Updated CKS Exam Dumps Are Online For Success

You have completed the Certified Kubernetes Administrator (CKA) certification, so you are now going for the Certified Kubernetes Security Specialist (CKS) certification. We have updated the CKS exam dumps online to ensure that you can pass the exam successfully. The updated CKS dumps contain 44 practice exam questions and answers. You can read the CKS exam dumps with our PDF file and software for 100% passing.

CKS Free Dumps are below to help you check the updated version

1. CORRECT TEXT

a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace.

Store the value of the token in the token.txt

b. Create a new secret named test-db-secret in the DB namespace with the following content:

username: mysql

password: password@123

Create the Pod named test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials

2. CORRECT TEXT

Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.

Create a Pod of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.

Verify: Exec the pods and run the dmesg, you will see output like this:-

3. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.

4. CORRECT TEXT

Cluster: scanner

Master node: controlplane

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context scanner

Given:

You may use Trivy's documentation.

Task:

Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.

Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.

Trivy is pre-installed on the cluster's master node. Use the cluster's master node to run Trivy.

5. CORRECT TEXT

On the Cluster worker node, enforce the prepared AppArmor profile

    #include <tunables/global>

    profile nginx-deny flags=(attach_disconnected) {
      #include <abstractions/base>

      file,

      # Deny all file writes.
      deny /** w,
    }
    EOF'

Edit the prepared manifest file to include the AppArmor profile.

    apiVersion: v1
    kind: Pod
    metadata:
      name: apparmor-pod
    spec:
      containers:
      - name: apparmor-pod
        image: nginx

Finally, apply the manifest file and create the Pod specified in it.

Verify: Try to make a file inside the directory which is restricted.

6. sysdig

Tools are pre-installed on the worker1 node only.

Analyse the container’s behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at /home/cert_masters/report, in the following format:

[timestamp],[uid],[processName]

Note: Make sure to store the incident file on the cluster's worker node; don't move it to the master node.

7. CORRECT TEXT

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:-

a. Ensure that the RotateKubeletServerCertificate argument is set to true.

b. Ensure that the admission control plugin PodSecurityPolicy is set.

c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

Fix all of the following violations that were found against the Kubelet:-

a. Ensure the --anonymous-auth argument is set to false.

b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against the ETCD:-

a. Ensure that the --auto-tls argument is not set to true

b. Ensure that the --peer-auto-tls argument is not set to true

Hint: Make use of the tool Kube-Bench

8. Create the Pod using this manifest

9. CORRECT TEXT

Using the runtime detection tool Falco, analyse the container behavior for at least 30 seconds, using filters that detect newly spawning and executing processes. Store the incident file at /opt/falco-incident.txt, containing the detected incidents, one per line, in the format

[timestamp],[uid],[user-name],[processName]

10. CORRECT TEXT

Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default.

Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and verify that the pod is able to list pods.

Ensure that the Pod is running.


 
