Certified Kubernetes Security Specialist CKS (CKS) — Questions 301375

997 questions total · 14pages · All types, answers revealed

Page 4

Page 5 of 14

Page 6
301
MCQeasy

Which annotation is used to apply an AppArmor profile to a pod?

A.apparmor.security.kubernetes.io/profile
B.security.kubernetes.io/apparmor
C.container.apparmor.security.beta.kubernetes.io/<container_name>
D.seccomp.security.alpha.kubernetes.io/pod
AnswerC

This is the correct annotation format to apply an AppArmor profile to a container.

Why this answer

The annotation 'container.apparmor.security.beta.kubernetes.io/<container_name>' is used to specify the AppArmor profile for a container. Option A is correct because it uses the proper prefix and container name placeholder.

302
Matchingmedium

Match each Kubernetes security component to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Admission controller that enforces security constraints on pods

Defines how groups of pods can communicate with each other and other network endpoints

Role-based access control for authorization within the cluster

Linux security facility to restrict system calls from a container

Mandatory access control system that confines programs to a limited set of resources

Why these pairings

These components are critical for securing Kubernetes clusters.

303
Multi-Selecthard

Which TWO Falco priority levels are correctly ordered from lowest to highest severity? (Choose two correct sequences)

Select 3 answers
A.WARNING, ERROR, CRITICAL, ALERT, EMERGENCY
B.DEBUG, INFORMATIONAL, NOTICE, WARNING
C.INFORMATIONAL, NOTICE, DEBUG, WARNING
D.ALERT, CRITICAL, ERROR, WARNING
E.NOTICE, WARNING, ERROR, CRITICAL
AnswersA, B, E

This is correct ascending order from WARNING to EMERGENCY.

Why this answer

The correct order from lowest to highest: DEBUG, INFORMATIONAL, NOTICE, WARNING, ERROR, CRITICAL, ALERT, EMERGENCY. Sequences must be in ascending order. Option B is correct order.

Option D is also correct because NOTICE < WARNING < ERROR < CRITICAL.

304
MCQmedium

In an Istio service mesh, you want to enforce mutual TLS (mTLS) between services in a specific namespace. Which resource should you create to set the default mTLS mode to STRICT for all workloads in that namespace?

A.PeerAuthentication
B.VirtualService
C.ServiceEntry
D.DestinationRule
AnswerA

PeerAuthentication defines mTLS policy for workloads; setting mode: STRICT enforces mTLS.

305
MCQeasy

Falco detects a shell being opened inside a container. Which Falco rule field is used to specify the syscall condition for detection?

A.condition
B.priority
C.output
D.rule
AnswerA

condition contains the syscall filter expression.

Why this answer

The 'condition' field in a Falco rule defines the syscall filter expression that triggers the alert.

306
Multi-Selectmedium

Which TWO of the following are valid arguments for etcd encryption at rest?

Select 2 answers
A.kms
B.identity
C.base64
D.secretbox
E.aescbc
AnswersD, E

Correct. secretbox is a supported provider.

Why this answer

Option D (secretbox) is correct because it is a valid encryption provider for etcd data at rest in Kubernetes, using XSalsa20 and Poly1305 for authenticated encryption. It is one of the supported providers alongside aescbc, and is specifically designed for encryption at rest within etcd.

Exam trap

CNCF often tests the distinction between encryption providers and encoding/identity, where candidates mistakenly think 'base64' or 'identity' provide encryption, or confuse KMS (a key management integration) with an etcd encryption provider.

307
MCQmedium

A security audit reveals that the kube-apiserver is using the default insecure port 8080 on a production cluster. Which is the most secure and recommended remediation?

A.Change the --insecure-port flag to 0
B.Set --insecure-port=0 and ensure --secure-port=6443 is configured
C.Set --insecure-port=6443
D.Set --secure-port=8080
AnswerB

Setting insecure-port to 0 disables it, and secure-port=6443 uses TLS.

Why this answer

Setting `--insecure-port=0` disables the unencrypted HTTP port (default 8080), which eliminates the risk of unauthenticated access to the API server. Ensuring `--secure-port=6443` is configured enforces TLS-encrypted communication on the standard secure port, which is the only recommended and secure method for production clusters.

Exam trap

CNCF often tests the misconception that simply changing the insecure port number or setting it to a non-default value is sufficient, whereas the only secure remediation is to disable it entirely with `--insecure-port=0` and explicitly enable the secure port.

How to eliminate wrong answers

Option A is wrong because merely changing the insecure port to 0 without explicitly ensuring the secure port is configured may leave the API server without any listening port if the secure port is also misconfigured or defaulting to an unintended value. Option C is wrong because setting `--insecure-port=6443` would enable the insecure port on the same port as the secure port, causing a conflict and still exposing unauthenticated access. Option D is wrong because setting `--secure-port=8080` would move the TLS-encrypted port to 8080, but this does not disable the insecure port (default 8080), leading to a port conflict and continued exposure of the insecure endpoint.

308
MCQmedium

A cluster administrator needs to run a workload that uses gVisor (runsc) for container sandboxing. Which Kubernetes resource is required to enable this?

A.RuntimeClass
B.PriorityClass
C.NetworkPolicy
D.PodSecurityPolicy
AnswerA

RuntimeClass allows selecting a different container runtime, such as gVisor.

Why this answer

RuntimeClass specifies the container runtime to use for pods. It must be defined and referenced in the pod spec. PodSecurityPolicy is deprecated.

PriorityClass is for scheduling priority. NetworkPolicy is for network rules.

309
MCQmedium

Which of the following commands creates a ValidatingWebhookConfiguration that uses an OPA Gatekeeper webhook?

A.kubectl apply -f validatingwebhook.yaml where the webhook's service reference points to the gatekeeper-validating-webhook service.
B.kubectl apply -f constraint.yaml with a ConstraintTemplate.
C.kubectl create validatingwebhook gatekeeper --from-file=webhook.yaml
D.kubectl run gatekeeper-webhook --image=openpolicyagent/gatekeeper:v3.14.0
AnswerA

Gatekeeper registers a ValidatingWebhookConfiguration that points to its service.

310
MCQhard

An administrator wants to set an immutable root filesystem for a container in a Pod. Which securityContext field should be set to true?

A.allowPrivilegeEscalation
B.readOnlyRootFilesystem
C.runAsNonRoot
D.privileged
AnswerB

Setting readOnlyRootFilesystem to true makes the root filesystem immutable.

Why this answer

The 'readOnlyRootFilesystem' field, when true, mounts the container's root filesystem as read-only, preventing writes.

311
MCQeasy

Which Pod Security Standard level allows the use of hostNetwork, hostPID, and hostIPC?

A.None of the above
B.Baseline
C.Privileged
D.Restricted
AnswerC

Privileged level allows unrestricted access to host namespaces.

Why this answer

The Privileged Pod Security Standard (PSS) level is the most permissive, allowing unrestricted access to host-level resources, including hostNetwork, hostPID, and hostIPC. These settings grant the pod direct access to the host's network namespace, process table, and inter-process communication mechanisms, which are explicitly prohibited in the Baseline and Restricted levels. The Privileged level is designed for system-level workloads that require such elevated permissions, such as CNI plugins or monitoring agents.

Exam trap

CNCF often tests the misconception that Baseline allows host-level namespace sharing, when in fact Baseline only permits a limited set of non-host-level privileges, while hostNetwork, hostPID, and hostIPC are exclusive to the Privileged level.

How to eliminate wrong answers

Option A is wrong because 'None of the above' is incorrect; the Privileged level explicitly allows hostNetwork, hostPID, and hostIPC. Option B is wrong because the Baseline level prohibits hostNetwork, hostPID, and hostIPC by default, as defined in the Kubernetes Pod Security Standards documentation. Option D is wrong because the Restricted level is the most restrictive, enforcing the strongest security controls and disallowing all host namespace sharing, including hostNetwork, hostPID, and hostIPC.

312
MCQmedium

Which command would you run to check if anonymous authentication is enabled on the API server?

A.ps aux | grep kube-apiserver | grep anonymous-auth
B.kubectl get nodes -o yaml | grep anonymous
C.kubectl describe configmap anonymous
D.kubectl get clusterrolebinding anonymous
AnswerA

This shows the command-line flags of the API server process.

Why this answer

Option A is correct because the `--anonymous-auth` flag on the kube-apiserver binary controls whether anonymous requests are allowed. Running `ps aux | grep kube-apiserver | grep anonymous-auth` directly inspects the running process arguments to see if the flag is set to `true` (enabled) or `false` (disabled). This is the most direct way to check the runtime configuration of the API server.

Exam trap

CNCF often tests the ability to distinguish between runtime process inspection and Kubernetes API resource queries, leading candidates to mistakenly use `kubectl` commands that query non-existent or irrelevant resources instead of checking the actual process arguments.

How to eliminate wrong answers

Option B is wrong because `kubectl get nodes -o yaml` retrieves node objects, which do not contain any information about the API server's authentication configuration. Option C is wrong because there is no standard Kubernetes resource called `configmap anonymous`; ConfigMaps are namespaced and unrelated to API server authentication settings. Option D is wrong because `ClusterRoleBinding` named `anonymous` does not exist by default; anonymous access is controlled by the `system:anonymous` user and `system:unauthenticated` group, not by a dedicated ClusterRoleBinding.

313
MCQeasy

A DevOps team is tasked with upgrading a Kubernetes cluster from version 1.21 to 1.22. They want to minimize downtime and follow best practices. Which approach should they take?

A.Upgrade worker nodes first, then the control plane
B.Upgrade etcd to 1.22 first, then the API server
C.Upgrade the control plane from 1.21 to 1.22 first, then upgrade worker nodes
D.Drain all nodes, then upgrade all components to 1.22 at once
AnswerC

Component upgrades must follow version skew policy; control plane first.

Why this answer

Option C is correct because the Kubernetes upgrade process mandates upgrading the control plane first, as it is the authoritative source for cluster state and API operations. Worker nodes can then be upgraded to match the control plane version, ensuring compatibility and minimizing downtime by allowing workloads to continue running during the node upgrade phase.

Exam trap

The trap here is that candidates often assume upgrading worker nodes first is safer to avoid control plane downtime, but Kubernetes requires the control plane to be upgraded first to maintain version skew compatibility and cluster stability.

How to eliminate wrong answers

Option A is wrong because upgrading worker nodes before the control plane violates the Kubernetes version skew policy, which requires the control plane to be at the highest version; doing so could cause API server incompatibility with node components like kubelet. Option B is wrong because etcd is upgraded as part of the control plane upgrade process, not independently first, and the API server must be upgraded before or simultaneously with etcd to maintain cluster stability. Option D is wrong because draining all nodes before upgrading any component would cause unnecessary total cluster downtime, and upgrading all components at once ignores the required sequential upgrade order (control plane first, then nodes) and version skew support.

314
Multi-Selectmedium

Which TWO of the following are valid AppArmor profile modes?

Select 2 answers
A.Complain
B.Enforce
C.Audit
D.Disable
E.Permissive
AnswersA, B

In complain mode, violations are logged but not blocked.

Why this answer

AppArmor has three modes: enforce (profiles are enforced), complain (violations are logged but not blocked), and unconfined (no AppArmor). Options A and C are correct. 'audit' is not a mode; 'disable' is not a mode.

315
MCQmedium

You run 'trivy image myapp:latest' and the scan reports several critical CVEs. What is the best action to take?

A.Use kubectl delete pod to remove the running container
B.Delete the image from the registry
C.Rebuild the image with updated base images and re-deploy
D.Ignore the CVEs because the image is running in a non-production environment
AnswerC

Rebuilding with patched base images resolves the vulnerabilities.

Why this answer

You should rebuild the image using updated base images that include security patches. Option C is correct.

316
MCQhard

During a security audit, you run kube-bench and find that the API server audit logging is not enabled. Which set of flags should be added to the kube-apiserver to enable audit logging with a policy file located at /etc/kubernetes/audit-policy.yaml?

A.--audit-log-path=/var/log/kubernetes/audit.log --audit-policy-file=/etc/kubernetes/audit-policy.yaml
B.--audit-log-maxage=30 --audit-policy-file=/etc/kubernetes/audit-policy.yaml
C.--audit-log-path=/var/log/kubernetes/audit.log --audit-log-maxbackup=10
D.--audit-log-path=/var/log/kubernetes/audit.log --audit-webhook-config-file=/etc/kubernetes/audit-policy.yaml
AnswerA

These flags enable audit logging to the specified file and use the policy file to control what is logged.

Why this answer

Option A is correct because enabling audit logging in kube-apiserver requires both `--audit-log-path` to specify the output file and `--audit-policy-file` to define the audit policy rules. Without the policy file, the API server will not know which events to log, and without the log path, no audit logs will be written.

Exam trap

The trap here is that candidates often confuse `--audit-policy-file` with `--audit-webhook-config-file` or assume that providing only the log path or only the policy file is sufficient, when both are required for local audit logging to function.

How to eliminate wrong answers

Option B is wrong because it includes `--audit-log-maxage=30` but omits `--audit-log-path`, so no audit log file is created; the policy file alone cannot enable logging. Option C is wrong because it provides `--audit-log-path` and `--audit-log-maxbackup=10` but lacks `--audit-policy-file`, meaning the API server will not apply any audit policy and will not log events. Option D is wrong because `--audit-webhook-config-file` is used for sending audit events to an external webhook, not for specifying a local policy file; the correct flag for a local policy is `--audit-policy-file`.

317
MCQhard

You need to run kube-bench on a control plane node. Which command should you use?

A.kube-bench run --targets=controlplane
B.kube-bench run --targets=master
C.kube-bench run --targets=node
D.kube-bench run --targets=etcd
AnswerB

This runs checks for control plane components.

Why this answer

Option B is correct because `kube-bench` uses the `--targets` flag to specify which CIS benchmark targets to scan, and for control plane nodes, the correct target is `master` (not `controlplane`). This is because the CIS Kubernetes Benchmark historically refers to the control plane node as the 'master' node, and `kube-bench` follows that naming convention.

Exam trap

The trap here is that candidates assume the target name matches the modern Kubernetes terminology 'controlplane', but `kube-bench` still uses the legacy term 'master' for backward compatibility with the CIS Benchmark.

How to eliminate wrong answers

Option A is wrong because `--targets=controlplane` is not a valid target in `kube-bench`; the tool uses `master` for control plane nodes. Option C is wrong because `--targets=node` targets worker nodes, not the control plane. Option D is wrong because `--targets=etcd` only scans the etcd component, not the full control plane node.

318
MCQhard

To encrypt secrets at rest in Kubernetes, an administrator configures an EncryptionConfiguration. What is the correct flag to pass to the kube-apiserver to use this configuration?

A.--encryption-provider-config=/path/to/config.yaml
B.--feature-gates=EncryptionAtRest=true
C.--encryption-key=/path/to/config.yaml
D.--encryption-config=/path/to/config.yaml
AnswerA

The --encryption-provider-config flag specifies the path to the EncryptionConfiguration file.

Why this answer

The kube-apiserver uses --encryption-provider-config to load the EncryptionConfiguration YAML file that defines how etcd data is encrypted.

319
MCQeasy

Which command loads an AppArmor profile from a file into the kernel?

A.apparmor_load /path/to/profile
B.apparmor_parser -r /path/to/profile
C.aa-status
D.aa-enforce /path/to/profile
AnswerB

This command loads or replaces an AppArmor profile.

Why this answer

The 'apparmor_parser' command is used to load AppArmor profiles into the kernel. Option A is correct. Options B, C, and D are not valid commands for loading AppArmor profiles.

320
MCQhard

An admin creates the following EncryptionConfiguration to encrypt secrets at rest. After applying it, what must the admin do to ensure existing secrets are encrypted?

A.Re-create the existing secrets
B.Restart the kube-apiserver
C.Delete the existing secrets and wait for them to be recreated automatically
D.Nothing, the existing secrets are automatically encrypted
AnswerA

Existing secrets are not automatically encrypted; they must be re-created to be encrypted.

Why this answer

The EncryptionConfiguration only encrypts newly created secrets. Existing secrets must be re-created (e.g., by replacing them) to be encrypted. The kube-apiserver does not automatically rewrite existing resources.

321
MCQmedium

A cluster administrator wants to encrypt secrets at rest in etcd. Which resource must be created to configure encryption?

A.KMSProvider
B.EncryptionConfiguration
C.SecretEncryptionConfig
D.EncryptionConfig
AnswerB

This is the correct resource for configuring encryption at rest.

Why this answer

The correct resource is an EncryptionConfiguration object, which is a Kubernetes API resource that defines how to encrypt secrets at rest in etcd. It specifies providers (such as aesgcm, secretbox, or kms) and their order of precedence for encrypting and decrypting data. This configuration is passed to the kube-apiserver via the --encryption-provider-config flag.

Exam trap

The trap here is that candidates confuse the generic term 'encryption config' with the exact Kubernetes API resource name 'EncryptionConfiguration', or they mistakenly think a KMS provider is a standalone resource rather than a provider type within the EncryptionConfiguration.

How to eliminate wrong answers

Option A is wrong because KMSProvider is not a Kubernetes resource; it is a type of encryption provider (e.g., using a Key Management Service) that can be referenced within an EncryptionConfiguration, not a standalone resource. Option C is wrong because SecretEncryptionConfig is not a valid Kubernetes API resource; the correct resource name is EncryptionConfiguration. Option D is wrong because EncryptionConfig is not a valid Kubernetes resource; the exact API resource name is EncryptionConfiguration (v1) in the apiserver.config.k8s.io group.

322
MCQmedium

An administrator runs 'trivy image myapp:1.0' and receives an output with several CRITICAL vulnerabilities. What is the best next step to ensure the image is secure before deployment?

A.Delete the image entirely and do not deploy
B.Rebuild the image using updated base images and fix the identified vulnerabilities
C.Deploy the image anyway because vulnerabilities are common
D.Ignore the output and re-run the scan
AnswerB

Rebuilding with patches remediates vulnerabilities.

Why this answer

Rebuilding the image with updated packages and fixes is the appropriate action to remediate the vulnerabilities found by the scan.

323
MCQhard

You need to enable Kubernetes audit logging with the following requirements: log all requests at the 'RequestResponse' level, but only for successful responses. Which audit stage should you specify in the policy?

A.Panic
B.ResponseComplete
C.ResponseStarted
D.RequestReceived
AnswerB

Correct. This stage fires after the entire response is sent, capturing the full response.

Why this answer

To capture both request and response for successful requests, you want events after the response is complete. The 'ResponseComplete' stage fires after the response is sent. 'RequestResponse' is not a stage; it's a level.

324
MCQmedium

What is the default seccomp profile for Kubernetes containers when no seccompProfile is specified?

A.Localhost
B.No profile is applied
C.RuntimeDefault
D.Unconfined
AnswerC

Correct. The default is RuntimeDefault.

Why this answer

As of Kubernetes 1.29, the default seccomp profile for containers is RuntimeDefault, which uses the container runtime's default profile.

325
MCQmedium

You need to configure a Kubernetes Pod to have an immutable root filesystem. Which field should you set in the Pod spec?

A.spec.hostPID: true
B.securityContext.allowPrivilegeEscalation: false
C.securityContext.runAsUser: 1000
D.securityContext.readOnlyRootFilesystem: true
AnswerD

Correct: This setting makes the root filesystem read-only, preventing writes.

Why this answer

The 'securityContext.readOnlyRootFilesystem' field, when set to true, makes the container's root filesystem read-only. Option B is for running as a specific user. Option C is about privilege escalation.

Option D is for sharing the host's PID namespace.

326
MCQmedium

Which of the following correctly adds the NET_ADMIN capability to a container in a Kubernetes pod?

A.securityContext: capabilities: cap_add: - ALL
B.securityContext: capabilities: add: - NET_ADMIN
C.securityContext: capabilities: cap_add: - NET_ADMIN (but placed at pod spec level)
D.securityContext: capabilities: cap_add: - NET_ADMIN
AnswerD

This is the correct syntax to add NET_ADMIN capability to a container.

Why this answer

Option D is correct because in Kubernetes, the correct field to add a specific Linux capability to a container is `capabilities.add`, and the correct YAML key is `add`, not `cap_add`. The `cap_add` key is used in Docker Compose, not in Kubernetes pod or container security contexts. The `NET_ADMIN` capability allows the container to perform network administration tasks such as interface configuration, firewall management, and routing table manipulation.

Exam trap

CNCF often tests the distinction between Docker Compose syntax (`cap_add`) and Kubernetes syntax (`add`), and the requirement that `capabilities` must be set at the container level, not the pod level, to catch candidates who confuse container runtime configuration with Kubernetes API fields.

How to eliminate wrong answers

Option A is wrong because it uses `cap_add` (a Docker Compose key) instead of the Kubernetes `add` field, and it adds `ALL` capabilities, which violates the principle of least privilege and is not a targeted addition of `NET_ADMIN`. Option B is wrong because although it uses the correct `add` field, it is placed at the pod spec level (`securityContext` at the pod level) rather than at the container level, where `capabilities` must be defined; pod-level `securityContext` does not support a `capabilities` field. Option C is wrong because it uses `cap_add` (a Docker Compose key) instead of the Kubernetes `add` field, even though it is placed at the pod spec level, which is also incorrect.

327
MCQeasy

An admin runs 'kubectl get pod web -o yaml' and sees the following security context. Which setting prevents privilege escalation?

A.allowPrivilegeEscalation: false
B.Both B and C
C.runAsNonRoot: true
D.capabilities: drop: [ALL]
AnswerA

This setting explicitly disallows privilege escalation.

Why this answer

allowPrivilegeEscalation: false directly prevents processes from gaining more privileges than their parent. Dropping all capabilities reduces attack surface but does not itself prevent privilege escalation. runAsNonRoot ensures the container does not run as root but does not prevent escalation if the container could still gain capabilities.

328
MCQeasy

Which field in a Pod's securityContext prevents privilege escalation by the container?

A.capabilities.add: ["SYS_ADMIN"]
B.runAsNonRoot
C.allowPrivilegeEscalation
D.privileged
AnswerC

Setting allowPrivilegeEscalation: false prevents privilege escalation inside the container.

Why this answer

Option C is correct. `allowPrivilegeEscalation` controls whether a process can gain more privileges than its parent. Setting it to false prevents escalation. Option A controls whether the container has root privileges.

Option B controls if the container is a privileged container. Option D controls if the container can gain privileges, but the specific field is `allowPrivilegeEscalation`.

329
Multi-Selectmedium

Which TWO actions are recommended by the CIS Kubernetes Benchmark for securing etcd?

Select 2 answers
A.Enable TLS client-to-server and peer communication
B.Disable anonymous authentication on etcd
C.Run etcd as a Service type LoadBalancer
D.Restrict access to etcd using RBAC
E.Use etcd's built-in encryption at rest
AnswersA, D

Enabling TLS encrypts communication and verifies identities.

Why this answer

Option A is correct because the CIS Kubernetes Benchmark recommends enabling TLS for both client-to-server and peer communication in etcd to ensure data in transit is encrypted and authenticated. This prevents man-in-the-middle attacks and unauthorized access to the etcd cluster, which stores all cluster state and secrets.

Exam trap

The trap here is that candidates often confuse etcd's built-in encryption at rest (which is not recommended by the CIS Benchmark) with the Kubernetes API server's encryption provider, leading them to select option E instead of focusing on TLS and RBAC as the benchmark's explicit recommendations.

330
MCQhard

You need to restrict access to etcd so that only the API server can communicate with it. Which method should you use?

A.Configure etcd with TLS client certificates and require authentication
B.Set the etcd flag --peer-auto-tls=true
C.Configure etcd to use RBAC with a role that allows only the API server
D.Use a firewall rule to restrict access to etcd's port from the API server's IP
AnswerA

TLS client authentication ensures only authorized clients can connect.

Why this answer

Option A is correct because etcd supports mutual TLS (mTLS) authentication, which requires clients to present a valid TLS certificate signed by a trusted CA. By configuring etcd with `--client-cert-auth=true` and providing the API server's client certificate, you ensure that only the API server (or any client with a valid certificate) can communicate with etcd. This is the recommended Kubernetes approach to restrict access to etcd, as it cryptographically verifies the identity of the client.

Exam trap

The trap here is that candidates often confuse network-level restrictions (firewall rules) with identity-based authentication (mTLS), or mistakenly think etcd supports RBAC like Kubernetes, leading them to choose options D or C.

How to eliminate wrong answers

Option B is wrong because `--peer-auto-tls=true` enables automatic TLS for etcd peer-to-peer communication between etcd members, not for client-to-server communication; it does not restrict client access. Option C is wrong because etcd does not support RBAC natively; RBAC is a Kubernetes API server feature, not an etcd feature, and etcd uses certificate-based authentication, not role-based access control. Option D is wrong because a firewall rule only restricts network access at the IP/port level, but it does not authenticate the API server's identity; any process on the API server's node could potentially connect to etcd, and it does not protect against compromised nodes or spoofed IPs.

331
MCQhard

You are a security engineer at a company running a Kubernetes cluster in production. The cluster uses containerd as the container runtime and has been configured with Node Authorizer and NodeRestriction admission controller. Recently, a security audit revealed that several pods running as root have been compromised via container escape vulnerabilities. The audit report recommends hardening the nodes to reduce the attack surface. Specifically, you need to ensure that even if an attacker gains root access inside a container, they cannot execute privileged operations on the host node, such as loading kernel modules, modifying host network settings, or accessing host devices. The cluster runs on Ubuntu 20.04 nodes with Linux kernel 5.4. You have access to modify node-level configurations but must minimize performance impact and avoid breaking existing workloads that rely on standard Linux capabilities. Which of the following actions would most effectively mitigate these risks?

A.Configure containerd to use a default seccomp profile that blocks unprivileged user namespaces and restricts kernel modules loading, and apply it to all pods via a mutating admission webhook.
B.Enable user namespaces for all containers by setting the 'hostUsers: false' option in the pod spec, which maps container root to a non-root user on the host.
C.Remove the CAP_SYS_ADMIN and CAP_NET_ADMIN capabilities from all containers by setting a default PodSecurityPolicy that drops these capabilities.
D.Enable AppArmor on all nodes and apply a custom profile that denies all mount and network-related system calls.
AnswerA

A default seccomp profile that blocks risky syscalls (e.g., those used for kernel module loading, user namespace creation) effectively prevents many container escapes without breaking most workloads. Applying it via a webhook ensures all pods use it.

Why this answer

Option A is correct because seccomp (secure computing mode) can filter system calls at the kernel level, and by configuring containerd to use a default seccomp profile that blocks syscalls related to unprivileged user namespaces (e.g., `clone` with `CLONE_NEWUSER`) and kernel module loading (e.g., `init_module`, `finit_module`), you prevent container escapes from performing privileged host operations. This approach is runtime-level, applies globally without modifying pod specs, and minimizes performance impact since seccomp uses a BPF-based filter that adds negligible overhead.

Exam trap

CNCF often tests the misconception that dropping capabilities alone is sufficient for host-level hardening, but the trap here is that capabilities only restrict privileged operations that require them, while seccomp provides syscall-level filtering that can block escape vectors even when the container runs as root.

How to eliminate wrong answers

Option B is wrong because setting `hostUsers: false` in the pod spec enables user namespace remapping, which maps the container's root user to a non-root user on the host, but this feature is not supported by containerd in Kubernetes versions prior to 1.27 and requires specific runtime support; it also does not block kernel module loading or host network modifications if the container retains capabilities like CAP_SYS_MODULE. Option C is wrong because dropping CAP_SYS_ADMIN and CAP_NET_ADMIN reduces the attack surface but does not prevent an attacker from using other capabilities (e.g., CAP_SYS_MODULE to load kernel modules) or exploiting syscalls that do not require capabilities, such as `mount` with `MS_BIND` if the container runs as root. Option D is wrong because AppArmor profiles deny system calls at the LSM level, but applying a custom profile that denies all mount and network-related syscalls would break standard container operations (e.g., creating network interfaces, mounting tmpfs) and is not a default or easily maintainable solution; additionally, AppArmor is not enabled by default on all Ubuntu 20.04 nodes and requires kernel configuration.

332
MCQhard

A pod fails to start with the error 'Container runtime network not ready', and the node uses Kata Containers (RuntimeClass: kata). What is the most likely cause?

A.The node has insufficient memory
B.The pod is trying to mount a hostPath volume
C.The CNI plugin is not configured correctly for the kata RuntimeClass
D.The pod's securityContext sets runAsNonRoot: true
AnswerC

Kata requires specific CNI configuration; misconfiguration leads to network not ready.

Why this answer

Kata Containers run inside a lightweight VM with its own kernel. Network configuration can be complex, and if the CNI plugin is not properly configured for Kata, the network may not be ready.

333
MCQmedium

A DevOps engineer wants to enforce that all container images running in the cluster are signed using Cosign. Which Kubernetes admission controller is designed for this purpose?

A.MutatingAdmissionWebhook
B.ImagePolicyWebhook
C.PodSecurityPolicy (deprecated)
D.ValidatingAdmissionWebhook
AnswerB

ImagePolicyWebhook is the admission controller that allows integration with external services to verify image signatures.

Why this answer

The ImagePolicyWebhook admission controller allows integration with external image verification services like Cosign to enforce image signing policies. The other options are not specifically for image signing.

334
Multi-Selectmedium

Which TWO actions help minimize vulnerabilities in microservices by securing secrets? (Choose two)

Select 2 answers
A.Base64 encode the secret in the YAML manifest
B.Set the secret as a label on the pod
C.Mount Secrets as volumes instead of environment variables
D.Use an external secrets manager like HashiCorp Vault
E.Store secrets in ConfigMaps to leverage ConfigMap encryption
AnswersC, D

Mounting as volumes reduces exposure in process listing and logs.

Why this answer

Best practices for secrets include mounting as volumes (avoiding environment variables) and using external secret management solutions for enhanced security features.

335
MCQmedium

A security audit reveals that the etcd datastore is not encrypted at rest. Which resource should be created to enable encryption of secrets at rest?

A.EncryptionConfiguration
B.EtcdEncryption
C.EncryptionConfig
D.SecretEncryption
AnswerA

This resource defines providers and keys for encryption at rest.

Why this answer

To enable encryption of secrets at rest in Kubernetes, you must create an EncryptionConfiguration resource. This resource defines which encryption providers (e.g., AES-CBC, secretbox) to use and how to encrypt resources stored in etcd. The kube-apiserver reads this configuration via the --encryption-provider-config flag and applies it to all resources in the specified resource group, such as secrets.

Exam trap

CNCF often tests the exact API resource name, and candidates mistakenly pick 'EtcdEncryption' or 'EncryptionConfig' because they sound plausible, but only 'EncryptionConfiguration' is the correct Kubernetes resource defined in the apiserver configuration.

How to eliminate wrong answers

Option B is wrong because EtcdEncryption is not a valid Kubernetes API resource; the correct resource is EncryptionConfiguration. Option C is wrong because EncryptionConfig is not a Kubernetes resource name; it might be confused with the kube-apiserver configuration file but does not exist as an API object. Option D is wrong because SecretEncryption is not a Kubernetes resource; encryption at rest applies to multiple resource types, not just secrets, and the resource is named EncryptionConfiguration.

336
MCQmedium

You run 'kube-bench' on a cluster node and get a failure for the test 'Ensure that the --anonymous-auth argument is set to false' (ID: 1.2.1). Which file do you need to modify to fix this issue?

A./etc/kubernetes/kubelet.conf
B./etc/kubernetes/manifests/kube-apiserver.yaml
C./etc/kubernetes/pki/
D./var/lib/kubelet/config.yaml
AnswerB

This is the static pod manifest for the API server in kubeadm clusters.

Why this answer

The kube-bench test ID 1.2.1 checks the kube-apiserver configuration for the `--anonymous-auth` flag. The API server is a static pod managed by the kubelet, and its configuration is defined in the manifest file `/etc/kubernetes/manifests/kube-apiserver.yaml`. To fix the failure, you must edit this file to set `--anonymous-auth=false`.

Exam trap

The trap here is that candidates often confuse the kubelet configuration file (`/var/lib/kubelet/config.yaml`) with the API server manifest, but the `--anonymous-auth` flag is specific to the API server, not the kubelet.

How to eliminate wrong answers

Option A is wrong because `/etc/kubernetes/kubelet.conf` is the kubelet's bootstrap configuration file, not the API server's manifest; it does not control the `--anonymous-auth` flag. Option C is wrong because `/etc/kubernetes/pki/` is a directory containing TLS certificates and keys, not configuration files for the API server. Option D is wrong because `/var/lib/kubelet/config.yaml` is the kubelet's own configuration file, which does not contain the `--anonymous-auth` argument for the API server.

337
Multi-Selecteasy

Which TWO of the following are valid methods to restrict etcd access? (Choose two.)

Select 2 answers
A.Use firewall rules to restrict access to etcd port 2379
B.Use TLS client certificates for authentication
C.Enable etcd RBAC
D.Use etcd's built-in password authentication
E.Set the --etcd-certfile flag on kube-apiserver
AnswersB, C

TLS client certificates authenticate clients to etcd.

Why this answer

Option B is correct because etcd supports mutual TLS (mTLS) authentication, where the client (e.g., kube-apiserver) presents a client certificate signed by the etcd CA. This ensures that only authenticated clients can communicate with etcd, effectively restricting access. Option C is correct because etcd has its own Role-Based Access Control (RBAC) system, which can be enabled to restrict read/write operations to specific users or roles, providing fine-grained access control.

Exam trap

The trap here is that candidates often confuse network-level controls (firewall rules) or API server flags with actual etcd authentication/authorization mechanisms, or mistakenly believe etcd supports password authentication like traditional databases.

338
Drag & Dropmedium

Order the steps to configure and apply a NetworkPolicy to restrict pod-to-pod traffic.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

NetworkPolicy must be created and applied, then tested by deploying pods and checking connectivity. The policy is enforced immediately.

339
MCQeasy

A team needs to set up a highly available Kubernetes control plane across three availability zones. What is the minimum number of etcd members required to achieve fault tolerance against one zone failure?

A.5
B.1
C.3
D.7
AnswerC

3 members tolerate one member failure, maintaining majority.

Why this answer

For a highly available Kubernetes control plane across three availability zones, the etcd cluster must tolerate the loss of one entire zone. With three etcd members, one per zone, the cluster requires a majority (2) to form quorum. If one zone fails, the remaining two members still constitute a majority, ensuring continued operation.

This matches the minimum odd number greater than one that provides fault tolerance against a single failure.

Exam trap

CNCF often tests the misconception that you need an even number of etcd members for high availability, but the Raft consensus algorithm requires an odd number to avoid split-brain scenarios, and the minimum for fault tolerance against one failure is three, not five or seven.

How to eliminate wrong answers

Option A is wrong because 5 etcd members would provide fault tolerance against two zone failures, which is more than required and not the minimum. Option B is wrong because a single etcd member has no fault tolerance; if that member or its zone fails, the entire cluster loses quorum and becomes unavailable. Option D is wrong because 7 etcd members provide fault tolerance against three zone failures, far exceeding the minimum needed for one zone failure and introducing unnecessary overhead.

340
MCQmedium

An administrator runs kube-bench on a node and sees a warning about the kubelet anonymous authentication being enabled. Which kubelet flag should be set to disable anonymous access?

A.--anonymous-auth=false
B.--anonymous-auth=true
C.--enable-anonymous=false
D.--disable-anonymous=true
AnswerA

Setting --anonymous-auth=false disables anonymous authentication for the kubelet, which is a CIS benchmark recommendation.

Why this answer

Option A is correct because the kubelet's `--anonymous-auth` flag controls whether requests to the kubelet API that are not rejected by other authentication modules are treated as anonymous requests. Setting `--anonymous-auth=false` disables anonymous access, requiring all requests to present valid credentials. This directly addresses the kube-bench warning about anonymous authentication being enabled, which is a security concern as it allows unauthenticated access to the kubelet's API.

Exam trap

The trap here is that candidates may confuse the kubelet's `--anonymous-auth` flag with similar-sounding but non-existent flags like `--enable-anonymous` or `--disable-anonymous`, or mistakenly think that setting the flag to `true` disables anonymous access.

How to eliminate wrong answers

Option B is wrong because `--anonymous-auth=true` enables anonymous access, which is the opposite of what is needed to disable it. Option C is wrong because `--enable-anonymous=false` is not a valid kubelet flag; the correct flag is `--anonymous-auth`. Option D is wrong because `--disable-anonymous=true` is not a valid kubelet flag; the kubelet uses `--anonymous-auth` with a boolean value to control anonymous access.

341
Multi-Selectmedium

Which TWO of the following are valid methods to restrict a container's filesystem to read-only in Kubernetes?

Select 2 answers
A.Use a ConfigMap volume with defaultMode 0444
B.Set readOnly: true on a hostPath volume mount
C.Set readOnlyRootFilesystem: true in the container's securityContext
D.Mount an emptyDir volume with readOnly: true
AnswersC, D

This makes the container's root filesystem read-only.

Why this answer

Setting readOnlyRootFilesystem: true in the container securityContext makes the root filesystem read-only. Using an emptyDir volume with readOnly: true mounts an emptyDir as read-only, but the root filesystem remains writable. hostPath is not read-only by default. ConfigMap volumes are typically mounted read-only by default, but the question asks about restricting the container's filesystem.

Option A directly makes the root filesystem read-only. Option D also works by mounting a volume read-only, but it does not restrict the root filesystem. However, the question says 'restrict a container's filesystem to read-only' which can include specific mounts.

The intended correct answers are A and D. (Note: In many contexts, 'filesystem' refers to the root filesystem, but volumes are also part of the filesystem.)

342
Multi-Selectmedium

Which TWO of the following are valid methods to secure the etcd cluster in a Kubernetes setup?

Select 2 answers
A.Enable encryption at rest for etcd data
B.Configure RBAC on etcd
C.Enable TLS with peer certificates for etcd member communication
D.Enable TLS with client certificates for etcd client communication
E.Apply NetworkPolicies to etcd pods
AnswersC, D

Peer certificates secure inter-etcd communication.

Why this answer

Option C is correct because etcd uses the Raft consensus protocol for distributed coordination, and enabling TLS with peer certificates ensures that all communication between etcd members (nodes) is encrypted and authenticated. This prevents man-in-the-middle attacks and unauthorized nodes from joining the cluster, which is a core security requirement for the control plane's data store.

Exam trap

CNCF often tests the distinction between securing the etcd cluster itself (via TLS for communication) versus securing the data at rest or using Kubernetes-level controls like RBAC or NetworkPolicies, which do not apply to the etcd process running outside the pod network.

343
MCQeasy

Which command would you use to sign a container image with Cosign?

A.cosign push <image>
B.cosign verify <image>
C.cosign attest <image>
D.cosign sign <image>
AnswerD

Cosign sign signs the specified container image.

Why this answer

Cosign sign is the correct command to sign an image. Option A is correct.

344
Multi-Selecthard

Which THREE of the following can be used to enforce policies on container images in a Kubernetes cluster? (Select 3)

Select 3 answers
A.Kyverno
B.ImagePolicyWebhook
C.Trivy
D.OPA/Gatekeeper
E.kubectl
AnswersA, B, D

Kyverno can enforce policies on images, such as allowed registries.

Why this answer

OPA/Gatekeeper, Kyverno, and ImagePolicyWebhook are all tools that can enforce image policies such as allowed registries, signatures, or other criteria.

345
MCQhard

A security team wants to ensure that all pods in a namespace run with a restricted seccomp profile. Which Pod Security Standard admission controller mode should be used to enforce this without blocking necessary pods?

A.Enable the PodSecurity admission plugin with the 'restricted' policy and 'enforce' mode
B.Use a mutating admission webhook to automatically add seccomp profiles
C.Enable the PodSecurity admission plugin with the 'baseline' policy and 'enforce' mode
D.Enable the PodSecurity admission plugin with the 'restricted' policy and 'warn' mode
AnswerA

'enforce' blocks non-compliant pods, and 'restricted' requires seccomp.

Why this answer

The Pod Security Standards (PSS) define three policies: privileged, baseline, and restricted. The restricted policy enforces the most stringent security controls, including requiring a seccomp profile to be set to 'RuntimeDefault' or 'localhost/*'. Using the PodSecurity admission plugin with 'enforce' mode ensures that any pod failing the restricted policy is immediately rejected, guaranteeing that only compliant pods run in the namespace.

Exam trap

CNCF often tests the distinction between 'enforce' and 'warn' modes: candidates mistakenly choose 'warn' thinking it is sufficient, but 'enforce' is required to actually block non-compliant pods.

How to eliminate wrong answers

Option B is wrong because a mutating admission webhook can automatically add seccomp profiles, but it does not enforce a Pod Security Standard policy; it only mutates the pod spec, and pods could still be created without the required profile if the webhook fails or is bypassed. Option C is wrong because the 'baseline' policy is less restrictive and does not require a seccomp profile; it only prevents known privilege escalations, so it would not enforce the restricted seccomp requirement. Option D is wrong because 'warn' mode only generates a warning for non-compliant pods but still allows them to be created, which does not enforce the restricted seccomp profile as required by the question.

346
MCQeasy

Which admission plugin enforces that kubelets cannot modify pods they do not own?

A.PodSecurity
B.AlwaysPullImages
C.NodeRestriction
D.ServiceAccount
AnswerC

This plugin restricts kubelet self-service APIs.

Why this answer

The NodeRestriction admission plugin ensures that kubelets can only modify Node and Pod objects that are bound to their own node. It enforces that a kubelet cannot update or delete pods it does not own, preventing a compromised or misconfigured kubelet from interfering with workloads on other nodes.

Exam trap

CNCF often tests the NodeRestriction plugin as a control for kubelet authorization, and the trap here is confusing it with PodSecurity (which handles pod security contexts) or AlwaysPullImages (which handles image pull policy), rather than recognizing that NodeRestriction specifically limits what a kubelet can modify.

How to eliminate wrong answers

Option A is wrong because PodSecurity is an admission plugin that enforces Pod Security Standards (e.g., privileged, baseline, restricted) on pod creation, not kubelet authorization. Option B is wrong because AlwaysPullImages forces every pod to pull its container images from the registry with credentials, but does not restrict kubelet modifications to pods. Option D is wrong because ServiceAccount is an admission plugin that manages service account automounting and token projection, not kubelet node-level access control.

347
Multi-Selectmedium

Which THREE of the following actions help reduce the attack surface of containers? (Select 3 correct answers)

Select 3 answers
A.Set hostNetwork: true for better network performance
B.Set securityContext.runAsNonRoot: true
C.Drop all capabilities and add only required ones
D.Enable audit logging for all API requests
E.Run containers with read-only root filesystem
AnswersB, C, E

Prevents running as root, reducing the impact of container escape.

Why this answer

Options A, C, and D are recommended security practices. Option B increases attack surface, and option E is about monitoring, not reducing attack surface.

348
Drag & Dropmedium

Arrange the steps to create and enforce a Pod Security Policy (PSP) in a Kubernetes cluster.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

PSPs require enabling the admission controller, creating the policy, granting access via RBAC, and binding to subjects. Testing confirms enforcement.

349
MCQmedium

You are configuring kubelet to protect kernel defaults. Which flag enables this?

A.--security-opt=protect-kernel
B.--protect-kernel-defaults
C.--enable-protect-kernel
D.--kernel-security
AnswerB

Correct flag to protect kernel settings.

Why this answer

The `--protect-kernel-defaults` flag is a kubelet option that, when set to `true`, enforces kernel tunable protections by checking that sysctl settings like `vm.overcommit_memory`, `vm.panic_on_oom`, and `kernel.panic` match the kubelet's expected safe defaults. This is a critical hardening measure to prevent container breakout scenarios where a compromised pod could weaken host kernel parameters.

Exam trap

The trap here is that candidates confuse Docker's `--security-opt` flags (which apply per-container) with kubelet's node-level hardening flags, or they invent plausible-sounding flag names like `--enable-protect-kernel` that do not exist in the kubelet reference.

How to eliminate wrong answers

Option A is wrong because `--security-opt=protect-kernel` is a Docker run flag, not a kubelet flag; it applies to individual containers, not the kubelet's global kernel protection. Option C is wrong because `--enable-protect-kernel` is not a valid kubelet flag; the correct syntax uses `--protect-kernel-defaults` without the 'enable' prefix. Option D is wrong because `--kernel-security` is not a recognized kubelet flag; it might be confused with AppArmor or SELinux profiles, but it does not enforce kernel default protections.

350
MCQmedium

You are creating a ServiceAccount that should not automatically mount its token to pods. Which field should be set in the ServiceAccount manifest?

A.automountServiceAccountToken: false
B.disableAutomount: true
C.tokenMountDisabled: true
D.mountToken: false
AnswerA

This field in the ServiceAccount spec disables automatic mounting of the service account token.

Why this answer

Option A is correct because the `automountServiceAccountToken` field in a ServiceAccount manifest, when set to `false`, prevents pods using that ServiceAccount from automatically mounting the service account token as a volume. This is a security hardening measure to reduce the attack surface in case a pod is compromised, as the token could be used to authenticate to the Kubernetes API server.

Exam trap

The trap here is that candidates may confuse the ServiceAccount-level field with the Pod-level field of the same name, or invent non-existent field names like `disableAutomount` or `tokenMountDisabled`, instead of recalling the exact API field `automountServiceAccountToken`.

How to eliminate wrong answers

Option B is wrong because `disableAutomount: true` is not a valid field in the ServiceAccount API; the correct field name is `automountServiceAccountToken`. Option C is wrong because `tokenMountDisabled: true` does not exist in the Kubernetes API; it is a fabricated field name. Option D is wrong because `mountToken: false` is not a recognized field; the correct boolean field is `automountServiceAccountToken`, and setting it to `false` achieves the desired behavior.

351
MCQhard

An admin has created an EncryptionConfiguration to encrypt secrets at rest in etcd. After applying the configuration and restarting the kube-apiserver, existing secrets are still stored in plaintext. What is the most likely reason?

A.The encryption provider is set to 'identity' which does not encrypt
B.The kube-apiserver was not restarted after applying the configuration
C.Existing secrets are not automatically encrypted; they need to be rewritten by reading and writing them back
D.The EncryptionConfiguration has a syntax error that caused it to be ignored
AnswerC

EncryptionConfiguration only encrypts new writes; existing data remains as-is until rewritten.

Why this answer

Option A is correct. By default, Kubernetes does not rewrite existing resources when encryption is enabled. To encrypt existing secrets, the admin must use `kubectl get secrets --all-namespaces -o yaml | kubectl apply -f -` to rewrite them.

Option B would cause errors. Option C is wrong because the encryption provider is used for new writes. Option D is wrong because the configuration is correct.

352
MCQmedium

A developer reports that a pod cannot reach an external database at 192.168.1.100:3306. The pod's namespace is 'app'. You need to create a NetworkPolicy that allows egress to that IP only. Which policy is correct?

A.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-egress namespace: app spec: podSelector: {} egress: - to: - ipBlock: cidr: 192.168.1.100/32 policyTypes: - Egress
B.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-egress namespace: app spec: podSelector: matchLabels: app: myapp egress: - to: - ipBlock: cidr: 192.168.1.100/32 policyTypes: - Egress
C.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-egress namespace: app spec: podSelector: {} ingress: - from: - ipBlock: cidr: 192.168.1.100/32 policyTypes: - Ingress
D.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-egress namespace: app spec: podSelector: {} egress: - to: - ipBlock: cidr: 192.168.1.100/32 ports: - port: 3306 protocol: TCP policyTypes: - Egress
AnswerD

Why this answer

The NetworkPolicy must allow egress to the specific IP and port. Option B uses podSelector: {} to apply to all pods in the namespace, egress rules to destination IP and port. Option A is missing the port specification.

Option C applies to pods with label 'app', not all. Option D uses both ingress and egress incorrectly.

353
MCQmedium

What is the purpose of an SBOM (Software Bill of Materials) in the context of supply chain security?

A.To sign container images
B.To scan images for vulnerabilities
C.To provide a list of all software components and dependencies in an artifact
D.To enforce runtime security policies
AnswerC

SBOM provides transparency into the components used.

Why this answer

An SBOM lists all software components in an artifact, enabling vulnerability tracking and compliance. Option B is correct.

354
MCQeasy

Which command loads an AppArmor profile from a file into the kernel?

A.apparmor_parser -r /path/to/profile
B.aa-enforce /path/to/profile
C.aa-status
D.modprobe apparmor
AnswerA

apparmor_parser loads the profile; -r replaces if already loaded.

Why this answer

The `apparmor_parser` command loads AppArmor profiles into the kernel. The `-r` flag replaces an existing profile with the one from the specified file, ensuring the kernel enforces the updated rules. This is the standard method to load or reload AppArmor profiles from a profile file.

Exam trap

CNCF often tests the distinction between loading a profile (`apparmor_parser`) and changing its mode (`aa-enforce` or `aa-complain`), causing candidates to confuse the command that loads the profile with the one that sets its enforcement state.

How to eliminate wrong answers

Option B is wrong because `aa-enforce` sets an already-loaded profile to enforce mode, but does not load a profile from a file into the kernel. Option C is wrong because `aa-status` only displays the current status of loaded AppArmor profiles and does not load any profiles. Option D is wrong because `modprobe apparmor` loads the AppArmor kernel module, not a specific profile; the module must already be loaded for profiles to be used.

355
MCQmedium

A cluster administrator wants to ensure that all pods in a namespace run with the `seccomp` profile set to `RuntimeDefault`. Which OPA Gatekeeper ConstraintTemplate would achieve this?

A.violation[{"msg": "Seccomp profile must be RuntimeDefault"}] { input.review.object.spec.containers[_].securityContext.seccompProfile.type == "Unconfined" }
B.violation[{"msg": "Seccomp profile must be RuntimeDefault"}] { input.review.object.spec.containers[_].securityContext.seccompProfile == "RuntimeDefault" }
C.violation[{"msg": "Seccomp profile must be RuntimeDefault"}] { input.review.object.spec.securityContext.seccompProfile.type != "RuntimeDefault" }
D.violation[{"msg": "Seccomp profile must be RuntimeDefault"}] { input.review.object.spec.containers[_].securityContext.seccompProfile.type != "RuntimeDefault" }
AnswerD

This denies pods that do not have the required seccomp profile.

Why this answer

The correct Rego policy checks that the container's securityContext has `seccompProfile.type: RuntimeDefault`. Option A does this correctly.

356
MCQeasy

You need to enable audit logging for the Kubernetes API server to capture all requests at the RequestResponse level. Which flag should you add to the kube-apiserver configuration?

A.--audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml
B.--audit-policy-file=/etc/kubernetes/audit-policy.yaml
C.--audit-log-path=/var/log/audit.log
D.--authorization-mode=RBAC
AnswerB

Correct: This flag specifies the audit policy file.

Why this answer

The --audit-policy-file flag tells the API server to use a specific audit policy file. The other options are incorrect: --audit-log-path is for the log file location, --audit-webhook-config-file is for webhook configuration, and --authorization-mode is for authorization.

357
MCQeasy

You want to run crictl to list all running containers on a node. Which command should you execute?

A.crictl ps
B.crictl stats
C.crictl images
D.crictl pods
AnswerA

Why this answer

crictl ps lists containers. By default it shows only running ones. Option A is correct.

Option B shows images; Option C shows pods; Option D shows stats.

358
MCQmedium

You are investigating a compromised pod. You suspect the attacker used 'kubectl exec' to gain shell access. Which command can you use to check the audit logs for exec events?

A.kubectl exec -it pod-name -- cat /var/log/audit/audit.log
B.kubectl get events
C.kubectl logs --audit
D.kubectl describe pod pod-name
AnswerA

This reads the audit log file from the pod's node if the log is accessible, but audit logs are typically on the API server node. However, among the options, this is the most direct way to view audit log content.

Why this answer

The kubectl logs command fetches logs from a pod, but audit logs are stored on the API server. To view audit logs, you typically read the audit log file (e.g., /var/log/audit/audit.log on the master node) or use a log aggregation tool. kubectl get events shows Kubernetes events, not audit logs.

359
Multi-Selecthard

Which THREE of the following are recommended actions to secure the Kubernetes Dashboard? (Choose three.)

Select 3 answers
A.Use RBAC to create a dedicated service account with minimal permissions
B.Expose the Dashboard via an Ingress with a public domain
C.Enable HTTPS for Dashboard communications
D.Do not bind the Dashboard's service account to the cluster-admin role
E.Avoid exposing the Dashboard via a public LoadBalancer
AnswersA, D, E

Least privilege reduces risk.

Why this answer

Option A is correct because the Kubernetes Dashboard should be accessed using a dedicated service account with minimal permissions via RBAC. This follows the principle of least privilege, ensuring the dashboard only has the permissions necessary for its function, reducing the attack surface. By default, the dashboard's service account has minimal permissions, but binding it to a role with excessive privileges (like cluster-admin) would be a security risk.

Exam trap

CNCF often tests the distinction between actions that are recommended (like using RBAC with minimal permissions) versus actions that are explicitly discouraged (like binding to cluster-admin or exposing via public endpoints), and candidates may mistakenly think enabling HTTPS is a 'recommended action' in this context, but it is not listed among the three correct options here because the question focuses on access control and exposure, not encryption.

360
MCQeasy

Which stage of the Kubernetes API request processing should be audited to capture the final response sent to the client?

A.ResponseStarted
B.Panic
C.ResponseComplete
D.RequestReceived
AnswerC

This stage occurs after the full response has been sent.

Why this answer

ResponseComplete is the stage after the response has been sent.

361
MCQmedium

A pod spec includes 'hostPID: true' and 'hostNetwork: true'. What security concern does this raise?

A.The container can use the host's GPU and other devices
B.The container can see all host processes and access the host network namespace, increasing the risk of privilege escalation
C.The container can read and write to the host filesystem
D.The container cannot use a securityContext
AnswerB

HostPID allows viewing processes, and hostNetwork allows using the host network stack, which can be abused.

Why this answer

Setting `hostPID: true` allows the container to see all processes running on the host, which can leak sensitive information and enable process injection. Setting `hostNetwork: true` gives the container direct access to the host's network namespace, bypassing network policies and potentially allowing the container to bind to privileged ports or sniff traffic. Together, these settings significantly increase the attack surface and risk of privilege escalation or host compromise.

Exam trap

CNCF often tests the distinction between namespace sharing (`hostPID`, `hostNetwork`, `hostIPC`) and volume mounts or device access; the trap here is that candidates confuse `hostNetwork` with host filesystem access or assume `hostPID` implies device access.

How to eliminate wrong answers

Option A is wrong because GPU and device access is controlled by `hostDevice` or resource limits, not by `hostPID` or `hostNetwork`. Option C is wrong because read/write access to the host filesystem requires a `hostPath` volume mount or `hostFilesystem` capability, not `hostPID` or `hostNetwork`. Option D is wrong because a pod with `hostPID: true` and `hostNetwork: true` can still use a `securityContext`; these settings are independent of the `securityContext` field.

362
MCQmedium

A security policy requires that all container images must be signed using Cosign. Which admission controller enforces signature verification at pod creation time?

A.ImagePolicyWebhook
B.MutatingAdmissionWebhook
C.ValidatingAdmissionWebhook
D.ResourceQuota
AnswerA

ImagePolicyWebhook is the dedicated admission controller for enforcing image policies like signature verification.

Why this answer

The ImagePolicyWebhook admission controller is specifically designed to verify image signatures and policies via an external webhook.

363
MCQmedium

A DevOps team deploys a microservice that needs to access a third-party API using credentials stored in a Kubernetes Secret. The team wants to minimize the risk of credential exposure. Which approach best achieves this goal while following security best practices?

A.Store the credentials in a Secret and mount it as a volume with default permissions.
B.Store the credentials in a Secret, mount it as a read-only volume, and use a dedicated service account with RBAC limiting access to that secret.
C.Use a sidecar container that reads the secret from a file and exposes it via a Unix socket, running the container as root.
D.Store the credentials in a ConfigMap and inject them as environment variables.
AnswerB

Read-only volume prevents modification, dedicated service account with RBAC ensures only the specific pod can access the secret, minimizing exposure.

Why this answer

Option B is correct because mounting the Secret as a read-only volume prevents runtime modification, and using a dedicated service account with RBAC ensures only the specific microservice can access the Secret. This follows the principle of least privilege and minimizes exposure, as the credentials are never injected as environment variables (which can be leaked via /proc or logs) and are only available to the intended pod.

Exam trap

CNCF often tests the misconception that environment variables are safe for secrets, but the trap here is that environment variables can be exposed via `/proc/self/environ`, logs, or debug endpoints, making volume mounts with strict permissions and RBAC the more secure choice.

How to eliminate wrong answers

Option A is wrong because mounting a Secret with default permissions (typically 0644) allows other processes on the node to read the secret files, increasing exposure risk. Option C is wrong because running the sidecar container as root violates the principle of least privilege and could allow privilege escalation; a Unix socket approach adds complexity without addressing the core credential exposure issue. Option D is wrong because ConfigMaps are not designed for sensitive data—they lack encryption at rest and are often stored in plaintext in etcd, making credentials vulnerable to exposure.

364
MCQeasy

Which of the following is a MutatingAdmissionWebhook that is built into Kubernetes and can automatically inject a sidecar proxy for service mesh?

A.PodSecurity admission controller
B.Istio sidecar injector
C.Cert-manager
D.Gatekeeper
AnswerB

Istio uses a mutating admission webhook to automatically inject the Envoy sidecar proxy into pods.

Why this answer

Istio’s sidecar injector is a mutating webhook that modifies pod specs to add the Envoy proxy sidecar.

365
MCQmedium

You need to sign a container image using cosign with a key stored in an environment variable. Which command should you use?

A.cosign sign myimage:latest --key cosign.pub
B.cosign sign --key env://COSIGN_PRIVATE_KEY myimage:latest
C.cosign sign --key $COSIGN_PRIVATE_KEY myimage:latest
D.cosign sign --key file://cosign.key myimage:latest
AnswerB

This is the correct syntax to use a key from an environment variable.

Why this answer

Cosign sign with --key env://[VAR] reads the key from an environment variable.

366
MCQeasy

Which flag disables anonymous authentication on the API server?

A.--enable-admission-plugins=NodeRestriction
B.--authorization-mode=RBAC
C.--anonymous-auth=false
D.--client-ca-file=<path>
AnswerC

This flag disables anonymous authentication.

Why this answer

The `--anonymous-auth=false` flag explicitly disables anonymous authentication on the Kubernetes API server. When set to false, the API server will reject requests from unauthenticated users (those not presenting valid credentials), enforcing that all requests must be authenticated. This is a critical security hardening step to prevent anonymous access to the cluster's control plane.

Exam trap

The trap here is that candidates often confuse authentication with authorization, mistakenly selecting `--authorization-mode=RBAC` (Option B) thinking it controls who can access the API, when in fact RBAC only controls what authenticated users can do, not whether anonymous users are allowed.

How to eliminate wrong answers

Option A is wrong because `--enable-admission-plugins=NodeRestriction` enables the NodeRestriction admission controller, which limits the permissions of kubelet nodes but does not control anonymous authentication. Option B is wrong because `--authorization-mode=RBAC` sets the authorization mode to Role-Based Access Control, which governs what authenticated users can do, not whether unauthenticated users can connect. Option D is wrong because `--client-ca-file=<path>` specifies the CA certificate used to validate client certificates for TLS-based authentication, but it does not disable anonymous authentication; anonymous requests are still allowed unless explicitly denied.

367
Multi-Selectmedium

Which TWO of the following are valid Pod Security Context settings to harden a container? (Select 2)

Select 2 answers
A.privileged: true
B.runAsUser: 0
C.runAsNonRoot: true
D.readOnlyRootFilesystem: true
E.allowPrivilegeEscalation: true
AnswersC, D

Prevents running as root user.

Why this answer

runAsNonRoot: true (option A) ensures the container does not run as root. readOnlyRootFilesystem: true (option C) prevents writes to the root filesystem. Option B (privileged: true) is insecure. Option D (runAsUser: 0) runs as root.

Option E (allowPrivilegeEscalation: true) allows privilege escalation.

368
Multi-Selecthard

Which THREE of the following are valid approaches to enforce that all pods in a cluster run with a read-only root filesystem? (Select THREE)

Select 3 answers
A.Deploy a ValidatingWebhookConfiguration that checks for readOnlyRootFilesystem: true
B.Use a Gatekeeper policy to drop all capabilities
C.Enable Pod Security Admission (PSA) with the 'restricted' profile
D.Deploy a MutatingWebhookConfiguration that adds readOnlyRootFilesystem: true to all pods
E.Apply a NetworkPolicy that denies egress
AnswersA, C, D

Validating webhooks can reject non-compliant pods.

Why this answer

Options A, B, and D are correct. A ValidatingWebhook can reject pods without readOnlyRootFilesystem. A MutatingWebhook can inject it.

Pod Security Admission (PSA) can enforce it via the 'restricted' profile. Option C is about dropping capabilities, not read-only root. Option E is for network policies.

369
MCQhard

A security team suspects a compromised pod is making unexpected outbound connections to an external IP. Which of the following is the BEST first step to investigate the network traffic from that pod?

A.Deploy Falco with a rule to detect outbound connections
B.Create a NetworkPolicy to deny all egress traffic
C.Run 'kubectl exec <pod> -- tcpdump -i eth0' to capture packets
D.Check the pod's logs using 'kubectl logs <pod>'
AnswerC

Correct: tcpdump inside the pod provides detailed network traffic capture.

Why this answer

Using 'kubectl exec' with tools like tcpdump or netstat allows you to inspect network connections from within the pod. Option B is plausible but not as direct. Option C (Falco) is for runtime security but not specifically for network traffic analysis.

Option D is about blocking, not investigation.

370
MCQmedium

You need to enable encryption at rest for secrets in the cluster. Which resource should you create to configure encryption providers?

A.EncryptionConfiguration
B.EncryptionProviderConfig
C.EncryptionPolicy
D.SecretEncryptionConfig
AnswerA

This is the correct resource to configure encryption providers such as aescbc or secretbox.

Why this answer

To enable encryption at rest for Kubernetes secrets, you must create an EncryptionConfiguration resource. This object defines which encryption providers (e.g., aesgcm, aescbc, secretbox, or identity) should be used to encrypt secrets stored in etcd. The API server reads this configuration from a file specified via the --encryption-provider-config flag, allowing you to control encryption at the provider level.

Exam trap

CNCF often tests the exact name of the Kubernetes resource, and candidates confuse EncryptionConfiguration with similar-sounding but nonexistent names like EncryptionProviderConfig or EncryptionPolicy, which are not part of the Kubernetes API.

How to eliminate wrong answers

Option B is wrong because EncryptionProviderConfig is not a valid Kubernetes resource; the correct resource name is EncryptionConfiguration. Option C is wrong because EncryptionPolicy is a generic term and not a specific Kubernetes API object used for configuring encryption providers. Option D is wrong because SecretEncryptionConfig does not exist as a Kubernetes resource; the configuration applies to all secrets cluster-wide via EncryptionConfiguration.

371
MCQeasy

What does SBOM stand for in the context of supply chain security?

A.Software Bill of Materials
B.Systematic Bug and Oversight Manager
C.Secure Build Orchestration Manager
D.Source Binary Object Model
AnswerA

SBOM stands for Software Bill of Materials.

Why this answer

SBOM is a Software Bill of Materials, a detailed list of components, dependencies, and metadata used in a software artifact.

372
MCQmedium

Which etcd encryption provider is considered strongest for encrypting secrets at rest?

A.secretbox
B.identity
C.aesgcm
D.aescbc
AnswerD

aescbc provides strong encryption with AES in CBC mode.

Why this answer

Option D (aescbc) is correct because AES-CBC with a 256-bit key is the recommended and strongest encryption provider for encrypting secrets at rest in etcd, as specified in the Kubernetes documentation. It provides robust encryption using the Advanced Encryption Standard in Cipher Block Chaining mode, which is widely accepted for data-at-rest encryption in production environments.

Exam trap

CNCF often tests the misconception that AES-GCM (aescbc's alternative) is stronger due to its authenticated encryption, but the trap here is that aescbc is the officially recommended provider for etcd encryption at rest in Kubernetes, while aesgcm is not supported for this purpose.

How to eliminate wrong answers

Option A (secretbox) is wrong because secretbox is not a valid encryption provider in Kubernetes; it is a reference to the NaCl library's secret-key encryption, but Kubernetes does not support it for etcd encryption. Option B (identity) is wrong because identity is the default provider that stores secrets in plaintext without any encryption, offering no protection at rest. Option C (aesgcm) is wrong because AES-GCM, while a strong authenticated encryption mode, is not recommended for etcd encryption due to its nonce reuse vulnerability and lack of support for key rotation in the Kubernetes encryption configuration.

373
Multi-Selectmedium

Which TWO of the following are recommended practices for securing the Kubernetes Dashboard? (Select TWO)

Select 2 answers
A.Use HTTP instead of HTTPS for Dashboard traffic
B.Disable authentication for the Dashboard
C.Restrict Dashboard access using RBAC with minimal privileges
D.Use the default cluster-admin ServiceAccount for Dashboard access
E.Avoid exposing the Dashboard on a public IP address
AnswersC, E

RBAC ensures users have only necessary permissions.

Why this answer

Option C is correct because the Kubernetes Dashboard should be secured using Role-Based Access Control (RBAC) with minimal privileges. This follows the principle of least privilege, ensuring that users or service accounts accessing the Dashboard have only the permissions necessary for their tasks, reducing the attack surface and potential blast radius in case of compromise.

Exam trap

CNCF often tests the misconception that disabling authentication or using HTTP simplifies setup, but the trap here is that these practices completely bypass security controls, while candidates may overlook that RBAC with minimal privileges is the correct hardening step.

374
MCQhard

You are writing a Falco rule to detect when a container tries to read the file `/etc/shadow`. Which condition in the Falco rule correctly matches this event?

A.container.name=shadow and evt.type=open
B.evt.type=read and fd.name=/etc/shadow
C.proc.name=cat and fd.name=/etc/shadow
D.evt.type=open and fd.name=/etc/shadow
AnswerD

The open syscall is used to open files, and fd.name contains the file path. This correctly detects attempts to open /etc/shadow.

Why this answer

Falco uses `evt.type` for syscall type (e.g., open, openat, read) and `fd.name` for the file path. The `open` syscall is typically used to open files; reading can also happen via `openat` or `read`. Option B is correct because it checks for the open syscall and the file path.

Option A checks for the `read` syscall but `fd.name` may not be available for read events. Option C uses `proc.name` which is process name, not file. Option D uses `container.name` which is not relevant.

375
MCQmedium

An administrator wants to ensure that a Deployment uses a specific image digest (SHA256) instead of a tag. Which field in the Deployment YAML should be modified?

A.spec.replicas
B.spec.template.spec.containers[].imagePullPolicy
C.spec.template.spec.containers[].image
D.spec.template.metadata.annotations
AnswerC

The image field can be set to an image reference with a digest (e.g., 'image@sha256:...') instead of a tag.

Why this answer

The image field in the container spec can include a digest after the tag, e.g., 'nginx@sha256:abc123...'. The other options are not related to image specification.

Page 4

Page 5 of 14

Page 6