- Take me to the Mock Exam 3
Solutions for lab - Mock Exam 3:
With questions where you need to modify API server, you can use this resource to diagnose a failure of the API server to restart.
-
A kube-bench report is available at the
Kube-bench assessment report
tab. Fix the tests withFAIL
status for4 Worker Node Security Configuration
.Make changes to the
/var/lib/kubelet/config.yaml
After you have fixed the issues, you can update the published report in the
Kube-bench assessment report
tab by running/root/publish_kubebench.sh
to validate results.Reveal
Update
/var/lib/kubelet/config.yaml
as below-
Change authorization to Webhook for authorization-mode failure:
authorization: mode: Webhook
-
Add below for KernelDefaults Failure:
protectKernelDefaults: true
-
-
Enable auditing in this kubernetes cluster. Create a new policy file that will only log events based on the below specifications:
- Namespace:
prod
- Level:
metadata
- Operations:
delete
- Resources:
secrets
- Log Path:
/var/log/prod-secrets.log
- Audit file location:
/etc/kubernetes/prod-audit.yaml
- Maximum days to keep the logs:
30
Once the policy is created it, enable and make sure that it works.
Reveal
-
Create
/etc/kubernetes/prod-audit.yaml
as below:apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata namespace: ["prod"] verb: ["delete"] resources: - group: "" resource: ["secrets"]
-
Next, make sure to enable logging in api-server by adding the following arguments in the API server manifest:
- --audit-policy-file=/etc/kubernetes/prod-audit.yaml - --audit-log-path=/var/log/prod-secrets.log - --audit-log-maxage=30
-
Then, add to the volumes and volume mounts sections as shown in the below snippets.
- name: audit hostPath: path: /etc/kubernetes/prod-audit.yaml type: File - name: audit-log hostPath: path: /var/log/prod-secrets.log type: FileOrCreate
In the above, the
type
of eachhostPath
are set as follows:File
-/etc/kubernetes/prod-audit.yaml
is a file that must pre-exist (you created it in stepi
of this solution)FileOrCreate
- The fileprod-secrets.log
will be created in directory/var/log
if it does not exist. If it does exist, it will be appended to.
- mountPath: /etc/kubernetes/prod-audit.yaml name: audit readOnly: true - mountPath: /var/log/prod-secrets.log name: audit-log readOnly: false
-
Finally save the file and make sure that kube-apiserver restarts. This can take up to a minute. You can run the following to see the pods restarting (press
CTRL-C
to exit the watch):watch crictl ps
If it does not start, then know how to diagnose why. Being able to do this can be the difference between passing and failing the CKS exam!
- Namespace:
-
We have a pod definition template
/root/kubesec-pod.yaml
oncontrolplane
host. Scan this template using thekubesec
tool and you will notice some failures.Fix the failures in this file and save the success report in
/root/kubesec_success_report.json
.Make sure that the final kubesec scan status is passed.
Reveal
-
Scan the pod YAML
kubesec scan /root/kubesec-pod.yaml
You will see failure message as:
containers[] .securityContext .privileged == true
-
Update privileged flag in
/root/kubesec-pod.yaml
privileged: false
-
Then run
kubesec scan /root/kubesec-pod.yaml kubesec scan /root/kubesec-pod.yaml > /root/kubesec_success_report.json
-
-
In the dev namespace create below resources...
- A role
dev-write
with access to get, watch, list and create pods in the same namespace. - A Service account called
developer
and then binddev-write
role to it with a rolebinding calleddev-write-binding
. - Finally, create a pod using the template
/root/dev-pod.yaml
. The pod should run with the service account developer. Update/root/dev-pod.yaml
as necessary
Reveal
-
Create role dev-write as below:
kubectl create role -n dev dev-write --resource pods --verb get,watch,list,create
-
Create service account developer and rolebinding as below:
kubectl create sa -n dev developer kubectl create rolebinding -n dev dev-write-binding --role dev-write --serviceaccount dev:developer
-
Update
/root/dev-pod.yaml
. AdjustserviceAccount
andnamespace
accordingly and deploy pod.
- A role
-
Try to create a pod using the template defined in
/root/beta-pod.yaml
in the namespacebeta
. This should result in a failure.Troubleshoot and fix the OPA validation issue while creating the pod. You can update /root/beta-pod.yaml as necessary.
The Rego configuration map for OPA is in
untrusted-registry
underopa
namespace.NOTE: In the end pod need not to be successfully running but make sure that it passed the OPA validation and gets created.
Reveal
If you inspect the rego file defined in the configmap called
untrusted-registry
, you will see that it denies repositories that do not begin withkodekloud.io/
.To fix this, update the image URL to
kodekloud.io/
and then create the pod:-
Inspect the configmap
kubectl get cm -n opa untrusted-registry -o yaml
-
Edit
/root/beta-pod.yaml
and adjust the image...- image: kodekloud.io/google-samples/node-hello:1.0
-
Create it
kubectl create -f /root/beta-pod.yaml
NOTE: The pod will now be created as it passes the policy checks. However, it will not run as such an image does not exist.
-
-
We want to deploy an
ImagePolicyWebhook
admission controller to secure the deployments in our cluster.- Fix the error in
/etc/kubernetes/pki/admission_configuration.yaml
which will be used byImagePolicyWebhook
- Make sure that the policy is set to implicit deny. If the webhook service is not reachable, the configuration file should automatically reject all the images.
- Enable the plugin on API server.
The kubeconfig file for already created imagepolicywebhook resources is under
/etc/kubernetes/pki/admission_kube_config.yaml
Reveal
-
Update
/etc/kubernetes/pki/admission_configuration.yaml
and make required changes:-
Set the path to the kubeconfig file. Note that you are not told where this file is, so we need to look for it.
- Check the directory
/etc/kubernetes/pki
where the admission configuration is. You should find it in the same directory asadmission_kube_config.yaml
. - Note that when API server loads the admission configuration, the path for
kubeConfigFile
refers to the file system of the container not the host. Therefore you should validate API server's volumes and volume mounts to know where in the container the host path/etc/kubernetes/pki
will be mounted. Luckily it is the same path.
- Check the directory
-
Set the path to the
kubeConfigFile
and changedefaultAllow
tofalse
to satisfy the "automatically reject" condition.apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: ImagePolicyWebhook configuration: imagePolicy: kubeConfigFile: /etc/kubernetes/pki/admission_kube_config.yaml allowTTL: 50 denyTTL: 50 retryBackoff: 500 defaultAllow: false
-
-
Update /etc/kubernetes/manifests/kube-apiserver.yaml as below:
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook - --admission-control-config-file=/etc/kubernetes/pki/admission_configuration.yaml
-
Finally save the file and make sure that kube-apiserver restarts. This can take up to a minute. You can run the following to see the pods restarting (press
CTRL-C
to exit the watch):watch crictl ps
If it does not start, then know how to diagnose why. Being able to do this can be the difference between passing and failing the CKS exam!
- Fix the error in
-
Delete pods from
alpha
namespace which are not immutable.Examine the pods by getting them with
-o yaml
. Look for settings that voilate the condition of immutability.Reveal
- Pod
solaris
is immutable as it hasreadOnlyRootFilesystem: true
so it should not be deleted. - Pod
sonata
is running withreadOnlyRootFilesystem: false
thus it can be mutated so should be deleted. - Pod
triton
has no setting forreadOnlyRootFilesystem
. The default for this when not present isfalse
therefore it should be deleted.
- Pod