CKS certification: latest CKS 2021 real exam questions, practice set 03

Updated: 2023-06-23 03:07:26
1 Image scanning: ImagePolicyWebhook
Task overview
Walkthrough
2 sysdig & falco: detecting Pod behaviour
Task overview
Walkthrough
3 ClusterRole
Task overview
Walkthrough
4 AppArmor
Task overview
Walkthrough
5 PodSecurityPolicy
Task overview
Walkthrough
6 Network policy: NetworkPolicy
Task overview
Walkthrough
7 Dockerfile checks
Task overview
Walkthrough
8 Pod security
Task overview
Walkthrough
9 Create a ServiceAccount
Task overview
Walkthrough
10 trivy image security scanning
Task overview
Walkthrough
11 Create a Secret
Task overview
Walkthrough
12 kube-bench
Task overview
Walkthrough
13 gVisor
Task overview
Walkthrough
14 Auditing
Task overview
Walkthrough
15 Default network policy
Task overview
Walkthrough
16 Modify API Server parameters
Task overview
Walkthrough
Notes
In early June I shared two sets of real CKS questions in earlier posts; because time was tight, the layout was rough. Recently an enthusiastic group member sent me feedback on their CKS exam experience and shared their own set of question walkthroughs. I have tidied it up a little and posted it here for everyone to learn from!
The purpose of this post:
First, to give you the common CKS exam topics so that you can study them in a targeted way;
Second, to provide a place for sharing and discussion; please leave the best solutions in the comments.
I registered for the CKS exam in mid-November and will put together a walkthrough of the newest questions right after sitting it. Anyone preparing for the CKA or CKS is welcome to follow the related series of posts (that series contains CKA and CKS review points and my own lab experiments; the main difference is that it is not presented as walkthroughs of real exam questions).
1 Image scanning: ImagePolicyWebhook
Task overview
Context
A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster's configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.
Task
You have to complete the entire task on the cluster master node, where all services and files have been prepared and placed.
Given an incomplete configuration in directory /etc/kubernetes/aa and a functional container image scanner with HTTPS endpoint 192.168.26.60:1323:
1. enable the necessary plugins to create an image policy
2. validate the control configuration and change it to an implicit deny
3. edit the configuration to point to the provided HTTPS endpoint correctly
Finally, test if the configuration is working by trying to deploy the vulnerable resource /cks/1/web1.yaml.
Walkthrough
You need to ssh from the console to the master node and edit /etc/kubernetes/manifests/kube-apiserver.yaml.
Enable the plugin and reference the ImagePolicyWebhook configuration file from that manifest:
```yaml
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
- --admission-control-config-file=/etc/kubernetes/aa/admission_configuration.json
```
Configure the hostPath volume:
```yaml
volumes:
- hostPath:
    path: /etc/kubernetes/aa/
  name: xxx
```
Configure volumeMounts:
```yaml
volumeMounts:
- mountPath: /etc/kubernetes/aa/
  name: xxx
  # in the exam there is a "readOnly: true" line here; delete it
```
Edit admission_configuration.json (provided by the question) and change defaultAllow to false, so that the API server denies Pods rather than admitting them when the webhook backend cannot be reached:
```json
{
  "imagePolicy": {
    "kubeConfigFile": "/etc/kubernetes/aa/kubeconfig.yaml",
    "allowTTL": 50,
    "denyTTL": 50,
    "retryBackoff": 500,
    "defaultAllow": false
  }
}
```
Edit /etc/kubernetes/aa/kubeconfig.yaml and add the webhook server address:
```yaml
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/aa/webhook.pem
    server: https://192.168.26.60:1323/image_policy  # add the webhook server address (the task states an HTTPS endpoint)
  name: bouncer_webhook
contexts:
- context:
    cluster: bouncer_webhook
    user: api-server
  name: bouncer_validator
current-context: bouncer_validator
preferences: {}
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/aa/apiserver-client.pem
    client-key: /etc/kubernetes/aa/apiserver-clientkey.pem
```
Restart kubelet and try to deploy the vulnerable resource:
```bash
systemctl restart kubelet
kubectl apply -f /cks/1/web1.yaml
```
Verify: images using the latest tag are not allowed:
```
root@vms61:/etc/kubernetes/aa# kubectl run pod1 --image=nginx
Error from server (Forbidden): pods "pod1" is forbidden: image policy webhook backend denied one or more images: Images using latest tag are not
```
Reference documentation:
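As an added example (not the exam's image scanner and not code from the original post), the following shows the decision a webhook backend makes for the ImageReview request the API server sends it, using the same policy the verification step above shows: an image that uses the latest tag, or no tag at all, is denied unless it is pinned by digest. It also checks that admission_configuration.json really sets defaultAllow to false, which is the implicit deny the task asks for. The sample request and configuration are constructed; the function and variable names are mine.

```python
"""Decision logic of an ImagePolicyWebhook backend, plus a check of the admission
configuration edited in the walkthrough. Added example: this is not the exam's
image scanner and not code from the original post."""
import json
import re
from typing import Optional

# Image reference grammar (simplified): [host[:port]/]path[:tag][@sha256:<hex>]
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_pinned_by_digest(image: str) -> bool:
    """Digest-pinned references are immutable, so the tag check does not apply."""
    return _DIGEST_RE.search(image) is not None


def image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None when it has no tag.
    Only the last path component is inspected, so a registry port such as
    localhost:5000/app is not mistaken for a tag."""
    last = _DIGEST_RE.sub("", image).rsplit("/", 1)[-1]
    return last.rsplit(":", 1)[1] if ":" in last else None


def review(image_review: dict) -> dict:
    """Answer an ImageReview (imagepolicy.k8s.io/v1alpha1) request.

    The API server sends spec.containers[].image for every container of the Pod;
    the backend answers with status.allowed and, on denial, status.reason. The
    policy mirrors the verification step above: an image that uses the latest
    tag, or no tag at all, is denied unless it is pinned by digest."""
    denied = []
    for container in image_review.get("spec", {}).get("containers", []):
        image = container.get("image", "")
        if is_pinned_by_digest(image):
            continue
        tag = image_tag(image)
        if tag is None or tag == "latest":
            denied.append(image)
    response = {
        "apiVersion": "imagepolicy.k8s.io/v1alpha1",
        "kind": "ImageReview",
        "status": {"allowed": not denied},
    }
    if denied:
        response["status"]["reason"] = (
            "Images using latest tag are not allowed: " + ", ".join(denied)
        )
    return response


def admission_config_is_implicit_deny(text: str) -> bool:
    """True when admission_configuration.json sets imagePolicy.defaultAllow to
    false, so the API server rejects Pods while the backend is unreachable
    (the implicit deny the task asks for) instead of silently admitting them."""
    config = json.loads(text)
    return config.get("imagePolicy", {}).get("defaultAllow") is False


# Constructed sample request: one properly tagged image and one untagged image.
SAMPLE_IMAGE_REVIEW = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "namespace": "default",
        "containers": [{"image": "nginx:1.25.3"}, {"image": "redis"}],
    },
}

# Constructed copy of the admission configuration after the edit from the walkthrough.
SAMPLE_ADMISSION_CONFIG = """{
  "imagePolicy": {
    "kubeConfigFile": "/etc/kubernetes/aa/kubeconfig.yaml",
    "allowTTL": 50,
    "denyTTL": 50,
    "retryBackoff": 500,
    "defaultAllow": false
  }
}"""

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_IMAGE_REVIEW), indent=2))
    print("implicit deny:", admission_config_is_implicit_deny(SAMPLE_ADMISSION_CONFIG))
```

Run it directly to see the denial for the untagged redis image. The digest exception matters in practice: a reference such as nginx:latest@sha256:... resolves to one immutable image, so denying it on the basis of the tag alone would block a perfectly pinned deployment.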
2 sysdig & falco: detecting Pod behaviour
Task overview
You may use your browser to open one additional tab to access the sysdig documentation or the Falco documentation.
Task:
Use runtime detection tools to detect anomalous processes spawning and executing frequently in the single container belonging to Pod redis.
Two tools are available to use:
sysdig or falco
The tools are pre-installed on the cluster worker node only; they are not available on the base system or the master node.
Using the tool of your choice (including any non pre-installed tool), analyse the container behaviour for at least 30 seconds, using filters that detect newly spawning and executing processes.
Store an incident file at /opt/2/report, containing the detected incidents one per line in the following format:
[timestamp],[uid],[processName]
Walkthrough
ssh from the console to the worker node and first find the container id of the redis container (the first entry; the second, k8s_POD_redis, is the Pod's pause container):
```
root@vms62:~# docker ps | grep redis
5ae46a497d05  dc4395f73f8d                   "docker-entrypoint.s…"  5 hours ago  Up 5 hours  k8s_redis_redis_default_a12b0575-…
9136b715c0fe  …/google_containers/pause:3.2  "/pause"                5 hours ago  Up 5 hours  k8s_POD_redis_default_a12b01…
```
Capture the container with sysdig for 30 seconds and write the output to the required file:
```bash
# sysdig -l shows the help (the list of available output fields)
sysdig -M 30 -p "*%evt.time,%user.uid,%proc.name" container.id=5ae46a497d05 > /opt/2/report
```
Reference documentation:
3 ClusterRole
Task overview
Context
A Role bound to a Pod's ServiceAccount grants overly permissive permissions.
Complete the following tasks to reduce the set of permissions.
Task
Given an existing Pod named web-pod running in the namespace monitoring. Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing list operations, only on resources of type Endpoints.
Create a new Role named role-2 in the namespace monitoring, which only allows performing update operations, only on resources of type persistentvolumeclaims.
Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.
Don't delete the existing RoleBinding.
Walkthrough
Restrict the Role bound to sa-dev-1 so that it only allows list on endpoints. Looking at the rolebindings, sa-dev-1 is bound to role-1:
```
root@vms60:/cks/9# kubectl get rolebindings -n monitoring
NAME      ROLE         AGE
sa-dev-1  Role/role-1  7d16h
```
Edit the permissions of role-1:
```bash
kubectl edit role role-1 -n monitoring
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-01-22T16:48:36Z"
  name: role-1
  namespace: monitoring
  resourceVersion: "9528"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/monitoring/roles/role-1
  uid: 0dd5f94d-c27d-4052-a036-12c6c1006858
rules:
- apiGroups:
  - ""
  resources:
  - endpoints  # only allow list on the endpoints resource
  verbs:
  - list
```
Create a Role named role-2 that only allows update on persistentvolumeclaims, and bind it to sa-dev-1 with a RoleBinding:
```bash
kubectl create role role-2 --resource=persistentvolumeclaims --verb=update -n monitoring
kubectl create rolebinding role-2-binding --role=role-2 --serviceaccount=monitoring:sa-dev-1 -n monitoring
```
Reference documentation:
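As an added example (not code from the original post), the following audits the result of the ClusterRole task: it expands RBAC rules, including wildcards, into (verb, apiGroup, resource) triples and compares the union of everything bound to sa-dev-1 against the two permissions the task allows. The rules are constructed to mirror role-1 before and after the edit and role-2 as kubectl create role produces it; the wildcard expansion tables are a small constructed subset, and the function and variable names are mine.

```python
"""Check that the Roles bound to a ServiceAccount grant no more than an allow-list
of (verb, apiGroup, resource) triples. Added example, not code from the original
post; the rules below are constructed to mirror role-1 and role-2 from the walkthrough."""
from typing import Dict, Iterable, List, Set, Tuple

Perm = Tuple[str, str, str]  # (verb, apiGroup, resource)

# Constructed expansion tables for "*". A real audit would take the resource and
# verb lists from API discovery (kubectl api-resources); this subset is enough here.
CORE_RESOURCES = ["endpoints", "persistentvolumeclaims", "pods", "secrets", "services"]
VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]


def expand_rules(rules: Iterable[dict]) -> Set[Perm]:
    """Flatten RBAC rules into (verb, apiGroup, resource) triples, expanding '*'."""
    perms: Set[Perm] = set()
    for rule in rules:
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                resources = CORE_RESOURCES if resource == "*" else [resource]
                for verb in rule.get("verbs", []):
                    verbs = VERBS if verb == "*" else [verb]
                    perms.update((v, group, r) for r in resources for v in verbs)
    return perms


def excess_permissions(rules: Iterable[dict], allowed: Set[Perm]) -> Set[Perm]:
    """Permissions a Role grants beyond what the task permits; empty means least privilege."""
    return expand_rules(rules) - allowed


def effective_permissions(roles: Dict[str, List[dict]],
                          bindings: Iterable[Tuple[str, str]], subject: str) -> Set[Perm]:
    """Union of the rules of every Role bound to a subject; bindings are (subject, role)."""
    perms: Set[Perm] = set()
    for bound_subject, role in bindings:
        if bound_subject == subject:
            perms |= expand_rules(roles[role])
    return perms


# What the task allows sa-dev-1 in total: list endpoints (role-1) and update PVCs (role-2).
REQUIRED: Set[Perm] = {("list", "", "endpoints"), ("update", "", "persistentvolumeclaims")}

# Constructed: an overly permissive role-1 as one might find it before the edit.
ROLE_1_BEFORE = [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]
# role-1 after the edit shown above, and role-2 as created by kubectl create role.
ROLE_1_AFTER = [{"apiGroups": [""], "resources": ["endpoints"], "verbs": ["list"]}]
ROLE_2 = [{"apiGroups": [""], "resources": ["persistentvolumeclaims"], "verbs": ["update"]}]

ROLES_AFTER = {"role-1": ROLE_1_AFTER, "role-2": ROLE_2}
# The existing RoleBinding sa-dev-1 (kept, as the task requires) and the new role-2-binding.
BINDINGS = [("monitoring:sa-dev-1", "role-1"), ("monitoring:sa-dev-1", "role-2")]

if __name__ == "__main__":
    print("excess before edit:", len(excess_permissions(ROLE_1_BEFORE, REQUIRED)))
    print("excess after edit:", excess_permissions(ROLE_1_AFTER, REQUIRED))
    print("effective == required:",
          effective_permissions(ROLES_AFTER, BINDINGS, "monitoring:sa-dev-1") == REQUIRED)
```

Checking the union over all bindings, rather than each Role on its own, is the point: the task keeps the existing RoleBinding, so tightening role-1 only helps if nothing else bound to sa-dev-1 hands the removed permissions back.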
4 AppArmor
Task overview
Context
AppArmor is enabled on the cluster worker node. An AppArmor profile is prepared, but not enforced yet.
You may use your browser to open one additional tab to access the AppArmor documentation.
Task
On the cluster worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor. Edit the prepared manifest file located at /cks/4/pod1.yaml to apply the AppArmor profile.
Finally, apply the manifest file and create the pod specified in it.
Walkthrough
You need to ssh from the console to the worker node.
Load the AppArmor profile so that it is enforced:
```bash
# if grep finds nothing, the profile has not been loaded yet
apparmor_status | grep nginx-profile-3
# load and enable this profile
apparmor_parser -q nginx_apparmor
root@vms62:/etc/apparmor.d# apparmor_status | grep nginx
  nginx-profile-3
```
Create the pod, adding the annotations:

Published: 2023-06-23 03:07:26

Original link: https://www.wtabcd.cn/fanwen/fan/89/1050705.html