Linux Foundation CKS exam content, CKS PDF question bank. Choosing suitable training is the guarantee of success, but the choice itself matters a great deal; NewDumps is widely known, and there is no reason not to choose it. Of course, even complete training material is of no use if it does not suit you, so before using NewDumps training material you can first download some free sample questions and answers as a trial. That way you can make the most realistic exam preparation and face the CKS test with ease, which is also one of the important reasons why thousands of candidates rely on NewDumps. We provide the best, most affordable and most complete CKS exam training material to help them pass the test.
The CKS certification is very valuable for IT professionals working with Kubernetes and containerized applications. It demonstrates a candidate's commitment to maintaining the highest security standards at work and gives a competitive advantage in the job market. The certification exam is rigorous and challenging, requiring candidates to have a strong understanding of Kubernetes security best practices. However, it is also a worthwhile experience, because candidates who pass the exam will have the skills and knowledge to secure Kubernetes environments and protect their organization from cyber threats. Latest Kubernetes Security Specialist CKS free exam questions (Q32-Q37):
Question #32
Your Kubernetes cluster is running a web application that requires access to a database hosted on an external cloud provider. Describe how you can secure the connection between the application and the database using TLS/SSL encryption and identity-based authentication.
Answer:
Explanation:
Solution (Step by Step) :
1. Configure TLS/SSL Encryption:
- Generate Certificate: Obtain a TLS/SSL certificate from a trusted certificate authority (CA), or use a self-signed certificate for development purposes.
- Install Certificate on Database Server: Install the certificate on the database server, making it available to the database service.
- Configure Database Service: Configure the database service to accept connections only over TLS/SSL.
- Configure Application Container:
- Mount Certificate: Mount the TLS/SSL certificate into the application container as a secret.
- Configure Application Code: Update the application code to use the certificate when connecting to the database.
2. Implement Identity-Based Authentication:
- Create Database User: Create a dedicated database user specifically for the web application.
- Grant Permissions: Grant appropriate permissions to the database user, limiting access to the necessary tables and data.
- Use Authentication Plugin: Configure the database service to use an authentication plugin that supports identity-based authentication.
- Generate Database Credentials: Generate database credentials (username and password) for the application.
- Store Credentials Secretly: Store the database credentials securely as a Kubernetes secret.
- Access Credentials from Application: Configure the application to access the database credentials from the secret.
3. Connect Application to Database:
- Configure Connection String: Update the application's connection string to use TLS/SSL and the database user credentials.
- Example Connection String:
jdbc:postgresql://database-host:5432/database-name?ssl=true&sslmode=require&user=app-user&password=app-password
4. Security Considerations:
- Certificate Validation: Ensure the certificate is validated by the application to prevent man-in-the-middle attacks.
- Secure Credential Management: Implement strong security measures to protect the database credentials stored as secrets.
- Access Control: Limit access to the database to only authorized users and applications.
- Network Isolation: Consider using network policies to isolate the web application from other workloads and restrict unnecessary network traffic.
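As an added illustration of steps 1 to 4 (it is not part of the original answer), the following Python reads the CA certificate and the credentials from files projected by a Kubernetes Secret and assembles libpq-style connection parameters with server-certificate verification enforced. The directory layout (ca.crt, username and password under one mount path) and the host and database names are assumptions. It refuses `sslmode=require`, which the sample connection string above uses, because `require` only encrypts and does not by itself check the server certificate; `verify-full` together with `sslrootcert` is what makes the certificate validation in step 4 effective. It also keeps the password out of the URL, where it would otherwise surface in logs and process listings.

```python
"""Added example: assemble a PostgreSQL (libpq-style) connection from
Kubernetes-mounted Secret files with TLS verification enforced.

Assumptions (not from the original answer): the CA certificate and the
database credentials are projected into the pod as files under one
directory (e.g. /etc/db-creds) by a Secret volume; the file names
ca.crt, username and password are hypothetical.
"""
import tempfile
from pathlib import Path
from urllib.parse import urlencode

# sslmode values that do NOT verify the server certificate: "require" only
# encrypts, so a forged certificate from a man-in-the-middle is accepted.
WEAK_SSLMODES = {"disable", "allow", "prefer", "require", "verify-ca"}


def build_db_params(secret_dir, host, port, dbname, sslmode="verify-full"):
    """Return libpq keyword parameters for a TLS + password-authenticated
    connection, reading secret material from files rather than embedding
    it in a URL (URLs leak into logs and process listings)."""
    if sslmode in WEAK_SSLMODES:
        raise ValueError(f"sslmode={sslmode!r} does not verify the server identity; use verify-full")
    secret_dir = Path(secret_dir)
    ca_path = secret_dir / "ca.crt"
    if not ca_path.is_file():
        raise FileNotFoundError(f"CA certificate missing at {ca_path}")
    user = (secret_dir / "username").read_text().strip()
    password = (secret_dir / "password").read_text().strip()
    if not user or not password:
        raise ValueError("database credentials are empty")
    return {
        "host": host,
        "port": int(port),
        "dbname": dbname,
        "user": user,
        "password": password,
        "sslmode": sslmode,
        "sslrootcert": str(ca_path),  # the CA the server certificate must chain to
    }


def redacted_dsn(params):
    """Loggable connection string: same parameters, password omitted."""
    shown = {k: v for k, v in params.items() if k != "password"}
    query = urlencode({k: v for k, v in shown.items() if k not in ("host", "port", "dbname")})
    return f"postgresql://{shown['host']}:{shown['port']}/{shown['dbname']}?{query}"


def make_constructed_secret_dir():
    """Constructed stand-in for a Secret volume mount (placeholder values)."""
    d = Path(tempfile.mkdtemp())
    (d / "ca.crt").write_text("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    (d / "username").write_text("app-user\n")
    (d / "password").write_text("app-password\n")
    return str(d)


if __name__ == "__main__":
    secret_dir = make_constructed_secret_dir()
    params = build_db_params(secret_dir, "database-host", 5432, "database-name")
    print(redacted_dsn(params))
```

The returned dictionary can be passed straight to a driver such as psycopg2 (`psycopg2.connect(**params)`); only `redacted_dsn` should ever reach a log line.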
Question #33
SIMULATION
A container image scanner is set up on the cluster.
Given an incomplete configuration in the directory
/etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy
1. Enable the admission plugin.
2. Validate the control configuration and change it to implicit deny.
Finally, test the configuration by deploying a pod whose image tag is latest.
A. Send us the Feedback on it.
Answer: A
Question #34
SIMULATION
Create a PSP that will only allow the persistentvolumeclaim as the volume type in the namespace restricted.
Create a new PodSecurityPolicy named prevent-volume-policy which prevents pods from mounting any volume type other than persistentvolumeclaim.
Create a new ServiceAccount named psp-sa in the namespace restricted.
Create a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policy.
Create a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.
Hint:
Also check that the configuration is working by trying to mount a Secret in the pod manifest; it should fail.
POD Manifest:
apiVersion: v1
kind: Pod
metadata:
  name:
spec:
  containers:
  - name:
    image:
    volumeMounts:
    - name:
      mountPath:
  volumes:
  - name:
    secret:
      secretName:
Answer:
Explanation:
See the explanation below.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
  - ALL
  # Allow core volume types.
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  # Assume that persistentVolumes set up by the cluster admin are safe to use.
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    # Forbid adding the root group.
    - min: 1
      max: 65535
  readOnlyRootFilesystem: false
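To check the hint offline, here is an added Python example (not the cluster's code: PSP enforcement really happens in the kube-apiserver admission controller) that reimplements only the `volumes` rule of a PodSecurityPolicy and runs it over a constructed pod manifest that mounts a Secret. It evaluates two allowlists: the one the task asks for (persistentVolumeClaim only, for prevent-volume-policy) and the one in the `restricted` policy shown above, which still lists secret, so the hint's Secret mount is denied only under the first. Note that PodSecurityPolicy was removed in Kubernetes 1.25, so this check applies to clusters up to 1.24.

```python
"""Added example: the volume-type check that a PodSecurityPolicy's
`volumes` field performs, run over a pod manifest held as a Python dict.

Not the API server's code; it reimplements only the `volumes` rule so the
hint ("mounting a Secret should fail") can be exercised offline. Both pod
manifests below are constructed for this example.
"""

# Volume source types a PSP may list ('*' allows every type).
PSP_VOLUME_TYPES = {
    "awsElasticBlockStore", "azureDisk", "azureFile", "cephFS", "cinder", "configMap",
    "csi", "downwardAPI", "emptyDir", "ephemeral", "fc", "flexVolume", "flocker",
    "gcePersistentDisk", "gitRepo", "glusterfs", "hostPath", "iscsi", "nfs",
    "persistentVolumeClaim", "photonPersistentDisk", "portworxVolume", "projected",
    "quobyte", "rbd", "scaleIO", "secret", "storageos", "vsphereVolume",
}


def volume_type(volume):
    """A pod volume is {'name': ..., '<source type>': {...}}; return the source type."""
    sources = [k for k in volume if k != "name"]
    if len(sources) != 1:
        raise ValueError(f"volume {volume.get('name')!r} must have exactly one source, got {sources}")
    return sources[0]


def check_volumes(pod, allowed_types):
    """Return (allowed, reasons) for `pod` under a PSP whose `volumes` list
    is `allowed_types`; the reason text mirrors the admission denial."""
    if "*" in allowed_types:
        return True, []
    allowed = set(allowed_types)
    unknown = allowed - PSP_VOLUME_TYPES
    if unknown:
        raise ValueError(f"unknown PSP volume types: {sorted(unknown)}")
    reasons = []
    for vol in pod.get("spec", {}).get("volumes", []):
        source = volume_type(vol)
        if source not in allowed:
            reasons.append(f"{source} volumes are not allowed to be used")
    return (not reasons), reasons


# Constructed pod following the hint's manifest: it mounts a Secret.
SECRET_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secret-test", "namespace": "restricted"},
    "spec": {
        "containers": [{"name": "app", "image": "nginx:1.25",
                        "volumeMounts": [{"name": "creds", "mountPath": "/creds"}]}],
        "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}],
    },
}

# Constructed pod that only uses a PersistentVolumeClaim.
PVC_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pvc-test", "namespace": "restricted"},
    "spec": {
        "containers": [{"name": "app", "image": "nginx:1.25",
                        "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-pvc"}}],
    },
}

# Allowlist the task asks for (prevent-volume-policy) versus the one in the
# `restricted` example policy above.
TASK_ALLOWLIST = ["persistentVolumeClaim"]
RESTRICTED_ALLOWLIST = ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"]


if __name__ == "__main__":
    for pod_name, pod in (("secret-test", SECRET_POD), ("pvc-test", PVC_POD)):
        for policy, allow in (("prevent-volume-policy", TASK_ALLOWLIST), ("restricted", RESTRICTED_ALLOWLIST)):
            ok, why = check_volumes(pod, allow)
            print(f"{pod_name} under {policy}: {'allowed' if ok else 'denied: ' + '; '.join(why)}")
```

Running the script shows the secret-mounting pod denied under prevent-volume-policy and accepted under restricted, which is the difference the task's hint is meant to expose.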
Question #35
You are tasked with securing a Kubernetes cluster running a critical application. One of the security best practices you need to implement is to enforce the use of signed container images. You have access to a private container registry and a PKI system for generating and managing certificates. Explain in detail how you would implement this policy, covering steps like image signing, verification, and integration with Kubernetes.
Answer:
Explanation:
Solution (Step by Step) :
1. Generate Certificate and Key:
- Use your PKI system to generate a certificate and private key for signing container images. This will be used to authenticate and verify the image's origin and integrity.
- Choose appropriate key lengths and algorithms for security.
2. Sign Container Image:
- After building your container image, use the generated private key to sign it.
- Tools like 'cosign' or 'docker-content-trust' can be used for image signing.
- 'cosign' example:
  cosign sign --key my-private-key-pem nginx:latest
3. Push Signed Image to Registry:
- Push the signed image to your private container registry. The signed image should include the signature and certificate.
4. Configure Kubernetes Image Policy:
- Implement an image policy in your Kubernetes cluster that enforces the verification of signatures for images pulled from your private registry
- You can use 'PodSecurityPolicy' or 'PodSecurityAdmission' for this purpose.
- Example 'PodSecurityPolicy' with image signature validation (this is a simplified example):
5. Configure Image Pull Secrets:
- Create a Kubernetes Secret containing the public certificate used for verification.
- You can then use 'imagePullSecrets' in your deployment resources to reference this secret.
- Example:
6. Deploy Your Application:
- Once your image policy is configured, you can deploy your application using the signed images.
- Kubernetes will verify the signature before starting any pods.
Question #36
Cluster: admission-cluster
Master node: master
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context admission-cluster
Context:
A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster's configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.
Task:
You have to complete the entire task on the cluster's master node, where all services and files have been prepared and placed.
Given an incomplete configuration in directory /etc/Kubernetes/config and a functional container image scanner with HTTPS endpoint https://imagescanner.local:8181/image_policy:
1. Enable the necessary plugins to create an image policy
2. Validate the control configuration and change it to an implicit deny
3. Edit the configuration to point to the provided HTTPS endpoint correctly
Finally, test if the configuration is working by trying to deploy the vulnerable resource /home/cert_masters/test-pod.yml
Note: You can find the container image scanner's log file at /var/log/policy/scanner.log
Answer:
Explanation:
[master@cli] $ cd /etc/Kubernetes/config
1. Edit kubeconfig.json so that the default decision is deny (implicit deny)
[master@cli] $ vim kubeconfig.json
"defaultAllow": false # Change to false
2. Fix the server parameter by taking its value from ~/.kube/config
[master@cli] $ cat /etc/kubernetes/config/kubeconfig.yaml | grep server
server:
3. Enable ImagePolicyWebhook
[master@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this
Explanation:
[desk@cli] $ ssh master
[master@cli] $ cd /etc/Kubernetes/config
[master@cli] $ vim kubeconfig.json
{
"imagePolicy": {
"kubeConfigFile": "/etc/kubernetes/config/kubeconfig.yaml",
"allowTTL": 50,
"denyTTL": 50,
"retryBackoff": 500,
"defaultAllow": true # Delete this
"defaultAllow": false # Add this
}
}
Note: the server value is missing here; it can be taken from either of the following:
[master@cli] $cat ~/.kube/config | grep server
or
[master@cli] $cat /etc/kubernetes/manifests/kube-apiserver.yaml
[master@cli] $vim /etc/kubernetes/config/kubeconfig.yaml
[master@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction # Delete This
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this
Reference: https://kubernetes.io/docs/refer ... ission-controllers/
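Questions #33, #35 and #36 all end in the same place: once ImagePolicyWebhook is enabled, the API server sends an ImageReview to the backend named in the admission configuration and acts on its answer. The Python below is an added example of such a backend's decision logic; it is not the scanner from the exam environment or any project's code. It rejects images with the mutable `latest` tag (or no tag at all), and, generalising from question #35, requires every image to be pinned by digest and that digest to appear in a set whose signatures were verified out of band (the set here is a constructed placeholder; a real backend would fill it from `cosign verify` or the scanner). `final_decision` shows what `defaultAllow` governs: it is consulted only when the backend cannot be reached, which is why the task sets it to false.

```python
"""Added example: decision logic for an ImagePolicyWebhook backend.

Not the exam environment's scanner. The request/response shapes follow the
imagepolicy.k8s.io/v1alpha1 ImageReview API; the policy (deny mutable
tags, require a digest with a verified signature) and the TRUSTED_DIGESTS
set are assumptions made for this example.
"""
API_VERSION = "imagepolicy.k8s.io/v1alpha1"

# Constructed stand-in for the digests whose signatures were verified out of
# band (e.g. accepted by `cosign verify`); a real backend populates this from
# the verifier rather than hard-coding it.
TRUSTED_DIGESTS = {"sha256:" + "1" * 64}


def parse_image_ref(ref):
    """Split 'registry[:port]/repo[:tag][@digest]' into (name, tag, digest)."""
    name_tag, _, digest = ref.partition("@")
    slash = name_tag.rfind("/")
    colon = name_tag.rfind(":")
    # A ':' after the last '/' introduces a tag; before it, it is a registry port.
    if colon > slash:
        return name_tag[:colon], name_tag[colon + 1:], (digest or None)
    return name_tag, None, (digest or None)


def review_image(ref, trusted_digests):
    """Return (allowed, reason) for one image reference."""
    name, tag, digest = parse_image_ref(ref)
    if digest is None:
        if tag is None or tag == "latest":
            return False, f"{ref}: mutable tag '{tag or 'latest'}' is not allowed"
        return False, f"{ref}: image must be pinned by digest"
    if digest not in trusted_digests:
        return False, f"{ref}: no verified signature for {digest}"
    return True, ""


def make_review(images, namespace="default"):
    """Build the ImageReview request the API server POSTs to the backend."""
    return {
        "apiVersion": API_VERSION,
        "kind": "ImageReview",
        "spec": {"containers": [{"image": i} for i in images], "namespace": namespace},
    }


def handle_image_review(review, trusted_digests=TRUSTED_DIGESTS):
    """Produce the ImageReview response: status.allowed plus a reason string."""
    if review.get("kind") != "ImageReview":
        raise ValueError(f"unexpected kind {review.get('kind')!r}")
    reasons = []
    for container in review.get("spec", {}).get("containers", []):
        allowed, reason = review_image(container["image"], trusted_digests)
        if not allowed:
            reasons.append(reason)
    return {
        "apiVersion": API_VERSION,
        "kind": "ImageReview",
        "status": {"allowed": not reasons, "reason": "; ".join(reasons)},
    }


def final_decision(response, default_allow):
    """What the API server does with the backend's answer. `response` is None
    when the webhook could not be reached; only then does defaultAllow
    decide, so defaultAllow=false turns a backend outage into a deny."""
    if response is None:
        return default_allow
    return bool(response["status"]["allowed"])


if __name__ == "__main__":
    for images in (["nginx:latest"], ["registry.local:5000/app:1.2"],
                   ["registry.local:5000/app@sha256:" + "1" * 64]):
        resp = handle_image_review(make_review(images))
        print(images, "->", resp["status"])
    print("backend down, defaultAllow=false ->", final_decision(None, False))
```

Deploying a pod with `image: nginx:latest`, as the tasks ask, produces a denied ImageReview whose reason is what the API server echoes back in the rejection message; the digest-pinned reference is the only one this policy admits.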