Security
Some of the scenario questions here are based on Kodekloud's CKA course labs.
CKAD and CKA can have similar scenario questions. It is recommended to go through the CKAD practice tests.
Shortcuts
First run the two commands below for shortcuts.
export do="--dry-run=client -o yaml"
export now="--force --grace-period=0"
Questions
Kubectl suddenly stops responding to your commands. Check it out! Someone recently modified the /etc/kubernetes/manifests/etcd.yaml file.
You are asked to investigate and fix the issue. Once you fix the issue, wait for some time for kubectl to respond. Check the logs of the ETCD container.
Answer
Check the certs referenced in the manifest against the files that actually exist.

```
controlplane ~ ➜ grep cert /etc/kubernetes/manifests/etcd.yaml
    - --cert-file=/etc/kubernetes/pki/etcd/server-certificate.crt
    - --client-cert-auth=true
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
      name: etcd-certs
      name: etcd-certs

controlplane ~ ➜ ls -la /etc/kubernetes/pki/etcd/
total 40
drwxr-xr-x 2 root root 4096 Dec 30 08:41 .
drwxr-xr-x 3 root root 4096 Dec 30 08:41 ..
-rw-r--r-- 1 root root 1086 Dec 30 08:41 ca.crt
-rw------- 1 root root 1679 Dec 30 08:41 ca.key
-rw-r--r-- 1 root root 1159 Dec 30 08:41 healthcheck-client.crt
-rw------- 1 root root 1675 Dec 30 08:41 healthcheck-client.key
-rw-r--r-- 1 root root 1208 Dec 30 08:41 peer.crt
-rw------- 1 root root 1679 Dec 30 08:41 peer.key
-rw-r--r-- 1 root root 1208 Dec 30 08:41 server.crt
-rw------- 1 root root 1679 Dec 30 08:41 server.key
```

We can see above that the server cert defined in the manifest (server-certificate.crt) does not exist; the file on disk is server.crt. Fix the YAML file:

```
--cert-file=/etc/kubernetes/pki/etcd/server.crt
```

The kube-api server stopped again! Check it out. Inspect the kube-api server logs and identify the root cause and fix the issue. Hint: Find the kube-apiserver container.
Answer
We can use crictl to find the container.

```
controlplane ~ ➜ crictl ps -a | grep apiserver
7ca09e4553971   6f707f569b572   2 minutes ago   Exited   kube-apiserver   5   ec0124d62fe6d   kube-apiserver-controlplane
```

Then check the logs.

```
controlplane ~ ➜ crictl logs 7ca09e4553971 | tail -1
W1230 14:21:08.206143       1 logging.go:59] [core] [Channel #3 SubChannel #6] grpc: addrConn.createTransport failed to connect to {"Addr": "127.0.0.1:2379", "ServerName": "127.0.0.1", "Attributes": null, "BalancerAttributes": null, "Type": 0, "Metadata": null}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
E1230 14:21:10.930501       1 run.go:74] "command failed" err="context deadline exceeded"
```

The API server cannot verify etcd's server certificate, so this could be an issue with the etcd CA cert it has been given. Check the certs and the manifest.

```
controlplane ~ ✖ ls -la /etc/kubernetes/pki/
total 72
drwxr-xr-x 3 root root 4096 Dec 30 08:41 .
drwxr-xr-x 1 root root 4096 Dec 30 08:41 ..
-rw-r--r-- 1 root root 1289 Dec 30 08:41 apiserver.crt
-rw-r--r-- 1 root root 1155 Dec 30 08:41 apiserver-etcd-client.crt
-rw------- 1 root root 1675 Dec 30 08:41 apiserver-etcd-client.key
-rw------- 1 root root 1679 Dec 30 08:41 apiserver.key
-rw-r--r-- 1 root root 1164 Dec 30 08:41 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Dec 30 08:41 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1099 Dec 30 08:41 ca.crt
-rw------- 1 root root 1675 Dec 30 08:41 ca.key
drwxr-xr-x 2 root root 4096 Dec 30 08:41 etcd
-rw-r--r-- 1 root root 1115 Dec 30 08:41 front-proxy-ca.crt
-rw------- 1 root root 1679 Dec 30 08:41 front-proxy-ca.key
-rw-r--r-- 1 root root 1119 Dec 30 08:41 front-proxy-client.crt
-rw------- 1 root root 1679 Dec 30 08:41 front-proxy-client.key
-rw------- 1 root root 1675 Dec 30 08:41 sa.key
-rw------- 1 root root  451 Dec 30 08:41 sa.pub

controlplane ~ ➜ ls -la /etc/kubernetes/pki/etcd/
total 40
drwxr-xr-x 2 root root 4096 Dec 30 08:41 .
drwxr-xr-x 3 root root 4096 Dec 30 08:41 ..
-rw-r--r-- 1 root root 1086 Dec 30 08:41 ca.crt
-rw------- 1 root root 1679 Dec 30 08:41 ca.key
-rw-r--r-- 1 root root 1159 Dec 30 08:41 healthcheck-client.crt
-rw------- 1 root root 1675 Dec 30 08:41 healthcheck-client.key
-rw-r--r-- 1 root root 1208 Dec 30 08:41 peer.crt
-rw------- 1 root root 1679 Dec 30 08:41 peer.key
-rw-r--r-- 1 root root 1208 Dec 30 08:41 server.crt
-rw------- 1 root root 1679 Dec 30 08:41 server.key

controlplane ~ ➜ ls -la /etc/kubernetes/manifests/
total 28
drwxr-xr-x 1 root root 4096 Dec 30 09:17 .
drwxr-xr-x 1 root root 4096 Dec 30 08:41 ..
-rw------- 1 root root 2399 Dec 30 09:16 etcd.yaml
-rw------- 1 root root 3872 Dec 30 09:17 kube-apiserver.yaml
-rw------- 1 root root 3393 Dec 30 08:41 kube-controller-manager.yaml
-rw------- 1 root root 1463 Dec 30 08:41 kube-scheduler.yaml

controlplane ~ ➜ grep etcd /etc/kubernetes/manifests/kube-apiserver.yaml
    - --etcd-cafile=/etc/kubernetes/pki/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
```

--etcd-cafile points at the cluster CA instead of the etcd CA, so the etcd server certificate (signed by the etcd CA) cannot be verified. Fix the --etcd-cafile in the YAML file:

```
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
```
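Both answers above come down to one check: every certificate path in a static-pod manifest must point at a file that exists, and at the file kubeadm generated for that flag. The script below is an added example, not part of the page or of the KodeKloud lab. It pulls the `- --flag=value` lines out of a manifest, reports file flags whose path does not exist (the etcd case) and file flags whose path differs from the kubeadm default (the --etcd-cafile case, which an existence check alone would not catch, since /etc/kubernetes/pki/ca.crt exists). KUBEADM_DEFAULTS is an assumed lookup table (the etcd --trusted-ca-file entry comes from the kubeadm layout, not from the question), and the sample manifests and temporary pki tree are constructed from the output shown above.

```python
import os
import re
import tempfile

# A flag counts as a file reference when its name ends in "file"
# (--cert-file, --peer-cert-file, --etcd-cafile, --etcd-certfile, --client-ca-file, ...).
FILE_FLAG = re.compile(r"^(--[a-z-]*file)=(.+)$")

# Paths kubeadm generates for these flags (assumed table for this example).
KUBEADM_DEFAULTS = {
    "etcd": {
        "--cert-file": "/etc/kubernetes/pki/etcd/server.crt",
        "--key-file": "/etc/kubernetes/pki/etcd/server.key",
        "--trusted-ca-file": "/etc/kubernetes/pki/etcd/ca.crt",
    },
    "kube-apiserver": {
        "--etcd-cafile": "/etc/kubernetes/pki/etcd/ca.crt",
        "--etcd-certfile": "/etc/kubernetes/pki/apiserver-etcd-client.crt",
        "--etcd-keyfile": "/etc/kubernetes/pki/apiserver-etcd-client.key",
    },
}


def manifest_args(manifest_text):
    """Pull the '--flag=value' items out of a static-pod manifest's command list.
    A line-oriented regex is enough for kubeadm manifests, so no YAML parser is needed."""
    return re.findall(r"^\s*-\s+(--[^\s=]+=.*?)\s*$", manifest_text, flags=re.M)


def missing_files(args, root=""):
    """(flag, path) for every *file flag whose path does not exist.
    root lets the check run against a copied tree instead of the live node."""
    out = []
    for arg in args:
        m = FILE_FLAG.match(arg)
        if m and not os.path.isfile(root + m.group(2)):
            out.append((m.group(1), m.group(2)))
    return out


def nondefault_paths(component, args):
    """(flag, actual, expected) for file flags that differ from the kubeadm default."""
    expected = KUBEADM_DEFAULTS.get(component, {})
    out = []
    for arg in args:
        m = FILE_FLAG.match(arg)
        if m and m.group(1) in expected and m.group(2) != expected[m.group(1)]:
            out.append((m.group(1), m.group(2), expected[m.group(1)]))
    return out


# Constructed samples: the two broken manifests from the questions, trimmed to the relevant lines.
BROKEN_ETCD = """
    - --cert-file=/etc/kubernetes/pki/etcd/server-certificate.crt
    - --client-cert-auth=true
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
"""
BROKEN_APISERVER = """
    - --etcd-cafile=/etc/kubernetes/pki/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
"""
# Files that exist on the node per the ls output above (constructed, empty files in a temp dir).
PKI_FILES = [
    "/etc/kubernetes/pki/ca.crt",
    "/etc/kubernetes/pki/apiserver-etcd-client.crt",
    "/etc/kubernetes/pki/apiserver-etcd-client.key",
    "/etc/kubernetes/pki/etcd/ca.crt",
    "/etc/kubernetes/pki/etcd/server.crt",
    "/etc/kubernetes/pki/etcd/peer.crt",
]


def fake_pki_tree():
    """Create an empty copy of the pki layout in a temp dir and return its root (sample only)."""
    root = tempfile.mkdtemp()
    for path in PKI_FILES:
        os.makedirs(os.path.dirname(root + path), exist_ok=True)
        open(root + path, "w").close()
    return root


if __name__ == "__main__":
    root = fake_pki_tree()
    print("etcd missing:", missing_files(manifest_args(BROKEN_ETCD), root))
    print("apiserver missing:", missing_files(manifest_args(BROKEN_APISERVER), root))
    print("apiserver non-default:", nondefault_paths("kube-apiserver", manifest_args(BROKEN_APISERVER)))
```

On a real node you would read the manifest from /etc/kubernetes/manifests and call the two checks with `root=""`; the temp tree only exists so the example runs offline.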
A new member akshay joined our team. He requires access to our cluster. The Certificate Signing Request is at the /root location.
- Create a CertificateSigningRequest object with the name akshay with the contents of the akshay.csr file.
- As of kubernetes 1.19, the API to use for CSR is certificates.k8s.io/v1.
- Please note that an additional field called signerName should also be added when creating the CSR.
- For client authentication to the API server we will use the built-in signer kubernetes.io/kube-apiserver-client.
- Approve the CSR request.
Answer
```
controlplane ~ ➜ ls -l
total 8
-rw-r--r-- 1 root root  887 Dec 30 09:36 akshay.csr
-rw------- 1 root root 1679 Dec 30 09:36 akshay.key
```

Generate the base64 encoded format:

```
controlplane ~ ➜ cat akshay.csr | base64 -w 0
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcW
```

Create the YAML file. Follow: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#create-a-certificatesigningrequest-object-to-send-to-the-kubernetes-api

```yaml
## akshay-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: akshay
spec:
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcW
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
```

Apply it, approve it and check the condition:

```
controlplane ~ ➜ k apply -f akshay-csr.yaml
certificatesigningrequest.certificates.k8s.io/akshay created

controlplane ~ ➜ k get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      8s    kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Pending
csr-fnjbq   20m   kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

controlplane ~ ➜ kubectl certificate approve akshay
certificatesigningrequest.certificates.k8s.io/akshay approved

controlplane ~ ➜ k get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      3m10s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-fnjbq   23m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued
```
There is a new CSR. What groups is this CSR requesting access to?
- We need to reject it.
- After rejecting, delete the CSR.
```
controlplane ~ ➜ k get csr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
agent-smith   7s      kubernetes.io/kube-apiserver-client           agent-x                    <none>              Pending
akshay        4m13s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-fnjbq     24m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued
```

Answer

Inspect the CSR object; the groups are listed under spec.groups.

```
controlplane ~ ➜ k get csr agent-smith -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2023-12-30T14:54:23Z"
  name: agent-smith
  resourceVersion: "2368"
  uid: 91311095-f323-42a0-a704-db17451ef8ff
spec:
  groups:
  - system:masters
  - system:authenticated
  request: <base64-encoded CSR omitted>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: agent-x
status: {}
```

The CSR is requesting the system:masters and system:authenticated groups. Deny it:

```
controlplane ~ ➜ k get csr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
agent-smith   2m53s   kubernetes.io/kube-apiserver-client           agent-x                    <none>              Pending
akshay        6m59s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-fnjbq     27m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued

controlplane ~ ➜ kubectl certificate deny agent-smith
certificatesigningrequest.certificates.k8s.io/agent-smith denied

controlplane ~ ➜ k get csr
NAME          AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
agent-smith   3m9s    kubernetes.io/kube-apiserver-client           agent-x                    <none>              Denied
akshay        7m15s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-fnjbq     27m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued
```

To delete the CSR, generate the YAML and use kubectl delete.

```
controlplane ~ ➜ k get csr agent-smith -o yaml > agent-smith.yml

controlplane ~ ➜ k delete -f agent-smith.yml
certificatesigningrequest.certificates.k8s.io "agent-smith" deleted

controlplane ~ ➜ k get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
akshay      9m59s   kubernetes.io/kube-apiserver-client           kubernetes-admin           <none>              Approved,Issued
csr-fnjbq   30m     kubernetes.io/kube-apiserver-client-kubelet   system:node:controlplane   <none>              Approved,Issued
```
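The two CSR questions above (akshay and agent-smith) share one review step worth automating: before approving a request for the kubernetes.io/kube-apiserver-client signer, decode the PEM request and look at the identity the certificate would carry. Kubernetes takes the username from the subject CN and the groups from the subject O fields, so a subject with O=system:masters is asking for cluster-admin rights. The script below is an added example, not code from the page or the KodeKloud lab: a stdlib-only minimal DER walk that extracts the subject, a review function that flags privileged groups, and `request_field`, which produces the same value as `base64 -w 0 < akshay.csr` for the spec.request field. The sample CSR is constructed inside the block with a dummy key and signature (it is not verifiable, only its subject is real); the names agent-x and akshay are taken from the questions above, and PRIVILEGED_GROUPS is an assumed policy list.

```python
import base64

# OIDs for the two subject attributes Kubernetes maps to an identity
OID_CN = b"\x55\x04\x03"   # 2.5.4.3  commonName   -> username
OID_O = b"\x55\x04\x0a"    # 2.5.4.10 organization -> group
OID_NAMES = {OID_CN: "CN", OID_O: "O"}
PRIVILEGED_GROUPS = {"system:masters"}   # assumed policy: groups that must never be approved blindly


def _tlv(tag, value):
    """Encode one DER tag-length-value element (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """All DER elements contained in a constructed value, as (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def csr_subject(der):
    """Return the subject of a PKCS#10 CSR as [(attribute, value), ...] in certificate order."""
    (_, cert_req), = _children(der)              # CertificationRequest SEQUENCE
    info = _children(cert_req)[0][1]              # CertificationRequestInfo
    subject = _children(info)[1][1]               # Name: element after the version INTEGER
    pairs = []
    for _, rdn in _children(subject):             # RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):             # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, val) = _children(atv)
            pairs.append((OID_NAMES.get(oid, oid.hex()), val.decode()))
    return pairs


def review_csr(pem):
    """Identity a certificate signed from this CSR would carry, and whether it is privileged."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    subject = csr_subject(base64.b64decode(b64))
    username = next((v for k, v in subject if k == "CN"), None)
    groups = [v for k, v in subject if k == "O"]
    return {"username": username, "groups": groups,
            "privileged": bool(PRIVILEGED_GROUPS & set(groups))}


def request_field(pem):
    """Value for spec.request in the CSR object: the same output as `base64 -w 0 < file.csr`."""
    return base64.b64encode(pem.encode()).decode()


def sample_csr_pem(username, groups):
    """Constructed sample CSR: real subject, empty key info and a dummy signature."""
    name = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, v.encode())))
        for oid, v in [(OID_CN, username)] + [(OID_O, g) for g in groups])
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, name) + _tlv(0x30, b"") + _tlv(0xA0, b""))
    der = _tlv(0x30, info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    pem = sample_csr_pem("agent-x", ["system:masters", "system:authenticated"])
    print(review_csr(pem))             # privileged: True, so deny rather than approve
    print(request_field(pem)[:40] + "...")
```

With a real akshay.csr you would call `review_csr(open("akshay.csr").read())`; the subject check is independent of the signature, which the signer verifies separately.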
Where is the default kubeconfig file located in the current environment?
Answer
The answer is /root/.kube/config
```
controlplane ~ ➜ ls -la
total 60
drwx------ 1 root root 4096 Dec 30 10:02 .
drwxr-xr-x 1 root root 4096 Dec 30 09:57 ..
-rw-r--r-- 1 root root 1272 Dec 30 09:57 .bash_profile
-rw-r--r-- 1 root root 3265 Nov  2 11:39 .bashrc
drwxr-xr-x 1 root root 4096 Dec 30 10:02 .cache
drwxr-xr-x 2 root root 4096 Dec 30 10:02 CKA
drwxr-xr-x 1 root root 4096 Nov  2 11:36 .config
drwxr-xr-x 3 root root 4096 Dec 30 10:02 .kube
-rw-rw-rw- 1 root root 1456 Dec 30 10:02 my-kube-config
-rw-r--r-- 1 root root  161 Dec  5  2019 .profile
-rw-rw-rw- 1 root root    0 Dec 13 05:39 sample.yaml
drwx------ 2 root root 4096 Dec 30 10:02 .ssh
drwxr-xr-x 4 root root 4096 Nov  2 11:37 .vim
-rw-r--r-- 1 root root  132 Nov  2 11:37 .vimrc
-rw-r--r-- 1 root root  165 Nov  2 11:38 .wget-hsts

controlplane ~ ➜ ls -la .kube/
total 24
drwxr-xr-x 3 root root 4096 Dec 30 10:02 .
drwx------ 1 root root 4096 Dec 30 10:02 ..
drwxr-x--- 4 root root 4096 Dec 30 10:02 cache
-rw------- 1 root root 5640 Dec 30 09:57 config
```
In the default kubeconfig file, what is the user configured in the current context?
Answer
```
controlplane ~/.kube ➜ grep -i context config
contexts:
- context:
current-context: kubernetes-admin@kubernetes

controlplane ~/.kube ➜ grep -i current-context -A 5 config
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
```

The current context is kubernetes-admin@kubernetes, whose user is kubernetes-admin.
A new kubeconfig file named my-kube-config is created. It is placed in the /root directory. How many clusters are defined in that kubeconfig file?
Answer
```
controlplane ~ ➜ ls -l
total 8
drwxr-xr-x 2 root root 4096 Dec 30 10:02 CKA
-rw-rw-rw- 1 root root 1456 Dec 30 10:08 my-kube-config
-rw-rw-rw- 1 root root    0 Dec 13 05:39 sample.yaml

controlplane ~ ➜ grep cluster my-kube-config
clusters:
  cluster:
  cluster:
  cluster:
- name: test-cluster-1
  cluster:
    cluster: development
    cluster: kubernetes-on-aws
    cluster: production
    cluster: test-cluster-1
```

Four cluster: entries appear under clusters: (the later cluster: lines belong to the contexts), so four clusters are defined.
In the new my-kube-config, what user is configured in the research context?
Answer
```
controlplane ~ ➜ grep -A 5 research my-kube-config
- name: research
  context:
    cluster: test-cluster-1
    user: dev-user
```
In the new my-kube-config, what is the name of the client-certificate file configured for the aws-user?
Answer
```
controlplane ~ ➜ grep -A 10 aws-user my-kube-config
--
- name: aws-user
  user:
    client-certificate: /etc/kubernetes/pki/users/aws-user/aws-user.crt
    client-key: /etc/kubernetes/pki/users/aws-user/aws-user.key
```
I would like to use the dev-user to access test-cluster-1. Set the current context to the right one so I can do that.
Once the right context is identified, use the kubectl config use-context command.
Answer
controlplane ~ ✖ k config --kubeconfig my-kube-config get-contextsCURRENT NAME CLUSTER AUTHINFO NAMESPACEaws-user@kubernetes-on-aws kubernetes-on-aws aws-userresearch test-cluster-1 dev-user* test-user@development development test-usertest-user@production production test-usercontrolplane ~ ➜ k config --kubeconfig my-kube-config use-context researchSwitched to context "research".controlplane ~ ➜ k config --kubeconfig my-kube-config get-contextsCURRENT NAME CLUSTER AUTHINFO NAMESPACEaws-user@kubernetes-on-aws kubernetes-on-aws aws-user* research test-cluster-1 dev-usertest-user@development development test-usertest-user@production production test-user