최신Linux Foundation Certified Kubernetes Security Specialist (CKS) - CKS무료샘플문제
문제1
SIMULATION
Documentation
Installing the Sidecar, PeerAuthentication, Deployments
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000041
Context
A microservices-based application using unencrypted Layer 4 (L4) transport must be secured with Istio.
Task
Perform the following tasks to secure an existing application's Layer 4 (L4) transport communication using Istio.
Istio is installed to secure Layer 4 (L4) communications.
You may use your browser to access Istio's documentation.
First, ensure that all Pods in the mtls namespace have the istio-proxy sidecar injected.
Next, configure mutual authentication in strict mode for all workloads in the mtls namespace.
SIMULATION
Documentation
Installing the Sidecar, PeerAuthentication, Deployments
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000041
Context
A microservices-based application using unencrypted Layer 4 (L4) transport must be secured with Istio.
Task
Perform the following tasks to secure an existing application's Layer 4 (L4) transport communication using Istio.
Istio is installed to secure Layer 4 (L4) communications.
You may use your browser to access Istio's documentation.
First, ensure that all Pods in the mtls namespace have the istio-proxy sidecar injected.
Next, configure mutual authentication in strict mode for all workloads in the mtls namespace.
정답:
See the Explanation below for complete solution
Explanation:
Below is the CKS exam-ready, step-by-step solution for QUESTION 15.
Follow exactly in this order. No extra changes.
QUESTION 15 - Istio mTLS (EXAM MODE)
1) Connect to the correct host
ssh cks000041
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) Ensure sidecar injection is enabled for the mtls namespace
2.1 Check current namespace labels
kubectl get ns mtls --show-labels
2.2 Enable automatic Istio sidecar injection
kubectl label namespace mtls istio-injection=enabled --overwrite
Verify:
kubectl get ns mtls --show-labels | grep istio-injection
Expected:
istio-injection=enabled
3) Ensure ALL Pods get the istio-proxy sidecar
Existing Pods will not get sidecars automatically.
You must restart workloads in the namespace.
3.1 Restart all Deployments in mtls
kubectl -n mtls rollout restart deployment
3.2 Verify Pods now have 2 containers (app + istio-proxy)
kubectl -n mtls get pods
Then check one Pod:
kubectl -n mtls get pod <pod-name> -o jsonpath='{.spec.containers[*].name}{"\n"}' Expected output includes:
istio-proxy
4) Configure mutual TLS (mTLS) in STRICT mode
4.1 Create a PeerAuthentication for the mtls namespace
cat <<EOF | kubectl apply -f -
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mtls-strict
namespace: mtls
spec:
mtls:
mode: STRICT
EOF
5) Verify mTLS policy is applied
kubectl -n mtls get peerauthentication
kubectl -n mtls describe peerauthentication mtls-strict
Expected:
Mode: STRICT
6) Final verification (exam confidence check)
6.1 Confirm all Pods are Running
kubectl -n mtls get pods
6.2 Confirm sidecar injection everywhere
kubectl -n mtls get pods -o jsonpath='{range .items[*]}{.metadata.name}{" -> "}{.spec.containers[*].name}{"\n"}{end}' Each line must include istio-proxy.
Explanation:
Below is the CKS exam-ready, step-by-step solution for QUESTION 15.
Follow exactly in this order. No extra changes.
QUESTION 15 - Istio mTLS (EXAM MODE)
1) Connect to the correct host
ssh cks000041
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) Ensure sidecar injection is enabled for the mtls namespace
2.1 Check current namespace labels
kubectl get ns mtls --show-labels
2.2 Enable automatic Istio sidecar injection
kubectl label namespace mtls istio-injection=enabled --overwrite
Verify:
kubectl get ns mtls --show-labels | grep istio-injection
Expected:
istio-injection=enabled
3) Ensure ALL Pods get the istio-proxy sidecar
Existing Pods will not get sidecars automatically.
You must restart workloads in the namespace.
3.1 Restart all Deployments in mtls
kubectl -n mtls rollout restart deployment
3.2 Verify Pods now have 2 containers (app + istio-proxy)
kubectl -n mtls get pods
Then check one Pod:
kubectl -n mtls get pod <pod-name> -o jsonpath='{.spec.containers[*].name}{"\n"}' Expected output includes:
istio-proxy
4) Configure mutual TLS (mTLS) in STRICT mode
4.1 Create a PeerAuthentication for the mtls namespace
cat <<EOF | kubectl apply -f -
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mtls-strict
namespace: mtls
spec:
mtls:
mode: STRICT
EOF
5) Verify mTLS policy is applied
kubectl -n mtls get peerauthentication
kubectl -n mtls describe peerauthentication mtls-strict
Expected:
Mode: STRICT
6) Final verification (exam confidence check)
6.1 Confirm all Pods are Running
kubectl -n mtls get pods
6.2 Confirm sidecar injection everywhere
kubectl -n mtls get pods -o jsonpath='{range .items[*]}{.metadata.name}{" -> "}{.spec.containers[*].name}{"\n"}{end}' Each line must include istio-proxy.
문제2
SIMULATION
Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.
Fix all of the following violations that were found against the API server:- a. Ensure the --authorization-mode argument includes RBAC b. Ensure the --authorization-mode argument includes Node c. Ensure that the --profiling argument is set to false Fix all of the following violations that were found against the Kubelet:- a. Ensure the --anonymous-auth argument is set to false.
b. Ensure that the --authorization-mode argument is set to Webhook.
Fix all of the following violations that were found against the ETCD:-
a. Ensure that the --auto-tls argument is not set to true
Hint: Take the use of Tool Kube-Bench
SIMULATION
Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.
Fix all of the following violations that were found against the API server:- a. Ensure the --authorization-mode argument includes RBAC b. Ensure the --authorization-mode argument includes Node c. Ensure that the --profiling argument is set to false Fix all of the following violations that were found against the Kubelet:- a. Ensure the --anonymous-auth argument is set to false.
b. Ensure that the --authorization-mode argument is set to Webhook.
Fix all of the following violations that were found against the ETCD:-
a. Ensure that the --auto-tls argument is not set to true
Hint: Take the use of Tool Kube-Bench
정답:
API server:
Ensure the --authorization-mode argument includes RBAC
Turn on Role Based Access Control.
Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. It is recommended to use the RBAC authorization mode.
Fix - Buildtime
Kubernetes
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver
+ - --authorization-mode=RBAC,Node
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 15
timeoutSeconds: 15
name: kube-apiserver-should-pass
resources:
requests:
cpu: 250m
volumeMounts:
- mountPath: /etc/kubernetes/
name: k8s
readOnly: true
- mountPath: /etc/ssl/certs
name: certs
- mountPath: /etc/pki
name: pki
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes
name: k8s
- hostPath:
path: /etc/ssl/certs
name: certs
- hostPath:
path: /etc/pki
name: pki
Ensure the --authorization-mode argument includes Node
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to a value that includes Node.
--authorization-mode=Node,RBAC
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'Node,RBAC' has 'Node'
Ensure that the --profiling argument is set to false
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.
--profiling=false
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'false' is equal to 'false'
Fix all of the following violations that were found against the Kubelet:- Ensure the --anonymous-auth argument is set to false.
Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Audit:
/bin/ps -fC kubelet
Audit Config:
/bin/cat /var/lib/kubelet/config.yaml
Expected result:
'false' is equal to 'false'
2) Ensure that the --authorization-mode argument is set to Webhook.
Audit
docker inspect kubelet | jq -e '.[0].Args[] | match("--authorization-mode=Webhook").string' Returned Value: --authorization-mode=Webhook Fix all of the following violations that were found against the ETCD:- a. Ensure that the --auto-tls argument is not set to true Do not use self-signed certificates for TLS. etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.
Fix - Buildtime
Kubernetes
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
+ - etcd
+ - --auto-tls=true
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -ec
- ETCDCTL_API=3 etcdctl --endpoints=https://[192.168.22.9]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
--cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key get foo failureThreshold: 8 initialDelaySeconds: 15 timeoutSeconds: 15 name: etcd-should-fail resources: {} volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/etcd
type: DirectoryOrCreate
name: etcd-certs
status: {}
Ensure the --authorization-mode argument includes RBAC
Turn on Role Based Access Control.
Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. It is recommended to use the RBAC authorization mode.
Fix - Buildtime
Kubernetes
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver
+ - --authorization-mode=RBAC,Node
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 15
timeoutSeconds: 15
name: kube-apiserver-should-pass
resources:
requests:
cpu: 250m
volumeMounts:
- mountPath: /etc/kubernetes/
name: k8s
readOnly: true
- mountPath: /etc/ssl/certs
name: certs
- mountPath: /etc/pki
name: pki
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes
name: k8s
- hostPath:
path: /etc/ssl/certs
name: certs
- hostPath:
path: /etc/pki
name: pki
Ensure the --authorization-mode argument includes Node
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to a value that includes Node.
--authorization-mode=Node,RBAC
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'Node,RBAC' has 'Node'
Ensure that the --profiling argument is set to false
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.
--profiling=false
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'false' is equal to 'false'
Fix all of the following violations that were found against the Kubelet:- Ensure the --anonymous-auth argument is set to false.
Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Audit:
/bin/ps -fC kubelet
Audit Config:
/bin/cat /var/lib/kubelet/config.yaml
Expected result:
'false' is equal to 'false'
2) Ensure that the --authorization-mode argument is set to Webhook.
Audit
docker inspect kubelet | jq -e '.[0].Args[] | match("--authorization-mode=Webhook").string' Returned Value: --authorization-mode=Webhook Fix all of the following violations that were found against the ETCD:- a. Ensure that the --auto-tls argument is not set to true Do not use self-signed certificates for TLS. etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.
Fix - Buildtime
Kubernetes
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
+ - etcd
+ - --auto-tls=true
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -ec
- ETCDCTL_API=3 etcdctl --endpoints=https://[192.168.22.9]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
--cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key get foo failureThreshold: 8 initialDelaySeconds: 15 timeoutSeconds: 15 name: etcd-should-fail resources: {} volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/etcd
type: DirectoryOrCreate
name: etcd-certs
status: {}
문제3
SIMULATION
Documentation Secrets, TLS Secrets, Volumes
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000m40
Path
Key
Context
You must complete securing access to a web server using SSL files stored in a TLS Secret .
Task
Create a TLS Secret named clever-cactus in the clever-cactus namespace for an existing Deployment named clever-cactus.
Use the following SSL files:
File
Certificate /home/candidate/clever-cactus/web.k8s.local.crt
/home/candidate/clever-cactus/web.k8s.local.key
The Deployment is already configured to use the TLS Secret.
Do not modify the existing Deployment.
Failure to do so may result in a reduced score.
SIMULATION
Documentation Secrets, TLS Secrets, Volumes
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000m40
Path
Key
Context
You must complete securing access to a web server using SSL files stored in a TLS Secret .
Task
Create a TLS Secret named clever-cactus in the clever-cactus namespace for an existing Deployment named clever-cactus.
Use the following SSL files:
File
Certificate /home/candidate/clever-cactus/web.k8s.local.crt
/home/candidate/clever-cactus/web.k8s.local.key
The Deployment is already configured to use the TLS Secret.
Do not modify the existing Deployment.
Failure to do so may result in a reduced score.
정답:
See the Explanation below for complete solution
Explanation:
1) Connect to the correct host
ssh cks000m40
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) Verify namespace exists (quick check)
kubectl get ns clever-cactus
3) Verify certificate and key files exist
ls -l /home/candidate/clever-cactus/web.k8s.local.crt
ls -l /home/candidate/clever-cactus/web.k8s.local.key
Both files must exist.
4) Create the TLS Secret (THIS IS THE MAIN TASK)
Create a TLS Secret named clever-cactus in namespace clever-cactus:
kubectl -n clever-cactus create secret tls clever-cactus \
--cert=/home/candidate/clever-cactus/web.k8s.local.crt \
--key=/home/candidate/clever-cactus/web.k8s.local.key
Do NOT use apply
Do NOT edit the Deployment
5) Verify the Secret
kubectl -n clever-cactus get secret clever-cactus
Expected type:
kubernetes.io/tls
Optional detail check:
kubectl -n clever-cactus describe secret clever-cactus
You should see:
tls.crt
tls.key
6) (Optional) Confirm Pods are running
Since the Deployment is already configured to use the Secret, Pods should now work.
kubectl -n clever-cactus get pods
Explanation:
1) Connect to the correct host
ssh cks000m40
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) Verify namespace exists (quick check)
kubectl get ns clever-cactus
3) Verify certificate and key files exist
ls -l /home/candidate/clever-cactus/web.k8s.local.crt
ls -l /home/candidate/clever-cactus/web.k8s.local.key
Both files must exist.
4) Create the TLS Secret (THIS IS THE MAIN TASK)
Create a TLS Secret named clever-cactus in namespace clever-cactus:
kubectl -n clever-cactus create secret tls clever-cactus \
--cert=/home/candidate/clever-cactus/web.k8s.local.crt \
--key=/home/candidate/clever-cactus/web.k8s.local.key
Do NOT use apply
Do NOT edit the Deployment
5) Verify the Secret
kubectl -n clever-cactus get secret clever-cactus
Expected type:
kubernetes.io/tls
Optional detail check:
kubectl -n clever-cactus describe secret clever-cactus
You should see:
tls.crt
tls.key
6) (Optional) Confirm Pods are running
Since the Deployment is already configured to use the Secret, Pods should now work.
kubectl -n clever-cactus get pods
문제4
SIMULATION
Documentation Deployment, Pod, Namespace
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000028
Context
You must update an existing Pod to ensure the immutability of its containers.
Task
Modify the existing Deployment named lamp-deployment, running in namespace lamp, so that its containers:
. run with user ID 20000
. use a read-only root filesystem
. forbid privilege escalation
The Deployment's manifest file con be found at /home/candidate/finer-sunbeam/lamp-deployment.yaml.
SIMULATION
Documentation Deployment, Pod, Namespace
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000028
Context
You must update an existing Pod to ensure the immutability of its containers.
Task
Modify the existing Deployment named lamp-deployment, running in namespace lamp, so that its containers:
. run with user ID 20000
. use a read-only root filesystem
. forbid privilege escalation
The Deployment's manifest file con be found at /home/candidate/finer-sunbeam/lamp-deployment.yaml.
정답:
See the Explanation below for complete solution
Explanation:
1) Connect to the correct host
ssh cks000028
sudo -i
2) Use the right kubeconfig (safe in exam)
export KUBECONFIG=/etc/kubernetes/admin.conf
3) Open the provided Deployment manifest
vi /home/candidate/finer-sunbeam/lamp-deployment.yaml
4) Edit ONLY the Pod template security settings (add/modify these fields) Inside:
spec: -> template: -> spec:
4.1 Set container to run as user 20000
Add (or change) under the container securityContext::
securityContext:
runAsUser: 20000
4.2 Make root filesystem read-only
In the SAME container securityContext: ensure:
readOnlyRootFilesystem: true
4.3 Forbid privilege escalation
In the SAME container securityContext: ensure:
allowPrivilegeEscalation: false
✅ The container section should look like this (example - keep your existing image/ports/etc):
spec:
template:
spec:
containers:
- name: <your-container-name>
image: <unchanged>
securityContext:
runAsUser: 20000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
If there are multiple containers, apply the same securityContext to each container.
Save and exit:
:wq
5) Apply the manifest (updates Deployment -> recreates Pods)
kubectl -n lamp apply -f /home/candidate/finer-sunbeam/lamp-deployment.yaml
6) Wait for rollout
kubectl -n lamp rollout status deployment/lamp-deployment
7) Verify the security settings are live
7.1 Check the Pod is running
kubectl -n lamp get pods -l app=lamp -o wide
(if label differs, just kubectl -n lamp get pods)
7.2 Verify the three fields on a running Pod
Pick the Pod name and run:
POD=$(kubectl -n lamp get pods -o jsonpath='{.items[0].metadata.name}') kubectl -n lamp get pod $POD -o jsonpath='{.spec.containers[0].securityContext.runAsUser}{"\n"}{.spec.containers[0].securityContext.readOnlyRootFilesystem}{"\n"}{.spec.containers[0].securityContext.allowPrivilegeEscalation}{"\n"}' Expected output:
20000
true
false
If the pod fails after readOnlyRootFilesystem=true
Don't change the requirement (task demands it). Usually the app needs writable dirs via volumes, but the task doesn't ask for that-so only adjust if the manifest already has volumes and just needs these securityContext fields.
Explanation:
1) Connect to the correct host
ssh cks000028
sudo -i
2) Use the right kubeconfig (safe in exam)
export KUBECONFIG=/etc/kubernetes/admin.conf
3) Open the provided Deployment manifest
vi /home/candidate/finer-sunbeam/lamp-deployment.yaml
4) Edit ONLY the Pod template security settings (add/modify these fields) Inside:
spec: -> template: -> spec:
4.1 Set container to run as user 20000
Add (or change) under the container securityContext::
securityContext:
runAsUser: 20000
4.2 Make root filesystem read-only
In the SAME container securityContext: ensure:
readOnlyRootFilesystem: true
4.3 Forbid privilege escalation
In the SAME container securityContext: ensure:
allowPrivilegeEscalation: false
✅ The container section should look like this (example - keep your existing image/ports/etc):
spec:
template:
spec:
containers:
- name: <your-container-name>
image: <unchanged>
securityContext:
runAsUser: 20000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
If there are multiple containers, apply the same securityContext to each container.
Save and exit:
:wq
5) Apply the manifest (updates Deployment -> recreates Pods)
kubectl -n lamp apply -f /home/candidate/finer-sunbeam/lamp-deployment.yaml
6) Wait for rollout
kubectl -n lamp rollout status deployment/lamp-deployment
7) Verify the security settings are live
7.1 Check the Pod is running
kubectl -n lamp get pods -l app=lamp -o wide
(if label differs, just kubectl -n lamp get pods)
7.2 Verify the three fields on a running Pod
Pick the Pod name and run:
POD=$(kubectl -n lamp get pods -o jsonpath='{.items[0].metadata.name}') kubectl -n lamp get pod $POD -o jsonpath='{.spec.containers[0].securityContext.runAsUser}{"\n"}{.spec.containers[0].securityContext.readOnlyRootFilesystem}{"\n"}{.spec.containers[0].securityContext.allowPrivilegeEscalation}{"\n"}' Expected output:
20000
true
false
If the pod fails after readOnlyRootFilesystem=true
Don't change the requirement (task demands it). Usually the app needs writable dirs via volumes, but the task doesn't ask for that-so only adjust if the manifest already has volumes and just needs these securityContext fields.
문제5
SIMULATION
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context test-account
Task: Enable audit logs in the cluster.
To do so, enable the log backend, and ensure that:
1. logs are stored at /var/log/Kubernetes/logs.txt
2. log files are retained for 5 days
3. at maximum, a number of 10 old audit log files are retained
A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.
Note: The base policy is located on the cluster's master node.
Edit and extend the basic policy to log:
1. Nodes changes at RequestResponse level
2. The request body of persistentvolumes changes in the namespace frontend
3. ConfigMap and Secret changes in all namespaces at the Metadata level Also, add a catch-all rule to log all other requests at the Metadata level Note: Don't forget to apply the modified policy.
SIMULATION
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context test-account
Task: Enable audit logs in the cluster.
To do so, enable the log backend, and ensure that:
1. logs are stored at /var/log/Kubernetes/logs.txt
2. log files are retained for 5 days
3. at maximum, a number of 10 old audit log files are retained
A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.
Note: The base policy is located on the cluster's master node.
Edit and extend the basic policy to log:
1. Nodes changes at RequestResponse level
2. The request body of persistentvolumes changes in the namespace frontend
3. ConfigMap and Secret changes in all namespaces at the Metadata level Also, add a catch-all rule to log all other requests at the Metadata level Note: Don't forget to apply the modified policy.
정답:
See the Explanation belowExplanation:
$ vim /etc/kubernetes/log-policy/audit-policy.yaml
- level: RequestResponse
userGroups: ["system:nodes"]
- level: Request
resources:
- group: "" # core API group
resources: ["persistentvolumes"]
namespaces: ["frontend"]
- level: Metadata
resources:
- group: ""
resources: ["configmaps", "secrets"]
- level: Metadata
$ vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add these
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/logs.txt
- --audit-log-maxage=5
- --audit-log-maxbackup=10
Explanation:
[desk@cli] $ ssh master1
[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Add your changes below
- level: RequestResponse
userGroups: ["system:nodes"] # Block for nodes
- level: Request
resources:
- group: "" # core API group
resources: ["persistentvolumes"] # Block for persistentvolumes
namespaces: ["frontend"] # Block for persistentvolumes of frontend ns
- level: Metadata
resources:
- group: "" # core API group
resources: ["configmaps", "secrets"] # Block for configmaps & secrets
- level: Metadata # Block for everything else
[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443 labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=10.0.0.5
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
- --audit-log-path=/var/log/kubernetes/logs.txt #Add this
- --audit-log-maxage=5 #Add this
- --audit-log-maxbackup=10 #Add this
...
output truncated
Note: log volume & policy volume is already mounted in vim /etc/kubernetes/manifests/kube-apiserver.yaml so no need to mount it.
$ vim /etc/kubernetes/log-policy/audit-policy.yaml
- level: RequestResponse
userGroups: ["system:nodes"]
- level: Request
resources:
- group: "" # core API group
resources: ["persistentvolumes"]
namespaces: ["frontend"]
- level: Metadata
resources:
- group: ""
resources: ["configmaps", "secrets"]
- level: Metadata
$ vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add these
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/logs.txt
- --audit-log-maxage=5
- --audit-log-maxbackup=10
Explanation:
[desk@cli] $ ssh master1
[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Add your changes below
- level: RequestResponse
userGroups: ["system:nodes"] # Block for nodes
- level: Request
resources:
- group: "" # core API group
resources: ["persistentvolumes"] # Block for persistentvolumes
namespaces: ["frontend"] # Block for persistentvolumes of frontend ns
- level: Metadata
resources:
- group: "" # core API group
resources: ["configmaps", "secrets"] # Block for configmaps & secrets
- level: Metadata # Block for everything else
[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443 labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=10.0.0.5
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
- --audit-log-path=/var/log/kubernetes/logs.txt #Add this
- --audit-log-maxage=5 #Add this
- --audit-log-maxbackup=10 #Add this
...
output truncated
Note: log volume & policy volume is already mounted in vim /etc/kubernetes/manifests/kube-apiserver.yaml so no need to mount it.
문제6
SIMULATION
Context
You must resolve issues that a CIS Benchmark tool found for the kubeadm provisioned cluster.
Task
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the kubelet:
The cluster uses the Docker Engine os its container runtime, If needed, use the docker command to troubleshaot running containers.
Ensure that the anonymous-auth argument is set to false FAIL
Ensure that the -authorization-mode argument is not set to FAIL
AlwaysAllow
Use Webhook authentication /authorization where possible.
Fix all of the following violations that were found against ettd :
Ensure that the -client cert auth argument is set to true FAIL
SIMULATION
Context
You must resolve issues that a CIS Benchmark tool found for the kubeadm provisioned cluster.
Task
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the kubelet:
The cluster uses the Docker Engine os its container runtime, If needed, use the docker command to troubleshaot running containers.
Ensure that the anonymous-auth argument is set to false FAIL
Ensure that the -authorization-mode argument is not set to FAIL
AlwaysAllow
Use Webhook authentication /authorization where possible.
Fix all of the following violations that were found against ettd :
Ensure that the -client cert auth argument is set to true FAIL
정답:
See the Explanation below for complete solution
Explanation:
1) SSH to the right node
ssh cks000002
sudo -i
2) Fix kubelet CIS findings
2.1 Edit kubelet config (MAIN place in kubeadm clusters)
vi /var/lib/kubelet/config.yaml
A) Set anonymous-auth to false
Find (or add) this block exactly:
authentication:
anonymous:
enabled: false
B) Use Webhook authentication (recommended by task)
Ensure this exists under authentication:
webhook:
enabled: true
C) Use Webhook authorization and NOT AlwaysAllow
Find (or add) this block exactly:
authorization:
mode: Webhook
When done, your file should contain something like this (exact structure to aim for):
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
If x509: section isn't there, it's usually already present in kubeadm; don't panic. Only the task-required parts are: anonymous false + webhook enabled + authorization mode Webhook.
2.2 Restart kubelet (required for config.yaml changes)
systemctl daemon-reload
systemctl restart kubelet
systemctl status kubelet --no-pager
Quick confirm (optional but fast):
grep -nE "anonymous|webhook|authorization|mode" /var/lib/kubelet/config.yaml
3) Fix etcd CIS finding: --client-cert-auth=true
3.1 Edit etcd static pod manifest (kubeadm path)
vi /etc/kubernetes/manifests/etcd.yaml
Find the container command: args that look like:
- command:
- etcd
- --something=...
Ensure this line exists exactly in the list:
- --client-cert-auth=true
Also ensure this is present (usually already is, but add if missing):
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
Example snippet (what you want the args area to include):
- command:
- etcd
- --client-cert-auth=true
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
3.2 Apply etcd change (auto-restart happens)
Just save the file. Kubelet will restart etcd automatically.
Watch it restart (pick one depending on runtime):
If Docker runtime (your task mentions Docker):
docker ps | grep etcd
If you don't see it briefly, wait 2-5 seconds and rerun:
docker ps | grep etcd
(Alternative if available)
crictl ps | grep etcd
4) Final quick validation (fast exam check)
Kubelet config check
grep -n "enabled: false" -n /var/lib/kubelet/config.yaml | head
grep -n "webhook" /var/lib/kubelet/config.yaml
grep -n "authorization" /var/lib/kubelet/config.yaml
etcd arg check
grep -n "client-cert-auth" /etc/kubernetes/manifests/etcd.yaml
Explanation:
1) SSH to the right node
ssh cks000002
sudo -i
2) Fix kubelet CIS findings
2.1 Edit kubelet config (MAIN place in kubeadm clusters)
vi /var/lib/kubelet/config.yaml
A) Set anonymous-auth to false
Find (or add) this block exactly:
authentication:
anonymous:
enabled: false
B) Use Webhook authentication (recommended by task)
Ensure this exists under authentication:
webhook:
enabled: true
C) Use Webhook authorization and NOT AlwaysAllow
Find (or add) this block exactly:
authorization:
mode: Webhook
When done, your file should contain something like this (exact structure to aim for):
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
If x509: section isn't there, it's usually already present in kubeadm; don't panic. Only the task-required parts are: anonymous false + webhook enabled + authorization mode Webhook.
2.2 Restart kubelet (required for config.yaml changes)
systemctl daemon-reload
systemctl restart kubelet
systemctl status kubelet --no-pager
Quick confirm (optional but fast):
grep -nE "anonymous|webhook|authorization|mode" /var/lib/kubelet/config.yaml
3) Fix etcd CIS finding: --client-cert-auth=true
3.1 Edit etcd static pod manifest (kubeadm path)
vi /etc/kubernetes/manifests/etcd.yaml
Find the container command: args that look like:
- command:
- etcd
- --something=...
Ensure this line exists exactly in the list:
- --client-cert-auth=true
Also ensure this is present (usually already is, but add if missing):
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
Example snippet (what you want the args area to include):
- command:
- etcd
- --client-cert-auth=true
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
3.2 Apply etcd change (auto-restart happens)
Just save the file. Kubelet will restart etcd automatically.
Watch it restart (pick one depending on runtime):
If Docker runtime (your task mentions Docker):
docker ps | grep etcd
If you don't see it briefly, wait 2-5 seconds and rerun:
docker ps | grep etcd
(Alternative if available)
crictl ps | grep etcd
4) Final quick validation (fast exam check)
Kubelet config check
grep -n "enabled: false" -n /var/lib/kubelet/config.yaml | head
grep -n "webhook" /var/lib/kubelet/config.yaml
grep -n "authorization" /var/lib/kubelet/config.yaml
etcd arg check
grep -n "client-cert-auth" /etc/kubernetes/manifests/etcd.yaml
문제7
SIMULATION
Context
You must implement auditing for the kubeadm provisioned cluster.
Task
First, reconfigure the cluster 's API server, so that:
. the basic audit policy located at
/etc/kubernetes/logpolicy/audit-policy.yaml is used,
. logs are stored at /var/log/kubernetes/audit-logs.txt,
. and a maximum of 2 logs are retained for 10 days.
The cluster uses the Docker Engine as its container runtime . If needed, use the docker command to troubleshoot running containers.
The basic policy only specifies what not to log.
Next, edit and extend the basic policy to log:
. namespaces interactions at RequestResponse level
. the request body of deployments interactions in the namespace webapps
. ConfigMap and Secret interactions in all namespaces at the Metadata level
. all other requests at the Metadata level
Make sure the API server uses the extended policy.
Failure to do so may result in a reduced score.
SIMULATION
Context
You must implement auditing for the kubeadm provisioned cluster.
Task
First, reconfigure the cluster 's API server, so that:
. the basic audit policy located at
/etc/kubernetes/logpolicy/audit-policy.yaml is used,
. logs are stored at /var/log/kubernetes/audit-logs.txt,
. and a maximum of 2 logs are retained for 10 days.
The cluster uses the Docker Engine as its container runtime . If needed, use the docker command to troubleshoot running containers.
The basic policy only specifies what not to log.
Next, edit and extend the basic policy to log:
. namespaces interactions at RequestResponse level
. the request body of deployments interactions in the namespace webapps
. ConfigMap and Secret interactions in all namespaces at the Metadata level
. all other requests at the Metadata level
Make sure the API server uses the extended policy.
Failure to do so may result in a reduced score.
정답:
See the Explanation below for complete solution
Explanation:
1) Connect to the correct host
ssh cks000028
sudo -i
(If hostname differs in your exam, use the one shown in the question banner.)
2) Edit the API server static pod manifest
API server is a static pod in kubeadm.
vi /etc/kubernetes/manifests/kube-apiserver.yaml
3) Configure API server to enable auditing
Inside the command: section, ensure ALL of the following flags exist
(add them if missing, modify if present).
3.1 Use the given audit policy file
- --audit-policy-file=/etc/kubernetes/logpolicy/audit-policy.yaml
3.2 Store audit logs at the required location
- --audit-log-path=/var/log/kubernetes/audit-logs.txt
3.3 Retain a maximum of 2 log files
- --audit-log-maxbackup=2
3.4 Retain logs for 10 days
- --audit-log-maxage=10
✅ Example (your file may have more flags - that's fine):
- command:
- kube-apiserver
- --audit-policy-file=/etc/kubernetes/logpolicy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/audit-logs.txt
- --audit-log-maxbackup=2
- --audit-log-maxage=10
Save and exit:
:wq
The API server will auto-restart (static pod).
Optional quick check:
docker ps | grep kube-apiserver
4) Edit and EXTEND the audit policy
Open the given basic policy:
vi /etc/kubernetes/logpolicy/audit-policy.yaml
The file already contains rules for what NOT to log.
You must ADD rules BELOW them (do not delete existing ones).
