CKS Question #43: Real Exam Question with Answer & Explanation
This task tests your ability to create a Kubernetes RuntimeClass resource to enable gVisor (runsc) sandbox isolation, then patch existing Pods in a namespace to use it.
Question
Create a RuntimeClass named sandboxed using the prepared runtime handler named runsc. Update all Pods in the namespace server to run on gVisor. You can find a skeleton manifest file at /home/candidate/KSMV00301/runtime-class.yaml
Explanation
Approach. First, edit /home/candidate/KSMV00301/runtime-class.yaml to define a RuntimeClass with metadata.name: sandboxed and handler: runsc, then apply it with kubectl apply -f. Next, add spec.runtimeClassName: sandboxed to every Pod in the server namespace. Because most of a Pod's spec, including runtimeClassName, is immutable once the Pod exists, you must delete and recreate each Pod, or patch the owning controller (such as a Deployment) with kubectl patch or kubectl edit so that new Pods inherit the field. Finally, verify with kubectl get pods -n server -o jsonpath='{.items[*].spec.runtimeClassName}' and confirm that all Pods show sandboxed.
Concept tested. Kubernetes RuntimeClass (node.k8s.io/v1) - creating sandbox runtime profiles with gVisor (runsc handler) and applying runtimeClassName to workloads for stronger container isolation
Reference. https://kubernetes.io/docs/concepts/containers/runtime-class/
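The procedure from the Approach above as a script, added here as an example rather than taken from the exam material or the Kubernetes project. It assumes the Pods in server are owned by Deployments; the function names and the sample rows are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: put every Pod in namespace "server" on RuntimeClass "sandboxed".
NS=server
RC=sandboxed

# The content the skeleton runtime-class.yaml should end up with.
runtimeclass_manifest() {
cat <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: ${RC}
handler: runsc
EOF
}

# Reads "NAME RUNTIMECLASS" rows and prints the Pods that are NOT on $RC.
# custom-columns prints <none> for a Pod without the field, so stragglers
# stay visible (the jsonpath one-liner silently skips them).
unsandboxed_pods() {
  awk -v rc="$RC" 'NF && $2 != rc { print $1 }'
}

# One row per Pod: name and runtimeClassName.
list_pods() {
  kubectl get pods -n "$NS" --no-headers \
    -o custom-columns=NAME:.metadata.name,RUNTIME:.spec.runtimeClassName
}

# Assumption: workloads are Deployments. Patching the Pod template triggers a
# rollout; bare Pods are only reported and must be deleted and recreated by hand.
apply_all() {
  runtimeclass_manifest | kubectl apply -f -
  for d in $(kubectl get deploy -n "$NS" -o name); do
    kubectl patch -n "$NS" "$d" --type merge \
      -p "{\"spec\":{\"template\":{\"spec\":{\"runtimeClassName\":\"$RC\"}}}}"
    kubectl rollout status -n "$NS" "$d"
  done
  left=$(list_pods | unsandboxed_pods)
  [ -z "$left" ] || { echo "not sandboxed: $left" >&2; return 1; }
}

# Constructed sample of list_pods output, for trying the check offline.
sample_rows() {
  printf '%s\n' 'web-7d9f sandboxed' 'api-5c4b <none>' 'db-0 sandboxed'
}

# Touches the cluster only when asked to.
if [ "${1:-}" = "--apply" ]; then apply_all; fi
```

Run it with --apply against the cluster; without arguments it only defines the functions, so sample_rows | unsandboxed_pods can be tried offline.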