CKS Question #13: Real Exam Question with Answer & Explanation
This question tests knowledge of Kubernetes ImagePolicyWebhook admission control, requiring you to enable the plugin, configure fail-closed (implicit deny) behavior, and verify the scanner rejects non-compliant image tags like 'latest'.
Question
A container image scanner is set up on the cluster. Given an incomplete configuration in the directory /etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local:8081/image_policy:
1. Enable the admission plugin.
2. Validate the control configuration and change it to implicit deny.
Finally, test the configuration by deploying a pod whose image tag is latest.
Explanation
Approach.
Step 1 - Enable the admission plugin: edit /etc/kubernetes/manifests/kube-apiserver.yaml, add ImagePolicyWebhook to --enable-admission-plugins, and point --admission-control-config-file at the config in /etc/kubernetes/confcontrol/ (e.g., admission_config.yaml).
Step 2 - Fix the AdmissionConfiguration: inside the config file, locate the imagePolicy block and set defaultAllow: false. This is the 'implicit deny' (fail-closed) setting: if the webhook at https://test-server.local:8081/image_policy is unreachable, all image requests are denied rather than allowed.
Step 3 - Validate that the kubeconfig referenced by the config file exists and correctly points at the HTTPS webhook endpoint.
Step 4 - Test by running kubectl run test --image=nginx:latest; the pod creation should be rejected by the admission webhook because the 'latest' tag is a policy violation (non-deterministic image), confirming that the scanner and implicit deny are both working correctly.
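As an added example (not the exam's own files), the shape of the admission_config.yaml and kubeconfig that Steps 2 and 3 refer to, together with a small shell check for the fail-closed setting and the scanner endpoint. The file names, TTL values and certificate paths are assumptions; the only values taken from the question are the /etc/kubernetes/confcontrol directory and the https://test-server.local:8081/image_policy endpoint.

```shell
# Constructed example, not the exam's own files: the AdmissionConfiguration and the
# kubeconfig that Steps 2 and 3 refer to, plus a check that the setup is fail-closed.
# File names, TTL values and certificate paths are assumptions. The kube-apiserver
# static pod must mount /etc/kubernetes/confcontrol (hostPath) to read these files.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
write_sample_config() {
  # defaultAllow: false is the implicit deny: an unreachable webhook denies every image
  cat > "$CONF_DIR/admission_config.yaml" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: $CONF_DIR/kubeconfig.yaml
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: false
EOF
  # kubeconfig the API server uses to call the scanner (placeholder certificate paths)
  cat > "$CONF_DIR/kubeconfig.yaml" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: image-scanner
  cluster:
    certificate-authority: /etc/kubernetes/confcontrol/PLACEHOLDER-ca.crt
    server: https://test-server.local:8081/image_policy
users:
- name: kube-apiserver
  user: {client-certificate: /etc/kubernetes/confcontrol/PLACEHOLDER.crt, client-key: /etc/kubernetes/confcontrol/PLACEHOLDER.key}
contexts:
- name: image-scanner
  context: {cluster: image-scanner, user: kube-apiserver}
current-context: image-scanner
EOF
}

# Returns 0 only if defaultAllow is false, the referenced kubeconfig exists and its
# server entry is the scanner's HTTPS endpoint; prints the first failing check otherwise.
check_image_policy_config() {
  cfg="$1"
  grep -Eq '^[[:space:]]*defaultAllow:[[:space:]]*false[[:space:]]*$' "$cfg" || { echo "FAIL: defaultAllow is not false (fail-open)"; return 1; }
  kc=$(sed -n 's/^[[:space:]]*kubeConfigFile:[[:space:]]*//p' "$cfg")
  [ -f "$kc" ] || { echo "FAIL: kubeConfigFile '$kc' does not exist"; return 1; }
  grep -Eq '^[[:space:]]*server:[[:space:]]*https://test-server\.local:8081/image_policy[[:space:]]*$' "$kc" || { echo "FAIL: kubeconfig server is not the HTTPS scanner endpoint"; return 1; }
  echo "OK: fail-closed, webhook $(sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$kc")"
}
```

Run write_sample_config and then check_image_policy_config "$CONF_DIR/admission_config.yaml" to see the OK line; the same check against a copy with defaultAllow: true reports the fail-open setting.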
Concept tested. Kubernetes ImagePolicyWebhook Admission Controller - specifically: (1) enabling a dynamic admission plugin on the kube-apiserver, (2) the difference between explicit allow (defaultAllow: true, fail-open) and implicit deny (defaultAllow: false, fail-closed), and (3) how webhook-based image scanning enforces supply chain security policies such as blocking untagged or 'latest'-tagged images at the API server level before a pod is scheduled.
Reference. Kubernetes docs: 'Using Admission Controllers > ImagePolicyWebhook' - https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook | CKS exam domain: Supply Chain Security