Linux Foundation Certified Kubernetes Security Specialist (CKS) - CKS 模擬練習
SIMULATION
Documentation Deployments, Pods, Falco
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000026
Context
A Pod is misbehaving and poses a security threat to the system.
Task
One of the Pods belonging to the application ollama is misbehaving. It is directly accessing the system's memory reading from the sensitive file /dev/mem.
First, identify the misbehaving Pod accessing /dev/mem.
The cluster uses the Docker Engine as its container runtime . If needed, use the docker command to troubleshoot running containers.
Next, identify the Deployment managing the misbehaving Pod and scale it to zero replicas.
Do not modify the Deployment except for scaling it down.
Do not modify any other Deployments .
Do not delete any Deployments.
Documentation Deployments, Pods, Falco
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000026
Context
A Pod is misbehaving and poses a security threat to the system.
Task
One of the Pods belonging to the application ollama is misbehaving. It is directly accessing the system's memory reading from the sensitive file /dev/mem.
First, identify the misbehaving Pod accessing /dev/mem.
The cluster uses the Docker Engine as its container runtime . If needed, use the docker command to troubleshoot running containers.
Next, identify the Deployment managing the misbehaving Pod and scale it to zero replicas.
Do not modify the Deployment except for scaling it down.
Do not modify any other Deployments .
Do not delete any Deployments.
正解:
See the Explanation below for complete solution
Explanation:
1) Connect to the correct host
ssh cks000026
sudo -i
2) Identify the misbehaving Pod accessing /dev/mem
This task hints Falco is available → use it first (fast + intended).
2.1 Check Falco logs for /dev/mem access
journalctl -u falco | grep dev/mem
If Falco runs as a pod instead of systemd:
kubectl -n falco logs -l app=falco | grep dev/mem
2.2 Identify the Pod name
From the Falco output, you will see something like:
Pod=ollama-xxxxx Namespace=default File=/dev/mem
Note the exact Pod name (example: ollama-7c9d6f7b6d-abcde)
3) (If Falco logs are unclear) Confirm using Docker runtime
Because the cluster uses Docker, verify which container is accessing /dev/mem.
3.1 List running containers
docker ps
3.2 Inspect suspicious container
(Find container related to ollama)
docker inspect <container_id> | grep ollama
You should confirm it maps to the same Pod you saw in Falco.
4) Identify the Deployment managing the misbehaving Pod
4.1 Get Pod details
kubectl get pod <MISBEHAVING_POD_NAME> -o wide
4.2 Find owning Deployment
kubectl get pod <MISBEHAVING_POD_NAME> -o jsonpath='{.metadata.ownerReference[0].name}' This will output something like:
ollama
That is the Deployment name
5) Scale ONLY that Deployment to zero replicas
Do not edit, delete, or touch anything else
kubectl scale deployment ollama --replicas=0
6) Verify the Pod is terminated
kubectl get pods | grep ollama
Expected: no running Pods
Also confirm replicas:
kubectl get deployment ollama
Replicas should show:
0/0
Explanation:
1) Connect to the correct host
ssh cks000026
sudo -i
2) Identify the misbehaving Pod accessing /dev/mem
This task hints Falco is available → use it first (fast + intended).
2.1 Check Falco logs for /dev/mem access
journalctl -u falco | grep dev/mem
If Falco runs as a pod instead of systemd:
kubectl -n falco logs -l app=falco | grep dev/mem
2.2 Identify the Pod name
From the Falco output, you will see something like:
Pod=ollama-xxxxx Namespace=default File=/dev/mem
Note the exact Pod name (example: ollama-7c9d6f7b6d-abcde)
3) (If Falco logs are unclear) Confirm using Docker runtime
Because the cluster uses Docker, verify which container is accessing /dev/mem.
3.1 List running containers
docker ps
3.2 Inspect suspicious container
(Find container related to ollama)
docker inspect <container_id> | grep ollama
You should confirm it maps to the same Pod you saw in Falco.
4) Identify the Deployment managing the misbehaving Pod
4.1 Get Pod details
kubectl get pod <MISBEHAVING_POD_NAME> -o wide
4.2 Find owning Deployment
kubectl get pod <MISBEHAVING_POD_NAME> -o jsonpath='{.metadata.ownerReference[0].name}' This will output something like:
ollama
That is the Deployment name
5) Scale ONLY that Deployment to zero replicas
Do not edit, delete, or touch anything else
kubectl scale deployment ollama --replicas=0
6) Verify the Pod is terminated
kubectl get pods | grep ollama
Expected: no running Pods
Also confirm replicas:
kubectl get deployment ollama
Replicas should show:
0/0
SIMULATION
Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.
Create a Role name john-role to list secrets, pods in namespace john
Finally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.
To Verify: Use the kubectl auth CLI command to verify the permissions.
Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.
Create a Role name john-role to list secrets, pods in namespace john
Finally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.
To Verify: Use the kubectl auth CLI command to verify the permissions.
正解:
See explanation below
Explanation:
se kubectl to create a CSR and approve it.
Get the list of CSRs:
kubectl get csr
Approve the CSR:
kubectl certificate approve myuser
Get the certificate
Retrieve the certificate from the CSR:
kubectl get csr/myuser -o yaml
here are the role and role-binding to give john permission to create NEW_CRD resource:
kubectl apply -f roleBindingJohn.yaml --as=john
rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata:
name: john_crd
namespace: development-john
subjects:
- kind: User
name: john
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: crd-creation
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: crd-creation
rules:
- apiGroups: ["kubernetes-client.io/v1"]
resources: ["NEW_CRD"]
verbs: ["create, list, get"]
Explanation:
se kubectl to create a CSR and approve it.
Get the list of CSRs:
kubectl get csr
Approve the CSR:
kubectl certificate approve myuser
Get the certificate
Retrieve the certificate from the CSR:
kubectl get csr/myuser -o yaml
here are the role and role-binding to give john permission to create NEW_CRD resource:
kubectl apply -f roleBindingJohn.yaml --as=john
rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata:
name: john_crd
namespace: development-john
subjects:
- kind: User
name: john
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: crd-creation
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: crd-creation
rules:
- apiGroups: ["kubernetes-client.io/v1"]
resources: ["NEW_CRD"]
verbs: ["create, list, get"]
SIMULATION
Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.
Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.
正解:
See the Explanation belowExplanation:
$ kubectl get ing -n <namespace-of-ingress-resource>
NAME HOSTS ADDRESS PORTS AGE
cafe-ingress cafe.com 10.0.2.15 80 25s
$ kubectl describe ing <ingress-resource-name> -n <namespace-of-ingress-resource> Name: cafe-ingress Namespace: default Address: 10.0.2.15 Default backend: default-http-backend:80 (172.17.0.5:8080) Rules:
Host Path Backends
---- ---- --------
cafe.com
/tea tea-svc:80 (<none>)
/coffee coffee-svc:80 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{},"name":"cafe-ingress","namespace":"default","selfLink":"/apis/networking/v1/namespaces/default/ingresses/cafe-ingress"},"spec":{"rules":[{"host":"cafe.com","http":{"paths":[{"backend":{"serviceName":"tea-svc","servicePort":80},"path":"/tea"},{"backend":{"serviceName":"coffee-svc","servicePort":80},"path":"/coffee"}]}}]},"status":{"loadBalancer":{"ingress":[{"ip":"169.48.142.110"}]}}} Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 1m ingress-nginx-controller Ingress default/cafe-ingress
Normal UPDATE 58s ingress-nginx-controller Ingress default/cafe-ingress
$ kubectl get pods -n <namespace-of-ingress-controller>
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-67956bf89d-fv58j 1/1 Running 0 1m
$ kubectl logs -n <namespace> ingress-nginx-controller-67956bf89d-fv58j
------------------------------------------------------------------------------- NGINX Ingress controller Release: 0.14.0 Build: git-734361d Repository: https://github.com/kubernetes/ingress-nginx
-------------------------------------------------------------------------------
....
