CKS Exam Questions
135 real CKS exam questions with expert-verified answers and explanations. Page 3 of 3.
- Question #58: Minimize Microservice Vulnerabilities
  PART B -- FIX ONE prominent security/best-practice issue in the Deployment manifest. 4) Open the manifest `vi /home/candidate/subtle-bee/deployment.yaml` 5) Change ONLY ONE existin...
  Tags: Pod Security Context, Least Privilege, Deployment Manifest, Container Hardening
- Question #58: Cluster Hardening
  Context: For testing purposes, the kubeadm provisioned cluster's API server was configured to allow unauthenticated and unauthorized access. Task: First, secure the cluster's API...
  Tags: API Server Security, Authentication, Authorization, Admission Controllers
- Question #59: Monitoring, Logging, and Runtime Security
  Question: 53 SIMULATION Context A Pod is misbehaving and poses a security threat to the system. Task One of the Pods belonging to the application ollama is misbehaving. It is direc...
  Tags: Runtime Security, Kubernetes Pods, Deployment Scaling, Security Incident Response
- Question #60: Monitoring, Logging, and Runtime Security
  Context You must implement auditing for the kubeadm provisioned cluster. Task First, reconfigure the cluster's API server, so that: . the basic audit policy located at /etc/kubern...
  Tags: Kubernetes Auditing, API Server Configuration, Audit Policy, Log Management
- Question #61: Cluster Hardening
  3) Edit the ImagePolicyWebhook config. One of these is true on your cluster: Option 1 (most common in these tasks): ImagePolicyWebhook config is a standalone file. Option 2: ImageP...
  Tags: ImagePolicyWebhook, Admission Controllers, Kubernetes Configuration, Policy Enforcement
- Question #61: Minimize Microservice Vulnerabilities
  You must connect to the correct host (e.g., via `ssh cks000031`). You are required to implement NetworkPolicies controlling the traffic flow of existing Deployments across namespac...
  Tags: Kubernetes NetworkPolicies, Ingress Control, Namespace Isolation, Traffic Segmentation
- Question #62: Minimize Microservice Vulnerabilities
  Context: You must expose a web application using HTTPS routes. Task: Create an Ingress resource named web in the prod namespace and configure it as follows: . Route traffic for hos...
  Tags: Kubernetes Ingress, TLS Termination, HTTPS Redirect, Service Exposure
- Question #62: Supply Chain Security
  PART C -- Point backend configuration to https://smooth-yak.local/review. 4) Edit the webhook kubeconfig to use the scanner endpoint.
  Tags: Webhook, Kubeconfig, Vulnerability Scanning, Admission Control
- Question #63: Minimize Microservice Vulnerabilities
  A security audit has identified a Deployment improperly handling service account tokens, which could lead to security vulnerabilities. First, modify the existing ServiceAccount sta...
  Tags: Service Account Security, Projected Volumes, Token Management, Kubernetes Security Configuration
- Question #63: Cluster Hardening
  PART D -- Restart effect (make sure API server picks up config).
  Tags: API Server Configuration, Service Restart, Applying Security Policies, Kubernetes Core Components
- Question #64: Cluster Setup
  Context: The kubeadm provisioned cluster was recently upgraded, leaving one node on a slightly older version due to workload compatibility concerns. Task: Upgrade the cluster node...
  Tags: kubeadm, node upgrade, version management, cluster maintenance
- Question #64: Cluster Hardening
  PART E -- Test: apply vulnerable workload and confirm it is denied. 5) Use admin kubeconfig (because old kubectl config may break). 6) Deploy the test resource (should be DENIED).
  Tags: Admission Control, Policy Enforcement, Vulnerable Workloads, Kubernetes Security
- Question #65: Monitoring, Logging, and Runtime Security
  PART F -- Verify the scanner was called (log check). 7) Check scanner access log. Quick "what to check if it doesn't deny"
  Tags: log analysis, security scanning, scanner verification, troubleshooting
- Question #65: Supply Chain Security
  Task: The alpine Deployment in the alpine namespace has three containers that run different versions of the alpine image. First, find out which version of the alpine image contains...
  Tags: SBOM Generation, Container Image Analysis, Kubernetes Deployment Management, Software Supply Chain Security
- Question #66: Minimize Microservice Vulnerabilities
  Question: 52 SIMULATION You must connect to the correct host. Failure to do so may result in a zero score. Analyze and edit the Dockerfile located at /home/candidate/subtle-bee/bui...
  Tags: Dockerfile Security, Kubernetes Manifest Security, Least Privilege, Container Hardening
- Question #66: Cluster Hardening
  For compliance, all user namespaces enforce the restricted Pod Security Standard. The confidential namespace contains a Deployment that is not compliant with the restricted Pod Sec...
  Tags: Pod Security Standards, Security Context, Deployment, Kubernetes Compliance
- Question #67: Minimize Microservice Vulnerabilities
  Fix one prominent security/best-practice issue in the Deployment manifest located at `/home/candidate/subtle-bee/deployment.yaml`. You must change ONLY ONE existing field that is a...
  Tags: Kubernetes Security, Pod Security Standards, Deployment Configuration, Vulnerability Remediation
- Question #67: System Hardening
  Perform the following tasks to secure the cluster node cks000037: Remove user developer from the docker group. Do not remove the user from any other group. Reconfigure and restart...
  Tags: Docker security, User and group management, Daemon configuration, Socket security
- Question #68: Minimize Microservice Vulnerabilities
  Perform the following tasks to secure an existing application's Layer 4 (L4) transport communication using Istio.
  Tags: Istio, Service Mesh, mTLS, L4 Security
- Question #68: Monitoring, Logging, and Runtime Security
  One of the Pods belonging to the application ollama is misbehaving. It is directly accessing the system's memory reading from the sensitive file /dev/mem. The cluster uses the Dock...
  Tags: Runtime Security, Container Troubleshooting, Pod Identification, Deployment Scaling
- Question #69: Runtime Security
  You must connect to the correct host. Failure to do so may result in a zero score. [candidate@base]$ ssh cks000028 Context You must update an existing Pod to ensure the immutabilit...
  Tags: Container Security, Pod SecurityContext, Read-Only Root Filesystem, Privilege Escalation
- Question #69: Minimize Microservice Vulnerabilities
  Ensure that all Pods in the `mtls` namespace have the `istio-proxy` sidecar injected. Then, configure mutual authentication in `strict` mode for all workloads in the `mtls` namespa...
  Tags: Istio, Service Mesh, mTLS, Network Security
- Question #70: Monitoring, Logging, and Runtime Security
  Context You must implement auditing for the kubeadm provisioned cluster. Task First, reconfigure the cluster's API server, so that: . the basic audit policy located at /etc/kubern...
  Tags: Kubernetes Auditing, API Server Configuration, Audit Policy, Logging Configuration
- Question #70: Minimize Microservice Vulnerabilities
  You must complete securing access to a web server using SSL files stored in a TLS Secret. Create a TLS Secret named `clever-cactus` in the `clever-cactus` namespace for an existing...
  Tags: Kubernetes TLS Secrets, SSL/TLS, Secrets Management, Web Security
- Question #71: Runtime Security
  You must connect to the correct host. Failure to do so may result in a zero score. Context You must implement NetworkPolicies controlling the traffic flow of existing Deployments a...
  Tags: NetworkPolicy, Kubernetes networking, Namespace isolation, Ingress rules
- Question #72: Cluster Hardening
  PART A -- Deny ALL ingress traffic in prod namespace. Requirement: NetworkPolicy name: deny-policy, Namespace: prod (namespace is labeled env=prod), Effect: block all ingress.
  Tags: Kubernetes NetworkPolicy, Ingress control, Network security, Namespace isolation
- Question #73: Cluster Hardening
  PART B -- Allow ingress to data ONLY from Pods in prod. Requirement: NetworkPolicy name: allow-from-prod, Namespace: data (namespace is labeled env=data), Allow ingress only from P...
  Tags: Kubernetes NetworkPolicy, Network Policy Ingress, Namespace Labels, Network Segmentation
- Question #74: Minimize Microservice Vulnerabilities
  A security audit has identified a Deployment improperly handling service account tokens, which could lead to security vulnerabilities. First, modify the existing ServiceAccount sta...
  Tags: ServiceAccount Security, API Credentials Management, Projected Volumes, Deployment Hardening
- Question #75: Cluster Hardening
  Upgrade the cluster node compute-0 to match the version of the control plane node. You must connect to the correct host. Failure to do so may result in a zero score. [candidate@bas...
  Tags: Kubernetes upgrades, kubeadm, Node management
- Question #76: Supply Chain Security
  The alpine Deployment in the alpine namespace has three containers that run different versions of the alpine image. First, find out which version of the alpine image contains the l...
  Tags: SBOM Generation, Container Image Analysis, Kubernetes Deployment Update, Package Version Identification
- Question #77: Cluster Hardening
  For compliance, all user namespaces enforce the restricted Pod Security Standard. The confidential namespace contains a Deployment that is not compliant with the restricted Pod Sec...
  Tags: Pod Security Standards, Kubernetes Security Context, Deployment, Compliance
- Question #78: System Hardening
  Perform the following tasks to secure the cluster node cks000037: Remove user developer from the docker group. Do not remove the user from any other group. Reconfigure and restart...
  Tags: Docker daemon hardening, System security, User access control, Socket security
- Question #79: Monitoring, Logging, and Runtime Security
  Context: A microservices-based application using unencrypted Layer 4 (L4) transport must be secured with Istio. Task: Perform the following tasks to secure an existing application'...
  Tags: Istio, Service Mesh, mTLS, Microservices Security
- Question #80: Minimize Microservice Vulnerabilities
  Istio is installed to secure Layer 4 (L4) communications. You may use your browser to access Istio's documentation. First, ensure that all Pods in the mtls namespace have the istio...
  Tags: Istio, Mutual TLS, Service Mesh Security, Sidecar Proxy
- Question #81: Minimize Microservice Vulnerabilities
  You must complete securing access to a web server using SSL files stored in a TLS Secret. Create a TLS Secret named clever-cactus in the clever-cactus namespace for an existing Dep...
  Tags: Kubernetes Secrets, TLS Secret, Secure Communication, Certificates