5) Add the required audit rules (EXACT ORDER)
Append the following rules in this order (order matters in audit policies).
5.1 Log namespaces interactions at RequestResponse
- level: RequestResponse
resources:
- group: ""
resources: ["namespaces"]
5.2 Log deployment request bodies in namespace webapps
- level: RequestResponse
namespaces: ["webapps"]
resources:
- group: "apps"
resources: ["deployments"]
5.3 Log ConfigMap and Secret interactions (all namespaces) at Metadata
- level: Metadata
resources:
- group: ""
resources: ["configmaps", "secrets"]
5.4 Log all other requests at Metadata
This must be LAST
- level: Metadata
5.5 Final audit-policy.yaml should END like this
# (existing "do not log" rules above)
- level: RequestResponse
resources:
- group: ""
resources: ["namespaces"]
- level: RequestResponse
namespaces: ["webapps"]
resources:
- group: "apps"
resources: ["deployments"]
- level: Metadata
resources:
- group: ""
resources: ["configmaps", "secrets"]
- level: Metadata
Save and exit:
:wq
6) Make sure API server uses the EXTENDED policy
Touch the manifest to guarantee reload:
touch /etc/kubernetes/manifests/kube-apiserver.yaml
Wait a few seconds.
7) Verify auditing is working
7.1 Check audit log file exists
ls -l /var/log/kubernetes/audit-logs.txt
7.2 Generate test activity
kubectl get namespaces
kubectl get configmaps -A
7.3 Confirm logs are written
tail -n 20 /var/log/kubernetes/audit-logs.txt
You should see audit entries.
Explanation:
1) Connect to the correct host
ssh cks000028
sudo -i
(If hostname differs in your exam, use the one shown in the question banner.)
2) Edit the API server static pod manifest
API server is a static pod in kubeadm.
vi /etc/kubernetes/manifests/kube-apiserver.yaml
3) Configure API server to enable auditing
Inside the command: section, ensure ALL of the following flags exist
(add them if missing, modify if present).
3.1 Use the given audit policy file
- --audit-policy-file=/etc/kubernetes/logpolicy/audit-policy.yaml
3.2 Store audit logs at the required location
- --audit-log-path=/var/log/kubernetes/audit-logs.txt
3.3 Retain a maximum of 2 log files
- --audit-log-maxbackup=2
3.4 Retain logs for 10 days
- --audit-log-maxage=10
✅ Example (your file may have more flags - that's fine):
- command:
- kube-apiserver
- --audit-policy-file=/etc/kubernetes/logpolicy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/audit-logs.txt
- --audit-log-maxbackup=2
- --audit-log-maxage=10
Save and exit:
:wq
The API server will auto-restart (static pod).
Optional quick check:
docker ps | grep kube-apiserver
4) Edit and EXTEND the audit policy
Open the given basic policy:
vi /etc/kubernetes/logpolicy/audit-policy.yaml
The file already contains rules for what NOT to log.
You must ADD rules BELOW them (do not delete existing ones).
5) Add the required audit rules (EXACT ORDER)
Append the following rules in this order (order matters in audit policies).
5.1 Log namespaces interactions at RequestResponse
- level: RequestResponse
resources:
- group: ""
resources: ["namespaces"]
5.2 Log deployment request bodies in namespace webapps
- level: RequestResponse
namespaces: ["webapps"]
resources:
- group: "apps"
resources: ["deployments"]
5.3 Log ConfigMap and Secret interactions (all namespaces) at Metadata
- level: Metadata
resources:
- group: ""
resources: ["configmaps", "secrets"]
5.4 Log all other requests at Metadata
This must be LAST
- level: Metadata
5.5 Final audit-policy.yaml should END like this
# (existing "do not log" rules above)
- level: RequestResponse
resources:
- group: ""
resources: ["namespaces"]
- level: RequestResponse
namespaces: ["webapps"]
resources:
- group: "apps"
resources: ["deployments"]
- level: Metadata
resources:
- group: ""
resources: ["configmaps", "secrets"]
- level: Metadata
Save and exit:
:wq
6) Make sure API server uses the EXTENDED policy
Touch the manifest to guarantee reload:
touch /etc/kubernetes/manifests/kube-apiserver.yaml
Wait a few seconds.
7) Verify auditing is working
7.1 Check audit log file exists
ls -l /var/log/kubernetes/audit-logs.txt
7.2 Generate test activity
kubectl get namespaces
kubectl get configmaps -A
7.3 Confirm logs are written
tail -n 20 /var/log/kubernetes/audit-logs.txt
You should see audit entries.