CKS Exam Series #3 Immutable Pods

Kubernetes CKS Example Exam Question Series

Kim Wuestkamp
ITNEXT


CKS Exam Series | CKA Exam Series | CKAD Exam Series

##### UPDATE UPDATE UPDATE #####

THIS CHALLENGE IS NO LONGER UPDATED HERE AND HAS MOVED TO:

https://killercoda.com/killer-shell-cks

##### UPDATE UPDATE UPDATE #####

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you have done yours. You probably have a better one!

Today's Task: Make Pods immutable

  1. Create Pod holiday with two containers c1 and c2 of image bash:5.1.0, ensure the containers keep running
  2. Create Deployment snow of image nginx:1.19.6 with 3 replicas
  3. Force container c2 of Pod holiday to run immutable: no files can be changed during runtime
  4. Make sure the container of Deployment snow will run immutable. Then make necessary paths writable for Nginx to work.
  5. Verify everything


Solution

1.

alias k=kubectl
k run holiday --image=bash:5.1.0 --command -oyaml --dry-run=client -- sh -c 'sleep 1d' > holiday.yaml
vim holiday.yaml

Add a second container and change the container names to c1 and c2 (the resulting manifest is shown in step 3):

2.

k create deploy snow --image=nginx:1.19.6 -oyaml --dry-run=client > snow.yaml
vim snow.yaml

Change the replicas to 3:

3.

vim holiday.yaml

Add a securityContext at container level for c2 (not at Pod level, so c1 stays writable):

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: holiday
  name: holiday
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1d
    image: bash:5.1.0
    name: c1
    resources: {}
  - command:
    - sh
    - -c
    - sleep 1d
    image: bash:5.1.0
    name: c2
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

4.

The idea is to make the whole root filesystem read-only first, then start the Pod and check the container logs for errors. Based on those errors we add emptyDir volumes only for the paths the process really needs to write. The errors could look like:

"/var/cache/nginx/client_temp" failed (30: Read-only file system)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)

With just Docker we could do something like:

docker run -d --read-only --tmpfs /var/cache nginx

To do this in a Deployment:

vim snow.yaml

Add volumes and volume mounts:
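As an added example (not the article's own manifest), here is a complete snow.yaml as it could look after steps 2 and 4: replicas set to 3, readOnlyRootFilesystem enabled on the container, and emptyDir volumes mounted over the directories the stock nginx image writes at startup. The labels and the container name are what `k create deploy` generates; the two writable paths are an assumption derived from the startup error shown above (/var/cache/nginx) plus the PID file nginx writes under /var/run. If your container logs report a different path, add another emptyDir for it in the same way rather than relaxing readOnlyRootFilesystem.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: snow
  labels:
    app: snow
spec:
  replicas: 3                      # step 2: three replicas
  selector:
    matchLabels:
      app: snow
  template:
    metadata:
      labels:
        app: snow
    spec:
      containers:
      - name: nginx
        image: nginx:1.19.6
        securityContext:
          readOnlyRootFilesystem: true   # step 4: nothing on the image layer can be modified at runtime
        volumeMounts:
        # Assumed writable paths for the stock nginx image; confirm against the container logs.
        - name: cache
          mountPath: /var/cache/nginx    # client_temp, proxy_temp, ... (see the error above)
        - name: run
          mountPath: /var/run            # nginx.pid
      volumes:
      # emptyDir is scratch space that lives only as long as the Pod; binaries and
      # config under /usr/sbin and /etc/nginx remain read-only.
      - name: cache
        emptyDir: {}
      - name: run
        emptyDir: {}
```

Apply it with `k apply -f snow.yaml`, wait for `k get deploy snow` to report 3 ready replicas, and then run the checks from step 5. Keeping the writable set to a few emptyDir mounts means a compromised process can still drop files into its cache directory, but it cannot replace the nginx binary or its configuration, which is the property the task is after.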

5.

k exec holiday -c c1 -- touch /tmp/test # works
k exec holiday -c c2 -- touch /tmp/test # error
k get deploy snow # should show 3 ready replicas
k exec snow-575cd78c85-ldplw -- touch /tmp/test # error
k exec snow-575cd78c85-ldplw -- touch /var/cache/nginx/test # works

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks


killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes