CORRECT TEXT

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect. Fix all of the following violations that were found against the API server:
a. Ensure that the RotateKubeletServerCertificate argument is set to true.
b. Ensure that the admission control plugin PodSecurityPolicy is set.
c....

August 31, 2021

CORRECT TEXT

On the Cluster worker node, enforce the prepared AppArmor profile:

#include <tunables/global>

profile nginx-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
EOF'

Edit the prepared manifest file to include the AppArmor profile.

apiVersion:...

August 30, 2021

Create the Pod using this manifest

Answer:
[desk@cli] $ ssh worker1
[worker1@cli] $ apparmor_parser -q /etc/apparmor.d/nginx
[worker1@cli] $ aa-status | grep nginx
nginx-profile-1
[worker1@cli] $ logout
[desk@cli] $ vim nginx-deploy.yaml
Add these lines under metadata:
  annotations: # Add this line
    container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/nginx-profile-1
[desk@cli] $ kubectl apply -f nginx-deploy.yaml

Explanation
[desk@cli] $ ssh worker1
[worker1@cli] $ apparmor_parser -q /etc/apparmor.d/nginx
[worker1@cli] $ aa-status | grep nginx
nginx-profile-1
[worker1@cli] $ logout
[desk@cli] $ vim...

August 30, 2021

CORRECT TEXT

Using the runtime detection tool Falco, analyse the container behavior for at least 30 seconds, using filters that detect newly spawning and executing processes. Store the incident file at /opt/falco-incident.txt, containing the detected incidents, one per line, in the format [timestamp],[uid],[user-name],[processName]

Answer: Send us your suggestion on it.

August 29, 2021

CORRECT TEXT

On the Cluster worker node, enforce the prepared AppArmor profile:

#include <tunables/global>

profile nginx-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
EOF'

Edit the prepared manifest file to include the AppArmor profile.

apiVersion:...

August 29, 2021

CORRECT TEXT

Create a RuntimeClass named untrusted using the prepared runtime handler named runsc. Create a Pod of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class. Verify: exec into the Pod and run dmesg; you will see output like this:

Answer: Send us your...

August 29, 2021

CORRECT TEXT

a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace. Store the value of the token in the token.txt
b. Create a new secret named test-db-secret in the DB namespace with the following content:
username: mysql
password: password@123
Create the Pod named test-db-pod of image...

August 28, 2021

CORRECT TEXT

Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc. Create a Pod of image Nginx in the Namespace server to run on the gVisor runtime class.

Answer:
Install the Runtime Class for gVisor
{ # Step 1: Install a RuntimeClass
cat <<EOF | kubectl...

July 14, 2021

CORRECT TEXT

Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt. Create a new Role named dev-test-role in the namespace test-system, which can perform update operations on resources of type namespaces. Create a new RoleBinding named dev-test-role-binding, which...

July 14, 2021

CORRECT TEXT

Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress.

Answer: You can create a "default" isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those...

July 13, 2021