Security

Question 1

v What is the command to create a service account?

Answer 1

k create serviceaccount <username></username>

Question 2

What component provides authorization for users?

Answer 2

kube-apiserver

Question 3

What are the 4 options for authorization?

Answer 3

• Static Password File
• Static Token File
• Certificates
• 3rd party Identity Services (such as LDAP)

Question 4

Where do you add the flag/option for specifying a static password file and what is the flag/option? (THIS IS NOT RECOMMENDED IN A PROD ENV)

Answer 4

You specify the static password file in the kube-apiserver.service or in the manifest in the spec section with with the –basic-auth-file=<filename></filename>

Question 5

Where do you add the flag/option for specifying a static password file and what is the flag/option? (THIS IS NOT RECOMMENDED IN A PROD ENV)

Answer 5

You specify the static password file in the or in the manifest in the spec section with with the –basic-auth-file=<filename></filename>

Question 6

What command will show you all the certificates used by the kube-apiserver?

Answer 6

cat /etc/kubernetes/manifests/kube-apiserver.yaml

Question 7

What command checks the content of a certificate?

Answer 7

openssl x509 -in /etc/kubrenetes/pki/apiserver.crt -text -noout

Question 8

What command generates kets for the CA?

Answer 8

openssl genrsa -out ca.key 2048

Question 9

What is the command to create a CSR for the CA?

Answer 9

openssl req -new -key ca.key -subj :/CN=KUBERNETES-CA” -out ca.csr

Question 10

What command signs certificates for the CA?

Answer 10

openssl x509 -req -in ca.csr signkey ca.key -out ca.crt

Question 11

What command creates a CSR for an admin user?

Answer 11

openssl req -new -key admin.key -subj :/CN=kube-admin/O=system:masters” -out admin.csr

Question 12

What command signs a CSR for an admin user?

Answer 12

openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -out admin.crt

Question 13

What are the names that are specified on the kube-apiserver certificate?

Answer 13

kubernetes
kubernetes.default
kubernetes.default.svc
kubernetes.default.svc.cluster.local
10.96.0.1
172.17.0.87

Question 14

What are the steps to adding new users via the certificates API?

Answer 14

1. Create CertificateSigningRequest Object
2. Review Requests
3. Approve Requests
4. Share Certs to Users

Question 15

What is the openssl command to generate a key for a new user?

Answer 15

openssl genrsa -out <user>.key 2048</user>

Question 16

What is the openssl command to generate a cert for a new user?

Answer 16

openssl req -new -key <user>.key -subj "/CN=<user>" -out <user>.csr</user></user></user>

Question 17

What is the command for an admin to see all CSR requests?

Answer 17

k get csr

Question 18

What are the attributes of a CSR definition file?

Answer 18

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: akshay
spec:
groups:
- system:authenticated
request: <Paste>
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth</Paste>

Question 19

What is the command to approve a csr request?

Answer 19

kubectl certificate approve <user></user>

Question 20

What is the command to get a user certificate?

Answer 20

k get csr <user> -o yaml under status.certificate and to decript: echo "xxx" | base64 --decode</user>

Question 21

What is the command to view the kubeconfig file?

Answer 21

k config view

or

k config view –kubeconfig=<filename></filename>

Question 22

What is the command to change context?

Answer 22

k config use-context <context_name></context_name>

Question 23

What is the name of the api group that is responsible for namespaces, pods, rc, events, endpoints, nodes, bindings, PV, PVC, configmaps, secrets, services?

Answer 23

core

Question 24

What are some examples of named APIs?

Answer 24

apps/
extensions/
networking.k8s.io/
storage.k8s.io/
authentication.k8s.io/
certificates.k8s.io/

Question 25

What are some examples of verbs under the named group for apps/v1/deployments?

Answer 25

get
list
create
delete
update
watch

Question 26

What is a command to list the named APIs?

