ITNEXT

ITNEXT is a platform for IT developers & software engineers to share knowledge, connect…


CKS Exam Series #3 Immutable Pods

Kim Wuestkamp
Published in ITNEXT
Dec 21, 2020

CKS Exam Series | CKA Exam Series | CKAD Exam Series

##### UPDATE UPDATE UPDATE #####

THIS CHALLENGE WON’T BE UPDATED HERE AND HAS MOVED TO:

https://killercoda.com/killer-shell-cks

##### UPDATE UPDATE UPDATE #####

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you have done yours. You probably have a better one!

Today's Task: Make Pods immutable

  1. Create Pod holiday with two containers c1 and c2 of image bash:5.1.0, and ensure the containers keep running
  2. Create Deployment snow of image nginx:1.19.6 with 3 replicas
  3. Force container c2 of Pod holiday to run immutable: no files can be changed during runtime
  4. Make sure the container of Deployment snow will run immutable. Then make necessary paths writable for Nginx to work.
  5. Verify everything

.

.

.

.

.

Solution

1.

alias k=kubectl
k run holiday --image=bash:5.1.0 --command -oyaml --dry-run=client -- sh -c 'sleep 1d' > holiday.yaml
vim holiday.yaml

Add second container and change container names:

2.

k create deploy snow --image=nginx:1.19.6 -oyaml --dry-run=client > snow.yaml
vim snow.yaml

Change the replicas:

3.

vim holiday.yaml

Add a securityContext on container level (only for c2, so c1 stays writable):

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: holiday
  name: holiday
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1d
    image: bash:5.1.0
    name: c1
    resources: {}
  - command:
    - sh
    - -c
    - sleep 1d
    image: bash:5.1.0
    name: c2
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

4.

The idea is to make the whole filesystem read-only, then start the Pod and check the container logs for errors. Based on those errors we can add emptyDir volumes for exactly the paths that need to be writable. Errors could look like:

"/var/cache/nginx/client_temp" failed (30: Read-only file system)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)

With plain Docker the equivalent would be a read-only container with a tmpfs mounted for the cache:

docker run -d --read-only --tmpfs /var/cache nginx

To do this in a Deployment:

vim snow.yaml

Add volumes and volume mounts:
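As an added example (not the screenshot from the original post), this is what snow.yaml can look like after this step: readOnlyRootFilesystem on the container, plus emptyDir volumes for the paths Nginx writes to. The /var/cache/nginx mount comes from the error above; the /var/run mount for the pid file is an assumption about the official nginx image, not something the page lists.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: snow
  name: snow
spec:
  replicas: 3
  selector:
    matchLabels:
      app: snow
  template:
    metadata:
      labels:
        app: snow
    spec:
      containers:
      - image: nginx:1.19.6
        name: nginx
        securityContext:
          readOnlyRootFilesystem: true   # everything not mounted below stays immutable
        volumeMounts:
        - name: cache
          mountPath: /var/cache/nginx    # path reported in the read-only error in the logs
        - name: run
          mountPath: /var/run            # assumed: nginx writes nginx.pid here
      volumes:
      - name: cache
        emptyDir: {}                     # writable scratch space, discarded with the Pod
      - name: run
        emptyDir: {}
```

After applying, `k logs deploy/snow` should no longer show "Read-only file system" errors; if it does, the path in the error is the next emptyDir mount to add.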

5.

k exec holiday -c c1 -- touch /tmp/test # works
k exec holiday -c c2 -- touch /tmp/test # error
k get deploy snow # should show 3 ready replicas
k exec snow-575cd78c85-ldplw -- touch /tmp/test # error
k exec snow-575cd78c85-ldplw -- touch /var/cache/nginx/test # works

You have a different solution?

Let us know by leaving a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks


Written by Kim Wuestkamp

killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes
