CKS Exam Dumps : Certified Kubernetes Security Specialist (CKS)

1) Connect to correct host

ssh cks000033

sudo -i

export KUBECONFIG=/etc/kubernetes/admin.conf

2) Patch the ServiceAccount to disable automounting

Task: turn off automounting of API credentials for stats-monitor-sa in monitoring.

kubectl -n monitoring patch sa stats-monitor-sa -p '{"automountServiceAccountToken": false}'

Verify:

kubectl -n monitoring get sa stats-monitor-sa -o yaml | grep -i automount

3) Edit the Deployment manifest file

Task says to modify the manifest at:

/home/candidate/stats-monitor/deployment.yaml

vi /home/candidate/stats-monitor/deployment.yaml

4) In the Deployment, ensure it uses the ServiceAccount AND inject token via Projected Volume

4.1 Make sure Deployment uses the SA

Under:

spec: -> template: -> spec:

ensure:

serviceAccountName: stats-monitor-sa

(If it already exists, leave it; don’t add extra changes beyond requirements.)

4.2 Add a projected volume named token

Under:

spec: -> template: -> spec: -> volumes:

add (or modify existing volume if present) so it is exactly:

- name: token

projected:

sources:

- serviceAccountToken:

path: token

This creates the file token inside the mounted directory, so the final path becomes:

/var/run/secrets/kubernetes.io/serviceaccount/token

4.3 Mount the projected volume read-only at the required location

Under the target container:

spec: -> template: -> spec: -> containers: -> (your container) -> volumeMounts:

Add:

- name: token

mountPath: /var/run/secrets/kubernetes.io/serviceaccount

readOnly: true

✅ This satisfies:

Projected volume name: token

Mount path: /var/run/secrets/kubernetes.io/serviceaccount/token (file inside mount)

Mounted read-only

4.4 Important: Don’t break default token mount behavior

Because you disabled SA automounting at the ServiceAccount level, you must explicitly mount the projected token (done above). That’s the whole point of this task.

Save and exit:

wq

5) Apply the updated Deployment

kubectl -n monitoring apply -f /home/candidate/stats-monitor/deployment.yaml

Wait rollout:

kubectl -n monitoring rollout status deployment/stats-monitor

6) Verify the token file exists in the running Pod

Get a pod name:

POD=$(kubectl -n monitoring get pods -l app=stats-monitor -o jsonpath='{.items[0].metadata.name}')

echo $POD

Check the token file path exists:

kubectl -n monitoring exec -it $POD -- ls -l /var/run/secrets/kubernetes.io/serviceaccount/token

Optional: confirm it’s mounted read-only (usually shown by mount options):

kubectl -n monitoring exec -it $POD -- mount | grep /var/run/secrets/kubernetes.io/serviceaccount

✅ What the examiner checks

SA stats-monitor-sa has:

automountServiceAccountToken: false

Deployment stats-monitor mounts a projected volume named token

Token file is at:

/var/run/secrets/kubernetes.io/serviceaccount/token

Mount is readOnly: true

If label selector doesn’t match (-l app=stats-monitor)

Use:

kubectl -n monitoring get pods

Then set:

POD=

$ vim /etc/kubernetes/log-policy/audit-policy.yaml

- level: RequestResponse

userGroups: ["system:nodes"]

- level: Request

resources:

- group: "" # core API group

resources: ["persistentvolumes"]

namespaces: ["frontend"]

- level: Metadata

resources:

- group: ""

resources: ["configmaps", "secrets"]

- level: Metadata

$ vim /etc/kubernetes/manifests/kube-apiserver.yaml

Add these

- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml

- --audit-log-path=/var/log/kubernetes/logs.txt

- --audit-log-maxage=5

- --audit-log-maxbackup=10

Explanation[desk@cli] $ ssh master1

[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml

apiVersion: audit.k8s.io/v1 # This is required.

kind: Policy

# Don't generate audit events for all requests in RequestReceived stage.

omitStages:

- "RequestReceived"

rules:

# Don't log watch requests by the "system:kube-proxy" on endpoints or services

- level: None

users: ["system:kube-proxy"]

verbs: ["watch"]

resources:

- group: "" # core API group

resources: ["endpoints", "services"]

# Don't log authenticated requests to certain non-resource URL paths.

- level: None

userGroups: ["system:authenticated"]

nonResourceURLs:

- "/api*" # Wildcard matching.

- "/version"

# Add your changes below

- level: RequestResponse

userGroups: ["system:nodes"] # Block for nodes

- level: Request

resources:

- group: "" # core API group

resources: ["persistentvolumes"] # Block for persistentvolumes

namespaces: ["frontend"] # Block for persistentvolumes of frontend ns

- level: Metadata

resources:

- group: "" # core API group

resources: ["configmaps", "secrets"] # Block for configmaps & secrets

- level: Metadata # Block for everything else

[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml

apiVersion: v1

kind: Pod

metadata:

annotations:

kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443

labels:

component: kube-apiserver

tier: control-plane

name: kube-apiserver

namespace: kube-system

spec:

containers:

- command:

- kube-apiserver

- --advertise-address=10.0.0.5

- --allow-privileged=true

- --authorization-mode=Node,RBAC

- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this

- --audit-log-path=/var/log/kubernetes/logs.txt #Add this

- --audit-log-maxage=5 #Add this

- --audit-log-maxbackup=10 #Add this

output truncated

Note: log volume & policy volume is already mounted in vim /etc/kubernetes/manifests/kube-apiserver.yaml so no need to mount it.

1) Connect to the correct host

ssh cks000035

sudo -i

export KUBECONFIG=/etc/kubernetes/admin.conf

2) List the 3 container names + images in the Deployment

kubectl -n alpine get deploy alpine -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}'

You’ll get 3 lines like:

c1 alpine:3.xx

c2 alpine:3.yy

c3 alpine:3.zz

3) Identify which alpine image has libcrypto3 at 3.1.4-r5

Fastest reliable method (since it’s Alpine, just query apk inside each image):

Run these one-by-one for each image you saw in step 2:

docker run --rm sh -c 'apk info -v libcrypto3 2>/dev/null | head -n1'

docker run --rm sh -c 'apk info -v libcrypto3 2>/dev/null | head -n1'

docker run --rm sh -c 'apk info -v libcrypto3 2>/dev/null | head -n1'

✅ The correct image is the one that prints exactly:

libcrypto3-3.1.4-r5

Note that full image tag, e.g.:

IMG=alpine:3.xx

4) Create SPDX document with bom for that identified image

(Use the identified image from step 3.)

bom generate --image $IMG --format spdx --output /home/candidate/alpine.spdx

Verify file exists:

ls -l /home/candidate/alpine.spdx

5) Remove ONLY the container that uses that image version

The manifest to edit is:

vi /home/candidate/alpine-deployment.yaml

In the spec.template.spec.containers: list, find the container entry whose image: equals the identified $IMG, and delete that one container block only (name/image/ports/etc for that container).

Save:

wq

6) Apply the updated Deployment (do not change other containers)

kubectl apply -f /home/candidate/alpine-deployment.yaml

Wait rollout:

kubectl -n alpine rollout status deployment/alpine

7) Verify only 2 containers remain

kubectl -n alpine get deploy alpine -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}'

You should now see 2 lines, and the $IMG line should be gone.

If bom generate ... errors (quick fix)

Check exact syntax on that system:

bom --help

bom generate --help

Then rerun with the flags it expects, keeping:

image = $IMG

output = /home/candidate/alpine.spdx

format = spdx