CKS Question #65: Real Exam Question with Answer & Explanation

This CKS task tests your ability to inspect container images for specific package versions, generate an SPDX Software Bill of Materials (SBOM) using the 'bom' CLI tool, and manage a Kubernetes Deployment by removing a specific container.

Submitted by chen.hong · May 5, 2026 · Supply Chain Security

Question

Task: The alpine Deployment in the alpine namespace has three containers that run different versions of the alpine image. First, find out which version of the alpine image contains the libcrypto3 package at version 3.1.4-r5. Next, use the pre-installed bom tool to create an SPDX document for the identified image version at /home/candidate/alpine.spdx. Finally, update the alpine Deployment and remove the container that uses the identified image version. The Deployment's manifest file can be found at /home/candidate/alpine-deployment.yaml. Do not modify any other containers of the Deployment. You must connect to the correct host. Failure to do so may result in a zero score. Initial connection: `ssh cks000035`.

Explanation

Approach.

1) SSH to cks000035, then inspect the Deployment with `kubectl -n alpine get deploy alpine -o yaml` to identify the three container image versions (e.g., alpine:3.17, alpine:3.18, alpine:3.19).
2) For each version, check the libcrypto3 package with `docker run --rm alpine:3.X.X apk list --installed 2>/dev/null | grep libcrypto3` (or `apk info -v libcrypto3`) until you find the one reporting version 3.1.4-r5.
3) Generate the SPDX document with the pre-installed bom tool: `bom generate --image alpine:3.X.X -o /home/candidate/alpine.spdx`.
4) Edit /home/candidate/alpine-deployment.yaml to delete the entire entry in the containers list that references the identified image version, then apply with `kubectl apply -f /home/candidate/alpine-deployment.yaml` and verify with `kubectl -n alpine get deploy alpine`.
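The lookup in step 2, written as a reusable check (an added example, not part of the original answer): it compares the whole `name-version` field from `apk list --installed` instead of grepping a substring, so 3.1.4-r50 is not mistaken for 3.1.4-r5. The function names, the `LIST_CMD` hook, the `alpine:TAG_*` tags and the sample package lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the exam page. `apk list --installed` prints lines
# shaped like: <name>-<version> <arch> {<origin>} (<license>) [installed]

# has_pkg NAME VERSION: read apk output on stdin and succeed only when the
# first field is exactly NAME-VERSION. A substring grep for "3.1.4-r5"
# would also accept 3.1.4-r50.
has_pkg() {
    awk -v want="$1-$2" '$1 == want { found = 1 } END { exit !found }'
}

# Default lister: the docker command from step 2 of the approach.
list_with_docker() {
    docker run --rm "$1" apk list --installed 2>/dev/null
}

# find_image NAME VERSION IMAGE...: print each image that ships the exact
# package version. LIST_CMD is a hypothetical hook for swapping the lister.
find_image() {
    name=$1; version=$2; shift 2
    for img in "$@"; do
        if "${LIST_CMD:-list_with_docker}" "$img" | has_pkg "$name" "$version"; then
            echo "$img"
        fi
    done
}

# Constructed package lines for three placeholder tags (not real versions).
list_sample() {
    case $1 in
        alpine:TAG_A) echo 'libcrypto3-3.1.4-r1 x86_64 {openssl} (Apache-2.0) [installed]' ;;
        alpine:TAG_B) echo 'libcrypto3-3.1.4-r5 x86_64 {openssl} (Apache-2.0) [installed]' ;;
        alpine:TAG_C) echo 'libcrypto3-3.1.4-r50 x86_64 {openssl} (Apache-2.0) [installed]' ;;
    esac
}

# Offline demo against the constructed data; unset LIST_CMD to use docker.
LIST_CMD=list_sample
find_image libcrypto3 3.1.4-r5 alpine:TAG_A alpine:TAG_B alpine:TAG_C  # prints alpine:TAG_B
```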

Concept tested. Supply Chain Security - container image SBOM generation with SPDX format using the 'bom' tool, combined with package-level image inspection (APK) to identify vulnerable/specific image versions, and Kubernetes Deployment container lifecycle management.

Reference. CKS Exam Domain: Supply Chain Security (20%); https://github.com/kubernetes-sigs/bom; SPDX Specification: https://spdx.dev/specifications/

Topics

#SBOM Generation, #Container Image Analysis, #Kubernetes Deployment Management, #Software Supply Chain Security
