Linux Foundation Exam CKS Topic 1 Question 28 Discussion

Actual exam question for Linux Foundation's Certified Kubernetes Security Specialist exam

Question #: 28
Topic #: 1

[All Certified Kubernetes Security Specialist Questions]

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context test-account

Task:Enable audit logs in the cluster.

To do so, enable the log backend, and ensure that:

1. logs are stored at/var/log/Kubernetes/logs.txt

2. log files are retained for5days

3. at maximum, a number of10old audit log files are retained

A basic policy is provided at/etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.

Note: The base policy is located on the cluster's master node.

Edit and extend the basic policy to log:

1.Nodeschanges atRequestResponselevel

2. The request body ofpersistentvolumeschanges in the namespacefrontend

3.ConfigMapandSecretchanges in all namespaces at theMetadatalevel

Also, add a catch-all rule to log all other requests at theMetadatalevel

Note:Don't forget to apply the modified policy.

AExplanation:
$vim /etc/kubernetes/log-policy/audit-policy.yaml
- level: RequestResponse
userGroups: ['system:nodes']
- level: Request
resources:
- group: '' # core API group
resources: ['persistentvolumes']
namespaces: ['frontend']
- level: Metadata
resources:
- group: ''
resources: ['configmaps', 'secrets']
- level: Metadata
$vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add these
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/logs.txt
- --audit-log-maxage=5
- --audit-log-maxbackup=10
Explanation
[desk@cli] $ssh master1
[master1@cli] $vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- 'RequestReceived'
rules:
# Don't log watch requests by the 'system:kube-proxy' on endpoints or services
- level: None
users: ['system:kube-proxy']
verbs: ['watch']
resources:
- group: '' # core API group
resources: ['endpoints', 'services']
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ['system:authenticated']
nonResourceURLs:
- '/api*' # Wildcard matching.
- '/version'
# Add your changes below
- level: RequestResponse
userGroups: ['system:nodes'] # Block for nodes
- level: Request
resources:
- group: '' # core API group
resources: ['persistentvolumes'] # Block for persistentvolumes
namespaces: ['frontend'] # Block for persistentvolumes of frontend ns
- level: Metadata
resources:
- group: '' # core API group
resources: ['configmaps', 'secrets'] # Block for configmaps & secrets
- level: Metadata # Block for everything else
[master1@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=10.0.0.5
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
- --audit-log-path=/var/log/kubernetes/logs.txt #Add this
- --audit-log-maxage=5 #Add this
- --audit-log-maxbackup=10 #Add this
...
output truncated
Note: log volume & policy volume is already mounted invim /etc/kubernetes/manifests/kube-apiserver.yamlso no need to mount it.

Reference:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
Note: log volume & policy volume is already mounted invim /etc/kubernetes/manifests/kube-apiserver.yamlso no need to mount it.

Reference:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

Show Suggested Answer

Suggested Answer: A

by Weldon at Jul 30, 2022, 07:52 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!