CKS Exam Series #3 Immutable Pods
Kubernetes CKS Example Exam Question Series

UPDATE: This challenge won't be updated here any more and has moved to:
https://killercoda.com/killer-shell-cks
Content
- Create Cluster & Security Best Practices
- Pods, Secrets and ServiceAccounts
- Immutable Pods
- Crash that Apiserver & check logs
- ImagePolicyWebhook / AdmissionController
- Users and CertificateSigningRequests
- ServiceAccount Token Mounting
- Role Based Access Control (RBAC)
- Role Based Access Control (RBAC) v2
- Container Hardening
- NetworkPolicies (Default Deny + Allowlist)
Rules!
- Be fast, avoid creating yaml manually from scratch
- Use only kubernetes.io/docs for help.
- Check our solution after you did yours. You probably have a better one!
Today's Task: Make Pods immutable
- Create Pod holiday with two containers c1 and c2 of image bash:5.1.0, ensure the containers keep running
- Create Deployment snow of image nginx:1.19.6 with 3 replicas
- Force container c2 of Pod holiday to run immutable: no files can be changed during runtime
- Make sure the container of Deployment snow will run immutable. Then make the necessary paths writable for Nginx to work.
- Verify everything
Solution
1.
alias k=kubectl
k run holiday --image=bash:5.1.0 --command -oyaml --dry-run=client -- sh -c 'sleep 1d' > holiday.yaml
vim holiday.yaml
Add second container and change container names:
2.
k create deploy snow --image=nginx:1.19.6 -oyaml --dry-run=client > snow.yaml
vim snow.yaml
Change the replicas:
3.
vim holiday.yaml
Add a securityContext on container level (only c2 has to be immutable):
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: holiday
  name: holiday
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1d
    image: bash:5.1.0
    name: c1
    resources: {}
  - command:
    - sh
    - -c
    - sleep 1d
    image: bash:5.1.0
    name: c2
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
4.
The idea is to make the whole root filesystem read-only first, then start the Pod and check the container logs for errors. Based on those errors we create emptyDir volumes for exactly the paths that need to be writable. Errors could look like:
"/var/cache/nginx/client_temp" failed (30: Read-only file system)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)
With just Docker we could do something like:
docker run -d --read-only --tmpfs /var/cache nginx
To do this in a Deployment:
vim snow.yaml
Add volumes and volume mounts:
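The following is an added, complete snow.yaml for this step; it is not the manifest from the original post. The labels (app: snow) and the container name (nginx) are what k create deploy generates, and the two writable paths are an assumption based on the log errors nginx:1.19.6 typically produces with a read-only root filesystem: /var/cache/nginx for its temp directories and /var/run for nginx.pid. Confirm them against your own container logs as described above.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: snow
spec:
  replicas: 3
  selector:
    matchLabels:
      app: snow
  template:
    metadata:
      labels:
        app: snow
    spec:
      containers:
      - name: nginx
        image: nginx:1.19.6
        securityContext:
          readOnlyRootFilesystem: true   # image layers and config stay immutable
        volumeMounts:
        - name: cache                    # assumed: nginx temp dirs such as client_temp
          mountPath: /var/cache/nginx
        - name: run                      # assumed: nginx.pid
          mountPath: /var/run
      volumes:
      - name: cache
        emptyDir: {}                     # ephemeral, per-Pod scratch space
      - name: run
        emptyDir: {}
```

Because the writable paths are emptyDir volumes rather than a relaxed securityContext, the container cannot modify anything shipped in the image, and whatever nginx writes is discarded when the Pod goes away. Apply with k apply -f snow.yaml and check k logs on one of the replicas: if a further "Read-only file system" error shows up, add another emptyDir for that path instead of dropping readOnlyRootFilesystem.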
5.
k exec holiday -c c1 -- touch /tmp/test # works
k exec holiday -c c2 -- touch /tmp/test # error
k get deploy snow # should show 3 ready replicas
k exec snow-575cd78c85-ldplw -- touch /tmp/test # error
k exec snow-575cd78c85-ldplw -- touch /var/cache/nginx/test # works
You have a different solution?
Let us know by leaving a comment below!
— — — The END — — —
So much for this session. See you at the next one and happy learning!