Kubernetes Assignment 6

Security, Monitoring & Logging

Basic Questions

  1. Create a ServiceAccount named dev-user in the default namespace.
  2. Create a Role that allows listing Pods in the default namespace.
  3. Bind the Role to the dev-user ServiceAccount using a RoleBinding.
  4. Use kubectl auth can-i to check if dev-user can list Pods.
  5. Create a Role that allows creating ConfigMaps in a namespace.
  6. Create a ClusterRole that allows viewing nodes.
  7. Bind the ClusterRole to a ServiceAccount using a ClusterRoleBinding.
  8. Create a simple NetworkPolicy that denies all ingress traffic to Pods.
  9. Create a NetworkPolicy that only allows traffic from Pods with label role=frontend.
  10. Verify NetworkPolicy enforcement by testing Pod-to-Pod communication.
  11. Create a Secret with a username and password in base64 encoding.
  12. Mount the Secret into a Pod as environment variables.
  13. Enable encryption at rest for Secrets by editing the API server config.
  14. Deploy Prometheus using a Helm chart.
  15. Access the Prometheus UI inside the cluster.
  16. Deploy Grafana using a Helm chart.
  17. Add Prometheus as a data source in Grafana.
  18. Import a pre-built Kubernetes monitoring dashboard in Grafana.
  19. Deploy an Elasticsearch Pod using a Helm chart.
  20. Deploy Kibana and connect it to Elasticsearch.

Intermediate Questions

  1. Create a Role that allows viewing, creating, and deleting Pods in a namespace.
  2. Restrict a user to only use the dev namespace via RBAC.
  3. Create a RoleBinding for a specific user and verify access.
  4. Deny egress traffic for a Pod using a NetworkPolicy.
  5. Allow ingress traffic only on port 80 using a NetworkPolicy.
  6. Create a NetworkPolicy that allows Pods in the frontend namespace to access Pods in the backend namespace.
  7. Apply Pod Security Standards by enforcing the restricted profile at the namespace level.
  8. Deploy a Pod as non-root and verify with kubectl exec.
  9. Add resource requests and limits to a Pod for security best practices.
  10. Create a Secret with TLS certificate and mount it into an Nginx Pod.
  11. Deploy Prometheus Operator for advanced monitoring.
  12. Configure Prometheus to scrape metrics from a custom app endpoint.
  13. Deploy Grafana with persistent storage enabled.
  14. Create a custom Grafana dashboard with CPU and memory metrics.
  15. Deploy Fluentd as a DaemonSet for log collection.
  16. Connect Fluentd to Elasticsearch and verify logs are ingested.
  17. Deploy Kibana and create an index pattern to view logs.
  18. Compare the EFK and ELK logging stacks in a short write-up.
  19. Expose Grafana and Kibana using Ingress resources.
  20. Document security best practices for managing Kubernetes Secrets.

Advanced Questions

  1. Create an RBAC policy that restricts a ServiceAccount to only read Pods and ConfigMaps in a namespace.
  2. Assign the policy to a user and test with kubectl commands.
  3. Configure a NetworkPolicy that allows only Pods labeled app=api to talk to app=db Pods on port 3306.
  4. Deploy a Pod with a PodSecurityContext that runs as non-root with a read-only root filesystem.
  5. Enable Secrets encryption at rest and validate by inspecting the etcd database.
  6. Deploy Prometheus and Grafana using a single Helm chart (kube-prometheus-stack).
  7. Create Grafana alerts for high Pod CPU usage.
  8. Integrate Prometheus alerts with Slack or email.
  9. Deploy an EFK stack (Elasticsearch, Fluentd, Kibana) with persistent storage.
  10. Deliver a final hands-on project:
    • Create namespace secure-app
    • Deploy an app Pod with restricted PodSecurityContext
    • Use RBAC to give read-only access to secure-app namespace
    • Apply NetworkPolicy to restrict traffic to the app
    • Deploy Prometheus + Grafana to monitor the app
    • Deploy EFK stack to collect and visualize app logs
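The manifests for the first four steps of the final project, as an added example that is not part of the assignment sheet: the secure-app namespace with the restricted Pod Security Standard enforced, a non-root Pod with a read-only root filesystem, a read-only Role bound to the dev-user ServiceAccount from the Basic section, and a NetworkPolicy that admits only frontend Pods. The image, the app=secure-app and role=frontend labels, and port 8080 are assumptions; the Prometheus/Grafana and EFK Helm deployments are not shown.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: secure-app
  labels:
    pod-security.kubernetes.io/enforce: restricted   # enforce the restricted PSS profile
---
apiVersion: v1
kind: Pod
metadata: {name: app, namespace: secure-app, labels: {app: secure-app}}
spec:
  securityContext:
    runAsNonRoot: true                  # kubelet refuses to start a container running as uid 0
    seccompProfile: {type: RuntimeDefault}
  containers:
  - name: app
    image: nginxinc/nginx-unprivileged  # assumption: a non-root image listening on 8080
    ports: [{containerPort: 8080}]
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities: {drop: ["ALL"]}
    resources: {requests: {cpu: 100m, memory: 64Mi}, limits: {cpu: 250m, memory: 128Mi}}
    volumeMounts: [{name: tmp, mountPath: /tmp}]   # the only writable path on a read-only rootfs
  volumes: [{name: tmp, emptyDir: {}}]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: secure-app-reader, namespace: secure-app}
rules:
- apiGroups: [""]
  resources: ["pods", "configmaps"]
  verbs: ["get", "list", "watch"]       # read-only: no create, update or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: secure-app-reader, namespace: secure-app}
subjects:
- {kind: ServiceAccount, name: dev-user, namespace: default}
roleRef: {kind: Role, name: secure-app-reader, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: app-ingress, namespace: secure-app}
spec:
  podSelector: {matchLabels: {app: secure-app}}   # applies to the app Pod only
  policyTypes: [Ingress]                          # any ingress not listed below is denied
  ingress:
  - from: [{podSelector: {matchLabels: {role: frontend}}}]
    ports: [{port: 8080, protocol: TCP}]
```

Apply with kubectl apply -f and check the read-only binding with kubectl auth can-i create pods -n secure-app --as=system:serviceaccount:default:dev-user, which should answer no. NetworkPolicy is only enforced when the cluster's CNI plugin supports it, so test Pod-to-Pod reachability from both a role=frontend Pod and an unlabeled Pod.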