Certified Kubernetes Security Specialist CKS (CKS) — Questions 901975

997 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
MCQmedium

A Falco rule has priority `WARNING` and output: `Sensitive file opened (user=%user.name command=%proc.cmdline file=%fd.name)`. The rule is triggering correctly. You want to reduce noise from legitimate administrative activity. What is the best approach?

A.Add an exception to the rule to exclude known admin commands
B.Modify the rule condition to add `and not user.name in (admin, root)`
C.Change the rule priority to `INFO`
D.Disable the rule
AnswerA

Falco rule exceptions allow you to specify conditions under which the rule should not trigger, effectively filtering out known good activity.

Why this answer

Falco supports rule exceptions to filter out specific conditions. Adding an exception allows you to exclude known legitimate commands without disabling the rule entirely. Option B modifies the rule condition to ignore certain users, but exceptions are more flexible.

Option C changes priority, but does not reduce noise. Option D disables the rule entirely.

902
MCQmedium

An administrator runs 'aa-status' on a node and sees a profile in 'complain' mode. What does this indicate?

A.The profile logs violations but does not block them.
B.The profile is disabled and has no effect.
C.The profile is enforcing restrictions and blocking violations.
D.The profile is not loaded.
AnswerA

Correct. Complain mode logs but does not enforce.

Why this answer

In complain mode, AppArmor allows all actions but logs violations. It is used for testing and learning without enforcement.

903
MCQhard

An organization uses a private container registry and wants to ensure that only images built from a specific CI/CD pipeline are deployed. Which combination of measures provides the strongest guarantee?

A.Implement network policies to restrict egress from pods to the registry.
B.Grant registry write access only to the CI system's service account.
C.Use a static analysis tool to check the Dockerfile before building.
D.Use a unique registry path and restrict access via firewall rules.
E.Generate signed attestations with in-toto during the CI pipeline and verify them using an admission webhook like Kyverno.
AnswerE

Attestations provide non-repudiation and can be verified at admission time.

Why this answer

Option E is correct because it implements a complete chain of custody for container images. In-toto generates signed attestations that record every step of the CI/CD pipeline (e.g., source code checkout, build, test), and an admission webhook like Kyverno verifies these attestations before allowing a pod to run. This ensures that only images that passed the exact, attested pipeline are deployed, providing the strongest guarantee against unauthorized or tampered images.

Exam trap

CNCF often tests the distinction between access control measures (network policies, RBAC, firewalls) and cryptographic provenance verification; candidates mistakenly think restricting registry access or network egress is sufficient, but the exam emphasizes that only signed attestations with admission control can guarantee the image was built by the intended pipeline.

How to eliminate wrong answers

Option A is wrong because network policies restrict egress from pods to the registry, which controls runtime access but does not verify the provenance or integrity of the image itself; an attacker could still deploy a malicious image that was built outside the CI/CD pipeline. Option B is wrong because granting registry write access only to the CI system's service account prevents unauthorized pushes but does not prevent the CI system itself from being compromised or building images from untrusted sources; it lacks verification of the build process. Option C is wrong because static analysis of the Dockerfile checks for vulnerabilities or misconfigurations in the build instructions but does not provide any cryptographic proof that the resulting image was actually built from that Dockerfile in the approved pipeline.

Option D is wrong because using a unique registry path and firewall rules restricts network access but does not verify the image's supply chain; an attacker who gains access to the registry path could push arbitrary images.

904
MCQhard

You need to create an RBAC role that allows reading secrets only in namespace 'production'. Which ClusterRole and RoleBinding combination is correct?

A.Create a ClusterRole with get and list on secrets, then a RoleBinding in 'production'
B.Create a Role with get and list on secrets in namespace 'production', then a ClusterRoleBinding
C.Create a ClusterRole with get and list on secrets, then a ClusterRoleBinding to bind it to the user
D.Create a Role with get and list on secrets in namespace 'production', then a RoleBinding in 'production'
AnswerD

A Role is namespaced and the RoleBinding binds it within the same namespace, restricting access to 'production'.

Why this answer

Option D is correct because a Role is namespaced and can only grant permissions within a specific namespace, which is 'production' in this case. A RoleBinding then binds that Role to a user, group, or service account within the same namespace, ensuring the permissions are scoped correctly. This combination restricts secret read access exclusively to the 'production' namespace, meeting the requirement precisely.

Exam trap

CNCF often tests the misconception that ClusterRoles are always cluster-wide even when bound via a RoleBinding, but the trap here is that a ClusterRole bound with a RoleBinding actually scopes permissions to that namespace, yet the question's requirement for a Role (not ClusterRole) is the precise answer because a Role is inherently namespaced and avoids any ambiguity about scope.

How to eliminate wrong answers

Option A is wrong because a ClusterRole is cluster-scoped and, when used with a RoleBinding, grants permissions across all namespaces unless explicitly restricted by a RoleBinding's namespace, but the RoleBinding itself does not limit the ClusterRole's scope to a single namespace; the ClusterRole's rules apply cluster-wide, so this would allow reading secrets in all namespaces. Option B is wrong because a Role is namespaced, but a ClusterRoleBinding binds cluster-wide, which would fail as a Role cannot be bound to a ClusterRoleBinding; ClusterRoleBindings only bind ClusterRoles, not Roles. Option C is wrong because a ClusterRole with get and list on secrets, when bound via a ClusterRoleBinding, grants permissions across all namespaces, not just 'production', violating the requirement to restrict access to a single namespace.

905
MCQeasy

Which of the following is a valid method to disable automatic mounting of service account tokens for a pod?

A.Delete the service account token secret
B.Add 'automountServiceAccountToken: false' to the pod spec
C.Use a NetworkPolicy to block access to the token
D.Set the service account's 'automountServiceAccountToken' field to false
AnswerB

This field in the pod spec disables token mounting for that pod.

Why this answer

Option B is correct because setting `automountServiceAccountToken: false` in the pod spec explicitly disables the automatic mounting of the service account token into the pod. This is the most direct and granular way to prevent the token from being available inside the container, which is a key hardening step to reduce the attack surface if the pod does not need to interact with the Kubernetes API.

Exam trap

CNCF often tests the distinction between pod-level and service account-level settings, and candidates mistakenly choose the service account-level option (D) thinking it applies to all pods, but the pod-level setting (B) is the only one that directly and unconditionally disables mounting for that specific pod.

How to eliminate wrong answers

Option A is wrong because deleting the service account token secret does not prevent automatic mounting; Kubernetes will recreate the secret or the pod may still mount a token from a different secret. Option C is wrong because a NetworkPolicy controls network traffic, not filesystem mounts; it cannot block the pod's access to the token file that is already mounted inside the container. Option D is wrong because setting the service account's `automountServiceAccountToken` field to false only affects pods that use that service account by default, but a pod can override this by explicitly setting the field in its own spec; the pod-level setting takes precedence.

906
Multi-Selectmedium

Which TWO of the following are valid methods to verify the integrity of a container image before deployment?

Select 2 answers
A.Run a vulnerability scan on the image
B.Use the latest tag to ensure the most recent version
C.Generate an SBOM for the image
D.Use the image digest (SHA256) instead of a tag
E.Verify the image signature using Cosign
AnswersD, E

Using the digest ensures that the exact image content is used, preventing tag mutability attacks.

Why this answer

Image signing with Cosign allows verification of the image's integrity and origin. Image digest ensures the exact image content is used. SBOM provides a list of components but does not verify integrity.

Vulnerability scanning identifies issues but does not verify integrity. Using latest tag does not provide integrity.

907
MCQmedium

A security policy requires that all pods drop ALL Linux capabilities and disable privilege escalation. Which YAML snippet correctly implements this in the pod's security context?

A.securityContext: privileged: false capabilities: drop: ["ALL"]
B.securityContext: allowPrivilegeEscalation: false capabilities: add: ["NET_ADMIN"]
C.securityContext: capabilities: drop: ["ALL"]
D.securityContext: allowPrivilegeEscalation: false capabilities: drop: ["ALL"]
AnswerD

Correctly sets both fields.

Why this answer

The securityContext must include capabilities.drop with ALL and allowPrivilegeEscalation set to false. Option B has both.

908
MCQmedium

A security team wants to ensure that all communication between the kubelet and the API server is encrypted. Which flag must be set on the kubelet to enforce this?

A.--tls-cert-file
B.--node-status-update-frequency
C.--kubeconfig
D.--require-kubeconfig
AnswerC

The kubeconfig file contains the API server address with HTTPS.

Why this answer

Option C is correct because the `--kubeconfig` flag on the kubelet specifies the path to a kubeconfig file that contains the credentials and server address for the API server. When this flag is set, the kubelet uses TLS to authenticate and encrypt all communication with the API server, as the kubeconfig file typically references an HTTPS endpoint and includes client certificates or tokens. Without this flag, the kubelet may fall back to insecure or unencrypted connections, violating the requirement for encrypted communication.

Exam trap

The trap here is that candidates often confuse `--tls-cert-file` (which secures the kubelet's own server) with the flag that secures outbound kubelet-to-API-server communication, leading them to pick Option A instead of the correct `--kubeconfig`.

How to eliminate wrong answers

Option A is wrong because `--tls-cert-file` specifies the certificate file for the kubelet's own TLS server (used when serving its metrics or health endpoints), not for encrypting outbound communication to the API server. Option B is wrong because `--node-status-update-frequency` controls how often the kubelet posts node status to the API server, but has no effect on encryption of the communication channel. Option D is wrong because `--require-kubeconfig` is a deprecated flag that caused the kubelet to exit if no kubeconfig was provided, but it does not itself enforce encryption; the actual encryption is enforced by the presence and content of the kubeconfig file referenced by `--kubeconfig`.

909
MCQmedium

You suspect a container has been compromised and want to perform forensics using kubectl exec. Which command safely collects the container's process list without affecting the container?

A.kubectl attach <pod>
B.kubectl exec <pod> -- ps aux
C.kubectl cp /proc <pod>:/tmp
D.kubectl exec -it <pod> -- /bin/sh
AnswerB

This runs ps aux non-interactively, collecting process list without modifying the container.

Why this answer

kubectl exec with -- ps aux runs the ps command inside the container, capturing processes without altering the container state.

910
MCQmedium

You suspect a container has been compromised. You run 'kubectl exec -it <pod> -- bash' to investigate. Which of the following is the BEST next step to preserve evidence?

A.Use 'kubectl cp' to copy files from the container to a secure location, and 'kubectl logs' to capture log output
B.Install forensic tools inside the container using apt-get
C.Run 'kubectl exec' to capture memory dumps
D.Delete the pod and create a new one for analysis
AnswerA

Why this answer

To preserve evidence, you should first capture the container's filesystem and logs before making changes. Option D creates a tar archive of the container's filesystem from the host. Option A might alter the container state if you install tools.

Option B uses exec which can change in-memory state. Option C would reset the container, losing evidence.

911
MCQeasy

Which container runtime is specifically designed for sandboxing containers with a lightweight kernel?

A.Docker
B.containerd
C.gVisor (runsc)
D.runc
AnswerC

gVisor implements a user-space kernel for sandboxing.

Why this answer

Option B is correct. gVisor (runsc) provides a sandboxed kernel for containers. Kata Containers also provides sandboxing but uses a lightweight VM. Docker and containerd are general-purpose runtimes.

912
Multi-Selecthard

You are securing a cluster and want to ensure that service account tokens are not automatically mounted in pods that do not need them. Which THREE actions should you take?

Select 3 answers
A.Set --service-account-lookup=false on the API server
B.Set automountServiceAccountToken: false in the service account definition for service accounts that do not need tokens
C.Audit all service accounts to determine which ones need token mounting disabled
D.Set automountServiceAccountToken: false in the pod spec for each pod that does not need the token
E.Delete all service accounts except those used by system components
AnswersB, C, D

Correct. This disables mounting for all pods using that service account.

Why this answer

Option B is correct because setting `automountServiceAccountToken: false` in the service account definition prevents the automatic mounting of the service account token into any pod that uses that service account. This is a declarative, scalable approach to disable token mounting for all pods associated with that service account, aligning with the principle of least privilege.

Exam trap

The trap here is that candidates often confuse `automountServiceAccountToken: false` with deleting service accounts or disabling token validation, when the correct approach is to disable mounting at the service account or pod level, not to remove accounts or alter API server flags.

913
MCQeasy

You are using crictl to debug a container. Which command lists all running containers on the node?

A.crictl containers
B.crictl ps
C.crictl get pods
D.crictl list
AnswerB

Correct. crictl ps lists containers.

Why this answer

crictl ps lists containers managed by the CRI runtime. It's analogous to 'docker ps'.

914
MCQhard

You need to ensure a container's filesystem is immutable at runtime except for a temporary volume. Which Pod spec configuration achieves this?

A.containers: - name: app securityContext: runAsNonRoot: true volumeMounts: - mountPath: /tmp name: scratch volumes: - name: scratch emptyDir: {}
B.containers: - name: app securityContext: readOnlyRootFilesystem: true volumeMounts: - mountPath: /tmp name: scratch volumes: - name: scratch emptyDir: {}
C.containers: - name: app securityContext: readOnlyRootFilesystem: false
D.containers: - name: app securityContext: readOnlyRootFilesystem: true volumeMounts: - mountPath: /tmp name: scratch volumes: - name: scratch hostPath: path: /tmp
AnswerB

readOnlyRootFilesystem makes rootfs read-only; emptyDir provides writable tmpfs.

Why this answer

Setting readOnlyRootFilesystem: true and mounting an emptyDir volume for writes allows immutability with a writable scratch space.

915
MCQhard

An administrator applies the following manifest to enable audit logging: apiVersion: audit.k8s.io/v1 kind: Policy metadata: name: audit-policy rules: - level: Metadata resources: - group: "" resources: ["secrets"] Which audit level is being used for requests to the Secrets API?

A.RequestResponse
B.Metadata
C.Request
D.None
AnswerB

Metadata logs request metadata without request/response bodies.

Why this answer

The manifest defines an audit policy rule with `level: Metadata` for the Secrets API (group: "", resources: ["secrets"]). The Metadata level logs only the metadata of the request—such as user, timestamp, and resource—without logging the request body or response body. Therefore, the correct audit level for requests to the Secrets API is Metadata.

Exam trap

CNCF often tests the distinction between audit levels, and the trap here is that candidates may confuse Metadata with Request or RequestResponse, thinking that Secrets require logging the full request/response for security, when in fact Metadata is the recommended level to avoid exposing sensitive data in audit logs.

How to eliminate wrong answers

Option A is wrong because RequestResponse logs both the request and response bodies, which is a higher verbosity level than what is specified in the policy. Option C is wrong because Request logs the request body but not the response body, which is also not the level set in the policy. Option D is wrong because the policy explicitly sets the level to Metadata, so the audit level is not None.

916
Multi-Selecthard

Which THREE of the following are valid Falco rule priorities? (Select THREE.)

Select 3 answers
A.CRITICAL
B.EMERGENCY
C.ALERT
D.HIGH
E.MEDIUM
AnswersA, B, C

Correct.

Why this answer

Falco defines priorities: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. 'HIGH', 'MEDIUM', 'LOW' are not standard Falco priorities.

917
MCQeasy

Which flag must be set on the kube-apiserver to disable anonymous authentication?

A.--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
B.--audit-log-path=/var/log/audit.log
C.--anonymous-auth=false
D.--authorization-mode=RBAC
AnswerC

This flag disables anonymous authentication, ensuring all requests are authenticated.

Why this answer

Option C is correct because the `--anonymous-auth=false` flag explicitly disables anonymous authentication on the kube-apiserver. By default, anonymous requests are allowed (the flag defaults to `true`), which can permit unauthenticated users to access the API server. Setting this flag to `false` ensures that all requests must present valid credentials, aligning with the principle of least privilege and hardening the cluster against unauthorized access.

Exam trap

CNCF often tests the distinction between authentication and authorization flags, so candidates may mistakenly choose `--authorization-mode=RBAC` (option D) thinking it controls who can access the API, when in fact it only governs what authenticated users are allowed to do, not whether anonymous users are permitted at all.

How to eliminate wrong answers

Option A is wrong because `--tls-cert-file` specifies the TLS certificate file for serving HTTPS, not authentication; it secures the transport layer but does not control whether anonymous requests are accepted. Option B is wrong because `--audit-log-path` enables audit logging to record API requests, but it does not affect authentication or disable anonymous access. Option D is wrong because `--authorization-mode=RBAC` sets the authorization mode to Role-Based Access Control, which governs what authenticated users can do, but it does not disable anonymous authentication; anonymous users could still be authorized if RBAC grants them permissions.

918
Multi-Selectmedium

Which TWO of the following are valid audit stages in Kubernetes audit logging? (Choose two)

Select 2 answers
A.ResponseStarted
B.RequestReceived
C.ResponseFinished
D.RequestProcessing
E.AuthorizationChecked
AnswersA, B

Valid audit stage.

Why this answer

The valid audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. Options B and D are correct.

919
MCQhard

An audit policy is configured with the following rule: - level: Metadata resources: - group: "" resources: ["secrets"] What does this rule log for requests to the Secrets API?

