Question 1/40
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
A default-deny NetworkPolicy avoids accidentally exposing a Pod in a namespace that doesn't have any other NetworkPolicy defined.
Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress. The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.
Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.
You can find a skeleton manifest file at /home/cert_masters/network-policy.yaml
Correct Answer:
master1 $ k get pods -n test --show-labels
NAME       READY   STATUS    RESTARTS   AGE   LABELS
test-pod   1/1     Running   0          34s   role=test,run=test-pod
testing    1/1     Running   0          17d   run=testing
$ vim netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-network
  namespace: test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
master1 $ k apply -f netpol.yaml
Explanation
controlplane $ k get pods -n test --show-labels
NAME       READY   STATUS    RESTARTS   AGE   LABELS
test-pod   1/1     Running   0          34s   role=test,run=test-pod
testing    1/1     Running   0          17d   run=testing
master1 $ vim netpol1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-network
  namespace: test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
master1 $ k apply -f netpol1.yaml
Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/
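The empty podSelector and the two-entry policyTypes list are what make the manifest above a real default deny; small variations silently turn it into something weaker. The following Python script is an added example written for this page (not part of the original question, the answer key, or Kubernetes project code). It checks a manifest against the task's requirement and classifies each direction the way the API treats it. The manifests are constructed test data in the dict form that yaml.safe_load() returns, so the script runs without PyYAML or a cluster; the three mistaken variants are constructed here to show what the check catches.

```python
"""Checker: does a NetworkPolicy manifest really act as a namespace-wide
default deny?  Added example for this page, not exam or Kubernetes code.
Manifests below are constructed test data in the dict form that
yaml.safe_load() returns, so no PyYAML and no cluster are needed."""

from typing import Dict, List, Tuple

# The exam answer as a dict (constructed; mirrors netpol.yaml on this page).
EXAM_ANSWER = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-network", "namespace": "test"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

# Constructed mistakes that look similar but are not a default deny:
# 1. `ingress: [{}]` - one empty rule matches every peer, i.e. allow-all.
ALLOW_ALL_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-network", "namespace": "test"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"], "ingress": [{}]},
}
# 2. policyTypes omitted - the API defaults it to Ingress only, so egress stays open.
NO_POLICY_TYPES = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-network", "namespace": "test"},
    "spec": {"podSelector": {}},
}
# 3. A label selector - only Pods carrying role=test are isolated, not the namespace.
LABELLED_ONLY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-network", "namespace": "test"},
    "spec": {"podSelector": {"matchLabels": {"role": "test"}},
             "policyTypes": ["Ingress", "Egress"]},
}


def effective_policy_types(spec: Dict) -> List[str]:
    """Reproduce the API server's defaulting of spec.policyTypes: Ingress is
    always included, Egress only when the spec contains egress rules."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def classify_direction(spec: Dict, direction: str) -> str:
    """How the policy treats one direction for the Pods it selects:
    'unrestricted' - direction not in policyTypes; this policy says nothing about it
    'deny-all'     - direction listed but no rules, so nothing is allowed
    'allow-all'    - an empty rule {} matches all peers and ports
    'selective'    - explicit peer/port rules"""
    if direction not in effective_policy_types(spec):
        return "unrestricted"
    rules = spec.get(direction.lower()) or []
    if not rules:
        return "deny-all"
    if any(rule == {} for rule in rules):
        return "allow-all"
    return "selective"


def check_default_deny(doc: Dict, name: str, namespace: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for the task's requirement: the named policy in the
    namespace, an empty podSelector, and both Ingress and Egress denied."""
    problems: List[str] = []
    if doc.get("apiVersion") != "networking.k8s.io/v1" or doc.get("kind") != "NetworkPolicy":
        return False, ["not a networking.k8s.io/v1 NetworkPolicy"]
    meta = doc.get("metadata", {})
    if meta.get("name") != name:
        problems.append(f"metadata.name is {meta.get('name')!r}, expected {name!r}")
    if meta.get("namespace") != namespace:
        problems.append(f"metadata.namespace is {meta.get('namespace')!r}, expected {namespace!r}")
    spec = doc.get("spec", {})
    if spec.get("podSelector") != {}:
        problems.append("spec.podSelector must be {} so every Pod in the namespace is selected")
    for direction in ("Ingress", "Egress"):
        verdict = classify_direction(spec, direction)
        if verdict != "deny-all":
            problems.append(f"{direction} is {verdict}, expected deny-all")
    return not problems, problems


if __name__ == "__main__":
    for label, doc in [("exam answer", EXAM_ANSWER), ("ingress: [{}]", ALLOW_ALL_INGRESS),
                       ("no policyTypes", NO_POLICY_TYPES), ("label selector", LABELLED_ONLY)]:
        ok, problems = check_default_deny(doc, "deny-network", "test")
        print(f"{label}: {'OK' if ok else 'NOT default-deny'}", *problems, sep="\n  ")
```

To check a real file, load it with yaml.safe_load() and pass the result to check_default_deny. After applying the manifest, `kubectl describe networkpolicy deny-network -n test` should show no allowing rules for either direction, which confirms the selected Pods are isolated for both ingress and egress; a connectivity test from a temporary Pod inside the namespace should then time out.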
