CKS - Problematic question description

I’m doing the CKS mock exams part and I’ve stumbled into a question that is written misleadingly:

A pod has been created in the omni namespace. However, there are a couple of issues with it.

  1. The pod has been created with more permissions than it needs.

  2. It allows read access in the directory /usr/share/nginx/html/internal causing an Internal Site to be accessed publicly.

To check this, click on the button called Site (above the terminal) and add /internal/ to the end of the URL.
Use the below recommendations to fix this.

  1. Use the AppArmor profile created at /etc/apparmor.d/frontend to restrict the internal site.

  2. There are several service accounts created in the omni namespace. Apply the principle of least privilege and use the service account with the minimum privileges (excluding the default service account).

  3. Once the pod is recreated with the correct service account, delete the other unused service accounts in omni namespace (excluding the default service account).

You can recreate the pod but do not create new service accounts and do not use the default service account.

As far as I understand, service accounts have no privileges at all by themselves.
Service accounts are bound using role bindings to roles, and these roles define the privileges that the bound service account would have.

So when I tested the question, it failed, saying that the service account with the least privileges is frontend-default, while in fact this service account is not bound to any role, which means it has no privileges. Am I wrong in the way I see it?

This is the explanation for this question:

The construction of the problem is indeed a bit artificial, but the supposition behind the question is not unreasonable: the two service accounts that have roles bound to them have some privilege. That leaves frontend-default and default, and since you’re told to ignore default, that’s what you want for the service account for the pod.

Sometimes it makes sense not to overthink some of these scenarios, which are mostly there to see if you understand the concepts. You appear to understand; you just don't accept the framing of the problem :)
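The reasoning in the question and the reply above (a service account only has the privileges that RoleBindings or ClusterRoleBindings grant it, so the unbound one is the least-privileged choice) can be checked mechanically rather than by eye. The script below is an added example, not part of the original thread or of any exam material: it takes the JSON shapes that `kubectl get serviceaccounts -n omni -o json`, `kubectl get rolebindings -A -o json` and `kubectl get clusterrolebindings -o json` return, works out which service accounts in the namespace appear as subjects of any binding, and reports the ones with no binding at all. The sample data is constructed inline; the names `fe-admin`, `fe-deploy`, the role names and the binding names are invented for illustration, and only `omni`, `default`, `frontend-default` and the `/etc/apparmor.d/frontend` profile come from the question. It also builds the pod manifest that applies the fix (the chosen service account plus the AppArmor annotation for the container); `automountServiceAccountToken: false` is an extra hardening step that the question does not ask for.

```python
"""Find the service account with no RBAC bindings and build the fixed pod spec.

The JSON below is constructed to mirror the output shape of
`kubectl get serviceaccounts -n omni -o json`,
`kubectl get rolebindings -A -o json` and
`kubectl get clusterrolebindings -o json`.  In practice you would feed the
real output into these functions instead.
"""
import json

NAMESPACE = "omni"

# Constructed sample: the namespace default account, the unbound
# frontend-default account, and two hypothetical accounts that have roles.
SERVICE_ACCOUNTS_JSON = json.dumps({"items": [
    {"metadata": {"name": "default", "namespace": NAMESPACE}},
    {"metadata": {"name": "frontend-default", "namespace": NAMESPACE}},
    {"metadata": {"name": "fe-admin", "namespace": NAMESPACE}},   # hypothetical
    {"metadata": {"name": "fe-deploy", "namespace": NAMESPACE}},  # hypothetical
]})

# Constructed sample: two RoleBindings in omni, each granting a Role to one
# service account.  Role and binding names are hypothetical.
ROLE_BINDINGS_JSON = json.dumps({"items": [
    {"metadata": {"name": "fe-admin-rb", "namespace": NAMESPACE},
     "roleRef": {"kind": "Role", "name": "admin-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "fe-admin", "namespace": NAMESPACE}]},
    {"metadata": {"name": "fe-deploy-rb", "namespace": NAMESPACE},
     "roleRef": {"kind": "Role", "name": "deploy-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "fe-deploy", "namespace": NAMESPACE}]},
]})

# Constructed sample: no ClusterRoleBinding touches the omni accounts.
CLUSTER_ROLE_BINDINGS_JSON = json.dumps({"items": []})


def _granted_in(binding, namespace):
    """Yield names of service accounts in `namespace` that this binding grants
    privileges to.  A Group subject covering every service account in the
    namespace (or in the cluster) is reported as the wildcard '*'."""
    binding_ns = binding.get("metadata", {}).get("namespace")
    for subj in binding.get("subjects") or []:
        kind, name = subj.get("kind"), subj.get("name", "")
        if kind == "ServiceAccount":
            # A ServiceAccount subject without a namespace field refers to
            # the binding's own namespace (a ClusterRoleBinding has none).
            if subj.get("namespace", binding_ns) == namespace:
                yield name
        elif kind == "Group" and name in (
                "system:serviceaccounts", f"system:serviceaccounts:{namespace}"):
            yield "*"


def bound_service_accounts(rb_json, crb_json, namespace):
    """Set of service-account names in `namespace` that some binding references."""
    bound = set()
    for doc in (json.loads(rb_json), json.loads(crb_json)):
        for binding in doc.get("items", []):
            bound.update(_granted_in(binding, namespace))
    return bound


def unbound_service_accounts(sa_json, rb_json, crb_json, namespace, exclude=("default",)):
    """Sorted names of service accounts with no RBAC binding, minus `exclude`.
    If a Group binding covers all service accounts, nothing is unbound."""
    names = [sa["metadata"]["name"] for sa in json.loads(sa_json)["items"]
             if sa["metadata"]["namespace"] == namespace]
    bound = bound_service_accounts(rb_json, crb_json, namespace)
    if "*" in bound:
        return []
    return sorted(n for n in names if n not in bound and n not in exclude)


def least_privilege_candidate(sa_json, rb_json, crb_json, namespace):
    """The single unbound, non-default service account; error if ambiguous."""
    unbound = unbound_service_accounts(sa_json, rb_json, crb_json, namespace)
    if len(unbound) != 1:
        raise ValueError(f"expected exactly one unbound service account, found {unbound}")
    return unbound[0]


def hardened_pod_manifest(name, namespace, sa_name, container, image, apparmor_profile):
    """Pod manifest using `sa_name` and confining `container` with the
    AppArmor profile loaded on the node as `apparmor_profile`."""
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace, "annotations": {
            f"container.apparmor.security.beta.kubernetes.io/{container}":
                f"localhost/{apparmor_profile}"}},
        "spec": {
            "serviceAccountName": sa_name,
            # Not asked for by the question, but a pod that needs no API
            # access should not carry a token at all.
            "automountServiceAccountToken": False,
            "containers": [{"name": container, "image": image}],
        },
    }


if __name__ == "__main__":
    chosen = least_privilege_candidate(SERVICE_ACCOUNTS_JSON, ROLE_BINDINGS_JSON,
                                       CLUSTER_ROLE_BINDINGS_JSON, NAMESPACE)
    print("least-privileged service account:", chosen)
    print(json.dumps(hardened_pod_manifest("frontend", NAMESPACE, chosen,
                                           "nginx", "nginx", "frontend"), indent=2))
```

The Group check matters in real clusters: a binding whose subject is `system:serviceaccounts:omni` grants the role to every service account in the namespace, including an otherwise "unbound" one, so the script reports nothing as unbound in that case instead of giving a false answer.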
