Secure Kubernetes Services. Exam Questions With 100% Correct Answers
0 view 0 purchase
Course
Secure Kubernetes Services
Institution
Secure Kubernetes Services
Secure Kubernetes Services. Exam Questions
With 100% Correct Answers
A client asked for help with controlling the access mechanism to a set of IKS clusters across
different environments. Besides controlling access via IBM Cloud IAM permissions to the IKS
clusters, what other security configurat...
Secure Kubernetes Services. Exam Questions
With 100% Correct Answers
A client asked for help with controlling the access mechanism to a set of IKS clusters across
different environments. Besides controlling access via IBM Cloud IAM permissions to the IKS
clusters, what other security configuration could be implemented to limit the risk of unauthorized
access? - answer✔Create an allowlist for the IKS API server.
What is the minimum permission required for a developer who wants to integrate the
application's CD pipeline to the IKS cluster? - answer✔Create a service account and role binding
for the namespace.
What pod security policy should be assigned so that the team has only the required level of
access and nothing extra when the application deployment team needs to deploy pods on the
IBM Cloud Kubernetes service that can create host path volumes and can run with any user ID
and group ID? - answer✔ibm-anyuid-hostpath-psp-user
How can it be verified if a resource configuration of a new IKS cluster is following security best
practices? - answer✔Integrate the IKS cluster with the Security and Compliance Center.
How do you isolate IKS clusters deployed on a public network? - answer✔Apply Calico public
network policies on top of the default policies.
A production IKS cluster in a VPC has three worker nodes without any public exposure. The
IKS cluster needs to access the IBM Cloud Container registry. Describe how this security control
can be implemented. - answer✔Apply the Calico private network policies to allow private
services.
Describe how the Calico network policy blocks traffic at the Kubernetes interfaces. -
answer✔Using Linux iptables
A client is running a firewall at their site and recently chose IKS in IBM Cloud but is unable to
access their IKS cluster. List the correct sequence of commands to get the service endpoint and
port number to add into the firewall in order to allow access. - answer✔(1) ibmcloud login [--
sso] (2) ibmcloud target -g <resource-group> (3) ibmcloud ks cluster get --cluster <cluster name
or id> (4) curl --insecure <endpoint>/version
Describe the significance of creating an allowlist for the private cloud service endpoint in a
multizone VPC Red Hat OpenShift cluster on IBM Cloud. - answer✔Only authorized requests to
the cluster masters that originate from subnets
What is the minimum IBM Cloud IAM platform access required for a new SRE who is
responsible for updating, adding/replacing worker nodes, and troubleshooting/reloading worker
nodes of Red Hat OpenShift on the IBM Cloud cluster? - answer✔Operator role
What security policy is applied to VPC subnets that control traffic to and from a VPC cluster in
Red Hat OpenShift on IBM Cloud? - answer✔Access Control Lists
What network security option on the worker node endpoint controls traffic to and from a VPC
cluster on Red Hat OpenShift on IBM Cloud? - answer✔Kubernetes network policies
Worker-to-Worker node communication on Red Hat OpenShift on IBM Cloud requires UDP,
TCP, VRRP, and IPEncap traffic to be allowed. Describe what is needed to allow pod-to-pod
traffic across subnets. - answer✔IPEncap
For Red Hat OpenShift on IBM Cloud Classic Infrastructure, which software-defined network
can be used to act as a cluster firewall? - answer✔Calico
What two endpoints allow clients running the IBM Cloud Satellite location to connect to a
service, server, or application that runs outside the location, or allows clients connected to the
IBM Cloud private network connect to a service, server, or application in the IBM Cloud
Satellite location? - answer✔Cloud endpoint / Location endpoint
By default, __________ is how data is transported over an IBM Cloud Satellite link secured
between source and destination resources. - answer✔Using TLS 1.3 encryption managed by IBM
How do we expose the private service endpoint? - answer✔We can expose Private Cloud Service
Endpoint of the Kubernetes master by using a private network load balancer (NLB)
When to use Public Cloud service endpoint? - answer✔Use a public Cloud service endpoint to
access services from the internet.
How to control who has access to the Private cloud service endpoint across different
environments in Kubernetes service clusters? - answer✔Users can create a Subnet Allowlist to
control access to the Private cloud service endpoint
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller sirjoel. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $11.49. You're not tied to anything after your purchase.
