Certified Kubernetes Security Specialist CKS (CKS) — Questions 826900

997 questions total · 14pages · All types, answers revealed

Page 11

Page 12 of 14

Page 13
826
MCQhard

A CI pipeline fails with the error 'cosign: error: unable to verify image: no matching signatures' when running 'cosign verify --key pubkey.pem myregistry/myapp:latest'. The image was previously signed with a private key. What is the MOST likely cause?

A.The public key is incorrect
B.The registry requires authentication
C.Cosign is not installed correctly
D.The image tag was overwritten without signing
AnswerD

Overwriting a tag with a new, unsigned image removes the previous signature.

Why this answer

If the image tag was overwritten (e.g., pushed again without signing), the old signatures are lost and the new image is unsigned.

827
Multi-Selectmedium

Which TWO of the following are valid audit stages in Kubernetes?

Select 2 answers
A.ResponseReceived
B.Panic
C.ResponseStarted
D.RequestReceived
E.RequestSent
AnswersC, D

ResponseStarted is a valid audit stage that occurs when the response headers are sent.

Why this answer

RequestReceived, ResponseStarted, ResponseComplete, and Panic are valid stages. RequestReceived and ResponseStarted are two of them. 'RequestSent' and 'ResponseReceived' are not standard stages.

828
MCQhard

A pod in namespace 'ns1' has automountServiceAccountToken: false. However, the container still has a mounted service account token at /var/run/secrets/kubernetes.io/serviceaccount. What is the most likely cause?

A.The automountServiceAccountToken field is set in the container spec instead of the pod spec
B.The kubelet is configured to always mount tokens
C.The namespace has a default automountServiceAccountToken: true
D.The pod is using a custom service account with automountServiceAccountToken: true
AnswerA

The field is a pod-level field; setting it at the container level has no effect.

Why this answer

The `automountServiceAccountToken` field is a pod-level setting. If it is set to `false` in the pod spec, the kubelet will not automatically mount the service account token. However, if the field is mistakenly set inside a container spec (which is not a valid field for containers), the pod-level setting is ignored, and the default behavior (mounting the token) applies.

This is why the token still appears mounted despite the intention to disable it.

Exam trap

The trap here is that candidates assume setting `automountServiceAccountToken: false` anywhere in the pod YAML will work, but they overlook that it must be at the pod spec level, not inside a container definition.

How to eliminate wrong answers

Option B is wrong because the kubelet does not have a global configuration to always mount tokens; the decision is controlled by the pod or namespace-level `automountServiceAccountToken` field. Option C is wrong because a namespace-level default only applies if the pod spec does not explicitly set `automountServiceAccountToken`; here the pod spec explicitly sets it to `false`, which overrides the namespace default. Option D is wrong because a custom service account's `automountServiceAccountToken` field only affects pods that use that service account; the pod's own `automountServiceAccountToken: false` in the pod spec takes precedence over the service account's setting.

829
MCQeasy

You need to enforce that all containers in a namespace run with a read-only root filesystem. Which OPA Gatekeeper resource would you use to define the policy?

A.Constraint
B.ValidatingWebhookConfiguration
C.ConstraintTemplate
D.ConfigMap
AnswerC

ConstraintTemplate defines the Rego logic (rules) for the policy.

830
MCQmedium

Which command is used to sign a container image with Cosign and store the signature in an OCI registry?

A.cosign docker-sign myimage:latest
B.cosign verify --key cosign.pub myimage:latest
C.cosign sign --key cosign.key myimage:latest
D.cosign attach signature --key cosign.key myimage:latest
AnswerC

Correct command to sign an image.

Why this answer

The 'cosign sign' command signs the image and pushes the signature to the registry.

831
MCQeasy

Which flag disables anonymous authentication on the Kubernetes API server?

A.--disable-anonymous-auth
B.--anonymous-auth=false
C.--anonymous-auth=true
D.--no-anonymous-auth
AnswerB

Correct flag to disable anonymous authentication.

Why this answer

Option B is correct because the `--anonymous-auth=false` flag explicitly disables anonymous authentication on the Kubernetes API server. By default, anonymous requests are allowed (equivalent to `--anonymous-auth=true`), so setting this flag to `false` prevents unauthenticated users from accessing the API server, which is a key hardening requirement for the CKS exam.

Exam trap

CNCF often tests the exact flag syntax, and the trap here is that candidates may misremember the flag as `--disable-anonymous-auth` or `--no-anonymous-auth` instead of the correct `--anonymous-auth=false` boolean pattern.

How to eliminate wrong answers

Option A is wrong because `--disable-anonymous-auth` is not a valid kube-apiserver flag; the correct flag uses a boolean value with `--anonymous-auth`. Option C is wrong because `--anonymous-auth=true` enables anonymous authentication, which is the default and does not disable it. Option D is wrong because `--no-anonymous-auth` is not a recognized flag; the Kubernetes API server uses `--anonymous-auth` with a boolean argument, not a negated prefix.

832
MCQmedium

A security admin wants to ensure that only images signed with a specific key can run in the cluster. Which admission controller should be enabled?

A.PodSecurityPolicy
B.MutatingAdmissionWebhook
C.ImagePolicyWebhook
D.ValidatingAdmissionWebhook
AnswerC

ImagePolicyWebhook allows an external webhook to validate images based on signatures.

Why this answer

ImagePolicyWebhook is the admission controller that can enforce policies based on image signatures. Option C is correct.

833
MCQeasy

Which flag is used when starting kube-apiserver to enable audit logging?

A.--audit-log-path
B.--audit-webhook-config-file
C.--feature-gates=Audit=true
D.--audit-policy-file
AnswerD

This flag is required to enable audit logging; it points to a YAML file defining the audit policy.

Why this answer

The --audit-policy-file flag specifies the path to the audit policy file, which is required to enable audit logging.

834
MCQeasy

Which of the following is a correct method to enable encryption at rest for secrets in etcd using the EncryptionConfiguration?

A.Use provider: aescbc
B.Use provider: encryption
C.Use provider: secretbox
D.Use provider: aesgcm
AnswerA

aescbc is a valid encryption provider for Kubernetes encryption at rest.

Why this answer

Option A is correct because `aescbc` (AES in Cipher Block Chaining mode) is the only provider listed that is officially supported by Kubernetes for encrypting secrets at rest in etcd. The EncryptionConfiguration resource allows you to specify `aescbc` as a provider, which encrypts data using a 32-byte key and is the recommended default for production clusters.

Exam trap

CNCF often tests the misconception that any encryption provider name like `encryption` or `aesgcm` is valid, but the trap here is that only `aescbc` is the correct and recommended provider for enabling encryption at rest in etcd, while `secretbox` and `aesgcm` are valid but not the intended correct answer in this context.

How to eliminate wrong answers

Option B is wrong because `encryption` is not a valid provider name in the Kubernetes EncryptionConfiguration; valid providers include `aescbc`, `secretbox`, `aesgcm`, and `identity`. Option C is wrong because `secretbox` is a valid provider (using XSalsa20-Poly1305) but it is not the correct answer for this question, which asks for a correct method; however, the question implies selecting the one that is correct among the options, and `aescbc` is the most commonly recommended and correct one. Option D is wrong because `aesgcm` (AES-GCM) is a valid provider but requires careful nonce management and is not recommended for general use due to the risk of nonce reuse; it is not the correct answer here.

835
MCQeasy

A developer wants to run a container that reads a secret from a mounted volume, not as an environment variable. Which volume type should they use?

A.secret
B.emptyDir
C.hostPath
D.configMap
AnswerA

A secret volume mounts a Secret into the container's filesystem.

Why this answer

The secret volume type mounts a Kubernetes Secret as files into a container. ConfigMaps are for non-sensitive data. hostPath is for host filesystem. emptyDir is ephemeral.

836
Matchingmedium

Match each Kubernetes certificate type to its usage.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Used by kubelet to serve the kubelet API (e.g., exec, logs)

Used by kubelet to authenticate to the API server

Used by the API server to serve HTTPS endpoints

Used to sign service account tokens so they can be verified

Used by an administrator to authenticate to the cluster with full privileges

Why these pairings

Certificate management is essential for securing communication in Kubernetes.

837
MCQmedium

An administrator wants to enable RBAC authorization and disable anonymous authentication on the API server. Which set of flags should be added to the kube-apiserver configuration?

A.--enable-admission-plugins=NodeRestriction --anonymous-auth=false
B.--authorization-mode=AlwaysAllow --anonymous-auth=false
C.--authorization-mode=RBAC --anonymous-auth=false
D.--authorization-mode=Node --anonymous-auth=true
AnswerC

These flags enable RBAC authorization and disable anonymous access, following CIS recommendations.

Why this answer

Option C is correct because to enable RBAC authorization on the API server, you must set `--authorization-mode=RBAC`. Disabling anonymous authentication is achieved with `--anonymous-auth=false`, which prevents unauthenticated requests from being processed. Together, these flags enforce role-based access control and block anonymous access, meeting the administrator's requirements.

Exam trap

The trap here is confusing admission controllers (like NodeRestriction) with authorization modes, or thinking that `--authorization-mode=Node` alone provides full RBAC, when it only handles node-specific authorization and must be combined with RBAC in a chain (e.g., `--authorization-mode=Node,RBAC`).

How to eliminate wrong answers

Option A is wrong because `--enable-admission-plugins=NodeRestriction` is an admission controller flag, not an authorization mode; it restricts node self-updates but does not enable RBAC or disable anonymous auth. Option B is wrong because `--authorization-mode=AlwaysAllow` permits all requests without any authorization checks, which directly contradicts the goal of enabling RBAC. Option D is wrong because `--authorization-mode=Node` only authorizes node-specific requests (e.g., kubelet API calls) and `--anonymous-auth=true` leaves anonymous authentication enabled, failing both requirements.

838
Multi-Selecthard

Which THREE of the following are recommended practices for minimizing microservice vulnerabilities related to container security?

Select 3 answers
A.Set securityContext.runAsNonRoot: true
B.Drop all capabilities via securityContext.capabilities.drop: ["ALL"]
C.Set high CPU requests to ensure performance
D.Set securityContext.readOnlyRootFilesystem: true
E.Expose secrets as environment variables for convenience
AnswersA, B, D

Prevents the container from running as root, reducing the impact of a compromise.

Why this answer

Running as non-root, read-only root filesystem, and dropping all capabilities are recommended for least privilege. Setting CPU requests high does not reduce vulnerabilities; it may cause resource contention. Using secrets in environment variables is insecure as they can be exposed in logs or via /proc.

839
MCQhard

A pod is failing with status 'CrashLoopBackOff'. The pod manifest includes a liveness probe that runs every 10 seconds. You suspect the probe is causing the crash. Which command would you use to verify the liveness probe configuration?

A.kubectl logs <pod>
B.kubectl exec <pod> -- cat /etc/kubernetes/manifests/pod.yaml
C.kubectl describe pod <pod>
D.kubectl get pod <pod> -o yaml
AnswerC

'kubectl describe pod' shows the liveness probe configuration under the container section, including the command, initial delay, period, etc.

Why this answer

Option C is correct because `kubectl describe pod <pod>` displays the pod's full configuration, including the liveness probe's exact parameters (e.g., initialDelaySeconds, periodSeconds, failureThreshold, and the probe action like HTTP GET, TCP socket, or exec command). This allows you to verify if the probe is misconfigured (e.g., too aggressive or pointing to a non-existent endpoint) and causing the CrashLoopBackOff.

Exam trap

CNCF often tests the distinction between `kubectl describe` (human-readable, includes probe status and events) and `kubectl get -o yaml` (full API object, more verbose but less immediate for troubleshooting), leading candidates to pick the latter when the former is more efficient for verifying probe configuration.

How to eliminate wrong answers

Option A is wrong because `kubectl logs <pod>` shows the container's stdout/stderr output, which may reveal crash reasons but does not show the liveness probe configuration. Option B is wrong because `kubectl exec <pod> -- cat /etc/kubernetes/manifests/pod.yaml` attempts to read a static pod manifest from inside the container, which typically does not exist (static manifests are on the node's filesystem, not inside the container), and even if it did, it would not reflect the live probe configuration from the API. Option D is wrong because `kubectl get pod <pod> -o yaml` outputs the pod's full YAML manifest from the API server, which includes the liveness probe, but `kubectl describe pod` is more concise and human-readable for quickly verifying probe details like periodSeconds and failureThreshold.

840
MCQeasy

Which of the following is a best practice for securing a Dockerfile?

A.Hardcode API keys as environment variables
B.Use a minimal base image like alpine
C.Run the container as root to avoid permission issues
D.Use the latest tag for all images
AnswerB

Minimal base images reduce the number of packages and potential vulnerabilities.

Why this answer

Using a minimal base image like alpine reduces the attack surface. Running as root (option A) is insecure. Hardcoding secrets (option C) is a bad practice.

Using latest tags (option D) can lead to unexpected changes; pinned versions are preferred.

841
MCQmedium

A pod spec includes the following securityContext: securityContext: seccompProfile: type: Localhost localhostProfile: custom-profile.json Where should the custom seccomp profile 'custom-profile.json' be placed on the node?

A./etc/seccomp/
B./etc/kubernetes/seccomp/
C./var/lib/kubelet/seccomp/profiles/
D./var/lib/kubelet/seccomp/
AnswerD

This is the default directory where kubelet looks for localhost seccomp profiles.

Why this answer

The default directory for localhost seccomp profiles is /var/lib/kubelet/seccomp/. The profile file must be located there.

842
MCQmedium

A security audit reveals that a service account 'monitor' is bound to the cluster-admin ClusterRole, which violates least-privilege. What is the best remediation?

A.Delete the service account and recreate it without any role binding
B.Keep the binding but add a Deny policy for write actions
C.Set automountServiceAccountToken: false in the pod spec
D.Create a new ClusterRoleBinding that binds 'monitor' to a less privileged role (e.g., view) and delete the cluster-admin binding
AnswerD

Replacing with a read-only role like 'view' follows least-privilege.

Why this answer

Option D is correct because it directly addresses the violation of least-privilege by replacing the overly permissive cluster-admin ClusterRoleBinding with a binding to a more restrictive role like 'view'. This ensures the 'monitor' service account retains only the necessary read permissions, adhering to the principle of least privilege without disrupting its functionality.

Exam trap

The trap here is that candidates may think setting automountServiceAccountToken to false (Option C) is sufficient to revoke permissions, but it only prevents token mounting in pods, not the underlying RBAC permissions that remain active for the service account.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the service account without any role binding would remove all permissions, potentially breaking the monitoring functionality that requires some level of access. Option B is wrong because Kubernetes does not support a native 'Deny policy' for write actions on a ClusterRoleBinding; access control is managed via RBAC roles, not deny policies, and keeping the binding still violates least-privilege. Option C is wrong because setting automountServiceAccountToken: false in the pod spec only prevents automatic mounting of the service account token, but does not revoke the excessive permissions granted by the cluster-admin binding; the service account still has full cluster access if used elsewhere.

843
MCQeasy

Which of the following is a valid way to drop all capabilities from a container?

A.securityContext: dropCapabilities: true
B.securityContext: privileged: false
C.securityContext: capabilities: remove: ["ALL"]
D.securityContext: capabilities: drop: ["ALL"]
AnswerD

The drop field accepts an array of capabilities; "ALL" is a wildcard to drop all capabilities.

844
MCQhard

An OPA/Gatekeeper constraint is configured to require all container images to be from a specific registry. A user creates a Pod with image 'gcr.io/myimage:v1'. Which admission controller will first reject this Pod?

A.PodSecurity
B.ImagePolicyWebhook
C.ValidatingAdmissionWebhook
D.MutatingAdmissionWebhook
AnswerC

Gatekeeper enforces constraints via ValidatingAdmissionWebhook, which runs after mutating webhooks.

Why this answer

Gatekeeper's validating webhook (part of ValidatingAdmissionWebhook) enforces constraints. The admission flow: MutatingAdmissionWebhooks run first, then ValidatingAdmissionWebhooks. Since OPA/Gatekeeper uses a ValidatingAdmissionWebhook, it runs after mutating webhooks but before the final validation.

845
MCQeasy

An administrator wants to monitor runtime security events in Kubernetes using Falco. Which component must be deployed as a DaemonSet to capture system calls from containers?

A.Falco driver
B.Kube-bench
C.Falcoctl
D.Falco
AnswerD

Falco itself runs as a DaemonSet to monitor syscalls on each node.

Why this answer

Falco runs as a DaemonSet to ensure each node has an instance that can intercept system calls from containers using kernel modules or eBPF.

846
MCQmedium

A developer wants to ensure that all containers in a pod run with a read-only root filesystem except for a specific volume mounted for writing logs. Which container-level security context field should be set to true?

A.allowPrivilegeEscalation
B.readOnlyRootFilesystem
C.privileged
D.runAsNonRoot
AnswerB

This makes the root filesystem read-only, which is the correct setting.

Why this answer

The field `readOnlyRootFilesystem: true` makes the container's root filesystem read-only, which forces all writes to go to mounted volumes.

847
Multi-Selecthard

Which THREE of the following are best practices for RBAC hardening in Kubernetes? (Select THREE)

Select 3 answers
A.Avoid using the cluster-admin ClusterRole for service accounts
B.Grant cluster-admin to all service accounts for simplicity
C.Apply the principle of least privilege when creating Roles and ClusterRoles
D.Use the default namespace for all service accounts
E.Regularly audit ClusterRoleBindings for excessive permissions
AnswersA, C, E

Service accounts should have only the permissions they need.

Why this answer

Option A is correct because the cluster-admin ClusterRole grants unrestricted access to all Kubernetes resources across all namespaces, which violates the principle of least privilege. Service accounts should be assigned only the specific permissions required for their function, not full administrative access. Using cluster-admin for service accounts increases the blast radius of a potential compromise and is a common misconfiguration that the CKS exam penalizes.

Exam trap

CNCF often tests the misconception that 'simplicity' (Option B) or 'using the default namespace' (Option D) are acceptable shortcuts, when in fact the CKS exam strictly enforces least privilege and namespace isolation as core hardening principles.

848
Multi-Selectmedium

Which TWO of the following are valid methods to detect a container spawning a shell (e.g., /bin/bash) using Falco? (Select two.)

Select 2 answers
A.Use the rule 'Launch Sensitive Mount'
B.Check if proc.name is 'bash' and container is true
C.Use the macro 'spawned_process' combined with a container filter
D.Check if the process's parent is 'sshd'
E.Check if evt.type is 'execve' and fd.name contains 'bash'
AnswersB, C

Why this answer

Falco can detect shell spawning by checking spawned_process and container conditions, and specific process names.

849
MCQeasy

Which command would scan a Kubernetes Pod manifest for security issues?

A.checkov -f pod.yaml
B.trivy image pod.yaml
C.cosign verify pod.yaml
D.kubesec scan pod.yaml
AnswerD

Kubesec scans Kubernetes manifests for security issues.

Why this answer

Kubesec is a tool that scans Kubernetes resource manifests and provides security scores based on security best practices.

850
MCQhard

A pod is using a RuntimeClass that specifies gVisor (runsc). Which of the following scenarios is most likely to cause the pod to fail?

A.The pod runs a web server listening on port 8080.
B.The pod attempts to mount a hostPath directory with privileged access.
C.The pod mounts a ConfigMap as a volume.
D.The pod uses a PersistentVolumeClaim for storage.
AnswerB

gVisor restricts host access and may not allow privileged hostPath mounts, causing the pod to fail.

Why this answer

gVisor intercepts system calls and may not support all of them, especially ones that require direct hardware access. Option C is most likely to fail.

851
MCQeasy

You are a Kubernetes administrator for a fintech company that runs a payment processing service in a production cluster. The service consists of multiple microservices that communicate over the network. Recently, a security audit revealed that a compromised pod could potentially send malicious requests to other services because there are no network restrictions between pods. The security team has mandated that all inter-service traffic must be encrypted and authenticated, and that only necessary traffic should be allowed. You need to implement a solution that meets these requirements with minimal changes to the application code and minimal operational overhead. Which approach should you take?

A.Encrypt traffic by configuring TLS certificates in each pod's environment variables and updating the application code to use HTTPS.
B.Use Kubernetes NetworkPolicies to restrict pod-to-pod communication based on labels and namespaces, and enable TLS in each service's code.
C.Deploy Istio as a service mesh with mutual TLS enabled and configure AuthorizationPolicy resources to allow only required traffic between services.
D.Move all services to a separate overlay network using Weave Net and enforce egress rules with iptables on each node.
AnswerC

Istio provides transparent mTLS and fine-grained authorization without code changes, meeting all requirements.

Why this answer

Option C is correct because deploying Istio as a service mesh with mutual TLS (mTLS) provides transparent encryption and authentication of all inter-service traffic without modifying application code. Istio's AuthorizationPolicy resources allow fine-grained, label-based access control to enforce the principle of least privilege, meeting the security mandate with minimal operational overhead through sidecar proxy injection.

Exam trap

The trap here is that candidates may think NetworkPolicies alone satisfy the encryption requirement, but NetworkPolicies only filter traffic at L3/L4 and do not provide any encryption or authentication, which is explicitly required by the security audit.

How to eliminate wrong answers

Option A is wrong because configuring TLS certificates via environment variables and updating application code to use HTTPS requires significant code changes and does not address network-level restrictions; it also lacks centralized policy enforcement. Option B is wrong because while NetworkPolicies restrict traffic at the network layer, they do not provide encryption or authentication; enabling TLS in each service's code still requires application modifications and does not offer mutual authentication by default. Option D is wrong because moving services to a separate overlay network with Weave Net and enforcing egress rules via iptables adds complexity, does not encrypt traffic, and requires manual per-node configuration, failing to meet the minimal operational overhead requirement.

852
MCQeasy

An administrator wants to prevent pods from running as root. Which SecurityContext field should be set at the pod level?

A.fsGroup: 2000
B.runAsGroup: 3000
C.runAsUser: 1000
D.runAsNonRoot: true
AnswerD

Explicitly prevents root.

Why this answer

Option D is correct because setting `runAsNonRoot: true` at the pod-level SecurityContext enforces that all containers in the pod must run with a non-root user (UID > 0). If a container image specifies a user with UID 0 (root) or does not specify a user, the container will fail to start, preventing privilege escalation from root access.

Exam trap

CNCF often tests the distinction between setting a specific user ID (runAsUser) and enforcing a non-root requirement (runAsNonRoot), where candidates mistakenly think that setting runAsUser to a non-zero value alone prevents root execution, but it does not block an image that runs as root by default if runAsUser is omitted or set to 0.

How to eliminate wrong answers

Option A is wrong because `fsGroup: 2000` sets the group ID for volume ownership, not the user identity, and does not prevent running as root. Option B is wrong because `runAsGroup: 3000` sets the primary group ID for the container process but does not restrict the user to a non-root UID. Option C is wrong because `runAsUser: 1000` sets a specific user ID (1000) for the container process, but it does not enforce that the container cannot run as root; if the image runs as root by default, this field overrides it, but the pod could still be configured with a root UID, and the field itself does not block root execution.

853
MCQhard

A pod is running with the following security context: ```yaml securityContext: allowPrivilegeEscalation: false runAsNonRoot: true seccompProfile: type: RuntimeDefault ``` The pod is in a CrashLoopBackOff. The logs show: "exec user process caused: operation not permitted". What is the most likely cause?

A.The container image is set to run as root, which conflicts with runAsNonRoot.
B.The container is missing the CAP_SYS_ADMIN capability.
C.The allowPrivilegeEscalation: false prevents the container from starting.
D.The seccomp profile is blocking necessary system calls.
AnswerA

runAsNonRoot: true requires the container to run as a non-root user. If the image defaults to root, the container fails to start.

854
MCQmedium

Which admission plugin should be enabled to prevent kubelets from modifying Node objects they should not have access to?

A.NamespaceLifecycle
B.NodeRestriction
C.PodSecurity
D.ServiceAccount
AnswerB

NodeRestriction restricts what a kubelet can modify on its node object.

Why this answer

The NodeRestriction admission plugin limits the kubelet's ability to modify Node and Pod objects to only those it is authorized to manage based on its credentials. It ensures a kubelet can only label, taint, or update status on its own Node object and cannot modify other Nodes, preventing privilege escalation or misconfiguration.

Exam trap

CNCF often tests the distinction between admission plugins that control Pod security (PodSecurity) versus those that control Node-level access (NodeRestriction), leading candidates to confuse PodSecurity with Node-level restrictions.

How to eliminate wrong answers

Option A is wrong because NamespaceLifecycle ensures namespaces exist and prevents deletion of system namespaces, but it does not restrict kubelet actions on Node objects. Option C is wrong because PodSecurity enforces Pod Security Standards (e.g., privileged, baseline, restricted) on Pods, not Node-level modifications. Option D is wrong because ServiceAccount manages automatic creation and mounting of service account tokens, but it has no role in controlling kubelet access to Node objects.

855
Multi-Selectmedium

Which TWO are recommended practices for securing a CI/CD pipeline that builds container images? (Select two.)

Select 2 answers
A.Run containers as root for compatibility
B.Scan images for vulnerabilities before pushing
C.Store secrets in the image as environment variables
D.Sign images after building
E.Use the 'latest' tag for simplicity
AnswersB, D

Scanning catches CVEs early.

Why this answer

Scanning images for vulnerabilities and signing images are key supply chain security practices.

856
MCQeasy

Which of the following is a best practice for securing container images in a Kubernetes environment?

A.Store secrets directly in the Dockerfile for convenience
B.Run containers as root to have full access to system resources
C.Use the latest tag for all base images to get the newest features
D.Use minimal base images such as distroless or Alpine to reduce attack surface
AnswerD

Minimal images reduce the number of packages and thus potential vulnerabilities.

Why this answer

Using minimal base images like distroless or Alpine reduces the attack surface by including only necessary packages. Option B is correct.

857
MCQmedium

Which kubelet flag prevents the kubelet from serving anonymous requests?

A.--authentication-anonymous=false
B.--anonymous-auth=false
C.--enable-anonymous=false
D.--anonymous-requests=false
AnswerB

This flag disables anonymous authentication on the kubelet.

Why this answer

The kubelet flag `--anonymous-auth=false` disables anonymous authentication, preventing unauthenticated requests from being served. By default, anonymous requests are enabled (`--anonymous-auth=true`), which allows any user without credentials to access the kubelet API. Setting this flag to `false` enforces authentication for all requests, a critical hardening step for cluster security.

Exam trap

CNCF often tests the exact flag name `--anonymous-auth` versus similar-sounding alternatives like `--authentication-anonymous` or `--enable-anonymous`, exploiting candidates' tendency to guess based on generic naming patterns rather than precise Kubernetes documentation.

How to eliminate wrong answers

Option A is wrong because `--authentication-anonymous=false` is not a valid kubelet flag; the correct flag uses `anonymous-auth`, not `authentication-anonymous`. Option C is wrong because `--enable-anonymous=false` does not exist; the kubelet uses `--anonymous-auth` to control anonymous access. Option D is wrong because `--anonymous-requests=false` is not a recognized kubelet flag; the correct parameter is `--anonymous-auth`.

858
MCQeasy

Which of the following is a valid approach to enforce that containers cannot escalate privileges?

A.Set securityContext.readOnlyRootFilesystem: true
B.Set securityContext.privileged: false
C.Set securityContext.capabilities.drop: ["ALL"]
D.Set securityContext.allowPrivilegeEscalation: false
AnswerD

allowPrivilegeEscalation: false prevents processes in the container from gaining more privileges than their parent process.

Why this answer

allowPrivilegeEscalation controls whether a process can gain more privileges than its parent. Setting it to false is the direct way to prevent privilege escalation.

859
MCQmedium

A cluster administrator wants to enforce that all pods in the 'restricted' namespace use the Restricted Pod Security Standard. Which command achieves this?

A.kubectl annotate ns restricted pod-security.kubernetes.io/restricted=restricted
B.kubectl label ns restricted pod-security.kubernetes.io/enforce=privileged
C.kubectl create podsecuritypolicy restricted --namespace restricted
D.kubectl label ns restricted pod-security.kubernetes.io/enforce=restricted
AnswerD

This correctly labels the namespace with the 'enforce' level set to 'restricted'.

860
MCQeasy

Which admission plugin is recommended by the CIS Benchmark to restrict what nodes can modify?

A.PodSecurity
B.AlwaysPullImages
C.ServiceAccount
D.NodeRestriction
AnswerD

NodeRestriction limits kubelet permissions.

Why this answer

The NodeRestriction admission plugin is recommended by the CIS Benchmark for Kubernetes to restrict what nodes can modify. It limits the Node and Pod objects a kubelet can modify, ensuring that a node can only modify its own Node object and Pods bound to it. This prevents a compromised node from affecting other nodes or pods in the cluster.

Exam trap

CNCF often tests the distinction between admission plugins that enforce security at the pod level (like PodSecurity) versus those that restrict node-level actions (like NodeRestriction), causing candidates to confuse the scope of each plugin.

How to eliminate wrong answers

Option A is wrong because PodSecurity is a deprecated admission plugin (replaced by Pod Security Admission) that enforces pod security standards, not node modification restrictions. Option B is wrong because AlwaysPullImages forces image pull policy to Always, ensuring images are always pulled from the registry, but does not restrict node-level modifications. Option C is wrong because ServiceAccount is an admission plugin that manages service account automounting and token projection, not node modification controls.

861
MCQeasy

Which command can be used to view the logs of a container using the container runtime interface (crictl)?

A.crictl status <container-id>
B.crictl logs <container-id>
C.crictl inspect <container-id>
D.crictl log <container-id>
AnswerB

Correct. crictl logs displays logs from the container.

Why this answer

crictl logs is the command to fetch logs of a container, similar to 'docker logs'.

862
MCQmedium

During a security audit, it was found that some pods have access to the host network. How can an administrator restrict host network access for all pods in the cluster?

A.Set --allow-privileged=false in kubelet configuration
B.Enable PodSecurity admission controller with baseline or restricted profile
C.Enable PodSecurityPolicy with 'hostNetwork: false'
D.Create NetworkPolicies that deny traffic to host network
AnswerB

The baseline and restricted profiles forbid host networking, effectively restricting it cluster-wide.

Why this answer

Option B is correct because the PodSecurity admission controller (GA in Kubernetes v1.25+) enforces predefined security standards (baseline or restricted) that, among other restrictions, prevent pods from using `hostNetwork: true`. This is the recommended replacement for the deprecated PodSecurityPolicy and provides a built-in, cluster-wide mechanism to restrict host network access without requiring external tools.

Exam trap

CNCF often tests the deprecation of PodSecurityPolicy (PSP) and expects candidates to know that the PodSecurity admission controller is the current and correct replacement, not the legacy PSP or network-level controls like NetworkPolicies.

How to eliminate wrong answers

Option A is wrong because `--allow-privileged=false` in kubelet configuration only prevents privileged containers on that specific node, but does not restrict the `hostNetwork` setting; a pod can still set `hostNetwork: true` without being privileged. Option C is wrong because PodSecurityPolicy (PSP) has been deprecated since Kubernetes v1.21 and removed in v1.25; while a PSP with `hostNetwork: false` would work in older clusters, it is no longer a viable solution for current CKS exam contexts. Option D is wrong because NetworkPolicies operate at Layer 3/4 and cannot block a pod from binding to the host's network stack; `hostNetwork: true` bypasses the pod network entirely, making NetworkPolicies ineffective.

863
MCQeasy

Which kube-apiserver flag enables encryption at rest for secrets?

A.--encryption-provider-config
B.--encryption-key-file
C.--secret-encryption
D.--enable-encryption
AnswerA

This flag specifies the EncryptionConfiguration file.

Why this answer

The `--encryption-provider-config` flag is the correct answer because it is the kube-apiserver flag that specifies the path to a configuration file containing the encryption providers (like `aescbc`, `secretbox`, or `aesgcm`) and the associated keys for encrypting Kubernetes secrets at rest. This flag enables the encryption at rest feature for secrets and other resources, as defined in the encryption configuration file.

Exam trap

The trap here is that candidates may confuse the `--encryption-provider-config` flag with a non-existent flag like `--enable-encryption` or `--secret-encryption`, assuming encryption at rest is enabled by a simple boolean flag rather than a configuration file reference.

How to eliminate wrong answers

Option B is wrong because `--encryption-key-file` is not a valid kube-apiserver flag; encryption keys are defined within the encryption provider configuration file, not via a separate key file flag. Option C is wrong because `--secret-encryption` is not a real kube-apiserver flag; the encryption at rest feature is configured through the encryption provider configuration, not a dedicated secret encryption flag. Option D is wrong because `--enable-encryption` is not a valid kube-apiserver flag; the encryption at rest feature is enabled by providing the `--encryption-provider-config` flag, not a boolean enable flag.

864
MCQmedium

An administrator creates a Pod with the following securityContext: securityContext: runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 The container image has a binary that requires read/write access to /data, which is an emptyDir volume mounted by the Pod. The container fails to start with 'Permission denied' when writing to /data. What is the most likely cause?

A.The container's base image has a restrictive umask that overrides the pod's security context.
B.The fsGroup is set but the volume's fsGroupChangePolicy is missing.
C.The emptyDir volume is not writable by default; it needs to be explicitly configured.
D.The container is running as user 1000, but the volume is owned by root (uid 0) and the fsGroup 2000 does not give write permission.
865
MCQhard

You are configuring an ImagePolicyWebhook admission controller to allow only images from a trusted registry 'trusted-registry.io'. Which flag must be set in the kube-apiserver configuration to enable the webhook?

A.--pod-security-policy
B.--admission-control-config-file
C.--image-policy-webhook-config
D.--enable-admission-plugins=ImagePolicyWebhook
AnswerB

This flag points to a file that contains the configuration for ImagePolicyWebhook and other admission plugins.

Why this answer

Option C is correct. The --admission-control-config-file flag points to a configuration file that specifies the image policy webhook and other admission plugins. Option A is not a valid flag.

Option B is for enabling the webhook but does not specify the configuration file. Option D is for the old PodSecurityPolicy.

866
Multi-Selectmedium

Which TWO of the following are valid Pod Security Standard levels? (Select 2)

Select 2 answers
A.medium
B.high
C.default
D.privileged
E.restricted
AnswersD, E

Privileged is the most permissive level.

Why this answer

Option D is correct because the Pod Security Standards (PSS) define three levels: privileged, baseline, and restricted. The privileged level is the most permissive, allowing known privilege escalations and is intended for system-level workloads that require unrestricted access to host resources. It is explicitly listed in the Kubernetes documentation as one of the three valid PSS levels.

Exam trap

CNCF often tests the exact three Pod Security Standard levels (privileged, baseline, restricted) and expects candidates to recognize that 'medium', 'high', and 'default' are distractors that sound plausible but are not part of the official Kubernetes specification.

867
MCQhard

A security team wants to generate an SBOM for a container image. Which tool should they use?

A.Clair
B.Trivy
C.Cosign
D.Syft
AnswerD

Syft is a tool designed to generate Software Bill of Materials (SBOM) from container images and filesystems.

Why this answer

Syft generates SBOMs for container images. Trivy and Clair are vulnerability scanners. Cosign is for signing.

Syft is specifically designed for SBOM generation.

868
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete the namespace and redeploy all workloads
B.Increase the memory limit in the pod's container resource specification
C.Delete and recreate the pod to clear the crash loop
D.Increase the CPU request for the container
AnswerB

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option A would not help — restarting the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.

869
MCQeasy

Which tool can generate an SBOM (Software Bill of Materials) from a container image?

A.syft
B.kubesec
C.trivy
D.checkov
AnswerA

Syft produces SBOMs in various formats (SPDX, CycloneDX) from container images.

Why this answer

Syft is a tool specifically designed to generate SBOMs from container images. Option A is correct.

870
MCQmedium

You need to enforce that all pods in the 'production' namespace run with read-only root filesystems. Which OPA Gatekeeper resource do you create first?

A.A ConfigMap containing the Rego policy, then reference it in a custom admission controller
B.A ConstraintTemplate containing a Rego policy that checks for readOnlyRootFilesystem: true
C.A Constraint resource that enforces the readOnlyRootFilesystem rule
D.A ValidatingWebhookConfiguration that points to the Gatekeeper service
AnswerB

ConstraintTemplate defines the Rego policy logic and parameters. It must be created before instantiating a Constraint.

Why this answer

In OPA Gatekeeper, the ConstraintTemplate defines the policy (Rego) and the schema for parameters. A Constraint instantiates the template with specific parameters. The ValidatingWebhookConfiguration is typically created by the Gatekeeper installation, not as a first step by the user.

871
Multi-Selecthard

Which TWO of the following are valid approaches to restrict which nodes a pod can run on?

Select 2 answers
A.Use nodeSelector in pod spec
B.Define NetworkPolicy to allow only certain nodes
C.Enable PodSecurity with baseline profile
D.Use tolerations in pod spec
E.Use nodeAffinity in pod spec
AnswersA, E

nodeSelector matches nodes with specific labels.

Why this answer

Option A is correct because `nodeSelector` is a simple field in the Pod spec that constrains which nodes a Pod can be scheduled on by matching against node labels. This is a native Kubernetes scheduling mechanism that directly restricts node placement based on key-value pairs defined on nodes.

Exam trap

CNCF often tests the distinction between scheduling constraints (`nodeSelector`, `nodeAffinity`) and scheduling permissions (`tolerations`), where candidates mistakenly think tolerations restrict placement when they actually only allow scheduling on tainted nodes.

872
MCQmedium

An administrator wants to ensure that only images from a trusted registry 'myregistry.io' can run in the cluster. Which admission controller should be configured?

A.NodeRestriction
B.MutatingAdmissionWebhook
C.ImagePolicyWebhook
D.PodSecurity
AnswerC

This admission controller calls a webhook to validate container images against a policy, e.g., allowlisting registries.

Why this answer

ImagePolicyWebhook allows you to configure an external webhook to validate images. OPA/Gatekeeper can also enforce registry allowlisting through constraint templates. However, ImagePolicyWebhook is the built-in admission controller specifically designed for image policy enforcement.

873
MCQhard

Which of the following is NOT a valid priority level in a Falco rule?

A.NOTICE
B.HIGH
C.CRITICAL
D.WARNING
AnswerB

Why this answer

Falco priorities are: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. 'HIGH' is not a valid priority.

874
MCQhard

A Falco rule is written to detect access to /etc/shadow inside a container. Which condition should be used?

A.evt.type=read and fd.name=/etc/shadow
B.spawned_process and proc.name in (cat, less) and container
C.evt.type=execve and proc.name=cat and fd.name=/etc/shadow
D.evt.type=open and fd.name=/etc/shadow
AnswerD

Correct. open syscall with fd.name exactly matching /etc/shadow.

Why this answer

Access to a file is detected by the 'open' syscall event. To detect reads of /etc/shadow, use 'evt.type=open' and 'fd.name' containing the path.

875
Multi-Selecteasy

Which TWO checks are performed by kube-bench for the master node?

Select 2 answers
A.Ensure that the kubelet uses the NodeRestriction admission plugin
B.Ensure that the API server uses TLS 1.2
C.Ensure that the container runtime is Docker
D.Ensure that the --anonymous-auth argument is set to false
E.Ensure that the --audit-log-path argument is set
AnswersD, E

This is a CIS check for the API server.

Why this answer

Option D is correct because kube-bench checks that the kubelet's `--anonymous-auth` argument is set to `false` to prevent unauthenticated requests from reaching the kubelet API. This is a CIS Kubernetes Benchmark recommendation (e.g., 4.2.1) to enforce authentication for all kubelet requests. Setting this to false ensures that anonymous users cannot perform operations on the kubelet, reducing the attack surface.

Exam trap

CNCF often tests the distinction between kube-bench checks for the master node vs. worker node, and candidates mistakenly think kube-bench checks for container runtime type (like Docker) or TLS version specifics, when in reality kube-bench focuses on CIS benchmark items like authentication settings and audit logging.

876
Multi-Selectmedium

Which THREE are valid admission controllers in Kubernetes? (Select three.)

Select 3 answers
A.ServiceAccount
B.NetworkPolicy
C.ImagePolicyWebhook
D.MutatingAdmissionWebhook
E.PodSecurity
AnswersC, D, E

It is an admission controller that validates images.

Why this answer

MutatingAdmissionWebhook, ImagePolicyWebhook, and PodSecurity are valid admission controllers. Options A, C, and E are correct.

877
MCQmedium

An administrator runs `kube-bench` and sees that the check 'Ensure that the --protect-kernel-defaults flag is set to true' has failed. Which component does this check apply to?

A.etcd
B.API server
C.Kubelet
D.Controller manager
AnswerC

The flag belongs to the kubelet to protect kernel defaults.

Why this answer

The `--protect-kernel-defaults` flag is a kubelet-specific security option that ensures the kubelet does not modify kernel parameters that could weaken node security. When set to true, it enforces that the kubelet respects kernel defaults, preventing privilege escalation via sysctl overrides. This check is part of the CIS Benchmark for the kubelet component, not for etcd, the API server, or the controller manager.

Exam trap

The trap here is that candidates often associate kernel parameter protection with the kubelet's sysctl management, but mistakenly attribute it to the API server or controller manager, which handle authorization and scheduling, not node-level kernel interactions.

How to eliminate wrong answers

Option A is wrong because etcd does not have a `--protect-kernel-defaults` flag; etcd uses flags like `--auto-compaction-retention` and `--peer-cert-file` for security. Option B is wrong because the API server does not have a `--protect-kernel-defaults` flag; its security flags include `--anonymous-auth`, `--authorization-mode`, and `--tls-cert-file`. Option D is wrong because the controller manager does not have a `--protect-kernel-defaults` flag; its relevant security flags are `--use-service-account-credentials` and `--root-ca-file`.

878
MCQeasy

An administrator wants to restrict pods from running as root. Which admission controller should be enabled?

A.NodeRestriction
B.AlwaysPullImages
C.ServiceAccount
D.PodSecurity
AnswerD

PodSecurity enforces the Pod Security Standards, including 'restricted' profile which prevents running as root.

Why this answer

The PodSecurity admission controller (D) is the correct choice because it enforces the Pod Security Standards (Privileged, Baseline, Restricted) defined in the Kubernetes documentation. By enabling this controller, the administrator can configure a policy that prevents pods from running as root, typically by setting the 'Restricted' profile which requires 'runAsNonRoot: true' and 'runAsUser: > 10000' in the pod security context.

Exam trap

CNCF often tests the misconception that NodeRestriction or ServiceAccount can enforce pod-level security policies, but these controllers serve entirely different purposes—NodeRestriction is for kubelet authorization, and ServiceAccount is for identity management, not for restricting root access.

How to eliminate wrong answers

Option A (NodeRestriction) is wrong because it limits the Node API access for kubelets, preventing them from modifying sensitive node objects, but it does not enforce any pod-level security policies like preventing root containers. Option B (AlwaysPullImages) is wrong because it ensures that container images are always pulled from the registry, which is a security measure against stale or tampered images, but it has no effect on the user ID under which a container runs. Option C (ServiceAccount) is wrong because it manages the automatic creation and mounting of service account tokens into pods, but it does not restrict the security context or user ID of the containers.

879
MCQmedium

A CI/CD pipeline builds a Docker image and pushes it to a registry. To ensure supply chain security, the pipeline should scan the image for vulnerabilities before deployment. Which of the following is the correct command to scan a local Docker image using Trivy?

A.trivy fs --image myimage:latest
B.trivy image myimage:latest
C.trivy scan myimage:latest
D.trivy check myimage:latest
AnswerB

This command scans the specified container image for vulnerabilities.

Why this answer

The correct command to scan a local image with Trivy is 'trivy image <image-name>'. The other options are incorrect flags or commands.

880
Multi-Selectmedium

Which TWO of the following are valid steps to respond to a runtime security incident where a container is suspected to be compromised? (Select two.)

Select 2 answers
A.Apply a NetworkPolicy that denies all ingress and egress to the pod
B.Immediately delete the pod to stop the attack
C.Add a taint to the node to evict the pod
D.Use kubectl logs to capture container logs before taking action
E.Restart the kubelet on the node
AnswersA, D

Why this answer

Valid incident response steps include isolating the pod via NetworkPolicy and capturing container logs for evidence.

881
MCQhard

An etcd cluster uses TLS for peer and client communication. You need to secure etcd further by enabling RBAC. Which flag do you set on the etcd process to enable authentication?

A.--client-cert-auth=true
B.--enable-rbac=true
C.--authentication-mode=RBAC
D.--auth-mode=rbac
AnswerA

This enables client certificate authentication, which is required for RBAC.

Why this answer

In etcd, RBAC is not enabled by a dedicated RBAC flag; instead, authentication must first be turned on using `--client-cert-auth=true`. This flag requires clients to present a valid TLS certificate, which is the prerequisite for enabling RBAC. After setting this flag, you can use `etcdctl` commands like `etcdctl role add` and `etcdctl user add` to configure RBAC roles and users.

Exam trap

The trap here is that candidates often assume there is a direct `--enable-rbac` or `--auth-mode` flag for RBAC, but etcd requires `--client-cert-auth=true` first, and then RBAC is enabled via the etcd API or `etcdctl` commands.

How to eliminate wrong answers

Option B is wrong because `--enable-rbac=true` is not a valid etcd flag; etcd does not have a direct flag to enable RBAC. Option C is wrong because `--authentication-mode=RBAC` is not a recognized etcd flag; authentication in etcd is controlled via TLS client certificate authentication, not a mode parameter. Option D is wrong because `--auth-mode=rbac` is not a valid etcd flag; etcd uses `--client-cert-auth` for authentication and then RBAC is configured via the API or `etcdctl` commands.

882
MCQeasy

You need to ensure that all containers in a pod run as non-root. Which security context field should you set to enforce this?

A.privileged: false
B.readOnlyRootFilesystem: true
C.allowPrivilegeEscalation: false
D.runAsNonRoot: true
AnswerD

This field enforces that the container runs as a non-root user.

Why this answer

Setting runAsNonRoot: true in the security context enforces that the container runs as a non-root user; if the container attempts to run as root, it will be denied.

883
Multi-Selectmedium

Which TWO admission plugins should be enabled to improve cluster security according to the CIS Benchmark? (Select 2)

Select 2 answers
A.NodeRestriction
B.PodSecurity
C.AlwaysPullImages
D.NamespaceLifecycle
E.ServiceAccount
AnswersA, B

CIS recommends enabling NodeRestriction to limit kubelet permissions.

Why this answer

NodeRestriction (A) is correct because it limits the permissions of kubelet nodes to only modify their own pods and node objects, preventing a compromised node from accessing or modifying other nodes' resources. PodSecurity (B) is correct because it enforces Pod Security Standards (Privileged, Baseline, Restricted) at the namespace level, replacing the deprecated PodSecurityPolicy and ensuring pods comply with security contexts like running as non-root or dropping capabilities. Both are explicitly recommended in the CIS Benchmark for Kubernetes to reduce the attack surface.

Exam trap

CNCF often tests the distinction between plugins that are 'recommended for security' (like NodeRestriction and PodSecurity) versus those that are 'useful but not CIS-mandated' (like AlwaysPullImages), leading candidates to over-select based on general security benefits rather than the specific CIS Benchmark requirements.

884
MCQmedium

Which of the following host access settings should be avoided to minimize the attack surface from containers? (Select the setting that increases risk the most.)

A.hostPID: true
B.securityContext: capabilities: drop: ["ALL"]
C.readOnlyRootFilesystem: true
D.resources: limits: memory: "512Mi"
AnswerA

Allows container to see host processes, increasing attack surface.

Why this answer

Setting 'hostPID: true' allows the container to see all processes on the host, which greatly increases the attack surface. Option A is correct. Options B, C, and D are less risky: readOnlyRootFilesystem reduces risk, resource limits are good, and dropping capabilities reduces risk.

885
MCQmedium

A Falco rule detects unexpected outbound connections. Which condition would identify a connection to an external IP not in the allowed list?

A.evt.type=connect and fd.ip not in (allowed_ips)
B.evt.type=accept and fd.ip not in (allowed_ips)
C.evt.type=listen and fd.ip not in (allowed_ips)
D.evt.type=bind and fd.ip not in (allowed_ips)
AnswerA

This matches connect syscalls to IPs not in the allowed list.

Why this answer

The evt.type=connect and fd.ip checks the destination IP; combined with a not in list condition detects unexpected outbound connections.

886
Multi-Selecthard

You need to preserve forensic evidence from a compromised pod. Which TWO actions should you take?

Select 2 answers
A.Delete the pod immediately
B.Take a snapshot of the container's filesystem
C.Apply a NetworkPolicy to allow all traffic
D.Capture the container logs using kubectl logs
E.Restart the container
AnswersB, D

Preserves the filesystem state for analysis.

Why this answer

Taking a snapshot of the container filesystem (e.g., using crictl export) and capturing the container logs are standard forensic steps.

887
MCQhard

You are creating a custom seccomp profile for a container that runs a binary requiring the 'write' syscall only. You place the profile JSON file at '/var/lib/kubelet/seccomp/profiles/write-only.json'. In the pod spec, which seccomp configuration correctly uses this profile?

A.securityContext: seccompProfile: type: RuntimeDefault localhostProfile: profiles/write-only.json
B.securityContext: seccompProfile: type: Localhost localhostProfile: /var/lib/kubelet/seccomp/profiles/write-only.json
C.securityContext: seccompProfile: type: Localhost localhostProfile: profiles/write-only.json
D.securityContext: seccompProfile: type: Localhost profile: write-only.json
AnswerC

Correctly specifies type Localhost and the profile path relative to /var/lib/kubelet/seccomp/.

Why this answer

Option C is correct because when using a custom seccomp profile with type 'Localhost', the 'localhostProfile' field must specify a path relative to the kubelet's seccomp root directory (default: /var/lib/kubelet/seccomp). The path 'profiles/write-only.json' is relative and resolves to /var/lib/kubelet/seccomp/profiles/write-only.json, matching the file location. The 'type' field must be 'Localhost' to reference a local profile file.

Exam trap

CNCF often tests the distinction between relative and absolute paths for 'localhostProfile', and the trap here is that candidates mistakenly use an absolute path (option B) or confuse the field name 'localhostProfile' with 'profile' (option D), while also testing that 'type: RuntimeDefault' cannot be combined with a custom profile path.

How to eliminate wrong answers

Option A is wrong because 'type: RuntimeDefault' uses the container runtime's default seccomp profile, not a custom one, and 'localhostProfile' is ignored when type is not Localhost. Option B is wrong because 'localhostProfile' must be a relative path from the kubelet's seccomp root directory, not an absolute path; using '/var/lib/kubelet/seccomp/profiles/write-only.json' would cause the kubelet to look for the file at /var/lib/kubelet/seccomp/var/lib/kubelet/seccomp/profiles/write-only.json, which does not exist. Option D is wrong because the field name is 'localhostProfile', not 'profile', and 'profile' is not a valid key in the seccompProfile object.

888
MCQhard

An AppArmor profile is loaded in 'complain' mode. What happens when a pod with that profile attempts an action that violates the profile?

A.The pod is terminated.
B.The action is allowed but a log entry is created.
C.The action is allowed and no log is generated.
D.The action is blocked and an audit log is generated.
AnswerB

Complain mode allows the action and logs the violation.

Why this answer

In AppArmor, 'complain' mode (also known as 'learning' mode) allows all actions, including those that violate the profile, but logs the violation to the system audit log (typically via auditd or syslog). This is distinct from 'enforce' mode, which blocks violating actions. Therefore, when a pod runs with a profile in complain mode, prohibited actions are permitted and recorded.

Exam trap

CNCF often tests the distinction between AppArmor modes, and the trap here is confusing 'complain' mode with 'enforce' mode, leading candidates to think violations are blocked or that no logging occurs.

How to eliminate wrong answers

Option A is wrong because termination only occurs in 'enforce' mode when a violation is blocked, not in complain mode. Option C is wrong because complain mode explicitly generates a log entry for each violation; no log would only happen if the profile were not loaded or in 'audit' mode without logging. Option D is wrong because blocking the action is the behavior of 'enforce' mode, not complain mode; audit logs are generated in both modes, but in complain mode the action is allowed.

889
MCQeasy

Which tool is commonly used to generate a Software Bill of Materials (SBOM) for a container image?

A.kubesec
B.syft
C.trivy
D.cosign
AnswerB

Syft is designed to generate SBOMs from container images and filesystems.

Why this answer

Option D is correct. Syft is a CLI tool that generates SBOMs for container images. Trivy is for vulnerability scanning.

Cosign is for signing. Kubesec is for manifest scanning.

890
MCQmedium

An administrator runs 'kube-bench master' and receives a warning that etcd has no client certificate authentication. What is the recommended remediation?

A.Remove the --client-cert-auth flag
B.Set --anonymous-auth=true on etcd
C.Use etcdctl to enable authentication
D.Set --client-cert-auth=true and --trusted-ca-file on the etcd process
AnswerD

This enables mutual TLS authentication for etcd clients.

