Linux Foundation CKS Exam - Topic 1 Question 32 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 32
Topic #: 1

[All CKS Questions]

Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that

1. logs are stored at /var/log/kubernetes-logs.txt.

2. Log files are retained for 12 days.

3. at maximum, a number of 8 old audit logs files are retained.

4. set the maximum size before getting rotated to 200MB

Edit and extend the basic policy to log:

1. namespaces changes at RequestResponse

2. Log the request body of secrets changes in the namespace kube-system.

3. Log all other resources in core and extensions at the Request level.

4. Log "pods/portforward", "services/proxy" at Metadata level.

5. Omit the Stage RequestReceived

All other requests at the Metadata level

AExplanation:
Kubernetes auditing provides a security-relevant chronological set of records about a cluster. Kube-apiserver performs auditing. Each request on each stage of its execution generates an event, which is then pre-processed according to a certain policy and written to a backend. The policy determines what's recorded and the backends persist the records.
You might want to configure the audit log as part of compliance with the CIS (Center for Internet Security) Kubernetes Benchmark controls.
The audit log can be enabled by default using the following configuration incluster.yml:
services:
kube-api:
audit_log:
enabled: true
When the audit log is enabled, you should be able to see the default values at/etc/kubernetes/audit-policy.yaml
The log backend writes audit events to a file inJSONlinesformat. You can configure the log audit backend using the followingkube-apiserverflags:
--audit-log-pathspecifies the log file path that log backend uses to write audit events. Not specifying this flag disables log backend.-means standard out
--audit-log-maxagedefined the maximum number of days to retain old audit log files
--audit-log-maxbackupdefines the maximum number of audit log files to retain
--audit-log-maxsizedefines the maximum size in megabytes of the audit log file before it gets rotated
If your cluster's control plane runs the kube-apiserver as a Pod, remember to mount thehostPathto the location of the policy file and log file, so that audit records are persisted. For example:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml \
--audit-log-path=/var/log/audit.log

Show Suggested Answer

Suggested Answer: A

by Hoa at Feb 03, 2023, 08:11 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Lura

4 months ago

I thought logs were kept indefinitely? This is new to me!

upvoted 0 times

...

Kip

5 months ago

200MB max size? That’s a bit small for busy clusters.

upvoted 0 times

...

Van

5 months ago

Wait, we have to keep logs for 12 days? Seems excessive.

upvoted 0 times

...

Skye

5 months ago

Totally agree, especially for compliance.

upvoted 0 times

...

Wilda

5 months ago

Audit logs are super important for security!

upvoted 0 times

...

Willow

5 months ago

I recall that we need to omit the Stage RequestReceived, but I can't remember if we have to include all other requests at the Metadata level or just specific ones.

upvoted 0 times

...

Naomi

5 months ago

I’m a bit confused about the policy editing part. Do we need to specify the log level for each resource type in the YAML file?

upvoted 0 times

...

Bettina

5 months ago

I think we did a similar question where we had to set the log path and retention period. The path was definitely something like /var/log/kubernetes-logs.txt, right?

upvoted 0 times

...

Sherrell

5 months ago

I remember we practiced enabling audit logs, but I'm not entirely sure about the exact flags for retention settings.

upvoted 0 times

...

Alline

6 months ago

Okay, I think I've got this. The scenario is all about supporting the business through the architecture, so principles like "Maximize Benefit to the Enterprise" and "Responsive Change Management" are crucial. The other principles in option A also seem well-aligned. I'm feeling pretty confident about that being the best answer.

upvoted 0 times

...

Luis

6 months ago

This seems like a straightforward question about Microsoft 365 Analytics features. I think the key is to focus on the requirements - scheduling time for priority work and silencing chats in Teams.

upvoted 0 times

...

Elenor

6 months ago

I'm pretty confident I know the answer to this one. The CAPWAP heartbeat detection interval is set to 20 seconds before the active/standby switchover occurs.

upvoted 0 times

...

Merlyn

6 months ago

I remember learning about the CANVAS element in my web development class. I believe the valid events are mouseup, mousemove, and click. I'm fairly confident in those choices.

upvoted 0 times

...

Rebecka

11 months ago

Configuring audit logs is no easy task, but these instructions make it straightforward. I'm glad they included the example for running kube-apiserver as a Pod.

upvoted 0 times

Sabine

9 months ago

I agree, having the example for running kube-apiserver as a Pod is really helpful in understanding the process.

upvoted 0 times

...

Francine

10 months ago

Yes, configuring audit logs can be complex, but having clear instructions definitely helps.

upvoted 0 times

...

Helga

10 months ago

Thanks for the detailed explanation. I appreciate the example provided for running kube-apiserver as a Pod.

upvoted 0 times

...

Ilene

11 months ago

This is a well-thought-out question. The details around the CIS Kubernetes Benchmark and the ability to configure the audit log backend are a nice touch.

upvoted 0 times

Delsie

9 months ago

Don't forget to edit and extend the basic policy to log specific changes.

upvoted 0 times

...

Alba

9 months ago

We also need to set the maximum size before rotation to 200MB.

upvoted 0 times

...

Arlen

9 months ago

Yes, we should enable the log backend and make sure the logs are stored at /var/log/kubernetes-logs.txt.

upvoted 0 times

...

Hyman

9 months ago

I think we need to enable audit logs in the cluster.

upvoted 0 times

...

Jacqueline

9 months ago

And don't forget to set the maximum size before rotation to 200MB.

upvoted 0 times

...

Phung

10 months ago

We need to make sure the log files are stored at /var/log/kubernetes-logs.txt.

upvoted 0 times

...

Malinda

10 months ago

Yes, it helps track all the requests and events happening in the cluster.

upvoted 0 times

...

Nikita

11 months ago

I think enabling audit logs in the cluster is crucial for security.

upvoted 0 times

...

Laticia

11 months ago

Haha, imagine if the audit logs were stored in /dev/null by mistake. The admins would be scratching their heads trying to find the logs!

upvoted 0 times

Arlene

10 months ago

Yeah, storing audit logs in /dev/null would definitely cause some confusion.

upvoted 0 times

...

Mica

11 months ago

That would be a nightmare! They would be searching for logs that don't exist.

upvoted 0 times

...

Mauricio

11 months ago

The policy configuration looks comprehensive, covering changes to namespaces, secrets, and other resources. I like how it includes logging at different stages like RequestResponse and Metadata.

upvoted 0 times

...

Steffanie

11 months ago

I agree, it's crucial to have a detailed audit trail for compliance purposes.

upvoted 0 times

...

Talia

11 months ago

Yes, it helps track all the requests and changes made in the cluster.

upvoted 0 times

...

Jesus

11 months ago

Enabling audit logs in the cluster is crucial for security and compliance. The instructions provided cover the key aspects well, like log file path, retention period, and rotation settings.

upvoted 0 times