Question # 1 Cluster: qa-cluster
Master node: master Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context qa-cluster
Task:
Create a NetworkPolicy named restricted-policy to restrict access to Pod product running in namespace dev.
Only allow the following Pods to connect to Pod products-service:
1. Pods in the namespace qa
2. Pods with label environment: stage, in any namespace
Answer Description
Question # 2 You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context qa
Context:
A pod fails to run because of an incorrectly specified ServiceAccount
Task:
Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret.
Edit the frontend pod yaml to use backend-qa service account
Note: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml
Answer Description Explanation:
[desk@cli] $ k create sa backend-qa -n qasa/backend-qa created[desk@cli] $ k get
role,rolebinding -n qaNo resources found in qa namespace.[desk@cli] $ k create role
backend -n qa --resource pods,namespaces,configmaps --verb list# No access to secret
[desk@cli] $ k create rolebinding backend -n qa --role backend --serviceaccount
qa:backend-qa[desk@cli] $ vim /home/cert_masters/frontend-pod.yaml
uk.co.certification.simulator.questionpool.PList@120e0660
[desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yamlpod created
[desk@cli] $ k create sa backend-qa -n qaserviceaccount/backend-qa created[desk@cli]
$ k get role,rolebinding -n qaNo resources found in qa namespace.[desk@cli] $ k create
role backend -n qa --resource pods,namespaces,configmaps --verb
listrole.rbac.authorization.k8s.io/backend created[desk@cli] $ k create rolebinding backend
-n qa --role backend --serviceaccount qa:backendqarolebinding.
rbac.authorization.k8s.io/backend created[desk@cli] $ vim
/home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
serviceAccountName: backend-qa # Add this
image: nginx
name: frontend
[desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yamlpod/frontend
createdhttps://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
Question # 3
Answer Description
Question # 4 Cluster: scanner
Master node: controlplane
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context scanner
Given:
You may use Trivy's documentation.
Task:
Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.
Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.
Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.
Answer Description
Question # 5 You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
Context:
A CIS Benchmark tool was run against the kubeadm created cluster and found multiple issues that must be addressed.
Task:
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
1.2.7 authorization-mode argument is not set to AlwaysAllow FAIL
1.2.8 authorization-mode argument includes Node FAIL
1.2.7 authorization-mode argument includes RBAC FAIL
Fix all of the following violations that were found against the Kubelet:
4.2.1 Ensure that the anonymous-auth argument is set to false FAIL
4.2.2 authorization-mode argument is not set to AlwaysAllow FAIL (Use Webhook autumn/authz where possible)
Fix all of the following violations that were found against etcd:
2.2 Ensure that the client-cert-auth argument is set to true
Answer Description
Question # 6
Answer Description
Question # 7 Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.
kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: kubesec-demo
spec:
containers:
- name: kubesec-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
readOnlyRootFilesystem: true
Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
Answer Description Explanation:
kubesec scan k8s-deployment.yaml
cat < kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: kubesec-demo
spec:
containers:
- name: kubesec-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
readOnlyRootFilesystem: true
EOF
kubesec scan kubesec-test.yaml
docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
kubesec http 8080 &
[1] 12345
{"severity":"info","timestamp":"2019-05-
12T11:58:34.662+0100","caller":"server/server.go:69","message":"Starting HTTP server on
port 8080"}
curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml
http://localhost:8080/scan
[
{
"object": "Pod/security-context-demo.default",
"valid": true,
"message": "Failed with a score of -30 points",
"score": -30,
"scoring": {
"critical": [
{
"selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN",
"reason": "CAP_SYS_ADMIN is the most privileged capability and should always be
avoided"
},
{
"selector": "containers[] .securityContext .runAsNonRoot == true",
"reason": "Force the running image to run as a non-root user to ensure least privilege"
},
// ...
Question # 8
Answer Description
Up-to-Date
We always provide up-to-date CKS exam dumps to our clients. Keep checking website for updates and download.
Excellence
Quality and excellence of our Certified Kubernetes Security Specialist (CKS) practice questions are above customers expectations. Contact live chat to know more.
Success
Your SUCCESS is assured with the CKS exam questions of passin1day.com. Just Buy, Prepare and PASS!
Quality
All our braindumps are verified with their correct answers. Download Kubernetes Security Specialist Practice tests in a printable PDF format.
Basic
$80
Any 3 Exams of Your Choice
3 Exams PDF + Online Test Engine
Buy Now
Premium
$100
Any 4 Exams of Your Choice
4 Exams PDF + Online Test Engine
Buy Now
Gold
$125
Any 5 Exams of Your Choice
5 Exams PDF + Online Test Engine
Buy Now
Passin1Day has a big success story in last 12 years with a long list of satisfied customers.
We are UK based company, selling CKS practice test questions answers. We have a team of 34 people in Research, Writing, QA, Sales, Support and Marketing departments and helping people get success in their life.
We dont have a single unsatisfied Linux Foundation customer in this time. Our customers are our asset and precious to us more than their money.
CKS Dumps
We have recently updated Linux Foundation CKS dumps study guide. You can use our Kubernetes Security Specialist braindumps and pass your exam in just 24 hours. Our Certified Kubernetes Security Specialist (CKS) real exam contains latest questions. We are providing Linux Foundation CKS dumps with updates for 3 months. You can purchase in advance and start studying. Whenever Linux Foundation update Certified Kubernetes Security Specialist (CKS) exam, we also update our file with new questions. Passin1day is here to provide real CKS exam questions to people who find it difficult to pass exam
Kubernetes Security Specialist can advance your marketability and prove to be a key to differentiating you from those who have no certification and Passin1day is there to help you pass exam with CKS dumps. Linux Foundation Certifications demonstrate your competence and make your discerning employers recognize that Certified Kubernetes Security Specialist (CKS) certified employees are more valuable to their organizations and customers. We have helped thousands of customers so far in achieving their goals. Our excellent comprehensive Linux Foundation exam dumps will enable you to pass your certification Kubernetes Security Specialist exam in just a single try. Passin1day is offering CKS braindumps which are accurate and of high-quality verified by the IT professionals. Candidates can instantly download Kubernetes Security Specialist dumps and access them at any device after purchase. Online Certified Kubernetes Security Specialist (CKS) practice tests are planned and designed to prepare you completely for the real Linux Foundation exam condition. Free CKS dumps demos can be available on customer’s demand to check before placing an order.
What Our Customers Say
Jeff Brown
Thanks you so much passin1day.com team for all the help that you have provided me in my Linux Foundation exam. I will use your dumps for next certification as well.
Mareena Frederick
You guys are awesome. Even 1 day is too much. I prepared my exam in just 3 hours with your CKS exam dumps and passed it in first attempt :)
Ralph Donald
I am the fully satisfied customer of passin1day.com. I have passed my exam using your Certified Kubernetes Security Specialist (CKS) braindumps in first attempt. You guys are the secret behind my success ;)
Lilly Solomon
I was so depressed when I get failed in my Cisco exam but thanks GOD you guys exist and helped me in passing my exams. I am nothing without you.