Linux Foundation CKS Exam - Topic 3 Question 68 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 68
Topic #: 3

[All CKS Questions]

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against theAPI server:-

a. Ensure that the RotateKubeletServerCertificate argument is set to true.

b. Ensure that the admission control plugin PodSecurityPolicy is set.

c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

Fix all of the following violations that were found against theKubelet:-

a. Ensure the --anonymous-auth argument is set to false.

b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against theETCD:-

a. Ensure that the --auto-tls argument is not set to true

b. Ensure that the --peer-auto-tls argument is not set to true

Hint: Take the use of Tool Kube-Bench

AExplanation:
Fix all of the following violations that were found against theAPI server:-
a. Ensure that the RotateKubeletServerCertificate argument is set to true.
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kubelet
tier: control-plane
name: kubelet
namespace: kube-system
spec:
containers:
- command:
- kube-controller-manager
+ - --feature-gates=RotateKubeletServerCertificate=true
image: gcr.io/google_containers/kubelet-amd64:v1.6.0
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 15
timeoutSeconds: 15
name: kubelet
resources:
requests:
cpu: 250m
volumeMounts:
- mountPath: /etc/kubernetes/
name: k8s
readOnly: true
- mountPath: /etc/ssl/certs
name: certs
- mountPath: /etc/pki
name: pki
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes
name: k8s
- hostPath:
path: /etc/ssl/certs
name: certs
- hostPath:
path: /etc/pki
name: pki
b. Ensure that the admission control plugin PodSecurityPolicy is set.
audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
tests:
test_items:
- flag: '--enable-admission-plugins'
compare:
op: has
value: 'PodSecurityPolicy'
set: true
remediation: |
Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --enable-admission-plugins parameter to a
value that includes PodSecurityPolicy :
--enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server.
scored: true
c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
tests:
test_items:
- flag: '--kubelet-certificate-authority'
set: true
remediation: |
Follow the Kubernetes documentation and setup the TLS connection between the
apiserver and kubelets. Then, edit the API server pod specification file
$apiserverconf on the master node and set the --kubelet-certificate-authority
parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>
scored: true
Fix all of the following violations that were found against theETCD:-
a. Ensure that the --auto-tls argument is not set to true
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
b. Ensure that the --peer-auto-tls argument is not set to true
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false

Show Suggested Answer

Suggested Answer: A

by Alfred at Sep 19, 2024, 12:47 PM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Ona

4 months ago

I thought --anonymous-auth was okay to leave true?

upvoted 0 times

...

Tasia

4 months ago

PodSecurityPolicy is a must-have, no doubt!

upvoted 0 times

...

Jennie

4 months ago

Wait, are we sure about the --auto-tls settings? Seems risky.

upvoted 0 times

...

Amie

4 months ago

Agreed, that's crucial for security.

upvoted 0 times

...

Lai

5 months ago

Don't forget to set RotateKubeletServerCertificate to true!

upvoted 0 times

...

Eladia

5 months ago

I recall that for ETCD, we need to ensure --auto-tls is not true, but I’m not clear on how to edit the pod specification files.

upvoted 0 times

...

Glennis

5 months ago

For the Kubelet settings, I feel a bit uncertain about the --authorization-mode argument. Was it always supposed to be set to Webhook?

upvoted 0 times

...

Clement

5 months ago

I think we had a similar question about admission control plugins in our last mock exam. I need to double-check how to enable PodSecurityPolicy correctly.

upvoted 0 times

...

Shaun

5 months ago

I remember we practiced setting the RotateKubeletServerCertificate to true, but I'm not entirely sure where to find that in the configuration files.

upvoted 0 times

...

Derick

5 months ago

Whoa, this is a lot of stuff to fix. I'm a bit overwhelmed looking at all these different issues across the API server, kubelet, and etcd. I'll need to take it step-by-step and make sure I don't miss anything. Might be a good idea to use a tool like Kube-Bench to validate the changes too.

upvoted 0 times

...

France

5 months ago

Okay, this is a good opportunity to demonstrate my Kubernetes expertise. I've worked with these types of configuration tasks before, so I feel confident I can get this done efficiently. The key will be making sure I double-check all the settings before restarting the components.

upvoted 0 times

...

Laticia

5 months ago

Hmm, I'm a little unsure about this one. All these different components and configuration settings seem a bit complex. I'll need to review the Kubernetes documentation carefully to make sure I understand how to properly implement all these changes.

upvoted 0 times

...

Ethan

6 months ago

This looks like a pretty straightforward configuration issue. I think I can handle it - just need to make the changes to the API server, kubelet, and etcd configs as specified in the question.

upvoted 0 times

...

Cammy

6 months ago

I'm a bit unsure if we need to log into the applications right away in the preparation phase. It could be important, but I feel like it might not be necessary until later.

upvoted 0 times

...

Lore

1 year ago

Rotate the kubelet server cert? That's a new one to me. I wonder if there's a good reason why they're specifically calling that out.

upvoted 0 times

Jamal

1 year ago

I'll make sure to configure it properly and restart the components to apply the new settings.

upvoted 0 times

...

Ludivina

1 year ago

Yeah, it helps prevent unauthorized access and ensures a higher level of security.

upvoted 0 times

...

Delsie

1 year ago

It's important for security reasons to rotate the kubelet server certificate regularly.

upvoted 0 times

...

Salina

1 year ago

I bet the exam proctors are sitting back and laughing at us as we struggle to figure out the right combination of settings. Gotta love these Kubernetes security audits!

upvoted 0 times

Kimberely

1 year ago

Once we configure everything correctly, we can restart the components and ensure the new settings take effect.

upvoted 0 times

...

Arlen

1 year ago

Yeah, let's use the Kube-Bench tool to help us fix these violations.

upvoted 0 times

...

Lorenza

1 year ago

I think we just need to carefully follow the instructions and make sure we get everything right.

upvoted 0 times

...

Jina

1 year ago

I know, these security audits can be so tricky!

upvoted 0 times

...

Viola

1 year ago

Yes, and we should also ensure that the admission control plugin PodSecurityPolicy is set.

upvoted 0 times

...

Nakisha

1 year ago

I agree, setting RotateKubeletServerCertificate to true is crucial for security.

upvoted 0 times

...

Svetlana

2 years ago

Ah, the classic 'fix all the things' kind of question. At least they threw in a hint about using Kube-Bench - that should make our lives a bit easier.

upvoted 0 times

...

Florinda

2 years ago

Hold up, is that really all there is to it? What if there are dependencies between these settings? We better double-check the documentation to make sure we're not missing anything.

upvoted 0 times