. at maximum, a number of 10 old audit log files are retained A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log. Note: The base policy is located on the cluster's master node. Edit and extend the basic policy to log: 1. Nodes changes at RequestResponse level 2. The request body of persistentvolumes changes in the namespace frontend 3. ConfigMap and Secret changes in all namespaces at the Metadata level Also, add a catch-all rule to log all other requests at the Metadata level Note: Don't forget to apply the modified policy.
Answer: See the explanation below
Explanation:

[desk@cli] $ ssh master1
[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1  # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""  # core API group
    resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
  userGroups: ["system:authenticated"]
  nonResourceURLs:
  - "/api*"  # Wildcard matching.
  - "/version"
# Add your changes below
- level: RequestResponse
  userGroups: ["system:nodes"]  # Block for nodes
- level: Request
  resources:
  - group: ""  # core API group
    resources: ["persistentvolumes"]  # Block for persistentvolumes
  namespaces: ["frontend"]  # Block for persistentvolumes of frontend ns
- level: Metadata
  resources:
  - group: ""  # core API group
    resources: ["configmaps", "secrets"]  # Block for configmaps & secrets
- level: Metadata  # Block for everything else

[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.5
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml  # Add this
    - --audit-log-path=/var/log/kubernetes/logs.txt  # Add this
    - --audit-log-maxage=5  # Add this
    - --audit-log-maxbackup=10  # Add this
(output truncated)
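Audit policy rules are evaluated top to bottom and the first matching rule decides the level, which is why the order of the blocks in the policy above matters (the kube-proxy exclusion must come before the catch-all, and the catch-all must be last). The following is an added example, not part of the exam material, that implements that first-match evaluation and runs it over the policy from the task above; the request attributes are constructed sample data, and only the rule fields that policy uses (users, userGroups, verbs, resources, namespaces, nonResourceURLs) are modelled.

```python
# Added example (not from the exam material): first-match evaluation of an audit
# Policy. POLICY_RULES is transcribed from the task's policy; requests are constructed.

POLICY_RULES = [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "userGroups": ["system:authenticated"],
     "nonResourceURLs": ["/api*", "/version"]},
    {"level": "RequestResponse", "userGroups": ["system:nodes"]},
    {"level": "Request", "resources": [{"group": "", "resources": ["persistentvolumes"]}],
     "namespaces": ["frontend"]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["configmaps", "secrets"]}]},
    {"level": "Metadata"},                                        # catch-all, must be last
]


def _url_matches(pattern, url):
    """nonResourceURLs allow a trailing * wildcard."""
    return url.startswith(pattern[:-1]) if pattern.endswith("*") else url == pattern


def _resources_match(group_resources, req):
    for gr in group_resources:
        if gr.get("group", "") != req.get("group", ""):
            continue
        if not gr.get("resources") or req["resource"] in gr["resources"]:
            return True
    return False


def rule_matches(rule, req):
    """Every selecting field present on the rule must match (AND); a rule with
    no selecting fields matches every request."""
    if "users" in rule and req.get("user") not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if "verbs" in rule and req.get("verb") not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.get("namespace") not in rule["namespaces"]:
        return False
    if "nonResourceURLs" in rule:       # only non-resource requests can match
        return "resource" not in req and any(
            _url_matches(p, req.get("url", "")) for p in rule["nonResourceURLs"])
    if "resources" in rule:             # only resource requests can match
        return "resource" in req and _resources_match(rule["resources"], req)
    return True


def audit_decision(rules, req):
    """Return (rule_index, level) of the first matching rule, or (None, "None")."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, req):
            return i, rule["level"]
    return None, "None"


AUTH = ["system:authenticated"]
SAMPLE_REQUESTS = {   # constructed request attribute sets
    "kube_proxy_watch_endpoints": {"user": "system:kube-proxy", "groups": AUTH, "verb": "watch",
                                   "group": "", "resource": "endpoints", "namespace": "default"},
    "kube_proxy_get_endpoints": {"user": "system:kube-proxy", "groups": AUTH, "verb": "get",
                                 "group": "", "resource": "endpoints", "namespace": "default"},
    "node_patch_nodes": {"user": "system:node:worker1", "groups": ["system:nodes"] + AUTH,
                         "verb": "patch", "group": "", "resource": "nodes"},
    "pv_create_frontend": {"user": "jane", "groups": AUTH, "verb": "create",
                           "group": "", "resource": "persistentvolumes", "namespace": "frontend"},
    "secret_get_prod": {"user": "jane", "groups": AUTH, "verb": "get",
                        "group": "", "resource": "secrets", "namespace": "prod"},
    "get_version": {"user": "jane", "groups": AUTH, "verb": "get", "url": "/version"},
    "get_healthz": {"user": "jane", "groups": AUTH, "verb": "get", "url": "/healthz"},
}


def decisions():
    return {name: audit_decision(POLICY_RULES, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (idx, level) in decisions().items():
        print(f"{name}: rule {idx} -> {level}")
```

Note that the kube-proxy exclusion only covers `watch`; a `get` on endpoints by the same user falls through to the catch-all and is logged at Metadata, and `/healthz` is logged too because only `/api*` and `/version` are excluded.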
Question # 18
Analyze and edit the given Dockerfile:

FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get install nginx -y
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER ROOT

Fix the two instructions present in the file that are prominent security best practice issues.

Analyze and edit the deployment manifest file:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      privileged: True
      allowPrivilegeEscalation: false

Fix the two fields present in the file that are prominent security best practice issues. Don't add or remove configuration settings; only modify the existing configuration settings. Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487.
Answer: Send us the Feedback on it.
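The task above gives no answer key, so the following is an added example rather than an official solution: a small checker over the Dockerfile and pod manifest quoted in the task that flags the unpinned `:latest` base image, the final `USER` of root, the `privileged: true` container and the container-level `runAsUser: 0` that overrides the pod-level 1000, and rewrites them under the task's own rule of modifying only existing settings (using test-user / uid 5487 from the task). The replacement base image tag is a placeholder, since the page does not name one.

```python
import copy

# Added example (not from the exam material): checker and fixer for the Dockerfile
# and pod manifest quoted in the task. The inputs are transcribed from the task.

DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get install nginx -y
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER ROOT
"""

MANIFEST = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo-2"},
    "spec": {
        "securityContext": {"runAsUser": 1000},
        "containers": [{
            "name": "sec-ctx-demo-2",
            "image": "gcr.io/google-samples/node-hello:1.0",
            "securityContext": {"runAsUser": 0, "privileged": True,
                                "allowPrivilegeEscalation": False},
        }],
    },
}

UNPRIVILEGED_USER = "test-user"   # from the task
UNPRIVILEGED_UID = 5487           # from the task


def lint_dockerfile(text):
    """Return (findings, fixed_text). Flags a floating :latest (or untagged) base
    image, which makes builds non-reproducible and silently pulls new content,
    and a final USER of root, which runs the workload with full in-container
    privileges."""
    findings, fixed = [], []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "FROM":
            image = parts[1]
            if ":" not in image or image.endswith(":latest"):
                findings.append(f"unpinned base image: {image}")
                # <pinned-tag> is a placeholder: pick an explicit, reviewed tag
                line = f"FROM {image.split(':')[0]}:<pinned-tag>"
        if parts and parts[0] == "USER" and parts[1].lower() in ("root", "0"):
            findings.append(f"container runs as {parts[1]}")
            line = f"USER {UNPRIVILEGED_USER}"
        fixed.append(line)
    return findings, "\n".join(fixed) + "\n"


def lint_pod(manifest):
    """Return (findings, fixed_manifest). Flags privileged: true and runAsUser: 0
    on any container and changes only those two values, leaving every other key
    (including allowPrivilegeEscalation) exactly as it was."""
    fixed = copy.deepcopy(manifest)          # never mutate the caller's object
    findings = []
    for c in fixed["spec"]["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            findings.append(f"{c['name']}: privileged container")
            sc["privileged"] = False
        if sc.get("runAsUser") == 0:
            findings.append(f"{c['name']}: runs as uid 0, overriding the pod-level runAsUser")
            sc["runAsUser"] = UNPRIVILEGED_UID
    return findings, fixed


if __name__ == "__main__":
    for finding in lint_dockerfile(DOCKERFILE)[0] + lint_pod(MANIFEST)[0]:
        print("finding:", finding)
    print(lint_dockerfile(DOCKERFILE)[1])
```

The container-level `runAsUser` is the subtle one: the pod already sets 1000, but a container-level securityContext takes precedence, so the fix has to be made on the container, not by adding anything at the pod level.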
Question # 19
Cluster: qa-cluster Master node: master Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context qa-cluster Task: Create a NetworkPolicy named restricted-policy to restrict access to Pod product running in namespace dev. Only allow the following Pods to connect to Pod products-service: 1. Pods in the namespace qa 2. Pods with label environment: stage, in any namespace
Answer: See the Explanation below.
Explanation:

[desk@cli] $ k get ns qa --show-labels
NAME   STATUS   AGE   LABELS
qa     Active   47m   env=stage

[desk@cli] $ k get pods -n dev --show-labels
NAME      READY   STATUS    RESTARTS   AGE   LABELS
product   1/1     Running   0          3s    env=dev-team

[desk@cli] $ vim netpol2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restricted-policy
  namespace: dev
spec:
  podSelector:
    matchLabels:
      env: dev-team
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: stage
    - namespaceSelector: {}   # together with the podSelector below: matching pods in any namespace
      podSelector:
        matchLabels:
          env: stage
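The NetworkPolicy tasks on this page (deny-network in namespace test, deny-all in namespace testing, and restricted-policy above) all depend on how selectors in `spec.podSelector` and in each `from` peer are combined. The following is an added example, not part of the exam material, that models ingress evaluation so the manifests can be reasoned about without a cluster: a bare `podSelector` peer only matches pods in the policy's own namespace, while `namespaceSelector: {}` plus a `podSelector` in the same peer matches labelled pods in any namespace. The policies and labels below are constructed from the tasks; `matchExpressions` and `ipBlock` peers are not modelled.

```python
# Added example (not from the exam material): model of NetworkPolicy ingress
# selection. Policies and labels below are constructed from the page's tasks.

def selector_matches(selector, labels):
    """matchLabels-only selector model. An empty selector ({}) matches everything."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_allows(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    """One entry of an ingress 'from' list:
    - podSelector alone        -> pods in the policy's own namespace only
    - namespaceSelector alone  -> every pod in the matching namespaces
    - both in the same entry   -> matching pods in matching namespaces (AND)
    """
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:
        return selector_matches(ns_sel, src_ns_labels) and selector_matches(pod_sel, src_pod_labels)
    if ns_sel is not None:
        return selector_matches(ns_sel, src_ns_labels)
    if pod_sel is not None:
        return src_ns == policy_ns and selector_matches(pod_sel, src_pod_labels)
    return False


def ingress_allowed(policies, dst_ns, dst_pod_labels, src_ns, src_ns_labels, src_pod_labels):
    """A pod selected by no Ingress policy is non-isolated (all traffic allowed).
    Once any Ingress policy selects it, traffic must match a rule of some policy."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != dst_ns:
            continue                               # policies apply only in their namespace
        if not selector_matches(spec.get("podSelector", {}), dst_pod_labels):
            continue
        default_types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if "Ingress" not in spec.get("policyTypes", default_types):
            continue
        isolated = True
        for rule in spec.get("ingress", []):
            froms = rule.get("from")
            if not froms:                          # a rule without 'from' admits every source
                return True
            if any(peer_allows(p, dst_ns, src_ns, src_ns_labels, src_pod_labels) for p in froms):
                return True
    return not isolated


# Task: deny-network, default deny of Ingress and Egress for every pod in namespace test
DENY_NETWORK = {"metadata": {"name": "deny-network", "namespace": "test"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

# Task: restricted-policy; the second peer pairs namespaceSelector {} with a
# podSelector so that env=stage pods match in ANY namespace
RESTRICTED = {"metadata": {"name": "restricted-policy", "namespace": "dev"},
              "spec": {"podSelector": {"matchLabels": {"env": "dev-team"}},
                       "policyTypes": ["Ingress"],
                       "ingress": [{"from": [
                           {"namespaceSelector": {"matchLabels": {"env": "stage"}}},
                           {"namespaceSelector": {}, "podSelector": {"matchLabels": {"env": "stage"}}},
                       ]}]}}

# Common mistake: a bare podSelector peer, which only matches pods in namespace dev
RESTRICTED_BARE = {"metadata": {"name": "restricted-policy", "namespace": "dev"},
                   "spec": {"podSelector": {"matchLabels": {"env": "dev-team"}},
                            "policyTypes": ["Ingress"],
                            "ingress": [{"from": [
                                {"namespaceSelector": {"matchLabels": {"env": "stage"}}},
                                {"podSelector": {"matchLabels": {"env": "stage"}}},
                            ]}]}}

PRODUCT = {"env": "dev-team"}   # labels of pod product in namespace dev


def demo():
    """Decisions a practitioner would otherwise check by hand."""
    return {
        "no_policy": ingress_allowed([], "dev", PRODUCT, "default", {}, {}),
        "deny_network": ingress_allowed([DENY_NETWORK], "test", {"run": "test-pod"}, "default", {}, {}),
        "from_qa_ns": ingress_allowed([RESTRICTED], "dev", PRODUCT, "qa", {"env": "stage"}, {}),
        "stage_pod_other_ns": ingress_allowed([RESTRICTED], "dev", PRODUCT, "other", {}, {"env": "stage"}),
        "stage_pod_other_ns_bare": ingress_allowed([RESTRICTED_BARE], "dev", PRODUCT, "other", {}, {"env": "stage"}),
        "unlabelled_other_ns": ingress_allowed([RESTRICTED], "dev", PRODUCT, "other", {}, {}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'ALLOW' if verdict else 'DENY'}")
```

The `stage_pod_other_ns_bare` case is the one the bare-podSelector version gets wrong: a stage-labelled pod in another namespace is silently denied, which is easy to miss because the policy applies cleanly and the same pod in namespace dev is still admitted.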
Question # 20
A service is running on port 389 inside the system. Find the process ID of the process, store the names of all the open files inside /candidate/KH77539/files.txt, and also delete the binary.