Linux Foundation CKS Exam - Topic 1 Question 46 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 46
Topic #: 1

[All CKS Questions]

Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

kubesec-test.yaml

apiVersion: v1

kind: Pod

metadata:

name: kubesec-demo

spec:

containers:

- name: kubesec-demo

image: gcr.io/google-samples/node-hello:1.0

securityContext:

readOnlyRootFilesystem: true

Hint:docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

AExplanation:
kubesec scan k8s-deployment.yaml
cat <<EOF > kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: kubesec-demo
spec:
containers:
- name: kubesec-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
readOnlyRootFilesystem: true
EOF
kubesec scan kubesec-test.yaml
docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
kubesec http 8080 &
[1] 12345
{'severity':'info','timestamp':'2019-05-12T11:58:34.662+0100','caller':'server/server.go:69','message':'Starting HTTP server on port 8080'}
curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan
[
{
'object': 'Pod/security-context-demo.default',
'valid': true,
'message': 'Failed with a score of -30 points',
'score': -30,
'scoring': {
'critical': [
{
'selector': 'containers[] .securityContext .capabilities .add == SYS_ADMIN',
'reason': 'CAP_SYS_ADMIN is the most privileged capability and should always be avoided'
},
{
'selector': 'containers[] .securityContext .runAsNonRoot == true',
'reason': 'Force the running image to run as a non-root user to ensure least privilege'
},
// ...

Show Suggested Answer

Suggested Answer: A

by Carey at Dec 25, 2023, 06:35 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Rolf

4 months ago

Nice, but I’m skeptical about the scoring system.

upvoted 0 times

...

Junita

4 months ago

I thought the default image was secure enough, guess not.

upvoted 0 times

...

Lacresha

4 months ago

Wait, why is CAP_SYS_ADMIN even in there? That's risky!

upvoted 0 times

...

Kimbery

4 months ago

Totally agree, readOnlyRootFilesystem is a must!

upvoted 0 times

...

Viva

5 months ago

Just ran the scan, got a score of 4!

upvoted 0 times

...

Felicitas

5 months ago

I definitely remember the importance of `readOnlyRootFilesystem`, but I hope I don't forget to check for other security settings like capabilities.

upvoted 0 times

...

Augustine

5 months ago

I feel a bit uncertain about the exact command to run the scan. I know it involves `docker run`, but I might mix up the syntax.

upvoted 0 times

...

Galen

5 months ago

I think we had a similar question about setting `runAsNonRoot` to improve security. I hope I can recall that detail.

upvoted 0 times

...

Reynalda

5 months ago

I remember we practiced using kubesec to scan YAML files, but I'm not sure if I set the security context correctly last time.

upvoted 0 times

...

Frank

5 months ago

This seems pretty straightforward. I'll give it a try and see if I can get the 4-point score.

upvoted 0 times

...

Candida

5 months ago

No problem, I've used kubesec before. I'll just follow the steps in the question and make the necessary updates to the YAML to pass the scan.

upvoted 0 times

...

Adela

5 months ago

Okay, I think I've got it. I'll scan the YAML, review the issues, and then update the manifest to address the advised changes. Hopefully, I can get a score of 4 points.

upvoted 0 times

...

Lorenza

5 months ago

Hmm, I'm a bit confused about the hint. Do I need to run the kubesec image in a specific way to get the scan results?

upvoted 0 times

...

Kizzy

5 months ago

This looks straightforward. I'll start by running the kubesec docker image to scan the YAML manifest and see what issues it identifies.

upvoted 0 times

...

Sherron

6 months ago

Hmm, I'm a bit unsure about this one. There are a few options that seem relevant, but I'm not totally confident I know the best approach. I'll need to think it through carefully and make sure I understand the key considerations for this type of role.

upvoted 0 times

...

Mertie

6 months ago

I remember a practice question where we discussed the necessity of attainments, which seems relevant here, too.

upvoted 0 times

...

Gary

6 months ago

Hmm, I'm a bit unsure about this one. I know there are different types of power, but I can't quite remember which one is based on the manager's position. I'll have to think this through carefully.

upvoted 0 times

...

Kenneth

10 months ago

Kubesec? More like Kube-awesome! This tool is going to make my life so much easier. Time to secure all the things!

upvoted 0 times

Gregoria

10 months ago

User 3: Can't wait to see the improvements in our security scores!

upvoted 0 times

...

Reid

10 months ago

User 2: Absolutely, it's going to help us secure our deployments better.

upvoted 0 times

...

Colby

10 months ago

User 1: Kubesec is a game-changer for sure!

upvoted 0 times

...

Royce

11 months ago

Wait, I need to run a container to scan the YAML file? That's a bit inconvenient. I hope there's an easier way to use this tool.

upvoted 0 times

Lashonda

9 months ago

Once you get the hang of it, it becomes a quick process.

upvoted 0 times

...

Paola

9 months ago

It may seem inconvenient, but it's an effective way to ensure security.

upvoted 0 times

...

Valentin

10 months ago

You just need to run the docker command with the specified image.

upvoted 0 times

...

Lavera

10 months ago

Yes, you can use the kubesec docker images to scan the YAML manifest.

upvoted 0 times

...

Shaquana

11 months ago

Hmm, I wonder if the kubesec tool can also scan my Docker images for security vulnerabilities. That would be a nice bonus.

upvoted 0 times

...

Sharen

11 months ago

Scanning the YAML manifest and applying the suggested changes seems straightforward. I'm confident I can get a score of 4 points.

upvoted 0 times

...

Francis

11 months ago

I passed with a score of 4 points after making the changes.

upvoted 0 times

...

Helga

11 months ago

I edited and applied the advised changes to the kubesec-test.yaml.

upvoted 0 times

...

Francis

11 months ago

I found the kubesec docker images to scan the YAML manifest.

upvoted 0 times

...

Johana

11 months ago

Yes, following the hints and making the necessary changes can help us pass with a good score.

upvoted 0 times

...

Selene

11 months ago

The kubesec tool looks really useful for scanning and improving my Kubernetes manifests. I'll definitely give it a try.

upvoted 0 times

Melissa

10 months ago

The kubesec tool is indeed helpful for enhancing Kubernetes manifest security.

upvoted 0 times

...

Evette

10 months ago

I passed with a score of 4 points after making the advised changes.

upvoted 0 times

...

Sharika

10 months ago

I edited the manifest based on the suggestions and rescanned it with kubesec.

upvoted 0 times

...

Francine

10 months ago

I used the kubesec tool to scan my YAML manifest and got some suggestions for improving security.

upvoted 0 times

...

Brock

11 months ago

I agree, it's important to edit and apply the advised changes to improve security.

upvoted 0 times

...

Johana

11 months ago

I found the kubesec docker images very helpful for scanning the YAML manifest.

upvoted 0 times

...