CKS Minimize Microservice Vulnerabilities • Complete Question Bank
Complete CKS Minimize Microservice Vulnerabilities question bank — all 0 questions with answers and detailed explanations.
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
```
Match each concept to its description:
- Provides an identity for processes running in a pod
- Stores sensitive data such as passwords, OAuth tokens, and SSH keys
- Stores non-sensitive configuration data in key-value pairs
- Specifies security settings for a pod or container
- Limits resource consumption per namespace to prevent resource exhaustion
Match each concept to its description:
- Outbound network traffic from a pod to external endpoints
- Inbound network traffic to a pod from external sources
- Specification of how groups of pods are allowed to communicate
- Container Network Interface plugin that implements networking for pods
- Infrastructure layer for handling service-to-service communication, often with mTLS
A developer creates a Deployment with the following container spec:
```yaml
containers:
- name: app
  image: myapp:latest
  env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: password
```
Which of the following is a security concern with this approach?
A pod is configured with the following security context:
```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```
The volume mounted at /data is owned by user 1000 and group 2000. The container process inside the pod writes to /data. Which statement about file ownership is true?
A pod is running with the following security context:
```yaml
securityContext:
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
```
The pod is in a CrashLoopBackOff. The logs show: "exec user process caused: operation not permitted". What is the most likely cause?
An administrator deploys a Gatekeeper ConstraintTemplate with the following Rego policy:
```rego
package k8srequiredlabels

deny[{"msg": msg}] {
  input.request.kind.kind == "Pod"
  not input.request.object.metadata.labels["security-tier"]
  msg := "Pod must have label 'security-tier'"
}
```
After creating the Constraint, a user creates a Pod without the 'security-tier' label. What is the expected behavior?
An administrator deploys a Pod with the following security context:
```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
```
However, the Pod fails to start with an error: 'container has runAsNonRoot and image will run as root'. What is the most likely cause?
A security engineer runs the following command to inspect a pod's security context:
```shell
kubectl get pod secure-pod -o jsonpath='{.spec.containers[0].securityContext.capabilities}'
```
The output is: `{"drop":["ALL"]}`
What does this indicate?
An OPA/Gatekeeper ConstraintTemplate is defined with the following Rego rule:
```rego
violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  container.securityContext.runAsNonRoot != true
  msg := "Container must run as non-root"
}
```
What happens when a pod is submitted with a container that has runAsNonRoot: true?