CKS exam question sharing, free CKS exam question download. Passing the Linux Foundation CKS certification exam will certainly give you good career prospects, because the Linux Foundation CKS certification exam is a test of IT knowledge; passing it proves that your IT expertise is strong and that you have the ability to take on a good job.
The Linux Foundation CKS certificate is a highly valuable credential for IT professionals who work with Kubernetes. It demonstrates their expertise in Kubernetes cluster security and their ability to apply best practices in real-world scenarios. The certificate is recognized by employers worldwide and can help professionals advance their careers in cloud-native computing.
Latest Kubernetes Security Specialist CKS free exam questions (Q25-Q30):
Question #25
You are running a Kubernetes cluster with several sensitive applications. You need to restrict access to the cluster from external sources to only the IP addresses of your development team's laptops. How can you implement this using Network Policies?
Answer:
Explanation:
Solution (step by step):
1. Define Network Policy: create a NetworkPolicy YAML file named 'restrict-external-access.yaml'.
- Replace the placeholder with the namespace where your sensitive applications are deployed.
- Replace the placeholder with the IP range of your development team's laptops, for example '192.168.1.0/24' or a specific set of IP addresses.
2. Apply Network Policy: use 'kubectl' to apply the NetworkPolicy to your Kubernetes cluster.
kubectl apply -f restrict-external-access.yaml
3. Verify Network Policy: verify that the NetworkPolicy is applied correctly:
kubectl get networkpolicies -n
You should see the 'restrict-external-access' NetworkPolicy listed.
4. Test Access: try accessing the cluster from an external IP address outside of the defined range. You should be blocked. Access from within the defined IP range should be allowed.
This NetworkPolicy restricts ingress traffic to pods within the specified namespace. It allows connections from the specified IP range and blocks all other external connections.
Important Note: Ensure your firewall and other network security measures are properly configured to work in conjunction with the NetworkPolicy.
Question #26
You need to configure a Kubernetes cluster to use a pod security policy (PSP) that restricts the use of privileged containers and specific capabilities. You want to only allow specific pods in the 'production' namespace to run with the 'NET_ADMIN' capability.
Answer:
Explanation:
Solution (step by step):
1. Create a PSP:
- Define a PSP that restricts the use of privileged containers and capabilities, except for the 'NET_ADMIN' capability for pods in the 'production' namespace.
2. Create a PSP Binding:
- Bind the PSP to the 'production' namespace.
3. Create a Pod:
- Create a Pod in the 'production' namespace and specify the 'securityContext' with the 'NET_ADMIN' capability.
4. Apply the YAML files:
- Apply the created YAML files using 'kubectl apply -f'.
5. Verify the permissions:
- Try to create a Pod in other namespaces with the 'NET_ADMIN' capability. It should be rejected.
Question #27
SIMULATION
Create a network policy named restrict-np to restrict to pod nginx-test running in namespace testing.
Only allow the following Pods to connect to Pod nginx-test:
1. pods in the namespace default
2. pods with label version:v1 in any namespace.
Make sure to apply the network policy.
A. Send us your Feedback on this.
Answer: A
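As an added example (not part of the exam dump's answer key), here are the manifests for Question #27 and for step 1 of Question #25 written out. The policy name, namespace, pod name, label and CIDR come from the question text; the pod label 'run: nginx-test' and the Question #25 namespace are assumptions, and both policies assume a CNI plugin that enforces NetworkPolicy.

```yaml
# Added example, not part of the exam dump. Q27 policy first, then the Q25
# step-1 file. Values from the questions: restrict-np, testing, nginx-test,
# version: v1, 192.168.1.0/24. The pod label and the Q25 namespace are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-np
  namespace: testing
spec:
  podSelector:
    matchLabels:
      run: nginx-test          # assumption: label set by 'kubectl run nginx-test'
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Separate "-" entries are OR'ed: a peer matching either one is allowed.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default
    # Inside one entry the selectors are AND'ed: pod label version=v1 in any
    # namespace. Omitting namespaceSelector would limit this to "testing" only.
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          version: v1
    # Pitfall: merging both selectors into a single entry would require
    # default-namespace pods to also carry version=v1.
---
# Q25 step 1: allow ingress only from the team's CIDR. ipBlock matches the
# source IP the pod sees, so it must be preserved on the way in (e.g. a
# Service with externalTrafficPolicy: Local); SNAT by a load balancer or
# kube-proxy would otherwise hide the client address.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-external-access
  namespace: "<sensitive-apps-namespace>"   # placeholder
spec:
  podSelector: {}            # applies to every pod in the namespace
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.1.0/24
```

Check the result with 'kubectl describe networkpolicy restrict-np -n testing', which lists each allowed peer separately and makes the OR between entries visible.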
Question #28
Context
A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
Task
Given an existing Pod named web-pod running in the namespace security.
Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.
Create a new Role named role-2 in the namespace security, which only allows performing update operations, only on resources of type namespaces.
Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.
Answer:
Explanation:
Question #29
SIMULATION
Context:
Cluster: gvisor
Master node: master1
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context gvisor
Context: This cluster has been prepared to support the runtime handler runsc as well as the traditional one.
Task:
Create a RuntimeClass named not-trusted using the prepared runtime handler named runsc.
Update all Pods in the namespace server to run on the new runtime.
Answer:
Explanation:
[desk@cli] $ vim runtime.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: not-trusted
handler: runsc
[desk@cli] $ k apply -f runtime.yaml
[desk@cli] $ k get pods
NAME READY STATUS RESTARTS AGE
nginx-6798fc88e8-chp6r 1/1 Running 0 11m
nginx-6798fc88e8-fs53n 1/1 Running 0 11m
nginx-6798fc88e8-ndved 1/1 Running 0 11m
[desk@cli] $ k get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 3/3 11 3 5m
[desk@cli] $ k edit deploy nginx