
CKS Exam Series #2 Pods, Secrets and ServiceAccounts

Kim Wuestkamp · Published in ITNEXT · 2 min read · Dec 13, 2020


CKS Exam Series | CKA Exam Series | CKAD Exam Series

#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you've done yours. You probably have a better one!

Today's Task: Pod with ServiceAccount uses Secrets

  1. Create new Namespace ns-secure and perform everything else in there
  2. Create ServiceAccount secret-manager
  3. Create Secret sec-a1 with any literal content of your choice
  4. Create Secret sec-a2 with any file content of your choice (like /etc/hosts)
  5. Create Pod secret-manager with image nginx which uses the new SA
  6. Make Secret sec-a1 available as environment variable SEC_A1
  7. Mount Secret sec-a2 into the Pod read-only under /etc/sec-a2
  8. Verify your solution worked

.

.

.

.

.

Solution

To solve this we're logged into our controlplane node cks-controlplane.

1.

alias k=kubectl
k create ns ns-secure

2.

k -n ns-secure create sa secret-manager

3.

k -n ns-secure create secret generic sec-a1 --from-literal user=admin

4.

k -n ns-secure create secret generic sec-a2 --from-file index=/etc/hosts

5. 6. 7.

k -n ns-secure run secret-manager --image=nginx -oyaml --dry-run=client > pod.yaml

Now edit the yaml so that the Pod uses the ServiceAccount secret-manager, gets the environment variable SEC_A1 from Secret sec-a1 and mounts Secret sec-a2 read-only at /etc/sec-a2.
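The edited manifest did not survive in this copy of the post, so the following is a reconstruction added here, not the author's original file. It starts from the pod.yaml that `kubectl run ... --dry-run=client -oyaml` produces in step 5 and adds what the task asks for: `serviceAccountName`, an `env` entry that reads key `user` of sec-a1 (the key used with `--from-literal` in step 3), and a Secret volume for sec-a2 mounted read-only at /etc/sec-a2. Everything apart from those three additions is the generated boilerplate.

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: secret-manager
  name: secret-manager
  namespace: ns-secure          # set because step 5 ran with -n ns-secure
spec:
  serviceAccountName: secret-manager   # task 5: use the new SA
  containers:
  - image: nginx
    name: secret-manager
    resources: {}
    env:
    - name: SEC_A1                     # task 6: Secret as environment variable
      valueFrom:
        secretKeyRef:
          name: sec-a1
          key: user                    # key created in step 3 (--from-literal user=admin)
    volumeMounts:
    - name: sec-a2                     # task 7: Secret mounted read-only
      mountPath: /etc/sec-a2
      readOnly: true
  volumes:
  - name: sec-a2
    secret:
      secretName: sec-a2               # key "index" from step 4 becomes /etc/sec-a2/index
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
```

With this manifest the verification in step 8 shows `SEC_A1=admin` in the container environment and a tmpfs mounted on /etc/sec-a2 with the `ro` flag; the file content from step 4 is readable at /etc/sec-a2/index. The kubelet mounts Secret volumes read-only regardless, so `readOnly: true` mainly documents intent. Two things worth remembering outside the exam: a Secret exposed as an environment variable is visible to anyone who can `exec` into the Pod or read the process environment and is not refreshed when the Secret changes, whereas a mounted Secret is updated in place; and Secret values are only base64-encoded in etcd unless encryption at rest is configured.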

8.

And to verify:

k -f pod.yaml create
k -n ns-secure exec secret-manager -- env | grep SEC
k -n ns-secure exec secret-manager -- mount | grep sec

You have a different solution?

Let us know by writing a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks



Written by Kim Wuestkamp

killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes
