CKS · Question #3
CKS Question #3: Real Exam Question with Answer & Explanation
This simulation question tests your ability to configure the Kubernetes API server to use Webhook authorization mode, which delegates authorization decisions to an external HTTP service. You must locate and edit the API server manifest or configuration to set the correct flag.
Question
Ensure that the --authorization-mode argument is set to Webhook.
Explanation
This simulation question tests your ability to configure the Kubernetes API server to use Webhook authorization mode, which delegates authorization decisions to an external HTTP service. You must locate and edit the API server manifest or configuration to set the correct flag.
Approach. On a kubeadm-provisioned cluster, edit the API server static pod manifest at /etc/kubernetes/manifests/kube-apiserver.yaml and add or modify the flag --authorization-mode=Webhook (or append it to an existing list such as --authorization-mode=Node,RBAC,Webhook). If a --authorization-webhook-config-file flag is also required, point it to a valid kubeconfig-style webhook config file. Save the file - kubelet will automatically restart the API server pod to apply the change. Verify the pod restarts successfully with kubectl get pods -n kube-system.
Concept tested. Kubernetes API Server Authorization Modes - specifically enabling Webhook mode (--authorization-mode=Webhook) so that the API server calls an external HTTP endpoint to make authorization decisions, as opposed to built-in modes like RBAC, ABAC, or Node authorization.
Reference. https://kubernetes.io/docs/reference/access-authn-authz/webhook/
Topics
Community Discussion
No community discussion yet for this question.