Answer 26

curl http://localhost:6443 -k

You must use the:
k proxy

Question 27

What are the read permissions for node authorizer?

Answer 27

read: services, endpoints, nodes, pods

Question 28

What are the write permissions for node authorizer?

Answer 28

write: node status, pod status, events

Question 29

What are the different authorization-mode options?

Answer 29

–authorization-mode=Node,RBAC,Webhook

Question 30

What happens when an option specified in –authorization-mode denies a request?

Answer 30

If the first one deny the request, it will move to the next one

Question 31

What are the 3 parameters that are needed for setting rules in a Role definition file?

Answer 31

apiGroups, resources, verbs

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [””] # “” indicates the core API group
resources: [“pods”]
verbs: [“get”, “watch”, “list”]
- apiGroups: [””]
resources: [“ConfigMap”]
verbs: [“create”]

Question 32

How do you link a user to a role?

Answer 32

Create a role binding definition file.

apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows “jane” to read pods in the “default” namespace.
# You need to already have a Role named “pod-reader” in that namespace.
kind: RoleBinding
metadata:
name: read-pods-binding
namespace: default
subjects:
# You can specify more than one “subject”
- kind: User
name: jane # “name” is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
# “roleRef” specifies the binding to a Role / ClusterRole
kind: Role #this must be Role or ClusterRole
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io

Question 33

What is the command to list the roles?

Answer 33

kubectl get roles

Question 34

What is the command to list role bindings?

Answer 34

kubectl get rolebindings

Question 35

What is the command to see details about a role binding?

Answer 35

kubectl describe role read-pods-binding

Question 36

What is the command to see if you have access to an action?

Answer 36

kubectl auth can-i delete pods

Question 37

What is the command to see if a user has access to an action?

Answer 37

kubectl auth can-i create deployments –as dev-user –namespace test

Question 38

What are the namespaced scoped resources?

Answer 38

pods
replicasets
jobs
deployments
services
secrets
roles
rolebindings
configmaps
pvc

Question 39

What are the cluster scoped resources?

Answer 39

nodes
pv
clusterroles
clusterrolebindings
certificatesigningrequests
namespaces

Question 40

Can a cluster role be used for namespaced resources?

Answer 40

ClusterRole can be used for namespaced resources but will then be generic to all namespaces.

Question 41

What is the command to create a service account?

Answer 41

kubectl create serviceaccount <name></name>

Question 42

What command lists service accounts?

Answer 42

k get serviceaccount

Question 43

What command explains service accounts?

Answer 43

k describe serviceaccount <service_account_name></service_account_name>

Question 44

What command shows details about the service account’s token?

Answer 44

k describe secret <service_account_token_name></service_account_token_name>

Question 45

What is the command to create a private container repository?

Answer 45

kubectl create secret docker-registry regcred \
–docker-server=private-registry.io \
–docker-username=registry-user \
–docker-password=registry-password \
–docker-email=registry-user@org.com

Question 46

Capabilities are only available at what level?

Answer 46

Container level

Question 47

Container level security context overrides what level of security context?

Answer 47

The pod level

Question 48

What spec configuration sets security capabilities?

Answer 48

securityContext:

Example 1 –>
apiVersion: v1
kind: Pod
metadata:
name: web-pod
spec:
containers:
- image: ubuntu
name: ubuntu
command: [“sleep”, “3600”]
securityContext:
runAsUser: 1000

Example 2 –>
apiVersion: v1
kind: Pod
metadata:
name: web-pod
spec:
containers:
- image: ubuntu
name: ubuntu
command: [“sleep”, “3600”]
securityContext:
runAsUser: 1000
capabilities:
add: [“MAC_ADMIN”]

Question 49

What is the default network communication policy for pods?

Answer 49

By default every pod can communicate to every pod or services within the cluster.

Question 50

How do you assign a network policy to a pod?

Answer 50

Create a network policy definition, and assign using labels and selectors.