CKS study text, free CKS question bank. Our CKS question torrent is not only affordably priced; compared with the CKS exam offerings of other training platforms on the market, it also provides updates that make instant upgrades easy for users and fully supports practice, so its questions can be said to deliver high-quality performance. You will never regret downloading and studying the CKS learning materials, and you will pass the CKS exam on your first attempt.

The Linux Foundation CKS (Certified Kubernetes Security Specialist) certification exam is designed for IT professionals who want to demonstrate expertise in securing containerized applications and the Kubernetes platform. Because Kubernetes has become the go-to platform for deploying and managing containerized applications, a solid understanding of Kubernetes security best practices is essential. This certification validates that candidates have the skills and knowledge required to secure the Kubernetes platform and containerized applications.

The Linux Foundation Certified Kubernetes Security Specialist (CKS) exam is designed to certify the knowledge, skills and expertise of security professionals in securing containerized applications and the Kubernetes platform. Kubernetes is an open-source platform for managing containerized workloads and services and has become the de facto standard for container orchestration. As organizations increasingly adopt Kubernetes for containerized workloads, demand for security professionals with Kubernetes expertise is growing as well. Linux Foundation Certified Kubernetes Security Specialist (CKS) Certification CKS Exam Questions (Q36-Q41):

Question # 36
You can switch the cluster/configuration context using the following command:

```bash
[desk@cli] $ kubectl config use-context dev
```

A default-deny NetworkPolicy avoids accidentally exposing a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress. The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.

Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.

You can find a skeleton manifest file at /home/cert_masters/network-policy.yaml

Correct answer:
Explanation:

```bash
master1 $ k get pods -n test --show-labels
NAME       READY   STATUS    RESTARTS   AGE   LABELS
test-pod   1/1     Running   0          34s   role=test,run=test-pod
testing    1/1     Running   0          17d   run=testing
$ vim netpol.yaml
```

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-network
  namespace: test
spec:
  podSelector: {}        # empty selector: the policy applies to every Pod in the namespace
  policyTypes:           # both types listed with no ingress/egress rules below them,
  - Ingress              # so no traffic in either direction is allowed
  - Egress
```

```bash
master1 $ k apply -f netpol.yaml
```
Reference: https://kubernetes.io/docs/conce ... g/network-policies/
Question # 37

You can switch the cluster/configuration context using the following command:

```bash
[desk@cli] $ kubectl config use-context prod-account
```

Context: A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

Task: Given an existing Pod named web-pod running in the namespace database.

1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.
2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statefulsets.
3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.

Note: Don't delete the existing RoleBinding.

Correct answer:

Explanation:
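The page gives no answer for this question. The manifests below are an added example of one way to complete the three tasks; they are not the page's answer key. The question does not name the existing Role, so `existing-role` is a placeholder for whichever Role the RoleBinding of test-sa points at; everything else (namespace database, ServiceAccount test-sa, Role test-role-2, RoleBinding test-role-2-bind) comes from the question.

```yaml
# Added example, not the page's own answer.
# "existing-role" is a placeholder: find the real name with
#   kubectl -n database get rolebinding -o wide
# and edit that Role (kubectl -n database edit role <name>) so its rules become:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: existing-role          # placeholder for the Role already bound to test-sa
  namespace: database
rules:
- apiGroups: [""]              # core API group, where Pods live
  resources: ["pods"]
  verbs: ["get"]               # task 1: get only, Pods only (no list/watch, no "*")
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role-2
  namespace: database
rules:
- apiGroups: ["apps"]          # StatefulSets live in the apps group, not the core group
  resources: ["statefulsets"]
  verbs: ["update"]            # task 2: update only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-role-2-bind       # task 3: bind the new Role to the Pod's ServiceAccount
  namespace: database
subjects:
- kind: ServiceAccount
  name: test-sa
  namespace: database
roleRef:
  kind: Role
  name: test-role-2
  apiGroup: rbac.authorization.k8s.io
```

The two new objects can also be created imperatively with `kubectl -n database create role test-role-2 --verb=update --resource=statefulsets` and `kubectl -n database create rolebinding test-role-2-bind --role=test-role-2 --serviceaccount=database:test-sa`. The existing RoleBinding is left in place, as the note requires. To confirm the reduced permissions, impersonate the ServiceAccount: `kubectl -n database auth can-i get pods --as=system:serviceaccount:database:test-sa` should answer yes, while `kubectl -n database auth can-i list pods --as=system:serviceaccount:database:test-sa` and `kubectl -n database auth can-i delete statefulsets --as=system:serviceaccount:database:test-sa` should answer no.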
Question # 38

You are running a highly sensitive application in your Kubernetes cluster, which stores personal identifiable information (PII) data. You suspect that a malicious actor might have injected a malicious container image into your cluster and is now attempting to exfiltrate this data. You need to implement a solution to detect and prevent any suspicious data exfiltration attempts from within your cluster.

Correct answer:

Explanation:
Solution (Step by Step):

1. Enable Container Security Policies (CSP) with Admission Control:
- Configure a CSP policy using the 'PodSecurityPolicy' or the newer 'PodSecurity' object.
- Restrict network egress for containers running your sensitive application to only allow communication to approved external services and destinations.
- Define rules within the CSP policy that disallow any container from accessing privileged ports or using privileged capabilities. This will limit the attacker's ability to establish unauthorized connections or manipulate system resources.
- Example CSP policy with 'PodSecurity':

2. Implement Network Policies:
- Configure network policies to restrict outbound network traffic from pods running the sensitive application.
- Allow only specific ports and destinations required for the application's functionality.
- This step helps prevent any unauthorized connections from the compromised container to external networks.
- Example Network Policy:

3. Deploy Intrusion Detection Systems (IDS) in the Cluster:
- Deploy an IDS solution like Falco or Sysdig within your cluster.
- Configure Falco to monitor for suspicious activities like file system modifications, network connections, or process executions that might indicate data exfiltration attempts.
- Falco can trigger alerts and block malicious activities based on the defined rules.
- Example Falco rule:

4. Utilize Runtime Security Tools:
- Deploy a runtime security tool like Aqua Security, Twistlock, or Snyk.
- These tools monitor running containers for suspicious behaviors and vulnerabilities.
- They can enforce security policies, detect anomalies, and alert you about potential data breaches.
- This helps you quickly identify compromised containers and take appropriate actions.

5. Implement Data Encryption and Access Control:
- Encrypt the PII data stored in your Kubernetes cluster at rest and in transit.
- Utilize tools like Vault or KMS to manage and secure encryption keys.
- Implement access control measures to limit access to sensitive data to authorized users and applications.
- This minimizes the impact of a data breach even if the malicious container gains access to the data.

By combining these security measures, you can significantly reduce the risk of data exfiltration and enhance the security posture of your sensitive application running in the Kubernetes cluster.
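The answer refers to an example PodSecurity policy, an example Network Policy and an example Falco rule but reproduces none of them. The block below is an added example that fills those three slots in working form; it is not the page's own material. Assumptions: the PII workload runs in a namespace named `pii` with the label `app=pii-app`, its only approved external destination is the constructed address 203.0.113.10 on TCP 443, and cluster DNS runs in kube-system under the label `k8s-app=kube-dns`. The first two documents are Kubernetes manifests; the last document is a Falco rules file and must be saved separately (it is not applied with kubectl).

```yaml
# Added example, not the page's own. Namespace, labels and the address
# 203.0.113.10 are constructed for illustration.
#
# 1. Pod Security Admission (the "PodSecurity" object the answer refers to).
#    The restricted profile rejects privileged containers, added capabilities,
#    host namespaces and hostPorts at admission time, cluster-wide for this namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: pii
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# 2. Egress allowlist for the sensitive Pods. Listing Egress in policyTypes
#    with only these two rules drops every other outbound connection.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pii-app-egress-allowlist
  namespace: pii
spec:
  podSelector:
    matchLabels:
      app: pii-app
  policyTypes:
  - Egress
  egress:
  - to:                           # rule 1: cluster DNS, otherwise name resolution breaks
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:                           # rule 2: the single approved external service
    - ipBlock:
        cidr: 203.0.113.10/32     # constructed example address
    ports:
    - protocol: TCP
      port: 443
---
# 3. Falco rule: save this document as its own rules file (for example
#    falco_rules.local.yaml). It alerts on any outbound IPv4 connection from the
#    pii namespace that is not to the approved address, so an attempt the
#    NetworkPolicy above blocks is still recorded with the Pod, process and image.
- list: pii_approved_ips
  items: ["203.0.113.10"]

- rule: Unexpected outbound connection from PII namespace
  desc: A process in the pii namespace opened a connection to a non-approved address
  condition: >
    evt.type = connect and evt.dir = < and fd.typechar = 4 and
    k8s.ns.name = "pii" and
    not fd.sip in (pii_approved_ips) and
    not fd.sport = 53
  output: >
    Outbound connection to non-approved destination
    (pod=%k8s.pod.name ns=%k8s.ns.name proc=%proc.name
    dest=%fd.sip:%fd.sport image=%container.image.repository)
  priority: WARNING
  tags: [network, exfiltration, k8s]
```

The NetworkPolicy and the Falco rule are deliberately built around the same allowlist: the policy is the preventive control, the rule is the detective one, and the Falco output names the image repository so a pulled-in malicious image shows up directly in the alert rather than having to be looked up afterwards. DNS is excluded from the rule only because it is already confined to kube-dns by the policy.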
Question # 39

You have a Kubernetes cluster running a critical application with a Deployment named 'myapp-deployment'. You suspect a recent image update has introduced a vulnerability that's causing the application to crash frequently.

You need to investigate this issue and determine the exact phase of the attack and the potential bad actor responsible. You have access to the following resources:

Kubernetes audit logs: Enabled at the cluster level.
Container logs: Available for all pods associated with the 'myapp-deployment'.
Network traffic logs: Captured by a network security solution.

How would you use these resources to identify the attack phase, the potential bad actor, and the source of the vulnerability?

Correct answer:

Explanation:
Solution (Step by Step):

1. Analyze Kubernetes Audit Logs:
- Focus on events related to the 'myapp-deployment': Search for entries related to pod creation, deletion, image pulls, and resource updates.
- Look for suspicious activity: Pay attention to any unusual image updates, unauthorized access attempts, or resource changes that occurred around the time of the crashes.
- Identify the user or service account responsible for the changes: This could point to a potential bad actor if the user/service account is not expected to modify the Deployment.

2. Examine Container Logs:
- Search for crash messages and error codes: This will provide insights into the specific cause of the application crashes.
- Identify any unusual or suspicious activity within the container: Look for signs of malicious processes, unauthorized network connections, or data exfiltration attempts.

3. Analyze Network Traffic Logs:
- Identify the source of the compromised image: Network logs can reveal the IP address of the registry or repository from which the vulnerable image was pulled.
- Examine network connections from the affected pods: Look for unusual or unauthorized outbound connections that could indicate malware or communication with a malicious server.

4. Correlate Findings:
- Combine information from the different logs to build a comprehensive picture of the attack.
- For example, if you find a suspicious image pull in the audit logs, and the container logs show signs of malware activity, you have strong evidence of a malicious image vulnerability.
Example Code Snippets:

Kubernetes Audit Logs (using kubectl):

```bash
# The API server static Pod is normally named kube-apiserver-<node-name>, and audit
# events are written to the file given by --audit-log-path on the control-plane node;
# they only appear in the container log when that path is "-" (stdout).
kubectl logs -f -n kube-system kube-apiserver -c kube-apiserver | grep "myapp-deployment" | grep "Create" | grep "Image"
```

Container Logs (using kubectl):

```bash
# replace myapp-deployment-pod-name with a real Pod name from "kubectl get pods"
kubectl logs -f myapp-deployment-pod-name -c myapp
```

Network Traffic Logs (using a network security tool like Falco):

```bash
# -c selects the Falco configuration file; -o overrides a configuration option,
# here switching the alert output to JSON lines
falco -c falco.yaml -o json_output=true
```

Note: The specific commands and tools may vary depending on your Kubernetes environment and security tools.
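Step 1 only works if the audit policy actually records who changed the Deployment and what image they set, which the default Metadata level does not capture. The audit Policy below is an added example, not part of the page's answer, of a policy that records the full request body for Deployment changes while keeping Secrets out of the log. It assumes kube-apiserver is started with `--audit-policy-file` pointing at this file and `--audit-log-path` pointing at a file on the node; the namespace `production` is a placeholder.

```yaml
# Added example, not the page's own. "production" is a placeholder namespace.
apiVersion: audit.k8s.io/v1
kind: Policy
# Every request is also emitted at RequestReceived; ResponseComplete alone is
# enough for forensics and halves the log volume.
omitStages:
  - "RequestReceived"
rules:
  # Full request and response bodies for changes to Deployments/ReplicaSets.
  # The resulting event carries user.username (who), sourceIPs (from where),
  # requestReceivedTimestamp (when) and
  # requestObject.spec.template.spec.containers[].image (which image was set).
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "apps"
        resources: ["deployments", "replicasets"]
    namespaces: ["production"]       # placeholder namespace
  # Pod lifecycle, exec, attach and log reads in that namespace: who did what,
  # without request bodies.
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "pods/exec", "pods/attach", "pods/log"]
    namespaces: ["production"]
  # Never record the contents of Secrets or ConfigMaps.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Everything else: metadata only.
  - level: Metadata
```

With this policy in place, the question in step 1 (who changed the image, from which address, and to what) becomes a single filter over the log file, for example `jq 'select(.objectRef.name=="myapp-deployment" and (.verb=="update" or .verb=="patch")) | {user: .user.username, ip: .sourceIPs, ts: .requestReceivedTimestamp, image: .requestObject.spec.template.spec.containers[].image}' /var/log/kubernetes/audit.log` (the log path is whatever `--audit-log-path` was set to; the one shown is an assumption). The image string that comes back is also what to match against the registry traffic in step 3.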
Question # 40

SIMULATION

Create a network policy named restrict-np to restrict access to pod nginx-test running in namespace testing.

Only allow the following Pods to connect to Pod nginx-test:

1. pods in the namespace default
2. pods with label version:v1 in any namespace.

Make sure to apply the network policy.
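No answer for this question appears on the page. The manifest below is an added example of a policy that meets both requirements; it is not the page's answer key. It assumes the Pod nginx-test carries the label `run=nginx-test` (the label `kubectl run` sets), which should be checked with `kubectl -n testing get pod nginx-test --show-labels` before applying. The point it demonstrates beyond the question text is the selector logic that most often goes wrong here: two entries under `from` are OR-ed, while a `podSelector` and a `namespaceSelector` inside one entry are AND-ed.

```yaml
# Added example, not the page's own answer. Assumes the target Pod is labelled
# run=nginx-test; adjust the podSelector if "--show-labels" says otherwise.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-np
  namespace: testing
spec:
  podSelector:
    matchLabels:
      run: nginx-test            # the single Pod being protected
  policyTypes:
  - Ingress                      # only inbound traffic is restricted; egress stays open
  ingress:
  - from:
    # Each list item below is an independent source; a peer matching EITHER is allowed.
    - namespaceSelector:         # 1. any Pod in the namespace "default"
        matchLabels:
          kubernetes.io/metadata.name: default
    - podSelector:               # 2. Pods labelled version=v1 ...
        matchLabels:
          version: v1
      namespaceSelector: {}      # ... in any namespace: the empty selector matches all
                                 #     namespaces; without it the podSelector would only
                                 #     match Pods in "testing"
```

Apply it with `kubectl apply -f restrict-np.yaml` and read it back with `kubectl -n testing describe networkpolicy restrict-np`, which prints the two sources as separate "From" blocks. Had the two selectors been written as a single `from` entry, the policy would admit only version=v1 Pods that are also in the default namespace, which satisfies neither requirement. The `kubernetes.io/metadata.name` label is set automatically on every namespace by the API server, so no manual labelling of `default` is needed.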