Certified Kubernetes Security Specialist CKS (CKS) — Questions 676750

997 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
MCQmedium

You need to set up a ValidatingWebhookConfiguration to deny pods that run as root. The webhook server is deployed in the 'webhook' namespace with service 'webhook-svc' on port 443. Which of the following is a correct snippet for the webhook configuration?

A.clientConfig: service: name: webhook-svc namespace: webhook path: /validate port: 443
B.clientConfig: url: https://10.96.0.1:443/validate
C.clientConfig: url: https://webhook-svc.webhook.svc:443/validate
D.clientConfig: service: name: webhook-svc namespace: webhook path: /validate caBundle: <base64>
AnswerA

This correctly references the service within the cluster.

677
MCQeasy

Which of the following is the correct way to drop all capabilities in a container's security context?

A.securityContext: capabilities: drop: ['ALL']
B.securityContext: capabilities: remove: ['ALL']
C.securityContext: capabilities: []
D.securityContext: capabilities: add: []
AnswerA

This drops all capabilities.

Why this answer

The correct YAML is `capabilities: drop: ['ALL']` under securityContext.

678
Multi-Selectmedium

Which TWO of the following are valid methods to verify the integrity of a container image in a Kubernetes supply chain? (Select 2)

Select 2 answers
A.Signing the image with Cosign and verifying the signature before deployment
B.Running the container in a separate namespace
C.Using a SHA256 digest instead of a tag in the image reference
D.Scanning the image for vulnerabilities using Trivy
E.Using a base image with the latest tag
AnswersA, C

Image signing ensures the image has not been tampered with and originated from a trusted source.

Why this answer

Image signing with Cosign and using SHA digests are both methods to verify image integrity. Scanning for CVEs does not verify integrity but finds vulnerabilities. Namespace isolation is not related to image verification.

679
MCQeasy

Which kubectl command can be used to execute a shell inside a running container for forensic analysis?

A.kubectl delete pod <pod>
B.kubectl logs <pod>
C.kubectl describe pod <pod>
D.kubectl exec -it <pod> -- /bin/sh
AnswerD

Correct: This starts an interactive shell.

Why this answer

'kubectl exec' with '-it' and a shell command allows interactive shell access. Option B is for logs, option C is for describing resources, option D is for deleting.

680
MCQmedium

A security engineer is configuring a Kubernetes cluster to meet CIS benchmark recommendations. The cluster uses kubeadm for bootstrapping. Which action should be taken to ensure the kube-apiserver is hardened against unauthorized access?

A.Set --insecure-port=8080 on the kube-apiserver
B.Disable the NodeRestriction admission plugin
C.Enable encryption at rest for secrets in etcd
D.Set --anonymous-auth=false on the kube-apiserver
AnswerD

Disables anonymous requests, requiring authentication for all API access.

Why this answer

Option D is correct because setting `--anonymous-auth=false` on the kube-apiserver disables anonymous requests, ensuring that all API requests must be authenticated. This directly addresses CIS benchmark recommendations for hardening the API server against unauthorized access by preventing unauthenticated users from reaching the API.

Exam trap

CNCF often tests the distinction between authentication hardening (anonymous-auth) and authorization or encryption controls, leading candidates to confuse enabling encryption at rest (Option C) with preventing unauthorized API access.

How to eliminate wrong answers

Option A is wrong because setting `--insecure-port=8080` enables an unencrypted, non-authenticated HTTP port, which is a severe security risk and explicitly deprecated in Kubernetes; the CIS benchmark recommends disabling the insecure port entirely. Option B is wrong because disabling the NodeRestriction admission plugin would allow compromised nodes to modify their own Node and Pod objects, reducing security; the CIS benchmark recommends enabling it to enforce node authorization. Option C is wrong because enabling encryption at rest for secrets in etcd protects data confidentiality at the storage layer but does not prevent unauthorized access to the kube-apiserver itself; it addresses a different control (data protection) rather than authentication hardening.

681
MCQhard

A cluster has a PodSecurityPolicy that requires 'RunAsAny' for the user. An administrator wants to enforce that all pods in namespace 'production' must run with a specific seccomp profile. Which approach is recommended given PSP is deprecated?

A.Enable PodSecurity admission with 'restricted' policy in enforce mode
B.Create a new PSP with seccomp profile and assign it to the namespace
C.Set seccomp profile in the kubelet configuration
D.Use a mutating admission webhook to add seccomp profile
AnswerA

Enforces seccomp as part of the restricted policy.

Why this answer

Option A is correct because PodSecurity admission (the replacement for PSP) allows enforcing a 'restricted' policy that mandates a seccomp profile (e.g., RuntimeDefault) at the namespace level. This directly meets the requirement without relying on deprecated PSPs, and the 'enforce' mode ensures pods violating the policy are rejected.

Exam trap

CNCF often tests the deprecation of PSP and the shift to PodSecurity admission; the trap here is that candidates may still choose a PSP-based option (B) or overcomplicate with webhooks (D), missing the built-in, recommended replacement.

How to eliminate wrong answers

Option B is wrong because PSP is deprecated and will be removed in Kubernetes 1.25+, so creating a new PSP is not a recommended long-term solution; also, PSPs are cluster-scoped and cannot be directly assigned to a namespace without additional RBAC. Option C is wrong because kubelet configuration sets a default seccomp profile for all pods on the node, not per-namespace enforcement, and it cannot selectively target the 'production' namespace. Option D is wrong because while a mutating admission webhook could add the seccomp profile, it is more complex and less standard than using the built-in PodSecurity admission controller, which is the recommended approach per Kubernetes documentation.

682
Multi-Selecthard

Which THREE of the following are valid methods to secure etcd?

Select 3 answers
A.Use HTTP instead of HTTPS to reduce overhead
B.Encrypt secrets at rest using EncryptionConfiguration
C.Enable RBAC authorization on etcd
D.Open etcd port 2379 to all network interfaces
E.Enable TLS client certificates for authentication
AnswersB, C, E

This encrypts data stored in etcd.

Why this answer

Option B is correct because Kubernetes supports encrypting secrets at rest in etcd via an EncryptionConfiguration object. This configuration specifies which resources (e.g., secrets) should be encrypted and which encryption provider (e.g., AES-CBC, secretbox) to use, ensuring that data stored on disk is protected against unauthorized access to the etcd data directory.

Exam trap

The trap here is that candidates may think HTTP reduces overhead and is acceptable for internal cluster traffic, but the CKS exam strictly requires TLS encryption for all etcd communication, and exposing ports to all interfaces is a clear security violation.

683
MCQhard

An administrator wants to ensure that containers in a pod cannot run with any Linux capabilities except the minimal required for the container runtime. The pod is subject to the 'restricted' Pod Security Standard. Which capability configuration should be set in the pod's security context?

A.capabilities: drop: ["ALL"]
B.capabilities: drop: ["NET_RAW", "CHOWN"]
C.capabilities: add: ["NET_BIND_SERVICE"]
D.capabilities: add: ["ALL"]
AnswerA

Under the restricted profile, you must drop all capabilities. Adding capabilities is not allowed.

Why this answer

The 'restricted' Pod Security Standard (PSS) requires that all Linux capabilities be dropped except those essential for the container runtime (e.g., CAP_NET_BIND_SERVICE is allowed by default in some runtimes, but the standard explicitly mandates dropping all capabilities). Option A correctly uses `drop: ["ALL"]` to remove every capability, ensuring the container runs with the minimal set required by the runtime, which aligns with the PSS 'restricted' profile. This approach enforces the principle of least privilege by preventing the container from gaining any unnecessary kernel privileges.

Exam trap

CNCF often tests the misconception that dropping only specific dangerous capabilities (like `NET_RAW` and `CHOWN`) is sufficient for the 'restricted' PSS, when in fact the standard requires dropping all capabilities to achieve the minimal privilege level.

How to eliminate wrong answers

Option B is wrong because dropping only `NET_RAW` and `CHOWN` does not satisfy the 'restricted' PSS requirement to drop all capabilities; it leaves other potentially dangerous capabilities (e.g., `SYS_ADMIN`, `NET_ADMIN`) intact, violating the standard. Option C is wrong because adding `NET_BIND_SERVICE` is unnecessary and contradicts the 'restricted' PSS, which expects no capabilities to be added; the runtime already provides minimal capabilities, and explicit adds can introduce privileges beyond the allowed set. Option D is wrong because adding `ALL` capabilities grants every Linux capability to the container, which directly violates the 'restricted' PSS and defeats the purpose of capability dropping, creating a severe security risk.

684
Multi-Selecthard

Which THREE of the following are valid ways to manage secrets in a Kubernetes environment? (Select THREE)

Select 3 answers
A.Use an external secret manager like HashiCorp Vault and inject secrets via sidecar or CSI driver.
B.Store secrets in environment variables directly in the Deployment YAML.
C.Use Kubernetes Secret objects mounted as volumes in pods.
D.Encrypt Secret objects at rest using EncryptionConfiguration.
E.Store secrets in ConfigMaps and reference them in pods.
AnswersA, C, D

External secret managers provide secure storage and dynamic secrets.

685
MCQmedium

A security team wants to ensure that all containers in a pod run with only the minimum required Linux capabilities. Which of the following approaches is BEST?

A.Set securityContext.capabilities.drop: ['ALL'] with no add
B.Leave capabilities unset to use the default set
C.Add only the necessary capabilities without dropping
D.Set securityContext.capabilities.drop: ['ALL'] and add only necessary capabilities
AnswerD

Correct. Drop all default capabilities and add only those needed reduces the attack surface.

Why this answer

Option D is correct because it implements the principle of least privilege by first dropping all capabilities with `drop: ['ALL']` and then explicitly adding back only those capabilities that are strictly necessary for the container to function. This ensures that the container runs with the absolute minimum set of Linux capabilities, reducing the attack surface and adhering to Kubernetes security best practices for system hardening.

Exam trap

CNCF often tests the misconception that simply dropping all capabilities is sufficient, but the trap here is that dropping all without adding necessary ones can break the application, while adding capabilities without dropping all leaves unnecessary capabilities enabled, both of which fail the 'minimum required' requirement.

How to eliminate wrong answers

Option A is wrong because dropping all capabilities without adding any back may cause the container to fail if it requires any capabilities to operate (e.g., `NET_BIND_SERVICE` for binding to privileged ports), leading to runtime errors. Option B is wrong because leaving capabilities unset uses the default set, which includes many capabilities (e.g., `CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`, `AUDIT_WRITE`, `SETFCAP`) that are often unnecessary and increase the risk of privilege escalation. Option C is wrong because adding only necessary capabilities without first dropping all capabilities leaves the default capabilities intact, which still includes potentially dangerous capabilities that are not required, violating the principle of least privilege.

686
MCQeasy

Which of the following is a recommended CIS Benchmark control for etcd?

A.Use HTTP for client communication
B.Enable TLS for etcd peer and client communication
C.Disable audit logging
D.Enable anonymous authentication
AnswerB

TLS encryption for etcd communication is a key recommendation.

Why this answer

The CIS Kubernetes Benchmark recommends enabling TLS for etcd communication to ensure data in transit is encrypted.

687
MCQmedium

An administrator runs 'kubectl get clusterrolebindings' and notices a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to a service account in the 'default' namespace. What security concern does this raise?

A.The service account can now perform any action across all namespaces, which violates least-privilege.
B.The service account can only access resources in the 'default' namespace.
C.No concern; service accounts are allowed to have cluster-admin.
D.The ClusterRoleBinding should be replaced with a RoleBinding.
AnswerA

cluster-admin grants full cluster-level permissions, which is excessive for most service accounts.

Why this answer

A ClusterRoleBinding grants cluster-wide permissions, and the 'cluster-admin' ClusterRole provides superuser access to perform any action on any resource across all namespaces. Binding this to a service account violates the principle of least privilege because the service account gains unrestricted access to the entire cluster, including sensitive system resources, rather than being limited to only the permissions necessary for its function.

Exam trap

The trap here is that candidates may think a service account bound to a ClusterRole is limited to its namespace, or that 'cluster-admin' is acceptable for any service account, when the CKS exam specifically tests the principle of least privilege and the distinction between RoleBindings (namespace-scoped) and ClusterRoleBindings (cluster-scoped).

How to eliminate wrong answers

Option B is wrong because a ClusterRoleBinding applies cluster-wide, not just to the 'default' namespace; the service account can access resources in all namespaces. Option C is wrong because while service accounts can be bound to cluster-admin, doing so without justification is a significant security concern that violates least-privilege and should be avoided unless absolutely necessary. Option D is wrong because replacing the ClusterRoleBinding with a RoleBinding would limit the binding to a single namespace, but the core issue is the excessive privilege of the 'cluster-admin' ClusterRole, not the binding type; a RoleBinding with 'cluster-admin' is not possible (RoleBindings can only reference ClusterRoles for resources in the same namespace, but 'cluster-admin' still grants cluster-wide scope via a RoleBinding).

688
Matchingmedium

Match each Kubernetes network security concept to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Outbound network traffic from a pod to external endpoints

Inbound network traffic to a pod from external sources

Specification of how groups of pods are allowed to communicate

Container Network Interface plugin that implements networking for pods

Infrastructure layer for handling service-to-service communication, often with mTLS

Why these pairings

Understanding these concepts is important for implementing network security.

689
MCQeasy

What is the purpose of the --audit-policy-file flag on the kube-apiserver?

A.To specify the location of the audit log file
B.To enable audit logging
C.To specify the audit policy configuration
D.To configure the retention of audit logs
AnswerC

The audit policy file defines which API requests are audited and at what level.

Why this answer

The `--audit-policy-file` flag on the kube-apiserver specifies the path to a YAML or JSON file that defines the audit policy configuration. This policy determines which events (e.g., requests to the API server) should be logged and at what level (e.g., Metadata, Request, RequestResponse). It does not directly enable audit logging or set the log file location; it only provides the rules for filtering and structuring audit events.

Exam trap

The trap here is that candidates confuse the `--audit-policy-file` flag with enabling audit logging or setting the log output path, when in fact audit logging is always on and the policy file only filters which events are recorded.

How to eliminate wrong answers

Option A is wrong because the location of the audit log file is specified by the `--audit-log-path` flag, not `--audit-policy-file`. Option B is wrong because audit logging is enabled by default when the kube-apiserver starts; the `--audit-policy-file` flag controls what gets logged, not whether logging is active. Option D is wrong because retention of audit logs (e.g., rotation and max age) is configured via flags like `--audit-log-maxage`, `--audit-log-maxbackup`, and `--audit-log-maxsize`, not the policy file.

690
Multi-Selectmedium

Which TWO of the following are valid methods to apply a custom seccomp profile to a pod in Kubernetes?

Select 2 answers
A.Setting the annotation 'seccomp.security.alpha.kubernetes.io/pod' on the pod
B.Using 'securityContext.seccompProfile.type: RuntimeDefault' with 'localhostProfile' set
C.Configuring the kubelet with --seccomp-default-profile flag
D.Using 'securityContext.seccompProfile.type: Localhost' with 'localhostProfile' set
E.Adding a seccomp profile to the container image and referencing it in the pod spec
AnswersA, D

This is a valid (though deprecated) method.

Why this answer

Option A is correct because the annotation 'seccomp.security.alpha.kubernetes.io/pod' was the original method to apply a seccomp profile to a pod in Kubernetes versions prior to 1.19. This annotation is still valid in older clusters or when using the alpha API, and it directly specifies the seccomp profile path or type for the pod.

Exam trap

CNCF often tests the distinction between the deprecated annotation method and the current 'securityContext.seccompProfile' field, and the trap here is that candidates may think 'localhostProfile' can be combined with 'RuntimeDefault' or that profiles can be embedded in container images, which is incorrect.

691
Multi-Selectmedium

Which TWO of the following are best practices for minimizing microservice vulnerabilities in a Kubernetes cluster?

Select 2 answers
A.Enable mutual TLS (mTLS) for service-to-service communication using a service mesh.
B.Run containers as root to avoid permission issues.
C.Allow all egress traffic from pods to simplify network management.
D.Set resource limits (CPU/memory) on containers to prevent resource exhaustion attacks.
E.Use hostNetwork: true for pods to improve network performance.
AnswersA, D

mTLS provides encryption and mutual authentication, reducing vulnerability to eavesdropping and impersonation.

Why this answer

Mutual TLS (mTLS) encrypts and authenticates all service-to-service traffic within the cluster, preventing eavesdropping, man-in-the-middle attacks, and unauthorized access. A service mesh like Istio or Linkerd transparently enforces mTLS without requiring application code changes, ensuring that only verified services can communicate. This directly minimizes the attack surface for microservice vulnerabilities by enforcing zero-trust network principles.

Exam trap

CNCF often tests the misconception that 'simplifying network management' (e.g., allowing all egress traffic) is a security best practice, when in fact it removes critical network segmentation controls required for microservice isolation.

692
Multi-Selecteasy

Which TWO crictl commands can be used to inspect a running container?

Select 2 answers
A.crictl logs <container-id>
B.crictl run <image>
C.crictl create <pod-config>
D.crictl stats <container-id>
E.crictl exec <container-id> <command>
AnswersA, E

Shows container logs.

Why this answer

crictl logs shows logs, crictl exec runs a command in the container.

693
Multi-Selectmedium

Which TWO of the following are best practices for securing secrets in Kubernetes?

Select 2 answers
A.Storing secrets as environment variables
B.Using the default secret type (Opaque) for all secrets
C.Enabling encryption at rest for secrets
D.Limiting the number of secrets in the cluster
E.Using an external secrets management system like HashiCorp Vault
AnswersC, E

Encryption at rest protects secrets if etcd is compromised.

Why this answer

Options B and D are best practices. Option B: Using external secret managers provides rotation and auditing. Option D: Encryption at rest protects secrets stored in etcd.

Option A is not a best practice because secrets can be exposed. Option C: Reducing the number of secrets does not directly improve security; proper management is better. Option E: The default `type: Opaque` is not secure; using encrypted secrets is better.

694
MCQmedium

Which of the following is NOT a recommended method to reduce the attack surface on Kubernetes nodes?

A.Using read-only root filesystems
B.Running containers as non-root
C.Running containers with privileged: true
D.Disabling unnecessary system services on nodes
AnswerC

Privileged containers have elevated capabilities, increasing attack surface.

Why this answer

Running containers with privileged access increases the attack surface. The other options are recommended hardening measures.

695
Multi-Selecteasy

You are auditing a cluster for runtime security best practices. Which TWO of the following actions are recommended to improve container runtime security?

Select 2 answers
A.Deploy Falco to monitor system calls and detect anomalous behavior.
B.Disable the container runtime's security engine to reduce overhead.
C.Run containers in privileged mode for better performance.
D.Enable seccomp profiles to restrict available system calls.
E.Set AppArmor to unconfined for all pods to avoid profile conflicts.
AnswersA, D

Falco is a standard runtime security tool.

Why this answer

Falco is a CNCF-graduated runtime security tool that uses eBPF or kernel modules to monitor system calls in real time, detecting anomalous behavior such as unexpected process execution or file writes. Deploying Falco is a recommended best practice for runtime security because it provides deep visibility into container activity without requiring application changes, and it can trigger alerts or actions based on customizable rules.

Exam trap

CNCF often tests the misconception that disabling security features (like seccomp or AppArmor) improves performance without understanding the severe security trade-offs, or that privileged mode is an acceptable performance tuning technique.

696
Multi-Selectmedium

Which TWO resources can be used to implement RBAC in Kubernetes?

Select 2 answers
A.ClusterRole
B.NetworkPolicy
C.PodSecurityPolicy
D.ServiceAccount
E.Role
AnswersA, E

ClusterRole defines cluster-scoped permissions or can be used in namespaces.

Why this answer

A is correct because ClusterRole is a Kubernetes RBAC resource that defines a set of permissions (rules) that are not namespaced, allowing cluster-wide access. RBAC in Kubernetes uses Role and ClusterRole objects to specify allowed verbs (e.g., get, list, create) on resources (e.g., pods, secrets), and they are bound to subjects via RoleBinding or ClusterRoleBinding.

Exam trap

CNCF often tests the distinction between RBAC authorization resources (Role/ClusterRole) and other Kubernetes objects that deal with security but serve different purposes, such as NetworkPolicy (network segmentation) or PodSecurityPolicy (pod security constraints), leading candidates to confuse authorization with other security controls.

697
Multi-Selectmedium

Which TWO of the following are valid admission controllers in Kubernetes? (Select TWO)

Select 2 answers
A.PodSecurityPolicy
B.MutatingAdmissionWebhook
C.ImagePolicyWebhook
D.NodeRestriction
E.OPA
AnswersB, C

MutatingAdmissionWebhook is a standard admission controller that mutates objects.

Why this answer

ImagePolicyWebhook and MutatingAdmissionWebhook are valid admission controllers. PodSecurityPolicy is deprecated, NodeRestriction is not an admission controller, and OPA is a tool not an admission controller itself.

698
MCQhard

Refer to the exhibit. A cluster has the ClusterImagePolicy shown. A developer creates a pod with an image from registry.example.com/myapp:v1, which was built and signed by a GitHub Actions workflow that is NOT defined in the policy (different workflow). Which behavior will occur when the pod is created?

A.The pod is admitted because keyless signing does not enforce identity matching.
B.The pod is admitted because the policy only applies to images with a tag 'v*'.
C.The pod is admitted because the image is from the allowed registry.
D.The pod is denied because the image's signer identity does not match the policy.
AnswerD

The identity check fails, so cosigned denies the admission.

Why this answer

Option D is correct because the ClusterImagePolicy enforces that images must be signed by a specific identity (the GitHub Actions workflow defined in the policy). The image from registry.example.com/myapp:v1 was signed by a different workflow, so the signer identity does not match the policy's required identity. Sigstore keyless signing verifies the OIDC identity embedded in the signature, and if the identity does not match the policy's `issuer` and `subject` patterns, the admission controller denies the pod.

Exam trap

CNCF often tests the misconception that keyless signing only verifies the signature's cryptographic validity, not the identity of the signer, but in reality the policy enforces identity matching via OIDC claims.

How to eliminate wrong answers

Option A is wrong because keyless signing does enforce identity matching via OIDC tokens; the policy specifies allowed identities, and mismatches cause denial. Option B is wrong because the policy uses a regex `v*` which matches any tag starting with 'v', and 'v1' matches that pattern, so the policy applies. Option C is wrong because the policy restricts based on signer identity, not just registry; the image is from an allowed registry but the signer identity does not match, so admission is denied.

699
Drag & Dropmedium

Arrange the steps to enable and configure audit logging in Kubernetes.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Audit logging requires a policy file, mounting it, adding flags, restarting, and verifying logs.

700
MCQmedium

A cluster has PodSecurity admission enabled. A developer creates a pod with the following security context: 'securityContext: { capabilities: { drop: ["ALL"], add: ["NET_ADMIN"] } }'. The namespace is labeled 'pod-security.kubernetes.io/enforce: baseline'. Will the pod be allowed?

A.No, because baseline requires dropping ALL first
B.Yes, because the pod drops all capabilities before adding specific ones
C.No, because dropping ALL capabilities is not allowed by baseline
D.Yes, because the baseline policy allows adding NET_ADMIN
AnswerD

Baseline allows NET_ADMIN to be added.

Why this answer

Option D is correct because the Pod Security Standards (PSS) baseline policy explicitly allows adding the NET_ADMIN capability. The baseline policy restricts certain capabilities but does not prohibit adding NET_ADMIN; it only restricts capabilities that could lead to host-level privilege escalation. Dropping ALL capabilities first and then adding NET_ADMIN is a valid pattern that satisfies the baseline policy's requirements.

Exam trap

The trap here is that candidates assume 'baseline' is more restrictive than it actually is, or they confuse the 'restricted' policy's capability restrictions with the 'baseline' policy, leading them to incorrectly think NET_ADMIN is forbidden.

How to eliminate wrong answers

Option A is wrong because baseline does not require dropping ALL capabilities first; it only restricts a specific set of capabilities (e.g., CAP_SYS_ADMIN, CAP_NET_RAW) but allows others like NET_ADMIN. Option B is wrong because while the pod does drop ALL and then add NET_ADMIN, the reason it is allowed is not simply because of that order but because NET_ADMIN is permitted by baseline. Option C is wrong because dropping ALL capabilities is not prohibited by baseline; in fact, dropping ALL is a common security hardening practice and is allowed.

701
MCQmedium

You need to preserve evidence (container logs) from a compromised pod before deleting it. Which command should you run first?

A.kubectl exec <pod> -- cat /var/log/*
B.kubectl cp <pod>:/var/log ./pod-logs
C.kubectl logs <pod> --tail=-1 > pod.log
D.kubectl delete pod <pod>
AnswerC

Why this answer

kubectl logs with --tail=-1 fetches all lines from the logs.

702
Multi-Selectmedium

Which TWO of the following are recommended practices for etcd security?

Select 2 answers
A.Use anonymous authentication for etcd
B.Disable TLS for performance
C.Restrict etcd access to only the API server and kubelets using firewall rules
D.Expose etcd on a public IP for monitoring
E.Enable TLS client certificate authentication
AnswersC, E

Network restrictions limit which hosts can connect to etcd.

Why this answer

Option C is correct because etcd stores sensitive cluster data (secrets, config maps, state). Restricting network access to only the API server and kubelets via firewall rules (e.g., iptables or cloud security groups) minimizes the attack surface and prevents unauthorized nodes or external actors from reaching the etcd data store. This aligns with the principle of least privilege for control plane components.

Exam trap

CNCF often tests the misconception that disabling TLS or exposing etcd is acceptable for monitoring or performance, when in reality etcd must always be isolated and encrypted to protect the cluster's root of trust.

703
MCQmedium

You run 'kubectl auth can-i create pods --as=system:serviceaccount:default:sa1 -n default' and get 'no'. What does this mean?

A.The command is invalid because 'system:serviceaccount' is not a valid user
B.The service account 'sa1' does not exist
C.The service account 'sa1' does not have permission to create pods in the default namespace
D.The service account 'sa1' is not allowed to perform any actions
AnswerC

The kubectl auth can-i command checks whether a user or service account can perform an action. 'no' means insufficient permissions.

Why this answer

kubectl auth can-i is used to verify if a user (including service accounts) has permission to perform a specific action. A 'no' response indicates that the action is denied by RBAC.

704
MCQmedium

During a CI/CD pipeline, you run 'trivy image myapp:latest' and get a high number of vulnerabilities. What is the BEST action to reduce the vulnerability count?

A.Increase CPU and memory limits for the container
B.Switch to a distroless base image
C.Sign the image with Cosign
D.Remove all environment variables from the Dockerfile
AnswerB

Distroless images have fewer components, reducing the attack surface and vulnerability count.

Why this answer

Option A is correct. Using a minimal base image like distroless or alpine reduces the number of packages and thus vulnerabilities. Option B is about secrets.

Option C is about resources. Option D is about signing, not vulnerability reduction.

705
MCQeasy

Which kubectl command is used to check the AppArmor status on a Kubernetes node?

A.kubectl describe node <node> | grep AppArmor
B.kubectl get apparmor
C.kubectl node-shell <node> -- aa-status
D.kubectl exec <pod> -- aa-status
AnswerC

Using 'kubectl node-shell' (or similar) to run 'aa-status' on the node is correct.

Why this answer

Option C is correct because `kubectl node-shell` provides a shell into the node's filesystem, allowing you to run `aa-status` directly on the node to check the AppArmor status. This is the standard method to verify AppArmor profiles and their enforcement state on a Kubernetes node, as AppArmor operates at the host kernel level and is not managed via the Kubernetes API.

Exam trap

The trap here is that candidates assume AppArmor status can be checked via standard Kubernetes API commands like `kubectl describe node` or `kubectl get`, when in reality it requires direct node-level access because AppArmor is a host-level security mechanism not abstracted by the Kubernetes API.

How to eliminate wrong answers

Option A is wrong because `kubectl describe node <node> | grep AppArmor` only shows the AppArmor annotations on the node object (like whether a pod requests a profile), not the actual AppArmor status or loaded profiles on the node. Option B is wrong because `kubectl get apparmor` is not a valid kubectl command; AppArmor is not a Kubernetes resource and cannot be queried via the API. Option D is wrong because `kubectl exec <pod> -- aa-status` runs the command inside a container, which typically lacks the necessary privileges and access to the host's AppArmor subsystem; `aa-status` must be executed on the node itself.

706
Multi-Selectmedium

During a security audit, you discover that a container running as root inside a pod has been compromised. The pod uses the default service account. Which two measures should you implement to harden the cluster? (Select TWO)

Select 2 answers
A.Apply a PodSecurityPolicy that restricts containers from running as root.
B.Create a new service account with no roles bound and assign it to the pod.
C.Edit the default service account to set automountServiceAccountToken: false.
D.Set automountServiceAccountToken: false in the pod spec.
E.Add securityContext: runAsNonRoot: true to the pod spec.
AnswersC, E

Prevents automatic mounting of the default SA token in pods that do not specify a service account.

Why this answer

Option C is correct because setting `automountServiceAccountToken: false` on the default service account prevents any pod that uses it from automatically mounting the service account token. This reduces the attack surface: if a container is compromised, the attacker cannot use the token to authenticate to the Kubernetes API server. This is a fundamental hardening measure for service accounts that do not require API access.

Exam trap

CNCF often tests the distinction between disabling token mounting at the service account level versus the pod spec level, and candidates may incorrectly think that creating a new service account with no roles is sufficient, overlooking that the token itself is still mounted and could be used for reconnaissance or privilege escalation even without bound roles.

707
MCQhard

An administrator wants to enable Kubernetes audit logging with the following requirements: log all requests at the Metadata level, but log all responses at the Request level. Which audit policy configuration achieves this?

A.Set default level to Metadata and use a dynamic level based on request size
B.Use the --audit-log-maxbackup flag to adjust levels
C.Set default level to Metadata and use a rule with level: Request for specific resources
D.Use separate rules with 'stages: ["RequestReceived"]' level Metadata, and 'stages: ["ResponseComplete"]' level Request
AnswerD

Correct: stages allow different levels per request vs response.

Why this answer

Audit policies are defined with a 'level' per rule or default. To have different levels for requests and responses, you must use different stages. Option B correctly sets the default stage for 'RequestReceived' to Metadata and for 'ResponseComplete' to Request.

708
Multi-Selecthard

Which THREE of the following are valid audit stages in Kubernetes audit logging? (Select THREE.)

Select 3 answers
A.ResponseStarted
B.RequestReceived
C.ResponseBuffered
D.RequestProcessing
E.ResponseComplete
AnswersA, B, E

Correct. Occurs when response headers are sent.

Why this answer

Audit stages are: RequestReceived, ResponseStarted, ResponseComplete, Panic. 'RequestProcessing' and 'ResponseBuffered' are not valid stages.

709
Multi-Selectmedium

Which TWO of the following are recommended CIS Kubernetes Benchmark controls for securing the kube-apiserver?

Select 2 answers
A.Enable insecure port 8080
B.Disable anonymous authentication
C.Set --authorization-mode to AlwaysAllow
D.Enable audit logging
E.Disable TLS
AnswersB, D

Correct. CIS recommends --anonymous-auth=false.

Why this answer

Option B is correct because the CIS Kubernetes Benchmark recommends disabling anonymous authentication to ensure that all requests to the kube-apiserver are authenticated. This prevents unauthenticated users from accessing the API server, which is a critical security control. Option D is correct because enabling audit logging is a recommended control to record all API requests, providing an audit trail for security monitoring and incident response.

Exam trap

CNCF often tests the misconception that disabling anonymous authentication is optional or that audit logging is only for compliance, but both are mandatory for a hardened control plane per the CIS Benchmark.

710
MCQhard

You want to detect any attempt to run a shell inside a container that is not running as root. Which Falco condition would you use?

A.evt.type=execve and proc.name in (bash, sh) and container.id != host and user.name != root
B.evt.type=execve and proc.aname in (bash, sh) and container.id != host and user.name != root
C.evt.type=execve and proc.name in (bash, sh) and container.id != host
D.evt.type=execve and proc.name in (bash, sh) and container.id != host and user.name = root
AnswerA

Correctly detects shell execution by non-root users in containers.

Why this answer

Option C checks for execve of bash or sh, with container.id != host, and user.name != root. Option A doesn't check user. Option B uses proc.aname=parent (parent process name) which is not standard.

Option D checks user.name=root, which is opposite.

711
MCQeasy

Which kubectl flag disables anonymous authentication on the API server?

A.--anonymous-enabled=false
B.--no-anonymous
C.--anonymous-auth=false
D.--disable-anonymous
AnswerC

Correct flag to disable anonymous authentication.

Why this answer

Option C is correct because the kube-apiserver uses the `--anonymous-auth` flag to control whether anonymous requests are allowed. Setting `--anonymous-auth=false` disables anonymous authentication, meaning the API server will reject requests that do not present valid credentials. This is a critical hardening step to ensure only authenticated users can access the cluster.

Exam trap

The trap here is that candidates may confuse the `--anonymous-auth` flag with other authentication-related flags or invent plausible-sounding flag names like `--disable-anonymous`, while the actual flag uses the `--<setting>-auth` naming convention with a boolean value.

How to eliminate wrong answers

Option A is wrong because `--anonymous-enabled=false` is not a valid kube-apiserver flag; the correct flag is `--anonymous-auth`. Option B is wrong because `--no-anonymous` is not a recognized flag; the kube-apiserver uses boolean flags like `--anonymous-auth` rather than negated prefixes. Option D is wrong because `--disable-anonymous` is not a valid flag; the API server uses `--anonymous-auth` with a boolean value to control anonymous access.

712
Matchingmedium

Match each Kubernetes security tool or feature to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Checks whether Kubernetes is deployed securely according to CIS benchmarks

Penetration testing tool for Kubernetes clusters

Policy engine for enforcing custom policies on Kubernetes resources

Runtime security monitoring tool that detects abnormal behavior

Vulnerability scanner for container images, filesystems, and Git repos

Why these pairings

These tools are widely used in the Kubernetes security ecosystem.

713
MCQmedium

You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the RequestResponse level. Which audit policy rule would achieve this?

A.- level: Metadata resources: - group: "" resources: ["secrets"]
B.- level: RequestResponse resources: - group: "" resources: ["secrets"]
C.- level: RequestResponse resources: - group: "" resources: ["pods"]
D.- level: Request resources: - group: "" resources: ["secrets"]
AnswerB

Correct. This rule matches all API groups (empty string) and the secrets resource, logging at RequestResponse level.

Why this answer

An audit policy rule with resources: groups: [""]; resources: ["secrets"]; level: RequestResponse will log all requests to secrets at the RequestResponse level (metadata + request + response).

714
MCQeasy

Which of the following host access settings should be disabled to reduce the attack surface of a container?

A.hostNetwork: true
B.hostPID: true
C.hostIPC: true
D.hostPID: false
AnswerD

Setting hostPID to false disables access to host processes, reducing attack surface.

Why this answer

Option D is correct because setting `hostPID: false` explicitly disables the container's access to the host's process ID namespace, which reduces the attack surface by preventing the container from seeing or interacting with host processes. In Kubernetes, when `hostPID` is set to `true`, the container shares the host's PID namespace, allowing it to potentially escalate privileges or interfere with other workloads. Disabling this setting (i.e., `false`) is a recommended security best practice to enforce process isolation.

Exam trap

The trap here is that candidates often confuse the boolean value that should be set to disable the feature (i.e., `false`) with the dangerous setting itself (i.e., `true`), so they might incorrectly select `hostPID: true` as the answer to disable, when the question explicitly asks for the disabled setting.

How to eliminate wrong answers

Option A is wrong because `hostNetwork: true` enables the container to use the host's network stack directly, bypassing network isolation and exposing the container to host network attacks, but the question asks for a setting that should be disabled to reduce the attack surface, and `hostNetwork: true` is a dangerous setting that should be disabled (set to false), not enabled. Option B is wrong because `hostPID: true` is the dangerous setting that should be disabled; the question asks for the disabled setting, and `hostPID: true` is the enabled state, not the disabled one. Option C is wrong because `hostIPC: true` allows the container to use the host's inter-process communication (IPC) namespace, which can lead to shared memory attacks or information leakage, but again, the question asks for the disabled setting, and `hostIPC: true` is the enabled state that should be disabled.

715
MCQhard

You deploy the Kubernetes Dashboard using the official YAML manifests. Which of the following is the MOST secure approach to expose the Dashboard?

A.Use 'kubectl proxy' to access it locally
B.Create a NodePort Service to expose it on a port
C.Expose it with a LoadBalancer Service
D.Use an Ingress with a public DNS
AnswerA

This method uses your existing kubectl authentication and does not expose the Dashboard to the network.

Why this answer

The most secure approach is to use 'kubectl proxy' because it creates a local HTTP proxy between your workstation and the Kubernetes API server, authenticating your requests using your kubeconfig credentials. This ensures the Dashboard is never exposed to the network, eliminating any attack surface from external or internal cluster access. All traffic is tunneled through the API server, which enforces RBAC and audit logging.

Exam trap

CNCF often tests the misconception that exposing the Dashboard via a Service (NodePort, LoadBalancer, or Ingress) is acceptable if TLS is enabled, but the trap is that any network exposure increases the attack surface and violates the principle of least privilege, whereas 'kubectl proxy' provides no network exposure at all.

How to eliminate wrong answers

Option B is wrong because a NodePort Service exposes the Dashboard on a static port on every node's IP address, making it accessible from within the cluster network and potentially from outside if network policies are misconfigured, violating the principle of least exposure. Option C is wrong because a LoadBalancer Service provisions a public-facing cloud load balancer, directly exposing the Dashboard to the internet or broader network, which is unnecessary and increases the attack surface significantly. Option D is wrong because using an Ingress with a public DNS exposes the Dashboard via a hostname, often terminating TLS at the ingress controller, but still making the service reachable from outside the cluster and requiring additional security controls like authentication and network policies that are easy to misconfigure.

716
MCQmedium

A security engineer runs 'kubesec scan deployment.yaml' and receives a score of -1. What does this score indicate?

A.The deployment passed all security checks
B.The deployment is not secure and needs immediate attention
C.The scan failed due to an error or invalid YAML
D.The deployment has critical vulnerabilities
AnswerC

Kubesec returns -1 when the file cannot be parsed or scanned correctly.

Why this answer

Kubesec uses a scoring system where -1 indicates a failed scan due to an error or misconfiguration in the file.

717
MCQhard

You are writing a Falco rule to detect privilege escalation via setuid binaries. Which syscall should the rule monitor?

A.open
B.execve
C.connect
D.setuid
AnswerD

Correct. The setuid syscall is used to set the user ID of the current process, which can escalate privileges.

Why this answer

setuid and setgid syscalls are used to change user/group identity, which can be used for privilege escalation. Falco can monitor these syscalls to detect unauthorized attempts.

718
Drag & Dropmedium

Order the steps to perform a Kubernetes cluster upgrade from version 1.24 to 1.25.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Upgrade involves upgrading kubeadm, draining, applying upgrade, upgrading worker nodes, and verifying.

719
MCQmedium

You are configuring etcd encryption at rest. After placing the EncryptionConfiguration YAML file, you must modify which file to point the API server to it?

A./etc/kubernetes/manifests/kube-apiserver.yaml
B./etc/kubernetes/admin.conf
C./etc/kubernetes/pki/etcd/ca.crt
D./etc/kubernetes/kubelet.conf
AnswerA

Correct file to modify for API server flags.

Why this answer

Option A is correct because the API server is deployed as a static pod in a typical Kubernetes cluster, with its manifest located at /etc/kubernetes/manifests/kube-apiserver.yaml. To enable encryption at rest, you must add the `--encryption-provider-config` flag to this manifest, pointing to the EncryptionConfiguration YAML file. The kubelet automatically detects the change and restarts the API server pod to apply the new encryption configuration.

Exam trap

CNCF often tests the distinction between static pod manifests and kubeconfig files; the trap here is that candidates may confuse /etc/kubernetes/admin.conf or /etc/kubernetes/kubelet.conf with the API server's configuration, thinking they need to modify a kubeconfig file instead of the static pod manifest.

How to eliminate wrong answers

Option B is wrong because /etc/kubernetes/admin.conf is the kubeconfig file used by kubectl and administrators for cluster authentication and authorization, not a configuration file for the API server itself. Option C is wrong because /etc/kubernetes/pki/etcd/ca.crt is the CA certificate for etcd, used for TLS communication between etcd members and clients; it has no role in configuring API server encryption at rest. Option D is wrong because /etc/kubernetes/kubelet.conf is the kubeconfig file for the kubelet to authenticate to the API server, not a file that controls API server encryption settings.

720
MCQmedium

Which admission plugin should be enabled on the kube-apiserver to restrict kubelet permissions and prevent nodes from modifying their own Node objects?

A.ServiceAccount
B.AlwaysPullImages
C.NodeRestriction
D.PodSecurityPolicy
AnswerC

The NodeRestriction admission plugin limits the kubelet to only modify its own Node object and pods bound to it.

Why this answer

The NodeRestriction admission plugin limits the kubelet's permissions to only modify labels, annotations, and status on its own Node object, preventing a compromised or misconfigured node from altering other Node objects or escalating privileges. This is a critical hardening measure for cluster setup, as it enforces the principle of least privilege on kubelet API access.

Exam trap

The trap here is that candidates often confuse admission plugins that restrict pod behavior (like PodSecurityPolicy or AlwaysPullImages) with those that restrict node/kubelet behavior, leading them to pick a security-focused but irrelevant option for this specific kubelet permission control question.

How to eliminate wrong answers

Option A (ServiceAccount) is wrong because it automates the creation of service account tokens and mounts them into pods, but it does not restrict kubelet permissions or prevent node object modifications. Option B (AlwaysPullImages) is wrong because it forces every pod to pull images from the registry on each start, which addresses image freshness and security but has no effect on kubelet authorization or node object mutations. Option D (PodSecurityPolicy) is wrong because it enforces security constraints on pod specifications (e.g., privileged containers, host namespaces) but does not control kubelet-level access to the Node API; it was also deprecated in Kubernetes v1.21 and removed in v1.25.

721
MCQmedium

A container has been compromised. You need to isolate it by denying all network traffic. Which NetworkPolicy manifest achieves this?

A.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: compromised ingress: [] egress: []
B.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: compromised policyTypes: - Ingress ingress: - from: - podSelector: {}
C.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: compromised policyTypes: - Egress egress: - to: - podSelector: {}
D.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: compromised policyTypes: - Ingress - Egress
AnswerA, D

Empty ingress and egress arrays block all traffic when policyTypes includes both.

Why this answer

A NetworkPolicy with podSelector matching the pod and no ingress or egress rules blocks all traffic by default when policyIsolation is enabled (which is the default).

722
Multi-Selectmedium

Which TWO of the following are valid audit stages in Kubernetes audit logging?

Select 2 answers
A.ResponseStarted
B.ResponseDelay
C.ResponseComplete
D.RequestProcessing
E.RequestReceived
AnswersA, E

Correct: This is a valid stage.

Why this answer

Valid audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. Option D (RequestProcessing) is not a valid stage. Option E (ResponseDelay) is not.

723
MCQmedium

You are using `crictl` to debug a container that is not responding. Which command should you use to get the list of running containers?

A.crictl pods
B.crictl ps
C.crictl images
D.crictl stats
AnswerB

crictl ps lists containers (including running, paused, exited).

Why this answer

`crictl ps` lists containers, similar to `docker ps`. `crictl pods` lists pods (sandboxes). `crictl images` lists images. `crictl stats` displays resource usage.

724
MCQeasy

Which flag on the kubelet helps ensure it runs securely by enforcing kernel defaults?

A.--read-only-port=0
B.--security-context
C.--protect-kernel-defaults
D.--kernel-security
AnswerC

The --protect-kernel-defaults flag ensures the kubelet enforces kernel security settings.

Why this answer

The `--protect-kernel-defaults` flag on the kubelet ensures that the node's kernel parameters are set to secure defaults, preventing container escapes or privilege escalations that could exploit weak kernel settings. This flag enforces the kubelet's built-in kernel validator, which checks that critical sysctls (e.g., `net.ipv4.ip_forward`, `kernel.panic`) are set to safe values, and fails to start if they are not. It is a key hardening measure for cluster nodes, directly addressing kernel-level security.

Exam trap

CNCF often tests the distinction between kubelet flags that control network ports (like `--read-only-port`) and those that enforce kernel-level security, leading candidates to confuse `--protect-kernel-defaults` with non-existent or unrelated flags such as `--kernel-security` or `--security-context`.

How to eliminate wrong answers

Option A is wrong because `--read-only-port=0` disables the read-only port (10255) on the kubelet, which prevents unauthenticated access to node metrics, but it does not enforce kernel defaults. Option B is wrong because `--security-context` is not a valid kubelet flag; security contexts are configured at the Pod or container level via the Kubernetes API, not on the kubelet itself. Option D is wrong because `--kernel-security` is not a recognized kubelet flag; the correct flag for enforcing kernel defaults is `--protect-kernel-defaults`.

725
Multi-Selectmedium

Which TWO of the following are valid methods to securely manage secrets in Kubernetes? (Select 2)

Select 2 answers
A.Use an external secrets manager like HashiCorp Vault with a CSI driver or operator
B.Store secrets directly in container images as files
C.Mount secrets as volumes using projected volumes or secret volumes
D.Store secrets in ConfigMaps
E.Pass secrets as environment variables from a Secret resource
AnswersA, C

External managers provide rotation and access control.

Why this answer

Mounting secrets as volumes (option A) is secure because the secret is not exposed in environment variables or command arguments. Using external secret managers like Vault (option C) is a best practice for centralized secret management. Option B (env vars) is insecure as secrets can be leaked in process listings.

Option D (hardcoded in images) is insecure. Option E (ConfigMaps) is for non-sensitive data.

726
MCQhard

A security auditor requires that all container images used in the cluster are scanned for vulnerabilities before deployment. The team uses a private registry with image signing. Which solution enforces that only signed and scanned images are deployed?

A.Use Cosign to sign images and deploy a webhook that verifies signatures.
B.Run Trivy in a CronJob to scan images and update a ConfigMap with allowed images.
C.Use OPA Gatekeeper to verify that the image comes from the private registry.
D.Enable Binary Authorization on the cluster to enforce image attestation.
AnswerA

Cosign admission controller can enforce signature verification at pod creation.

Why this answer

Cosign is a tool for signing container images, and deploying a validating webhook (e.g., the cosigned admission controller) enforces that only images with valid signatures are admitted. This directly meets the requirement to deploy only signed and scanned images, as the webhook verifies the signature before the pod is created.

Exam trap

CNCF often tests the distinction between admission-time enforcement (webhooks) and post-deployment scanning (CronJobs), and the trap here is that candidates confuse scanning with enforcement, or assume Binary Authorization is a generic Kubernetes feature when it is actually GKE-specific.

How to eliminate wrong answers

Option B is wrong because a CronJob scanning images and updating a ConfigMap does not enforce admission-time control; it only provides a reactive list of allowed images, which can be bypassed or become stale. Option C is wrong because OPA Gatekeeper verifying the registry origin (e.g., checking the image path) does not verify image signatures or scan results; it only ensures the image comes from the private registry, not that it is signed or scanned. Option D is wrong because Binary Authorization is a Google Cloud-specific service (GKE) and is not a generic Kubernetes-native solution; it is not available in a standard CKS cluster environment.

727
Multi-Selectmedium

Which TWO of the following are valid methods to supply a Kubernetes manifest to kubesec for static analysis?

Select 2 answers
A.cat deploy.yaml | kubesec scan /dev/stdin
B.kubectl apply -f deploy.yaml | kubesec scan
C.kubectl get deployment myapp -o yaml | kubesec scan
D.kubesec scan deploy.yaml
E.kubesec curl https://example.com/deploy.yaml
AnswersA, D

kubesec can read from stdin.

Why this answer

Correct answers: B and D. kubesec can analyze YAML from stdin or a file. Option A (curl) is not a kubesec command. Option C (kubectl apply) is for deployment.

Option E (kubectl get) retrieves manifests but is not direct input to kubesec; you would pipe it.

728
MCQeasy

Which RBAC resource should be used to grant cluster-wide permissions to a user?

A.Role
B.RoleBinding
C.ClusterRole
D.ClusterRoleBinding
AnswerD

ClusterRoleBinding grants ClusterRole permissions cluster-wide.

Why this answer

ClusterRoleBinding is the correct resource because it binds a ClusterRole (which defines cluster-wide permissions) to a user, granting permissions across all namespaces. A ClusterRole itself only defines the rules; the binding is what actually grants those permissions to a specific subject. Therefore, to grant cluster-wide permissions to a user, you need a ClusterRoleBinding referencing a ClusterRole.

Exam trap

The trap here is that candidates often confuse a ClusterRole (which only defines rules) with a ClusterRoleBinding (which actually grants those rules to a subject), leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because a Role is namespaced and can only grant permissions within a single namespace, not cluster-wide. Option B is wrong because a RoleBinding binds a Role (or ClusterRole) to a user but only within a specific namespace, so it cannot grant cluster-wide permissions. Option C is wrong because a ClusterRole only defines the set of permissions (rules) but does not grant them to any user; a binding is required to actually assign those permissions.

729
MCQmedium

Which kubectl command signs a container image using Cosign?

A.crictl sign myimage:latest
B.kubectl sign image myimage:latest
C.cosign sign myimage:latest
D.kubectl cosign sign myimage:latest
AnswerC

Cosign's sign command signs a container image.

Why this answer

Cosign is a standalone CLI tool, not a kubectl command. Option B correctly uses the cosign binary.

730
MCQmedium

You need to enforce that no pod runs with privileged containers or runs as root. Which tool can define policies that block such pods at admission time?

A.Kubernetes Secret
B.PodDisruptionBudget
C.OPA Gatekeeper
D.NetworkPolicy
AnswerC

OPA Gatekeeper is an admission webhook that enforces policies, including security policies.

Why this answer

OPA Gatekeeper allows enforcing custom policies via ConstraintTemplates and Constraints. It can deny pods that violate the policies.

731
MCQeasy

You need to ensure that all pods in a cluster run with read-only root filesystems. Which Pod Security Standard (PSS) control field should be set to true?

A.spec.readOnlyRootFilesystem
B.securityContext.privileged: false
C.container.readOnly
D.securityContext.readOnlyRootFilesystem
AnswerD

Correct. Setting this field to true enforces a read-only root filesystem for the container.

Why this answer

The 'readOnlyRootFilesystem' field in the security context of a container, when set to true, ensures the root filesystem is read-only. This is a common security hardening measure.

732
MCQhard

A cluster administrator wants to ensure that a specific service account (my-sa) cannot have its token mounted automatically in pods. Which annotation should be set on the service account?

A.automountServiceAccountToken: "false"
B.automountServiceAccountToken: false
C.mount-token: "false"
D.kubernetes.io/enforce-mountable-secrets: "true"
AnswerD

This annotation on a service account prevents automatic mounting of its token in pods.

Why this answer

Option D is correct because the annotation `kubernetes.io/enforce-mountable-secrets: "true"` on a service account prevents pods that use that service account from automatically mounting its token. This annotation enforces that the token is only mounted if explicitly requested via `automountServiceAccountToken: true` in the pod spec or service account. It is a Kubernetes-specific annotation that directly controls token mounting behavior at the service account level.

Exam trap

CNCF often tests the distinction between annotations and spec fields, so the trap here is that candidates confuse the `automountServiceAccountToken` field (which can be set in the service account spec) with an annotation, leading them to pick option A or B instead of the correct annotation-based solution.

How to eliminate wrong answers

Option A is wrong because `automountServiceAccountToken: "false"` is not a valid annotation; it is a field in the pod spec or service account spec, not an annotation. Option B is wrong because `automountServiceAccountToken: false` is a field (not an annotation) that can be set in the service account spec to disable automatic token mounting, but the question explicitly asks for an annotation. Option C is wrong because `mount-token: "false"` is not a recognized Kubernetes annotation or field; it is a fabricated key that does not exist in the Kubernetes API.

733
MCQmedium

A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would detect this syscall?

A.evt.type in (open, openat) and fd.name=/etc/shadow
B.evt.type=read and fd.name=/etc/shadow
C.evt.type=open and fd.name contains /etc/shadow
D.proc.name=cat and fd.name=/etc/shadow
AnswerA

Correct: open/openat syscall with exact match on shadow file.

Why this answer

Falco uses the 'open' or 'openat' syscall with the 'fd.name' field to check file paths. Option C correctly checks for open and openat syscalls and matches the filename.

734
Multi-Selecteasy

Which THREE of the following are best practices for writing Dockerfiles?

Select 3 answers
A.Minimize the number of layers
B.Use the 'latest' tag for base images
C.Use specific tags or digests for base images
D.Install all packages that might be needed for debugging
E.Run containers as a non-root user
AnswersA, C, E

Fewer layers reduce image size and attack surface.

Why this answer

Using specific base image tags, running as non-root, and minimizing layers are best practices. Using latest tag and installing unnecessary packages are not.

735
MCQhard

A ClusterRoleBinding named 'admin-binding' binds the cluster-admin ClusterRole to a service account 'sa-admin' in namespace 'ns1'. What is the security concern?

A.The service account 'sa-admin' can access resources in all namespaces
B.ClusterRoleBinding should be replaced by RoleBinding for cluster-scoped resources
C.The service account token is automatically mounted
D.ClusterRoleBinding should not be used for service accounts
AnswerA

cluster-admin grants unrestricted access across the entire cluster.

Why this answer

A ClusterRoleBinding grants permissions cluster-wide, meaning the service account 'sa-admin' in namespace 'ns1' can access resources in all namespaces, not just its own. This violates the principle of least privilege by providing excessive access beyond the intended scope.

Exam trap

The trap here is that candidates may overlook that a ClusterRoleBinding grants permissions across all namespaces, focusing instead on the service account's namespace or token mounting, rather than the scope of the binding.

How to eliminate wrong answers

Option B is wrong because ClusterRoleBinding is specifically designed for cluster-scoped resources, not RoleBinding; RoleBinding is for namespace-scoped resources. Option C is wrong because automatic token mounting is a separate concern about pod security, not a direct security issue of the binding itself. Option D is wrong because ClusterRoleBinding can and should be used for service accounts when cluster-wide access is required, but the concern here is the unnecessary scope of access.

736
Multi-Selectmedium

Which TWO kubelet flags are recommended by the CIS Kubernetes Benchmark to enhance security? (Select TWO)

Select 2 answers
A.--anonymous-auth=false
B.--authentication-token-webhook=false
C.--read-only-port=10255
D.--protect-kernel-defaults=true
E.--authorization-mode=AlwaysAllow
AnswersA, D

Disables anonymous access to the kubelet.

Why this answer

Option A is correct because setting --anonymous-auth=false disables anonymous requests to the kubelet API, which is a CIS Benchmark recommendation to prevent unauthenticated access. Option D is correct because --protect-kernel-defaults=true ensures the kubelet checks and enforces kernel hardening parameters (e.g., sysctl settings) at startup, reducing the attack surface.

Exam trap

CNCF often tests the distinction between authentication and authorization flags, tricking candidates into thinking that disabling webhook authentication (--authentication-token-webhook=false) is secure, when in fact it removes a key validation layer.

737
MCQmedium

You need to configure Kubernetes audit logging to log all requests to the 'secrets' API. Which audit policy level captures the body of the request?

A.Request
B.None
C.RequestResponse
D.Metadata
AnswerC

Why this answer

RequestResponse logs request metadata and the request and response body.

738
MCQmedium

You are tasked with ensuring that all container images in your cluster are scanned for vulnerabilities before being deployed. You have set up Trivy in your CI/CD pipeline and want to enforce that only images with no critical vulnerabilities are allowed. Which admission controller should you configure to reject pods using non-compliant images?

A.ImagePolicyWebhook
B.ValidatingAdmissionWebhook
C.PodSecurityPolicy (PSP)
D.ResourceQuota
AnswerA

ImagePolicyWebhook is the admission controller designed to intercept image-related requests and can be configured to reject images based on external scanning results.

Why this answer

Option C is correct. ImagePolicyWebhook is a Kubernetes admission controller that can be configured to call an external webhook to validate container images. It can reject pods based on policies such as vulnerability scan results.

Other options are not designed for this purpose.

739
MCQhard

After deploying a pod with an AppArmor profile, the pod status shows 'ContainerCreating' for a long time and then fails. What is the most likely cause?

A.The AppArmor profile is not in the same namespace as the pod
B.The AppArmor profile is not loaded on the node
C.The pod's securityContext does not have 'apparmor: enabled'
D.The node does not support AppArmor
AnswerB

The container runtime checks for the profile; if missing, it fails to start.

Why this answer

If the AppArmor profile specified in the annotation is not loaded on the node, the container runtime will fail to start the container. Option A is correct. Option B is incorrect because the profile does not need to be in the same namespace.

Option C is incorrect because AppArmor profiles do not require a specific security context setting beyond the annotation. Option D is incorrect because the node must have AppArmor enabled.

740
MCQhard

An administrator wants to enable encryption at rest for secrets in a Kubernetes cluster. They create the following EncryptionConfiguration and place it at /etc/kubernetes/enc/enc.yaml. Which flag must be added to the kube-apiserver to use this configuration?

A.--feature-gates=EncryptionAtRest=true
B.--enable-encryption
C.--encryption-config=/etc/kubernetes/enc/enc.yaml
D.--encryption-provider-config=/etc/kubernetes/enc/enc.yaml
AnswerD

This is the correct flag to enable encryption at rest.

Why this answer

Option D is correct because the kube-apiserver requires the `--encryption-provider-config` flag to specify the path to the EncryptionConfiguration YAML file. This flag tells the API server which encryption providers (e.g., `aescbc`, `secretbox`) to use for encrypting secrets at rest in etcd. Without this flag, the EncryptionConfiguration file is ignored and secrets remain unencrypted.

