nerdexam

CKS Question #49: Real Exam Question with Answer & Explanation

This task tests your ability to harden a Kubernetes API server by modifying its static Pod manifest to disable anonymous access, enforce proper authorization, and restrict node permissions - core skills for the CKS (Certified Kubernetes Security Specialist) exam.

Submitted by andreas_gr · May 5, 2026 · Cluster Hardening

Question

Context

For testing purposes, the kubeadm-provisioned cluster's API server was configured to allow unauthenticated and unauthorized access.

Task

First, secure the cluster's API server by configuring it as follows:

- Forbid anonymous authentication
- Use authorization mode Node,RBAC
- Use admission controller NodeRestriction

The cluster uses the Docker Engine as its container runtime. If needed, use the docker command to troubleshoot running containers.

kubectl is configured to use unauthenticated and unauthorized access. You do not have to change it, but be aware that kubectl will stop working once you have secured the cluster. You can use the cluster's original kubectl configuration file located at /etc/kubernetes/admin.conf to access the secured cluster.

Explanation

Approach. On a kubeadm cluster the kube-apiserver runs as a static Pod, and its manifest lives at /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node. SSH to that node, edit the file, and set three flags in the container's command list: (1) --anonymous-auth=false, so a request without credentials is rejected with 401 instead of being treated as the system:anonymous user; (2) --authorization-mode=Node,RBAC, which replaces the permissive mode the test setup used (for example AlwaysAllow) with node-scoped plus role-based authorization; and (3) --enable-admission-plugins=NodeRestriction (append it if the flag already lists other plugins), which stops a kubelet from modifying Node and Pod objects outside its own node. The kubelet watches the manifests directory and recreates the API server Pod when the file changes, so nothing has to be restarted by hand. Keep any backup copy outside /etc/kubernetes/manifests: the kubelet treats every file in that directory as a static Pod.

If the API server does not come back, a typo in the manifest is the usual cause. On this Docker-based cluster, docker ps -a shows the exited kube-apiserver container and docker logs <container-id> shows the flag parsing error. Once the server is up, the unauthenticated kubeconfig kubectl was using stops working; verify the secured cluster with kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes.
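The procedure above as a script, added here as an example; it is not code from the nerdexam page or from kubeadm. It assumes kubeadm's default manifest path, a "- kube-apiserver" line that opens the container's command list, and awk/sed/grep on the control plane node. The functions set each flag idempotently (rewriting an existing entry or inserting a missing one), append NodeRestriction to an existing plugin list rather than overwriting it, keep the backup outside the manifests directory, and read the result back. The sample manifest at the bottom is constructed for the --demo mode; --apply edits the real file.

```shell
#!/usr/bin/env bash
# Added example, not code from the nerdexam page or from kubeadm: edit the kube-apiserver
# static Pod manifest for the three flags in the task and read the result back.
# Assumptions: kubeadm's default manifest path, a "- kube-apiserver" line that starts the
# container's command list, and GNU or BSD awk/sed/grep on the control plane node.
set -eu

MANIFEST=${MANIFEST:-/etc/kubernetes/manifests/kube-apiserver.yaml}

# get_flag FILE FLAG: print VALUE from the "- FLAG=VALUE" command-list entry (empty if unset).
get_flag() {
  sed -nE "s|^[[:space:]]*- $2=(.*)$|\1|p" "$1" | head -n1
}

# set_flag FILE FLAG VALUE: rewrite an existing "- FLAG=..." entry in place, or insert one
# right after the "- kube-apiserver" line when the flag is absent. Indentation is preserved
# and the file is overwritten in place so its mode and inode survive (the kubelet re-reads it).
set_flag() {
  local file=$1 flag=$2 value=$3 tmp
  tmp=$(mktemp)
  if grep -qE "^[[:space:]]*- ${flag}=" "$file"; then
    awk -v flag="$flag" -v value="$value" '
      $0 ~ ("^[ \t]*- " flag "=") { match($0, /^[ \t]*- /); print substr($0, 1, RLENGTH) flag "=" value; next }
      { print }' "$file" > "$tmp"
  else
    awk -v flag="$flag" -v value="$value" '
      { print }
      /^[ \t]*- kube-apiserver$/ { match($0, /^[ \t]*/); print substr($0, 1, RLENGTH) "- " flag "=" value }' "$file" > "$tmp"
  fi
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# harden_apiserver FILE BACKUP_DIR: back up OUTSIDE the manifests directory (the kubelet treats
# every file in there as a static Pod), then apply the three settings. NodeRestriction is
# appended to an existing --enable-admission-plugins list instead of clobbering it.
harden_apiserver() {
  local file=$1 backup_dir=$2 plugins
  cp "$file" "$backup_dir/kube-apiserver.yaml.bak"
  set_flag "$file" --anonymous-auth false
  set_flag "$file" --authorization-mode Node,RBAC
  plugins=$(get_flag "$file" --enable-admission-plugins)
  case ",${plugins}," in
    *,NodeRestriction,*) ;;                                              # already listed
    ,,) set_flag "$file" --enable-admission-plugins NodeRestriction ;;    # flag absent
    *)  set_flag "$file" --enable-admission-plugins "${plugins},NodeRestriction" ;;
  esac
}

# check_hardened FILE: succeed only if all three settings match what the task requires.
check_hardened() {
  [ "$(get_flag "$1" --anonymous-auth)" = false ] || return 1
  [ "$(get_flag "$1" --authorization-mode)" = Node,RBAC ] || return 1
  case ",$(get_flag "$1" --enable-admission-plugins)," in
    *,NodeRestriction,*) return 0 ;;
    *) return 1 ;;
  esac
}

# probe_anonymous HOST:PORT: HTTP status an unauthenticated request to /api receives once the
# API server is back. 401 = anonymous auth off (the goal); 403 = anonymous allowed but denied
# by RBAC; 200 = still AlwaysAllow. Needs the live API server, so the demo below skips it.
probe_anonymous() {
  curl -sk -o /dev/null -w '%{http_code}' "https://$1/api"
}

# make_sample_manifest OUT: constructed stand-in for the weakened manifest from the task
# (trimmed to the lines that matter; not a real cluster's file).
make_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --enable-admission-plugins=NamespaceLifecycle
    - --secure-port=6443
    image: registry.k8s.io/kube-apiserver:v1.29.0
    name: kube-apiserver
EOF
}

case "${1:-}" in
  --demo)   # safe to run anywhere: works on the constructed manifest in a temp dir
    dir=$(mktemp -d); f="$dir/kube-apiserver.yaml"
    make_sample_manifest "$f"; harden_apiserver "$f" "$dir"; check_hardened "$f"
    grep -- '- --' "$f" ;;
  --apply)  # on the control plane node: edit the real manifest, keep the backup under /root
    harden_apiserver "$MANIFEST" "${BACKUP_DIR:-/root}" && check_hardened "$MANIFEST" ;;
esac
```

After --apply on the node, wait for the kubelet to recreate the Pod (docker ps -a shows the old container exited and a new one running), then expect probe_anonymous 127.0.0.1:6443 to print 401 and kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes to succeed. If the status is still 200 or the container keeps exiting, docker logs on the kube-apiserver container shows which flag it rejected, and the copy in /root restores the previous manifest.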

Concept tested. Kubernetes API server security hardening: disabling anonymous authentication (--anonymous-auth=false), enforcing Node and RBAC authorization modes (--authorization-mode=Node,RBAC), and enabling the NodeRestriction admission controller via the kube-apiserver static Pod manifest.

Reference. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ - see flags: --anonymous-auth, --authorization-mode, --enable-admission-plugins

Topics

#API Server Configuration #Authentication #Authorization #Admission Controllers
