Question 12/41

On the cluster worker node, enforce the prepared AppArmor profile:

#include <tunables/global>

profile nginx-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}

Edit the prepared manifest file to include the AppArmor profile:

apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
spec:
  containers:
  - name: apparmor-pod
    image: nginx

Finally, apply the manifest file and create the Pod specified in it.
Verify: try to create a file inside a restricted directory.
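
One way to carry out the four steps above, as an added example that is not part of the original question. The profile path, manifest path and the /tmp/test target are assumptions; the profile, Pod and container names are the ones on the page.

```shell
#!/bin/sh
# Added example. PROFILE_FILE and MANIFEST are assumed paths (not given on the page).
PROFILE_NAME="nginx-deny"     # profile name from the page
POD_NAME="apparmor-pod"       # Pod and container name from the page
PROFILE_FILE="${PROFILE_FILE:-/etc/apparmor.d/nginx-deny}"
MANIFEST="${MANIFEST:-./apparmor-pod.yaml}"

# Print the manifest with the AppArmor annotation added. The key ends in the
# container name; the value is localhost/<profile loaded on the node>.
# (Kubernetes v1.30+ also accepts securityContext.appArmorProfile with
# type: Localhost and localhostProfile: nginx-deny.)
render_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${POD_NAME}
  annotations:
    container.apparmor.security.beta.kubernetes.io/${POD_NAME}: localhost/${PROFILE_NAME}
spec:
  containers:
  - name: ${POD_NAME}
    image: nginx
EOF
}

# Step 1, on the worker node: (re)load the profile and confirm it is loaded.
load_profile() {
  sudo apparmor_parser -r "$PROFILE_FILE" &&
    sudo aa-status | grep -q "$PROFILE_NAME"
}

# Steps 2 and 3: write the edited manifest and create the Pod.
deploy_pod() {
  render_manifest > "$MANIFEST" && kubectl apply -f "$MANIFEST"
}

# Step 4: pass only if the container runs under the profile AND a write is refused.
# Checking the label first avoids mistaking a failed exec for a denied write.
verify_denied() {
  kubectl exec "$POD_NAME" -- cat /proc/1/attr/current |
    grep -q "^${PROFILE_NAME} (enforce)" || return 1
  ! kubectl exec "$POD_NAME" -- touch /tmp/test 2>/dev/null
}
```

Run load_profile on the worker node, then deploy_pod and verify_denied from wherever kubectl is configured.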