Exam trap

The trap here is that candidates may confuse the flag name `--encryption-provider-config` with the similar-sounding but incorrect `--encryption-config`, or assume a feature gate or generic enable flag is sufficient without providing the configuration file path.

How to eliminate wrong answers

Option A is wrong because `--feature-gates=EncryptionAtRest=true` is not a valid flag; encryption at rest is enabled via the `--encryption-provider-config` flag, not a feature gate. Option B is wrong because `--enable-encryption` does not exist as a kube-apiserver flag; the correct flag requires specifying the configuration file path. Option C is wrong because `--encryption-config` is not a recognized flag; the correct flag name is `--encryption-provider-config`.

741
MCQeasy

Which Kubernetes resource should be used to restrict egress traffic from pods?

A.NetworkPolicy with egress rules
B.PodSecurityPolicy
C.iptables rules on nodes
D.NetworkPolicy with ingress rules
AnswerA

Directly restricts egress.

Why this answer

NetworkPolicy with egress rules is the correct Kubernetes-native resource to restrict outbound traffic from pods. It uses label selectors, IP blocks, and port specifications to define which external destinations pods can reach, enforcing zero-trust network segmentation at the pod level.

Exam trap

The trap here is that candidates confuse egress (outbound) with ingress (inbound) rules, or assume PodSecurityPolicy can restrict network traffic, when it only governs pod security contexts like privileged mode and host namespaces.

How to eliminate wrong answers

Option B is wrong because PodSecurityPolicy (deprecated in Kubernetes 1.21 and removed in 1.25) controls security contexts and pod-level privileges, not network traffic direction. Option C is wrong because iptables rules on nodes are a low-level, node-centric approach that bypasses Kubernetes API management, lacks pod identity awareness, and is not a declarative Kubernetes resource. Option D is wrong because NetworkPolicy with ingress rules only controls incoming traffic to pods, not outgoing egress traffic.

742
MCQmedium

A Falco rule has the following output: 'Sensitive file opened for reading (user=root command=cat /etc/shadow)'. Which macro is most likely used in the rule condition?

A.shell_procs
B.outbound
C.binaries
D.sensitive_file_names
AnswerD

Correct. This macro is defined in Falco's default rules to detect access to sensitive files.

Why this answer

Falco has a macro called 'sensitive_file_names' that includes files like /etc/shadow, /etc/passwd, etc. The rule likely uses that macro to match on open syscalls targeting those files.

743
MCQhard

A security engineer wants to ensure that all container images in a Kubernetes cluster have a non-root user. Which admission controller can enforce this requirement?

A.ServiceAccount
B.PodSecurityPolicy (deprecated)
C.NodeRestriction
D.Kyverno
AnswerD

Kyverno can enforce policies like requiring runAsNonRoot: true.

Why this answer

Kyverno can validate pod security contexts to ensure runAsNonRoot is set. Option D is correct.

744
Multi-Selectmedium

Which TWO actions would help secure the Kubernetes Dashboard?

Select 2 answers
A.Restrict access to the Dashboard using NetworkPolicies or authentication
B.Use minimal RBAC permissions for Dashboard service account
C.Deploy Dashboard in the kube-system namespace
D.Bind Dashboard service account to cluster-admin
E.Expose Dashboard via NodePort for easy access
AnswersA, B

Network policies and strong authentication help secure the Dashboard.

Why this answer

Option A is correct because Kubernetes NetworkPolicies can restrict ingress traffic to the Dashboard pod, ensuring only authorized sources can reach it. Additionally, enabling authentication (e.g., using the built-in token-based login or OIDC) prevents unauthenticated access, which is critical since the Dashboard has powerful cluster management capabilities.

Exam trap

CNCF often tests the misconception that placing a component in the kube-system namespace or using NodePort is acceptable for 'convenience,' but the CKS exam emphasizes that security controls like NetworkPolicies and minimal RBAC are mandatory, not optional.

745
Multi-Selecthard

Which THREE of the following are valid encryption providers that can be used in EncryptionConfiguration for encryption at rest?

Select 3 answers
A.aescbc
B.kms
C.aesgcm
D.rsa
E.secretbox
AnswersA, B, E

AES-CBC is a valid encryption provider.

Why this answer

Option A (aescbc) is correct because AES-CBC is a symmetric encryption algorithm that Kubernetes supports natively in EncryptionConfiguration for encrypting Secrets at rest. It uses a 32-byte key for AES-256 encryption and is the most commonly used provider for this purpose.

Exam trap

CNCF often tests that candidates confuse AES-GCM (which is not supported) with AES-CBC (which is supported), or assume RSA (asymmetric) can be used for at-rest encryption when Kubernetes only supports symmetric or KMS-based providers.

746
Multi-Selectmedium

Which TWO of the following are benefits of using an SBOM (Software Bill of Materials) in supply chain security?

Select 2 answers
A.It allows for faster image pulls
B.It helps in identifying known vulnerabilities in dependencies
C.It ensures license compliance by tracking open source components
D.It reduces the size of the container image
E.It automatically patches vulnerabilities
AnswersB, C

By listing components, you can cross-reference with vulnerability databases.

Why this answer

An SBOM provides a list of all components in a software artifact, which helps in identifying vulnerabilities and ensuring license compliance.

747
Multi-Selectmedium

Which TWO of the following are valid AppArmor profile modes? (Select two.)

Select 2 answers
A.kill
B.complain
C.enforce
D.audit
E.permissive
AnswersB, C

Complain mode logs violations but does not enforce.

Why this answer

AppArmor has two primary profile modes: 'complain' (also known as 'learning' mode) and 'enforce' (also known as 'confined' mode). In complain mode, policy violations are logged but not blocked, allowing administrators to test profiles. In enforce mode, violations are both logged and blocked, actively enforcing the security policy.

Exam trap

CNCF often tests the distinction between AppArmor and SELinux modes, so the trap here is that candidates confuse SELinux's 'permissive' and 'enforcing' modes with AppArmor's 'complain' and 'enforce' modes, or incorrectly assume 'audit' or 'kill' are valid AppArmor profile modes.

748
MCQhard

You have a Kyverno policy that validates image registries. The policy should allow only images from `myregistry.example.com`. Which Kyverno rule field should be used to check the image registry?

A.mutate
B.resources
C.imageRegistry
D.generate
AnswerC

imageRegistry is the correct field to define allowed image registries in a Kyverno rule.

Why this answer

The `imageRegistry` field in Kyverno allows you to specify a regular expression to match allowed image registries.

749
MCQmedium

A security scan report shows that a container image has several high-severity CVEs. The team wants to implement automated scanning in CI/CD pipeline. Which tool would you recommend for scanning container images in a CI pipeline?

A.Syft
B.Checkov
C.Kubesec
D.Trivy
AnswerD

Trivy scans container images for known vulnerabilities.

Why this answer

Trivy is a popular open-source vulnerability scanner for container images, filesystems, and Git repos. It can be easily integrated into CI/CD pipelines.

750
MCQeasy

Which admission plugin should be enabled to prevent kubelets from modifying nodes or pods they do not own?

A.AlwaysPullImages
B.PodSecurity
C.NodeRestriction
D.ServiceAccount
AnswerC

This plugin restricts kubelet permissions to only objects on its node.

Why this answer

The NodeRestriction admission plugin ensures that kubelets can only modify the Node and Pod objects they are assigned to. It enforces that a kubelet with a specific node identity can only label, taint, or update its own Node object and can only create/modify Pods that are bound to that node. This prevents a compromised or misconfigured kubelet from tampering with other nodes or pods in the cluster.

Exam trap

CNCF often tests the NodeRestriction plugin by pairing it with other admission controllers like AlwaysPullImages or PodSecurity, leading candidates to confuse security-focused plugins with node-level access control.

How to eliminate wrong answers

Option A is wrong because AlwaysPullImages forces every Pod to pull its image from the registry each time it starts, which addresses image freshness and prevents use of cached images, but does not restrict kubelet modifications to nodes or pods. Option B is wrong because PodSecurity (formerly PodSecurityPolicy) enforces security contexts and pod-level controls, but does not limit kubelet actions on node or pod objects. Option D is wrong because ServiceAccount controls how pods authenticate to the API server, but does not restrict a kubelet's ability to modify nodes or pods it does not own.

Page 9

Page 10 of 14

Page 11