
Linux Foundation CKS Exam - Topic 1 Question 10 Discussion

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context dev

Context:

A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed.

Task:

Fix all issues via configuration and restart the affected components to ensure the new settings take effect.

Fix all of the following violations that were found against the API server:

1.2.7 authorization-mode argument is not set to AlwaysAllow FAIL

1.2.8 authorization-mode argument includes Node FAIL

1.2.7 authorization-mode argument includes RBAC FAIL

Fix all of the following violations that were found against the Kubelet:

4.2.1 Ensure that the anonymous-auth argument is set to false FAIL

4.2.2 authorization-mode argument is not set to AlwaysAllow FAIL (Use Webhook authn/authz where possible)

Fix all of the following violations that were found against etcd:

2.2 Ensure that the client-cert-auth argument is set to true
A) Explanation:

ssh to worker1 and edit the kubelet configuration:

    worker1 $ vim /var/lib/kubelet/config.yaml

    apiVersion: kubelet.config.k8s.io/v1beta1
    authentication:
      anonymous:
        enabled: true   #Delete this
        enabled: false  #Replace by this
      webhook:
        cacheTTL: 0s
        enabled: true
      x509:
        clientCAFile: /etc/kubernetes/pki/ca.crt
    authorization:
      mode: AlwaysAllow  #Delete this
      mode: Webhook      #Replace by this
      webhook:
        cacheAuthorizedTTL: 0s
        cacheUnauthorizedTTL: 0s
    cgroupDriver: systemd
    clusterDNS:
    - 10.96.0.10
    clusterDomain: cluster.local
    cpuManagerReconcilePeriod: 0s
    evictionPressureTransitionPeriod: 0s
    fileCheckFrequency: 0s
    healthzBindAddress: 127.0.0.1
    healthzPort: 10248
    httpCheckFrequency: 0s
    imageMinimumGCAge: 0s
    kind: KubeletConfiguration
    logging: {}
    nodeStatusReportFrequency: 0s
    nodeStatusUpdateFrequency: 0s
    resolvConf: /run/systemd/resolve/resolv.conf
    rotateCertificates: true
    runtimeRequestTimeout: 0s
    staticPodPath: /etc/kubernetes/manifests
    streamingConnectionIdleTimeout: 0s
    syncFrequency: 0s
    volumeStatsAggPeriod: 0s

    worker1 $ systemctl restart kubelet   # To reload kubelet config

ssh to master1 and edit the API server and etcd manifests:

    master1 $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
    - --authorization-mode=Node,RBAC

    master1 $ vim /etc/kubernetes/manifests/etcd.yaml
    - --client-cert-auth=true
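A way to re-check the three findings after editing, as an added example that is not part of the original answer or of any CIS tool. The function names and the sample files are constructed for illustration, and the kubelet check assumes both values are set explicitly in the file.

```shell
#!/bin/sh
# Added example (not from the original page): re-check the CIS findings after editing.

# Print the value of "- --FLAG=value" from a static pod manifest ($1=file, $2=flag).
flag_value() {
  sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\(.*\)/\1/p" "$1" | tail -n 1
}

# API server: authorization-mode must list Node and RBAC and must not list AlwaysAllow.
check_apiserver() {
  modes=",$(flag_value "$1" authorization-mode),"
  case "$modes" in *,AlwaysAllow,*) return 1 ;; esac
  case "$modes" in *,Node,*) ;; *) return 1 ;; esac
  case "$modes" in *,RBAC,*) ;; *) return 1 ;; esac
}

# etcd: client-cert-auth must be true.
check_etcd() { [ "$(flag_value "$1" client-cert-auth)" = "true" ]; }

# Kubelet: authentication.anonymous.enabled must be false and authorization.mode
# must be present and not AlwaysAllow (this example requires explicit values).
check_kubelet() {
  awk '
    /^[^ #]/   { l1 = $1; l2 = "" }   # top-level key
    /^  [^ #]/ { l2 = $1 }            # second-level key
    l1 == "authentication:" && l2 == "anonymous:" && $1 == "enabled:" { anon = $2 }
    l1 == "authorization:" && $1 == "mode:" { mode = $2 }
    END { exit !(anon == "false" && mode != "" && mode != "AlwaysAllow") }
  ' "$1"
}

# Constructed sample files: the failing state from the question and the fixed state.
make_samples() {
  printf '%s\n' 'spec:' '  containers:' '  - command:' '    - kube-apiserver' \
    '    - --authorization-mode=AlwaysAllow' > "$1/apiserver-before.yaml"
  printf '%s\n' 'spec:' '  containers:' '  - command:' '    - kube-apiserver' \
    '    - --authorization-mode=Node,RBAC' > "$1/apiserver-after.yaml"
  printf '%s\n' '    - etcd' '    - --client-cert-auth=false' > "$1/etcd-before.yaml"
  printf '%s\n' '    - etcd' '    - --client-cert-auth=true' > "$1/etcd-after.yaml"
  printf '%s\n' 'authentication:' '  anonymous:' '    enabled: true' '  webhook:' \
    '    enabled: true' 'authorization:' '  mode: AlwaysAllow' > "$1/kubelet-before.yaml"
  printf '%s\n' 'authentication:' '  anonymous:' '    enabled: false' '  webhook:' \
    '    enabled: true' 'authorization:' '  mode: Webhook' > "$1/kubelet-after.yaml"
}
```

On a node, point the functions at the files named in the answer, for example check_kubelet /var/lib/kubelet/config.yaml on worker1 and check_apiserver /etc/kubernetes/manifests/kube-apiserver.yaml on master1.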

Actual exam question for Linux Foundation's CKS exam
Question #: 10
Topic #: 1
Suggested Answer: A

Contribute your Thoughts:

Glory
8 months ago
I thought client-cert-auth was optional, guess I was wrong!
upvoted 0 times
...
Miss
8 months ago
Just fixed the anonymous-auth setting, feels good!
upvoted 0 times
...
Anissa
8 months ago
Wait, are we really using Node in the authorization-mode? That seems risky.
upvoted 0 times
...
Mitsue
8 months ago
Totally agree, AlwaysAllow is a big no-no!
upvoted 0 times
...
Marguerita
8 months ago
The authorization-mode needs to be set correctly for security.
upvoted 0 times
...
Cristal
8 months ago
I feel like we had a similar question in our last mock exam about kubelet settings, but I can't remember if we had to restart the kubelet after making changes.
upvoted 0 times
...
Darnell
8 months ago
I definitely remember that we need to set client-cert-auth to true for etcd, but I hope I don't mix up the file paths again.
upvoted 0 times
...
Elfrieda
8 months ago
I think the authorization modes for the API server should be set correctly, but I can't recall if we need to include both Node and RBAC or just one of them.
upvoted 0 times
...
Lili
8 months ago
I remember we practiced changing the kubelet configuration, but I'm unsure about the exact syntax for disabling anonymous authentication.
upvoted 0 times
...
Tony
9 months ago
This seems like a straightforward question. I'd focus on user desirability, company viability, and deployment stability to assess the feasibility of the solution.
upvoted 0 times
...
Nidia
9 months ago
Hmm, I'm a bit unsure about this one. Matching rules can be tricky, so I'll need to review my notes to make sure I understand the different conditions.
upvoted 0 times
...
Milly
9 months ago
This question seems straightforward to me. The key is that a passive approach has been selected, so the next step should be to identify the performance measures. I'm going with A.
upvoted 0 times
...
Lisandra
9 months ago
I'm leaning towards B as well. The Ethereum protocol is the core requirement, and the JSON-RPC seems to be the standard way for clients to interact with the nodes. I feel good about this one.
upvoted 0 times
...