Practice CKS System Hardening questions with full explanations on every answer.
System Hardening — choose a session length
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A security team is hardening a Kubernetes cluster. They need to ensure that all control plane components run with the least privilege. Which approach should they take?
2. An administrator wants to restrict pods from running as root. Which admission controller should be enabled?
3. A cluster has been compromised due to a container running with privilege escalation. The team wants to prevent any container from gaining new privileges. Which configuration should be applied?
4. During a security audit, it was found that some pods have access to the host network. How can an administrator restrict host network access for all pods in the cluster?
5. A DevOps team wants to ensure that all container images are pulled from a trusted registry only. Which cluster-level configuration should be applied?
6. An attacker exploited a container escape vulnerability. The team wants to mitigate such attacks by restricting containers from accessing the host's kernel capabilities. Which set of capabilities should be dropped from all containers?
7. A cluster is running Kubernetes 1.24. The security team wants to enforce that all pods run with a read-only root filesystem. Which approach is most effective?
8. A developer wants to run a container that needs to modify kernel parameters. What is the secure way to achieve this?
9. Which TWO of the following are effective methods to harden the kubelet against unauthorized access?
10. Which THREE of the following are recommended practices for securing the etcd datastore?
11. Which TWO of the following are valid approaches to restrict which nodes a pod can run on?
12. A pod manifest is shown. What security issue remains in this configuration?
13. Given the exhibit, what will happen when a user creates a pod with an image from an untrusted registry?
14. You are a security engineer for a large e-commerce company. The Kubernetes cluster runs on-premises and hosts critical payment processing applications. Recently, a security scan revealed that several pods are running with privilege escalation enabled, and some have a writable root filesystem. The cluster uses Kubernetes v1.26 with the PodSecurity admission controller enabled but currently set to the 'privileged' profile for all namespaces. The development teams require flexibility for some legacy applications that need to run with hostNetwork or hostPID. However, the security team wants to enforce a restricted profile for most namespaces while allowing exceptions. The CISO has mandated that no pod should run as root, and all pods must have a read-only root filesystem and privilege escalation disabled. Additionally, any pod that requires hostNetwork or hostPID must be explicitly approved and placed in a separate namespace. You need to design a solution that meets these requirements with minimal operational overhead. What is the best course of action?
15. You are managing a Kubernetes cluster that hosts multiple microservices. The cluster uses Kubernetes v1.25. Recently, a security audit identified that containers are running with the default seccomp profile (unconfined). The security team has requested that all containers use a seccomp profile that blocks unnecessary syscalls. You need to implement this cluster-wide without breaking existing applications. The audit also found that the kubelet's anonymous authentication is enabled, which should be disabled. Additionally, you need to ensure that the NodeRestriction admission plugin is enabled on the API server to limit what kubelets can modify. Which of the following is the most appropriate sequence of actions?
16. A security engineer is hardening a Kubernetes node and wants to ensure that kubelet does not accept requests from unauthorized sources. Which kubelet configuration change should be made?
17. During a security audit, it is found that containers running in a cluster have the CAP_NET_RAW capability by default. The team wants to drop this capability for all containers. Which approach should be taken?
18. A cluster has enabled the NodeRestriction admission controller. A developer is trying to create a pod with hostNetwork: true but is getting an error. What is the most likely reason?
19. Refer to the exhibit. A security engineer sees that podPidsLimit is set to -1. What security concern does this raise?
20. Refer to the exhibit. The pod fails to start with the error 'container has runAsNonRoot but image will run as root'. Which change would fix the issue?
21. Which TWO of the following are effective measures to harden the Kubernetes API server against unauthorized access?
22. Which THREE of the following are recommended practices for securing container images in a Kubernetes environment?
23. A cluster uses a custom mutating admission webhook that adds a sidecar container to all pods. After an upgrade, the webhook crashes and pods cannot be created. What is the best way to prevent this scenario in future?
24. A security team wants to ensure that no pod runs with privileged access. They have created a PodSecurityPolicy (PSP) that sets 'privileged: false'. However, a pod with privileged: true still gets created. What is the most likely cause?
25. You are a security engineer at a company running a Kubernetes cluster in production. The cluster uses containerd as the container runtime and has been configured with the Node authorizer and the NodeRestriction admission controller. Recently, a security audit revealed that several pods running as root have been compromised via container escape vulnerabilities. The audit report recommends hardening the nodes to reduce the attack surface. Specifically, you need to ensure that even if an attacker gains root access inside a container, they cannot execute privileged operations on the host node, such as loading kernel modules, modifying host network settings, or accessing host devices. The cluster runs on Ubuntu 20.04 nodes with Linux kernel 5.4. You have access to modify node-level configurations but must minimize performance impact and avoid breaking existing workloads that rely on standard Linux capabilities. Which of the following actions would most effectively mitigate these risks?
26. A security auditor reviews a Kubernetes cluster and finds that several nodes have container runtimes with default configurations. Which TWO of the following actions should be taken to harden the container runtime?
27. You are a platform engineer for a financial services company. Your Kubernetes cluster runs on bare-metal nodes with Ubuntu 20.04 and uses containerd as the container runtime. The cluster is in production with 50 worker nodes. A recent security scan shows that all nodes have the 'overlayfs' kernel module loaded, which is not required. The security policy requires minimal kernel modules. You need to disable the module without disrupting running containers. What should you do?
28. Order the steps to configure and use Falco for runtime security in a Kubernetes cluster.
29. Match each etcd security configuration to its description.
30. An administrator wants to enforce the Pod Security Standard 'restricted' for all pods in the 'secure' namespace. Which kubectl command correctly applies the PodSecurity enforcement label to that namespace?
31. A pod is running with AppArmor enabled using a profile named 'k8s-apparmor-profile'. You want to verify that the profile is loaded and set to enforce mode. Which command should you run on the node?
32. Which annotation is used to apply an AppArmor profile named 'custom-profile' to a container named 'app' in a pod?
33. You are creating a custom seccomp profile for a container that runs a binary requiring the 'write' syscall only. You place the profile JSON file at '/var/lib/kubelet/seccomp/profiles/write-only.json'. In the pod spec, which seccomp configuration correctly uses this profile?
34. Which Linux capability must be added to a container to allow it to change the system time (e.g., using the 'date' command)?
35. A security policy requires that containers should drop all capabilities and only add back the specific capabilities needed. Which YAML snippet correctly implements this for a container?
36. A pod is scheduled on a node that has the AppArmor profile 'my-profile' loaded in complain mode. The pod annotation specifies 'localhost/my-profile' but the container is running without the profile being enforced. What is the most likely cause?
37. Which of the following is correct about dropping the 'NET_RAW' capability?
38. What is the default seccomp profile applied when a pod's security context has 'seccompProfile.type: RuntimeDefault'?
39. You are tasked with reducing the attack surface on a Kubernetes node. Which of the following actions is LEAST effective for hardening the node itself?
40. A pod spec includes 'hostPID: true' and 'hostNetwork: true'. What security concern does this raise?
41. Which of the following is NOT a valid seccomp profile type in Kubernetes?
42. You need to apply a Pod Security Standard that prevents containers from running as root and disallows privilege escalation. Which TWO levels enforce these requirements?
43. A security auditor recommends limiting the use of host namespaces in pods. Which THREE of the following fields, if set to true, expose the host namespace to a container?
44. Which TWO of the following are valid modes for an AppArmor profile?
45. An administrator wants to enforce that no container in a specific namespace runs with the privileged security context. They decide to use Pod Security Standards. Which Pod Security Standard level should be applied to the namespace?
46. A security engineer needs to apply a custom AppArmor profile to a pod. The profile is named 'k8s-apparmor-example-deny-write' and is loaded on the node. Which annotation should be added to the pod's metadata to enforce this profile?
47. Which command loads an AppArmor profile from a file into the kernel?
48. A pod is configured with a custom seccomp profile stored at /var/lib/kubelet/seccomp/custom-profile.json. The pod manifest uses securityContext.seccompProfile with type: Localhost and localhostProfile: "custom-profile.json". The pod fails to start with the error 'seccomp profile not found'. What is the most likely cause?
49. Which of the following correctly adds the NET_ADMIN capability to a container in a Kubernetes pod?
50. An administrator wants to prevent a container from accessing the host's network. Which pod spec field should be set to false?
51. A security policy requires that all containers in the 'staging' namespace drop all Linux capabilities and only add the necessary ones. Which pod security context configuration achieves this?
52. Which of the following commands shows all loaded AppArmor profiles?
53. A cluster administrator wants to enforce Pod Security Standards at the namespace level using the built-in PodSecurity admission controller. The namespace 'test' should reject any pod that violates the 'baseline' level. Which command applies this correctly?
54. A custom seccomp profile is defined as follows: { "defaultAction": "SCMP_ACT_ALLOW", "architectures": ["SCMP_ARCH_X86_64"], "syscalls": [ { "names": ["mkdir", "chmod"], "action": "SCMP_ACT_ERRNO" } ] } The profile is placed at /var/lib/kubelet/seccomp/deny-mkdir.json. Which pod securityContext configuration correctly applies this profile?
55. A pod in namespace 'secure' has the following securityContext: securityContext: runAsNonRoot: true runAsUser: 1000 capabilities: drop: ["ALL"] add: ["NET_BIND_SERVICE"] The pod fails to start. The namespace is enforced with the 'restricted' Pod Security Standard. What is the most likely reason?
56. An administrator wants to reduce the attack surface of a Kubernetes node by disabling unnecessary system services. Which of the following services is considered unnecessary on a dedicated Kubernetes worker node and can be safely disabled?
57. Which TWO of the following are valid methods to apply a seccomp profile to a Kubernetes pod? (Select two.)
58. Which TWO of the following are valid AppArmor profile modes? (Select two.)
59. Which THREE of the following are best practices for minimizing host access from containers to reduce the attack surface? (Select three.)
60. A security engineer wants to enforce that all containers in a namespace run without any unnecessary Linux capabilities, dropping all capabilities by default and only adding back what is needed. Which Pod Security Standard should be applied to that namespace using PodSecurity admission?
61. A cluster administrator wants to apply a custom seccomp profile located at '/var/lib/kubelet/seccomp/audit.json' to a pod. Which YAML snippet correctly configures the pod's security context to use this profile?
62. Which kubectl command is used to check the AppArmor status on a Kubernetes node?
63. A pod with the following annotation is created: 'container.apparmor.security.beta.kubernetes.io/webserver: localhost/k8s-apparmor-profile'. However, the pod remains in the 'Pending' state and the node logs show 'AppArmor not available'. What is the most likely cause?
64. A DevOps engineer wants to ensure that all pods in a namespace have seccomp set to RuntimeDefault unless explicitly overridden. Which approach should be used to enforce this?
65. An administrator wants to use AppArmor to confine a container. They have loaded a profile named 'my-custom-profile' using apparmor_parser. Which annotation should be added to the pod to enforce this profile?
66. Which Linux capability should be dropped to prevent a container from gaining new privileges via setuid binaries?
67. A pod is scheduled on a node that has AppArmor enabled, and the pod has the annotation 'container.apparmor.security.beta.kubernetes.io/nginx: localhost/deny-write'. The profile 'deny-write' is loaded. However, the nginx container is able to write to the filesystem. What is the most likely issue?
68. Which of the following is the correct way to drop all capabilities from a container in a pod specification?
69. A cluster has PodSecurity admission enabled. A developer creates a pod with the following security context: 'securityContext: { capabilities: { drop: ["ALL"], add: ["NET_ADMIN"] } }'. The namespace is labeled 'pod-security.kubernetes.io/enforce: baseline'. Will the pod be allowed?
70. A security auditor wants to ensure that no container in the cluster has the CAP_SYS_ADMIN capability. Which of the following is the most effective way to enforce this cluster-wide?
71. Which of the following host access settings should be disabled to reduce the attack surface of a container?
72. Which TWO of the following are valid methods to apply a custom seccomp profile to a pod in Kubernetes?
73. Which THREE of the following are best practices for reducing the attack surface of Kubernetes nodes?
74. Which TWO of the following are true about AppArmor profiles in Kubernetes?
75. An administrator wants to enforce that all pods in a namespace use the restricted Pod Security Standard. Which of the following commands correctly enables this enforcement?
76. A security team wants to ensure that all containers in a pod run with only the minimum required Linux capabilities. Which of the following approaches is BEST?
77. Which of the following is the correct annotation to apply an AppArmor profile named 'my-profile' to a container named 'app' in a pod?
78. A pod is running with a custom seccomp profile located at /var/lib/kubelet/seccomp/my-profile.json. Which securityContext configuration correctly applies this profile?
79. A cluster administrator has applied a PodSecurityPolicy (PSP) to restrict privileged containers. After upgrading to Kubernetes 1.25, they notice that PSPs are no longer working. What is the MOST likely reason?
80. Which kubectl command is used to check whether AppArmor is enabled and which profiles are loaded on a node?
81. A pod has the following security context: capabilities: { drop: ['ALL'] } and privileged: false. The pod fails to start because it requires the ability to run iptables commands. Which of the following should be added to the pod's security context?
82. Which of the following fields in a PodSecurityPolicy (or Pod Security Standards) prevents a container from running as root?
83. A security auditor wants to verify that the AppArmor profile 'my-profile' is in enforce mode on a running container. Which command should they run on the node?
84. A pod is in a Pending state with the event: 'failed to generate spec: failed to validate seccomp profile: seccomp profile not found'. The profile is stored at /var/lib/kubelet/seccomp/custom.json on the node. Which of the following is the MOST likely cause?
85. Which of the following is the correct way to apply an AppArmor profile named 'my-profile' to a pod using the annotation?
86. A pod is configured with securityContext: { seccompProfile: { type: RuntimeDefault } }. Which of the following is true about this configuration?
87. Which of the following is the correct command to load an AppArmor profile from a file named 'my-profile'?
88. A container runs with the default seccomp profile but the application needs to make a specific syscall that is blocked. Which approach should be taken?
89. Which of the following pod spec settings prevents a container from using the host network namespace?
90. Which TWO of the following are valid ways to reduce the attack surface of a Kubernetes node? (Select 2)
91. Which TWO of the following are valid Pod Security Standard levels? (Select 2)
92. Which THREE of the following are correct statements about seccomp in Kubernetes? (Select 3)
93. Which annotation is used to apply an AppArmor profile to a pod?
94. A security admin wants to drop all Linux capabilities for a container and then add only CAP_NET_BIND_SERVICE. Which YAML snippet correctly achieves this?
95. An admin runs 'kubectl describe pod secure-pod' and sees 'seccompProfile: RuntimeDefault' under the container's security context. Which seccomp profile is being used?
96. A cluster administrator wants to enforce the Pod Security Standard 'restricted' at the namespace level. Which command applies the PodSecurity admission label to the 'prod' namespace?
97. Which command loads an AppArmor profile into the kernel?
98. A pod is created with the following security context: securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.json Where must the 'audit.json' file be placed on the node?
99. A container runs as non-root and needs to perform operations that require CAP_SYS_PTRACE. Which YAML snippet correctly adds only this capability while following the principle of least privilege?
100. Which Pod Security Standard level allows the use of hostNetwork, hostPID, and hostIPC?
101. An administrator runs 'kubectl run test-pod --image=nginx --dry-run=client -o yaml > pod.yaml', then adds 'hostPID: true' and 'hostNetwork: true' to the pod's spec. After applying with 'kubectl apply -f pod.yaml', the pod is created but immediately goes into 'CrashLoopBackOff'. What is the likely cause?
102. Which of the following is the correct way to disable swap on a Kubernetes node to improve security?
103. A custom seccomp profile is created at /var/lib/kubelet/seccomp/custom-profile.json. Which YAML snippet applies this profile to a container?
104. An admin wants to check which AppArmor profiles are loaded. Which command should they run?
105. Which TWO of the following are valid methods to apply a seccomp profile to a pod in Kubernetes?
106. Which THREE of the following are best practices for reducing the attack surface of a Kubernetes node?
107. Which TWO of the following are valid AppArmor profile modes?
108. An administrator wants to enforce a custom AppArmor profile named 'k8s-apparmor-example' on a pod. The profile has been loaded on the node. Which annotation should be added to the pod's metadata to apply this profile?
109. Which command is used to load an AppArmor profile into the kernel?
110. A pod spec includes the following securityContext: securityContext: seccompProfile: type: Localhost localhostProfile: custom-profile.json Where should the custom seccomp profile 'custom-profile.json' be placed on the node?
111. A cluster administrator wants to prevent all containers in a namespace from running with the NET_RAW capability. They plan to use a PodSecurityPolicy (PSP), but PSP is deprecated. Which approach should they use instead?
112. A container is running with the following securityContext: securityContext: capabilities: drop: ["ALL"] add: ["NET_BIND_SERVICE"] Which capabilities will the container have?
113. To reduce the attack surface, a security best practice is to drop all capabilities from a container and add only those required. Which securityContext field is used to drop all capabilities?
114. A security auditor reports that a container can sniff network traffic on the host. Which field in the pod spec should be checked and set to false to prevent this?
115. An administrator needs to enforce the restricted Pod Security Standard on the namespace 'secure-ns'. Which kubectl command should they use?
116. Which of the following seccomp profile types should be used to apply the container runtime's default seccomp profile?
117. A pod is running with securityContext.seccompProfile.type: Unconfined. Which statement is true?
118. An AppArmor profile is loaded in 'complain' mode. What happens when a pod with that profile attempts an action that violates the profile?
119. Which of the following is NOT a recommended method to reduce the attack surface on Kubernetes nodes?
120. Which TWO of the following are valid methods to apply a seccomp profile to a container? (Select 2 correct answers)
121. Which THREE of the following actions help reduce the attack surface of containers? (Select 3 correct answers)
122. Which TWO of the following are valid AppArmor profile modes? (Select 2 correct answers)
123. A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod had been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?
124. Which annotation is used to apply an AppArmor profile to a pod in Kubernetes?
125. An administrator creates a custom seccomp profile and wants to apply it to a pod. The profile file is named 'audit.json' and is placed in the default seccomp directory on the node. Which securityContext field should be used?
126. A security team wants to enforce that no container in the 'restricted' namespace runs with added Linux capabilities beyond the default set (according to the restricted Pod Security Standard). Which PodSecurityConfiguration should be applied to the namespace?
127. Which command loads an AppArmor profile from a file into the kernel?
128. You need to apply a seccomp profile to all containers in a pod. The profile is named 'custom-profile.json' and is stored on each node at /var/lib/kubelet/seccomp/. Complete the following YAML snippet: ```yaml apiVersion: v1 kind: Pod metadata: name: secure-pod spec: securityContext: seccompProfile: type: Localhost localhostProfile: ??? ``` What should replace ???
129. An administrator wants to ensure that containers in a pod cannot run with any Linux capabilities except the minimal set required for the container runtime. The pod is subject to the 'restricted' Pod Security Standard. Which capability configuration should be set in the pod's security context?
130. A node in your cluster is running unnecessary services that increase the attack surface. Which of the following is the BEST approach to reduce the attack surface on the node?
131. Which of the following is a valid way to check the status of AppArmor profiles on a node?
132. A container needs to run with the NET_ADMIN capability to modify network settings. The cluster enforces the baseline Pod Security Standard. Which securityContext configuration should be used?
133. Which of the following host access settings should be avoided to minimize the attack surface from containers? (Select the setting that increases risk the most.)
134. What is the purpose of the 'seccomp' feature in Kubernetes?
135. After deploying a pod with an AppArmor profile, the pod status shows 'ContainerCreating' for a long time and then fails. What is the most likely cause?
136. Which of the following is the correct way to drop all Linux capabilities for a container?
137. An administrator wants to prevent containers from using hostNetwork, hostPID, and hostIPC. Which Pod Security Standard level enforces these restrictions?
138. Which TWO of the following are valid seccomp profile types in Kubernetes? (Select two.)
139. Which THREE of the following are best practices for reducing the attack surface of Kubernetes nodes? (Select three.)
140. Which TWO of the following are valid AppArmor profile modes? (Select two.)
141. Which THREE of the following are restrictions enforced by the 'baseline' Pod Security Standard? (Select three.)
142. Which TWO of the following are correct ways to apply a seccomp profile named 'audit.json' located on each node? (Select two.)
143. Which annotation is used to apply an AppArmor profile to a pod in Kubernetes?
144. An administrator wants to run a container that requires the SYS_TIME capability. Which field should be used in the securityContext to add this capability?
145. A pod is using a custom seccomp profile stored at /var/lib/kubelet/seccomp/custom-profile.json. Which securityContext configuration correctly references this profile?
146. An administrator runs 'aa-status' on a node and sees a profile in 'complain' mode. What does this indicate?
147. What is the effect of setting 'hostPID: true' in a pod's spec?
148. Which Pod Security Standard level allows the most relaxed security controls?
149. A cluster uses PodSecurity admission. A namespace has the label 'pod-security.kubernetes.io/enforce: baseline'. A user creates a pod that runs a container with 'privileged: true'. What happens?
150. An administrator wants to drop all capabilities for a container and then add back only NET_BIND_SERVICE. Which securityContext configuration is correct?
151. Which tool is used to load AppArmor profiles on a node?
152. What is the default seccomp profile for Kubernetes containers when no seccompProfile is specified?
153. A pod runs with 'hostNetwork: true' and 'hostPID: true'. Which security concern is MOST directly increased?
154. An administrator creates a custom seccomp profile and places it at /var/lib/kubelet/seccomp/myprofile.json. Which securityContext field is used to apply this profile to a container?
155. Which TWO of the following are valid Pod Security Standards levels?
156. Which THREE of the following are recommended measures to reduce the attack surface of Kubernetes nodes?
157. Which TWO of the following are valid AppArmor profile modes?
158. A cluster administrator wants to enforce that all pods in the 'restricted' namespace use the Restricted Pod Security Standard. Which command achieves this?
159. You have built a custom seccomp profile at /var/lib/kubelet/seccomp/audit.json. Which YAML snippet correctly applies this profile to a container?
160. Which TWO AppArmor modes are available? (Select 2)
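Many of the questions above (14, 40, 42, 55, 69, 137, 149 and their variants) come down to which pod and container fields the baseline and restricted Pod Security Standards inspect, and what each level rejects. The Python script below is an added example written for this page; it is not Courseiva's code, not part of Kubernetes, and not the PodSecurity admission controller itself. It encodes the host-namespace, privileged, privilege-escalation, capability, runAsNonRoot/runAsUser, seccomp and AppArmor rules of the two levels and reports the violations for two constructed manifests. Assumptions: manifests are Python dicts standing in for parsed YAML, the volume-type, sysctl and /proc mount rules of the real profiles are omitted, and check_pod() is a hypothetical name.

```python
"""
Pod Security Standard checker (baseline vs. restricted) over a pod dict.
Added example for this page; not Courseiva's or Kubernetes' own code and not
the PodSecurity admission controller. Volume, sysctl and /proc rules omitted.
"""
from __future__ import annotations

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Capabilities baseline lets a container add back. Restricted allows only
# NET_BIND_SERVICE and additionally requires drop: ["ALL"].
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
RESTRICTED_ADD_CAPS = {"NET_BIND_SERVICE"}


def _containers(spec: dict) -> list[dict]:
    """App, init and ephemeral containers are all subject to the profile."""
    out: list[dict] = []
    for key in ("containers", "initContainers", "ephemeralContainers"):
        out.extend(spec.get(key) or [])
    return out


def _cap(name: str) -> str:
    """'CAP_NET_RAW', 'net_raw' and 'NET_RAW' all name the same capability."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def check_pod(pod: dict, level: str = "restricted") -> list[str]:
    """Violations of `level` ('baseline' or 'restricted'); an empty list means admitted."""
    if level not in ("baseline", "restricted"):
        raise ValueError(f"unknown level {level!r}")
    restricted = level == "restricted"
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    problems: list[str] = []

    # Host namespaces are rejected at both levels.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            problems.append(f"spec.{field} must not be true ({level})")

    # AppArmor annotation, if present, must be runtime/default or localhost/<name>.
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    for key, value in annotations.items():
        if key.startswith(APPARMOR_PREFIX):
            if not (value == "runtime/default" or value.startswith("localhost/")):
                problems.append(f"{key}: AppArmor profile {value!r} not allowed ({level})")

    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    allowed_add = RESTRICTED_ADD_CAPS if restricted else BASELINE_ADD_CAPS

    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = {_cap(a) for a in caps.get("add") or []}
        dropped = {_cap(d) for d in caps.get("drop") or []}

        if sc.get("privileged"):
            problems.append(f"{name}: privileged must not be true ({level})")

        # Container-level seccomp overrides pod-level; unset inherits the pod value.
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp == "Unconfined":
            problems.append(f"{name}: seccompProfile.type Unconfined not allowed ({level})")
        elif restricted and seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: restricted requires seccompProfile.type RuntimeDefault or Localhost")

        if added - allowed_add:
            problems.append(f"{name}: capabilities.add {sorted(added - allowed_add)} not allowed ({level})")

        if not restricted:
            continue  # the remaining rules exist only in the restricted profile
        if "ALL" not in dropped:
            problems.append(f"{name}: restricted requires capabilities.drop to include ALL")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: restricted requires allowPrivilegeEscalation: false")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: restricted requires runAsNonRoot: true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{name}: restricted forbids runAsUser: 0")
    return problems


# Constructed sample manifests; neither comes from a real cluster.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web",
                 "annotations": {APPARMOR_PREFIX + "app": "localhost/k8s-apparmor-profile"}},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"],
                                                                  "add": ["NET_BIND_SERVICE"]}}}]},
}

# The shape from question 69, plus host namespaces and an unconfined AppArmor annotation.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "annotations": {APPARMOR_PREFIX + "tool": "unconfined"}},
    "spec": {"hostPID": True, "hostNetwork": True,
             "containers": [{"name": "tool", "image": "busybox",
                             "securityContext": {"capabilities": {"drop": ["ALL"],
                                                                  "add": ["NET_ADMIN"]}}}]},
}
```

Running check_pod(RISKY_POD, "baseline") answers question 69 directly: the pod is rejected even at baseline, because NET_ADMIN is not on the baseline add-back list, independent of the host namespaces. The question 55 manifest (runAsNonRoot, runAsUser 1000, drop ALL, add NET_BIND_SERVICE) fails restricted for two reasons the checker lists: allowPrivilegeEscalation is not explicitly false, and no seccompProfile of type RuntimeDefault or Localhost is set.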
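The seccomp questions (33, 48, 54, 84, 98, 110, 117, 152) rest on two mechanics: where the kubelet looks for a Localhost profile, and which action a profile JSON assigns to a given syscall. The following Python script is an added example for this page, not Kubernetes or Courseiva code. Assumptions: the kubelet's seccomp root is its default, /var/lib/kubelet/seccomp (the seccomp directory under the kubelet root-dir); the profile text is the one quoted in question 54, re-typed here as a constructed string; argument filters inside rules are not modelled; and the function names are hypothetical.

```python
"""
Seccomp mechanics behind the Localhost-profile questions.
Added example; not Courseiva's or Kubernetes' own code. Assumes the kubelet's
default seccomp root and an OCI-style profile JSON (defaultAction + rules).
"""
from __future__ import annotations

import json
import posixpath

DEFAULT_SECCOMP_ROOT = "/var/lib/kubelet/seccomp"  # assumption: default kubelet root-dir

# Constructed copy of the profile quoted in question 54.
DENY_MKDIR_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    { "names": ["mkdir", "chmod"], "action": "SCMP_ACT_ERRNO" }
  ]
}
""")


def resolve_localhost_profile(localhost_profile: str,
                              root: str = DEFAULT_SECCOMP_ROOT) -> str:
    """File the kubelet opens for seccompProfile.localhostProfile.

    The API requires a non-empty, descending, relative path, which the kubelet
    joins onto its seccomp root: 'profiles/audit.json' means
    /var/lib/kubelet/seccomp/profiles/audit.json. The file must exist on every
    node the pod can be scheduled to, or the container fails with
    'seccomp profile not found'.
    """
    if not localhost_profile:
        raise ValueError("localhostProfile is required when type is Localhost")
    if posixpath.isabs(localhost_profile) or ".." in localhost_profile.split("/"):
        raise ValueError("localhostProfile must be a descending path relative to the seccomp root")
    root = root.rstrip("/")
    full = posixpath.normpath(posixpath.join(root, localhost_profile))
    if not full.startswith(root + "/"):
        raise ValueError("localhostProfile must not escape the seccomp root")
    return full


def is_valid_localhost_profile(localhost_profile: str) -> bool:
    """True if the value would pass API validation as a Localhost profile name."""
    try:
        resolve_localhost_profile(localhost_profile)
        return True
    except ValueError:
        return False


def effective_profile(security_context: dict,
                      kubelet_seccomp_default: bool = False,
                      root: str = DEFAULT_SECCOMP_ROOT) -> str:
    """What the container actually runs under for a given securityContext.

    With no seccompProfile set the kubelet applies nothing (unconfined) unless
    its seccompDefault setting is on, which makes the runtime default apply,
    exactly as type RuntimeDefault does.
    """
    profile = security_context.get("seccompProfile") or {}
    kind = profile.get("type")
    if kind is None:
        return "runtime/default" if kubelet_seccomp_default else "unconfined"
    if kind == "RuntimeDefault":
        return "runtime/default"
    if kind == "Unconfined":
        return "unconfined"
    if kind == "Localhost":
        return "localhost:" + resolve_localhost_profile(profile.get("localhostProfile", ""), root)
    raise ValueError(f"unknown seccompProfile.type {kind!r}")


def syscall_action(profile: dict, syscall: str) -> str:
    """Action for one syscall: the first rule naming it wins, else defaultAction."""
    for rule in profile.get("syscalls") or []:
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def explicitly_denied_syscalls(profile: dict) -> list[str]:
    """Syscalls a rule assigns a non-ALLOW action (ERRNO, KILL, TRAP, LOG, ...)."""
    names: set[str] = set()
    for rule in profile.get("syscalls") or []:
        if rule.get("action") != "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return sorted(names)
```

For the question 54 profile, syscall_action() returns SCMP_ACT_ERRNO for mkdir and chmod and SCMP_ACT_ALLOW for everything else, which is why a process inside the container sees EPERM-style failures on those two calls rather than being killed. The path helper shows the answer to questions 48 and 84: the kubelet never searches anywhere but under its seccomp root, so a profile that is present on one node and missing on another fails only on the nodes where it is absent.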
The System Hardening domain covers the key concepts tested in this area of the CKS exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKS domains — no account required.
The Courseiva CKS question bank contains 160 questions in the System Hardening domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the System Hardening domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.