How To Pass Certified Kubernetes Security Specialist (CKS) Exam Easily?

1. Create the Pod using this manifest

2. ConfigMap and Secret changes in all namespaces at the Metadata level Also, add a catch-all rule to log all other requests at the Metadata level

Note: Don't forget to apply the modified policy.

3. CORRECT TEXT

Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that

✑ 1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.

✑ 2. Log files are retainedfor5 days.

✑ 3. at maximum, a number of 10 old audit logs files are retained. Edit and extend the basic policy to log:

✑ 1. Cronjobs changes at RequestResponse

✑ 2. Log the request body of deployments changesinthenamespacekube-system.

✑ 3. Log all other resourcesincoreandextensions at the Request level.

✑ 4. Don't log watch requests by the "system:kube-proxy" on endpoints or

4. Edit the configuration to point to the provided HTTPS endpoint correctly

Finally, test if the configuration is working by trying to deploy the vulnerable resource /home/cert_masters/test-pod.yml

Note: You can find the container image scanner's log file at /var/log/policy/scanner.log

5. CORRECT TEXT

Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.

Create a Role name john-role to list secrets, pods in namespace john

Finally, Create a RoleBinding named john-role-binding to attach the newlycreated role john-role to the user john in the namespace john.

To Verify: Use the kubectl auth CLI command to verify the permissions.

6. k8s.gcr.io/kube-controller-manager:v1.18.6

Look for images with HIGH or CRITICAL severity vulnerabilities and store theoutput of the same in /opt/trivy-vulnerable.txt

7. CORRECT TEXT

Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

kubesec-test.yaml

✑ apiVersion: v1

✑ kind: Pod

✑ metadata:

✑ name: kubesec-demo

✑ spec:

✑ containers:

✑ - name: kubesec-demo

✑ image: gcr.io/google-samples/node-hello:1.0

✑ securityContext:

✑ readOnlyRootFilesystem:true

Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin <kubesec-test.yaml

8. CORRECT TEXT

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context dev

A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.

Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.

You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

9. Create a new ServiceAccount named psd-denial-sa in the existing namespace development.

Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

10. CORRECT TEXT

Using the runtime detection tool Falco, Analyse the container behavior for at least 20 seconds, using filters that detect newly spawning and executing processes in asingle container of Nginx.

store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format

[timestamp],[uid],[processName]

11. sysdig

Tools are pre-installed on the worker1 node only.

Analyse the container’s behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at /home/cert_masters/report, in the following format:

[timestamp],[uid],[processName]

Note: Make sure to store incident file on the cluster's worker node, don't move it to master node.