CKS Exam Series #1 Create Cluster & Security Best Practices

Kubernetes CKS Example Exam Question Series

Kim Wuestkamp
ITNEXT


CKS Exam Series | CKA Exam Series | CKAD Exam Series

#####################################

THIS CHALLENGE IS NO LONGER UPDATED HERE; IT HAS MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast; avoid creating YAML manually from scratch.
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you've done yours. You probably have a better one!

Today's Task: Create a CKS Cluster for studying and check Security Best Practices

This is the first task of this series, so it is more about preparation than about solving scenarios yourself. We think the best way to study for the CKS is to have your own cluster on hand.

This can be a simple cluster: one controlplane (master) and one node (worker), installed using kubeadm. This is the same cluster setup you'll work with in the CKS exam.

  1. Create two Virtual Machines
  2. Install the controlplane using kubeadm
  3. Install the node using kubeadm
  4. Add the node to the cluster
  5. Watch Kubernetes Best Practices and get mentally ready!

Solution

We’ll use Google Cloud (gcloud) in this series because it’s easy, simple and free thanks to the free credit. But you can create the necessary two VMs anywhere you like!

There is also a Vagrant repo by Preston Sheldon that people could use instead: https://github.com/pksheldon4/cks-cluster

1. Create two Virtual Machines

To create the VMs in Gcloud we can run:

Create cks-controlplane:

gcloud compute instances create cks-controlplane --zone=europe-west3-c \
--machine-type=e2-medium \
--image=ubuntu-1804-bionic-v20201014 \
--image-project=ubuntu-os-cloud \
--boot-disk-size=50GB

Create cks-node:

gcloud compute instances create cks-node --zone=europe-west3-c \
--machine-type=e2-medium \
--image=ubuntu-1804-bionic-v20201014 \
--image-project=ubuntu-os-cloud \
--boot-disk-size=50GB

You can also choose a different zone near you: https://cloud.google.com/compute/docs/regions-zones

2. Install Controlplane using Kubeadm

There is a repository for this challenge series containing the install scripts used below. Note that both commands pipe a script straight from GitHub into a root shell; as with any curl-to-shell installer, fetch the script first and read it if you want to know what it changes on your VM.

gcloud compute ssh cks-controlplane
> sudo -i
> bash <(curl -s https://raw.githubusercontent.com/killer-sh/cks-challenge-series/master/cluster-setup/latest/install_controlplane.sh)
exit
sudo -i # login again to get nicer bash with autocompletion

3. Install Node using Kubeadm

gcloud compute ssh cks-node
> sudo -i
> bash <(curl -s https://raw.githubusercontent.com/killer-sh/cks-challenge-series/master/cluster-setup/latest/install_node.sh)
exit
sudo -i # login again to get nicer bash with autocompletion

4. Add Node to the cluster

Copy the kubeadm join command which the install_controlplane.sh script prints on the controlplane VM, then run it as root on the node VM.

We could also create a new join token with: kubeadm token create --print-join-command --ttl 0. Note that --ttl 0 creates a bootstrap token that never expires; leave out --ttl to get the default 24h lifetime, or delete the token with kubeadm token delete <token> once the node has joined.

Afterwards both VMs should show up as nodes of the cluster; check with kubectl get nodes on the controlplane.
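The --discovery-token-ca-cert-hash in the join command is what stops the new node from trusting whatever happens to answer on port 6443, so it is worth checking before you paste the command into a node. As an added example that is not part of the original post or the killer-sh repository, the following POSIX shell script parses a join command, checks the token and hash format, refuses commands that skip CA verification, and, when openssl and the CA certificate are at hand, recomputes the hash from the controlplane's ca.crt using the openssl pipeline documented on kubernetes.io for kubeadm join. The sample join command, its endpoint and its hash are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a `kubeadm join`
# command before running it on the node. Checks token/hash format, refuses
# joins that opt out of CA pinning, and optionally recomputes the CA hash.
set -eu

# Constructed sample join command, not real cluster data; the hash is a placeholder.
SAMPLE_JOIN='kubeadm join 10.156.0.2:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef'

# Print the word that follows a flag (e.g. --token) in a join command; empty if absent.
join_arg() {
  printf '%s\n' "$1" | awk -v f="$2" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# Print the apiserver endpoint (third word of "kubeadm join <host:port> ...").
join_endpoint() {
  printf '%s\n' "$1" | awk '{ print $3 }'
}

# Bootstrap tokens have the form [a-z0-9]{6}.[a-z0-9]{16}.
valid_token_format() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The pinned hash must be "sha256:" followed by 64 hex characters.
valid_hash_format() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Succeeds only if the command pins the CA hash and does not opt out of verification.
join_is_pinned() {
  case "$1" in
    *--discovery-token-unsafe-skip-ca-verification*) return 1 ;;
  esac
  valid_hash_format "$(join_arg "$1" --discovery-token-ca-cert-hash)"
}

# Hash of a CA certificate as kubeadm computes it: SHA-256 over the DER-encoded
# SubjectPublicKeyInfo (openssl pipeline from the kubernetes.io kubeadm join docs).
ca_cert_hash() {
  openssl x509 -pubkey -in "$1" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Succeeds when the hash pinned in the join command matches the given ca.crt.
verify_join_hash() {
  pinned=$(join_arg "$1" --discovery-token-ca-cert-hash)
  [ "$pinned" = "sha256:$(ca_cert_hash "$2")" ]
}

# Combined gate: $1 = join command, $2 = path to ca.crt (hash comparison is
# skipped when the file is not readable or openssl is missing).
check_join_command() {
  valid_token_format "$(join_arg "$1" --token)" || { echo "bad or missing --token" >&2; return 1; }
  join_is_pinned "$1" || { echo "join command does not pin the CA hash" >&2; return 1; }
  if [ -r "$2" ] && command -v openssl >/dev/null 2>&1; then
    verify_join_hash "$1" "$2" || { echo "CA hash mismatch for $(join_endpoint "$1")" >&2; return 1; }
  fi
  echo "join command for $(join_endpoint "$1") looks sane"
}

# Demo on the constructed sample: format and pinning checks only (no CA file given).
check_join_command "$SAMPLE_JOIN" ""
# On the controlplane, right after install_controlplane.sh prints the real command:
#   check_join_command "$(kubeadm token create --print-join-command)" /etc/kubernetes/pki/ca.crt
```

Run it on the controlplane, where both the printed join command and /etc/kubernetes/pki/ca.crt are available: a hash mismatch there means you are looking at the wrong command, and a command without the hash should be regenerated rather than pasted into the node.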

5. Watch Kubernetes Security Best Practices

…and get mentally ready!

ALWAYS STOP YOUR INSTANCES when not in use, and only start again when needed, like:

gcloud compute instances stop cks-controlplane cks-node
gcloud compute instances start cks-controlplane cks-node

This saves you precious cloud resources!

You have a different solution?

Let us know by writing a comment below!

— — — The END — — —

So much for this first session. You should now already have a good K8s cluster as a base which you can use for studying and learning.

See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks


killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes