Linux Foundation CKS Exam - Topic 1 Question 39 Discussion

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context test-account

Task: Enable audit logs in the cluster.

To do so, enable the log backend, and ensure that:

1. logs are stored at /var/log/Kubernetes/logs.txt
2. log files are retained for 5 days
3. at maximum, a number of 10 old audit log files are retained

A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.

Note: The base policy is located on the cluster's master node.

Edit and extend the basic policy to log:

1. Nodes changes at RequestResponse level
2. The request body of persistentvolumes changes in the namespace frontend
3. ConfigMap and Secret changes in all namespaces at the Metadata level

Also, add a catch-all rule to log all other requests at the Metadata level.

Note: Don't forget to apply the modified policy.
A) Explanation:

$ vim /etc/kubernetes/log-policy/audit-policy.yaml

```yaml
- level: RequestResponse
  userGroups: ['system:nodes']
- level: Request
  resources:
  - group: '' # core API group
    resources: ['persistentvolumes']
  namespaces: ['frontend']
- level: Metadata
  resources:
  - group: ''
    resources: ['configmaps', 'secrets']
- level: Metadata
```

$ vim /etc/kubernetes/manifests/kube-apiserver.yaml

Add these:

```yaml
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/logs.txt
- --audit-log-maxage=5
- --audit-log-maxbackup=10
```

Explanation

[desk@cli] $ ssh master1
[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml

```yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - 'RequestReceived'
rules:
  # Don't log watch requests by the 'system:kube-proxy' on endpoints or services
  - level: None
    users: ['system:kube-proxy']
    verbs: ['watch']
    resources:
    - group: '' # core API group
      resources: ['endpoints', 'services']
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ['system:authenticated']
    nonResourceURLs:
    - '/api*' # Wildcard matching.
    - '/version'
  # Add your changes below
  - level: RequestResponse
    userGroups: ['system:nodes'] # Block for nodes
  - level: Request
    resources:
    - group: '' # core API group
      resources: ['persistentvolumes'] # Block for persistentvolumes
    namespaces: ['frontend'] # Block for persistentvolumes of frontend ns
  - level: Metadata
    resources:
    - group: '' # core API group
      resources: ['configmaps', 'secrets'] # Block for configmaps & secrets
  - level: Metadata # Block for everything else
```

[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.5
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml # Add this
    - --audit-log-path=/var/log/kubernetes/logs.txt # Add this
    - --audit-log-maxage=5 # Add this
    - --audit-log-maxbackup=10 # Add this
```

... output truncated

Note: The log volume and policy volume are already mounted in /etc/kubernetes/manifests/kube-apiserver.yaml, so there is no need to mount them.

Reference: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
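An added example (not part of the original answer, and not Kubernetes source code): a simplified Python model of how an audit level is chosen from the policy above, where rules are checked in file order and the first match wins, which is why the catch-all rule goes last. The request dictionaries and the names `rule_matches` and `audit_level` are constructed for illustration.

```python
# Simplified first-match model (an assumption, not Kubernetes code); POLICY mirrors the rules above.
POLICY = [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "userGroups": ["system:authenticated"],
     "nonResourceURLs": ["/api*", "/version"]},
    {"level": "RequestResponse", "userGroups": ["system:nodes"]},
    {"level": "Request", "namespaces": ["frontend"],
     "resources": [{"group": "", "resources": ["persistentvolumes"]}]},
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["configmaps", "secrets"]}]},
    {"level": "Metadata"},  # catch-all: no selectors, so it matches everything
]

def url_matches(spec, path):
    return path == spec or (spec.endswith("*") and path.startswith(spec.rstrip("*")))

def rule_matches(rule, req):
    # Every selector present must match; an absent selector matches anything.
    for key, field in (("users", "user"), ("verbs", "verb")):
        if key in rule and req.get(field) not in rule[key]:
            return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(req.get("groups", ())):
        return False
    is_resource = "resource" in req
    if "namespaces" in rule or "resources" in rule:
        ns_ok = "namespaces" not in rule or req.get("namespace", "") in rule["namespaces"]
        res_ok = "resources" not in rule or any(
            req.get("group", "") == r["group"] and req.get("resource") in r["resources"]
            for r in rule["resources"])
        return is_resource and ns_ok and res_ok
    if "nonResourceURLs" in rule:
        return not is_resource and any(
            url_matches(s, req["path"]) for s in rule["nonResourceURLs"])
    return True

def audit_level(policy, req):
    # The first matching rule sets the level; with no match the event is not logged.
    for rule in policy:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"

# Constructed sample requests (not captured from a cluster).
AUTH = ["system:authenticated"]
KUBELET = {"user": "system:node:worker1", "groups": ["system:nodes"] + AUTH,
           "verb": "patch", "group": "", "resource": "nodes"}
SECRET = {"user": "alice", "groups": AUTH, "verb": "create",
          "group": "", "resource": "secrets", "namespace": "default"}
```

In this model `audit_level(POLICY, KUBELET)` is `RequestResponse` and `audit_level(POLICY, SECRET)` is `Metadata`; moving the catch-all to the top makes every request resolve to `Metadata`. A request from a user outside `system:nodes` against the `nodes` resource falls through to the catch-all, because the third rule selects on the caller's group.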


Actual exam question for Linux Foundation's CKS exam
Question #: 39
Topic #: 1
Suggested Answer: A

Contribute your Thoughts:

Casie
7 months ago
Good to see the audit logs being prioritized, finally!
upvoted 0 times
...
Catalina
7 months ago
Wait, are we really logging the request body for persistent volumes? Seems excessive.
upvoted 0 times
...
Lovetta
7 months ago
I think the catch-all rule is a smart move!
upvoted 0 times
...
Yuriko
8 months ago
Sounds straightforward, but why do we need to retain logs for only 5 days?
upvoted 0 times
...
Verdell
8 months ago
Just a reminder, don't forget to apply the modified policy!
upvoted 0 times
...
Kina
8 months ago
I’m a bit confused about the catch-all rule. Do we just add it at the end of the rules section in the policy file?
upvoted 0 times
...
Robt
8 months ago
I feel like we had a similar question in our last mock exam, but I can't recall if we had to specify the log retention settings like max age and backup.
upvoted 0 times
...
Alberta
8 months ago
I think the command to edit the audit policy was `vim /etc/kubernetes/log-policy/audit-policy.yaml`, right? I hope I got that part down.
upvoted 0 times
...
Shay
9 months ago
I remember we practiced enabling audit logs, but I’m not entirely sure about the exact syntax for the policy file.
upvoted 0 times
...
Alecia
9 months ago
Okay, let me think this through. We're creating a new Delta Live Tables pipeline, so we'll need to provide some basic information like the cloud storage location and the target database. I'm leaning towards C or D as the answer.
upvoted 0 times
...
Samira
9 months ago
I think the sales volume contribution variance reflects changes in sales and fixed costs, but I'm unsure how to apply it here.
upvoted 0 times
...
Ivan
9 months ago
Okay, let's see. I think the key is understanding how the loopback feature applies Group Policy differently. I'll need to review my notes on that.
upvoted 0 times
...
Quiana
9 months ago
This question seems straightforward - I think the answer is C, where users had trouble spelling the station name and the search wasn't error-tolerant. That would definitely impact satisfaction.
upvoted 0 times
...
Lashandra
9 months ago
Okay, I've got this. The key is the upsert option. If you set upsert to true, then the update command will create a new document if no matching document is found. I'm pretty confident that D is the correct answer.
upvoted 0 times
...
Izetta
9 months ago
Hmm, this looks like a tricky one. I'll need to carefully analyze the network topology and interface information to determine the alternate path.
upvoted 0 times
...
Adolph
1 year ago
The step-by-step instructions are easy to follow. I'm confident I can implement the required audit logging setup based on this question.
upvoted 0 times
Fredric
12 months ago
After that, I will update the kube-apiserver.yaml file with the necessary configurations.
upvoted 0 times
...
Annmarie
12 months ago
I think I will start by editing the audit policy file as mentioned.
upvoted 0 times
...
Enola
12 months ago
I agree, the instructions are clear and detailed.
upvoted 0 times
...
...
Corinne
1 year ago
The explanation for the kube-apiserver YAML file modifications is clear. I'm glad they included the reference to the official Kubernetes documentation for further information.
upvoted 0 times
Sina
1 year ago
User1: Agreed, having that reference is helpful for further information.
upvoted 0 times
...
Amie
1 year ago
User2: Yes, it's good they included the reference to the official Kubernetes documentation for more details.
upvoted 0 times
...
Timothy
1 year ago
User1: The explanation for the kube-apiserver YAML file modifications is clear.
upvoted 0 times
...
...
Pok
1 year ago
Looks like a comprehensive set of steps to enable audit logging in the Kubernetes cluster. The policy file configuration seems well-structured and covers the key requirements.
upvoted 0 times
Brandee
12 months ago
Don't forget to apply the modified policy after making changes.
upvoted 0 times
...
Rolland
12 months ago
I like that it includes specific rules for different types of changes and requests.
upvoted 0 times
...
Jess
1 year ago
Yes, it provides clear instructions on how to configure the audit policy file.
upvoted 0 times
...
Melissa
1 year ago
This guide is really helpful for setting up audit logs in Kubernetes.
upvoted 0 times
...
Eileen
1 year ago
Don't forget to apply the modified policy after making changes.
upvoted 0 times
...
Graham
1 year ago
I like that it includes specific rules for different types of changes and requests.
upvoted 0 times
...
Brock
1 year ago
Yes, it provides clear instructions on how to configure the audit policy file.
upvoted 0 times
...
Olen
1 year ago
This guide is really helpful for setting up audit logs in Kubernetes.
upvoted 0 times
...
...
Elouise
1 year ago
The provided explanation on how to edit the policy and apply it is very helpful.
upvoted 0 times
...
Kate
1 year ago
I think editing and extending the basic policy is crucial for proper logging.
upvoted 0 times
...
Elouise
1 year ago
I feel confident about enabling audit logs in the cluster.
upvoted 0 times
...
