CKS Mock Exam Killer.sh | Question 5 | CIS Benchmark

Task weight: 3%

Use context: kubectl config use-context infra-prod

You're asked to evaluate specific settings of cluster2 against the CIS Benchmark recommendations. Use the tool kube-bench, which is already installed on the nodes.

Connect using ssh cluster2-controlplane1 and ssh cluster2-node1.

On the master node ensure (correct if necessary) that the CIS recommendations are set for:

  1. The --profiling argument of the kube-controller-manager
  2. The ownership of directory /var/lib/etcd

On the worker node ensure (correct if necessary) that the CIS recommendations are set for:

  1. The permissions of the kubelet configuration /var/lib/kubelet/config.yaml
  2. The --client-ca-file argument of the kubelet

CKS Mock Exam Killer.sh | Question 4 | Pod Security Standard

Task weight: 8%

Use context: kubectl config use-context workload-prod

There is Deployment container-host-hacker in Namespace team-red which mounts /run/containerd as a hostPath volume on the Node where it's running. This means that the Pod can access various data about other containers running on the same Node.

To prevent this, configure Namespace team-red to enforce the baseline Pod Security Standard. Once completed, delete the Pod of the Deployment mentioned above.

Check the ReplicaSet events and write the event/log lines containing the reason why the Pod isn't recreated into /opt/course/4/logs.

CKS Mock Exam Killer.sh | Question 3 | Apiserver Security

Task weight: 3%

Use context: kubectl config use-context workload-prod

You received a list from the DevSecOps team, which performed a security investigation of the k8s cluster1 (workload-prod). The list states the following about the apiserver setup:

  • Accessible through a NodePort Service

Change the apiserver setup so that:

  • Only accessible through a ClusterIP Service

CKS Mock Exam Killer.sh | Question 2 | Runtime Security with Falco

Task weight: 4%

Use context: kubectl config use-context workload-prod

Falco is installed with default configuration on node cluster1-node1. Connect using ssh cluster1-node1. Use it to:

  • Find a Pod running image nginx which creates unwanted package management processes inside its container.
  • Find a Pod running image httpd which modifies /etc/passwd.

Save the Falco logs for case 1 under /opt/course/2/falco.log in the format:
time-with-nanoseconds,container-id,container-name,user-name
No other information should be in any line. Collect the logs for at least 30 seconds.

Afterwards remove the threats (both 1 and 2) by scaling the replicas of the Deployments that control the offending Pods down to 0.

CKS Mock Exam Killer.sh | Question 1 | Contexts

Task weight: 1%

You have access to multiple clusters from your main terminal through kubectl contexts. Write all context names into /opt/course/1/contexts, one per line.

From the kubeconfig extract the certificate of user restricted@infra-prod and write it decoded to /opt/course/1/cert.

CKS Mock Exam Environment Setup

Set a few environment variables up front to work faster during the exam

alias k=kubectl                         # k can be used in place of kubectl
export do="--dry-run=client -o yaml"    # generate a YAML manifest with $do, e.g. k create deploy nginx --image=nginx $do
export now="--force --grace-period 0"   # force deletion, e.g. k delete pod x $now

vim settings

echo "set ts=2 sw=2 et ai" >> ~/.vimrc   # vim reads ~/.vimrc at startup; it is a vim script, not a shell file, so do not source it

This sets the tab width to 2, expands tabs into 2 spaces, and auto-indents new lines.