CKS exam tips required

Hi All,

I am planning to take the CKS exam in the near future. Can anyone guide me on where to get the parameter details in case a question asks me to add them to any of the pod definitions, let's say if we are trying to fix the kube-bench findings?

Thanks,
S.Udayakumar

Parameters for what?
Which pod definitions?

Kube-bench reports are usually pretty clear on what action they want you to take.

I mean all the cluster component pods like api-server, etctl, etc… which kube-bench reports on.

Yes, true. But if the parameter to fix is given in “--” format and the etctl which needs to be fixed is running as a service, where we have to modify the configuration file, then we cannot use the same fix, right?

Thanks,
S.Udayakumar

The parameters to etcd are the same whether it runs as a pod or as a service. It is just which file you edit.

If it’s a pod, edit /etc/kubernetes/manifests/etcd.yaml

If it’s a service (external etcd), then

  1. Find the service unit file

    systemctl cat etcd
    

    The first line of the output is a comment which has the path to the file you need to edit

  2. Edit that file and change the arguments

  3. Restart etcd

    systemctl daemon-reload
    systemctl restart etcd
    

Thanks for your detailed reply.

To be more specific, I am working on mock exam 3.

In the first question there I have to fix the kube-bench issues.

Below is the fix:

    4.2.2 If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
    using executable arguments, edit the kubelet service file
    /lib/systemd/system/kubelet.service on each worker node and
    set the below parameter in KUBELET_AUTHZ_ARGS variable.
    --authorization-mode=Webhook
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service

But I have to modify the file /var/lib/kubelet/config.yaml, as the kubelet process is using this config, and in that file we cannot use the same fix as recommended.

I found a parameter in the Kubernetes documentation and added it as below. But when I rerun the report, this specific issue does not go away at all.

KubeletAuthorization: Webhook

After I modified the config as below, this deviation was fixed.

    authorization:
      mode: Webhook

It has given you both possible fixes, based on the fact that there are two ways to configure kubelet. When kubelet was first developed, all settings were via command line arguments (second way), but now it has a YAML configuration document (first, and preferred way).

  1. If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
  2. If using executable arguments, edit the kubelet service file
    /lib/systemd/system/kubelet.service on each worker node and
    set the below parameter in KUBELET_AUTHZ_ARGS variable.
    --authorization-mode=Webhook

Your solution was the first of the above.
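
Added example, not part of any post in this thread and not kube-bench's own implementation: a shell check that reads the kubelet authorization mode from both places named in 4.2.2, showing why a top-level `KubeletAuthorization:` key leaves the finding open while the nested `authorization: mode:` clears it. The function names and sample files are constructed for illustration, and the flag-overrides-file precedence is an assumption taken from the kubelet documentation.

```shell
#!/bin/sh
# Added example (not kube-bench's implementation): report the kubelet
# authorization mode for both configuration styles named in check 4.2.2.

# Value of the nested key authorization.mode in a kubelet config file.
# Only a "mode:" line indented under a top-level "authorization:" counts,
# so an unrelated top-level key such as "KubeletAuthorization:" is ignored.
config_authz_mode() {
    awk '
        /^[^ #]/ { in_authz = ($0 ~ /^authorization:[ \t\r]*$/); next }
        in_authz && /^ +mode:/ {
            sub(/^ +mode:[ \t]*/, ""); gsub(/[" \t\r]/, ""); print; exit
        }' "$1"
}

# Value of --authorization-mode in a kubelet argument string, e.g. the
# contents of KUBELET_AUTHZ_ARGS or the ExecStart line of the unit file.
args_authz_mode() {
    printf '%s\n' "$1" |
        sed -n 's/.*--authorization-mode=\([A-Za-z,]*\).*/\1/p' | tail -n 1
}

# Exit status 0 when the effective mode is Webhook. Assumption taken from the
# kubelet documentation: a command-line flag overrides the config file value.
check_4_2_2() {   # $1 = config file, $2 = argument string (may be empty)
    cfg=$(config_authz_mode "$1")
    arg=$(args_authz_mode "$2")
    echo "config authorization.mode: ${cfg:-<not set>}"
    echo "--authorization-mode flag: ${arg:-<not set>}"
    [ "${arg:-$cfg}" = "Webhook" ]
}

# Constructed sample files: the two edits tried in the thread.
demo_dir=$(mktemp -d)
printf 'kind: KubeletConfiguration\nKubeletAuthorization: Webhook\n' > "$demo_dir/first-try.yaml"
printf 'kind: KubeletConfiguration\nauthorization:\n  mode: Webhook\n' > "$demo_dir/second-try.yaml"

for f in first-try second-try; do
    if check_4_2_2 "$demo_dir/$f.yaml" ""; then echo "$f: PASS"; else echo "$f: FAIL"; fi
done
rm -rf "$demo_dir"
```

On a real node, pass `/var/lib/kubelet/config.yaml` as the first argument and the kubelet command line (for example from `ps -o args= -C kubelet`) as the second.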