You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
Context:
A CIS Benchmark tool was run against the kubeadm created cluster and found multiple issues that must be addressed.
Task:
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
1.2.7 authorization-mode argument is not set to AlwaysAllow FAIL
1.2.8 authorization-mode argument includes Node FAIL
1.2.7 authorization-mode argument includes RBAC FAIL
Fix all of the following violations that were found against the Kubelet:
4.2.1 Ensure that the anonymous-auth argument is set to false FAIL
4.2.2 authorization-mode argument is not set to AlwaysAllow FAIL (Use Webhook authn/authz where possible)
Fix all of the following violations that were found against etcd:
2.2 Ensure that the client-cert-auth argument is set to true FAIL
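The following is an added example, not part of the exam page: a small set of POSIX shell functions that remediate the three findings above on a kubeadm node. The file locations are kubeadm's defaults (/etc/kubernetes/manifests/kube-apiserver.yaml, /etc/kubernetes/manifests/etcd.yaml, /var/lib/kubelet/config.yaml); the function names and the parameterisation are this example's own, so that the edits can be tried on a copy of the files before touching the live node.

```shell
#!/bin/sh
# Added example, not taken from the exam page: remediate the three CIS findings
# above on a kubeadm node. Paths are kubeadm's defaults; they are parameters so
# the functions can first be tried against a constructed copy of the files.

# Replace an existing "- --flag=..." entry in a static Pod manifest's command
# list, or add one directly after the binary name ("- kube-apiserver", "- etcd").
# The "- --" anchor keeps --client-cert-auth from matching --peer-client-cert-auth.
set_manifest_flag() {
    manifest="$1"; binary="$2"; flag="$3"; value="$4"
    if grep -q -- "- --$flag=" "$manifest"; then
        sed "s#\(- \)--$flag=.*#\1--$flag=$value#" "$manifest" > "$manifest.tmp"
    else
        awk -v bin="$binary" -v line="    - --$flag=$value" \
            '{ print } $0 == "    - " bin { print line }' "$manifest" > "$manifest.tmp"
    fi
    mv "$manifest.tmp" "$manifest"
}

# Print the current value of a command-line flag in a manifest (empty if unset).
manifest_flag_value() {
    sed -n "s#^ *- --$2=\(.*\)#\1#p" "$1"
}

# The kubelet reads /var/lib/kubelet/config.yaml under kubeadm: turn off the
# anonymous user and make authorization go through the API server (Webhook).
harden_kubelet_config() {
    cfg="$1"
    sed -e '/^  anonymous:/{n;s/enabled: true/enabled: false/;}' \
        -e 's/^  mode: AlwaysAllow$/  mode: Webhook/' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Apply all three fixes with kubeadm's default paths. The kubelet restarts the
# kube-apiserver and etcd static Pods by itself once their manifests change;
# the kubelet service needs an explicit restart to pick up its new config.
remediate_node() {
    set_manifest_flag /etc/kubernetes/manifests/kube-apiserver.yaml kube-apiserver authorization-mode Node,RBAC
    set_manifest_flag /etc/kubernetes/manifests/etcd.yaml etcd client-cert-auth true
    harden_kubelet_config /var/lib/kubelet/config.yaml
    systemctl restart kubelet
}
```

After `remediate_node` runs, confirm the components came back before moving on: `kubectl get pods -n kube-system` should show kube-apiserver and etcd running again, and `manifest_flag_value /etc/kubernetes/manifests/kube-apiserver.yaml authorization-mode` should print `Node,RBAC`.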
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context prod-account
Context:
A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
Task:
Given an existing Pod named web-pod running in the namespace database.
1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.
2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statefulsets.
3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.
Note: Don't delete the existing RoleBinding.
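Added example, not part of the exam page: the manifests for the three steps above, generated by shell functions so they can be piped into kubectl, followed by the checks a grader would run. The namespace, ServiceAccount, Role and RoleBinding names come from the task; the name of the Role that is already bound to test-sa is not given on the page, so it is a parameter here (read it from `kubectl get rolebinding -n database -o wide`).

```shell
#!/bin/sh
# Added example, not from the exam page: the manifests and checks for the three
# RBAC steps above. Names (database, test-sa, test-role-2, test-role-2-bind)
# come from the task; the existing Role's name is an argument.

NS=database
SA=test-sa

# Step 1: the Role already bound to test-sa, reduced to "get" on Pods only.
# Writing the whole rules list (rather than editing one verb in place) is the
# surest way to be certain nothing broader survives.
minimal_pod_reader_role() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $1
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
EOF
}

# Step 2: a Role that may only update StatefulSets. They live in the "apps"
# API group; an empty apiGroups entry here would grant nothing useful.
statefulset_updater_role() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role-2
  namespace: $NS
rules:
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["update"]
EOF
}

# Step 3: bind the new Role to the Pod's ServiceAccount; the RoleBinding that
# already exists for the first Role is left as it is.
statefulset_updater_binding() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-role-2-bind
  namespace: $NS
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
roleRef:
  kind: Role
  name: test-role-2
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply everything, then verify from the ServiceAccount's point of view: the
# first two checks must print "yes", the last two "no".
apply_and_verify() {
    existing_role="$1"
    minimal_pod_reader_role "$existing_role" | kubectl apply -f -
    statefulset_updater_role | kubectl apply -f -
    statefulset_updater_binding | kubectl apply -f -
    as="system:serviceaccount:$NS:$SA"
    kubectl auth can-i get pods -n "$NS" --as="$as"
    kubectl auth can-i update statefulsets -n "$NS" --as="$as"
    kubectl auth can-i list pods -n "$NS" --as="$as"
    kubectl auth can-i delete statefulsets -n "$NS" --as="$as"
}
```

`kubectl auth can-i ... --as=system:serviceaccount:<ns>:<sa>` is the quickest way to prove the reduction actually took effect, because it evaluates the union of every binding the ServiceAccount still has, not just the objects you edited.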
Context:
Cluster: gvisor
Master node: master1
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context gvisor
Context: This cluster has been prepared to support the runtime handler runsc as well as the traditional one.
Task:
Create a RuntimeClass named not-trusted using the prepared runtime handler named runsc.
Update all Pods in the namespace server to run on the new runtime.
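Added example, not part of the exam page: the RuntimeClass manifest and a helper that moves every Pod in a namespace onto it. Because `runtimeClassName` cannot be changed on a running Pod, each Pod is exported, given the field, and re-created. The RuntimeClass name, handler and namespace come from the task; the helper functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the exam page: create the RuntimeClass and move every
# Pod in the "server" namespace onto it. runtimeClassName is immutable on a
# running Pod, so each Pod is re-created from its own manifest with the field
# inserted. Names come from the task; the helper functions are this example's.

# RuntimeClass "not-trusted" backed by the prepared handler "runsc" (gVisor).
runtime_class_manifest() {
    cat <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: not-trusted
handler: runsc
EOF
}

# Insert "runtimeClassName: <class>" as the first key under the top-level
# "spec:" of a Pod manifest read on stdin, or replace it if already present.
add_runtime_class() {
    class="$1"
    awk -v rc="  runtimeClassName: $class" '
        /^  runtimeClassName:/ { next }   # drop any existing value
        { print }
        /^spec:/ { print rc }             # add it right after spec:
    '
}

# Re-create every Pod in the namespace with the new runtime. For Pods owned by
# a Deployment or StatefulSet, patch the controller's Pod template instead so
# the change survives the next rollout.
move_pods_to_runtime() {
    ns="$1"; class="$2"
    for pod in $(kubectl get pods -n "$ns" -o name); do
        kubectl get "$pod" -n "$ns" -o yaml | add_runtime_class "$class" \
            | kubectl replace --force -f -
    done
}

# Usage on the exam cluster:
#   runtime_class_manifest | kubectl apply -f -
#   move_pods_to_runtime server not-trusted
#   kubectl get pods -n server -o custom-columns=NAME:.metadata.name,RUNTIME:.spec.runtimeClassName
```

A Pod that actually runs under gVisor reports a different kernel from the node, so `kubectl exec -n server <pod> -- uname -a` is a quick way to confirm the sandbox is in use rather than just declared.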
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
A default-deny NetworkPolicy avoids accidentally exposing a Pod in a namespace that doesn't have any other NetworkPolicy defined.
Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress.
The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.
Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.
You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml
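Added example, not part of the exam page: a generator for the default-deny policy plus a check that catches the common way this manifest goes wrong (a missing policy type, or a stray rule section that quietly allows traffic). The policy name and namespace come from the task; the functions are this example's own and do not use the skeleton file, which is not reproduced on the page.

```shell
#!/bin/sh
# Added example, not from the exam page: generate and sanity-check the
# default-deny NetworkPolicy for a namespace. Name (deny-network) and namespace
# (test) come from the task; the functions are this example's.

# An empty podSelector ({}) selects every Pod in the namespace. Listing both
# policyTypes while giving no ingress/egress rules means nothing is allowed in
# either direction. Omitting "Egress" from policyTypes would leave all egress
# open, which is the usual mistake with this manifest.
default_deny_policy() {
    name="$1"; ns="$2"
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: $name
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Check that a NetworkPolicy manifest on stdin really denies everything:
# empty podSelector, both policyTypes, and no ingress/egress rule sections.
is_default_deny() {
    m=$(cat)
    printf '%s\n' "$m" | grep -q '^  podSelector: {}$' &&
    printf '%s\n' "$m" | grep -q '^  - Ingress$' &&
    printf '%s\n' "$m" | grep -q '^  - Egress$' &&
    ! printf '%s\n' "$m" | grep -q -E '^  (ingress|egress):'
}

# Usage: default_deny_policy deny-network test | kubectl apply -f -
#        kubectl describe networkpolicy deny-network -n test
```

Remember that a NetworkPolicy is only enforced if the cluster's CNI plugin implements it; `kubectl describe networkpolicy` shows what was stored, not whether traffic is actually blocked, so a quick connectivity test from a Pod in the namespace is worth doing once the policy is applied.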
Cluster: scanner
Master node: controlplane
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context scanner
Given:
You may use Trivy's documentation.
Task:
Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.
Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.
Trivy is pre-installed on the cluster's master node. Use the cluster's master node to run Trivy.
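Added example, not part of the exam page: a scan loop that lists every image used by Pods in a namespace, runs Trivy once per distinct image, and prints the Pods to delete. The namespace comes from the task; the helper names and the SCANNER hook (which lets the selection logic be exercised without Trivy installed) are this example's own. The Trivy flags used, `--severity`, `--exit-code` and `--quiet`, are real options of `trivy image`.

```shell
#!/bin/sh
# Added example, not from the exam page: scan every image used by Pods in a
# namespace with Trivy and print the Pods whose images carry HIGH or CRITICAL
# findings. The namespace (nato) comes from the task; the helpers are this
# example's. SCANNER is a hook so the logic can be tested without Trivy.

# With --exit-code 1, trivy exits 1 when it finds a vulnerability of the
# requested severities and 0 otherwise, so the exit code alone decides.
trivy_image_clean() {
    trivy image --quiet --severity HIGH,CRITICAL --exit-code 1 "$1" > /dev/null
}
SCANNER=${SCANNER:-trivy_image_clean}

# One "<pod> <image> [<image>...]" line per Pod; multi-container Pods list
# every image, since any one vulnerable image condemns the whole Pod.
pod_images() {
    kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}'
}

# Read "<pod> <image>..." lines on stdin; print the names of Pods that use at
# least one image the scanner flags. Each distinct image is scanned only once.
find_vulnerable_pods() {
    scanned=""
    while read -r pod images; do
        for img in $images; do
            case " $scanned " in
                *" $img=bad "*) echo "$pod"; break ;;
                *" $img=ok "*) continue ;;
            esac
            if "$SCANNER" "$img"; then
                scanned="$scanned $img=ok"
            else
                scanned="$scanned $img=bad"
                echo "$pod"; break
            fi
        done
    done
}

# Usage on the master node (review the list before the xargs step):
#   pod_images nato | find_vulnerable_pods
#   pod_images nato | find_vulnerable_pods | xargs -r -n1 kubectl delete pod -n nato
```

Scanning each image once matters on a real namespace: several Pods usually share an image, and Trivy pulls and unpacks every layer it scans, so the cache in `find_vulnerable_pods` is the difference between one pull and one per Pod.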