CKS Mock Test 1, Q8: ImagePolicyWebhook

I cannot complete this question successfully.
I implement the ImagePolicyWebhook and the apiserver restarts successfully.
I have set “defaultAllow” to false. I am allowed to recreate the pod with the original image though it should be denied.
The auto corrector says that the policy is not implemented.
I am fairly sure I was able to pass this question in the past (several weeks ago?).
See attached.


I have screen captures of the kube-apiserver config but i cannot post it because of limits.

Hi @Ed-Pike,
Just tested it and it works fine.

Be sure that the admission-configuration YAML file is in the correct folder. It needs to be in /root/CKS/ImagePolicy. You also need to:

  • provide the path
  • enable ImagePolicyWebhook

in the kube-apiserver file.

SPOILER ALERT

You can see the correction here https://github.com/kodekloudhub/certified-kubernetes-security-specialist-cks-course/blob/main/docs/08-Mock-Exams/02-Mock-Exam-1.md

Thanks for the reply. If you compare my screen captures with the answers, they are identical except that my kube-apiserver settings lines are in alphabetical order. I did not take a screenshot of the files being in the CKS/ImagePolicy directory. Also, I did not take a screenshot of my kube-apiserver rebooting and running. I will attempt this again. I can still only do one attachment at a time here. So here is screenshot 2. I have a 3rd one, but it just shows the auto grader reporting that my ImagePolicyWebhook is not enabled or implemented.

OMG, I figured it out. I was making a kube-apiserver.yaml.bak file, then editing kube-apiserver.yaml. On save, the server restarts, but it is reading in the .bak file. If I moved the .bak file …, then the server restarts again and this time it reads from the .yaml file. IDK if that's something to do with Linux reading files by file id/pointer or something, but I suspect the apiserver code is looking for kube-apiserver.yaml*, and finds the .bak file first. It should look for “kube-apiserver.yaml” as a defined string. Oddly it was watching the correct file for changes (.yaml), but loading the wrong file (.bak). It was watching the .bak file for its presence, so when it was moved out of the directory, it reinitiated and found the correct one. That was so frustrating. I finished this problem correctly all the times before because I used to be lazy and not make a .bak file. Ironic.

Hi @Ed-Pike,
Nice to see your issue fixed. In fact, Kubernetes reads all files inside the manifest folder and creates static pods from them. As the content of your *.bak file is in a correct YAML format, it uses it and creates a static pod.
You can reproduce this behaviour with the following commands:

k run test --image=nginx --dry-run=client -o yaml > /etc/kubernetes/manifests/test
k run test-117 --image=nginx:1.17 --dry-run=client -o yaml > /etc/kubernetes/manifests/test.ba
k run test-118 --image=nginx:1.18 --dry-run=client -o yaml > /etc/kubernetes/manifests/test.iso


You can see here that, whatever the extension, it will create a static pod if the file is in the right manifests folder.

When I was doing this mock lab, the API was not coming up and it did not create any logs to check.
Then I noticed the key giveaway on this question >>> it's the volume host and volume mounts. Tricky!
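Putting the replies above together (the admission-configuration file in /root/CKS/ImagePolicy, the two kube-apiserver flags, and the hostPath volume plus volumeMounts that the last post calls the giveaway), here is an added example of the two files involved. It is not from the thread or from the course repo; the file names admission-config.yaml and kubeconfig.yaml, the TTL and backoff values, and the NodeRestriction plugin are assumptions.

```yaml
# File 1 (name assumed): /root/CKS/ImagePolicy/admission-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    configuration:
      imagePolicy:
        # kubeconfig that points at the image policy webhook backend (name assumed)
        kubeConfigFile: /root/CKS/ImagePolicy/kubeconfig.yaml
        allowTTL: 50
        denyTTL: 50
        retryBackoff: 500
        # false: when the backend cannot be reached the image is denied, not allowed
        defaultAllow: false
---
# File 2: the relevant fragment of /etc/kubernetes/manifests/kube-apiserver.yaml.
# Keep backup copies OUTSIDE /etc/kubernetes/manifests: the kubelet loads every
# file in that folder as a static pod, whatever its extension (see the .bak story).
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        # both flags are needed: enabling the plugin alone does nothing without its config
        - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
        - --admission-control-config-file=/root/CKS/ImagePolicy/admission-config.yaml
      volumeMounts:
        # without this mount the API server container cannot read the config
        # file and never comes up, which is the silent failure described above
        - name: image-policy
          mountPath: /root/CKS/ImagePolicy
          readOnly: true
  volumes:
    - name: image-policy
      hostPath:
        path: /root/CKS/ImagePolicy
        type: DirectoryOrCreate
```

After the kubelet restarts the API server, a pod whose image the webhook rejects (or that cannot be checked at all, because defaultAllow is false) should fail admission rather than be created.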