Analyze and edit the given Dockerfile:

    FROM ubuntu:latest
    RUN apt-get update -y
    RUN apt-install nginx -y
    COPY entrypoint.sh /
    ENTRYPOINT ["/entrypoint.sh"]
    USER ROOT

Fix two instructions present in the file that are prominent security best-practice issues.

Analyze and edit the deployment manifest file:

    apiVersion: v1
    kind: Pod
    metadata:
      name: security-context-demo-2
    spec:
      securityContext:
        runAsUser: 1000
      containers:
      - name: sec-ctx-demo-2
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          runAsUser: 0
          privileged: True
          allowPrivilegeEscalation: false

Fix two fields present in the file that are prominent security best-practice issues.

Don't add or remove configuration settings; only modify the existing configuration settings. Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487.
Discussion
Pin the Dockerfile base image to ubuntu:20.04 and switch USER to test-user. In the manifest, set runAsUser: 5487 and privileged: false.
Pin the base image version and run as test-user, set runAsUser: 5487 and privileged: false.
Anyone seen a similar CKS question with these exact Ubuntu and UID values before?
Pinning ubuntu:20.04 is a must for reproducibility, and using test-user instead of root drops privileges in both files. Also, setting privileged: false keeps the pod from getting extra permissions. Pretty sure that's what they're looking for here.
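
A small static check for the four settings this question turns on, written in Python as an added example (it is not part of the original question or the discussion). The function names and sample strings are assumptions made for illustration, and the manifest check is line-based rather than a full YAML parse.

```python
import re

def audit_dockerfile(text):
    """Flag an unpinned base image and a final USER that is root or unset."""
    findings, last_user = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1]
        if instr == "FROM":
            image = next((t for t in arg.split() if not t.startswith("--")), "")
            name = image.rsplit("/", 1)[-1]  # drop any registry host:port
            tag = name.split(":", 1)[1] if ":" in name else ""
            if "@sha256:" not in image and tag in ("", "latest"):
                findings.append(f"FROM {image}: base image is not pinned")
        elif instr == "USER":
            last_user = arg.split(":")[0].strip()
    # Compared case-insensitively so the question's "USER ROOT" is caught.
    if last_user is None or last_user.lower() in ("root", "0"):
        findings.append(f"final USER is {last_user or 'unset'}")
    return findings

def audit_manifest(text):
    """Line-based check (no YAML parser) for runAsUser: 0 and privileged: true."""
    risky = {("runAsUser", "0"), ("privileged", "true")}
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*(runAsUser|privileged)\s*:\s*([^\s#]+)", line)
        if m and (m.group(1), m.group(2).strip("'\"").lower()) in risky:
            findings.append(f"line {n}: {m.group(1)}: {m.group(2)}")
    return findings

# Constructed samples: excerpts of the question's files and the discussed fix.
FLAWED_DOCKERFILE = """FROM ubuntu:latest
COPY entrypoint.sh /
USER ROOT
"""
FIXED_DOCKERFILE = FLAWED_DOCKERFILE.replace(":latest", ":20.04").replace("ROOT", "test-user")
FLAWED_MANIFEST = """spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    securityContext:
      runAsUser: 0
      privileged: True
"""
FIXED_MANIFEST = FLAWED_MANIFEST.replace("runAsUser: 0", "runAsUser: 5487").replace("True", "false")
```

Each function returns a list of findings: two for each of the question's files, and an empty list for the versions edited as the discussion describes.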