【General】
CKS Positive Feedback & Exam CKS Objectives
Posted at yesterday 17:06
BONUS!!! Download part of BraindumpStudy CKS dumps for free: https://drive.google.com/open?id=1q6Z6obeT7JF9B3X750bVtgR9uwJVLHUp
Our company attaches great importance to the overall service around our CKS study guide. If there is any problem with the delivery of CKS exam materials, please let us know by message or email. No matter when you contact us about the CKS Practice Engine, our online service will help, since we provide our customers with assistance on our CKS training prep 24/7.
The Linux Foundation CKS (Certified Kubernetes Security Specialist) certification exam is an industry-recognized certification that validates an individual's skills and knowledge in securing containerized applications and Kubernetes platforms. The CKS exam is designed for professionals who have experience in Kubernetes and containerization and are looking to advance their careers by demonstrating their expertise in secure container orchestration. The Certified Kubernetes Security Specialist (CKS) certification is highly valued by employers and is an excellent way for professionals to showcase their expertise and differentiate themselves from others in the field.
Exam CKS Objectives, Valid CKS Test Vce
Unlike those impotent practice materials, our CKS study questions have salient advantages that you cannot ignore. They are abundant and effective enough to supply your needs for the CKS exam. We share the same ultimate goal, which is to successfully pass the CKS exam. So during your preparation, we are willing to be by your side all the time. As long as you have questions about the CKS learning braindumps, just contact us!
The CKS exam is designed to assess the candidate's proficiency in security best practices for Kubernetes platforms and containerized workloads, including securing Kubernetes components, securing container images and registries, securing network communication, and configuring security contexts. The CKS exam is a performance-based test, which means that the candidate must complete a series of tasks in a live Kubernetes environment, demonstrating their ability to secure Kubernetes platforms and containerized workloads.
The CKS exam is designed for professionals who have experience in Kubernetes administration and are familiar with container security concepts. The CKS exam covers a wide range of topics related to Kubernetes security, including securing cluster components, securing container images, securing network communication, and securing the Kubernetes API.
Linux Foundation Certified Kubernetes Security Specialist (CKS) Sample Questions (Q21-Q26):
NEW QUESTION # 21
Cluster: dev
Master node: master1 Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
Task: Retrieve the content of the existing secret named adam in the safe namespace.
Store the username field in a file named /home/cert-masters/username.txt, and the password field in a file named /home/cert-masters/password.txt.
1. You must create both files; they don't exist yet.
2. Do not use/modify the created files in the following steps; create new temporary files if needed.
Create a new secret named newsecret in the safe namespace, with the following content:
Username: dbadmin
Password: moresecurepas
Finally, create a new Pod that has access to the secret newsecret via a volume:
Namespace: safe
Pod name: mysecret-pod
Container name: db-container
Image: redis
Volume name: secret-vol
Mount path: /etc/mysecret
Answer:
Explanation:




NEW QUESTION # 22
SIMULATION
Documentation
Deployment, Pod Security Admission, Pod Security Standards
You must connect to the correct host. Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000036
Context
For compliance, all user namespaces enforce the restricted Pod Security Standard.
Task
The confidential namespace contains a Deployment that is not compliant with the restricted Pod Security Standard. Thus, its Pods cannot be scheduled.
Modify the Deployment to be compliant and verify that the Pods are running.
The Deployment's manifest file can be found at /home/candidate/nginx-unprivileged.yaml.
Answer:
Explanation:
See the Explanation below for complete solution
Explanation:
1) Connect to the correct host
ssh cks000036
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) Confirm the failing Pods + see the PSA error (fast)
kubectl -n confidential get deploy
kubectl -n confidential get pods
kubectl -n confidential describe deploy <deployment-name> | sed -n '/Events/,$p'
(You'll usually see "violates PodSecurity 'restricted' ..." with the exact missing fields.)
3) Edit the provided manifest
vi /home/candidate/nginx-unprivileged.yaml
You must ensure the Pod template becomes compliant. Add/ensure the following exact blocks:
4) Add Pod-level securityContext (under spec.template.spec)
Find:
spec:
  template:
    spec:
Add this block under it (or merge if securityContext: already exists):
      securityContext:
        runAsNonRoot: true
        runAsUser: 65535
        seccompProfile:
          type: RuntimeDefault
5) Add Container-level securityContext (under the nginx container)
Find:
      containers:
      - name: ...
        image: ...
Under that container, add (or adjust) this exact block:
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
If there are multiple containers, apply the same container securityContext to each one.
Save and exit:
:wq
6) Apply the manifest to the confidential namespace
kubectl -n confidential apply -f /home/candidate/nginx-unprivileged.yaml
Wait for the rollout:
kubectl -n confidential rollout status deployment/<deployment-name>
If you don't know the deployment name from the file, list:
kubectl -n confidential get deploy
7) Verify Pods are running
kubectl -n confidential get pods -o wide
If still failing, show the exact PSA violation (this tells you what else to fix):
kubectl -n confidential describe pod <pod-name> | sed -n '/Events/,$p'
Quick "if it still fails" fixes (common restricted blockers)
Open the manifest again and ensure these are NOT set (or are removed/false):
hostNetwork: true
hostPID: true
hostIPC: true
any hostPort:
privileged: true
capabilities.add:
seccompProfile: Unconfined
runAsUser: 0 or runAsNonRoot: false
Then re-apply.
Minimal compliant result (what the grader expects)
Your Pod template should include:
seccompProfile: RuntimeDefault
runAsNonRoot: true (and a non-root UID like 65535)
container: allowPrivilegeEscalation: false
container: capabilities.drop: [ALL]
container: readOnlyRootFilesystem: true
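A complete manifest with the blocks from steps 4 and 5 in place, as an added example rather than the file from the exam host. The Deployment name, labels, image and port are assumptions, and the /tmp emptyDir is added on the assumption that the image writes its PID and temp files there, which readOnlyRootFilesystem: true would otherwise block:

```yaml
# Added example; name, labels, image and port are assumptions, not taken from
# /home/candidate/nginx-unprivileged.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-unprivileged        # hypothetical name
  namespace: confidential
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-unprivileged
  template:
    metadata:
      labels:
        app: nginx-unprivileged
    spec:
      securityContext:            # step 4: Pod-level settings
        runAsNonRoot: true
        runAsUser: 65535
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: nginx
        image: nginxinc/nginx-unprivileged:stable   # assumed image
        ports:
        - containerPort: 8080     # unprivileged port, no hostPort
        securityContext:          # step 5: container-level settings
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: tmp
          mountPath: /tmp         # writable scratch space despite the read-only root
      volumes:
      - name: tmp
        emptyDir: {}              # emptyDir is a volume type the restricted standard allows
```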
NEW QUESTION # 23
SIMULATION
A container image scanner is set up on the cluster.
Given an incomplete configuration in the directory
/etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy
1. Enable the admission plugin.
2. Validate the control configuration and change it to implicit deny.
Finally, test the configuration by deploying the pod having the image tag as latest.
Answer:
Explanation:
See the Explanation below
Explanation:
ssh-add ~/.ssh/tempprivate
eval "$(ssh-agent -s)"
cd contrib/terraform/aws
vi terraform.tfvars
terraform init
terraform apply -var-file=credentials.tfvars
ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_ssh_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache -e ansible_user=core

NEW QUESTION # 24
You are running a Kubernetes cluster with several sensitive applications. You need to restrict access to the cluster from external sources to only the IP addresses of your development team's laptops. How can you implement this using Network Policies?
Answer:
Explanation:
Solution (Step by Step) :
1. Define Network Policy: Create a NetworkPolicy YAML file named 'restrict-external-access.yaml'.

- Replace with the namespace where your sensitive applications are deployed.
- Replace with the IP range of your development team's laptops. For example, '192.168.1.0/24' or a specific set of IP addresses.
2. Apply Network Policy: Use 'kubectl' to apply the NetworkPolicy to your Kubernetes cluster.
kubectl apply -f restrict-external-access.yaml
3. Verify Network Policy: Verify the NetworkPolicy is applied correctly:
kubectl get networkpolicies -n <namespace>
You should see the 'restrict-external-access' NetworkPolicy listed.
4. Test Access: Try accessing the cluster from an external IP address outside of the defined range. You should be blocked. Access from within the defined IP range should be allowed.
This NetworkPolicy restricts ingress traffic to pods within the specified namespace. It allows connections from the specified IP range and blocks all other external connections.
Important Note: Ensure your firewall and other network security measures are properly configured to work in conjunction with the NetworkPolicy.
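The manifest for step 1 is not present on this page; the following is an added example of such a policy, not the original post's file. `<namespace>` is a placeholder, 192.168.1.0/24 is the sample range from the text, and the namespaceSelector peer is an assumption added so that in-cluster Pod traffic keeps working:

```yaml
# Added example: restrict-external-access.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-external-access
  namespace: <namespace>       # placeholder: namespace of the sensitive applications
spec:
  podSelector: {}              # applies to every Pod in the namespace
  policyTypes:
  - Ingress                    # selected Pods accept only the traffic listed below
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.1.0/24   # development team's laptops (sample range from the text)
    - namespaceSelector: {}    # assumption: still allow traffic from Pods in the cluster
```

ipBlock matches the source address as the Pod sees it, so traffic that a load balancer or NodePort has source-NATed will not match the laptop range. The policy has an effect only when the cluster's network plugin enforces NetworkPolicy.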
NEW QUESTION # 25
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context test-account
Task: Enable audit logs in the cluster.
To do so, enable the log backend, and ensure that:
1. logs are stored at /var/log/Kubernetes/logs.txt
2. log files are retained for 5 days
3. at maximum, a number of 10 old audit log files are retained
A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.
Note: The base policy is located on the cluster's master node.
Edit and extend the basic policy to log:
1. Nodes changes at RequestResponse level
2. The request body of persistentvolumes changes in the namespace frontend
3. ConfigMap and Secret changes in all namespaces at the Metadata level
Also, add a catch-all rule to log all other requests at the Metadata level.
Note: Don't forget to apply the modified policy.
Answer:
Explanation:
$ vim /etc/kubernetes/log-policy/audit-policy.yaml
- level: RequestResponse
  userGroups: ["system:nodes"]
- level: Request
  resources:
  - group: "" # core API group
    resources: ["persistentvolumes"]
  namespaces: ["frontend"]
- level: Metadata
  resources:
  - group: ""
    resources: ["configmaps", "secrets"]
- level: Metadata
$ vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add these
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/logs.txt
- --audit-log-maxage=5
- --audit-log-maxbackup=10
Explanation
[desk@cli] $ ssh master1
[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
  # Add your changes below
  - level: RequestResponse
    userGroups: ["system:nodes"] # Block for nodes
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["persistentvolumes"] # Block for persistentvolumes
    namespaces: ["frontend"] # Block for persistentvolumes of frontend ns
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["configmaps", "secrets"] # Block for configmaps & secrets
  - level: Metadata # Block for everything else
[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.5
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
    - --audit-log-path=/var/log/kubernetes/logs.txt #Add this
    - --audit-log-maxage=5 #Add this
    - --audit-log-maxbackup=10 #Add this
...
output truncated
Note: The log volume and policy volume are already mounted in /etc/kubernetes/manifests/kube-apiserver.yaml, so there is no need to mount them.
Reference: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
NEW QUESTION # 26
......
Exam CKS Objectives: https://www.braindumpstudy.com/CKS_braindumps.html