- Create a RuntimeClass named sandboxed with handler runsc (gVisor) and run a new Pod with image nginx that sets runtimeClassName: sandboxed.
- Set the minimum TLS version to VersionTLS12 and the cipher suite to TLS_AES_128_GCM_SHA256 for the kubelet (tlsMinVersion and tlsCipherSuites in the KubeletConfiguration) and the kube-apiserver (--tls-min-version and --tls-cipher-suites). The apiserver accepts the TLS 1.3 suite name, but Go only applies the cipher list to TLS 1.2 handshakes.
- etcd with --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
- Node authorization: run the kube-apiserver with --authorization-mode=Node,RBAC, minimize the ClusterRole's permissions, remove the ClusterRole/ClusterRoleBinding that is no longer needed, and disable anonymous access (--anonymous-auth=false).
- ImagePolicyWebhook with default deny (defaultAllow: false in the AdmissionConfiguration) and the correct webhook endpoint URL in the server field of the kubeconfig file the configuration points to.
- Auditing with --audit-log-maxage=10 and --audit-log-maxbackup=5 (keep 5 rotated files), together with --audit-policy-file and --audit-log-path.
- Falco: change a rule's output to a comma-separated format such as %evt.time,%user.name,%user.uid,%proc.name (a bare %evt is not a Falco field; the fields are evt.time and user.uid).
- NetworkPolicy: default deny, then allow only a Pod selected by a name label in a namespace selected by a namespaceSelector (podSelector and namespaceSelector in the same from entry).
- Create a ServiceAccount, bind it with a RoleBinding/ClusterRoleBinding, create a Pod that uses it, and delete the unused ServiceAccount.
- Create a Secret and mount it into a Pod as a read-only volume.
- Create a ServiceAccount with automountServiceAccountToken: false.
- Create a Pod named xyz with image nginx confined by the AppArmor profile in /root/profile: load the profile on the node with apparmor_parser and reference its name (not the path) in the container.apparmor.security.beta.kubernetes.io/<container> annotation.
- Analyse and fix two issues each in a Dockerfile and a Deployment manifest.
- Scan the Pods' images with trivy and delete the Pods whose images carry CRITICAL-severity vulnerabilities.
- Fix the kube-bench findings for kube-apiserver, kubelet and kube-controller-manager.
- Upgrade the Kubernetes cluster from 1.25.4 to 1.26.0 with kubeadm.
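The RuntimeClass task and the AppArmor task above, as an added example that is not part of the original page: a POSIX shell script whose functions emit the manifests so they can be checked before kubectl applies them. The gVisor handler being registered on the node as runsc, the profile name declared inside /root/profile and the container name nginx are assumptions, not given on the page.

```shell
#!/bin/sh
# Added example for the RuntimeClass (gVisor) and AppArmor pod tasks; not
# from the original page. Assumptions: containerd on the node has a runtime
# handler called "runsc", /root/profile declares an AppArmor profile and
# the container in pod xyz is named "nginx".
set -eu

runtimeclass_manifest() {
  cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: sandboxed
handler: runsc
EOF
}

sandboxed_pod_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: sandboxed-nginx
spec:
  runtimeClassName: sandboxed
  containers:
  - name: nginx
    image: nginx
EOF
}

# The annotation takes the profile *name* declared inside the file
# (localhost/<name>), never the file path /root/profile. Read the name from
# the line that opens the profile: "profile NAME ... {" or "NAME {".
apparmor_profile_name() {
  awk '$1 == "profile" { print $2; exit }
       $1 !~ /^#/ && $NF == "{" { print $1; exit }' "$1"
}

apparmor_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: xyz
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: localhost/$1
spec:
  containers:
  - name: nginx
    image: nginx
EOF
}

# Node side (as root on the node that will run pod xyz): load the profile
# into the kernel and confirm it is listed, otherwise the pod stays Blocked.
load_apparmor_profile() {
  apparmor_parser -q "$1"
  aa-status | grep -q "$(apparmor_profile_name "$1")"
}

if [ "${1:-}" = "apply" ]; then
  runtimeclass_manifest | kubectl apply -f -
  sandboxed_pod_manifest | kubectl apply -f -
  name=$(apparmor_profile_name /root/profile)
  apparmor_pod_manifest "$name" | kubectl apply -f -
  # Verification: gVisor prints its own kernel banner; the AppArmor pod
  # reports "<name> (enforce)" for its init process.
  kubectl exec sandboxed-nginx -- dmesg | head -n 1
  kubectl exec xyz -- cat /proc/1/attr/current
fi
```

Run it with the argument apply on a machine with kubectl access after loading the profile on the node; without an argument it only defines the functions.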
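For the TLS, etcd, authorization, audit-flag and kube-bench items above, an added example that is not from the page: after editing the static Pod manifests and the kubelet configuration, it checks that every required setting is present with exactly the expected value, which is what kube-bench will re-check. Paths are the kubeadm defaults; the audit policy path /etc/kubernetes/audit/policy.yaml is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): verify the control-plane and
# kubelet hardening settings listed above after editing the files. kubeadm
# default paths; the audit policy file path is an assumption.
set -eu

MANIFESTS=${MANIFESTS:-/etc/kubernetes/manifests}
KUBELET_CONF=${KUBELET_CONF:-/var/lib/kubelet/config.yaml}

# has_flag FILE FLAG VALUE: true when the static pod's args contain exactly
# "- --FLAG=VALUE". Anchoring the whole value rejects e.g.
# --authorization-mode=Node,RBAC,AlwaysAllow, which a substring match would pass.
has_flag() {
  grep -Eq -- "^[[:space:]]*-[[:space:]]*--$2=$3[[:space:]]*$" "$1"
}

# Prints one line per expectation ("ok"/"MISSING") and returns the number
# of missing settings, so 0 means everything is in place.
check_control_plane() {
  api="$MANIFESTS/kube-apiserver.yaml"
  etcd="$MANIFESTS/etcd.yaml"
  missing=0
  while IFS='|' read -r file flag value; do
    if has_flag "$file" "$flag" "$value"; then
      echo "ok       $(basename "$file") --$flag=$value"
    else
      echo "MISSING  $(basename "$file") --$flag=$value"
      missing=$((missing + 1))
    fi
  done <<EOF
$api|tls-min-version|VersionTLS12
$api|tls-cipher-suites|TLS_AES_128_GCM_SHA256
$api|authorization-mode|Node,RBAC
$api|anonymous-auth|false
$api|audit-policy-file|/etc/kubernetes/audit/policy.yaml
$api|audit-log-maxage|10
$api|audit-log-maxbackup|5
$etcd|cipher-suites|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EOF
  return "$missing"
}

# KubeletConfiguration is YAML, not flags: the two keys live at top level.
check_kubelet() {
  grep -Eq '^tlsMinVersion:[[:space:]]*VersionTLS12[[:space:]]*$' "$KUBELET_CONF" &&
  grep -Eq '^tlsCipherSuites:' "$KUBELET_CONF" &&
  grep -Eq '^[[:space:]]*-[[:space:]]*TLS_AES_128_GCM_SHA256[[:space:]]*$' "$KUBELET_CONF"
}

if [ "${1:-}" = "run" ]; then
  # kube-bench names the failing checks; this script confirms the fix took.
  check_control_plane || echo "$? setting(s) still missing"
  check_kubelet && echo "ok       kubelet TLS settings"
  # The kubelet only re-reads its config on restart; static pods restart on
  # their own when the manifest file changes.
  echo "next: systemctl restart kubelet && kube-bench run --targets master,node"
fi
```

Run it with the argument run on the control-plane node; the MANIFESTS and KUBELET_CONF variables can be pointed at copies of the files when checking offline.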
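For the ImagePolicyWebhook and audit items above, an added example that is not from the page: the three files the kube-apiserver needs (AdmissionConfiguration, the webhook kubeconfig, the audit Policy) written by shell functions, the flags that wire them in, and two small extractors to confirm defaultAllow and the server URL in an existing file. The directory /etc/kubernetes/admission, the webhook URL, the certificate file names and the audit log path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page) for the ImagePolicyWebhook and
# audit tasks. Assumed paths: /etc/kubernetes/admission for the webhook
# files, /etc/kubernetes/audit/policy.yaml for the policy and
# /var/log/kubernetes/audit/audit.log for the log.
set -eu

admission_config() {
  cat <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: /etc/kubernetes/admission/kubeconfig.yaml
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: false   # default deny: unreachable webhook => pods rejected
EOF
}

# webhook_kubeconfig URL: kubeconfig the apiserver uses to call the webhook.
# The exam-style bug is a placeholder in "server:"; pass the real endpoint.
webhook_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: image-checker
  cluster:
    certificate-authority: /etc/kubernetes/admission/webhook-ca.crt
    server: $1
contexts:
- name: image-checker
  context:
    cluster: image-checker
    user: api-server
current-context: image-checker
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/admission/apiserver-client.crt
    client-key: /etc/kubernetes/admission/apiserver-client.key
EOF
}

# Secrets are logged at Metadata level on purpose: RequestResponse would
# copy secret bodies into the audit log.
audit_policy() {
  cat <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
- RequestReceived
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse
  resources:
  - group: ""
    resources: ["pods"]
- level: Metadata
EOF
}

# Flags to add to the kube-apiserver static pod. Directories outside
# /etc/kubernetes/pki are not mounted by default: add hostPath volumes for
# /etc/kubernetes/admission, /etc/kubernetes/audit and /var/log/kubernetes/audit.
apiserver_flags() {
  cat <<'EOF'
    - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
    - --admission-control-config-file=/etc/kubernetes/admission/admission-config.yaml
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit/audit.log
    - --audit-log-maxage=10
    - --audit-log-maxbackup=5
EOF
}

# Extractors used to check an existing (possibly wrong) file.
admission_default_allow() { awk '$1 == "defaultAllow:" { print $2; exit }' "$1"; }
kubeconfig_server()       { awk '$1 == "server:"       { print $2; exit }' "$1"; }

if [ "${1:-}" = "write" ]; then
  mkdir -p /etc/kubernetes/admission /etc/kubernetes/audit /var/log/kubernetes/audit
  admission_config > /etc/kubernetes/admission/admission-config.yaml
  webhook_kubeconfig "${2:?usage: write WEBHOOK_URL}" > /etc/kubernetes/admission/kubeconfig.yaml
  audit_policy > /etc/kubernetes/audit/policy.yaml
  apiserver_flags
  echo "add the flags above to /etc/kubernetes/manifests/kube-apiserver.yaml, then watch: crictl ps | grep kube-apiserver"
fi
```

If the apiserver does not come back after the manifest edit, check the container log under /var/log/pods for a missing file or mount; with defaultAllow false every Pod creation is rejected until the webhook is reachable, which is the intended fail-closed behaviour.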
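For the Falco item above, an added example that is not from the page: a self-contained rule whose output is the comma-separated record requested (using the real field names evt.time and user.uid), a filter that strips Falco's "<time>: <Priority>" prefix from stdout so only the record remains, and the invocation that runs Falco for a fixed window. The rule name, the path /etc/falco/falco_rules.local.yaml, the 30-second window and the output file /opt/falco.log are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page) for the Falco formatting task.
# Assumptions: rules go in /etc/falco/falco_rules.local.yaml, the capture
# window is 30 s and the result must land in /opt/falco.log.
set -eu

RULES=${RULES:-/etc/falco/falco_rules.local.yaml}

# Self-contained rule (no dependency on macros from falco_rules.yaml).
# Field names must be real Falco fields: evt.time, user.uid (there is no
# bare "evt" or "user.id"). Output is written without spaces so each
# event becomes a single CSV record.
falco_rule() {
  cat <<'EOF'
- rule: Shell spawned in container
  desc: A shell was started inside a container (added example rule)
  condition: >
    evt.type = execve and evt.dir = < and container.id != host
    and proc.name in (sh, bash, dash, ash, zsh)
  output: "%evt.time,%user.name,%user.uid,%proc.name"
  priority: WARNING
EOF
}

# Falco prints "<time>: <Priority> <output>" on stdout; keep only the
# output part, which is the CSV record the task asks for.
falco_csv_lines() {
  awk '$2 ~ /^(Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug)$/ { print $3 }'
}

if [ "${1:-}" = "run" ]; then
  falco_rule > "$RULES"
  falco --validate "$RULES"
  # -M: stop after N seconds; -U: unbuffered so the file is complete on exit.
  falco -U -M 30 -r "$RULES" | falco_csv_lines > /opt/falco.log
  # Trigger from another terminal: kubectl exec <pod> -- sh -c 'id'
fi
```

Passing -r makes Falco load only this file, which is why the rule avoids macros such as container and shell_procs from the default rule set; if the exam asks you to change an existing rule instead, copy it into the local file with the new output line and keep the default rules loaded.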
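For the NetworkPolicy item above, an added example, not from the page: a default-deny policy for a namespace, the DNS egress exception that default-deny egress otherwise breaks, and an allow policy that admits only Pods labelled app=frontend from namespaces labelled team=web. The namespace, label values and port are assumptions. The point to get right is that podSelector and namespaceSelector sit under the same from entry (one dash); as two entries they are OR-ed and every Pod in the selected namespaces gets through, which the from_entries check catches.

```shell
#!/bin/sh
# Added example (not from the original page) for the NetworkPolicy task.
# Assumed names/labels: namespace "backend" is locked down, clients are
# pods labelled app=frontend in namespaces labelled team=web, port 8080.
set -eu

NS=${NS:-backend}

default_deny_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: $NS
spec:
  podSelector: {}          # every pod in the namespace
  policyTypes: [Ingress, Egress]
EOF
}

# AND semantics: both selectors under ONE "- " entry. Splitting them into
# two entries ("- podSelector" / "- namespaceSelector") ORs them and lets
# every pod of the selected namespaces in.
allow_frontend_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: $NS
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: web
      podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
EOF
}

# Default-deny egress also blocks DNS; without this the pods cannot resolve
# anything. kube-dns pods carry k8s-app=kube-dns in kube-system.
allow_dns_egress_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: $NS
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# from_entries < MANIFEST: number of "- " items under "from:"; the allow
# policy must report exactly 1, otherwise the selectors were split.
from_entries() {
  awk '/^  - from:/ { infrom = 1; next }
       infrom && /^    - / { n++ }
       infrom && /^    [^ -]/ { infrom = 0 }
       END { print n + 0 }'
}

if [ "${1:-}" = "apply" ]; then
  [ "$(allow_frontend_policy | from_entries)" = 1 ]
  { default_deny_policy; echo ---; allow_dns_egress_policy; echo ---; allow_frontend_policy; } | kubectl apply -f -
  kubectl describe networkpolicy -n "$NS" allow-frontend
fi
```

kubectl describe shows the combined selector as a single "From:" block with both NamespaceSelector and PodSelector; two separate "From:" blocks mean the policy is wider than intended.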
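For the ServiceAccount, RBAC binding, read-only Secret mount and unused-ServiceAccount items above, an added example that is not from the page: the manifests as shell functions, the kubectl auth can-i checks that prove the binding is as narrow as intended, and a small function that computes which ServiceAccounts no Pod references from two kubectl jsonpath outputs. The namespace app, the names app-sa, pod-reader and app-secret are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page) for the ServiceAccount, RBAC,
# read-only Secret mount and unused-SA items. Namespace "app", SA "app-sa",
# Role "pod-reader" and Secret "app-secret" are assumed names.
set -eu

NS=${NS:-app}

# ServiceAccount with token automount off: the pod gets no API credentials
# unless it asks for them explicitly (automountServiceAccountToken on the
# Pod overrides the SA setting).
service_account() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: $NS
automountServiceAccountToken: false
EOF
}

# Least privilege: a namespaced Role with one verb set, bound to the SA.
# Use ClusterRole + ClusterRoleBinding only when cluster-wide access is required.
role_and_binding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-pod-reader
  namespace: $NS
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: $NS
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Pod that runs as the SA and mounts the Secret read-only. readOnly on the
# volumeMount makes writes fail inside the container; be explicit even
# though secret volumes are mounted read-only by the kubelet anyway.
pod_with_secret() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: $NS
spec:
  serviceAccountName: app-sa
  containers:
  - name: app
    image: nginx
    volumeMounts:
    - name: creds
      mountPath: /etc/creds
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: app-secret
EOF
}

# unused_service_accounts "SA names" "SA names used by pods": prints SAs
# that no pod references. "default" is excluded: deleting it is pointless,
# the controller recreates it.
unused_service_accounts() {
  used=$(mktemp)
  printf '%s\n' $2 default | sort -u > "$used"   # word splitting intended
  printf '%s\n' $1 | sort -u | grep -vxF -f "$used" || true
  rm -f "$used"
}

if [ "${1:-}" = "apply" ]; then
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl create secret generic app-secret -n "$NS" --from-literal=password=changeme
  { service_account; echo ---; role_and_binding; echo ---; pod_with_secret; } | kubectl apply -f -
  kubectl auth can-i list pods -n "$NS" --as "system:serviceaccount:$NS:app-sa"             # yes
  kubectl auth can-i delete pods -n "$NS" --as "system:serviceaccount:$NS:app-sa" || true   # no
  unused_service_accounts \
    "$(kubectl get sa -n "$NS" -o jsonpath='{.items[*].metadata.name}')" \
    "$(kubectl get pods -n "$NS" -o jsonpath='{.items[*].spec.serviceAccountName}')" |
    xargs -r -n1 kubectl delete sa -n "$NS"
fi
```

The jsonpath for Pods returns serviceAccountName only when it is set explicitly; Pods that silently use default are covered because default is never listed for deletion.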
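For the Dockerfile/Deployment review and the trivy items above, an added example that is not from the page: two checkers that flag the findings these tasks usually turn on (unpinned images, running as root, privileged containers, privilege escalation, a writable root filesystem) and a function that uses trivy's exit code to list the Pods whose images have CRITICAL findings. The namespace prod and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page) for the Dockerfile/Deployment
# review and the trivy task. The checks cover the findings these tasks
# usually turn on: unpinned images, running as root, privileged containers
# and a writable root filesystem. Namespace "prod" is an assumption.
set -eu

# dockerfile_issues FILE: one finding per line.
dockerfile_issues() {
  awk -v f="$1" '
    toupper($1) == "FROM" {
      img = $2
      if (img !~ /[:@]/ || img ~ /:latest$/)
        print f ":" NR ": FROM " img " is not pinned to a tag or @sha256 digest"
    }
    toupper($1) == "USER" { user = $2; uline = NR }
    END {
      if (user == "")
        print f ": no USER instruction, the container runs as root"
      else if (user == "root" || user ~ /^0(:|$)/)
        print f ":" uline ": USER " user " runs the container as root"
    }' "$1"
}

# deployment_issues FILE: grep-based checks against a Deployment manifest.
deployment_issues() {
  f="$1"
  grep -En 'privileged:[[:space:]]*true'               "$f" | sed "s|^|$f:|; s|$|  privileged container (full host access)|"
  grep -En 'runAsUser:[[:space:]]*0[[:space:]]*$'      "$f" | sed "s|^|$f:|; s|$|  runs as uid 0|"
  grep -En 'allowPrivilegeEscalation:[[:space:]]*true' "$f" | sed "s|^|$f:|; s|$|  allows setuid/capability gain|"
  grep -En 'image:.*:latest[[:space:]]*$'              "$f" | sed "s|^|$f:|; s|$|  unpinned :latest image|"
  grep -Eq 'readOnlyRootFilesystem:[[:space:]]*true' "$f" ||
    echo "$f: readOnlyRootFilesystem is not true"
  return 0
}

# Pods whose images carry CRITICAL findings. trivy's --exit-code turns the
# scan result into a status, so no JSON parsing is needed. A scan error
# (e.g. image pull failure) also returns non-zero, so read the output
# before deleting anything on a real cluster.
critical_pods() {
  ns="$1"
  kubectl get pods -n "$ns" \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}' |
  while read -r pod images; do
    for img in $images; do
      if ! trivy image --quiet --severity CRITICAL --exit-code 1 "$img" >/dev/null; then
        echo "$pod"
        break
      fi
    done
  done
}

if [ "${1:-}" = "run" ]; then
  dockerfile_issues ./Dockerfile
  deployment_issues ./deployment.yaml
  critical_pods prod | xargs -r kubectl delete pod -n prod
fi
```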
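For the cluster upgrade item above, an added example that is not from the page: the kubeadm sequence for a control-plane node and for a worker, with the packages pinned before and after, and a guard that refuses the upgrade when the target skips a minor version (kubeadm only upgrades one minor at a time). A Debian/Ubuntu node using the apt.kubernetes.io package naming (1.26.0-00) is assumed; the node name is passed in.

```shell
#!/bin/sh
# Added example (not from the original page) for the kubeadm upgrade task
# 1.25.4 -> 1.26.0. Assumes Debian/Ubuntu with the apt.kubernetes.io
# packages (versions like 1.26.0-00) and a kubeadm-built cluster; the node
# name is passed in.
set -eu

# upgrade_path_ok FROM TO: kubeadm refuses to skip a minor version, so the
# only legal targets are the same minor (patch bump) or the next minor.
upgrade_path_ok() {
  fmaj=${1%%.*}; rest=${1#*.}; fmin=${rest%%.*}
  tmaj=${2%%.*}; rest=${2#*.}; tmin=${rest%%.*}
  [ "$fmaj" = "$tmaj" ] && [ "$tmin" -ge "$fmin" ] && [ "$tmin" -le $((fmin + 1)) ]
}

# pin_packages VERSION PKG...: unhold, install the exact version, hold again
# so unattended upgrades cannot move the node to a newer kubelet by accident.
pin_packages() {
  ver="$1"; shift
  apt-mark unhold "$@"
  pkgs=""
  for p in "$@"; do pkgs="$pkgs $p=$ver-00"; done
  apt-get update && apt-get install -y $pkgs   # word splitting intended
  apt-mark hold "$@"
}

# First control-plane node: kubeadm first, then the control plane, then
# the node's kubelet/kubectl with the node drained.
upgrade_control_plane() {
  node="$1"; ver="$2"
  upgrade_path_ok "$(kubeadm version -o short | sed 's/^v//')" "$ver"
  pin_packages "$ver" kubeadm
  kubeadm upgrade plan
  kubeadm upgrade apply "v$ver" -y
  kubectl drain "$node" --ignore-daemonsets
  pin_packages "$ver" kubelet kubectl
  systemctl daemon-reload && systemctl restart kubelet
  kubectl uncordon "$node"
}

# Worker nodes (drain them from the control plane first, then run this on
# the worker): "kubeadm upgrade node" only refreshes the kubelet config.
upgrade_worker() {
  ver="$1"
  pin_packages "$ver" kubeadm
  kubeadm upgrade node
  pin_packages "$ver" kubelet kubectl
  systemctl daemon-reload && systemctl restart kubelet
}

if [ "${1:-}" = "control-plane" ]; then
  upgrade_control_plane "${2:?node name}" 1.26.0
  kubectl get nodes   # VERSION column must show v1.26.0 for this node
elif [ "${1:-}" = "worker" ]; then
  upgrade_worker 1.26.0
fi
```

kubectl get nodes reports the kubelet version, so a node still showing v1.25.4 after kubeadm upgrade apply means the kubelet package step or the restart was skipped.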