Practice CKS Minimize Microservice Vulnerabilities questions with full explanations on every answer.
1. A microservice running as a Deployment in a Kubernetes cluster needs to authenticate to a third-party API using a static API key. Which is the most secure way to store and inject this secret into the container?
2. During a security audit, a team discovers that their microservice application, deployed on Kubernetes, is vulnerable to container breakout attacks. The containers run as root and have many Linux capabilities. Which set of Pod Security Standards (PSS) enforcement modes and policies would best mitigate this risk?
3. A DevOps engineer wants to ensure that all microservice containers run with a read-only root filesystem to prevent unauthorized writes. What is the simplest way to enforce this at the Pod level?
4. A security scanner reports that a microservice container image contains a critical vulnerability (CVE-2024-1234) in a system library. The team cannot immediately rebuild the image. What is the most effective temporary mitigation at the Kubernetes level?
5. A microservice container needs to perform DNS lookups using TCP rather than UDP. Which Kubernetes security context setting should be configured to allow this?
6. Which TWO of the following are effective measures to minimize the impact of a compromised microservice container in a Kubernetes cluster? (Choose two.)
7. Which THREE of the following practices help protect microservice applications against supply chain attacks? (Choose three.)
8. Given the following PodSecurityPolicy (PSP) snippet, which statement about the allowed containers is correct?
9. A security engineer runs the following command to inspect a container's security context. What vulnerability does this configuration expose?
10. A DevOps team deploys a microservice that needs to access a third-party API using credentials stored in a Kubernetes Secret. The team wants to minimize the risk of credential exposure. Which approach best achieves this goal while following security best practices?
11. You are asked to secure a set of microservices running in a Kubernetes cluster. Which TWO of the following practices help minimize vulnerabilities in microservices?
12. You are a platform engineer at a financial services company. The production cluster runs a set of microservices that handle sensitive customer data. The cluster has been configured with Pod Security Standards (PSS) enforced via OPA/Gatekeeper. Recently, the security team identified that a new deployment of the `payment-processing` microservice is running with the `seccomp` profile set to `Unconfined`. This violates the company policy that requires all containers to use a runtime default seccomp profile. The deployment YAML does not explicitly set any security context for seccomp. The cluster's nodes are running containerd 1.6 with default seccomp profile enabled. The OPA constraint template checks that `securityContext.seccompProfile.type` is set to `RuntimeDefault` or `Localhost`. However, the deployment passes the OPA validation. What is the most likely reason the deployment is not being rejected by OPA, and how should you fix it?
13. Which TWO of the following are best practices for minimizing microservice vulnerabilities in a Kubernetes cluster?
14. You are a Kubernetes administrator for a fintech company that runs a payment processing service in a production cluster. The service consists of multiple microservices that communicate over the network. Recently, a security audit revealed that a compromised pod could potentially send malicious requests to other services because there are no network restrictions between pods. The security team has mandated that all inter-service traffic must be encrypted and authenticated, and that only necessary traffic should be allowed. You need to implement a solution that meets these requirements with minimal changes to the application code and minimal operational overhead. Which approach should you take?
15. Order the steps to configure and apply a NetworkPolicy to restrict pod-to-pod traffic.
16. Arrange the steps to configure and use Trivy to scan container images for vulnerabilities in a CI/CD pipeline.
17. Match each Kubernetes object or feature to its primary security purpose.
18. Match each Kubernetes network security concept to its definition.
19. Which of the following OPA Gatekeeper Rego policies would deny a pod that sets `securityContext.runAsUser: 0`?
20. A developer wants to ensure that all containers in a pod run with a read-only root filesystem except for a specific volume mounted for writing logs. Which container-level security context field should be set to true?
21. Which Istio resource is used to enforce mutual TLS (mTLS) for all services in a namespace, ensuring that traffic between services is encrypted?
22. Which kubectl command would you use to create a ValidatingWebhookConfiguration from a YAML file?
23. A cluster administrator has configured EncryptionConfiguration to encrypt secrets at rest using a local key. After applying the configuration, the administrator creates a new secret. How can they verify that the secret is encrypted at rest?
24. A pod is using a RuntimeClass that specifies gVisor (runsc). Which of the following scenarios is most likely to cause the pod to fail?
25. Which of the following is the best practice for providing sensitive data like passwords to a pod?
26. Which Kubernetes admission controller is responsible for mutating and validating pod requests based on policies defined by OPA Gatekeeper?
27. A cluster administrator wants to ensure that all pods in a namespace run with the `seccomp` profile set to `RuntimeDefault`. Which OPA Gatekeeper ConstraintTemplate would achieve this?
28. A pod fails to start with the error 'Container runtime network not ready', and the node uses Kata Containers (RuntimeClass: kata). What is the most likely cause?
29. Which of the following is the correct way to drop all capabilities in a container's security context?
30. What is the purpose of the `allowPrivilegeEscalation: false` setting in a container's security context?
31. Which TWO of the following are valid ways to securely manage secrets in Kubernetes? (Choose two.)
32. Which THREE of the following are best practices for securing a Kubernetes cluster using OPA Gatekeeper? (Choose three.)
33. Which TWO of the following are valid Kubernetes RuntimeClass handlers for container sandboxing? (Choose two.)
34. You are deploying a microservice that must run as a non-root user and have a read-only root filesystem. Which two fields must be set in the PodSecurityContext or container SecurityContext?
35. You are implementing a Gatekeeper policy to deny pods that run as root. Which Rego rule should you include in the ConstraintTemplate?
36. A security engineer wants to encrypt secrets at rest in an existing Kubernetes cluster. The cluster is already running with the default encryption configuration. After creating an EncryptionConfiguration resource and updating the kube-apiserver manifest, which command should be used to ensure the new configuration is applied without restarting the API server?
37. In the context of service mesh (e.g., Istio), which resource is used to enforce mutual TLS (mTLS) between services in a specific namespace?
38. You need to run a container with a sandboxed runtime using gVisor (runsc). Which Kubernetes resource must be created first to enable this?
39. A pod is failing with 'CrashLoopBackOff'. The pod's securityContext includes 'allowPrivilegeEscalation: false'. The container image is built with a default user of root and attempts to change capabilities. What is the most likely cause of the crash?
40. Which of the following is the best practice for injecting secrets into a pod?
41. You want to drop all Linux capabilities from a container. Which securityContext field should you set?
42. A ValidatingWebhookConfiguration is not working as expected. The webhook server is running and accessible. What is a common misconfiguration that would cause the webhook to not be called?
43. Which of the following is NOT a valid method to enforce pod security standards in a Kubernetes cluster?
44. To encrypt secrets at rest, which file must be modified on the control plane nodes?
45. You have an existing deployment that uses environment variables for secrets. Which kubectl command can be used to update the deployment to mount secrets as volumes without recreating the pods?
46. You need to ensure that all pods in a namespace can only communicate via mTLS. In Istio, which resource should you apply?
47. A Gatekeeper Constraint is not blocking pods that violate the policy. The constraint references a ConstraintTemplate that has been successfully created. What is the most likely cause?
48. Which container runtime is specifically designed for sandboxing containers with a lightweight kernel?
49. Which TWO of the following are valid ways to reduce the attack surface of a container? (Select TWO)
50. Which TWO of the following are valid arguments for the kubectl command to create a secret from a file? (Select TWO)
51. Which THREE of the following are valid approaches to enforce that all pods in a cluster run with a read-only root filesystem? (Select THREE)
52. An administrator needs to enforce that all pods in a namespace run with a read-only root filesystem. Which Pod Security Standard should be applied?
53. A developer creates a Deployment with the following container spec:

```yaml
containers:
- name: app
  image: myapp:latest
  env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: password
```

Which of the following is a security concern with this approach?
54. An administrator wants to use OPA Gatekeeper to enforce that all pods have a resource limits section defined. Which of the following is the correct combination to implement this policy?
55. A security engineer wants to enable mutual TLS (mTLS) between services in an Istio service mesh. Which Istio resource should be used to define the mTLS mode for the entire mesh?
56. Which kubectl command creates a secret named 'mysecret' from a file called 'credentials.json'?
57. A pod is configured with the following security context:

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```

The volume mounted at /data is owned by user 1000 and group 2000. The container process inside the pod writes to /data. Which statement about file ownership is true?
58. An administrator needs to encrypt secrets at rest in etcd. Which of the following steps is required?
59. Which of the following is a valid way to drop all capabilities from a container?
60. An administrator wants to use gVisor to sandbox containers in a Kubernetes cluster. Which resource must be created to enable this?
61. A pod is running with the following security context:

```yaml
securityContext:
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
```

The pod is in a CrashLoopBackOff. The logs show: "exec user process caused: operation not permitted". What is the most likely cause?
62. Which of the following commands creates a ValidatingWebhookConfiguration that uses an OPA Gatekeeper webhook?
63. What is the primary purpose of using a service mesh like Istio for microservices security?
64. Which TWO of the following are valid Rego keywords used in OPA policies for Gatekeeper? (Select TWO)
65. Which THREE of the following are valid ways to manage secrets in a Kubernetes environment? (Select THREE)
66. Which TWO of the following are correct about container sandboxing technologies? (Select TWO)
67. You need to ensure that all containers in a pod run as non-root. Which security context field should you set to enforce this?
68. A security policy requires that all pods drop ALL Linux capabilities and disable privilege escalation. Which YAML snippet correctly implements this in the pod's security context?
69. You are using Open Policy Agent (OPA) Gatekeeper to enforce pod security. You want to create a constraint that denies pods unless they have readOnlyRootFilesystem set to true. Which Rego rule in a ConstraintTemplate correctly implements this?
70. A security best practice is to avoid storing secrets in environment variables. Which is a secure alternative for injecting secrets into a pod?
71. You want to enable mutual TLS (mTLS) between services in a namespace using Istio. Which custom resource should you configure to enforce STRICT mTLS for all workloads in the namespace?
72. You are configuring encryption at rest for Kubernetes secrets. After creating an EncryptionConfiguration with the aescbc provider, which additional step is required to enable encryption?
73. Which admission controller is responsible for validating and mutating requests based on webhooks?
74. You need to use gVisor as a container runtime for a set of workloads in the cluster. Which Kubernetes resource must be created to reference the runtime class?
75. You are deploying a ValidatingWebhookConfiguration. The webhook server is running in the 'webhook' namespace, service name 'svc', port 443. Which clientConfig should you specify?
76. A pod uses a Secret mounted as a volume. The Secret is updated. How can the pod consume the updated values without restarting?
77. You need to enforce that no pod runs with privileged containers or runs as root. Which tool can define policies that block such pods at admission time?
78. Which command can be used to view the current set of admission webhooks in the cluster?
79. Which TWO of the following are recommended practices for securing container images and runtime?
80. Which THREE of the following are characteristics of container sandboxing runtimes like gVisor and Kata Containers?
81. Which TWO of the following are valid approaches to manage secrets in a Kubernetes cluster?
82. You need to enforce that all pods in the 'production' namespace run with read-only root filesystems. Which OPA Gatekeeper resource do you create first?
83. A security auditor requires that all pods in a cluster must not run as root. Which Pod Security Standard (PSS) and enforcement mode should be applied at the namespace level?
84. You have deployed a service mesh with Istio and want to enforce mutual TLS (mTLS) for all traffic between services in the 'mesh' namespace. Which resource should you create?
85. You need to encrypt secrets at rest in a Kubernetes cluster. What must be configured?
86. Which of the following is a best practice for storing sensitive data like passwords in Kubernetes?
87. You want to run a container with gVisor for sandboxing. After installing gVisor and creating a RuntimeClass named 'gvisor', which Pod configuration enables it?
88. Which command creates a ResourceQuota in the 'team-a' namespace?
89. A pod fails to start with 'CrashLoopBackOff'. The pod's YAML includes securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: ['ALL'] } }. What is the likely cause?
90. You have created a ValidatingWebhookConfiguration to reject pods without resource limits. When you try to create a pod without limits, it is created successfully. What is the most likely reason?
91. You need to ensure that all pods in a namespace have the label 'security: high' added automatically upon creation. Which admission controller should you use?
92. Which flag enables the PodSecurity admission plugin in kube-apiserver?
93. You run 'kubectl auth can-i create pods --as=system:serviceaccount:default:sa1 -n default' and get 'no'. What does this mean?
94. Which TWO actions help minimize vulnerabilities in microservices by securing secrets? (Choose two)
95. Which THREE of the following are valid Rego policy constructs used in OPA Gatekeeper ConstraintTemplates to enforce security policies? (Choose three)
96. Which TWO container sandboxing technologies are supported in Kubernetes via RuntimeClass? (Choose two)
97. Which field must be set in a Pod's security context to prevent the container from running as the root user?
98. An administrator deploys a Gatekeeper ConstraintTemplate with the following Rego policy:

```rego
package k8srequiredlabels

deny[{"msg": msg}] {
  input.request.kind.kind == "Pod"
  not input.request.object.metadata.labels["security-tier"]
  msg := "Pod must have label 'security-tier'"
}
```

After creating the Constraint, a user creates a Pod without the 'security-tier' label. What is the expected behavior?
99. You are configuring an Istio service mesh for mTLS between services. Which resource defines the TLS mode for traffic between services in a namespace?
100. A cluster administrator wants to ensure that all Secrets are encrypted at rest using AES-CBC with a key managed by the local Kubernetes API server. Which configuration is required?
101. A security team wants to enforce that containers in a specific namespace cannot gain new capabilities. Which Pod security context field is used to achieve this?
102. Which command creates a validating webhook configuration that checks all pods in the cluster?
103. A developer asks you to run a container with the gVisor runtime. The cluster has a RuntimeClass named 'gvisor' defined. Which field must be added to the Pod spec to use gVisor?
104. A pod's container tries to read environment variables that contain database credentials. The cluster has an external secrets manager (HashiCorp Vault) integrated via a sidecar. Which approach is MOST secure for exposing secrets to the container?
105. An OPA Gatekeeper ConstraintTemplate uses a Rego rule that denies pods without a specific label. The Constraint is created but pods without the label are still being allowed. What is the MOST likely cause?
106. Which kubectl command lists all MutatingWebhookConfigurations in the cluster?
107. A cluster has an EncryptionConfiguration with the aescbc provider. After rotating the encryption key, what must be done to re-encrypt existing Secrets with the new key?
108. You need to drop all Linux capabilities from a container. Which YAML snippet is correct?
109. Which TWO of the following are valid ways to enforce that containers cannot run as root in a Kubernetes cluster? (Select TWO.)
110. Which THREE of the following are true about Istio PeerAuthentication? (Select THREE.)
111. Which TWO of the following are secure practices for managing secrets in Kubernetes? (Select TWO.)
112. A security admin wants to ensure that no container in a specific namespace runs as root. Which Gatekeeper ConstraintTemplate and Constraint configuration should be used?
113. Which of the following is the correct kubectl command to view the OPA Gatekeeper ConstraintTemplates in the cluster?
114. An admin wants to enforce that all pods in a namespace use a read-only root filesystem except for a specific deployment that needs to write to a temporary directory. Which approach best meets this requirement?
115. Which field in a Pod's securityContext prevents privilege escalation by the container?
116. A security admin wants to ensure all pods in a cluster drop ALL Linux capabilities. Which of the following YAML snippets should be added to a PodSecurityPolicy (assuming PSP is enabled) or a pod spec?
117. An admin has created an EncryptionConfiguration to encrypt secrets at rest in etcd. After applying the configuration and restarting the kube-apiserver, existing secrets are still stored in plaintext. What is the most likely reason?
118. Which of the following is a best practice for storing sensitive information like database passwords in Kubernetes?
119. What is the primary benefit of using external secret managers (e.g., HashiCorp Vault) in Kubernetes?
120. An administrator wants to enforce mutual TLS (mTLS) between all services in an Istio service mesh. Which resource should be configured?
121. A cluster administrator wants to run some workloads in a sandboxed environment using gVisor. Which Kubernetes resource must be created first to allow pods to request the gVisor runtime?
122. Which of the following is a characteristic of Kata Containers compared to gVisor?
123. An admin has deployed a ValidatingWebhookConfiguration that denies pods with `runAsNonRoot: false`. After creating a pod that does not set `runAsNonRoot` at all, the pod is created successfully. Why did the webhook not deny it?
124. Which TWO of the following are valid ways to enforce that containers run with a read-only root filesystem?
125. Which THREE of the following are required to configure encryption of secrets at rest in Kubernetes?
126. Which TWO of the following are best practices for securing secrets in Kubernetes?
127. You need to ensure that all pods in a cluster run with read-only root filesystems. Which Pod Security Standard (PSS) control field should be set to true?
128. An administrator wants to enforce a policy that all containers must drop ALL capabilities and not allow privilege escalation. Which YAML snippet correctly implements this requirement in a PodSecurityPolicy-like manner using a security context? (Note: PodSecurityPolicy is deprecated; consider using a ValidatingAdmissionPolicy or OPA/Gatekeeper, but for this question choose the correct security context fields.)
129. A security team wants to use OPA/Gatekeeper to enforce that all namespaces must have a label 'security-tier' with value 'high' or 'medium'. What is the correct approach?
130. You need to encrypt Kubernetes secrets at rest. Which resource should you configure?
131. A pod runs with a service mesh sidecar (Istio). The team wants to enforce mutual TLS (mTLS) for all traffic between services in the 'production' namespace. Which resource should be applied?
132. An admin runs 'kubectl run test-pod --image=busybox --command -- sleep 3600' and then executes 'kubectl exec test-pod -- cat /var/run/secrets/kubernetes.io/serviceaccount/token'. The admin wants to prevent such access to the service account token. What is the correct action?
133. Which command correctly creates a secret from a file named 'config.json'?
134. You want to run a container with the gVisor (runsc) runtime for sandboxing. Which resource is required to use a non-default runtime?
135. An OPA/Gatekeeper ConstraintTemplate is written to enforce that all Deployments have the label 'app.kubernetes.io/name'. However, the Constraint does not deny Deployments without the label. What is the most likely cause?
136. An administrator wants to prevent pods from using secrets as environment variables and enforce that secrets are only mounted as volumes. Which admission controller could be used to achieve this?
137. Which kubectl command creates a validating webhook configuration that calls an external HTTPS endpoint for pod validation?
138. You are using External Secrets Operator to sync secrets from HashiCorp Vault. The operator is deployed but secrets are not being created. Which resource defines the mapping between Vault secrets and Kubernetes secrets?
139. Which TWO of the following are valid methods to securely manage secrets in Kubernetes? (Select 2)
140. Which TWO of the following are valid Pod Security Context settings to harden a container? (Select 2)
141. Which THREE of the following are valid ways to enforce mTLS in an Istio service mesh? (Select 3)
142. Which field in a PodSecurityContext ensures that the container cannot gain privileges beyond its parent process?
143. You need to enforce that all containers in a namespace run with a read-only root filesystem. Which OPA Gatekeeper resource would you use to define the policy?
144. An administrator creates a Pod with the following securityContext:

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```

The container image has a binary that requires read/write access to /data, which is an emptyDir volume mounted by the Pod. The container fails to start with 'Permission denied' when writing to /data. What is the most likely cause?
145. You are deploying an application that needs to access a database password stored in a Kubernetes Secret. To minimize risk, you should mount the Secret as a volume rather than using environment variables. Which of the following is the primary security benefit of using mounted volumes over environment variables?
146. In an Istio service mesh, you want to enforce mutual TLS (mTLS) between services in a specific namespace. Which resource should you create to set the default mTLS mode to STRICT for all workloads in that namespace?
147. You have enabled encryption at rest for Kubernetes Secrets by configuring an EncryptionConfiguration object and restarting the API server. After the configuration, you create a new Secret. However, when you retrieve the Secret using 'kubectl get secret mysecret -o yaml', the 'data' field still shows base64-encoded plaintext. Is the Secret encrypted at rest?
148. You need to set up a ValidatingWebhookConfiguration to deny pods that run as root. The webhook server is deployed in the 'webhook' namespace with service 'webhook-svc' on port 443. Which of the following is a correct snippet for the webhook configuration?
149. You want to run a workload in a sandboxed container using gVisor. You have created a RuntimeClass named 'gvisor' that references the 'runsc' handler. Which of the following Pod specs correctly uses this RuntimeClass?
150. You are writing a Rego policy for OPA Gatekeeper to deny pods that do not have 'runAsNonRoot: true' set in their security context. The ConstraintTemplate expects an input parameter 'runAsNonRoot' that is a boolean. Which Rego rule correctly denies such pods?
151. You have a Pod that uses a ServiceAccount token mounted via a projected volume. You want to ensure that the token has an expiration time and that the pod is not using a long-lived token. What is the most secure way to mount the token?
152. You need to create a NetworkPolicy that denies all ingress traffic to pods with label 'app: web' in the 'frontend' namespace, except for traffic from pods with label 'app: ingress' in the 'ingress' namespace. Which NetworkPolicy spec correctly achieves this?
153. Which kubectl command would you use to create a Secret from a file named 'db-password.txt'?
154. Which TWO of the following are valid ways to enforce that a container runs as a non-root user?
155. Which THREE of the following are capabilities that should typically be dropped from a container to minimize vulnerabilities?
156. You want to use an external secret management system like HashiCorp Vault to manage database credentials for your application. Which of the following are valid approaches to integrate Vault with Kubernetes?
157. A security engineer needs to ensure that all containers in a cluster run as non-root users. Which Pod Security Context field should be set to enforce this requirement?
158. You are tasked with creating a ConstraintTemplate in OPA/Gatekeeper that denies pods running with the 'latest' image tag. Which Rego rule should the ConstraintTemplate include?
159. An administrator deploys a Pod with the following security context:

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
```

However, the Pod fails to start with an error: 'container has runAsNonRoot and image will run as root'. What is the most likely cause?
160. A security best practice is to avoid storing sensitive data in environment variables. Instead, secrets should be mounted as volumes. Which of the following YAML snippets correctly mounts a Kubernetes Secret named 'db-secret' as a volume at /etc/secrets?
161. An administrator wants to enforce mTLS between all services in the 'mesh' namespace using Istio. Which resource should be applied to require mutual TLS for all workloads in that namespace?
162. To encrypt secrets at rest in Kubernetes, an administrator configures an EncryptionConfiguration. What is the correct flag to pass to the kube-apiserver to use this configuration?
163. A cluster administrator wants to audit all pod creations and modifications using an admission webhook. Which resource type should be created to register the webhook?
164. Which of the following is a valid approach to enforce that containers cannot escalate privileges?
165. An administrator wants to use gVisor as the container runtime for specific high-security workloads. After installing gVisor, what Kubernetes resource must be created to allow pods to request gVisor?
166. A security engineer runs the following command to inspect a pod's security context:

```shell
kubectl get pod secure-pod -o jsonpath='{.spec.containers[0].securityContext.capabilities}'
```

The output is:

```json
{"drop":["ALL"]}
```

What does this indicate?
167. An OPA/Gatekeeper ConstraintTemplate is defined with the following Rego rule:

```rego
violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  container.securityContext.runAsNonRoot != true
  msg := "Container must run as non-root"
}
```

What happens when a pod is submitted with a container that has runAsNonRoot: true?
168. Which of the following is a MutatingAdmissionWebhook that is built into Kubernetes and can automatically inject a sidecar proxy for service mesh?
169. Which TWO of the following are best practices for securing secrets in Kubernetes? (Select 2)
170. Which THREE of the following security context settings help mitigate container breakout attacks? (Select 3)
171. Which TWO of the following are valid methods to enforce mTLS in an Istio service mesh? (Select 2)
172. An administrator wants to enforce that all containers in a Kubernetes cluster run as non-root and have read-only root filesystems using OPA/Gatekeeper. Which two resources must be created?
173. A developer wants to run a container that reads a secret from a mounted volume, not as an environment variable. Which volume type should they use?
174. An admin creates the following EncryptionConfiguration to encrypt secrets at rest. After applying it, what must the admin do to ensure existing secrets are encrypted?
175. In an Istio service mesh, you want to enforce mutual TLS (mTLS) between all services in the 'default' namespace. Which resource should you create?
176. Which kubectl command creates a valid webhook configuration that validates pods against a policy?
177. A cluster administrator needs to run a workload that uses gVisor (runsc) for container sandboxing. Which Kubernetes resource is required to enable this?
178. A pod manifest sets securityContext: { runAsNonRoot: true, runAsUser: 1001 }. However, the container image expects to run as root (UID 0). What will happen when the pod is created?
179. You are writing a Rego policy for OPA/Gatekeeper to deny pods that do not have runAsNonRoot set to true. Which Rego statement should the ConstraintTemplate contain?
180. An admin runs 'kubectl get pod web -o yaml' and sees the following security context. Which setting prevents privilege escalation?
181. A team wants to use an external secret manager (HashiCorp Vault) to inject secrets into pods. Which approach is most aligned with Kubernetes best practices?
182. A cluster has a ValidatingWebhookConfiguration that intercepts Pod CREATE requests. The webhook server is unavailable. What happens when a user tries to create a pod?
183. Which TWO of the following are valid methods to restrict a container's filesystem to read-only in Kubernetes?
184. Which TWO of the following are required to enable encryption of Kubernetes Secrets at rest?
185. Which THREE of the following are valid capabilities that should be dropped for a container running a typical non-privileged application to adhere to the principle of least privilege?
186. Which TWO of the following are valid RuntimeClass handlers for container sandboxing?
187. You are implementing a policy to ensure all containers in a namespace run as non-root. Which of the following is the most appropriate approach to enforce this at the cluster level?
188. You need to encrypt Secrets at rest in an existing Kubernetes cluster. You create an EncryptionConfiguration file specifying aescbc as the provider. After updating the API server manifest kube-apiserver.yaml with the new configuration, you create a new Secret. Which of the following statements is true?
189. Which kubectl command is used to create a Constraint object in OPA/Gatekeeper?
190. Which TWO of the following are valid ways to enable mTLS between services in a service mesh (e.g., Istio)?
191. Which THREE of the following are recommended practices for minimizing microservice vulnerabilities related to container security?
192. Which TWO of the following are valid methods to securely manage secrets in Kubernetes?
193. Which THREE of the following are features of container sandboxing solutions like gVisor or Kata Containers?
The Minimize Microservice Vulnerabilities domain covers the key concepts tested in this area of the CKS exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKS domains — no account required.
The Courseiva CKS question bank contains 193 questions in the Minimize Microservice Vulnerabilities domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.