CKS Question #70: Real Exam Question with Answer & Explanation
The task requires creating a Kubernetes TLS Secret named `clever-cactus` within the `clever-cactus` namespace, utilizing the provided certificate and key files via the `kubectl create secret tls` command.
Question
You must complete securing access to a web server using SSL files stored in a TLS Secret. Create a TLS Secret named `clever-cactus` in the `clever-cactus` namespace for an existing Deployment named `clever-cactus`. Use the following SSL files: Certificate `/home/candidate/clever-cactus/web.k8s.local.crt` and Key `/home/candidate/clever-cactus/web.k8s.local.key`. The Deployment is already configured to use the TLS Secret. Do not modify the existing Deployment.
Explanation
Approach. To correctly complete the task, the test-taker must input the following command into the simulated terminal:
```
kubectl create secret tls clever-cactus --cert=/home/candidate/clever-cactus/web.k8s.local.crt --key=/home/candidate/clever-cactus/web.k8s.local.key -n clever-cactus
```
Reasoning:
- `kubectl create secret tls`: This command is specifically designed to create a Kubernetes Secret of type `kubernetes.io/tls` from a certificate and a key file.
- `clever-cactus`: This is the specified name for the new TLS Secret.
- `--cert=/home/candidate/clever-cactus/web.k8s.local.crt`: This flag points to the path of the SSL certificate file that must be included in the secret.
- `--key=/home/candidate/clever-cactus/web.k8s.local.key`: This flag points to the path of the SSL private key file that must be included in the secret.
- `-n clever-cactus`: This flag ensures the Secret is created in the specified `clever-cactus` namespace, fulfilling the requirement.
Common mistakes.
- Using `kubectl create secret generic`: While a generic secret can store arbitrary data, it would not correctly set the Secret type to `kubernetes.io/tls`, which is crucial for components like Ingress controllers to correctly identify and use the TLS certificate and key. This would make the secret unusable for its intended purpose.
- Forgetting or misplacing the namespace (`-n clever-cactus`): Omitting the namespace flag would result in the secret being created in the 'default' namespace, which violates the requirement to create it in the `clever-cactus` namespace. This would cause the Deployment, configured to look for the secret in the correct namespace, to fail.
- Incorrect file paths or flag names: Typos in `--cert` or `--key` flags, or incorrect paths to the `.crt` and `.key` files, would lead to the command failing with 'file not found' errors or creating an empty/incorrect secret.
- Attempting to modify the Deployment: The question explicitly states, 'Do not modify the existing Deployment.' Any interaction attempting to edit the Deployment's YAML or configuration would be an incorrect action and lead to failing the question.
- Manually creating a YAML file and applying it: While technically a valid way to create a Secret, the `kubectl create secret tls` command is the more direct and efficient method, and often the expected solution for such tasks in certification exams to demonstrate knowledge of common `kubectl` utilities.
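A way to check for the mistakes listed above before and after running the command, as an added example that is not part of the original page. The function names `pair_matches` and `verify_tls_secret` are hypothetical, and the script assumes `openssl` and `kubectl` are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): checks around the TLS Secret task.
# Secret name, namespace and file paths are the ones given in the question.

# pair_matches CERT KEY
# Returns 0 if the certificate's public key equals the one derived from the
# private key, i.e. the two files belong together.
pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# verify_tls_secret NAMESPACE NAME
# Returns 0 only if the Secret exists in NAMESPACE, has type kubernetes.io/tls
# and carries non-empty tls.crt and tls.key entries.
verify_tls_secret() {
  v_ns=$1; v_name=$2
  # Fails when the Secret landed in another namespace (for example, -n omitted).
  v_type=$(kubectl get secret "$v_name" -n "$v_ns" -o jsonpath='{.type}') || {
    echo "FAIL: secret $v_name not found in namespace $v_ns" >&2; return 1; }
  # "kubectl create secret generic" produces type Opaque unless --type is set.
  if [ "$v_type" != "kubernetes.io/tls" ]; then
    echo "FAIL: type is '$v_type', expected kubernetes.io/tls" >&2; return 2
  fi
  # Dots inside a data key are escaped in kubectl's jsonpath syntax.
  v_crt=$(kubectl get secret "$v_name" -n "$v_ns" -o jsonpath='{.data.tls\.crt}')
  v_key=$(kubectl get secret "$v_name" -n "$v_ns" -o jsonpath='{.data.tls\.key}')
  if [ -z "$v_crt" ] || [ -z "$v_key" ]; then
    echo "FAIL: tls.crt or tls.key is missing or empty" >&2; return 3
  fi
  echo "OK: $v_ns/$v_name is a kubernetes.io/tls Secret with tls.crt and tls.key"
}

# Usage on the exam host:
#   pair_matches /home/candidate/clever-cactus/web.k8s.local.crt \
#                /home/candidate/clever-cactus/web.k8s.local.key &&
#   verify_tls_secret clever-cactus clever-cactus
```

The return codes 1, 2 and 3 distinguish a wrong namespace, a wrong Secret type and missing data keys.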
Concept tested. Creating and managing Kubernetes Secrets, specifically TLS Secrets, using `kubectl` from existing certificate and key files. This includes understanding Secret types (`kubernetes.io/tls`), namespaces, and the correct command-line arguments for `kubectl create secret tls`.
Reference. https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets