Analyze and edit the given Dockerfile

    FROM ubuntu:latest
    RUN apt-get update -y
    RUN apt-install nginx -y
    COPY entrypoint.sh /
    ENTRYPOINT ["/entrypoint.sh"]
    USER ROOT

Fix two instructions present in the file that are prominent security best practice issues.

Analyze and edit the deployment manifest file

    apiVersion: v1
    kind: Pod
    metadata:
      name: security-context-demo-2
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - name: sec-ctx-demo-2
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          runAsUser: 0
          privileged: True
          allowPrivilegeEscalation: false

Fix two fields present in the file that are prominent security best practice issues.

Don't add or remove configuration settings; only modify the existing configuration settings.

Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id
Answer(s): A
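As an added example that is not part of the exam page, the two fixes for each file written out as a POSIX shell script that generates the hardened Dockerfile and Pod manifest. It assumes test-user has uid 1000 (the uid is cut off in the question, so 1000 is a placeholder) and that entrypoint.sh is present in the build context.

```shell
#!/bin/sh
# Added example: writes the hardened Dockerfile and Pod manifest from the
# question to a directory. Assumptions: the unprivileged user is test-user with
# uid 1000 (placeholder; the question's uid is cut off), and entrypoint.sh is
# present in the build context.
set -eu

# Dockerfile: the two security fixes are (1) pin the base image instead of
# ubuntu:latest, so builds are reproducible and scan results stay meaningful,
# and (2) drop root with USER test-user instead of USER ROOT. The broken
# "apt-install" is also corrected to "apt-get install" so the build runs, and
# the install RUN creates test-user because the base image has no such user.
write_dockerfile() {
  cat > "$1" <<'EOF'
FROM ubuntu:22.04
RUN apt-get update -y
RUN apt-get install -y nginx && useradd --uid 1000 --system --shell /usr/sbin/nologin test-user
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER test-user
EOF
}

# Pod manifest: the two security fixes are (1) runAsUser: 0 -> 1000 on the
# container, which otherwise overrides the pod-level runAsUser: 1000 and runs
# the process as root, and (2) privileged: True -> false, since a privileged
# container gets every capability and full device access on the node.
# allowPrivilegeEscalation: false is already correct and stays as it is.
write_pod_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 1000
      privileged: false
      allowPrivilegeEscalation: false
EOF
}

# Self-check: neither file may still contain the insecure values.
check_hardened() {
  ! grep -q 'USER ROOT' "$1/Dockerfile" || return 1
  ! grep -q ':latest' "$1/Dockerfile" || return 1
  ! grep -q 'runAsUser: 0' "$1/pod.yaml" || return 1
  ! grep -qi 'privileged: true' "$1/pod.yaml" || return 1
}

# Usage: write_all ./hardened && docker build -t demo ./hardened \
#        && kubectl apply -f ./hardened/pod.yaml
write_all() {
  mkdir -p "$1"
  write_dockerfile "$1/Dockerfile"
  write_pod_manifest "$1/pod.yaml"
  check_hardened "$1"
}
```

The useradd call is the one place the script goes beyond "only modify existing settings": a pinned ubuntu image ships no test-user, so USER test-user would fail at container start without it. Leave it out if the exam environment already provides the user.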
    FROM debian:latest
    MAINTAINER k@bogotobogo.com

    # 1 - RUN
    RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
    RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
    RUN apt-get clean

    # 2 - CMD
    #CMD ["htop"]
    #CMD ["ls", "-l"]

    # 3 - WORKDIR and ENV
    WORKDIR /root
    ENV DZ version1

    $ docker image build -t bogodevops/demo .
    Sending build context to Docker daemon 3.072kB
    Step 1/7 : FROM debian:latest
     ---> be2868bebaba
    Step 2/7 : MAINTAINER k@bogotobogo.com
     ---> Using cache
     ---> e2eef476b3fd
    Step 3/7 : RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
     ---> Using cache
     ---> 32fd044c1356
    Step 4/7 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
     ---> Using cache
     ---> 0a5b514a209e
    Step 5/7 : RUN apt-get clean
     ---> Using cache
     ---> 5d1578a47c17
    Step 6/7 : WORKDIR /root
     ---> Using cache
     ---> 6b1c70e87675
    Step 7/7 : ENV DZ version1
     ---> Using cache
     ---> cd195168c5c7
    Successfully built cd195168c5c7
    Successfully tagged bogodevops/demo:latest
Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc. Create a Pod of image Nginx in the Namespace server to run on the gVisor RuntimeClass.
Install the RuntimeClass for gVisor

    { # Step 1: Install a RuntimeClass
    cat <<EOF | kubectl apply -f -
    apiVersion: node.k8s.io/v1beta1
    kind: RuntimeClass
    metadata:
      name: gvisor
    handler: runsc
    EOF
    }

Create a Pod with the gVisor RuntimeClass

    { # Step 2: Create a pod
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-gvisor
    spec:
      runtimeClassName: gvisor
      containers:
      - name: nginx
        image: nginx
    EOF
    }

Verify that the Pod is running

    { # Step 3: Get the pod
    kubectl get pod nginx-gvisor -o wide
    }
Task

Create a NetworkPolicy named pod-access to restrict access to Pod users-service running in namespace dev-team.

Only allow the following Pods to connect to Pod users-service:

Pods in the namespace qa

Pods with label environment: testing, in any namespace
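As an added example that is not from the exam page, a shell script that generates a NetworkPolicy for this task. It assumes Pod users-service carries the label app: users-service (confirm with kubectl get pod users-service -n dev-team --show-labels and adjust the selector), and that the cluster's CNI enforces NetworkPolicy at all.

```shell
#!/bin/sh
# Added example: writes the NetworkPolicy for the task above.
# Assumption: Pod users-service is labelled app: users-service.
set -eu

write_netpol() {
  cat > "$1" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pod-access
  namespace: dev-team
spec:
  podSelector:
    matchLabels:
      app: users-service
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Rule 1: any Pod in namespace qa. The kubernetes.io/metadata.name label
    # is set on every namespace automatically since Kubernetes 1.22 (beta in
    # 1.21); on older clusters label the namespace yourself and select on that.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: qa
    # Rule 2: Pods labelled environment: testing in ANY namespace. The empty
    # namespaceSelector in the SAME list element is what widens the match past
    # dev-team; a podSelector on its own only covers the policy's namespace.
    # Selectors inside one element are ANDed; separate elements (rule 1 vs.
    # rule 2) are ORed. Splitting this element in two would admit every Pod
    # in the cluster.
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          environment: testing
EOF
}

# Sanity check that both rules made it into the manifest. Once any policy
# selects the Pod, ingress that matches no rule is dropped, so there is no
# explicit deny to check for.
check_netpol() {
  grep -q 'kubernetes.io/metadata.name: qa' "$1" \
    && grep -q 'namespaceSelector: {}' "$1" \
    && grep -q 'environment: testing' "$1"
}

# Usage: write_netpol pod-access.yaml && kubectl apply -f pod-access.yaml
# Verify (assuming a Service named users-service fronts the Pod): a probe from
# namespace qa should connect, an unlabelled probe elsewhere should time out.
#   kubectl -n qa run probe --rm -it --image=busybox --restart=Never -- \
#     wget -qO- --timeout=3 users-service.dev-team
```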
A container image scanner is set up on the cluster.

Given an incomplete configuration in the directory /etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy

1. Enable the admission plugin.
2. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying a pod whose image tag is latest.
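As an added example that is not from the exam page, the pieces of an ImagePolicyWebhook admission configuration, using the directory and endpoint named in the task. The file names inside that directory (admission_configuration.yaml, kubeconf, webhook-ca.crt, apiserver-client.crt, apiserver-client.key) are assumptions; the exam's "incomplete configuration" presumably already has its own, so adjust paths to match.

```shell
#!/bin/sh
# Added example: generates the ImagePolicyWebhook configuration files.
# Assumed file names under CONF_DIR are placeholders; the endpoint and the
# directory come from the task text.
set -eu
CONF_DIR="${CONF_DIR:-/etc/kubernetes/confcontrol}"

# 1. Admission configuration. defaultAllow: false is the "implicit deny": if the
#    scanner is unreachable or gives no verdict, the Pod is rejected rather than
#    admitted. With defaultAllow: true an outage of the scanner silently
#    disables the control.
write_admission_config() {
  cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: $CONF_DIR/kubeconf
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: false
EOF
}

# 2. Kubeconfig the API server uses to reach the scanner over HTTPS; the CA
#    file pins the scanner's certificate and the client cert authenticates the
#    API server to it.
write_kubeconf() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: image-checker
  cluster:
    certificate-authority: $CONF_DIR/webhook-ca.crt
    server: https://test-server.local.8081/image_policy
contexts:
- name: image-checker
  context:
    cluster: image-checker
    user: api-server
current-context: image-checker
preferences: {}
users:
- name: api-server
  user:
    client-certificate: $CONF_DIR/apiserver-client.crt
    client-key: $CONF_DIR/apiserver-client.key
EOF
}

# 3. Flags to add to the kube-apiserver static Pod
#    (/etc/kubernetes/manifests/kube-apiserver.yaml on kubeadm clusters).
#    CONF_DIR must also be mounted into the API server container as a hostPath
#    volume, otherwise the file is unreadable and the API server fails to start
#    (check with crictl logs / the kubelet log if kubectl stops responding).
apiserver_flags() {
  printf '%s\n' \
    "--enable-admission-plugins=NodeRestriction,ImagePolicyWebhook" \
    "--admission-control-config-file=$CONF_DIR/admission_configuration.yaml"
}

# 4. Test once the API server is back: with the scanner rejecting unpinned
#    tags, this must be denied with an error naming the webhook.
#      kubectl run latest-test --image=nginx:latest
```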
    eval "$(ssh-agent -s)"
    ssh-add ~/.ssh/tempprivate
    cd contrib/terraform/aws
    vi terraform.tfvars
    terraform init
    terraform apply -var-file=credentials.tfvars
    ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_ssh_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache -e ansible_user=core
On the cluster worker node, enforce the prepared AppArmor profile

    #include <tunables/global>

    profile nginx-deny flags=(attach_disconnected) {
      #include <abstractions/base>

      file,

      # Deny all file writes.
      deny /** w,
    }

Edit the prepared manifest file to include the AppArmor profile.

    apiVersion: v1
    kind: Pod
    metadata:
      name: apparmor-pod
    spec:
      containers:
      - name: apparmor-pod
        image: nginx

Finally, apply the manifest file and create the Pod specified in it.

Verify: Try to make a file inside the directory which is restricted.
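As an added example that is not part of the exam page, a shell script covering the three steps: loading the profile on the worker node, the Pod manifest with the AppArmor annotation, and the verification. It assumes the profile file lives at /etc/apparmor.d/nginx-deny on the node (the exam's path is not shown); the profile name nginx-deny and container name apparmor-pod come from the task.

```shell
#!/bin/sh
# Added example: load the nginx-deny profile, write the annotated Pod
# manifest, verify enforcement. Assumption: profile file path on the node is
# /etc/apparmor.d/nginx-deny (placeholder).
set -eu

# On the worker node (e.g. over ssh): parse and load the profile into the
# kernel, then confirm it is listed in enforce mode. A profile that is loaded
# but only in complain mode logs writes instead of blocking them.
load_profile() {
  apparmor_parser -q "${1:-/etc/apparmor.d/nginx-deny}"
  aa-status | grep -q 'nginx-deny'
}

# Pod manifest: the annotation key is
# container.apparmor.security.beta.kubernetes.io/<container-name> and the value
# localhost/<profile> names a profile already loaded on the node the Pod lands
# on; if it is missing there, the Pod stays in Blocked/Pending. Kubernetes
# 1.30+ also accepts securityContext.appArmorProfile (type: Localhost), but
# the annotation is what this task expects.
write_pod_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
  annotations:
    container.apparmor.security.beta.kubernetes.io/apparmor-pod: localhost/nginx-deny
spec:
  containers:
  - name: apparmor-pod
    image: nginx
EOF
}

# Verification: the profile allows reads ("file,") but denies every write
# ("deny /** w,"), so creating a file must fail with "Permission denied".
verify_pod() {
  kubectl apply -f "$1"
  kubectl wait --for=condition=Ready pod/apparmor-pod --timeout=60s
  # Shows which profile confines PID 1, e.g. "nginx-deny (enforce)".
  kubectl exec apparmor-pod -- cat /proc/1/attr/current
  if kubectl exec apparmor-pod -- touch /tmp/should-fail; then
    echo "write succeeded: profile is NOT being enforced" >&2
    return 1
  fi
  echo "write denied as expected"
}

# Usage (node, then control plane):
#   ssh <worker-node> 'sudo sh -s' < this-script.sh   # then call load_profile
#   write_pod_manifest apparmor-pod.yaml && verify_pod apparmor-pod.yaml
```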