Certified Kubernetes Security Specialist (CKS) — Questions 376-450

997 questions total · 14 pages · All types, answers revealed

Page 6 of 14
376
MCQ (hard)

An organization wants to implement supply chain security by signing all container images and verifying them before deployment. Which combination of tools is appropriate?

A. Snyk and OPA
B. Cosign and Kyverno
C. Trivy and Syft
D. Clair and Notary
Answer: B

Cosign signs and verifies images, and Kyverno can enforce admission policies to require signatures.

Why this answer

Cosign is used for signing and verifying images. Kyverno or OPA/Gatekeeper can enforce verification policies. The correct combination is Cosign for signing and Kyverno for enforcement.

Trivy and Syft are for vulnerability scanning and SBOM generation, not signing. Notary (Docker Content Trust) is another signing tool, but paired with Clair, a scanner, option D has nothing that enforces the signature at admission time; Snyk and OPA likewise lack a signer.

377
MCQ (medium)

An administrator wants to secure etcd communication. Which of the following is required to enable TLS for client-to-etcd communication?

A. Set ETCD_TLS_ENABLE=true environment variable
B. --cert-file=<cert-file> and --key-file=<key-file>
C. --client-cert-auth=true and --trusted-ca-file=<CA-file>
D. --tls-cert-file and --tls-key-file
Answer: B

These flags enable TLS for client connections.

Why this answer

To enable TLS for client-to-etcd communication, the etcd server must present a certificate to clients. The `--cert-file` and `--key-file` flags specify the server's TLS certificate and private key, which are required for the TLS handshake. Without these, etcd cannot serve HTTPS to clients.

Exam trap

The trap here is that candidates confuse the flags for enabling TLS (`--cert-file`/`--key-file`) with the flags for enabling client certificate authentication (`--client-cert-auth`/`--trusted-ca-file`), or they misremember the exact flag names as `--tls-cert-file`/`--tls-key-file` which do not exist in etcd.

How to eliminate wrong answers

Option A is wrong because `ETCD_TLS_ENABLE` is not a valid setting; etcd does honour `ETCD_*` environment variables that mirror its flags (for example `ETCD_CERT_FILE` and `ETCD_KEY_FILE`), but there is no on/off switch for TLS: it is enabled by supplying a certificate and key. Option C is wrong because `--client-cert-auth=true` and `--trusted-ca-file` enable mutual TLS (client certificate authentication), which is optional and not required for basic TLS encryption, although it is what a hardened cluster should also set so that only holders of a CA-issued certificate can read etcd. Option D is wrong because the correct flag names are `--cert-file` and `--key-file`, not `--tls-cert-file` and `--tls-key-file`; the latter are not recognized by etcd.

378
MCQ (medium)

Which static analysis tool is specifically designed to evaluate Kubernetes manifests against security best practices?

A. cosign
B. syft
C. kubesec
D. clair
Answer: C

Kubesec scans Kubernetes manifests for security issues like privileged containers or host network access.

Why this answer

Kubesec is a tool that analyzes Kubernetes YAML files and assigns a security score, with advice for each finding. Option C is correct; cosign signs images, syft generates SBOMs and clair scans image layers for vulnerabilities, none of which evaluate manifests.

379
Multi-Select (medium)

Which TWO actions are recommended by the CIS Kubernetes Benchmark to secure the API server?

Select 2 answers
A. Set --authorization-mode=RBAC
B. Set --enable-admission-plugins=NodeRestriction
C. Set --authorization-mode=AlwaysAllow
D. Set --insecure-port=8080
E. Set --anonymous-auth=false
Answers: A, E

Option A enables RBAC authorization; option E rejects unauthenticated requests.

Why this answer

Option A is correct because the CIS Kubernetes Benchmark recommends setting `--authorization-mode=RBAC` (in practice `Node,RBAC`) to enforce role-based access control, which restricts API server access based on user roles and permissions. This ensures that only authorized users and service accounts can perform specific actions, aligning with the principle of least privilege. Option E is correct because `--anonymous-auth=false` makes the API server reject requests that carry no credentials instead of treating them as `system:anonymous`. Options C and D do the opposite of hardening: `AlwaysAllow` skips authorization entirely, and the insecure port served unauthenticated plaintext HTTP (the flag has been removed in current releases).

Exam trap

The CIS Benchmark does also recommend enabling the NodeRestriction admission plugin, so candidates may select option B; the question, however, targets the authorization and authentication controls, and CNCF often tests the distinction between admission plugins and the authentication/authorization settings of the API server.

380
Multi-Select (medium)

Which TWO of the following are valid Rego keywords used in OPA policies for Gatekeeper? (Select TWO)

Select 2 answers
A. violation
B. allow
C. input
D. data
E. deny
Answers: C, E

`input` is the reserved document in Rego that holds the request under evaluation (for Gatekeeper, `input.review.object` is the admitted resource); `data` is likewise reserved for the policy data tree. `deny` is the rule name that conventional OPA policies populate, while Gatekeeper ConstraintTemplates use `violation[{"msg": ...}]` instead; these names are conventions of the policy framework rather than keywords of the language itself.

381
MCQ (medium)

You run kube-bench on a node and it reports a failure for 'Ensure that the --anonymous-auth argument is set to false' for the kubelet service. Which file must you modify to fix this?

A. /etc/kubernetes/manifests/kube-apiserver.yaml
B. /etc/kubernetes/pki/ca.crt
C. /etc/kubernetes/kubelet.conf
D. /var/lib/kubelet/config.yaml
Answer: D

Kubelet configuration is often stored in this YAML file; setting authentication.anonymous.enabled: false fixes the issue.

Why this answer

Option D is correct because kube-bench checks the kubelet's anonymous authentication setting, which on kubeadm clusters lives in the kubelet's KubeletConfiguration file. By default, the kubelet reads its configuration from `/var/lib/kubelet/config.yaml` (or the path given by `--config` in the kubelet service unit). Setting `authentication.anonymous.enabled: false` in this file (the file equivalent of the `--anonymous-auth=false` flag) and restarting the kubelet disables anonymous requests to the kubelet API on port 10250, enforcing authentication.

Exam trap

The trap here is that candidates confuse the kubelet's configuration file with the kubelet's kubeconfig file (`kubelet.conf`) or the API server manifest, because all three are involved in authentication but serve different roles.

How to eliminate wrong answers

Option A is wrong because `/etc/kubernetes/manifests/kube-apiserver.yaml` is the static pod manifest for the API server, not the kubelet; the `--anonymous-auth` flag for the kubelet is not configured there. Option B is wrong because `/etc/kubernetes/pki/ca.crt` is the CA certificate file used for TLS verification, not a configuration file for kubelet authentication settings. Option C is wrong because `/etc/kubernetes/kubelet.conf` is a kubeconfig file used by the kubelet to authenticate to the API server, not the file where kubelet server-side authentication options like `--anonymous-auth` are set.

382
MCQ (hard)

A security auditor recommends enabling audit logging for the Kubernetes API server with a policy that logs all requests at the Metadata level. Which configuration ensures this requirement?

A. Enable the 'Audit' admission plugin
B. Set --audit-log-level=Metadata
C. Use --audit-log-maxage=30 to retain logs
D. Create an audit policy file with 'level: Metadata' for all resources and pass it via --audit-policy-file
Answer: D

The audit policy file defines the level of logging for different request types.

Why this answer

Option D is correct because Kubernetes audit logging requires an audit policy file that defines the log level for different request stages and resources. The requirement to log all requests at the Metadata level is achieved by creating a policy file with `level: Metadata` for all resources (or a catch-all rule) and passing it to the API server via the `--audit-policy-file` flag. The audit policy file is the only mechanism to specify the log level (None, Metadata, Request, RequestResponse) per resource or stage.

Exam trap

The trap here is that candidates confuse the audit policy file's `level` field with a command-line flag like `--audit-log-level`, which does not exist, leading them to select option B instead of understanding that the level is defined in the policy file.

How to eliminate wrong answers

Option A is wrong because the 'Audit' admission plugin does not exist; Kubernetes uses an audit backend (e.g., log backend) configured via flags, not an admission plugin. Option B is wrong because `--audit-log-level` is not a valid flag; the log level is defined inside the audit policy file, not as a command-line argument. Option C is wrong because `--audit-log-maxage` controls log rotation (days to retain old log files) but does not enable or configure the audit logging level or policy.
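The rule-matching semantics that make the catch-all rule work are easy to get wrong in practice, so here is an added example (not part of the question bank) that reproduces how the kube-apiserver evaluates an audit policy: rules are tried in order, the first matching rule sets the level, and an event that matches no rule is not logged at all. The policy documents are the parsed form of the YAML you would pass with `--audit-policy-file`; the two events, the file paths in `apiserver_audit_flags()` and the second policy's deliberate ordering mistake are constructed for the demonstration.

```python
"""Added example: audit policy rule evaluation as the kube-apiserver performs it.
Policies are dicts (the parsed form of the audit Policy YAML); events are constructed."""

# Equivalent to:
#   apiVersion: audit.k8s.io/v1
#   kind: Policy
#   rules:
#   - level: Metadata          # catch-all: every request, headers only, no bodies
CATCH_ALL_POLICY = {"apiVersion": "audit.k8s.io/v1", "kind": "Policy",
                    "rules": [{"level": "Metadata"}]}

# A policy with an ordering mistake: the Secrets rule sits AFTER the catch-all,
# so it is never reached and Secrets are logged at Metadata instead.
MISORDERED_POLICY = {"apiVersion": "audit.k8s.io/v1", "kind": "Policy", "rules": [
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "Metadata"},
    {"level": "RequestResponse",
     "resources": [{"group": "", "resources": ["secrets"]}]},
]}

LEVELS = ("None", "Metadata", "Request", "RequestResponse")


def _resource_rule_matches(rule_resources, event):
    """A resources entry matches when the API group matches and either no
    resource names are listed or the event's resource is among them."""
    for entry in rule_resources:
        if entry.get("group", "") != event.get("apiGroup", ""):
            continue
        names = entry.get("resources")
        if not names or event["resource"] in names:
            return True
    return False


def rule_matches(rule, event):
    """A rule matches when every selector it specifies matches the event."""
    if "users" in rule and event["user"] not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(event.get("groups", [])):
        return False
    if "verbs" in rule and event["verb"] not in rule["verbs"]:
        return False
    if "namespaces" in rule and event.get("namespace", "") not in rule["namespaces"]:
        return False  # an empty string in the list matches cluster-scoped requests
    if "nonResourceURLs" in rule:
        return event.get("nonResourceURL") in rule["nonResourceURLs"]
    if "resources" in rule:
        return "resource" in event and _resource_rule_matches(rule["resources"], event)
    return True


def audit_level(policy, event):
    """First matching rule wins; with no match the apiserver does not log (None)."""
    for rule in policy["rules"]:
        if rule["level"] not in LEVELS:
            raise ValueError(f"invalid audit level {rule['level']!r}")
        if rule_matches(rule, event):
            return rule["level"]
    return "None"


def apiserver_audit_flags(policy_path="/etc/kubernetes/audit-policy.yaml",
                          log_path="/var/log/kubernetes/audit/audit.log"):
    """Flags to add to the kube-apiserver static Pod (paths are assumptions);
    the policy file and log directory must also be mounted into that Pod."""
    return [f"--audit-policy-file={policy_path}",
            f"--audit-log-path={log_path}",
            "--audit-log-maxage=30", "--audit-log-maxbackup=10",
            "--audit-log-maxsize=100"]


# Constructed events, reduced to the attributes the rules select on.
GET_SECRET = {"user": "alice", "groups": ["developers"], "verb": "get",
              "apiGroup": "", "resource": "secrets", "namespace": "prod"}
PROXY_WATCH = {"user": "system:kube-proxy", "groups": ["system:nodes"],
               "verb": "watch", "apiGroup": "", "resource": "endpoints",
               "namespace": ""}

if __name__ == "__main__":
    print(audit_level(CATCH_ALL_POLICY, GET_SECRET))    # Metadata
    print(audit_level(MISORDERED_POLICY, GET_SECRET))   # Metadata, the Secrets rule is shadowed
    print(audit_level(MISORDERED_POLICY, PROXY_WATCH))  # None
```

Move the `RequestResponse` rule above the catch-all and `GET_SECRET` is logged with its body; the order of the rules list is the policy.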

383
MCQ (easy)

Which kubectl command can be used to check the CIS benchmark compliance of a Kubernetes cluster?

A. kube-bench run --targets=master,worker
B. kubectl security-check
C. kubectl cis-benchmark
D. kubectl audit cluster
Answer: A

kube-bench is designed to run CIS benchmark checks against Kubernetes clusters.

Why this answer

Option A is correct because `kube-bench` is the open-source tool from Aqua Security that implements the CIS Kubernetes Benchmark checks. It is run on each node (or as a Job in the cluster) with the roles to assess (`master`, `node`/`worker`, `etcd`, `controlplane`, `policies`), compares the running configuration against the benchmark controls and reports PASS, FAIL or WARN for each check together with remediation text.

Exam trap

CNCF often tests the misconception that kubectl has built-in security or compliance subcommands, when in reality tools like kube-bench are separate executables that must be installed and run independently.

How to eliminate wrong answers

Option B is wrong because `kubectl security-check` is not a valid kubectl command; kubectl does not have a built-in subcommand for security benchmarking. Option C is wrong because `kubectl cis-benchmark` is not a valid kubectl command; the CIS benchmark is not executed via kubectl but via a separate tool like kube-bench. Option D is wrong because `kubectl audit cluster` is not a valid kubectl command; cluster auditing is typically done via API server audit logs or tools like kube-bench, not a kubectl subcommand.

384
MCQ (hard)

You want to run a container with gVisor for sandboxing. After installing gVisor and creating a RuntimeClass named 'gvisor', which Pod configuration enables it?

A. Set spec.runtimeClassName: gvisor
B. Set spec.nodeSelector with 'gvisor: true'
C. Define an environment variable RUNTIME=gvisor in the container
D. Add an annotation 'container.runtime: gvisor' to the Pod
Answer: A

The runtimeClassName field in Pod spec selects the RuntimeClass resource, which points to the gVisor runtime handler.

Why this answer

RuntimeClass is a cluster resource that defines a container runtime configuration (e.g., gVisor, Kata). Pods specify which RuntimeClass to use via the runtimeClassName field.

385
MCQ (hard)

A cluster has been compromised due to a container running with privileged escalation. The team wants to prevent any container from gaining new privileges. Which configuration should be applied?

A. Set securityContext.runAsUser: 1000
B. Set securityContext.readOnlyRootFilesystem: true
C. Drop all capabilities with securityContext.capabilities.drop: ["ALL"]
D. Set securityContext.allowPrivilegeEscalation: false
Answer: D

This directly prevents privilege escalation, which is a key security control.

Why this answer

Setting `securityContext.allowPrivilegeEscalation: false` makes the container runtime set the `no_new_privs` bit on the container's processes, so a process can never gain more privileges than its parent: the kernel ignores setuid and setgid bits and file capabilities on `execve`. That is exactly the control for blocking escalation through a setuid binary such as `sudo` or `su` left in the image. Note that the field is forced to `true` when the container is privileged or adds `CAP_SYS_ADMIN`, so it only has effect on an unprivileged container.

Exam trap

CNCF often tests the misconception that dropping all capabilities is sufficient to prevent privilege escalation, but the trap is that capabilities and privilege escalation are separate controls—`allowPrivilegeEscalation: false` is the specific setting to block setuid-based escalation.

How to eliminate wrong answers

Option A is wrong because setting `runAsUser: 1000` only specifies the user ID under which the container runs, but it does not prevent the container from escalating privileges (e.g., via a setuid binary owned by root). Option B is wrong because `readOnlyRootFilesystem: true` only makes the container's root filesystem read-only, which protects against writes but has no effect on privilege escalation mechanisms. Option C is wrong because dropping all capabilities with `capabilities.drop: ["ALL"]` removes Linux capabilities but does not disable the ability to gain new privileges through setuid binaries or other mechanisms; `allowPrivilegeEscalation: false` is required to block that path.

386
MCQ (medium)

An administrator runs 'falco -L' to list the loaded rules and sees many default rules. What is the correct way to load a custom Falco rules file?

A. falco --load /path/to/rules.yaml
B. falco --rules /path/to/rules.yaml
C. falco -r /path/to/rules.yaml
D. falco --config /path/to/rules.yaml
Answer: C

Why this answer

Use the `-r` flag to load a rules file; it may be repeated to load several, and rules files loaded later override rules with the same name from earlier ones. `-c`/`--config` points at `falco.yaml`, not at rules. For a daemon deployment the custom file is normally listed in the rules file entry of `/etc/falco/falco.yaml` (or placed in `/etc/falco/rules.d/`) so that it is loaded on every start.

387
MCQ (easy)

Which annotation is used to apply an AppArmor profile to a pod in Kubernetes?

A. security.alpha.kubernetes.io/apparmor
B. apparmor.kubernetes.io/default
C. seccomp.security.alpha.kubernetes.io/pod
D. container.apparmor.security.beta.kubernetes.io/<container_name>
Answer: D

This annotation sets the AppArmor profile per container; its value is `localhost/<profile>` for a profile loaded on the node, `runtime/default` or `unconfined`.

Why this answer

The annotation 'container.apparmor.security.beta.kubernetes.io/<container_name>' has been the way to specify an AppArmor profile for a container in a pod, and the profile must already be loaded on every node the pod can land on. Since Kubernetes 1.30 the preferred mechanism is the `securityContext.appArmorProfile` field (`type: Localhost` with `localhostProfile`, `RuntimeDefault` or `Unconfined`), which went GA in 1.31; the annotation is deprecated but still recognized.

388
MCQ (easy)

Which static analysis tool can be used to check Kubernetes manifests for security misconfigurations?

A. kubesec
B. kubectl apply
C. trivy image
D. helm template
Answer: A

Kubesec provides security ratings and recommendations for Kubernetes resources.

Why this answer

Kubesec is a tool that analyzes Kubernetes manifests for security issues. Option A is correct.

389
MCQ (hard)

An organization uses a GitOps workflow with Argo CD to deploy applications to Kubernetes. The security team wants to ensure that container images are immutable and signed. They currently use a private container registry (Harbor) with vulnerability scanning and Cosign for signing. Which combination of controls best enforces that only signed and scanned images are deployed?

A. Configure Argo CD to verify Cosign signatures before syncing the application.
B. Use imagePullSecrets in Kubernetes to ensure only Harbor images are used.
C. Add a Cosign verification step in the CI pipeline before pushing images to Harbor, and rely on that guarantee.
D. Enable Harbor's content trust feature to reject unsigned images, and use a Kyverno admission rule to verify Cosign signatures at deploy time.
Answer: D

Harbor blocks unsigned pushes, and Kyverno validates signatures at admission.

Why this answer

Option D is correct because it enforces a two-layer defense: Harbor's content trust rejects unsigned images at the registry level, and a Kyverno admission rule verifies Cosign signatures at deploy time. This ensures that even if an unsigned image bypasses the registry, it will be blocked by Kubernetes admission control, providing defense in depth for supply chain security.

Exam trap

CNCF often tests the concept that imagePullSecrets only handle authentication, not integrity or signing, leading candidates to mistakenly choose Option B as a security control.

How to eliminate wrong answers

Option A is wrong because Argo CD does not natively verify Cosign signatures before syncing; it relies on external admission controllers or pre-sync hooks for such checks. Option B is wrong because imagePullSecrets only control authentication to pull images from a registry, not image integrity or signature verification. Option C is wrong because relying solely on CI pipeline verification is insufficient; an attacker could bypass the pipeline or push unsigned images directly to the registry, and there is no runtime enforcement.

390
MCQ (easy)

A security engineer needs to ensure that all containers in a cluster run as non-root users. Which Pod Security Context field should be set to enforce this requirement?

A. runAsNonRoot: true
B. runAsUser: 1000
C. privileged: false
D. allowPrivilegeEscalation: false
Answer: A

runAsNonRoot: true makes the kubelet refuse to start any container whose effective UID would be 0, so the Pod never runs as root.

Why this answer

runAsNonRoot: true is the correct field. It can be set in the Pod-level securityContext, where it applies to every container, or per container. The kubelet checks the effective user when it starts the container: if the image would run as UID 0, or the image's USER is a non-numeric name that cannot be verified and no runAsUser is given, the container fails with CreateContainerConfigError rather than running. runAsUser: 1000 alone pins a specific UID but is not the field that expresses the requirement; pair the two when an image's USER is a name rather than a number.

391
MCQ (hard)

You have deployed a service mesh with Istio and want to enforce mutual TLS (mTLS) for all traffic between services in the 'mesh' namespace. Which resource should you create?

A. A PeerAuthentication resource with mTLS mode set to STRICT and a namespace selector
B. A DestinationRule resource with trafficPolicy tls mode set to ISTIO_MUTUAL
C. A VirtualService with a rewrite rule to enforce TLS
D. A ServiceEntry to define external services
Answer: A

PeerAuthentication with mtls.mode: STRICT enforces mTLS for the selected namespace or workloads.

Why this answer

PeerAuthentication defines the mTLS mode for workloads. Setting mode to STRICT enforces that only mTLS traffic is accepted. DestinationRule can complement with client-side settings, but the primary enforcement is PeerAuthentication.

392
MCQ (hard)

You are asked to generate an SBOM for a container image and attach it as an attestation using cosign. Which two commands would you run in sequence?

A. trivy image --format spdx myimage:latest > sbom.spdx && cosign verify --key cosign.pub myimage:latest
B. syft myimage:latest -o spdx > sbom.spdx && cosign attest --type spdx --predicate sbom.spdx myimage:latest
C. cosign sign --key cosign.key myimage:latest && syft myimage:latest -o spdx
D. crane ls myimage:latest && cosign attest --type spdx --predicate sbom.spdx myimage:latest
Answer: B

This correctly generates an SBOM in SPDX format and attaches it as an in-toto attestation.

Why this answer

First generate the SBOM with syft, then attach it as an attestation with `cosign attest`, which wraps the predicate in an in-toto statement, signs it and pushes it to the registry next to the image. The `--type` must match the SBOM format produced (`spdx` for SPDX tag-value, `spdxjson` for SPDX JSON, `cyclonedx` for CycloneDX), and consumers pass the same `--type` to `cosign verify-attestation`. Option A verifies a signature instead of attaching anything, option C signs the image but never attaches the SBOM, and option D's `crane ls` only lists tags.

393
Multi-Select (medium)

Which TWO of the following are CIS Benchmark recommendations for securing the API server?

Select 2 answers
A. Enable the insecure port (--insecure-port)
B. Disable anonymous authentication
C. Enable audit logging
D. Use ABAC mode for authorization
E. Disable TLS
Answers: B, C

Anonymous auth should be disabled.

Why this answer

Option B is correct because the CIS Benchmark for Kubernetes recommends disabling anonymous authentication to ensure that all requests to the API server are authenticated. By setting the `--anonymous-auth=false` flag on the kube-apiserver, unauthenticated requests are rejected, which prevents anonymous users from accessing the cluster. This is a fundamental security hardening step to enforce identity verification for every API call.

Exam trap

CNCF often tests the distinction between deprecated/insecure features (like the insecure port or disabling TLS) and the actual CIS-recommended secure defaults, tempting candidates to select options that sound like hardening but are actually anti-patterns.

394
MCQ (medium)

You are investigating a pod that may have been compromised. Which kubectl command allows you to run a shell inside the running container without overwriting the container's filesystem?

A. kubectl exec -it pod-name -- /bin/bash
B. kubectl debug pod-name --image=busybox
C. kubectl run -it --image=busybox sh
D. kubectl attach pod-name
Answer: A

This starts an interactive shell inside the running container.

Why this answer

kubectl exec with -it and -- /bin/bash gives an interactive shell without modifying the container's filesystem.

395
MCQ (hard)

A cluster has EncryptionConfiguration with aescbc provider. After rotating the encryption key, what must be done to re-encrypt existing Secrets with the new key?

A. Delete and recreate all Secrets
B. Restart the API server
C. Run 'kubectl encrypt secrets --key new-key'
D. Use 'kubectl get secrets --all-namespaces -o yaml | kubectl replace -f -'
Answer: D

Correct. Reading every Secret back and replacing it writes each one through the API server again, which stores it with whichever provider and key is currently first in the EncryptionConfiguration.

Why this answer

The 'kubectl replace' command triggers re-encryption by rewriting the resource; encryption at rest is applied on write, never retroactively. The documented rotation order matters: add the new key as the first entry of the `aescbc` keys list while keeping the old key after it, restart every kube-apiserver (on a multi-member control plane all of them must be restarted before the rewrite, or a member still on the old configuration cannot read the new ciphertext), run the `kubectl get ... | kubectl replace` pipeline so that every Secret is stored under the new key, and only then remove the old key and restart again. Removing the old key before the rewrite makes the Secrets still encrypted with it unreadable, and option C's `kubectl encrypt` does not exist.

396
MCQ (easy)

What is the primary purpose of an SBOM in supply chain security?

A. To list all open source and third-party components in an image
B. To scan images for secrets
C. To sign container images
D. To enforce network policies
Answer: A

SBOM is a formal record of components.

Why this answer

An SBOM provides a list of all components in a software artifact, enabling vulnerability tracking and license compliance.

397
MCQ (hard)

Given the exhibit, what will happen when a user creates a pod with an image from an untrusted registry?

A. The pod is rejected by NodeRestriction admission
B. The pod is rejected by PodSecurity admission
C. The pod is created and the image is pulled
D. The pod is created but the image is not pulled because it's untrusted
Answer: C

AlwaysPullImages forces image pull but does not block untrusted registries.

Why this answer

Option C is correct because, by default, Kubernetes does not restrict which registries images may come from. The kubelet asks the container runtime to pull whatever image the Pod references, unless an admission control (the ImagePolicyWebhook plugin, or a policy engine such as Kyverno or Gatekeeper with an allowed-registries rule) rejects the Pod first. The exhibit shows only AlwaysPullImages, which forces a fresh pull on every container start but passes no judgement on the registry, so the pod is created and the image is pulled.

Exam trap

CNCF often tests the misconception that Kubernetes has a built-in 'untrusted registry' blocker, when in reality it requires explicit admission control or runtime configuration to enforce such policies.

How to eliminate wrong answers

Option A is wrong because NodeRestriction admission only limits what a kubelet's node identity may do through the API (e.g., prevents a node from modifying pods bound to other nodes); it does not validate image registries. Option B is wrong because PodSecurity admission (the replacement for PodSecurityPolicy) enforces the Pod Security Standards on security contexts, host namespaces and capabilities, not registry trustworthiness. Option D is wrong because Kubernetes has no built-in notion of an untrusted registry; the image will be pulled unless an admission webhook or policy engine blocks the Pod.

398
MCQ (easy)

Which kubectl command is used to check whether AppArmor is enabled and which profiles are loaded on a node?

A. kubectl get seccomp
B. kubectl get apparmor
C. aa-status
D. systemctl status apparmor
Answer: C

Correct. aa-status shows AppArmor status and loaded profiles.

Why this answer

The `aa-status` command is a standard Linux utility that displays the status of AppArmor, including whether it is enabled and which profiles are loaded. Since AppArmor is a Linux Security Module (LSM) enforced at the node level, not a Kubernetes resource, you must use a node-level command like `aa-status` to check its status. This command directly queries the AppArmor module in the kernel and lists all loaded profiles.

Exam trap

The trap here is that candidates assume AppArmor can be managed like a Kubernetes resource using kubectl, but it is a node-level security module that must be checked with Linux-native commands, not Kubernetes API objects.

How to eliminate wrong answers

Option A is wrong because `kubectl get seccomp` is not a valid kubectl command; seccomp profiles are managed via pod security contexts or runtime classes, not through a dedicated kubectl subcommand. Option B is wrong because `kubectl get apparmor` is also invalid; AppArmor profiles are not Kubernetes API resources and cannot be retrieved with kubectl. Option D is wrong because `systemctl status apparmor` only checks the systemd service status, not whether AppArmor is enabled in the kernel or which profiles are loaded; the service may be running but AppArmor could be in complain mode or have no profiles loaded.

399
Multi-Select (medium)

Which TWO of the following are valid ways to verify a container image signature using cosign?

Select 2 answers
A. cosign validate myimage:latest
B. cosign verify-attestation --key cosign.pub myimage:latest
C. cosign check myimage:latest
D. cosign attest --key cosign.key myimage:latest
E. cosign verify --key cosign.pub myimage:latest
Answers: B, E

Option B verifies the signature on an in-toto attestation attached to the image (an SBOM or provenance statement); option E verifies the image signature itself.

Why this answer

Cosign verify and cosign verify-attestation are the correct commands. The other options are incorrect commands.

400
MCQ (hard)

A cluster has been hardened by setting --anonymous-auth=false and enabling RBAC. However, kube-bench still reports a failure for the kubelet check 'Ensure that the --anonymous-auth argument is set to false'. What could be the reason?

A. The kubelet configuration file does not set --anonymous-auth=false
B. The API server is running with --authorization-mode=AlwaysAllow
C. The kubelet is using a self-signed certificate
D. The NodeRestriction admission plugin is not enabled
Answer: A

kube-bench checks the kubelet's own setting, which is independent of the API server's --anonymous-auth flag and must be set separately.

Why this answer

The `--anonymous-auth=false` that was applied belongs to kube-apiserver; the kubelet is a separate HTTPS server (port 10250) with its own authentication settings. On kubeadm clusters the kubelet is started with `--config=/var/lib/kubelet/config.yaml` and takes those settings from `authentication.anonymous.enabled` in that KubeletConfiguration file. kube-bench inspects both the kubelet process's command line and its config file, and the check passes only when one of them explicitly disables anonymous access, so a config file that leaves the field unset (with no kubelet flag) fails the check even though the API server is hardened. The fix is `authentication.anonymous.enabled: false` in the file followed by `systemctl restart kubelet`.

Exam trap

The trap here is mixing up the two components: both kube-apiserver and the kubelet have an anonymous-auth setting, and hardening one does not change the other. A second source of confusion is precedence when a kubelet flag and the config file disagree: the command-line flag wins (the help text of the kubelet's `--config` flag states that command-line flags override the file), so check both places when a finding persists.

How to eliminate wrong answers

Option B is wrong because the API server's `--authorization-mode=AlwaysAllow` affects authorization for API server requests, not the kubelet's anonymous authentication setting; kube-bench's kubelet check is specific to the kubelet's own `--anonymous-auth` flag. Option C is wrong because using a self-signed certificate relates to TLS certificate validation and does not impact the anonymous authentication setting; kube-bench has separate checks for certificate validation. Option D is wrong because the NodeRestriction admission plugin controls what node identities can do via the API server, not the kubelet's own anonymous authentication configuration.
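Because questions 381 and 400 both turn on where the kubelet's effective setting comes from, here is an added example (not part of the question bank) that resolves it the way a kube-bench style check must: read the kubelet's command line, fall back to the dotted path in its `--config` file, and pass only on an explicit `false`. The three nodes are constructed; node A reproduces the scenario of question 400, where only kube-apiserver was hardened. The KubeletConfiguration file is modelled as a dict (its parsed form) rather than read from disk.

```python
"""Added example: how the kubelet's effective --anonymous-auth value is resolved
and judged.  Nodes are constructed dicts: 'kubelet_argv' is the kubelet process
command line, 'kubelet_config' the parsed /var/lib/kubelet/config.yaml."""


def flag_value(argv, flag):
    """Return the value of '--flag=value' or '--flag value' from a command line, else None."""
    for i, arg in enumerate(argv):
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
    return None


def config_value(config, path):
    """Look up a dotted path such as authentication.anonymous.enabled in the parsed file."""
    node = config
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def effective_kubelet_setting(node, flag, path):
    """Kubelet precedence: a command-line flag overrides the config file (the
    --config flag's help text: "Command-line flags override configuration from
    this file"); with neither present the setting is unset (None)."""
    raw = flag_value(node["kubelet_argv"], flag)
    if raw is not None:
        return raw.lower() == "true"
    return config_value(node.get("kubelet_config", {}), path)


def check_anonymous_auth_disabled(node):
    """kube-bench style verdict: PASS only when the effective value is an explicit false."""
    value = effective_kubelet_setting(node, "--anonymous-auth",
                                      "authentication.anonymous.enabled")
    if value is False:
        return "PASS"
    where = ("unset in both the kubelet flags and the config file"
             if value is None else f"set to {value}")
    return f"FAIL: kubelet anonymous auth is {where}"


def remediation():
    """What to change on the node; the kubelet must be restarted afterwards."""
    return {"file": "/var/lib/kubelet/config.yaml",
            "set": {"authentication": {"anonymous": {"enabled": False}}},
            "restart": "systemctl restart kubelet"}


# Node A: kube-apiserver hardened, kubelet config never mentions anonymous auth.
NODE_A = {"apiserver_argv": ["kube-apiserver", "--anonymous-auth=false",
                             "--authorization-mode=Node,RBAC"],
          "kubelet_argv": ["kubelet", "--config=/var/lib/kubelet/config.yaml"],
          "kubelet_config": {"kind": "KubeletConfiguration",
                             "authentication": {"webhook": {"enabled": True}}}}
# Node B: the remediation applied in the config file.
NODE_B = {"kubelet_argv": ["kubelet", "--config=/var/lib/kubelet/config.yaml"],
          "kubelet_config": {"kind": "KubeletConfiguration",
                             "authentication": {"anonymous": {"enabled": False}}}}
# Node C: file says true, flag says false; the flag wins.
NODE_C = {"kubelet_argv": ["kubelet", "--anonymous-auth=false",
                           "--config=/var/lib/kubelet/config.yaml"],
          "kubelet_config": {"authentication": {"anonymous": {"enabled": True}}}}

if __name__ == "__main__":
    for name, node in (("A", NODE_A), ("B", NODE_B), ("C", NODE_C)):
        print(name, check_anonymous_auth_disabled(node))
```

The API server's flags in `NODE_A` are deliberately never consulted; that is the whole point of the finding.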

401
Multi-Select (medium)

Which TWO of the following are valid ways to enable mTLS between services in a service mesh (e.g., Istio)?

Select 2 answers
A. Creating a DestinationRule with a trafficPolicy that sets tls mode to ISTIO_MUTUAL
B. Creating a ServiceEntry for the destination service
C. Creating a NetworkPolicy that allows ingress on port 443
D. Creating a PeerAuthentication resource with mTLS mode set to STRICT
E. Creating an AuthorizationPolicy with DENY action
Answers: A, D

DestinationRule can override mTLS settings for specific services.

Why this answer

In Istio, PeerAuthentication enables mTLS for traffic within the mesh, and DestinationRule can set the traffic policy for specific services. ServiceEntry is for external services, not internal mTLS. NetworkPolicy is for Kubernetes network policies, not mTLS.

AuthorizationPolicy is for access control, not transport security.

402
Multi-Select (medium)

Which TWO are benefits of using a distroless base image over a full OS image like Ubuntu? (Select two.)

Select 2 answers
A. Faster image build times
B. Smaller image size
C. Better compatibility with Kubernetes security contexts
D. Smaller attack surface
E. Easier debugging
Answers: B, D

Distroless images are significantly smaller.

Why this answer

Distroless images reduce attack surface and image size by including only necessary libraries.

403
MCQ (easy)

Which kubectl command can be used to exec into a running container for forensic analysis during an incident response?

A. kubectl exec -it <pod> -- /bin/sh
B. kubectl run --stdin --tty --image=busybox
C. kubectl logs <pod>
D. kubectl attach <pod>
Answer: A

Why this answer

The correct command is kubectl exec -it <pod> -- /bin/sh, which starts an interactive shell in the container.

404
MCQ (medium)

Which flag is used to restrict the kubelet's ability to modify node status and pods?

A. --authorization-mode=Webhook
B. --read-only-port=0
C. --protect-kernel-defaults=true
D. --authentication-token-webhook=true
Answer: A

This makes the kubelet authorize requests to its own API by asking the API server, so callers are limited by RBAC.

Why this answer

The kubelet's `--authorization-mode=Webhook` flag (`authorization.mode: Webhook` in KubeletConfiguration) makes the kubelet send a SubjectAccessReview to the API server for every request that reaches the kubelet's own HTTPS endpoint on port 10250 (`/pods`, `/exec`, `/logs`, `/run`, and so on), so that only identities with RBAC permission on the corresponding `nodes/proxy`, `nodes/log`, `nodes/stats` or similar subresources can read pod data or execute commands through the kubelet; the alternative, `AlwaysAllow`, lets any authenticated caller do all of that. Note that the flag governs requests made to the kubelet. Limiting what the kubelet itself may change in the API (its own Node object, Secrets only for pods bound to it, no pods on other nodes) is the job of the Node authorizer and the NodeRestriction admission plugin on kube-apiserver, which is why a hardened cluster sets both.

Exam trap

The trap here is that candidates confuse authentication (verifying identity) with authorization (controlling actions), so they pick `--authentication-token-webhook=true` thinking it restricts the kubelet, when in fact it only validates tokens without limiting what the kubelet can do once authenticated.

How to eliminate wrong answers

Option B is wrong because `--read-only-port=0` disables the kubelet's read-only port (10255), which prevents unauthenticated read access to metrics and stats, but does not restrict the kubelet's ability to modify node status or pods. Option C is wrong because `--protect-kernel-defaults=true` ensures the kubelet checks and enforces kernel parameter settings (e.g., sysctl) for security, but it does not control authorization for node or pod modifications. Option D is wrong because `--authentication-token-webhook=true` enables token-based authentication via a webhook, verifying the identity of API requesters, but it does not restrict the kubelet's own ability to modify resources—that requires authorization, not authentication.

405
MCQ (medium)

An administrator wants to enforce that all pods run with read-only root filesystem. Which admission controller can achieve this without writing custom code?

A. ServiceAccount
B. PodSecurity
C. MutatingAdmissionWebhook
D. ImagePolicyWebhook
Answer: B

PodSecurity enforce applies a predefined Pod Security Standards profile (privileged, baseline or restricted) to a namespace without custom code; it is the only option listed that enforces pod hardening rules.

Why this answer

PodSecurity is the built-in admission controller that enforces the Pod Security Standards via namespace labels such as `pod-security.kubernetes.io/enforce: restricted`. The restricted profile requires `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and a `RuntimeDefault` or `Localhost` seccomp profile, and forbids privileged containers and host namespaces. Be aware that no Pod Security Standard, including restricted, requires `readOnlyRootFilesystem`; enforcing that specific field takes a policy engine such as Kyverno or Gatekeeper, or a ValidatingAdmissionPolicy with a CEL rule, both of which are declarative rather than custom code. Among the options given, ServiceAccount and ImagePolicyWebhook do nothing for security contexts, and a MutatingAdmissionWebhook requires writing and operating a webhook server.

406
MCQ (medium)

What is the purpose of the `allowPrivilegeEscalation: false` setting in a container's security context?

A. It prevents the container from running as root.
B. It prevents processes from gaining additional privileges (e.g., via setuid).
C. It prevents the container from using host networking.
D. It prevents the container from accessing host devices.
Answer: B

Correct: it disables privilege escalation.

Why this answer

This setting prevents processes in the container from gaining more privileges than their parent, such as via setuid binaries.
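Questions 385, 390, 405 and 406 each test one securityContext field; in practice they are enforced together as the Pod Security Standards restricted profile. The following is an added example (not part of the question bank) of a pre-admission check that mirrors the securityContext rules of that profile as the PodSecurity admission controller applies them, including pod-level values inherited by containers, with `readOnlyRootFilesystem` kept in a separate function because it belongs to no standard profile. The two Pods are constructed dicts (the parsed form of the manifest YAML); volume-type, hostPort, sysctl and SELinux rules of the profile are omitted.

```python
"""Added example: a checker for the securityContext rules of the Pod Security
Standards 'restricted' profile.  Pods are dicts (parsed manifest YAML); both
sample Pods are constructed for the demonstration."""


def _containers(pod):
    spec = pod["spec"]
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def restricted_violations(pod):
    """Return the restricted-profile rules the Pod breaks (empty list = admitted).
    A pod-level securityContext value applies to a container unless the
    container sets the same field itself, as in the real admission check."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"{key} must be false")
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            found.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must contain ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            found.append(f"{name}: capabilities.add may only contain "
                         f"NET_BIND_SERVICE, not {sorted(extra)}")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            found.append(f"{name}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found


def read_only_root_violations(pod):
    """Not part of any Pod Security Standard: an organisational rule that a
    policy engine (Kyverno, Gatekeeper, ValidatingAdmissionPolicy) would carry."""
    return [f"{c['name']}: readOnlyRootFilesystem must be true"
            for c in _containers(pod)
            if c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True]


# Constructed: a Pod the way a later-compromised workload was likely deployed.
RISKY_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
             "spec": {"hostPID": True,
                      "containers": [{"name": "app", "image": "example.com/app:1.0",
                                      "securityContext": {"runAsUser": 0,
                                                          "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

# The same Pod hardened to the restricted profile plus a read-only root filesystem.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "app", "image": "example.com/app:1.0",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "readOnlyRootFilesystem": True,
                                                             "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for v in restricted_violations(RISKY_POD) + read_only_root_violations(RISKY_POD):
        print("RISKY:", v)
    print("HARDENED:", restricted_violations(HARDENED_POD) + read_only_root_violations(HARDENED_POD))
```

`allowPrivilegeEscalation` is checked with `is not False` on purpose: the profile requires the field to be set explicitly, since the kubelet's default is `true`.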

407
Multi-Select (medium)

Which TWO of the following are effective measures to minimize the impact of a compromised microservice container in a Kubernetes cluster? (Choose two.)

Select 2 answers
A. Set resource limits (CPU/memory) on the container
B. Set the container's root filesystem as read-only
C. Apply a NetworkPolicy that restricts egress traffic to only necessary services
D. Run the container as root to simplify debugging
E. Use hostNetwork: true to share the host's network namespace
Answers: A, C

Resource limits prevent a compromised container from exhausting cluster resources.

Why this answer

Setting resource limits (CPU/memory) on a container is correct because it prevents a compromised microservice from consuming excessive cluster resources, which could lead to a denial-of-service (DoS) attack against other workloads. By enforcing limits via the container's cgroup constraints, the kernel throttles or OOM-kills the container if it exceeds its allocated resources, containing the blast radius of the compromise.

Exam trap

CNCF often tests the distinction between preventive controls (e.g., read-only filesystem, non-root user) and impact-minimization controls (e.g., resource limits, network policies), and candidates mistakenly choose read-only filesystem as an impact-minimization measure when it is actually a preventive measure.

408
MCQ (easy)

A security team wants to detect any attempt to open /etc/shadow in a container. Which Falco rule condition field is MOST appropriate?

A. proc.name contains 'shadow'
B. container.id != host and fd.name=/etc/shadow
C. evt.type in (open, openat) and fd.name=/etc/shadow
D. evt.type=read and fd.name=/etc/shadow
Answer: C

This checks for open or openat syscalls on the file /etc/shadow, which is the standard way to detect file access.

Why this answer

Falco uses the 'evt.type' field to match system call events, and 'fd.name' to match the file descriptor name. Option C correctly checks for open or openat syscalls whose target file name is /etc/shadow.

409
MCQhard

You need to encrypt Secrets at rest in an existing Kubernetes cluster. You create an EncryptionConfiguration file specifying aescbc as the provider. After updating the API server kube-apiserver.yaml with the new configuration, you create a new Secret. Which of the following statements is true?

A.Only newly created secrets will be encrypted; existing secrets remain unencrypted.
B.The encryption key is automatically rotated every 30 days.
C.The aescbc provider can be changed to identity without any impact on existing secrets.
D.All existing secrets in the cluster are automatically encrypted after the API server restart.
AnswerA

EncryptionConfiguration applies at write time. Existing secrets stored in etcd remain unencrypted until they are modified.

Why this answer

EncryptionConfiguration only encrypts newly created or updated secrets. Existing secrets are not automatically encrypted unless they are rewritten. Option D is incorrect because existing secrets are not automatically encrypted.

Option B is incorrect because the key is not automatically rotated. Option C is incorrect because the encryption provider can be changed, but doing so would require rewriting existing secrets.

410
MCQmedium

A security policy requires that all pods in a namespace must run with a read-only root filesystem. Which admission controller can enforce this?

A.ResourceQuota
B.MutatingAdmissionWebhook
C.PodSecurityPolicy
D.ValidatingAdmissionPolicy
AnswerD

Correct. This is a built-in admission controller that can enforce custom policies including read-only filesystem.

Why this answer

PodSecurityPolicy is deprecated. The modern approach is to use a ValidatingAdmissionPolicy or an OPA/Gatekeeper policy. Among the options, only 'ValidatingAdmissionPolicy' is a built-in admission controller that can enforce such policies.

411
MCQeasy

Which of the following flags should be set on the kube-apiserver to disable anonymous authentication?

A.--disable-anonymous-auth
B.--enable-anonymous-auth=false
C.--anonymous-auth=false
D.--anonymous-auth=off
AnswerC

This flag disables anonymous authentication.

Why this answer

Option C is correct because the kube-apiserver uses the `--anonymous-auth` flag to control anonymous requests. Setting `--anonymous-auth=false` explicitly disables anonymous authentication, meaning unauthenticated requests (those without a valid bearer token or client certificate) will be rejected with a 401 Unauthorized response. This is a critical hardening step to prevent unauthorized access to the Kubernetes API server.

Exam trap

The trap here is that candidates confuse the flag name with a 'disable' or 'enable' prefix pattern common in other tools, or assume a non-boolean value like 'off' works, when Kubernetes strictly requires the exact `--anonymous-auth=false` syntax.

How to eliminate wrong answers

Option A is wrong because `--disable-anonymous-auth` is not a valid kube-apiserver flag; the correct flag name is `--anonymous-auth`. Option B is wrong because `--enable-anonymous-auth=false` is not a recognized flag; Kubernetes does not use an `enable-` prefix for this setting, and the flag must be `--anonymous-auth` with a boolean value. Option D is wrong because `--anonymous-auth=off` uses the string 'off' instead of the required boolean `false`; the kube-apiserver expects true or false, and 'off' is not a valid boolean value, so the flag fails to parse and does not disable anonymous auth.

412
MCQmedium

You are auditing RBAC and find a ClusterRoleBinding named 'admin-binding' that binds the 'cluster-admin' ClusterRole to a service account in the 'default' namespace. What is the security concern?

A.The binding should be a RoleBinding instead of ClusterRoleBinding
B.It grants too broad permissions to the service account
C.The service account name must be changed
D.The binding is fine as long as the service account is used in the default namespace
AnswerB

Correct. cluster-admin gives superuser access, which should be avoided for service accounts.

Why this answer

The 'cluster-admin' ClusterRole grants super-user permissions across the entire cluster, including access to all namespaces and all resources. Binding this role to a service account via a ClusterRoleBinding gives that service account unrestricted cluster-wide privileges, which violates the principle of least privilege. This is a significant security concern because if the service account is compromised, an attacker gains full control over the cluster.

Exam trap

The trap here is that candidates may focus on the binding type (ClusterRoleBinding vs RoleBinding) or namespace usage, rather than recognizing that the core issue is the excessive privileges of the 'cluster-admin' role itself, regardless of how it is bound.

How to eliminate wrong answers

Option A is wrong because a ClusterRoleBinding is necessary to bind a ClusterRole; a RoleBinding can only bind a ClusterRole to subjects within a specific namespace, but the security issue here is the excessive permissions of the 'cluster-admin' role itself, not the binding type. Option C is wrong because the service account name is irrelevant to the security concern; the problem is the permissions granted, not the identity. Option D is wrong because the binding is not fine; even if the service account is used only in the default namespace, the ClusterRoleBinding grants cluster-wide permissions, allowing the service account to access resources in any namespace, which is a severe security risk.

413
MCQhard

You are configuring kubelet security. Which flag prevents containers from modifying kernel parameters?

A.--read-only-port=0
B.--protect-kernel-defaults
C.--kernel-memcg-notification
D.--allow-privileged=false
AnswerB

This flag prevents containers from modifying kernel parameters.

Why this answer

The `--protect-kernel-defaults` flag ensures that the kubelet enforces kernel parameter protections, preventing containers from modifying sensitive kernel parameters (e.g., via sysctl). This is a critical security hardening measure to maintain node stability and prevent container breakout through kernel tuning.

Exam trap

The trap here is that candidates confuse `--protect-kernel-defaults` with `--allow-privileged=false`, assuming that preventing privileged containers is sufficient to block kernel parameter changes, but non-privileged containers can still modify kernel parameters via sysctl unless explicitly restricted.

How to eliminate wrong answers

Option A is wrong because `--read-only-port=0` disables the read-only kubelet API port (10255), which reduces attack surface but does not prevent kernel parameter modification. Option C is wrong because `--kernel-memcg-notification` is a kubelet flag for memory cgroup notifications, unrelated to restricting kernel parameter changes. Option D is wrong because `--allow-privileged=false` prevents privileged containers but does not block non-privileged containers from modifying kernel parameters via sysctl or other mechanisms.

414
MCQhard

You are deploying a ValidatingWebhookConfiguration. The webhook server is running in the 'webhook' namespace, service name 'svc', port 443. Which clientConfig should you specify?

A.clientConfig: service: namespace: webhook name: svc path: /validate
B.clientConfig: url: https://webhook.svc.cluster.local:443/validate
C.clientConfig: service: namespace: webhook name: webhook path: /validate
D.clientConfig: service: namespace: default name: svc path: /validate
AnswerA

Correctly specifies the service reference.

Why this answer

The clientConfig for a service-based webhook must reference the namespace, service name, and path. Option A uses the service reference correctly.

415
MCQeasy

Which tool is used to load AppArmor profiles on a node?

A.apparmor_parser
B.aa-enforce
C.aa-status
D.kubectl apply
AnswerA

Correct. apparmor_parser loads profiles.

Why this answer

The apparmor_parser command is used to load AppArmor profiles into the kernel.

416
MCQmedium

You suspect a container has been compromised. You want to preserve the container's filesystem for forensic analysis before terminating the pod. Which approach should you use?

A.Exec into the container and delete suspicious files
B.Restart the kubelet on the node
C.Use kubectl cp to copy files from the container to a safe location
D.Immediately delete the pod to stop the attack
AnswerC

Correct. This preserves the filesystem for analysis.

Why this answer

To preserve evidence, you should not delete the pod immediately. Instead, use kubectl cp or a sidecar to copy files, or create a snapshot. But the simplest non-destructive step is to copy files from the container using 'kubectl cp' before deletion.

417
MCQmedium

An administrator wants to drop all capabilities for a container and then add back only NET_BIND_SERVICE. Which securityContext configuration is correct?

A.capabilities: add: ["NET_BIND_SERVICE"]
B.capabilities: drop: ["ALL"]
C.capabilities: drop: ["ALL"] add: ["NET_BIND_SERVICE"]
D.capabilities: drop: ["NET_BIND_SERVICE"] add: ["ALL"]
AnswerC

Correct. Drops all first, then adds the required capability.

Why this answer

The recommended approach is to drop ALL capabilities using 'ALL' and then add only the needed capabilities.

418
MCQhard

During a security incident, you need to snapshot the processes running inside a container without using kubectl exec. Which crictl command sequence can you use?

A.crictl pods and then crictl ps -a
B.crictl images and then crictl run <image>
C.crictl ps and then crictl exec <container-id> ps aux
D.crictl ps and then crictl inspect <container-id>
AnswerC

This lists running containers and then executes ps aux inside a specific container to snapshot processes.

Why this answer

crictl ps lists containers, then crictl exec (or crictl exec -i -t) runs a command in a container. However, crictl does not have a 'top' command; you would use ps inside the container. The question asks for a command sequence.

Option C is the most direct: list containers, then exec ps aux.

419
MCQmedium

A security policy requires that all container images use SHA-based digests instead of tags. Which approach ensures this in a Deployment YAML?

A.Use the 'image' field with a tag and also set 'digest' field
B.Set imagePullPolicy: Always and use tags
C.Use the image field with a digest, e.g., 'image: nginx@sha256:abc123'
D.Set imagePullPolicy: IfNotPresent and use tags
AnswerC

Using @sha256:... ensures the exact image is pulled.

Why this answer

Using the image pull policy 'IfNotPresent' does not enforce digest usage; the image field must specify a digest.

420
MCQmedium

Which crictl command is used to view the logs of a specific container in a node?

A.crictl logs <container-id>
B.crictl exec -it <container-id> sh
C.crictl pods
D.crictl ps -a
AnswerA

Correct: This command fetches logs.

Why this answer

'crictl logs <container-id>' retrieves the logs of a container. Option C lists pods, option D lists all containers, and option B executes a command in a container.

421
MCQmedium

An audit policy is configured with level: Request. Which operations are recorded in the audit log?

A.Nothing, only the fact that a request occurred
B.Request metadata and the request body
C.Request and response metadata and bodies
D.Only metadata about the request
AnswerB

Request level includes metadata and request body.

Why this answer

Request level logs only the request metadata and request object, not the response.

422
MCQeasy

Which kubectl command creates a valid webhook configuration that validates pods against a policy?

A.kubectl apply -f webhookconfiguration.yaml
B.kubectl apply -f podpreset.yaml
C.kubectl apply -f mutatingwebhookconfiguration.yaml
D.kubectl apply -f validatingwebhookconfiguration.yaml
AnswerD

ValidatingWebhookConfiguration is the correct resource for validation webhooks.

Why this answer

ValidatingWebhookConfiguration is the correct resource for admission webhooks that validate requests. PodPreset is deprecated, and other options are not valid resources.

423
Multi-Selecthard

Which TWO of the following admission controllers are relevant for supply chain security in Kubernetes?

Select 2 answers
A.MutatingAdmissionWebhook (for sidecar injection)
B.ImagePolicyWebhook
C.AlwaysPullImages
D.NodeRestriction
E.ValidatingAdmissionWebhook (used by Kyverno/Gatekeeper)
AnswersB, E

Validates image requests against a policy.

Why this answer

ImagePolicyWebhook validates images, and NodeRestriction is not supply-chain related. AlwaysPullImages ensures image pull always happens but does not enforce security policies.

424
MCQmedium

What is the effect of setting 'hostPID: true' in a pod's spec?

A.The container runs with the host's IPC namespace.
B.The container can access the host's network interfaces.
C.The container can mount the host's filesystem.
D.The container runs in the host's PID namespace.
AnswerD

Correct. The container shares the host's process namespace.

Why this answer

Setting 'hostPID: true' in a pod's spec allows the container to share the host node's PID namespace, meaning the container can see and interact with all processes running on the host, not just those within its own PID namespace. This is a privileged-level setting that bypasses the default process isolation provided by Kubernetes and Linux namespaces.

Exam trap

CNCF often tests the distinction between the three host namespace settings (hostPID, hostIPC, hostNetwork) and candidates frequently confuse 'hostPID' with 'hostNetwork' or 'hostIPC' due to similar naming patterns.

How to eliminate wrong answers

Option A is wrong because 'hostPID: true' controls the PID namespace, not the IPC namespace; to share the host's IPC namespace, you would set 'hostIPC: true'. Option B is wrong because accessing the host's network interfaces is achieved by setting 'hostNetwork: true', not 'hostPID: true'. Option C is wrong because mounting the host's filesystem is not directly controlled by 'hostPID'; that requires a hostPath volume mount or privileged container settings.

425
MCQhard

A pod is configured with a custom seccomp profile stored at /var/lib/kubelet/seccomp/custom-profile.json. The pod manifest uses securityContext.seccompProfile with type: Localhost and localhostProfile: "custom-profile.json". The pod fails to start with an error 'seccomp profile not found'. What is the most likely cause?

A.The securityContext.seccompProfile.defaultRuntimeProfile field must be set to 'custom-profile.json'.
B.The seccomp profile should be defined in the pod's annotations, not securityContext.
C.The custom-profile.json file is not present on the node filesystem.
D.The localhostProfile field must be an absolute path.
AnswerC

The seccomp profile must be present on the node at the specified path. If it's missing, the pod cannot start.

Why this answer

Option C is correct because the error 'seccomp profile not found' indicates that the Kubernetes kubelet cannot locate the specified profile file on the node's filesystem. When using `type: Localhost`, the `localhostProfile` value is resolved relative to the kubelet's seccomp profile root directory (default `/var/lib/kubelet/seccomp`). If the file `custom-profile.json` does not exist at that path on the node, the pod will fail to start.

Exam trap

CNCF often tests the misconception that `localhostProfile` requires an absolute path, but in reality it is a relative path from the kubelet's seccomp directory, and the error 'not found' points to a missing file, not a path format issue.

How to eliminate wrong answers

Option A is wrong because `defaultRuntimeProfile` is not a valid field in `securityContext.seccompProfile`; the correct field is `type`, and `defaultRuntimeProfile` is a separate concept used in the kubelet's configuration or in the `RuntimeDefault` type. Option B is wrong because seccomp profiles can be defined either via pod annotations (deprecated in Kubernetes 1.19) or via `securityContext.seccompProfile` (the current stable API); the error is not due to using `securityContext` instead of annotations. Option D is wrong because `localhostProfile` does not require an absolute path; it is interpreted as a filename relative to the kubelet's seccomp profile directory (`/var/lib/kubelet/seccomp`), and an absolute path would be incorrect unless it points to a file outside that directory, which is not supported.

426
Multi-Selecthard

Which THREE of the following are required to configure encryption of secrets at rest in Kubernetes?

Select 3 answers
A.Specifying an encryption provider such as `aescbc` in the EncryptionConfiguration
B.An EncryptionConfiguration YAML file defining encryption providers and resources to encrypt
C.Running `kubectl get secrets --all-namespaces -o yaml | kubectl apply -f -` to rewrite existing secrets
D.Passing the `--encryption-provider-config` flag to the kube-apiserver
E.Modifying the etcd configuration to enable encryption at rest
AnswersA, B, D

The provider defines the encryption algorithm and keys.

Why this answer

Options A, B, and D are required. B: An EncryptionConfiguration YAML file is needed. D: The kube-apiserver must be started with the `--encryption-provider-config` flag pointing to that file.

A: The encryption provider must be specified (e.g., `aescbc`, `secretbox`). Option E is not required because the etcd cluster itself does not need modification for Kubernetes encryption; it just stores encrypted data. Option C is not required because rewriting secrets after encryption is optional; the encryption applies to new writes automatically.
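The write-time behaviour from question 409 and the EncryptionConfiguration pieces from question 426, as an added Python example that is not part of the question bank: it renders an aescbc configuration with a fresh key and, given raw etcd values, reports which Secrets are still stored in plaintext and need to be rewritten. The etcd keys and values are constructed samples.

```python
"""Spot-check of encryption at rest (added example, not from the question bank).
Values the kube-apiserver encrypted carry the prefix
`k8s:enc:<provider>:v1:<keyName>:` in etcd; a Secret written before encryption
was enabled keeps its plaintext encoding until it is rewritten."""
import base64
import os
import re

ENC_PREFIX = re.compile(rb"^k8s:enc:(aescbc|aesgcm|secretbox|kms):v[12]:([^:]+):")


def encryption_state(raw):
    """Return (provider, key_name) for an encrypted etcd value, else None."""
    m = ENC_PREFIX.match(raw)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def secrets_needing_rewrite(store):
    """Given {etcd_key: raw_value}, list Secret keys still stored in plaintext.
    These are the objects the rewrite in question 426 option C targets."""
    return sorted(k for k, v in store.items()
                  if k.startswith("/registry/secrets/") and encryption_state(v) is None)


def generate_key():
    """32 random bytes, base64-encoded, as the aescbc provider expects."""
    return base64.b64encode(os.urandom(32)).decode()


def new_encryption_config(key_b64, key_name="key1"):
    """Render an EncryptionConfiguration for Secrets using aescbc. `identity` is
    listed last so values written before encryption was enabled stay readable."""
    return (
        "apiVersion: apiserver.config.k8s.io/v1\n"
        "kind: EncryptionConfiguration\n"
        "resources:\n"
        "  - resources:\n"
        "      - secrets\n"
        "    providers:\n"
        "      - aescbc:\n"
        "          keys:\n"
        f"            - name: {key_name}\n"
        f"              secret: {key_b64}\n"
        "      - identity: {}\n"
    )


# Constructed stand-ins for `etcdctl get` output: a plaintext value is a protobuf
# object starting with the b"k8s\x00" magic, an encrypted one starts with the prefix.
SAMPLE_ETCD = {
    "/registry/secrets/default/old-db-creds": b"k8s\x00\n\x0c\n\x02v1\x12\x06Secret...",
    "/registry/secrets/default/new-api-key": b"k8s:enc:aescbc:v1:key1:\x8f\x2a\x11\xd3...",
    "/registry/configmaps/default/app-config": b"k8s\x00\n\x0f\n\x02v1\x12\tConfigMap...",
}

if __name__ == "__main__":
    print(new_encryption_config(generate_key()))
    print("still plaintext:", secrets_needing_rewrite(SAMPLE_ETCD))
```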

427
MCQmedium

A security policy requires that all ServiceAccounts in a namespace do not automatically mount their tokens. How can this be achieved at the namespace level?

A.Set automountServiceAccountToken: false in each pod spec
B.Use a PodSecurityPolicy to deny token mounting
C.Set automountServiceAccountToken: false in the ServiceAccount definition
D.Delete the default ServiceAccount
AnswerC

This applies to all pods using that ServiceAccount.

Why this answer

Setting `automountServiceAccountToken: false` in the ServiceAccount definition applies the setting to all pods that use that ServiceAccount, effectively enforcing the policy at the namespace level when the default or all ServiceAccounts are configured this way. This is the correct approach because the ServiceAccount's `automountServiceAccountToken` field controls token mounting for pods referencing it, overriding any pod-level setting unless explicitly set in the pod spec.

Exam trap

CNCF often tests the distinction between namespace-level and pod-level controls, and the trap here is that candidates mistakenly think PodSecurityPolicy can control token mounting or that deleting the default ServiceAccount is a viable solution, when in fact the ServiceAccount's `automountServiceAccountToken` field is the intended namespace-wide mechanism.

How to eliminate wrong answers

Option A is wrong because setting `automountServiceAccountToken: false` in each pod spec is a per-pod solution, not a namespace-level enforcement; it requires manual configuration for every pod and does not scale or guarantee compliance across the namespace. Option B is wrong because PodSecurityPolicy (PSP) does not have a field to control ServiceAccount token mounting; PSP controls pod security contexts, volumes, and capabilities, but token mounting is governed by the ServiceAccount or pod spec, not PSP. Option D is wrong because deleting the default ServiceAccount does not prevent token mounting; Kubernetes will still create a new default ServiceAccount automatically, and pods without an explicit ServiceAccount will use the new default, which still mounts tokens by default.

428
MCQeasy

Which command creates a ResourceQuota in the 'team-a' namespace?

A.kubectl expose quota --namespace=team-a
B.kubectl apply -f quota.yaml --namespace=team-a
C.kubectl create quota team-a-quota --namespace=team-a
D.kubectl run quota --namespace=team-a --image=quota
AnswerC

The 'kubectl create quota' command creates a ResourceQuota object in the specified namespace.

Why this answer

kubectl create quota is the imperative command to create a ResourceQuota. It requires a name and optionally the --namespace flag.

429
Matchingmedium

Match each Kubernetes API server flag to its security function.


Enables RBAC authorization

Comma-separated list of admission controllers to enable

Disables anonymous requests to the API server

Path to a CA file for verifying kubelet certificates

File containing PEM-encoded x509 RSA or ECDSA private or public keys for service account token signing

Why these pairings

These flags are essential for hardening the API server.

430
MCQmedium

You are configuring an Istio service mesh for mTLS between services. Which resource defines the TLS mode for traffic between services in a namespace?

A.PeerAuthentication
B.ServiceEntry
C.VirtualService
D.DestinationRule
AnswerA

Correct. PeerAuthentication specifies mTLS mode (STRICT, PERMISSIVE, etc.) for workloads.

Why this answer

PeerAuthentication defines the mTLS mode for workloads within a namespace.

431
MCQmedium

Which crictl command can you use to view the logs of a specific container?

A.crictl inspect <container-id>
B.crictl exec <container-id> cat /var/log/syslog
C.crictl ps
D.crictl logs <container-id>
AnswerD

Correct. crictl logs retrieves the logs of the specified container.

Why this answer

crictl logs is the equivalent of 'kubectl logs' but uses the container ID. It outputs the container's stdout/stderr.

432
MCQhard

A pod is failing with 'CrashLoopBackOff'. The pod's securityContext includes 'allowPrivilegeEscalation: false'. The container image is built with a default user of root and attempts to change capabilities. What is the most likely cause of the crash?

A.The container is trying to write to a read-only filesystem
B.The container is trying to set capabilities using setcap
C.The container is missing the NET_ADMIN capability
D.The container is trying to bind to a privileged port (<1024) as non-root
AnswerB

Setting capabilities requires privilege escalation, which is disabled. This will cause the operation to fail and the container to crash.

Why this answer

Option B is correct. With allowPrivilegeEscalation: false, the container cannot gain additional privileges beyond its initial capabilities. If the container tries to set capabilities (e.g., via setcap), it will fail and crash.

Options A and C are possible but less likely given the symptom. Option D is unrelated.

433
Multi-Selecthard

Which THREE of the following are valid approaches to prevent containers from running as root in a Kubernetes cluster?

Select 3 answers
A.Use Pod Security Admission with the 'restricted' profile
B.Set the container's entrypoint to 'sudo'
C.Use OPA/Gatekeeper with a constraint that requires runAsNonRoot: true
D.Use a Seccomp profile that blocks root system calls
E.Use Kyverno with a policy that validates runAsNonRoot
AnswersA, C, E

The restricted profile enforces must-run-as-non-root.

Why this answer

Pod Security Admission (PSA), OPA/Gatekeeper, and Kyverno are all valid tools to enforce security policies. Seccomp profiles restrict system calls but do not prevent running as root.

434
MCQmedium

You need to use gVisor as a container runtime for a set of workloads in the cluster. Which Kubernetes resource must be created to reference the runtime class?

A.Create a RuntimeClass resource with handler: runsc
B.Set the kubelet runtime flag --runtime-class=gvisor
C.Install a CRD for gVisor
D.Create a Pod with spec.runtimeClassName set to "gvisor"
AnswerA

The RuntimeClass defines the runtime handler (e.g., runsc) that corresponds to gVisor.

Why this answer

A RuntimeClass resource defines a runtime handler (e.g., runsc) and is referenced in a pod's spec.runtimeClassName to select that runtime.

435
MCQhard

A user creates a Deployment with image 'alpine:3.18' and the Pod status is 'ErrImagePull'. The admin checks the image policy and sees that only images with SHA digests are allowed. What is the fix?

A.Enable the AlwaysPullImages admission controller
B.Change the image to 'alpine:latest'
C.Add a non-root user to the Dockerfile
D.Change the image to 'alpine@sha256:...'
AnswerD

Using a SHA digest satisfies the policy requirement for immutable references.

Why this answer

Using a SHA digest ensures immutability and is often required by security policies. Updating the image reference to use the SHA digest allows the image to pass policy.

436
Multi-Selecthard

Which THREE of the following are valid methods to enforce pod security standards in a Kubernetes cluster?

Select 3 answers
A.Use Kyverno policy engine
B.Run kube-bench on the cluster
C.Manual review of all pod specs
D.Use Open Policy Agent (OPA) with Gatekeeper
E.Enable PodSecurity admission plugin
AnswersA, D, E

Another admission controller.

Why this answer

Kyverno is a Kubernetes-native policy engine that can enforce pod security standards by validating, mutating, and generating resources based on policies written as Kubernetes custom resources. It integrates with the Kubernetes API server via dynamic admission webhooks, allowing it to reject non-compliant pod specs before they are persisted.

Exam trap

CNCF often tests the distinction between auditing tools (like kube-bench) and admission controllers that enforce policies at runtime, leading candidates to mistakenly select kube-bench as an enforcement method.

437
MCQeasy

Refer to the exhibit. A security engineer sees that podPidsLimit is set to -1. What security concern does this raise?

A.It sets a hard limit of 1 PID per pod, which may break workloads
B.It limits each container to 1000 PIDs
C.It disables PID limiting, allowing a single pod to consume all PIDs on the node, risking a fork bomb
D.It enforces a default PID limit of 100 per pod
AnswerC

-1 disables the limit, so a pod can exhaust node PIDs.

Why this answer

Setting `podPidsLimit` to `-1` in Kubernetes disables PID limiting for pods, meaning a single pod can create an unlimited number of processes. This poses a security risk because a compromised or malicious pod could launch a fork bomb, exhausting all available PIDs on the node and causing a denial of service (DoS) for other workloads. The correct answer is C.

Exam trap

The trap here is that candidates often assume `-1` means 'no limit' is safe or that it enforces a default, but CNCF tests the specific security implication of disabling PID limiting, which is the risk of a fork bomb and node-wide DoS.

How to eliminate wrong answers

Option A is wrong because `-1` does not set a hard limit of 1 PID; it disables the limit entirely, and a value of 1 would be impractical and not the default behavior. Option B is wrong because `-1` does not limit each container to 1000 PIDs; that would correspond to a positive integer value, not `-1`. Option D is wrong because `-1` does not enforce a default PID limit of 100 per pod; it explicitly removes any limit, and the default in Kubernetes is typically 100 (set via `--pod-max-pids` in kubelet), but `-1` overrides that.

438
MCQhard

A cluster uses Kyverno to enforce that all images come from a trusted registry. A new Deployment fails with a message that the image 'docker.io/library/nginx:latest' is not allowed. What Kyverno policy rule likely caused this?

A.A validate rule that checks the container's resource limits
B.A validate rule that checks the image registry
C.A generate rule that creates a ConfigMap
D.A mutating rule that adds a label to the pod
AnswerB

A validate rule with a pattern or deny condition can block images from unauthorized registries.

Why this answer

A Kyverno rule that validates image registries would deny images from registries not in the allowed list. Option B is correct.

439
MCQmedium

A developer wants to ensure that a pod can only receive traffic from pods with label 'app: frontend' in the same namespace. Which NetworkPolicy egress rule should be applied to the source pods?

A.Apply an egress rule on the target pod with 'to' podSelector matching 'app: frontend'
B.Apply an egress rule on the source pods with 'to' podSelector matching the target pod
C.Apply an ingress rule on the source pods with 'from' podSelector matching the target pod
D.Apply an ingress rule on the target pod with 'from' podSelector matching 'app: frontend'
AnswerD

Correct. Ingress rules on the target pod control which sources can send traffic to it.

Why this answer

This scenario requires allowing ingress to the target pod from sources with label 'app: frontend'. A NetworkPolicy with podSelector matching the target and an ingress rule from pods with label 'app: frontend' in the same namespace would work, even though the question mentions an egress rule on the source pods.

Typically, you apply an ingress rule on the target. Option D is correct: an ingress rule on the target pod with a 'from' selector for 'app: frontend'.

440
Multi-Selectmedium

Which TWO of the following are recommended practices for securing container images and runtime?

Select 2 answers
A.Set runAsNonRoot to true in securityContext
B.Run containers as root inside the container for easier management
C.Set readOnlyRootFilesystem to true in securityContext
D.Mount the docker socket inside the container for debugging
E.Use the latest tag for all images
AnswersA, C

Ensures the container runs as a non-root user.

Why this answer

Running as non-root and using a read-only root filesystem are key security best practices. Scanning for vulnerabilities is also important but not listed as an option here. The correct answers are A and C.

441
Multi-Selectmedium

Which TWO of the following are valid ways to reduce the attack surface of a container? (Select TWO)

Select 2 answers
A.Drop all capabilities with capabilities.drop: ["ALL"]
B.Add the SYS_ADMIN capability
C.Set readOnlyRootFilesystem: true
D.Set runAsUser: 0
E.Set privileged: false
AnswersA, C

Removes all capabilities, minimizing privilege.

Why this answer

Options A and C are correct. Dropping all capabilities removes unnecessary privileges. Setting readOnlyRootFilesystem prevents writes to the root filesystem.

Option B increases the attack surface. Option D runs the container as root. Option E is the default value and does not reduce the attack surface further; the field that enforces a non-root user is 'runAsNonRoot'.
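The securityContext controls that questions 406, 417, 419, 424, 440 and 441 test, combined into one client-side check over a parsed Pod manifest. This is an added Python example, not part of the question bank; the capability allow-list and the two sample manifests are assumptions, and a ValidatingAdmissionPolicy or Kyverno rule would enforce the same checks in the API server.

```python
"""Pod-spec hardening linter (added example, not from the question bank)."""
import re

# Assumption: site-specific allow-list of capabilities that may be added back
# after `drop: ["ALL"]`; NET_BIND_SERVICE is the one the questions use.
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}

# Image must be pinned by digest, e.g. nginx@sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _containers(spec):
    """Yield every container of the pod: init, app and ephemeral."""
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            yield c


def check_pod(manifest):
    """Return a list of (severity, message) findings; an empty list means compliant."""
    findings = []
    spec = manifest.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}

    # Host namespaces (question 424): each removes a Linux namespace boundary.
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(("high", f"pod sets {ns}: true"))

    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}

        # Digest pinning (question 419): a tag can be re-pointed, a digest cannot.
        if not DIGEST_RE.search(c.get("image", "")):
            findings.append(("medium", f"{name}: image is not pinned by sha256 digest"))

        # allowPrivilegeEscalation (question 406) defaults to true, so it must be
        # set to false explicitly; privileged containers are flagged outright.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("high", f"{name}: allowPrivilegeEscalation is not false"))
        if sc.get("privileged"):
            findings.append(("high", f"{name}: privileged: true"))

        # Capabilities (questions 417, 441): drop ALL, add back only allow-listed ones.
        dropped = {x.upper() for x in caps.get("drop") or []}
        added = {x.upper() for x in caps.get("add") or []}
        if "ALL" not in dropped:
            findings.append(("medium", f"{name}: capabilities.drop does not include ALL"))
        for cap in sorted(added - ALLOWED_ADD_CAPS):
            findings.append(("high", f"{name}: adds disallowed capability {cap}"))

        # Non-root and read-only root filesystem (questions 440, 441). Container
        # fields override pod fields; runAsUser: 0 is flagged even next to
        # runAsNonRoot: true, since the kubelet refuses to start that container.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0 or not run_as_non_root:
            findings.append(("high", f"{name}: may run as root"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("medium", f"{name}: root filesystem is writable"))

    return findings


# Constructed sample manifests (as parsed from YAML), not real workloads.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "registry.example.com/web@sha256:" + "a" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "shell",
            "image": "docker.io/library/nginx:latest",
            "securityContext": {"runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (HARDENED_POD, WEAK_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "compliant")
```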

442
Multi-Selecthard

You are securing a Kubernetes cluster that runs workloads from multiple teams. The cluster uses a private container registry and an admission controller to enforce image policies. Which TWO of the following actions are most effective in preventing the use of unapproved or tampered container images? (Choose two correct answers.)

Select 2 answers
A.Use OPA Gatekeeper to enforce a policy that rejects pods using images with the 'latest' tag.
B.Configure imagePullSecrets for each namespace to ensure only authorized service accounts can pull images.
C.Deploy Kyverno with a policy that requires images to have a specific annotation indicating they passed a security scan.
D.Implement a NetworkPolicy that blocks egress traffic from the cluster to unauthorized container registries.
E.Set up an ImagePolicyWebhook admission controller that checks image signatures and only allows signed images from your registry.
AnswersC, E

Kyverno can enforce custom policies including image annotations that prove scanning.

Why this answer

Option C is correct because Kyverno can enforce a validate rule that rejects any pod lacking the annotation your pipeline sets after a successful scan, so only images that went through the pipeline are admitted. Option E is correct because an ImagePolicyWebhook (or an equivalent policy-engine rule) verifies the image signature at admission time, which ties approval to the image content itself: a tampered image no longer matches its signature and is rejected. Note that an annotation can be set by anyone allowed to create pods, so option C is only as strong as the RBAC around it; signature verification (option E) does not have that weakness.

Options B and D control who can reach a registry, not what is in the image: imagePullSecrets authenticate the pull, and a NetworkPolicy limits egress destinations, but neither prevents an approved registry from serving an unapproved or modified image. Option A blocks the mutable 'latest' tag, which is good hygiene but says nothing about whether a pinned image was approved.

Exam trap

CNCF often tests the distinction between authentication/authorization and image integrity verification, where candidates mistakenly choose options that control access to registries (like imagePullSecrets or NetworkPolicy) instead of options that validate image content or approval status.
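The two approved-image controls above, expressed as a single Kyverno ClusterPolicy. This is an added example, not part of the original question set or Kyverno's own samples: the registry name `registry.example.com`, the annotation key `security-scan`, and the policy name are assumptions, and the public key is a placeholder for the cosign public key your pipeline signs with. The third rule goes beyond the question by pinning pods to the private registry, since a signature rule scoped to one registry says nothing about images pulled from elsewhere.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: approved-images-only      # assumed name
spec:
  validationFailureAction: Enforce  # reject non-compliant pods rather than only audit them
  background: false                 # evaluate at admission time only
  webhookTimeoutSeconds: 30         # signature lookups contact the registry
  rules:
    # Option C: the scanning pipeline stamps pods it has cleared with an annotation.
    # Only as strong as RBAC on who may create pods with this annotation.
    - name: require-scan-annotation
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Pods must carry the security-scan annotation set by the scanning pipeline."
        pattern:
          metadata:
            annotations:
              security-scan: "passed"     # assumed annotation key/value
    # Option E, done with Kyverno rather than a separate ImagePolicyWebhook:
    # images from the private registry must carry a valid cosign signature.
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"    # assumed registry
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <placeholder: paste the cosign.pub used to sign your images>
                      -----END PUBLIC KEY-----
    # Close the gap: images outside the private registry never reach the signature check,
    # so refuse them outright (covers init containers as well).
    - name: restrict-registry
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Only images from registry.example.com are allowed."
        pattern:
          spec:
            =(initContainers):
              - image: "registry.example.com/*"
            containers:
              - image: "registry.example.com/*"
```

By default Kyverno's verifyImages rule also rewrites each matched image reference to its digest on admission, so the pod that runs is the exact content that was signed, not whatever the tag points to later.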

443
Multi-Selecthard

Which THREE of the following are recommended incident response steps when a container is compromised?

Select 3 answers
A.Ignore the incident and monitor for further activity
B.Copy the container's filesystem using kubectl cp for offline analysis
C.Capture the container logs using kubectl logs
D.Apply a NetworkPolicy to isolate the pod
E.Immediately terminate the pod to contain the threat
AnswersB, C, D

Correct. This preserves evidence without altering the running container.

Why this answer

Isolating the pod via NetworkPolicy, preserving evidence by copying the filesystem, and capturing logs are the key steps, in that order of urgency: cut the attacker's communication first, then collect before anything changes. Terminating the pod immediately destroys volatile evidence (running processes, open connections, memory, the writable layer), and ignoring the incident is not an option. Two caveats for the evidence step: `kubectl cp` depends on `tar` inside the container, which an attacker may have tampered with, so corroborate with a node-level copy of the container's writable layer where possible; and `kubectl logs` only returns what the container wrote to stdout/stderr and is lost when the pod is deleted, so capture it before any cleanup.

444
MCQeasy

You need to configure the Kubernetes API server to log all requests at the Metadata level. Which flag should you use when starting kube-apiserver?

A.--audit-log-level=Metadata
B.--audit-policy-file=/etc/kubernetes/audit-policy.yaml
C.--audit-webhook-mode=Metadata
D.--audit-log-path=/var/log/audit.log
AnswerB

Why this answer

The --audit-policy-file flag points to a YAML Policy object whose rules set the audit level (None, Metadata, Request or RequestResponse) per resource, user, verb or namespace. A catch-all rule of `- level: Metadata` logs every request at the Metadata level. Option B is correct. The policy file must be paired with a backend such as --audit-log-path, otherwise the events are generated but written nowhere.

Option A is not a kube-apiserver flag. Option C is the wrong kind of setting: --audit-webhook-mode selects how events are delivered to the webhook backend (batch or blocking), not an audit level. Option D only chooses where the log backend writes; it does not define what gets logged or at which level.
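An audit policy that logs everything at Metadata, with the exceptions a practitioner usually wants, followed by the kube-apiserver arguments that make it take effect. This is an added example rather than a file from the original question set; the file path, the log path and the specific rules are assumptions. Rules are matched in order and the first match wins, which is why the catch-all sits last.

```yaml
# /etc/kubernetes/audit-policy.yaml  (assumed path)
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived              # one event per request instead of two
rules:
  # Never raise these above Metadata: Request/RequestResponse would copy secret values into the log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # RBAC changes are rare and high value, so keep the full request and response bodies.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  # Drop the control plane's own watch noise.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Catch-all: everything else at Metadata (user, verb, resource, timestamp; no bodies).
  - level: Metadata

# Matching kube-apiserver arguments (static pod excerpt; the policy file alone writes nothing,
# a backend flag such as --audit-log-path is required):
#   - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   - --audit-log-path=/var/log/kubernetes/audit/audit.log
#   - --audit-log-maxage=30
#   - --audit-log-maxbackup=10
#   - --audit-log-maxsize=100
# plus hostPath volumes so the static pod can read the policy file and write the log directory.
```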

445
MCQeasy

Which of the following is a valid way to check the status of AppArmor profiles on a node?

A.Use 'apparmor_parser --status'
B.Run 'kubectl get apparmorprofiles'
C.Read the file /sys/kernel/security/apparmor/profiles
D.Run 'aa-status' on the node
AnswerD

aa-status displays the current AppArmor profile status.

Why this answer

The 'aa-status' command shows which AppArmor profiles are loaded, whether each is in enforce or complain mode, and which processes are confined by them. Option D is correct. 'apparmor_parser' loads, replaces and removes profiles and has no '--status' option (option A). Kubernetes has no AppArmorProfile resource: profiles are loaded on the node, not through the API, so option B fails. Option C is the kernel interface that aa-status itself reads, so it does list loaded profiles, but it is not the standard tool and gives no per-process view.

446
MCQhard

During a security incident, you need to isolate a compromised pod named 'malicious-pod' in namespace 'default' to prevent it from communicating with other pods. Which command should you run?

A.kubectl run networkpolicy --image=nginx --restart=Never
B.kubectl delete pod malicious-pod
C.kubectl apply -f networkpolicy.yaml
D.kubectl create networkpolicy isolate --pod-selector=app=malicious --policy-types=Ingress,Egress
AnswerC

Correct. You must write a NetworkPolicy YAML that selects the malicious pod and denies all traffic, then apply it.

Why this answer

Pod isolation is achieved by applying a NetworkPolicy that selects the compromised pod and denies all ingress and egress traffic; 'kubectl apply -f networkpolicy.yaml' applies that policy. Two practical points: a NetworkPolicy selects pods by label, not by name, so label the pod first (for example with a dedicated quarantine label) and select on that label, so that no other pod is caught; and NetworkPolicy is only enforced by a CNI plugin that implements it, so on a cluster whose network plugin ignores NetworkPolicy the object is accepted but has no effect. Option B destroys evidence, option A creates an unrelated pod, and option D is not a kubectl command (there is no 'kubectl create networkpolicy').
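The quarantine policy referred to in questions 443 and 446, as an added example that is not part of the original question set. The policy name and the `quarantine` label are assumptions; the pod name and namespace are the ones from question 446.

```yaml
# Step 1 (run first; NetworkPolicy selects on labels, not names):
#   kubectl -n default label pod malicious-pod quarantine=true
# Step 2: apply this file. An empty ingress/egress rule set with both policyTypes listed
# means "deny everything", including DNS, which is intended during containment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-malicious-pod      # assumed name
  namespace: default
spec:
  podSelector:
    matchLabels:
      quarantine: "true"              # assumed label; only the labelled pod is affected
  policyTypes:
    - Ingress
    - Egress
  # no ingress: or egress: rules -> nothing is allowed in either direction
```

Verify the selector before trusting the isolation: `kubectl -n default describe networkpolicy quarantine-malicious-pod` should list the pod under the selector, and a `kubectl exec` into the pod attempting to reach any service should now time out. Evidence collection (`kubectl logs`, `kubectl cp`) still works because it goes through the API server and kubelet, not the pod network.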

447
Multi-Selecteasy

Which TWO of the following flags are used to secure the kubelet?

Select 2 answers
A.--protect-kernel-defaults
B.--anonymous-auth=false
C.--enable-admission-plugins
D.--audit-log-path
E.--authorization-mode=RBAC
AnswersA, B

Correct. --protect-kernel-defaults makes the kubelet refuse to start on a node whose kernel tunables are not already at the values it expects, and --anonymous-auth=false closes the kubelet API to unauthenticated callers.

Why this answer

The `--protect-kernel-defaults` flag hardens the kubelet by ensuring that kernel tunable parameters (for example `vm.overcommit_memory`, `kernel.panic`, `kernel.panic_on_oops`) are already set to the values it expects; if they are not, the kubelet fails to start instead of silently changing them, so an insecure or unexpected node configuration is surfaced rather than papered over. This is CIS Kubernetes Benchmark control 4.2.6. The `--anonymous-auth=false` flag is the second correct answer: by default the kubelet API on port 10250 accepts requests without credentials as the `system:anonymous` user, and with a permissive authorizer that exposes pod exec, logs and container metrics to anyone who can reach the port. Disabling anonymous auth should be paired with `--authorization-mode=Webhook` and `--client-ca-file` so that the API server's identity is the only one the kubelet accepts. Both settings are now normally expressed in the KubeletConfiguration file (`protectKernelDefaults`, `authentication.anonymous.enabled`) rather than as command-line flags.

Exam trap

CNCF often tests the distinction between kubelet flags and API server flags. The trap here is that `--audit-log-path` and `--enable-admission-plugins` are kube-apiserver parameters, and `--authorization-mode=RBAC` is an API server value: the kubelet does have an `--authorization-mode` flag, but it only accepts `AlwaysAllow` or `Webhook`, so `RBAC` is not a kubelet setting at all.
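The kubelet settings from this question in their current form, as a KubeletConfiguration file rather than command-line flags. This is an added example, not a file from the original question set; the certificate paths follow the kubeadm layout and are assumptions, and the sysctl values in the comment are the ones the kubelet checks when protectKernelDefaults is on.

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Equivalent of --protect-kernel-defaults=true. The kubelet then refuses to start unless the node
# already has (set them with sysctl before starting the kubelet):
#   vm.overcommit_memory=1  vm.panic_on_oom=0  kernel.panic=10  kernel.panic_on_oops=1
protectKernelDefaults: true
# Equivalent of --read-only-port=0: the unauthenticated metrics/status port stays closed.
readOnlyPort: 0
authentication:
  anonymous:
    enabled: false            # equivalent of --anonymous-auth=false
  webhook:
    enabled: true             # delegate token review to the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path; --client-ca-file
authorization:
  mode: Webhook               # kubelet accepts AlwaysAllow or Webhook, never RBAC
# Serve the kubelet API with a CA-signed certificate instead of a self-signed one,
# and keep rotating it, so the API server can verify the kubelet it talks to.
serverTLSBootstrap: true
rotateCertificates: true
```

After restarting the kubelet, `curl -sk https://<node>:10250/pods` from another host should return a 401 instead of the pod list, and `ss -lnt` should show nothing listening on 10255.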

448
MCQmedium

A security admin wants to ensure all pods in a cluster drop ALL Linux capabilities. Which of the following YAML snippets should be added to a PodSecurityPolicy (assuming PSP is enabled) or a pod spec?

A.capabilities: drop: "ALL"
B.capabilities: drop: - "NET_RAW"
C.capabilities: add: ["ALL"]
D.capabilities: drop: ["ALL"]
AnswerD

This drops all capabilities, which is a security best practice.

Why this answer

Option D is correct. `capabilities.drop: ["ALL"]` drops every capability; the field is a list of capability names, and "ALL" is the special value that means all of them. Option A uses a bare string where the API expects a list, so the manifest is rejected by validation. Option B drops only NET_RAW, which is the single capability the Baseline Pod Security Standard calls out, not all of them. Option C is the opposite: it adds every capability.

Two caveats: in a pod spec the field lives under `securityContext.capabilities.drop` on each container, while a PodSecurityPolicy expressed the same requirement as `spec.requiredDropCapabilities: ["ALL"]`; and PodSecurityPolicy was removed in Kubernetes 1.25, so on a current cluster the cluster-wide enforcement is done with Pod Security Admission (the Restricted level requires dropping ALL) or an admission policy engine.
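A pod spec that applies the settings from questions 441 and 448 together, as an added example that is not part of the original question set. The pod name, image, UID and volume name are assumptions; the securityContext fields are the real Pod API fields, and the combination satisfies the Restricted Pod Security Standard.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app                   # assumed name
spec:
  securityContext:
    runAsNonRoot: true                 # kubelet refuses to start a container whose image runs as UID 0
    runAsUser: 10001                   # assumed UID; explicit so runAsNonRoot can be verified
    seccompProfile:
      type: RuntimeDefault             # the container runtime's default syscall filter
  containers:
    - name: app
      image: registry.example.com/team/app:1.4.2   # assumed; pin by digest in production
      securityContext:
        allowPrivilegeEscalation: false   # no setuid gain; Restricted requires this
        privileged: false                 # the default, spelled out so reviewers can see it
        readOnlyRootFilesystem: true      # question 441: the image's root filesystem is immutable
        capabilities:
          drop: ["ALL"]                   # question 448: a list, not the string "ALL"
          # add: ["NET_BIND_SERVICE"]     # add back only what the process proves it needs
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # scratch space stays writable via an emptyDir
  volumes:
    - name: tmp
      emptyDir: {}
```

With `readOnlyRootFilesystem: true`, anything the application must write (temp files, caches, PID files) needs an explicit writable mount like the emptyDir above; a crash-looping container after enabling the setting is usually a sign of a missed path, not a reason to switch it back off.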

449
MCQmedium

You have an existing deployment that uses environment variables for secrets. Which kubectl command can be used to update the deployment to mount secrets as volumes without recreating the pods?

A.kubectl patch deployment <deploy> -p '{"spec":{"template":{"spec":{"containers":[{"name":"app","volumeMounts":[{"name":"secret","mountPath":"/etc/secret"}]}],"volumes":[{"name":"secret","secret":{"secretName":"mysecret"}}]}}}}'
B.kubectl set env deployment <deploy> --from=secret/mysecret
C.kubectl edit deployment <deploy>
D.kubectl set volume deployment/<deploy> --add --name=secret --mount-path=/etc/secret --secret-name=mysecret
AnswerA

Correct. A strategic merge patch adds the volume and the volumeMount to the pod template in one step; containers are merged by name, so the existing fields of the 'app' container are kept.

Why this answer

Option A is correct. 'kubectl patch' with a strategic merge patch is the scriptable way to add a volume and its mount to an existing Deployment. Option B ('kubectl set env ... --from=secret/mysecret') is a real command, but it injects the secret as environment variables, which is exactly the pattern the question wants to move away from. Option C works but is interactive and not repeatable. Option D is not an upstream kubectl command: 'kubectl set' only offers env, image, resources, selector, serviceaccount and subject; 'set volume' exists only in the OpenShift 'oc' client.

Note that the question's premise is flawed: any change to the pod template, whether made with patch, set or edit, changes the template hash and triggers a rolling update, so the pods are replaced. The rollout is gradual rather than disruptive, but there is no way to mount a new volume into an already running pod without recreating it.

450
MCQhard

An administrator wants to prevent containers from using hostNetwork, hostPID, and hostIPC. Which Pod Security Standard level enforces these restrictions?

A.None; you must manually configure admission webhooks
B.Privileged
C.Restricted
D.Baseline
AnswerD

Baseline already prohibits hostNetwork, hostPID and hostIPC; Restricted inherits that restriction.

Why this answer

The Baseline Pod Security Standard disallows sharing host namespaces: spec.hostNetwork, spec.hostPID and spec.hostIPC must be unset or false. Baseline also blocks privileged containers, Windows HostProcess pods, hostPath volumes, host ports and capabilities beyond a small default set, which is why it is the minimum level for any namespace that does not need node-level access. Restricted builds on Baseline, so it rejects these pods too, but it is not the level that introduces the restriction, and it adds requirements the question does not ask for (runAsNonRoot, dropping ALL capabilities, a seccomp profile, no privilege escalation). Privileged allows everything. Option A is wrong because the Pod Security Admission controller has shipped in-tree since Kubernetes 1.25 and enforces these standards through namespace labels; no custom webhook is needed.
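How the level is applied in practice, as an added example that is not part of the original question set: Pod Security Admission is configured with namespace labels, one per mode. The namespace name is an assumption. The example goes slightly beyond the question by enforcing Baseline while warning and auditing at Restricted, which is the usual way to find out what would break before tightening further.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                                        # assumed name
  labels:
    # enforce: a pod with hostNetwork, hostPID or hostIPC set to true is rejected at admission.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # warn: kubectl prints a warning for pods that would fail Restricted, but admits them.
    pod-security.kubernetes.io/warn: restricted
    # audit: the same violations are recorded as annotations on the audit event.
    pod-security.kubernetes.io/audit: restricted
# With these labels, creating a pod that has "hostPID: true" in team-a fails with a message
# of the form:
#   pods "<name>" is forbidden: violates PodSecurity "baseline:latest": host namespaces (hostPID=true)
```

To check an existing namespace before flipping enforce, run `kubectl label --dry-run=server --overwrite ns team-a pod-security.kubernetes.io/enforce=restricted`; the server evaluates every pod in the namespace against the proposed level and prints the violations without changing anything.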
