Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CKS System Hardening • Complete Question Bank

CKS System Hardening — All Questions With Answers

Complete CKS System Hardening question bank — all 0 questions with answers and detailed explanations.

160 Questions • Free • No signup

Question 1 • medium • multiple choice

A security team is hardening a Kubernetes cluster. They need to ensure that all control plane components run with the least privilege. Which approach should they take?

Question 2 • easy • multiple choice

An administrator wants to restrict pods from running as root. Which admission controller should be enabled?

Question 3 • hard • multiple choice

A cluster has been compromised due to a container running with privileged escalation. The team wants to prevent any container from gaining new privileges. Which configuration should be applied?

Question 4 • medium • multiple choice

During a security audit, it was found that some pods have access to the host network. How can an administrator restrict host network access for all pods in the cluster?

Question 5 • easy • multiple choice

A DevOps team wants to ensure that all container images are pulled from a trusted registry only. Which cluster-level configuration should be applied?

Question 6 • hard • multiple choice

An attacker exploited a container escape vulnerability. The team wants to mitigate such attacks by restricting containers from accessing the host's kernel capabilities. Which set of capabilities should be dropped from all containers?

Question 7 • medium • multiple choice

A cluster is running Kubernetes 1.24. The security team wants to enforce that all pods run with a read-only root filesystem. Which approach is most effective?

Question 8 • easy • multiple choice

A developer wants to run a container that needs to modify kernel parameters. What is the secure way to achieve this?

Question 9 • hard • multi select

Which TWO of the following are effective methods to harden the kubelet against unauthorized access?

Question 10 • medium • multi select

Which THREE of the following are recommended practices for securing the etcd datastore?

Question 11 • hard • multi select

Which TWO of the following are valid approaches to restrict which nodes a pod can run on?

Question 12 • medium • multiple choice

A pod manifest is shown. What security issue remains in this configuration?

Exhibit

Refer to the exhibit.

```
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test
    image: alpine
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```
Question 13 • hard • multiple choice

Given the exhibit, what will happen when a user creates a pod with an image from an untrusted registry?

Network Topology

Refer to the exhibit.
```
$ kube-apiserver
admission-control=PodSecurity
enable-admission-plugins=AlwaysPullImages
```
Question 14 • hard • multiple choice

You are a security engineer for a large e-commerce company. The Kubernetes cluster runs on-premises and hosts critical payment processing applications. Recently, a security scan revealed that several pods are running with privileged escalation enabled, and some have a writable root filesystem. The cluster uses Kubernetes v1.26 with PodSecurity admission controller enabled but currently set to 'privileged' profile for all namespaces. The development teams require flexibility for some legacy applications that need to run with hostNetwork or hostPID. However, the security team wants to enforce a restricted profile for most namespaces while allowing exceptions. The CISO has mandated that no pod should run as root, and all pods must have read-only root filesystem and privilege escalation disabled. Additionally, any pod that requires hostNetwork or hostPID must be explicitly approved and placed in a separate namespace. You need to design a solution that meets these requirements with minimal operational overhead. What is the best course of action?

Question 15 • medium • multiple choice

You are managing a Kubernetes cluster that hosts multiple microservices. The cluster uses Kubernetes v1.25. Recently, a security audit identified that containers are running with the default seccomp profile (unconfined). The security team has requested that all containers use a seccomp profile that blocks unnecessary syscalls. You need to implement this cluster-wide without breaking existing applications. The audit also found that the kubelet's anonymous authentication is enabled, which should be disabled. Additionally, you need to ensure that the kubelet's NodeRestriction admission controller is enabled to limit what nodes can do. Which of the following is the most appropriate sequence of actions?

Question 16 • easy • multiple choice

A security engineer is hardening a Kubernetes node and wants to ensure that kubelet does not accept requests from unauthorized sources. Which kubelet configuration change should be made?

Question 17 • medium • multiple choice

During a security audit, it is found that containers running in a cluster have CAP_NET_RAW capability by default. The team wants to drop this capability for all containers. Which approach should be taken?

Question 18 • hard • multiple choice

A cluster has enabled the NodeRestriction admission controller. A developer is trying to create a pod with hostNetwork: true but is getting an error. What is the most likely reason?

Question 19 • easy • multiple choice

Refer to the exhibit. A security engineer sees that podPidsLimit is set to -1. What security concern does this raise?

Exhibit

Refer to the exhibit.
```
$ kubectl get nodes -o yaml | grep -A10 kubeletConfig
    kubeletConfig:
      imageGCHighThresholdPercent: 85
      imageGCLowThresholdPercent: 80
      maxPods: 110
      podPidsLimit: -1
      resolvConf: /etc/resolv.conf
      rotateCertificates: true
```
Question 20 • medium • multiple choice

Refer to the exhibit. The pod fails to start with the error 'container has runAsNonRoot but image will run as root'. Which change would fix the issue?

Exhibit

Refer to the exhibit.
```
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        add: ["NET_ADMIN"]
```
Question 21 • hard • multi select

Which TWO of the following are effective measures to harden the Kubernetes API server against unauthorized access?

Question 22 • medium • multi select

Which THREE of the following are recommended practices for securing container images in a Kubernetes environment?

Question 23 • medium • multiple choice

A cluster uses a custom mutating admission webhook that adds a sidecar container to all pods. After an upgrade, the webhook crashes and pods cannot be created. What is the best way to prevent this scenario in future?

Question 24 • hard • multiple choice

A security team wants to ensure that no pod runs with privileged access. They have created a PodSecurityPolicy (PSP) that sets 'privileged: false'. However, a pod with privileged: true still gets created. What is the most likely cause?

Question 25 • hard • multiple choice

You are a security engineer at a company running a Kubernetes cluster in production. The cluster uses containerd as the container runtime and has been configured with Node Authorizer and NodeRestriction admission controller. Recently, a security audit revealed that several pods running as root have been compromised via container escape vulnerabilities. The audit report recommends hardening the nodes to reduce the attack surface. Specifically, you need to ensure that even if an attacker gains root access inside a container, they cannot execute privileged operations on the host node, such as loading kernel modules, modifying host network settings, or accessing host devices. The cluster runs on Ubuntu 20.04 nodes with Linux kernel 5.4. You have access to modify node-level configurations but must minimize performance impact and avoid breaking existing workloads that rely on standard Linux capabilities. Which of the following actions would most effectively mitigate these risks?

Question 26 • medium • multi select

A security auditor reviews a Kubernetes cluster and finds that several nodes have container runtimes with default configurations. Which TWO of the following actions should be taken to harden the container runtime?

Question 27 • easy • multiple choice

You are a platform engineer for a financial services company. Your Kubernetes cluster runs on bare-metal nodes with Ubuntu 20.04 and uses containerd as the container runtime. The cluster is in production with 50 worker nodes. A recent security scan shows that all nodes have the 'overlayfs' kernel module loaded, which is not required. The security policy requires minimal kernel modules. You need to disable the module without disrupting running containers. What should you do?

Question 28 • medium • drag order

Order the steps to configure and use Falco for runtime security in a Kubernetes cluster.

Question 29 • medium • matching

Match each etcd security configuration to its description.

Encrypts communication between etcd clients and the etcd server

Encrypts communication between etcd cluster members

Requires clients to present a valid certificate to access etcd

Encrypts etcd data stored on disk (requires manual configuration)

Limits which users or clients can perform operations on etcd keys

Question 30 • medium • multiple choice

An administrator wants to enforce the Pod Security Standard 'restricted' for all pods in the 'secure' namespace. Which kubectl command correctly enables the PodSecurity admission controller for that namespace?

Question 31 • medium • multiple choice

A pod is running with AppArmor enabled using a profile named 'k8s-apparmor-profile'. You want to verify that the profile is loaded and set to enforce mode. Which command should you run on the node?

Question 32 • easy • multiple choice

Which annotation is used to apply an AppArmor profile named 'custom-profile' to a container named 'app' in a pod?

Question 33 • hard • multiple choice

You are creating a custom seccomp profile for a container that runs a binary requiring the 'write' syscall only. You place the profile JSON file at '/var/lib/kubelet/seccomp/profiles/write-only.json'. In the pod spec, which seccomp configuration correctly uses this profile?

Question 34 • easy • multiple choice

Which Linux capability must be added to a container to allow it to change the system time (e.g., using the 'date' command)?

Question 35 • medium • multiple choice

A security policy requires that containers should drop all capabilities and only add back the specific capabilities needed. Which YAML snippet correctly implements this for a container?

Question 36 • hard • multiple choice

A pod is scheduled on a node that has the AppArmor profile 'my-profile' loaded in complain mode. The pod annotation specifies 'localhost/my-profile' but the container is running without the profile being enforced. What is the most likely cause?

Question 37 • medium • multiple choice

Which of the following is correct about dropping the 'NET_RAW' capability?

Question 38 • easy • multiple choice

What is the default seccomp profile applied when a pod's security context has 'seccompProfile.type: RuntimeDefault'?

Question 39 • hard • multiple choice

You are tasked with reducing the attack surface on a Kubernetes node. Which of the following actions is LEAST effective for hardening the node itself?

Question 40 • medium • multiple choice

A pod spec includes 'hostPID: true' and 'hostNetwork: true'. What security concern does this raise?

Question 41 • medium • multiple choice

Which of the following is NOT a valid seccomp profile type in Kubernetes?

Question 42 • medium • multi select

You need to apply a Pod Security Standard that prevents containers from running as root and disallows privileged escalation. Which TWO levels enforce these requirements?

Question 43 • hard • multi select

A security auditor recommends limiting the use of host namespaces in pods. Which THREE of the following fields, if set to true, expose the host namespace to a container?

Question 44 • easy • multi select

Which TWO of the following are valid modes for an AppArmor profile?

Question 45 • medium • multiple choice

An administrator wants to enforce that no container in a specific namespace runs with the privileged security context. They decide to use Pod Security Standards. Which Pod Security Standard level should be applied to the namespace?

Question 46 • medium • multiple choice

A security engineer needs to apply a custom AppArmor profile to a pod. The profile is named 'k8s-apparmor-example-deny-write' and is loaded on the node. Which annotation should be added to the pod's metadata to enforce this profile?

Question 47 • easy • multiple choice

Which command loads an AppArmor profile from a file into the kernel?

Question 48 • hard • multiple choice

A pod is configured with a custom seccomp profile stored at /var/lib/kubelet/seccomp/custom-profile.json. The pod manifest uses securityContext.seccompProfile with type: Localhost and localhostProfile: "custom-profile.json". The pod fails to start with an error 'seccomp profile not found'. What is the most likely cause?

Question 49 • medium • multiple choice

Which of the following correctly adds the NET_ADMIN capability to a container in a Kubernetes pod?

Question 50 • easy • multiple choice

An administrator wants to prevent a container from accessing the host's network. Which pod security context field should be set to false?

Question 51 • medium • multiple choice

A security policy requires that all containers in the 'staging' namespace drop all Linux capabilities and only add the necessary ones. Which pod security context configuration achieves this?

Question 52 • easy • multiple choice

Which of the following commands shows all loaded AppArmor profiles?

Question 53 • medium • multiple choice

A cluster administrator wants to enforce Pod Security Standards at the namespace level using the built-in PodSecurity admission controller. The namespace 'test' should reject any pod that violates the 'baseline' level. Which command applies this correctly?

Question 54 • hard • multiple choice

A custom seccomp profile is defined as follows:

```
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["mkdir", "chmod"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
```

The profile is placed at /var/lib/kubelet/seccomp/deny-mkdir.json. Which pod securityContext configuration correctly applies this profile?

Question 55 • medium • multiple choice

A pod in namespace 'secure' has the following securityContext:

```
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  capabilities:
    drop: ["ALL"]
    add: ["NET_BIND_SERVICE"]
```

The pod fails to start. The namespace is enforced with the 'restricted' Pod Security Standard. What is the most likely reason?

Question 56 • hard • multiple choice

An administrator wants to reduce the attack surface of a Kubernetes node by disabling unnecessary system services. Which of the following services is considered unnecessary on a dedicated Kubernetes worker node and can be safely disabled?

Question 57 • medium • multi select

Which TWO of the following are valid methods to apply a seccomp profile to a Kubernetes pod? (Select two.)

Question 58 • medium • multi select

Which TWO of the following are valid AppArmor profile modes? (Select two.)

Question 59 • hard • multi select

Which THREE of the following are best practices for minimizing host access from containers to reduce the attack surface? (Select three.)

Question 60 • medium • multiple choice

A security engineer wants to enforce that all containers in a namespace run without any unnecessary Linux capabilities, dropping all capabilities by default and only adding back what is needed. Which Pod Security Standard should be applied to that namespace using PodSecurity admission?

Question 61 • hard • multiple choice

A cluster administrator wants to apply a custom seccomp profile located at '/var/lib/kubelet/seccomp/audit.json' to a pod. Which YAML snippet correctly configures the pod's security context to use this profile?

Question 62 • easy • multiple choice

Which kubectl command is used to check the AppArmor status on a Kubernetes node?

Question 63 • medium • multiple choice

A pod with the following annotation is created: 'container.apparmor.security.beta.kubernetes.io/webserver: localhost/k8s-apparmor-profile'. However, the pod remains in 'Pending' state and the node logs show 'AppArmor not available'. What is the most likely cause?

Question 64 • medium • multiple choice

A DevOps engineer wants to ensure that all pods in a namespace have seccomp set to RuntimeDefault unless explicitly overridden. Which approach should be used to enforce this?

Question 65 • hard • multiple choice

An administrator wants to use AppArmor to confine a container. They have loaded a profile named 'my-custom-profile' using apparmor_parser. Which annotation should be added to the pod to enforce this profile?

Question 66 • easy • multiple choice

Which Linux capability should be dropped to prevent a container from gaining new privileges via setuid binaries?

Question 67 • medium • multiple choice

A pod is scheduled on a node that has AppArmor enabled, and the pod has the annotation 'container.apparmor.security.beta.kubernetes.io/nginx: localhost/deny-write'. The profile 'deny-write' is loaded. However, the nginx container is able to write to the filesystem. What is the most likely issue?

Question 68 • easy • multiple choice

Which of the following is the correct way to drop all capabilities from a container in a pod specification?

Question 69 • medium • multiple choice

A cluster has PodSecurity admission enabled. A developer creates a pod with the following security context: 'securityContext: { capabilities: { drop: ["ALL"], add: ["NET_ADMIN"] } }'. The namespace is labeled 'pod-security.kubernetes.io/enforce: baseline'. Will the pod be allowed?

Question 70 • hard • multiple choice

A security auditor wants to ensure that no container in the cluster has the CAP_SYS_ADMIN capability. Which of the following is the most effective way to enforce this cluster-wide?

Question 71 • easy • multiple choice

Which of the following host access settings should be disabled to reduce the attack surface of a container?

Question 72 • medium • multi select

Which TWO of the following are valid methods to apply a custom seccomp profile to a pod in Kubernetes?

Question 73 • medium • multi select

Which THREE of the following are best practices for reducing the attack surface of Kubernetes nodes?

Question 74 • hard • multi select

Which TWO of the following are true about AppArmor profiles in Kubernetes?

Question 75 • medium • multiple choice

An administrator wants to enforce that all pods in a namespace use the restricted Pod Security Standard. Which of the following commands correctly enables this enforcement?

Question 76 • medium • multiple choice

A security team wants to ensure that all containers in a pod run with only the minimum required Linux capabilities. Which of the following approaches is BEST?

Question 77 • easy • multiple choice

Which of the following is the correct annotation to apply an AppArmor profile named 'my-profile' to a container named 'app' in a pod?

Question 78 • medium • multiple choice

A pod is running with a custom seccomp profile located at /var/lib/kubelet/seccomp/my-profile.json. Which securityContext configuration correctly applies this profile?

Question 79 • hard • multiple choice

A cluster administrator has applied a PodSecurityPolicy (PSP) to restrict privileged containers. After upgrading to Kubernetes 1.25, they notice that PSPs are no longer working. What is the MOST likely reason?

Question 80 • easy • multiple choice

Which kubectl command is used to check whether AppArmor is enabled and which profiles are loaded on a node?

Question 81 • medium • multiple choice

A pod has the following security context: capabilities: { drop: ['ALL'] } and privileged: false. The pod fails to start because it requires the ability to run iptables commands. Which of the following should be added to the pod's security context?

Question 82 • easy • multiple choice

Which of the following fields in a PodSecurityPolicy (or Pod Security Standards) prevents a container from running as root?

Question 83 • medium • multiple choice

A security auditor wants to verify that the AppArmor profile 'my-profile' is in enforce mode on a running container. Which command should they run inside the node?

Question 84 • hard • multiple choice

A pod is in a Pending state with the event: 'failed to generate spec: failed to validate seccomp profile: seccomp profile not found'. The profile is stored at /var/lib/kubelet/seccomp/custom.json on the node. Which of the following is the MOST likely cause?

Question 85 • medium • multiple choice

Which of the following is the correct way to apply an AppArmor profile named 'my-profile' to a pod using the annotation?

Question 86 • hard • multiple choice

A pod is configured with securityContext: { seccompProfile: { type: RuntimeDefault } }. Which of the following is true about this configuration?

Question 87 • easy • multiple choice

Which of the following is the correct command to load an AppArmor profile from a file named 'my-profile'?

Question 88 • medium • multiple choice

A container runs with the default seccomp profile but the application needs to make a specific syscall that is blocked. Which approach should be taken?

Question 89 • easy • multiple choice

Which of the following securityContext settings prevents a container from using host network namespace?

Question 90 • medium • multi select

Which TWO of the following are valid ways to reduce the attack surface of a Kubernetes node? (Select 2)

Question 91 • medium • multi select

Which TWO of the following are valid Pod Security Standard levels? (Select 2)

Question 92 • hard • multi select

Which THREE of the following are correct statements about seccomp in Kubernetes? (Select 3)

Question 93 • easy • multiple choice

Which annotation is used to apply an AppArmor profile to a pod?

Question 94 • medium • multiple choice

A security admin wants to drop all Linux capabilities for a container and then add only CAP_NET_BIND_SERVICE. Which YAML snippet correctly achieves this?

Question 95 • medium • multiple choice

An admin runs 'kubectl describe pod secure-pod' and sees 'seccompProfile: RuntimeDefault' under the container's security context. Which seccomp profile is being used?

Question 96 • hard • multiple choice

A cluster administrator wants to enforce the Pod Security Standard 'restricted' at the namespace level. Which command applies the PodSecurity admission label to the 'prod' namespace?

Question 97 • easy • multiple choice

Which command loads an AppArmor profile into the kernel?

Question 98 • medium • multiple choice

A pod is created with the following security context:

```
securityContext:
  seccompProfile:
    type: Localhost
    localhostProfile: profiles/audit.json
```

Where must the 'audit.json' file be placed on the node?

Question 99 • hard • multiple choice

A container runs as non-root and needs to perform operations that require CAP_SYS_PTRACE. Which YAML snippet correctly adds only this capability while following the principle of least privilege?

Question 100 • easy • multiple choice

Which Pod Security Standard level allows the use of hostNetwork, hostPID, and hostIPC?

Question 101 • medium • multiple choice

An administrator runs 'kubectl run test-pod --image=nginx --dry-run=client -o yaml > pod.yaml', then adds 'hostPID: true' and 'hostNetwork: true' to the pod's spec. After applying with 'kubectl apply -f pod.yaml', the pod is created but immediately goes into 'CrashLoopBackOff'. What is the likely cause?

Question 102 • medium • multiple choice

Which of the following is the correct way to disable swap on a Kubernetes node to improve security?

Question 103 • hard • multiple choice

A custom seccomp profile is created at /var/lib/kubelet/seccomp/custom-profile.json. Which YAML snippet applies this profile to a container?

Question 104 • easy • multiple choice

An admin wants to check which AppArmor profiles are loaded. Which command should they run?

Question 105 • medium • multi select

Which TWO of the following are valid methods to apply a seccomp profile to a pod in Kubernetes?

Question 106 • hard • multi select

Which THREE of the following are best practices for reducing the attack surface of a Kubernetes node?

Question 107 • medium • multi select

Which TWO of the following are valid AppArmor profile modes?

Question 108 • medium • multiple choice

An administrator wants to enforce a custom AppArmor profile named 'k8s-apparmor-example' on a pod. The profile has been loaded on the node. Which annotation should be added to the pod's metadata to apply this profile?

Question 109 • easy • multiple choice

Which command is used to load an AppArmor profile into the kernel?

Question 110 • medium • multiple choice

A pod spec includes the following securityContext:

```
securityContext:
  seccompProfile:
    type: Localhost
    localhostProfile: custom-profile.json
```

Where should the custom seccomp profile 'custom-profile.json' be placed on the node?

Question 111 • hard • multiple choice

A cluster administrator wants to prevent all containers in a namespace from running with the NET_RAW capability. They plan to use a PodSecurityPolicy (PSP) but PSP is deprecated. Which approach should they use instead?

Question 112 · medium · multiple choice

A container is running with the following securityContext:

```yaml
securityContext:
  capabilities:
    drop: ["ALL"]
    add: ["NET_BIND_SERVICE"]
```

Which capabilities will the container have?

Question 113 · easy · multiple choice

To reduce the attack surface, a security best practice is to drop all capabilities from a container and add only those required. Which securityContext field is used to drop all capabilities?

Question 114 · hard · multiple choice

A security auditor reports that a container can sniff network traffic on the host. Which field in the pod spec should be checked and set to false to prevent this?

Question 115 · medium · multiple choice

An administrator needs to enforce the restricted Pod Security Standard on a namespace 'secure-ns'. Which kubectl command should they use?

Question 116 · easy · multiple choice

Which of the following seccomp profile types should be used to apply the container runtime's default seccomp profile?

Question 117 · medium · multiple choice

A pod is running with securityContext.seccompProfile.type: Unconfined. Which statement is true?

Question 118 · hard · multiple choice

An AppArmor profile is loaded in 'complain' mode. What happens when a pod with that profile attempts an action that violates the profile?

Question 119 · medium · multiple choice

Which of the following is NOT a recommended method to reduce the attack surface on Kubernetes nodes?

Question 120 · medium · multi select

Which TWO of the following are valid methods to apply a seccomp profile to a container? (Select 2 correct answers)

Question 121 · medium · multi select

Which THREE of the following actions help reduce the attack surface of containers? (Select 3 correct answers)

Question 122 · hard · multi select

Which TWO of the following are valid AppArmor profile modes? (Select 2 correct answers)

Question 123 · medium · multiple choice

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

Question 124 · easy · multiple choice

Which annotation is used to apply an AppArmor profile to a pod in Kubernetes?

Question 125 · medium · multiple choice

An administrator creates a custom seccomp profile and wants to apply it to a pod. The profile file is named 'audit.json' and is placed in the default seccomp directory on the node. Which securityContext field should be used?

Question 126 · hard · multiple choice

A security team wants to enforce that no container in the 'restricted' namespace runs with added Linux capabilities beyond the default set (according to the restricted Pod Security Standard). Which PodSecurityConfiguration should be applied to the namespace?

Question 127 · easy · multiple choice

Which command loads an AppArmor profile from a file into the kernel?

Question 128 · medium · multiple choice

You need to apply a seccomp profile to all containers in a pod. The profile is named 'custom-profile.json' and is stored on each node at /var/lib/kubelet/seccomp/. Complete the following YAML snippet:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: ???
```

What should replace ???

Question 129 · hard · multiple choice

An administrator wants to ensure that containers in a pod cannot run with any Linux capabilities except the minimal required for the container runtime. The pod is subject to the 'restricted' Pod Security Standard. Which capability configuration should be set in the pod's security context?

Question 130 · medium · multiple choice

A node in your cluster is running unnecessary services that increase the attack surface. Which of the following is the BEST approach to reduce the attack surface on the node?

Question 131 · easy · multiple choice

Which of the following is a valid way to check the status of AppArmor profiles on a node?

Question 132 · medium · multiple choice

A container needs to run with the NET_ADMIN capability to modify network settings. The cluster enforces the baseline Pod Security Standard. Which securityContext configuration should be used?

Question 133 · medium · multiple choice

Which of the following host access settings should be avoided to minimize the attack surface from containers? (Select the setting that increases risk the most.)

Question 134 · easy · multiple choice

What is the purpose of the 'seccomp' feature in Kubernetes?

Question 135 · hard · multiple choice

After deploying a pod with an AppArmor profile, the pod status shows 'ContainerCreating' for a long time and then fails. What is the most likely cause?

Question 136 · medium · multiple choice

Which of the following is the correct way to drop all Linux capabilities for a container?

Question 137 · hard · multiple choice

An administrator wants to prevent containers from using hostNetwork, hostPID, and hostIPC. Which Pod Security Standard level enforces these restrictions?

Question 138 · medium · multi select

Which TWO of the following are valid seccomp profile types in Kubernetes? (Select two.)

Question 139 · hard · multi select

Which THREE of the following are best practices for reducing the attack surface of Kubernetes nodes? (Select three.)

Question 140 · easy · multi select

Which TWO of the following are valid AppArmor profile modes? (Select two.)

Question 141 · medium · multi select

Which THREE of the following are restrictions enforced by the 'baseline' Pod Security Standard? (Select three.)

Question 142 · hard · multi select

Which TWO of the following are correct ways to apply a seccomp profile named 'audit.json' located on each node? (Select two.)

Question 143 · easy · multiple choice

Which annotation is used to apply an AppArmor profile to a pod in Kubernetes?

Question 144 · medium · multiple choice

An administrator wants to run a container that requires the SYS_TIME capability. Which field should be used in the securityContext to add this capability?

Question 145 · hard · multiple choice

A pod is using a custom seccomp profile stored at /var/lib/kubelet/seccomp/custom-profile.json. Which securityContext configuration correctly references this profile?

Question 146 · medium · multiple choice

An administrator runs 'aa-status' on a node and sees a profile in 'complain' mode. What does this indicate?

Question 147 · medium · multiple choice

What is the effect of setting 'hostPID: true' in a pod's spec?

Question 148 · easy · multiple choice

Which Pod Security Standard level allows the most relaxed security controls?

Question 149 · hard · multiple choice

A cluster uses PodSecurity admission. A namespace has the label 'pod-security.kubernetes.io/enforce: baseline'. A user creates a pod that runs a container with 'privileged: true'. What happens?

Question 150 · medium · multiple choice

An administrator wants to drop all capabilities for a container and then add back only NET_BIND_SERVICE. Which securityContext configuration is correct?

Question 151 · easy · multiple choice

Which tool is used to load AppArmor profiles on a node?

Question 152 · medium · multiple choice

What is the default seccomp profile for Kubernetes containers when no seccompProfile is specified?

Question 153 · hard · multiple choice

A pod runs with 'hostNetwork: true' and 'hostPID: true'. Which security concern is MOST directly increased?

Question 154 · medium · multiple choice

An administrator creates a custom seccomp profile and places it at /var/lib/kubelet/seccomp/myprofile.json. Which securityContext field is used to apply this profile to a container?

Question 155 · medium · multi select

Which TWO of the following are valid Pod Security Standards levels?

Question 156 · hard · multi select

Which THREE of the following are recommended measures to reduce the attack surface of Kubernetes nodes?

Question 157 · medium · multi select

Which TWO of the following are valid AppArmor profile modes?

Question 158 · medium · multiple choice

A cluster administrator wants to enforce that all pods in the 'restricted' namespace use the Restricted Pod Security Standard. Which command achieves this?

Question 159 · hard · multiple choice

You have built a custom seccomp profile at /var/lib/kubelet/seccomp/audit.json. Which YAML snippet correctly applies this profile to a container?

Question 160 · medium · multi select

Which TWO AppArmor modes are available? (Select 2)
