Linux Foundation CKS Exam - Topic 1 Question 39 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 39
Topic #: 1

[All CKS Questions]

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context test-account Task:Enable audit logs in the cluster.

To do so, enable the log backend, and ensure that:

1. logs are stored at/var/log/Kubernetes/logs.txt

2. log files are retained for5days

3. at maximum, a number of10old audit log files are retained

A basic policy is provided at/etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log. Note: The base policy is located on the cluster's master node.

Edit and extend the basic policy to log: 1.Nodeschanges atRequestResponselevel 2. The request body ofpersistentvolumeschanges in the namespacefrontend 3.ConfigMapandSecretchanges in all namespaces at theMetadatalevel

Also, add a catch-all rule to log all other requests at theMetadatalevel Note:Don't forget to apply the modified policy.

AExplanation:
$vim /etc/kubernetes/log-policy/audit-policy.yaml
- level: RequestResponse
userGroups: ['system:nodes']
- level: Request
resources:
- group: '' # core API group
resources: ['persistentvolumes']
namespaces: ['frontend']
- level: Metadata
resources:
- group: ''
resources: ['configmaps', 'secrets']
- level: Metadata
$vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add these
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/logs.txt
- --audit-log-maxage=5
- --audit-log-maxbackup=10
Explanation
[desk@cli] $ssh master1
[master1@cli] $vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- 'RequestReceived'
rules:
# Don't log watch requests by the 'system:kube-proxy' on endpoints or services
- level: None
users: ['system:kube-proxy']
verbs: ['watch']
resources:
- group: '' # core API group
resources: ['endpoints', 'services']
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ['system:authenticated']
nonResourceURLs:
- '/api*' # Wildcard matching.
- '/version'
# Add your changes below
- level: RequestResponse
userGroups: ['system:nodes'] # Block for nodes
- level: Request
resources:
- group: '' # core API group
resources: ['persistentvolumes'] # Block for persistentvolumes
namespaces: ['frontend'] # Block for persistentvolumes of frontend ns
- level: Metadata
resources:
- group: '' # core API group
resources: ['configmaps', 'secrets'] # Block for configmaps & secrets
- level: Metadata # Block for everything else
[master1@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=10.0.0.5
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
- --audit-log-path=/var/log/kubernetes/logs.txt #Add this
- --audit-log-maxage=5 #Add this
- --audit-log-maxbackup=10 #Add this
...
output truncated
Note: log volume & policy volume is already mounted invim /etc/kubernetes/manifests/kube-apiserver.yamlso no need to mount it.

Reference:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

Show Suggested Answer

Suggested Answer: A

by Maryann at Jul 27, 2023, 02:46 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Casie

4 months ago

Good to see the audit logs being prioritized, finally!

upvoted 0 times

...

Catalina

4 months ago

Wait, are we really logging the request body for persistent volumes? Seems excessive.

upvoted 0 times

...

Lovetta

4 months ago

I think the catch-all rule is a smart move!

upvoted 0 times

...

Yuriko

5 months ago

Sounds straightforward, but why do we need to retain logs for only 5 days?

upvoted 0 times

...

Verdell

5 months ago

Just a reminder, don't forget to apply the modified policy!

upvoted 0 times

...

Kina

5 months ago

I’m a bit confused about the catch-all rule. Do we just add it at the end of the rules section in the policy file?

upvoted 0 times

...

Robt

5 months ago

I feel like we had a similar question in our last mock exam, but I can't recall if we had to specify the log retention settings like max age and backup.

upvoted 0 times

...

Alberta

5 months ago

I think the command to edit the audit policy was `vim /etc/kubernetes/log-policy/audit-policy.yaml`, right? I hope I got that part down.

upvoted 0 times

...

Shay

6 months ago

I remember we practiced enabling audit logs, but I’m not entirely sure about the exact syntax for the policy file.

upvoted 0 times

...

Alecia

6 months ago

Okay, let me think this through. We're creating a new Delta Live Tables pipeline, so we'll need to provide some basic information like the cloud storage location and the target database. I'm leaning towards C or D as the answer.

upvoted 0 times

...

Samira

6 months ago

I think the sales volume contribution variance reflects changes in sales and fixed costs, but I'm unsure how to apply it here.

upvoted 0 times

...

Ivan

6 months ago

Okay, let's see. I think the key is understanding how the loopback feature applies Group Policy differently. I'll need to review my notes on that.

upvoted 0 times

...

Quiana

6 months ago

This question seems straightforward - I think the answer is C, where users had trouble spelling the station name and the search wasn't error-tolerant. That would definitely impact satisfaction.

upvoted 0 times

...

Lashandra

6 months ago

Okay, I've got this. The key is the upsert option. If you set upsert to true, then the update command will create a new document if no matching document is found. I'm pretty confident that D is the correct answer.

upvoted 0 times

...

Izetta

6 months ago

Hmm, this looks like a tricky one. I'll need to carefully analyze the network topology and interface information to determine the alternate path.

upvoted 0 times

...

Adolph

10 months ago

The step-by-step instructions are easy to follow. I'm confident I can implement the required audit logging setup based on this question.

upvoted 0 times

Fredric

9 months ago

After that, I will update the kube-apiserver.yaml file with the necessary configurations.

upvoted 0 times

...

Annmarie

9 months ago

I think I will start by editing the audit policy file as mentioned.

upvoted 0 times

...

Enola

9 months ago

I agree, the instructions are clear and detailed.

upvoted 0 times

...

Corinne

10 months ago

The explanation for the kube-apiserver YAML file modifications is clear. I'm glad they included the reference to the official Kubernetes documentation for further information.

upvoted 0 times

Sina

9 months ago

User1: Agreed, having that reference is helpful for further information.

upvoted 0 times

...

Amie

9 months ago

User2: Yes, it's good they included the reference to the official Kubernetes documentation for more details.

upvoted 0 times

...

Timothy

9 months ago

User1: The explanation for the kube-apiserver YAML file modifications is clear.

upvoted 0 times

...

Pok

11 months ago

Looks like a comprehensive set of steps to enable audit logging in the Kubernetes cluster. The policy file configuration seems well-structured and covers the key requirements.

upvoted 0 times