A.The full request and response body
B.Metadata about the request, excluding the body
C.Nothing, because secrets are excluded by default
D.The request body only
AnswerB

Correct: Metadata level logs metadata only.

Why this answer

The 'Metadata' level logs request metadata (user, timestamp, resource) but not the request or response body. Option A is RequestResponse level. Option C is Request level.

Option D is None.

920
Multi-Selecthard

Which THREE of the following are best practices for reducing the attack surface of a Kubernetes node?

Select 3 answers
A.Run containers with non-root user and drop all capabilities
B.Install all available security patches and packages
C.Disable unnecessary system services like Bluetooth and ModemManager
D.Remove SSH access from all nodes
E.Use read-only root filesystem for containers where possible
AnswersA, C, E

Least privilege principle reduces potential damage.

Why this answer

Options A, C, and D are best practices for node hardening. Option B is not a best practice because installing unnecessary packages increases attack surface. Option E is not a standard practice; SSH might be needed for admin access but should be restricted, not necessarily removed entirely.

921
MCQmedium

In an Istio service mesh, you want to enforce mutual TLS (mTLS) between all services in the 'default' namespace. Which resource should you create?

A.PeerAuthentication with mTLS mode STRICT
B.Sidecar resource with outboundTrafficPolicy REGISTRY_ONLY
C.ServiceEntry with resolution NONE
D.DestinationRule with trafficPolicy tls mode ISTIO_MUTUAL
AnswerA

PeerAuthentication sets mTLS mode; STRICT requires mTLS for all traffic.

Why this answer

PeerAuthentication defines mTLS mode for workloads. DestinationRule can be used for traffic policies, but PeerAuthentication is the primary resource for mTLS enforcement. ServiceEntry is for external services.

Sidecar is for customizing the sidecar proxy.

922
MCQmedium

A security audit reveals that several pods have the service account token mounted automatically. Which annotation should be added to the pod's service account to prevent automatic mounting?

A.Set 'automountServiceAccountToken: true' in the pod spec.
B.Add annotation 'seccomp.security.alpha.kubernetes.io/pod: "runtime/default"' to the service account.
C.Add annotation 'kubernetes.io/enforce-mountable-secrets: "false"' to the service account.
D.Set 'automountServiceAccountToken: false' in the service account definition.
AnswerD

Setting this field to false on the service account prevents automatic mounting of the token in pods using that service account.

Why this answer

Option D is correct because setting `automountServiceAccountToken: false` in the service account definition prevents pods that use that service account from automatically mounting the service account token. This is the recommended way to disable automatic token mounting at the service account level, as per Kubernetes security best practices.

Exam trap

The trap here is that candidates may confuse the `automountServiceAccountToken` field with other security mechanisms like seccomp profiles or secret mounting annotations, or mistakenly think that setting it to `true` in the pod spec would disable mounting.

How to eliminate wrong answers

Option A is wrong because setting `automountServiceAccountToken: true` in the pod spec explicitly enables automatic mounting, which is the opposite of what is needed to prevent it. Option B is wrong because the annotation `seccomp.security.alpha.kubernetes.io/pod: "runtime/default"` is used to set a seccomp profile for the pod, not to control service account token mounting. Option C is wrong because the annotation `kubernetes.io/enforce-mountable-secrets: "false"` does not exist; the correct annotation for controlling secret mounting is `kubernetes.io/enforce-mountable-secrets` but it is used to restrict which secrets can be mounted, not to disable automatic service account token mounting.

923
MCQmedium

Which of the following is the correct way to disable swap on a Kubernetes node to improve security?

A.Run 'swapoff -a' and remove swap entry from /etc/fstab
B.Set kernel parameter 'vm.swappiness=0'
C.Run 'systemctl stop swap'
D.Run 'kubelet --disable-swap'
AnswerA

This disables swap immediately and permanently.

Why this answer

Disabling swap is a prerequisite for Kubernetes nodes to ensure kubelet works correctly with memory management and resource isolation. Running 'swapoff -a' disables all active swap devices immediately, and removing the swap entry from /etc/fstab prevents swap from being re-enabled after a reboot. This is the standard and complete method recommended by Kubernetes documentation for system hardening.

Exam trap

The trap here is that candidates may think 'vm.swappiness=0' is sufficient to disable swap, but it only minimizes swap usage without actually turning it off, which still violates Kubernetes node requirements.

How to eliminate wrong answers

Option B is wrong because setting 'vm.swappiness=0' only reduces the kernel's tendency to use swap but does not disable it; swap remains active and can still be used, which can cause kubelet instability. Option C is wrong because 'systemctl stop swap' is not a valid systemd command; swap is managed via 'swapoff' or systemd swap units (e.g., 'systemctl stop dev-sda1.swap'), but the generic 'swap' service does not exist. Option D is wrong because 'kubelet --disable-swap' is not a valid kubelet flag; kubelet does not have a built-in option to disable swap, and swap must be disabled at the OS level before starting kubelet.

924
Multi-Selecthard

Which THREE of the following are valid methods to restrict access to the Kubernetes Dashboard? (Choose three.)

Select 3 answers
A.Use a ClusterIP service and only allow access via kubectl proxy
B.Expose the Dashboard via a NodePort service to the internet
C.Use an Ingress with authentication and TLS
D.Apply RBAC policies that restrict who can access the Dashboard
E.Deploy the Dashboard with a hostNetwork: true configuration
AnswersA, C, D

By using a ClusterIP service and kubectl proxy, access is limited to users who have kubectl and cluster access.

Why this answer

Option A is correct because using a ClusterIP service restricts the Dashboard to internal cluster access only. Access is then granted exclusively through `kubectl proxy`, which creates a local proxy server that authenticates the user via their kubeconfig context, ensuring that only authenticated and authorized users can reach the Dashboard without exposing it to the network.

Exam trap

CNCF often tests the misconception that exposing a service via NodePort or hostNetwork is acceptable for internal-only access, when in fact both methods inherently expose the service to the node's network and require additional security measures to restrict access.

925
MCQmedium

You are tasked with enabling audit logging for the Kubernetes API server. You have created an audit policy file at /etc/kubernetes/audit-policy.yaml. Which flag must be added to the API server manifest to enable audit logging?

A.--audit-policy-file=/etc/kubernetes/audit-policy.yaml
B.--audit-log-level=2
C.--enable-audit-log
D.--audit-log-path=/var/log/kubernetes/audit.log
AnswerD

This flag enables audit logging by specifying the output file.

Why this answer

Option D is correct because the `--audit-log-path` flag is required to enable audit logging in the Kubernetes API server. Without specifying a log path, the API server will not write audit events to a file, even if an audit policy is defined. The `--audit-policy-file` flag (Option A) defines the rules for what to audit, but audit logging itself is only activated when a log destination is provided via `--audit-log-path`.

Exam trap

CNCF often tests the misconception that `--audit-policy-file` alone enables audit logging, but the trap is that the log destination flag (`--audit-log-path`) is mandatory to actually start writing audit events.

How to eliminate wrong answers

Option A is wrong because `--audit-policy-file` only specifies the policy file that defines which events to audit; it does not enable the writing of audit logs. Option B is wrong because `--audit-log-level` is not a valid Kubernetes API server flag; audit log verbosity is controlled by the policy file, not a command-line level. Option C is wrong because `--enable-audit-log` is not a real flag; audit logging is enabled implicitly by providing a log path and policy file.

926
MCQmedium

An administrator applies the following Kyverno policy to the cluster. What is the effect of this policy? apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: require-non-root spec: validationFailureAction: enforce rules: - name: check-runAsNonRoot match: resources: kinds: - Pod validate: message: "Running as root is not allowed." pattern: spec: securityContext: runAsNonRoot: true

A.It allows Pods that run as root if they have a reason
B.It applies only to Pods in the default namespace
C.It denies all Pods that do not specify a security context
D.It only audits Pods and does not block them
AnswerC

The policy requires runAsNonRoot: true. If the security context is missing entirely, the field is not set, so the validation fails and the Pod is denied.

Why this answer

The policy enforces that all Pods must have 'runAsNonRoot: true' in their security context. If a Pod does not have this setting, it will be rejected (enforce mode).

927
MCQhard

A security scanner reports that the Kubernetes dashboard is publicly accessible. Which recommended action should be taken?

A.Expose the dashboard as a NodePort service for easy access
B.Configure firewall rules to restrict access to the dashboard's ClusterIP
C.Enable authentication on the dashboard
D.Delete the dashboard deployment and use kubectl proxy to access it
AnswerD

kubectl proxy provides secure local access. Deleting the dashboard or restricting its service is recommended.

Why this answer

The Kubernetes Dashboard is a powerful administrative tool that should never be exposed to the public internet. Deleting the dashboard deployment and using `kubectl proxy` to access it locally is the recommended action because it eliminates the attack surface entirely and ensures that access is restricted to the machine running the kubectl command, leveraging the API server's built-in authentication and authorization.

Exam trap

CNCF often tests the misconception that adding authentication or network restrictions is sufficient to secure an exposed dashboard, when the correct answer is to remove the public-facing component and use a secure, authenticated proxy method like `kubectl proxy`.

How to eliminate wrong answers

Option A is wrong because exposing the dashboard as a NodePort service makes it accessible on every node's IP address at a high port, which directly contradicts the goal of restricting public access and increases the attack surface. Option B is wrong because configuring firewall rules to restrict access to the dashboard's ClusterIP is ineffective; ClusterIP is only reachable from within the cluster, so the scanner's report of public accessibility indicates the dashboard is already exposed via a different service type (e.g., LoadBalancer or NodePort), and firewall rules on ClusterIP do not address the actual exposure. Option C is wrong because enabling authentication on the dashboard does not prevent public network-level access; the dashboard would still be reachable from the internet, and authentication alone does not protect against denial-of-service attacks or unauthorized network scanning.

928
MCQeasy

Which of the following is the correct annotation to apply an AppArmor profile named 'my-profile' to a container named 'app' in a pod?

A.security.alpha.kubernetes.io/apparmor/app: localhost/my-profile
B.container.apparmor.security.beta.kubernetes.io/app: localhost/my-profile
C.pod.apparmor.security.beta.kubernetes.io/app: my-profile
D.container.apparmor.security.beta.kubernetes.io/app: my-profile
AnswerB

Correct. The annotation key targets the container, and the value includes the profile name with 'localhost/' prefix.

Why this answer

Option B is correct because the AppArmor profile annotation for a container must follow the format `container.apparmor.security.beta.kubernetes.io/<container_name>: localhost/<profile_name>`. This annotation is in the `security.beta.kubernetes.io` API group (beta, not alpha) and targets the specific container by name. The value must include the `localhost/` prefix to indicate a profile loaded on the node, not a built-in or default profile.

Exam trap

CNCF often tests the exact annotation format, specifically the `localhost/` prefix and the `security.beta.kubernetes.io` API group, to catch candidates who confuse AppArmor with Seccomp (which uses `security.alpha.kubernetes.io/seccomp`) or who forget the per-container targeting.

How to eliminate wrong answers

Option A is wrong because it uses the `security.alpha.kubernetes.io` prefix, which is an older, deprecated API group for AppArmor; the correct group is `security.beta.kubernetes.io`. Option C is wrong because it uses `pod.apparmor.security.beta.kubernetes.io`, which is not a valid annotation key; AppArmor annotations are per-container, not per-pod. Option D is wrong because it omits the required `localhost/` prefix in the value; the profile name must be specified as `localhost/my-profile` to reference a locally loaded profile, not just `my-profile`.

929
MCQeasy

Which of the following is a static analysis tool for Kubernetes manifests that can identify security misconfigurations?

A.Clair
B.kubesec
C.OPA/Gatekeeper
D.Notary
AnswerB

kubesec performs static analysis of Kubernetes YAML files to identify security risks.

Why this answer

Option A is correct. kubesec is a tool that analyzes Kubernetes resource manifests for security issues. Clair is for image scanning. Notary is for image signing.

OPA/Gatekeeper is for admission control, not static analysis.

930
MCQeasy

What is the primary purpose of using a service mesh like Istio for microservices security?

A.To replace Kubernetes NetworkPolicies for network segmentation.
B.To provide a centralized logging solution.
C.To automatically scale pods based on CPU usage.
D.To provide mTLS communication between services for encrypted and authenticated traffic.
AnswerD

One of the main features of a service mesh is to enable mTLS between services transparently.

931
MCQeasy

You need to configure the Kubernetes API server to enable audit logging at the 'Metadata' level for all requests. Which flag should be used when starting the kube-apiserver?

A.--feature-gates=Auditing=true
B.--audit-log-path=/var/log/audit.log
C.--audit-policy-file=/etc/kubernetes/audit-policy.yaml
D.--audit-log-maxsize=100
AnswerC

Correct. The audit policy file is required to enable audit logging and define levels.

Why this answer

Audit logging is enabled by specifying --audit-policy-file pointing to a policy file. The policy file defines the level. The flag itself is --audit-policy-file.

932
MCQhard

You are tasked with creating a Kubernetes admission controller that validates image signatures before allowing pods to run. Which admission controller should you configure?

A.ImagePolicyWebhook
B.MutatingAdmissionWebhook
C.ValidatingAdmissionWebhook
D.NodeRestriction
AnswerA

ImagePolicyWebhook is an admission controller specifically for image policy validation, often used with image signing.

Why this answer

ImagePolicyWebhook is the admission controller that can be configured to validate images against an external webhook, typically used for image signature verification.

933
Multi-Selecthard

Which THREE of the following are recommended practices for hardening RBAC in a Kubernetes cluster? (Select 3)

Select 3 answers
A.Use the default service account in each namespace with cluster-admin.
B.Regularly audit ClusterRoleBindings and RoleBindings for over-privileged subjects.
C.Grant only the minimum permissions necessary for each subject.
D.Avoid binding cluster-admin to service accounts unless absolutely necessary.
E.Use RoleBindings with ClusterRoles in the same namespace to increase security.
AnswersB, C, D

Auditing helps identify and reduce excessive permissions.

Why this answer

Option B is correct because regular auditing of ClusterRoleBindings and RoleBindings helps identify over-privileged subjects, such as service accounts or users with excessive permissions, which is a key hardening practice. This aligns with the principle of least privilege and is recommended by Kubernetes security best practices to reduce the attack surface.

Exam trap

CNCF often tests the misconception that using RoleBindings with ClusterRoles is always more secure, but the trap here is that ClusterRoles can contain cluster-scoped permissions that are not namespace-restricted, potentially granting broader access than intended if not carefully reviewed.

934
Multi-Selectmedium

Which TWO of the following tools can be used to generate or analyze SBOMs? (Select 2)

Select 2 answers
A.Cosign
B.Kubesec
C.Syft
D.Trivy
E.Checkov
AnswersC, D

Syft is a dedicated SBOM generation tool.

Why this answer

Syft generates SBOMs, and Trivy can also generate SBOMs (in addition to vulnerability scanning). Cosign is for signing, Kubesec is for manifest analysis, and Checkov is for infrastructure-as-code scanning.

935
MCQeasy

Which command correctly creates a secret from a file named 'config.json'?

A.kubectl create configmap my-secret --from-file=config.json
B.kubectl create secret generic my-secret --from-file=config.json
C.kubectl create secret tls my-secret --cert=config.json
D.kubectl create secret generic my-secret --from-literal=config.json
AnswerB

Correct. This creates a secret named my-secret with the file contents as the value, key defaults to 'config.json'.

Why this answer

The 'kubectl create secret generic' command with '--from-file' flag creates a secret from a file. The syntax is 'kubectl create secret generic <name> --from-file=<key>=<source>' or just '--from-file=<source>' where the key defaults to the filename.

936
Multi-Selecthard

Which THREE of the following are required when setting up a Kubernetes control plane with kubeadm for a production environment?

Select 3 answers
A.Ensure the Kubernetes version is not downgraded
B.Specify --pod-network-cidr to define the pod network range
C.Specify --control-plane-endpoint for high availability
D.Specify --apiserver-advertise-address
E.Generate a bootstrap token with kubeadm token create
AnswersA, B, C

kubeadm prevents downgrading.

Why this answer

Option A is correct because kubeadm enforces a strict version skew policy: the kubelet version must not be newer than the control plane version, and downgrading the control plane (e.g., from v1.28 to v1.27) is not supported. Attempting a downgrade can lead to API version mismatches, schema incompatibilities, and cluster instability. In production, you must plan upgrades carefully and never downgrade the control plane components.

Exam trap

CNCF often tests the misconception that --apiserver-advertise-address is mandatory for all control plane setups, but it is only needed when the node has multiple network interfaces or you need to override the default IP detection.

937
MCQmedium

A cluster administrator wants to enforce Pod Security Standards at the namespace level using the built-in PodSecurity admission controller. The namespace 'test' should reject any pod that violates the 'baseline' level. Which command applies this correctly?

A.kubectl annotate ns test pod-security.kubernetes.io/enforce-version=baseline
B.kubectl label ns test pod-security.kubernetes.io/enforce=baseline
C.kubectl label ns test pod-security.kubernetes.io/warn=baseline
D.kubectl label ns test pod-security.kubernetes.io/audit=baseline
AnswerB

This label enforces the baseline Pod Security Standard on the namespace.

Why this answer

Option B is correct because the PodSecurity admission controller uses the label `pod-security.kubernetes.io/enforce` to enforce the specified Pod Security Standard (e.g., `baseline`) at the namespace level. Pods that violate the enforced level are rejected by the admission controller. The `enforce` label triggers the admission webhook to block non-compliant pods, which matches the requirement to reject violations.

Exam trap

CNCF often tests the distinction between the three Pod Security Standard modes (`enforce`, `warn`, `audit`) and the fact that only `enforce` actually blocks pods, while `warn` and `audit` are non-blocking; candidates frequently confuse `warn` or `audit` with enforcement.

How to eliminate wrong answers

Option A is wrong because it uses `kubectl annotate` with the key `pod-security.kubernetes.io/enforce-version`, which is not a valid label for enforcement; the correct key is `pod-security.kubernetes.io/enforce`, and it must be set as a label, not an annotation. Option C is wrong because `pod-security.kubernetes.io/warn=baseline` only generates a warning for violations but does not reject the pod, so it does not meet the requirement to reject violations. Option D is wrong because `pod-security.kubernetes.io/audit=baseline` only logs violations in the audit log without rejecting or warning, which also fails to enforce rejection.

938
MCQmedium

A security auditor runs kube-bench on your cluster and reports that the apiserver is using default service account tokens. Which admission plugin should be enabled to address this?

A.DefaultStorageClass
B.PodSecurity
C.NodeRestriction
D.ServiceAccount
AnswerB

PodSecurity (or legacy PodSecurityPolicy) can enforce policies that require automountServiceAccountToken: false.

Why this answer

The correct answer is B (PodSecurity) because the PodSecurity admission plugin (replacing the deprecated PodSecurityPolicy) enforces a restricted security context on pods, preventing them from automatically mounting the default service account token. By default, Kubernetes mounts a service account token into every pod, which can be exploited if an attacker gains access to a pod. Enabling PodSecurity with a policy that restricts automounting of service account tokens addresses the kube-bench finding.

Exam trap

The trap here is that candidates often confuse the ServiceAccount admission plugin (which handles token creation) with the PodSecurity plugin (which enforces restrictions on token mounting), leading them to select D instead of B.

How to eliminate wrong answers

Option A is wrong because DefaultStorageClass is an admission plugin that sets a default storage class for PersistentVolumeClaims, not related to service account token security. Option C is wrong because NodeRestriction limits the Node API permissions for kubelets, preventing them from modifying pods or secrets on other nodes, but does not control service account token mounting. Option D is wrong because ServiceAccount is an admission plugin that handles service account creation and token binding, but it does not enforce restrictions on automatic token mounting; in fact, it is the plugin that enables the default behavior of mounting tokens.

939
MCQmedium

Refer to the exhibit. The pod fails to start with the error 'container has runAsNonRoot but image will run as root'. Which change would fix the issue?

A.Set runAsNonRoot: false
B.Change runAsUser to 0
C.Use a different image that runs as non-root
D.Add NET_ADMIN capability
AnswerA

Removes the non-root requirement, allowing the image to run as root.

Why this answer

The error 'container has runAsNonRoot but image will run as root' occurs because the Pod's security context sets `runAsNonRoot: true`, but the container image is configured to run as root (UID 0). Setting `runAsNonRoot: false` removes the enforcement, allowing the container to run as root as the image expects. This directly resolves the conflict between the security context constraint and the image's default user.

Exam trap

CNCF often tests the misconception that you must change the image or add capabilities to fix a `runAsNonRoot` violation, when in fact the simplest fix is to adjust the security context setting to match the image's behavior.

How to eliminate wrong answers

Option B is wrong because changing `runAsUser` to 0 explicitly sets the container to run as root, which still violates the `runAsNonRoot: true` constraint and would produce the same error. Option C is wrong because while using a different image that runs as non-root would technically fix the issue, it is not the only or most direct change; the question asks which change would fix the issue, and modifying the security context is a simpler, valid approach. Option D is wrong because adding `NET_ADMIN` capability does not affect the user ID the container runs as; it only grants network administration privileges and does not address the root/non-root mismatch.

940
MCQeasy

Which admission plugin should be enabled on the kube-apiserver to enforce that kubelets cannot modify nodes they are not assigned to?

A.AlwaysPullImages
B.NodeSelector
C.PodSecurity
D.NodeRestriction
AnswerD

NodeRestriction ensures kubelets can only modify their own node objects.

Why this answer

The NodeRestriction admission plugin ensures that kubelets can only modify their own Node API objects and pods bound to them. When enabled, it prevents a kubelet from modifying nodes it is not assigned to, enforcing the principle of least privilege and limiting the blast radius of a compromised kubelet.

Exam trap

The trap here is that candidates confuse admission plugins that control pod behavior (like PodSecurity or AlwaysPullImages) with those that restrict kubelet actions, or they mistakenly think NodeSelector is a security control rather than a scheduling feature.

How to eliminate wrong answers

Option A is wrong because AlwaysPullImages forces every pod to pull container images from the registry on each start, but it does not restrict kubelet actions on nodes. Option B is wrong because NodeSelector is a scheduling constraint that limits which nodes a pod can run on, not a mechanism to control kubelet node modifications. Option C is wrong because PodSecurity (formerly PodSecurityPolicy) enforces security contexts on pods, such as privilege escalation or host namespace usage, but does not regulate kubelet behavior regarding node objects.

941
MCQmedium

You need to run a container with a sandboxed runtime using gVisor (runsc). Which Kubernetes resource must be created first to enable this?

A.A RuntimeClass resource with handler: runsc
B.A PodSecurityPolicy that allows the runsc runtime
C.A ValidatingWebhookConfiguration to validate the runtime
D.A priorityClass with a high priority
AnswerA

RuntimeClass defines the container runtime to use for pods.

Why this answer

Option B is correct. A RuntimeClass resource must be defined to reference the gVisor runtime handler. The pod's spec then sets 'runtimeClassName' to that RuntimeClass.

Options A, C, and D are not required for using a runtime class.

942
MCQmedium

An administrator runs kubectl get clusterrolebindings and sees a binding named 'system:node'. This binding is part of the legacy node authorization. According to CIS benchmarks, what should be done with it?

A.Delete it and rely on NodeRestriction and Node authorizer
B.Modify the role to include only necessary permissions
C.Keep it as it is required for cluster functionality
D.Add a condition to limit it to read-only
AnswerA

CIS recommends removing the system:node binding and using NodeRestriction.

Why this answer

The 'system:node' ClusterRoleBinding is a legacy binding that grants the 'system:node' cluster role to all nodes, effectively bypassing the Node Authorizer and NodeRestriction admission plugin. The CIS Benchmark for Kubernetes (section 5.1.1) recommends deleting this binding because it allows nodes to have broad, unrestricted access to the API server, which undermines the principle of least privilege. Instead, the Node Authorizer and NodeRestriction plugin should be used to enforce fine-grained, node-specific permissions based on the node's identity and the pods it runs.

Exam trap

The trap here is that candidates may think the 'system:node' binding is essential for node-to-API-server communication, but in reality, the Node Authorizer and NodeRestriction plugin handle this securely, making the legacy binding a security risk that should be removed.

How to eliminate wrong answers

Option B is wrong because modifying the role to include only necessary permissions does not address the fundamental issue: the binding itself grants the 'system:node' role to all nodes, which is a legacy mechanism that bypasses the Node Authorizer; the correct action is to delete the binding entirely and rely on the Node Authorizer. Option C is wrong because the binding is not required for cluster functionality; modern Kubernetes clusters use the Node Authorizer and NodeRestriction plugin to manage node permissions, making this legacy binding obsolete and a security risk. Option D is wrong because adding a read-only condition does not solve the problem; the binding still grants broad access to all nodes, and the Node Authorizer provides more granular, dynamic permissions based on the node's identity and the pods it runs, which is the recommended approach.

943
MCQeasy

Which of the following is a best practice for securing container images?

A.Run containers as root to ensure all permissions are available
B.Use the 'latest' tag for base images to get the latest features
C.Use distroless base images to minimize the attack surface
D.Embed secrets directly in the Dockerfile for easy access
AnswerC

Distroless images contain only essential components, reducing the number of potential vulnerabilities.

Why this answer

Using minimal base images reduces the attack surface. Distroless images contain only the application and its runtime dependencies, reducing vulnerabilities.

944
MCQhard

You are asked to ensure that a specific Kubernetes dashboard (e.g., kubernetes-dashboard) is not publicly accessible. The dashboard is deployed in the 'kube-system' namespace. Which NetworkPolicy should you apply?

A.NetworkPolicy with podSelector: matchLabels: app: kubernetes-dashboard, policyTypes: [Ingress], ingress: [{from: [{namespaceSelector: {matchLabels: {}}}]}]
B.NetworkPolicy with podSelector: matchLabels: app: kubernetes-dashboard, policyTypes: [Ingress], ingress: []
C.NetworkPolicy with podSelector: matchLabels: app: kubernetes-dashboard, policyTypes: [Ingress], ingress: [{from: [{podSelector: {matchLabels: {app: kubernetes-dashboard}}}]}]
D.NetworkPolicy with podSelector: matchLabels: app: kubernetes-dashboard, policyTypes: [Egress], egress: [{to: [{podSelector: {}}]}]
AnswerB

An empty ingress list with Ingress policy type denies all ingress traffic.

Why this answer

Option B is correct because a NetworkPolicy with an empty `ingress` array (i.e., `ingress: []`) explicitly denies all inbound traffic to the selected pods. This ensures that the kubernetes-dashboard pod in the kube-system namespace is not publicly accessible, as no ingress rules are defined to allow any source. By default, if no NetworkPolicy selects a pod, all traffic is allowed; applying this policy changes the default to deny for ingress.

Exam trap

The trap here is that candidates often think an empty `ingress: []` means 'no restriction' (like an empty allow list) or confuse it with omitting the `ingress` field entirely, but in NetworkPolicy, an empty array explicitly denies all ingress traffic, while omitting the field leaves the default allow behavior unchanged.

How to eliminate wrong answers

Option A is wrong because it uses `namespaceSelector: {matchLabels: {}}` which matches all namespaces (since an empty label selector matches everything), effectively allowing traffic from any namespace, thus not restricting public access. Option C is wrong because it allows ingress only from pods with the same label `app: kubernetes-dashboard`, which would permit traffic from other dashboard pods (e.g., replicas) but still denies external traffic; however, the goal is to deny all ingress, and this rule still allows some internal traffic, which is not the strictest deny. Option D is wrong because it defines an Egress policy (controlling outbound traffic) instead of an Ingress policy, and it allows egress to all pods (`podSelector: {}`), which does not address inbound access to the dashboard.

945
MCQmedium

A security auditor requires that all pods in a cluster must not run as root. Which Pod Security Standard (PSS) and enforcement mode should be applied at the namespace level?

A.Baseline profile with enforce mode
B.Restricted profile with enforce mode
C.Baseline profile with warn mode
D.Privileged profile with audit mode
AnswerB

The Restricted profile requires runAsNonRoot: true, which prevents pods from running as root. Enforce mode rejects non-compliant pods.

Why this answer

The Restricted Pod Security Standard enforces runAsNonRoot: true, which is the requirement. Using enforce mode ensures that any pod violating this policy is rejected at admission.

946
Multi-Selectmedium

Which THREE options are valid methods to secure etcd in a Kubernetes cluster?

Select 3 answers
A.Set --auto-compaction-mode=periodic
B.Enable TLS with peer and client certificates
C.Use a firewall to restrict access to etcd's port
D.Encrypt secrets at rest using EncryptionConfiguration
E.Enable RBAC authorization in etcd
AnswersB, C, D

Encrypts communication and authenticates clients.

Why this answer

Option B is correct because enabling TLS with peer and client certificates encrypts all communication between etcd members and between etcd and the Kubernetes API server, preventing man-in-the-middle attacks and unauthorized access. This is a fundamental security requirement for etcd in production clusters, as etcd stores all cluster state and secrets.

Exam trap

The trap here is that candidates may confuse etcd's maintenance features (like compaction) with security controls, or assume that Kubernetes RBAC extends to etcd, when in fact etcd has its own separate access control mechanisms.

947
MCQmedium

Which of the following is a recommended practice when securing the Kubernetes Dashboard?

A.Access the Dashboard using 'kubectl proxy' and never expose it publicly.
B.Expose the Dashboard via a LoadBalancer service for easy access.
C.Disable authentication for the Dashboard to simplify access.
D.Grant the Dashboard service account cluster-admin permissions.
AnswerA

kubectl proxy provides a secure way to access the Dashboard without exposing it to the network.

Why this answer

Accessing the Kubernetes Dashboard via 'kubectl proxy' is recommended because it creates a local HTTP proxy between your workstation and the API server, ensuring the Dashboard is never exposed to external networks. This approach leverages the API server's authentication and authorization mechanisms, avoiding the need to open network ports or expose the Dashboard directly, which aligns with the principle of least privilege and reduces the attack surface.

Exam trap

The trap here is that candidates often assume exposing the Dashboard via a LoadBalancer or NodePort is acceptable for convenience, but Cisco tests the understanding that the Dashboard must never be publicly accessible and should only be accessed through the API server proxy to enforce authentication and authorization.

How to eliminate wrong answers

Option B is wrong because exposing the Dashboard via a LoadBalancer service makes it publicly accessible over the internet, which violates security best practices by increasing the attack surface and potentially allowing unauthorized access. Option C is wrong because disabling authentication for the Dashboard removes all access controls, allowing anyone who can reach the Dashboard URL to perform actions with the Dashboard's service account permissions, which is a severe security risk. Option D is wrong because granting the Dashboard service account cluster-admin permissions provides unrestricted superuser access across the entire cluster, violating the principle of least privilege and enabling privilege escalation if the Dashboard is compromised.

948
MCQhard

You want to ensure that kubelets only serve pods that have been scheduled by the API server. Which admission plugin should be enabled?

A.ServiceAccount
B.AlwaysPullImages
C.PodNodeSelector
D.NodeRestriction
AnswerD

This plugin restricts kubelet self-modification and ensures pods are bound to the node.

Why this answer

The NodeRestriction admission plugin limits the Node and Pod objects a kubelet can modify. When enabled, each kubelet can only create/modify pods bound to its own node, and only pods that have been scheduled by the API server (i.e., have a non-empty `spec.nodeName` set by the scheduler). This prevents a compromised kubelet from creating arbitrary pods or modifying pods on other nodes, enforcing that only the API server schedules pods.

Exam trap

The trap here is that candidates confuse admission plugins that control pod placement (like PodNodeSelector) with the plugin that restricts kubelet actions (NodeRestriction), leading them to select PodNodeSelector because it sounds related to node selection, but it does not enforce that pods are only created by the API server.

How to eliminate wrong answers

Option A is wrong because ServiceAccount is an admission plugin that enforces service account automounting and token projection, not node-level pod scheduling restrictions. Option B is wrong because AlwaysPullImages forces every pod to pull its images with credentials, which is a security measure for image integrity, not for restricting pod scheduling to API-server-scheduled pods. Option C is wrong because PodNodeSelector enforces namespace-level node selector constraints on pods, but it does not prevent a kubelet from creating or modifying pods that were not scheduled by the API server.

949
Multi-Selecthard

Which THREE flags should be set on the kubelet to comply with the CIS Benchmark for worker node security?

Select 3 answers
A.--authentication-token-webhook=false
B.--read-only-port=10255
C.--anonymous-auth=false
D.--protect-kernel-defaults=true
E.--authorization-mode=Webhook
AnswersC, D, E

Disables anonymous authentication.

Why this answer

Option C is correct because the CIS Benchmark for Kubernetes requires disabling anonymous authentication on the kubelet by setting `--anonymous-auth=false`. This ensures that all requests to the kubelet are authenticated, preventing unauthenticated access to the kubelet API, which could allow an attacker to execute commands or retrieve sensitive node information.

Exam trap

CNCF often tests the distinction between authentication and authorization flags, leading candidates to confuse `--authentication-token-webhook=false` (which weakens security) with the required `--authorization-mode=Webhook` (which strengthens it).

950
MCQhard

A security audit reveals that a Deployment uses an image with a mutable tag 'app:latest'. Which change ensures the image is immutable and traceable?

A.Change tag to 'app:stable'
B.Set 'replicas: 1'
C.Use 'image: app@sha256:abc123...'
D.Add 'imagePullPolicy: Always'
AnswerC

Using a digest ensures the exact image layer is used, providing immutability.

Why this answer

Using a SHA digest ensures the image is immutable and exactly the same version each time. Option C is correct.

951
MCQmedium

An administrator wants to enforce a policy that all containers must drop ALL capabilities and not allow privilege escalation. Which YAML snippet correctly implements this requirement in a PodSecurityPolicy-like manner using a security context? (Note: PodSecurityPolicy is deprecated; consider using a ValidatingAdmissionPolicy or OPA/Gatekeeper, but for this question choose the correct security context fields.)

