
CKS Question #69: Real Exam Question with Answer & Explanation


Submitted by femi9 · May 4, 2026 · Runtime Security

Question

You must connect to the correct host. Failure to do so may result in a zero score.

    [candidate@base]$ ssh cks000028

Context

You must update an existing Pod to ensure the immutability of its containers.

Task

Modify the existing Deployment named lamp-deployment, running in namespace lamp, so that its containers:

  • run with user ID 20000
  • use a read-only root filesystem
  • forbid privilege escalation

The Deployment's manifest file can be found at /home/candidate/finer-sunbeam/lamp-deployment.yaml.

Explanation

  1. Connect to the correct host

         ssh cks000028
         sudo -i

  2. Use the right kubeconfig (safe in exam)

         export KUBECONFIG=/etc/kubernetes/admin.conf

  3. Open the provided Deployment manifest

         vi /home/candidate/finer-sunbeam/lamp-deployment.yaml

  4. Edit ONLY the Pod template security settings (add/modify these fields). Inside: spec: -> template: -> spec:

4.1 Set container to run as user 20000. Add (or change) under the container securityContext:

    securityContext:
      runAsUser: 20000

4.2 Make root filesystem read-only. In the SAME container securityContext, ensure:

    readOnlyRootFilesystem: true

4.3 Forbid privilege escalation. In the SAME container securityContext, ensure:

    allowPrivilegeEscalation: false

✅ The container section should look like this (example - keep your existing image/ports/etc):

    spec:
      template:
        spec:
          containers:
          - name: <your-container-name>
            image: <unchanged>
            securityContext:
              runAsUser: 20000
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false

If there are multiple containers, apply the same securityContext to each container.

Save and exit:

    :wq

  5. Apply the manifest (updates Deployment -> recreates Pods)

         kubectl -n lamp apply -f /home/candidate/finer-sunbeam/lamp-deployment.yaml

  6. Wait for rollout

         kubectl -n lamp rollout status deployment/lamp-deployment

  7. Verify the security settings are live

7.1 Check the Pod is running

    kubectl -n lamp get pods -l app=lamp -o wide

(if the label differs, just run kubectl -n lamp get pods)

7.2 Verify the three fields on a running Pod. Pick the Pod name and run:

    POD=$(kubectl -n lamp get pods -o jsonpath='{.items[0].metadata.name}')

    kubectl -n lamp get pod $POD -o jsonpath='{.spec.containers[0].securityContext.runAsUser}{"\n"}{.spec.containers[0].securityContext.readOnlyRootFilesystem}{"\n"}{.spec.containers[0].securityContext.allowPrivilegeEscalation}{"\n"}'

Expected output:

    20000
    true
    false

If the Pod fails after readOnlyRootFilesystem=true: don't change the requirement (the task demands it). Usually the app needs writable dirs via volumes, but the task doesn't ask for that, so only adjust if the manifest already has volumes and just needs these securityContext fields.
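
The check in step 7.2 reads only the first container of the first Pod. The script below is an added example, not part of the original answer: it checks every container in the Deployment's Pod template and goes one step further by treating an unset container-level runAsUser as inheriting the Pod-level value. The function names check_hardening and audit_deployment are illustrative.

```sh
#!/bin/sh
# Added example (not from the original answer). Function names are illustrative.

# check_hardening WANT_UID [POD_LEVEL_UID]
# stdin: one line per container in the form
#   name|runAsUser|readOnlyRootFilesystem|allowPrivilegeEscalation
# An empty field means the manifest does not set that key.
check_hardening() (
  want_uid=$1 pod_uid=${2:-} rc=0 seen=0
  while IFS='|' read -r name uid ro ape; do
    [ -n "$name" ] || continue
    seen=$((seen + 1))
    # runAsUser falls back to the Pod-level securityContext when unset here.
    eff_uid=${uid:-$pod_uid}
    if [ "$eff_uid" != "$want_uid" ]; then
      echo "FAIL $name: runAsUser='$eff_uid' (want $want_uid)"; rc=1
    fi
    # These two keys exist only at container level; unset is not compliant.
    if [ "$ro" != "true" ]; then
      echo "FAIL $name: readOnlyRootFilesystem='$ro' (want true)"; rc=1
    fi
    if [ "$ape" != "false" ]; then
      echo "FAIL $name: allowPrivilegeEscalation='$ape' (want false)"; rc=1
    fi
  done
  [ "$seen" -gt 0 ] || { echo "FAIL: no containers found"; rc=1; }
  [ "$rc" -eq 0 ]
)

# audit_deployment NAMESPACE DEPLOYMENT WANT_UID (needs kubectl and cluster access)
audit_deployment() {
  pod_uid=$(kubectl -n "$1" get deployment "$2" \
    -o jsonpath='{.spec.template.spec.securityContext.runAsUser}') || return 1
  kubectl -n "$1" get deployment "$2" -o jsonpath=\
'{range .spec.template.spec.containers[*]}{.name}{"|"}'\
'{.securityContext.runAsUser}{"|"}{.securityContext.readOnlyRootFilesystem}{"|"}'\
'{.securityContext.allowPrivilegeEscalation}{"\n"}{end}' |
    check_hardening "$3" "$pod_uid"
}

# On the exam host: audit_deployment lamp lamp-deployment 20000
```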
