Linux Foundation CKS Exam - Topic 3 Question 68 Discussion

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:

a. Ensure that the RotateKubeletServerCertificate argument is set to true.
b. Ensure that the admission control plugin PodSecurityPolicy is set.
c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

Fix all of the following violations that were found against the Kubelet:

a. Ensure the --anonymous-auth argument is set to false.
b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against the ETCD:

a. Ensure that the --auto-tls argument is not set to true.
b. Ensure that the --peer-auto-tls argument is not set to true.

Hint: Make use of the tool Kube-Bench.
A) Explanation:

Fix all of the following violations that were found against the API server:

a. Ensure that the RotateKubeletServerCertificate argument is set to true.

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        component: kubelet
        tier: control-plane
      name: kubelet
      namespace: kube-system
    spec:
      containers:
      - command:
        - kube-controller-manager
        # added line
        - --feature-gates=RotateKubeletServerCertificate=true
        image: gcr.io/google_containers/kubelet-amd64:v1.6.0
        livenessProbe:
          failureThreshold: 8
          httpGet:
            host: 127.0.0.1
            path: /healthz
            port: 6443
            scheme: HTTPS
          initialDelaySeconds: 15
          timeoutSeconds: 15
        name: kubelet
        resources:
          requests:
            cpu: 250m
        volumeMounts:
        - mountPath: /etc/kubernetes/
          name: k8s
          readOnly: true
        - mountPath: /etc/ssl/certs
          name: certs
        - mountPath: /etc/pki
          name: pki
      hostNetwork: true
      volumes:
      - hostPath:
          path: /etc/kubernetes
        name: k8s
      - hostPath:
          path: /etc/ssl/certs
        name: certs
      - hostPath:
          path: /etc/pki
        name: pki

b. Ensure that the admission control plugin PodSecurityPolicy is set.

    audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
    tests:
      test_items:
      - flag: '--enable-admission-plugins'
        compare:
          op: has
          value: 'PodSecurityPolicy'
        set: true
    remediation: |
      Follow the documentation and create Pod Security Policy objects as per your environment.
      Then, edit the API server pod specification file $apiserverconf
      on the master node and set the --enable-admission-plugins parameter to a
      value that includes PodSecurityPolicy :
      --enable-admission-plugins=...,PodSecurityPolicy,...
      Then restart the API Server.
    scored: true

c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

    audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
    tests:
      test_items:
      - flag: '--kubelet-certificate-authority'
        set: true
    remediation: |
      Follow the Kubernetes documentation and setup the TLS connection between the
      apiserver and kubelets. Then, edit the API server pod specification file
      $apiserverconf on the master node and set the --kubelet-certificate-authority
      parameter to the path to the cert file for the certificate authority.
      --kubelet-certificate-authority=<ca-string>
    scored: true

Fix all of the following violations that were found against the ETCD:

a. Ensure that the --auto-tls argument is not set to true.

Edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false.

    --auto-tls=false

b. Ensure that the --peer-auto-tls argument is not set to true.

Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false.

    --peer-auto-tls=false
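
An offline re-check of the flags named in the question, as an added example that is not part of the original answer or of kube-bench. The command lines are constructed samples, the function names are hypothetical, and the feature gate is looked for on the kube-controller-manager command line because that is where the answer's manifest puts it.

```shell
# Constructed sample command lines (as `ps -ef` would show them); not from a real cluster.
APISERVER='kube-apiserver --enable-admission-plugins=NodeRestriction --authorization-mode=Node,RBAC'
CONTROLLER='kube-controller-manager --feature-gates=RotateKubeletServerCertificate=true'
KUBELET='kubelet --anonymous-auth=true --authorization-mode=Webhook'
ETCD='etcd --auto-tls=true --peer-auto-tls=false'

# Print the value of "--flag=value"; status 1 if absent. Whole words are matched,
# so --auto-tls is never confused with --peer-auto-tls (a plain grep would be).
flag_value() {
  for fv_word in $1; do
    case "$fv_word" in "$2"=*) printf '%s\n' "${fv_word#"$2"=}"; return 0 ;; esac
  done
  return 1
}

# True if the comma-separated list $1 contains the item $2.
csv_has() {
  case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# FAIL unless flag $2 is present and its comma-separated value contains $3.
want_in() {
  if wi_val=$(flag_value "$1" "$2") && csv_has "$wi_val" "$3"; then return 0; fi
  echo "FAIL ${1%% *}: want $3 in $2"
}

# FAIL only when flag $2 is explicitly true (absent or false both pass).
want_not_true() {
  [ "$(flag_value "$1" "$2" || true)" = "true" ] || return 0
  echo "FAIL ${1%% *}: $2 must not be true"
}

# FAIL when flag $2 is missing or empty.
want_set() {
  [ -z "$(flag_value "$1" "$2" || true)" ] || return 0
  echo "FAIL ${1%% *}: $2 must be set"
}

# One line per violation, in the order the question lists them.
audit() {
  want_in "$CONTROLLER" --feature-gates RotateKubeletServerCertificate=true
  want_in "$APISERVER" --enable-admission-plugins PodSecurityPolicy
  want_set "$APISERVER" --kubelet-certificate-authority
  want_in "$KUBELET" --anonymous-auth false
  want_in "$KUBELET" --authorization-mode Webhook
  want_not_true "$ETCD" --auto-tls
  want_not_true "$ETCD" --peer-auto-tls
}
audit
```

On a real node the strings would come from `ps -ef`, as in the kube-bench audit commands quoted in the answer, and kubelet settings may live in the kubelet configuration file rather than on the command line. PodSecurityPolicy was removed in Kubernetes v1.25, so item b applies only to older clusters.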

Actual exam question for Linux Foundation's CKS exam
Question #: 68
Topic #: 3

Suggested Answer: A

Contribute your Thoughts:

Ona
7 months ago
I thought --anonymous-auth was okay to leave true?
upvoted 0 times
...
Tasia
7 months ago
PodSecurityPolicy is a must-have, no doubt!
upvoted 0 times
...
Jennie
7 months ago
Wait, are we sure about the --auto-tls settings? Seems risky.
upvoted 0 times
...
Amie
7 months ago
Agreed, that's crucial for security.
upvoted 0 times
...
Lai
8 months ago
Don't forget to set RotateKubeletServerCertificate to true!
upvoted 0 times
...
Eladia
8 months ago
I recall that for ETCD, we need to ensure --auto-tls is not true, but I’m not clear on how to edit the pod specification files.
upvoted 0 times
...
Glennis
8 months ago
For the Kubelet settings, I feel a bit uncertain about the --authorization-mode argument. Was it always supposed to be set to Webhook?
upvoted 0 times
...
Clement
8 months ago
I think we had a similar question about admission control plugins in our last mock exam. I need to double-check how to enable PodSecurityPolicy correctly.
upvoted 0 times
...
Shaun
8 months ago
I remember we practiced setting the RotateKubeletServerCertificate to true, but I'm not entirely sure where to find that in the configuration files.
upvoted 0 times
...
Derick
8 months ago
Whoa, this is a lot of stuff to fix. I'm a bit overwhelmed looking at all these different issues across the API server, kubelet, and etcd. I'll need to take it step-by-step and make sure I don't miss anything. Might be a good idea to use a tool like Kube-Bench to validate the changes too.
upvoted 0 times
...
France
8 months ago
Okay, this is a good opportunity to demonstrate my Kubernetes expertise. I've worked with these types of configuration tasks before, so I feel confident I can get this done efficiently. The key will be making sure I double-check all the settings before restarting the components.
upvoted 0 times
...
Laticia
8 months ago
Hmm, I'm a little unsure about this one. All these different components and configuration settings seem a bit complex. I'll need to review the Kubernetes documentation carefully to make sure I understand how to properly implement all these changes.
upvoted 0 times
...
Ethan
9 months ago
This looks like a pretty straightforward configuration issue. I think I can handle it - just need to make the changes to the API server, kubelet, and etcd configs as specified in the question.
upvoted 0 times
...
Cammy
9 months ago
I'm a bit unsure if we need to log into the applications right away in the preparation phase. It could be important, but I feel like it might not be necessary until later.
upvoted 0 times
...
Lore
2 years ago
Rotate the kubelet server cert? That's a new one to me. I wonder if there's a good reason why they're specifically calling that out.
upvoted 0 times
Jamal
2 years ago
I'll make sure to configure it properly and restart the components to apply the new settings.
upvoted 0 times
...
Ludivina
2 years ago
Yeah, it helps prevent unauthorized access and ensures a higher level of security.
upvoted 0 times
...
Delsie
2 years ago
It's important for security reasons to rotate the kubelet server certificate regularly.
upvoted 0 times
...
...
Salina
2 years ago
I bet the exam proctors are sitting back and laughing at us as we struggle to figure out the right combination of settings. Gotta love these Kubernetes security audits!
upvoted 0 times
Kimberely
2 years ago
Once we configure everything correctly, we can restart the components and ensure the new settings take effect.
upvoted 0 times
...
Arlen
2 years ago
Yeah, let's use the Kube-Bench tool to help us fix these violations.
upvoted 0 times
...
Lorenza
2 years ago
I think we just need to carefully follow the instructions and make sure we get everything right.
upvoted 0 times
...
Jina
2 years ago
I know, these security audits can be so tricky!
upvoted 0 times
...
...
Viola
2 years ago
Yes, and we should also ensure that the admission control plugin PodSecurityPolicy is set.
upvoted 0 times
...
Nakisha
2 years ago
I agree, setting RotateKubeletServerCertificate to true is crucial for security.
upvoted 0 times
...
Svetlana
2 years ago
Ah, the classic 'fix all the things' kind of question. At least they threw in a hint about using Kube-Bench - that should make our lives a bit easier.
upvoted 0 times
...
Florinda
2 years ago
Hold up, is that really all there is to it? What if there are dependencies between these settings? We better double-check the documentation to make sure we're not missing anything.
upvoted 0 times
Torie
2 years ago
Let's review the documentation carefully before making any changes.
upvoted 0 times
...
Mari
2 years ago
I agree, it's always best to be thorough when making configuration changes.
upvoted 0 times
...
Cordelia
2 years ago
Good point, we don't want to overlook anything important.
upvoted 0 times
...
Blythe
2 years ago
We should definitely double-check the documentation to make sure we're not missing any dependencies.
upvoted 0 times
...
...
Leota
2 years ago
I think we need to fix the violations against the API server first.
upvoted 0 times
...
Fannie
2 years ago
Hmm, the solution looks pretty straightforward. Just need to configure the right arguments on the API server, kubelet, and etcd components.
upvoted 0 times
Shawnta
2 years ago
Yes, we just need to make sure we set the correct arguments and restart the components.
upvoted 0 times
...
Allene
2 years ago
I agree, it seems like a simple fix. Just follow the instructions provided.
upvoted 0 times
...
...
