Courseiva

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Cluster Setup and Hardening

Practice CKS Cluster Setup and Hardening questions with full explanations on every answer.

All CKS Cluster Setup and Hardening questions (239)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

During a security audit, you discover that a container running as root inside a pod has been compromised. The pod uses the default service account. Which two measures should you implement to harden the cluster? (Select TWO)

2

A cluster uses Kubernetes v1.24 with Pod Security Admission enabled. The cluster administrator wants to enforce that all pods in the 'production' namespace run with the 'restricted' policy level, but some existing deployments use privileged containers. Which approach ensures that only new pods violating the policy are rejected, while existing pods continue to run?

3

A security engineer needs to ensure that all communication between nodes and the control plane is encrypted. Which component must be configured with a TLS certificate to achieve this?

4

After a security incident, you need to restrict which pods can communicate with each other in the 'finance' namespace. You want to allow only pods with label 'app: api' to connect to pods with label 'app: db' on TCP port 5432, and deny all other traffic. Which NetworkPolicy should you create?

5

A cluster has been configured with the NodeRestriction admission plugin. A developer tries to create a pod that uses a hostPath volume pointing to /var/log. The pod's nodeSelector is set to 'kubernetes.io/hostname: worker-1'. Which statement is true?

6

Which THREE of the following are valid methods to secure etcd in a Kubernetes cluster? (Select THREE)

7

Which TWO of the following are recommended practices for securing the Kubernetes API server? (Select TWO)

8

A security team wants to ensure that only approved container images can run in their production cluster. Which admission controller should be configured in the kube-apiserver to enforce this policy?

9

An administrator discovers that a container has been running with root privileges despite a PodSecurityPolicy that should prevent it. What is the most likely cause?

10

A DevOps engineer needs to restrict the outbound network traffic from pods running in namespace 'secure-ns'. Which NetworkPolicy configuration achieves this by default?

11

Which TWO of the following are valid methods to secure the etcd datastore in a Kubernetes cluster?

12

You are a security engineer for a financial services company running a Kubernetes cluster on-premises. The cluster uses kubeadm for bootstrapping and Calico for network policy. Recently, a compliance audit revealed that all nodes in the cluster have the kubelet port 10250 open to the public network, allowing unauthenticated access to the kubelet API. This poses a severe security risk. The cluster has 10 worker nodes and 3 control plane nodes. You need to remediate this without disrupting running workloads. The nodes are behind a corporate firewall, but the internal network is considered untrusted. You have access to the node's iptables and can modify configuration files. Which course of action best secures the kubelet port while maintaining cluster functionality?

13

A security engineer is configuring a Kubernetes cluster to meet CIS benchmark recommendations. The cluster uses kubeadm for bootstrapping. Which action should be taken to ensure the kube-apiserver is hardened against unauthorized access?

14

A Kubernetes cluster is experiencing issues where pods cannot pull images from a private container registry. The registry requires authentication via imagePullSecrets. The cluster has a pod running with the following spec snippet. What is the likely cause of the failure?

15

A DevOps team is tasked with upgrading a Kubernetes cluster from version 1.21 to 1.22. They want to minimize downtime and follow best practices. Which approach should they take?

16

Which TWO actions should be taken to secure etcd in a Kubernetes cluster?

17

Arrange the steps to create and enforce a Pod Security Policy (PSP) in a Kubernetes cluster.

18

Order the steps to perform a Kubernetes cluster upgrade from version 1.24 to 1.25.

19

Match each Kubernetes security component to its description.

20

Match each container security context setting to its effect.

21

Which flag must be set on the kube-apiserver to disable anonymous authentication?

22

A security auditor runs kube-bench and reports that the kubelet is not configured with --protect-kernel-defaults. What is the impact of this misconfiguration?

23

You need to enable encryption at rest for secrets in an existing cluster. Which resource should you create?

24

An administrator applies the following manifest to enable audit logging:

    apiVersion: audit.k8s.io/v1
    kind: Policy
    metadata:
      name: audit-policy
    rules:
    - level: Metadata
      resources:
      - group: ""
        resources: ["secrets"]

Which audit level is being used for requests to the Secrets API?

25

Which admission plugin should be enabled to prevent kubelets from modifying Node objects they should not have access to?

26

What is the purpose of the --audit-policy-file flag on the kube-apiserver?

27

A cluster administrator wants to ensure that a specific service account (my-sa) cannot have its token mounted automatically in pods. Which annotation should be set on the service account?

28

You run 'kubectl auth can-i --list --as=system:serviceaccount:kube-system:my-sa' and see that my-sa has cluster-admin access. What is the BEST way to reduce privileges?

29

Which of the following is a recommended setting from the CIS Kubernetes Benchmark for the kubelet?

30

An administrator wants to secure etcd communication. Which of the following is required?

31

After running kube-bench, you see a failing check: '1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive'. What is the remediation?

32

Which etcd encryption provider is considered strongest for encrypting secrets at rest?

33

Which TWO admission plugins should be enabled to improve cluster security according to CIS benchmarks? (Choose two.)

34

Which THREE of the following are recommended actions to secure the Kubernetes Dashboard? (Choose three.)

35

Which TWO of the following are valid methods to restrict etcd access? (Choose two.)

36

Which kubectl command can be used to check the CIS benchmark compliance of a Kubernetes cluster?

37

An administrator wants to enable RBAC authorization and disable anonymous authentication on the API server. Which set of flags should be added to the kube-apiserver configuration?

38

During a security audit, you run kube-bench and find that the API server audit logging is not enabled. Which set of flags should be added to the kube-apiserver to enable audit logging with a policy file located at /etc/kubernetes/audit-policy.yaml?

39

You need to enable encryption at rest for secrets in the cluster. Which resource should you create to configure encryption providers?

40

An administrator runs 'kubectl describe nodes' and notices that the node status shows 'Ready,SchedulingDisabled'. What is the most likely cause?

41

Which kubelet flag should be set to ensure the kubelet does not allow anonymous requests?

42

You are creating a ServiceAccount that should not automatically mount its token to pods. Which field should be set in the ServiceAccount manifest?

43

An administrator wants to restrict which nodes a pod can be scheduled on using the NodeRestriction admission plugin. Which flag must be set on the kube-apiserver to enable this plugin?

44

What is the purpose of the Kubernetes Dashboard?

45

Which admission plugin is recommended by the CIS Kubernetes Benchmark to restrict the kubelet's ability to modify nodes?

46

You need to encrypt etcd data at rest using AES-CBC. Which encryption provider should you specify in the EncryptionConfiguration?

47

You are auditing RBAC and find a ClusterRoleBinding that grants cluster-admin to a service account. Which command should you run to list all ClusterRoleBindings in the cluster?

48

Which etcd security measure should be implemented to ensure only authorized clients can access the etcd cluster?

49

An administrator runs 'kubectl get pods' and sees that a pod is in 'Pending' state. What is the most likely reason for this state?

50

You want to ensure that a pod only runs on nodes that have a specific label, 'disktype=ssd'. Which field should be specified in the pod spec?

51

Which TWO of the following are recommended practices for securing the Kubernetes Dashboard? (Select TWO)

52

Which TWO kubelet flags are recommended by the CIS Kubernetes Benchmark to enhance security? (Select TWO)

53

Which THREE of the following are valid ways to secure etcd in a Kubernetes cluster? (Select THREE)

54

Which TWO of the following are recommended settings for the Kubernetes API server according to the CIS Kubernetes Benchmark? (Select TWO)

55

Which THREE of the following are best practices for RBAC hardening in Kubernetes? (Select THREE)

56

Which flag disables anonymous authentication on the API server?

57

An administrator runs 'kube-bench run --targets=master' and sees a failing check for 'Ensure that the --audit-log-path argument is set'. What is the correct remediation?

58

A security audit reveals that etcd does not encrypt data at rest. Which resource must be created to enable encryption?

59

A ClusterRoleBinding named 'admin-binding' binds the cluster-admin ClusterRole to a service account 'sa-admin' in namespace 'ns1'. What is the security concern?

60

Which kubectl command creates a Role named 'pod-reader' that allows only 'get', 'list', and 'watch' on pods in namespace 'ns1'?

61

Which admission plugin is recommended by the CIS Benchmark to restrict what nodes can modify?

62

An administrator wants to prevent the kubelet from serving anonymous requests. Which flag should be set on the kubelet?

63

A pod in namespace 'ns1' has automountServiceAccountToken: false. However, the container still has a mounted service account token at /var/run/secrets/kubernetes.io/serviceaccount. What is the most likely cause?

64

Which flag must be set on the API server to enable audit logging?

65

What is the purpose of the CIS Kubernetes Benchmark?

66

An administrator runs 'kubectl auth can-i --list --as=system:serviceaccount:ns1:my-sa' and sees that the service account has 'create pods' permission via a RoleBinding. Which command can be used to delete that RoleBinding?

67

A security scanner reports that the Kubernetes dashboard is publicly accessible. Which recommended action should be taken?

68

Which flag is used to restrict the kubelet's ability to modify node status and pods?

69

What is the recommended way to provide TLS certificates to the API server?

70

Which command can be used to check if the API server has anonymous authentication enabled?

71

Which TWO actions are recommended by the CIS Kubernetes Benchmark for securing etcd?

72

Which THREE flags should be set on the kubelet to comply with the CIS Benchmark for worker node security?

73

Which TWO resources can be used to implement RBAC in Kubernetes?

74

Which TWO checks are performed by kube-bench for the master node?

75

Which THREE are valid ways to restrict access to the Kubernetes API server?

76

Which flag should be set on the kube-apiserver to disable anonymous authentication?

77

An administrator runs kube-bench and receives a failing result for CIS control 1.1.1. What does this control typically check?

78

A security policy requires that all communication to etcd be encrypted. Which two components must be configured with TLS certificates to achieve this? (Select two)

79

Which TWO of the following are recommended practices for securing the Kubernetes dashboard?

80

Which kube-apiserver flag enables encryption at rest for secrets?

81

A security audit reveals that a ServiceAccount named 'monitor' has a ClusterRoleBinding to the cluster-admin role. What is the best remediation?

82

Which kubelet flag prevents the kubelet from serving anonymous requests?

83

Which THREE of the following are valid encryption providers that can be used in EncryptionConfiguration for encryption at rest?

84

Which kube-apiserver flag enables audit logging?

85

A cluster administrator wants to ensure that pods cannot modify node objects. Which admission plugin should be enabled?

86

You need to run kube-bench on a control plane node. Which command should you use?

87

A security policy requires that all ServiceAccounts in a namespace do not automatically mount their tokens. How can this be achieved at the namespace level?

88

Which TWO admission plugins are recommended to be enabled for security hardening?

89

What is the default authorization mode for a new Kubernetes cluster?

90

You run 'kubectl auth can-i --list --as=admin' and see that the admin user has full cluster-admin access. Which command would create a ClusterRoleBinding for a user named 'viewer' with read-only access to all resources?

91

Which kubectl command will disable anonymous authentication on a kube-apiserver?

92

You have a requirement to encrypt secrets at rest in etcd. Which resource and apiVersion should be used?

93

A security auditor runs kube-bench on your cluster and reports that the apiserver is using default service account tokens. Which admission plugin should be enabled to address this?

94

You need to create a ClusterRole that allows listing secrets, but only in namespaces that have a specific label 'security-level=high'. Which approach should you use?

95

You run 'kube-bench' and see a failure: '1.2.7 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate'. What is the impact of this misconfiguration?

96

Which flag on the kubelet disables anonymous access?

97

You are asked to ensure that a specific Kubernetes dashboard (e.g., kubernetes-dashboard) is not publicly accessible. The dashboard is deployed in the 'kube-system' namespace. Which NetworkPolicy should you apply?

98

You need to audit all API requests to the cluster. Which set of apiserver flags should be configured?

99

Which RBAC resource should be used to grant cluster-wide permissions to a user?

100

A service account 'monitor' needs to list pods in all namespaces. Which minimal RBAC configuration should you use?

101

You are auditing RBAC and find a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to the service account 'default' in namespace 'kube-system'. What is the risk?

102

You want to ensure that kubelets only serve pods that have been scheduled by the API server. Which admission plugin should be enabled?

103

Which TWO of the following are recommendations from the CIS Kubernetes Benchmark?

104

Which THREE of the following are valid methods to secure etcd?

105

Which TWO of the following are best practices for hardening Kubernetes Dashboard?

106

An administrator runs `kube-bench` on a Kubernetes node and receives a warning that the kubelet is configured with `--anonymous-auth=true`. Which kubectl command should be used to fix this on the kubelet?

107

You are tasked with enabling audit logging for the Kubernetes API server. Which API server flag must be used to specify the audit log file path?

108

A security scan reports that the etcd cluster does not encrypt data at rest. The cluster uses aescbc encryption. Which resource type should be created to configure encryption at rest?

109

Which admission plugin should be enabled on the kubelet to ensure it only registers nodes and sets labels as allowed by the Node REST API?

110

An administrator wants to ensure that a service account used by a deployment cannot automatically mount its token. Which field should be set to `false` in the Pod spec?

111

You need to create an RBAC role that allows reading secrets only in namespace 'production'. Which ClusterRole and RoleBinding combination is correct?

112

Which of the following flags should be set to `false` to disable anonymous authentication to the Kubernetes API server?

113

A pod runs with a service account that has a ClusterRoleBinding granting cluster-admin. What is the best practice to reduce the risk of privilege escalation?

114

You are securing etcd. Which of the following is required to enable TLS client authentication for etcd?

115

The Kubernetes Dashboard is deployed in the cluster. To secure it, which of the following is a recommended practice?

116

Which flag enables the NodeRestriction admission plugin on the API server?

117

An administrator runs `kube-bench` and sees that the check 'Ensure that the --protect-kernel-defaults flag is set to true' has failed. Which component does this check apply to?

118

Which two of the following are recommended by the CIS Kubernetes Benchmark? (Choose two.)

119

Which three of the following are valid methods to restrict access to etcd? (Choose three.)

120

Which two of the following are correct ways to enforce least privilege for service accounts? (Choose two.)

121

Which kubectl command checks the CIS Benchmark compliance of a cluster node using the kube-bench tool?

122

An administrator wants to disable anonymous authentication to the Kubernetes API server. Which flag should be added to the kube-apiserver configuration?

123

Which admission plugin should be enabled to ensure that kubelet only serves pods bound to its node and prevents unauthorized node access?

124

You have enabled etcd encryption at rest using an EncryptionConfiguration with aescbc provider. After applying the configuration, you create a new Secret. Which of the following is true regarding the encrypted Secret?

125

What is the purpose of the --audit-log-path flag on the kube-apiserver?

126

An administrator runs 'kubectl get clusterrolebindings' and notices a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to a service account in the 'default' namespace. What security concern does this raise?

127

Which flag must be set on the kubelet to prevent it from using the default namespace for pods and to enforce that pods only use namespaces that match the node's assigned namespace?

128

A security auditor recommends enabling audit logging for the Kubernetes API server with a policy that logs all requests at the Metadata level. Which configuration ensures this requirement?

129

Which of the following is a valid method to disable automatic mounting of service account tokens for a pod?

130

An administrator wants to secure etcd communication. Which of the following is required to enable TLS for client-to-etcd communication?

131

A ClusterRole named 'secret-reader' is defined with rules to get, list, and watch secrets. A RoleBinding in namespace 'app' binds this ClusterRole to a service account. Which of the following best describes the permissions of the service account?

132

Which of the following is a recommended practice when securing the Kubernetes Dashboard?

133

Which TWO of the following are CIS Benchmark recommendations for securing the Kubernetes API server? (Select TWO)

134

Which THREE of the following are valid methods to restrict access to etcd in a Kubernetes cluster? (Select THREE)

135

Which TWO of the following are recommended actions to harden service account security in a Kubernetes cluster? (Select TWO)

136

Which flag should you set on the kube-apiserver to disable anonymous authentication?

137

An administrator runs 'kube-bench master' and receives a warning that etcd has no client certificate authentication. What is the recommended remediation?

138

You are configuring kubelet security. Which flag prevents containers from modifying kernel parameters?

139

Which admission plugin should be enabled on the kube-apiserver to enforce that kubelets cannot modify nodes they are not assigned to?

140

An administrator creates an EncryptionConfiguration with aescbc and saves it to /etc/kubernetes/enc/enc.yaml. Which flag must be added to the kube-apiserver to enable encryption at rest?

141

To disable service account token automount for a pod, which field should be set to false in the pod spec?

142

You want to ensure that the Kubernetes Dashboard is accessed only by authenticated users with specific permissions. What is the BEST approach?

143

Which kubectl command can be used to view the audit log policy currently in use by the API server?

144

A security scan reports that the etcd data directory is not encrypted at rest. The cluster uses etcd v3.5. Which steps are required to enable encryption?

145

Which of the following is a recommended CIS benchmark setting for the kubelet?

146

A developer created a ClusterRoleBinding that grants cluster-admin to a service account. What is the security concern?

147

Which command would you run to check if anonymous authentication is enabled on the API server?

148

Which TWO of the following are recommended practices for etcd security?

149

Which THREE of the following are valid flags for enabling admission plugins on the API server?

150

Which TWO actions are part of the CIS Kubernetes Benchmark recommendations?

151

Which flag must be set on the kube-apiserver to disable anonymous authentication?

152

You run 'kube-bench' on a cluster node and get a failure for the test 'Ensure that the --anonymous-auth argument is set to false' (ID: 1.2.1). Which file do you need to modify to fix this issue?

153

An administrator wants to enable encryption at rest for secrets in a Kubernetes cluster. They create the following EncryptionConfiguration and place it at /etc/kubernetes/enc/enc.yaml. Which flag must be added to the kube-apiserver to use this configuration?

154

You need to ensure that the kubelet only serves authenticated and authorized requests. Which flag(s) should be set on the kubelet?

155

Which admission plugin should be enabled to prevent kubelets from modifying nodes or pods they do not own?

156

You are reviewing RBAC permissions and notice a ClusterRoleBinding that binds the cluster-admin role to a service account in the 'monitoring' namespace. What is the best practice recommendation?

157

An etcd cluster uses TLS for peer and client communication. You need to secure etcd further by enabling RBAC. Which flag do you set on the etcd process to enable authentication?

158

To enforce Pod Security Standards at the namespace level, which admission plugin must be enabled on the API server?

159

What is the purpose of the 'automountServiceAccountToken: false' setting in a Pod spec?

160

You deploy the Kubernetes Dashboard using the official YAML manifests. Which of the following is the MOST secure approach to expose the Dashboard?

161

You need to enable audit logging for the Kubernetes API server. Which three flags must be set?

162

You are configuring etcd encryption at rest. After placing the EncryptionConfiguration YAML file, you must modify which file to point the API server to it?

163

Which TWO of the following are recommended practices according to the CIS Kubernetes Benchmark? (Select 2)

164

Which THREE of the following are valid ways to restrict access to etcd? (Select 3)

165

Which TWO admission plugins should be enabled to improve cluster security according to the CIS Benchmark? (Select 2)

166

Which kubectl command runs kube-bench against a Kubernetes cluster?

167

An administrator runs kube-bench on a node and sees a warning about the kubelet anonymous authentication being enabled. Which kubelet flag should be set to disable anonymous access?

168

A security team wants to ensure that all API requests to the cluster are authenticated and that RBAC is used for authorization. Which two flags must be set on the kube-apiserver?

169

A pod running in the cluster is in a CrashLoopBackOff state. You run 'kubectl describe pod <pod>' and see the following event: 'Warning BackOff Back-off restarting failed container'. Which command would you run to see the standard error output of the container?

170

An administrator wants to enable audit logging for the Kubernetes API server. Which of the following is required?

171

After setting up etcd encryption at rest using EncryptionConfiguration with aescbc, which resource stores the encryption key?

172

Which of the following is a CIS benchmark recommendation for securing the Kubernetes API server?

173

A security audit reveals that a service account in the 'default' namespace has been granted cluster-admin privileges via a ClusterRoleBinding. What is the best mitigation?

174

Which admission plugin should be enabled on the kube-apiserver to restrict kubelet permissions and prevent nodes from modifying their own Node objects?

175

Which flag on the kubelet helps ensure it runs securely by enforcing kernel defaults?

176

A pod is failing with status 'CrashLoopBackOff'. The pod manifest includes a liveness probe that runs every 10 seconds. You suspect the probe is causing the crash. Which command would you use to verify the liveness probe configuration?

177

Which of the following YAML snippets correctly configures a ServiceAccount with automountServiceAccountToken set to false?

178

Which TWO of the following are recommended CIS benchmark practices for securing etcd? (Choose two.)

179

Which TWO admission plugins are recommended by the CIS benchmark to be enabled on the kube-apiserver? (Choose two.)

180

Which THREE of the following are valid methods to restrict access to the Kubernetes Dashboard? (Choose three.)

181

Which kubectl flag disables anonymous authentication on the API server?

182

You run kube-bench on a node and it reports a failure for 'Ensure that the --anonymous-auth argument is set to false' for the kubelet service. Which file must you modify to fix this?

183

Which admission plugin enforces that kubelets cannot modify pods they do not own?

184

You are tasked with enabling audit logging for the Kubernetes API server. You have created an audit policy file at /etc/kubernetes/audit-policy.yaml. Which flag must be added to the API server manifest to enable audit logging?

185

An etcd cluster uses TLS for peer and client communication. Which command correctly tests connectivity to an etcd member with client certificate authentication?

186

A security audit reveals that a service account 'monitor' is bound to the cluster-admin ClusterRole, which violates least-privilege. What is the best remediation?

187

Which of the following is a recommended CIS Benchmark control for etcd?

188

You need to encrypt Kubernetes secrets at rest using aescbc. Which YAML snippet defines the EncryptionConfiguration correctly?

189

An administrator runs kubectl get clusterrolebindings and sees a binding named 'system:node'. This binding is part of the legacy node authorization. According to CIS benchmarks, what should be done with it?

190

You are configuring kubelet to protect kernel defaults. Which flag enables this?

191

A cluster's API server is configured with --authorization-mode=RBAC,Node. A kubelet attempts to create a ConfigMap. Which authorizer will evaluate the request?

192

Which admission plugin should be used to enforce Pod Security Standards at the namespace level?

193

Which TWO of the following are CIS Benchmark recommendations for securing the API server?

194

Which TWO actions would help secure the Kubernetes Dashboard?

195

Which THREE of the following are valid methods to disable automount of service account tokens for a pod?

196

Which flag disables anonymous authentication on the Kubernetes API server?

197

An administrator runs kube-bench on a cluster node and receives failures for CIS benchmark checks related to kubelet configuration. Which kubelet flag should be set to ensure that kernel defaults are not used when they might be insecure?

198

A security audit reveals that the etcd datastore is not encrypted at rest. Which resource should be created to enable encryption of secrets at rest?

199

You are tasked with securing a Kubernetes cluster. You want to ensure that the kubelet only serves APIs that are explicitly allowed and that it does not allow anonymous requests. Which kubelet configuration flags should you set?

200

Which admission plugin should be enabled on the API server to ensure that the kubelet cannot modify its own Node object beyond its assigned node?

201

An administrator wants to enable audit logging on the API server. Which three flags are required to set up basic audit logging?

202

A developer creates a pod with the following YAML:

    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
    spec:
      serviceAccountName: default
      automountServiceAccountToken: true
      containers:
      - name: app
        image: nginx

What is the security concern with this configuration?

203

You need to restrict access to etcd so that only the API server can communicate with it. Which method should you use?

204

Which kubectl command can be used to determine if anonymous authentication is enabled on the API server?

205

An administrator wants to ensure that no service account in the 'development' namespace has cluster-admin privileges. Which command should be used to identify such bindings?

206

What is the purpose of the --authorization-mode=RBAC flag on the API server?

207

A cluster has been hardened by setting --anonymous-auth=false and enabling RBAC. However, kube-bench still reports a failure for the kubelet check 'Ensure that the --anonymous-auth argument is set to false'. What could be the reason?

208

Which TWO actions are recommended by the CIS Kubernetes Benchmark to secure the API server?

209

Which THREE options are valid methods to secure etcd in a Kubernetes cluster?

210

Which TWO practices help secure the Kubernetes Dashboard?

211

Which of the following flags should be set on the kube-apiserver to disable anonymous authentication?

212

An administrator wants to restrict a service account to only be able to create pods in the 'development' namespace. Which RBAC configuration should be used?

213

You run kube-bench on a node and it reports a failure for control plane component etcd. The check says 'Ensure that the --cert-file and --key-file arguments are set as appropriate'. You examine the etcd manifest file and find that the cert-file and key-file are configured with a self-signed certificate. What is the BEST action to remediate this finding?

214

A security audit reveals that several pods have the service account token mounted automatically. Which annotation should be added to the pod's service account to prevent automatic mounting?

215

Which of the following is the correct flag to enable audit logging on the kube-apiserver?

216

A cluster administrator wants to encrypt secrets at rest in etcd. Which resource must be created to configure encryption?

217

You are tasked with securing the kubelet. Which flag must be set on the kubelet to enable the NodeRestriction admission plugin?

218

Which of the following is a recommended practice for securing Kubernetes Dashboard?

219

An admin runs 'kubectl auth reconcile -f rbac.yaml' and gets an error that the user does not have permission to create ClusterRoleBindings. What is the most likely cause?

220

To protect kernel defaults on a node, which flag should be set on the kubelet?

221

A ClusterRoleBinding grants cluster-admin to a service account in the 'kube-system' namespace. What is the best way to audit this for least privilege?

222

Which of the following is a correct method to enable encryption at rest for secrets in etcd using the EncryptionConfiguration?

223

Which TWO of the following are recommended settings from the CIS Kubernetes Benchmark for the kube-apiserver? (Select 2)

224

Which TWO of the following are valid ways to restrict access to etcd? (Select 2)

225

Which THREE of the following are recommended practices for hardening RBAC in a Kubernetes cluster? (Select 3)

226

Which flag must be set on the kube-apiserver to disable anonymous authentication?

227

A security auditor runs kube-bench on a Kubernetes node and reports that the check '1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive' fails. What is the most appropriate remediation?

228

You need to enable audit logging for the Kubernetes API server. Which two flags must be set?

229

An etcd cluster is configured with TLS. You need to enforce that only the API server can read and write to etcd. Which method should you use?

230

You want to ensure that kubelet does not allow anonymous requests. Which flag must be set on the kubelet?

231

Which admission plugin should be enabled on the API server to enforce that kubelet cannot modify nodes other than its own?

232

You are auditing RBAC and find a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to a service account in the 'default' namespace. What is the security concern?

233

A pod is in a CrashLoopBackOff state. You run 'kubectl logs pod-name' and see: 'Error: failed to start container: exec: "/app": stat /app: no such file or directory'. What is the most likely cause?

234

Which TWO of the following are recommended CIS Kubernetes Benchmark controls for securing the kube-apiserver?

235

Which TWO of the following are valid arguments for etcd encryption at rest?

236

Which THREE of the following are recommended practices for securing Kubernetes Dashboard?

237

Which TWO of the following flags are used to secure the kubelet?

238

Which THREE of the following are valid fields in an EncryptionConfiguration YAML to encrypt secrets at rest?

239

You are securing a cluster and want to ensure that service account tokens are not automatically mounted in pods that do not need them. Which THREE actions should you take?

Practice all 239 Cluster Setup and Hardening questions


Frequently asked questions

What does the Cluster Setup and Hardening domain cover on the CKS exam?

The Cluster Setup and Hardening domain covers the key concepts tested in this area of the CKS exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKS domains — no account required.

How many Cluster Setup and Hardening questions are in the CKS question bank?

The Courseiva CKS question bank contains 239 questions in the Cluster Setup and Hardening domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Cluster Setup and Hardening for CKS?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Cluster Setup and Hardening questions for CKS?

Yes — the session launcher on this page draws questions exclusively from the Cluster Setup and Hardening domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
