CKS Cluster Setup and Hardening • Complete Question Bank

CKS Cluster Setup and Hardening — All Questions With Answers

Complete CKS Cluster Setup and Hardening question bank — all 0 questions with answers and detailed explanations.

239 Questions • Free • No signup

Question 1 (medium, multi select)

During a security audit, you discover that a container running as root inside a pod has been compromised. The pod uses the default service account. Which two measures should you implement to harden the cluster? (Select TWO)

Question 2 (hard, multiple choice)

A cluster uses Kubernetes v1.24 with Pod Security Admission enabled. The cluster administrator wants to enforce that all pods in the 'production' namespace run with the 'restricted' policy level, but some existing deployments use privileged containers. Which approach ensures that only new pods violating the policy are rejected, while existing pods continue to run?

Question 3 (easy, multiple choice)

A security engineer needs to ensure that all communication between nodes and the control plane is encrypted. Which component must be configured with a TLS certificate to achieve this?

Question 4 (medium, multiple choice)

After a security incident, you need to restrict which pods can communicate with each other in the 'finance' namespace. You want to allow only pods with label 'app: api' to connect to pods with label 'app: db' on TCP port 5432, and deny all other traffic. Which NetworkPolicy should you create?

Question 5 (hard, multiple choice)

A cluster has been configured with the NodeRestriction admission plugin. A developer tries to create a pod that uses a hostPath volume pointing to /var/log. The pod's nodeSelector is set to 'kubernetes.io/hostname: worker-1'. Which statement is true?

Question 6 (medium, multi select)

Which THREE of the following are valid methods to secure etcd in a Kubernetes cluster? (Select THREE)

Question 7 (easy, multi select)

Which TWO of the following are recommended practices for securing the Kubernetes API server? (Select TWO)

Question 8 (hard, multiple choice)

A security team wants to ensure that only approved container images can run in their production cluster. Which admission controller should be configured in the kube-apiserver to enforce this policy?

Question 9 (medium, multiple choice)

An administrator discovers that a container has been running with root privileges despite a PodSecurityPolicy that should prevent it. What is the most likely cause?

Question 10 (easy, multiple choice)

A DevOps engineer needs to restrict the outbound network traffic from pods running in namespace 'secure-ns'. Which NetworkPolicy configuration achieves this by default?

Question 11 (medium, multi select)

Which TWO of the following are valid methods to secure the etcd datastore in a Kubernetes cluster?

Question 12 (hard, multiple choice)

You are a security engineer for a financial services company running a Kubernetes cluster on-premises. The cluster uses kubeadm for bootstrapping and Calico for network policy. Recently, a compliance audit revealed that all nodes in the cluster have the kubelet port 10250 open to the public network, allowing unauthenticated access to the kubelet API. This poses a severe security risk. The cluster has 10 worker nodes and 3 control plane nodes. You need to remediate this without disrupting running workloads. The nodes are behind a corporate firewall, but the internal network is considered untrusted. You have access to the node's iptables and can modify configuration files. Which course of action best secures the kubelet port while maintaining cluster functionality?

Question 13 (medium, multiple choice)

A security engineer is configuring a Kubernetes cluster to meet CIS benchmark recommendations. The cluster uses kubeadm for bootstrapping. Which action should be taken to ensure the kube-apiserver is hardened against unauthorized access?

Question 14 (hard, multiple choice)

A Kubernetes cluster is experiencing issues where pods cannot pull images from a private container registry. The registry requires authentication via imagePullSecrets. The cluster has a pod running with the following spec snippet. What is the likely cause of the failure?

Question 15 (easy, multiple choice)

A DevOps team is tasked with upgrading a Kubernetes cluster from version 1.21 to 1.22. They want to minimize downtime and follow best practices. Which approach should they take?

Question 16 (medium, multi select)

Which TWO actions should be taken to secure etcd in a Kubernetes cluster?

Question 17 (medium, drag order)

Arrange the steps to create and enforce a Pod Security Policy (PSP) in a Kubernetes cluster.

Question 18 (medium, drag order)

Order the steps to perform a Kubernetes cluster upgrade from version 1.24 to 1.25.

Question 19 (medium, matching)

Match each Kubernetes security component to its description.

Admission controller that enforces security constraints on pods

Defines how groups of pods can communicate with each other and other network endpoints

Role-based access control for authorization within the cluster

Linux security facility to restrict system calls from a container

Mandatory access control system that confines programs to a limited set of resources

Question 20 (medium, matching)

Match each container security context setting to its effect.

Prevents processes from gaining more privileges than their parent

Ensures the container runs with a user ID that is not 0 (root)

Mounts the container's root filesystem as read-only

Drops all Linux capabilities, minimizing kernel privileges

Disables privileged mode, preventing access to host devices

Question 21 (easy, multiple choice)

Which flag must be set on the kube-apiserver to disable anonymous authentication?

Question 22 (medium, multiple choice)

A security auditor runs kube-bench and reports that the kubelet is not configured with --protect-kernel-defaults. What is the impact of this misconfiguration?

Question 23 (medium, multiple choice)

You need to enable encryption at rest for secrets in an existing cluster. Which resource should you create?

Question 24 (hard, multiple choice)

An administrator applies the following manifest to enable audit logging:

    apiVersion: audit.k8s.io/v1
    kind: Policy
    metadata:
      name: audit-policy
    rules:
    - level: Metadata
      resources:
      - group: ""
        resources: ["secrets"]

Which audit level is being used for requests to the Secrets API?

Question 25 (medium, multiple choice)

Which admission plugin should be enabled to prevent kubelets from modifying Node objects they should not have access to?

Question 26 (easy, multiple choice)

What is the purpose of the --audit-policy-file flag on the kube-apiserver?

Question 27 (hard, multiple choice)

A cluster administrator wants to ensure that a specific service account (my-sa) cannot have its token mounted automatically in pods. Which annotation should be set on the service account?

Question 28 (medium, multiple choice)

You run 'kubectl auth can-i --list --as=system:serviceaccount:kube-system:my-sa' and see that my-sa has cluster-admin access. What is the BEST way to reduce privileges?

Question 29 (easy, multiple choice)

Which of the following is a recommended setting from the CIS Kubernetes Benchmark for the kubelet?

Question 30 (medium, multiple choice)

An administrator wants to secure etcd communication. Which of the following is required?

Question 31 (hard, multiple choice)

After running kube-bench, you see a failing check: '1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive'. What is the remediation?

Question 32 (medium, multiple choice)

Which etcd encryption provider is considered strongest for encrypting secrets at rest?

Question 33 (medium, multi select)

Which TWO admission plugins should be enabled to improve cluster security according to CIS benchmarks? (Choose two.)

Question 34 (hard, multi select)

Which THREE of the following are recommended actions to secure the Kubernetes Dashboard? (Choose three.)

Question 35 (easy, multi select)

Which TWO of the following are valid methods to restrict etcd access? (Choose two.)

Question 36 (easy, multiple choice)

Which kubectl command can be used to check the CIS benchmark compliance of a Kubernetes cluster?

Question 37 (medium, multiple choice)

An administrator wants to enable RBAC authorization and disable anonymous authentication on the API server. Which set of flags should be added to the kube-apiserver configuration?

Question 38 (hard, multiple choice)

During a security audit, you run kube-bench and find that the API server audit logging is not enabled. Which set of flags should be added to the kube-apiserver to enable audit logging with a policy file located at /etc/kubernetes/audit-policy.yaml?

Question 39 (medium, multiple choice)

You need to enable encryption at rest for secrets in the cluster. Which resource should you create to configure encryption providers?

Question 40 (medium, multiple choice)

An administrator runs 'kubectl describe nodes' and notices that the node status shows 'Ready,SchedulingDisabled'. What is the most likely cause?

Question 41 (easy, multiple choice)

Which kubelet flag should be set to ensure the kubelet does not allow anonymous requests?

Question 42 (medium, multiple choice)

You are creating a ServiceAccount that should not automatically mount its token to pods. Which field should be set in the ServiceAccount manifest?

Question 43 (hard, multiple choice)

An administrator wants to restrict which nodes a pod can be scheduled on using the NodeRestriction admission plugin. Which flag must be set on the kube-apiserver to enable this plugin?

Question 44 (medium, multiple choice)

What is the purpose of the Kubernetes Dashboard?

Question 45 (easy, multiple choice)

Which admission plugin is recommended by the CIS Kubernetes Benchmark to restrict the kubelet's ability to modify nodes?

Question 46 (medium, multiple choice)

You need to encrypt etcd data at rest using AES-CBC. Which encryption provider should you specify in the EncryptionConfiguration?

Question 47 (hard, multiple choice)

You are auditing RBAC and find a ClusterRoleBinding that grants cluster-admin to a service account. Which command should you run to list all ClusterRoleBindings in the cluster?

Question 48 (medium, multiple choice)

Which etcd security measure should be implemented to ensure only authorized clients can access the etcd cluster?

Question 49 (easy, multiple choice)

An administrator runs 'kubectl get pods' and sees that a pod is in 'Pending' state. What is the most likely reason for this state?

Question 50 (medium, multiple choice)

You want to ensure that a pod only runs on nodes that have a specific label, 'disktype=ssd'. Which field should be specified in the pod spec?

Question 51 (medium, multi select)

Which TWO of the following are recommended practices for securing the Kubernetes Dashboard? (Select TWO)

Question 52 (medium, multi select)

Which TWO kubelet flags are recommended by the CIS Kubernetes Benchmark to enhance security? (Select TWO)

Question 53 (hard, multi select)

Which THREE of the following are valid ways to secure etcd in a Kubernetes cluster? (Select THREE)

Question 54 (easy, multi select)

Which TWO of the following are recommended settings for the Kubernetes API server according to the CIS Kubernetes Benchmark? (Select TWO)

Question 55 (hard, multi select)

Which THREE of the following are best practices for RBAC hardening in Kubernetes? (Select THREE)

Question 56 (easy, multiple choice)

Which flag disables anonymous authentication on the API server?

Question 57 (medium, multiple choice)

An administrator runs 'kube-bench run --targets=master' and sees a failing check for 'Ensure that the --audit-log-path argument is set'. What is the correct remediation?

Question 58 (medium, multiple choice)

A security audit reveals that etcd does not encrypt data at rest. Which resource must be created to enable encryption?

Question 59 (hard, multiple choice)

A ClusterRoleBinding named 'admin-binding' binds the cluster-admin ClusterRole to a service account 'sa-admin' in namespace 'ns1'. What is the security concern?

Question 60 (medium, multiple choice)

Which kubectl command creates a Role named 'pod-reader' that allows only 'get', 'list', and 'watch' on pods in namespace 'ns1'?

Question 61 (easy, multiple choice)

Which admission plugin is recommended by the CIS Benchmark to restrict what nodes can modify?

Question 62 (medium, multiple choice)

An administrator wants to prevent the kubelet from serving anonymous requests. Which flag should be set on the kubelet?

Question 63 (hard, multiple choice)

A pod in namespace 'ns1' has automountServiceAccountToken: false. However, the container still has a mounted service account token at /var/run/secrets/kubernetes.io/serviceaccount. What is the most likely cause?

Question 64 (medium, multiple choice)

Which flag must be set on the API server to enable audit logging?

Question 65 (easy, multiple choice)

What is the purpose of the CIS Kubernetes Benchmark?

Question 66 (medium, multiple choice)

An administrator runs 'kubectl auth can-i --list --as=system:serviceaccount:ns1:my-sa' and sees that the service account has 'create pods' permission via a RoleBinding. Which command can be used to delete that RoleBinding?

Question 67 (hard, multiple choice)

A security scanner reports that the Kubernetes dashboard is publicly accessible. Which recommended action should be taken?

Question 68 (medium, multiple choice)

Which flag is used to restrict the kubelet's ability to modify node status and pods?

Question 69 (easy, multiple choice)

What is the recommended way to provide TLS certificates to the API server?

Question 70 (medium, multiple choice)

Which command can be used to check if the API server has anonymous authentication enabled?

Question 71 (medium, multi select)

Which TWO actions are recommended by the CIS Kubernetes Benchmark for securing etcd?

Question 72 (hard, multi select)

Which THREE flags should be set on the kubelet to comply with the CIS Benchmark for worker node security?

Question 73 (medium, multi select)

Which TWO resources can be used to implement RBAC in Kubernetes?

Question 74 (easy, multi select)

Which TWO checks are performed by kube-bench for the master node?

Question 75 (hard, multi select)

Which THREE are valid ways to restrict access to the Kubernetes API server?

Question 76 (easy, multiple choice)

Which flag should be set on the kube-apiserver to disable anonymous authentication?

Question 77 (medium, multiple choice)

An administrator runs kube-bench and receives a failing result for CIS control 1.1.1. What does this control typically check?

Question 78 (hard, multiple choice)

A security policy requires that all communication to etcd be encrypted. Which two components must be configured with TLS certificates to achieve this? (Select two)

Question 79 (medium, multi select)

Which TWO of the following are recommended practices for securing the Kubernetes dashboard?

Question 80 (easy, multiple choice)

Which kube-apiserver flag enables encryption at rest for secrets?

Question 81 (medium, multiple choice)

A security audit reveals that a ServiceAccount named 'monitor' has a ClusterRoleBinding to the cluster-admin role. What is the best remediation?

Question 82 (medium, multiple choice)

Which kubelet flag prevents the kubelet from serving anonymous requests?

Question 83 (hard, multi select)

Which THREE of the following are valid encryption providers that can be used in EncryptionConfiguration for encryption at rest?

Question 84 (easy, multiple choice)

Which kube-apiserver flag enables audit logging?

Question 85 (medium, multiple choice)

A cluster administrator wants to ensure that pods cannot modify node objects. Which admission plugin should be enabled?

Question 86 (hard, multiple choice)

You need to run kube-bench on a control plane node. Which command should you use?

Question 87 (medium, multiple choice)

A security policy requires that all ServiceAccounts in a namespace do not automatically mount their tokens. How can this be achieved at the namespace level?

Question 88 (medium, multi select)

Which TWO admission plugins are recommended to be enabled for security hardening?

Question 89 (easy, multiple choice)

What is the default authorization mode for a new Kubernetes cluster?

Question 90 (medium, multiple choice)

You run 'kubectl auth can-i --list --as=admin' and see that the admin user has full cluster-admin access. Which command would create a ClusterRoleBinding for a user named 'viewer' with read-only access to all resources?

Question 91 (easy, multiple choice)

Which kubectl command will disable anonymous authentication on a kube-apiserver?

Question 92 (medium, multiple choice)

You have a requirement to encrypt secrets at rest in etcd. Which resource and apiVersion should be used?

Question 93 (medium, multiple choice)

A security auditor runs kube-bench on your cluster and reports that the apiserver is using default service account tokens. Which admission plugin should be enabled to address this?

Question 94 (hard, multiple choice)

You need to create a ClusterRole that allows listing secrets, but only in namespaces that have a specific label 'security-level=high'. Which approach should you use?

Question 95 (medium, multiple choice)

You run 'kube-bench' and see a failure: '1.2.7 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate'. What is the impact of this misconfiguration?

Question 96 (easy, multiple choice)

Which flag on the kubelet disables anonymous access?

Question 97 (hard, multiple choice)

You are asked to ensure that a specific Kubernetes dashboard (e.g., kubernetes-dashboard) is not publicly accessible. The dashboard is deployed in the 'kube-system' namespace. Which NetworkPolicy should you apply?

Question 98 (medium, multiple choice)

You need to audit all API requests to the cluster. Which set of apiserver flags should be configured?

Question 99 (easy, multiple choice)

Which RBAC resource should be used to grant cluster-wide permissions to a user?

Question 100 (medium, multiple choice)

A service account 'monitor' needs to list pods in all namespaces. Which minimal RBAC configuration should you use?

Question 101 (medium, multiple choice)

You are auditing RBAC and find a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to the service account 'default' in namespace 'kube-system'. What is the risk?

Question 102 (hard, multiple choice)

You want to ensure that kubelets only serve pods that have been scheduled by the API server. Which admission plugin should be enabled?

Question 103 (medium, multi select)

Which TWO of the following are recommendations from the CIS Kubernetes Benchmark?

Question 104 (hard, multi select)

Which THREE of the following are valid methods to secure etcd?

Question 105 (medium, multi select)

Which TWO of the following are best practices for hardening Kubernetes Dashboard?

Question 106 (medium, multiple choice)

An administrator runs `kube-bench` on a Kubernetes node and receives a warning that the kubelet is configured with `--anonymous-auth=true`. Which kubectl command should be used to fix this on the kubelet?

Question 107 (medium, multiple choice)

You are tasked with enabling audit logging for the Kubernetes API server. Which API server flag must be used to specify the audit log file path?

Question 108 (medium, multiple choice)

A security scan reports that the etcd cluster does not encrypt data at rest. The cluster uses aescbc encryption. Which resource type should be created to configure encryption at rest?

Question 109 (easy, multiple choice)

Which admission plugin should be enabled on the kubelet to ensure it only registers nodes and sets labels as allowed by the Node REST API?

Question 110 (medium, multiple choice)

An administrator wants to ensure that a service account used by a deployment cannot automatically mount its token. Which field should be set to `false` in the Pod spec?

Question 111 (hard, multiple choice)

You need to create an RBAC role that allows reading secrets only in namespace 'production'. Which ClusterRole and RoleBinding combination is correct?

Question 112 (easy, multiple choice)

Which of the following flags should be set to `false` to disable anonymous authentication to the Kubernetes API server?

Question 113 (medium, multiple choice)

A pod runs with a service account that has a ClusterRoleBinding granting cluster-admin. What is the best practice to reduce the risk of privilege escalation?

Question 114 (hard, multiple choice)

You are securing etcd. Which of the following is required to enable TLS client authentication for etcd?

Question 115 (medium, multiple choice)

The Kubernetes Dashboard is deployed in the cluster. To secure it, which of the following is a recommended practice?

Question 116 (easy, multiple choice)

Which flag enables the NodeRestriction admission plugin on the API server?

Question 117 (medium, multiple choice)

An administrator runs `kube-bench` and sees that the check 'Ensure that the --protect-kernel-defaults flag is set to true' has failed. Which component does this check apply to?

Question 118 (medium, multi select)

Which two of the following are recommended by the CIS Kubernetes Benchmark? (Choose two.)

Question 119 (hard, multi select)

Which three of the following are valid methods to restrict access to etcd? (Choose three.)

Question 120 (medium, multi select)

Which two of the following are correct ways to enforce least privilege for service accounts? (Choose two.)

Question 121 (easy, multiple choice)

Which kubectl command checks the CIS Benchmark compliance of a cluster node using the kube-bench tool?

Question 122 (medium, multiple choice)

An administrator wants to disable anonymous authentication to the Kubernetes API server. Which flag should be added to the kube-apiserver configuration?

Question 123 (medium, multiple choice)

Which admission plugin should be enabled to ensure that kubelet only serves pods bound to its node and prevents unauthorized node access?

Question 124 (hard, multiple choice)

You have enabled etcd encryption at rest using an EncryptionConfiguration with aescbc provider. After applying the configuration, you create a new Secret. Which of the following is true regarding the encrypted Secret?

Question 125 (easy, multiple choice)

What is the purpose of the --audit-log-path flag on the kube-apiserver?

Question 126 (medium, multiple choice)

An administrator runs 'kubectl get clusterrolebindings' and notices a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to a service account in the 'default' namespace. What security concern does this raise?

Question 127 (medium, multiple choice)

Which flag must be set on the kubelet to prevent it from using the default namespace for pods and to enforce that pods only use namespaces that match the node's assigned namespace?

Question 128 (hard, multiple choice)

A security auditor recommends enabling audit logging for the Kubernetes API server with a policy that logs all requests at the Metadata level. Which configuration ensures this requirement?

Question 129 (easy, multiple choice)

Which of the following is a valid method to disable automatic mounting of service account tokens for a pod?

Question 130 (medium, multiple choice)

An administrator wants to secure etcd communication. Which of the following is required to enable TLS for client-to-etcd communication?

Question 131 (hard, multiple choice)

A ClusterRole named 'secret-reader' is defined with rules to get, list, and watch secrets. A RoleBinding in namespace 'app' binds this ClusterRole to a service account. Which of the following best describes the permissions of the service account?

Question 132 (medium, multiple choice)

Which of the following is a recommended practice when securing the Kubernetes Dashboard?

Question 133 (medium, multi select)

Which TWO of the following are CIS Benchmark recommendations for securing the Kubernetes API server? (Select TWO)

Question 134 (hard, multi select)

Which THREE of the following are valid methods to restrict access to etcd in a Kubernetes cluster? (Select THREE)

Question 135 (medium, multi select)

Which TWO of the following are recommended actions to harden service account security in a Kubernetes cluster? (Select TWO)

Question 136 (easy, multiple choice)

Which flag should you set on the kube-apiserver to disable anonymous authentication?

Question 137 (medium, multiple choice)

An administrator runs 'kube-bench master' and receives a warning that etcd has no client certificate authentication. What is the recommended remediation?

Question 138 (hard, multiple choice)

You are configuring kubelet security. Which flag prevents containers from modifying kernel parameters?

Question 139 (easy, multiple choice)

Which admission plugin should be enabled on the kube-apiserver to enforce that kubelets cannot modify nodes they are not assigned to?

Question 140 (medium, multiple choice)

An administrator creates an EncryptionConfiguration with aescbc and saves it to /etc/kubernetes/enc/enc.yaml. Which flag must be added to the kube-apiserver to enable encryption at rest?

Question 141 (easy, multiple choice)

To disable service account token automount for a pod, which field should be set to false in the pod spec?

Question 142 (medium, multiple choice)

You want to ensure that the Kubernetes Dashboard is accessed only by authenticated users with specific permissions. What is the BEST approach?

Question 143 (medium, multiple choice)

Which kubectl command can be used to view the audit log policy currently in use by the API server?

Question 144 (hard, multiple choice)

A security scan reports that the etcd data directory is not encrypted at rest. The cluster uses etcd v3.5. Which steps are required to enable encryption?

Question 145 (easy, multiple choice)

Which of the following is a recommended CIS benchmark setting for the kubelet?

Question 146 (medium, multiple choice)

A developer created a ClusterRoleBinding that grants cluster-admin to a service account. What is the security concern?

Question 147 (medium, multiple choice)

Which command would you run to check if anonymous authentication is enabled on the API server?

Question 148 (medium, multi select)

Which TWO of the following are recommended practices for etcd security?

Question 149 (hard, multi select)

Which THREE of the following are valid flags for enabling admission plugins on the API server?

Question 150 (medium, multi select)

Which TWO actions are part of the CIS Kubernetes Benchmark recommendations?

Question 151 (easy, multiple choice)

Which flag must be set on the kube-apiserver to disable anonymous authentication?

Question 152 (medium, multiple choice)

You run 'kube-bench' on a cluster node and get a failure for the test 'Ensure that the --anonymous-auth argument is set to false' (ID: 1.2.1). Which file do you need to modify to fix this issue?

Question 153 (hard, multiple choice)

An administrator wants to enable encryption at rest for secrets in a Kubernetes cluster. They create the following EncryptionConfiguration and place it at /etc/kubernetes/enc/enc.yaml. Which flag must be added to the kube-apiserver to use this configuration?

Question 154 (medium, multiple choice)

You need to ensure that the kubelet only serves authenticated and authorized requests. Which flag(s) should be set on the kubelet?

Question 155 (easy, multiple choice)

Which admission plugin should be enabled to prevent kubelets from modifying nodes or pods they do not own?

Question 156 (medium, multiple choice)

You are reviewing RBAC permissions and notice a ClusterRoleBinding that binds the cluster-admin role to a service account in the 'monitoring' namespace. What is the best practice recommendation?

Question 157 (hard, multiple choice)

An etcd cluster uses TLS for peer and client communication. You need to secure etcd further by enabling RBAC. Which flag do you set on the etcd process to enable authentication?

Question 158 (medium, multiple choice)

To enforce Pod Security Standards at the namespace level, which admission plugin must be enabled on the API server?

Question 159 (easy, multiple choice)

What is the purpose of the 'automountServiceAccountToken: false' setting in a Pod spec?

Question 160 (hard, multiple choice)

You deploy the Kubernetes Dashboard using the official YAML manifests. Which of the following is the MOST secure approach to expose the Dashboard?

Question 161 (medium, multiple choice)

You need to enable audit logging for the Kubernetes API server. Which three flags must be set?

Question 162 (medium, multiple choice)

You are configuring etcd encryption at rest. After placing the EncryptionConfiguration YAML file, you must modify which file to point the API server to it?

Question 163 (medium, multi select)

Which TWO of the following are recommended practices according to the CIS Kubernetes Benchmark? (Select 2)

Question 164 (hard, multi select)

Which THREE of the following are valid ways to restrict access to etcd? (Select 3)

Question 165 (medium, multi select)

Which TWO admission plugins should be enabled to improve cluster security according to the CIS Benchmark? (Select 2)

Question 166 (easy, multiple choice)

Which kubectl command runs kube-bench against a Kubernetes cluster?

Question 167 (medium, multiple choice)

An administrator runs kube-bench on a node and sees a warning about the kubelet anonymous authentication being enabled. Which kubelet flag should be set to disable anonymous access?

Question 168 (medium, multiple choice)

A security team wants to ensure that all API requests to the cluster are authenticated and that RBAC is used for authorization. Which two flags must be set on the kube-apiserver?

Question 169 (hard, multiple choice)

A pod running in the cluster is in a CrashLoopBackOff state. You run 'kubectl describe pod <pod>' and see the following event: 'Warning BackOff Back-off restarting failed container'. Which command would you run to see the standard error output of the container?

Question 170 (medium, multiple choice)

An administrator wants to enable audit logging for the Kubernetes API server. Which of the following is required?

Question 171 (hard, multiple choice)

After setting up etcd encryption at rest using EncryptionConfiguration with aescbc, which resource stores the encryption key?

Question 172 (easy, multiple choice)

Which of the following is a CIS benchmark recommendation for securing the Kubernetes API server?

Question 173 (medium, multiple choice)

A security audit reveals that a service account in the 'default' namespace has been granted cluster-admin privileges via a ClusterRoleBinding. What is the best mitigation?

Question 174 (medium, multiple choice)

Which admission plugin should be enabled on the kube-apiserver to restrict kubelet permissions and prevent nodes from modifying their own Node objects?

Question 175 (easy, multiple choice)

Which flag on the kubelet helps ensure it runs securely by enforcing kernel defaults?

Question 176 (hard, multiple choice)

A pod is failing with status 'CrashLoopBackOff'. The pod manifest includes a liveness probe that runs every 10 seconds. You suspect the probe is causing the crash. Which command would you use to verify the liveness probe configuration?

Question 177 (medium, multiple choice)

Which of the following YAML snippets correctly configures a ServiceAccount with automountServiceAccountToken set to false?

Question 178 (medium, multi select)

Which TWO of the following are recommended CIS benchmark practices for securing etcd? (Choose two.)

Question 179 (medium, multi select)

Which TWO admission plugins are recommended by the CIS benchmark to be enabled on the kube-apiserver? (Choose two.)

Question 180 (hard, multi select)

Which THREE of the following are valid methods to restrict access to the Kubernetes Dashboard? (Choose three.)

Question 181 (easy, multiple choice)

Which kubectl flag disables anonymous authentication on the API server?

Question 182 (medium, multiple choice)

You run kube-bench on a node and it reports a failure for 'Ensure that the --anonymous-auth argument is set to false' for the kubelet service. Which file must you modify to fix this?

Question 183 (easy, multiple choice)

Which admission plugin enforces that kubelets cannot modify pods they do not own?

Question 184 (medium, multiple choice)

You are tasked with enabling audit logging for the Kubernetes API server. You have created an audit policy file at /etc/kubernetes/audit-policy.yaml. Which flag must be added to the API server manifest to enable audit logging?

Question 185 (hard, multiple choice)

An etcd cluster uses TLS for peer and client communication. Which command correctly tests connectivity to an etcd member with client certificate authentication?

Question 186 (medium, multiple choice)

A security audit reveals that a service account 'monitor' is bound to the cluster-admin ClusterRole, which violates least-privilege. What is the best remediation?

Question 187 (easy, multiple choice)

Which of the following is a recommended CIS Benchmark control for etcd?

Question 188 (hard, multiple choice)

You need to encrypt Kubernetes secrets at rest using aescbc. Which YAML snippet defines the EncryptionConfiguration correctly?

Question 189 (medium, multiple choice)

An administrator runs kubectl get clusterrolebindings and sees a binding named 'system:node'. This binding is part of the legacy node authorization. According to CIS benchmarks, what should be done with it?

Question 190 (medium, multiple choice)

You are configuring kubelet to protect kernel defaults. Which flag enables this?

Question 191 (hard, multiple choice)

A cluster's API server is configured with --authorization-mode=RBAC,Node. A kubelet attempts to create a ConfigMap. Which authorizer will evaluate the request?

Question 192 (easy, multiple choice)

Which admission plugin should be used to enforce Pod Security Standards at the namespace level?

Question 193 (medium, multi select)

Which TWO of the following are CIS Benchmark recommendations for securing the API server?

Question 194 (medium, multi select)

Which TWO actions would help secure the Kubernetes Dashboard?

Question 195 (hard, multi select)

Which THREE of the following are valid methods to disable automount of service account tokens for a pod?

Question 196 (easy, multiple choice)

Which flag disables anonymous authentication on the Kubernetes API server?

Question 197 (medium, multiple choice)

An administrator runs kube-bench on a cluster node and receives failures for CIS benchmark checks related to kubelet configuration. Which kubelet flag should be set to ensure that kernel defaults are not used when they might be insecure?

Question 198 (medium, multiple choice)

A security audit reveals that the etcd datastore is not encrypted at rest. Which resource should be created to enable encryption of secrets at rest?

Question 199 (hard, multiple choice)

You are tasked with securing a Kubernetes cluster. You want to ensure that the kubelet only serves APIs that are explicitly allowed and that it does not allow anonymous requests. Which kubelet configuration flags should you set?

Question 200 (easy, multiple choice)

Which admission plugin should be enabled on the API server to ensure that the kubelet cannot modify its own Node object beyond its assigned node?

Question 201 (medium, multiple choice)

An administrator wants to enable audit logging on the API server. Which three flags are required to set up basic audit logging?

Question 202 (medium, multiple choice)

A developer creates a pod with the following YAML:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  serviceAccountName: default
  automountServiceAccountToken: true
  containers:
  - name: app
    image: nginx

What is the security concern with this configuration?

Question 203 (hard, multiple choice)

You need to restrict access to etcd so that only the API server can communicate with it. Which method should you use?

Question 204 (easy, multiple choice)

Which kubectl command can be used to determine if anonymous authentication is enabled on the API server?

Question 205 (medium, multiple choice)

An administrator wants to ensure that no service account in the 'development' namespace has cluster-admin privileges. Which command should be used to identify such bindings?

Question 206 (medium, multiple choice)

What is the purpose of the --authorization-mode=RBAC flag on the API server?

Question 207 (hard, multiple choice)

A cluster has been hardened by setting --anonymous-auth=false and enabling RBAC. However, kube-bench still reports a failure for the kubelet check 'Ensure that the --anonymous-auth argument is set to false'. What could be the reason?

