CKS Sample Questions Answers

Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that

• 1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.
• 2. Log files are retained for 5 days.
• 3. at maximum, a number of 10 old audit logs files are retained.

Edit and extend the basic policy to log:

• 1. Cronjobs changes at RequestResponse
• 2. Log the request body of deployments changes in the namespace kube-system.
• 3. Log all other resources in core and extensions at the Request level.
• 4. Don't log watch requests by the "system:kube-proxy" on endpoints or

Cluster: qa-cluster

Master node: master Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context qa-cluster

Task:

Create a NetworkPolicy named restricted-policy to restrict access to Pod product running in namespace dev.

Only allow the following Pods to connect to Pod products-service:

1. Pods in the namespace qa

2. Pods with label environment: stage, in any namespace

Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.

Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

A container image scanner is set up on the cluster.

Given an incomplete configuration in the directory

/etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy

1. Enable the admission plugin.

2. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying the pod having the image tag as latest.