$ kubectl get ing -n <namespace-of-ingress-resource>
NAME HOSTS ADDRESS PORTS AGE
cafe-ingress cafe.com 10.0.2.15 80 25s
$ kubectl describe ing <ingress-resource-name> -n <namespace-of-ingress-resource> Name: cafe-ingress Namespace: default Address: 10.0.2.15 Default backend: default-http-backend:80 (172.17.0.5:8080) Rules:
Host Path Backends
---- ---- --------
cafe.com
/tea tea-svc:80 (<none>)
/coffee coffee-svc:80 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{},"name":"cafe-ingress","namespace":"default","selfLink":"/apis/networking/v1/namespaces/default/ingresses/cafe-ingress"},"spec":{"rules":[{"host":"cafe.com","http":{"paths":[{"backend":{"serviceName":"tea-svc","servicePort":80},"path":"/tea"},{"backend":{"serviceName":"coffee-svc","servicePort":80},"path":"/coffee"}]}}]},"status":{"loadBalancer":{"ingress":[{"ip":"169.48.142.110"}]}}} Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 1m ingress-nginx-controller Ingress default/cafe-ingress
Normal UPDATE 58s ingress-nginx-controller Ingress default/cafe-ingress
$ kubectl get pods -n <namespace-of-ingress-controller>
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-67956bf89d-fv58j 1/1 Running 0 1m
$ kubectl logs -n <namespace> ingress-nginx-controller-67956bf89d-fv58j
------------------------------------------------------------------------------- NGINX Ingress controller Release: 0.14.0 Build: git-734361d Repository: https://github.com/kubernetes/ingress-nginx
-------------------------------------------------------------------------------
....
SIMULATION
Context
A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately.
Task
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
Fix all of the following violations that were found against the Kubelet:
Fix all of the following violations that were found against etcd:
Context
A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately.
Task
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
Fix all of the following violations that were found against the Kubelet:
Fix all of the following violations that were found against etcd:
正解:
See the Explanation below
Explanation:
Explanation:
SIMULATION
Context
A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task
Create a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.
Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.
Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.
Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp-restrict-sa.
Context
A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task
Create a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.
Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.
Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.
Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp-restrict-sa.
正解:
See the Explanation below
Explanation:
Explanation:
SIMULATION
Context
A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
Task
Given an existing Pod named web-pod running in the namespace security.
Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.
Create a new Role named role-2 in the namespace security, which only allows performing update operations, only on resources of type namespaces.
Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.
Context
A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
Task
Given an existing Pod named web-pod running in the namespace security.
Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.
Create a new Role named role-2 in the namespace security, which only allows performing update operations, only on resources of type namespaces.
Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.
正解:
SeetheExplanationbelowExplanation:
SIMULATION
Context
You must resolve issues that a CIS Benchmark tool found for the kubeadm provisioned cluster.
Task
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the kubelet:
The cluster uses the Docker Engine os its container runtime, If needed, use the docker command to troubleshaot running containers.
Ensure that the anonymous-auth argument is set to false FAIL
Ensure that the -authorization-mode argument is not set to FAIL
AlwaysAllow
Use Webhook authentication /authorization where possible.
Fix all of the following violations that were found against ettd :
Ensure that the -client cert auth argument is set to true FAIL
Context
You must resolve issues that a CIS Benchmark tool found for the kubeadm provisioned cluster.
Task
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the kubelet:
The cluster uses the Docker Engine os its container runtime, If needed, use the docker command to troubleshaot running containers.
Ensure that the anonymous-auth argument is set to false FAIL
Ensure that the -authorization-mode argument is not set to FAIL
AlwaysAllow
Use Webhook authentication /authorization where possible.
Fix all of the following violations that were found against ettd :
Ensure that the -client cert auth argument is set to true FAIL
正解:
See the Explanation below for complete solution
Explanation:
1) SSH to the right node
ssh cks000002
sudo -i
2) Fix kubelet CIS findings
2.1 Edit kubelet config (MAIN place in kubeadm clusters)
vi /var/lib/kubelet/config.yaml
A) Set anonymous-auth to false
Find (or add) this block exactly:
authentication:
anonymous:
enabled: false
B) Use Webhook authentication (recommended by task)
Ensure this exists under authentication:
webhook:
enabled: true
C) Use Webhook authorization and NOT AlwaysAllow
Find (or add) this block exactly:
authorization:
mode: Webhook
When done, your file should contain something like this (exact structure to aim for):
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
If x509: section isn't there, it's usually already present in kubeadm; don't panic. Only the task-required parts are: anonymous false + webhook enabled + authorization mode Webhook.
2.2 Restart kubelet (required for config.yaml changes)
systemctl daemon-reload
systemctl restart kubelet
systemctl status kubelet --no-pager
Quick confirm (optional but fast):
grep -nE "anonymous|webhook|authorization|mode" /var/lib/kubelet/config.yaml
3) Fix etcd CIS finding: --client-cert-auth=true
3.1 Edit etcd static pod manifest (kubeadm path)
vi /etc/kubernetes/manifests/etcd.yaml
Find the container command: args that look like:
- command:
- etcd
- --something=...
Ensure this line exists exactly in the list:
- --client-cert-auth=true
Also ensure this is present (usually already is, but add if missing):
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
Example snippet (what you want the args area to include):
- command:
- etcd
- --client-cert-auth=true
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
3.2 Apply etcd change (auto-restart happens)
Just save the file. Kubelet will restart etcd automatically.
Watch it restart (pick one depending on runtime):
If Docker runtime (your task mentions Docker):
docker ps | grep etcd
If you don't see it briefly, wait 2-5 seconds and rerun:
docker ps | grep etcd
(Alternative if available)
crictl ps | grep etcd
4) Final quick validation (fast exam check)
Kubelet config check
grep -n "enabled: false" -n /var/lib/kubelet/config.yaml | head
grep -n "webhook" /var/lib/kubelet/config.yaml
grep -n "authorization" /var/lib/kubelet/config.yaml
etcd arg check
grep -n "client-cert-auth" /etc/kubernetes/manifests/etcd.yaml
Explanation:
1) SSH to the right node
ssh cks000002
sudo -i
2) Fix kubelet CIS findings
2.1 Edit kubelet config (MAIN place in kubeadm clusters)
vi /var/lib/kubelet/config.yaml
A) Set anonymous-auth to false
Find (or add) this block exactly:
authentication:
anonymous:
enabled: false
B) Use Webhook authentication (recommended by task)
Ensure this exists under authentication:
webhook:
enabled: true
C) Use Webhook authorization and NOT AlwaysAllow
Find (or add) this block exactly:
authorization:
mode: Webhook
When done, your file should contain something like this (exact structure to aim for):
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
If x509: section isn't there, it's usually already present in kubeadm; don't panic. Only the task-required parts are: anonymous false + webhook enabled + authorization mode Webhook.
2.2 Restart kubelet (required for config.yaml changes)
systemctl daemon-reload
systemctl restart kubelet
systemctl status kubelet --no-pager
Quick confirm (optional but fast):
grep -nE "anonymous|webhook|authorization|mode" /var/lib/kubelet/config.yaml
3) Fix etcd CIS finding: --client-cert-auth=true
3.1 Edit etcd static pod manifest (kubeadm path)
vi /etc/kubernetes/manifests/etcd.yaml
Find the container command: args that look like:
- command:
- etcd
- --something=...
Ensure this line exists exactly in the list:
- --client-cert-auth=true
Also ensure this is present (usually already is, but add if missing):
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
Example snippet (what you want the args area to include):
- command:
- etcd
- --client-cert-auth=true
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
3.2 Apply etcd change (auto-restart happens)
Just save the file. Kubelet will restart etcd automatically.
Watch it restart (pick one depending on runtime):
If Docker runtime (your task mentions Docker):
docker ps | grep etcd
If you don't see it briefly, wait 2-5 seconds and rerun:
docker ps | grep etcd
(Alternative if available)
crictl ps | grep etcd
4) Final quick validation (fast exam check)
Kubelet config check
grep -n "enabled: false" -n /var/lib/kubelet/config.yaml | head
grep -n "webhook" /var/lib/kubelet/config.yaml
grep -n "authorization" /var/lib/kubelet/config.yaml
etcd arg check
grep -n "client-cert-auth" /etc/kubernetes/manifests/etcd.yaml