Security 1
Some of the scenario questions here are based on Kodekloud's CKA course labs.
CKAD and CKA can have similar scenario questions. It is recommended to go through the CKAD practice tests.
Shortcuts
First run the two commands below for shortcuts.
export do="--dry-run=client -o yaml"
export now="--force --grace-period=0"
Questions
- Identify the certificate file used for the kube-api server.
Answer
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 4m43s
kube-system etcd-controlplane 1/1 Running 0 4m54s
kube-system kube-apiserver-controlplane 1/1 Running 0 4m57s
kube-system kube-controller-manager-controlplane 1/1 Running 0 4m54s
kube-system kube-proxy-5ngt7 1/1 Running 0 4m43s
kube-system kube-scheduler-controlplane 1/1 Running 0 4m58s
controlplane ~ ➜ k describe -n kube-system po kube-apiserver-controlplane | grep -i cert
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
/etc/ca-certificates from etc-ca-certificates (ro)
/etc/kubernetes/pki from k8s-certs (ro)
/etc/ssl/certs from ca-certs (ro)
/usr/local/share/ca-certificates from usr-local-share-ca-certificates (ro)
/usr/share/ca-certificates from usr-share-ca-certificates (ro)
ca-certs:
Path: /etc/ssl/certs
etc-ca-certificates:
Path: /etc/ca-certificates
k8s-certs:
usr-local-share-ca-certificates:
Path: /usr/local/share/ca-certificates
usr-share-ca-certificates:
Path: /usr/share/ca-certificates
controlplane ~ ➜ k describe -n kube-system po kube-apiserver-controlplane | grep -i cert | grep api
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- Identify the Certificate file used to authenticate kube-apiserver as a client to ETCD Server.
Answer
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 4m43s
kube-system etcd-controlplane 1/1 Running 0 4m54s
kube-system kube-apiserver-controlplane 1/1 Running 0 4m57s
kube-system kube-controller-manager-controlplane 1/1 Running 0 4m54s
kube-system kube-proxy-5ngt7 1/1 Running 0 4m43s
kube-system kube-scheduler-controlplane 1/1 Running 0 4m58s
controlplane ~ ➜ k describe -n kube-system po kube-apiserver-controlplane | grep -i cert | grep api
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- Identify the key used to authenticate kube-apiserver to the kubelet server.
Answer
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 4m43s
kube-system etcd-controlplane 1/1 Running 0 4m54s
kube-system kube-apiserver-controlplane 1/1 Running 0 4m57s
kube-system kube-controller-manager-controlplane 1/1 Running 0 4m54s
kube-system kube-proxy-5ngt7 1/1 Running 0 4m43s
kube-system kube-scheduler-controlplane 1/1 Running 0 4m58s
controlplane ~ ➜ k describe -n kube-system po kube-apiserver-controlplane | grep -i key
--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- Identify the ETCD Server Certificate used to host the ETCD server.
Answer
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 4m43s
kube-system etcd-controlplane 1/1 Running 0 4m54s
kube-system kube-apiserver-controlplane 1/1 Running 0 4m57s
kube-system kube-controller-manager-controlplane 1/1 Running 0 4m54s
kube-system kube-proxy-5ngt7 1/1 Running 0 4m43s
kube-system kube-scheduler-controlplane 1/1 Running 0 4m58s
controlplane ~ ➜ k describe -n kube-system po etcd-controlplane | grep -i cert
--cert-file=/etc/kubernetes/pki/etcd/server.crt
- Identify the ETCD Server CA Root Certificate used to serve the ETCD Server. ETCD can have its own CA, so this may be a different CA certificate than the one used by the kube-api server.
Answer
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 4m43s
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 4m43s
kube-system etcd-controlplane 1/1 Running 0 4m54s
kube-system kube-apiserver-controlplane 1/1 Running 0 4m57s
kube-system kube-controller-manager-controlplane 1/1 Running 0 4m54s
kube-system kube-proxy-5ngt7 1/1 Running 0 4m43s
kube-system kube-scheduler-controlplane 1/1 Running 0 4m58s
controlplane ~ ➜ k describe -n kube-system po etcd-controlplane | grep -i ca
Priority Class Name: system-node-critical
--peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
--trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
- What is the Common Name (CN) configured on the Kube API Server Certificate?
Answer
Find the kube-api server cert first.
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 15m
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 15m
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 15m
kube-system etcd-controlplane 1/1 Running 0 16m
kube-system kube-apiserver-controlplane 1/1 Running 0 16m
kube-system kube-controller-manager-controlplane 1/1 Running 0 16m
kube-system kube-proxy-5ngt7 1/1 Running 0 15m
kube-system kube-scheduler-controlplane 1/1 Running 0 16m
controlplane ~ ➜ k describe -n kube-system po kube-apiserver-controlplane | grep cert
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
Based on: https://kubernetes.io/docs/tasks/administer-cluster/certificates/
Use the openssl command to view the certificate.
openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt
The answer is kube-apiserver.
controlplane ~ ➜ openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | grep CN
Issuer: CN = kubernetes
Subject: CN = kube-apiserver
- What are the alternate names configured on the Kube API Server Certificate?
Answer
controlplane ~ ➜ openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | grep -i alternative -A 10
X509v3 Subject Alternative Name:
DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.20.62.6
- What is the Common Name (CN) configured on the ETCD Server certificate?
Answer
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 20m
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 20m
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 20m
kube-system etcd-controlplane 1/1 Running 0 21m
kube-system kube-apiserver-controlplane 1/1 Running 0 21m
kube-system kube-controller-manager-controlplane 1/1 Running 0 21m
kube-system kube-proxy-5ngt7 1/1 Running 0 20m
kube-system kube-scheduler-controlplane 1/1 Running 0 21m
controlplane ~ ➜ k describe -n kube-system po etcd-controlplane | grep cert
--cert-file=/etc/kubernetes/pki/etcd/server.crt
Based on: https://kubernetes.io/docs/tasks/administer-cluster/certificates/
Use the openssl command to view the certificate.
openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt
The answer is controlplane. The Issuer line shows the CA that signed the certificate, not the server's own CN.
controlplane ~ ➜ openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt | grep CN
Issuer: CN = etcd-ca
Subject: CN = controlplane
- How long, from the issued date, is the Kube-API Server Certificate valid for?
Answer
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 20m
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 20m
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 20m
kube-system etcd-controlplane 1/1 Running 0 21m
kube-system kube-apiserver-controlplane 1/1 Running 0 21m
kube-system kube-controller-manager-controlplane 1/1 Running 0 21m
kube-system kube-proxy-5ngt7 1/1 Running 0 20m
kube-system kube-scheduler-controlplane 1/1 Running 0 21m
controlplane ~ ➜ k describe -n kube-system po kube-apiserver-controlplane | grep cert
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
Based on: https://kubernetes.io/docs/tasks/administer-cluster/certificates/
Use the openssl command to view the certificate.
openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt
controlplane ~ ➜ openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | grep -i validity -A 5
Validity
Not Before: Dec 30 13:41:34 2023 GMT
Not After : Dec 29 13:41:34 2024 GMT
- How long, from the issued date, is the Root CA Certificate valid for?
Answer
controlplane ~ ➜ k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-rvnsq 1/1 Running 0 25m
kube-system coredns-5d78c9869d-q28bn 1/1 Running 0 25m
kube-system coredns-5d78c9869d-sdgcj 1/1 Running 0 25m
kube-system etcd-controlplane 1/1 Running 0 26m
kube-system kube-apiserver-controlplane 1/1 Running 0 26m
kube-system kube-controller-manager-controlplane 1/1 Running 0 26m
kube-system kube-proxy-5ngt7 1/1 Running 0 25m
kube-system kube-scheduler-controlplane 1/1 Running 0 26m
controlplane ~ ➜ k describe -n kube-system po kube-apiserver-controlplane | grep ca
Priority Class Name: system-node-critical
Image ID: registry.k8s.io/kube-apiserver@sha256:89b8d9dbef2b905b7d028ca8b7f79d35ebd9baa66b0a3ee2ddd4f3e0e2804b45
--client-ca-file=/etc/kubernetes/pki/ca.crt
Based on: https://kubernetes.io/docs/tasks/administer-cluster/certificates/
Use the openssl command to view the certificate.
openssl x509 -noout -text -in /etc/kubernetes/pki/ca.crt
controlplane ~ ➜ openssl x509 -noout -text -in /etc/kubernetes/pki/ca.crt | grep -i validity -A 3
Validity
Not Before: Dec 30 13:41:34 2023 GMT
Not After : Dec 27 13:41:34 2033 GMT
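The openssl checks in the questions above (CN, alternative names, validity window) can be scripted as one audit. The Python below is an added example, not part of the course or the lab: it parses the text that `openssl x509 -noout -text` prints, returns the CNs, SANs and validity in days, and flags certificates that are near expiry or missing the in-cluster names. The sample certificate text is constructed from the lab output; REQUIRED_APISERVER_SANS and the 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: `openssl x509 -noout -text` output for the lab's apiserver.crt,
# trimmed to the fields this script reads (CN, SAN and validity values are the lab's).
SAMPLE_APISERVER_CERT_TEXT = """\
        Issuer: CN = kubernetes
        Validity
            Not Before: Dec 30 13:41:34 2023 GMT
            Not After : Dec 29 13:41:34 2024 GMT
        Subject: CN = kube-apiserver
            X509v3 Subject Alternative Name:
                DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.20.62.6
"""
# Assumed baseline: names in-cluster clients verify against; a kubeadm apiserver.crt carries all of them.
REQUIRED_APISERVER_SANS = frozenset({"DNS:kubernetes", "DNS:kubernetes.default",
                                     "DNS:kubernetes.default.svc", "DNS:kubernetes.default.svc.cluster.local"})

def common_name(text, field):
    """CN from the 'Issuer:' or 'Subject:' line, whatever other RDNs (O=, OU=) precede it."""
    return re.search(rf"^\s*{field}:.*?CN\s*=\s*([^,\n]+)", text, re.M).group(1).strip()

def parse_openssl_time(value):
    """Turn openssl's 'Dec 30 13:41:34 2023 GMT' into an aware UTC datetime."""
    naive = datetime.strptime(value.strip().replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Extract issuer/subject CN, SANs and validity window from `openssl x509 -text` output."""
    not_before = parse_openssl_time(re.search(r"Not Before\s*:\s*(.+)", text).group(1))
    not_after = parse_openssl_time(re.search(r"Not After\s*:\s*(.+)", text).group(1))
    san = re.search(r"Subject Alternative Name:\s*(.+)", text)  # the value line follows the header
    return {"issuer_cn": common_name(text, "Issuer"), "subject_cn": common_name(text, "Subject"),
            "sans": [s.strip() for s in san.group(1).split(",")] if san else [],
            "not_before": not_before, "not_after": not_after,
            "valid_days": (not_after - not_before).days}

def audit_cert(info, now, warn_days=30, required_sans=frozenset()):
    """Findings a renewal check should raise: expired, expiring within warn_days, missing SANs."""
    findings, remaining = [], (info["not_after"] - now).days
    if remaining < 0:
        findings.append("expired")
    elif remaining <= warn_days:
        findings.append(f"expires in {remaining} days")
    missing = sorted(required_sans - set(info["sans"]))
    if missing:
        findings.append("missing SANs: " + ", ".join(missing))
    return findings
```

On the control plane node, feed `parse_cert_text` the output of `openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt` (or the etcd server and CA files found above) and pass `datetime.now(timezone.utc)` as `now`.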