
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Minimize Microservice Vulnerabilities

Practice CKS Minimize Microservice Vulnerabilities questions with full explanations on every answer.

193 questions


All CKS Minimize Microservice Vulnerabilities questions (193)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A microservice running as a Deployment in a Kubernetes cluster needs to authenticate to a third-party API using a static API key. Which is the most secure way to store and inject this secret into the container?

2

During a security audit, a team discovers that their microservice application, deployed on Kubernetes, is vulnerable to container breakout attacks. The containers run as root and have many Linux capabilities. Which set of Pod Security Standards (PSS) enforcement modes and policies would best mitigate this risk?

3

A DevOps engineer wants to ensure that all microservice containers run with a read-only root filesystem to prevent unauthorized writes. What is the simplest way to enforce this at the Pod level?

4

A security scanner reports that a microservice container image contains a critical vulnerability (CVE-2024-1234) in a system library. The team cannot immediately rebuild the image. What is the most effective temporary mitigation at the Kubernetes level?

5

A microservice container needs to perform DNS lookups using TCP rather than UDP. Which Kubernetes security context setting should be configured to allow this?

6

Which TWO of the following are effective measures to minimize the impact of a compromised microservice container in a Kubernetes cluster? (Choose two.)

7

Which THREE of the following practices help protect microservice applications against supply chain attacks? (Choose three.)

8

Given the following PodSecurityPolicy (PSP) snippet, which statement about the allowed containers is correct?

9

A security engineer runs the following command to inspect a container's security context. What vulnerability does this configuration expose?

10

A DevOps team deploys a microservice that needs to access a third-party API using credentials stored in a Kubernetes Secret. The team wants to minimize the risk of credential exposure. Which approach best achieves this goal while following security best practices?

11

You are asked to secure a set of microservices running in a Kubernetes cluster. Which TWO of the following practices help minimize vulnerabilities in microservices?

12

You are a platform engineer at a financial services company. The production cluster runs a set of microservices that handle sensitive customer data. The cluster has been configured with Pod Security Standards (PSS) enforced via OPA/Gatekeeper. Recently, the security team identified that a new deployment of the `payment-processing` microservice is running with the `seccomp` profile set to `Unconfined`. This violates the company policy that requires all containers to use a runtime default seccomp profile. The deployment YAML does not explicitly set any security context for seccomp. The cluster's nodes are running containerd 1.6 with default seccomp profile enabled. The OPA constraint template checks that `securityContext.seccompProfile.type` is set to `RuntimeDefault` or `Localhost`. However, the deployment passes the OPA validation. What is the most likely reason the deployment is not being rejected by OPA, and how should you fix it?

13

Which TWO of the following are best practices for minimizing microservice vulnerabilities in a Kubernetes cluster?

14

You are a Kubernetes administrator for a fintech company that runs a payment processing service in a production cluster. The service consists of multiple microservices that communicate over the network. Recently, a security audit revealed that a compromised pod could potentially send malicious requests to other services because there are no network restrictions between pods. The security team has mandated that all inter-service traffic must be encrypted and authenticated, and that only necessary traffic should be allowed. You need to implement a solution that meets these requirements with minimal changes to the application code and minimal operational overhead. Which approach should you take?

15

Order the steps to configure and apply a NetworkPolicy to restrict pod-to-pod traffic.

16

Arrange the steps to configure and use Trivy to scan container images for vulnerabilities in a CI/CD pipeline.

17

Match each Kubernetes object or feature to its primary security purpose.

18

Match each Kubernetes network security concept to its definition.

19

Which of the following OPA Gatekeeper Rego policies would deny a pod that sets `securityContext.runAsUser: 0`?

20

A developer wants to ensure that all containers in a pod run with a read-only root filesystem except for a specific volume mounted for writing logs. Which container-level security context field should be set to true?

21

Which Istio resource is used to enforce mutual TLS (mTLS) for all services in a namespace, ensuring that traffic between services is encrypted?

22

Which kubectl command would you use to create a ValidatingWebhookConfiguration from a YAML file?

23

A cluster administrator has configured EncryptionConfiguration to encrypt secrets at rest using a local key. After applying the configuration, the administrator creates a new secret. How can they verify that the secret is encrypted at rest?

24

A pod is using a RuntimeClass that specifies gVisor (runsc). Which of the following scenarios is most likely to cause the pod to fail?

25

Which of the following is the best practice for providing sensitive data like passwords to a pod?

26

Which Kubernetes admission controller is responsible for mutating and validating pod requests based on policies defined by OPA Gatekeeper?

27

A cluster administrator wants to ensure that all pods in a namespace run with the `seccomp` profile set to `RuntimeDefault`. Which OPA Gatekeeper ConstraintTemplate would achieve this?

28

A pod fails to start with the error 'Container runtime network not ready', and the node uses Kata Containers (RuntimeClass: kata). What is the most likely cause?

29

Which of the following is the correct way to drop all capabilities in a container's security context?

30

What is the purpose of the `allowPrivilegeEscalation: false` setting in a container's security context?

31

Which TWO of the following are valid ways to securely manage secrets in Kubernetes? (Choose two.)

32

Which THREE of the following are best practices for securing a Kubernetes cluster using OPA Gatekeeper? (Choose three.)

33

Which TWO of the following are valid Kubernetes RuntimeClass handlers for container sandboxing? (Choose two.)

34

You are deploying a microservice that must run as a non-root user and have a read-only root filesystem. Which two fields must be set in the PodSecurityContext or container SecurityContext?

35

You are implementing a Gatekeeper policy to deny pods that run as root. Which Rego rule should you include in the ConstraintTemplate?

36

A security engineer wants to encrypt secrets at rest in an existing Kubernetes cluster. The cluster is already running with the default encryption configuration. After creating an EncryptionConfiguration resource and updating the kube-apiserver manifest, which command should be used to ensure the new configuration is applied without restarting the API server?

37

In the context of service mesh (e.g., Istio), which resource is used to enforce mutual TLS (mTLS) between services in a specific namespace?

38

You need to run a container with a sandboxed runtime using gVisor (runsc). Which Kubernetes resource must be created first to enable this?

39

A pod is failing with 'CrashLoopBackOff'. The pod's securityContext includes 'allowPrivilegeEscalation: false'. The container image is built with a default user of root and attempts to change capabilities. What is the most likely cause of the crash?

40

Which of the following is the best practice for injecting secrets into a pod?

41

You want to drop all Linux capabilities from a container. Which securityContext field should you set?

42

A ValidatingWebhookConfiguration is not working as expected. The webhook server is running and accessible. What is a common misconfiguration that would cause the webhook to not be called?

43

Which of the following is NOT a valid method to enforce pod security standards in a Kubernetes cluster?

44

To encrypt secrets at rest, which file must be modified on the control plane nodes?

45

You have an existing deployment that uses environment variables for secrets. Which kubectl command can be used to update the deployment to mount secrets as volumes without recreating the pods?

46

You need to ensure that all pods in a namespace can only communicate via mTLS. In Istio, which resource should you apply?

47

A Gatekeeper Constraint is not blocking pods that violate the policy. The constraint references a ConstraintTemplate that has been successfully created. What is the most likely cause?

48

Which container runtime is specifically designed for sandboxing containers with a lightweight kernel?

49

Which TWO of the following are valid ways to reduce the attack surface of a container? (Select TWO)

50

Which TWO of the following are valid arguments for the kubectl command to create a secret from a file? (Select TWO)

51

Which THREE of the following are valid approaches to enforce that all pods in a cluster run with a read-only root filesystem? (Select THREE)

52

An administrator needs to enforce that all pods in a namespace run with read-only root filesystem. Which Pod Security Standard should be applied?

53

A developer creates a Deployment with the following container spec:

```yaml
containers:
  - name: app
    image: myapp:latest
    env:
      - name: DB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: db-secret
            key: password
```

Which of the following is a security concern with this approach?

54

An administrator wants to use OPA Gatekeeper to enforce that all pods have a resource limits section defined. Which of the following is the correct combination to implement this policy?

55

A security engineer wants to enable mutual TLS (mTLS) between services in an Istio service mesh. Which Istio resource should be used to define the mTLS mode for the entire mesh?

56

Which kubectl command creates a secret named 'mysecret' from a file called 'credentials.json'?

57

A pod is configured with the following security context:

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```

The volume mounted at /data is owned by user 1000 and group 2000. The container process inside the pod writes to /data. Which statement about file ownership is true?

58

An administrator needs to encrypt secrets at rest in etcd. Which of the following steps is required?

59

Which of the following is a valid way to drop all capabilities from a container?

60

An administrator wants to use gVisor to sandbox containers in a Kubernetes cluster. Which resource must be created to enable this?

61

A pod is running with the following security context:

```yaml
securityContext:
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
```

The pod is in a CrashLoopBackOff. The logs show: "exec user process caused: operation not permitted". What is the most likely cause?

62

Which of the following commands creates a ValidatingWebhookConfiguration that uses an OPA Gatekeeper webhook?

63

What is the primary purpose of using a service mesh like Istio for microservices security?

64

Which TWO of the following are valid Rego keywords used in OPA policies for Gatekeeper? (Select TWO)

65

Which THREE of the following are valid ways to manage secrets in a Kubernetes environment? (Select THREE)

66

Which TWO of the following are correct about container sandboxing technologies? (Select TWO)

67

You need to ensure that all containers in a pod run as non-root. Which security context field should you set to enforce this?

68

A security policy requires that all pods drop ALL Linux capabilities and disable privilege escalation. Which YAML snippet correctly implements this in the pod's security context?

69

You are using Open Policy Agent (OPA) Gatekeeper to enforce pod security. You want to create a constraint that denies pods unless they have readOnlyRootFilesystem set to true. Which Rego rule in a ConstraintTemplate correctly implements this?

70

A security best practice is to avoid storing secrets in environment variables. Which is a secure alternative for injecting secrets into a pod?

71

You want to enable mutual TLS (mTLS) between services in a namespace using Istio. Which custom resource should you configure to enforce STRICT mTLS for all workloads in the namespace?

72

You are configuring encryption at rest for Kubernetes secrets. After creating an EncryptionConfiguration with aescbc provider, which additional step is required to enable encryption?

73

Which admission controller is responsible for validating and mutating requests based on webhooks?

74

You need to use gVisor as a container runtime for a set of workloads in the cluster. Which Kubernetes resource must be created to reference the runtime class?

75

You are deploying a ValidatingWebhookConfiguration. The webhook server is running in the 'webhook' namespace, service name 'svc', port 443. Which clientConfig should you specify?

76

A pod uses a Secret mounted as a volume. The Secret is updated. How can the pod consume the updated values without restarting?

77

You need to enforce that no pod runs with privileged containers or runs as root. Which tool can define policies that block such pods at admission time?

78

Which command can be used to view the current set of admission webhooks in the cluster?

79

Which TWO of the following are recommended practices for securing container images and runtime?

80

Which THREE of the following are characteristics of container sandboxing runtimes like gVisor and Kata Containers?

81

Which TWO of the following are valid approaches to manage secrets in a Kubernetes cluster?

82

You need to enforce that all pods in the 'production' namespace run with read-only root filesystems. Which OPA Gatekeeper resource do you create first?

83

A security auditor requires that all pods in a cluster must not run as root. Which Pod Security Standard (PSS) and enforcement mode should be applied at the namespace level?

84

You have deployed a service mesh with Istio and want to enforce mutual TLS (mTLS) for all traffic between services in the 'mesh' namespace. Which resource should you create?

85

You need to encrypt secrets at rest in a Kubernetes cluster. What must be configured?

86

Which of the following is a best practice for storing sensitive data like passwords in Kubernetes?

87

You want to run a container with gVisor for sandboxing. After installing gVisor and creating a RuntimeClass named 'gvisor', which Pod configuration enables it?

88

Which command creates a ResourceQuota in the 'team-a' namespace?

89

A pod fails to start with 'CrashLoopBackOff'. The pod's YAML includes securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: ['ALL'] } }. What is the likely cause?

90

You have created a ValidatingWebhookConfiguration to reject pods without resource limits. When you try to create a pod without limits, it is created successfully. What is the most likely reason?

91

You need to ensure that all pods in a namespace have the label 'security: high' added automatically upon creation. Which admission controller should you use?

92

Which flag enables the PodSecurity admission plugin in kube-apiserver?

93

You run 'kubectl auth can-i create pods --as=system:serviceaccount:default:sa1 -n default' and get 'no'. What does this mean?

94

Which TWO actions help minimize vulnerabilities in microservices by securing secrets? (Choose two)

95

Which THREE of the following are valid Rego policy constructs used in OPA Gatekeeper ConstraintTemplates to enforce security policies? (Choose three)

96

Which TWO container sandboxing technologies are supported in Kubernetes via RuntimeClass? (Choose two)

97

Which field must be set in a Pod's security context to prevent the container from running as the root user?

98

An administrator deploys a Gatekeeper ConstraintTemplate with the following Rego policy:

```rego
package k8srequiredlabels

deny[{"msg": msg}] {
  input.request.kind.kind == "Pod"
  not input.request.object.metadata.labels["security-tier"]
  msg := "Pod must have label 'security-tier'"
}
```

After creating the Constraint, a user creates a Pod without the 'security-tier' label. What is the expected behavior?

99

You are configuring an Istio service mesh for mTLS between services. Which resource defines the TLS mode for traffic between services in a namespace?

100

A cluster administrator wants to ensure that all Secrets are encrypted at rest using AES-CBC with a key managed by the local Kubernetes API server. Which configuration is required?

101

A security team wants to enforce that containers in a specific namespace cannot gain new capabilities. Which Pod security context field is used to achieve this?

102

Which command creates a validating webhook configuration that checks all pods in the cluster?

103

A developer asks you to run a container with gVisor runtime. The cluster has a RuntimeClass named 'gvisor' defined. Which field must be added to the Pod spec to use gVisor?

104

A pod's container tries to read environment variables that contain database credentials. The cluster has an external secrets manager (HashiCorp Vault) integrated via a sidecar. Which approach is MOST secure for exposing secrets to the container?

105

An OPA Gatekeeper ConstraintTemplate uses a Rego rule that denies pods without a specific label. The Constraint is created but pods without the label are still being allowed. What is the MOST likely cause?

106

Which kubectl command lists all MutatingWebhookConfigurations in the cluster?

107

A cluster has EncryptionConfiguration with aescbc provider. After rotating the encryption key, what must be done to re-encrypt existing Secrets with the new key?

108

You need to drop all Linux capabilities from a container. Which YAML snippet is correct?

109

Which TWO of the following are valid ways to enforce that containers cannot run as root in a Kubernetes cluster? (Select TWO.)

110

Which THREE of the following are true about Istio PeerAuthentication? (Select THREE.)

111

Which TWO of the following are secure practices for managing secrets in Kubernetes? (Select TWO.)

112

A security admin wants to ensure that no container in a specific namespace runs as root. Which Gatekeeper ConstraintTemplate and Constraint configuration should be used?

113

Which of the following is the correct kubectl command to view the OPA Gatekeeper ConstraintTemplates in the cluster?

114

An admin wants to enforce that all pods in a namespace use a read-only root filesystem except for a specific deployment that needs to write to a temporary directory. Which approach best meets this requirement?

115

Which field in a Pod's securityContext prevents privilege escalation by the container?

116

A security admin wants to ensure all pods in a cluster drop ALL Linux capabilities. Which of the following YAML snippets should be added to a PodSecurityPolicy (assuming PSP is enabled) or a pod spec?

117

An admin has created an EncryptionConfiguration to encrypt secrets at rest in etcd. After applying the configuration and restarting the kube-apiserver, existing secrets are still stored in plaintext. What is the most likely reason?

118

Which of the following is a best practice for storing sensitive information like database passwords in Kubernetes?

119

What is the primary benefit of using external secret managers (e.g., HashiCorp Vault) in Kubernetes?

120

An administrator wants to enforce mutual TLS (mTLS) between all services in an Istio service mesh. Which resource should be configured?

121

A cluster administrator wants to run some workloads in a sandboxed environment using gVisor. Which Kubernetes resource must be created first to allow pods to request the gVisor runtime?

122

Which of the following is a characteristic of Kata Containers compared to gVisor?

123

An admin has deployed a ValidatingWebhookConfiguration that denies pods with `runAsNonRoot: false`. After creating a pod that does not set `runAsNonRoot` at all, the pod is created successfully. Why did the webhook not deny it?

124

Which TWO of the following are valid ways to enforce that containers run with a read-only root filesystem?

125

Which THREE of the following are required to configure encryption of secrets at rest in Kubernetes?

126

Which TWO of the following are best practices for securing secrets in Kubernetes?

127

You need to ensure that all pods in a cluster run with read-only root filesystems. Which Pod Security Standard (PSS) control field should be set to true?

128

An administrator wants to enforce a policy that all containers must drop ALL capabilities and not allow privilege escalation. Which YAML snippet correctly implements this requirement in a PodSecurityPolicy-like manner using a security context? (Note: PodSecurityPolicy is deprecated; consider using a ValidatingAdmissionPolicy or OPA/Gatekeeper, but for this question choose the correct security context fields.)

129

A security team wants to use OPA/Gatekeeper to enforce that all namespaces must have a label 'security-tier' with value 'high' or 'medium'. What is the correct approach?

130

You need to encrypt Kubernetes secrets at rest. Which resource should you configure?

131

A pod runs with a service mesh sidecar (Istio). The team wants to enforce mutual TLS (mTLS) for all traffic between services in the 'production' namespace. Which resource should be applied?

132

An admin runs 'kubectl run test-pod --image=busybox --command -- sleep 3600' and then executes 'kubectl exec test-pod -- cat /var/run/secrets/kubernetes.io/serviceaccount/token'. The admin wants to prevent such access to the service account token. What is the correct action?

133

Which command correctly creates a secret from a file named 'config.json'?

134

You want to run a container with gVisor (runsc) runtime for sandboxing. Which resource is required to use a non-default runtime?

135

An OPA/Gatekeeper ConstraintTemplate is written to enforce that all Deployments have the label 'app.kubernetes.io/name'. However, the Constraint does not deny Deployments without the label. What is the most likely cause?

136

An administrator wants to prevent pods from using secrets as environment variables and enforce that secrets are only mounted as volumes. Which admission controller could be used to achieve this?

137

Which kubectl command creates a validating webhook configuration that calls an external HTTPS endpoint for pod validation?

138

You are using External Secrets Operator to sync secrets from HashiCorp Vault. The operator is deployed but secrets are not being created. Which resource defines the mapping between Vault secrets and Kubernetes secrets?

139

Which TWO of the following are valid methods to securely manage secrets in Kubernetes? (Select 2)

140

Which TWO of the following are valid Pod Security Context settings to harden a container? (Select 2)

141

Which THREE of the following are valid ways to enforce mTLS in an Istio service mesh? (Select 3)

142

Which field in a PodSecurityContext ensures that the container cannot gain privileges beyond its parent process?

143

You need to enforce that all containers in a namespace run with a read-only root filesystem. Which OPA Gatekeeper resource would you use to define the policy?

144

An administrator creates a Pod with the following securityContext:

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```

The container image has a binary that requires read/write access to /data, which is an emptyDir volume mounted by the Pod. The container fails to start with 'Permission denied' when writing to /data. What is the most likely cause?

145

You are deploying an application that needs to access a database password stored in a Kubernetes Secret. To minimize risk, you should mount the Secret as a volume rather than using environment variables. Which of the following is the primary security benefit of using mounted volumes over environment variables?

146

In an Istio service mesh, you want to enforce mutual TLS (mTLS) between services in a specific namespace. Which resource should you create to set the default mTLS mode to STRICT for all workloads in that namespace?

147

You have enabled encryption at rest for Kubernetes Secrets by configuring an EncryptionConfiguration object and restarting the API server. After the configuration, you create a new Secret. However, when you retrieve the Secret using 'kubectl get secret mysecret -o yaml', the 'data' field still shows base64-encoded plaintext. Is the Secret encrypted at rest?

148

You need to set up a ValidatingWebhookConfiguration to deny pods that run as root. The webhook server is deployed in the 'webhook' namespace with service 'webhook-svc' on port 443. Which of the following is a correct snippet for the webhook configuration?

149

You want to run a workload in a sandboxed container using gVisor. You have created a RuntimeClass named 'gvisor' that references the 'runsc' handler. Which of the following Pod specs correctly uses this RuntimeClass?

150

You are writing a Rego policy for OPA Gatekeeper to deny pods that do not have 'runAsNonRoot: true' set in their security context. The ConstraintTemplate expects an input parameter 'runAsNonRoot' that is a boolean. Which Rego rule correctly denies such pods?

151

You have a Pod that uses a ServiceAccount token mounted via a projected volume. You want to ensure that the token has an expiration time and that the pod is not using a long-lived token. What is the most secure way to mount the token?

152

You need to create a NetworkPolicy that denies all ingress traffic to pods with label 'app: web' in the 'frontend' namespace, except for traffic from pods with label 'app: ingress' in the 'ingress' namespace. Which NetworkPolicy spec correctly achieves this?

153

Which kubectl command would you use to create a Secret from a file named 'db-password.txt'?

154

Which TWO of the following are valid ways to enforce that a container runs as a non-root user?

155

Which THREE of the following are capabilities that should typically be dropped from a container to minimize vulnerabilities?

156

You want to use an external secret management system like HashiCorp Vault to manage database credentials for your application. Which of the following are valid approaches to integrate Vault with Kubernetes?

157

A security engineer needs to ensure that all containers in a cluster run as non-root users. Which Pod Security Context field should be set to enforce this requirement?

158

You are tasked with creating a ConstraintTemplate in OPA/Gatekeeper that denies pods running with the 'latest' image tag. Which Rego rule should the ConstraintTemplate include?

159

An administrator deploys a Pod with the following security context:

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
```

However, the Pod fails to start with an error: 'container has runAsNonRoot and image will run as root'. What is the most likely cause?

160

A security best practice is to avoid storing sensitive data in environment variables. Instead, secrets should be mounted as volumes. Which of the following YAML snippets correctly mounts a Kubernetes Secret named 'db-secret' as a volume at /etc/secrets?

161

An administrator wants to enforce mTLS between all services in the 'mesh' namespace using Istio. Which resource should be applied to require mutual TLS for all workloads in that namespace?

162

To encrypt secrets at rest in Kubernetes, an administrator configures an EncryptionConfiguration. What is the correct flag to pass to the kube-apiserver to use this configuration?

163

A cluster administrator wants to audit all pod creations and modifications using an admission webhook. Which resource type should be created to register the webhook?

164

Which of the following is a valid approach to enforce that containers cannot escalate privileges?

165

An administrator wants to use gVisor as the container runtime for specific high-security workloads. After installing gVisor, what Kubernetes resource must be created to allow pods to request gVisor?

166

A security engineer runs the following command to inspect a pod's security context:

```shell
kubectl get pod secure-pod -o jsonpath='{.spec.containers[0].securityContext.capabilities}'
```

The output is:

```json
{"drop":["ALL"]}
```

What does this indicate?

167

An OPA/Gatekeeper ConstraintTemplate is defined with the following Rego rule:

```rego
violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  container.securityContext.runAsNonRoot != true
  msg := "Container must run as non-root"
}
```

What happens when a pod is submitted with a container that has runAsNonRoot: true?

168

Which of the following is a MutatingAdmissionWebhook that is built into Kubernetes and can automatically inject a sidecar proxy for service mesh?

169

Which TWO of the following are best practices for securing secrets in Kubernetes? (Select 2)

170

Which THREE of the following security context settings help mitigate container breakout attacks? (Select 3)

171

Which TWO of the following are valid methods to enforce mTLS in an Istio service mesh? (Select 2)

172

An administrator wants to enforce that all containers in a Kubernetes cluster run as non-root and have read-only root filesystems using OPA/Gatekeeper. Which two resources must be created?

173

A developer wants to run a container that reads a secret from a mounted volume, not as an environment variable. Which volume type should they use?

174

An admin creates the following EncryptionConfiguration to encrypt secrets at rest. After applying it, what must the admin do to ensure existing secrets are encrypted?

175

In an Istio service mesh, you want to enforce mutual TLS (mTLS) between all services in the 'default' namespace. Which resource should you create?

176

Which kubectl command creates a valid webhook configuration that validates pods against a policy?

177

A cluster administrator needs to run a workload that uses gVisor (runsc) for container sandboxing. Which Kubernetes resource is required to enable this?

178

A pod manifest specifies securityContext: { runAsNonRoot: true, runAsUser: 1001 }. However, the container image expects to run as root (UID 0). What will happen when the pod is created?

179

You are writing a Rego policy for OPA/Gatekeeper to deny pods that do not have runAsNonRoot set to true. Which Rego statement should the ConstraintTemplate contain?

180

An admin runs 'kubectl get pod web -o yaml' and sees the following security context. Which setting prevents privilege escalation?

181

A team wants to use an external secret manager (HashiCorp Vault) to inject secrets into pods. Which approach is most aligned with Kubernetes best practices?

182

A cluster has a ValidatingWebhookConfiguration that intercepts Pod CREATE requests. The webhook server is unavailable. What happens when a user tries to create a pod?

183

Which TWO of the following are valid methods to restrict a container's filesystem to read-only in Kubernetes?

184

Which TWO of the following are required to enable encryption of Kubernetes Secrets at rest?

185

Which THREE of the following are valid capabilities that should be dropped for a container running a typical non-privileged application to adhere to the principle of least privilege?

186

Which TWO of the following are valid RuntimeClass handlers for container sandboxing?

187

You are implementing a policy to ensure all containers in a namespace run as non-root. Which of the following is the most appropriate approach to enforce this at the cluster level?

188

You need to encrypt Secrets at rest in an existing Kubernetes cluster. You create an EncryptionConfiguration file specifying aescbc as the provider. After updating the API server manifest (kube-apiserver.yaml) with the new configuration, you create a new Secret. Which of the following statements is true?

189

Which kubectl command is used to create a Constraint object in OPA/Gatekeeper?

190

Which TWO of the following are valid ways to enable mTLS between services in a service mesh (e.g., Istio)?

191

Which THREE of the following are recommended practices for minimizing microservice vulnerabilities related to container security?

192

Which TWO of the following are valid methods to securely manage secrets in Kubernetes?

193

Which THREE of the following are features of container sandboxing solutions like gVisor or Kata Containers?


Frequently asked questions

What does the Minimize Microservice Vulnerabilities domain cover on the CKS exam?

The Minimize Microservice Vulnerabilities domain covers the key concepts tested in this area of the CKS exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKS domains — no account required.

How many Minimize Microservice Vulnerabilities questions are in the CKS question bank?

The Courseiva CKS question bank contains 193 questions in the Minimize Microservice Vulnerabilities domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Minimize Microservice Vulnerabilities for CKS?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Minimize Microservice Vulnerabilities questions for CKS?

Yes — the session launcher on this page draws questions exclusively from the Minimize Microservice Vulnerabilities domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
