CKS exam tips required

udaya.linux · March 15, 2024, 11:48am

Hi All,

I am planning to take the CKS exam in near future. Can any one guide me where to get the parameter details in case if any question is asking me to add it in any of the pod definitions lets say if we are trying to fix the kube-bench findings.

Thanks,
S.Udayakumar

Alistair_KodeKloud · March 15, 2024, 7:04pm

Parameters for what?
Which pod definitions?

Kube-bench reports are usually pretty clear on what action they want you to take.

udaya.linux · March 16, 2024, 6:14am

I mean all the cluster components pods like api-server, etctl, etc… which the kube-bench reports.

Yes true. But if the parameter to fix is given in “–” format and the etctl which needs to be fixed is running as a service where we have to modify the configuration file then we cannot use the same fix right?

Thanks,
S.Udayakumar

Alistair_KodeKloud · March 16, 2024, 8:07pm

The parameters to etcd are the same whether it runs as a pod or as a service. It is just which file you edit.

If it’s a pod, edit /etc/kubernetes/manifests/etcd.yaml

If it’s a service (external etcd), then

Find the service unit file
```
systemctl cat etcd
```
The first line of the output is a comment which has the path to the file you need to edit
Edit that file and change the arguments

Restart etcd

systemctl daemon reload
systemctl restart etcd

udaya.linux · March 18, 2024, 10:45am

Thanks for your detailed reply.

To be more specific I am working on mock exam 3.

in that first question I have to fix the kube-bench issues.

below is the fix:

4.2.2 If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file
/lib/systemd/system/kubelet.service on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
–authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

but since I have to modify the file /var/lib/kubelet/config.yaml as the kubelet process is using this config and in that we cannot use this same fix as recommended.

But I found it in the Kubernetes documentation and added the below parameter. But when I rerun the report this specific issue is not at all going.

KubeletAuthorization: Webhook

udaya.linux · March 18, 2024, 10:50am

After I modified the config as below then this deviation is fixed.

authorization:
mode: Webhook

Alistair_KodeKloud · March 18, 2024, 8:18pm

It has given you both possible fixes, based on the fact that there are two ways to configure kubelet. When kubelet was first developed, all settings were via command line arguments (second way), but now it has a YAML configuration document (first, and preferred way).

If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file
/lib/systemd/system/kubelet.service on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
–authorization-mode=Webhook

Your solution was the first of the above.