A.securityContext: { privileged: false, capabilities: { drop: ["ALL"] } }
B.securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: ["ALL"] } }
C.securityContext: { allowPrivilegeEscalation: false, capabilities: { add: ["ALL"] } }
D.spec: { allowPrivilegeEscalation: false, capabilities: { drop: ["ALL"] } }
AnswerB

Correctly sets both fields at the container security context level.

Why this answer

The correct approach is to set 'allowPrivilegeEscalation: false' and 'capabilities.drop: ["ALL"]' under the container's securityContext. This ensures no privilege escalation and drops all capabilities.

952
MCQmedium

A pod has securityContext.readOnlyRootFilesystem: true. What happens if a process inside the container tries to write to the root filesystem?

A.The write will succeed because tmpfs is used
B.The write will fail with an error
C.The kernel will allow the write but log it
D.The pod will be restarted
AnswerB

Why this answer

The write will fail because the root filesystem is read-only.

953
MCQmedium

You are deploying a microservice that must run as a non-root user and have a read-only root filesystem. Which two fields must be set in the PodSecurityContext or container SecurityContext?

A.allowPrivilegeEscalation: false
B.seLinuxOptions
C.runAsUser: 1000
D.readOnlyRootFilesystem: true
E.runAsNonRoot: true
AnswerD, E

Makes the container's root filesystem read-only.

Why this answer

The correct options are A and B. runAsNonRoot: true ensures the container runs as a non-root user; readOnlyRootFilesystem: true makes the root filesystem read-only. Option C is unrelated, D disables privilege escalation but does not enforce non-root/read-only root, and E is a deprecated field.

954
MCQhard

You have a Falco rule that triggers on 'spawned a shell in a container'. The rule is firing too many false positives. Which field in the Falco rule could you modify to reduce false positives?

A.filter
B.output
C.format
D.priority
AnswerD

Why this answer

Falco rules have an 'output' field for message, but the 'priority' field allows you to set the severity (e.g., WARNING, CRITICAL). Changing the priority helps filter alerts. Option C is correct.

Option A is about the message text. Option B is not a standard field. Option D is used to specify the rule output format.

955
Drag & Dropmedium

Arrange the steps to secure etcd in a Kubernetes cluster.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Securing etcd involves TLS configuration, restarting, health verification, and network restriction.

956
MCQeasy

Which of the following seccomp profile types should be used to apply the container runtime's default seccomp profile?

A.Unconfined
B.RuntimeDefault
C.Default
D.Localhost
AnswerB

RuntimeDefault applies the container runtime's default seccomp profile.

Why this answer

The 'RuntimeDefault' type tells the runtime to use its default seccomp profile.

957
MCQmedium

An administrator wants to enforce that all containers in a Kubernetes cluster run as non-root and have read-only root filesystems using OPA/Gatekeeper. Which two resources must be created?

A.NetworkPolicy and RoleBinding
B.PodSecurityPolicy and ClusterRole
C.ValidatingWebhookConfiguration and MutatingWebhookConfiguration
D.ConstraintTemplate and Constraint
AnswerD

ConstraintTemplate contains the Rego policy; Constraint applies it to specific resources.

Why this answer

In OPA/Gatekeeper, a ConstraintTemplate defines the Rego logic (policy), and a Constraint instantiates that policy with specific parameters and scope. Pod Security Policies are deprecated; PodSecurity admission is a separate mechanism. ValidatingWebhookConfiguration is auto-managed by Gatekeeper.

958
MCQhard

You are writing a Rego policy for OPA Gatekeeper to deny pods that do not have 'runAsNonRoot: true' set in their security context. The ConstraintTemplate expects an input parameter 'runAsNonRoot' that is a boolean. Which Rego rule correctly denies such pods?

A.violation[{"msg": msg}] { container := input.review.object.spec.containers[_] not container.securityContext.runAsNonRoot msg := "Container must run as non-root" } violation[{"msg": msg}] { pod := input.review.object not pod.spec.securityContext.runAsNonRoot msg := "Pod must run as non-root" }
B.violation[{"msg": msg}] { container := input.review.object.spec.containers[_] not has_field(container, "securityContext") or not container.securityContext.runAsNonRoot msg := "Container must set runAsNonRoot: true" }
C.violation[{"msg": msg}] { container := input.review.object.spec.containers[_] not container.securityContext.runAsNonRoot msg := "Container must run as non-root" }
D.violation[{"msg": msg}] { pod := input.review.object not pod.spec.securityContext.runAsNonRoot msg := "Pod must run as non-root" }
959
Multi-Selecteasy

Which TWO tools can be used to directly interact with a container runtime on a Kubernetes node without using kubectl?

Select 2 answers
A.systemctl
B.kubectl
C.ctr
D.docker
E.crictl
AnswersC, E

ctr is a CLI for containerd.

Why this answer

crictl and ctr are CLI tools for interacting with CRI-compatible container runtimes. kubectl and docker are not available on nodes by default; docker is not always the runtime.

960
Multi-Selecthard

Which THREE of the following are capabilities that should typically be dropped from a container to minimize vulnerabilities?

Select 3 answers
A.CHOWN
B.NET_ADMIN
C.NET_RAW
D.KILL
E.SETUID
AnswersB, C, E

Allows network administration; often dropped.

961
MCQeasy

To encrypt secrets at rest, which file must be modified on the control plane nodes?

A./etc/kubernetes/scheduler.conf
B./etc/kubernetes/manifests/kube-apiserver.yaml
C./etc/kubernetes/etcd.yaml
D./etc/kubernetes/kubelet.conf
AnswerB

This is the static pod manifest for the API server; you add the --encryption-provider-config flag here.

Why this answer

Option C is correct. The EncryptionConfiguration is a resource that is passed to the kube-apiserver via the --encryption-provider-config flag. The API server configuration is typically in a YAML file passed to the API server.

Options A and B are not relevant. Option D is for etcd.

962
MCQmedium

Which audit stage in Kubernetes audit logging captures the stage after a request is processed and before a response is sent?

A.ResponseComplete
B.Panic
C.RequestReceived
D.ResponseStarted
AnswerD

Why this answer

ResponseStarted captures the stage after the request is processed but before the response body is sent.

963
MCQeasy

Which kubectl command can be used to view the live logs of a container in a pod named 'my-pod'?

A.kubectl attach my-pod
B.kubectl logs my-pod --tail 10
C.kubectl logs -f my-pod
D.kubectl exec my-pod -- journalctl
AnswerC

Correct: -f follows log output.

Why this answer

The correct command is 'kubectl logs -f my-pod'. The -f flag streams logs in real time.

964
MCQeasy

Which admission plugin should be enabled on the API server to ensure that the kubelet cannot modify its own Node object beyond its assigned node?

A.PodSecurityPolicy
B.AlwaysPullImages
C.ServiceAccount
D.NodeRestriction
AnswerD

This plugin enforces node-level restrictions.

Why this answer

The NodeRestriction admission plugin limits the kubelet's ability to modify its own Node object, ensuring it can only label, taint, or update status on its assigned Node. This prevents a compromised kubelet from impersonating other nodes or escalating privileges. It is the correct plugin for enforcing node-scoped kubelet permissions.

Exam trap

CNCF often tests the trap where candidates confuse NodeRestriction with PodSecurityPolicy or other admission controllers that deal with pod security, not kubelet node permissions.

How to eliminate wrong answers

Option A is wrong because PodSecurityPolicy is a deprecated admission controller that enforces security constraints on pods (e.g., privileged containers, host namespaces), not on kubelet node modifications. Option B is wrong because AlwaysPullImages forces image pull policy to Always for all pods, addressing image freshness and registry authentication, not node object restrictions. Option C is wrong because ServiceAccount manages service account creation and token mounting for pods, not kubelet node access control.

965
MCQmedium

A pod named 'compromised-pod' is suspected of making unauthorized outbound connections. You want to isolate the pod using a NetworkPolicy. Which policy correctly denies all egress traffic from the pod?

A.NetworkPolicy with podSelector: {} and egress: [{to: [{ipBlock: {cidr: 0.0.0.0/0}}]}]
B.NetworkPolicy with podSelector: matchLabels: app: compromised and policyTypes: ["Ingress"]
C.NetworkPolicy with podSelector: matchLabels: app: compromised and egress: []
D.NetworkPolicy with podSelector: matchLabels: app: compromised and egress: [{to: [{podSelector: {}}]}]
AnswerC

Correct: empty egress list denies all egress from the selected pod.

Why this answer

To deny all egress traffic, a NetworkPolicy must have podSelector matching the pod and an empty egress rules list (or a rule with no to). Option B matches the pod and has no egress rules, defaulting to deny.

