CKS Question #58: Real Exam Question with Answer & Explanation
This question tests your ability to harden a Kubernetes API server by modifying its static Pod manifest on a kubeadm-provisioned cluster, specifically disabling anonymous access, enforcing Node+RBAC authorization, and enabling the NodeRestriction admission controller.
Question
Context: For testing purposes, the kubeadm provisioned cluster's API server was configured to allow unauthenticated and unauthorized access.

Task: First, secure the cluster's API server configuring it as follows:
- Forbid anonymous authentication
- Use authorization mode Node,RBAC
- Use admission controller NodeRestriction

The cluster uses the Docker Engine as its container runtime. If needed, use the docker command to troubleshoot running containers. kubectl is configured to use unauthenticated and unauthorized access. You do not have to change it, but be aware that kubectl will stop working once you have secured the cluster. You can use the cluster's original kubectl configuration file located at /etc/kubernetes/admin.conf to access the secured cluster.
Explanation
Approach. On a kubeadm cluster, the API server runs as a static Pod defined at /etc/kubernetes/manifests/kube-apiserver.yaml. You must edit that file on the control-plane node and set three flags in the kube-apiserver command list: (1) --anonymous-auth=false to reject unauthenticated requests, (2) --authorization-mode=Node,RBAC to replace any permissive mode (e.g. AlwaysAllow) with Node and RBAC authorization, and (3) --enable-admission-plugins=NodeRestriction to limit each kubelet to modifying only its own Node and Pod objects. Because kubelet watches the manifests directory, it restarts the API server container automatically after the file is saved; use 'docker ps | grep kube-apiserver' to confirm the new container is running. If no container appears, the manifest is usually malformed (a typo or wrong indentation in the flag list), and 'docker ps -a' together with 'docker logs' on the exited container shows the startup error. Once the server is secured, kubectl configured for anonymous access will stop working, so all further verification must use 'kubectl --kubeconfig=/etc/kubernetes/admin.conf', which carries valid admin credentials.
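As an added example (not part of the exam page or kubeadm itself), the script below applies the three flags to a kubeadm-style kube-apiserver manifest and checks the result. It rewrites an existing flag in place or inserts a missing one after the "- kube-apiserver" command line, so it is safe to run more than once. The sample manifest it writes is constructed for the demo; on the real node you would point it at /etc/kubernetes/manifests/kube-apiserver.yaml instead of a temporary file.

```shell
#!/bin/sh
# Added example, not from the exam page: harden a kubeadm kube-apiserver
# static Pod manifest with the three flags the task requires, then verify.
# The sample manifest written below is a constructed stand-in for the real file.

# Set one "- --flag=value" entry in the kube-apiserver command list.
# An existing entry is rewritten in place (indentation kept); a missing one
# is inserted directly after the "- kube-apiserver" command line.
set_apiserver_flag() {
  file=$1; flag=$2; value=$3
  tmp="$file.tmp"
  if grep -q "^ *- --$flag=" "$file"; then
    awk -v flag="$flag" -v value="$value" '
      $0 ~ ("^ *- --" flag "=") { sub(/=.*/, "=" value) }
      { print }' "$file" > "$tmp"
  else
    awk -v flag="$flag" -v value="$value" '
      { print }
      /^ *- kube-apiserver$/ {
        match($0, /^ */)
        printf "%s- --%s=%s\n", substr($0, 1, RLENGTH), flag, value
      }' "$file" > "$tmp"
  fi
  mv "$tmp" "$file"
}

# Apply the three settings from the task to the manifest.
harden_apiserver_manifest() {
  set_apiserver_flag "$1" anonymous-auth false
  set_apiserver_flag "$1" authorization-mode Node,RBAC
  set_apiserver_flag "$1" enable-admission-plugins NodeRestriction
}

# Succeed only when anonymous auth is off, authorization is exactly Node,RBAC
# and NodeRestriction is among the enabled admission plugins.
check_apiserver_manifest() {
  grep -q '^ *- --anonymous-auth=false$' "$1" &&
  grep -q '^ *- --authorization-mode=Node,RBAC$' "$1" &&
  grep -Eq '^ *- --enable-admission-plugins=([^ ]*,)?NodeRestriction(,|$)' "$1"
}

# Constructed sample of the permissive manifest the task describes:
# anonymous access on, AlwaysAllow authorization, no admission plugins set.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.0.2.10
    - --allow-privileged=true
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --secure-port=6443
    image: registry.k8s.io/kube-apiserver:v1.29.0
    name: kube-apiserver
EOF
}

# Demo on a temporary file. On the control-plane node the target is
# /etc/kubernetes/manifests/kube-apiserver.yaml; kubelet restarts the API
# server container by itself once that file changes.
demo() {
  f=$(mktemp)
  write_sample_manifest "$f"
  harden_apiserver_manifest "$f"
  if check_apiserver_manifest "$f"; then
    echo "manifest hardened; kube-apiserver flags now:"
    grep -- '- --' "$f"
    rc=0
  else
    echo "hardening check failed" >&2
    rc=1
  fi
  rm -f "$f"
  return $rc
}
demo
```

After the real manifest changes, confirm the restart with 'docker ps | grep kube-apiserver' and then query the cluster with 'kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes'; the default kubeconfig, which relies on anonymous access, is expected to fail from this point on.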
Concept tested. Kubernetes API server hardening via static Pod manifest flags: anonymous-auth, authorization-mode (Node,RBAC), and admission controllers (NodeRestriction) on a kubeadm cluster.
Reference. https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests | https://kubernetes.io/docs/reference/access-authn-authz/authorization/#authorization-modules | https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction