CKS 2021 latest real exam questions - practice set 01

Contents
1 Image scanning: ImagePolicyWebhook
2 Detecting processes in a Pod with sysdig
3 ClusterRole / Role permissions
4 AppArmor
5 PodSecurityPolicy
6 Network policy
7 Dockerfile and manifest issues
8 Pod security (stateless and immutable)
9 Creating a ServiceAccount
10 Image scanning with Trivy
11 Creating a Secret
12 kube-bench
13 gVisor
14 Auditing
15 Default network policy

1 Image scanning: ImagePolicyWebhook

Task
Context: A container image scanner is set up on the cluster, but it is not yet fully integrated into the cluster's configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.
You have to complete the entire task on the cluster's master node, where all services and files have been prepared and placed. Given an incomplete configuration in directory /etc/kubernetes/aa and a functional container image scanner with HTTPS endpoint https://<host>:1323/image_policy:
1. enable the necessary plugins to create an image policy
2. validate the control configuration and change it to an implicit deny
3. edit the configuration to point to the provided HTTPS endpoint correctly
Finally, test if the configuration is working by trying to deploy the vulnerable resource /cks/1/web1.yaml.

Solution
1. Switch to the right cluster context, find the master node and ssh to it.
2. ls /etc/kubernetes/aa to see the prepared files: an admission configuration file and a kubeconfig file for the webhook.
3. In the admission configuration file change defaultAllow: true to defaultAllow: false (implicit deny: if the scanner cannot be reached, images are rejected instead of admitted). In the kubeconfig file set the server: field of the cluster entry to the scanner's HTTPS endpoint. The /etc/kubernetes/aa directory must be mounted into the kube-apiserver static pod (hostPath volume plus volumeMount), otherwise the API server cannot read either file.
4. In /etc/kubernetes/manifests/kube-apiserver.yaml enable the plugin and point to the configuration file:
    --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
    --admission-control-config-file=/etc/kubernetes/aa/<admission configuration file>
5. The kubelet recreates the static pod when the manifest changes; if the API server does not come back, systemctl restart kubelet and check the kube-apiserver container logs for a config parse error.
6. Test: kubectl run pod1 --image=nginx, then kubectl apply -f /cks/1/web1.yaml, which must be rejected by the webhook.
Reference: https://kubernetes.io/zh/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook

2 Detecting processes in a Pod with sysdig

Task
You may use your browser to open one additional tab to access Sysdig's documentation or Falco's documentation.
Use runtime detection tools to detect anomalous processes spawning and executing frequently in the single container belonging to Pod redis. Two tools are available to use: sysdig and falco. The tools are pre-installed on the cluster's worker node only; they are not available on the base system or the master node. Using the tool of your choice (including any non pre-installed tool), analyse the container's behaviour for at least 30 seconds, using filters that detect newly spawning and executing processes. Store an incident file at /opt/2/report, containing the detected incidents, one per line, in the following format:
    timestamp,uid,processName

Solution
0. Use sysdig -l | grep <keyword> to look up the exact field names (evt.time, user.uid, proc.name, container.id).
1. Switch context, find the node the Pod runs on (kubectl get pod redis -o wide) and ssh to that worker node.
2. Run sysdig with the required output format and duration and redirect the result to the report file. Get the container ID with crictl ps | grep redis (docker ps on a Docker node).
3. Command (the -p format must produce exactly timestamp,uid,processName; the leading * prints an event even when one of the fields is missing):
    sysdig -M 30 -p "*%evt.time,%user.uid,%proc.name" container.id=<container id> > /opt/2/report
   Adding "and evt.type=execve" to the filter restricts the output to newly executed processes, which is what the task asks for; without it every syscall in the container is written to the report.

3 ClusterRole / Role permissions

Task
Context: A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
Given an existing Pod named web-pod running in the namespace monitoring, edit the Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing list operations, only on resources of type Endpoints. Create a new Role named role-2 in the namespace monitoring which only allows performing update operations, only on resources of type persistentvolumeclaims. Create a new RoleBinding named role-2-bindding binding the newly created Role to the Pod's ServiceAccount.

Solution
1. Find the RoleBinding that references sa-dev-1 (kubectl get rolebinding -n monitoring -o wide) and the Role it points to, then edit that Role so it has only verbs: [list] and resources: [endpoints], removing every other rule:
    kubectl edit role role-1 -n monitoring
2. Remember: --verb is the permission, --resource is the object:
    kubectl create role role-2 --verb=update --resource=persistentvolumeclaims -n monitoring
3. Create the binding to the ServiceAccount:
    kubectl create rolebinding role-2-bindding --role=role-2 --serviceaccount=monitoring:sa-dev-1 -n monitoring
   Check the result with kubectl auth can-i --as=system:serviceaccount:monitoring:sa-dev-1 -n monitoring list endpoints (expected: yes) and get endpoints (expected: no).

4 AppArmor

Task
Context: AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet. You may use your browser to open one additional tab to access the AppArmor documentation.
On the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor. Edit the prepared manifest file located at /cks/4/pod1.yaml to apply the AppArmor profile. Finally, apply the manifest file and create the pod specified in it.

Solution
1. Switch context, kubectl get nodes to find the worker node, ssh to it.
2. Look at the profile file and note the profile name declared inside it (here nginx-profile-3; Kubernetes references the profile name, not the file name):
    cd /etc/apparmor.d
    vi nginx_apparmor
    apparmor_status | grep nginx-profile-3     # no output means the profile is not loaded
    apparmor_parser -q nginx_apparmor          # load it; apparmor_status then lists it under enforce mode
3. Edit the manifest to apply the profile: copy the example from the docs and change the container name and profile name. The annotation key ends with the container's name and the value needs the localhost/ prefix; without the prefix the kubelet rejects the pod as an invalid profile reference:
    vi /cks/4/pod1.yaml
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/podx: localhost/nginx-profile-3
4. Create the pod and verify the profile is applied:
    kubectl apply -f /cks/4/pod1.yaml
    kubectl exec <pod> -c podx -- cat /proc/1/attr/current    # prints: nginx-profile-3 (enforce)
Note: from Kubernetes 1.30 the profile can also be set with securityContext.appArmorProfile; the 2021 exam expects the annotation.
Reference: https://kubernetes.io/zh/docs/tutorials/clusters/apparmor/#%E4%B8%BE%E4%BE%8B

5 PodSecurityPolicy

Task
Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Create a new PodSecurityPolicy named prevent-psp-policy, which prevents the creation of privileged Pods. Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy. Create a new ServiceAccount named psp-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBinding named dany-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount.

Solution
0. Switch context and check whether the admission plugin is enabled:
    vi /etc/kubernetes/manifests/kube-apiserver.yaml
    --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
    systemctl restart kubelet
   Caution: once the plugin is on, a Pod is only admitted if its ServiceAccount (or the creating user) may use some PSP. Enabling it on a cluster without policies blocks every new Pod, so create the policy and the bindings first and enable the plugin afterwards.
1. Copy a PSP from the docs and set privileged to false:
    cat psp.yaml
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: prevent-psp-policy
    spec:
      privileged: false
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      volumes:
      - '*'
    kubectl create -f psp.yaml
2. Create the ClusterRole that grants use of the policy:
    kubectl create clusterrole restrict-access-role --verb=use --resource=podsecuritypolicies --resource-name=prevent-psp-policy
3. Create the ServiceAccount in the right namespace:
    kubectl create sa psp-denial-sa -n development
4. Create the binding:
    kubectl create clusterrolebinding dany-access-bind --clusterrole=restrict-access-role --serviceaccount=development:psp-denial-sa
Note: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; current clusters use Pod Security Admission (the pod-security.kubernetes.io/enforce namespace label) for the same purpose.
Reference: https://kubernetes.io/zh/docs/concepts/policy/pod-security-policy/#%E5%88%9B%E5%BB%BA%E4%B8%80%E4%B8%AA%E7%AD%96%E7%95%A5%E5%92%8C%E4%B8%80%E4%B8%AA-pod

6 Network policy

Task
Create a NetworkPolicy named pod-access to restrict access to Pod products-service running in namespace development. Only allow the following Pods to connect to Pod products-service:
- Pods in the namespace testing
- Pods with label environment: staging, in any namespace
Make sure to apply the NetworkPolicy. You can find a skeleton manifest file at /cks/6/p1.yaml.

Solution
1. Look at the labels of the target Pod; the policy's podSelector must select products-service itself, not the client Pods (putting environment: staging there would protect the staging Pods instead of the target):
    kubectl get pod -n development --show-labels
2. Check the labels of the testing namespace; if it has none, add one to select it with:
    kubectl label ns testing name=testing
3. Write and apply the policy:
    cat networkpolicy.yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: pod-access
      namespace: development
    spec:
      podSelector:
        matchLabels:
          <label key>: <label value of products-service from step 1>
      policyTypes:
      - Ingress
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              name: testing
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              environment: staging
    kubectl create -f networkpolicy.yaml
   The two entries under from: are ORed. In the second entry, namespaceSelector: {} (all namespaces) and podSelector sit in the same list item and are therefore ANDed: staging Pods in any namespace. Writing them as two separate items would allow every Pod in every namespace, the classic mistake in this task.
Reference: https://kubernetes.io/zh/docs/concepts/services-networking/network-policies/#networkpolicy-resource

7 Dockerfile and manifest issues

Task
Analyze and edit the given Dockerfile (based on the ubuntu:16.04 image) /cks/7/Dockerfile, fixing two instructions present in the file that are prominent security/best-practice issues. Analyze and edit the given manifest file /cks/7/deployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues.

Solution
1. Dockerfile: fix exactly the number of issues the task states. A typical finding is a USER root instruction: comment it out (or switch to a non-root user) so the container does not run as root.
2. deployment.yaml: look at the apiVersion and at privileged / host-network settings in the container securityContext; again fix only as many fields as the task states.

8 Pod security (stateless and immutable)

Task
Context: It is best practice to design containers to be stateless and immutable.
Inspect Pods running in namespace testing and delete any Pod that is either not stateless or not immutable. Use the following strict interpretation of stateless and immutable:
- Pods being able to store data inside containers must be treated as not stateless. You don't have to worry whether data is actually stored inside containers or not already.
- Pods being configured to be privileged in any way must be treated as potentially not stateless and not immutable.

Solution
1. List all Pods in the namespace.
2. Check each Pod for privileged settings (grep for privi*).
3. Check each Pod for volumes.
4. Delete the Pods that are privileged or have volumes:
    kubectl get pod pod1 -n testing -o jsonpath='{.spec.volumes}' | jq
    kubectl get pod sso -n testing -o yaml | grep 'privi.*: true'
    kubectl delete pod xxxxx -n testing
   On recent clusters every Pod shows a projected kube-api-access-* volume (the ServiceAccount token) in .spec.volumes; the Pods to delete are the ones with volumes such as emptyDir or hostPath that let the container write data.

9 Creating a ServiceAccount

Task
Context: A Pod fails to run because of an incorrectly specified ServiceAccount.
Create a new ServiceAccount named frontend-sa in the existing namespace qa, which must not have access to any secrets. Inspect the Pod named frontend running in the namespace qa. Edit the Pod to use the newly created ServiceAccount.

Solution
1. Generate the ServiceAccount template:
    kubectl create serviceaccount frontend-sa -n qa --dry-run=client -o yaml
2. From the docs, disable token mounting in the ServiceAccount manifest so the Pod gets no API credentials mounted, then create it:
    automountServiceAccountToken: false
3. In the Pod spec set serviceAccountName: frontend-sa.
4. Recreate the Pod (the ServiceAccount of a running Pod cannot be changed in place: kubectl get pod frontend -n qa -o yaml, edit, delete, apply) and delete the wrongly specified ServiceAccount.

10 Image scanning with Trivy

Task
Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace yavin. Look for images with High or Critical severity vulnerabilities, and delete the Pods that use those images. Trivy is pre-installed on the cluster's master node only; it is not available on the base system or the worker nodes. You'll have to connect to the cluster's master node to use Trivy.

Solution
1. Switch context and ssh to the master node.
2. List the Pods and their images (kubectl get pods -n yavin -o yaml | grep image:) and scan every image with trivy image, filtering on --severity HIGH,CRITICAL; none may have High or Critical findings.
3. Delete the Pods that use a flagged image. A Pod with several containers goes if any one of its images is flagged.

11 Creating a Secret

Task
Retrieve the content of the existing secret named db1-test in the istio-system namespace. Store the username field in a file named /cks/11/old-username.txt, and the password field in a file named /cks/11/old-pass.txt. You must create both files; they don't exist yet. Do not use/modify the created files in the following steps; create new temporary files if needed. Create a new secret named test-workflow in the istio-system namespace, with the following content:
    username: thanos
    password: hahahaha
Finally, create a new Pod that has access to the secret test-workflow via a volume:
    pod name: dev-pod
    namespace: istio-system
    container name: dev-container
    image: nginx:1.9
    volume name: dev-volume
    mount path: /etc/test-secret

Solution
    kubectl get secrets db1-test -n istio-system -o yaml
    echo -n aGFoYTAwMQ== | base64 -d > /cks/11/old-pass.txt
    echo -n dG9t | base64 -d > /cks/11/old-username.txt
    kubectl create secret generic test-workflow --from-literal=username=thanos --from-literal=password=hahahaha -n istio-system
The base64 strings are the data: values of the secret as found in the exam (they decode to haha001 and tom); copy them including the = padding and keep the fields the right way round, otherwise the files hold the wrong content. Then create the Pod with the secret mounted as a volume per the requirements: volumes[].secret.secretName: test-workflow, volumeMounts[].mountPath: /etc/test-secret.

12 kube-bench

Task
Context: A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately.
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
    1.2.7  Ensure that the --authorization-mode argument is not set to AlwaysAllow   FAIL
    1.2.8  Ensure that the --authorization-mode argument includes Node                FAIL
    1.2.9  Ensure that the --authorization-mode argument includes RBAC                FAIL
    1.2.18 Ensure that the --insecure-bind-address argument is not set                FAIL
    1.2.19 Ensure that the --insecure-port argument is set to 0                       FAIL
Fix all of the following violations that were found against the kubelet:
    4.2.1  Ensure that the anonymous-auth argument is set to false                    FAIL
    4.2.2  Ensure that the --authorization-mode argument is not set to AlwaysAllow    FAIL
Use webhook authn/authz.

Solution
1. Switch context and ssh to the master node.
2. Run kube-bench run, find the items listed above and fix them:
   - API server (/etc/kubernetes/manifests/kube-apiserver.yaml): --authorization-mode=Node,RBAC; remove --insecure-bind-address; --insecure-port=0. The kubelet restarts the static pod when the file is saved.
   - kubelet (/var/lib/kubelet/config.yaml): authentication.anonymous.enabled: false, authentication.webhook.enabled: true, authorization.mode: Webhook; then systemctl restart kubelet.
   The real exam also includes an etcd item.

13 gVisor

Task
Context: This cluster uses containerd as CRI runtime. Containerd's default runtime handler is runc. Containerd has been prepared to support an additional runtime handler, runsc (gVisor).
Create a RuntimeClass named untrusted using the prepared runtime handler named runsc. Update all Pods in the namespace client to run on gVisor, unless they are already running on a non-default runtime handler. You can find a skeleton manifest file at /cks/13/rc.yam

Solution
1. Switch context; create the RuntimeClass from the docs example (kind RuntimeClass, metadata.name: untrusted, handler: runsc).
2. Make the Pods use it as the task requires: add runtimeClassName: untrusted to the spec of every Pod in namespace client that has no runtimeClassName yet, and recreate them (the field is immutable on a running Pod). kubectl exec <pod> -- dmesg shows gVisor's kernel banner once a Pod is sandboxed.
Reference: https://kubernetes.io/zh/docs/concepts/containers/runtime-class/#2-%E5%88%9B%E5%BB%BA%E7%9B%B8%E5%BA%94%E7%9A%84-runtimeclass-%E8%B5%84%E6%BA%90

14 Auditing

Task
Enable audit logs in the cluster. To do so, enable the log backend, and ensure that:
- logs are stored at /var/log/kubernetes/audit-logs.txt
- log files are retained for 5 days at maximum
- a number of 10 audit log files are retained
A basic poli
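Worked example for task 1 (ImagePolicyWebhook). This is an added shell script, not part of the exam notes: it writes the two files the plugin needs in the shape the Kubernetes documentation describes and checks them before the API server is restarted. The file names admission_configuration.yaml and kubeconfig.yaml, the certificate file names, the cluster/user names and the webhook host image-checker.example are assumptions; in the exam you edit the prepared files in /etc/kubernetes/aa rather than generating new ones, and only the directory and the port/path 1323/image_policy come from the task.

```shell
#!/bin/sh
# Added example: generate and sanity-check ImagePolicyWebhook configuration.
# File names, cert names and the webhook host below are assumptions.

# write_image_policy_config DIR URL
# Writes DIR/admission_configuration.yaml (deny by default) and the
# kubeconfig DIR/kubeconfig.yaml the API server uses to reach the scanner.
write_image_policy_config() {
  dir=$1
  url=$2
  cat > "$dir/admission_configuration.yaml" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: $dir/kubeconfig.yaml
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: false
EOF
  cat > "$dir/kubeconfig.yaml" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: image-checker
  cluster:
    certificate-authority: $dir/webhook.crt
    server: $url
contexts:
- name: image-checker
  context:
    cluster: image-checker
    user: api-server
current-context: image-checker
users:
- name: api-server
  user:
    client-certificate: $dir/apiserver-client.crt
    client-key: $dir/apiserver-client.key
EOF
}

# check_image_policy_config DIR
# Returns 0 only when the plugin is an implicit deny (defaultAllow: false)
# and the webhook is reached over HTTPS. With defaultAllow: true a scanner
# outage silently admits every image, which is what the task asks you to fix.
check_image_policy_config() {
  dir=$1
  grep -Eq '^[[:space:]]*defaultAllow:[[:space:]]*false[[:space:]]*$' \
      "$dir/admission_configuration.yaml" \
    || { echo "FAIL: defaultAllow is not false" >&2; return 1; }
  grep -Eq '^[[:space:]]*server:[[:space:]]*https://' "$dir/kubeconfig.yaml" \
    || { echo "FAIL: webhook server is not an https:// URL" >&2; return 1; }
  echo "OK: implicit deny, HTTPS webhook"
}

# Usage on the master node (host name assumed):
#   write_image_policy_config /etc/kubernetes/aa https://image-checker.example:1323/image_policy
#   check_image_policy_config /etc/kubernetes/aa
# Then add to /etc/kubernetes/manifests/kube-apiserver.yaml:
#   --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
#   --admission-control-config-file=/etc/kubernetes/aa/admission_configuration.yaml
# plus a hostPath volume and volumeMount for /etc/kubernetes/aa.
```

The kubeconfig's certificate paths must also be reachable inside the kube-apiserver container, which is why the whole directory is mounted rather than a single file.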
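Worked example for task 10 (Trivy). These are added shell helpers, not part of the exam notes: pod_images maps every Pod in a namespace to its container images, and vulnerable_pods scans each image with trivy image --severity HIGH,CRITICAL --exit-code 1 and prints the Pods that have to be deleted. The function names and the TRIVY override variable are my own; the kubectl and trivy flags are the real ones. Pod and image names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: find Pods in a namespace whose images carry HIGH or
# CRITICAL findings. Helper names and the TRIVY variable are my own.

# pod_images NAMESPACE
# One line per Pod: "<pod> <image> [<image> ...]", including init containers,
# so a vulnerable init image is caught as well.
pod_images() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{" "}{range .spec.initContainers[*]}{.image}{" "}{end}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}'
}

# vulnerable_pods
# Reads pod_images output on stdin and prints each Pod with at least one
# image that has HIGH or CRITICAL findings. --exit-code 1 makes trivy return
# non-zero when findings at the selected severities exist, so the output
# does not have to be parsed. TRIVY defaults to the real binary; a test can
# point it at a stub function instead.
vulnerable_pods() {
  trivy_cmd=${TRIVY:-trivy}
  while read -r pod images; do
    [ -n "$pod" ] || continue
    for img in $images; do
      if ! $trivy_cmd image --severity HIGH,CRITICAL --exit-code 1 -q "$img" >/dev/null 2>&1; then
        echo "$pod"
        break    # one bad image is enough to condemn the Pod
      fi
    done
  done
}

# Usage on the master node, where trivy is installed:
#   pod_images yavin | vulnerable_pods
#   pod_images yavin | vulnerable_pods | xargs -r kubectl delete pod -n yavin
```

Review the list before piping it into delete: a Pod owned by a Deployment or ReplicaSet is recreated with the same image, so the fix there is a new image in the controller spec, not a Pod deletion.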
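Worked example for tasks 12 and 14 (kube-bench and auditing). This is an added shell script, not from the exam notes: it reads a kubeadm kube-apiserver static-pod manifest and reports the five API-server items listed in task 12 plus the three audit-log settings from task 14, so the manifest can be checked before and after editing. The function names are my own; the flag names are the real kube-apiserver flags. The kubelet items (4.2.1, 4.2.2) live in /var/lib/kubelet/config.yaml as nested YAML and are not covered here.

```shell
#!/bin/sh
# Added example: audit a kubeadm kube-apiserver manifest for the kube-bench
# items from task 12 and the audit-log flags from task 14. Not from the notes.

# flag_value MANIFEST FLAG
# Prints the value of the first "- FLAG=value" entry in the static pod's
# command list, or nothing if the flag is absent.
flag_value() {
  sed -n "s/^[[:space:]]*- $2=\(.*\)$/\1/p" "$1" | head -n 1
}

# check_apiserver_manifest MANIFEST
# Prints one PASS/FAIL line per item; returns 1 if anything failed.
check_apiserver_manifest() {
  m=$1
  rc=0
  authz=$(flag_value "$m" --authorization-mode)
  if [ -z "$authz" ]; then
    # unset means the API server default, which is AlwaysAllow
    echo "FAIL 1.2.7 --authorization-mode not set (defaults to AlwaysAllow)"; rc=1
  else
    case ",$authz," in
      *,AlwaysAllow,*) echo "FAIL 1.2.7 --authorization-mode contains AlwaysAllow"; rc=1 ;;
      *) echo "PASS 1.2.7 --authorization-mode is not AlwaysAllow" ;;
    esac
  fi
  case ",$authz," in
    *,Node,*) echo "PASS 1.2.8 --authorization-mode includes Node" ;;
    *) echo "FAIL 1.2.8 --authorization-mode lacks Node"; rc=1 ;;
  esac
  case ",$authz," in
    *,RBAC,*) echo "PASS 1.2.9 --authorization-mode includes RBAC" ;;
    *) echo "FAIL 1.2.9 --authorization-mode lacks RBAC"; rc=1 ;;
  esac
  if [ -n "$(flag_value "$m" --insecure-bind-address)" ]; then
    echo "FAIL 1.2.18 --insecure-bind-address is set"; rc=1
  else
    echo "PASS 1.2.18 --insecure-bind-address not set"
  fi
  if [ "$(flag_value "$m" --insecure-port)" = "0" ]; then
    echo "PASS 1.2.19 --insecure-port=0"
  else
    echo "FAIL 1.2.19 --insecure-port is not 0"; rc=1
  fi
  # Task 14: log backend to a file, keep 5 days, keep 10 rotated files.
  if [ "$(flag_value "$m" --audit-log-path)" = "/var/log/kubernetes/audit-logs.txt" ]; then
    echo "PASS audit --audit-log-path"
  else
    echo "FAIL audit --audit-log-path is not /var/log/kubernetes/audit-logs.txt"; rc=1
  fi
  if [ "$(flag_value "$m" --audit-log-maxage)" = "5" ]; then
    echo "PASS audit --audit-log-maxage=5"
  else
    echo "FAIL audit --audit-log-maxage is not 5"; rc=1
  fi
  if [ "$(flag_value "$m" --audit-log-maxbackup)" = "10" ]; then
    echo "PASS audit --audit-log-maxbackup=10"
  else
    echo "FAIL audit --audit-log-maxbackup is not 10"; rc=1
  fi
  return $rc
}

# Usage: check_apiserver_manifest /etc/kubernetes/manifests/kube-apiserver.yaml
```

Two caveats when applying the fixes: the audit task also needs --audit-policy-file pointing at a policy and a hostPath volume for /var/log/kubernetes (and for the policy file) in the static pod, or the API server cannot write the log; and --insecure-port was removed in Kubernetes 1.24, so on those versions the flag must be absent rather than set to 0, otherwise the API server refuses to start.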