Question 208 (medium, multi select)

Which TWO actions are recommended by the CIS Kubernetes Benchmark to secure the API server?

Question 209 (medium, multi select)

Which THREE options are valid methods to secure etcd in a Kubernetes cluster?

Question 210 (hard, multi select)

Which TWO practices help secure the Kubernetes Dashboard?

Question 211 (easy, multiple choice)

Which of the following flags should be set on the kube-apiserver to disable anonymous authentication?

Question 212 (medium, multiple choice)

An administrator wants to restrict a service account to only be able to create pods in the 'development' namespace. Which RBAC configuration should be used?

Question 213 (hard, multiple choice)

You run kube-bench on a node and it reports a failure for control plane component etcd. The check says 'Ensure that the --cert-file and --key-file arguments are set as appropriate'. You examine the etcd manifest file and find that the cert-file and key-file are configured with a self-signed certificate. What is the BEST action to remediate this finding?

Question 214 (medium, multiple choice)

A security audit reveals that several pods have the service account token mounted automatically. Which annotation should be added to the pod's service account to prevent automatic mounting?

Question 215 (easy, multiple choice)

Which of the following is the correct flag to enable audit logging on the kube-apiserver?

Question 216 (medium, multiple choice)

A cluster administrator wants to encrypt secrets at rest in etcd. Which resource must be created to configure encryption?

Question 217 (hard, multiple choice)

You are tasked with securing the kubelet. Which flag must be set on the kubelet to enable the NodeRestriction admission plugin?

Question 218 (easy, multiple choice)

Which of the following is a recommended practice for securing Kubernetes Dashboard?

Question 219 (medium, multiple choice)

An admin runs 'kubectl auth reconcile -f rbac.yaml' and gets an error that the user does not have permission to create ClusterRoleBindings. What is the most likely cause?

Question 220 (medium, multiple choice)

To protect kernel defaults on a node, which flag should be set on the kubelet?

Question 221 (hard, multiple choice)

A ClusterRoleBinding grants cluster-admin to a service account in the 'kube-system' namespace. What is the best way to audit this for least privilege?

Question 222 (easy, multiple choice)

Which of the following is a correct method to enable encryption at rest for secrets in etcd using the EncryptionConfiguration?

Question 223 (medium, multi select)

Which TWO of the following are recommended settings from the CIS Kubernetes Benchmark for the kube-apiserver? (Select 2)

Question 224 (medium, multi select)

Which TWO of the following are valid ways to restrict access to etcd? (Select 2)

Question 225 (hard, multi select)

Which THREE of the following are recommended practices for hardening RBAC in a Kubernetes cluster? (Select 3)

Question 226 (easy, multiple choice)

Which flag must be set on the kube-apiserver to disable anonymous authentication?

Question 227 (medium, multiple choice)

A security auditor runs kube-bench on a Kubernetes node and reports that the check '1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive' fails. What is the most appropriate remediation?

Question 228 (medium, multiple choice)

You need to enable audit logging for the Kubernetes API server. Which two flags must be set?

Question 229 (hard, multiple choice)

An etcd cluster is configured with TLS. You need to enforce that only the API server can read and write to etcd. Which method should you use?

Question 230 (medium, multiple choice)

You want to ensure that kubelet does not allow anonymous requests. Which flag must be set on the kubelet?

Question 231 (easy, multiple choice)

Which admission plugin should be enabled on the API server to enforce that kubelet cannot modify nodes other than its own?

Question 232 (medium, multiple choice)

You are auditing RBAC and find a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to a service account in the 'default' namespace. What is the security concern?

Question 233 (hard, multiple choice)

A pod is in a CrashLoopBackOff state. You run 'kubectl logs pod-name' and see: 'Error: failed to start container: exec: "/app": stat /app: no such file or directory'. What is the most likely cause?

Question 234 (medium, multi select)

Which TWO of the following are recommended CIS Kubernetes Benchmark controls for securing the kube-apiserver?

Question 235 (medium, multi select)

Which TWO of the following are valid arguments for etcd encryption at rest?

Question 236 (hard, multi select)

Which THREE of the following are recommended practices for securing Kubernetes Dashboard?

Question 237 (easy, multi select)

Which TWO of the following flags are used to secure the kubelet?

Question 238 (medium, multi select)

Which THREE of the following are valid fields in an EncryptionConfiguration YAML to encrypt secrets at rest?

Question 239 (hard, multi select)

You are securing a cluster and want to ensure that service account tokens are not automatically mounted in pods that do not need them. Which THREE actions should you take?
