CKS Question #24: Real Exam Question with Answer & Explanation
Question
Given an incomplete configuration in directory /etc/kubernetes/epconfig and a functional container image scanner with HTTPS endpoint https://wakanda.local:8081/image_policy:

1. Enable the necessary plugins to create an image policy.
2. Validate the control configuration and change it to an implicit deny.
Explanation
This question tests configuration of Kubernetes' ImagePolicyWebhook admission controller, which delegates pod image admission decisions to an external HTTPS webhook backend. The key tasks are enabling the plugin in kube-apiserver and setting the policy to fail-closed (implicit deny).
Approach. First, edit /etc/kubernetes/manifests/kube-apiserver.yaml to add ImagePolicyWebhook to the --enable-admission-plugins flag and add --admission-control-config-file pointing to the AdmissionConfiguration file inside /etc/kubernetes/epconfig (e.g., /etc/kubernetes/epconfig/admission_config.yaml). That AdmissionConfiguration must reference a kubeconfig file whose server entry points to https://wakanda.local:8081/image_policy, which the API server uses for the webhook calls. Finally, to enforce implicit deny, locate the ImagePolicyWebhook stanza in the AdmissionConfiguration and set defaultAllow: false. With this setting, if the webhook backend is unreachable, all image admission requests are denied (fail-closed) rather than silently allowed.
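The three files the approach describes, written out as an added worked example (this is not the exam's supplied configuration; the kubeconfig filename, the certificate paths and the hostPath mount are assumptions, and only the webhook URL and the epconfig directory come from the question). The kube-apiserver part is an excerpt of the static pod manifest showing just the lines that change; the volume mount matters because the API server runs in a container and cannot read /etc/kubernetes/epconfig unless the directory is mounted into it.

```yaml
# File 1: /etc/kubernetes/epconfig/admission_config.yaml
# AdmissionConfiguration loaded via --admission-control-config-file.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    configuration:
      imagePolicy:
        # kubeconfig describing how to reach the webhook backend (filename assumed)
        kubeConfigFile: /etc/kubernetes/epconfig/kubeconfig.yaml
        allowTTL: 50          # seconds to cache an "allow" verdict
        denyTTL: 50           # seconds to cache a "deny" verdict
        retryBackoff: 500     # milliseconds between retries to the backend
        # Implicit deny / fail-closed: if the backend cannot be reached,
        # the image is rejected instead of admitted. The weak setting is
        # defaultAllow: true, which silently admits every image on backend failure.
        defaultAllow: false
---
# File 2: /etc/kubernetes/epconfig/kubeconfig.yaml
# Standard kubeconfig; the "server" field is the scanner's HTTPS endpoint.
apiVersion: v1
kind: Config
clusters:
  - name: image-checker
    cluster:
      # CA that signed the scanner's TLS certificate (path assumed)
      certificate-authority: /etc/kubernetes/epconfig/server.crt
      server: https://wakanda.local:8081/image_policy
contexts:
  - name: image-checker
    context:
      cluster: image-checker
      user: api-server
current-context: image-checker
preferences: {}
users:
  - name: api-server
    user:
      # client certificate the API server presents to the scanner (paths assumed)
      client-certificate: /etc/kubernetes/epconfig/apiserver-client.crt
      client-key: /etc/kubernetes/epconfig/apiserver-client.key
---
# File 3 (excerpt): /etc/kubernetes/manifests/kube-apiserver.yaml
# Only the lines that change are shown; keep the rest of the manifest as-is.
spec:
  containers:
    - command:
        - kube-apiserver
        # append ImagePolicyWebhook to whatever plugins are already enabled
        - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
        - --admission-control-config-file=/etc/kubernetes/epconfig/admission_config.yaml
      volumeMounts:
        # make the epconfig directory visible inside the API server container
        - mountPath: /etc/kubernetes/epconfig
          name: epconfig
          readOnly: true
  volumes:
    - name: epconfig
      hostPath:
        path: /etc/kubernetes/epconfig
        type: DirectoryOrCreate
```

Saving the manifest makes the kubelet recreate the kube-apiserver static pod. If the API server does not come back within a minute or so, check the container logs on the control-plane node (crictl ps -a and crictl logs on the exited kube-apiserver container); a typo in the AdmissionConfiguration or a kubeconfig path the container cannot read is the usual cause. To confirm the policy is fail-closed, create a test pod while the scanner is unreachable and verify that the API server rejects it.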
Concept tested. Kubernetes ImagePolicyWebhook admission controller: enabling the plugin in kube-apiserver, wiring a kubeconfig-based webhook backend, and configuring fail-closed (implicit deny via defaultAllow: false) versus fail-open behavior.
Reference. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook