Practice CKS Cluster Setup and Hardening questions with full explanations on every answer.
1. During a security audit, you discover that a container running as root inside a pod has been compromised. The pod uses the default service account. Which two measures should you implement to harden the cluster? (Select TWO)
2. A cluster uses Kubernetes v1.24 with Pod Security Admission enabled. The cluster administrator wants to enforce that all pods in the 'production' namespace run with the 'restricted' policy level, but some existing deployments use privileged containers. Which approach ensures that only new pods violating the policy are rejected, while existing pods continue to run?
3. A security engineer needs to ensure that all communication between nodes and the control plane is encrypted. Which component must be configured with a TLS certificate to achieve this?
4. After a security incident, you need to restrict which pods can communicate with each other in the 'finance' namespace. You want to allow only pods with label 'app: api' to connect to pods with label 'app: db' on TCP port 5432, and deny all other traffic. Which NetworkPolicy should you create?
5. A cluster has been configured with the NodeRestriction admission plugin. A developer tries to create a pod that uses a hostPath volume pointing to /var/log. The pod's nodeSelector is set to 'kubernetes.io/hostname: worker-1'. Which statement is true?
6. Which THREE of the following are valid methods to secure etcd in a Kubernetes cluster? (Select THREE)
7. Which TWO of the following are recommended practices for securing the Kubernetes API server? (Select TWO)
8. A security team wants to ensure that only approved container images can run in their production cluster. Which admission controller should be configured in the kube-apiserver to enforce this policy?
9. An administrator discovers that a container has been running with root privileges despite a PodSecurityPolicy that should prevent it. What is the most likely cause?
10. A DevOps engineer needs to restrict the outbound network traffic from pods running in namespace 'secure-ns'. Which NetworkPolicy configuration achieves this by default?
11. Which TWO of the following are valid methods to secure the etcd datastore in a Kubernetes cluster?
12. You are a security engineer for a financial services company running a Kubernetes cluster on-premises. The cluster uses kubeadm for bootstrapping and Calico for network policy. Recently, a compliance audit revealed that all nodes in the cluster have the kubelet port 10250 open to the public network, allowing unauthenticated access to the kubelet API. This poses a severe security risk. The cluster has 10 worker nodes and 3 control plane nodes. You need to remediate this without disrupting running workloads. The nodes are behind a corporate firewall, but the internal network is considered untrusted. You have access to the node's iptables and can modify configuration files. Which course of action best secures the kubelet port while maintaining cluster functionality?
13. A security engineer is configuring a Kubernetes cluster to meet CIS benchmark recommendations. The cluster uses kubeadm for bootstrapping. Which action should be taken to ensure the kube-apiserver is hardened against unauthorized access?
14. A Kubernetes cluster is experiencing issues where pods cannot pull images from a private container registry. The registry requires authentication via imagePullSecrets. The cluster has a pod running with the following spec snippet. What is the likely cause of the failure?
15. A DevOps team is tasked with upgrading a Kubernetes cluster from version 1.21 to 1.22. They want to minimize downtime and follow best practices. Which approach should they take?
16. Which TWO actions should be taken to secure etcd in a Kubernetes cluster?
17. Arrange the steps to create and enforce a Pod Security Policy (PSP) in a Kubernetes cluster.
18. Order the steps to perform a Kubernetes cluster upgrade from version 1.24 to 1.25.
19. Match each Kubernetes security component to its description.
20. Match each container security context setting to its effect.
21. Which flag must be set on the kube-apiserver to disable anonymous authentication?
22. A security auditor runs kube-bench and reports that the kubelet is not configured with --protect-kernel-defaults. What is the impact of this misconfiguration?
23. You need to enable encryption at rest for secrets in an existing cluster. Which resource should you create?
24. An administrator applies the following manifest to enable audit logging:
    apiVersion: audit.k8s.io/v1
    kind: Policy
    metadata:
      name: audit-policy
    rules:
    - level: Metadata
      resources:
      - group: ""
        resources: ["secrets"]
    Which audit level is being used for requests to the Secrets API?
25. Which admission plugin should be enabled to prevent kubelets from modifying Node objects they should not have access to?
26. What is the purpose of the --audit-policy-file flag on the kube-apiserver?
27. A cluster administrator wants to ensure that a specific service account (my-sa) cannot have its token mounted automatically in pods. Which annotation should be set on the service account?
28. You run 'kubectl auth can-i --list --as=system:serviceaccount:kube-system:my-sa' and see that my-sa has cluster-admin access. What is the BEST way to reduce privileges?
29. Which of the following is a recommended setting from the CIS Kubernetes Benchmark for the kubelet?
30. An administrator wants to secure etcd communication. Which of the following is required?
31. After running kube-bench, you see a failing check: '1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive'. What is the remediation?
32. Which etcd encryption provider is considered strongest for encrypting secrets at rest?
33. Which TWO admission plugins should be enabled to improve cluster security according to CIS benchmarks? (Choose two.)
34. Which THREE of the following are recommended actions to secure the Kubernetes Dashboard? (Choose three.)
35. Which TWO of the following are valid methods to restrict etcd access? (Choose two.)
36. Which kubectl command can be used to check the CIS benchmark compliance of a Kubernetes cluster?
37. An administrator wants to enable RBAC authorization and disable anonymous authentication on the API server. Which set of flags should be added to the kube-apiserver configuration?
38. During a security audit, you run kube-bench and find that the API server audit logging is not enabled. Which set of flags should be added to the kube-apiserver to enable audit logging with a policy file located at /etc/kubernetes/audit-policy.yaml?
39. You need to enable encryption at rest for secrets in the cluster. Which resource should you create to configure encryption providers?
40. An administrator runs 'kubectl describe nodes' and notices that the node status shows 'Ready,SchedulingDisabled'. What is the most likely cause?
41. Which kubelet flag should be set to ensure the kubelet does not allow anonymous requests?
42. You are creating a ServiceAccount that should not automatically mount its token to pods. Which field should be set in the ServiceAccount manifest?
43. An administrator wants to restrict which nodes a pod can be scheduled on using the NodeRestriction admission plugin. Which flag must be set on the kube-apiserver to enable this plugin?
44. What is the purpose of the Kubernetes Dashboard?
45. Which admission plugin is recommended by the CIS Kubernetes Benchmark to restrict the kubelet's ability to modify nodes?
46. You need to encrypt etcd data at rest using AES-CBC. Which encryption provider should you specify in the EncryptionConfiguration?
47. You are auditing RBAC and find a ClusterRoleBinding that grants cluster-admin to a service account. Which command should you run to list all ClusterRoleBindings in the cluster?
48. Which etcd security measure should be implemented to ensure only authorized clients can access the etcd cluster?
49. An administrator runs 'kubectl get pods' and sees that a pod is in 'Pending' state. What is the most likely reason for this state?
50. You want to ensure that a pod only runs on nodes that have a specific label, 'disktype=ssd'. Which field should be specified in the pod spec?
51. Which TWO of the following are recommended practices for securing the Kubernetes Dashboard? (Select TWO)
52. Which TWO kubelet flags are recommended by the CIS Kubernetes Benchmark to enhance security? (Select TWO)
53. Which THREE of the following are valid ways to secure etcd in a Kubernetes cluster? (Select THREE)
54. Which TWO of the following are recommended settings for the Kubernetes API server according to the CIS Kubernetes Benchmark? (Select TWO)
55. Which THREE of the following are best practices for RBAC hardening in Kubernetes? (Select THREE)
56. Which flag disables anonymous authentication on the API server?
57. An administrator runs 'kube-bench run --targets=master' and sees a failing check for 'Ensure that the --audit-log-path argument is set'. What is the correct remediation?
58. A security audit reveals that etcd does not encrypt data at rest. Which resource must be created to enable encryption?
59. A ClusterRoleBinding named 'admin-binding' binds the cluster-admin ClusterRole to a service account 'sa-admin' in namespace 'ns1'. What is the security concern?
60. Which kubectl command creates a Role named 'pod-reader' that allows only 'get', 'list', and 'watch' on pods in namespace 'ns1'?
61. Which admission plugin is recommended by the CIS Benchmark to restrict what nodes can modify?
62. An administrator wants to prevent the kubelet from serving anonymous requests. Which flag should be set on the kubelet?
63. A pod in namespace 'ns1' has automountServiceAccountToken: false. However, the container still has a mounted service account token at /var/run/secrets/kubernetes.io/serviceaccount. What is the most likely cause?
64. Which flag must be set on the API server to enable audit logging?
65. What is the purpose of the CIS Kubernetes Benchmark?
66. An administrator runs 'kubectl auth can-i --list --as=system:serviceaccount:ns1:my-sa' and sees that the service account has 'create pods' permission via a RoleBinding. Which command can be used to delete that RoleBinding?
67. A security scanner reports that the Kubernetes dashboard is publicly accessible. Which recommended action should be taken?
68. Which flag is used to restrict the kubelet's ability to modify node status and pods?
69. What is the recommended way to provide TLS certificates to the API server?
70. Which command can be used to check if the API server has anonymous authentication enabled?
71. Which TWO actions are recommended by the CIS Kubernetes Benchmark for securing etcd?
72. Which THREE flags should be set on the kubelet to comply with the CIS Benchmark for worker node security?
73. Which TWO resources can be used to implement RBAC in Kubernetes?
74. Which TWO checks are performed by kube-bench for the master node?
75. Which THREE are valid ways to restrict access to the Kubernetes API server?
76. Which flag should be set on the kube-apiserver to disable anonymous authentication?
77. An administrator runs kube-bench and receives a failing result for CIS control 1.1.1. What does this control typically check?
78. A security policy requires that all communication to etcd be encrypted. Which two components must be configured with TLS certificates to achieve this? (Select two)
79. Which TWO of the following are recommended practices for securing the Kubernetes dashboard?
80. Which kube-apiserver flag enables encryption at rest for secrets?
81. A security audit reveals that a ServiceAccount named 'monitor' has a ClusterRoleBinding to the cluster-admin role. What is the best remediation?
82. Which kubelet flag prevents the kubelet from serving anonymous requests?
83. Which THREE of the following are valid encryption providers that can be used in EncryptionConfiguration for encryption at rest?
84. Which kube-apiserver flag enables audit logging?
85. A cluster administrator wants to ensure that pods cannot modify node objects. Which admission plugin should be enabled?
86. You need to run kube-bench on a control plane node. Which command should you use?
87. A security policy requires that all ServiceAccounts in a namespace do not automatically mount their tokens. How can this be achieved at the namespace level?
88. Which TWO admission plugins are recommended to be enabled for security hardening?
89. What is the default authorization mode for a new Kubernetes cluster?
90. You run 'kubectl auth can-i --list --as=admin' and see that the admin user has full cluster-admin access. Which command would create a ClusterRoleBinding for a user named 'viewer' with read-only access to all resources?
91. Which kubectl command will disable anonymous authentication on a kube-apiserver?
92. You have a requirement to encrypt secrets at rest in etcd. Which resource and apiVersion should be used?
93. A security auditor runs kube-bench on your cluster and reports that the apiserver is using default service account tokens. Which admission plugin should be enabled to address this?
94. You need to create a ClusterRole that allows listing secrets, but only in namespaces that have a specific label 'security-level=high'. Which approach should you use?
95. You run 'kube-bench' and see a failure: '1.2.7 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate'. What is the impact of this misconfiguration?
96. Which flag on the kubelet disables anonymous access?
97. You are asked to ensure that a specific Kubernetes dashboard (e.g., kubernetes-dashboard) is not publicly accessible. The dashboard is deployed in the 'kube-system' namespace. Which NetworkPolicy should you apply?
98. You need to audit all API requests to the cluster. Which set of apiserver flags should be configured?
99. Which RBAC resource should be used to grant cluster-wide permissions to a user?
100. A service account 'monitor' needs to list pods in all namespaces. Which minimal RBAC configuration should you use?
101. You are auditing RBAC and find a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to the service account 'default' in namespace 'kube-system'. What is the risk?
102. You want to ensure that kubelets only serve pods that have been scheduled by the API server. Which admission plugin should be enabled?
103. Which TWO of the following are recommendations from the CIS Kubernetes Benchmark?
104. Which THREE of the following are valid methods to secure etcd?
105. Which TWO of the following are best practices for hardening Kubernetes Dashboard?
106. An administrator runs `kube-bench` on a Kubernetes node and receives a warning that the kubelet is configured with `--anonymous-auth=true`. Which kubectl command should be used to fix this on the kubelet?
107. You are tasked with enabling audit logging for the Kubernetes API server. Which API server flag must be used to specify the audit log file path?
108. A security scan reports that the etcd cluster does not encrypt data at rest. The cluster uses aescbc encryption. Which resource type should be created to configure encryption at rest?
109. Which admission plugin should be enabled on the kubelet to ensure it only registers nodes and sets labels as allowed by the Node REST API?
110. An administrator wants to ensure that a service account used by a deployment cannot automatically mount its token. Which field should be set to `false` in the Pod spec?
111. You need to create an RBAC role that allows reading secrets only in namespace 'production'. Which ClusterRole and RoleBinding combination is correct?
112. Which of the following flags should be set to `false` to disable anonymous authentication to the Kubernetes API server?
113. A pod runs with a service account that has a ClusterRoleBinding granting cluster-admin. What is the best practice to reduce the risk of privilege escalation?
114. You are securing etcd. Which of the following is required to enable TLS client authentication for etcd?
115. The Kubernetes Dashboard is deployed in the cluster. To secure it, which of the following is a recommended practice?
116. Which flag enables the NodeRestriction admission plugin on the API server?
117. An administrator runs `kube-bench` and sees that the check 'Ensure that the --protect-kernel-defaults flag is set to true' has failed. Which component does this check apply to?
118. Which two of the following are recommended by the CIS Kubernetes Benchmark? (Choose two.)
119. Which three of the following are valid methods to restrict access to etcd? (Choose three.)
120. Which two of the following are correct ways to enforce least privilege for service accounts? (Choose two.)
121. Which kubectl command checks the CIS Benchmark compliance of a cluster node using the kube-bench tool?
122. An administrator wants to disable anonymous authentication to the Kubernetes API server. Which flag should be added to the kube-apiserver configuration?
123. Which admission plugin should be enabled to ensure that kubelet only serves pods bound to its node and prevents unauthorized node access?
124. You have enabled etcd encryption at rest using an EncryptionConfiguration with aescbc provider. After applying the configuration, you create a new Secret. Which of the following is true regarding the encrypted Secret?
125. What is the purpose of the --audit-log-path flag on the kube-apiserver?
126. An administrator runs 'kubectl get clusterrolebindings' and notices a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to a service account in the 'default' namespace. What security concern does this raise?
127. Which flag must be set on the kubelet to prevent it from using the default namespace for pods and to enforce that pods only use namespaces that match the node's assigned namespace?
128. A security auditor recommends enabling audit logging for the Kubernetes API server with a policy that logs all requests at the Metadata level. Which configuration ensures this requirement?
129. Which of the following is a valid method to disable automatic mounting of service account tokens for a pod?
130. An administrator wants to secure etcd communication. Which of the following is required to enable TLS for client-to-etcd communication?
131. A ClusterRole named 'secret-reader' is defined with rules to get, list, and watch secrets. A RoleBinding in namespace 'app' binds this ClusterRole to a service account. Which of the following best describes the permissions of the service account?
132. Which of the following is a recommended practice when securing the Kubernetes Dashboard?
133. Which TWO of the following are CIS Benchmark recommendations for securing the Kubernetes API server? (Select TWO)
134. Which THREE of the following are valid methods to restrict access to etcd in a Kubernetes cluster? (Select THREE)
135. Which TWO of the following are recommended actions to harden service account security in a Kubernetes cluster? (Select TWO)
136. Which flag should you set on the kube-apiserver to disable anonymous authentication?
137. An administrator runs 'kube-bench master' and receives a warning that etcd has no client certificate authentication. What is the recommended remediation?
138. You are configuring kubelet security. Which flag prevents containers from modifying kernel parameters?
139. Which admission plugin should be enabled on the kube-apiserver to enforce that kubelets cannot modify nodes they are not assigned to?
140. An administrator creates an EncryptionConfiguration with aescbc and saves it to /etc/kubernetes/enc/enc.yaml. Which flag must be added to the kube-apiserver to enable encryption at rest?
141. To disable service account token automount for a pod, which field should be set to false in the pod spec?
142. You want to ensure that the Kubernetes Dashboard is accessed only by authenticated users with specific permissions. What is the BEST approach?
143. Which kubectl command can be used to view the audit log policy currently in use by the API server?
144. A security scan reports that the etcd data directory is not encrypted at rest. The cluster uses etcd v3.5. Which steps are required to enable encryption?
145. Which of the following is a recommended CIS benchmark setting for the kubelet?
146. A developer created a ClusterRoleBinding that grants cluster-admin to a service account. What is the security concern?
147. Which command would you run to check if anonymous authentication is enabled on the API server?
148. Which TWO of the following are recommended practices for etcd security?
149. Which THREE of the following are valid flags for enabling admission plugins on the API server?
150. Which TWO actions are part of the CIS Kubernetes Benchmark recommendations?
151. Which flag must be set on the kube-apiserver to disable anonymous authentication?
152. You run 'kube-bench' on a cluster node and get a failure for the test 'Ensure that the --anonymous-auth argument is set to false' (ID: 1.2.1). Which file do you need to modify to fix this issue?
153. An administrator wants to enable encryption at rest for secrets in a Kubernetes cluster. They create the following EncryptionConfiguration and place it at /etc/kubernetes/enc/enc.yaml. Which flag must be added to the kube-apiserver to use this configuration?
154. You need to ensure that the kubelet only serves authenticated and authorized requests. Which flag(s) should be set on the kubelet?
155. Which admission plugin should be enabled to prevent kubelets from modifying nodes or pods they do not own?
156. You are reviewing RBAC permissions and notice a ClusterRoleBinding that binds the cluster-admin role to a service account in the 'monitoring' namespace. What is the best practice recommendation?
157. An etcd cluster uses TLS for peer and client communication. You need to secure etcd further by enabling RBAC. Which flag do you set on the etcd process to enable authentication?
158. To enforce Pod Security Standards at the namespace level, which admission plugin must be enabled on the API server?
159. What is the purpose of the 'automountServiceAccountToken: false' setting in a Pod spec?
160. You deploy the Kubernetes Dashboard using the official YAML manifests. Which of the following is the MOST secure approach to expose the Dashboard?
161. You need to enable audit logging for the Kubernetes API server. Which three flags must be set?
162. You are configuring etcd encryption at rest. After placing the EncryptionConfiguration YAML file, you must modify which file to point the API server to it?
163. Which TWO of the following are recommended practices according to the CIS Kubernetes Benchmark? (Select 2)
164. Which THREE of the following are valid ways to restrict access to etcd? (Select 3)
165. Which TWO admission plugins should be enabled to improve cluster security according to the CIS Benchmark? (Select 2)
166. Which kubectl command runs kube-bench against a Kubernetes cluster?
167. An administrator runs kube-bench on a node and sees a warning about the kubelet anonymous authentication being enabled. Which kubelet flag should be set to disable anonymous access?
168. A security team wants to ensure that all API requests to the cluster are authenticated and use RBAC for authorization. Which two flags must be set on the kube-apiserver?
169. A pod running in the cluster is in a CrashLoopBackOff state. You run 'kubectl describe pod <pod>' and see the following event: 'Warning BackOff Back-off restarting failed container'. Which command would you run to see the standard error output of the container?
170. An administrator wants to enable audit logging for the Kubernetes API server. Which of the following is required?
171. After setting up etcd encryption at rest using EncryptionConfiguration with aescbc, which resource stores the encryption key?
172. Which of the following is a CIS benchmark recommendation for securing the Kubernetes API server?
173. A security audit reveals that a service account in the 'default' namespace has been granted cluster-admin privileges via a ClusterRoleBinding. What is the best mitigation?
174. Which admission plugin should be enabled on the kube-apiserver to restrict kubelet permissions and prevent nodes from modifying their own Node objects?
175. Which flag on the kubelet helps ensure it runs securely by enforcing kernel defaults?
176. A pod is failing with status 'CrashLoopBackOff'. The pod manifest includes a liveness probe that runs every 10 seconds. You suspect the probe is causing the crash. Which command would you use to verify the liveness probe configuration?
177. Which of the following YAML snippets correctly configures a ServiceAccount with automountServiceAccountToken set to false?
178. Which TWO of the following are recommended CIS benchmark practices for securing etcd? (Choose two.)
179. Which TWO admission plugins are recommended by the CIS benchmark to be enabled on the kube-apiserver? (Choose two.)
180. Which THREE of the following are valid methods to restrict access to the Kubernetes Dashboard? (Choose three.)
181. Which kubectl flag disables anonymous authentication on the API server?
182. You run kube-bench on a node and it reports a failure for 'Ensure that the --anonymous-auth argument is set to false' for the kubelet service. Which file must you modify to fix this?
183. Which admission plugin enforces that kubelets cannot modify pods they do not own?
184. You are tasked with enabling audit logging for the Kubernetes API server. You have created an audit policy file at /etc/kubernetes/audit-policy.yaml. Which flag must be added to the API server manifest to enable audit logging?
185. An etcd cluster uses TLS for peer and client communication. Which command correctly tests connectivity to an etcd member with client certificate authentication?
186. A security audit reveals that a service account 'monitor' is bound to the cluster-admin ClusterRole, which violates least-privilege. What is the best remediation?
187. Which of the following is a recommended CIS Benchmark control for etcd?
188. You need to encrypt Kubernetes secrets at rest using aescbc. Which YAML snippet defines the EncryptionConfiguration correctly?
189. An administrator runs kubectl get clusterrolebindings and sees a binding named 'system:node'. This binding is part of the legacy node authorization. According to CIS benchmarks, what should be done with it?
190. You are configuring kubelet to protect kernel defaults. Which flag enables this?
191. A cluster's API server is configured with --authorization-mode=RBAC,Node. A kubelet attempts to create a ConfigMap. Which authorizer will evaluate the request?
192. Which admission plugin should be used to enforce Pod Security Standards at the namespace level?
193. Which TWO of the following are CIS Benchmark recommendations for securing the API server?
194. Which TWO actions would help secure the Kubernetes Dashboard?
195. Which THREE of the following are valid methods to disable automount of service account tokens for a pod?
196. Which flag disables anonymous authentication on the Kubernetes API server?
197. An administrator runs kube-bench on a cluster node and receives failures for CIS benchmark checks related to kubelet configuration. Which kubelet flag should be set to ensure that kernel defaults are not used when they might be insecure?
198. A security audit reveals that the etcd datastore is not encrypted at rest. Which resource should be created to enable encryption of secrets at rest?
199. You are tasked with securing a Kubernetes cluster. You want to ensure that the kubelet only serves APIs that are explicitly allowed and that it does not allow anonymous requests. Which kubelet configuration flags should you set?
200. Which admission plugin should be enabled on the API server to ensure that the kubelet cannot modify its own Node object beyond its assigned node?
201. An administrator wants to enable audit logging on the API server. Which three flags are required to set up basic audit logging?
202. A developer creates a pod with the following YAML:
    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
    spec:
      serviceAccountName: default
      automountServiceAccountToken: true
      containers:
      - name: app
        image: nginx
    What is the security concern with this configuration?
203. You need to restrict access to etcd so that only the API server can communicate with it. Which method should you use?
204. Which kubectl command can be used to determine if anonymous authentication is enabled on the API server?
205. An administrator wants to ensure that no service account in the 'development' namespace has cluster-admin privileges. Which command should be used to identify such bindings?
