Certified Kubernetes Security Specialist CKS (CKS) — Questions 226300

997 questions total · 14pages · All types, answers revealed

Page 3

Page 4 of 14

Page 5
226
MCQmedium

A cluster administrator has configured EncryptionConfiguration to encrypt secrets at rest using a local key. After applying the configuration, the administrator creates a new secret. How can they verify that the secret is encrypted at rest?

A.Run kubectl get secret -o yaml and check for an encryption annotation.
B.Use kubectl describe secret and look for 'Encrypted: true'.
C.Check the apiserver logs for encryption status messages.
D.Use etcdctl to read the secret directly from etcd and verify it is encrypted.
AnswerD

Directly reading from etcd shows the encrypted value, verifying encryption at rest.

Why this answer

The encryption is transparent to clients; you can verify by reading the raw data from etcd or enabling audit logging. Option A is correct: direct etcd access shows encrypted data.

227
Multi-Selecthard

Which THREE are valid ways to restrict access to the Kubernetes API server?

Select 3 answers
A.Disable anonymous authentication
B.Enable RBAC authorization mode
C.Use webhook token authentication
D.Use TLS client certificate authentication
E.Set the API server's bind address to 0.0.0.0
AnswersA, B, D

Prevents unauthenticated access.

Why this answer

A is correct because disabling anonymous authentication (via the `--anonymous-auth=false` flag on the API server) removes the ability for unauthenticated requests to reach the API server. This forces all requests to present valid credentials, thereby restricting access to only authenticated users.

Exam trap

CNCF often tests the distinction between authentication (who you are) and authorization (what you can do), so candidates may mistakenly think webhook token authentication restricts access when it only identifies the user, and may overlook that binding to 0.0.0.0 is a security risk, not a restriction.

228
MCQhard

A cluster has the ImagePolicyWebhook admission controller enabled. A pod creation is denied with the message 'image policy check failed'. The webhook server returns an error. Which of the following could be a valid reason?

A.The image is not signed by a trusted authority
B.The container runtime is out of date
C.The image tag does not exist in the registry
D.The pod specification has a hostNetwork: true
AnswerA

The webhook can be configured to require signatures, and if missing, the pod is denied.

Why this answer

The ImagePolicyWebhook can reject images based on external policy. If the image is not signed or the signature cannot be verified, the webhook may deny the request.

229
Multi-Selecteasy

Which TWO tools can be used to directly interact with the container runtime (without going through the Kubernetes API) for troubleshooting?

Select 2 answers
A.kubelet
B.docker
C.ctr
D.crictl
E.kubectl
AnswersC, D

Correct. ctr is a CLI for containerd, the underlying runtime.

Why this answer

crictl and ctr are CLI tools for interacting with the CRI-compatible container runtime (e.g., containerd). kubectl goes through the API server. docker is not typically used in Kubernetes nodes (unless using Docker as runtime).

230
MCQhard

You are writing a Rego policy for OPA/Gatekeeper to deny pods that do not have runAsNonRoot set to true. Which Rego statement should the ConstraintTemplate contain?

A.violation[msg] { not input.request.object.spec.securityContext.runAsNonRoot == true }
B.deny[msg] { input.request.object.spec.securityContext.runAsNonRoot == true }
C.allow[msg] { input.request.object.spec.securityContext.runAsNonRoot == false }
D.deny[msg] { input.request.object.spec.containers[_].securityContext.runAsNonRoot == true }
AnswerA

This triggers a violation when runAsNonRoot is not true.

Why this answer

Deny rules in Rego return false to reject the request. A violation is typically a rule that evaluates to true when the policy is violated. The deny or violation rule must return true if the condition is not met.

Option B correctly checks that runAsNonRoot is not true and returns true (violation).

231
Multi-Selecteasy

Which TWO of the following are valid priority levels in Falco rules?

Select 2 answers
A.MEDIUM
B.LOW
C.WARNING
D.HIGH
E.CRITICAL
AnswersC, E

Correct: WARNING is a valid priority.

Why this answer

Falco priority levels include EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Option B (HIGH) is not a standard priority; it's CRITICAL. Option D (LOW) is not standard; it's NOTICE or INFO.

Option E (MEDIUM) is not standard; it's WARNING or NOTICE.

232
Multi-Selectmedium

Which TWO of the following are CIS Benchmark recommendations for securing the Kubernetes API server? (Select TWO)

Select 2 answers
A.Disable RBAC
B.Enable audit logging
C.Disable anonymous authentication
D.Enable anonymous authentication
E.Use TLS 1.0
AnswersB, C

Audit logging is recommended to monitor API requests.

Why this answer

Option B is correct because the CIS Benchmark for Kubernetes recommends enabling audit logging to record all API server requests, which is essential for security monitoring, incident response, and compliance. Audit logs capture the sequence of actions performed by users, administrators, and system components, providing an immutable record that can be analyzed for suspicious activity or policy violations.

Exam trap

CNCF often tests the distinction between authentication and authorization, so candidates may confuse disabling anonymous authentication (a correct security practice) with enabling RBAC (also correct), but the trap is that the question asks for two specific CIS Benchmark recommendations, and disabling RBAC is never recommended—it is a dangerous misconfiguration.

233
Multi-Selectmedium

Which two of the following are best practices for container image security? (Select TWO.)

Select 2 answers
A.Maximize the number of layers to improve caching
B.Run containers as a non-root user
C.Use pinned SHA digests for base images
D.Use the 'latest' tag for flexibility
E.Use old base images to avoid breaking changes
AnswersB, C

Non-root users limit the impact of a container compromise.

Why this answer

Options A and C are correct. Using pinned SHA digests ensures immutability and prevents unexpected updates. Running as non-root reduces security risks.

Option B is wrong because the 'latest' tag introduces uncertainty. Option D is wrong; multiple layers increase build time and can hide vulnerabilities. Option E is wrong because base images should be kept up-to-date to fix CVEs.

234
MCQeasy

Which kubectl command creates a validating webhook configuration that calls an external HTTPS endpoint for pod validation?

A.kubectl create admission webhook --validate
B.kubectl run webhook --image=...
C.kubectl apply -f webhook.yaml
D.kubectl create validatingwebhookconfiguration --url=https://...
AnswerC

Correct. The ValidatingWebhookConfiguration is defined in a YAML file and applied with kubectl apply.

Why this answer

The correct way is to create a YAML file for a ValidatingWebhookConfiguration resource and apply it with kubectl apply. There is no kubectl create command for webhook configurations directly; you must use a manifest.

235
MCQmedium

Which kubectl command can be used to view the audit log policy currently in use by the API server?

A.kubectl logs -n kube-system kube-apiserver-<node> | grep audit
B.kubectl describe clusterrolebinding audit
C.kubectl get -n kube-system pods kube-apiserver-<node> -o yaml | grep audit-policy-file
D.kubectl get auditpolicy
AnswerC

This command retrieves the API server manifest and shows the audit policy file path.

Why this answer

Option C is correct because the audit policy file path is specified in the kube-apiserver manifest (usually a static pod YAML in /etc/kubernetes/manifests/). Running `kubectl get pod kube-apiserver-<node> -n kube-system -o yaml` and grepping for `audit-policy-file` reveals the exact path to the policy file currently in use, which is the authoritative way to confirm which audit policy the API server is loading.

Exam trap

The trap here is that candidates assume audit logs can be viewed via `kubectl logs` (Option A) or that audit policies are a native Kubernetes resource (Option D), when in fact the audit policy is a file referenced by a command-line flag in the API server manifest and must be inspected indirectly.

How to eliminate wrong answers

Option A is wrong because `kubectl logs` shows the API server's runtime logs, which may contain audit log entries but does not reveal the audit policy file path or its contents; grepping for 'audit' in logs is unreliable and not the intended method to view the policy. Option B is wrong because `clusterrolebinding audit` is not a standard Kubernetes resource; there is no default ClusterRoleBinding named 'audit' related to audit policies, and this command would fail or return unrelated RBAC information. Option D is wrong because `kubectl get auditpolicy` is not a valid kubectl command; audit policies are not a native Kubernetes API resource and cannot be retrieved with `kubectl get`.

236
Multi-Selecthard

Which TWO of the following are valid AppArmor profile modes? (Select 2 correct answers)

Select 2 answers
A.enforce
B.disabled
C.audit
D.unconfined
E.complain
AnswersA, E

Enforce mode blocks violations and logs them.

Why this answer

AppArmor profiles can be in enforce or complain mode. Unconfined is a state (no profile), not a mode. Profile modes are enforce, complain, and kill (not listed).

Options C and D are not modes.

237
MCQhard

You are investigating a pod suspected of being compromised. Which set of commands would provide the most useful forensic evidence without altering the container's state?

A.kubectl logs <pod> && kubectl describe pod <pod>
B.kubectl cp <pod>:/ -c <container> /tmp/forensic && kubectl logs <pod> --previous
C.kubectl exec <pod> -- cat /proc/1/cmdline && kubectl exec <pod> -- ls -la /
D.kubectl exec -it <pod> -- bash && kubectl exec <pod> -- cat /var/log/syslog
AnswerB

Correct. Copying the entire container filesystem preserves evidence without altering the running container, and --previous logs capture the terminated container's output.

Why this answer

Using 'kubectl exec' with '--' to run commands inside the container is invasive and may alter state. Using 'kubectl cp' to copy the container's filesystem out allows offline analysis without changing the running container. Option C is the most forensically sound approach.

238
MCQmedium

A CI pipeline uses 'checkov' to scan Kubernetes manifests. Which of the following is a common checkov check related to supply chain security?

A.CKV_K8S_2: Ensure that the container has a read-only root filesystem
B.CKV_K8S_4: Ensure that the container uses a non-root user
C.CKV_K8S_3: Ensure that the image is signed
D.CKV_K8S_1: Pod Security Policy
AnswerC

Checkov can check for image signature verification annotations.

Why this answer

Checkov includes checks for verifying image signatures as part of supply chain security.

239
MCQhard

You are responsible for securing a multi-tenant Kubernetes cluster that uses kubeadm for bootstrapping. The cluster has three control plane nodes and five worker nodes, all running Ubuntu 22.04. A recent security scan discovered that the etcd data directory is not encrypted at rest. The cluster stores sensitive customer data in secrets. You plan to enable encryption at rest for etcd. You have already created an encryption configuration file and placed it at /etc/kubernetes/encryption-config.yaml. The cluster is currently running Kubernetes v1.28.0 with etcd v3.5.9. You need to ensure that all existing and new secrets are encrypted. You also want to minimize downtime. Which of the following steps should you take?

A.Edit the etcd configuration to use the encryption config file directly
B.Add --experimental-encryption-provider-config=/etc/kubernetes/encryption-config.yaml to the kube-apiserver manifest and restart the kubelet
C.Move the etcd data directory to an encrypted filesystem using LUKS
D.Add --encryption-provider-config=/etc/kubernetes/encryption-config.yaml to the kube-apiserver manifest, then kubelet will automatically restart the static pod
AnswerD

Correct flag and automatic restart by kubelet.

Why this answer

Option D is correct because in Kubernetes v1.28, the `--experimental-encryption-provider-config` flag has been graduated to stable and renamed to `--encryption-provider-config`. Adding this flag to the kube-apiserver manifest (static pod YAML) causes the kubelet to automatically restart the static pod when the manifest file changes, minimizing downtime. This ensures both existing and new secrets are encrypted using the configured provider (e.g., AES-CBC or secretbox) as the apiserver rewrites existing secrets on startup.

Exam trap

The trap here is that candidates may confuse the deprecated `--experimental-encryption-provider-config` flag with the stable `--encryption-provider-config` flag, or think they need to manually restart the kubelet or modify etcd directly, when in fact the kubelet auto-restarts static pods and the apiserver handles encryption transparently.

How to eliminate wrong answers

Option A is wrong because etcd does not directly consume the encryption configuration file; the kube-apiserver is the component that encrypts/decrypts data before storing it in etcd. Option B is wrong because `--experimental-encryption-provider-config` is deprecated in Kubernetes v1.28 and the correct flag is `--encryption-provider-config`; additionally, restarting the kubelet is unnecessary as the kubelet automatically restarts static pods when their manifest changes. Option C is wrong because moving the etcd data directory to an encrypted filesystem (e.g., LUKS) encrypts data at the filesystem level, not at the Kubernetes API level, and does not satisfy the requirement to encrypt secrets at rest via the encryption configuration; it also requires etcd downtime and does not leverage the native Kubernetes encryption provider mechanism.

240
Drag & Dropmedium

Arrange the steps to configure and use kube-bench to audit a Kubernetes cluster's security.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

kube-bench audits CIS benchmarks. After installation, run it, analyze results, remediate, and re-audit.

241
MCQeasy

Which flag should be set on the kube-apiserver to disable anonymous authentication?

A.--enable-anonymous=false
B.--anonymous-auth=false
C.--anonymous-enabled=false
D.--authentication-mode=Anonymous
AnswerB

This flag disables anonymous authentication.

Why this answer

Option B is correct because the `--anonymous-auth=false` flag explicitly disables anonymous authentication on the kube-apiserver. By default, anonymous requests are allowed (with a system:anonymous user), so setting this flag to false prevents unauthenticated users from accessing the API server. This is a key hardening measure to ensure only authenticated clients can interact with the cluster.

Exam trap

The trap here is that candidates confuse the `--anonymous-auth` flag with non-existent variants like `--enable-anonymous` or `--anonymous-enabled`, or mistakenly think anonymous authentication is controlled via an `--authentication-mode` flag.

How to eliminate wrong answers

Option A is wrong because `--enable-anonymous=false` is not a valid kube-apiserver flag; the correct flag uses `--anonymous-auth`, not `--enable-anonymous`. Option C is wrong because `--anonymous-enabled=false` is not a recognized flag; the kube-apiserver uses `--anonymous-auth` to control anonymous access. Option D is wrong because `--authentication-mode=Anonymous` does not exist; authentication modes are configured via `--authorization-mode` and `--authentication-token-webhook`, and anonymous authentication is controlled by the `--anonymous-auth` flag, not a mode setting.

242
MCQhard

A pod is in a CrashLoopBackOff state. You run 'kubectl logs pod-name' and see: 'Error: failed to start container: exec: "/app": stat /app: no such file or directory'. What is the most likely cause?

A.The pod is out of memory
B.The container's working directory is incorrect
C.The pod has a liveness probe that is failing
D.The container image is missing the /app executable
AnswerD

Correct. The container is trying to run /app, but the file does not exist in the image.

Why this answer

The error message 'exec: "/app": stat /app: no such file or directory' indicates that the container runtime (e.g., containerd) cannot find the executable specified in the container's ENTRYPOINT or CMD. This occurs when the container image does not include the /app binary or script at that path, causing the container to fail immediately on start and enter CrashLoopBackOff. Option D correctly identifies that the container image is missing the /app executable.

Exam trap

CNCF often tests the distinction between container startup failures (e.g., missing executable) and runtime failures (e.g., probe failures or resource limits), so candidates may confuse a liveness probe failure (which occurs after the container is running) with an exec error that prevents the container from starting at all.

How to eliminate wrong answers

Option A is wrong because an out-of-memory (OOM) condition would typically result in an OOMKilled status or a different error in logs, such as 'container exited with code 137', not a 'no such file or directory' exec error. Option B is wrong because an incorrect working directory (WORKDIR) does not prevent the container from starting; the container would still execute the entrypoint, though it might fail later if it tries to access files relative to that directory. Option C is wrong because a failing liveness probe would cause the container to be restarted by kubelet after the probe fails, but the initial startup error is a container runtime exec failure, not a probe-related issue.

243
Drag & Dropmedium

Order the steps to recover a Kubernetes cluster after a control plane failure where the API server certificate has expired.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Recovery involves identifying expired certs, renewing, restarting components, verifying, and updating configs.

244
MCQmedium

A security policy requires that containers should drop all capabilities and only add back the specific capabilities needed. Which YAML snippet correctly implements this for a container?

A.securityContext: capabilities: drop: ["ALL"] add: ["ALL"]
B.securityContext: capabilities: drop: ["ALL"] add: ["NET_BIND_SERVICE"]
C.securityContext: capabilities: drop: ["CHOWN","DAC_OVERRIDE"]
D.securityContext: capabilities: add: ["NET_BIND_SERVICE"] drop: ["ALL"]
AnswerB

Correctly drops all capabilities then adds only the needed one, following the principle of least privilege.

Why this answer

Option B is correct because it first drops all capabilities with `drop: ["ALL"]` and then adds back only the specific capability needed (`NET_BIND_SERVICE`), which satisfies the security policy of least privilege. The order of `drop` and `add` in the YAML does not matter; Kubernetes processes both directives to produce the final capability set.

Exam trap

CNCF often tests the misconception that the order of `add` and `drop` in the YAML matters, or that dropping only a few capabilities is sufficient, when the policy explicitly requires dropping all capabilities first and then adding back only what is needed.

How to eliminate wrong answers

Option A is wrong because it adds back `ALL` capabilities after dropping them, effectively granting every capability and violating the policy of least privilege. Option C is wrong because it only drops two specific capabilities (`CHOWN` and `DAC_OVERRIDE`) but does not drop all capabilities, leaving many others enabled by default. Option D is wrong because although it drops all capabilities and adds `NET_BIND_SERVICE`, the order of `add` and `drop` in the YAML is irrelevant; the real issue is that the answer choices are designed to test recognition of the correct syntax, and D is identical in effect to B but presented in a different order, which is not a technical error but the exam expects the canonical form shown in B.

245
MCQeasy

Which of the following is a best practice when writing a Dockerfile for a containerized application?

A.Run the application as the root user for file permissions
B.Use a minimal base image such as distroless or alpine
C.Hardcode credentials in the Dockerfile for convenience
D.Use the latest tag for the base image to get the newest features
AnswerB

Minimal images reduce the number of packages and potential vulnerabilities.

Why this answer

Using a minimal base image reduces the attack surface. The other options are not best practices.

246
MCQmedium

A security team wants to ensure that all API requests to the cluster are authenticated and uses RBAC for authorization. Which two flags must be set on the kube-apiserver?

A.--anonymous-auth=false --authorization-mode=Webhook
B.--enable-admission-plugins=NodeRestriction --authorization-mode=AlwaysAllow
C.--anonymous-auth=true --authorization-mode=ABAC
D.--anonymous-auth=false --authorization-mode=RBAC
AnswerD

Setting --anonymous-auth=false disables anonymous access, and --authorization-mode=RBAC enables RBAC authorization. Together they enforce authenticated access with RBAC.

Why this answer

Option D is correct because setting --anonymous-auth=false disables unauthenticated requests, ensuring all API calls require authentication, and --authorization-mode=RBAC enforces Role-Based Access Control for authorization. This combination aligns with the security team's requirement for authenticated and RBAC-authorized API requests, as RBAC is the standard Kubernetes authorization mode for fine-grained access control.

Exam trap

The trap here is that candidates may confuse authentication with authorization, thinking that setting --anonymous-auth=false alone satisfies the requirement, or they may mistakenly choose ABAC (option C) because it is an authorization mode, but the question explicitly requires RBAC, not ABAC.

How to eliminate wrong answers

Option A is wrong because --authorization-mode=Webhook delegates authorization to an external HTTP service, not RBAC, and --anonymous-auth=false alone does not enforce RBAC. Option B is wrong because --authorization-mode=AlwaysAllow permits all requests without any authorization checks, violating the requirement for RBAC, and --enable-admission-plugins=NodeRestriction is an admission controller, not an authorization mode. Option C is wrong because --anonymous-auth=true allows unauthenticated requests, bypassing authentication, and --authorization-mode=ABAC uses Attribute-Based Access Control, not RBAC.

247
Multi-Selectmedium

Which TWO of the following are valid methods to apply a seccomp profile to a Kubernetes pod? (Select two.)

Select 2 answers
A.Using the field: spec.seccompProfile
B.Using the pod annotation: seccomp.security.alpha.kubernetes.io/pod
C.Using the field: securityContext.seccompProfile.type
D.Using the command line flag: --seccomp-profile when running kubectl run
E.Using the pod annotation: container.seccomp.security.alpha.kubernetes.io
AnswersB, C

This deprecated annotation can still be used to apply seccomp profiles.

Why this answer

Option B is correct because the seccomp.security.alpha.kubernetes.io/pod annotation was the original method to apply a seccomp profile to an entire pod in Kubernetes versions prior to v1.19. This annotation specifies the seccomp profile path or type (e.g., 'runtime/default' or 'localhost/<profile>') for the pod's containers, and it remains valid in older clusters or when using legacy configurations.

Exam trap

CNCF often tests the distinction between the GA field (securityContext.seccompProfile) and the deprecated annotation method, and candidates may confuse the incomplete annotation format (e.g., missing container name) with a valid option.

248
Multi-Selectmedium

Which TWO of the following are secure practices for managing secrets in Kubernetes? (Select TWO.)

Select 2 answers
A.Store secrets as environment variables
B.Use a CSI driver to mount secrets as volumes
C.Embed secrets in container images
D.Use an external secrets manager like Vault with a sidecar
E.Store secrets in a ConfigMap
AnswersB, D

Correct.

Why this answer

Mounting secrets as volumes and using external secret managers like HashiCorp Vault are recommended practices.

249
MCQhard

You have a Pod that uses a ServiceAccount token mounted via a projected volume. You want to ensure that the token has an expiration time and that the pod is not using a long-lived token. What is the most secure way to mount the token?

A.Mount the default service account token at /var/run/secrets/kubernetes.io/serviceaccount
B.Use a projected volume with 'serviceAccountToken' and set 'expirationSeconds'
C.Set automountServiceAccountToken: false and manually mount a Secret containing a token
D.Use a ConfigMap to inject the token
AnswerB

Projected volumes allow you to request a time-bound token.

250
MCQmedium

Which of the following is the correct kubectl command to view the OPA Gatekeeper ConstraintTemplates in the cluster?

A.kubectl get gatekeeper-constrainttemplates
B.kubectl describe opa constrainttemplate
C.kubectl get constrainttemplates
D.kubectl get crd -o name | grep constraint
AnswerC

This lists all ConstraintTemplate resources.

Why this answer

Option B is correct. Gatekeeper ConstraintTemplates are custom resources, typically listed with `kubectl get constrainttemplates`. Option A uses an incorrect resource name.

Option C uses a different command. Option D is a generic command that might not list all ConstraintTemplates.

251
Multi-Selecthard

Which THREE of the following are recommended steps during incident response for a compromised pod?

Select 3 answers
A.Apply a NetworkPolicy to isolate the pod
B.Restart the pod by deleting and recreating it
C.Delete the pod immediately to stop the attack
D.Use kubectl exec to collect running processes and network connections
E.Preserve the pod and its logs for investigation
AnswersA, D, E

Isolation prevents further damage.

Why this answer

Isolating the pod via NetworkPolicy, preserving evidence by not deleting the pod, and collecting forensic data using kubectl exec are recommended. Deleting the pod immediately and restarting it are not recommended as they destroy evidence.

252
Multi-Selecthard

Which TWO practices improve supply chain security for container images? (Select two.)

Select 2 answers
A.Scanning images for CVEs before deployment
B.Storing secrets in the Dockerfile
C.Signing images with Cosign
D.Using the 'latest' tag for easy updates
E.Running containers as root
AnswersA, C

Scanning detects known vulnerabilities and reduces risk.

Why this answer

Using signed images and scanning for vulnerabilities are key supply chain security practices. Options A and C are correct.

253
Multi-Selectmedium

Which THREE of the following are restrictions enforced by the 'baseline' Pod Security Standard? (Select three.)

Select 3 answers
A.Host network access (hostNetwork) is not allowed
B.Capabilities must be limited to a minimal set (drop: ["ALL"] is not required but must not add dangerous capabilities)
C.Seccomp profile must be set to RuntimeDefault or Localhost
D.Privilege escalation must be disabled (AllowPrivilegeEscalation: false)
E.Containers must run as non-root (runAsNonRoot: true)
AnswersB, D, E

Baseline restricts capabilities but does not require dropping all.

Why this answer

The baseline standard restricts: (A) privilege escalation (allowPrivilegeEscalation must be false), (B) running as root (must set runAsNonRoot: true), and (C) adds some capability restrictions. (D) is not a baseline restriction; hostNetwork is allowed in baseline. (E) is not a restriction; seccomp is not required in baseline.

254
MCQmedium

An administrator wants to perform static analysis on Kubernetes manifest files to find security misconfigurations. Which tool is specifically designed for this?

A.Trivy
B.Cosign
C.Kubesec
D.Syft
AnswerC

Kubesec is a static analysis tool that evaluates Kubernetes YAML files against security best practices.

Why this answer

Kubesec is a static analysis tool for Kubernetes resources. Checkov and others serve similar but broader purposes, but Kubesec is specifically named.

255
MCQeasy

Which of the following is a recommended Dockerfile best practice to improve container security?

A.Hardcode secrets in environment variables in the Dockerfile
B.Run the container as root to simplify permission management
C.Use a non-root user with USER directive
D.Copy the entire host filesystem into the image
AnswerC

Non-root user minimizes privileges.

Why this answer

Using a non-root user limits the privileges within the container, reducing the impact of a compromise.

256
Multi-Selectmedium

Which TWO of the following are recommended actions to harden service account security in a Kubernetes cluster? (Select TWO)

Select 2 answers
A.Delete all service accounts except the default one
B.Use a single service account for all workloads
C.Avoid granting cluster-admin ClusterRole to service accounts
D.Grant cluster-admin to all service accounts for simplicity
E.Disable automountServiceAccountToken for pods that do not require API access
AnswersC, E

Cluster-admin should be reserved for break-glass scenarios.

Why this answer

Option C is correct because granting the cluster-admin ClusterRole to a service account provides unrestricted superuser access across the entire cluster, violating the principle of least privilege. The CKS exam emphasizes that service accounts should be bound only to the minimal RBAC permissions required for their function, and cluster-admin should never be used for routine workloads.

Exam trap

CNCF often tests the misconception that deleting all non-default service accounts or using a single shared service account simplifies management, when in fact these actions break security boundaries and are explicitly discouraged in Kubernetes hardening guides.

257
MCQmedium

You want to ensure that a pod only runs on nodes that have a specific label, 'disktype=ssd'. Which field should be specified in the pod spec?

A.affinity.nodeAffinity
B.nodeName
C.nodeSelector
D.tolerations
AnswerC

nodeSelector is a simple field that selects nodes with matching labels.

Why this answer

C is correct because `nodeSelector` is the simplest and most direct field in a Pod spec for constraining which nodes the Pod can be scheduled on based on node labels. By setting `nodeSelector` with `disktype: ssd`, the scheduler will only place the Pod on nodes that have that exact label key-value pair, making it the ideal choice for this straightforward label-based scheduling requirement.

Exam trap

CNCF often tests the distinction between `nodeSelector` (simple label match) and `nodeAffinity` (advanced label matching with operators), leading candidates to overcomplicate and choose `nodeAffinity` when `nodeSelector` is the correct, minimal answer.

How to eliminate wrong answers

Option A is wrong because `affinity.nodeAffinity` provides more complex and flexible scheduling rules (e.g., required vs. preferred constraints, matchExpressions with operators like In/NotIn), but it is not the simplest field for a basic label match; the question asks for a field to ensure the pod only runs on nodes with a specific label, and `nodeSelector` is the correct minimal field. Option B is wrong because `nodeName` directly assigns the Pod to a specific node by name, bypassing the scheduler entirely and ignoring labels; it does not use the `disktype=ssd` label and would fail if the named node does not have that label. Option D is wrong because `tolerations` allow a Pod to be scheduled on nodes with matching taints, but they do not actively select nodes based on labels; tolerations only permit scheduling on tainted nodes, they do not enforce that a node must have a specific label.

258
MCQhard

A security incident occurred in a pod running in the 'default' namespace. You need to isolate the pod to prevent further damage while preserving evidence. Which set of commands would BEST achieve this?

A.kubectl label pod pod-name isolate=true
B.kubectl cordon node-name && kubectl drain node-name
C.kubectl apply -f networkpolicy.yaml (deny all ingress/egress) && kubectl exec -it pod-name -- bash
D.kubectl delete pod pod-name
AnswerC

Applies a NetworkPolicy to isolate the pod and uses exec to collect evidence.

Why this answer

Option A correctly isolates the pod by applying a NetworkPolicy that denies all ingress and egress, and then uses 'kubectl exec' to collect forensic data. Options B, C, and D either do not preserve evidence or fail to isolate the pod.

259
MCQmedium

A cluster uses a custom mutating admission webhook that adds a sidecar container to all pods. After an upgrade, the webhook crashes and pods cannot be created. What is the best way to prevent this scenario in future?

A.Run multiple replicas of the webhook
B.Set the webhook's failurePolicy to Ignore
C.Disable admission webhooks in the cluster
D.Create a validating webhook as a backup
AnswerB

Allows pod creation to proceed if webhook is unavailable.

Why this answer

Setting the webhook's failurePolicy to Ignore ensures that if the webhook fails (e.g., crashes or times out), the API server will bypass the webhook and allow the pod creation to proceed. This prevents a single point of failure from blocking all pod creation, which is critical for cluster availability. The default failurePolicy is Fail, which would cause the entire admission request to fail if the webhook is unreachable.

Exam trap

The trap here is that candidates often think high availability (multiple replicas) is sufficient, but the CKS exam tests the understanding that failurePolicy is the direct mechanism to prevent a single webhook failure from blocking all pod creation, regardless of replica count.

How to eliminate wrong answers

Option A is wrong because running multiple replicas of the webhook improves availability but does not prevent the scenario where all replicas crash or the webhook service becomes unreachable; the failurePolicy must be set to Ignore to handle such cases. Option C is wrong because disabling admission webhooks entirely removes the sidecar injection capability and is an overreaction that breaks the intended functionality, not a best practice for resilience. Option D is wrong because a validating webhook cannot serve as a backup for a mutating webhook; it operates on a different phase and cannot perform mutations, and it would also suffer from the same failurePolicy issue if not configured correctly.

260
MCQhard

You are using Open Policy Agent (OPA) Gatekeeper to enforce pod security. You want to create a constraint that denies pods unless they have readOnlyRootFilesystem set to true. Which Rego rule in a ConstraintTemplate correctly implements this?

A.violation[{"msg": msg}] { container := input.review.object.spec.containers[_] container.securityContext.readOnlyRootFilesystem == true msg := "readOnlyRootFilesystem must be true" }
B.violation[{"msg": msg}] { container := input.review.object.spec.containers[_] not container.securityContext.readOnlyRootFilesystem msg := "readOnlyRootFilesystem must be true" }
C.violation[{"msg": msg}] { container := input.review.object.spec.containers[_] not container.securityContext.readOnlyRootFilesystem == false msg := "readOnlyRootFilesystem must be true" }
D.violation[{"msg": msg}] { container := input.review.object.spec.containers[_] container.securityContext.readOnlyRootFilesystem == false msg := "readOnlyRootFilesystem must be true" }
AnswerB

Correctly denies when readOnlyRootFilesystem is not set or false.

Why this answer

The Rego rule should deny when the violation condition holds: the pod spec contains a container without readOnlyRootFilesystem set to true. Option C uses 'not input.review.object.spec.containers[_].securityContext.readOnlyRootFilesystem' to detect missing true.

261
Multi-Selecthard

Which TWO of the following are true about AppArmor profiles in Kubernetes?

Select 2 answers
A.AppArmor profiles can be loaded in 'enforce' or 'complain' mode
B.The profile name in the annotation should be just the profile name without the 'localhost/' prefix
C.If the profile is not loaded on the node, the pod will be rejected
D.The annotation key for a container is 'container.apparmor.security.beta.kubernetes.io/<profile_name>'
E.AppArmor profiles are automatically loaded from a ConfigMap
AnswersA, C

Correct: enforce blocks violations, complain logs them.

Why this answer

Option A is correct because AppArmor profiles operate in two modes: 'enforce' (where violations are blocked and logged) and 'complain' (where violations are only logged without blocking). This is a fundamental characteristic of AppArmor, and Kubernetes supports both modes when referencing profiles via annotations.

Exam trap

The trap here is that candidates often confuse the annotation key format (thinking it uses the profile name instead of the container name) or forget that the 'localhost/' prefix is mandatory when referencing a node-local profile.

262
Multi-Selectmedium

Which TWO admission plugins are recommended by the CIS benchmark to be enabled on the kube-apiserver? (Choose two.)

Select 2 answers
A.AlwaysDeny
B.NodeRestriction
C.ServiceAccount
D.AlwaysAdmit
E.PodSecurityPolicy
AnswersB, C

NodeRestriction limits kubelet permissions and is recommended by CIS.

Why this answer

The CIS Benchmark for Kubernetes recommends enabling the NodeRestriction and ServiceAccount admission plugins on the kube-apiserver. NodeRestriction limits the Node identity's ability to modify Node and Pod objects, enforcing the principle of least privilege for kubelets. ServiceAccount ensures that every Pod is assigned a default ServiceAccount and that the token is automatically mounted, which is essential for secure pod-to-API-server communication.

Exam trap

CNCF often tests the misconception that deprecated or removed plugins like PodSecurityPolicy are still recommended, or that blanket deny/admit plugins are viable hardening measures, when in fact the CIS Benchmark focuses on least-privilege and default-secure plugins like NodeRestriction and ServiceAccount.

263
MCQhard

A security engineer wants to enforce that all images in the cluster must come from a trusted registry 'trusted-registry.io'. They are using OPA/Gatekeeper. Which constraint template and constraint combination would achieve this?

A.A constraint template that checks 'spec.containers[*].image' contains 'trusted-registry.io' and a constraint that denies if it does.
B.A constraint template that allows all images and a constraint that audits violations.
C.A constraint template that checks 'spec.containers[*].image' starts with 'trusted-registry.io/' and a constraint that denies if it does not.
D.A constraint template that checks 'spec.containers[*].image' equals 'trusted-registry.io' and a constraint that denies if it does not.
AnswerC

This correctly validates that every container image originates from the trusted registry.

Why this answer

A Gatekeeper constraint template that validates image registries against an allowed list is appropriate. The other options either allow any registry or use incorrect logic.

264
MCQeasy

A developer wants to sign a container image using Cosign. Which command should they run after building and pushing the image to a registry?

A.cosign sign myrepo/myapp:latest
B.cosign verify myrepo/myapp:latest
C.cosign attest myrepo/myapp:latest
D.cosign generate-key-pair
AnswerA

cosign sign creates a signature for the specified image.

Why this answer

The cosign sign command signs a container image and generates a signature. The other options are incorrect commands or actions.

265
MCQeasy

Which of the following is a characteristic of Kata Containers compared to gVisor?

A.Kata Containers require no additional configuration in Kubernetes
B.Kata Containers have lower overhead than gVisor
C.Kata Containers use lightweight VMs to isolate containers
D.Kata Containers provide a user-space kernel that intercepts system calls
AnswerC

Kata Containers run each container in its own VM for strong isolation.

Why this answer

Option B is correct. Kata Containers use lightweight virtual machines to provide strong isolation, while gVisor uses a user-space kernel for sandboxing. Option A is true for gVisor, not Kata.

Option C is not correct; both have overhead. Option D is not correct; both have similar integration complexity.

266
MCQeasy

What is the recommended way to provide TLS certificates to the API server?

A.Use --tls-cert-file and --tls-private-key-file flags
B.Store certificates in a ConfigMap and mount them
C.Place certificates in /etc/kubernetes/pki/ without additional flags
D.Use --client-ca-file only
AnswerA

These flags directly specify the certificate and key files.

Why this answer

The recommended way to provide TLS certificates to the API server is by using the `--tls-cert-file` and `--tls-private-key-file` flags. These flags explicitly point the kube-apiserver to the certificate and key files, ensuring the server presents a valid TLS certificate for encrypted HTTPS communication. This is the standard, documented method for configuring TLS on the API server, as it allows the server to authenticate itself to clients.

Exam trap

The trap here is that candidates often confuse the purpose of `--client-ca-file` (for client authentication) with the server TLS flags, or assume that placing certificates in `/etc/kubernetes/pki/` is sufficient without setting the corresponding flags, because kubeadm automates this but the exam tests manual configuration knowledge.

How to eliminate wrong answers

Option B is wrong because ConfigMaps are designed for storing non-sensitive configuration data, not TLS private keys, which must be kept confidential; mounting a ConfigMap would expose the private key in plaintext, violating security best practices. Option C is wrong because while `/etc/kubernetes/pki/` is the default directory for certificates on a kubeadm cluster, the API server does not automatically load certificates from this path without the corresponding `--tls-cert-file` and `--tls-private-key-file` flags being set. Option D is wrong because `--client-ca-file` is used to specify the CA certificate for verifying client certificates (mutual TLS), not for providing the server's own TLS certificate and key.

267
MCQmedium

Which of the following is a best practice for storing sensitive information like database passwords in Kubernetes?

A.Use environment variables in the pod spec to pass secrets
B.Mount secrets as volumes in the pod
C.Embed secrets as literals in the pod YAML file
D.Store them in ConfigMaps
AnswerB

Mounting as volumes reduces the risk of exposure through environment variables.

Why this answer

Option C is correct. Mounting secrets as volumes is more secure than using environment variables because secrets are not exposed in the process list or logs. Option A is insecure.

Option B is insecure. Option D is not a standard practice.

268
MCQmedium

You run 'kube-bench' and see a failure: '1.2.7 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate'. What is the impact of this misconfiguration?

A.The apiserver will use the kubelet's own certificate
B.The kubelet will refuse to register with the cluster
C.The apiserver will use anonymous authentication when connecting to kubelets
D.The apiserver will reject all requests to kubelets
AnswerC

kubelet may allow anonymous access if --anonymous-auth is true.

Why this answer

When the API server lacks a properly configured client certificate and key for kubelet communication, it falls back to anonymous authentication when making requests to kubelets. This means the kubelet cannot verify the API server's identity, allowing any unauthenticated request to be processed, which violates the principle of mutual TLS (mTLS) and weakens cluster security.

Exam trap

The trap here is that candidates often assume the API server will simply fail or reject requests when missing client certificates, but in reality, Kubernetes defaults to allowing anonymous authentication unless explicitly disabled, so the impact is a security bypass rather than a denial of service.

How to eliminate wrong answers

Option A is wrong because the API server does not use the kubelet's own certificate; it uses its own client certificate to authenticate to the kubelet, and the kubelet's certificate is used for the server side of the TLS handshake. Option B is wrong because kubelet registration with the cluster depends on the kubelet's bootstrap token or client certificate, not on the API server's kubelet client certificate; the kubelet will still register even if this flag is missing. Option D is wrong because the API server does not reject all requests; instead, it falls back to anonymous authentication, which may still allow requests to succeed but without proper authentication.

269
MCQhard

A security auditor wants to ensure that no container in the cluster has the CAP_SYS_ADMIN capability. Which of the following is the most effective way to enforce this cluster-wide?

A.Add a PodSecurityPolicy that drops CAP_SYS_ADMIN
B.Modify the kubelet to disallow CAP_SYS_ADMIN
C.Implement a mutating admission webhook that automatically drops CAP_SYS_ADMIN from all pods
D.Configure each namespace with 'pod-security.kubernetes.io/enforce: restricted'
AnswerC

An admission webhook can enforce policies cluster-wide automatically.

Why this answer

Option C is correct because a mutating admission webhook intercepts Pod creation requests and can automatically modify the pod spec to drop CAP_SYS_ADMIN before the pod is persisted. This approach works cluster-wide, is not deprecated like PodSecurityPolicy, and does not require modifying node-level components or relying on namespace-level enforcement that only warns or rejects but does not automatically drop capabilities.

Exam trap

The trap here is that candidates confuse Pod Security Standards (PSS) with automatic capability dropping, but the 'restricted' profile only enforces a deny-list on explicit capability requests, not a mutation to drop inherited capabilities.

How to eliminate wrong answers

Option A is wrong because PodSecurityPolicy (PSP) is deprecated since Kubernetes 1.21 and removed in 1.25, so it is not a viable cluster-wide enforcement mechanism for current clusters. Option B is wrong because the kubelet does not have a configuration to disallow specific Linux capabilities; capability enforcement is a pod-level security context concern, not a kubelet-level setting. Option D is wrong because the 'restricted' Pod Security Standard (PSS) profile does not automatically drop CAP_SYS_ADMIN; it only rejects pods that explicitly request it, but pods that do not explicitly set capabilities may still inherit it from the container runtime default.

270
MCQmedium

An administrator runs 'kube-bench run --targets=master' and sees a failing check for 'Ensure that the --audit-log-path argument is set'. What is the correct remediation?

A.Add '--audit-policy-file=/etc/kubernetes/audit-policy.yaml' to the API server
B.Add '--audit-log-path=/var/log/audit.log' to the kube-apiserver
C.Add '--audit-log-path=/var/log/audit.log' to the kube-controller-manager
D.Add '--audit-log-maxsize=100' to the API server
AnswerB

The API server audit log path is set with this flag.

Why this answer

The kube-bench check for 'Ensure that the --audit-log-path argument is set' specifically targets the kube-apiserver component, as it is the primary component that handles API requests and should log them for audit purposes. The correct remediation is to add '--audit-log-path=/var/log/audit.log' to the kube-apiserver's startup arguments, which enables writing audit logs to a specified file path. This ensures that all API server requests are recorded for security monitoring and compliance.

Exam trap

The trap here is that candidates often confuse the audit policy file argument with the audit log path argument, or mistakenly think audit logging applies to other control plane components like the controller-manager, when in fact it is exclusively a kube-apiserver configuration.

How to eliminate wrong answers

Option A is wrong because '--audit-policy-file' defines the audit policy rules (what to log), not the log file path; it is a separate required setting but does not satisfy the check for '--audit-log-path'. Option C is wrong because the kube-controller-manager does not handle API requests directly and is not the target of this audit logging requirement; audit logging is a kube-apiserver responsibility. Option D is wrong because '--audit-log-maxsize' controls the maximum size of a log file before rotation, not the path where logs are written; it is an auxiliary setting, not the primary remediation for the missing log path.

271
MCQhard

You need to detect any unexpected outbound connections from pods in the 'production' namespace. Which Falco rule condition is MOST appropriate?

A.evt.type=sendto and fd.sip != "0.0.0.0"
B.evt.type=connect and container.id != host and not fd.snet in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
C.container.id != host and evt.type=accept
D.proc.name = curl and evt.type=connect
AnswerB

This checks for connect syscalls from containers to non-private IPs, indicating outbound connections to the internet.

Why this answer

The condition should check for outbound connections (evt.type=connect) from a container (container.id != host) to external IPs (not RFC 1918 private IPs or loopback). Option A matches this.

272
MCQmedium

An administrator wants to ensure that no service account in the 'development' namespace has cluster-admin privileges. Which command should be used to identify such bindings?

A.kubectl get serviceaccounts -n development
B.kubectl get clusterrolebindings -o yaml | grep -B 10 namespace: development
C.kubectl get rolebindings -n development --all-namespaces
D.kubectl describe clusterrole cluster-admin
AnswerB

This searches for cluster role bindings that include subjects from the development namespace.

Why this answer

Option B is correct because `ClusterRoleBindings` are cluster-scoped resources that grant permissions across all namespaces, including the `development` namespace. By piping the YAML output through `grep -B 10 namespace: development`, you can identify which `ClusterRoleBinding` references a service account in the `development` namespace, revealing any binding that could grant cluster-admin privileges to that namespace's service accounts.

Exam trap

The trap here is that candidates often confuse `RoleBindings` (namespace-scoped) with `ClusterRoleBindings` (cluster-scoped), assuming that `RoleBindings` can grant cluster-admin privileges, or they mistakenly think listing service accounts or describing the ClusterRole itself will reveal the bindings.

How to eliminate wrong answers

Option A is wrong because `kubectl get serviceaccounts -n development` only lists service accounts in the namespace, not the bindings that grant them permissions; it cannot reveal whether any service account has cluster-admin privileges. Option C is wrong because `kubectl get rolebindings -n development --all-namespaces` is syntactically incorrect (you cannot combine `-n` with `--all-namespaces`), and even if corrected, `RoleBindings` are namespace-scoped and cannot grant cluster-admin privileges (which require a `ClusterRoleBinding`). Option D is wrong because `kubectl describe clusterrole cluster-admin` only describes the permissions of the `cluster-admin` ClusterRole, but does not show which subjects (users, groups, or service accounts) are bound to it, so it cannot identify bindings in the `development` namespace.

273
MCQhard

A Kubernetes cluster is experiencing issues where pods cannot pull images from a private container registry. The registry requires authentication via imagePullSecrets. The cluster has a pod running with the following spec snippet. What is the likely cause of the failure?

A.The secret 'regcred' does not exist in the namespace
B.The service account lacks RBAC permissions to use the secret
C.The pod does not set serviceAccountName to the service account that has the imagePullSecrets
D.The imagePullSecret is of type 'Opaque' instead of 'kubernetes.io/dockerconfigjson'
AnswerC

Without explicit service account, pod uses 'default' SA which has no imagePullSecrets.

Why this answer

The pod spec snippet shows that the pod does not have a `serviceAccountName` field set, meaning it uses the default service account in the namespace. The default service account typically does not have `imagePullSecrets` attached. Even if the secret 'regcred' exists, the pod cannot use it unless the service account associated with the pod has that secret linked via `imagePullSecrets` in the service account definition.

Therefore, the pod fails to authenticate to the private registry.

Exam trap

CNCF often tests the nuance that simply referencing a secret in a pod spec via `imagePullSecrets` is not enough; the pod must be associated with a service account that has that secret attached, or the pod must explicitly list the secret in its own `imagePullSecrets` field.

How to eliminate wrong answers

Option A is wrong because the question states the cluster has a pod running with the given spec, and the secret 'regcred' is referenced in the spec; if the secret did not exist, the pod would fail with a different error (e.g., 'secret not found') and the spec would not be valid. Option B is wrong because RBAC permissions are not required for a service account to use a secret as an imagePullSecret; the secret is referenced directly in the pod spec or via the service account, and no RBAC authorization is needed for pulling images. Option D is wrong because while an Opaque secret is not the correct type for docker registry credentials, the pod spec references 'regcred' which is assumed to be of the correct type; the core issue is the missing service account linkage, not the secret type.

274
MCQhard

You run kube-bench on a node and it reports a failure for control plane component etcd. The check says 'Ensure that the --cert-file and --key-file arguments are set as appropriate'. You examine the etcd manifest file and find that the cert-file and key-file are configured with a self-signed certificate. What is the BEST action to remediate this finding?

A.Add the --trusted-ca-file flag pointing to the CA certificate.
B.Remove the --cert-file and --key-file flags to disable TLS.
C.Change the self-signed certificate to one signed by the Kubernetes CA.
D.Set the --auto-tls flag to true to let etcd automatically generate a certificate.
AnswerC

Using a certificate signed by the Kubernetes CA is a valid approach that satisfies the benchmark.

Why this answer

Option C is correct because kube-bench expects etcd to use certificates signed by a trusted CA (typically the Kubernetes CA) for secure communication. Self-signed certificates are not trusted by default and can lead to man-in-the-middle attacks or connection failures. Replacing the self-signed certificate with one signed by the Kubernetes CA ensures that the certificate chain is validated, aligning with the CIS Benchmark requirement for etcd.

Exam trap

The trap here is that candidates may confuse 'self-signed' with 'auto-generated' (option D) or think that adding a CA file (option A) fixes the issue, but the core requirement is that the certificate itself must be signed by a trusted CA, not just that a CA file is present.

How to eliminate wrong answers

Option A is wrong because adding --trusted-ca-file alone does not address the requirement that the server certificate itself must be signed by a trusted CA; it only specifies which CA to trust for client connections, but the self-signed cert still lacks a proper CA signature. Option B is wrong because removing --cert-file and --key-file disables TLS entirely, which violates the CIS Benchmark requirement for encrypted communication and exposes etcd to unencrypted traffic. Option D is wrong because setting --auto-tls to true enables automatic self-signed certificate generation, which still results in a self-signed certificate that is not trusted by the Kubernetes CA, failing the same check.

275
Multi-Selecthard

Which THREE practices help ensure the integrity and confidentiality of container logs in a Kubernetes cluster?

Select 3 answers
A.Configure the log collector to use TLS when shipping logs to a central system.
B.Set container 'stdout' logging only, avoiding file-based logs.
C.Store logs in a backend that supports encryption at rest (e.g., S3 with SSE).
D.Run log collectors in a dedicated namespace with network policies limiting access.
E.Disable log rotation to prevent log tampering during rotation.
AnswersA, C, D

TLS encrypts logs in transit.

Why this answer

Option A is correct because configuring the log collector to use TLS (e.g., Fluentd with TLS output plugin or Filebeat with SSL/TLS) encrypts log data in transit, preventing eavesdropping or tampering during shipping to a central system like Elasticsearch or Splunk. This directly protects confidentiality and integrity against man-in-the-middle attacks on the network path.

Exam trap

CNCF often tests the misconception that disabling log rotation improves security, but in reality, rotation is a standard operational practice that does not inherently compromise integrity; the trap is confusing operational controls with security controls.

276
MCQhard

A pod runs with 'hostNetwork: true' and 'hostPID: true'. Which security concern is MOST directly increased?

A.The container can access host processes and potentially escape
B.The container can modify iptables rules
C.The container can sniff network traffic of other pods
D.The container can mount the host filesystem
AnswerA

Correct. With hostPID, the container can see all host processes, increasing the risk of container escape.

Why this answer

Both hostNetwork and hostPID expose the container to host-level resources, but hostPID allows the container to see all host processes and potentially interfere with them, which is a direct risk to other workloads and the host itself.

277
Multi-Selectmedium

Which two of the following are recommended by the CIS Kubernetes Benchmark? (Choose two.)

Select 2 answers
A.Use NodePort services for internal communication
B.Enable the insecure port on the API server
C.Disable anonymous authentication on the API server
D.Use the default service account for all pods
E.Enable audit logging on the API server
AnswersC, E

CIS benchmark recommends setting --anonymous-auth=false.

Why this answer

Option C is correct because the CIS Kubernetes Benchmark explicitly recommends disabling anonymous authentication on the API server to prevent unauthenticated access. Anonymous requests bypass all authentication checks and can lead to unauthorized cluster operations if RBAC is not properly scoped. Setting the `--anonymous-auth=false` flag on the API server ensures that only authenticated users can interact with the cluster.

Exam trap

CNCF often tests the misconception that NodePort services are suitable for internal cluster communication, but the trap is that NodePort is designed for external access and introduces unnecessary network exposure, while ClusterIP is the correct internal service type.

278
MCQeasy

Which crictl command is used to view logs from a specific container?

A.crictl exec <container-id>
B.crictl inspect <container-id>
C.crictl ps
D.crictl logs <container-id>
AnswerD

Why this answer

crictl logs <container-id> fetches logs from a container.

279
MCQmedium

An administrator wants to ensure that only images from a specific registry (e.g., myregistry.internal) can run in the cluster. Which tool can be used to enforce this via admission control?

A.Cosign
B.Notary
C.Trivy
D.OPA/Gatekeeper
AnswerD

OPA/Gatekeeper can enforce admission policies, such as restricting images to trusted registries.

Why this answer

OPA/Gatekeeper can enforce policies that restrict allowed registries. Trivy scans images but doesn't enforce policies. Cosign signs images.

Kyverno can also enforce policies, but OPA/Gatekeeper is a common choice for registry allowlisting.

280
MCQmedium

An admin wants to scan a local filesystem for vulnerabilities using Trivy. Which command should they use?

A.trivy image
B.trivy config
C.trivy fs
D.trivy repo
AnswerC

trivy fs scans a filesystem for vulnerabilities.

Why this answer

`trivy fs` is the command to scan a filesystem for vulnerabilities, including configuration files and source code.

281
MCQmedium

A security engineer wants to detect any attempt to spawn a shell inside a container. Which Falco rule condition would trigger on a shell being spawned in a container (e.g., /bin/bash or /bin/sh)?

A.spawned_process and container and proc.name in (bash, sh, zsh)
B.evt.type=open and fd.name contains /bin/bash
C.evt.type=execve and container and proc.name in (bash, sh, zsh)
D.proc.name = bash and container
AnswerA

Correctly uses 'spawned_process' to detect new process creation and filters on shell binaries within containers.

Why this answer

Falco uses syscall events. Container spawning a shell is detected by looking for spawned processes with a shell binary, excluding the container's own entrypoint. The condition 'spawned_process and container and proc.name in (bash, sh, zsh)' is correct.

282
MCQeasy

Which audit policy level logs the request metadata and the request body?

A.None
B.Metadata
C.RequestResponse
D.Request
AnswerD

Request logs request metadata and request body.

Why this answer

The `Request` level logs metadata (like user, timestamp) and the request body. `Metadata` logs only metadata. `RequestResponse` logs metadata, request body, and response body. `None` logs nothing.

283
MCQmedium

You need to ensure that all containers in your cluster run with a read-only root filesystem. Which field should be set in the container's security context?

A.readOnlyRootFilesystem: true
B.allowPrivilegeEscalation: false
C.capabilities.drop: ['ALL']
D.runAsNonRoot: true
AnswerA

Setting readOnlyRootFilesystem to true mounts the container's root filesystem as read-only, preventing writes.

Why this answer

Option B is correct. 'readOnlyRootFilesystem: true' in the security context makes the container's root filesystem read-only. Option A is for running as non-root. Option C is for dropping capabilities.

Option D is for privilege escalation.

284
MCQhard

A ClusterRoleBinding grants cluster-admin to a service account in the 'kube-system' namespace. What is the best way to audit this for least privilege?

A.Use 'kubectl auth can-i --list' to check the service account's permissions.
B.Delete the ClusterRoleBinding immediately.
C.Run 'kubectl get clusterrolebindings' to list all bindings.
D.Review the permissions granted by cluster-admin and create a custom Role with only necessary permissions, then bind it.
AnswerD

This follows the least privilege principle by scoping permissions to only what is needed.

Why this answer

Option D is correct because the cluster-admin ClusterRole grants superuser access across all namespaces, which violates the principle of least privilege. The best practice is to review the specific permissions required by the service account, create a custom Role with only those necessary permissions, and bind it via a RoleBinding or ClusterRoleBinding scoped appropriately. This minimizes the attack surface and aligns with Kubernetes RBAC hardening guidelines.

Exam trap

The trap here is that candidates may think simply listing or checking permissions (Options A or C) is sufficient for auditing, when the core requirement is to reduce permissions to the minimum necessary, which involves creating a custom Role.

How to eliminate wrong answers

Option A is wrong because 'kubectl auth can-i --list' only shows what the current user can do, not the permissions of a specific service account; to check a service account's permissions, you must use '--as' impersonation or inspect the RBAC bindings directly. Option B is wrong because immediately deleting the ClusterRoleBinding without understanding the service account's actual needs could break critical cluster functionality, such as controllers or add-ons running in kube-system. Option C is wrong because simply listing all ClusterRoleBindings does not audit for least privilege; it only provides a list without analyzing whether the bound permissions are excessive.

285
MCQmedium

You need to configure Kubernetes audit logging to log all requests at the Metadata level for a specific namespace. Which audit policy level should you use?

A.Request
B.None
C.RequestResponse
D.Metadata
AnswerD

Metadata logs request metadata, which is appropriate for logging all requests.

Why this answer

Metadata level logs request metadata (user, timestamp, verb, resource) but not the request or response body. It is suitable for logging all requests without exposing sensitive data.

286
Multi-Selectmedium

Which TWO admission plugins should be enabled to improve cluster security according to CIS benchmarks? (Choose two.)

Select 2 answers
A.PodSecurity
B.NodeRestriction
C.NamespaceLifecycle
D.PodSecurityPolicy
E.ServiceAccount
AnswersA, B

Enforces Pod Security Standards.

Why this answer

PodSecurity is correct because it replaces the deprecated PodSecurityPolicy (PSP) and enforces the Pod Security Standards (baseline, restricted, privileged) via admission webhooks or built-in admission controllers. This prevents pods from running with excessive privileges, such as privileged containers or hostPath mounts, directly aligning with CIS benchmarks for Kubernetes hardening. NodeRestriction is correct because it limits the Node and Pod objects a kubelet can modify, preventing a compromised node from escalating privileges or modifying other nodes' statuses, which is a key CIS control for node-level security.

Exam trap

CNCF often tests the distinction between PodSecurity (current) and PodSecurityPolicy (deprecated/removed), and candidates mistakenly choose PSP because they recall it from older CKA exams, not realizing CIS benchmarks now mandate PodSecurity.

287
MCQhard

You are a security engineer at a fintech startup. The company runs a Kubernetes cluster in production with hundreds of microservices. Recently, a container image from a public registry was compromised, and the attacker injected a backdoor that exfiltrated customer data. The CISO mandates that all images must come from an internal registry that only stores approved, scanned, and signed images. Currently, developers build images locally and push them to Docker Hub, then reference those images in Kubernetes manifests. You have deployed Harbor as a private registry with vulnerability scanning and Cosign for signing. However, you notice that some pods are still running images directly from Docker Hub. You need to enforce that only images from your internal Harbor registry can be used in the cluster. You cannot change the Kubernetes manifests immediately because of a large backlog. You have access to the cluster's kubelet configuration and can modify cluster-level components. Which single action will most effectively block any pod that tries to use an image not hosted on your internal registry?

A.Enforce a PodSecurityStandard that restricts containers from running with root privileges.
B.Apply a Kubernetes NetworkPolicy that blocks egress traffic from nodes to Docker Hub.
C.Configure the containerd configuration on each node to use Harbor as a mirror for all registries and set endpoint to Harbor only, disabling direct pull from public registries.
D.Deploy an admission webhook (e.g., OPA/Gatekeeper) that denies pods whose image registry is not the internal Harbor.
AnswerC

This forces all image pulls to go through Harbor, and if the image is not cached or allowed, the pull fails.

Why this answer

Option C is correct because configuring containerd to use Harbor as a mirror for all registries and setting the endpoint to Harbor only effectively blocks pulls from any external registry at the container runtime level. This approach works even if Kubernetes manifests reference Docker Hub images, as the kubelet will redirect all image pull requests to the internal Harbor registry, preventing direct pulls from public registries. It enforces the policy without requiring immediate changes to existing manifests, which aligns with the constraint of not modifying them due to a large backlog.

Exam trap

CNCF often tests the distinction between admission control (webhooks) and runtime enforcement (container runtime configuration), where candidates mistakenly choose an admission webhook because it seems like a direct policy enforcement tool, but the question explicitly states that manifests cannot be changed immediately, making runtime-level enforcement the only viable option to block pulls without modifying existing resources.

How to eliminate wrong answers

Option A is wrong because PodSecurityStandard restricting root privileges does not control which image registry is used; it only enforces security context constraints on containers, not image source validation. Option B is wrong because a Kubernetes NetworkPolicy that blocks egress traffic to Docker Hub only prevents network-level communication from nodes to Docker Hub, but it does not prevent the kubelet or container runtime from pulling images if the DNS resolution or caching still allows it; moreover, it does not block pulls from other public registries and can be bypassed if the image is cached locally. Option D is wrong because deploying an admission webhook like OPA/Gatekeeper would require modifying Kubernetes manifests or applying policies that could be circumvented if the webhook is not properly configured or if there is a delay in policy enforcement; it also does not address the immediate need to block images without changing manifests, as the webhook would deny pods at admission time but does not prevent runtime pulls if the image is already cached or if the webhook is bypassed.

288
Multi-Selecteasy

Which TWO of the following are best practices for securing container images?

Select 2 answers
A.Always use the latest tag
B.Use minimal base images like distroless
C.Run containers as root
D.Run containers in privileged mode
E.Use image vulnerability scanning
AnswersB, E

Reduces attack surface.

Why this answer

Option B is correct because minimal base images like distroless reduce the attack surface by eliminating unnecessary packages, libraries, and shell access. This aligns with the principle of least functionality, making it harder for attackers to exploit vulnerabilities or execute arbitrary commands within the container. Distroless images typically contain only the application and its runtime dependencies, significantly lowering the risk of privilege escalation or lateral movement.

Exam trap

CNCF often tests the misconception that using the 'latest' tag is safe or recommended, when in fact it is a security anti-pattern that undermines image integrity and reproducibility.

289
MCQmedium

You need to generate an SBOM for a container image. Which command should you use?

A.cosign sbom <image>
B.trivy sbom <image>
C.syft <image>
D.kubectl sbom <pod>
AnswerC

Syft generates a software bill of materials for the given image.

Why this answer

Syft generates SBOMs from container images. Option A is correct.

290
MCQeasy

A security engineer is hardening a Kubernetes node and wants to ensure that kubelet does not accept requests from unauthorized sources. Which kubelet configuration change should be made?

A.Set --anonymous-auth=true
B.Set --read-only-port=10255
C.Set --authentication-token-webhook=false
D.Set --anonymous-auth=false
AnswerD

Disables anonymous authentication, preventing unauthorized access.

Why this answer

Setting `--anonymous-auth=false` on the kubelet disables anonymous requests, meaning the kubelet will reject any request that does not present valid authentication credentials. This is a critical hardening measure to ensure only authenticated and authorized sources (e.g., the API server) can interact with the kubelet’s HTTPS API, preventing unauthorized nodes or attackers from querying or modifying pod/container state.

Exam trap

CNCF often tests the misconception that disabling anonymous auth is unnecessary if the read-only port is closed, but the trap is that anonymous auth controls the main HTTPS port (10250), which is the primary attack surface for kubelet API abuse.

How to eliminate wrong answers

Option A is wrong because `--anonymous-auth=true` explicitly allows unauthenticated requests, which is the opposite of what hardening requires. Option B is wrong because `--read-only-port=10255` opens an unsecured, read-only HTTP endpoint that bypasses authentication entirely, exposing sensitive node and pod information without any authorization checks. Option C is wrong because `--authentication-token-webhook=false` disables the webhook token review mechanism, which would prevent the kubelet from validating bearer tokens against the API server; this weakens authentication rather than strengthening it.

291
MCQmedium

A security team wants to automatically reject any Pod that uses an image tagged with 'latest'. Which tool can be used to define this policy at the admission level?

A.ResourceQuota
B.NetworkPolicy
C.PodSecurityPolicy (PSP)
D.OPA/Gatekeeper
AnswerD

OPA/Gatekeeper allows you to create custom admission policies, such as rejecting images with the 'latest' tag.

Why this answer

Option C is correct. OPA/Gatekeeper can enforce custom policies using constraints, including checking image tags. Option A (PodSecurityPolicy) is deprecated.

Option B (NetworkPolicy) controls network traffic. Option D (ResourceQuota) limits resources.

292
MCQeasy

Which kube-apiserver flag enables audit logging?

A.--audit-log-path
B.--audit-log-dir
C.--enable-audit
D.--audit-policy-file
AnswerA

This flag enables audit logging to a file.

Why this answer

The `--audit-log-path` flag is the correct kube-apiserver flag to enable audit logging because it specifies the file path where audit logs are written. When this flag is set, the API server starts recording audit events to the designated file, effectively enabling the audit logging feature. Without this flag, audit logging is disabled by default, even if other audit-related flags like `--audit-policy-file` are provided.

Exam trap

The trap here is that candidates often confuse `--audit-policy-file` (which defines what to log) with the flag that actually enables logging, or they assume a non-existent `--enable-audit` flag exists because other Kubernetes components use similar enable flags.

How to eliminate wrong answers

Option B is wrong because `--audit-log-dir` is not a valid kube-apiserver flag; the correct flag for specifying a directory is `--audit-log-path`, which accepts a full file path, not a directory. Option C is wrong because `--enable-audit` does not exist as a kube-apiserver flag; audit logging is implicitly enabled when `--audit-log-path` is set, and there is no separate boolean flag to enable it. Option D is wrong because `--audit-policy-file` defines the audit policy rules (what events to log) but does not enable audit logging itself; audit logging remains disabled unless `--audit-log-path` is also specified.

293
MCQeasy

Which Kubernetes resource is used to define audit logging configuration?

A.A YAML file specified via `--audit-policy-file`
B.PodSecurityPolicy
C.ConfigMap in kube-system
D.AuditPolicy CRD
AnswerA

The audit policy is configured as a file on the apiserver's filesystem, specified by the `--audit-policy-file` flag.

Why this answer

The audit policy is defined in a YAML file and passed to the kube-apiserver via the `--audit-policy-file` flag. There is no CRD or ConfigMap standard; it's a plain file.

294
MCQeasy

Which flag enables the NodeRestriction admission plugin on the API server?

A.--enable-admission-plugins=NodeRestriction
B.--admission-control=NodeRestriction
C.--kubelet-restriction=NodeRestriction
D.--node-restriction=true
AnswerA

This flag enables the NodeRestriction admission plugin.

Why this answer

The `--enable-admission-plugins` flag is the correct parameter to activate admission controllers in the kube-apiserver. The NodeRestriction plugin limits the Node and Pod objects a kubelet can modify, enforcing the principle of least privilege. Option A correctly uses this flag with the plugin name.

Exam trap

The trap here is that candidates confuse the deprecated `--admission-control` flag with the current `--enable-admission-plugins` flag, or they invent non-existent flags like `--kubelet-restriction` or `--node-restriction` that sound plausible but are not valid API server options.

How to eliminate wrong answers

Option B is wrong because `--admission-control` is a deprecated flag from older Kubernetes versions (pre-1.10) and is no longer supported; the correct flag is `--enable-admission-plugins`. Option C is wrong because `--kubelet-restriction` is not a valid kube-apiserver flag; it does not exist in the Kubernetes API server options. Option D is wrong because `--node-restriction` is not a valid boolean flag; the NodeRestriction feature is an admission plugin, not a simple boolean toggle.

295
Multi-Selecthard

Which three of the following are valid ways to enforce supply chain security in a Kubernetes cluster? (Select THREE.)

Select 3 answers
A.Use Cosign to sign images and configure verification in the cluster
B.Configure ImagePolicyWebhook to reject images from untrusted registries
C.Use ResourceQuota to limit the number of images that can be pulled
D.Use NetworkPolicy to block egress traffic to unknown registries
E.Use OPA/Gatekeeper to enforce that container images come from an allowed list of registries
AnswersA, B, E

Cosign provides image signing and verification capabilities.

Why this answer

Options A, B, and D are correct. Using ImagePolicyWebhook enforces image policies. OPA/Gatekeeper can enforce policies like allowed registries.

Cosign is used for image signing and verification. Option C is wrong because NetworkPolicy does not enforce image policies. Option E is wrong because ResourceQuota does not enforce image policies.

296
MCQhard

An incident responder needs to isolate a compromised pod immediately without deleting it. Which action should they take?

A.Modify the pod's labels to prevent it from receiving traffic
B.Delete the pod to stop its activity
C.Apply a NetworkPolicy that denies all traffic to and from the pod's labels
D.Scale down the deployment to zero replicas
AnswerC

Correct: A NetworkPolicy with empty podSelector and policyTypes: [Ingress, Egress] denies all traffic.

Why this answer

Applying a NetworkPolicy that denies all ingress and egress traffic to the pod isolates it from network communication while preserving the pod for forensic analysis. Option B (deleting the pod) removes evidence. Option C (scaling down) is not immediate.

Option D (changing labels) may not be sufficient.

297
Multi-Selecthard

Which THREE of the following are correct statements about Kubernetes admission controllers in the context of supply chain security? (Select 3)

Select 3 answers
A.Admission controllers are executed in a specific order that can affect the final state of the resource
B.ValidatingAdmissionWebhook can be used to enforce policies like requiring all images to be signed
C.MutatingAdmissionWebhook can only modify pods, not other resources
D.ImagePolicyWebhook is used to validate container images against an external policy
E.OPA/Gatekeeper uses MutatingAdmissionWebhook to enforce policies
AnswersA, B, D

The order of admission controllers can impact the final resource, especially when mutating and validating are mixed.

Why this answer

Admission controllers can be chained, ImagePolicyWebhook is for image validation, and ValidatingAdmissionWebhooks can enforce custom policies. MutatingAdmissionWebhooks can modify pods but are not the only way to inject sidecars. OPA/Gatekeeper uses constraint templates for policy.

298
Multi-Selecthard

Which THREE of the following are valid ways to restrict access to etcd? (Select 3)

Select 3 answers
A.Enable etcd RBAC to restrict read/write access
B.Use HTTP instead of HTTPS
C.Disable client authentication for simplicity
D.Use firewall rules to restrict network access to etcd
E.Use TLS client certificates for authentication
AnswersA, D, E

etcd RBAC can limit access to keys.

Why this answer

Option A is correct because etcd supports Role-Based Access Control (RBAC) that allows you to define roles and permissions to restrict read and write access to keys. By enabling etcd RBAC, you can enforce fine-grained authorization, ensuring that only authenticated and authorized clients (e.g., the Kubernetes API server) can perform specific operations on etcd data.

Exam trap

CNCF often tests the misconception that disabling security features (like authentication or encryption) can simplify access control, but in reality, these features are essential for restricting access, and candidates may incorrectly think that network-level controls alone are insufficient or that HTTP is acceptable for internal traffic.

299
MCQmedium

A security team wants to ensure that only signed images are deployed in the cluster. They have set up an ImagePolicyWebhook admission controller. After configuring the webhook, they notice that pods with unsigned images are still being created. What is the most likely cause?

A.The ImagePolicyWebhook is failing open due to a misconfigured failure policy
B.The container runtime does not support image signing
C.The images are signed but the signature is invalid
D.The ImagePolicyWebhook is not enabled in the kube-apiserver configuration
AnswerD

The ImagePolicyWebhook must be enabled via the --admission-control flag or the Kubernetes API server configuration file. If not enabled, it will not be invoked.

Why this answer

The ImagePolicyWebhook admission controller is an external admission controller that must be properly configured and registered. If the webhook is not reachable or returns an error, Kubernetes may allow the request to proceed depending on the failure policy. However, the most common issue is that the ImagePolicyWebhook is not enabled in the API server or the webhook configuration is incorrect.

300
MCQeasy

A DevOps engineer wants to ensure that all microservice containers run with a read-only root filesystem to prevent unauthorized writes. What is the simplest way to enforce this at the Pod level?

A.Set `securityContext.runAsNonRoot: true` in the Pod spec
B.Mount an emptyDir volume to the container's writable directories
C.Set `securityContext.readOnlyRootFilesystem: true` in the Pod spec
D.Set `securityContext.privileged: false` in the Pod spec
AnswerC

This directly enforces a read-only root filesystem for all containers in the Pod.

Why this answer

Option C is correct because setting `securityContext.readOnlyRootFilesystem: true` in the Pod spec directly enforces that the container's root filesystem is read-only, preventing any unauthorized writes to the root filesystem. This is the simplest and most direct way to achieve the requirement at the Pod level, as it applies to all containers in the Pod unless overridden at the container level.

Exam trap

CNCF often tests the distinction between security contexts that control user identity (runAsNonRoot) versus those that control filesystem permissions (readOnlyRootFilesystem), and the trap here is that candidates may confuse 'non-root' with 'read-only' or assume that disabling privileged mode is sufficient to prevent writes.

How to eliminate wrong answers

Option A is wrong because `runAsNonRoot: true` only ensures the container runs as a non-root user, but does not restrict writes to the root filesystem; a non-root user can still write to writable directories. Option B is wrong because mounting an emptyDir volume to writable directories is a workaround to allow specific writes while keeping the root filesystem read-only, but it does not enforce the read-only root filesystem itself; the root filesystem remains writable unless explicitly set to read-only. Option D is wrong because `privileged: false` is the default and simply disables privileged mode, but it does not prevent writes to the root filesystem; a non-privileged container can still modify the root filesystem if it is not explicitly set to read-only.

Page 3

Page 4 of 14

Page 5