Security - Admission Controllers Flashcards

1
Q

Where is the certificate located that kubectl uses by default?

A

root/.kube/config

2
Q

What can you do if you want, for example, to permit only images from certain registries, or to forbid running as the root user?

A

You use an Admission Controller for that.

It enforces how a cluster is used.

3
Q

What can an Admission Controller do?

A
  • validate the configuration
  • change (mutate) the request
  • perform additional operations before the pod is created
  • and a lot more
4
Q

Name a few Admission Controllers that are enabled by default

A
  • AlwaysPullImages
  • DefaultStorageClass
  • EventRateLimit
  • NamespaceExists
  • and many more
5
Q

How can you see all admission controllers that are already enabled?

A

ps -ef | grep kube-apiserver

6
Q

How do you add an Admission Controller?

A

Add the flag to kube-apiserver.yaml:

--enable-admission-plugins=…

7
Q

How do you disable an Admission Controller?

A

Add the flag to the kube-apiserver service/yaml:

--disable-admission-plugins=…

8
Q

How do you apply changes to the kube-apiserver?

A

Change the YAML under /etc/kubernetes/manifest/kube-apiserver.yaml

9
Q

What kind of Admission Controllers exist?

A
  • Validating Admission Controller
  • Mutating Admission Controller
  • some can do both
10
Q

In what sequence are Admission Controllers invoked?

A
  • first the Mutating ACs
  • then the Validating ACs
11
Q

Which Admission Controllers are the basis for writing your own?

A
  • MutatingAdmissionWebhook
  • ValidatingAdmissionWebhook
12
Q

How do Mutating/Validating AdmissionWebhooks work?

A
  • we run our own Admission Webhook server (outside or inside the cluster)
  • it has our own AdmissionWebhook service running
  • after a request has gone through all other ACs, it hits the AdmissionWebhook controllers
  • these then call the webhook service with an AdmissionReview object, and get an answer back in the form of an AdmissionReview object containing an ‘allowed’ value
13
Q

What does an Admission Webhook configuration look like?

A

yaml:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "pod-policy.example.com"
webhooks:
- name: "pod-policy.example.com"
  clientConfig:              # location of our webhook server
    url: "....."             # if deployed outside the cluster
    service:                 # or, if deployed inside the cluster
      namespace: "webhook-namespace"
      name: "webhook-service"
    caBundle: "Ci0.."
  rules:                     # only call the service when the following happens
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE"]
      resources: ["pods"]
      scope: "Namespaced"
14
Q

With what grep option can you see more than one line around a match?

A

grep -A2 security
-> shows the two lines after where "security" was first found
