
Pass the Linux Foundation Kubernetes Security Specialist CKS Questions and answers with CertsForce

Viewing page 2 out of 2 pages
Viewing questions 11-20 out of questions
Questions # 11:

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context prod-account 

Context:

A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

Task:

Given an existing Pod named web-pod running in the namespace database.

1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.

2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statefulsets.

3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.

Note: Don't delete the existing RoleBinding.


Questions # 12:

Context:

Cluster: gvisor

Master node: master1

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context gvisor

Context: This cluster has been prepared to support the runtime handler runsc as well as the traditional one.

Task:

Create a RuntimeClass named not-trusted using the prepared runtime handler named runsc.

Update all Pods in the namespace server to run on newruntime.


Questions # 13:

Enable audit logs in the cluster. To do so, enable the log backend and ensure that:

    1. Logs are stored at /var/log/kubernetes/kubernetes-logs.txt.

    2. Log files are retained for 5 days.

    3. At most 10 old audit log files are retained.

Edit and extend the basic policy to log:

    1. CronJob changes at the RequestResponse level.

    2. Log the request body of deployments changes in the namespace kube-system.

    3. Log all other resources in core and extensions at the Request level.

    4. Don't log watch requests by the "system:kube-proxy" on endpoints or
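
An added example, not part of the original page and not an official exam solution: an audit policy covering the four logging requirements above, with the kube-apiserver flags for the log backend shown as comments. The policy file path is a placeholder, and because requirement 4 is cut off after "endpoints or", the exclusion rule covers only endpoints.

```yaml
# kube-apiserver flags for the log backend (set in the API server manifest):
#   --audit-policy-file=<POLICY_FILE_PATH>   # placeholder, path not given in the task
#   --audit-log-path=/var/log/kubernetes/kubernetes-logs.txt
#   --audit-log-maxage=5                     # days to retain old audit log files
#   --audit-log-maxbackup=10                 # maximum number of old files kept
# If the API server runs as a static Pod, the policy file and the log
# directory must also be mounted into it, or the flags point at nothing.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Requirement 4. Listed last in the task but placed first here: rules are
  # evaluated in order and the first match sets the level, so this exclusion
  # has to precede the core-group rule at the bottom, which also matches it.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""                    # core API group
        resources: ["endpoints"]     # task text is truncated after "endpoints or"

  # Requirement 1: CronJobs at RequestResponse (metadata + request + response).
  # Assumption: no verbs filter, so reads are logged as well as changes.
  - level: RequestResponse
    resources:
      - group: "batch"
        resources: ["cronjobs"]

  # Requirement 2: Request level records the request body but not the response.
  - level: Request
    namespaces: ["kube-system"]
    resources:
      - group: "apps"
        resources: ["deployments"]

  # Requirement 3: everything else in the core and extensions groups.
  - level: Request
    resources:
      - group: ""
      - group: "extensions"
```

Requests that match none of these rules are not logged, since the policy has no catch-all rule.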


Questions # 14:

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context dev 

A default-deny NetworkPolicy avoids accidentally exposing a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task:  Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.

Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.

You can find a skeleton manifest file at /home/cert_masters/network-policy.yaml

