CKS Exam Questions
135 real CKS exam questions with expert-verified answers and explanations. Page 2 of 3.
- Question #31 Runtime Security
Cluster: qa-cluster Master node: master Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context q...
Tags: NetworkPolicy, Ingress Control, Namespace Isolation, Label Selectors
- Question #31 Runtime Security
AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet. On the cluster's worker node, enforce the prepared AppArmor profile located...
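The AppArmor task above is cut off before the profile path, so the following is an added example rather than the page's answer. It loads a prepared profile into the kernel on the worker node and then pins a Pod to it. The profile file path, the profile name (nginx-profile-2), the Pod name and the image are all assumptions; the securityContext.appArmorProfile field is the GA form (Kubernetes 1.30+), and the annotation is the older form that still works on earlier clusters.

```bash
# Added example, not from the page: enforce a prepared AppArmor profile and bind a Pod to it.
PROFILE_FILE="${PROFILE_FILE:-/etc/apparmor.d/nginx_apparmor}"   # assumed path to the prepared profile
PROFILE_NAME="${PROFILE_NAME:-nginx-profile-2}"                   # assumed 'profile <name>' inside that file

# Load the profile into the kernel in enforce mode. Run this ON THE WORKER NODE
# (ssh worker1): the kubelet only accepts profiles the node kernel already knows.
load_profile() {   # load_profile <file> <name>
    sudo apparmor_parser -q "$1"              # default mode is enforce
    sudo aa-status | grep -q "$2"             # confirm the kernel lists it
}

# Render a Pod that runs its single container under the profile, using both
# the GA field and the legacy annotation (when both are set they must agree).
pod_manifest() {   # pod_manifest <profile name>
    profile=$1
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: nginx-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: localhost/$profile
spec:
  containers:
  - name: nginx
    image: nginx:1.25
    securityContext:
      appArmorProfile:
        type: Localhost
        localhostProfile: $profile
EOF
}

# Sanity check on a rendered manifest: the profile must appear in both places.
manifest_references() {   # manifest_references <profile name> <manifest text>
    printf '%s\n' "$2" | grep -q "localhost/$1" &&
    printf '%s\n' "$2" | grep -q "localhostProfile: $1"
}

# After the Pod is Running, confirm confinement from inside the container:
#   kubectl exec nginx-apparmor -- cat /proc/1/attr/current   -> "<profile> (enforce)"
if [ "${APPLY:-0}" = 1 ]; then
    load_profile "$PROFILE_FILE" "$PROFILE_NAME"
    pod_manifest "$PROFILE_NAME" | kubectl apply -f -
fi
```

If the profile name in the manifest does not match a loaded profile, the Pod stays in a Blocked/ContainerCreating state with an event saying the profile is not loaded, which is the usual cause of a lost point on this task.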
Tags: AppArmor, Kubernetes SecurityContext, Container Runtime Security, Linux Security Modules
- Question #32 Minimize Microservice Vulnerabilities
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context qa Context: A pod fails to run because of an incorrectly speci...
Tags: Service Accounts, Pod Security, Access Control, YAML Configuration
- Question #32 Supply Chain Security
You must complete this task on the following cluster/nodes: Cluster KSSC00202 Master node kssc00202-master Worker node kssc00202-worker1 You can switch the cluster/configuration co...
Tags: Admission Controllers, ImagePolicyWebhook, API Server Configuration, Image Security Policies
- Question #33 Cluster Hardening
Edit the configuration to point to the provided HTTPS endpoint correctly. Finally, test if the configuration is working by trying to deploy the vulnerable resource /root/KSSC00202/...
Tags: Admission Controllers, Policy Enforcement, Kubernetes Security, HTTPS Configuration
- Question #33 Monitoring, Logging, and Runtime Security
You must complete this task on the following cluster/nodes: Cluster: trace Master node: master Worker node: worker1 You can switch the cluster/configuration context using the follo...
Tags: Runtime Security, Container Monitoring, Anomaly Detection, Falco/Sysdig
- Question #34 Minimize Microservice Vulnerabilities
You must complete this task on the following cluster/nodes: Cluster: immutable-cluster Worker node: worker1 Context: It is best practice to design containers to be stateless and im...
Tags: Pod SecurityContext, Stateless Containers, Immutable Infrastructure, kubectl
- Question #34 Cluster Hardening
SIMULATION Cluster: dev Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-cont...
Tags: kubectl, kubeconfig, context management, cluster access
- Question #35 Minimize Microservice Vulnerabilities
Context: Cluster: prod Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-conte...
Tags: Dockerfile Security, Kubernetes Security, Container Hardening, Pod Security Standards
- Question #35 Minimize Microservice Vulnerabilities
Retrieve the content of the existing secret named adam in the safe namespace. Store the username field in a file named /home/cert-masters/username.txt, and the password field in a...
Tags: Secrets Management, Pod Security, kubectl, Secret Volumes
- Question #36 Runtime Security
Cluster: scanner Master node: controlplane Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-contex...
Tags: Trivy, Vulnerability Scanning, Container Image Security, Kubernetes Pod Management
- Question #36 Minimize Microservice Vulnerabilities
Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice conc...
Tags: Dockerfile Security, Kubernetes Security Contexts, Least Privilege, Container Hardening
- Question #37 Minimize Microservice Vulnerabilities
You can switch the cluster/configuration context using the following command: `[desk@cli]$ kubectl config use-context dev` A default-deny NetworkPolicy avoids accidentally exposing...
Tags: NetworkPolicy, Kubernetes Security, Microservice Isolation, Traffic Filtering
- Question #37 Monitoring, Logging, and Runtime Security
SIMULATION You can switch the cluster/configuration context using the following command: `[desk@cli] $ kubectl config use-context test-account` Task: Enable audit logs...
Tags: Kubernetes Audit Logging, API Server Configuration, Audit Policy, Security Logging
- Question #38 Runtime Security
Context: Cluster: gvisor, Master node: master1, Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-c...
Tags: RuntimeClass, gVisor, Container Isolation, Pod Configuration
- Question #39 Cluster Hardening
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context prod-account Context: A Role bound to a Pod's ServiceAccount g...
Tags: RBAC, Roles, RoleBindings, ServiceAccounts
- Question #39 Minimize Microservice Vulnerabilities
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context qa Context: A pod fails to run because of an incorrectly speci...
Tags: Kubernetes ServiceAccounts, Pod Security, Access Control, YAML Configuration
- Question #40 Cluster Hardening
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev Context: A CIS Benchmark tool was run against the kubeadm...
Tags: CIS Benchmarks, API Server Configuration, Authorization Modes, Kubelet Hardening
- Question #40 Monitoring, Logging, and Runtime Security
You must complete this task on the following cluster/nodes: Cluster: trace Master node: master Worker node: worker1 You can switch the cluster/configuration context using the follo...
Tags: Falco, Sysdig, Runtime Security, Process Monitoring
- Question #41 Cluster Hardening
Ensure that the anonymous-auth argument is set to false in the kubelet configuration. Ensure that the authorization-mode argument is not set to AlwaysAllow (use Webhook authn/authz where possible)...
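The two kubelet findings above (CIS 4.2.1 and 4.2.2) are fixed in the kubelet's config file, not on the command line, on kubeadm clusters. The block below is an added example and not the page's answer: it rewrites only the two relevant keys with awk, leaving authentication.webhook.enabled untouched, and runs against a constructed sample file so the transformation can be checked offline. The config path is kubeadm's default and is an assumption for other distributions.

```bash
# Added example, not from the page: harden a kubeadm kubelet config (CIS 4.2.1 / 4.2.2).
KUBELET_CONFIG="${KUBELET_CONFIG:-/var/lib/kubelet/config.yaml}"   # kubeadm default; assumed

# Track the top-level and second-level YAML keys so that only
# authentication.anonymous.enabled and authorization.mode are changed.
harden_kubelet_config() {   # harden_kubelet_config <file>  -> rewritten config on stdout
    awk '
        /^[^ ]/   { top = $1 }          # e.g. "authentication:"
        /^  [^ ]/ { sub_key = $1 }      # e.g. "anonymous:" or "webhook:"
        top == "authentication:" && sub_key == "anonymous:" && /^    enabled:/ {
            sub(/enabled:.*/, "enabled: false")
        }
        top == "authorization:" && /^  mode:/ {
            sub(/mode:.*/, "mode: Webhook")   # SubjectAccessReview against the API server
        }
        { print }
    ' "$1"
}

# Constructed sample with both findings present (this is not a real node's file).
sample_kubelet_config() {
    cat <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: AlwaysAllow
EOF
}

# Both must hold after the rewrite.
anonymous_disabled() { printf '%s\n' "$1" | grep -q '^    enabled: false'; }
webhook_authz()      { printf '%s\n' "$1" | grep -q '^  mode: Webhook'; }

if [ "${APPLY:-0}" = 1 ]; then   # on the node, as root
    sudo cp "$KUBELET_CONFIG" "$KUBELET_CONFIG.bak"
    harden_kubelet_config "$KUBELET_CONFIG.bak" | sudo tee "$KUBELET_CONFIG" >/dev/null
    sudo systemctl restart kubelet
    # An unauthenticated call to the kubelet API must now get 401, not the pod list.
    curl -sk -o /dev/null -w '%{http_code}\n' https://127.0.0.1:10250/pods
fi
```

If the finding is reported against kubelet command-line flags instead (a --anonymous-auth=true in /var/lib/kubelet/kubeadm-flags.env or the systemd drop-in), remove the flag there; flags override the config file, so a fixed config.yaml alone would not close the finding.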
Tags: Kubelet Hardening, API Server Hardening, Etcd Security, Authentication & Authorization
- Question #41 Cluster Hardening
Cluster: dev Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command:
Tags: kubectl, kubeconfig, context management, cluster access
- Question #42 Monitoring, Logging, and Runtime Security
Question 42: SIMULATION (Task description not found in provided pages).
Tags: Kubernetes Security, Runtime Security, Security Best Practices, Practical Application
- Question #42 Minimize Microservice Vulnerabilities
You are in the `dev` context. Task: 1. Retrieve the content of the existing secret named `adam` in the `safe` namespace. Store the username field in a file named `/home/cert-master...
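The secret task appears twice on this page (#35 and #42); both are cut off after the username file. The following is an added example, not the page's solution. The secret name (adam), namespace (safe), the two keys and the username file path come from the task; the password file path, the Pod name, image and mount path are assumptions, and the Pod with the secret volume follows the "Secret Volumes" / "Volume Mounts" tags rather than any text visible here.

```bash
# Added example, not from the page: dump secret fields to files, then mount the secret into a Pod.
OUT_DIR="${OUT_DIR:-/home/cert-masters}"
PASSWORD_FILE="${PASSWORD_FILE:-$OUT_DIR/password.txt}"   # assumed; the task's exact path is truncated above

# Secret data is base64 in the API object: jsonpath picks the key, base64 -d
# restores the bytes. Nothing is appended, so the file holds exactly the value.
secret_field_to_file() {   # secret_field_to_file <ns> <secret> <key> <dest>
    kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$3}" | base64 -d > "$4"
}

# Cluster-free version of the decode step, used by the offline check.
decode_field_to_file() {   # decode_field_to_file <base64 value> <dest>  -> decoded value on stdout
    printf '%s' "$1" | base64 -d > "$2"
    cat "$2"
}

# Mount the whole secret read-only; every key becomes a file under mountPath.
pod_with_secret_volume() {   # pod_with_secret_volume <ns> <secret>
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: secret-reader          # assumed name
  namespace: $1
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sh", "-c", "cat /etc/secret/username && sleep 3600"]
    volumeMounts:
    - name: adam-vol
      mountPath: /etc/secret
      readOnly: true
  volumes:
  - name: adam-vol
    secret:
      secretName: $2
      defaultMode: 0400        # owner-read only inside the container
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    secret_field_to_file safe adam username "$OUT_DIR/username.txt"
    secret_field_to_file safe adam password "$PASSWORD_FILE"
    pod_with_secret_volume safe adam | kubectl apply -f -
fi
```

Mounting as a volume rather than injecting the values through env is the safer choice: environment variables show up in `kubectl describe`, in crash dumps and in child processes, while a mounted file is only readable by the container's user at the permissions set by defaultMode.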
Tags: Kubernetes Secrets, Secret Management, Pods, Volume Mounts
- Question #43 Runtime Security
Create a RuntimeClass named sandboxed using the prepared runtime handler named runsc. Update all Pods in the namespace server to run on gVisor. You can find a skeleton manifest fil...
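For the RuntimeClass task above (the same gVisor task also appears as #38 and #45), here is an added example, not the page's skeleton manifest. The RuntimeClass name (sandboxed), handler (runsc) and namespace (server) are from the task; the assumption is that the workloads in the namespace are owned by Deployments, so a patch to the pod template rolls them onto gVisor. Bare Pods cannot be patched this way and have to be recreated with runtimeClassName set.

```bash
# Added example, not from the page: create the RuntimeClass and move a namespace onto it.
runtime_class_manifest() {   # runtime_class_manifest <name> <handler>
    cat <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: $1
handler: $2        # must equal the runtime handler name configured in containerd on the node
EOF
}

# JSON merge patch for a Deployment/StatefulSet/DaemonSet pod template.
runtime_class_patch() {   # runtime_class_patch <runtimeclass name>
    printf '{"spec":{"template":{"spec":{"runtimeClassName":"%s"}}}}' "$1"
}

manifest_has_handler() { printf '%s\n' "$1" | grep -q "^handler: $2"; }

if [ "${APPLY:-0}" = 1 ]; then
    runtime_class_manifest sandboxed runsc | kubectl apply -f -
    for d in $(kubectl -n server get deploy -o name); do
        kubectl -n server patch "$d" -p "$(runtime_class_patch sandboxed)"
        kubectl -n server rollout status "$d"
    done
    # A sandboxed pod reports gVisor's kernel, not the host's:
    for p in $(kubectl -n server get pods -o name); do
        printf '%s: ' "$p"; kubectl -n server exec "$p" -- dmesg 2>/dev/null | head -1
    done
fi
```

Check the node side before patching: `runsc` must exist in the containerd config as a runtime handler, otherwise every rolled pod fails with an "unknown runtime handler" event and the old ReplicaSet keeps serving.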
Tags: RuntimeClass, gVisor, Container isolation, Pod security
- Question #43 Runtime Security
Cluster: scanner. Master node: controlplane. Worker node: worker1. You can switch the cluster/configuration context using the command: `kubectl config use-context scanner`. Task: U...
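The Trivy task above (also #36) is truncated at "Task: U...". As an added example and not the page's answer, the block below lists every image run by the pods of a namespace, scans each with Trivy, and prints the pods to delete. The namespace, the severity list and the "delete the pod" reaction follow the usual shape of this task and are assumptions; the scan decision is passed in as a function so the selection logic can be exercised offline with a constructed stand-in scanner.

```bash
# Added example, not from the page: find pods running images with severe findings.
NAMESPACE="${NAMESPACE:-default}"          # assumed
SEVERITY="${SEVERITY:-CRITICAL,HIGH}"      # assumed severity list

# One line per pod: "<pod> <image> [<image>...]"
pod_image_pairs() {   # pod_image_pairs <ns>
    kubectl -n "$1" get pods -o jsonpath='{range .items[*]}{.metadata.name}{" "}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}'
}

# Trivy returns --exit-code (1) when a finding at SEVERITY exists, so the exit
# status is the decision: 0 means clean.
trivy_clean() {   # trivy_clean <image>
    trivy image --quiet --severity "$SEVERITY" --exit-code 1 "$1" >/dev/null
}

# Read pair lines on stdin, run <scanner fn> per image, print each affected pod once.
pods_to_delete() {   # pods_to_delete <scanner fn> < pairs
    scanner=$1
    while read -r pod images; do
        for img in $images; do
            if ! "$scanner" "$img"; then echo "$pod"; break; fi
        done
    done | sort -u
}

# Constructed stand-in for the offline check: any image tagged ":old" counts as vulnerable.
fake_scanner() { case "$1" in *:old) return 1 ;; *) return 0 ;; esac; }

if [ "${APPLY:-0}" = 1 ]; then
    pod_image_pairs "$NAMESPACE" | pods_to_delete trivy_clean |
        while read -r pod; do kubectl -n "$NAMESPACE" delete pod "$pod"; done
fi
```

If a pod is owned by a Deployment, deleting it only recreates it with the same image; the exam variant of this task uses standalone Pods, which is why deleting them is the whole fix. For managed workloads the image reference in the owner has to change instead.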
Tags: Container image scanning, Vulnerability management, Pod security, Runtime security
- Question #44 Minimize Microservice Vulnerabilities
You must complete this task on the following cluster/nodes: Cluster: KSCH00301 Master node: ksch00301-master Worker node: ksch00301-worker1 You can switch the cluster/configuration...
Tags: ServiceAccount Configuration, API Credential Security, Least Privilege, Resource Cleanup
- Question #44 Minimize Microservice Vulnerabilities
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev A default-deny NetworkPolicy avoids accidentally exposing...
Tags: Kubernetes NetworkPolicy, Default-deny, Network Segmentation, Ingress/Egress Control
- Question #45 Runtime Security
Context: Cluster: gvisor Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-con...
Tags: RuntimeClass, gVisor, Container Runtimes, Pod Security
- Question #45 Minimize Microservice Vulnerabilities
Create a new default-deny NetworkPolicy named defaultdeny in the namespace testing for all traffic of type Egress. The new NetworkPolicy must deny all Egress traffic in the namespa...
Tags: NetworkPolicy, Egress Filtering, Default Deny, Namespace Security
- Question #46 Cluster Hardening
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context prod-account Context: A Role bound to a Pod's ServiceAccount g...
Tags: RBAC, ServiceAccounts, Least Privilege, Kubernetes Security
- Question #46 Supply Chain Security
Analyze and edit the given Dockerfile /home/candidate/KSSC00301/Dockerfile (based on the ubuntu:16.04 image), fixing two instructions present in the file that are prominent securit...
Tags: Dockerfile Security, Image Hardening, Non-root User, Reduce Attack Surface
- Question #47 Cluster Hardening
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev Context: A CIS Benchmark tool was run against the kubeadm...
Tags: CIS Benchmarks, API Server Hardening, Kubelet Hardening, Kubernetes Authorization
- Question #47 Minimize Microservice Vulnerabilities
Analyze and edit the given manifest file /home/candidate/KSSC00301/deployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues. Don't ad...
Tags: Kubernetes SecurityContext, Least Privilege, Container Security, Pod Security Best Practices
- Question #48 Cluster Hardening
Fix all of the following violations that were found against the kubelet and etcd: 4.2.1 Ensure that the anonymous-auth argument is set to false (use Webhook authn/authz where possible). 2.2 Ensur...
Tags: etcd security, authentication, cluster hardening, control plane security
- Question #48 Cluster Hardening
Reconfigure the cluster's Kubernetes API server to ensure that only authenticated and authorized REST requests are allowed. Use authorization mode Node,RBAC and admission controlle...
Tags: API Server Security, Authorization Modes, Admission Controllers, Cluster Hardening
- Question #49 Cluster Hardening
Context For testing purposes, the kubeadm provisioned cluster's API server was configured to allow unauthenticated and unauthorized access. Task First, secure the cluster's API s...
Tags: API Server Configuration, Authentication, Authorization, Admission Controllers
- Question #50 Minimize Microservice Vulnerabilities
Your organization's security policy includes: - ServiceAccounts must not automount API credentials - ServiceAccount names must end in "-sa" The Pod specified in the manifest file `...
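The ServiceAccount policy above (the same task is #44) gives two rules. Below is an added example, not the page's manifest: a name check that enforces the "-sa" suffix, a ServiceAccount with automounting disabled, and a Pod that uses it and disables automounting on its own side as well. The namespace, the ServiceAccount and Pod names, and the image are assumptions.

```bash
# Added example, not from the page: ServiceAccount and Pod that satisfy both policy rules.
sa_name_ok() { case "$1" in *-sa) return 0 ;; *) return 1 ;; esac; }   # rule 2: name ends in -sa

service_account_manifest() {   # service_account_manifest <name> <ns>
    sa_name_ok "$1" || { echo "refusing: '$1' does not end in -sa" >&2; return 1; }
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $1
  namespace: $2
automountServiceAccountToken: false   # rule 1: no API token projected into pods
EOF
}

# The Pod-level field overrides the ServiceAccount's, so a Pod that sets it to
# true would re-enable the mount; set it to false here too.
pod_using_sa() {   # pod_using_sa <sa name> <ns> <pod name>
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $3
  namespace: $2
spec:
  serviceAccountName: $1
  automountServiceAccountToken: false
  containers:
  - name: app
    image: nginx:1.25
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    service_account_manifest backend-sa default | kubectl apply -f -
    pod_using_sa backend-sa default backend | kubectl apply -f -
    # The token directory must be absent inside the container:
    kubectl -n default exec backend -- ls /var/run/secrets/kubernetes.io/serviceaccount 2>&1 || true
    # Clean-up of the old, non-compliant ServiceAccount once nothing references it (name assumed):
    # kubectl -n default delete serviceaccount backend
fi
```

Before deleting the old ServiceAccount, check that no other Pod in the namespace still names it (`kubectl get pods -o jsonpath='{.items[*].spec.serviceAccountName}'`); a Pod whose ServiceAccount disappears cannot be recreated by its controller.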
Tags: ServiceAccounts, Security Policy, API Access Control, Least Privilege
- Question #50 Cluster Hardening
Next, to clean up, remove the ClusterRoleBinding system:anonymous.
Tags: RBAC, ClusterRoleBinding, Access Control, Cluster Hardening
- Question #51 Supply Chain Security
Context You must fully integrate a container image scanner into the kubeadm provisioned cluster. Task Given an incomplete configuration located at /etc/kubernetes/bouncer and a fun...
Tags: Admission Controllers, Image Policy, kube-apiserver Configuration, Webhook Integration
- Question #51 Cluster Hardening
You must complete this task on the `kscs002` cluster, with master node `kscs00201-master` and worker node `kscs00201-worker1`. You can switch the cluster/configuration context usin...
Tags: CIS Benchmarks, Control Plane Hardening, Kubelet Hardening, Authentication and Authorization
- Question #52 Cluster Hardening
Edit the ImagePolicyWebhook config. One of these is true on your cluster: Option 1 (most common in these tasks): ImagePolicyWebhook config is a standalone file. Option 2: ImagePoli...
Tags: ImagePolicyWebhook, Admission Controllers, Kubernetes Security, Default Deny
- Question #52 Cluster Hardening
Create a new default-deny NetworkPolicy named defaultdeny in the namespace testing for all traffic of type Egress. The new NetworkPolicy must deny all Egress traffic in the namespa...
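The default-deny Egress task above (also #45, and the default-deny context of #37 and #44) is complete enough to answer. The following is an added example rather than the page's manifest: the policy the task asks for, a checker that confirms a policy document really is "deny all egress", and, for contrast, the next policy most namespaces need, which allows DNS only. The policy name and namespace come from the task; the DNS policy name is an assumption.

```bash
# Added example, not from the page: default-deny Egress policy plus a structural check.
default_deny_egress() {   # default_deny_egress <name> <ns>
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: $1
  namespace: $2
spec:
  podSelector: {}        # empty selector: applies to every pod in the namespace
  policyTypes:
  - Egress               # no 'egress:' rules follow, so nothing is allowed out
EOF
}

# A document denies all egress only if: the selector is empty, Egress is in
# policyTypes, and there is no egress rule list at all (an empty list would be the same,
# but a non-empty one opens holes).
is_default_deny_egress() {   # is_default_deny_egress <policy text>
    doc=$1
    printf '%s\n' "$doc" | grep -q 'podSelector: {}' &&
    printf '%s\n' "$doc" | grep -q '^  - Egress' &&
    ! printf '%s\n' "$doc" | grep -q '^  egress:'
}

# Same shape with a single allowance for DNS; without this, pods behind the
# default-deny policy cannot resolve names either.
egress_allow_dns_only() {   # egress_allow_dns_only <name> <ns>
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: $1
  namespace: $2
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    default_deny_egress defaultdeny testing | kubectl apply -f -
    kubectl -n testing describe networkpolicy defaultdeny
    # Prove it from inside the namespace: the fetch must time out.
    kubectl -n testing run probe --rm -i --image=busybox:1.36 --restart=Never -- \
        wget -T 3 -qO- http://example.com || echo "egress blocked"
fi
```

NetworkPolicy is enforced by the CNI plugin, not by the API server; on a cluster whose CNI does not implement it the object is accepted and silently does nothing, so the probe above is the only real verification.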
Tags: NetworkPolicy, Egress Control, Default Deny, Kubernetes Security
- Question #53 Cluster Hardening
Create a new PodSecurityPolicy named prevent-psp-policy, which prevents the creation of privileged Pods. Create a new ClusterRole named restrict-access-role, which uses the newly c...
Tags: PodSecurityPolicy, RBAC, ServiceAccount, Privileged Containers
- Question #53 Supply Chain Security
PART C -- Point backend configuration to https://smooth-yak.local/review. Edit the webhook kubeconfig to use the scanner endpoint.
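The ImagePolicyWebhook pieces are spread over several entries on this page (#33, #51, #52, the PART C step above, PART F's log check and the "should be DENIED" test deploy). The block below is an added example, not the page's files: it writes the AdmissionConfiguration with defaultAllow set to false, rewrites the server: line of the backend kubeconfig to the scanner endpoint from the task, and lists the api-server flags. The endpoint https://smooth-yak.local/review is from the task; the directory /etc/kubernetes/bouncer is the one named in #51, and the file names inside it, the certificate paths and the TTL values are assumptions.

```bash
# Added example, not from the page: the three parts of an ImagePolicyWebhook integration.
CONF_DIR="${CONF_DIR:-/etc/kubernetes/bouncer}"

admission_config() {   # admission_config <path of the webhook kubeconfig>
    cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: $1
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: false   # scanner unreachable => deny; the provided file usually says true
EOF
}

# Rewrite only the 'server:' line of an existing kubeconfig; certificate paths stay as given.
set_backend_server() {   # set_backend_server <url>  < kubeconfig  > kubeconfig
    sed "s#^\([[:space:]]*server:\).*#\1 $1#"
}

# Constructed stand-in for the incomplete kubeconfig the task provides.
sample_webhook_kubeconfig() {
    cat <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: image-checker
  cluster:
    certificate-authority: /etc/kubernetes/bouncer/ca.crt
    server:
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/bouncer/apiserver-client.crt
    client-key: /etc/kubernetes/bouncer/apiserver-client.key
current-context: image-checker
contexts:
- name: image-checker
  context:
    cluster: image-checker
    user: api-server
EOF
}

backend_is()            { printf '%s\n' "$1" | grep -q "^    server: $2\$"; }
default_allow_is_false(){ printf '%s\n' "$1" | grep -q 'defaultAllow: false'; }

# kube-apiserver static pod: add these flags AND a hostPath volume/mount for
# CONF_DIR, or the api-server will not come back up after the edit.
#   --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
#   --admission-control-config-file=/etc/kubernetes/bouncer/admission_config.yaml

if [ "${APPLY:-0}" = 1 ]; then
    admission_config "$CONF_DIR/kubeconfig.yaml" | sudo tee "$CONF_DIR/admission_config.yaml" >/dev/null
    set_backend_server https://smooth-yak.local/review < "$CONF_DIR/kubeconfig.yaml" > /tmp/kc &&
        sudo mv /tmp/kc "$CONF_DIR/kubeconfig.yaml"
    # After the api-server restarts: the test resource must be rejected (TEST_RESOURCE is
    # supplied by the operator; its path is truncated on this page), and the scanner's
    # own log must show the /review call.
    [ -n "${TEST_RESOURCE:-}" ] && { kubectl apply -f "$TEST_RESOURCE" || echo "denied as expected"; }
fi
```

Watch the api-server with `crictl ps -a` (or the kubelet log) after saving the manifest: a typo in the admission config file or an unmounted CONF_DIR leaves you with no API server and no kubectl, which is the failure mode that costs the most time on this task.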
Tags: Admission Webhooks, Webhook Configuration, Supply Chain Security, Policy Enforcement
- Question #54 Cluster Hardening
Use admin kubeconfig (because old kubectl config may break).
Tags: kubeconfig, kubectl configuration, admin access, cluster access
- Question #55 Cluster Hardening
Deploy the test resource (should be DENIED).
Tags: Admission Control, RBAC, Policy Enforcement, Deployment Security
- Question #56 Cluster Hardening
Reconfigure the cluster's Kubernetes API server to ensure that only authenticated and authorized REST requests are allowed. Use authorization mode Node,RBAC and admission controlle...
Tags: API Server Configuration, RBAC, Admission Controllers, Authentication and Authorization
- Question #56 Monitoring, Logging, and Runtime Security
PART F -- Verify the scanner was called (log check).
Tags: Log checking, Scanner verification, Runtime security, Monitoring
- Question #57 Cluster Hardening
You can use the cluster's original `kubectl` configuration file `/etc/kubernetes/admin.conf`, located on the cluster's master node, to ensure that authenticated and authorized requ...
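The API server hardening task is spread across #48, #49, #50 (the clean-up step), #56 and the admin.conf note above; the etcd finding (CIS 2.2) sits in #48. As an added example, not the page's procedure, the block below has one helper that sets or replaces a --flag=value in a static Pod manifest's command list, applies it to the api-server (anonymous auth off, Node,RBAC, NodeRestriction admission) and to etcd (client certificate auth), and then removes the system:anonymous ClusterRoleBinding. The admission controller is cut off in the task text and NodeRestriction is an assumption; the sample manifest is constructed for the offline check.

```bash
# Added example, not from the page: flag edits in static Pod manifests for CIS api-server/etcd fixes.

# set_flag <flag> <value>  (manifest on stdin, rewritten manifest on stdout)
# Replaces the value if the flag exists, otherwise appends it after the last
# existing "- --..." argument line.
set_flag() {
    awk -v flag="$1" -v val="$2" '
        /^ *- --/ {
            if (index($0, "- " flag "=")) { sub(/=.*/, "=" val); seen = 1 }
            last = NR
        }
        { lines[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (!seen && i == last) {
                    indent = lines[i]; sub(/-.*/, "", indent)
                    print indent "- " flag "=" val
                }
            }
        }'
}

# Constructed sample with the "testing" configuration the task describes.
sample_apiserver_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    image: registry.k8s.io/kube-apiserver:v1.30.0
EOF
}

# NOTE: --enable-admission-plugins REPLACES the list; keep any plugins already present.
harden_apiserver() {   # harden_apiserver <manifest file>  -> hardened manifest on stdout
    set_flag --anonymous-auth false < "$1" |
        set_flag --authorization-mode Node,RBAC |
        set_flag --enable-admission-plugins NodeRestriction
}

flag_is() { printf '%s\n' "$1" | grep -q -- "- $2=$3\$"; }   # flag_is <text> <flag> <value>

if [ "${APPLY:-0}" = 1 ]; then   # on the control-plane node
    export KUBECONFIG=/etc/kubernetes/admin.conf   # certificate auth; survives anonymous-auth=false
    M=/etc/kubernetes/manifests
    harden_apiserver "$M/kube-apiserver.yaml" > /tmp/kube-apiserver.yaml
    set_flag --client-cert-auth true < "$M/etcd.yaml" > /tmp/etcd.yaml
    sudo mv /tmp/kube-apiserver.yaml "$M/kube-apiserver.yaml"   # kubelet restarts the static pod
    sudo mv /tmp/etcd.yaml "$M/etcd.yaml"
    until kubectl get --raw /healthz >/dev/null 2>&1; do sleep 2; done
    kubectl delete clusterrolebinding system:anonymous       # the clean-up step
fi
```

Edit a copy and move it into place rather than writing into the manifests directory line by line; the kubelet watches that directory and will happily start a pod from a half-written file.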
Tags: kubectl configuration, admin.conf, Authentication, Authorization
- Question #57 Minimize Microservice Vulnerabilities
SIMULATION. You must connect to the correct host. Failure to do so may result in a zero score. Analyze and edit the Dockerfile located at /home/candidate/subtle-bee/build/Dockerfil...
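The Dockerfile and deployment.yaml tasks on this page (#36, #46, #47 and the subtle-bee entry above) all say "fix two things, add or remove nothing". Since the actual files are not on the page, here is an added example on constructed stand-ins: a Dockerfile with a floating base tag and a final USER root, and a Deployment with a privileged container and a writable root filesystem, each fixed by a sed that touches only the offending lines, plus checks that the line count is unchanged. The file contents, the non-root user and the image tags are assumptions; ubuntu:16.04 is the base the #46 task names.

```bash
# Added example, not from the page: two-line fixes for a Dockerfile and a Deployment.
sample_dockerfile() {   # constructed; not the exam's file
    cat <<'EOF'
FROM ubuntu:latest
RUN apt-get update && apt-get install -y nginx && rm -rf /var/lib/apt/lists/*
COPY index.html /var/www/html/index.html
USER root
CMD ["nginx", "-g", "daemon off;"]
EOF
}

# Finding 1: a floating tag (pin to the base the task names).
# Finding 2: the image ends as root, so every process in the container is root.
fix_dockerfile() {
    sed -e 's/^FROM ubuntu:latest$/FROM ubuntu:16.04/' \
        -e 's/^USER root$/USER nobody/'
}

sample_deployment() {   # constructed; not the exam's file
    cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      containers:
      - name: web
        image: nginx:1.25
        securityContext:
          privileged: true
          readOnlyRootFilesystem: false
          runAsUser: 65535
EOF
}

# Finding 1: privileged hands the container every capability and host device.
# Finding 2: a writable root filesystem lets an intruder drop tools and persist.
fix_deployment() {
    sed -e 's/privileged: true/privileged: false/' \
        -e 's/readOnlyRootFilesystem: false/readOnlyRootFilesystem: true/'
}

# "Don't add or remove settings": line count must be identical before and after.
line_count_unchanged() {
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq "$(printf '%s\n' "$2" | wc -l | tr -d ' ')" ]
}
dockerfile_clean() { ! printf '%s\n' "$1" | grep -Eq '^(USER root|FROM .*:latest)$'; }
deployment_clean() { ! printf '%s\n' "$1" | grep -Eq 'privileged: true|readOnlyRootFilesystem: false'; }

if [ "${APPLY:-0}" = 1 ]; then   # on the real files; read them first, the patterns match the samples above
    D=/home/candidate/KSSC00301
    fix_dockerfile < "$D/Dockerfile" > /tmp/Dockerfile && mv /tmp/Dockerfile "$D/Dockerfile"
    fix_deployment < "$D/deployment.yaml" > /tmp/deployment.yaml && mv /tmp/deployment.yaml "$D/deployment.yaml"
fi
```

Read the real files before running any substitution: the graders look for exactly two changed lines, and a `USER` that appears twice, or a `runAsUser: 0`, would be the intended finding rather than the ones assumed here.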
Tags: Dockerfile hardening, Kubernetes securityContext, Non-root user, Microservice security