Why this answer

The warning indicates that etcd is running without client certificate authentication, which means any client can communicate with etcd without verifying its identity. Setting `--client-cert-auth=true` enables TLS-based client certificate authentication, and `--trusted-ca-file` specifies the CA certificate used to validate client certificates. This is the recommended remediation because it ensures only clients with valid certificates signed by the trusted CA can access etcd, preventing unauthorized access to the cluster's key-value store.

Exam trap

The trap here is that candidates might think enabling authentication via `etcdctl` (Option C) is sufficient, but etcd's client certificate authentication must be configured at the server process level via startup flags, not through a client command.

How to eliminate wrong answers

Option A is wrong because removing the `--client-cert-auth` flag would disable client certificate authentication entirely, which is the opposite of the required remediation and would worsen the security issue. Option B is wrong because setting `--anonymous-auth=true` on etcd allows unauthenticated anonymous requests, which would bypass authentication and increase the attack surface, not fix the missing client certificate authentication. Option C is wrong because `etcdctl` is a client tool for interacting with etcd, not a mechanism to enable client certificate authentication on the etcd server process; authentication must be configured via etcd's startup flags or configuration file.

891
MCQeasy

Which kubectl command lists all MutatingWebhookConfigurations in the cluster?

A.kubectl get webhooks
B.kubectl list webhooks
C.kubectl get mutatingwebhookconfigurations
D.kubectl get mutating-webhooks
AnswerC

Correct.

Why this answer

The correct command is 'kubectl get mutatingwebhookconfigurations'.

892
MCQmedium

A security admin wants to ensure that all container images in a Kubernetes cluster are scanned for known vulnerabilities before being deployed. Which tool can be integrated into a CI/CD pipeline to scan container images for CVEs?

A.kubesec
B.Trivy
C.Helm
D.kubectl
AnswerB

Trivy is a popular open-source vulnerability scanner for container images, supporting multiple formats and databases.

Why this answer

Trivy is a comprehensive vulnerability scanner for container images, filesystems, and Git repositories. It can be integrated into CI/CD pipelines to scan images before deployment.

893
Multi-Selecthard

Which TWO practices help secure the Kubernetes Dashboard?

Select 2 answers
A.Enable anonymous access to the Dashboard
B.Use a ClusterIP service and access it via kubectl proxy
C.Grant the Dashboard service account cluster-admin role for full functionality
D.Use RBAC to restrict Dashboard service account permissions to read-only
E.Expose the Dashboard via a NodePort service for easy access
AnswersB, D

Access via proxy avoids public exposure.

Why this answer

Option B is correct because accessing the Kubernetes Dashboard via `kubectl proxy` creates a secure, authenticated HTTP proxy between your local machine and the API server. This method leverages the API server's built-in authentication and authorization, ensuring that only users with valid kubeconfig credentials can reach the Dashboard. It also avoids exposing the Dashboard directly to the network, reducing the attack surface.

Exam trap

The trap here is that candidates often think exposing the Dashboard via a NodePort or granting it cluster-admin is acceptable for 'full functionality,' but the CKS exam strictly enforces least privilege and network security, making RBAC-restricted access via kubectl proxy the only secure approach among the options.

894
MCQhard

You need to ensure that all containers in a pod cannot write to their root filesystem except for a specific directory `/data`. You set `securityContext.readOnlyRootFilesystem: true` and mount an emptyDir volume at `/data`. However, the container still cannot write to `/data`. What is the most likely cause?

A.The emptyDir volume is not mounted correctly in the pod spec
B.The container user does not have write permission on the emptyDir volume
C.The emptyDir volume is using a read-only storage class
D.readOnlyRootFilesystem also applies to mounted volumes
AnswerB

The emptyDir volume's permissions may not allow writing by the container's user. You may need to set `fsGroup` or `runAsUser` to ensure write access.

Why this answer

The emptyDir volume is mounted at `/data`, but the container process may not have write permissions on the emptyDir volume's default permissions (typically 755 owned by root). The container user must have write access. Option A suggests the emptyDir is not mounted; that would cause a different error.

Option C is incorrect because readOnlyRootFilesystem applies to the root filesystem, not the volume. Option D is unrelated.

895
Multi-Selectmedium

Which TWO are valid stages in a Kubernetes audit event? (Select 2)

Select 2 answers
A.RequestReceived
B.ResponseStarted
C.PreProcessing
D.None
E.PostProcessing
AnswersA, B

RequestReceived is a valid stage.

Why this answer

The valid stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. 'PreProcessing' and 'PostProcessing' are not valid stages.

896
Multi-Selecthard

Which THREE of the following are capabilities required for a Falco rule to detect privilege escalation via setuid binary execution? (Choose three.)

Select 3 answers
A.fd.name contains /dev/tcp
B.proc.name in (su, sudo)
C.proc.uid=0
D.evt.type=execve
E.evt.type=open
AnswersB, C, D

Common setuid binaries for privilege escalation.

Why this answer

Falco detects privilege escalation by monitoring the 'execve' syscall, the process name (e.g., 'su', 'sudo'), and the user ID changes (e.g., 'proc.uid'). Options A, B, and E are relevant. Option C (network) is not directly related.

Option D (file modification) is not directly about execution.

897
Multi-Selectmedium

Which TWO of the following are valid ways to restrict access to etcd? (Select 2)

Select 2 answers
A.Enable RBAC on etcd by setting --auth-token=jwt and configuring roles.
B.Use --peer-auto-tls=true to auto-generate certificates.
C.Use --admission-control=NodeRestriction on etcd.
D.Use TLS client certificates for authentication.
E.Set --client-cert-auth=false to disable authentication.
AnswersA, D

etcd supports RBAC with JWT tokens to restrict access.

Why this answer

Option A is correct because etcd supports Role-Based Access Control (RBAC) when you enable it with the `--auth-token=jwt` flag and then configure roles and users via `etcdctl`. This allows you to restrict which clients can read or write to the etcd key-value store, which is critical for securing Kubernetes cluster state. Without RBAC, any client that can reach the etcd port can access all secrets and configuration data.

Exam trap

The trap here is that candidates confuse etcd's `--client-cert-auth` flag (which enables TLS client certificate authentication) with the Kubernetes API server's `--admission-control` flag, or they assume that peer TLS options restrict client access.

898
Drag & Dropmedium

Order the steps to rotate a Kubernetes API server certificate.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Certificate rotation involves generating new certs, replacing files, restarting the service, and verifying. Kubeconfig updates may be needed if CA changes.

899
MCQhard

A cluster has both ImagePolicyWebhook and a mutating webhook that adds a sidecar. The admin notices that even when ImagePolicyWebhook rejects an image, the mutating webhook has already added the sidecar. What admission ordering issue is occurring?

A.Validating webhooks should run before mutating webhooks
B.Use a validating webhook instead of ImagePolicyWebhook
C.The mutating webhook should be configured to skip pods with certain images
D.The ImagePolicyWebhook should be placed before the mutating webhook in the webhook configuration
AnswerD

Reordering ensures the image policy is evaluated before any mutation.

Why this answer

Mutating webhooks run before validating webhooks. If a mutating webhook runs first, it may modify the pod spec, and the validation may see the modified version.

900
MCQhard

You want to allow only images from a specific registry (e.g., myregistry.io) to be deployed in your cluster. Which tool or approach is best suited for this requirement?

A.Use OPA/Gatekeeper to create a constraint that checks the image registry
B.Set up a NetworkPolicy to block traffic from other registries
C.Configure an ImagePolicyWebhook
D.Modify the kubelet configuration to only pull from a specific registry
AnswerA

Gatekeeper can enforce policies on images, including allowing only certain registries.

Why this answer

OPA/Gatekeeper can be used to create a ConstraintTemplate that validates image registries. Kyverno is another option, but Gatekeeper is specifically designed for policy enforcement.

Page 11

Page 12 of 14

Page 13