This lab provides practice scenarios to help prepare you for the Certified Kubernetes Security Specialist (CKS) exam. You will be presented with tasks to complete, as well as server(s) and/or an existing Kubernetes cluster to complete them in. You will need to use your knowledge of Kubernetes to successfully complete the provided tasks, much like you would on the real CKS exam. Good luck!
Successfully complete this lab by achieving the following learning objectives:
- Configure Admission Control
The cluster needs to be configured to scan incoming container images before running workloads. An image scanning service is already set up.
Modify the admission control configuration so that it will implicitly deny images, even if the image scanning service is unreachable. The global admission control configuration is at /etc/kubernetes/admission-control/admission-control.conf, and the specific configuration for the admission controller is at
- Set the URL of the Image Scanning Service
Add the URL of the image scanning service to the kubeconfig used by the admission controller.
The service can be reached at
- Enable the Admission Control Plugin(s)
In the kube-apiserver manifest, enable any admission control plugin(s) necessary to scan images.
There are two Pod manifests in /home/cloud_user on the CLI server. If your setup is working, no-vulns-pod.yml should pass image validation, while vulns-pod.yml should fail due to vulnerabilities.
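
The three objectives above touch three files plus the API server flags. The sketch below is an added example, not the lab's own files: it assumes the built-in ImagePolicyWebhook admission plugin is the one in use, and every value in angle brackets, along with the cluster and user names, is a placeholder for something this page does not give.

```yaml
# Added example; placeholders in <angle brackets> are not given on the page.
# --- File 1: /etc/kubernetes/admission-control/admission-control.conf
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    path: <plugin-config-path>        # the plugin-specific file (File 2)
---
# --- File 2: plugin-specific configuration for ImagePolicyWebhook
imagePolicy:
  kubeConfigFile: <kubeconfig-path>   # File 3
  allowTTL: 50        # seconds to cache an "allowed" verdict
  denyTTL: 50         # seconds to cache a "denied" verdict
  retryBackoff: 500   # milliseconds between retries to the backend
  # Weak setting:  defaultAllow: true  -> images are admitted when the
  # scanner cannot be reached (fail open).
  defaultAllow: false # fail closed: backend unreachable means deny
---
# --- File 3: kubeconfig the API server uses to reach the scanner
apiVersion: v1
kind: Config
clusters:
  - name: image-scanner               # constructed name
    cluster:
      certificate-authority: <ca-cert-path>
      server: <image-scanning-service-url>
users:
  - name: api-server                  # constructed name
    user:
      client-certificate: <client-cert-path>
      client-key: <client-key-path>
contexts:
  - name: image-scanner
    context:
      cluster: image-scanner
      user: api-server
current-context: image-scanner
---
# --- Fragment of the kube-apiserver static Pod manifest (container command)
# Keep whatever plugins are already enabled; NodeRestriction is assumed here.
command:
  - kube-apiserver
  - --admission-control-config-file=/etc/kubernetes/admission-control/admission-control.conf
  - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
```

All three files must be readable from inside the kube-apiserver container (for example through a hostPath volume mount), otherwise the API server will not come back up after the manifest change.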