Free 2021 Certified Kubernetes Security Specialist (CKS) Exam Questions

Download high-quality Certified Kubernetes Security Specialist (CKS) Exam Questions to 100% pass CKS exam! PassQuestion offers 100% real CKS exam questions and answers for you to ace the CKS exam on the first try! Get the Certified Kubernetes Security Specialist (CKS) Exam dumps at PassQuestion. We give you hourly updated questions and answers for free. Try these ten CKS practice tests to view the exam topics.

1. CORRECT TEXT

  1. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace.

Store the value of the token in the token.txt

  2. Create a new secret named test-db-secret in the DB namespace with the following content:

username: mysql

password: [email protected]

Create a Pod named test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials

 
 

2. CORRECT TEXT

Given an existing Pod named test-web-pod running in the namespace test-system

Edit the existing Role bound to the Pod’s Service Account named sa-backend to only allow performing get operations on endpoints.

Create a new Role named test-system-role-2 in the namespace test-system, which can perform patch operations on resources of type statefulsets.

Create a new RoleBinding named test-system-role-2-binding binding the newly created Role to the Pod’s ServiceAccount sa-backend.

 
 

3. CORRECT TEXT

Create a network policy named restrict-np to restrict access to Pod nginx-test running in namespace testing.

Only allow the following Pods to connect to Pod nginx-test:

  1. Pods in the namespace default
  2. Pods with label version:v1 in any namespace.

Make sure to apply the network policy.

 
 

4. CORRECT TEXT

Create a Pod named Nginx-pod inside the namespace testing. Create a service for the Nginx-pod named nginx-svc. Using the ingress of your choice, run the ingress on TLS, secure port.

 
 

5. CORRECT TEXT

Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.

Create a Pod of image Nginx in the namespace server to run on the gVisor runtime class.

 
 

6. CORRECT TEXT

A container image scanner is set up on the cluster.

Given an incomplete configuration in the directory /etc/Kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://acme.local.8081/image_policy

  1. Enable the admission plugin.
  2. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying a pod whose image tag is latest.

 
 

7. CORRECT TEXT

You can switch the cluster/configuration context using the following command:

[[email protected]] $ kubectl config use-context dev

A default-deny NetworkPolicy avoids accidentally exposing a Pod in a namespace that doesn’t have any other NetworkPolicy defined.

Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.

Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.

You can find a skeleton manifest file at /home/cert_masters/network-policy.yaml

 
 

8. CORRECT TEXT

Use Trivy to scan the following images:

  1. amazonlinux:1
  2. k8s.gcr.io/kube-controller-manager:v1.18.6

Look for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in /opt/trivy-vulnerable.txt

 
 

9. CORRECT TEXT

A container image scanner is set up on the cluster.

Given an incomplete configuration in the directory /etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy

  1. Enable the admission plugin.
  2. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying a pod whose image tag is latest.

 
 

10. CORRECT TEXT

Enable audit logs in the cluster. To do so, enable the log backend, and ensure that:

  1. Logs are stored at /var/log/kubernetes/kubernetes-logs.txt.
  2. Log files are retained for 5 days.
  3. At maximum, a number of 10 old audit log files are retained.

Edit and extend the basic policy to log:

  1. Cronjobs changes at RequestResponse
  2. Log the request body of deployments changes in the namespace kube-system.
  3. Log all other resources in core and extensions at the Request level.
  4. Don’t log watch requests by the “system:kube-proxy” on endpoints or
