Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CKS Supply Chain Security • Complete Question Bank

CKS Supply Chain Security — All Questions With Answers

Complete CKS Supply Chain Security question bank — all 0 questions with answers and detailed explanations.

190 questions · Free · No signup
Question 1 (medium, multi select)

Which TWO of the following are best practices for securing the container supply chain?

Question 2 (hard, multi select)

Which THREE of the following are required to implement a secure software supply chain using Kubernetes native features?

Question 3 (easy, multiple choice)

A DevOps team wants to ensure that only signed images from a trusted registry are deployed in the cluster. They plan to use a webhook to intercept pod creation. Which tool is best suited for this task?

Question 4 (medium, multiple choice)

A security audit reveals that a container image running in production contains a critical vulnerability (CVE-2024-1234). The image was built from a base image that had the vulnerability. What is the MOST effective long-term solution to prevent such issues?

Question 5 (hard, multiple choice)

An organization uses a private container registry and wants to ensure that only images built from a specific CI/CD pipeline are deployed. Which combination of measures provides the strongest guarantee?

Question 6 (hard, multiple choice)

You are the lead security engineer for a large financial institution. The organization runs a Kubernetes cluster with 500+ microservices. The supply chain security team has implemented the following measures: (1) All images are built from a minimal base image (distroless) and scanned with Trivy before being pushed to a private registry. (2) Images are signed using cosign with a key stored in a hardware security module (HSM). (3) Kyverno policies enforce that only signed images from the private registry can run, and also enforce that containers run as non-root. (4) A binary authorization (binauthz) style admission controller verifies attestations. Recently, a critical vulnerability (CVE-2024-0001) was discovered in a popular open-source library used by several microservices. The library is included as a dependency in the base image. The vulnerability is remotely exploitable and has a CVSS score of 9.8. The security team needs to remediate this quickly. They have already patched the library and updated the base image. What is the BEST course of action to ensure all running pods use the new image?

Question 7 (medium, multiple choice)

A development team uses a custom container image for their application, built from a base image that includes multiple CVEs. The security team requires that no container runs with known critical vulnerabilities. Which approach best ensures that only images with no critical vulnerabilities are deployed in production?

Question 8 (hard, multiple choice)

An organization uses a GitOps workflow with Argo CD to deploy applications to Kubernetes. The security team wants to ensure that container images are immutable and signed. They currently use a private container registry (Harbor) with vulnerability scanning and Cosign for signing. Which combination of controls best enforces that only signed and scanned images are deployed?

Question 9 (easy, multi select)

You are auditing a cluster's supply chain security. You find that many pods are running images from public registries without any pinning or verification. Which TWO actions would most effectively reduce the risk of pulling malicious images?

Question 10 (hard, multiple choice)

You are a security engineer at a fintech startup. The company runs a Kubernetes cluster in production with hundreds of microservices. Recently, a container image from a public registry was compromised, and the attacker injected a backdoor that exfiltrated customer data. The CISO mandates that all images must come from an internal registry that only stores approved, scanned, and signed images. Currently, developers build images locally and push them to Docker Hub, then reference those images in Kubernetes manifests. You have deployed Harbor as a private registry with vulnerability scanning and Cosign for signing. However, you notice that some pods are still running images directly from Docker Hub. You need to enforce that only images from your internal Harbor registry can be used in the cluster. You cannot change the Kubernetes manifests immediately because of a large backlog. You have access to the cluster's kubelet configuration and can modify cluster-level components. Which single action will most effectively block any pod that tries to use an image not hosted on your internal registry?

Question 11 (easy, multiple choice)

A DevOps team uses a CI/CD pipeline to build container images and push them to a private registry. To minimize the risk of supply chain attacks, which of the following is the most effective security control to implement?

Question 12 (hard, multi select)

You are securing a Kubernetes cluster that runs workloads from multiple teams. The cluster uses a private container registry and an admission controller to enforce image policies. Which TWO of the following actions are most effective in preventing the use of unapproved or tampered container images? (Choose two correct answers.)

Question 13 (hard, multiple choice)

Refer to the exhibit. A cluster has the ClusterImagePolicy shown. A developer creates a pod with an image from registry.example.com/myapp:v1, which was built and signed by a GitHub Actions workflow that is NOT defined in the policy (different workflow). Which behavior will occur when the pod is created?