206. What is the purpose of the --authorization-mode=RBAC flag on the API server?
207. A cluster has been hardened by setting --anonymous-auth=false and enabling RBAC. However, kube-bench still reports a failure for the kubelet check 'Ensure that the --anonymous-auth argument is set to false'. What could be the reason?
208. Which TWO actions are recommended by the CIS Kubernetes Benchmark to secure the API server?
209. Which THREE options are valid methods to secure etcd in a Kubernetes cluster?
210. Which TWO practices help secure the Kubernetes Dashboard?
211. Which of the following flags should be set on the kube-apiserver to disable anonymous authentication?
212. An administrator wants to restrict a service account to only be able to create pods in the 'development' namespace. Which RBAC configuration should be used?
213. You run kube-bench on a node and it reports a failure for control plane component etcd. The check says 'Ensure that the --cert-file and --key-file arguments are set as appropriate'. You examine the etcd manifest file and find that the cert-file and key-file are configured with a self-signed certificate. What is the BEST action to remediate this finding?
214. A security audit reveals that several pods have the service account token mounted automatically. Which annotation should be added to the pod's service account to prevent automatic mounting?
215. Which of the following is the correct flag to enable audit logging on the kube-apiserver?
216. A cluster administrator wants to encrypt secrets at rest in etcd. Which resource must be created to configure encryption?
217. You are tasked with securing the kubelet. Which flag must be set on the kubelet to enable the NodeRestriction admission plugin?
218. Which of the following is a recommended practice for securing Kubernetes Dashboard?
219. An admin runs 'kubectl auth reconcile -f rbac.yaml' and gets an error that the user does not have permission to create ClusterRoleBindings. What is the most likely cause?
220. To protect kernel defaults on a node, which flag should be set on the kubelet?
221. A ClusterRoleBinding grants cluster-admin to a service account in the 'kube-system' namespace. What is the best way to audit this for least privilege?
222. Which of the following is a correct method to enable encryption at rest for secrets in etcd using the EncryptionConfiguration?
223. Which TWO of the following are recommended settings from the CIS Kubernetes Benchmark for the kube-apiserver? (Select 2)
224. Which TWO of the following are valid ways to restrict access to etcd? (Select 2)
225. Which THREE of the following are recommended practices for hardening RBAC in a Kubernetes cluster? (Select 3)
226. Which flag must be set on the kube-apiserver to disable anonymous authentication?
227. A security auditor runs kube-bench on a Kubernetes node and reports that the check '1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive' fails. What is the most appropriate remediation?
228. You need to enable audit logging for the Kubernetes API server. Which two flags must be set?
229. An etcd cluster is configured with TLS. You need to enforce that only the API server can read and write to etcd. Which method should you use?
230. You want to ensure that kubelet does not allow anonymous requests. Which flag must be set on the kubelet?
231. Which admission plugin should be enabled on the API server to enforce that kubelet cannot modify nodes other than its own?
232. You are auditing RBAC and find a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to a service account in the 'default' namespace. What is the security concern?
233. A pod is in a CrashLoopBackOff state. You run 'kubectl logs pod-name' and see: 'Error: failed to start container: exec: "/app": stat /app: no such file or directory'. What is the most likely cause?
234. Which TWO of the following are recommended CIS Kubernetes Benchmark controls for securing the kube-apiserver?
235. Which TWO of the following are valid arguments for etcd encryption at rest?
236. Which THREE of the following are recommended practices for securing Kubernetes Dashboard?
237. Which TWO of the following flags are used to secure the kubelet?
238. Which THREE of the following are valid fields in an EncryptionConfiguration YAML to encrypt secrets at rest?
239. You are securing a cluster and want to ensure that service account tokens are not automatically mounted in pods that do not need them. Which THREE actions should you take?
The Cluster Setup and Hardening domain covers the key concepts tested in this area of the CKS exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKS domains — no account required.
The Courseiva CKS question bank contains 239 questions in the Cluster Setup and Hardening domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Cluster Setup and Hardening domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.