CKS Exam Questions
135 real CKS exam questions with expert-verified answers and explanations. Page 1 of 3.
- Question #1: Minimize Microservice Vulnerabilities
  Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default. Create a new Pod named backe...
  Tags: ServiceAccounts, RBAC, Least Privilege, Pod Security
- Question #1: Runtime Security
  Create a new ServiceAccount backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default. Create a new Pod named backend-pod...
  Tags: ServiceAccounts, RBAC, Pod Security, Least Privilege
- Question #2: Cluster Hardening
  Fix all issues via configuration and restart the affected components to ensure the new setting takes effect. Fix all of the following violations that were found against the API ser...
  Tags: API Server Hardening, Kubelet Security, ETCD Configuration, CIS Benchmarks
- Question #2: Cluster Hardening
  Fix all issues via configuration and restart the affected components to ensure the new setting takes effect. Fix all of the following violations that were found against the API ser...
  Tags: Kubernetes Hardening, API Server Security, Kubelet Security, ETCD Security
- Question #3: Cluster Hardening
  Ensure that the --authorization-mode argument is set to Webhook.
  Tags: Kubernetes API Server, Authorization, Webhook, Control Plane Security
- Question #3: Cluster Hardening
  Ensure that the --profiling argument is set to false.
  Tags: profiling, security configuration, cluster hardening, attack surface reduction
- Question #4: Cluster Hardening
  Fix all of the following violations that were found against the Kubelet: - Ensure the --anonymous-auth argument is set to false.
  Tags: Kubelet Hardening, Anonymous Authentication, Security Configuration, Node Security
- Question #4: Cluster Hardening
  Fix the following violation found against ETCD: Ensure that the --auto-tls argument is not set to true. (This fix is to be applied during build time.)
  Tags: ETCD Security, TLS Configuration, Kubernetes Control Plane, Buildtime Configuration
- Question #5: Cluster Hardening
  Create a PSP that will prevent the creation of privileged pods in the namespace. Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privi...
  Tags: Pod Security Policy (PSP), RBAC, ServiceAccount, Privileged Containers
- Question #6: Cluster Hardening
  Fix all of the following violations that were found against the ETCD: - a. Ensure that the --auto-tls argument is not set to true
  Tags: ETCD Security, TLS Configuration, Cluster Hardening, Secure Communications
- Question #6: Minimize Microservice Vulnerabilities
  A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
  Tags: RBAC, Service Accounts, Least Privilege, Permissions Management
- Question #7: Cluster Hardening
  Given an existing Pod named web-pod running in the namespace security. Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations,...
  Tags: RBAC, Roles, RoleBindings, ServiceAccounts
- Question #8: Monitoring, Logging, and Runtime Security
  Enable audit logs in the cluster. To do so, enable the log backend, and ensure that 1. logs are stored at /var/log/kubernetes-logs.txt. 2. Log files are reta...
  Tags: Kubernetes Audit Logging, Log Management, API Server Configuration, Security Policy
- Question #9: Minimize Microservice Vulnerabilities
  Analyze and edit the given Dockerfile: FROM ubuntu:latest RUN apt-get update -y RUN apt-get install nginx -y COPY entrypoint.sh / ENTRYPOINT ["/entrypoint.sh"...
  Tags: Dockerfile Security, Kubernetes Pod SecurityContext, Non-Root User, Least Privilege
- Question #9: Cluster Hardening
  Task: Given an existing Pod named web-pod running in the namespace security. Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operat...
  Tags: RBAC, ServiceAccounts, Roles, RoleBindings
- Question #10: Runtime Security
  Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc. Create a Pod of image Nginx in the namespace server to run on the gVisor runtime class.
  Tags: RuntimeClass, gVisor, Pod deployment, Container sandboxing
- Question #10: Monitoring, Logging, and Runtime Security
  Enable audit logs in the cluster. To do so, enable the log backend, and ensure that: 1. logs are stored at /var/log/kubernetes-logs.txt. 2. Log files are re...
  Tags: Kubernetes Audit Logs, API Server Configuration, Log Retention, Audit Policy
- Question #11: Minimize Microservice Vulnerabilities
  Analyze and edit the given Dockerfile: FROM ubuntu:latest RUN apt-get update -y RUN apt-get install nginx -y COPY entrypoint.sh / ENTRYPOINT ["/entrypoint.sh...
  Tags: Dockerfile Security, Kubernetes SecurityContext, Least Privilege, Container Image Security
- Question #11: Minimize Microservice Vulnerabilities
  Create a NetworkPolicy named pod-access to restrict access to Pod users-service running in namespace dev-team.
  Tags: NetworkPolicy, Kubernetes Networking, Network Segmentation, Microservice Security
- Question #12: Runtime Security
  Given the following container configuration (YAML): runAsUser: 1000 containers: - name: sec-ctx-demo-2 image: gcr.io/google-samples/node-hello:1.0 securityContext: runAsUser: 0 pr...
  Tags: Security Context, Least Privilege, Container Security, Privileged Containers
- Question #12: Minimize Microservice Vulnerabilities
  Only allow the following Pods to connect to Pod users-service: - Pods in the namespace qa - Pods with label environment: testing, in any namespace. Make sure to apply the NetworkPol...
  Tags: Kubernetes NetworkPolicy, Network Security, Pod Selector, Namespace Selector
- Question #13: Supply Chain Security
  A container image scanner is set up on the cluster. Given an incomplete configuration in the directory /etc/kubernetes/confcontrol and a functional container image scanner with HTT...
  Tags: Admission Controllers, Image Policy Webhook, Kube-apiserver Configuration, Implicit Deny
- Question #14: Runtime Security
  Given the following AppArmor profile and Pod manifest. AppArmor profile: `profile nginx-deny flags=(attach_disconnected) { #include <abstractions/base> file, # Deny all file wri...`
  Tags: AppArmor, Kubernetes Security, Pod Security, Runtime Security Policies
- Question #14: Cluster Hardening
  On the cluster worker node, enforce the prepared AppArmor profile.
  Tags: AppArmor, Worker Node Security, Host Hardening
- Question #15: Cluster Hardening
  Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress.
  Tags: Kubernetes, NetworkPolicy, Network Security, Ingress/Egress
- Question #15: Minimize Microservice Vulnerabilities
  a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace. Store the value of the token in token.txt. b. Create a new secret named test-d...
  Tags: Kubernetes Secrets, Credential Management, Pod Configuration, Secret Volume Mounts
- Question #16: Cluster Hardening
  a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace. Store the value of the token in token.txt. b. Create a new secret named test-...
  Tags: Kubernetes Secrets, Secret Volume Mounts, kubectl CLI
- Question #16: Supply Chain Security
  Use Trivy to scan the following images: 1. amazonlinux:1 2. k8s.gcr.io/kube-controller-manager:v1.18.6 Look for images with HIGH or CRITICAL severity vulnerabilities and store...
  Tags: Trivy, Image Scanning, Vulnerability Management, Container Security
- Question #17: Runtime Security
  Create a RuntimeClass named untrusted using the prepared runtime handler named runsc. Create a Pod of image alpine:3.13.2 in the namespace default to run on the gVisor runtime cla...
  Tags: RuntimeClass, gVisor, Pod security, Container isolation
- Question #17: Supply Chain Security
  Use Trivy to scan the following images: 1. amazonlinux:1 2. k8s.gcr.io/kube-controller-manager:v1.18.6 Look for images with HIGH or CRITICAL severity vulnerabilities and store...
  Tags: Trivy, Vulnerability Scanning, Container Image Security, Supply Chain Security
- Question #18: Monitoring, Logging, and Runtime Security
  You must complete this task on the following cluster/nodes: Cluster: KSRS001, Master node: ksrs00101-master, Worker node: ksrs00101-worker1. You can switch the cluster/configurat...
  Tags: Runtime Security, Falco, Process Monitoring, Security Logging
- Question #18: Minimize Microservice Vulnerabilities
  Create a network policy named allow-np that allows pods in the namespace staging to connect to port 80 of other pods in the same namespace. Ensure that the Network Policy: 1. Does not...
  Tags: Network Policy, Network Segmentation, Ingress Rules, Pod Isolation
- Question #19: Cluster Hardening
  Ensure that the admission control plugin PodSecurityPolicy is set.
  Tags: PodSecurityPolicy, Admission Control, Kubernetes Security, Security Policies
- Question #19: Minimize Microservice Vulnerabilities
  Create a Pod named Nginx-pod inside the namespace testing. Create a Service for the Nginx-pod named nginx-svc, using the Ingress of your choice; run the Ingress on TLS, secure port.
  Tags: Kubernetes Pods, Kubernetes Services, Kubernetes Ingress, TLS Configuration
- Question #20: Cluster Hardening
  Secrets stored in etcd are not secure at rest; you can use the etcdctl command utility to find the secret value, e.g.: ETCDCTL_API=3 etcdctl get /registry/secrets/default/cks...
  Tags: etcd secrets encryption, secrets at rest, Encryption Configuration, AES-CBC
- Question #20: Cluster Hardening
  Ensure that the --kubelet-certificate-authority argument is set as appropriate.
  Tags: kubelet security, TLS authentication, certificate authority, node hardening
- Question #21: Cluster Hardening
  Create a PSP that will only allow the persistentvolumeclaim as the volume type in the namespace restricted. Create a new PodSecurityPolicy named prevent-volume-policy which prevent...
  Tags: PodSecurityPolicy, RBAC, Volume restrictions, Cluster hardening
- Question #21: Monitoring, Logging, and Runtime Security
  A service is running on port 389 inside the system; find the process ID of the process, store the names of all the open files inside /candidate/KH77539/files.txt, and also d...
  Tags: Process Management, Network Monitoring, File System Operations, Security Remediation
- Question #22: Cluster Hardening
  Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service account name used and put the content in /candidate/KSC00124.txt. Create a new Role nam...
  Tags: RBAC, Service Accounts, Kubernetes Security, kubectl
- Question #22: Minimize Microservice Vulnerabilities
  Use the kubesec Docker image to scan the given YAML manifest, edit and apply the advised changes, and pass with a score of 4 points. kubesec-test.yaml: apiVersion: v1 kind: Pod m...
  Tags: Kubesec, Container Hardening, SecurityContext, Manifest Security
- Question #23: Runtime Security
  Using the runtime detection tool Falco, analyse the container behaviour for at least 20 seconds, using filters that detect newly spawning and executing processes in a single contain...
  Tags: Falco, Runtime Security, Container Security, Process Monitoring
- Question #23: Monitoring, Logging, and Runtime Security
  Enable audit logs in the cluster. To do so, enable the log backend, and ensure that 1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt. 2. Log files are retained for 5 d...
  Tags: Kubernetes Audit Logging, API Server Configuration, Audit Policy, Log Retention
- Question #24: Supply Chain Security
  Given an incomplete configuration in directory /etc/kubernetes/epconfig and a functional container image scanner with HTTPS endpoint https://wakanda.local:8081/image_policy: 1. En...
  Tags: Image Policy, Admission Controllers, Container Image Security, Kubernetes Security Configuration
- Question #25: Supply Chain Security
  Edit the configuration to point to the provided HTTPS endpoint correctly. You can find the container image scanner's log file at /var/log/imagepolicy/acme.log. Finally, test if the...
  Tags: Image Scanning, Admission Controllers, Image Policy, Policy Enforcement
- Question #26: Minimize Microservice Vulnerabilities
  You must complete this task on the following cluster/nodes: Cluster: immutable-cluster, Worker node: worker1. You can switch the cluster/configuration context using the f...
  Tags: Pod Security, Container Best Practices, Immutability, Statelessness
- Question #27: Cluster Hardening
  Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolicy named deny-policy, which prevents the cr...
  Tags: PodSecurityPolicy (PSP), RBAC, Privileged Containers, Admission Control
- Question #27: Cluster Hardening
  Secrets stored in etcd are not secure at rest; you can use the etcdctl command utility to find the secret value. For example: A `kubectl create secret` command is shown, followe...
  Tags: Kubernetes Secrets, Encryption at Rest, etcd security, Encryption Configuration
- Question #28: Minimize Microservice Vulnerabilities
  Context: Cluster: prod, Master node: master1, Worker node: worker1. You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-conte...
  Tags: Dockerfile Security Best Practices, Kubernetes SecurityContext, Privilege Escalation Prevention, Container Hardening
- Question #29: Runtime Security
  Perform the following fixes: 1. For `Dockerfile`: Fix the image version & user name in `Dockerfile`. 2. For `mydeployment.yaml`: Fix security contexts.
  Tags: Dockerfile security, Kubernetes securityContext, Container runtime security, Least privilege
- Question #30: Monitoring, Logging, and Runtime Security
  Enable audit logs in the cluster. To do so, enable the log backend, and ensure that: 1. logs are stored at `/var/log/Kubernetes/logs.txt` 2. log files are retained for 5 days 3. at...
  Tags: Kubernetes Audit Logging, API Server Configuration, Audit Policy, Security Logging