Security
Some of the scenario questions here are based on Kodekloud's CKA course labs.
CKAD and CKA can have similar scenario questions. It is recommended to go through the CKAD practice tests.
Shortcuts
First run the two commands below for shortcuts.
export do="--dry-run=client -o yaml"
export now="--force --grace-period=0"
Questions
-
What secret type must we choose for docker registry?
Answer
root@controlplane ~ ➜ k create secret --help | grep docker
docker-registry Create a secret for use with a Docker registry -
Update the image of the deployment to use a new image from myprivateregistry.com:5000
root@controlplane ~ ➜ k get deployments.apps
NAME READY UP-TO-DATE AVAILABLE AGE
web 2/2 2 2 104sAnswer
We simply need to append at the beginning of the image.
k edit deployments.appsspec:
containers:
- image: myprivateregistry.com:5000/nginx:alpine -
Create a secret object with the credentials required to access the registry.
- Name: private-reg-cred
- Username: dock_user
- Password: dock_password
- Server: myprivateregistry.com:5000
- Email: dock_user@myprivateregistry.com
Secret Type: docker-registry
Answer
Based on: https://kubernetes.io/docs/concepts/configuration/secret/
kubectl create secret docker-registry private-reg-cred \
--docker-email=dock_user@myprivateregistry.com \
--docker-username=dock_user \
--docker-password=dock_password \
--docker-server=myprivateregistry.com:5000root@controlplane ~ ➜ kubectl create secret docker-registry private-reg-cred \
> --docker-email=dock_user@myprivateregistry.com \
> --docker-username=dock_user \
> --docker-password=dock_password \
> --docker-server=myprivateregistry.com:5000
secret/private-reg-cred created
root@controlplane ~ ➜ k get secrets
NAME TYPE DATA AGE
private-reg-cred kubernetes.io/dockerconfigjson 1 8s
root@controlplane ~ ➜ k describe secrets private-reg-cred
Name: private-reg-cred
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 176 bytesWhen we try to generate the YAML file, we can see that the data is hidden.
root@controlplane ~ ➜ k get secrets private-reg-cred -o yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJteXByaXZhdGVyZWdpc3RyeS5jb206NTAwMCI6eyJ1c2VybmFtZSI6ImRvY2tfdXNlciIsInBhc3N3b3JkIjoiZG9ja19wYXNzd29yZCIsImVtYWlsIjoiZG9ja191c2VyQG15cHJpdmF0ZXJlZ2lzdHJ5LmNvbSIsImF1dGgiOiJaRzlqYTE5MWMyVnlPbVJ2WTJ0ZmNHRnpjM2R2Y21RPSJ9fX0=
kind: Secret
metadata:
creationTimestamp: "2023-12-30T17:26:54Z"
name: private-reg-cred
namespace: default
resourceVersion: "2092"
uid: 7bd9c254-9f9e-425a-b7f2-589c85f5df0a
type: kubernetes.io/dockerconfigjson -
Configure the deployment to use credentials from the new secret to pull images from the private registry
root@controlplane ~ ➜ k get secrets
NAME TYPE DATA AGE
private-reg-cred kubernetes.io/dockerconfigjson 1 2m40s
root@controlplane ~ ➜ k get deployments.apps
NAME READY UP-TO-DATE AVAILABLE AGE
web 2/2 1 2 13mAnswer
root@controlplane ~ ➜ k get deployments.apps web -o yaml > web.yaml
root@controlplane ~ ➜ k delete -f web.yaml
deployment.apps "web" deleted
root@controlplane ~ ➜ k get deployments.apps
No resources found in default namespace.Modify the YAML file. Follow: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
spec:
containers:
- image: myprivateregistry.com:5000/nginx:alpine
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullSecrets:
- name: private-reg-credroot@controlplane ~ ➜ k apply -f web.yaml
deployment.apps/web created
root@controlplane ~ ➜ k get deployments.apps
NAME READY UP-TO-DATE AVAILABLE AGE
web 2/2 2 2 3s -
What is the user used to execute the sleep process within the ubuntu-sleeper pod?
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
ubuntu-sleeper 1/1 Running 0 76sAnswer
Enter the pod and run whoami.
controlplane ~ ➜ k exec -it ubuntu-sleeper -- whoami
root -
Edit the pod ubuntu-sleeper to run the sleep process with user ID 1010.
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
ubuntu-sleeper 1/1 Running 0 76sAnswer
controlplane ~ ➜ k get po ubuntu-sleeper -o yaml > ubuntu-sleeper.yaml
controlplane ~ ✦ ➜ k delete po ubuntu-sleeper $now
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "ubuntu-sleeper" force deleted
controlplane ~ ✦ ✖ k get po
No resources found in default namespace.## ubuntu-sleeper.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2023-12-30T17:40:14Z"
name: ubuntu-sleeper
namespace: default
resourceVersion: "814"
uid: f866a186-25d6-45f3-9fb8-f8e37cf91c38
spec:
securityContext:
runAsUser: 1010
containers:
- command:
- sleep
- "4800"
image: ubuntu
imagePullPolicy: Always
name: ubuntucontrolplane ~ ➜ k apply -f ubuntu-sleeper.yaml
pod/ubuntu-sleeper created
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
ubuntu-sleeper 1/1 Running 0 3s
controlplane ~ ➜ k exec -it ubuntu-sleeper -- whoami
whoami: cannot find name for user ID 1010
command terminated with exit code 1 -
Update pod ubuntu-sleeper to run as Root user and with the SYS_TIME capability.
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
ubuntu-sleeper 1/1 Running 0 2m48sAnswer
controlplane ~ ➜ k get po ubuntu-sleeper -o yaml > ubuntu-sleeper.yaml
controlplane ~ ➜ k delete po ubuntu-sleeper $now
Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely.
pod "ubuntu-sleeper" force deleted
controlplane ~ ➜ k get po
No resources found in default namespace.## ubuntu-sleeper.yaml
---
apiVersion: v1
kind: Pod
metadata:
name: ubuntu-sleeper
namespace: default
spec:
containers:
- command:
- sleep
- "4800"
image: ubuntu
name: ubuntu-sleeper
securityContext:
capabilities:
add: ["SYS_TIME"]controlplane ~ ➜ k apply -f ubuntu-sleeper.yaml
pod/ubuntu-sleeper created
controlplane ~ ➜ k get po
NAME READY STATUS RESTARTS AGE
ubuntu-sleeper 1/1 Running 0 6s
controlplane ~ ➜ k exec -it ubuntu-sleeper -- whoami
root -
How many network policies do you see in the environment?
Answer
controlplane ~ ➜ k api-resources | grep -i network
ingressclasses networking.k8s.io/v1 false IngressClass
ingresses ing networking.k8s.io/v1 true Ingress
networkpolicies netpol networking.k8s.io/v1 true NetworkPolicy
controlplane ~ ➜ k get netpol
NAME POD-SELECTOR AGE
payroll-policy name=payroll 37s -
Which pod is the Network Policy applied on?
controlplane ~ ➜ k get netpol
NAME POD-SELECTOR AGE
payroll-policy name=payroll 37sAnswer
controlplane ~ ➜ k describe networkpolicies.networking.k8s.io payroll-policy
Name: payroll-policy
Namespace: default
Created on: 2023-12-30 13:01:40 -0500 EST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: name=payroll
Allowing ingress traffic:
To Port: 8080/TCP
From:
PodSelector: name=internal
Not affecting egress traffic
Policy Types: Ingress -
Create a network policy to allow traffic from the Internal application only to the payroll-service and db-service. Use the spec given below. You might want to enable ingress traffic to the pod to test your rules in the UI.
-
Policy Name: internal-policy
-
Policy Type: Egress
-
Egress Allow: payroll
-
Payroll Port: 8080
-
Egress Allow: mysql
-
MySQL Port: 3306
Answer
## internal-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: internal-policy
namespace: default
spec:
podSelector:
matchLabels:
name: internal
policyTypes:
- Egress
- Ingress
ingress:
- {}
egress:
- to:
- podSelector:
matchLabels:
name: mysql
ports:
- protocol: TCP
port: 3306
- to:
- podSelector:
matchLabels:
name: payroll
ports:
- protocol: TCP
port: 8080
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCPNote: We have also allowed Egress traffic to TCP and UDP port. This has been added to ensure that the internal DNS resolution works from the internal pod.
controlplane ~ ➜ k apply -f internal-policy.yaml
networkpolicy.networking.k8s.io/internal-policy created
controlplane ~ ➜ k get networkpolicies.networking.k8s.io
NAME POD-SELECTOR AGE
internal-policy name=internal 3s
payroll-policy name=payroll 17m -