Certified Kubernetes Security Specialist CKS (CKS) — Questions 151225

997 questions total · 14pages · All types, answers revealed

Page 2

Page 3 of 14

Page 4
151
Multi-Selecthard

Which TWO of the following are valid methods to enforce mTLS in an Istio service mesh? (Select 2)

Select 2 answers
A.Create a ServiceEntry for internal services
B.Create a VirtualService with tls termination
C.Create a PeerAuthentication resource with mtls.mode: STRICT
D.Set global.mtls.enabled: true in IstioConfigMap
E.Create a DestinationRule with tls.mode: ISTIO_MUTUAL
AnswersC, E

PeerAuthentication enforces mTLS at the sidecar proxy level.

Why this answer

PeerAuthentication enforces mTLS on the server side, and DestinationRule configures the client side. Both are used together for comprehensive mTLS enforcement.

152
Drag & Dropmedium

Order the steps to configure and use Falco for runtime security in a Kubernetes cluster.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Falco installation, configuration, deployment as DaemonSet, monitoring alerts, and tuning are the key steps.

153
MCQmedium

A security audit reveals that a service account in the 'default' namespace has been granted cluster-admin privileges via a ClusterRoleBinding. What is the best mitigation?

A.Disable the service account token automount
B.Delete the service account
C.Modify the ClusterRoleBinding to use a less privileged role
D.Set --authorization-mode=AlwaysDeny
AnswerC

The best approach is to follow least-privilege: bind the service account to a role with only the necessary permissions.

Why this answer

Option C is correct because the best practice is to apply the principle of least privilege: instead of deleting the service account or disabling its token, you should modify the ClusterRoleBinding to bind the service account to a ClusterRole with only the permissions it actually needs. This retains the service account's functionality while removing excessive cluster-admin privileges, which grant unrestricted access to all cluster resources.

Exam trap

The trap here is that candidates often think disabling the token automount or deleting the service account removes the RBAC permissions, but in reality, the ClusterRoleBinding itself must be updated or deleted to actually revoke the granted privileges.

How to eliminate wrong answers

Option A is wrong because disabling the service account token automount (e.g., via automountServiceAccountToken: false) prevents the token from being mounted into pods, but it does not revoke the already-granted cluster-admin privileges; the ClusterRoleBinding remains in effect. Option B is wrong because deleting the service account removes the identity, but any pods or workloads that depend on it will fail, and the ClusterRoleBinding would become orphaned (pointing to a non-existent subject), which is a disruptive and incomplete fix. Option D is wrong because setting --authorization-mode=AlwaysDeny on the API server would deny all requests cluster-wide, breaking all administrative and workload operations, and is not a targeted mitigation for an over-privileged binding.

154
MCQmedium

You are reviewing RBAC permissions and notice a ClusterRoleBinding that binds the cluster-admin role to a service account in the 'monitoring' namespace. What is the best practice recommendation?

A.Keep the binding as it is required for monitoring
B.Delete the service account
C.Replace cluster-admin with a custom Role granting only necessary permissions
D.Change the binding to a RoleBinding in the monitoring namespace
AnswerC

This follows least-privilege principle.

Why this answer

Option C is correct because the principle of least privilege dictates that a service account should only have the permissions necessary for its function. The cluster-admin role grants superuser access across the entire cluster, which is excessive for a monitoring service account. Replacing it with a custom Role that includes only the required API operations (e.g., get, list, watch on pods and nodes) reduces the attack surface and aligns with Kubernetes security best practices.

Exam trap

CNCF often tests the misconception that a RoleBinding can replace a ClusterRoleBinding for cluster-scoped tasks, but a RoleBinding cannot grant access to cluster-scoped resources like nodes or persistent volumes, so candidates must recognize when a ClusterRoleBinding is necessary even after reducing permissions.

How to eliminate wrong answers

Option A is wrong because keeping a cluster-admin binding for a monitoring service account violates the principle of least privilege and unnecessarily exposes the cluster to privilege escalation if the service account is compromised. Option B is wrong because deleting the service account would break the monitoring functionality; the correct approach is to adjust its permissions, not remove it entirely. Option D is wrong because changing to a RoleBinding in the monitoring namespace would restrict permissions to that namespace only, but the monitoring service account likely needs cluster-scoped access (e.g., to read node metrics) and a RoleBinding cannot grant cluster-scoped permissions.

155
MCQmedium

A security admin runs 'trivy image --severity CRITICAL,HIGH myrepo/myapp:latest' and sees many CVEs. The admin wants to ensure that only images with no CRITICAL or HIGH severity vulnerabilities are deployed to the cluster. Which admission controller should be configured to enforce this policy?

A.PodSecurityPolicy
B.ValidatingAdmissionWebhook
C.MutatingAdmissionWebhook
D.ImagePolicyWebhook
AnswerD

ImagePolicyWebhook is specifically designed to check container images against an external policy service before admission.

Why this answer

An ImagePolicyWebhook admission controller can be used to evaluate container images against a policy, such as requiring scan results to be free of specified vulnerabilities. Options A, B, and D are not designed for this purpose.

156
MCQeasy

Which of the following is the correct command to load an AppArmor profile from a file named 'my-profile'?

A.apparmor_load my-profile
B.apparmor_parser my-profile
C.apparmor_parser -R my-profile
D.systemctl start apparmor my-profile
AnswerB

Correct. apparmor_parser loads the profile.

Why this answer

The correct command to load an AppArmor profile from a file is `apparmor_parser my-profile`. The `apparmor_parser` tool is used to load, replace, or remove AppArmor profiles into the kernel. When invoked without flags, it loads the profile from the specified file into the kernel's AppArmor security module, enforcing the defined access controls.

Exam trap

The trap here is that candidates confuse `apparmor_parser` with a hypothetical `apparmor_load` command or misuse the `-R` flag, thinking it stands for 'run' or 'reload' instead of 'remove'.

How to eliminate wrong answers

Option A is wrong because `apparmor_load` is not a valid command; the correct tool is `apparmor_parser`. Option C is wrong because `apparmor_parser -R my-profile` removes (unloads) the profile from the kernel, not loads it. Option D is wrong because `systemctl start apparmor my-profile` is invalid syntax; `systemctl` manages the AppArmor service itself (e.g., `systemctl start apparmor`), not individual profiles, and passing a profile name as an argument is not supported.

157
Multi-Selecthard

Which THREE of the following are required to secure etcd in a Kubernetes cluster?

Select 3 answers
A.Configure RBAC for etcd
B.Allow anonymous access for monitoring
C.Require client certificate authentication
D.Enable encryption at rest for secrets
E.Use TLS for peer and client communication
AnswersC, D, E

Authenticates clients.

Why this answer

Option C is correct because etcd requires client certificate authentication to verify the identity of clients (such as kube-apiserver) connecting to it. Without mutual TLS (mTLS), an attacker could impersonate a legitimate client and read or modify cluster state, including secrets and configuration data.

Exam trap

CNCF often tests the misconception that etcd has its own RBAC or that anonymous access can be safely allowed for monitoring, when in fact etcd relies solely on TLS certificate authentication and encryption at rest is a separate mandatory control.

158
MCQhard

An administrator wants to use OPA Gatekeeper to enforce that all pods have a resource limits section defined. Which of the following is the correct combination to implement this policy?

A.Create a NetworkPolicy to block pods without limits.
B.Create a MutatingWebhookConfiguration to add resource limits automatically.
C.Create a ValidatingWebhookConfiguration that calls an external service to validate pod limits.
D.Create a ConstraintTemplate with a Rego policy that checks for 'spec.containers[*].resources.limits', then create a Constraint targeting pods.
AnswerD

Gatekeeper uses ConstraintTemplate (Rego) and Constraint to enforce policies. The Rego policy inspects the resource limits.

159
MCQmedium

An organization uses Kyverno to enforce policies. Which Kyverno rule action would you use to require that all images come from a specific registry?

A.verifyImages
B.generate
C.mutate
D.validate
AnswerD

Validate rules enforce conditions; if not met, the resource is denied.

Why this answer

Kyverno policies can validate, mutate, or generate resources. To enforce a condition (e.g., image registry), use the 'validate' action. If the condition fails, the resource is rejected.

160
MCQmedium

A pod is running with AppArmor enabled using a profile named 'k8s-apparmor-profile'. You want to verify that the profile is loaded and set to enforce mode. Which command should you run on the node?

A.aa-status
B.aa-profile --status
C.aa-enabled
D.cat /sys/kernel/security/apparmor/profiles
AnswerA

'aa-status' lists all loaded AppArmor profiles and their modes (enforce/complain).

Why this answer

Option A is correct because `aa-status` is the standard AppArmor utility that displays the status of AppArmor, including which profiles are loaded and their enforcement mode (enforce, complain, or unconfined). Running this command on the node will show whether 'k8s-apparmor-profile' is loaded and set to enforce mode, which directly answers the verification requirement.

Exam trap

The trap here is that candidates may confuse `aa-enabled` (which only checks if AppArmor is enabled) with `aa-status` (which shows loaded profiles and their modes), or they may think the raw kernel interface file is the correct answer, but the CKS exam expects knowledge of the standard user-space tool `aa-status` for verification.

How to eliminate wrong answers

Option B is wrong because `aa-profile --status` is not a valid AppArmor command; the correct command to check profile status is `aa-status` or `apparmor_status`. Option C is wrong because `aa-enabled` only checks if AppArmor is enabled on the system (returns 0 if enabled, 1 if not), but it does not list loaded profiles or their enforcement mode. Option D is wrong because while `cat /sys/kernel/security/apparmor/profiles` does list loaded profiles and their modes, it is a raw kernel interface that may not be available in all environments (e.g., containers or systems without securityfs mounted) and is less user-friendly than `aa-status`; the question asks for a command to run, and `aa-status` is the standard, reliable tool.

161
MCQhard

A security policy requires that all communication to etcd be encrypted. Which two components must be configured with TLS certificates to achieve this? (Select two)

A.kubelet
B.kube-apiserver
C.kube-scheduler
D.kube-controller-manager
E.etcd
AnswerB, E

The API server connects to etcd as a client.

Why this answer

The kube-apiserver is the only Kubernetes control plane component that directly communicates with etcd. To encrypt this communication, TLS certificates must be configured on both the kube-apiserver (as the client) and etcd (as the server). The kube-apiserver presents its client certificate to etcd, and etcd presents its server certificate to the kube-apiserver, establishing a mutually authenticated TLS session.

Exam trap

The trap here is that candidates often assume all control plane components (scheduler, controller-manager) communicate directly with etcd, but in reality only the kube-apiserver interacts with etcd, while the others only talk to the apiserver.

How to eliminate wrong answers

Option A is wrong because the kubelet communicates with the kube-apiserver, not directly with etcd, so its TLS configuration is for node-to-apiserver encryption, not etcd communication. Option C is wrong because the kube-scheduler communicates only with the kube-apiserver via HTTPS, not directly with etcd, and thus does not require TLS certificates for etcd encryption. Option D is wrong because the kube-controller-manager also communicates solely with the kube-apiserver, not with etcd directly, so its TLS setup is irrelevant to encrypting etcd traffic.

162
Multi-Selectmedium

Which THREE of the following are best practices for securing the software supply chain in a CI/CD pipeline?

Select 3 answers
A.Sign images with Cosign after building
B.Generate an SBOM for each image
C.Scan container images for vulnerabilities using Trivy
D.Use a non-minimal base image to ensure all libraries are available
E.Store secrets in the Dockerfile as build args
AnswersA, B, C

Ensures image integrity and provenance.

Why this answer

Scanning images for vulnerabilities, generating SBOMs, and signing images are all key supply chain security practices.

163
MCQmedium

You need to enable audit logging for the Kubernetes API server. Which two flags must be set?

A.--audit-log-path and --audit-log-maxage
B.--audit-policy-file and --audit-log-maxbackup
C.--audit-log-path and --audit-policy-file
D.--audit-log-path and --authorization-mode=RBAC
AnswerC

Correct. Both are required.

Why this answer

Option C is correct because to enable audit logging in the Kubernetes API server, you must specify both an audit policy file (using --audit-policy-file) to define which events should be logged and at what level, and a log file path (using --audit-log-path) to specify where the audit logs should be written. Without the policy file, the API server does not know which requests to audit; without the log path, the audit events have no output destination.

Exam trap

CNCF often tests the distinction between mandatory flags (--audit-log-path and --audit-policy-file) and optional retention flags (--audit-log-maxage, --audit-log-maxbackup, --audit-log-maxsize), leading candidates to select options that include only retention flags or mix authorization flags with audit flags.

How to eliminate wrong answers

Option A is wrong because --audit-log-maxage is an optional flag that controls the maximum number of days to retain old audit log files, but it is not required to enable audit logging; the two mandatory flags are --audit-log-path and --audit-policy-file. Option B is wrong because --audit-log-maxbackup is also an optional flag that sets the maximum number of old audit log files to retain, and it does not replace the need for --audit-log-path or --audit-policy-file. Option D is wrong because --authorization-mode=RBAC is used to enable Role-Based Access Control for authorization, not for audit logging; audit logging requires the policy file and log path flags.

164
MCQmedium

You are implementing a policy to ensure all containers in a namespace run as non-root. Which of the following is the most appropriate approach to enforce this at the cluster level?

A.Create a PodSecurityPolicy that requires runAsNonRoot
B.Use OPA/Gatekeeper with a ConstraintTemplate that checks runAsNonRoot is set to true
C.Set runAsNonRoot in the securityContext of each Pod spec manually
D.Configure a ValidatingAdmissionPolicy with a CEL rule requiring runAsNonRoot
AnswerB

OPA/Gatekeeper can enforce policies via admission webhooks, and a ConstraintTemplate can validate that all containers have runAsNonRoot: true.

Why this answer

OPA/Gatekeeper uses ConstraintTemplates and Constraints to enforce policies like requiring runAsNonRoot. A PodSecurityPolicy is deprecated. A ValidatingAdmissionPolicy is a beta feature that could be used but is less common than OPA/Gatekeeper for this purpose.

Configuring each Pod manually is not scalable. Setting runAsNonRoot in the PodSecurityContext only applies to that specific pod, not enforced cluster-wide.

165
MCQhard

A DevOps team wants to enforce that all Deployments must have a specific label 'app.kubernetes.io/name'. Which tool can be used to validate this in the admission controller stage?

A.Trivy
B.Cosign
C.Kyverno
D.Syft
AnswerC

Kyverno can enforce policies like requiring specific labels on resources.

Why this answer

Kyverno is a Kubernetes-native policy engine that can validate, mutate, and generate resources using admission controller webhooks. It can enforce that certain labels exist on resources.

166
Multi-Selecthard

Which THREE of the following are recommended steps during incident response for a compromised pod? (Choose three.)

Select 3 answers
A.Take a memory dump of the container for analysis
B.Delete the entire namespace containing the pod
C.Use kubectl logs and kubectl exec to collect forensic data
D.Apply a NetworkPolicy to deny egress traffic from the pod
E.Immediately restart the pod to stop the attack
AnswersA, C, D

Preserves in-memory evidence.

Why this answer

Isolating via egress denial, collecting logs/exec output, and taking a memory dump for forensic analysis are appropriate. Restarting pods may destroy evidence, and deleting the namespace is too drastic.

167
MCQeasy

Which kubectl command checks the CIS Benchmark compliance of a cluster node using the kube-bench tool?

A.kubectl apply -f job.yaml
B.kubectl kube-bench
C.kubectl run kube-bench --image=aquasec/kube-bench
D.kube-bench run --targets=node
AnswerA

kube-bench is often deployed as a Kubernetes Job; applying the job YAML runs the benchmark.

Why this answer

Option A is correct because kube-bench runs as a Kubernetes Job, and the standard way to execute it against a cluster node is to apply a Job YAML manifest that runs the aquasec/kube-bench image. This Job performs CIS Benchmark checks on the node where it is scheduled, and the results are output to the Job's logs. The `kubectl apply -f job.yaml` command deploys the pre-configured Job, which is the recommended method for running kube-bench in a cluster context.

Exam trap

The trap here is that candidates confuse running a container directly with `kubectl run` versus deploying a proper Job manifest, or they assume `kubectl` has a native kube-bench subcommand, when in fact kube-bench must be run as a Kubernetes workload (typically a Job) to comply with the CIS Benchmark scanning methodology.

How to eliminate wrong answers

Option B is wrong because `kubectl kube-bench` is not a valid kubectl subcommand; kubectl does not have a built-in kube-bench plugin, and this command would fail. Option C is wrong because `kubectl run kube-bench --image=aquasec/kube-bench` creates a Pod, not a Job, and kube-bench is designed to run as a Job to properly handle completion and logging; a Pod may not terminate correctly or provide the expected output format. Option D is wrong because `kube-bench run --targets=node` is a direct command-line invocation of the kube-bench binary, not a kubectl command, and the question specifically asks for a kubectl command.

168
MCQmedium

A Falco rule triggers on 'Write below etc' and you see an alert about a process writing to /etc/shadow. Which syscall is Falco most likely using to detect this?

A.open
B.chmod
C.write
D.openat
AnswerC

Falco monitors write syscalls to detect modifications to sensitive files like /etc/shadow.

Why this answer

Falco uses system calls to monitor file writes. The 'write' syscall is used when a process writes data to a file. 'open' and 'openat' are used to open files, but the actual write event is captured by 'write'. 'chmod' changes permissions.

169
MCQmedium

A pod with the following annotation is created: 'container.apparmor.security.beta.kubernetes.io/webserver: localhost/k8s-apparmor-profile'. However, the pod remains in 'Pending' state and the node logs show 'AppArmor not available'. What is the most likely cause?

A.The annotation should be on the pod's securityContext, not as an annotation
B.AppArmor is not loaded or enabled on the node kernel
C.The AppArmor profile name is misspelled
D.The pod is using a privileged security context
AnswerB

The error indicates AppArmor is not available on the node. It needs to be enabled in the kernel and the apparmor_parser used to load profiles.

Why this answer

The node logs explicitly state 'AppArmor not available', which indicates that the AppArmor kernel security module is either not loaded or not enabled on the node's operating system. Without AppArmor support in the kernel, the kubelet cannot enforce the profile specified in the pod annotation, causing the pod to remain in 'Pending' state. This is a prerequisite condition for AppArmor profiles to work in Kubernetes.

Exam trap

CNCF often tests the distinction between a profile being misconfigured (e.g., wrong name) versus the underlying kernel module not being available; the trap here is that candidates may assume a spelling error (Option C) when the node logs clearly point to a missing kernel feature.

How to eliminate wrong answers

Option A is wrong because the AppArmor profile is correctly specified as a pod annotation per the Kubernetes beta API (container.apparmor.security.beta.kubernetes.io/<container_name>), not in the securityContext. Option C is wrong because the node logs do not indicate a profile name mismatch; they explicitly state 'AppArmor not available', which is a kernel-level issue, not a name misspelling. Option D is wrong because a privileged security context does not prevent AppArmor from being available; it may bypass AppArmor enforcement, but the error here is about the kernel module not being present, not about privilege escalation.

170
MCQhard

You want to configure an audit policy to log all requests to the 'secrets' resource with the body at the 'RequestResponse' level. Other resources should be logged at 'Metadata' level. Which audit policy YAML snippet is correct?

A.rules: - level: Body resources: ["secrets"] - level: Metadata resources: ["*"]
B.apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: RequestResponse resources: - group: "" resources: ["secrets"] - level: Metadata resources: - group: "" resources: ["*"]
C.policies: - level: RequestResponse resources: ["secrets"] - level: Metadata resources: ["*"]
D.rules: - level: RequestResponse resources: - group: "" resources: ["secrets"] - level: Metadata resources: - group: "" resources: ["*"]
AnswerB, D

Additionally includes apiVersion and kind, which are required. This is the correct complete YAML.

Why this answer

Option D is correct: it uses a list of rules with a specific rule for secrets at RequestResponse level, and a catch-all rule for other resources at Metadata level. Option A has the structure backwards. Option B uses an invalid 'rules' field name.

Option C has an invalid 'level' value 'Body'.

171
MCQeasy

Which YAML field in a Deployment specifies the container user should not run as root?

A.spec.containers[].securityContext.readOnlyRootFilesystem
B.spec.containers[].securityContext.runAsUser: 0
C.spec.containers[].securityContext.runAsNonRoot
D.spec.containers[].securityContext.allowPrivilegeEscalation
AnswerC

Setting runAsNonRoot: true ensures the container runs with a non-root user.

Why this answer

The 'runAsNonRoot' field in the security context enforces that the container cannot run as root. Option B is correct.

172
MCQeasy

A DevOps team uses a CI/CD pipeline to build container images and push them to a private registry. To minimize the risk of supply chain attacks, which of the following is the most effective security control to implement?

A.Scan all images for vulnerabilities using Trivy before pushing to the registry.
B.Restrict access to the registry using Kubernetes RBAC and service accounts.
C.Implement network policies to restrict traffic to the registry endpoint.
D.Sign all container images using a private key and verify the signature before deployment.
AnswerD

Image signing provides cryptographic assurance of image integrity and origin, a core supply chain security control.

Why this answer

Option D is correct because signing container images with a private key and verifying the signature before deployment ensures image integrity and authenticity, directly mitigating supply chain attacks where an attacker could tamper with images in transit or at rest. This control, often implemented using tools like Notary or Cosign (part of the Sigstore project), provides cryptographic proof that the image was produced by a trusted source and has not been altered. Without signature verification, even a vulnerability-scanned image could be replaced with a malicious one, bypassing other controls.

Exam trap

The trap here is that candidates often confuse vulnerability scanning (which detects known flaws) with image signing (which ensures integrity and provenance), and mistakenly choose scanning as the primary defense against supply chain attacks, overlooking that a scanned image can still be replaced or tampered with.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning (e.g., with Trivy) only identifies known CVEs in the image content; it does not prevent an attacker from replacing the image with a different, malicious one after scanning or during transit. Option B is wrong because restricting registry access via Kubernetes RBAC and service addresses only controls who can push or pull images, but does not verify the integrity or origin of the image itself—an authorized user could still push a tampered image. Option C is wrong because network policies limit traffic to the registry endpoint but do not protect against image tampering; an attacker who gains access to the registry or intercepts traffic could still modify images without detection.

173
MCQmedium

An administrator discovers that a container has been running with root privileges despite a PodSecurityPolicy that should prevent it. What is the most likely cause?

A.The PodSecurityPolicy is applied in the wrong order and a less restrictive policy overrides it.
B.The pod's service account lacks RBAC permissions to use the PSP.
C.The PodSecurityPolicy admission controller is not enabled in the kube-apiserver.
D.The PodSecurityPolicy resource is misconfigured with an empty allowPrivilegeEscalation field.
AnswerC

Without the admission controller, PSPs are not enforced regardless of RBAC.

Why this answer

Option C is correct because the PodSecurityPolicy (PSP) admission controller must be explicitly enabled in the kube-apiserver's `--enable-admission-plugins` flag. Without it, PSP resources are stored in etcd but never enforced, allowing any pod to run with root privileges regardless of PSP definitions.

Exam trap

CNCF often tests the distinction between creating a policy resource and actually enabling the admission controller that enforces it, tricking candidates into focusing on RBAC or policy content rather than the fundamental admission plugin flag.

How to eliminate wrong answers

Option A is wrong because PSPs are evaluated in an additive manner; the most restrictive policy is applied, not the least restrictive, and order does not override. Option B is wrong because RBAC permissions for PSPs control which service accounts can use a PSP, but if the admission controller is not enabled, no PSP is enforced at all. Option D is wrong because an empty `allowPrivilegeEscalation` field defaults to `true` in Kubernetes, but this only matters if the PSP admission controller is active; without it, the field is irrelevant.

174
MCQhard

A CI/CD pipeline uses cosign attest to add an SBOM attestation to an image. Later, during deployment, which command verifies the attestation?

A.cosign verify --key cosign.pub myimage:latest
B.cosign attest --key cosign.key --predicate sbom.json myimage:latest
C.cosign verify-attestation --key cosign.pub myimage:latest
D.cosign download attestation myimage:latest
AnswerC

Correct command to verify attestations.

Why this answer

'cosign verify-attestation' verifies the attestation against a public key.

175
MCQeasy

Which tool is used to generate a Software Bill of Materials (SBOM) for a container image?

A.Syft
B.Kubesec
C.Checkov
D.Trivy
AnswerA

Syft is a CLI tool that generates SBOMs for container images and filesystems.

Why this answer

Syft is a tool specifically designed for generating SBOMs from container images and filesystems.

176
Multi-Selecteasy

Which TWO of the following are valid AppArmor profile modes? (Select two.)

Select 2 answers
A.Audit
B.Disabled
C.Complain
D.Enforce
E.Unconfined
AnswersC, D

Logs violations but does not enforce.

Why this answer

AppArmor has three modes: enforce, complain, and unconfined. The question asks for two valid modes, so 'enforce' and 'complain' are correct. 'Unconfined' is also valid but is a mode that disables AppArmor for a profile. Since the question asks for two, we can pick enforce and complain. 'Disabled' is not a valid mode, and 'audit' is not a mode.

177
Multi-Selectmedium

Which TWO of the following are valid methods to apply a seccomp profile to a pod in Kubernetes?

Select 2 answers
A.Setting 'securityContext.seccompProfile.type' in the pod spec
B.Adding annotation 'container.apparmor.security.beta.kubernetes.io/<container>'
C.Including 'seccomp' profile in PodSecurityPolicy
D.Including 'seccompProfile' under 'spec.securityContext' at the pod level
E.Adding annotation 'seccomp.security.alpha.kubernetes.io/pod'
AnswersA, E

This is the current recommended way.

Why this answer

Option A is correct because the `securityContext.seccompProfile.type` field in the pod spec is the current, stable method to apply a seccomp profile to a pod in Kubernetes (since v1.19). This field directly specifies the seccomp profile type (e.g., `RuntimeDefault`, `Localhost`, or `Unconfined`) at the container or pod level, and is the recommended approach in modern clusters.

Exam trap

CNCF often tests the distinction between deprecated/removed features (like PodSecurityPolicy) and current stable APIs, and the trap here is that candidates confuse the old annotation-based approach (`seccomp.security.alpha.kubernetes.io/pod`) with the modern `securityContext.seccompProfile.type` field, or mistake AppArmor annotations for seccomp annotations.

178
MCQmedium

An administrator runs `kubectl run nginx --image=nginx:latest` and the pod remains in ImagePullBackoff. The cluster uses containerd as the container runtime. What is the most likely cause?

A.The image tag 'latest' is not recommended
B.The container runtime is not configured correctly
C.The image name is misspelled
D.The cluster does not have authentication to pull from Docker Hub
AnswerD

The default nginx image is on Docker Hub, and if the cluster cannot authenticate (e.g., rate limiting), it will fail to pull.

Why this answer

`ImagePullBackoff` indicates that the kubelet is unable to pull the image. Using `latest` tag can lead to pull failures if the tag is not found or if there is a registry issue, but more commonly, it's due to authentication or network issues. However, the most likely cause among the options is that the image requires authentication and no image pull secrets are configured.

179
MCQmedium

A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would trigger an alert for such an event?

A.evt.type=open and proc.name=bash and fd.name=/etc/shadow
B.evt.type=open and fd.name contains /etc
C.evt.type=open and fd.name=/etc/shadow and evt.arg.flags contains O_WRONLY
D.evt.type=open and fd.name=/etc/shadow and evt.arg.flags contains O_RDONLY
AnswerD

Why this answer

Falco uses the open or openat system calls with flags indicating read access. The condition checks for a file descriptor opened for reading on /etc/shadow. Option A correctly uses evt.type=open and fd.name=/etc/shadow with a read-only flag.

Option B uses write access, Option C is too broad, Option D only matches a specific process.

180
MCQhard

A security team wants to ensure that only approved container images can run in their production cluster. Which admission controller should be configured in the kube-apiserver to enforce this policy?

A.PodSecurityPolicy
B.AlwaysPullImages
C.NodeRestriction
D.ImagePolicyWebhook
AnswerD

ImagePolicyWebhook allows integration with an external webhook to enforce image admission policies.

Why this answer

The ImagePolicyWebhook admission controller allows a cluster to enforce a policy that only approved container images can run by sending image admission requests to an external webhook backend. This webhook can validate images against an allowlist, a trusted registry, or a custom policy engine, and it returns an admission decision (allow or deny) before the pod is created. This directly meets the requirement of restricting which container images are permitted in the cluster.

Exam trap

The trap here is that candidates confuse PodSecurityPolicy (which restricts pod security attributes) with image admission control, or they assume AlwaysPullImages can enforce image approval because it forces a fresh pull, but it never checks the image source or registry allowlist.

How to eliminate wrong answers

Option A is wrong because PodSecurityPolicy (PSP) is a deprecated admission controller that enforces security context constraints (e.g., privilege escalation, host namespaces) on pods, not image approval or registry allowlisting. Option B is wrong because AlwaysPullImages forces the kubelet to pull images with the specified pull policy every time a pod is created, but it does not validate whether the image is from an approved source or registry. Option C is wrong because NodeRestriction limits the permissions of kubelet nodes to modify their own node and pod objects via the Kubernetes API, and it has no role in image admission control.

181
MCQhard

A security team wants to detect any attempt to read /etc/shadow from within a container using Falco. Which condition in a Falco rule would match this behavior?

A.proc.name contains "shadow" and evt.type=read
B.evt.type=read and fd.name contains "shadow"
C.evt.type=open and fd.name=/etc/shadow
D.container and fd.name=/etc/shadow
AnswerC

Why this answer

The condition checks for an open system call on the file /etc/shadow.

182
MCQhard

You are a security engineer for a financial services company running a Kubernetes cluster on-premises. The cluster uses kubeadm for bootstrapping and Calico for network policy. Recently, a compliance audit revealed that all nodes in the cluster have the kubelet port 10250 open to the public network, allowing unauthenticated access to the kubelet API. This poses a severe security risk. The cluster has 10 worker nodes and 3 control plane nodes. You need to remediate this without disrupting running workloads. The nodes are behind a corporate firewall, but the internal network is considered untrusted. You have access to the node's iptables and can modify configuration files. Which course of action best secures the kubelet port while maintaining cluster functionality?

A.Use iptables on each node to allow incoming connections to port 10250 only from the cluster's CIDR (e.g., 10.0.0.0/8).
B.Configure a Calico GlobalNetworkPolicy to block inbound traffic to port 10250 on all nodes.
C.Change the kubelet port to a non-standard port (e.g., 10260) and update all kubelet configurations.
D.Set the --anonymous-auth flag to false on each kubelet and restart them one by one.
AnswerA

Restricting source IPs to the cluster network reduces exposure while allowing legitimate kubelet API calls from the control plane and other nodes.

Why this answer

Option A is correct because using iptables to restrict access to port 10250 to only the cluster's internal CIDR (e.g., 10.0.0.0/8) directly addresses the audit finding by blocking unauthenticated public access while allowing necessary kubelet API communication from within the cluster. This approach does not disrupt running workloads, as it only modifies firewall rules without restarting kubelet or changing its configuration. It leverages the existing network infrastructure (iptables) and is consistent with the principle of least privilege for an untrusted internal network.

Exam trap

The trap here is that candidates often confuse Kubernetes network policies (like Calico) with host-level firewall rules, assuming they can block node ports, when in fact network policies only apply to pod-to-pod traffic and cannot control access to the kubelet's host network interface.

How to eliminate wrong answers

Option B is wrong because Calico GlobalNetworkPolicy operates at the Kubernetes network policy layer, which applies to pods and their traffic, not to node-level ports like the kubelet API (port 10250) which is a host network service; Calico policies cannot block traffic to the node's own kubelet endpoint. Option C is wrong because changing the kubelet port to a non-standard port (e.g., 10260) does not address the root cause of unauthenticated access; it only obscures the port, and the new port would still be open to the public network unless additional firewall rules are applied, plus it requires restarting kubelet which could disrupt workloads. Option D is wrong because setting --anonymous-auth to false only disables anonymous requests but does not block unauthenticated access from other sources (e.g., requests with valid but compromised credentials); the audit finding specifically highlights unauthenticated access, and this flag does not prevent network-level exposure of the port.

183
MCQmedium

A pod is running with securityContext.seccompProfile.type: Unconfined. Which statement is true?

A.The container is limited to a set of allowed syscalls as defined by the runtime.
B.The container can make any system call.
C.Seccomp is not supported on this node.
D.The container is running with the host's seccomp profile.
AnswerB

Unconfined disables seccomp, so no syscall filtering occurs.

Why this answer

Unconfined means no seccomp filtering is applied, so the container can make any syscall. Option B is correct.

184
MCQmedium

An administrator wants to enforce a custom AppArmor profile named 'k8s-apparmor-example' on a pod. The profile has been loaded on the node. Which annotation should be added to the pod's metadata to apply this profile?

A.container.apparmor.security.beta.kubernetes.io/nginx: localhost/k8s-apparmor-example
B.container.apparmor.security.beta.kubernetes.io/pod: localhost/k8s-apparmor-example
C.apparmor.security.beta.kubernetes.io/pod: k8s-apparmor-example
D.container.apparmor.security.beta.kubernetes.io/nginx: localhost/k8s-apparmor-example
AnswerA

This correctly specifies the container name and the profile using 'localhost/' prefix.

Why this answer

Option A is correct because the annotation format for applying an AppArmor profile to a container in a pod is `container.apparmor.security.beta.kubernetes.io/<container_name>`. The value `localhost/k8s-apparmor-example` specifies that the profile named `k8s-apparmor-example` is loaded locally on the node. This annotation enforces the profile on the container named 'nginx'.

Exam trap

CNCF often tests the exact annotation syntax, specifically that the key must include `container.` and the container name, and the value must include `localhost/` for a custom profile, leading candidates to confuse the pod-level annotation with the container-level one.

How to eliminate wrong answers

Option B is wrong because the annotation key uses `pod` instead of the actual container name (`nginx`); the annotation must target a specific container, not the pod. Option C is wrong because the annotation key is missing the `container.` prefix and uses `pod` instead of the container name, and the value lacks the `localhost/` prefix required for a locally loaded profile. Option D is wrong because it is identical to Option A and is listed as correct, but the question expects only one correct answer; however, in the provided options, Option A is marked as correct and Option D is a duplicate, so Option D is considered wrong in the context of the answer set because it is not the designated correct choice.

185
MCQhard

A security auditor reports that a container can sniff network traffic on the host. Which field in the pod spec should be checked and set to false to prevent this?

A.hostNetwork: false
B.hostNetwork: true
C.hostIPC: true
D.hostPID: true
AnswerA

Setting hostNetwork to false prevents the container from using the host network, thus preventing sniffing.

Why this answer

Setting 'hostNetwork: true' gives the container access to the host's network stack, allowing it to sniff traffic. Setting it to false prevents this.

186
MCQeasy

Which of the following commands shows all loaded AppArmor profiles?

A.apparmor_parser
B.aa-status
C.aa-disable
D.aa-enforce
AnswerB

aa-status displays loaded AppArmor profiles and their modes.

Why this answer

The `aa-status` command displays the current status of AppArmor, including all loaded profiles, their enforcement mode (enforce/complain), and which processes are confined by them. This is the standard tool for listing active AppArmor profiles on a system.

Exam trap

The trap here is that candidates confuse `apparmor_parser` (which loads profiles) with `aa-status` (which lists them), or assume that `aa-enforce` or `aa-disable` somehow show profile status, when they are actually mode-changing commands.

How to eliminate wrong answers

Option A is wrong because `apparmor_parser` is used to load or compile AppArmor profiles from text files into the kernel, not to list currently loaded profiles. Option C is wrong because `aa-disable` is used to disable an AppArmor profile by removing its symbolic link from `/etc/apparmor.d/`, not to display profiles. Option D is wrong because `aa-enforce` is used to set a profile to enforce mode (actively blocking violations), not to list loaded profiles.

187
MCQhard

A pod is stuck in Pending state. 'kubectl describe pod' shows '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/control-plane: }, that the pod didn't tolerate.' The pod does not specify any tolerations. What is the most likely cause?

A.The pod's image pull secret is missing
B.The pod uses an untrusted image that was rejected by an admission webhook
C.The pod's resource requests exceed the available node capacity
D.The cluster only has control-plane nodes and the pod does not tolerate the control-plane taint
AnswerD

Control-plane nodes typically have a taint that prevents regular pods from scheduling. If there are no worker nodes, the pod will remain Pending.

Why this answer

The taint on the control-plane node prevents pods without tolerations from being scheduled. The pod must either tolerate the taint or be scheduled to a worker node that does not have this taint.

188
Multi-Selecthard

Which THREE of the following are best practices for minimizing host access from containers to reduce the attack surface? (Select three.)

Select 3 answers
A.Avoid setting hostPID to true
B.Avoid setting hostNetwork to true
C.Avoid setting hostIPC to true
D.Disable swap on nodes
E.Avoid using hostPort in container port mappings
AnswersA, B, C

hostPID gives containers access to the host process namespace, which increases risk.

Why this answer

Setting hostPID to true allows a container to share the host's process ID namespace, enabling it to see all host processes and potentially access sensitive information or perform privilege escalation. Avoiding this setting reduces the attack surface by preventing containers from interacting with host-level processes, which is a key principle of namespace isolation in Kubernetes.

Exam trap

CNCF often tests the distinction between host access (namespace sharing) and host exposure (port mapping or resource limits), so candidates may mistakenly select options like hostPort or swap disabling as host access controls when they are actually about network exposure or system performance.

189
MCQmedium

You need to create a NetworkPolicy that denies all ingress traffic to pods with label 'app: web' in the 'frontend' namespace, except for traffic from pods with label 'app: ingress' in the 'ingress' namespace. Which NetworkPolicy spec correctly achieves this?

A.ingress: - from: - namespaceSelector: matchLabels: name: ingress podSelector: matchLabels: app: ingress
B.ingress: - from: - namespaceSelector: matchLabels: app: ingress podSelector: {}
C.ingress: - from: - podSelector: matchLabels: app: ingress - namespaceSelector: matchLabels: kubernetes.io/metadata.name: ingress
D.ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: ingress podSelector: matchLabels: app: ingress
AnswerD

This allows ingress only from pods matching both selectors; default deny is implied if no other rules.

190
MCQhard

A cluster administrator wants to allow only images from a specific registry (e.g., 'myregistry.io') to be deployed in the cluster. Which tool can be used to enforce this via admission control?

A.OPA/Gatekeeper
B.Helm
C.Calico
D.Prometheus
AnswerA

OPA/Gatekeeper can define policies to restrict image registries using a ConstraintTemplate.

Why this answer

OPA/Gatekeeper can create a Constraint that validates image registry. Option A is correct.

191
MCQeasy

Which of the following is a recommended setting from the CIS Kubernetes Benchmark for the kubelet?

A.--authorization-mode=AlwaysAllow
B.--anonymous-auth=true
C.--anonymous-auth=false
D.--read-only-port=10255
AnswerC

Disabling anonymous authentication is a CIS recommendation.

Why this answer

The CIS Kubernetes Benchmark recommends disabling anonymous authentication on the kubelet to ensure that all requests are authenticated. Setting `--anonymous-auth=false` forces the kubelet to reject requests from unauthenticated users, reducing the attack surface and preventing unauthorized access to the kubelet API.

Exam trap

The trap here is that candidates often confuse `--anonymous-auth` with authorization modes, mistakenly thinking that disabling anonymous auth is less important than setting a strict authorization mode, but the CIS Benchmark prioritizes disabling anonymous access as a foundational security control.

How to eliminate wrong answers

Option A is wrong because `--authorization-mode=AlwaysAllow` disables authorization checks, allowing any authenticated request to proceed, which violates the principle of least privilege and is not recommended by the CIS Benchmark. Option B is wrong because `--anonymous-auth=true` allows unauthenticated requests to the kubelet, which is explicitly discouraged as it opens the node to potential exploitation. Option D is wrong because `--read-only-port=10255` is a legacy insecure port that exposes read-only kubelet endpoints without authentication; the CIS Benchmark recommends disabling this port (setting it to 0) to avoid unauthenticated information disclosure.

192
Multi-Selectmedium

Which TWO of the following are valid techniques to detect and respond to runtime incidents in a Kubernetes cluster? (Select TWO.)

Select 2 answers
A.Deleting the compromised pod immediately to stop the attack
B.Using crictl images to list container images on the node
C.Applying a NetworkPolicy to isolate a compromised pod
D.Using kubectl exec to gather forensic data from a running container
E.Running kubectl logs --previous to view logs of a terminated container
AnswersC, D

Correct. NetworkPolicy can deny all traffic to/from the pod.

Why this answer

'kubectl exec' can be used for forensics by executing commands inside a container. NetworkPolicy can isolate compromised pods. 'kubectl delete pod' removes evidence. 'crictl images' lists images, not running containers. 'kubectl logs --previous' shows logs of crashed pods but is not a response technique.

193
Multi-Selecthard

Which TWO of the following are effective methods to harden the kubelet against unauthorized access?

Select 2 answers
A.Set --read-only-port=10255
B.Enable --authentication-token-webhook
C.Enable the NodeRestriction admission controller
D.Configure --client-ca-file and --tls-cert-file to require client certificates
E.Set --anonymous-auth=true
AnswersC, D

NodeRestriction limits the kubelet's ability to modify node and pod objects, reducing the impact of a compromised kubelet.

Why this answer

Option C is correct because the NodeRestriction admission controller limits the Node and Pod objects a kubelet can modify, preventing a compromised node from escalating privileges or tampering with other workloads. This is a key Kubernetes-native control to harden the kubelet's authorization scope.

Exam trap

CNCF often tests the distinction between authentication (verifying identity) and authorization (limiting actions); candidates may confuse enabling authentication (Option B) with hardening authorization, but the question specifically asks for methods that harden against unauthorized access, which includes both authentication and authorization controls, and the correct answers (C and D) focus on authorization and mutual TLS authentication respectively.

194
MCQeasy

Which of the following is a recommended CIS benchmark setting for the kubelet?

A.--anonymous-auth=true
B.--anonymous-auth=false
C.--protect-kernel-defaults=false
D.--read-only-port=10255
AnswerB

This disables anonymous access.

Why this answer

The CIS benchmark for Kubernetes recommends disabling anonymous authentication on the kubelet to ensure that all requests to the kubelet API are authenticated. Setting `--anonymous-auth=false` forces the kubelet to reject requests from unauthenticated users, preventing potential unauthorized access to node-level operations such as pod logs, exec, and port-forwarding.

Exam trap

CNCF often tests the distinction between kubelet flags that control authentication versus authorization, and candidates may confuse `--anonymous-auth` with `--authentication-token-webhook` or incorrectly assume that disabling anonymous auth also blocks legitimate service account tokens.

How to eliminate wrong answers

Option A is wrong because `--anonymous-auth=true` allows unauthenticated requests to the kubelet, which violates the CIS benchmark and exposes the node to unauthorized access. Option C is wrong because `--protect-kernel-defaults=false` disables kernel parameter protection, which is a security hardening setting that should be `true`, not `false`, to ensure the kubelet enforces safe kernel defaults. Option D is wrong because `--read-only-port=10255` enables the read-only port on the kubelet, which serves unauthenticated read-only access and is deprecated; the CIS benchmark recommends disabling this port entirely (setting it to `0`).

195
Multi-Selectmedium

Which THREE of the following are valid methods to secure etcd in a Kubernetes cluster? (Select THREE)

Select 3 answers
A.Apply a NetworkPolicy to block traffic to etcd pods.
B.Use RBAC to restrict access to etcd.
C.Enable TLS peer and client authentication.
D.Expose the etcd client port (2379) to the public internet for monitoring.
E.Set file permissions on etcd data directory to 700.
AnswersB, C, E

RBAC can limit which users/service accounts can access etcd via the API server.

Why this answer

RBAC is a valid method to secure etcd because etcd supports role-based access control for its API, allowing you to define roles and permissions that restrict which users or processes can read or write keys. By enabling RBAC on etcd, you can limit access to sensitive cluster data, such as secrets and configuration, to only authorized components like the Kubernetes API server.

Exam trap

CNCF often tests the misconception that NetworkPolicy can secure etcd, but candidates forget that etcd may not be a regular pod subject to NetworkPolicy, or that NetworkPolicy only controls pod-to-pod traffic and not external access to the etcd port.

196
MCQmedium

You want to ensure that kubelet does not allow anonymous requests. Which flag must be set on the kubelet?

A.--anonymous-auth=false
B.--authentication-anonymous=false
C.--allow-anonymous=false
D.--read-only-port=0
AnswerA

Correct.

Why this answer

The kubelet's `--anonymous-auth` flag controls whether anonymous requests to the kubelet API are permitted. Setting `--anonymous-auth=false` explicitly denies all anonymous requests, ensuring that only authenticated users can interact with the kubelet. This is a critical hardening step to prevent unauthenticated access to node-level operations.

Exam trap

CNCF often tests the exact flag name `--anonymous-auth` versus similar-sounding alternatives like `--authentication-anonymous` or `--allow-anonymous`, exploiting the fact that candidates may guess based on generic naming conventions rather than knowing the precise kubelet flag syntax.

How to eliminate wrong answers

Option B is wrong because `--authentication-anonymous=false` is not a valid kubelet flag; the correct flag name is `--anonymous-auth`. Option C is wrong because `--allow-anonymous=false` does not exist as a kubelet flag; the kubelet uses `--anonymous-auth` for this purpose. Option D is wrong because `--read-only-port=0` disables the read-only port (port 10255) but does not affect anonymous authentication on the main kubelet API port (10250); anonymous requests can still be made on the secure port unless `--anonymous-auth=false` is set.

197
MCQhard

A cluster has enabled the NodeRestriction admission controller. A developer is trying to create a pod with hostNetwork: true but is getting an error. What is the most likely reason?

A.The error is unrelated to NodeRestriction; the issue is likely a missing PodSecurityPolicy or Pod Security Admission that denies hostNetwork
B.The NodeRestriction admission controller blocks pods with hostNetwork
C.The nodeSelector on the pod conflicts with NodeRestriction
D.The developer lacks RBAC permissions to create pods
AnswerA

NodeRestriction does not affect pod creation; the error likely comes from PSP/PSA.

Why this answer

The NodeRestriction admission controller only limits node self-updates to kubelet nodes, preventing them from modifying their own labels, taints, or other node objects. It does not block pods with `hostNetwork: true`. The error is most likely caused by a missing PodSecurityPolicy or Pod Security Admission (PSA) that denies pods with `hostNetwork: true`, as these are the mechanisms that enforce host namespace restrictions.

Exam trap

The trap here is that candidates confuse NodeRestriction (which restricts kubelet node updates) with PodSecurityPolicy or Pod Security Admission (which restrict pod security contexts like hostNetwork), leading them to incorrectly attribute the error to NodeRestriction.

How to eliminate wrong answers

Option B is wrong because NodeRestriction does not block pods with `hostNetwork`; it restricts kubelet modifications to node objects. Option C is wrong because `nodeSelector` is not affected by NodeRestriction; NodeRestriction only applies to node updates by the kubelet, not pod scheduling. Option D is wrong because the error is about admission control, not RBAC; if the developer lacked RBAC permissions to create pods, they would get a Forbidden error, not an admission-related error.

198
MCQeasy

Which command can be used to view the current set of admission webhooks in the cluster?

A.kubectl get webhooks
B.kubectl get validatingwebhookconfigurations
C.kubectl get webhookconfigurations
D.kubectl get admissionwebhooks
AnswerB

This lists the ValidatingWebhookConfiguration resources, which define the webhooks.

Why this answer

ValidatingWebhookConfiguration and MutatingWebhookConfiguration are cluster-scoped resources that can be listed with kubectl get.

199
Multi-Selecthard

Which THREE of the following are best practices for reducing the attack surface of Kubernetes nodes? (Select three.)

Select 3 answers
A.Use read-only root filesystems for containers where possible
B.Allow privileged containers for debugging
C.Disable unnecessary system services on nodes
D.Run containers as root to simplify management
E.Minimize host access from containers (avoid hostPID, hostNetwork, hostIPC)
AnswersA, C, E

Prevents containers from writing to the filesystem, reducing risk of malware.

Why this answer

Option A is correct because using a read-only root filesystem for containers (e.g., setting `readOnlyRootFilesystem: true` in the container's security context) prevents attackers from writing malicious binaries or modifying system files inside the container, even if they gain code execution. This reduces the attack surface by limiting the container's ability to persist changes or escalate privileges through file system manipulation.

Exam trap

CNCF often tests the misconception that privileged containers are acceptable for debugging in production, but the CKS exam emphasizes that privileged mode should never be used in production environments because it disables all security controls and grants host-level capabilities.

200
MCQmedium

A cluster is running Kubernetes 1.24. The security team wants to enforce that all pods run with a read-only root filesystem. Which approach is most effective?

A.Use OPA Gatekeeper to deny pods without readOnlyRootFilesystem
B.Enable PodSecurityPolicy with readOnlyRootFilesystem: true
C.Enable PodSecurity admission controller with restricted profile
D.Set --read-only-port=0 in kubelet
AnswerC

The restricted profile enforces readOnlyRootFilesystem: true as part of the policy.

Why this answer

Option C is correct because in Kubernetes 1.24, PodSecurityPolicy (PSP) has been removed, and the PodSecurity admission controller with the restricted profile is the built-in replacement that enforces a read-only root filesystem for all pods. The restricted profile sets `securityContext.readOnlyRootFilesystem: true` by default, ensuring compliance without external tools.

Exam trap

CNCF often tests the removal of PodSecurityPolicy in Kubernetes 1.25 and expects candidates to know that the PodSecurity admission controller with the restricted profile is the direct replacement, not OPA Gatekeeper or deprecated PSP.

How to eliminate wrong answers

Option A is wrong because OPA Gatekeeper is an external admission controller that requires additional installation and maintenance; while it can enforce readOnlyRootFilesystem, it is not the most effective built-in approach in Kubernetes 1.24. Option B is wrong because PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so it is unavailable in a 1.24 cluster (though still present, it is deprecated and not the recommended approach). Option D is wrong because `--read-only-port=0` in kubelet disables the read-only port (10255) for the kubelet API, which is unrelated to enforcing a read-only root filesystem for pods.

201
MCQmedium

The Kubernetes Dashboard is deployed in the cluster. To secure it, which of the following is a recommended practice?

A.Create a NodePort service to access it externally
B.Access it via kubectl proxy
C.Use an Ingress without TLS
D.Expose it using a LoadBalancer service for easy access
AnswerB

kubectl proxy provides a secure way to access the Dashboard locally with proper authentication.

Why this answer

Accessing the Kubernetes Dashboard via `kubectl proxy` is recommended because it creates an authenticated HTTP proxy between your local machine and the Kubernetes API server. This ensures that all traffic to the Dashboard is tunneled through the API server's authentication and authorization mechanisms, preventing direct exposure of the Dashboard to the network and reducing the attack surface.

Exam trap

CNCF often tests the misconception that exposing the Dashboard via a NodePort or LoadBalancer is acceptable for convenience, but the trap is that these methods bypass the API server's authentication layer, which is a fundamental security requirement for the Dashboard.

How to eliminate wrong answers

Option A is wrong because creating a NodePort service exposes the Dashboard on a high port across all cluster nodes, bypassing API server authentication and allowing potential network-level attacks. Option C is wrong because using an Ingress without TLS exposes the Dashboard over unencrypted HTTP, making it vulnerable to man-in-the-middle attacks and credential interception. Option D is wrong because exposing the Dashboard via a LoadBalancer service grants direct external access without the API server's authentication proxy, violating the principle of least privilege and increasing the risk of unauthorized access.

202
MCQeasy

Which Falco rule priority is used to indicate a potentially malicious activity that should be investigated?

A.INFO
B.ERROR
C.DEBUG
D.WARNING
AnswerD

WARNING is the priority for potentially malicious activities that should be investigated.

Why this answer

Falco rule priorities are: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. WARNING is used for potentially malicious activities that warrant investigation.

203
MCQmedium

An administrator deploys a Pod with the following security context: securityContext: runAsNonRoot: true runAsUser: 1000 However, the Pod fails to start with an error: 'container has runAsNonRoot and image will run as root'. What is the most likely cause?

A.The container runtime does not support runAsNonRoot
B.The pod is missing a seccomp profile
C.The runAsUser field is set to 1000, which is a non-root user
D.The container image specifies USER root in its Dockerfile
AnswerD

runAsNonRoot: true checks the image's default user; if the image runs as root (USER root), the pod is rejected even if runAsUser: 1000 is set.

Why this answer

runAsNonRoot: true requires that the image's default user is not root (UID 0). Even though runAsUser overrides the user, the validation checks the image's USER directive first.

204
Multi-Selecthard

A security engineer runs kube-hunter against a production cluster and receives the above output. The cluster uses kubeadm with default settings. Which two actions should the engineer take to remediate the vulnerabilities?

Select 2 answers
A.Upgrade the cluster to Kubernetes 1.14 or later to fix CVE-2019-11245
B.Set the kubelet flag --authentication-token-webhook=true
C.Configure the kubelet to set --anonymous-auth=false and restart the kubelet service
D.Enable the NodeRestriction admission controller
E.Modify the kube-apiserver manifest to set --anonymous-auth=false
AnswersA, C

The vulnerability is fixed in kubelet versions 1.13.9+, 1.14.5+, and 1.15.2+.

Why this answer

Option A is correct because CVE-2019-11245 affects kubelet container runtime exec probes in Kubernetes versions prior to 1.14, where containers could restart unexpectedly due to a race condition. Upgrading to 1.14 or later patches this vulnerability. Option C is correct because setting --anonymous-auth=false on the kubelet disables unauthenticated access to the kubelet API, which is a common finding from kube-hunter when default kubeadm settings leave anonymous authentication enabled.

Exam trap

The trap here is that candidates confuse the kubelet's anonymous-auth flag with the API server's anonymous-auth flag, or think that enabling webhook authentication alone (Option B) disables anonymous access, when in fact anonymous auth must be explicitly disabled on the kubelet.

205
MCQmedium

A security scanner reports that a microservice container image contains a critical vulnerability (CVE-2024-1234) in a system library. The team cannot immediately rebuild the image. What is the most effective temporary mitigation at the Kubernetes level?

A.Apply a NetworkPolicy to block egress traffic from the Pod
B.Apply a custom seccomp profile that blocks the vulnerable syscall
C.Apply an AppArmor profile to the Pod
D.Use a PodSecurityPolicy to drop all capabilities
AnswerB

Seccomp can filter system calls, directly mitigating exploitation of syscall-related CVEs.

Why this answer

Option B is correct because a custom seccomp (secure computing mode) profile can restrict the system calls (syscalls) a container is allowed to make. By blocking the specific vulnerable syscall exploited by CVE-2024-1234, you can prevent the vulnerability from being triggered at runtime without rebuilding the image. This is a temporary, Kubernetes-native mitigation that directly addresses the attack vector at the syscall level.

Exam trap

CNCF often tests the distinction between seccomp (syscall filtering) and AppArmor/SELinux (MAC on files and capabilities), leading candidates to confuse AppArmor as a syscall blocker when it is not.

How to eliminate wrong answers

Option A is wrong because blocking egress traffic with a NetworkPolicy only prevents outbound network connections; it does not prevent exploitation of a local system library vulnerability, which typically does not require network egress. Option C is wrong because AppArmor profiles enforce mandatory access control (MAC) on file paths, network, and capabilities, but they do not filter syscalls; seccomp is the correct mechanism for syscall-level restriction. Option D is wrong because dropping all capabilities with a PodSecurityPolicy (or Pod Security Admission) removes Linux capabilities like CAP_NET_RAW, but it does not block specific syscalls; the vulnerable syscall may still be invoked even with no capabilities.

206
MCQmedium

You have enabled encryption at rest for Kubernetes Secrets by configuring an EncryptionConfiguration object and restarting the API server. After the configuration, you create a new Secret. However, when you retrieve the Secret using 'kubectl get secret mysecret -o yaml', the 'data' field still shows base64-encoded plaintext. Is the Secret encrypted at rest?

A.No, because only Secrets in namespaces with a specific annotation are encrypted.
B.Yes, but only if the Secret was created after the API server restart.
C.No, because the data is still visible in the API response.
D.Yes, because encryption at rest applies to the storage layer (etcd), not the API response.
AnswerD

EncryptionConfiguration encrypts data written to etcd; the API server decrypts it when serving requests.

207
MCQmedium

A developer creates a pod with the following YAML: apiVersion: v1 kind: Pod metadata: name: mypod spec: serviceAccountName: default automountServiceAccountToken: true containers: - name: app image: nginx What is the security concern with this configuration?

A.The pod does not specify resource limits
B.The container runs as root
C.The service account token is automatically mounted, potentially providing excessive permissions
D.The pod uses the 'default' namespace
AnswerC

Automounting the default service account token can be a security risk if the token has broad permissions.

Why this answer

Option C is correct because setting `automountServiceAccountToken: true` (or omitting it, as it defaults to true) causes the pod to automatically mount the service account token of the `default` service account into the container. This token can grant excessive permissions if the default service account has been bound to roles with broad access, such as cluster-admin or other privileged RBAC bindings, which is a common misconfiguration. An attacker who compromises the container can then use this token to authenticate to the Kubernetes API server and perform unauthorized actions within the cluster.

Exam trap

CNCF often tests the misconception that the `default` service account is always safe or that the namespace choice is the primary risk, when in fact the automatic mounting of the service account token—especially when combined with overly permissive RBAC bindings—is the direct security concern.

How to eliminate wrong answers

Option A is wrong because while resource limits are a best practice for preventing resource starvation, their absence is not a direct security concern related to service account token exposure or privilege escalation. Option B is wrong because running as root inside a container is a security concern, but the provided YAML does not explicitly set `securityContext.runAsNonRoot` or `runAsUser`, so it is not guaranteed that the container runs as root; the nginx image may run as a non-root user by default in newer versions, and the question specifically asks about the security concern with the given configuration, which highlights the token mount. Option D is wrong because using the 'default' namespace is not inherently a security issue; namespaces are logical isolation boundaries, and the security risk comes from the service account token being mounted, not the namespace itself.

208
Multi-Selectmedium

Which TWO of the following are tools for image signing and verification? (Select TWO)

Select 2 answers
A.Cosign
B.Trivy
C.kubesec
D.Syft
E.Notary
AnswersA, E

Cosign supports signing and verification of container images.

Why this answer

Cosign is for signing and verifying images. Notary is a signing framework. Trivy scans for vulnerabilities, Syft generates SBOMs, and kubesec analyzes manifests.

209
MCQmedium

You run 'kubectl exec -it <pod> -- /bin/sh' inside a pod that has an immutable root filesystem. What happens?

A.The command fails with an error because the container has an immutable root filesystem
B.The shell starts and can write to any directory because 'exec' bypasses the restriction
C.The shell starts successfully, but any attempt to write to the root filesystem will be denied
D.The pod is restarted with a writable filesystem
AnswerC

The shell can run, but writes to the root filesystem (e.g., creating files in /) will fail due to readOnlyRootFilesystem.

Why this answer

An immutable root filesystem (readOnlyRootFilesystem: true) prevents any writes to the container's root filesystem. However, /tmp is often a tmpfs mount that is writable, and /proc is a virtual filesystem. The exec command itself runs a process; it does not write to the filesystem.

The shell can still run, but any attempt to write to the root filesystem will fail.

210
MCQeasy

What is the purpose of the 'automountServiceAccountToken: false' setting in a Pod spec?

A.It disables the service account controller
B.It prevents the automatic mounting of the service account token into the pod
C.It deletes the service account after the pod starts
D.It prevents the pod from using any service account
AnswerB

This is the correct definition.

Why this answer

Setting `automountServiceAccountToken: false` in a Pod spec prevents the automatic mounting of the Kubernetes service account token (a JWT) into the Pod's filesystem at `/var/run/secrets/kubernetes.io/serviceaccount/token`. This is a security hardening measure to reduce the attack surface for compromised containers, as the token can be used to authenticate to the Kubernetes API server. By default, Kubernetes mounts this token into every Pod, so explicitly disabling it is necessary when the Pod does not require API access.

Exam trap

CNCF often tests the misconception that disabling token mounting also disables the service account entirely, but the service account remains assignable and usable for other purposes (e.g., RBAC bindings), and the token can still be manually mounted if needed.

How to eliminate wrong answers

Option A is wrong because disabling the automatic mount of the service account token does not affect the service account controller; the controller continues to manage service accounts and their tokens independently. Option C is wrong because the setting does not delete the service account after the Pod starts; service accounts are persistent resources that remain until explicitly deleted. Option D is wrong because the Pod can still use a service account (e.g., via `serviceAccountName`), but the token is not automatically mounted; the Pod could still access the token if manually mounted or if the service account is used for other purposes like pod identity.

211
MCQmedium

A DevOps engineer wants to ensure that a container image is signed and the signature is verified before deployment. Which Cosign command verifies an image signature?

A.cosign sign
B.cosign check
C.cosign verify
D.cosign attest
AnswerC

cosign verify checks the signature of a signed image.

Why this answer

cosign verify is the correct command to verify an image signature. The other options are for signing or other operations.

212
MCQmedium

A container needs to run with the NET_ADMIN capability to modify network settings. The cluster enforces the baseline Pod Security Standard. Which securityContext configuration should be used?

A.capabilities: add: ["NET_ADMIN"]
B.linuxCapabilities: add: ["NET_ADMIN"]
C.capabilities: drop: ["ALL"] add: ["NET_ADMIN"]
D.capabilities: drop: ["NET_ADMIN"]
AnswerA

Baseline allows adding NET_ADMIN.

Why this answer

Option A is correct because the baseline Pod Security Standard (PSS) restricts only privileged capabilities but allows adding specific capabilities like NET_ADMIN via the `capabilities.add` field in the securityContext. The baseline profile permits most capabilities except those that are explicitly restricted (e.g., CAP_SYS_ADMIN), so adding NET_ADMIN directly is compliant without needing to drop all capabilities first.

Exam trap

CNCF often tests the distinction between the baseline and restricted Pod Security Standards, where candidates mistakenly think they must drop all capabilities (as required by restricted) even when the baseline profile is in effect, leading them to choose option C unnecessarily.

How to eliminate wrong answers

Option B is wrong because `linuxCapabilities` is not a valid field in the Kubernetes securityContext; the correct field is `capabilities`. Option C is wrong because dropping all capabilities (`drop: ["ALL"]`) is unnecessary under the baseline PSS, which does not require dropping all capabilities, and it would remove capabilities that the container might need for normal operation, potentially breaking functionality. Option D is wrong because dropping NET_ADMIN would remove the very capability required to modify network settings, making the container unable to perform its intended task.

213
Multi-Selecthard

Which TWO of the following are correct methods to verify a signed container image using Cosign?

Select 2 answers
A.cosign verify --fulcio-url https://fulcio.example.com myimage:latest
B.cosign verify myimage:latest
C.cosign sign --key privkey.pem myimage:latest
D.cosign verify --insecure-ignore-sigs myimage:latest
E.cosign verify --key pubkey.pem myimage:latest
AnswersA, E

This uses keyless verification with Fulcio.

Why this answer

Cosign verify can be used with a public key or with keyless verification using Fulcio. The command 'cosign verify' is not correct; it must specify the key or use keyless.

214
MCQeasy

Which flag should you set on the kube-apiserver to disable anonymous authentication?

A.--disable-anonymous=true
B.--anonymous-auth=false
C.--enable-anonymous-auth=false
D.--auth-mode=RBAC
AnswerB

This flag disables anonymous authentication.

Why this answer

The `--anonymous-auth` flag on the kube-apiserver controls whether anonymous requests are allowed. Setting `--anonymous-auth=false` explicitly disables anonymous authentication, meaning requests without valid credentials will be rejected with a 401 Unauthorized response. This is the correct parameter to harden the API server against unauthenticated access.

Exam trap

The trap here is that candidates confuse authentication flags with authorization flags (like `--authorization-mode=RBAC`) or invent non-existent flags like `--disable-anonymous`, when the actual flag uses a simple boolean `--anonymous-auth`.

How to eliminate wrong answers

Option A is wrong because `--disable-anonymous=true` is not a valid kube-apiserver flag; the correct flag is `--anonymous-auth`. Option C is wrong because `--enable-anonymous-auth=false` does not exist; the flag uses the `--anonymous-auth` boolean directly, not a negated form. Option D is wrong because `--auth-mode=RBAC` is not a valid flag; RBAC is configured via `--authorization-mode=RBAC` and controls authorization, not authentication, so it does not disable anonymous access.

215
MCQmedium

A security engineer wants to enable mutual TLS (mTLS) between services in an Istio service mesh. Which Istio resource should be used to define the mTLS mode for the entire mesh?

A.DestinationRule with trafficPolicy.tls.mode: ISTIO_MUTUAL
B.PeerAuthentication with mTLS mode set to STRICT
C.VirtualService with tls configuration
D.ServiceEntry with mTLS enabled
AnswerB

PeerAuthentication defines the mTLS mode for workloads. Setting mode: STRICT enforces mTLS.

216
MCQeasy

What is the default seccomp profile applied when a pod's security context has 'seccompProfile.type: RuntimeDefault'?

A.The profile defined in /var/lib/kubelet/seccomp/default.json
B.Unconfined (no seccomp)
C.The Docker default profile, which blocks around 300 syscalls
D.The container runtime's default seccomp profile, which blocks around 40 syscalls
AnswerD

RuntimeDefault instructs the container runtime (e.g., containerd) to apply its own default seccomp policy.

Why this answer

Option D is correct because when `seccompProfile.type: RuntimeDefault` is set in a pod's security context, the container runtime (e.g., containerd or CRI-O) applies its own default seccomp profile. This runtime default profile is a curated allowlist that blocks approximately 40 syscalls known to be dangerous or unnecessary for containers, providing a balance between security and compatibility. It is not the Docker default (which blocks ~300 syscalls) but a more permissive profile tailored to the runtime's container model.

Exam trap

CNCF often tests the misconception that `RuntimeDefault` refers to Docker's legacy default profile (which blocks ~300 syscalls), when in fact it refers to the container runtime's own default (which blocks ~40 syscalls), and candidates may confuse it with `Unconfined` or a custom localhost path.

How to eliminate wrong answers

Option A is wrong because `/var/lib/kubelet/seccomp/default.json` is a custom seccomp profile path that can be specified via `seccompProfile.type: Localhost`, not the default applied by `RuntimeDefault`. Option B is wrong because `Unconfined` is a separate seccomp profile type (`seccompProfile.type: Unconfined`) that disables seccomp entirely, whereas `RuntimeDefault` explicitly enables the runtime's default restrictions. Option C is wrong because the Docker default profile blocks around 300 syscalls and is not the profile applied by `RuntimeDefault`; the runtime default (e.g., containerd's) is more permissive, blocking only about 40 syscalls, and is independent of Docker's profile.

217
Multi-Selectmedium

Which THREE of the following are valid fields in an EncryptionConfiguration YAML to encrypt secrets at rest?

Select 3 answers
A.providers
B.resources
C.apiVersion
D.key
E.kind
AnswersB, C, E

Correct. Specifies which resources to encrypt.

Why this answer

Option B is correct because `resources` is a valid field in an EncryptionConfiguration YAML that specifies which Kubernetes resources (e.g., secrets) should be encrypted. The EncryptionConfiguration object defines how to encrypt data at rest in etcd, and the `resources` field lists the resource types to encrypt, such as `secrets`. Without this field, the encryption configuration would not know which resources to apply encryption to.

Exam trap

CNCF often tests the distinction between top-level fields and nested fields in EncryptionConfiguration, so candidates mistakenly select `providers` as a top-level field when it actually belongs under `resources`.

218
MCQmedium

A security best practice is to avoid storing sensitive data in environment variables. Instead, secrets should be mounted as volumes. Which of the following YAML snippets correctly mounts a Kubernetes Secret named 'db-secret' as a volume at /etc/secrets?

A.volumes: - name: secret-volume secret: name: db-secret containers: - name: app volumeMounts: - name: secret-volume mountPath: /etc/secrets
B.volumes: - name: secret-volume configMap: name: db-secret containers: - name: app volumeMounts: - name: secret-volume mountPath: /etc/secrets
C.volumes: - name: secret-volume secret: secretName: db-secret containers: - name: app volumeMounts: - name: secret-volume mountPath: /etc/secrets
D.containers: - name: app env: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password
AnswerC

This correctly defines a secret volume and mounts it at /etc/secrets.

Why this answer

Option A shows the correct syntax for mounting a secret as a volume. Option B uses ConfigMap, C has wrong field name, D uses env var.

219
MCQmedium

You need to detect any attempt to read /etc/shadow inside a container using Falco. Which macro would you use in the condition?

A.open_write and fd.name=/etc/shadow
B.open_read and fd.name=/etc/shadow
C.syscall.type=open and fd.name=/etc/shadow
D.spawned_process and proc.name=cat
AnswerB

open_read matches read opens, and fd.name checks the file path.

Why this answer

The 'open_read' macro matches open syscalls with read access. The 'fd.name' field matches the file path. Combining them detects reads to /etc/shadow.

220
Multi-Selecthard

Which THREE of the following are best practices for securing the software supply chain in Kubernetes?

Select 3 answers
A.Run containers as root to avoid permission issues
B.Sign container images and verify signatures in the CI/CD pipeline
C.Use admission controllers like OPA/Gatekeeper to enforce image policies
D.Use mutable tags like 'latest' for easier updates
E.Scan container images for known vulnerabilities before deployment
AnswersB, C, E

Signing ensures image integrity and authenticity.

Why this answer

Scanning images for vulnerabilities, signing images, and enforcing policies with admission controllers are key practices. Running containers as root is insecure. Using mutable tags (like latest) is discouraged.

221
Multi-Selecthard

Which THREE of the following are characteristics of container sandboxing runtimes like gVisor and Kata Containers?

Select 3 answers
A.They eliminate the need for seccomp profiles
B.They require setting spec.runtimeClassName in the pod spec
C.They have higher performance overhead compared to runc
D.They share the host kernel directly
E.They provide stronger isolation than default runc
AnswersB, C, E

To use a specific runtime, you set runtimeClassName to a RuntimeClass that defines the handler.

Why this answer

They provide stronger isolation than default runc, have performance overhead, and are selected via RuntimeClass. They do not share the host kernel directly; Kata uses a lightweight VM, gVisor uses a user-space kernel.

222
Multi-Selectmedium

Which TWO of the following are valid audit levels in a Kubernetes audit policy? (Select TWO.)

Select 2 answers
A.Response
B.None
C.Metadata
D.Log
E.Full
AnswersB, C

Correct. None means do not log events.

Why this answer

Audit levels are None, Metadata, Request, RequestResponse. 'Full' is not valid; 'Response' is not a level; 'Log' is not a level.

223
MCQhard

A cluster uses PodSecurity admission. A namespace has the label 'pod-security.kubernetes.io/enforce: baseline'. A user creates a pod that runs a container with 'privileged: true'. What happens?

A.The pod is rejected by the admission controller.
B.The pod is created but flagged with a warning.
C.The pod is created successfully because privileged is allowed at baseline.
D.The pod is created but the privileged setting is ignored.
AnswerA

Correct. The enforce level blocks pods that violate the policy.

Why this answer

The baseline policy does not allow privileged containers. The admission controller will reject the pod creation.

224
MCQhard

A cluster has audit logging enabled with a policy that sets 'RequestResponse' level for all resources. The cluster is experiencing high etcd write load. Which change would reduce the load MOST effectively?

A.Change the policy level to 'Metadata' for high-volume resources
B.Add a rule to log 'RequestResponse' only for create and delete operations
C.Change the policy level to 'Request' for all resources
D.Set the audit log backend to 'webhook' instead of 'log'
AnswerA

Why this answer

RequestResponse logs the full request and response objects, which are large and increase load. Changing the level to Metadata reduces the amount of data written. Option A is correct.

Option B increases load. Option C captures even more data. Option D is not a valid stage to modify for reducing load.

225
MCQmedium

Which of the following is a best practice for securing container images?

A.Hardcode passwords in Dockerfile as environment variables for convenience
B.Use minimal base images like distroless or Alpine
C.Use the latest tag for base images to get the newest features
D.Run containers as root to simplify permission management
AnswerB

Minimal images reduce the attack surface and number of vulnerabilities.

Why this answer

Option D is correct. Using distroless or Alpine base images reduces the attack surface by minimizing packages and vulnerabilities. Options A, B, and C are insecure practices.

Page 2

Page 3 of 14

Page 4