cks4


27/12/2024, 16:59 Linux Foundation Certified Kubernetes Security Specialist (CKS) - CKS Free Exam Questions [2024]


Linux Foundation Certified Kubernetes Security Specialist (CKS) - CKS Free Exam Questions

QUESTION NO: 16
Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default.
Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and verify that the pod is able to list pods.
Ensure that the Pod is running.


Correct Answer:

A service account provides an identity for processes that run in a Pod.


When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account (currently this is usually admin, unless
your cluster administrator has customized your cluster). Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular
Service Account (for example, default).
When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. If you get the raw json or yaml for
a pod you have created (for example, kubectl get pods/<podname> -o yaml), you can see the spec.serviceAccountName field has been automatically set.
You can access the API from inside a pod using automatically mounted service account credentials, as described in Accessing the Cluster. The API permissions of the service
account depend on the authorization plugin and policy in use.
In version 1.6+, you can opt out of automounting API credentials for a service account by setting automountServiceAccountToken: false on the service account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false
...
In version 1.6+, you can also opt out of automounting API credentials for a particular pod:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
  ...
The pod spec takes precedence over the service account if both specify an automountServiceAccountToken value.
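
The objects the task asks for, as an added example that is not part of the original page: a ServiceAccount, a namespaced Role limited to the list verb on pods, the RoleBinding that ties them together, and the Pod that runs as the account. The Role name pod-lister, the RoleBinding name backend-sa-pod-lister, the container name and the nginx image are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Names pod-lister / backend-sa-pod-lister and image nginx are assumptions.
backend_manifests() {
cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata: {name: backend-sa, namespace: default}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-lister, namespace: default}
rules:
- apiGroups: [""]        # core API group, where pods live
  resources: ["pods"]
  verbs: ["list"]        # only what the task requires
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: backend-sa-pod-lister, namespace: default}
subjects:
- kind: ServiceAccount
  name: backend-sa
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-lister
---
apiVersion: v1
kind: Pod
metadata: {name: backend-pod, namespace: default}
spec:
  serviceAccountName: backend-sa
  containers:
  - name: backend
    image: nginx
EOF
}

# Username the API server assigns to a service account: sa_user NAMESPACE NAME
sa_user() { echo "system:serviceaccount:$1:$2"; }

if [ "${1:-}" = "apply" ]; then   # needs kubectl and a reachable cluster
  backend_manifests | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/backend-pod -n default --timeout=120s
  kubectl auth can-i list pods -n default --as="$(sa_user default backend-sa)"
fi
```

Run without arguments it does nothing, so the manifests can be reviewed with `backend_manifests` first; run with `apply` it creates the objects, waits for the Pod and asks the API server whether the service account may list pods.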

QUESTION NO: 17
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
Context: A CIS Benchmark tool was run against the kubeadm created cluster and found multiple issues that must be addressed.
Task: Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
1.2.7 authorization-mode argument is not set to AlwaysAllow FAIL
1.2.8 authorization-mode argument includes Node FAIL
1.2.7 authorization-mode argument includes RBAC FAIL
Fix all of the following violations that were found against the Kubelet:
4.2.1 Ensure that the anonymous-auth argument is set to false FAIL
4.2.2 authorization-mode argument is not set to AlwaysAllow FAIL (Use Webhook authn/authz where possible)
Fix all of the following violations that were found against etcd:
2.2 Ensure that the client-cert-auth argument is set to true


Correct Answer:

worker1 $ vim /var/lib/kubelet/config.yaml

anonymous:
  enabled: true #Delete this
  enabled: false #Replace by this
authorization:
  mode: AlwaysAllow #Delete this
  mode: Webhook #Replace by this

worker1 $ systemctl restart kubelet # To reload kubelet config
ssh to master1
master1 $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --authorization-mode=Node,RBAC
master1 $ vim /etc/kubernetes/manifests/etcd.yaml
- --client-cert-auth=true

Explanation
ssh to worker1
worker1 $ vim /var/lib/kubelet/config.yaml

apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: true #Delete this
    enabled: false #Replace by this
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: AlwaysAllow #Delete this
  mode: Webhook #Replace by this
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

worker1 $ systemctl restart kubelet # To reload kubelet config
ssh to master1
master1 $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
master1 $ vim /etc/kubernetes/manifests/etcd.yaml
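
A way to confirm the edits above took, as an added example that is not part of the original page: a small offline audit that reads the kubelet config and the two static pod manifests and checks the same settings the task lists. The function names and the before/after sample files are constructed for this example; on a node, pass the real paths shown in the answer.

```shell
#!/usr/bin/env bash
# Added example. Files written by make_samples are constructed, not real cluster config.
# yaml_get FILE dotted.path -> scalar value (block-style, space-indented YAML only)
yaml_get() {
  awk -v path="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      depth = match($0, /[^ ]/) - 1
      line = $0; sub(/^ +/, "", line); sub(/[ \t]+#.*$/, "", line)
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      while (n > 0 && ind[n] >= depth) n--      # leave deeper and sibling scopes
      n++; ind[n] = depth; keys[n] = key
      p = keys[1]; for (i = 2; i <= n; i++) p = p "." keys[i]
      if (p == path) { print val; exit }
    }' "$1"
}
# flag_value MANIFEST FLAG -> value of "- --FLAG=value" in a static pod manifest
flag_value() { sed -n "s/^ *- --$2=\(.*\)$/\1/p" "$1" | head -n 1; }

kubelet_ok() {   # anonymous auth disabled and authorization mode Webhook
  [ "$(yaml_get "$1" authentication.anonymous.enabled)" = "false" ] &&
  [ "$(yaml_get "$1" authorization.mode)" = "Webhook" ]
}
apiserver_ok() { # no AlwaysAllow; Node and RBAC both present
  modes=",$(flag_value "$1" authorization-mode),"
  case "$modes" in *,AlwaysAllow,*) return 1 ;; esac
  case "$modes" in *,Node,*) ;; *) return 1 ;; esac
  case "$modes" in *,RBAC,*) ;; *) return 1 ;; esac
}
etcd_ok() { [ "$(flag_value "$1" client-cert-auth)" = "true" ]; }

make_samples() { # constructed before/after fragments written under directory $1
  fmt='authentication:\n  anonymous:\n    enabled: %s\nauthorization:\n  mode: %s\n'
  printf "$fmt" true AlwaysAllow > "$1/kubelet-before.yaml"
  printf "$fmt" false Webhook > "$1/kubelet-after.yaml"
  printf '    - --authorization-mode=%s\n' AlwaysAllow > "$1/apiserver-before.yaml"
  printf '    - --authorization-mode=%s\n' Node,RBAC > "$1/apiserver-after.yaml"
  printf '    - --client-cert-auth=%s\n' false > "$1/etcd-before.yaml"
  printf '    - --client-cert-auth=%s\n' true > "$1/etcd-after.yaml"
}

demo=$(mktemp -d); make_samples "$demo"
for f in before after; do
  for c in kubelet apiserver etcd; do
    "${c}_ok" "$demo/$c-$f.yaml" && echo "$f $c PASS" || echo "$f $c FAIL"
  done
done
```

yaml_get returns the first match, so a config where both the "Delete this" and "Replace by this" lines were left in place is still reported as failing.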

QUESTION NO: 18
Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.
Create a Pod of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.


Correct Answer:

QUESTION NO: 19
Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.
Create a Role named john-role to list secrets, pods in namespace john.
Finally, create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.
To verify: use the kubectl auth CLI command to verify the permissions.


Correct Answer:

Use kubectl to create a CSR and approve it.

Get the list of CSRs:
kubectl get csr
Approve the CSR:
kubectl certificate approve myuser
Get the certificate
Retrieve the certificate from the CSR:
kubectl get csr/myuser -o yaml
Here are the role and role-binding to give john permission to create NEW_CRD resource:
kubectl apply -f roleBindingJohn.yaml --as=john
rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: john_crd
  namespace: development-john
subjects:
- kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: crd-creation
  apiGroup: rbac.authorization.k8s.io  # required field in roleRef
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crd-creation
rules:
- apiGroups: ["kubernetes-client.io/v1"]
  resources: ["NEW_CRD"]
  verbs: ["create", "list", "get"]  # one list entry per verb

QUESTION NO: 20
Analyze and edit the given Dockerfile
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-install nginx -y
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER ROOT
Fixing two instructions present in the file being prominent security best practice issues
Analyze and edit the deployment manifest file
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      privileged: True
      allowPrivilegeEscalation: false
Fixing two fields present in the file being prominent security best practice issues
Don't add or remove configuration settings; only modify the existing configuration settings
Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487


Correct Answer:

FROM debian:latest
MAINTAINER [email protected]
# 1 - RUN
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
RUN apt-get clean
# 2 - CMD
#CMD ["htop"]
#CMD ["ls", "-l"]
# 3 - WORKDIR and ENV
WORKDIR /root
ENV DZ version1
$ docker image build -t bogodevops/demo .
Sending build context to Docker daemon 3.072kB
Step 1/7 : FROM debian:latest
---> be2868bebaba
Step 2/7 : MAINTAINER [email protected]
---> Using cache
---> e2eef476b3fd
Step 3/7 : RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
---> Using cache
---> 32fd044c1356
Step 4/7 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
---> Using cache
---> 0a5b514a209e
Step 5/7 : RUN apt-get clean
---> Using cache
---> 5d1578a47c17
Step 6/7 : WORKDIR /root
---> Using cache
---> 6b1c70e87675
Step 7/7 : ENV DZ version1
---> Using cache
---> cd195168c5c7
Successfully built cd195168c5c7
Successfully tagged bogodevops/demo:latest
