系列文章目录
【CKS最新模拟真题】获取多个集群的上下文名称并保存到指定文件中
文章目录
- 系列文章目录
- 参考地址
- 一、TASK
- 二、解题过程
- 1、问题一解题
- 2、问题二解题
参考地址
CKS考试允许打开falco的地址
https://falco.org/docs/reference/rules/supported-fields/
一、TASK
英文题目要求
Solve this question on: ssh cks7262
Falco is installed on worker node cks7262-node1. Connect using ssh cks7262-node1 from cks7262. There is file /etc/falco/rules.d/falco_custom.yaml with rules that help you to:
Find a Pod running image httpd which modifies /etc/passwd.
Scale the Deployment that controls that Pod down to 0.
Find a Pod running image nginx which triggers rule Package management process launched.
Change the rule log text after Package management process launched to only include:
time-with-nanosconds,container-id,container-name,user-name
Collect the logs for at least 20 seconds and save them under /opt/course/2/falco.log on cks7262.
Scale the Deployment that controls that Pod down to 0.
中译
在以下位置解决此问题:ssh cks7262
Falco 安装在 worker node cks7262-node1上。使用 from 进行连接 。有一些 包含规则的文件可帮助您:
ssh cks7262-node1
/etc/falco/rules.d/falco_custom.yaml
1、找到一个pod镜像为httpd的然后 修改 /etc/passwd
将 控制该 Pod 的 Deployment 缩减为 0。
2、找到触发 规则 的 Pod 运行镜像 。nginxPackage management process launched
将规则日志文本Package management process launched更改为 only include:
time-with-nanosconds,container-id,container-name,user-name
收集日志至少 20 秒,并将其保存在cks7262节点的 /opt/course/2/falco.log中
将 控制该 Pod 的 Deployment 缩减为 0。
二、解题过程
1、问题一解题
过程如下(示例):
#按要求连接对应的集群
candidate@terminal:~$ ssh cks7262#切换到root用户下,防止普通用户操作写入文件没权限
candidate@cks7262:~$ sudo -i#连接到指定的node1节点上
root@cks7262:~# ssh cks7262-node1#检查所提到的falco_custom.yaml 文件
root@cks7262:~# ll /etc/falco/rules.d/#获取pod镜像为httpd的然后将副本数修改为0
root@cks7262:~# kubectl get deployment -oyaml |grep 'cks7262-node1'|grep httpd
root@cks7262:~# kubectl scale deployment -n team-purple --replicas=0 rating-service
2、问题二解题
过程如下(示例):
#按要求连接对应的集群
candidate@terminal:~$ ssh cks7262#切换到root用户下,防止普通用户操作写入文件没权限
candidate@cks7262:~$ sudo -i#连接到指定的node1节点上
root@cks7262:~# ssh cks7262-node1#检查所提到的falco_custom.yaml 文件
root@cks7262:~# cd /etc/falco/rules.d/#修改题目中提到的falco_custom.yaml 文件
root@cks7262:rules.d# cp - p falco_custom.yaml falco_custom.yaml_bak
root@cks7262:rules.d# vim falco_custom.yaml
- rule: Launch Package Management Process in Containerdesc: Package management process ran inside containercondition: >spawned_processand containerand user.name != "_apt"and package_mgmt_procsand not package_mgmt_ancestor_procsoutput: >Package management process launched %evt.time,%container.id,%container.name,%user.name #changepriority: ERRORtags: [process, mitre_persistence]#收集20秒日志,然后将日志复制到 cks7262节点中的/opt/course/2/falco.log文件中
root@cks7262-node1:rules.d# falco -M 20
root@cks7262-node1:rules.d# exit
root@cks7262:~# vim /opt/course/2/falco.log #粘贴日志#根据日志产生的容器id找对应的pod及命名空间
root@cks7262:~# crictl ps -id 819f9 #如果没有则在node1上找
root@cks7262-node1:rules.d# crictl ps -id 819f9
root@cks7262-node1:rules.d# crictl pods -id 23e88 #取得日志文件中容器id对应的pod名称和命名空间名称#将查找出来的pod删除
root@cks7262:~# kubectl scale deployment --replicas=0 -n team-blue webapi
![【洛谷】B3844 [GESP样题 二级] 画正方形(详细注释)](https://i-blog.csdnimg.cn/direct/6ec0fd13240f4d508347ce6c61279172.png)
