U.S. Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Linux Foundation CKS Exam - Topic 6 Question 67 Discussion

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa
A) Explanation: Create psp to disallow privileged container apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: deny-access-role rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - ''deny-policy'' k create sa psp-denial-sa -n development apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: restrict-access-bing roleRef: kind: ClusterRole name: deny-access-role apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: psp-denial-sa namespace: development Explanation master1 $ vim psp.yaml apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: deny-policy spec: privileged: false # Don't allow privileged pods! seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - '*' master1 $ vim cr1.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: deny-access-role rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - ''deny-policy'' master1 $k create sa psp-denial-sa -n development master1 $ vim cb1.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: restrict-access-bing roleRef: kind: ClusterRole name: deny-access-role apiGroup: rbac.authorization.k8s.io subjects: # Authorize specific service accounts: - kind: ServiceAccount name: psp-denial-sa namespace: development master1 $k apply -f psp.yaml master1 $k apply -f cr1.yaml master1 $k apply -f cb1.yaml Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Linux Foundation CKS Exam - Topic 6 Question 67 Discussion

Actual exam question for Linux Foundation's CKS exam
Question #: 67
Topic #: 6
[All CKS Questions]

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

Show Suggested Answer Hide Answer
Suggested Answer: A

by Marvel at Sep 15, 2024, 04:08 PM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Jillian
7 months ago
I think the YAML has a typo in "restrict-access-bing" - should be "binding".
upvoted 0 times
...
Maryann
7 months ago
Nice, this is a solid way to restrict access!
upvoted 0 times
...
Rosita
7 months ago
Wait, are we really still using PSPs? I thought they were phased out!
upvoted 0 times
...
Alona
7 months ago
Totally agree, we should be using OPA/Gatekeeper instead.
upvoted 0 times
...
Jesusa
8 months ago
Just a reminder, PodSecurityPolicies are deprecated in newer Kubernetes versions!
upvoted 0 times
...
Ronald
8 months ago
I feel like I’ve seen a question like this before, but I’m a bit confused about how to reference the PodSecurityPolicy in the ClusterRole. Is it `resourceNames` or something else?
upvoted 0 times
...
Kris
8 months ago
I believe the command to create the ServiceAccount is `kubectl create sa`, but I might have to double-check the namespace part.
upvoted 0 times
...
Emilio
8 months ago
I practiced a similar question where we had to create a ClusterRoleBinding, but I keep mixing up the names for the role and the service account.
upvoted 0 times
...
Britt
8 months ago
I think I remember that the PodSecurityPolicy should have `privileged: false` to prevent privileged Pods, but I'm not sure about the exact syntax for the YAML file.
upvoted 0 times
...
Huey
8 months ago
This seems like a good opportunity to practice my YAML skills. I'll make sure to double-check my syntax and resource definitions before applying them.
upvoted 0 times
...
Lonny
8 months ago
Okay, I've got a plan. First, I'll create the PodSecurityPolicy to prevent privileged Pods. Then I'll create the ClusterRole to use that policy, and finally the ClusterRoleBinding to link the ServiceAccount to the ClusterRole.
upvoted 0 times
...
Andree
8 months ago
Hmm, I'm a bit confused about the ClusterRole and ClusterRoleBinding. Do I need to create them in a specific namespace or can I do it at the cluster level?
upvoted 0 times
...
Leah
9 months ago
This question looks straightforward, I think I can handle it. I'll need to create the PodSecurityPolicy, ClusterRole, and ClusterRoleBinding as specified.
upvoted 0 times
...
Shanice
9 months ago
The search peer handles indexing and search requests, right? That sounds like the component this question is asking about.
upvoted 0 times
...
Derick
2 years ago
This is a solid solution, but I'm wondering if there are any potential pitfalls or edge cases we should consider. It's always good to think about the what-ifs.
upvoted 0 times
Margart
2 years ago
User3: Agreed, we should think about any possible issues that may arise.
upvoted 0 times
...
Marica
2 years ago
User2: It's always good to consider the what-ifs.
upvoted 0 times
...
Vincenza
2 years ago
Have you thought about any potential pitfalls or edge cases with this solution?
upvoted 0 times
...
...
Lashawn
2 years ago
The example looks great, but I'm curious if there's a way to make the `PodSecurityPolicy` more flexible. Perhaps we could add some additional rules or constraints to handle different use cases.
upvoted 0 times
Vinnie
2 years ago
User3
upvoted 0 times
...
Camellia
2 years ago
User2
upvoted 0 times
...
Alpha
2 years ago
User1
upvoted 0 times
...
...
Jeannetta
2 years ago
Exactly, then we create a ServiceAccount and bind it to the ClusterRole.
upvoted 0 times
...
Verona
2 years ago
Yes, we need to create deny-policy and bind it to deny-access-role.
upvoted 0 times
...
Jeannetta
2 years ago
I think the question is about creating a PodSecurityPolicy to prevent privileged Pods.
upvoted 0 times
...
Lili
2 years ago
The solution seems comprehensive, but I'm wondering if there's a more concise way to achieve the same result. Maybe we can combine some of the YAML manifests into a single file.
upvoted 0 times
...
Francoise
2 years ago
Haha, I like how they're using `psp-denial-sa` as the service account name. It's like they're telling the Pods, 'No privileged access for you!'
upvoted 0 times
...
Dewitt
2 years ago
Looks good, but I'm not sure if the `resourceNames` field in the `ClusterRole` is necessary. I thought the `use` verb alone would be enough to bind the `PodSecurityPolicy` to the `ClusterRole`.
upvoted 0 times
Erinn
2 years ago
I see, thanks for clarifying that. It's always good to double-check the documentation to be sure.
upvoted 0 times
...
Ettie
2 years ago
The `resourceNames` field is used to specify which `PodSecurityPolicy` the `ClusterRole` should use.
upvoted 0 times
...
...

Save Cancel