CORRECT TEXT

CKS 0 Comments

CORRECT TEXT

Create a PSP that will only allow the persistentvolumeclaim as the volume type in the namespace restricted.

Create a new PodSecurityPolicy named prevent-volume-policy which prevents the pods which is having different volumes mount apart from persistentvolumeclaim.

Create a new ServiceAccount named psp-sa in the namespace restricted.

Create a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policy

Create a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.

Hint:

Also, Check the Configuration is working or not by trying to Mount a Secret in the pod maifest, it should get failed.

POD Manifest:

✑ apiVersion: v1

✑ kind: Pod

✑ metadata:

✑ name:

✑ spec:

✑ containers:

✑ – name:

✑ image:

✑ volumeMounts:

✑ – name:

✑ mountPath:

✑ volumes:

✑ – name:

✑ secret:

✑ secretName:

Answer: apiVersion: policy/v1beta1

kind: PodSecurityPolicy

metadata:

name: restricted

annotations:

seccomp.security.alpha.kubernetes.io/allowedProfileNames:

‘docker/default,runtime/default’

apparmor.security.beta.kubernetes.io/allowedProfileNames: ‘runtime/default’

seccomp.security.alpha.kubernetes.io/defaultProfileName: ‘runtime/default’

apparmor.security.beta.kubernetes.io/defaultProfileName: ‘runtime/default’

spec:

privileged: false

# Required to prevent escalations to root. allowPrivilegeEscalation: false

# This is redundant with non-root + disallow privilege escalation,

# but we can provide it for defense in depth. requiredDropCapabilities:

– ALL

# Allow core volume types.

volumes:

– ‘configMap’

– ’emptyDir’

– ‘projected’

– ‘secret’

– ‘downwardAPI’

# Assume that persistentVolumes set up by the cluster admin are safe to use. – ‘persistentVolumeClaim’

hostNetwork: false

hostIPC: false

hostPID: false runAsUser:

# Require the container to run without root privileges.

rule: ‘MustRunAsNonRoot’

seLinux:

# This policy assumes the nodes are using AppArmor rather than SELinux. rule: ‘RunAsAny’

supplementalGroups: rule: ‘MustRunAs’ ranges:

# Forbid adding the root group.

– min: 1 max: 65535 fsGroup:

rule: ‘MustRunAs’ ranges:

# Forbid adding the root group. – min: 1

max: 65535

readOnlyRootFilesystem: false

Latest CKS Dumps Valid Version with 44 Q&As

Latest And Valid Q&A | Instant Download | Once Fail, Full Refund

Instant Download CKS PDF     CKS Questions Online Training
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments