Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CKS · Free — No Signup

Supply Chain Security

Practice CKS Supply Chain Security questions with full explanations on every answer.

190 questions

Supply Chain Security — choose a session length

10 questions (~10 min)
20 questions (~20 min)
30 questions (~30 min)
50 questions (~50 min)

Free · No account required

CKS Domains

Monitoring, Logging and Runtime Security
Cluster Setup and Hardening
System Hardening
Minimize Microservice Vulnerabilities
Supply Chain Security
Cluster Setup
Cluster Hardening


All CKS Supply Chain Security questions (190)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

Which TWO of the following are best practices for securing the container supply chain?

2

Which THREE of the following are required to implement a secure software supply chain using Kubernetes native features?

3

A DevOps team wants to ensure that only signed images from a trusted registry are deployed in the cluster. They plan to use a webhook to intercept pod creation. Which tool is best suited for this task?

4

A security audit reveals that a container image running in production contains a critical vulnerability (CVE-2024-1234). The image was built from a base image that had the vulnerability. What is the MOST effective long-term solution to prevent such issues?

5

An organization uses a private container registry and wants to ensure that only images built from a specific CI/CD pipeline are deployed. Which combination of measures provides the strongest guarantee?

6

You are the lead security engineer for a large financial institution. The organization runs a Kubernetes cluster with 500+ microservices. The supply chain security team has implemented the following measures: (1) All images are built from a minimal base image (distroless) and scanned with Trivy before being pushed to a private registry. (2) Images are signed using cosign with a key stored in a hardware security module (HSM). (3) Kyverno policies enforce that only signed images from the private registry can run, and also enforce that containers run as non-root. (4) A binary authorization (binauthz) style admission controller verifies attestations. Recently, a critical vulnerability (CVE-2024-0001) was discovered in a popular open-source library used by several microservices. The library is included as a dependency in the base image. The vulnerability is remotely exploitable and has a CVSS score of 9.8. The security team needs to remediate this quickly. They have already patched the library and updated the base image. What is the BEST course of action to ensure all running pods use the new image?

7

A development team uses a custom container image for their application, built from a base image that includes multiple CVEs. The security team requires that no container runs with known critical vulnerabilities. Which approach best ensures that only images with no critical vulnerabilities are deployed in production?

8

An organization uses a GitOps workflow with Argo CD to deploy applications to Kubernetes. The security team wants to ensure that container images are immutable and signed. They currently use a private container registry (Harbor) with vulnerability scanning and Cosign for signing. Which combination of controls best enforces that only signed and scanned images are deployed?

9

You are auditing a cluster's supply chain security. You find that many pods are running images from public registries without any pinning or verification. Which TWO actions would most effectively reduce the risk of pulling malicious images?

10

You are a security engineer at a fintech startup. The company runs a Kubernetes cluster in production with hundreds of microservices. Recently, a container image from a public registry was compromised, and the attacker injected a backdoor that exfiltrated customer data. The CISO mandates that all images must come from an internal registry that only stores approved, scanned, and signed images. Currently, developers build images locally and push them to Docker Hub, then reference those images in Kubernetes manifests. You have deployed Harbor as a private registry with vulnerability scanning and Cosign for signing. However, you notice that some pods are still running images directly from Docker Hub. You need to enforce that only images from your internal Harbor registry can be used in the cluster. You cannot change the Kubernetes manifests immediately because of a large backlog. You have access to the cluster's kubelet configuration and can modify cluster-level components. Which single action will most effectively block any pod that tries to use an image not hosted on your internal registry?

11

A DevOps team uses a CI/CD pipeline to build container images and push them to a private registry. To minimize the risk of supply chain attacks, which of the following is the most effective security control to implement?

12

You are securing a Kubernetes cluster that runs workloads from multiple teams. The cluster uses a private container registry and an admission controller to enforce image policies. Which TWO of the following actions are most effective in preventing the use of unapproved or tampered container images? (Choose two correct answers.)

13

Refer to the exhibit. A cluster has the ClusterImagePolicy shown. A developer creates a pod with an image from registry.example.com/myapp:v1, which was built and signed by a GitHub Actions workflow that is NOT defined in the policy (different workflow). Which behavior will occur when the pod is created?

14

Arrange the steps to secure etcd in a Kubernetes cluster.

15

Match each Kubernetes API server flag to its security function.

16

You are tasked with ensuring that all container images in your cluster are scanned for vulnerabilities before being deployed. You have set up Trivy in your CI/CD pipeline and want to enforce that only images with no critical vulnerabilities are allowed. Which admission controller should you configure to reject pods using non-compliant images?

17

Which of the following is a best practice for securing container images?

18

A security engineer wants to ensure that only images signed with a specific key are allowed to run in the cluster. Which tool can be used to sign container images?

19

A developer wants to create a Deployment that runs as a non-root user. Which YAML snippet correctly sets the security context to run the container with UID 1000?

20

You are configuring an ImagePolicyWebhook admission controller to allow only images from a trusted registry 'trusted-registry.io'. Which flag must be set in the kube-apiserver configuration to enable the webhook?

21

A security team wants to automatically reject any Pod that uses an image tagged with 'latest'. Which tool can be used to define this policy at the admission level?

22

Developer A runs 'cosign verify --key cosign.pub myregistry/myimage:tag' and receives an error: 'No signatures found'. Developer B previously ran 'cosign sign --key cosign.key myregistry/myimage:tag'. What is the most likely cause of the verification failure?

23

Which tool is commonly used to generate a Software Bill of Materials (SBOM) for a container image?

24

A DevOps engineer is setting up a CI/CD pipeline to scan container images for vulnerabilities. They want to fail the pipeline if any critical vulnerabilities are found. Which command should they use to scan the image and produce a JSON output that can be parsed?

25

You have configured Kyverno to enforce that all Pods must have an image from a trusted registry. However, a newly created Pod is not being rejected even though it uses an untrusted image. What is the most likely reason?

26

Which of the following is a static analysis tool for Kubernetes manifests that can identify security misconfigurations?

27

You need to ensure that all containers in your cluster run with a read-only root filesystem. Which field should be set in the container's security context?

28

Which two of the following are best practices for container image security? (Select TWO.)

29

Which three of the following are valid ways to enforce supply chain security in a Kubernetes cluster? (Select THREE.)

30

Which two of the following are best practices for securing a CI/CD pipeline that builds and deploys container images? (Select TWO.)

31

Which of the following is a best practice for securing container images in a CI/CD pipeline?

32

An administrator runs 'trivy image myapp:1.0' and receives an output with several CRITICAL vulnerabilities. What is the best next step to ensure the image is secure before deployment?

33

A cluster uses ImagePolicyWebhook admission controller. After configuring it, deployments referencing images from an unauthorized registry are blocked. However, some deployments are still being admitted. What is a possible cause?

34

Which command is used to sign a container image with Cosign and store the signature in an OCI registry?

35

A Kubernetes cluster has Kyverno installed. A policy requires that all images come from a trusted registry 'trusted.example.com'. A Deployment uses the image 'nginx:latest'. When the Deployment is created, it is blocked. What Kyverno policy action is being used?

36

Which tool can be used to generate an SBOM (Software Bill of Materials) for a container image?

37

A security policy requires that all container images use SHA-based digests instead of tags. Which approach ensures this in a Deployment YAML?

38

A CI/CD pipeline uses cosign attest to add an SBOM attestation to an image. Later, during deployment, which command verifies the attestation?

39

Which of the following is a recommended Dockerfile best practice to improve container security?

40

An OPA/Gatekeeper constraint requires that all images' registries match a pattern. A Deployment uses 'myregistry.io/app:v1'. The admission controller rejects it. The admin runs 'kubectl get constraints' and sees the constraint is active. What is the next debugging step?

41

A cluster has both ImagePolicyWebhook and a mutating webhook that adds a sidecar. The admin notices that even when ImagePolicyWebhook rejects an image, the mutating webhook has already added the sidecar. What admission ordering issue is occurring?

42

Which tool can be used to perform static analysis of Kubernetes manifests for security issues?

43

Which TWO of the following are valid methods to ensure only signed images are deployed in a Kubernetes cluster?

44

Which THREE of the following are best practices for securing the software supply chain in a CI/CD pipeline?

45

Which TWO of the following admission controllers are relevant for supply chain security in Kubernetes?

46

You want to scan a container image for vulnerabilities before deploying it. Which command uses the Trivy tool to scan an image?

47

A security team wants to ensure that only signed images are deployed in the cluster. They have set up an ImagePolicyWebhook admission controller. After configuring the webhook, they notice that pods with unsigned images are still being created. What is the most likely cause?

48

Which of the following is a best practice for securing container images?

49

A developer wants to ensure that a pod always uses a specific version of an image that cannot be changed without updating the manifest. Which image reference should be used?

50

You are auditing your cluster's supply chain security. You need to generate a Software Bill of Materials (SBOM) for a container image. Which tool should you use?

51

An administrator applies the following Kyverno policy to the cluster. What is the effect of this policy?

    apiVersion: kyverno.io/v1
    kind: ClusterPolicy
    metadata:
      name: require-non-root
    spec:
      validationFailureAction: enforce
      rules:
      - name: check-runAsNonRoot
        match:
          resources:
            kinds:
            - Pod
        validate:
          message: "Running as root is not allowed."
          pattern:
            spec:
              securityContext:
                runAsNonRoot: true

52

A security engineer wants to integrate image scanning into a CI/CD pipeline. They are using a tool that can scan the filesystem of the build context before building the image. Which tool is best suited for this purpose?

53

You want to allow only images from a specific registry (e.g., myregistry.io) to be deployed in your cluster. Which tool or approach is best suited for this requirement?

54

What is the purpose of using a non-root user in a container image?

55

A cluster administrator notices that a pod using an image from a public registry is failing to start. The image was signed with Cosign, and the cluster has an ImagePolicyWebhook configured to require signatures. The error message from the webhook indicates 'signature verification failed'. What is the most likely cause?

56

You are tasked with creating a Kubernetes admission controller that validates image signatures before allowing pods to run. Which admission controller should you configure?

57

Which of the following is a static analysis tool for Kubernetes manifests that can be used to find misconfigurations?

58

Which TWO of the following are benefits of using an SBOM (Software Bill of Materials) in supply chain security?

59

Which TWO of the following are correct methods to verify a signed container image using Cosign?

60

Which THREE of the following are best practices for writing Dockerfiles?

61

An administrator runs 'trivy image --severity HIGH,CRITICAL myapp:v1.0' and sees no vulnerabilities. However, a security scan of the same image using a different tool reports several HIGH severity CVEs. What is the MOST likely reason for this discrepancy?

62

A security policy requires that all container images must be signed using Cosign. Which admission controller enforces signature verification at pod creation time?

63

A developer wants to ensure the container image used in a Deployment is immutable. Which approach BEST guarantees that the exact same image is used every time, preventing tag mutation?

64

Which tool is specifically designed to generate a Software Bill of Materials (SBOM) for container images?

65

A security engineer runs 'kubesec scan deployment.yaml' and receives a score of -1. What does this score indicate?

66

An OPA/Gatekeeper constraint is configured to allow only images from 'trusted-registry.io'. A pod is created with image 'trusted-registry.io/app:v1' but is denied. Which is the MOST likely cause?

67

Which of the following is a BEST practice for container images to reduce the attack surface?

68

An administrator wants to verify that an image was signed by a specific key before deploying. Which Cosign command should be used?

69

Which Kyverno policy action is used to automatically mutate a resource to add a sidecar container for security?

70

A CI pipeline fails with the error 'cosign: error: unable to verify image: no matching signatures' when running 'cosign verify --key pubkey.pem myregistry/myapp:latest'. The image was previously signed with a private key. What is the MOST likely cause?

71

Which admission controller runs FIRST in the Kubernetes admission flow?

72

A security best practice for Dockerfiles is to avoid hardcoded secrets. Which Dockerfile instruction is MOST likely to contain a hardcoded secret?

73

Which TWO are benefits of using a distroless base image over a full OS image like Ubuntu? (Select two.)

74

Which THREE are valid methods to enforce that only images from a specific registry can be deployed in a Kubernetes cluster? (Select three.)

75

Which TWO are recommended practices for securing a CI/CD pipeline that builds container images? (Select two.)

76

A security engineer wants to scan a container image for vulnerabilities using Trivy. Which command should they use?

77

A DevOps engineer wants to enforce that all container images running in the cluster are signed using Cosign. Which Kubernetes admission controller is designed for this purpose?

78

An administrator runs 'kubectl describe pod secure-pod' and sees that the pod is in a Pending state with the event 'Error: ImagePullBackOff' and the message 'unauthorized: authentication required'. The image is stored in a private registry. What is the most likely cause?

79

Which of the following is a best practice for securing a Dockerfile?

80

An administrator wants to ensure that only images from a specific registry (e.g., myregistry.internal) can run in the cluster. Which tool can be used to enforce this via admission control?

81

A security team wants to generate an SBOM for a container image. Which tool should they use?

82

An administrator runs 'kubectl run test-pod --image=nginx:latest' and the pod fails to start. The event log shows 'ImagePullBackOff' with error 'manifest for nginx:latest not found: manifest unknown'. The image 'nginx:latest' exists in the registry. What is the most likely cause?

83

Which admission controller is responsible for invoking external webhooks to validate or mutate resources?

84

An organization wants to implement supply chain security by signing all container images and verifying them before deployment. Which combination of tools is appropriate?

85

A pod is running in a namespace that has a Kyverno policy requiring all images to come from a trusted registry. The pod is using an image from an untrusted registry. What will happen when the pod is created?

86

Which of the following is a static analysis tool for Kubernetes manifests?

87

An administrator wants to ensure that a Deployment uses a specific image digest (SHA256) instead of a tag. Which field in the Deployment YAML should be modified?

88

Which TWO of the following are valid methods to verify the integrity of a container image before deployment?

89

Which THREE of the following are best practices for securing the software supply chain in Kubernetes?

90

Which TWO of the following are tools that can be used to generate an SBOM for a container image?

91

A security admin runs 'trivy image --severity CRITICAL,HIGH myrepo/myapp:latest' and sees many CVEs. The admin wants to ensure that only images with no CRITICAL or HIGH severity vulnerabilities are deployed to the cluster. Which admission controller should be configured to enforce this policy?

92

A developer wants to sign a container image using Cosign. Which command should they run after building and pushing the image to a registry?

93

An administrator wants to ensure that all containers in a deployment run as a non-root user. Which YAML snippet correctly sets the security context to run as user ID 1000?

94

A security engineer wants to enforce that all images in the cluster must come from a trusted registry 'trusted-registry.io'. They are using OPA/Gatekeeper. Which constraint template and constraint combination would achieve this?

95

Which tool is used to generate a Software Bill of Materials (SBOM) for a container image?

96

A CI/CD pipeline builds a Docker image and pushes it to a registry. To ensure supply chain security, the pipeline should scan the image for vulnerabilities before deployment. Which of the following is the correct command to scan a local Docker image using Trivy?

97

A Kyverno policy is written to require all images to use SHA256 digests instead of tags. The policy uses a 'validate' rule with 'pattern' on 'spec.containers[*].image'. Which pattern would match an image reference like 'registry.example.com/myapp@sha256:abc123...'?

98

Which admission controller is responsible for validating and modifying images based on an external webhook in Kubernetes?

99

A DevOps engineer wants to ensure that a container image is signed and the signature is verified before deployment. Which Cosign command verifies an image signature?

100

An administrator wants to perform static analysis on Kubernetes manifest files to find security misconfigurations. Which tool is specifically designed for this?

101

A pod is stuck in Pending state. 'kubectl describe pod' shows '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/control-plane: }, that the pod didn't tolerate.' The pod does not specify any tolerations. What is the most likely cause?

102

Which of the following is a best practice when writing a Dockerfile for a containerized application?

103

Which TWO of the following are valid methods to verify the integrity of a container image in a Kubernetes supply chain? (Select 2)

104

Which THREE of the following are correct statements about Kubernetes admission controllers in the context of supply chain security? (Select 3)

105

Which TWO of the following tools can be used to generate or analyze SBOMs? (Select 2)

106

An administrator wants to ensure that only images from a trusted registry 'myregistry.io' can run in the cluster. Which admission controller should be configured?

107

Which command is used with Cosign to sign a container image?

108

A DevOps engineer runs 'trivy image myapp:latest' and finds a critical CVE in the base image. Which Dockerfile change would BEST address this?

109

An OPA/Gatekeeper constraint is configured to require all container images to be from a specific registry. A user creates a Pod with image 'gcr.io/myimage:v1'. Which admission controller will first reject this Pod?

110

A security policy requires that all container images must have a signed attestation. Which Cosign command would an admin add to the CI pipeline to create this attestation?

111

Which tool is used to generate an SBOM (Software Bill of Materials) for a container image?

112

An admin runs 'kubectl run test-pod --image=nginx:latest' and the Pod is created but immediately enters 'CrashLoopBackOff'. 'kubectl describe pod test-pod' shows 'Back-off restarting failed container'. Which admission controller might cause this if misconfigured?

113

A security scan report shows that a container image has several high-severity CVEs. The team wants to implement automated scanning in the CI/CD pipeline. Which tool would you recommend for scanning container images in a CI pipeline?

114

An organization uses Kyverno to enforce policies. Which Kyverno rule action would you use to require that all images come from a specific registry?

115

A user creates a Deployment with image 'alpine:3.18' and the Pod status is 'ErrImagePull'. The admin checks the image policy and sees that only images with SHA digests are allowed. What is the fix?

116

Which command would scan a Kubernetes Pod manifest for security issues?

117

An administrator wants to enforce that all pods run with a read-only root filesystem. Which admission controller can achieve this without writing custom code?

118

Which TWO are best practices for Dockerfile security? (Select 2)

119

Which THREE are valid methods to verify the integrity and origin of a container image? (Select 3)

120

Which TWO are tools for static analysis of Kubernetes manifests? (Select 2)

121

A security admin wants to ensure that all container images in a Kubernetes cluster are scanned for known vulnerabilities before being deployed. Which tool can be integrated into a CI/CD pipeline to scan container images for CVEs?

122

An administrator wants to ensure that only signed container images are deployed in the cluster. Which admission controller can be used to enforce this policy?

123

Which command is used to sign a container image with Cosign?

124

You have a Kyverno policy that validates image registries. The policy should allow only images from `myregistry.example.com`. Which Kyverno rule field should be used to check the image registry?

125

An administrator runs `kubectl run nginx --image=nginx:latest` and the pod remains in ImagePullBackOff. The cluster uses containerd as the container runtime. What is the most likely cause?

126

Which of the following is a best practice for Dockerfiles to improve supply chain security?

127

A DevOps team wants to enforce that all Deployments must have a specific label 'app.kubernetes.io/name'. Which tool can be used to validate this in the admission controller stage?

128

What does SBOM stand for in the context of supply chain security?

129

An admin wants to scan a local filesystem for vulnerabilities using Trivy. Which command should they use?

130

Which tool can generate an SBOM for a container image?

131

A cluster has the ImagePolicyWebhook admission controller enabled. A pod creation is denied with the message 'image policy check failed'. The webhook server returns an error. Which of the following could be a valid reason?

132

Which Kubernetes admission controller ensures that a pod only uses images from a specific registry?

133

Which TWO of the following are best practices for securing the container supply chain? (Select 2)

134

Which THREE of the following can be used to enforce policies on container images in a Kubernetes cluster? (Select 3)

135

Which TWO of the following are valid methods to verify the integrity of a container image? (Select 2)

136

You are implementing supply chain security for container images. Which tool would you use to scan a local directory of Dockerfiles and Kubernetes manifests for known vulnerabilities?

137

Which of the following is a best practice for securing container images in a Kubernetes environment?

138

You need to enforce that all images deployed in the cluster are signed by a trusted key. Which Kubernetes admission control mechanism would you use?

139

A cluster administrator wants to allow only images from a specific registry (e.g., 'myregistry.io') to be deployed in the cluster. Which tool can be used to enforce this via admission control?

140

What is the purpose of an SBOM (Software Bill of Materials) in the context of supply chain security?

141

Which command would you use to sign a container image with Cosign?

142

You run 'trivy image myapp:latest' and the scan reports several critical CVEs. What is the best action to take?

143

A security engineer wants to ensure that all container images in a Kubernetes cluster have a non-root user. Which admission controller can enforce this requirement?

144

What is the correct way to specify a container image using a SHA digest instead of a tag for immutable deployments?

145

Which static analysis tool can be used to check Kubernetes manifests for security misconfigurations?

146

In a CI/CD pipeline, at which stage should container image scanning be performed?

147

You need to generate an SBOM for a container image. Which command should you use?

148

Which TWO of the following are valid admission controllers in Kubernetes? (Select TWO)

149

Which THREE of the following are best practices for Dockerfile security? (Select THREE)

150

Which TWO of the following are tools for image signing and verification? (Select TWO)

151

Which command scans a Docker image for CVEs using Trivy?

152

A security admin wants to ensure that only images signed with a specific key can run in the cluster. Which admission controller should be enabled?

153

A developer creates a Dockerfile with 'FROM ubuntu:latest'. The security team recommends using a minimal base image. Which change minimizes the attack surface?

154

An admin runs 'kubectl run nginx --image=nginx' and the pod fails with 'ImagePullBackOff'. The cluster has an OPA/Gatekeeper constraint that only allows images from 'myregistry.io'. How can the admin quickly test the restriction?

155

Which tool can generate an SBOM (Software Bill of Materials) from a container image?

156

A security audit reveals that a Deployment uses an image with a mutable tag 'app:latest'. Which change ensures the image is immutable and traceable?

157

Which kubectl command signs a container image using Cosign?

158

Which YAML field in a Deployment specifies the container user should not run as root?

159

A cluster uses Kyverno to enforce that all images come from a trusted registry. A new Deployment fails with a message that the image 'docker.io/library/nginx:latest' is not allowed. What Kyverno policy rule likely caused this?

160

To verify a signed container image, which command should be used?

161

Which static analysis tool is specifically designed to evaluate Kubernetes manifests against security best practices?

162

In a CI/CD pipeline, which step is MOST effective for detecting known vulnerabilities in a container image before deployment?

163

Which TWO practices improve supply chain security for container images? (Select two.)

164

Which THREE are valid admission controllers in Kubernetes? (Select three.)

165

Which TWO tools can generate an SBOM for a container image? (Select two.)

166

A security team wants to ensure that all container images in a cluster are scanned for critical CVEs before they are run. They decide to use an admission controller. Which Kubernetes built-in admission controller should they configure?

167

A developer runs 'trivy image myapp:latest' and gets a report with several CRITICAL CVEs. Which action would BEST address the supply chain security risk?

168

An administrator wants to enforce that only images signed by a trusted key can run in the cluster. They have configured cosign and want to use a Kubernetes admission controller. Which tool should they deploy?

169

You are asked to generate an SBOM for a container image and attach it as an attestation using cosign. Which two commands would you run in sequence?

170

A Kubernetes cluster has Kyverno installed. You want to enforce that all container images come from a trusted registry 'trusted-registry.example.com'. Which Kyverno policy rule type would you use?

171

Which of the following is a BEST practice for securing container images in a Dockerfile?

172

A CI pipeline uses 'checkov' to scan Kubernetes manifests. Which of the following is a common checkov check related to supply chain security?

173

A pod is stuck in Pending state. 'kubectl describe pod' shows the event: '0/4 nodes are available: 1 node had taint {node-role.kubernetes.io/control-plane: }, that the pod didn't tolerate, 3 Insufficient memory.' The pod YAML does not specify any tolerations. Which command would allow the pod to schedule on the control-plane node?

174

You need to sign a container image using cosign with a key stored in an environment variable. Which command should you use?

175

What is the primary purpose of an SBOM in supply chain security?

176. You have a Kyverno policy that validates images are from a specific registry. However, a pod using an image from that registry is still blocked. The pod YAML includes 'imagePullPolicy: Always'. What could be the issue?

177. Which TWO of the following are valid ways to verify a container image signature using cosign?

178. Which TWO of the following are best practices for securing the software supply chain in a CI/CD pipeline?

179. Which THREE of the following are valid approaches to prevent containers from running as root in a Kubernetes cluster?

180. Which THREE of the following are tools used for static analysis of Kubernetes manifests?

181. A security team wants to ensure that only container images from a trusted registry (mytrustedregistry.io) are deployed in the cluster. They plan to use OPA/Gatekeeper. Which kind of Gatekeeper constraint template and constraint should they create?

182. You are configuring the ImagePolicyWebhook admission controller to reject images not signed by a trusted authority. After deploying the webhook, you notice that pods are being rejected even for images that are properly signed. Which configuration change is MOST likely to fix this?

183. A developer wants to verify the signature of a container image before deploying it. Which command should they use along with Cosign?

184. During a CI/CD pipeline, you run 'trivy image myapp:latest' and get a high number of vulnerabilities. What is the BEST action to reduce the vulnerability count?

185. A security policy requires that all container images must reference a specific SHA256 digest instead of a tag. You need to enforce this using Kyverno. Which Kyverno rule type and pattern would you use?

186. Which TWO of the following are valid methods to supply a Kubernetes manifest to kubesec for static analysis?

187. Which TWO of the following are best practices for Dockerfile security according to CKS guidelines?

188. Which THREE of the following are valid admission controllers involved in the Kubernetes admission flow that can be used for supply chain security?

189. Which TWO of the following tools can generate an SBOM (Software Bill of Materials) for a container image?

190. Which THREE of the following are valid flags for the 'trivy image' command to output results in different formats?
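Several of the stems above ask for the same three Kyverno controls: restrict images to a trusted registry (170, 181), require digest-pinned references (185), and reject images that lack a cosign signature (168, 176). The ClusterPolicy below is an added worked example written for this page, not a policy from Courseiva, the CKS curriculum or the Kyverno project. The registry name trusted-registry.example.com is taken from the stems; the policy and rule names, the test Pod and the public-key placeholder are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: supply-chain-image-controls      # assumed name
spec:
  validationFailureAction: Enforce       # reject non-compliant Pods instead of only auditing
  background: false                      # admission-time only; verifyImages cannot run in background scans
  rules:
    # Rule 1 (validate): every container image must come from the trusted registry.
    # A pattern under a list applies to each element, so one entry covers all containers.
    - name: trusted-registry-only
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Only images from trusted-registry.example.com are allowed."
        pattern:
          spec:
            =(initContainers):             # equality anchor: checked only when initContainers exist
              - image: "trusted-registry.example.com/*"
            containers:
              - image: "trusted-registry.example.com/*"

    # Rule 2 (validate): images must be pinned by sha256 digest, not by a mutable tag.
    - name: require-image-digest
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must be referenced by digest (name@sha256:<hex>), not by tag."
        pattern:
          spec:
            =(initContainers):
              - image: "*@sha256:*"
            containers:
              - image: "*@sha256:*"

    # Rule 3 (verifyImages): the image must carry a cosign signature made with the
    # private key matching this public key; otherwise the Pod is rejected.
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "trusted-registry.example.com/*"
          required: true                   # a missing signature is a failure, not a skip
          mutateDigest: false              # do not rewrite tags to digests; rule 2 stays meaningful
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder, not a real key: paste the contents of cosign.pub here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub>
                      -----END PUBLIC KEY-----
---
# Constructed test Pod (assumed names). It passes rule 1 but fails rule 2 (tag, no
# digest) and, with no signature in the registry, rule 3; kubectl apply is rejected.
apiVersion: v1
kind: Pod
metadata:
  name: tag-only
spec:
  containers:
    - name: app
      image: trusted-registry.example.com/team/myapp:1.4.2
```

Three practical notes. First, none of these rules look at imagePullPolicy; they only inspect the image strings, so a Pod blocked despite coming from the allowed registry is failing on the pattern itself (for example an image written as trusted-registry.example.com:5000/... or a reference in an initContainer the pattern does not cover), not on the pull policy. Second, Kyverno evaluates verifyImages rules during its mutating webhook, before validate rules; with the default mutateDigest: true it would rewrite a signed tag reference to its digest and rule 2 would then pass, so mutateDigest: false is what makes the digest rule enforce what authors actually wrote. Third, keep background: false on any policy with a verifyImages rule, because Kyverno only performs signature verification at admission time.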



Frequently asked questions

What does the Supply Chain Security domain cover on the CKS exam?

The Supply Chain Security domain, as defined in the CNCF CKS curriculum, covers minimizing the base image footprint, securing the supply chain (allowlisting registries, signing and validating images), static analysis of user workloads (Kubernetes manifests and Dockerfiles), and scanning images for known vulnerabilities. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKS domains, with no account required.

How many Supply Chain Security questions are in the CKS question bank?

The Courseiva CKS question bank contains 190 questions in the Supply Chain Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Supply Chain Security for CKS?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Supply Chain Security questions for CKS?

Yes — the session launcher on this page draws questions exclusively from the Supply Chain Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
