Challenge, Medium,  on  Kubernetes

Enforce Immutable Container

Scenario

You are required to convert the existing Pod manifest into an immutable container by enforcing Kubernetes security best practices while ensuring that nginx continues to operate correctly.

A Pod manifest is located at:

/home/laborant/immutable/api-server.yaml

Configure the container to use a read-only root filesystem and disable privilege escalation.

Add emptyDir volumes and mount them at /var/cache/nginx and /var/run. Without these, nginx cannot write its runtime files and the Pod will fail to start.

Update and apply the manifest, then attempt to create a file inside the container and store the resulting read-only filesystem error in:

/home/laborant/immutable/error.log

Do not modify the container image. Update the manifest with the required security context and volumes, then apply it.

Hint

Use emptyDir: {} volumes and mount them to /var/cache/nginx and /var/run. Use kubectl exec to try creating a file outside the writable mounts, then redirect stderr to the error log file using 2>. See the official docs: Configure a Security Context

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge enforce-immutable-container-27a225d5

This will create a local copy of the challenge content in a directory named enforce-immutable-container-27a225d5. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge enforce-immutable-container-27a225d5

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge