Question: 1
SIMULATION
Use the kubesec Docker image to scan the given YAML manifest, edit and apply the advised changes, and pass with a score of 4 points.
kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
spec:
  containers:
  - name: kubesec-demo
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      readOnlyRootFilesystem: true
Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
Answer : A
Question: 2
SIMULATION
Using the runtime detection tool Falco, analyse the container behaviour for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.
Store the incident file at /opt/falco-incident.txt, containing the detected incidents, one per line, in the format
[timestamp],[uid],[processName]
Answer : A
Question: 3
You can switch the cluster/configuration context using the following command:
[desk@cli] $kubectl config use-context stage
Context:
A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task:
1. Create a new PodSecurityPolicy named deny-policy, which prevents the creation of privileged Pods.
2. Create a new ClusterRole named deny-access-role, which uses the newly created PodSecurityPolicy deny-policy.
3. Create a new ServiceAccount named psp-denial-sa in the existing namespace development.
Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa.
A Explanation:
Create a PodSecurityPolicy that disallows privileged containers, a ClusterRole that is allowed to use that policy, the ServiceAccount, and a ClusterRoleBinding that ties the role to the ServiceAccount:
master1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: deny-policy
spec:
  privileged: false  # Don't allow privileged pods!
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deny-access-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - 'deny-policy'
master1 $ k create sa psp-denial-sa -n development
master1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restrict-access-bind
roleRef:
  kind: ClusterRole
  name: deny-access-role
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
master1 $ k apply -f psp.yaml
master1 $ k apply -f cr1.yaml
master1 $ k apply -f cb1.yaml
Reference: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Answer : A
Question: 4
You must complete this task on the following cluster/nodes:
Cluster: immutable-cluster
Master node: master1
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $kubectl config use-context immutable-cluster
Context: It is best practice to design containers to be stateless and immutable.
Task:
Inspect Pods running in namespace prod and delete any Pod that is either not stateless or not immutable.
Use the following strict interpretation of stateless and immutable:
1. Pods being able to store data inside containers must be treated as not stateless.
Note: You don't have to worry about whether data is actually stored inside containers or not.
2. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.
A Explanation:
k get pods -n prod
k get pod -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
Delete the Pods that have either of these two properties:
privileged: true or readOnlyRootFilesystem: false
[desk@cli] $ k get pods -n prod
NAME    READY   STATUS    RESTARTS   AGE
cms     1/1     Running   0          68m
db      1/1     Running   0          4m
nginx   1/1     Running   0          23m
[desk@cli] $ k get pod nginx -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
{'apiVersion':'v1','kind':'Pod','metadata':{'annotations':{},'creationTimestamp':null,'labels':{'run':'nginx'},'name':'nginx','namespace':'prod'},'spec':{'containers':[{'image':'nginx','name':'nginx','resources':{},'securityContext':{'privileged':true}}],'dnsPolicy':'ClusterFirst','restartPolicy':'Always'},'status':{}}
f:privileged: {}
privileged:true
[desk@cli] $ k delete pod nginx -n prod
[desk@cli] $ k get pod db -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
[desk@cli] $ k delete pod cms -n prod
Reference: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
https://cloud.google.com/architecture/best-practices-for-operating-containers
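The same strict interpretation applied programmatically, as an added example that is not part of the original page: it classifies Pod objects (constructed samples shaped like kubectl JSON output) and, unlike the grep above, also flags containers that never set readOnlyRootFilesystem, since their root filesystem is writable by default.

```python
"""Classify Pods under the strict stateless/immutable interpretation of the task:
a writable root filesystem (readOnlyRootFilesystem missing or false) means
"not stateless"; privileged: true means "potentially not immutable".
Hypothetical helper written for this page, not part of it; the Pod objects
below are constructed samples shaped like `kubectl get pod -o json` output."""


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def violations(pod):
    """Reasons a Pod fails the check. The grep in the explanation only sees
    fields that are present; a container with no readOnlyRootFilesystem at all
    still has a writable root filesystem and is flagged here as well."""
    reasons = []
    for c in _containers(pod):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            reasons.append(f"{c['name']}: privileged: true")
        if sc.get("readOnlyRootFilesystem") is not True:
            reasons.append(f"{c['name']}: readOnlyRootFilesystem is not true")
    return reasons


def pods_to_delete(pods):
    """Names of the Pods that must be deleted, in listing order."""
    return [p["metadata"]["name"] for p in pods if violations(p)]


def _pod(name, **security_context):
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "prod"},
            "spec": {"containers": [{"name": name, "image": name,
                                     "securityContext": security_context}]}}


# Constructed sample Pods for namespace prod (not real cluster output).
SAMPLE_PODS = [
    _pod("cms", readOnlyRootFilesystem=False),
    _pod("db"),                                   # no securityContext set at all
    _pod("nginx", privileged=True),
    _pod("api", readOnlyRootFilesystem=True, privileged=False),
]

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        print(pod["metadata"]["name"], violations(pod) or "ok")
    print("delete:", pods_to_delete(SAMPLE_PODS))
```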
Answer : A
Question: 5
Cluster: qa-cluster
Master node: master
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $kubectl config use-context qa-cluster
Task:
Create a NetworkPolicy named restricted-policy to restrict access to Pod product running in namespace dev.
Only allow the following Pods to connect to Pod products-service:
1. Pods in the namespace qa
2. Pods with label environment: stage, in any namespace
A Explanation:
[desk@cli] $ k get ns qa --show-labels
NAME   STATUS   AGE   LABELS
qa     Active   47m   env=stage
[desk@cli] $ k get pods -n dev --show-labels
NAME      READY   STATUS    RESTARTS   AGE   LABELS
product   1/1     Running   0          3s    env=dev-team
[desk@cli] $ vim netpol2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restricted-policy
  namespace: dev
spec:
  podSelector:
    matchLabels:
      env: dev-team
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Entry 1: every Pod in a namespace labelled env=stage (namespace qa).
    - namespaceSelector:
        matchLabels:
          env: stage
    # Entry 2: Pods labelled environment=stage in any namespace. The empty
    # namespaceSelector is required here: a podSelector on its own only
    # matches Pods in the policy's own namespace (dev).
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          environment: stage
[desk@cli] $ k apply -f netpol2.yaml
Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/
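How the `from` entries of the policy are evaluated, as an added example that is not part of the original page: it implements the Kubernetes peer semantics (entries OR-ed, selectors within one entry AND-ed, a lone podSelector scoped to the policy's namespace) and shows why a podSelector on its own does not satisfy "in any namespace". The namespaces, labels and peers are constructed for the example.

```python
"""Evaluate a NetworkPolicy ingress `from` list against candidate source Pods
using the Kubernetes peer semantics: entries in `from` are OR-ed; inside one
entry namespaceSelector and podSelector are AND-ed; a podSelector given on its
own only matches Pods in the policy's own namespace. Hypothetical helper
written for this page, not the project's code; namespaces, labels and Pods
below are constructed samples."""


def _selects(selector, labels):
    """None: selector absent. {} selects everything; all matchLabels must match."""
    if selector is None:
        return None
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src_ns, ns_labels, pod_labels):
    ns_ok = _selects(peer.get("namespaceSelector"), ns_labels)
    pod_ok = _selects(peer.get("podSelector"), pod_labels)
    if ns_ok is None:          # podSelector alone: the policy's own namespace only
        return bool(pod_ok) and src_ns == policy_ns
    if pod_ok is None:         # namespaceSelector alone: every Pod in matching namespaces
        return ns_ok
    return ns_ok and pod_ok    # both in one entry: AND


def ingress_allowed(peers, policy_ns, src_ns, ns_labels, pod_labels):
    """True if any `from` entry admits the source Pod (entries are OR-ed)."""
    return any(peer_matches(p, policy_ns, src_ns, ns_labels, pod_labels) for p in peers)


# Constructed namespaces: qa carries env=stage, dev and ops carry no labels.
NAMESPACES = {"qa": {"env": "stage"}, "dev": {}, "ops": {}}
# Entry 1: every Pod in a namespace labelled env=stage.
NS_PEER = {"namespaceSelector": {"matchLabels": {"env": "stage"}}}
# podSelector alone: environment=stage Pods in namespace dev only.
SAME_NS_PEER = {"podSelector": {"matchLabels": {"environment": "stage"}}}
# namespaceSelector {} AND podSelector: environment=stage Pods in any namespace.
ANY_NS_PEER = {"namespaceSelector": {}, "podSelector": {"matchLabels": {"environment": "stage"}}}


def allowed_by(peers, src_ns, pod_labels):
    """Decision for a policy living in namespace dev (restricted-policy)."""
    return ingress_allowed(peers, "dev", src_ns, NAMESPACES[src_ns], pod_labels)


if __name__ == "__main__":
    cases = [("qa", {}), ("dev", {"environment": "stage"}), ("ops", {"environment": "stage"})]
    for peers in ([NS_PEER, SAME_NS_PEER], [NS_PEER, ANY_NS_PEER]):
        print([allowed_by(peers, ns, labels) for ns, labels in cases])
```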
Answer : A