966
MCQmedium

Which Falco rule condition would detect an attempt to read the /etc/shadow file in a container?

A.evt.type=open and fd.name=/etc/shadow
B.evt.type=write and fd.name=/etc/shadow
C.evt.type=read and fd.name=/etc/shadow
D.evt.type=execve and proc.name=shadow
AnswerA

This condition correctly matches open syscalls on /etc/shadow.

Why this answer

Falco uses conditions like 'evt.type=open' and 'fd.name=/etc/shadow' to detect file access. The open syscall is used for opening files.

967
Multi-Selectmedium

Which TWO of the following are best practices for securing the container supply chain?

Select 2 answers
A.Scan images for vulnerabilities in a CI pipeline before deploying.
B.Use image signing and verification (e.g., with cosign) to ensure image integrity.
C.Embed API keys directly in container images for authentication.
D.Allow all images from any registry without verification to speed up development.
E.Use mutable tags like 'latest' for easier updates.
AnswersA, B

Scanning helps catch known vulnerabilities early.

Why this answer

Scanning images for vulnerabilities in a CI pipeline before deployment is a best practice because it catches known CVEs early, preventing vulnerable images from reaching production. Tools like Trivy, Clair, or Grype integrate into CI/CD to enforce policy gates, ensuring only compliant images proceed.

Exam trap

CNCF often tests the distinction between 'scanning for vulnerabilities' (Option A) and 'signing for integrity' (Option B) as complementary but distinct practices, and the trap is that candidates might think only one is needed or confuse signing with scanning.

968
Multi-Selectmedium

Which TWO of the following are recommended practices according to the CIS Kubernetes Benchmark? (Select 2)

Select 2 answers
A.Enable audit logging on the API server
B.Disable anonymous authentication on the API server
C.Enable anonymous authentication on the kubelet
D.Use the AlwaysAllow authorization mode
E.Disable the NodeRestriction admission plugin
AnswersA, B

CIS recommends enabling audit logging with a policy file.

Why this answer

Option A is correct because the CIS Kubernetes Benchmark recommends enabling audit logging on the API server to record all requests and responses, which is essential for security monitoring, forensics, and compliance. Option B is correct because disabling anonymous authentication on the API server prevents unauthenticated requests from being processed, reducing the attack surface. The benchmark specifically advises setting `--anonymous-auth=false` on the API server to enforce authentication for all requests.

Exam trap

CNCF often tests the distinction between the API server and the kubelet: candidates may incorrectly assume that disabling anonymous authentication on the API server also applies to the kubelet, or they may confuse the recommendation to disable anonymous authentication on the API server with enabling it on the kubelet, which is a common trap.

969
Multi-Selectmedium

Which THREE of the following are best practices for reducing the attack surface of Kubernetes nodes?

Select 3 answers
A.Minimize host access from containers (e.g., disable hostPID, hostNetwork)
B.Use minimal base container images
C.Disable unnecessary system services on nodes
D.Expose the host network to containers for better performance
E.Run containers as root to simplify permissions
AnswersA, B, C

Reduces the container's ability to affect the host.

Why this answer

Option A is correct because disabling hostPID and hostNetwork prevents containers from accessing the host's process namespace and network stack, which would otherwise allow privilege escalation or network sniffing. This aligns with the principle of least privilege and reduces the node's attack surface by isolating container workloads from the host OS.

Exam trap

CNCF often tests the misconception that hostNetwork improves performance without security trade-offs, or that running as root is acceptable for legacy apps, but the CKS exam expects strict adherence to least privilege and namespace isolation.

970
MCQmedium

A NodePort service is not accessible from outside the cluster. Which command should you use to check if the service's endpoints are correctly populated?

A.kubectl get svc <service-name> -o yaml
B.kubectl get pods -l <selector>
C.kubectl describe service <service-name>
D.kubectl get endpoints <service-name>
AnswerD

This command shows the endpoints (pod IPs) associated with the service.

Why this answer

kubectl get endpoints lists the endpoints for a service, showing the IPs and ports of the pods backing the service. If endpoints are missing, the service won't route traffic.

971
MCQhard

A developer wants to ensure the container image used in a Deployment is immutable. Which approach BEST guarantees that the exact same image is used every time, preventing tag mutation?

A.Use the image digest like 'myapp@sha256:abc123'
B.Use a tag like 'v1.0-20231001' with a date
C.Use the tag 'v1.0' in the image field
D.Pin the image using a 'latest' tag
AnswerA

Digests are immutable and guarantee the exact image content.

Why this answer

Using a digest (SHA256) ensures that the image identifier is unique to the content, making it immutable. Tags like 'v1.0' can be overwritten.

972
MCQeasy

An administrator wants to prevent a container from accessing the host's network. Which pod security context field should be set to false?

A.hostIPC
B.privileged
C.hostPID
D.hostNetwork
AnswerD

Setting hostNetwork: false prevents the container from using the host's network.

Why this answer

The `hostNetwork` field in the Pod Security Context, when set to `true`, allows the container to use the host's network namespace directly, bypassing the pod's own network stack. Setting it to `false` (the default) ensures the container uses an isolated network namespace, preventing direct access to host network interfaces, iptables rules, and network services. This is the correct field to disable to meet the requirement of preventing container access to the host's network.

Exam trap

CNCF often tests the distinction between `hostNetwork` and `privileged` — candidates mistakenly think that disabling `privileged` alone prevents host network access, but `privileged` controls capabilities and device access, not namespace isolation, so `hostNetwork` must be explicitly set to `false`.

How to eliminate wrong answers

Option A is wrong because `hostIPC` controls access to the host's Inter-Process Communication (IPC) namespace (e.g., shared memory segments), not network access. Option B is wrong because `privileged` grants the container all capabilities and removes most kernel-level restrictions, but it does not specifically control network namespace sharing; a privileged container can still have `hostNetwork: false` and be isolated from the host network. Option C is wrong because `hostPID` allows the container to see all host processes via the PID namespace, which is unrelated to network access.

973
Multi-Selecthard

Which THREE of the following are required to implement a secure software supply chain using Kubernetes native features?

Select 3 answers
A.Use vulnerability scanning tools like Trivy or Grype in the CI/CD pipeline.
B.Disable admission controllers to reduce latency in pod creation.
C.Integrate image signature verification into the admission webhook (e.g., using cosign and Kyverno).
D.Run all containers as root inside the pod to avoid permission issues.
E.Enforce policies using OPA Gatekeeper or Kyverno to restrict allowed registries and image constraints.
AnswersA, C, E

Scanning prevents deployment of images with known vulnerabilities.

Why this answer

Option A is correct because vulnerability scanning tools like Trivy or Grype are essential for identifying known CVEs in container images before deployment. Integrating these tools into the CI/CD pipeline ensures that only images with an acceptable vulnerability posture are built and pushed to the registry, forming a foundational security gate in the software supply chain.

Exam trap

CNCF often tests the misconception that disabling security controls (like admission controllers) is acceptable for performance, when in fact it undermines the entire supply chain security model.

974
Multi-Selectmedium

Which TWO of the following tools can generate an SBOM (Software Bill of Materials) for a container image?

Select 2 answers
A.syft
B.cosign attest
C.Clair
D.kubesec
E.Snyk
AnswersA, B

syft is a dedicated SBOM generation tool.

Why this answer

Correct answers: A and D. syft and cosign attest (specifically 'cosign attest --predicate sbom' or using cosign with an SBOM) are tools that can generate SBOMs. Trivy can also generate SBOMs (trivy image --format spdx), but the question asks specifically for tools that can generate SBOM. Trivy is primarily a scanner, but it can generate SBOM.

However, the most common dedicated SBOM tools are syft and cosign attest. Clair and Snyk are vulnerability scanners, not SBOM generators. Option E (kubesec) is for static analysis of manifests.

975
Multi-Selectmedium

Which TWO of the following are recommendations from the CIS Kubernetes Benchmark?

Select 2 answers
A.Enable audit logging
B.Use TokenReview API for authentication
C.Disable anonymous authentication
D.Set --protect-kernel-defaults=false on kubelet
E.Enable the insecure port for kubelet
AnswersA, C

CIS recommends enabling audit logging.

Why this answer

The CIS Kubernetes Benchmark recommends enabling audit logging to record all API server requests, which is essential for security monitoring and forensic analysis. It also recommends disabling anonymous authentication to ensure that all requests are authenticated, preventing unauthenticated access to the cluster.

Exam trap

CNCF often tests the exact wording of CIS Benchmark recommendations, so candidates may confuse 'disable anonymous authentication' with 'disable authentication entirely' or mistakenly think the TokenReview API is a benchmark recommendation when it is just a standard API object.

Page 12

Page 13 of 14

Page 14