Exam CKAD Topic 2 Question 116 Discussion
Actual exam question for Linux Foundation's CKAD exam
Question #: 116
Topic #: 2
Question #: 116
Topic #: 2
You are running a web application on a Kubernetes cluster, and you want to ensure that thecontainer running your application is protected from potential security vulnerabilities. You are specifically concerned about unauthorized access to the container's filesystem. Explain how you would implement AppArmor profiles to restrict access to the container's filesystem.
Suggested Answer:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Define the AppArmor Profile:
- Create a new AppArmor profile file, for example, 'nginx-apparmor.conf, within your Kubernetes configuration directory.
- Within this file, define the restrictions for the container.
- For instance, to allow access to specific directories and files:
# include common AppArmor profile
include /etc/apparmor.d/abstractions/base/nginx.apparmor
# Allow access to specific directories
/var/www/html r,
/etc/nginx r,
# Allow access to specific files
/etc/nginx/nginx.conf r,
/usr/sbin/nginx r,
# Deny access to all other files and directories
Deny
2. Load the AppArmor Profile:
- Use the create configmap' command to create a ConfigMap containing your AppArmor profile:
Bash
kubectl create configmap nginx-apparmor-profile --from-file=nginx-apparmor.conf
3. Apply the Profile to Your Deployment:
- Update your Deployment YAML file to include the AppArmor profile:
4. Restart the Pods: - Apply the updated Deployment YAML using 'kubectl apply -f nginx-deployment.yaml' - The updated deployment will restart the pods with the new AppArmor profile. 5. Verify the Profile: - Check the status of the pods with 'kubectl describe pod - Look for the "Security Context" section and verify that the AppArmor profile is correctly applied. 6. Test the Restrictions: - Try to access files or directories that are not allowed by your AppArmor profile. - This will help you confirm that the profile is effectively restricting access.
Explanation:
Solution (Step by Step) :
1. Define the AppArmor Profile:
- Create a new AppArmor profile file, for example, 'nginx-apparmor.conf, within your Kubernetes configuration directory.
- Within this file, define the restrictions for the container.
- For instance, to allow access to specific directories and files:
# include common AppArmor profile
include /etc/apparmor.d/abstractions/base/nginx.apparmor
# Allow access to specific directories
/var/www/html r,
/etc/nginx r,
# Allow access to specific files
/etc/nginx/nginx.conf r,
/usr/sbin/nginx r,
# Deny access to all other files and directories
Deny
2. Load the AppArmor Profile:
- Use the create configmap' command to create a ConfigMap containing your AppArmor profile:
Bash
kubectl create configmap nginx-apparmor-profile --from-file=nginx-apparmor.conf
3. Apply the Profile to Your Deployment:
- Update your Deployment YAML file to include the AppArmor profile:
4. Restart the Pods: - Apply the updated Deployment YAML using 'kubectl apply -f nginx-deployment.yaml' - The updated deployment will restart the pods with the new AppArmor profile. 5. Verify the Profile: - Check the status of the pods with 'kubectl describe pod - Look for the "Security Context" section and verify that the AppArmor profile is correctly applied. 6. Test the Restrictions: - Try to access files or directories that are not allowed by your AppArmor profile. - This will help you confirm that the profile is effectively restricting access.
by Antony at May 20, 2026, 04:11 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).