© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 2.0

Cluster Hardening

CKS Practice Questions

Use this page to practise Cluster Hardening questions for this certification. Focus on how the exam tests cluster hardening in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

What this objective tests

CKS Cluster Hardening — Key Topics

Cluster Hardening questions on this certification test your ability to deploy and manage cluster hardening concepts in scenario-based situations.

  • Core Cluster Hardening concepts and how they apply in real-world cloud scenarios.
  • How to deploy cluster hardening correctly and verify the outcome.
  • Troubleshooting cluster hardening issues by interpreting error output and system state.
  • Cloud best practices and Cluster Hardening design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Cluster Hardening

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

CKS Cluster Hardening — Practice Questions

15 questions from this objective

Question 2 (hard, multiple choice)

A security team wants to ensure that all pods in a namespace run with a restricted seccomp profile. Which Pod Security Standard admission controller mode should be used to enforce this without blocking necessary pods?

Question 3 (medium, multiple choice)

A cluster uses RBAC and a ServiceAccount 'monitor' in namespace 'observability'. The account needs to list pods in all namespaces. Which ClusterRole and binding should be created?

Question 4 (easy, multiple choice)

An administrator wants to prevent pods from running as root. Which SecurityContext field should be set at the pod level?

Question 5 (medium, multiple choice)

A company uses kube-bench to scan their cluster. The report shows a warning: 'Ensure that the --authorization-mode argument is set to Node,RBAC'. What is the best way to fix this?

Question 6 (hard, multiple choice)

A pod is failing to start with: 'Error: container has runAsNonRoot and image will run as root'. The pod spec sets securityContext.runAsNonRoot: true. The container image is 'nginx:latest' which runs as root. Which change allows the pod to run while maintaining security?

Question 7 (easy, multiple choice)

Which Kubernetes resource should be used to restrict egress traffic from pods?

Question 8 (medium, multiple choice)

A developer created a ClusterRole 'pod-reader' with rules to get, list, and watch pods. They bound it to a user via ClusterRoleBinding. The user reports they cannot list pods in namespace 'test'. What is the most likely cause?

Question 9 (hard, multiple choice)

A cluster has a PodSecurityPolicy that requires 'RunAsAny' for the user. An administrator wants to enforce that all pods in namespace 'production' must run with a specific seccomp profile. Which approach is recommended given PSP is deprecated?

Question 10 (medium, multi select)

Which TWO of the following are valid ways to restrict access to the Kubernetes API server?

Question 11 (hard, multi select)

Which THREE of the following are required to secure etcd in a Kubernetes cluster?

Question 12 (easy, multi select)

Which TWO of the following are best practices for securing container images?

Question 13 (hard, multi select)

Which THREE of the following are valid methods to enforce pod security standards in a Kubernetes cluster?

Question 14 (hard, multiple choice)

You are the security engineer for a multi-tenant Kubernetes cluster. The cluster uses kubeadm and runs Kubernetes v1.24. Each tenant has a dedicated namespace. A new tenant, 'acme-corp', requires that all pods in their namespace run with a read-only root filesystem and must not be able to escalate privileges. They also need to run a legacy container that must listen on a port below 1024. The cluster currently uses PodSecurityPolicy (PSP) but is planning to migrate to Pod Security Admission (PSA). The legacy container needs to run as non-root with the NET_BIND_SERVICE capability to bind to port 80. You need to configure security policies for the 'acme-corp' namespace without affecting other tenants. Which approach best meets these requirements while following Kubernetes best practices?

Question 15 (medium, drag order)

Arrange the steps to enable and configure audit logging in Kubernetes.

Question 16 (medium, matching)

Match each Kubernetes security tool or feature to its purpose.

Concepts
Matches

Checks whether Kubernetes is deployed securely according to CIS benchmarks

Penetration testing tool for Kubernetes clusters

Policy engine for enforcing custom policies on Kubernetes resources

Runtime security monitoring tool that detects abnormal behavior

Vulnerability scanner for container images, filesystems, and Git repos
