U.S. Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Linux Foundation CKS Exam - Topic 1 Question 46 Discussion

Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.kubesec-test.yamlapiVersion: v1kind: Podmetadata:name: kubesec-demospec:containers:- name: kubesec-demoimage: gcr.io/google-samples/node-hello:1.0securityContext:readOnlyRootFilesystem: trueHint:docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
A) Explanation: kubesec scan k8s-deployment.yaml cat <<EOF > kubesec-test.yaml apiVersion: v1 kind: Pod metadata: name: kubesec-demo spec: containers: - name: kubesec-demo image: gcr.io/google-samples/node-hello:1.0 securityContext: readOnlyRootFilesystem: true EOF kubesec scan kubesec-test.yaml docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml kubesec http 8080 & [1] 12345 {'severity':'info','timestamp':'2019-05-12T11:58:34.662+0100','caller':'server/server.go:69','message':'Starting HTTP server on port 8080'} curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan [ { 'object': 'Pod/security-context-demo.default', 'valid': true, 'message': 'Failed with a score of -30 points', 'score': -30, 'scoring': { 'critical': [ { 'selector': 'containers[] .securityContext .capabilities .add == SYS_ADMIN', 'reason': 'CAP_SYS_ADMIN is the most privileged capability and should always be avoided' }, { 'selector': 'containers[] .securityContext .runAsNonRoot == true', 'reason': 'Force the running image to run as a non-root user to ensure least privilege' }, // ...

Linux Foundation CKS Exam - Topic 1 Question 46 Discussion

Actual exam question for Linux Foundation's CKS exam
Question #: 46
Topic #: 1
[All CKS Questions]

Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

kubesec-test.yaml

apiVersion: v1

kind: Pod

metadata:

name: kubesec-demo

spec:

containers:

- name: kubesec-demo

image: gcr.io/google-samples/node-hello:1.0

securityContext:

readOnlyRootFilesystem: true

Hint:docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

Show Suggested Answer Hide Answer
Suggested Answer: A

by Carey at Dec 25, 2023, 06:35 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Rolf
7 months ago
Nice, but I’m skeptical about the scoring system.
upvoted 0 times
...
Junita
7 months ago
I thought the default image was secure enough, guess not.
upvoted 0 times
...
Lacresha
7 months ago
Wait, why is CAP_SYS_ADMIN even in there? That's risky!
upvoted 0 times
...
Kimbery
7 months ago
Totally agree, readOnlyRootFilesystem is a must!
upvoted 0 times
...
Viva
8 months ago
Just ran the scan, got a score of 4!
upvoted 0 times
...
Felicitas
8 months ago
I definitely remember the importance of `readOnlyRootFilesystem`, but I hope I don't forget to check for other security settings like capabilities.
upvoted 0 times
...
Augustine
8 months ago
I feel a bit uncertain about the exact command to run the scan. I know it involves `docker run`, but I might mix up the syntax.
upvoted 0 times
...
Galen
8 months ago
I think we had a similar question about setting `runAsNonRoot` to improve security. I hope I can recall that detail.
upvoted 0 times
...
Reynalda
8 months ago
I remember we practiced using kubesec to scan YAML files, but I'm not sure if I set the security context correctly last time.
upvoted 0 times
...
Frank
8 months ago
This seems pretty straightforward. I'll give it a try and see if I can get the 4-point score.
upvoted 0 times
...
Candida
8 months ago
No problem, I've used kubesec before. I'll just follow the steps in the question and make the necessary updates to the YAML to pass the scan.
upvoted 0 times
...
Adela
8 months ago
Okay, I think I've got it. I'll scan the YAML, review the issues, and then update the manifest to address the advised changes. Hopefully, I can get a score of 4 points.
upvoted 0 times
...
Lorenza
8 months ago
Hmm, I'm a bit confused about the hint. Do I need to run the kubesec image in a specific way to get the scan results?
upvoted 0 times
...
Kizzy
8 months ago
This looks straightforward. I'll start by running the kubesec docker image to scan the YAML manifest and see what issues it identifies.
upvoted 0 times
...
Sherron
9 months ago
Hmm, I'm a bit unsure about this one. There are a few options that seem relevant, but I'm not totally confident I know the best approach. I'll need to think it through carefully and make sure I understand the key considerations for this type of role.
upvoted 0 times
...
Mertie
9 months ago
I remember a practice question where we discussed the necessity of attainments, which seems relevant here, too.
upvoted 0 times
...
Gary
9 months ago
Hmm, I'm a bit unsure about this one. I know there are different types of power, but I can't quite remember which one is based on the manager's position. I'll have to think this through carefully.
upvoted 0 times
...
Kenneth
1 year ago
Kubesec? More like Kube-awesome! This tool is going to make my life so much easier. Time to secure all the things!
upvoted 0 times
Gregoria
1 year ago
User 3: Can't wait to see the improvements in our security scores!
upvoted 0 times
...
Reid
1 year ago
User 2: Absolutely, it's going to help us secure our deployments better.
upvoted 0 times
...
Colby
1 year ago
User 1: Kubesec is a game-changer for sure!
upvoted 0 times
...
...
Royce
1 year ago
Wait, I need to run a container to scan the YAML file? That's a bit inconvenient. I hope there's an easier way to use this tool.
upvoted 0 times
Lashonda
1 year ago
Once you get the hang of it, it becomes a quick process.
upvoted 0 times
...
Paola
1 year ago
It may seem inconvenient, but it's an effective way to ensure security.
upvoted 0 times
...
Valentin
1 year ago
You just need to run the docker command with the specified image.
upvoted 0 times
...
Lavera
1 year ago
Yes, you can use the kubesec docker images to scan the YAML manifest.
upvoted 0 times
...
...
Shaquana
1 year ago
Hmm, I wonder if the kubesec tool can also scan my Docker images for security vulnerabilities. That would be a nice bonus.
upvoted 0 times
...
Sharen
1 year ago
Scanning the YAML manifest and applying the suggested changes seems straightforward. I'm confident I can get a score of 4 points.
upvoted 0 times
...
Francis
1 year ago
I passed with a score of 4 points after making the changes.
upvoted 0 times
...
Helga
1 year ago
I edited and applied the advised changes to the kubesec-test.yaml.
upvoted 0 times
...
Francis
1 year ago
I found the kubesec docker images to scan the YAML manifest.
upvoted 0 times
...
Johana
1 year ago
Yes, following the hints and making the necessary changes can help us pass with a good score.
upvoted 0 times
...
Selene
1 year ago
The kubesec tool looks really useful for scanning and improving my Kubernetes manifests. I'll definitely give it a try.
upvoted 0 times
Melissa
1 year ago
The kubesec tool is indeed helpful for enhancing Kubernetes manifest security.
upvoted 0 times
...
Evette
1 year ago
I passed with a score of 4 points after making the advised changes.
upvoted 0 times
...
Sharika
1 year ago
I edited the manifest based on the suggestions and rescanned it with kubesec.
upvoted 0 times
...
Francine
1 year ago
I used the kubesec tool to scan my YAML manifest and got some suggestions for improving security.
upvoted 0 times
...
...
Brock
1 year ago
I agree, it's important to edit and apply the advised changes to improve security.
upvoted 0 times
...
Johana
1 year ago
I found the kubesec docker images very helpful for scanning the YAML manifest.
upvoted 0 times
...

Save Cancel