Courseiva
Knowledge + Practice

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CNCF · CKS

CKS Cluster Setup and Hardening Practice Questions

20+ practice questions focused on Cluster Setup and Hardening — one of the most tested topics on the Certified Kubernetes Security Specialist CKS exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Cluster Setup and Hardening Questions

1.

During a security audit, you discover that a container running as root inside a pod has been compromised. The pod uses the default service account. Which two measures should you implement to harden the cluster? (Select TWO)

A. Apply a PodSecurityPolicy that restricts containers from running as root.
B. Create a new service account with no roles bound and assign it to the pod.
C. Edit the default service account to set automountServiceAccountToken: false.
D. Set automountServiceAccountToken: false in the pod spec.

Explanation: Option C is correct because setting `automountServiceAccountToken: false` on the default service account prevents any pod that uses it from automatically mounting the service account token. This reduces the attack surface: if a container is compromised, the attacker cannot use the token to authenticate to the Kubernetes API server. This is a fundamental hardening measure for service accounts that do not require API access.
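The difference between answers C and D in working form, as an added example that is not Courseiva's or Kubernetes' own code: a small Python model of how the effective automountServiceAccountToken value is resolved (pod spec first, then the ServiceAccount, then the default of true), run over constructed ServiceAccount and Pod objects.

```python
# Added example (not from Courseiva): models how Kubernetes decides whether a
# pod gets a service account token mounted, so the effect of answer C
# (ServiceAccount-level) versus answer D (pod-level) can be checked on
# sample objects. All objects below are constructed for the example.
from typing import Optional

# The 'default' ServiceAccount before and after the hardening in option C.
DEFAULT_SA_BEFORE = {"metadata": {"name": "default"}}
DEFAULT_SA_AFTER = {"metadata": {"name": "default"},
                    "automountServiceAccountToken": False}


def token_mounted(pod: dict, service_account: dict) -> bool:
    """Effective automount decision, following the documented precedence:
    an explicit pod.spec.automountServiceAccountToken wins; otherwise the
    ServiceAccount's automountServiceAccountToken applies; otherwise the
    default is True (token is mounted)."""
    spec = pod.get("spec", {})
    pod_setting: Optional[bool] = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return pod_setting
    sa_setting: Optional[bool] = service_account.get("automountServiceAccountToken")
    if sa_setting is not None:
        return sa_setting
    return True


def pods_exposing_token(pods: list, service_accounts: dict) -> list:
    """Audit helper: names of pods whose containers would carry an API token.
    Pods without serviceAccountName use the 'default' account, as in the cluster."""
    exposed = []
    for pod in pods:
        sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
        sa = service_accounts.get(sa_name, {"metadata": {"name": sa_name}})
        if token_mounted(pod, sa):
            exposed.append(pod["metadata"]["name"])
    return exposed


# Constructed pods: one silently using 'default', one opting out in its spec
# (answer D), and one that explicitly opts back in despite the hardened SA.
WEB_POD = {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "c"}]}}
BATCH_POD = {"metadata": {"name": "batch"},
             "spec": {"automountServiceAccountToken": False}}
OPT_IN_POD = {"metadata": {"name": "opt-in"},
              "spec": {"automountServiceAccountToken": True}}

if __name__ == "__main__":
    pods = [WEB_POD, BATCH_POD, OPT_IN_POD]
    print("before:", pods_exposing_token(pods, {"default": DEFAULT_SA_BEFORE}))
    print("after: ", pods_exposing_token(pods, {"default": DEFAULT_SA_AFTER}))
```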

2.

A cluster uses Kubernetes v1.24 with Pod Security Admission enabled. The cluster administrator wants to enforce that all pods in the 'production' namespace run with the 'restricted' policy level, but some existing deployments use privileged containers. Which approach ensures that only new pods violating the policy are rejected, while existing pods continue to run?

A. Patch existing deployments to remove privileged containers, then add the label 'pod-security.kubernetes.io/enforce=restricted' to the namespace.
B. Add the namespace label 'pod-security.kubernetes.io/enforce=restricted' and leave existing pods unchanged; new pods violating the policy will be rejected.
C. Create a PodSecurityPolicy that restricts privileged containers and bind it to all service accounts in the namespace.
D. Set the namespace label 'pod-security.kubernetes.io/enforce=restricted' and use the 'inform' mode to allow existing pods.

Explanation: Option B is correct because Pod Security Admission (PSA) in Kubernetes v1.24 enforces policies via namespace labels. Setting `pod-security.kubernetes.io/enforce=restricted` on the 'production' namespace will reject any new pod that violates the restricted policy, but existing pods are not re-evaluated and continue running. This behavior is by design: PSA evaluates pods at creation or update time, not retroactively, so existing workloads are unaffected.
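A simplified model of the admission behaviour described above, as an added example that is not Courseiva's or Kubernetes' own code: it reads the pod-security.kubernetes.io/* namespace labels, applies four of the 'restricted' profile checks to a pod at admission time, and distinguishes the enforce, warn and audit modes. Namespaces and pods are constructed; only the 'restricted' level is modelled.

```python
# Added example (not from Courseiva): a simplified model of Pod Security
# Admission (PSA). It reads the namespace labels from the question and applies
# part of the 'restricted' profile to a pod at admission time only, which is
# why pods admitted before the label was added are never re-evaluated.
PSA = "pod-security.kubernetes.io/"


def restricted_violations(pod: dict) -> list:
    """Four of the restricted-profile checks (the Kubernetes docs list the full set)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    problems = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{c['name']}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"{c['name']}: must drop ALL capabilities")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            problems.append(f"{c['name']}: runAsNonRoot must be true")
    return problems


def admit(namespace: dict, pod: dict) -> dict:
    """Admission decision for a pod being created or updated now.
    Only the 'restricted' level is modelled; baseline/privileged are omitted."""
    labels = namespace["metadata"].get("labels", {})
    violations = restricted_violations(pod)
    outcome = {"allowed": True, "warnings": [], "audit": []}
    if violations and labels.get(PSA + "enforce") == "restricted":
        outcome["allowed"] = False            # request rejected by the API server
    if violations and labels.get(PSA + "warn") == "restricted":
        outcome["warnings"] = violations      # client sees warnings, pod admitted
    if violations and labels.get(PSA + "audit") == "restricted":
        outcome["audit"] = violations         # recorded in the audit log only
    return outcome


# Constructed objects: 'production' enforces restricted (option B); 'staging' only warns.
PRODUCTION_NS = {"metadata": {"name": "production",
                              "labels": {PSA + "enforce": "restricted"}}}
STAGING_NS = {"metadata": {"name": "staging", "labels": {PSA + "warn": "restricted"}}}
PRIVILEGED_POD = {"metadata": {"name": "legacy"}, "spec": {"containers": [
    {"name": "app", "securityContext": {"privileged": True}}]}}
COMPLIANT_POD = {"metadata": {"name": "api"}, "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
```

A pod that already exists when the label is applied simply never passes through admit() again, which is the behaviour the explanation relies on.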

3.

A security engineer needs to ensure that all communication between nodes and the control plane is encrypted. Which component must be configured with a TLS certificate to achieve this?

A. kube-proxy
B. etcd
C. kube-scheduler
D. kube-apiserver

Explanation: The kube-apiserver is the central gateway for all cluster operations, and it must be configured with a TLS certificate to encrypt communication between nodes (kubelets) and the control plane. The kube-apiserver presents this certificate to authenticate itself and establish encrypted HTTPS connections, ensuring that all traffic from node components (e.g., kubelets, kube-proxy) and other control plane components is secured in transit.

4.

After a security incident, you need to restrict which pods can communicate with each other in the 'finance' namespace. You want to allow only pods with label 'app: api' to connect to pods with label 'app: db' on TCP port 5432, and deny all other traffic. Which NetworkPolicy should you create?

A.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-api-to-db
    namespace: finance
  spec:
    podSelector:
      matchLabels:
        app: api
    ingress:
    - from:
      - podSelector:
          matchLabels:
            app: db
      ports:
      - port: 5432

B.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-api-to-db
    namespace: finance
  spec:
    podSelector:
      matchLabels:
        app: api
    egress:
    - to:
      - podSelector:
          matchLabels:
            app: db
      ports:
      - port: 5432

C.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-api-to-db
    namespace: finance
  spec:
    podSelector:
      matchLabels:
        app: db
    ingress:
    - from:
      - podSelector:
          matchLabels:
            app: api

D.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-api-to-db
    namespace: finance
  spec:
    podSelector:
      matchLabels:
        app: db
    ingress:
    - from:
      - podSelector:
          matchLabels:
            app: api
      ports:
      - port: 5432

Explanation: Option D is correct because it defines a NetworkPolicy that selects pods with label 'app: db' as the target and allows ingress traffic only from pods with label 'app: api' on TCP port 5432. By default, if no NetworkPolicy exists, all traffic is allowed; once a NetworkPolicy selects a pod, all traffic not explicitly allowed is denied. This policy therefore restricts communication to only the intended api-to-db flow on the specified port.
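The isolation semantics in the explanation, as an added example that is not Courseiva's or Kubernetes' own code: a Python evaluator for ingress rules that treats an unselected pod as default-allow and a selected pod as default-deny, run against constructed pods and dict versions of options A, C and D. It only handles podSelector peers in the same namespace.

```python
# Added example (not from Courseiva): a small evaluator for the ingress
# semantics the explanation describes. A pod that no policy selects accepts
# everything; once any policy selects it, only the listed peers/ports pass.
# Policies are dicts shaped like the YAML options (same namespace assumed).

def matches(selector: dict, pod: dict) -> bool:
    want = selector.get("matchLabels", {})
    return all(pod["labels"].get(k) == v for k, v in want.items())


def ingress_allowed(policies: list, src: dict, dst: dict, port: int) -> bool:
    """True if traffic src -> dst:port is permitted by the ingress rules."""
    selecting = [p for p in policies if matches(p["spec"]["podSelector"], dst)]
    if not selecting:
        return True                      # dst is not isolated: default allow
    for policy in selecting:
        # A selecting policy with no 'ingress' rules still isolates dst.
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from", [])     # empty/missing 'from' = any source
            ports = rule.get("ports", [])    # empty/missing 'ports' = any port
            peer_ok = not peers or any(matches(f["podSelector"], src)
                                       for f in peers if "podSelector" in f)
            port_ok = not ports or any(p["port"] == port for p in ports)
            if peer_ok and port_ok:
                return True
    return False                         # isolated and no rule matched


# Constructed pods in the 'finance' namespace.
API = {"name": "api-1", "labels": {"app": "api"}}
DB = {"name": "db-1", "labels": {"app": "db"}}
WEB = {"name": "web-1", "labels": {"app": "web"}}

# Option D: select db, admit only api on 5432.
OPTION_D = {"spec": {"podSelector": {"matchLabels": {"app": "db"}},
                     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                                  "ports": [{"port": 5432}]}]}}
# Option C omits 'ports', so api pods could reach db on any port.
OPTION_C = {"spec": {"podSelector": {"matchLabels": {"app": "db"}},
                     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}]}}
# Option A selects the api pods instead, so the db pods stay unisolated.
OPTION_A = {"spec": {"podSelector": {"matchLabels": {"app": "api"}},
                     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "db"}}}],
                                  "ports": [{"port": 5432}]}]}}
```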

5.

A cluster has been configured with the NodeRestriction admission plugin. A developer tries to create a pod that uses a hostPath volume pointing to /var/log. The pod's nodeSelector is set to 'kubernetes.io/hostname: worker-1'. Which statement is true?

A. The pod will be created only if the node label matches the nodeSelector; the hostPath volume is irrelevant.
B. The pod will be rejected because hostPath volumes are not allowed by NodeRestriction.
C. The pod will be created because NodeRestriction does not restrict hostPath volumes.
D. The pod will be rejected because the nodeSelector conflicts with the NodeRestriction plugin.

Explanation: The NodeRestriction admission plugin limits the node labels that a kubelet can set and restricts pods from modifying their node affinity to gain access to node-specific resources. However, it does not restrict the use of hostPath volumes. Therefore, a pod with a hostPath volume pointing to /var/log and a nodeSelector for 'worker-1' will be created, as long as the nodeSelector matches an existing node label and the hostPath volume is otherwise permitted by the PodSecurityPolicy or other security contexts.

+15 more Cluster Setup and Hardening questions available


How to master Cluster Setup and Hardening for CKS

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Cluster Setup and Hardening. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Cluster Setup and Hardening questions on the CKS frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CKS Cluster Setup and Hardening questions are on the real exam?

The exact number varies per candidate. Cluster Setup and Hardening is tested as part of the Certified Kubernetes Security Specialist CKS blueprint. Practicing with targeted Cluster Setup and Hardening questions ensures you can handle any format or difficulty that appears.

Are these CKS Cluster Setup and Hardening practice questions free?

Yes. Courseiva provides free CKS practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Cluster Setup and Hardening one of the harder CKS topics?

Difficulty is subjective, but Cluster Setup and Hardening is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Cluster Setup and Hardening
Exam: CKS
Questions available: 20+