Exhibit:

apiVersion: cosigned.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy
spec:
  images:
  - glob: registry.example.com/*
  authorities:
  - keyless:
      identities:
      - issuer: https://accounts.example.com
        subject: https://github.com/example/actions/.github/workflows/release.yml@refs/heads/main

Question 14 (medium, drag order)

Arrange the steps to secure etcd in a Kubernetes cluster.

Question 15 (medium, matching)

Match each Kubernetes API server flag to its security function.

Descriptions to match:

Enables RBAC authorization
Comma-separated list of admission controllers to enable
Disables anonymous requests to the API server
Path to a CA file for verifying kubelet certificates
File containing PEM-encoded x509 RSA or ECDSA private or public keys for service account token signing

Question 16 (medium, multiple choice)

You are tasked with ensuring that all container images in your cluster are scanned for vulnerabilities before being deployed. You have set up Trivy in your CI/CD pipeline and want to enforce that only images with no critical vulnerabilities are allowed. Which admission controller should you configure to reject pods using non-compliant images?

Question 17 (medium, multiple choice)

Which of the following is a best practice for securing container images?

Question 18 (easy, multiple choice)

A security engineer wants to ensure that only images signed with a specific key are allowed to run in the cluster. Which tool can be used to sign container images?

Question 19 (medium, multiple choice)

A developer wants to create a Deployment that runs as a non-root user. Which YAML snippet correctly sets the security context to run the container with UID 1000?

Question 20 (hard, multiple choice)

You are configuring an ImagePolicyWebhook admission controller to allow only images from a trusted registry 'trusted-registry.io'. Which flag must be set in the kube-apiserver configuration to enable the webhook?

Question 21 (medium, multiple choice)

A security team wants to automatically reject any Pod that uses an image tagged with 'latest'. Which tool can be used to define this policy at the admission level?

Question 22 (hard, multiple choice)

Developer A runs 'cosign verify --key cosign.pub myregistry/myimage:tag' and receives an error: 'No signatures found'. Developer B previously ran 'cosign sign --key cosign.key myregistry/myimage:tag'. What is the most likely cause of the verification failure?

Question 23 (easy, multiple choice)

Which tool is commonly used to generate a Software Bill of Materials (SBOM) for a container image?

Question 24 (medium, multiple choice)

A DevOps engineer is setting up a CI/CD pipeline to scan container images for vulnerabilities. They want to fail the pipeline if any critical vulnerabilities are found. Which command should they use to scan the image and produce a JSON output that can be parsed?

Question 25 (hard, multiple choice)

You have configured Kyverno to enforce that all Pods must have an image from a trusted registry. However, a newly created Pod is not being rejected even though it uses an untrusted image. What is the most likely reason?

Question 26 (easy, multiple choice)

Which of the following is a static analysis tool for Kubernetes manifests that can identify security misconfigurations?

Question 27 (medium, multiple choice)

You need to ensure that all containers in your cluster run with a read-only root filesystem. Which field should be set in the container's security context?

Question 28 (medium, multi select)

Which two of the following are best practices for container image security? (Select TWO.)

Question 29 (hard, multi select)

Which three of the following are valid ways to enforce supply chain security in a Kubernetes cluster? (Select THREE.)

Question 30 (medium, multi select)

Which two of the following are best practices for securing a CI/CD pipeline that builds and deploys container images? (Select TWO.)

Question 31 (easy, multiple choice)

Which of the following is a best practice for securing container images in a CI/CD pipeline?

Question 32 (medium, multiple choice)

An administrator runs 'trivy image myapp:1.0' and receives an output with several CRITICAL vulnerabilities. What is the best next step to ensure the image is secure before deployment?

Question 33 (hard, multiple choice)

A cluster uses ImagePolicyWebhook admission controller. After configuring it, deployments referencing images from an unauthorized registry are blocked. However, some deployments are still being admitted. What is a possible cause?

Question 34 (medium, multiple choice)

Which command is used to sign a container image with Cosign and store the signature in an OCI registry?

Question 35 (medium, multiple choice)

A Kubernetes cluster has Kyverno installed. A policy requires that all images come from a trusted registry 'trusted.example.com'. A Deployment uses the image 'nginx:latest'. When the Deployment is created, it is blocked. What Kyverno policy action is being used?

Question 36 (easy, multiple choice)

Which tool can be used to generate an SBOM (Software Bill of Materials) for a container image?

Question 37 (medium, multiple choice)

A security policy requires that all container images use SHA-based digests instead of tags. Which approach ensures this in a Deployment YAML?

Question 38 (hard, multiple choice)

A CI/CD pipeline uses cosign attest to add an SBOM attestation to an image. Later, during deployment, which command verifies the attestation?

Question 39 (easy, multiple choice)

Which of the following is a recommended Dockerfile best practice to improve container security?

Question 40 (medium, multiple choice)

An OPA/Gatekeeper constraint requires that all images' registries match a pattern. A Deployment uses 'myregistry.io/app:v1'. The admission controller rejects it. The admin runs 'kubectl get constraints' and sees the constraint is active. What is the next debugging step?

Question 41 (hard, multiple choice)

A cluster has both ImagePolicyWebhook and a mutating webhook that adds a sidecar. The admin notices that even when ImagePolicyWebhook rejects an image, the mutating webhook has already added the sidecar. What admission ordering issue is occurring?

Question 42 (medium, multiple choice)

Which tool can be used to perform static analysis of Kubernetes manifests for security issues?

Question 43 (medium, multi select)

Which TWO of the following are valid methods to ensure only signed images are deployed in a Kubernetes cluster?

Question 44 (medium, multi select)

Which THREE of the following are best practices for securing the software supply chain in a CI/CD pipeline?

Question 45 (hard, multi select)

Which TWO of the following admission controllers are relevant for supply chain security in Kubernetes?

Question 46 (easy, multiple choice)

You want to scan a container image for vulnerabilities before deploying it. Which command uses the Trivy tool to scan an image?

Question 47 (medium, multiple choice)

A security team wants to ensure that only signed images are deployed in the cluster. They have set up an ImagePolicyWebhook admission controller. After configuring the webhook, they notice that pods with unsigned images are still being created. What is the most likely cause?

Question 48 (easy, multiple choice)

Which of the following is a best practice for securing container images?

Question 49 (medium, multiple choice)

A developer wants to ensure that a pod always uses a specific version of an image that cannot be changed without updating the manifest. Which image reference should be used?

Question 50 (hard, multiple choice)

You are auditing your cluster's supply chain security. You need to generate a Software Bill of Materials (SBOM) for a container image. Which tool should you use?

Question 51 (medium, multiple choice)

An administrator applies the following Kyverno policy to the cluster. What is the effect of this policy?

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
spec:
  validationFailureAction: enforce
  rules:
  - name: check-runAsNonRoot
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Running as root is not allowed."
      pattern:
        spec:
          securityContext:
            runAsNonRoot: true

Question 52 (medium, multiple choice)

A security engineer wants to integrate image scanning into a CI/CD pipeline. They are using a tool that can scan the filesystem of the build context before building the image. Which tool is best suited for this purpose?

Question 53 (hard, multiple choice)

You want to allow only images from a specific registry (e.g., myregistry.io) to be deployed in your cluster. Which tool or approach is best suited for this requirement?

Question 54 (easy, multiple choice)

What is the purpose of using a non-root user in a container image?

Question 55 (medium, multiple choice)

A cluster administrator notices that a pod using an image from a public registry is failing to start. The image was signed with Cosign, and the cluster has an ImagePolicyWebhook configured to require signatures. The error message from the webhook indicates 'signature verification failed'. What is the most likely cause?

Question 56 (hard, multiple choice)

You are tasked with creating a Kubernetes admission controller that validates image signatures before allowing pods to run. Which admission controller should you configure?

Question 57 (medium, multiple choice)

Which of the following is a static analysis tool for Kubernetes manifests that can be used to find misconfigurations?

Question 58 (medium, multi select)

Which TWO of the following are benefits of using an SBOM (Software Bill of Materials) in supply chain security?

Question 59 (hard, multi select)

Which TWO of the following are correct methods to verify a signed container image using Cosign?

Question 60 (easy, multi select)

Which THREE of the following are best practices for writing Dockerfiles?

Question 61 (medium, multiple choice)

An administrator runs 'trivy image --severity HIGH,CRITICAL myapp:v1.0' and sees no vulnerabilities. However, a security scan of the same image using a different tool reports several HIGH severity CVEs. What is the MOST likely reason for this discrepancy?

Question 62 (medium, multiple choice)

A security policy requires that all container images must be signed using Cosign. Which admission controller enforces signature verification at pod creation time?

Question 63 (hard, multiple choice)

A developer wants to ensure the container image used in a Deployment is immutable. Which approach BEST guarantees that the exact same image is used every time, preventing tag mutation?

Question 64 (easy, multiple choice)

Which tool is specifically designed to generate a Software Bill of Materials (SBOM) for container images?

Question 65 (medium, multiple choice)

A security engineer runs 'kubesec scan deployment.yaml' and receives a score of -1. What does this score indicate?

Question 66 (hard, multiple choice)

An OPA/Gatekeeper constraint is configured to allow only images from 'trusted-registry.io'. A pod is created with image 'trusted-registry.io/app:v1' but is denied. Which is the MOST likely cause?

Question 67 (easy, multiple choice)

Which of the following is a BEST practice for container images to reduce the attack surface?

Question 68 (medium, multiple choice)

An administrator wants to verify that an image was signed by a specific key before deploying. Which Cosign command should be used?

Question 69 (medium, multiple choice)

Which Kyverno policy action is used to automatically mutate a resource to add a sidecar container for security?

Question 70 (hard, multiple choice)

A CI pipeline fails with the error 'cosign: error: unable to verify image: no matching signatures' when running 'cosign verify --key pubkey.pem myregistry/myapp:latest'. The image was previously signed with a private key. What is the MOST likely cause?

Question 71 (medium, multiple choice)

Which admission controller runs FIRST in the Kubernetes admission flow?

Question 72 (easy, multiple choice)

A security best practice for Dockerfiles is to avoid hardcoded secrets. Which Dockerfile instruction is MOST likely to contain a hardcoded secret?

Question 73 (medium, multi select)

Which TWO are benefits of using a distroless base image over a full OS image like Ubuntu? (Select two.)

Question 74 (hard, multi select)

Which THREE are valid methods to enforce that only images from a specific registry can be deployed in a Kubernetes cluster? (Select three.)

Question 75 (medium, multi select)

Which TWO are recommended practices for securing a CI/CD pipeline that builds container images? (Select two.)

Question 76 (easy, multiple choice)

A security engineer wants to scan a container image for vulnerabilities using Trivy. Which command should they use?

Question 77 (medium, multiple choice)

A DevOps engineer wants to enforce that all container images running in the cluster are signed using Cosign. Which Kubernetes admission controller is designed for this purpose?

Question 78 (hard, multiple choice)

An administrator runs 'kubectl describe pod secure-pod' and sees that the pod is in a Pending state with the event 'Error: ImagePullBackOff' and the message 'unauthorized: authentication required'. The image is stored in a private registry. What is the most likely cause?

Question 79 (easy, multiple choice)

Which of the following is a best practice for securing a Dockerfile?

Question 80 (medium, multiple choice)

An administrator wants to ensure that only images from a specific registry (e.g., myregistry.internal) can run in the cluster. Which tool can be used to enforce this via admission control?

Question 81 (hard, multiple choice)

A security team wants to generate an SBOM for a container image. Which tool should they use?

Question 82 (medium, multiple choice)

An administrator runs 'kubectl run test-pod --image=nginx:latest' and the pod fails to start. The event log shows 'ImagePullBackOff' with error 'manifest for nginx:latest not found: manifest unknown'. The image 'nginx:latest' exists in the registry. What is the most likely cause?

Question 83 (medium, multiple choice)

Which admission controller is responsible for invoking external webhooks to validate or mutate resources?

Question 84 (hard, multiple choice)

An organization wants to implement supply chain security by signing all container images and verifying them before deployment. Which combination of tools is appropriate?

Question 85 (medium, multiple choice)

A pod is running in a namespace that has a Kyverno policy requiring all images to come from a trusted registry. The pod is using an image from an untrusted registry. What will happen when the pod is created?

Question 86 (easy, multiple choice)

Which of the following is a static analysis tool for Kubernetes manifests?

Question 87 (medium, multiple choice)

An administrator wants to ensure that a Deployment uses a specific image digest (SHA256) instead of a tag. Which field in the Deployment YAML should be modified?

Question 88 (medium, multi select)

Which TWO of the following are valid methods to verify the integrity of a container image before deployment?

Question 89 (hard, multi select)

Which THREE of the following are best practices for securing the software supply chain in Kubernetes?

Question 90 (easy, multi select)

Which TWO of the following are tools that can be used to generate an SBOM for a container image?

Question 91 (medium, multiple choice)

A security admin runs 'trivy image --severity CRITICAL,HIGH myrepo/myapp:latest' and sees many CVEs. The admin wants to ensure that only images with no CRITICAL or HIGH severity vulnerabilities are deployed to the cluster. Which admission controller should be configured to enforce this policy?

Question 92 (easy, multiple choice)

A developer wants to sign a container image using Cosign. Which command should they run after building and pushing the image to a registry?

Question 93 (medium, multiple choice)

An administrator wants to ensure that all containers in a deployment run as a non-root user. Which YAML snippet correctly sets the security context to run as user ID 1000?

Question 94 (hard, multiple choice)

A security engineer wants to enforce that all images in the cluster must come from a trusted registry 'trusted-registry.io'. They are using OPA/Gatekeeper. Which constraint template and constraint combination would achieve this?

Question 95 (easy, multiple choice)

Which tool is used to generate a Software Bill of Materials (SBOM) for a container image?

Question 96 (medium, multiple choice)

A CI/CD pipeline builds a Docker image and pushes it to a registry. To ensure supply chain security, the pipeline should scan the image for vulnerabilities before deployment. Which of the following is the correct command to scan a local Docker image using Trivy?

Question 97 (hard, multiple choice)

A Kyverno policy is written to require all images to use SHA256 digests instead of tags. The policy uses a 'validate' rule with 'pattern' on 'spec.containers[*].image'. Which pattern would match an image reference like 'registry.example.com/myapp@sha256:abc123...'?

Question 98 (easy, multiple choice)

Which admission controller is responsible for validating and modifying images based on an external webhook in Kubernetes?

Question 99 (medium, multiple choice)

A DevOps engineer wants to ensure that a container image is signed and the signature is verified before deployment. Which Cosign command verifies an image signature?

Question 100 (medium, multiple choice)

An administrator wants to perform static analysis on Kubernetes manifest files to find security misconfigurations. Which tool is specifically designed for this?

Question 101 (hard, multiple choice)

A pod is stuck in Pending state. 'kubectl describe pod' shows '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/control-plane: }, that the pod didn't tolerate.' The pod does not specify any tolerations. What is the most likely cause?

Question 102 (easy, multiple choice)

Which of the following is a best practice when writing a Dockerfile for a containerized application?

Question 103 (medium, multi select)

Which TWO of the following are valid methods to verify the integrity of a container image in a Kubernetes supply chain? (Select 2)

Question 104 (hard, multi select)

Which THREE of the following are correct statements about Kubernetes admission controllers in the context of supply chain security? (Select 3)

Question 105 (medium, multi select)

Which TWO of the following tools can be used to generate or analyze SBOMs? (Select 2)

Question 106 (medium, multiple choice)

An administrator wants to ensure that only images from a trusted registry 'myregistry.io' can run in the cluster. Which admission controller should be configured?

Question 107 (easy, multiple choice)

Which command is used with Cosign to sign a container image?

Question 108 (medium, multiple choice)

A DevOps engineer runs 'trivy image myapp:latest' and finds a critical CVE in the base image. Which Dockerfile change would BEST address this?

Question 109 (hard, multiple choice)

An OPA/Gatekeeper constraint is configured to require all container images to be from a specific registry. A user creates a Pod with image 'gcr.io/myimage:v1'. Which admission controller will first reject this Pod?

Question 110 (medium, multiple choice)

A security policy requires that all container images must have a signed attestation. Which Cosign command would an admin add to the CI pipeline to create this attestation?

Question 111 (easy, multiple choice)

Which tool is used to generate an SBOM (Software Bill of Materials) for a container image?

Question 112hardmultiple choice
Read the full Supply Chain Security explanation →

An admin runs 'kubectl run test-pod --image=nginx:latest' and the Pod is created but immediately enters 'CrashLoopBackOff'. 'kubectl describe pod test-pod' shows 'Back-off restarting failed container'. Which admission controller might cause this if misconfigured?

Question 113mediummultiple choice
Read the full Supply Chain Security explanation →

A security scan report shows that a container image has several high-severity CVEs. The team wants to implement automated scanning in CI/CD pipeline. Which tool would you recommend for scanning container images in a CI pipeline?

Question 114mediummultiple choice
Read the full Supply Chain Security explanation →

An organization uses Kyverno to enforce policies. Which Kyverno rule action would you use to require that all images come from a specific registry?

Question 115hardmultiple choice
Read the full Supply Chain Security explanation →

A user creates a Deployment with image 'alpine:3.18' and the Pod status is 'ErrImagePull'. The admin checks the image policy and sees that only images with SHA digests are allowed. What is the fix?

Question 116easymultiple choice
Read the full Supply Chain Security explanation →

Which command would scan a Kubernetes Pod manifest for security issues?

Question 117mediummultiple choice
Read the full Supply Chain Security explanation →

An administrator wants to enforce that all pods run with read-only root filesystem. Which admission controller can achieve this without writing custom code?

Question 118mediummulti select
Read the full Supply Chain Security explanation →

Which TWO are best practices for Dockerfile security? (Select 2)

Question 119hardmulti select
Read the full Supply Chain Security explanation →

Which THREE are valid methods to verify the integrity and origin of a container image? (Select 3)

Question 120mediummulti select
Read the full Supply Chain Security explanation →

Which TWO are tools for static analysis of Kubernetes manifests? (Select 2)

Question 121mediummultiple choice
Read the full Supply Chain Security explanation →

A security admin wants to ensure that all container images in a Kubernetes cluster are scanned for known vulnerabilities before being deployed. Which tool can be integrated into a CI/CD pipeline to scan container images for CVEs?

Question 122mediummultiple choice
Read the full Supply Chain Security explanation →

An administrator wants to ensure that only signed container images are deployed in the cluster. Which admission controller can be used to enforce this policy?

Question 123easymultiple choice
Read the full Supply Chain Security explanation →

Which command is used to sign a container image with Cosign?

Question 124hardmultiple choice
Read the full Supply Chain Security explanation →

You have a Kyverno policy that validates image registries. The policy should allow only images from `myregistry.example.com`. Which Kyverno rule field should be used to check the image registry?

Question 125mediummultiple choice
Read the full Supply Chain Security explanation →

An administrator runs `kubectl run nginx --image=nginx:latest` and the pod remains in ImagePullBackoff. The cluster uses containerd as the container runtime. What is the most likely cause?

Question 126mediummultiple choice
Read the full Supply Chain Security explanation →

Which of the following is a best practice for Dockerfiles to improve supply chain security?

Question 127hardmultiple choice
Read the full Supply Chain Security explanation →

A DevOps team wants to enforce that all Deployments must have a specific label 'app.kubernetes.io/name'. Which tool can be used to validate this in the admission controller stage?

Question 128easymultiple choice
Read the full Supply Chain Security explanation →

What does SBOM stand for in the context of supply chain security?

Question 129mediummultiple choice
Read the full Supply Chain Security explanation →

An admin wants to scan a local filesystem for vulnerabilities using Trivy. Which command should they use?

Question 130mediummultiple choice
Read the full Supply Chain Security explanation →

Which tool can generate an SBOM for a container image?

Question 131hardmultiple choice
Read the full Supply Chain Security explanation →

A cluster has the ImagePolicyWebhook admission controller enabled. A pod creation is denied with the message 'image policy check failed'. The webhook server returns an error. Which of the following could be a valid reason?

Question 132easymultiple choice
Read the full Supply Chain Security explanation →

Which Kubernetes admission controller ensures that a pod only uses images from a specific registry?

Question 133mediummulti select
Read the full Supply Chain Security explanation →

Which TWO of the following are best practices for securing the container supply chain? (Select 2)

Question 134hardmulti select
Read the full Supply Chain Security explanation →

Which THREE of the following can be used to enforce policies on container images in a Kubernetes cluster? (Select 3)

Question 135mediummulti select
Read the full Supply Chain Security explanation →

Which TWO of the following are valid methods to verify the integrity of a container image? (Select 2)

Question 136mediummultiple choice
Read the full Supply Chain Security explanation →

You are implementing supply chain security for container images. Which tool would you use to scan a local directory of Dockerfiles and Kubernetes manifests for known vulnerabilities?

Question 137easymultiple choice
Read the full Supply Chain Security explanation →

Which of the following is a best practice for securing container images in a Kubernetes environment?

Question 138mediummultiple choice
Read the full Supply Chain Security explanation →

You need to enforce that all images deployed in the cluster are signed by a trusted key. Which Kubernetes admission control mechanism would you use?

Question 139hardmultiple choice
Read the full Supply Chain Security explanation →

A cluster administrator wants to allow only images from a specific registry (e.g., 'myregistry.io') to be deployed in the cluster. Which tool can be used to enforce this via admission control?

Question 140mediummultiple choice
Read the full Supply Chain Security explanation →

What is the purpose of an SBOM (Software Bill of Materials) in the context of supply chain security?

Question 141easymultiple choice
Read the full Supply Chain Security explanation →

Which command would you use to sign a container image with Cosign?

Question 142mediummultiple choice
Read the full Supply Chain Security explanation →

You run 'trivy image myapp:latest' and the scan reports several critical CVEs. What is the best action to take?

Question 143hardmultiple choice
Read the full Supply Chain Security explanation →

A security engineer wants to ensure that all container images in a Kubernetes cluster have a non-root user. Which admission controller can enforce this requirement?

Question 144mediummultiple choice
Read the full Supply Chain Security explanation →

What is the correct way to specify a container image using a SHA digest instead of a tag for immutable deployments?

Question 145easymultiple choice
Read the full Supply Chain Security explanation →

Which static analysis tool can be used to check Kubernetes manifests for security misconfigurations?

Question 146mediummultiple choice
Read the full Supply Chain Security explanation →

In a CI/CD pipeline, at which stage should container image scanning be performed?

Question 147mediummultiple choice
Read the full Supply Chain Security explanation →

You need to generate an SBOM for a container image. Which command should you use?

Question 148mediummulti select
Read the full Supply Chain Security explanation →

Which TWO of the following are valid admission controllers in Kubernetes? (Select TWO)

Question 149hardmulti select
Read the full Supply Chain Security explanation →

Which THREE of the following are best practices for Dockerfile security? (Select THREE)

Question 150mediummulti select
Read the full Supply Chain Security explanation →

Which TWO of the following are tools for image signing and verification? (Select TWO)

Question 151easymultiple choice
Read the full Supply Chain Security explanation →

Which command scans a Docker image for CVEs using Trivy?

Question 152mediummultiple choice
Read the full Supply Chain Security explanation →

A security admin wants to ensure that only images signed with a specific key can run in the cluster. Which admission controller should be enabled?

Question 153hardmultiple choice
Read the full Supply Chain Security explanation →

A developer creates a Dockerfile with 'FROM ubuntu:latest'. The security team recommends using a minimal base image. Which change minimizes the attack surface?

Question 154mediummultiple choice
Read the full Supply Chain Security explanation →

An admin runs 'kubectl run nginx --image=nginx' and the pod fails with 'ImagePullBackOff'. The cluster has an OPA/Gatekeeper constraint that only allows images from 'myregistry.io'. How can the admin quickly test the restriction?

Question 155easymultiple choice
Read the full Supply Chain Security explanation →

Which tool can generate an SBOM (Software Bill of Materials) from a container image?

Question 156hardmultiple choice
Read the full Supply Chain Security explanation →

A security audit reveals that a Deployment uses an image with a mutable tag 'app:latest'. Which change ensures the image is immutable and traceable?

Question 157mediummultiple choice
Read the full Supply Chain Security explanation →

Which kubectl command signs a container image using Cosign?

Question 158easymultiple choice
Read the full Supply Chain Security explanation →

Which YAML field in a Deployment specifies the container user should not run as root?

Question 159hardmultiple choice
Read the full Supply Chain Security explanation →

A cluster uses Kyverno to enforce that all images come from a trusted registry. A new Deployment fails with a message that the image 'docker.io/library/nginx:latest' is not allowed. What Kyverno policy rule likely caused this?

Question 160mediummultiple choice
Read the full Supply Chain Security explanation →

To verify a signed container image, which command should be used?

Question 161mediummultiple choice
Read the full Supply Chain Security explanation →

Which static analysis tool is specifically designed to evaluate Kubernetes manifests against security best practices?

Question 162easymultiple choice
Read the full Supply Chain Security explanation →

In a CI/CD pipeline, which step is MOST effective for detecting known vulnerabilities in a container image before deployment?

Question 163hardmulti select
Read the full Supply Chain Security explanation →

Which TWO practices improve supply chain security for container images? (Select two.)

Question 164mediummulti select
Read the full Supply Chain Security explanation →

Which THREE are valid admission controllers in Kubernetes? (Select three.)

Question 165mediummulti select
Read the full Supply Chain Security explanation →

Which TWO tools can generate an SBOM for a container image? (Select two.)

Question 166mediummultiple choice
Read the full Supply Chain Security explanation →

A security team wants to ensure that all container images in a cluster are scanned for critical CVEs before they are run. They decide to use an admission controller. Which Kubernetes built-in admission controller should they configure?

Question 167easymultiple choice
Read the full Supply Chain Security explanation →

A developer runs 'trivy image myapp:latest' and gets a report with several CRITICAL CVEs. Which action would BEST address the supply chain security risk?

