Sample questions
Certified Kubernetes Security Specialist CKS practice questions
Match each etcd security configuration to its description.
- Encrypts communication between etcd clients and the etcd server
- Encrypts communication between etcd cluster members
- Requires clients to present a valid certificate to access etcd
- Encrypts etcd data stored on disk (requires manual configuration)
- Limits which users or clients can perform operations on etcd keys
Match each Kubernetes security component to its description.
- Admission controller that enforces security constraints on pods
- Defines how groups of pods can communicate with each other and other network endpoints
- Role-based access control for authorization within the cluster
- Linux security facility to restrict system calls from a container
- Mandatory access control system that confines programs to a limited set of resources
Match each Kubernetes security tool or feature to its purpose.
- Checks whether Kubernetes is deployed securely according to CIS benchmarks
- Penetration testing tool for Kubernetes clusters
- Policy engine for enforcing custom policies on Kubernetes resources
- Runtime security monitoring tool that detects abnormal behavior
- Vulnerability scanner for container images, filesystems, and Git repos
Match each Kubernetes certificate type to its usage.
- Used by kubelet to serve the kubelet API (e.g., exec, logs)
- Used by kubelet to authenticate to the API server
- Used by the API server to serve HTTPS endpoints
- Used to sign service account tokens so they can be verified
- Used by an administrator to authenticate to the cluster with full privileges
Arrange the steps to enable and configure audit logging in Kubernetes.
Arrange the steps to configure and use kube-bench to audit a Kubernetes cluster's security.
Order the steps to rotate a Kubernetes API server certificate.
Order the steps to recover a Kubernetes cluster after a control plane failure where the API server certificate has expired.
A cluster uses RBAC and a ServiceAccount 'monitor' in namespace 'observability'. The account needs to list pods in all namespaces. Which ClusterRole and binding should be created?
- A: Role with 'list' on pods, RoleBinding in observability. Why wrong: Role is namespace-scoped.
- B: ClusterRole with 'get' on pods, ClusterRoleBinding. Why wrong: 'get' is for a specific pod, not list.
- C: ClusterRole with 'list' on pods, RoleBinding in observability. Why wrong: RoleBinding only grants access in its namespace.
- D (correct): ClusterRole with 'list' on pods, ClusterRoleBinding. Correct scope and verb for listing pods across all namespaces.
Which TWO of the following are best practices for securing container images?
- A: Always use the latest tag. Why wrong: Unpredictable and mutable.
- B (correct): Use minimal base images like distroless. Reduces attack surface.
- C: Run containers as root. Why wrong: Increases risk.
- D: Run containers in privileged mode. Why wrong: Grants excessive capabilities.
- E (correct): Use image vulnerability scanning. Identifies known vulnerabilities.
A company uses kube-bench to scan their cluster. The report shows a warning: 'Ensure that the --authorization-mode argument is set to Node,RBAC'. What is the best way to fix this?
- A: Add --authorization-mode=AlwaysDeny to the API server. Why wrong: AlwaysDeny is not a valid mode; it should be Node,RBAC.
- B: Restart the API server with --authorization-webhook-config-file. Why wrong: Webhook is additional, not a replacement.
- C: Set --authorization-mode=RBAC only. Why wrong: Missing Node mode.
- D (correct): Edit the kube-apiserver manifest to add --authorization-mode=Node,RBAC. Sets both Node and RBAC as required.
A security engineer runs kube-hunter against a production cluster and receives the above output. The cluster uses kubeadm with default settings. Which two actions should the engineer take to remediate the vulnerabilities?
- A (correct): Upgrade the cluster to Kubernetes 1.14 or later to fix CVE-2019-11245. The vulnerability is fixed in kubelet versions 1.13.9+, 1.14.5+, and 1.15.2+.
- B: Set the kubelet flag --authentication-token-webhook=true. Why wrong: This enables token review but does not disable anonymous access.
- C (correct): Configure the kubelet to set --anonymous-auth=false and restart the kubelet service. This stops the kubelet from allowing unauthenticated requests.
- D: Enable the NodeRestriction admission controller. Why wrong: NodeRestriction limits node self-updates to the API server, but does not secure the kubelet API.
- E: Modify the kube-apiserver manifest to set --anonymous-auth=false. Why wrong: This affects the API server, not the kubelet's anonymous access.
Match each Kubernetes admission controller to its role in security.
- Limits the Node and Pod objects a kubelet can modify
- Ensures images are always pulled, preventing use of local images
- Denies pods with certain security context settings (deprecated)
- Implements automation for service accounts
- Enforces namespace-level node selector restrictions
Match each Kubernetes command to its function related to security.
- Check whether an action is allowed for a user or service account
- Approve a certificate signing request (CSR)
- Run a temporary interactive pod for troubleshooting
- Create a secret from literals, files, or directories
- Apply a PodSecurityPolicy configuration (deprecated)
A cluster is using kubeadm and the control plane components are running as static pods. Where are the static pod manifests for the API server located by default?
- A: /var/lib/kubelet/. Why wrong: This is the kubelet working directory.
- B (correct): /etc/kubernetes/manifests/. Default static pod manifest directory.
- C: /etc/kubernetes/admin.conf. Why wrong: This is a kubeconfig file.
- D: /etc/kubernetes/. Why wrong: This directory contains config files, not static pod manifests.
A security team wants to ensure that all communication between the kubelet and the API server is encrypted. Which flag must be set on the kubelet to enforce this?
- A: --tls-cert-file. Why wrong: This is for serving certificates, not for client connections.
- B: --node-status-update-frequency. Why wrong: This controls update frequency, not encryption.
- C (correct): --kubeconfig. The kubeconfig file contains the API server address with HTTPS.
- D: --require-kubeconfig. Why wrong: This flag is deprecated.
A developer created a ClusterRole 'pod-reader' with rules to get, list, and watch pods. They bound it to a user via ClusterRoleBinding. The user reports they cannot list pods in namespace 'test'. What is the most likely cause?
- A: The ClusterRole must be bound with a RoleBinding. Why wrong: ClusterRoleBinding is correct for cluster-wide access.
- B: The user needs a ServiceAccount. Why wrong: Users authenticate via certificates, not ServiceAccounts.
- C (correct): The ClusterRoleBinding might have a namespace set. If namespace is set, it becomes namespace-scoped, breaking access.
- D: The pod-reader ClusterRole is missing 'list' verb. Why wrong: The stem says it includes list.
An administrator wants to prevent pods from running as root. Which SecurityContext field should be set at the pod level?
- A: fsGroup: 2000. Why wrong: Sets filesystem group for volumes.
- B: runAsGroup: 3000. Why wrong: Only sets group ID.
- C: runAsUser: 1000. Why wrong: Sets a specific user, but could be root if set to 0.
- D (correct): runAsNonRoot: true. Explicitly prevents root.
Which Kubernetes resource should be used to restrict egress traffic from pods?
- A (correct): NetworkPolicy with egress rules. Directly restricts egress.
- B: PodSecurityPolicy. Why wrong: Deprecated and does not control network.
- C: iptables rules on nodes. Why wrong: Not a Kubernetes resource.
- D: NetworkPolicy with ingress rules. Why wrong: Controls inbound traffic.
Which THREE practices help ensure the integrity and confidentiality of container logs in a Kubernetes cluster?
- A (correct): Configure the log collector to use TLS when shipping logs to a central system. TLS encrypts logs in transit.
- B: Set container 'stdout' logging only, avoiding file-based logs. Why wrong: Stdout logs are not encrypted unless the container output is encrypted.
- C (correct): Store logs in a backend that supports encryption at rest (e.g., S3 with SSE). Encryption at rest protects stored logs.
- D (correct): Run log collectors in a dedicated namespace with network policies limiting access. Isolation and network policies restrict unauthorized access.
- E: Disable log rotation to prevent log tampering during rotation. Why wrong: Disabling rotation causes disk full and data loss.
A security team wants to detect anomalous process executions in containers without modifying the container images or requiring agents inside containers. Which approach is most suitable?
- A: Configure CRI-O to log all container process starts to syslog. Why wrong: CRI-O does not provide process-level logging; would require runtime modification.
- B (correct): Deploy Falco as a DaemonSet using eBPF probe to monitor system calls. Falco on the host can detect container process anomalies without modifying images.
- C: Enable Kubernetes audit logging and parse the logs for process events. Why wrong: Audit logs capture API requests, not container process syscalls.
- D: Use OPA Gatekeeper to enforce allowed process lists in pod specs. Why wrong: OPA/Gatekeeper validates admission, not runtime process execution.
A security auditor requires that all container images used in the cluster are scanned for vulnerabilities before deployment. The team uses a private registry with image signing. Which solution enforces that only signed and scanned images are deployed?
- A (correct): Use Cosign to sign images and deploy a webhook that verifies signatures. Cosign admission controller can enforce signature verification at pod creation.
- B: Run Trivy in a CronJob to scan images and update a ConfigMap with allowed images. Why wrong: ConfigMap approach is not real-time and can be bypassed.
- C: Use OPA Gatekeeper to verify that the image comes from the private registry. Why wrong: Registry source does not guarantee scanning or signing.
- D: Enable Binary Authorization on the cluster to enforce image attestation. Why wrong: Binary Authorization is a GCP-specific feature, not general Kubernetes.
A cluster administrator wants to monitor network traffic between pods for security analysis. Which tool is designed specifically for this purpose and integrates with Kubernetes?
- A: Configure Fluentd to collect network logs from each node. Why wrong: Fluentd is a log collector, not a network monitor.
- B: Use Prometheus to scrape network metrics from kube-proxy. Why wrong: Prometheus collects metrics, not network flows.
- C: Run kube-bench to audit network policies. Why wrong: Kube-bench checks CIS benchmarks, not live traffic.
- D (correct): Deploy Cilium with Hubble for network flow visibility. Cilium/Hubble provides pod-level network monitoring.
Which TWO actions are effective for detecting and preventing container breakout attempts using runtime security tools?
- A: Set 'securityContext.seccompProfile.type: Unconfined' to allow all syscalls. Why wrong: Unconfined disables seccomp, increasing risk.
- B: Enable Kubernetes audit logging to capture exec commands. Why wrong: Audit logs record events, not prevent breakouts.
- C: Use PodSecurityPolicy to deny privileged containers. Why wrong: PSP is deprecated and does not detect breakouts.
- D (correct): Deploy Falco with rules that alert on 'syscall' events like 'clone' or 'unshare'. Falco can detect breakout attempts via syscall monitoring.
- E (correct): Apply a seccomp profile that blocks unneeded syscalls for each container. Seccomp restricts syscalls, making breakout harder.