CKS Question Bank 3: Default Network Policy
Context: A default-deny NetworkPolicy prevents Pods from being accidentally exposed in a namespace where no other NetworkPolicy is defined. Task: Create a new default-deny NetworkPolicy named denypolicy in namespace testing for all traffic of type Ingress+Egress. This new NetworkPolicy must deny all Ingress + Egress traffic in namespace testing. Apply the newly created default-deny NetworkPolicy to all Pods running in namespace testing. You can find a template manifest file at /cks/net/p1.yaml. Reference: https://kubernetes.io/zh-cn/docs/concepts/services-networking/network-policies/#默认拒绝所有入口和所有出站流量 Solution: Switch cluster: kubectl config use-context KSCS00101 Edit the template file /...
CKS Question Bank 2: Specifying a ServiceAccount for a Pod
Context: Your organization's security policy includes: ServiceAccounts must not automatically mount API credentials; ServiceAccount names must end in "-sa". The Pod specified in the manifest file /cks/sa/pod1.yaml cannot be scheduled because it specifies the wrong ServiceAccount. Please complete the following: Task: In the existing namespace qa, create a new ServiceAccount named backend-sa and make sure this ServiceAccount does not automatically mount API credentials. Use the manifest file /cks/sa/pod1.yaml to create a Pod. Finally, clean up any unused ServiceAccounts in namespace qa. Reference: https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/configure-service-account/#使用默认的服务账户访问-api-服务器 Solution: Switch cluster: kubectl config use-context KSCH00301 Create the ServiceAccount: vi qa-s...
CKS Question Bank 1: Fixing Insecure Items Reported by kube-bench
Context: Running the CIS benchmark tool against a cluster created with kubeadm found several issues that must be resolved immediately. Task: Fix all issues through configuration and restart the affected components so that the new settings take effect. Fix all of the following violations found for the API server: 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow FAIL; 1.2.8 Ensure that the --authorization-mode argument includes Node FAIL; 1.2.9 Ensure that the --authorization-mode argument includes RBAC FAIL; 1.2.18 Ensure that the --insecure-bind-address argument is not set FAIL (this item is not given in the 1.25 exam, but it is best to check it too; it needs to be changed in the simulation environment); 1.2.19 Ensure that the --insecure-port argument is set to...
CKA Practice Questions Killer.sh Extra | Question 2 | Curl Manually Contact API
Use context: kubectl config use-context k8s-c1-H There is an existing ServiceAccount secret-reader in Namespace project-hamster. Create a Pod of image curlimages/curl:7.65.3 named tmp-api-contact which uses this ServiceAccount. Make sure the container keeps running. Exec into the Pod and use curl to access the Kubernetes API of that cluster manually, listing all available secrets. You can ignore the insecure https connection. Write the command(s) for this into file /opt/course/e4/list-secrets.s...
CKA Practice Questions Killer.sh | Extra Question 1 | Find Pods first to be terminated
Use context: kubectl config use-context k8s-c1-H Check all available Pods in the Namespace project-c13 and find the names of those that would probably be terminated first if the nodes run out of resources (cpu or memory) to schedule all Pods. Write the Pod names into /opt/course/e1/pods-not-stable.txt. Translation: Check all available Pods in the namespace project-c13 and find the names of the Pods that would probably be terminated first if node resources (CPU or memory) run out while scheduling all Pods. Write the Pod names into /opt/course/e1/pods-not-stable.txt. Solution: When the available CPU or memory on a node reaches its limit, Kubernetes looks for Pods that are using more resources than they requested. These will be the first candidates for termination...
CKA Practice Questions Killer.sh | Preview Question 3
Use context: kubectl config use-context k8s-c2-AC Create a Pod named check-ip in Namespace default using image httpd:2.4.41-alpine. Expose it on port 80 as a ClusterIP Service named check-ip-service. Remember/output the IP of that Service. Change the Service CIDR to 11.96.0.0/12 for the cluster. Then create a second Service named check-ip-service2 pointing to the same Pod to check if your settings did take effect. Finally check if the IP of the first Service has changed. Translation: In the namespace defa...
CKA Practice Questions Killer.sh | Preview Question 2
Use context: kubectl config use-context k8s-c1-H You’re asked to confirm that kube-proxy is running correctly on all nodes. For this perform the following in Namespace project-hamster : Create a new Pod named p2-pod with two containers, one of image nginx:1.21.3-alpine and one of image busybox:1.31 . Make sure the busybox container keeps running for some time. Create a new Service named p2-service which exposes that Pod internally in the cluster on port 3000->80. Find the kube-proxy contai...
CKA Practice Questions Killer.sh | Preview Question 1
Use context: kubectl config use-context k8s-c2-AC The cluster admin asked you to find out the following information about etcd running on cluster2-controlplane1: Server private key location; Server certificate expiration date; Is client certificate authentication enabled. Write this information into /opt/course/p1/etcd-info.txt Finally you're asked to save an etcd snapshot at /etc/etcd-snapshot.db on cluster2-controlplane1 and display its status. Translation: The cluster admin asks you to find out the following information about the etc...
CKA Practice Questions Killer.sh | Question 25 | Etcd Snapshot Save and Restore
Task weight: 8% Use context: kubectl config use-context k8s-c3-CCC Make a backup of etcd running on cluster3-controlplane1 and save it on the controlplane node at /tmp/etcd-backup.db. Then create a Pod of your kind in the cluster. Finally restore the backup, confirm the cluster is still working and that the created Pod is no longer with us. Translation: Back up the etcd running on cluster3-controlplane1 and save it on the controlplane node at /tmp/etcd-backup.db. Then create a Pod in the cluster. Finally restore the backup and confirm that the cluster is still running and that the created Pod no longer exists. Solution: kubectl config...
CKA Practice Questions Killer.sh | Question 24 | NetworkPolicy
Task weight: 9% Use context: kubectl config use-context k8s-c1-H There was a security incident where an intruder was able to access the whole cluster from a single hacked backend Pod. To prevent this create a NetworkPolicy called np-backend in Namespace project-snake . It should allow the backend-* Pods only to: connect to db1-* Pods on port 1111 connect to db2-* Pods on port 2222 Use the app label of Pods in your policy. After implementation, connections from backend-* Pods to vault-* Pods o...