Linux Foundation Exam CKS Topic 1 Question 46 Discussion

Actual exam question for Linux Foundation's CKS exam

Question #: 46
Topic #: 1

[All CKS Questions]

Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

kubesec-test.yaml

apiVersion: v1

kind: Pod

metadata:

name: kubesec-demo

spec:

containers:

- name: kubesec-demo

image: gcr.io/google-samples/node-hello:1.0

securityContext:

readOnlyRootFilesystem: true

Hint:docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

AExplanation:
kubesec scan k8s-deployment.yaml
cat <<EOF > kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: kubesec-demo
spec:
containers:
- name: kubesec-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
readOnlyRootFilesystem: true
EOF
kubesec scan kubesec-test.yaml
docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
kubesec http 8080 &
[1] 12345
{'severity':'info','timestamp':'2019-05-12T11:58:34.662+0100','caller':'server/server.go:69','message':'Starting HTTP server on port 8080'}
curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan
[
{
'object': 'Pod/security-context-demo.default',
'valid': true,
'message': 'Failed with a score of -30 points',
'score': -30,
'scoring': {
'critical': [
{
'selector': 'containers[] .securityContext .capabilities .add == SYS_ADMIN',
'reason': 'CAP_SYS_ADMIN is the most privileged capability and should always be avoided'
},
{
'selector': 'containers[] .securityContext .runAsNonRoot == true',
'reason': 'Force the running image to run as a non-root user to ensure least privilege'
},
// ...

Show Suggested Answer

Suggested Answer: A

by Carey at Dec 25, 2023, 06:35 AM

Limited Time Offer

25%

21 days ago

I found the kubesec docker images very helpful for scanning the YAML manifest.

upvoted 0 times

...