— 自动化运维 Leaning—
读书笔记
设置配置环境:
[candidate@node-1] $ kubectl config use-context k8skubectl explain deployment.spec
kubectl explain deployment.spec.selector1.8版本之前 .spec.selector 可以省略
1.8版本之后 .spec.selector 不可以省略
设置配置环境:
[candidate@node-1] $ kubectl config use-context k8snamespace haddock 中名为 nosql 的 Deployment 的 Pod 因其容器已用完资源而无法启动。
请更新 haddock Deployment ,使 Pod
https://kubernetes.io/zh-cn/docs/concepts/configuration/manage-resources-containers/
设置配置环境:
[candidate@node-1] $ kubectl config use-context k8s在现有的 namespace pod-resources 中创建一个名为 nginx-resources 的 Pod 。
镜像为 nginx:1.16 ,为其容器指定资源请求 40m 的 CPU 和 50Mi 的内存
https://kubernetes.io/zh-cn/docs/concepts/configuration/manage-resources-containers/
设置配置环境:
[candidate@node-1] $ kubectl config use-context k8s一个Dockerfile 已经存在于 /ckad/DF/Dockerfile
docker -h设置配置环境:
[candidate@node-1] $ kubectl config use-context k8shttps://kubernetes.io/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs/
https://kubernetes.io/zh-cn/docs/concepts/workloads/controllers/job/
kubectl explain cronjob.spec
设置配置环境:
[candidate@node-1] $ kubectl config use-context k8s- name: pi
image: perl:5
command: ["perl", " Mbignum=bpi", " wle", "print bpi(2000)"]https://kubernetes.io/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs/
https://kubernetes.io/zh-cn/docs/concepts/workloads/controllers/job/
kubectl explain cronjob.speccron 表示法
https://tool.lu/crontab/
Use context: kubectl config use-context workload-stage
A security scan result shows that there is an unknown miner process running on one of the Nodes in cluster3. The report states that the process is listening on port 6666. Kill the process and delete the binary.
Use context: kubectl config use-context infra-prod
There is an existing Open Policy Agent + Gatekeeper policy to enforce that all Namespaces need to have label security-level set. Extend the policy constraint and template so that all Namespaces also need to set label management-team. Any new Namespace creation without these two labels should be prevented.
Write the names of all existing Namespaces which violate the updated policy into /opt/course/p2/fix-namespaces.
Use context: kubectl config use-context infra-prod
You have admin access to cluster2. There is also context gianna@infra-prod which authenticates as user gianna with the same cluster.
There are existing cluster-level RBAC resources in place to, among other things, ensure that user gianna can never read Secret contents cluster-wide. Confirm this is correct or restrict the existing RBAC resources to ensure this.
I addition, create more RBAC resources to allow user gianna to create Pods and Deployments in Namespaces security, restricted and internal. It's likely the user will receive these exact permissions as well for other Namespaces in the future.
(can be solved in any kubectl context)
The Release Engineering Team has shared some YAML manifests and Dockerfiles with you to review. The files are located under /opt/course/22/files.
As a container security expert, you are asked to perform a manual static analysis and find out possible security issues with respect to unwanted credential exposure. Running processes as root is of no concern in this task.
Write the filenames which have issues into /opt/course/22/security-issues.
NOTE: In the Dockerfile and YAML manifests, assume that the referred files, folders, secrets and volume mounts are present. Disregard syntax or logic errors.
继续阅读“CKS 模拟真题 Killer.sh | Question 22 | Manual Static Security Analysis”