Question 10

Question

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect. Fix all of the following violations that were found against the API server:- a. Ensure the --authorization-mode argument includes RBAC b. Ensure the --authorization-mode argument includes Node c. Ensure that the --profiling argument is set to false Fix all of the following violations that were found against the Kubelet:- a. Ensure the --anonymous-auth argument is set to false. b. Ensure that the --authorization-mode argument is set to Webhook. Fix all of the following violations that were found against the ETCD:- a. Ensure that the --auto-tls argument is not set to true Hint: Take the use of Tool Kube-Bench

Nina · Answer

Official docs and Kube-Bench walkthroughs cover these config flags really well. Worth practicing changes in a live lab.

Reese D. · Answer

Totally agree, for kubelet config you need to do a manual systemctl restart. Editing the manifests auto-reloads API server and ETCD though.

CalmLearner9171 · Answer

Does editing the manifests always auto-restart API server and ETCD pods, or do we ever need to restart manually?

Quinn G. · Answer

I get a bit confused with these flags, but looks like for API server you need both RBAC and Node in -authorization-mode plus set -profiling=false. For kubelet, it's setting anonymous-auth: false and authorization-mode: Webhook. ETCD should NOT have -auto-tls=true. Not 100% sure if just editing the manifests autorestarts all, can someone confirm?

FriendlyLearner4978 · Answer

Edit the manifests as described and kubelet will auto-restart those pods, but for kubelet config just remember to run systemctl restart kubelet manually or new flags won’t kick in.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE