CORRECT TEXT

On the Cluster worker node, enforce the prepared AppArmor profile:

    #include <tunables/global>

    profile nginx-deny flags=(attach_disconnected) {
      #include <abstractions/base>

      file,

      # Deny all file writes.
      deny /** w,
    }
    EOF'

Edit the prepared manifest file to include the AppArmor profile.

    apiVersion: v1
    kind: Pod...


CORRECT TEXT

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect. Fix all of the following violations that were found against the API server:

a. Ensure that the RotateKubeletServerCertificate argument is set to true.
b. Ensure that the admission control plugin PodSecurityPolicy is set.
c. Ensure that the --kubelet-certificate-authority...


CORRECT TEXT

Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default. Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and verify that the pod is able to list pods. Ensure...


CORRECT TEXT

Cluster: scanner
Master node: controlplane
Worker node: worker1

You can switch the cluster/configuration context using the following command:

    $ kubectl config use-context scanner

Given: You may use Trivy’s documentation.

Task: Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato. Look for...



Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.

Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.

Answer:

    k get pods -n prod
    k get pod <pod-name> -n prod -o yaml | grep -E 'privileged|ReadOnlyRootFileSystem'

Delete the pods which do have any of these 2 properties: privileged: true or ReadOnlyRootFileSystem: false

    $ k get...

