CKS Question #56: Real Exam Question with Answer & Explanation
This task tests the ability to harden a Kubernetes API server that was deliberately misconfigured to allow unauthenticated/unauthorized access, by restoring proper authorization modes, admission controllers, and removing a dangerous ClusterRoleBinding.
Question
Reconfigure the cluster's Kubernetes API server to ensure that only authenticated and authorized REST requests are allowed. Use authorization mode Node,RBAC and admission controller NodeRestriction. Cleaning up, remove the ClusterRoleBinding for user:system:anonymous.
You must complete this task on the following cluster/nodes:
Master node: KSCH00101-master
Worker node: ksch00101-worker1
You can switch the cluster/configuration context using the following command: `kubectl config use-context KSCH00101`
Context: The kubeadm-created cluster's Kubernetes API server was, for testing purposes, temporarily configured to allow unauthenticated and unauthorized access, granting the anonymous user cluster-admin access.
Explanation
Approach. Switch to the correct context with `kubectl config use-context KSCH00101`, then SSH into the master node and edit the static pod manifest at /etc/kubernetes/manifests/kube-apiserver.yaml. In that file, set --authorization-mode=Node,RBAC, ensure --enable-admission-plugins=NodeRestriction is present (adding it if it is not), and remove --anonymous-auth=true or set it to false if it was explicitly enabled. After saving, the kubelet automatically restarts the API server static pod. Finally, from a kubectl-accessible context, identify and delete the offending ClusterRoleBinding with `kubectl get clusterrolebinding | grep anonymous` followed by `kubectl delete clusterrolebinding <name>`; this removes the cluster-admin privilege granted to system:anonymous.
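As an added example (not part of the exam page, and not kubeadm's or the exam's own tooling), the following POSIX shell script performs the manifest edit described above in a repeatable way and checks the result. The sample manifest and the sample `kubectl get clusterrolebinding -o wide` output are constructed; the specific misconfiguration shown (AlwaysAllow, AlwaysAdmit, --anonymous-auth=true) is an assumption about what the test cluster looks like, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the exam page's or kubeadm's own tooling): rewrite the
# kube-apiserver static pod manifest to the settings the task asks for, then
# verify the result. Function names and the sample manifest are constructed.

# Constructed sample: a manifest carrying the misconfiguration the task
# describes (assumption: AlwaysAllow / AlwaysAdmit / anonymous-auth=true).
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --enable-admission-plugins=AlwaysAdmit
    - --secure-port=6443
    image: registry.k8s.io/kube-apiserver:v1.29.0
    name: kube-apiserver
EOF
}

# Rewrite the security-relevant flags (awk + temp file, so no GNU-only sed -i):
#  1. --authorization-mode=Node,RBAC  (Node first: authorizers are tried in order)
#  2. --enable-admission-plugins keeps existing plugins, drops AlwaysAdmit and
#     appends NodeRestriction; if the manifest has no such flag at all, it is
#     added right after the authorization-mode line
#  3. an explicit --anonymous-auth=true line is dropped; with Node,RBAC and no
#     binding, system:anonymous is authenticated but authorized to nothing
harden_manifest() {
  f="$1"
  has_adm=0
  grep -q -- '--enable-admission-plugins=' "$f" && has_adm=1
  awk -v has_adm="$has_adm" '
    /^[ \t]*- --authorization-mode=/ {
      match($0, /^[ \t]*- /); prefix = substr($0, 1, RLENGTH)
      print prefix "--authorization-mode=Node,RBAC"
      if (!has_adm) print prefix "--enable-admission-plugins=NodeRestriction"
      next
    }
    /^[ \t]*- --enable-admission-plugins=/ {
      match($0, /^[ \t]*- /); prefix = substr($0, 1, RLENGTH)
      n = split(substr($0, index($0, "=") + 1), parts, ",")
      out = ""; seen = 0
      for (i = 1; i <= n; i++) {
        if (parts[i] == "" || parts[i] == "AlwaysAdmit") continue
        if (parts[i] == "NodeRestriction") seen = 1
        out = out (out == "" ? "" : ",") parts[i]
      }
      if (!seen) out = out (out == "" ? "" : ",") "NodeRestriction"
      print prefix "--enable-admission-plugins=" out
      next
    }
    /^[ \t]*- --anonymous-auth=true[ \t]*$/ { next }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 only when the manifest carries the hardened settings.
verify_manifest() {
  f="$1"
  grep -q '^[[:space:]]*- --authorization-mode=Node,RBAC$' "$f" || return 1
  grep -q -- '--enable-admission-plugins=.*NodeRestriction' "$f" || return 1
  grep -q -- '--enable-admission-plugins=.*AlwaysAdmit' "$f" && return 1
  grep -q -- '--anonymous-auth=true' "$f" && return 1
  return 0
}

# Clean-up step: print the names of ClusterRoleBindings whose USERS column
# lists system:anonymous. Reads `kubectl get clusterrolebinding -o wide` on
# stdin, so it matches on the subject rather than on the binding's name.
anonymous_bindings() {
  awk 'NR > 1 && $0 ~ /(^|[ \t,])system:anonymous([ \t,]|$)/ { print $1 }'
}

# Constructed sample of `kubectl get clusterrolebinding -o wide` output.
SAMPLE_CRB_WIDE=$(cat <<'EOF'
NAME               ROLE                            AGE   USERS              GROUPS                 SERVICEACCOUNTS
cluster-admin      ClusterRole/cluster-admin       10d                      system:masters
anonymous-admin    ClusterRole/cluster-admin       2h    system:anonymous
system:basic-user  ClusterRole/system:basic-user   10d                      system:authenticated
EOF
)

# Live run on the master (set RUN_HARDEN=1); the path is kubeadm's default.
if [ "${RUN_HARDEN:-0}" = "1" ]; then
  M=/etc/kubernetes/manifests/kube-apiserver.yaml
  cp "$M" /root/kube-apiserver.yaml.bak   # backup outside the manifests dir, so kubelet does not try to load it
  harden_manifest "$M" && verify_manifest "$M" && echo "manifest hardened; kubelet restarts kube-apiserver"
  kubectl get clusterrolebinding -o wide | anonymous_bindings | while read -r b; do
    kubectl delete clusterrolebinding "$b"
  done
fi
```

Run it with `RUN_HARDEN=1 sh harden.sh` on the master after switching context; without that variable it only defines the functions, which is how the constructed samples are exercised. Filtering the `-o wide` output on the USERS column catches a binding whose name does not contain the word "anonymous", which the `grep anonymous` shortcut in the approach above would miss.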
Concept tested. Kubernetes API server security hardening - specifically: (1) controlling authentication via --anonymous-auth, (2) enforcing least-privilege authorization using Node+RBAC modes, (3) restricting kubelet API access via the NodeRestriction admission controller, and (4) auditing and removing overly permissive ClusterRoleBindings that expose cluster-admin to unauthenticated users.
Reference. https://kubernetes.io/docs/reference/access-authn-authz/rbac/ | https://kubernetes.io/docs/reference/access-authn-authz/node/ | https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction