Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCKSExam Questions

CNCF · Free Practice Questions · Last reviewed May 2026

CKS Exam Questions and Answers

48real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

120 min time limit
8 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Monitoring Logging and Runtime Security2. Cluster Setup and Hardening3. System Hardening4. Minimize Microservice Vulnerabilities5. Supply Chain Security6. Monitoring, Logging and Runtime Security7. Cluster Setup8. Cluster Hardening
1

Domain 1: Monitoring Logging and Runtime Security

All Monitoring Logging and Runtime Security questions
Q1
mediumFull explanation →

A security team wants to detect anomalous process executions in containers without modifying the container images or requiring agents inside containers. Which approach is most suitable?

A

Configure CRI-O to log all container process starts to syslog.

B

Deploy Falco as a DaemonSet using eBPF probe to monitor system calls.

Falco on the host can detect container process anomalies without modifying images.

C

Enable Kubernetes audit logging and parse the logs for process events.

D

Use OPA Gatekeeper to enforce allowed process lists in pod specs.

Why: Falco, deployed as a DaemonSet with an eBPF probe, can monitor system calls at the kernel level without modifying container images or requiring agents inside containers. This allows it to detect anomalous process executions in real time by analyzing syscall events from the host, which is the most suitable approach for runtime security monitoring in Kubernetes.
Q2
hardFull explanation →

An organization uses Kubernetes with multiple namespaces and wants to ensure that containers running as non-root cannot escalate to root via setuid binaries. Which combination of security contexts and Pod Security Standards achieves this?

A

Use an AppArmor profile to block setuid syscalls.

B

Apply the 'restricted' Pod Security Standard at the namespace level.

Restricted enforces runAsNonRoot and disallows privileged escalation.

C

Set 'securityContext.runAsUser: 1000' on each pod spec.

D

Apply the 'baseline' Pod Security Standard with 'seccompProfile: RuntimeDefault'.

Why: The 'restricted' Pod Security Standard (PSS) enforces the strongest set of security constraints, including preventing containers from running as root and disallowing privilege escalation. Specifically, it requires `securityContext.allowPrivilegeEscalation: false` and prohibits running as root, which directly blocks escalation via setuid binaries. Applying this standard at the namespace level ensures all pods in that namespace inherit these controls, meeting the requirement.
Q3
easyFull explanation →

A DevOps engineer notices that a container's stdout logs are not appearing in the `kubectl logs` output. The container runs a legacy application that writes logs to a file inside the container. What is the most efficient way to capture these logs without modifying the application?

A

Configure the kubelet to rotate logs from the container's filesystem.

B

Add a sidecar container that reads the log file and outputs to stdout.

The sidecar pattern streams file logs to stdout for kubectl logs.

C

Use `kubectl cp` to periodically copy logs from the container.

D

Install a syslog daemon in the container to forward logs.

Why: Option B is correct because deploying a sidecar container that tails the log file and writes to its own stdout is the most efficient, Kubernetes-native pattern for capturing logs from applications that write to files. The sidecar container shares the same Pod and volume, reads the log file (e.g., using `tail -F`), and outputs to stdout, which is then collected by `kubectl logs` and the cluster-level logging pipeline. This approach requires no modification to the legacy application and leverages the existing container runtime and kubelet log collection.
Q4
hardFull explanation →

A security auditor requires that all container images used in the cluster are scanned for vulnerabilities before deployment. The team uses a private registry with image signing. Which solution enforces that only signed and scanned images are deployed?

A

Use Cosign to sign images and deploy a webhook that verifies signatures.

Cosign admission controller can enforce signature verification at pod creation.

B

Run Trivy in a CronJob to scan images and update a ConfigMap with allowed images.

C

Use OPA Gatekeeper to verify that the image comes from the private registry.

D

Enable Binary Authorization on the cluster to enforce image attestation.

Why: Cosign is a tool for signing container images, and deploying a validating webhook (e.g., the cosigned admission controller) enforces that only images with valid signatures are admitted. This directly meets the requirement to deploy only signed and scanned images, as the webhook verifies the signature before the pod is created.
Q5
easyFull explanation →

A cluster administrator wants to monitor network traffic between pods for security analysis. Which tool is designed specifically for this purpose and integrates with Kubernetes?

A

Configure Fluentd to collect network logs from each node.

B

Use Prometheus to scrape network metrics from kube-proxy.

C

Run kube-bench to audit network policies.

D

Deploy Cilium with Hubble for network flow visibility.

Cilium/Hubble provides pod-level network monitoring.

Why: D is correct because Cilium, combined with Hubble, is specifically designed to provide deep network flow visibility and monitoring for Kubernetes pods. Hubble leverages eBPF to capture and report network traffic at the kernel level, offering granular observability into pod-to-pod communications, which directly meets the requirement for security analysis of network traffic between pods.
Q6
mediumFull explanation →

Which TWO actions are effective for detecting and preventing container breakout attempts using runtime security tools?

A

Set 'securityContext.seccompProfile.type: Unconfined' to allow all syscalls.

B

Enable Kubernetes audit logging to capture exec commands.

C

Use PodSecurityPolicy to deny privileged containers.

D

Deploy Falco with rules that alert on 'syscall' events like 'clone' or 'unshare'.

Falco can detect breakout attempts via syscall monitoring.

E

Apply a seccomp profile that blocks unneeded syscalls for each container.

Seccomp restricts syscalls, making breakout harder.

Why: Option D is correct because Falco is a CNCF runtime security tool that uses eBPF or kernel modules to intercept system calls. By alerting on sensitive syscalls like 'clone' (used to spawn new processes) or 'unshare' (used to create new namespaces), Falco can detect container breakout attempts where an attacker tries to escape the container's isolation. This provides real-time detection of anomalous behavior indicative of a breakout.

Want more Monitoring Logging and Runtime Security practice?

Practice this domain
2

Domain 2: Cluster Setup and Hardening

All Cluster Setup and Hardening questions
Q1
mediumFull explanation →

During a security audit, you discover that a container running as root inside a pod has been compromised. The pod uses the default service account. Which two measures should you implement to harden the cluster? (Select TWO)

A

Apply a PodSecurityPolicy that restricts containers from running as root.

B

Create a new service account with no roles bound and assign it to the pod.

C

Edit the default service account to set automountServiceAccountToken: false.

Prevents automatic mounting of the default SA token in pods that do not specify a service account.

D

Set automountServiceAccountToken: false in the pod spec.

E

Add securityContext: runAsNonRoot: true to the pod spec.

Ensures the container runs as a non-root user, reducing impact of compromise.

Why: Option C is correct because setting `automountServiceAccountToken: false` on the default service account prevents any pod that uses it from automatically mounting the service account token. This reduces the attack surface: if a container is compromised, the attacker cannot use the token to authenticate to the Kubernetes API server. This is a fundamental hardening measure for service accounts that do not require API access.
Q2
hardFull explanation →

A cluster uses Kubernetes v1.24 with Pod Security Admission enabled. The cluster administrator wants to enforce that all pods in the 'production' namespace run with the 'restricted' policy level, but some existing deployments use privileged containers. Which approach ensures that only new pods violating the policy are rejected, while existing pods continue to run?

A

Patch existing deployments to remove privileged containers, then add the label 'pod-security.kubernetes.io/enforce=restricted' to the namespace.

B

Add the namespace label 'pod-security.kubernetes.io/enforce=restricted' and leave existing pods unchanged; new pods violating the policy will be rejected.

Correctly enforces the policy on new pods without affecting existing ones.

C

Create a PodSecurityPolicy that restricts privileged containers and bind it to all service accounts in the namespace.

D

Set the namespace label 'pod-security.kubernetes.io/enforce=restricted' and use the 'inform' mode to allow existing pods.

Why: Option B is correct because Pod Security Admission (PSA) in Kubernetes v1.24 enforces policies via namespace labels. Setting `pod-security.kubernetes.io/enforce=restricted` on the 'production' namespace will reject any new pod that violates the restricted policy, but existing pods are not re-evaluated and continue running. This behavior is by design: PSA evaluates pods at creation or update time, not retroactively, so existing workloads are unaffected.
Q3
easyFull explanation →

A security engineer needs to ensure that all communication between nodes and the control plane is encrypted. Which component must be configured with a TLS certificate to achieve this?

A

kube-proxy

B

etcd

C

kube-scheduler

D

kube-apiserver

The API server serves HTTPS; configuring its TLS certificate encrypts all communication to/from it.

Why: The kube-apiserver is the central gateway for all cluster operations, and it must be configured with a TLS certificate to encrypt communication between nodes (kubelets) and the control plane. The kube-apiserver presents this certificate to authenticate itself and establish encrypted HTTPS connections, ensuring that all traffic from node components (e.g., kubelets, kube-proxy) and other control plane components is secured in transit.
Q4
mediumFull explanation →

After a security incident, you need to restrict which pods can communicate with each other in the 'finance' namespace. You want to allow only pods with label 'app: api' to connect to pods with label 'app: db' on TCP port 5432, and deny all other traffic. Which NetworkPolicy should you create?

A

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db namespace: finance spec: podSelector: matchLabels: app: api ingress: - from: - podSelector: matchLabels: app: db ports: - port: 5432

B

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db namespace: finance spec: podSelector: matchLabels: app: api egress: - to: - podSelector: matchLabels: app: db ports: - port: 5432

C

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db namespace: finance spec: podSelector: matchLabels: app: db ingress: - from: - podSelector: matchLabels: app: api

D

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db namespace: finance spec: podSelector: matchLabels: app: db ingress: - from: - podSelector: matchLabels: app: api ports: - port: 5432

Correctly targets db pods, allows ingress from api pods on port 5432, and implicitly denies all other ingress.

Why: Option D is correct because it defines a NetworkPolicy that selects pods with label 'app: db' as the target and allows ingress traffic only from pods with label 'app: api' on TCP port 5432. By default, if no NetworkPolicy exists, all traffic is allowed; once a NetworkPolicy selects a pod, all traffic not explicitly allowed is denied. This policy therefore restricts communication to only the intended api-to-db flow on the specified port.
Q5
hardFull explanation →

A cluster has been configured with the NodeRestriction admission plugin. A developer tries to create a pod that uses a hostPath volume pointing to /var/log. The pod's nodeSelector is set to 'kubernetes.io/hostname: worker-1'. Which statement is true?

A

The pod will be created only if the node label matches the nodeSelector; the hostPath volume is irrelevant.

B

The pod will be rejected because hostPath volumes are not allowed by NodeRestriction.

C

The pod will be created because NodeRestriction does not restrict hostPath volumes.

NodeRestriction only restricts node self-updates, not hostPath.

D

The pod will be rejected because the nodeSelector conflicts with the NodeRestriction plugin.

Why: The NodeRestriction admission plugin limits the node labels that a kubelet can set and restricts pods from modifying their node affinity to gain access to node-specific resources. However, it does not restrict the use of hostPath volumes. Therefore, a pod with a hostPath volume pointing to /var/log and a nodeSelector for 'worker-1' will be created, as long as the nodeSelector matches an existing node label and the hostPath volume is otherwise permitted by the PodSecurityPolicy or other security contexts.
Q6
mediumFull explanation →

Which THREE of the following are valid methods to secure etcd in a Kubernetes cluster? (Select THREE)

A

Apply a NetworkPolicy to block traffic to etcd pods.

B

Use RBAC to restrict access to etcd.

RBAC can limit which users/service accounts can access etcd via the API server.

C

Enable TLS peer and client authentication.

TLS ensures encrypted communication and mutual authentication.

D

Expose the etcd client port (2379) to the public internet for monitoring.

E

Set file permissions on etcd data directory to 700.

Restricts access to the etcd user only.

Why: RBAC is a valid method to secure etcd because etcd supports role-based access control for its API, allowing you to define roles and permissions that restrict which users or processes can read or write keys. By enabling RBAC on etcd, you can limit access to sensitive cluster data, such as secrets and configuration, to only authorized components like the Kubernetes API server.

Want more Cluster Setup and Hardening practice?

Practice this domain
3

Domain 3: System Hardening

All System Hardening questions
Q1
mediumFull explanation →

A security team is hardening a Kubernetes cluster. They need to ensure that all control plane components run with the least privilege. Which approach should they take?

A

Use seccomp profiles to block privilege escalation syscalls

B

Apply AppArmor profiles to all control plane pods

C

Configure control plane containers to run as non-root user and with read-only root filesystem

This directly reduces privileges by avoiding root execution and preventing writes to the filesystem.

D

Enable PodSecurityPolicy with 'MustRunAsNonRoot' for control plane namespaces

Why: Option C is correct because running control plane containers as a non-root user and with a read-only root filesystem directly enforces the principle of least privilege at the container level. This approach limits the ability of an attacker who compromises a control plane component to escalate privileges or modify critical system files, which is a fundamental hardening requirement for the control plane.
Q2
easyFull explanation →

An administrator wants to restrict pods from running as root. Which admission controller should be enabled?

A

NodeRestriction

B

AlwaysPullImages

C

ServiceAccount

D

PodSecurity

PodSecurity enforces the Pod Security Standards, including 'restricted' profile which prevents running as root.

Why: The PodSecurity admission controller (D) is the correct choice because it enforces the Pod Security Standards (Privileged, Baseline, Restricted) defined in the Kubernetes documentation. By enabling this controller, the administrator can configure a policy that prevents pods from running as root, typically by setting the 'Restricted' profile which requires 'runAsNonRoot: true' and 'runAsUser: > 10000' in the pod security context.
Q3
hardFull explanation →

A cluster has been compromised due to a container running with privileged escalation. The team wants to prevent any container from gaining new privileges. Which configuration should be applied?

A

Set securityContext.runAsUser: 1000

B

Set securityContext.readOnlyRootFilesystem: true

C

Drop all capabilities with securityContext.capabilities.drop: ["ALL"]

D

Set securityContext.allowPrivilegeEscalation: false

This directly prevents privilege escalation, which is a key security control.

Why: Setting `securityContext.allowPrivilegeEscalation: false` directly prevents a container from gaining new privileges beyond those it was initially granted, such as through setuid binaries or the `NO_NEW_PRIVS` flag. This is the exact control needed to block privilege escalation attacks, as it forces the kernel to deny any request for elevated privileges, even if the binary has the setuid bit set.
Q4
mediumFull explanation →

During a security audit, it was found that some pods have access to the host network. How can an administrator restrict host network access for all pods in the cluster?

A

Set --allow-privileged=false in kubelet configuration

B

Enable PodSecurity admission controller with baseline or restricted profile

The baseline and restricted profiles forbid host networking, effectively restricting it cluster-wide.

C

Enable PodSecurityPolicy with 'hostNetwork: false'

D

Create NetworkPolicies that deny traffic to host network

Why: Option B is correct because the PodSecurity admission controller (GA in Kubernetes v1.25+) enforces predefined security standards (baseline or restricted) that, among other restrictions, prevent pods from using `hostNetwork: true`. This is the recommended replacement for the deprecated PodSecurityPolicy and provides a built-in, cluster-wide mechanism to restrict host network access without requiring external tools.
Q5
easyFull explanation →

A DevOps team wants to ensure that all container images are pulled from a trusted registry only. Which cluster-level configuration should be applied?

A

Configure kubelet with --pod-manifest-path pointing to a whitelist

B

Enable PodSecurity with restricted profile

C

Use NetworkPolicy to block traffic to untrusted registries

D

Enable ImagePolicyWebhook admission controller

ImagePolicyWebhook can reject images from untrusted registries based on external policy.

Why: Option D is correct because the ImagePolicyWebhook admission controller allows you to configure a cluster-level admission plugin that intercepts all Pod creation requests and validates the container images against an external webhook backend. This backend can enforce policies such as allowing only images from a trusted registry (e.g., `mytrustedregistry.io/*`), rejecting any image that does not match the whitelist. It operates at the API server level, ensuring that no Pod with an untrusted image can be created in the cluster.
Q6
hardFull explanation →

An attacker exploited a container escape vulnerability. The team wants to mitigate such attacks by restricting containers from accessing the host's kernel capabilities. Which set of capabilities should be dropped from all containers?

A

SYS_ADMIN, SYS_MODULE, SYS_PTRACE

These capabilities allow kernel module loading, system administration, and process tracing, which can be exploited for escape.

B

CHOWN, DAC_OVERRIDE, FOWNER

C

KILL, SETPCAP, SYS_CHROOT

D

NET_RAW, NET_ADMIN, NET_BIND_SERVICE

Why: Option A is correct because SYS_ADMIN, SYS_MODULE, and SYS_PTRACE are the most dangerous capabilities that enable container escape. SYS_ADMIN grants broad administrative privileges (e.g., mounting filesystems, accessing /proc/1/environ), SYS_MODULE allows loading kernel modules, and SYS_PTRACE permits tracing processes outside the container. Dropping these three capabilities is a key mitigation against kernel-level escapes.

Want more System Hardening practice?

Practice this domain
4

Domain 4: Minimize Microservice Vulnerabilities

All Minimize Microservice Vulnerabilities questions
Q1
mediumFull explanation →

A microservice running as a Deployment in a Kubernetes cluster needs to authenticate to a third-party API using a static API key. Which is the most secure way to store and inject this secret into the container?

A

Store the API key in a ConfigMap and expose it as an environment variable

B

Hardcode the API key in the container image

C

Store the API key in a Kubernetes Secret and mount it as a volume inside the container

Secrets are designed for sensitive data; volume mounts avoid exposure in environment variable listings.

D

Store the API key in a Kubernetes Secret and expose it as an environment variable

Why: Option C is correct because mounting a Kubernetes Secret as a volume provides the most secure method for injecting sensitive data into a container. Unlike environment variables, which can be exposed through process listings, container logs, or `/proc` filesystem, a volume mount stores the secret in the container's filesystem with permissions restricted to the runtime user. This approach also supports automatic rotation of secret values without restarting the pod, as the filesystem is updated in place when the Secret object changes.
Q2
hardFull explanation →

During a security audit, a team discovers that their microservice application, deployed on Kubernetes, is vulnerable to container breakout attacks. The containers run as root and have many Linux capabilities. Which set of Pod Security Standards (PSS) enforcement modes and policies would best mitigate this risk?

A

Use 'privileged' PSS with Warn mode

B

Use 'baseline' PSS with Audit mode

C

Use 'restricted' PSS with Enforce mode

Restricted profile requires non-root and drops all capabilities except net bind service.

D

Use 'baseline' PSS with Enforce mode

Why: The 'restricted' Pod Security Standard with 'Enforce' mode is the correct choice because it mandates the most stringent security controls, including dropping all Linux capabilities and preventing containers from running as root. This directly mitigates container breakout attacks by eliminating the excessive privileges that enable such exploits. 'Enforce' mode actively blocks non-compliant pods, ensuring the policy is applied without relying on user awareness or audit logs.
Q3
easyFull explanation →

A DevOps engineer wants to ensure that all microservice containers run with a read-only root filesystem to prevent unauthorized writes. What is the simplest way to enforce this at the Pod level?

A

Set `securityContext.runAsNonRoot: true` in the Pod spec

B

Mount an emptyDir volume to the container's writable directories

C

Set `securityContext.readOnlyRootFilesystem: true` in the Pod spec

This directly enforces a read-only root filesystem for all containers in the Pod.

D

Set `securityContext.privileged: false` in the Pod spec

Why: Option C is correct because setting `securityContext.readOnlyRootFilesystem: true` in the Pod spec directly enforces that the container's root filesystem is read-only, preventing any unauthorized writes to the root filesystem. This is the simplest and most direct way to achieve the requirement at the Pod level, as it applies to all containers in the Pod unless overridden at the container level.
Q4
mediumFull explanation →

A security scanner reports that a microservice container image contains a critical vulnerability (CVE-2024-1234) in a system library. The team cannot immediately rebuild the image. What is the most effective temporary mitigation at the Kubernetes level?

A

Apply a NetworkPolicy to block egress traffic from the Pod

B

Apply a custom seccomp profile that blocks the vulnerable syscall

Seccomp can filter system calls, directly mitigating exploitation of syscall-related CVEs.

C

Apply an AppArmor profile to the Pod

D

Use a PodSecurityPolicy to drop all capabilities

Why: Option B is correct because a custom seccomp (secure computing mode) profile can restrict the system calls (syscalls) a container is allowed to make. By blocking the specific vulnerable syscall exploited by CVE-2024-1234, you can prevent the vulnerability from being triggered at runtime without rebuilding the image. This is a temporary, Kubernetes-native mitigation that directly addresses the attack vector at the syscall level.
Q5
hardFull explanation →

A microservice container needs to perform DNS lookups using TCP rather than UDP. Which Kubernetes security context setting should be configured to allow this?

A

Add `DAC_OVERRIDE` capability

B

Add `NET_RAW` capability

TCP DNS may require raw socket access on some configurations.

C

Add `NET_ADMIN` capability

D

Add `NET_BIND_SERVICE` capability

Why: Option B is correct because DNS queries typically use UDP, but when a response is truncated or when zone transfers are involved, TCP is required. The `NET_RAW` capability allows a container to create raw sockets, which is necessary for crafting and sending TCP packets for DNS lookups at the transport layer. Without this capability, the container's network stack may be restricted to only UDP-based DNS resolution.
Q6
mediumFull explanation →

Which TWO of the following are effective measures to minimize the impact of a compromised microservice container in a Kubernetes cluster? (Choose two.)

A

Set resource limits (CPU/memory) on the container

Resource limits prevent a compromised container from exhausting cluster resources.

B

Set the container's root filesystem as read-only

C

Apply a NetworkPolicy that restricts egress traffic to only necessary services

Network policies limit the ability of a compromised container to communicate with other services.

D

Run the container as root to simplify debugging

E

Use hostNetwork: true to share the host's network namespace

Why: Setting resource limits (CPU/memory) on a container is correct because it prevents a compromised microservice from consuming excessive cluster resources, which could lead to a denial-of-service (DoS) attack against other workloads. By enforcing limits via the container's cgroup constraints, the kernel throttles or OOM-kills the container if it exceeds its allocated resources, containing the blast radius of the compromise.

Want more Minimize Microservice Vulnerabilities practice?

Practice this domain
5

Domain 5: Supply Chain Security

All Supply Chain Security questions
Q1
mediumFull explanation →

Which TWO of the following are best practices for securing the container supply chain?

A

Scan images for vulnerabilities in a CI pipeline before deploying.

Scanning helps catch known vulnerabilities early.

B

Use image signing and verification (e.g., with cosign) to ensure image integrity.

Signing images ensures they have not been tampered with.

C

Embed API keys directly in container images for authentication.

D

Allow all images from any registry without verification to speed up development.

E

Use mutable tags like 'latest' for easier updates.

Why: Scanning images for vulnerabilities in a CI pipeline before deployment is a best practice because it catches known CVEs early, preventing vulnerable images from reaching production. Tools like Trivy, Clair, or Grype integrate into CI/CD to enforce policy gates, ensuring only compliant images proceed.
Q2
hardFull explanation →

Which THREE of the following are required to implement a secure software supply chain using Kubernetes native features?

A

Use vulnerability scanning tools like Trivy or Grype in the CI/CD pipeline.

Scanning prevents deployment of images with known vulnerabilities.

B

Disable admission controllers to reduce latency in pod creation.

C

Integrate image signature verification into the admission webhook (e.g., using cosign and Kyverno).

Verification ensures images are signed by trusted parties.

D

Run all containers as root inside the pod to avoid permission issues.

E

Enforce policies using OPA Gatekeeper or Kyverno to restrict allowed registries and image constraints.

Policy enforcement ensures only trusted images are used.

Why: Option A is correct because vulnerability scanning tools like Trivy or Grype are essential for identifying known CVEs in container images before deployment. Integrating these tools into the CI/CD pipeline ensures that only images with an acceptable vulnerability posture are built and pushed to the registry, forming a foundational security gate in the software supply chain.
Q3
easyFull explanation →

A DevOps team wants to ensure that only signed images from a trusted registry are deployed in the cluster. They plan to use a webhook to intercept pod creation. Which tool is best suited for this task?

A

kubectl with --validate flag

B

Helm with signed charts

C

etcd with encryption at rest

D

Kyverno with a verifyImages rule

Kyverno supports image signature verification via cosign.

E

Prometheus with alerting rules

Why: Kyverno is a Kubernetes-native policy engine that can enforce image signature verification via its `verifyImages` rule. It intercepts pod creation through a dynamic admission webhook, checking that container images are signed with a trusted key (e.g., using Sigstore/Cosign) before the pod is admitted. This directly meets the requirement to only allow signed images from a trusted registry.
Q4
mediumFull explanation →

A security audit reveals that a container image running in production contains a critical vulnerability (CVE-2024-1234). The image was built from a base image that had the vulnerability. What is the MOST effective long-term solution to prevent such issues?

A

Use a runtime security tool like Falco to detect exploitation attempts.

B

Patch the vulnerability by installing a security update inside the running container.

C

Add an admission controller that rejects images with vulnerabilities.

D

Rebuild the image using a patched base image and integrate vulnerability scanning into the CI pipeline.

Fixing the base image and scanning prevent vulnerable images from being built.

E

Switch to a different container runtime that is immune to the vulnerability.

Why: Option D is the most effective long-term solution because it addresses the root cause by rebuilding the image from a patched base image, eliminating the vulnerability at the source. Integrating vulnerability scanning into the CI pipeline ensures that future images are automatically checked for known CVEs before deployment, preventing vulnerable images from reaching production. This aligns with the principle of shifting security left in the software supply chain.
Q5
hardFull explanation →

An organization uses a private container registry and wants to ensure that only images built from a specific CI/CD pipeline are deployed. Which combination of measures provides the strongest guarantee?

A

Implement network policies to restrict egress from pods to the registry.

B

Grant registry write access only to the CI system's service account.

C

Use a static analysis tool to check the Dockerfile before building.

D

Use a unique registry path and restrict access via firewall rules.

E

Generate signed attestations with in-toto during the CI pipeline and verify them using an admission webhook like Kyverno.

Attestations provide non-repudiation and can be verified at admission time.

Why: Option E is correct because it implements a complete chain of custody for container images. In-toto generates signed attestations that record every step of the CI/CD pipeline (e.g., source code checkout, build, test), and an admission webhook like Kyverno verifies these attestations before allowing a pod to run. This ensures that only images that passed the exact, attested pipeline are deployed, providing the strongest guarantee against unauthorized or tampered images.
Q6
hardFull explanation →

You are the lead security engineer for a large financial institution. The organization runs a Kubernetes cluster with 500+ microservices. The supply chain security team has implemented the following measures: (1) All images are built from a minimal base image (distroless) and scanned with Trivy before being pushed to a private registry. (2) Images are signed using cosign with a key stored in a hardware security module (HSM). (3) Kyverno policies enforce that only signed images from the private registry can run, and also enforce that containers run as non-root. (4) A binary authorization (binauthz) style admission controller verifies attestations. Recently, a critical vulnerability (CVE-2024-0001) was discovered in a popular open-source library used by several microservices. The library is included as a dependency in the base image. The vulnerability is remotely exploitable and has a CVSS score of 9.8. The security team needs to remediate this quickly. They have already patched the library and updated the base image. What is the BEST course of action to ensure all running pods use the new image?

A

Update the image tag in each Deployment's spec to point to the new patched image, then perform a rolling update. The admission controller will verify signatures and attestations for the new image.

This ensures all pods are updated with a verified, patched image in a controlled manner.

B

SSH into each node, pull the new image, and use kubectl exec to update the library inside running containers.

C

Temporarily disable the admission controller that verifies signatures and then update the image tags.

D

Delete all running pods and let the ReplicaSets recreate them from the existing image.

Why: Option A is correct because updating the image tag in each Deployment triggers a rolling update, which creates new pods with the patched image. The admission controller (Kyverno) will verify the cosign signature and binary authorization attestation for the new image, ensuring supply chain security is maintained. This approach is the standard Kubernetes method for deploying image updates while preserving security controls.

Want more Supply Chain Security practice?

Practice this domain
6

Domain 6: Monitoring, Logging and Runtime Security

All Monitoring, Logging and Runtime Security questions
Q1
mediumFull explanation →

You are investigating a pod that is suspected of being compromised. You need to preserve the container's filesystem for forensic analysis. Which `crictl` command should you use to export the container's filesystem as a tar archive?

A

crictl logs <container-id>

B

crictl export <container-id>

Correct: crictl export exports the container's filesystem as a tar archive.

C

crictl inspect <container-id>

D

crictl exec <container-id> tar cvf /tmp/fs.tar /

Why: `crictl export` exports the container's filesystem as a tar archive. `crictl inspect` shows container metadata, not filesystem content. `crictl logs` retrieves logs. `crictl exec` runs commands in the container but does not export filesystem.
Q2
hardFull explanation →

A Falco rule is written to detect when a shell is spawned inside a container. The rule condition is: `spawned_process and container and proc.name = bash`. The rule is not triggering. Which of the following is the most likely reason?

A

The rule is missing `proc.name in (bash, sh, zsh)` because only bash is checked

B

Falco is not running with the required syscall capabilities

C

The `spawned_process` macro may not match because the process was inherited (not spawned), e.g., from an entrypoint

`spawned_process` typically checks for newly created processes; inherited processes may not match.

D

The priority is set to `ERROR` but the output is being filtered

Why: The condition requires both `spawned_process` and `container` macro fields, which are typical. Option B is the most likely because the `spawned_process` macro might not include all shell spawn scenarios (e.g., inherited processes). Option A is correct but less likely. Options C and D are incorrect.
Q3
mediumFull explanation →

You are configuring Kubernetes audit logging. You want to log all requests to the `secrets` resource in the `kube-system` namespace at the `RequestResponse` level, while logging all other requests at the `Metadata` level. Which audit policy configuration achieves this?

A

rules: [- level: RequestResponse, resources: [group: '', resources: [*]], - level: Metadata]

B

rules: [- level: RequestResponse, resources: [group: '', resources: [secrets]], namespaces: [kube-system], - level: Metadata]

Correct: first rule matches secrets in kube-system with RequestResponse, second rule catches all other requests with Metadata.

C

rules: [- level: Metadata, resources: [group: '', resources: [secrets]], namespaces: [kube-system], - level: RequestResponse]

D

rules: [- level: Metadata, resources: [group: '', resources: [secrets]], namespaces: [kube-system], omitStages: [RequestReceived], - level: RequestResponse]

Why: Option A is correct because it defines a rule for secrets in kube-system with level RequestResponse, then a default rule for all other resources with level Metadata. Option B incorrectly uses `omitStages` instead of `level`. Option C does not target the specific resource. Option D reverses the levels.
Q4
easyFull explanation →

You have deployed a pod and set `securityContext.readOnlyRootFilesystem: true`. The pod is failing to start with an error about writing to `/tmp`. What is the most likely cause?

A

The `securityContext` is misspelled

B

The pod is missing an emptyDir volume mounted at `/tmp`

An emptyDir volume provides a writable location on an otherwise read-only root filesystem.

C

The container image does not have `/tmp` directory

D

The container is running as a non-root user

Why: When `readOnlyRootFilesystem` is true, the container cannot write to any path on the root filesystem unless a writable volume is mounted. `/tmp` is on the root filesystem by default, so the container needs an emptyDir volume mounted at `/tmp` to write there.
Q5
mediumFull explanation →

An administrator runs `kubectl exec -it nginx-pod -- sh` and inside the container runs `curl http://example.com`. This succeeds. However, the administrator wants to detect such outbound connections using Falco. Which syscall should Falco monitor to detect this network connection?

A

open

B

connect

The connect syscall is used to initiate a connection to a remote socket, making it appropriate for detecting outbound connections.

C

execve

D

bind

Why: Falco monitors system calls. Establishing an outbound TCP connection involves the `connect` syscall. Other syscalls like `open`, `execve`, `bind` are not directly related to initiating outbound connections.
Q6
hardFull explanation →

You are writing a Falco rule to detect when a container tries to read the file `/etc/shadow`. Which condition in the Falco rule correctly matches this event?

A

container.name=shadow and evt.type=open

B

evt.type=read and fd.name=/etc/shadow

C

proc.name=cat and fd.name=/etc/shadow

D

evt.type=open and fd.name=/etc/shadow

The open syscall is used to open files, and fd.name contains the file path. This correctly detects attempts to open /etc/shadow.

Why: Falco uses `evt.type` for syscall type (e.g., open, openat, read) and `fd.name` for the file path. The `open` syscall is typically used to open files; reading can also happen via `openat` or `read`. Option B is correct because it checks for the open syscall and the file path. Option A checks for the `read` syscall but `fd.name` may not be available for read events. Option C uses `proc.name` which is process name, not file. Option D uses `container.name` which is not relevant.

Want more Monitoring, Logging and Runtime Security practice?

Practice this domain
7

Domain 7: Cluster Setup

All Cluster Setup questions
Q1
easyFull explanation →

A team needs to set up a highly available Kubernetes control plane across three availability zones. What is the minimum number of etcd members required to achieve fault tolerance against one zone failure?

A

5

B

1

C

3

3 members tolerate one member failure, maintaining majority.

D

7

Why: For a highly available Kubernetes control plane across three availability zones, the etcd cluster must tolerate the loss of one entire zone. With three etcd members, one per zone, the cluster requires a majority (2) to form quorum. If one zone fails, the remaining two members still constitute a majority, ensuring continued operation. This matches the minimum odd number greater than one that provides fault tolerance against a single failure.
Q2
mediumFull explanation →

A security audit reveals that the kube-apiserver is using the default insecure port 8080 on a production cluster. Which is the most secure and recommended remediation?

A

Change the --insecure-port flag to 0

B

Set --insecure-port=0 and ensure --secure-port=6443 is configured

Setting insecure-port to 0 disables it, and secure-port=6443 uses TLS.

C

Set --insecure-port=6443

D

Set --secure-port=8080

Why: Setting `--insecure-port=0` disables the unencrypted HTTP port (default 8080), which eliminates the risk of unauthenticated access to the API server. Ensuring `--secure-port=6443` is configured enforces TLS-encrypted communication on the standard secure port, which is the only recommended and secure method for production clusters.
Q3
hardFull explanation →

During a cluster upgrade, the kubelet on a worker node fails to start after updating the kubelet binary. The kubelet logs show: 'failed to load bootstrap client certificate: open /var/lib/kubelet/pki/kubelet-client-current.pem: no such file or directory'. What is the most likely cause?

A

The kubelet's node IP has changed

B

The kubelet's certificate has expired

C

The kubelet is using an outdated kubeconfig

D

The bootstrap kubeconfig file is missing or misconfigured

The bootstrap kubeconfig is used to initially request a client certificate; missing file leads to this error.

Why: The error 'failed to load bootstrap client certificate: open /var/lib/kubelet/pki/kubelet-client-current.pem: no such file or directory' indicates that the kubelet cannot find the bootstrap client certificate file. This file is generated from the bootstrap kubeconfig file during the initial TLS bootstrapping process. If the bootstrap kubeconfig file is missing or misconfigured, the kubelet cannot request or renew its client certificate, leading to this failure.
Q4
mediumFull explanation →

Which TWO of the following are valid methods to secure the etcd cluster in a Kubernetes setup?

A

Enable encryption at rest for etcd data

B

Configure RBAC on etcd

C

Enable TLS with peer certificates for etcd member communication

Peer certificates secure inter-etcd communication.

D

Enable TLS with client certificates for etcd client communication

Client certificates secure communication between API server and etcd.

E

Apply NetworkPolicies to etcd pods

Why: Option C is correct because etcd uses the Raft consensus protocol for distributed coordination, and enabling TLS with peer certificates ensures that all communication between etcd members (nodes) is encrypted and authenticated. This prevents man-in-the-middle attacks and unauthorized nodes from joining the cluster, which is a core security requirement for the control plane's data store.
Q5
hardFull explanation →

Which THREE of the following are required when setting up a Kubernetes control plane with kubeadm for a production environment?

A

Ensure the Kubernetes version is not downgraded

kubeadm prevents downgrading.

B

Specify --pod-network-cidr to define the pod network range

Required for pod networking.

C

Specify --control-plane-endpoint for high availability

Required for HA control plane setup.

D

Specify --apiserver-advertise-address

E

Generate a bootstrap token with kubeadm token create

Why: Option A is correct because kubeadm enforces a strict version skew policy: the kubelet version must not be newer than the control plane version, and downgrading the control plane (e.g., from v1.28 to v1.27) is not supported. Attempting a downgrade can lead to API version mismatches, schema incompatibilities, and cluster instability. In production, you must plan upgrades carefully and never downgrade the control plane components.
Q6
easyFull explanation →

A cluster is using kubeadm and the control plane components are running as static pods. Where are the static pod manifests for the API server located by default?

A

/var/lib/kubelet/

B

/etc/kubernetes/manifests/

Default static pod manifest directory.

C

/etc/kubernetes/admin.conf

D

/etc/kubernetes/

Why: In a kubeadm-deployed cluster, the control plane components (API server, controller manager, scheduler) run as static pods. The kubelet watches a specific directory for pod manifests to create these static pods. By default, kubeadm places the manifests for the API server (and other control plane components) in /etc/kubernetes/manifests/. This directory is specified via the --pod-manifest-path or staticPodPath in the kubelet configuration.

Want more Cluster Setup practice?

Practice this domain
8

Domain 8: Cluster Hardening

All Cluster Hardening questions
Q1
hardFull explanation →

A security team wants to ensure that all pods in a namespace run with a restricted seccomp profile. Which Pod Security Standard admission controller mode should be used to enforce this without blocking necessary pods?

A

Enable the PodSecurity admission plugin with the 'restricted' policy and 'enforce' mode

'enforce' blocks non-compliant pods, and 'restricted' requires seccomp.

B

Use a mutating admission webhook to automatically add seccomp profiles

C

Enable the PodSecurity admission plugin with the 'baseline' policy and 'enforce' mode

D

Enable the PodSecurity admission plugin with the 'restricted' policy and 'warn' mode

Why: The Pod Security Standards (PSS) define three policies: privileged, baseline, and restricted. The restricted policy enforces the most stringent security controls, including requiring a seccomp profile to be set to 'RuntimeDefault' or 'localhost/*'. Using the PodSecurity admission plugin with 'enforce' mode ensures that any pod failing the restricted policy is immediately rejected, guaranteeing that only compliant pods run in the namespace.
Q2
mediumFull explanation →

A cluster uses RBAC and a ServiceAccount 'monitor' in namespace 'observability'. The account needs to list pods in all namespaces. Which ClusterRole and binding should be created?

A

Role with 'list' on pods, RoleBinding in observability

B

ClusterRole with 'get' on pods, ClusterRoleBinding

C

ClusterRole with 'list' on pods, RoleBinding in observability

D

ClusterRole with 'list' on pods, ClusterRoleBinding

Correct scope and verb for listing pods across all namespaces.

Why: A ServiceAccount that needs to list pods across all namespaces requires a ClusterRole with the 'list' verb on pods, because ClusterRoles are not namespaced and can grant permissions cluster-wide. A ClusterRoleBinding is necessary to bind that ClusterRole to the ServiceAccount, as RoleBindings only apply within a single namespace and cannot grant cluster-scoped permissions.
Q3
easyFull explanation →

An administrator wants to prevent pods from running as root. Which SecurityContext field should be set at the pod level?

A

fsGroup: 2000

B

runAsGroup: 3000

C

runAsUser: 1000

D

runAsNonRoot: true

Explicitly prevents root.

Why: Option D is correct because setting `runAsNonRoot: true` at the pod-level SecurityContext enforces that all containers in the pod must run with a non-root user (UID > 0). If a container image specifies a user with UID 0 (root) or does not specify a user, the container will fail to start, preventing privilege escalation from root access.
Q4
mediumFull explanation →

A company uses kube-bench to scan their cluster. The report shows a warning: 'Ensure that the --authorization-mode argument is set to Node,RBAC'. What is the best way to fix this?

A

Add --authorization-mode=AlwaysDeny to the API server

B

Restart the API server with --authorization-webhook-config-file

C

Set --authorization-mode=RBAC only

D

Edit the kube-apiserver manifest to add --authorization-mode=Node,RBAC

Sets both Node and RBAC as required.

Why: Option D is correct because kube-bench checks that the API server's `--authorization-mode` includes both `Node` and `RBAC` in that order. The `Node` authorizer must come first to handle node-specific requests efficiently, followed by `RBAC` for user and service account authorization. Editing the kube-apiserver manifest (typically `/etc/kubernetes/manifests/kube-apiserver.yaml`) to add `--authorization-mode=Node,RBAC` ensures the static pod is automatically restarted by the kubelet with the correct configuration.
Q5
hardFull explanation →

A pod is failing to start with: 'Error: container has runAsNonRoot and image will run as root'. The pod spec sets securityContext.runAsNonRoot: true. The container image is 'nginx:latest' which runs as root. Which change allows the pod to run while maintaining security?

A

Remove runAsNonRoot: true

B

Add a PodSecurityPolicy that allows root

C

Set runAsUser: 1000 in the container securityContext

Runs as non-root user, satisfying runAsNonRoot.

D

Use a mutating webhook to change the image

Why: Option C is correct because setting `runAsUser: 1000` in the container's securityContext overrides the default user (root) in the image, ensuring the container process runs as a non-root user (UID 1000). This satisfies the `runAsNonRoot: true` constraint at the pod level, which requires that the container's user ID is non-zero, while still maintaining security by not running as root.
Q6
easyFull explanation →

Which Kubernetes resource should be used to restrict egress traffic from pods?

A

NetworkPolicy with egress rules

Directly restricts egress.

B

PodSecurityPolicy

C

iptables rules on nodes

D

NetworkPolicy with ingress rules

Why: NetworkPolicy with egress rules is the correct Kubernetes-native resource to restrict outbound traffic from pods. It uses label selectors, IP blocks, and port specifications to define which external destinations pods can reach, enforcing zero-trust network segmentation at the pod level.

Want more Cluster Hardening practice?

Practice this domain

Frequently asked questions

How many questions are on the CKS exam?

The CKS exam is performance-based — there are no multiple-choice questions. It is a hands-on lab exam completed within 120 minutes. You complete practical tasks in a live or simulated environment. Courseiva practice questions cover the underlying concepts.

What types of questions appear on the CKS exam?

Hands-on Kubernetes security tasks in a live cluster environment.

How are CKS questions organised by domain?

The exam covers 8 domains: Monitoring Logging and Runtime Security, Cluster Setup and Hardening, System Hardening, Minimize Microservice Vulnerabilities, Supply Chain Security, Monitoring, Logging and Runtime Security, Cluster Setup, Cluster Hardening. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CKS exam questions?

No. These are original exam-style practice questions written against the official CNCF CKS exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice CKS?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all CKS questionsTake a timed practice test