Question 168mediummultiple choice
Read the full Supply Chain Security explanation →

An administrator wants to enforce that only images signed by a trusted key can run in the cluster. They have configured cosign and want to use a Kubernetes admission controller. Which tool should they deploy?

Question 169hardmultiple choice
Read the full Supply Chain Security explanation →

You are asked to generate an SBOM for a container image and attach it as an attestation using cosign. Which two commands would you run in sequence?

Question 170mediummultiple choice
Read the full Supply Chain Security explanation →

A Kubernetes cluster has Kyverno installed. You want to enforce that all container images come from a trusted registry 'trusted-registry.example.com'. Which Kyverno policy rule type would you use?

Question 171easymultiple choice
Read the full Supply Chain Security explanation →

Which of the following is a BEST practice for securing container images in a Dockerfile?

Question 172mediummultiple choice
Read the full Supply Chain Security explanation →

A CI pipeline uses 'checkov' to scan Kubernetes manifests. Which of the following is a common checkov check related to supply chain security?

Question 173hardmultiple choice
Read the full Supply Chain Security explanation →

A pod is stuck in Pending state. 'kubectl describe pod' shows the event: '0/4 nodes are available: 1 node had taint {node-role.kubernetes.io/control-plane: }, that the pod didn't tolerate, 3 Insufficient memory.' The pod YAML does not specify any tolerations. Which command would allow the pod to schedule on the control-plane node?

Question 174mediummultiple choice
Read the full Supply Chain Security explanation →

You need to sign a container image using cosign with a key stored in an environment variable. Which command should you use?

Question 175easymultiple choice
Read the full Supply Chain Security explanation →

What is the primary purpose of an SBOM in supply chain security?

Question 176hardmultiple choice
Read the full Supply Chain Security explanation →

You have a Kyverno policy that validates images are from a specific registry. However, a pod using an image from that registry is still blocked. The pod YAML includes 'imagePullPolicy: Always'. What could be the issue?

Question 177mediummulti select
Read the full NAT/PAT explanation →

Which TWO of the following are valid ways to verify a container image signature using cosign?

Question 178mediummulti select
Read the full Supply Chain Security explanation →

Which TWO of the following are best practices for securing the software supply chain in a CI/CD pipeline?

Question 179hardmulti select
Read the full Supply Chain Security explanation →

Which THREE of the following are valid approaches to prevent containers from running as root in a Kubernetes cluster?

Question 180easymulti select
Read the full Supply Chain Security explanation →

Which THREE of the following are tools used for static analysis of Kubernetes manifests?

Question 181mediummultiple choice
Read the full Supply Chain Security explanation →

A security team wants to ensure that only container images from a trusted registry (mytrustedregistry.io) are deployed in the cluster. They plan to use OPA/Gatekeeper. Which kind of Gatekeeper constraint template and constraint should they create?

Question 182hardmultiple choice
Read the full Supply Chain Security explanation →

You are configuring ImagePolicyWebhook admission controller to reject images not signed by a trusted authority. After deploying the webhook, you notice that pods are being rejected even for images that are properly signed. Which configuration change is MOST likely to fix this?

Question 183easymultiple choice
Read the full NAT/PAT explanation →

A developer wants to verify the signature of a container image before deploying it. Which command should they use along with Cosign?

Question 184mediummultiple choice
Read the full Supply Chain Security explanation →

During a CI/CD pipeline, you run 'trivy image myapp:latest' and get a high number of vulnerabilities. What is the BEST action to reduce the vulnerability count?

Question 185hardmultiple choice
Read the full NAT/PAT explanation →

A security policy requires that all container images must reference a specific SHA256 digest instead of a tag. You need to enforce this using Kyverno. Which Kyverno rule type and pattern would you use?

Question 186mediummulti select
Read the full Supply Chain Security explanation →

Which TWO of the following are valid methods to supply a Kubernetes manifest to kubesec for static analysis?

Question 187mediummulti select
Read the full Supply Chain Security explanation →

Which TWO of the following are best practices for Dockerfile security according to CKS guidelines?

Question 188hardmulti select
Read the full Supply Chain Security explanation →

Which THREE of the following are valid admission controllers involved in the Kubernetes admission flow that can be used for supply chain security?

Question 189mediummulti select
Read the full Supply Chain Security explanation →

Which TWO of the following tools can generate an SBOM (Software Bill of Materials) for a container image?

Question 190easymulti select
Read the full Supply Chain Security explanation →

Which THREE of the following are valid flags for the 'trivy image' command to output results in different formats?
