CKS System Hardening • Complete Question Bank
Complete CKS System Hardening question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test
    image: alpine
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```
Refer to the exhibit.
```
$ kubectl get nodes -o yaml | grep -A10 kubeletConfig
kubeletConfig:
  imageGCHighThresholdPercent: 85
  imageGCLowThresholdPercent: 80
  maxPods: 110
  podPidsLimit: -1
  resolvConf: /etc/resolv.conf
  rotateCertificates: true
```
Refer to the exhibit.
```
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        add: ["NET_ADMIN"]
```
Drag a concept onto its matching description — or click a concept then click the description.
Encrypts communication between etcd clients and the etcd server
Encrypts communication between etcd cluster members
Requires clients to present a valid certificate to access etcd
Encrypts etcd data stored on disk (requires manual configuration)
Limits which users or clients can perform operations on etcd keys
A custom seccomp profile is defined as follows:
```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["mkdir", "chmod"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
```
The profile is placed at /var/lib/kubelet/seccomp/deny-mkdir.json. Which pod securityContext configuration correctly applies this profile?
A pod spec includes the following securityContext:
```yaml
securityContext:
  seccompProfile:
    type: Localhost
    localhostProfile: custom-profile.json
```
Where should the custom seccomp profile 'custom-profile.json' be placed on the node?
A container is running with the following securityContext:
```yaml
securityContext:
  capabilities:
    drop: ["ALL"]
    add: ["NET_BIND_SERVICE"]
```
Which capabilities will the container have?
You need to apply a seccomp profile to all containers in a pod. The profile is named 'custom-profile.json' and is stored on each node at /var/lib/kubelet/seccomp/. Complete the following YAML snippet:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: ???
```
What should replace ???