Valid CKS Exam Dumps are Your best Choice to Pass

1. CORRECT TEXT

Create a PSP that will prevent the creation ofprivileged pods in the namespace.

Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.

Create a new ServiceAccount named psp-sa in the namespace default.

Create a new ClusterRole namedprevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.

Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.

Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

2. pods with label version:v1 in any namespace.

Make sure to apply the network policy.

3. CORRECT TEXT

Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside thenamespace default.

Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and Verify that the pod is able to list pods.

Ensure that the Pod is running.

4. CORRECT TEXT

Cluster: scanner

Master node: controlplane

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context scanner

Given:

You may use Trivy's documentation.

Task:

Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.

Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.

Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.

5. Do not use/modify the created files in the following steps, create new temporary files if needed.

Create a new secret names newsecret in the safe namespace, with the following content:

Username: dbadmin

Password: moresecurepas

Finally, create a new Pod that has access to the secret newsecret via a volume:

✑ Namespace:safe

✑ Pod name:mysecret-pod

✑ Container name:db-container

✑ Image:redis

✑ Volume name:secret-vol

✑ Mount path:/etc/mysecret

6. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying the pod having the image tag as the latest.

7. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.

Note: Don't delete the existing RoleBinding.

8. CORRECT TEXT

Using the runtime detection tool Falco, Analyse the container behavior for at least 30 seconds, using filters that detect newly spawning and executing processes store the incident file art /opt/falco-incident.txt, containing the detected incidents. one per line, in the format

[timestamp],[uid],[user-name],[processName]

9. Edit the configuration to point to the provided HTTPS endpoint correctly

Finally, test if the configuration is working by trying to deploy the vulnerable resource /home/cert_masters/test-pod.yml

Note: You can find the container image scanner's log file at /var/log/policy/scanner.log

10. Does not allow access from Pods, not in namespace staging.

11. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.

12. CORRECT TEXT

Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.

Create a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.

Verify: Exec the pods and run the dmesg, you will see output like this:-

13. CORRECT TEXT

Create aRuntimeClass named gvisor-rc using the prepared runtime handler named runsc.

Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

14. CORRECT TEXT

Context:

Cluster: gvisor

Master node: master1

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context gvisor

Context: This cluster has been prepared to support runtime handler, runsc as well as traditional one.

Task:

Create a RuntimeClass named not-trusted using the prepared runtime handler names runsc.

Update all Pods in the namespace server to run on newruntime.

15. CORRECT TEXT

Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.

Create a Role name john-role to list secrets, pods in namespace john

Finally, Create a RoleBinding named john-role-binding to attach the newlycreated role john-role to the user john in the namespace john.

To Verify: Use the kubectl auth CLI command to verify the permissions.

16. CORRECT TEXT

On the Cluster worker node, enforce the prepared AppArmor profile

✑ #include

✑

✑

✑ profile docker-nginx flags=(attach_disconnected,mediate_deleted) {

✑ #include

✑

✑ network inet tcp,

✑ network inet udp,

✑ network inet icmp,

✑

✑ deny network raw,

✑

✑ deny network packet,

✑

✑ file,

✑ umount,

✑

✑ deny /bin/** wl,

✑ deny /boot/** wl,

✑ deny /dev/** wl,

✑ deny /etc/** wl,

✑ deny /home/** wl,

✑ deny /lib/** wl,

✑ deny /lib64/** wl,

✑ deny /media/** wl,

✑ deny /mnt/** wl,

✑ deny /opt/** wl,

✑ deny /proc/** wl,

✑ deny /root/** wl,

✑ deny /sbin/** wl,

✑ deny /srv/** wl,

✑ deny /tmp/** wl,

✑ deny /sys/** wl,

✑ deny /usr/** wl,

✑

✑ audit /** w,

✑

✑ /var/run/nginx.pid w,

✑

✑ /usr/sbin/nginx ix,

✑

✑ deny /bin/dash mrwklx,

✑ deny /bin/sh mrwklx,

✑ deny /usr/bin/top mrwklx,

✑

✑

✑ capability chown,

✑ capability dac_override,

✑ capability setuid,

✑ capability setgid,

✑ capability net_bind_service,

✑

✑ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)

✑ # deny write to files not in /proc//** or /proc/sys/**

✑ deny@{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,

✑ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)

✑ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/

✑ deny @{PROC}/sysrq-trigger rwklx,

✑ deny @{PROC}/mem rwklx,

✑ deny @{PROC}/kmem rwklx,

✑ deny @{PROC}/kcore rwklx,

✑

✑ deny mount,

✑

✑ deny /sys/[^f]*/** wklx,

✑ deny /sys/f[^s]*/** wklx,

✑ deny /sys/fs/[^c]*/** wklx,

✑ deny /sys/fs/c[^g]*/** wklx,

✑ deny /sys/fs/cg[^r]*/** wklx,

✑ deny /sys/firmware/** rwklx,

✑ deny /sys/kernel/security/** rwklx,

✑ }

Edit the prepared manifest file to include the AppArmor profile.

✑ apiVersion: v1

✑ kind: Pod

✑ metadata:

✑ name:apparmor-pod

✑ spec:

✑ containers:

✑ - name: apparmor-pod

✑ image: nginx

Finally, apply the manifests files and create the Pod specified on it.

Verify: Try to use command ping, top, sh

17. CORRECT TEXT

Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.