CNCF exam questions

Certified Kubernetes Security Specialist CKS practice test

Practise with the Certified Kubernetes Security Specialist (CKS) practice test: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

997 practice questions · 8 topics covered · Exam code: CKS · Vendor: CNCF

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 997 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.

Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.

Study Sheet

All 997 CKS questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

14 pages · 75 questions per page · 997 total

Related practice questions

Study CKS by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Sample questions

Certified Kubernetes Security Specialist CKS practice questions

Match each etcd security configuration to its description.

Encrypts communication between etcd clients and the etcd server

Encrypts communication between etcd cluster members

Requires clients to present a valid certificate to access etcd

Encrypts etcd data stored on disk (requires manual configuration)

Limits which users or clients can perform operations on etcd keys

Match each Kubernetes security component to its description.

Admission controller that enforces security constraints on pods

Defines how groups of pods can communicate with each other and other network endpoints

Role-based access control for authorization within the cluster

Linux security facility to restrict system calls from a container

Mandatory access control system that confines programs to a limited set of resources

Match each Kubernetes security tool or feature to its purpose.

Checks whether Kubernetes is deployed securely according to CIS benchmarks

Penetration testing tool for Kubernetes clusters

Policy engine for enforcing custom policies on Kubernetes resources

Runtime security monitoring tool that detects abnormal behavior

Vulnerability scanner for container images, filesystems, and Git repos

Match each Kubernetes certificate type to its usage.

Used by kubelet to serve the kubelet API (e.g., exec, logs)

Used by kubelet to authenticate to the API server

Used by the API server to serve HTTPS endpoints

Used to sign service account tokens so they can be verified

Used by an administrator to authenticate to the cluster with full privileges

Arrange the steps to enable and configure audit logging in Kubernetes.

Arrange the steps to configure and use kube-bench to audit a Kubernetes cluster's security.

Order the steps to rotate a Kubernetes API server certificate.

Order the steps to recover a Kubernetes cluster after a control plane failure where the API server certificate has expired.

A cluster uses RBAC and a ServiceAccount 'monitor' in namespace 'observability'. The account needs to list pods in all namespaces. Which ClusterRole and binding should be created?

Which TWO of the following are best practices for securing container images?

Question 11 · medium · multiple choice · Cluster Hardening

A company uses kube-bench to scan their cluster. The report shows a warning: 'Ensure that the --authorization-mode argument is set to Node,RBAC'. What is the best way to fix this?

A security engineer runs kube-hunter against a production cluster and receives the above output. The cluster uses kubeadm with default settings. Which two actions should the engineer take to remediate the vulnerabilities?

Refer to the exhibit.

Exhibit:

```
$ kube-hunter --report json --log warn
"vulnerability": "CVE-2020-8558",
"component": "kubelet",
"severity": "medium",
},
"vulnerability": "CVE-2019-11245",
"severity": "high",
```

Match each Kubernetes admission controller to its role in security.

Limits the Node and Pod objects a kubelet can modify

Ensures images are always pulled, preventing use of local images

Denies pods with certain security context settings (deprecated)

Implements automation for service accounts

Enforces namespace-level node selector restrictions

Match each Kubernetes command to its function related to security.

Check whether an action is allowed for a user or service account

Approve a certificate signing request (CSR)

Run a temporary interactive pod for troubleshooting

Create a secret from literals, files, or directories

Apply a PodSecurityPolicy configuration (deprecated)

Question 15 · easy · multiple choice · Cluster Setup

A cluster is using kubeadm and the control plane components are running as static pods. Where are the static pod manifests for the API server located by default?

Question 16 · medium · multiple choice · Cluster Setup

A security team wants to ensure that all communication between the kubelet and the API server is encrypted. Which flag must be set on the kubelet to enforce this?

Question 17 · medium · multiple choice · Cluster Hardening

A developer created a ClusterRole 'pod-reader' with rules to get, list, and watch pods. They bound it to a user via ClusterRoleBinding. The user reports they cannot list pods in namespace 'test'. What is the most likely cause?

An administrator wants to prevent pods from running as root. Which SecurityContext field should be set at the pod level?

Which Kubernetes resource should be used to restrict egress traffic from pods?

Which THREE practices help ensure the integrity and confidentiality of container logs in a Kubernetes cluster?

A security team wants to detect anomalous process executions in containers without modifying the container images or requiring agents inside containers. Which approach is most suitable?

A security auditor requires that all container images used in the cluster are scanned for vulnerabilities before deployment. The team uses a private registry with image signing. Which solution enforces that only signed and scanned images are deployed?

A cluster administrator wants to monitor network traffic between pods for security analysis. Which tool is designed specifically for this purpose and integrates with Kubernetes?

Which TWO actions are effective for detecting and preventing container breakout attempts using runtime security tools?

Exam question guide

How to use these CKS questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Certified Kubernetes Security Specialist CKS questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

These CKS practice questions are part of Courseiva's free CNCF certification practice question bank. Courseiva provides original exam-style CKS questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.