CKS Question #32: Real Exam Question with Answer & Explanation
Question
You must complete this task on the following cluster/nodes:
Cluster: KSSC00202
Master node: kssc00202-master
Worker node: kssc00202-worker1
You can switch the cluster/configuration context using the following command:
[candidate@cli] $ kubectl config use-context KSSC00202
Context
A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster's configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.
Task
You have to complete the entire task on the cluster's master node, where all services and files have been prepared and placed.
Given an incomplete configuration in directory /etc/kubernetes/epconfig and a functional container image scanner with HTTPS endpoint https://wakanda.local:8081/image_policy:
1. Enable the necessary plugins to create an image policy
2. Validate the control configuration and change it to an implicit deny
Explanation
This question tests configuration of Kubernetes ImagePolicyWebhook, an admission controller that delegates container image admission decisions to an external HTTPS webhook scanner. The key security concept is 'implicit deny' - ensuring images are rejected by default when the webhook is unreachable.
Approach.
1) SSH to the master node and inspect /etc/kubernetes/epconfig. It contains an incomplete AdmissionConfiguration YAML and a kubeconfig for the webhook: the AdmissionConfiguration's imagePolicy.kubeConfigFile field points at that kubeconfig, and the kubeconfig's cluster server field is where the webhook endpoint is set.
2) In the AdmissionConfiguration file, ensure the ImagePolicyWebhook stanza references the webhook endpoint (https://wakanda.local:8081/image_policy) through that kubeconfig and, critically, set defaultAllow: false. This enforces implicit deny: if the webhook is unavailable or returns an error, ALL image requests are rejected rather than allowed through.
3) Edit /etc/kubernetes/manifests/kube-apiserver.yaml to add ImagePolicyWebhook to the --enable-admission-plugins flag, and add --admission-control-config-file=/etc/kubernetes/epconfig/<config-file>.yaml pointing to the AdmissionConfiguration. Because kube-apiserver runs as a static pod, /etc/kubernetes/epconfig must also be mounted into the container with a hostPath volume and matching volumeMount; otherwise the API server cannot read the config file and will not start.
4) The kubelet detects the static pod manifest change and restarts kube-apiserver automatically; verify with kubectl get pods -n kube-system. If the API server does not come back, check the container state and logs on the master with crictl ps -a and crictl logs <container-id> for a configuration error.
Concept tested. Kubernetes ImagePolicyWebhook admission controller - enabling it via kube-apiserver admission plugins, wiring an external image scanning webhook, and configuring implicit deny (defaultAllow: false) so vulnerable or unscanned images are blocked even when the webhook is unreachable (fail-closed security posture). This is a CKS (Certified Kubernetes Security Specialist) exam objective under 'Supply Chain Security'.
Reference. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook