Certified Kubernetes Security Specialist CKS (CKS) — Questions 451525

997 questions total · 14pages · All types, answers revealed

Page 6

Page 7 of 14

Page 8
451
MCQmedium

A pod is running in a namespace that has a Kyverno policy requiring all images to come from a trusted registry. The pod is using an image from an untrusted registry. What will happen when the pod is created?

A.The pod will be created but immediately terminated
B.The pod creation will be rejected with an admission error
C.The pod will be created and run successfully
D.The pod will be created but the image will be replaced with a trusted one
AnswerB

Kyverno acts as an admission webhook and denies the request if the policy is violated.

Why this answer

Kyverno policies are enforced as admission webhooks. If the policy denies the pod, the creation is rejected. The pod will not be created, and an error message is returned to the user.

452
MCQmedium

A security auditor runs kube-bench and reports that the kubelet is not configured with --protect-kernel-defaults. What is the impact of this misconfiguration?

A.Container runtime will not be able to pull images
B.The node will be unable to schedule pods
C.The kubelet will refuse to start
D.Kernel parameters may be modified, potentially reducing node security
AnswerD

Without --protect-kernel-defaults, kubelet does not enforce recommended kernel security settings.

Why this answer

The `--protect-kernel-defaults` flag ensures that the kubelet enforces kernel parameter hardening, preventing modifications that could weaken node security. Without it, a compromised or misconfigured pod could alter kernel settings (e.g., `net.ipv4.ip_forward`, `vm.overcommit_memory`), reducing the overall security posture of the node. This does not affect image pulling, pod scheduling, or kubelet startup.

Exam trap

The trap here is that candidates assume a missing security flag will cause an immediate failure (like kubelet not starting), when in reality the kubelet runs but the node becomes vulnerable to kernel parameter tampering.

How to eliminate wrong answers

Option A is wrong because the container runtime's ability to pull images depends on network connectivity and registry access, not on kernel parameter protection. Option B is wrong because pod scheduling is controlled by the scheduler and node conditions, not by the `--protect-kernel-defaults` flag; the node will still schedule pods. Option C is wrong because the kubelet will start without this flag; it only logs a warning or fails if the kernel parameters are not set correctly, but the flag itself does not prevent startup.

453
MCQmedium

An administrator wants to enforce that no container in a specific namespace runs with the privileged security context. They decide to use Pod Security Standards. Which Pod Security Standard level should be applied to the namespace?

A.baseline
B.custom
C.restricted
D.privileged
AnswerC

Restricted is the most restrictive level and prohibits privileged containers.

Why this answer

The restricted Pod Security Standard (PSS) level is the correct choice because it enforces the most stringent set of security controls, including the prohibition of privileged containers. This level denies any pod that requests `privileged: true` or uses other privileged capabilities, ensuring that no container in the namespace can run with elevated host access. The baseline level is less restrictive and allows some privileged configurations, while the privileged level imposes no restrictions at all.

Exam trap

The trap here is that candidates often confuse the 'baseline' level as being sufficient to block privileged containers, but baseline only prevents known privilege escalations and does not explicitly deny the `privileged: true` setting, which is only enforced by the restricted level.

How to eliminate wrong answers

Option A is wrong because the baseline level only blocks known privilege escalations but still allows some privileged settings (e.g., `privileged: true` is not explicitly denied by baseline). Option B is wrong because 'custom' is not a standard Pod Security Standard level; PSS defines only three built-in levels: privileged, baseline, and restricted. Option D is wrong because the privileged level explicitly permits all containers to run with privileged security contexts, which is the opposite of the enforcement goal.

454
MCQeasy

Which admission plugin should be used to enforce Pod Security Standards at the namespace level?

A.PodSecurity
B.PodSecurityPolicy
C.NodeRestriction
D.SecurityContextDeny
AnswerA

This plugin enforces Pod Security Standards.

Why this answer

Option A is correct because the PodSecurity admission plugin is the successor to PodSecurityPolicy (PSP) and is designed specifically to enforce Pod Security Standards (PSS) at the namespace level. It evaluates pods against the three predefined PSS levels (privileged, baseline, restricted) based on labels set on the namespace, and can be configured in warn, audit, or enforce mode. This plugin is built into the kube-apiserver and is the recommended approach for pod security in Kubernetes v1.25 and later.

Exam trap

CNCF often tests the fact that PodSecurityPolicy is deprecated and removed, so candidates who studied older material may mistakenly choose PodSecurityPolicy, not realizing it has been replaced by the PodSecurity admission plugin.

How to eliminate wrong answers

Option B is wrong because PodSecurityPolicy (PSP) was deprecated in Kubernetes v1.21 and removed in v1.25, and it enforces security policies cluster-wide via a CRD, not at the namespace level using Pod Security Standards. Option C is wrong because NodeRestriction is an admission plugin that limits the Node API objects a kubelet can modify, and has nothing to do with pod security standards. Option D is wrong because SecurityContextDeny is an older admission plugin that rejects pods with certain security context settings, but it does not enforce the namespace-scoped Pod Security Standards and is not the recommended replacement for PSP.

455
MCQeasy

Which of the following is the best practice for injecting secrets into a pod?

A.Storing secrets in container image layers
B.Using environment variables
C.Using ConfigMap for secrets
D.Injecting via volume mounts
AnswerD

Secrets as files in a volume are more secure; they are not visible in env dump.

Why this answer

Option B is correct. Mounting secrets as volumes is the recommended approach because it avoids exposing secrets in environment variables that may be visible in logs or process listings. Option A is less secure.

Option C is insecure. Option D is not a valid method.

456
MCQmedium

An administrator wants to prevent the kubelet from serving anonymous requests. Which flag should be set on the kubelet?

A.--client-ca-file=/etc/kubernetes/pki/ca.crt
B.--authorization-mode=Webhook
C.--anonymous-auth=false
D.--authentication-token-webhook=true
AnswerC

This disables anonymous authentication on the kubelet.

Why this answer

The `--anonymous-auth=false` flag explicitly disables anonymous authentication on the kubelet, preventing unauthenticated requests from being processed. By default, anonymous authentication is enabled (`--anonymous-auth=true`), which allows any unauthenticated user to make requests to the kubelet API. Setting this flag to `false` ensures that only authenticated clients can interact with the kubelet, directly addressing the requirement to block anonymous requests.

Exam trap

The trap here is that candidates often confuse authentication with authorization—they think setting a client CA file or enabling webhook authorization will block anonymous requests, but those controls only affect already-authenticated users or authorization decisions, not the initial authentication step where anonymous access is allowed by default.

How to eliminate wrong answers

Option A is wrong because `--client-ca-file` configures the certificate authority used to validate client certificates for mutual TLS authentication, but it does not disable anonymous authentication—anonymous requests are still allowed unless explicitly blocked. Option B is wrong because `--authorization-mode=Webhook` sets the authorization mode to delegate authorization decisions to an external webhook, but it does not affect authentication; anonymous users can still be authenticated and then authorized. Option D is wrong because `--authentication-token-webhook=true` enables token-based authentication via a webhook, but it does not disable anonymous authentication—anonymous requests remain permitted unless `--anonymous-auth` is set to `false`.

457
MCQeasy

Which kubectl command creates a secret named 'mysecret' from a file called 'credentials.json'?

A.kubectl create secret generic mysecret --from-file=credentials.json
B.kubectl apply -f credentials.json
C.kubectl create configmap mysecret --from-file=credentials.json
D.kubectl create secret tls mysecret --cert=credentials.json
AnswerA

The --from-file flag creates a secret from the contents of a file, using the filename as the key.

458
MCQeasy

A DevOps engineer notices that a container's stdout logs are not appearing in the `kubectl logs` output. The container runs a legacy application that writes logs to a file inside the container. What is the most efficient way to capture these logs without modifying the application?

A.Configure the kubelet to rotate logs from the container's filesystem.
B.Add a sidecar container that reads the log file and outputs to stdout.
C.Use `kubectl cp` to periodically copy logs from the container.
D.Install a syslog daemon in the container to forward logs.
AnswerB

The sidecar pattern streams file logs to stdout for kubectl logs.

Why this answer

Option B is correct because deploying a sidecar container that tails the log file and writes to its own stdout is the most efficient, Kubernetes-native pattern for capturing logs from applications that write to files. The sidecar container shares the same Pod and volume, reads the log file (e.g., using `tail -F`), and outputs to stdout, which is then collected by `kubectl logs` and the cluster-level logging pipeline. This approach requires no modification to the legacy application and leverages the existing container runtime and kubelet log collection.

Exam trap

CNCF often tests the sidecar logging pattern as the standard Kubernetes solution for capturing file-based logs, and the trap here is that candidates may incorrectly choose kubelet log rotation (Option A) thinking it applies to all container logs, when in fact it only applies to the container runtime's own stdout/stderr streams.

How to eliminate wrong answers

Option A is wrong because the kubelet handles log rotation only for container stdout/stderr streams, not for files written inside the container's filesystem; it cannot rotate arbitrary application log files. Option C is wrong because `kubectl cp` is a manual, non-scalable operation that requires external orchestration and does not provide real-time log streaming to `kubectl logs`. Option D is wrong because installing a syslog daemon inside the container would require modifying the container image or running additional processes, which contradicts the requirement of not modifying the application and adds unnecessary complexity.

459
MCQhard

A container runs as non-root and needs to perform operations that require CAP_SYS_PTRACE. Which YAML snippet correctly adds only this capability while following the principle of least privilege?

A.securityContext: capabilities: add: ['SYS_PTRACE']
B.securityContext: capabilities: drop: ['ALL'] add: ['SYS_PTRACE']
C.securityContext: capabilities: drop: ['ALL']
D.securityContext: privileged: true
AnswerB

This drops all and adds only SYS_PTRACE.

Why this answer

Option B is correct because it first drops all capabilities with `drop: ['ALL']` and then explicitly adds only `SYS_PTRACE`, ensuring the container runs with the minimum privileges required. This follows the principle of least privilege by removing any inherited or default capabilities before granting only the needed one. In Kubernetes, capabilities are Linux kernel capabilities; dropping all and adding only what is necessary is the recommended security practice.

Exam trap

CNCF often tests the misconception that simply adding a capability is sufficient, but the trap is that candidates forget to drop all other capabilities first, leaving the container with more privileges than intended.

How to eliminate wrong answers

Option A is wrong because it only adds `SYS_PTRACE` without dropping existing capabilities, meaning the container retains all default capabilities (e.g., CHOWN, DAC_OVERRIDE, FOWNER, etc.), violating the principle of least privilege. Option C is wrong because it drops all capabilities but does not add `SYS_PTRACE`, so the container would lack the required capability to perform ptrace operations. Option D is wrong because setting `privileged: true` grants all capabilities (including SYS_PTRACE) and disables most security constraints, which is excessive and violates least privilege.

460
MCQmedium

An administrator runs kube-bench on a cluster node and receives failures for CIS benchmark checks related to kubelet configuration. Which kubelet flag should be set to ensure that kernel defaults are not used when they might be insecure?

A.--protect-kernel-defaults
B.--read-only-port=0
C.--anonymous-auth=false
D.--kubelet-extra-args
AnswerA

This flag is explicitly checked by kube-bench for CIS compliance.

Why this answer

The `--protect-kernel-defaults` kubelet flag ensures that the kubelet will not use insecure kernel defaults by enforcing that certain sysctl settings (e.g., `kernel.panic`, `vm.overcommit_memory`) are set to secure values. If these kernel parameters are not explicitly configured to safe values, the kubelet will fail to start, preventing the node from running with potentially insecure kernel defaults. This directly addresses CIS benchmark checks that require hardening of the kubelet's interaction with the host kernel.

Exam trap

The trap here is that candidates often confuse `--protect-kernel-defaults` with other kubelet security flags like `--read-only-port` or `--anonymous-auth`, or mistakenly think `--kubelet-extra-args` is a direct kubelet flag, when in fact it is a kubeadm configuration option and not a solution for kernel default protection.

How to eliminate wrong answers

Option B is wrong because `--read-only-port=0` disables the read-only port (10255) on the kubelet, which prevents unauthenticated access to kubelet metrics, but it does not address kernel default security. Option C is wrong because `--anonymous-auth=false` disables anonymous authentication to the kubelet API, which is a separate CIS check for authentication hardening, not for kernel defaults. Option D is wrong because `--kubelet-extra-args` is a kubeadm configuration field used to pass additional flags to the kubelet, not a kubelet flag itself, and it does not specifically enforce kernel default protection.

461
Multi-Selecthard

Which THREE of the following practices help protect microservice applications against supply chain attacks? (Choose three.)

Select 3 answers
A.Use images from any public registry for flexibility
B.Use minimal base images (e.g., distroless or scratch) to reduce attack surface
C.Always use the latest tag to get the most recent patches
D.Scan images for vulnerabilities using tools like Trivy or Clair
E.Enable image verification using digital signatures (e.g., Notary or Cosign)
AnswersB, D, E

Smaller images have fewer packages that could contain vulnerabilities.

Why this answer

Option B is correct because using minimal base images like distroless or scratch significantly reduces the attack surface by eliminating unnecessary packages, libraries, and utilities that could contain vulnerabilities. This aligns with the principle of least functionality, as fewer components mean fewer potential entry points for an attacker to exploit in a supply chain attack.

Exam trap

CNCF often tests the misconception that using the latest tag is a safe practice for getting patches, when in fact it undermines supply chain security by breaking image immutability and reproducibility.

462
MCQmedium

A security admin needs to audit all API requests to the Kubernetes API server. Which audit policy level logs the request body and response body?

A.Request
B.None
C.RequestResponse
D.Metadata
AnswerC

RequestResponse logs both request and response bodies.

Why this answer

The RequestResponse level logs both request and response bodies. Metadata only logs metadata, Request logs request body, and None disables audit logging.

463
MCQeasy

What is the purpose of the --audit-log-path flag on the kube-apiserver?

A.It sets the maximum number of audit log files to retain.
B.It disables audit logging.
C.It enables audit logging and sets the output file path.
D.It specifies the path to the audit policy file.
AnswerC

This flag enables audit logging and specifies the log file location.

Why this answer

The `--audit-log-path` flag on the kube-apiserver enables audit logging and specifies the file path where audit events are written. Without this flag, audit logging is disabled by default. Setting this flag is the first step to capturing API request logs for security monitoring and compliance.

Exam trap

CNCF often tests the distinction between `--audit-log-path` (enables logging and sets output path) and `--audit-policy-file` (defines what to log), causing candidates to confuse the two flags.

How to eliminate wrong answers

Option A is wrong because the `--audit-log-maxbackup` flag, not `--audit-log-path`, controls the maximum number of audit log files to retain. Option B is wrong because the `--audit-log-path` flag enables audit logging, not disables it; disabling audit logging is the default behavior when the flag is omitted. Option D is wrong because the path to the audit policy file is set by the `--audit-policy-file` flag, not `--audit-log-path`.

464
MCQmedium

Which of the following is NOT a valid seccomp profile type in Kubernetes?

A.SeccompDefault
B.Unconfined
C.RuntimeDefault
D.Localhost
AnswerA

There is no 'SeccompDefault' type. The correct type is 'RuntimeDefault'.

Why this answer

SeccompDefault is not a valid seccomp profile type in Kubernetes. The valid profile types are Unconfined, RuntimeDefault, and Localhost. SeccompDefault is a feature gate (introduced in Kubernetes 1.22) that, when enabled, tells the kubelet to use the RuntimeDefault seccomp profile by default for pods, but it is not itself a profile type.

Exam trap

The trap here is that candidates confuse the SeccompDefault feature gate with a valid seccomp profile type, especially since the feature gate name sounds like a profile type and is often mentioned in the context of default seccomp enforcement.

How to eliminate wrong answers

Option A is wrong because SeccompDefault is a feature gate, not a seccomp profile type. Option B is wrong because Unconfined is a valid seccomp profile type that disables seccomp filtering for a container. Option C is wrong because RuntimeDefault is a valid seccomp profile type that uses the container runtime's default seccomp profile (typically a restrictive profile that blocks syscalls like unshare, mount, etc.).

Option D is wrong because Localhost is a valid seccomp profile type that allows you to specify a custom seccomp profile file on the node's filesystem.

465
Multi-Selectmedium

Which TWO of the following are valid Falco output fields?

Select 2 answers
A.%pod.name
B.%fd.name
C.%k8s.ns
D.%evt.type
E.%proc.name
AnswersD, E

Valid field for event type.

Why this answer

Falco output fields include %evt.type, %proc.name, %container.id, %fd.name etc.

466
Multi-Selectmedium

Which TWO of the following are valid ways to securely manage secrets in Kubernetes? (Choose two.)

Select 2 answers
A.Mount Kubernetes Secrets as volumes into the pod.
B.Use environment variables from the pod spec referencing Secret keys.
C.Use an external secrets manager like HashiCorp Vault integrated with the pod.
D.Pass secrets as command-line arguments to the container.
E.Store secrets in ConfigMaps with base64 encoded data.
AnswersA, C

Volume mounts are more secure than env vars.

Why this answer

Option A is correct: external secret managers like Vault provide secure secret management. Option D is correct: Kubernetes Secrets mounted as volumes are more secure than environment variables. Option B is not a valid mechanism; Option C is insecure; Option E is not a native Kubernetes secret.

467
Multi-Selectmedium

Which TWO of the following are valid ways to reduce the attack surface of a Kubernetes node? (Select 2)

Select 2 answers
A.Load all kernel modules to support any workload
B.Restrict hostNetwork, hostPID, and hostIPC access from containers
C.Enable SSH access for all users for troubleshooting
D.Disable unnecessary system services on the node
E.Allow containers to run as root
AnswersB, D

These settings reduce a container's ability to access host resources.

Why this answer

Restricting hostNetwork, hostPID, and hostIPC access from containers is a valid way to reduce the attack surface of a Kubernetes node because it prevents containers from breaking out of their namespace isolation. When a container uses hostNetwork, it shares the node's network stack, potentially allowing it to sniff traffic or bind to privileged ports. Similarly, hostPID and hostIPC grant access to the host's process table and inter-process communication mechanisms, which can be leveraged for privilege escalation or information disclosure.

By default, these should be disabled unless absolutely necessary, as they directly expose host-level resources to the container.

Exam trap

CNCF often tests the misconception that loading all kernel modules is beneficial for compatibility, when in fact it violates the principle of minimizing the attack surface by only loading required modules.

468
MCQeasy

What is the purpose of the CIS Kubernetes Benchmark?

A.To provide a set of security best practices for Kubernetes
B.To benchmark performance of Kubernetes clusters
C.To test network policies
D.To automate deployment of Kubernetes clusters
AnswerA

The CIS Benchmark outlines security recommendations.

Why this answer

The CIS Kubernetes Benchmark is a set of security best practices developed by the Center for Internet Security (CIS) specifically for hardening Kubernetes clusters. It provides prescriptive guidance on configuring cluster components (e.g., kube-apiserver, kubelet, etcd) to reduce the attack surface and meet compliance standards. Option A correctly identifies this purpose, as the benchmark is not about performance, networking, or automation.

Exam trap

The trap here is that candidates confuse the CIS Benchmark with a performance or automation tool, because 'benchmark' often implies performance testing in other contexts, but in Kubernetes security, it strictly refers to a compliance and hardening standard.

How to eliminate wrong answers

Option B is wrong because the CIS Kubernetes Benchmark focuses on security configuration, not performance benchmarking; performance metrics are measured by tools like the Kubernetes Performance and Scalability Working Group's benchmarks. Option C is wrong because while the benchmark includes recommendations for network policies, its scope is far broader, covering all aspects of cluster security (e.g., RBAC, secrets, pod security). Option D is wrong because the benchmark is a set of guidelines, not a deployment tool; automation of cluster deployment is handled by tools like kubeadm, Terraform, or Cluster API.

469
MCQmedium

A Kubernetes cluster has Kyverno installed. You want to enforce that all container images come from a trusted registry 'trusted-registry.example.com'. Which Kyverno policy rule type would you use?

A.validate with a deny condition
B.mutate
C.validate.deny
D.generate
AnswerA

Using a validate rule with a deny condition can block pods that use images from unauthorized registries.

Why this answer

To validate the registry for container images, you use a validation rule that checks the image field.

470
MCQhard

You need to ensure that all pods in a namespace have the label 'security: high' added automatically upon creation. Which admission controller should you use?

A.PodSecurityPolicy (deprecated)
B.ResourceQuota
C.ValidatingAdmissionPolicy
D.MutatingWebhookConfiguration
AnswerD

A mutating webhook can modify resources during admission, such as adding labels.

Why this answer

MutatingWebhookConfiguration defines a webhook that can mutate (modify) incoming API objects, such as adding labels. Validating webhooks only validate and reject, not modify.

471
MCQhard

You are configuring encryption at rest for Kubernetes secrets. After creating an EncryptionConfiguration with aescbc provider, which additional step is required to enable encryption?

A.Restart the kube-apiserver with --encryption-provider-config flag
B.Apply the EncryptionConfiguration as a ConfigMap
C.Restart the kube-scheduler
D.Recreate all secrets in the cluster
AnswerA

The kube-apiserver reads the encryption configuration at startup; a restart is required.

Why this answer

The kube-apiserver must be restarted to reload the encryption configuration, and the --encryption-provider-config flag must point to the configuration file.

472
Multi-Selectmedium

Which THREE of the following are features of container sandboxing solutions like gVisor or Kata Containers?

Select 3 answers
A.They are compatible with the OCI runtime specification
B.They improve container performance over native runc
C.They can be used with RuntimeClass to select the sandbox runtime per pod
D.They provide an additional layer of isolation between containers and the host kernel
E.They use the host kernel directly for all system calls
AnswersA, C, D

Both gVisor (runsc) and Kata Containers implement the OCI runtime spec.

Why this answer

Container sandboxing provides an additional isolation layer, supports OCI runtime, and adds a security layer. They do not use host kernel directly (that's typical containers). They do not necessarily improve performance; they often add overhead.

473
MCQmedium

A Falco rule is configured to detect privilege escalation via setuid binaries. Which syscall is commonly associated with this activity?

A.connect
B.setuid
C.open
D.execve
AnswerB

Why this answer

The setuid and setgid syscalls are used to change user/group IDs, a common privilege escalation vector. Option D is correct. Option A is file operations.

Option B is network. Option C is process execution.

474
MCQhard

A pod runs with a service mesh sidecar (Istio). The team wants to enforce mutual TLS (mTLS) for all traffic between services in the 'production' namespace. Which resource should be applied?

A.DestinationRule with trafficPolicy: tls: mode: ISTIO_MUTUAL
B.VirtualService with TLS settings
C.PeerAuthentication with mode: STRICT in the namespace
D.ServiceEntry with mTLS enabled
AnswerC

Correct. PeerAuthentication defines mTLS settings per namespace or workload. Mode STRICT requires mTLS.

Why this answer

A PeerAuthentication resource with mTLS mode set to STRICT enforces mutual TLS for all traffic within the namespace. This is an Istio security policy.

475
MCQmedium

You want to enable mutual TLS (mTLS) between services in a namespace using Istio. Which custom resource should you configure to enforce STRICT mTLS for all workloads in the namespace?

A.DestinationRule with trafficPolicy.tls.mode: ISTIO_MUTUAL
B.VirtualService with tls.mode: SIMPLE
C.PeerAuthentication with mtls.mode: STRICT
D.ServiceEntry with resolution: NONE
AnswerC

PeerAuthentication enforces mTLS on inbound traffic; STRICT mode requires mutual TLS.

Why this answer

PeerAuthentication with mTLS mode STRICT enforces that all incoming traffic to the namespace uses mutual TLS. DestinationRule is for traffic policies including TLS settings for the destination, but PeerAuthentication is the correct resource to enforce mTLS mode.

476
MCQmedium

You suspect a pod is making unexpected outbound connections. Which tool can you use to inspect network connections from within the container?

A.kubectl port-forward
B.crictl exec
C.falco
D.kubectl logs
AnswerB

crictl exec can run ss or netstat inside the container.

Why this answer

crictl exec allows running commands inside a container using the container runtime interface.

477
MCQmedium

An admin runs 'kubectl auth reconcile -f rbac.yaml' and gets an error that the user does not have permission to create ClusterRoleBindings. What is the most likely cause?

A.The ClusterRoleBinding already exists.
B.The YAML file has a syntax error.
C.The Kubernetes API server is not reachable.
D.The user's kubeconfig context does not have RBAC permissions to create ClusterRoleBindings.
AnswerD

The error indicates insufficient permissions; the user needs a ClusterRoleBinding that grants the necessary permissions.

Why this answer

The error indicates that the user's current kubeconfig context lacks RBAC permissions to create ClusterRoleBindings. The `kubectl auth reconcile` command attempts to apply the RBAC resources defined in the YAML file, and if the user's credentials (typically from a certificate or token) do not include the `create` verb on `clusterrolebindings` in the RBAC authorization layer, the API server will reject the request with a 403 Forbidden error. This is a direct permission issue, not a connectivity or syntax problem.

Exam trap

The trap here is that candidates may confuse a permission error with a resource conflict (Option A) or a connectivity issue (Option C), but the specific error message 'does not have permission to create ClusterRoleBindings' directly points to insufficient RBAC privileges in the current kubeconfig context.

How to eliminate wrong answers

Option A is wrong because if the ClusterRoleBinding already exists, `kubectl auth reconcile` would attempt to update it (which requires `update` permission), but the error specifically mentions lack of permission to `create`, not a conflict error like 'AlreadyExists'. Option B is wrong because a syntax error in the YAML file would produce a parsing error from kubectl (e.g., 'error converting YAML to JSON'), not an RBAC permission error. Option C is wrong because if the API server were unreachable, the error would be a connection timeout or 'Unable to connect to the server', not a permission-denied message.

478
Multi-Selectmedium

Which TWO actions should be taken to secure etcd in a Kubernetes cluster?

Select 2 answers
A.Enable TLS authentication for etcd peer and client communication
B.Run etcd as a DaemonSet to ensure high availability
C.Disable client certificate authentication for etcd
D.Enable the NodeRestriction admission plugin on etcd
E.Restrict access to etcd using network policies or firewall rules
AnswersA, E

TLS ensures encrypted and authenticated communication.

Why this answer

Enabling TLS authentication for etcd peer and client communication ensures that all data in transit between etcd members and between etcd and the Kubernetes API server is encrypted and mutually authenticated. This prevents man-in-the-middle attacks and unauthorized access to the cluster's state store, which is a critical requirement for securing etcd as per the CIS Kubernetes Benchmark.

Exam trap

CNCF often tests the misconception that admission plugins like NodeRestriction apply to etcd, when in fact they are exclusively API server components and have no role in securing the etcd datastore itself.

479
MCQeasy

A security engineer wants to ensure that only images signed with a specific key are allowed to run in the cluster. Which tool can be used to sign container images?

A.kubesec
B.syft
C.cosign
D.trivy
AnswerC

Cosign supports signing container images and verifying signatures.

Why this answer

Option A is correct. Cosign is a tool for signing and verifying container images. Option B (Trivy) is for scanning vulnerabilities.

Option C (Syft) generates SBOMs. Option D (kubesec) analyzes Kubernetes manifests.

480
MCQmedium

You are tasked with enabling audit logging for the Kubernetes API server. Which API server flag must be used to specify the audit log file path?

A.--audit-log-path
B.--audit-log-dir
C.--audit-policy-file
D.--audit-log-file
AnswerA

This flag sets the path for the audit log file.

Why this answer

The `--audit-log-path` flag is the correct API server flag to specify the file path where audit logs are written. This flag defines the absolute or relative path to the audit log file, and the kube-apiserver will create or append to that file. Without this flag, no audit log file is generated, even if an audit policy is configured.

Exam trap

CNCF often tests the exact flag name `--audit-log-path` versus the plausible but incorrect `--audit-log-file`, exploiting the common assumption that the flag would be named after the file rather than the path.

How to eliminate wrong answers

Option B is wrong because `--audit-log-dir` is not a valid kube-apiserver flag; the correct flag for specifying the directory is `--audit-log-path`, which can include a directory path as part of the filename. Option C is wrong because `--audit-policy-file` specifies the path to the audit policy YAML file that defines which events to log, not the log file path itself. Option D is wrong because `--audit-log-file` is not a valid flag; the correct flag name is `--audit-log-path`.

481
Multi-Selectmedium

Which TWO tools can generate an SBOM for a container image? (Select two.)

Select 2 answers
A.checkov
B.trivy
C.syft
D.cosign
E.kubesec
AnswersB, C

Trivy can generate SBOMs in CycloneDX or SPDX format.

Why this answer

Syft and Trivy (via the 'trivy image --format cyclonedx' command) can generate SBOMs. Options A and B are correct.

482
Multi-Selecteasy

An auditor requires that all audit logs from the Kubernetes API server be stored for 90 days and be tamper-proof. Which TWO measures should be implemented?

Select 2 answers
A.Configure the audit log backend to write to an immutable object store like S3 with Object Lock
B.Enable the AuditDynamicConfiguration feature gate
C.Deploy Fluentd to forward logs to a central Elasticsearch cluster
D.Set the API server flag --audit-log-maxage=90
E.Set --audit-log-maxbackup=10 and --audit-log-maxsize=100
AnswersA, D

Immutable storage prevents log modification or deletion.

Why this answer

Option A is correct because storing audit logs in an immutable object store like S3 with Object Lock ensures tamper-proof retention by preventing any object from being overwritten or deleted for a specified retention period. This directly satisfies the auditor's requirement for logs that cannot be altered or destroyed, regardless of the Kubernetes cluster state.

Exam trap

CNCF often tests the distinction between log rotation/retention settings (like --audit-log-maxage) and true immutability features, leading candidates to incorrectly select options that only manage log file age without preventing tampering.

483
MCQeasy

What is the default authorization mode for a new Kubernetes cluster?

A.ABAC
B.Node
C.AlwaysDeny
D.RBAC
AnswerD

RBAC is the default in most modern distributions.

Why this answer

Option D is correct because RBAC (Role-Based Access Control) is the default authorization mode for new Kubernetes clusters since version 1.8. When you initialize a cluster with kubeadm, the API server is automatically configured with the `--authorization-mode=RBAC` flag, enabling fine-grained access control based on roles and bindings.

Exam trap

CNCF often tests the misconception that ABAC is the default because it was the original authorization mode in early Kubernetes versions, but RBAC has been the default since v1.8 and is the recommended standard for security.

How to eliminate wrong answers

Option A is wrong because ABAC (Attribute-Based Access Control) is not the default; it requires manual configuration with `--authorization-mode=ABAC` and a policy file, and it is less secure and harder to manage than RBAC. Option B is wrong because Node authorization is a special-purpose mode used to authorize kubelet API requests, not the default for the entire cluster; it is typically combined with other modes like RBAC. Option C is wrong because AlwaysDeny is a legacy mode that denies all requests and is not used in production; it was removed in Kubernetes 1.10 and is never the default.

484
MCQhard

During a security audit, a team discovers that their microservice application, deployed on Kubernetes, is vulnerable to container breakout attacks. The containers run as root and have many Linux capabilities. Which set of Pod Security Standards (PSS) enforcement modes and policies would best mitigate this risk?

A.Use 'privileged' PSS with Warn mode
B.Use 'baseline' PSS with Audit mode
C.Use 'restricted' PSS with Enforce mode
D.Use 'baseline' PSS with Enforce mode
AnswerC

Restricted profile requires non-root and drops all capabilities except net bind service.

Why this answer

The 'restricted' Pod Security Standard with 'Enforce' mode is the correct choice because it mandates the most stringent security controls, including dropping all Linux capabilities and preventing containers from running as root. This directly mitigates container breakout attacks by eliminating the excessive privileges that enable such exploits. 'Enforce' mode actively blocks non-compliant pods, ensuring the policy is applied without relying on user awareness or audit logs.

Exam trap

CNCF often tests the misconception that 'baseline' PSS is sufficient for most security needs, but the trap here is that 'baseline' still allows root and default capabilities, which are exactly the vectors exploited in container breakout attacks, making 'restricted' the only adequate choice for this specific risk.

How to eliminate wrong answers

Option A is wrong because 'privileged' PSS is the least restrictive policy, allowing all capabilities and root access, which would not mitigate breakout risks; 'Warn' mode only alerts but does not block non-compliant pods. Option B is wrong because 'baseline' PSS allows some default capabilities and does not enforce dropping all capabilities or preventing root, and 'Audit' mode only logs violations without enforcement. Option D is wrong because while 'baseline' PSS with 'Enforce' mode blocks some obvious misconfigurations, it still permits containers to run as root and retains default capabilities, leaving significant breakout vectors unaddressed.

485
Multi-Selecthard

Which THREE of the following are valid admission controllers involved in the Kubernetes admission flow that can be used for supply chain security?

Select 3 answers
A.MutatingAdmissionWebhook
B.ResourceQuota
C.ValidatingAdmissionWebhook
D.PodSecurity
E.PersistentVolumeClaim
AnswersA, C, D

Can be used to mutate Pods to enforce security settings like image policies.

Why this answer

Correct answers: A, C, E. MutatingAdmissionWebhook and ValidatingAdmissionWebhook are standard admission controllers that can enforce policies. PodSecurity is a built-in admission controller for pod security standards (replaces PSP).

ImagePolicyWebhook is specifically for image admission control. Option B (ResourceQuota) is for resource management, not security. Option D (PersistentVolumeClaim) is a resource type, not an admission controller.

486
MCQmedium

A security best practice is to avoid storing secrets in environment variables. Which is a secure alternative for injecting secrets into a pod?

A.Use the Kubernetes Secret Store CSI driver to mount from external store
B.Store secrets in ConfigMap and reference them in the pod
C.Embed the secret directly in the pod definition YAML
D.Mount the Secret as a volume
AnswerD

Mounting secrets as volumes is a secure practice recommended over environment variables.

Why this answer

Mounting secrets as volumes is more secure than environment variables because it reduces exposure in process listings and other system introspection.

487
MCQmedium

After a security incident, you need to restrict which pods can communicate with each other in the 'finance' namespace. You want to allow only pods with label 'app: api' to connect to pods with label 'app: db' on TCP port 5432, and deny all other traffic. Which NetworkPolicy should you create?

A.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db namespace: finance spec: podSelector: matchLabels: app: api ingress: - from: - podSelector: matchLabels: app: db ports: - port: 5432
B.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db namespace: finance spec: podSelector: matchLabels: app: api egress: - to: - podSelector: matchLabels: app: db ports: - port: 5432
C.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db namespace: finance spec: podSelector: matchLabels: app: db ingress: - from: - podSelector: matchLabels: app: api
D.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db namespace: finance spec: podSelector: matchLabels: app: db ingress: - from: - podSelector: matchLabels: app: api ports: - port: 5432
AnswerD

Correctly targets db pods, allows ingress from api pods on port 5432, and implicitly denies all other ingress.

Why this answer

Option D is correct because it defines a NetworkPolicy that selects pods with label 'app: db' as the target and allows ingress traffic only from pods with label 'app: api' on TCP port 5432. By default, if no NetworkPolicy exists, all traffic is allowed; once a NetworkPolicy selects a pod, all traffic not explicitly allowed is denied. This policy therefore restricts communication to only the intended api-to-db flow on the specified port.

Exam trap

CNCF often tests the direction of traffic flow: candidates mistakenly apply the policy to the source pod (app: api) with an ingress rule, which would control traffic coming into the api pod rather than traffic going to the db pod, or they forget to specify the port, allowing all ports from the allowed source.

How to eliminate wrong answers

Option A is wrong because it selects pods with label 'app: api' and defines an ingress rule from pods with label 'app: db', which would allow db pods to connect to api pods, the reverse of the required direction. Option B is wrong because it defines an egress rule from api pods to db pods, but the question requires restricting which pods can communicate with each other, and egress policies control outbound traffic from the selected pods, not inbound traffic to the db pods; additionally, it does not deny all other traffic because it only affects egress from api pods, leaving ingress to db pods unrestricted. Option C is wrong because it selects db pods and allows ingress from api pods but does not specify the port (5432), thus allowing all ports from api pods, which is too permissive and does not meet the requirement to restrict to TCP port 5432.

488
MCQeasy

Which admission plugin is recommended by the CIS Kubernetes Benchmark to restrict the kubelet's ability to modify nodes?

A.NodeRestriction
B.PodNodeSelector
C.SecurityContextDeny
D.AlwaysPullImages
AnswerA

NodeRestriction ensures kubelets can only modify their own node objects.

Why this answer

The NodeRestriction admission plugin is recommended by the CIS Kubernetes Benchmark to restrict the kubelet's ability to modify nodes. It limits the kubelet's permissions to only modify its own node and its own pods, preventing it from altering other nodes or performing unauthorized operations. This plugin enforces a security boundary by rejecting requests that attempt to modify node labels, taints, or status outside the kubelet's assigned scope.

Exam trap

The trap here is that candidates often confuse admission plugins that control pod security (like SecurityContextDeny or PodNodeSelector) with the specific plugin that restricts kubelet node modification, leading them to pick a security-focused option that does not address the kubelet's API access.

How to eliminate wrong answers

Option B (PodNodeSelector) is wrong because it enforces namespace-level pod node selector constraints, not kubelet node modification restrictions. Option C (SecurityContextDeny) is wrong because it rejects pods with certain security context settings, such as privileged containers, but does not limit kubelet actions on nodes. Option D (AlwaysPullImages) is wrong because it forces image pull policy to Always for every pod, addressing image freshness and security, not kubelet node modification control.

489
MCQeasy

A cluster administrator wants to monitor network traffic between pods for security analysis. Which tool is designed specifically for this purpose and integrates with Kubernetes?

A.Configure Fluentd to collect network logs from each node.
B.Use Prometheus to scrape network metrics from kube-proxy.
C.Run kube-bench to audit network policies.
D.Deploy Cilium with Hubble for network flow visibility.
AnswerD

Cilium/Hubble provides pod-level network monitoring.

Why this answer

D is correct because Cilium, combined with Hubble, is specifically designed to provide deep network flow visibility and monitoring for Kubernetes pods. Hubble leverages eBPF to capture and report network traffic at the kernel level, offering granular observability into pod-to-pod communications, which directly meets the requirement for security analysis of network traffic between pods.

Exam trap

The trap here is that candidates may confuse general monitoring tools (Fluentd, Prometheus) or security auditing tools (kube-bench) with a purpose-built network flow visibility solution like Cilium/Hubble, which is the only option that directly addresses pod-to-pod traffic monitoring for security analysis.

How to eliminate wrong answers

Option A is wrong because Fluentd is a log collector and aggregator, not a network traffic monitoring tool; it collects log files (e.g., from containers or applications) but does not capture or analyze network flows between pods. Option B is wrong because Prometheus scrapes metrics (e.g., from kube-proxy for iptables rules or service endpoints) but does not provide real-time network flow visibility or capture individual packet-level communications between pods. Option C is wrong because kube-bench is a compliance auditor that checks Kubernetes clusters against CIS benchmarks, focusing on configuration security, not on monitoring live network traffic between pods.

490
MCQhard

An OPA/Gatekeeper ConstraintTemplate is defined with the following Rego rule: violation[{"msg": msg}] { container := input.review.object.spec.containers[_] container.securityContext.runAsNonRoot != true msg := "Container must run as non-root" } What happens when a pod is submitted with a container that has runAsNonRoot: true?

A.The pod is admitted but an audit log is generated
B.The pod is admitted
C.The pod is denied with a message
D.The pod is mutated to set runAsNonRoot
AnswerB

The violation rule evaluates to false because the condition runAsNonRoot != true is false, so the pod passes the constraint.

Why this answer

The rule produces a violation only when runAsNonRoot is not true. If it is true, the rule does not fire, and the pod is admitted.

491
MCQhard

A cluster administrator wants to prevent all containers in a namespace from running with the NET_RAW capability. They plan to use a PodSecurityPolicy (PSP) but PSP is deprecated. Which approach should they use instead?

A.Apply a PodSecurity admission label with 'pod-security.kubernetes.io/enforce: privileged'
B.Apply a PodSecurity admission label with 'pod-security.kubernetes.io/enforce: restricted'
C.Apply a PodSecurity admission label with 'pod-security.kubernetes.io/enforce: baseline'
D.Use a PodSecurityPolicy with 'requiredDropCapabilities: [NET_RAW]'
AnswerC

Baseline policy drops NET_RAW and other dangerous capabilities while being less restrictive than restricted.

Why this answer

Option C is correct because the 'baseline' PodSecurity standard enforces the minimum restrictions that prevent privilege escalation, including dropping the NET_RAW capability by default. The 'baseline' profile is designed to be applied to namespaces where most workloads run, and it automatically adds NET_RAW to the required drop capabilities list, which directly addresses the administrator's goal without the overhead of the more restrictive 'restricted' profile.

Exam trap

CNCF often tests the distinction between the three PodSecurity standards, and the trap here is that candidates may choose 'restricted' (option B) because it is the most secure, but the question only requires dropping NET_RAW, which is already covered by the 'baseline' profile without imposing unnecessary restrictions like requiring non-root users or seccomp profiles.

How to eliminate wrong answers

Option A is wrong because the 'privileged' PodSecurity standard allows all capabilities, including NET_RAW, and does not enforce any capability drops, so it would not prevent containers from running with NET_RAW. Option B is wrong because the 'restricted' standard is overly restrictive for many workloads (e.g., it requires running as non-root, seccomp profiles, and dropping all capabilities), and while it would drop NET_RAW, it imposes additional constraints that are not necessary for the stated requirement. Option D is wrong because PodSecurityPolicy (PSP) is deprecated in Kubernetes v1.21 and removed in v1.25, and the question explicitly states that PSP is deprecated, so using it is not the recommended approach; the correct replacement is PodSecurity admission with the 'baseline' profile.

492
MCQeasy

Which Kubernetes resource can be used to enforce that a container's filesystem is read-only?

A.ResourceQuota
B.PodSecurityPolicy
C.SecurityContext
D.NetworkPolicy
AnswerC

SecurityContext with readOnlyRootFilesystem: true makes the container filesystem read-only.

Why this answer

The SecurityContext at the container level has a 'readOnlyRootFilesystem' field. When set to true, the container's root filesystem is read-only.

493
MCQmedium

An administrator wants to use gVisor to sandbox containers in a Kubernetes cluster. Which resource must be created to enable this?

A.RuntimeClass with handler: runsc
B.DaemonSet to install gVisor on nodes
C.PodSecurityPolicy with gVisor enabled
D.SecurityContext with runtime: gvisor
AnswerA

RuntimeClass allows selecting a container runtime. gVisor's runsc is specified as the handler.

494
MCQmedium

A team wants to use an external secret manager (HashiCorp Vault) to inject secrets into pods. Which approach is most aligned with Kubernetes best practices?

A.Use a ConfigMap to mount secrets as files
B.Store secrets as environment variables in the pod spec
C.Use kubectl exec to copy secrets into the container at startup
D.Use a mutating webhook that injects a sidecar container to fetch secrets and mount them as volumes
AnswerD

This approach securely injects secrets without exposing them in the pod spec.

Why this answer

Using a mutating webhook to inject secrets as volumes is a common pattern (e.g., with Vault Agent Sidecar Injector). It avoids storing secrets in environment variables and integrates with native Kubernetes resources. Option A is insecure; option B is deprecated; option D exposes secrets in the command line.

495
MCQhard

You are auditing your cluster's supply chain security. You need to generate a Software Bill of Materials (SBOM) for a container image. Which tool should you use?

A.Trivy
B.Kubesec
C.Checkov
D.Syft
AnswerD

Syft is a popular tool for generating SBOMs from container images.

Why this answer

Syft is a CLI tool for generating an SBOM from container images. It outputs a list of packages and dependencies.

496
MCQmedium

You are investigating a security incident where a container ran a shell inside a pod. Which Falco rule condition would trigger on a shell spawned in a container?

A.evt.type=clone and proc.name = 'shell'
B.evt.type=execve and proc.name contains 'sh'
C.proc.name in (sh, bash)
D.container.id != host and proc.name = shell
AnswerC

Correct: Falco conditions check process names to detect shell execution.

Why this answer

Falco uses syscalls to detect events. The condition 'proc.name=sh' or 'proc.name=bash' matches processes named sh or bash, which are common shells. Option B is incorrect because 'container.id' is not a typical field; Falco uses 'container.id' but the condition is about process name.

Option C is too broad. Option D is not the typical way to detect shell execution.

497
Multi-Selectmedium

Which TWO of the following are valid ways to enforce that containers cannot run as root in a Kubernetes cluster? (Select TWO.)

Select 2 answers
A.Create a Gatekeeper Constraint that requires runAsNonRoot
B.Use a NetworkPolicy to block root containers
C.Set the kubelet flag --run-non-root
D.Enable the PodSecurity admission controller with the 'restricted' profile
E.Use a ServiceAccount to restrict root
AnswersA, D

Correct. Gatekeeper can enforce arbitrary policies.

Why this answer

Pod Security Standards (restricted profile) and Pod Security Policies (deprecated but still valid in some contexts) both enforce runAsNonRoot. OPA Gatekeeper can also enforce custom policies.

498
Multi-Selecthard

Which THREE of the following are valid ways to enforce mTLS in an Istio service mesh? (Select 3)

Select 3 answers
A.DestinationRule with trafficPolicy.tls.mode set to ISTIO_MUTUAL
B.PeerAuthentication with mTLS mode set to STRICT
C.ServiceEntry with mTLS enabled for external services
D.AuthorizationPolicy with deny rules for non-mTLS traffic
E.NetworkPolicy with ingress rules to allow only TLS traffic
AnswersA, B, C

Configures client-side mTLS for traffic to a specific host.

Why this answer

PeerAuthentication with mTLS mode (option A) enforces mTLS per namespace or workload. DestinationRule with tls settings (option B) configures client-side TLS settings. ServiceEntry can enable mTLS for external services (option D).

Option C (NetworkPolicy) is for Kubernetes network policies, not TLS. Option E (AuthorizationPolicy) is for access control, not TLS configuration.

499
MCQeasy

Which command is used to sign a container image with Cosign?

A.cosign attest
B.cosign sign
C.cosign generate
D.cosign verify
AnswerB

cosign sign signs a container image.

Why this answer

The `cosign sign` command is used to sign a container image and attach the signature to the image registry.

500
MCQhard

A cluster uses Kubernetes v1.24 with Pod Security Admission enabled. The cluster administrator wants to enforce that all pods in the 'production' namespace run with the 'restricted' policy level, but some existing deployments use privileged containers. Which approach ensures that only new pods violating the policy are rejected, while existing pods continue to run?

A.Patch existing deployments to remove privileged containers, then add the label 'pod-security.kubernetes.io/enforce=restricted' to the namespace.
B.Add the namespace label 'pod-security.kubernetes.io/enforce=restricted' and leave existing pods unchanged; new pods violating the policy will be rejected.
C.Create a PodSecurityPolicy that restricts privileged containers and bind it to all service accounts in the namespace.
D.Set the namespace label 'pod-security.kubernetes.io/enforce=restricted' and use the 'inform' mode to allow existing pods.
AnswerB

Correctly enforces the policy on new pods without affecting existing ones.

Why this answer

Option B is correct because Pod Security Admission (PSA) in Kubernetes v1.24 enforces policies via namespace labels. Setting `pod-security.kubernetes.io/enforce=restricted` on the 'production' namespace will reject any new pod that violates the restricted policy, but existing pods are not re-evaluated and continue running. This behavior is by design: PSA evaluates pods at creation or update time, not retroactively, so existing workloads are unaffected.

Exam trap

The trap here is that candidates confuse Pod Security Admission with the deprecated PodSecurityPolicy, or assume that setting an enforce label will retroactively terminate existing pods, when in fact PSA only applies to new or updated pods.

How to eliminate wrong answers

Option A is wrong because patching existing deployments to remove privileged containers is unnecessary and contradicts the requirement to let existing pods continue running; PSA does not require modifying existing workloads. Option C is wrong because PodSecurityPolicy (PSP) was deprecated in Kubernetes v1.21 and removed in v1.25, and the question specifies v1.24 with Pod Security Admission enabled, making PSP irrelevant and non-functional. Option D is wrong because setting the label to 'enforce=restricted' already enforces the policy; 'inform' mode would only log violations without rejecting pods, which does not meet the requirement to reject new violating pods.

501
Multi-Selectmedium

Which TWO of the following are valid seccomp profile types in Kubernetes? (Select two.)

Select 2 answers
A.Localhost
B.RuntimeDefault
C.ContainerDefault
D.Unconfined
E.KubernetesDefault
AnswersA, B

Uses a custom profile from the node's filesystem.

Why this answer

Option A is correct because the `Localhost` seccomp profile type allows you to reference a custom seccomp profile stored as a JSON file on the node's filesystem. This is a valid profile type in Kubernetes, specified via the `localhostProfile` field in the pod's security context. Option B is correct because `RuntimeDefault` is a valid seccomp profile type that instructs the container runtime (e.g., containerd or CRI-O) to apply its own default seccomp profile, which typically blocks a set of dangerous syscalls while allowing normal operations.

Exam trap

CNCF often tests the misconception that `Unconfined` is not a valid seccomp profile type, but it is valid; the trap is that candidates may confuse `Unconfined` with a non-existent type like `ContainerDefault` or `KubernetesDefault`, or they may incorrectly think `RuntimeDefault` is not a standard option.

502
MCQmedium

An OPA/Gatekeeper constraint requires that all images' registries match a pattern. A Deployment uses 'myregistry.io/app:v1'. The admission controller rejects it. The admin runs 'kubectl get constraints' and sees the constraint is active. What is the next debugging step?

A.Disable the Gatekeeper webhook
B.Check the audit logs of Gatekeeper
C.Reapply the Deployment YAML
D.Describe the constraint and constraint template to see the denial reason
AnswerD

Describing shows violations and reasons.

Why this answer

Describing the constraint and constraint template reveals the specific rule and any error messages.

503
MCQmedium

An administrator runs kube-bench and receives a failing result for CIS control 1.1.1. What does this control typically check?

A.That the API server pod specification file permissions are set to 644 or more restrictive
B.That etcd is using TLS
C.That the API server audit log path is configured
D.That anonymous authentication is disabled on the API server
AnswerA

This is the check for control 1.1.1.

Why this answer

CIS control 1.1.1 specifically checks that the API server pod specification file (typically /etc/kubernetes/manifests/kube-apiserver.yaml) has permissions set to 644 or more restrictive (e.g., 600 or 640). This ensures that only authorized users (root or the kube-apiserver process) can read or modify the file, preventing unauthorized changes to critical API server configuration.

Exam trap

CNCF often tests candidates' ability to map CIS control numbers to their exact checks, so the trap here is that candidates confuse control 1.1.1 (file permissions) with other common API server hardening controls like TLS, audit logging, or authentication settings.

How to eliminate wrong answers

Option B is wrong because etcd TLS configuration is covered under a different CIS control (e.g., 2.1 or 2.2), not 1.1.1. Option C is wrong because API server audit log path configuration is checked under CIS control 1.2.1 or similar audit-related controls, not 1.1.1. Option D is wrong because disabling anonymous authentication on the API server is a separate control (e.g., 1.2.3 or 1.2.4), not part of control 1.1.1 which focuses on file permissions.

504
Multi-Selecteasy

Which TWO of the following are recommended practices for securing the Kubernetes API server? (Select TWO)

Select 2 answers
A.Set --cors-allowed-origins=* for easy access.
B.Disable TLS to improve performance.
C.Enable audit logging.
D.Set --insecure-port=8080 to allow non-TLS access.
E.Set --anonymous-auth=false.
AnswersC, E

Audit logs help detect and investigate suspicious activities.

Why this answer

Option C is correct because enabling audit logging on the API server records all requests to the cluster, providing an immutable record for security monitoring, incident response, and compliance. Audit logs are essential for detecting unauthorized access attempts, misconfigurations, and policy violations, and are a core requirement for Kubernetes security hardening.

Exam trap

CNCF often tests the misconception that disabling security features (like TLS or authentication) improves performance or simplifies access, when in fact these actions directly violate the principle of defense in depth and are explicitly discouraged in Kubernetes security best practices.

505
MCQeasy

You are a platform engineer for a financial services company. Your Kubernetes cluster runs on bare-metal nodes with Ubuntu 20.04 and uses containerd as the container runtime. The cluster is in production with 50 worker nodes. A recent security scan shows that all nodes have the 'overlayfs' kernel module loaded, which is not required. The security policy requires minimal kernel modules. You need to disable the module without disrupting running containers. What should you do?

A.Restart containerd on each node to unload the module
B.Add 'blacklist overlayfs' to /etc/modprobe.d/ and run 'update-initramfs -u', then reboot nodes one by one after draining
C.Use 'rmmod overlayfs' after stopping all containers
D.Use 'modprobe -r overlayfs' on each node immediately
AnswerB

This ensures the module is not loaded on subsequent boots, and draining before reboot prevents disruption.

Why this answer

Option B is correct because it permanently disables the overlayfs kernel module by adding it to the modprobe blacklist and updating the initramfs, ensuring the module is not loaded on subsequent boots. Draining and rebooting nodes one by one avoids disrupting running containers, as pods are rescheduled to other nodes before the node is taken offline. This approach aligns with the security policy of minimizing kernel modules while maintaining production uptime.

Exam trap

CNCF often tests the misconception that unloading a kernel module with 'rmmod' or 'modprobe -r' is safe while containers are running, but in reality, overlayfs is actively used by the container runtime and cannot be removed without causing filesystem errors or container crashes.

How to eliminate wrong answers

Option A is wrong because restarting containerd does not unload kernel modules; containerd is a user-space runtime that uses overlayfs, but unloading the module requires kernel-level operations, not a service restart. Option C is wrong because 'rmmod overlayfs' will fail if the module is in use by any container or filesystem, and stopping all containers on a node would disrupt running workloads, violating the requirement to avoid disruption. Option D is wrong because 'modprobe -r overlayfs' immediately unloads the module, which will fail if any process (including containerd or running containers) is using overlayfs, and even if it succeeds, it could cause container failures or filesystem errors without proper draining.

506
Multi-Selecteasy

Which TWO of the following are tools that can be used to generate an SBOM for a container image?

Select 2 answers
A.Trivy
B.Cosign
C.Syft
D.Clair
E.Kubesec
AnswersA, C

Trivy can generate SBOMs in addition to vulnerability scanning.

Why this answer

Syft is specifically designed for SBOM generation. Trivy also has the ability to generate SBOMs. Cosign is for signing, Clair is a vulnerability scanner, and Kubesec is for static analysis of manifests.

507
MCQmedium

A security engineer wants to integrate image scanning into a CI/CD pipeline. They are using a tool that can scan the filesystem of the build context before building the image. Which tool is best suited for this purpose?

A.Trivy (trivy fs)
B.Kubesec
C.Notary
D.Cosign
AnswerA

trivy fs scans the filesystem for vulnerabilities, ideal for scanning a build context.

Why this answer

Trivy can scan filesystems (trivy fs) to find vulnerabilities in packages before building an image. This allows catching issues early in the pipeline.

508
MCQeasy

Which Pod Security Standard level allows the most relaxed security controls?

A.restricted
B.default
C.baseline
D.privileged
AnswerD

Privileged allows all capabilities and has no restrictions.

Why this answer

The 'privileged' level is the most permissive, with no restrictions.

509
MCQhard

You want to run a workload in a sandboxed container using gVisor. You have created a RuntimeClass named 'gvisor' that references the 'runsc' handler. Which of the following Pod specs correctly uses this RuntimeClass?

A.apiVersion: v1 kind: Pod metadata: name: sandbox-pod annotations: runtimeClass: gvisor spec: containers: - name: app image: nginx
B.apiVersion: v1 kind: Pod metadata: name: sandbox-pod spec: runtimeClassName: gvisor containers: - name: app image: nginx
C.apiVersion: v1 kind: Pod metadata: name: sandbox-pod spec: nodeSelector: runtime: gvisor containers: - name: app image: nginx
D.apiVersion: v1 kind: Pod metadata: name: sandbox-pod spec: runtimeClass: name: gvisor containers: - name: app image: nginx
AnswerB

Correct usage: runtimeClassName set to the name of the RuntimeClass resource.

510
Multi-Selectmedium

Which TWO of the following are best practices for securing the software supply chain in a CI/CD pipeline?

Select 2 answers
A.Use the 'latest' tag for base images to get the newest features
B.Store sensitive credentials directly in the pipeline YAML file
C.Scan all container images for known vulnerabilities before deployment
D.Ignore critical CVEs if they are in development environments
E.Sign container images to ensure integrity and authenticity
AnswersC, E

Vulnerability scanning is essential.

Why this answer

Scanning images for vulnerabilities and signing images are key supply chain security practices. Storing secrets in the pipeline YAML is insecure, and ignoring critical CVEs is not a best practice.

511
MCQmedium

A container runs with the default seccomp profile but the application needs to make a specific syscall that is blocked. Which approach should be taken?

A.Use the RuntimeDefault profile and add capabilities
B.Change the seccomp profile to another runtime default
C.Set seccompProfile to Unconfined
D.Create a custom seccomp profile that allows the syscall and apply it via type: Localhost
AnswerD

Correct. A custom profile allows fine-grained control.

Why this answer

Option D is correct because the default seccomp profile (RuntimeDefault) blocks a specific set of syscalls for security. When an application requires a blocked syscall, the proper approach is to create a custom seccomp profile that explicitly allows that syscall, then apply it to the container via `seccompProfile.type: Localhost` and reference the profile file. This maintains security by only relaxing the necessary restriction, rather than disabling the profile entirely.

Exam trap

CNCF often tests the misconception that capabilities can override seccomp restrictions, but in reality, seccomp and capabilities are independent security mechanisms; a blocked syscall cannot be unblocked by adding capabilities.

How to eliminate wrong answers

Option A is wrong because capabilities control privileged operations (e.g., CAP_SYS_ADMIN), not syscall filtering; adding capabilities does not unblock a syscall blocked by seccomp. Option B is wrong because there is only one runtime default profile (RuntimeDefault) in containerd/Docker; changing to another runtime default is not possible as it is the same profile. Option C is wrong because setting seccompProfile to Unconfined disables all seccomp filtering, which is overly permissive and violates the principle of least privilege; it should only be used when absolutely necessary and after careful consideration.

512
MCQmedium

You have created a ValidatingWebhookConfiguration to reject pods without resource limits. When you try to create a pod without limits, it is created successfully. What is the most likely reason?

A.The webhook is not matching the namespace labels
B.The webhook service is not running or is unreachable
C.The webhook is configured with failurePolicy: Fail
D.The pod is being created by a controller like a Deployment
AnswerB

If the webhook service is down, the API server will fail open (depending on failurePolicy) and allow the pod creation.

Why this answer

If the webhook service is not available, the API server's behavior depends on the failurePolicy. The default failurePolicy is Fail, but if the service is unreachable, the webhook check fails and the request is denied. However, common misconfigurations include the webhook service not being deployed or the service name not matching the webhook configuration, causing the API server to skip the webhook.

The most common reason for a webhook not working is that the service is not running or the configuration is incorrect.

513
MCQeasy

Which of the following is a BEST practice for container images to reduce the attack surface?

A.Use minimal base images like distroless
B.Use the 'latest' tag
C.Include debugging tools in the image
D.Run containers as root user
AnswerA

Minimal base images reduce attack surface by including only necessary components.

Why this answer

Using minimal base images like distroless or Alpine reduces the number of packages and thus the attack surface.

514
MCQmedium

An administrator wants to ensure that a service account used by a deployment cannot automatically mount its token. Which field should be set to `false` in the Pod spec?

A.mountServiceAccountToken
B.disableTokenMount
C.automountServiceAccountToken
D.automountToken
AnswerC

This field controls whether the service account token is automatically mounted.

Why this answer

Option C is correct because the `automountServiceAccountToken` field in the Pod spec controls whether the service account token is automatically mounted into the container. Setting this field to `false` prevents the automatic mounting of the token, which is a security best practice to reduce the attack surface for compromised pods. This field can be set at the Pod level or overridden at the ServiceAccount level.

Exam trap

The trap here is that candidates often confuse the field name with similar-sounding but incorrect options like `automountToken` or `disableTokenMount`, or they mistakenly think `mountServiceAccountToken` is the correct field, when the exact API field is `automountServiceAccountToken`.

How to eliminate wrong answers

Option A is wrong because `mountServiceAccountToken` is not a valid field in the Pod spec; the correct field name is `automountServiceAccountToken`. Option B is wrong because `disableTokenMount` is not a recognized Kubernetes field; no such field exists in the Pod or ServiceAccount API. Option D is wrong because `automountToken` is an incorrect abbreviation; the actual field name is `automountServiceAccountToken`, which must be spelled out exactly as defined in the Kubernetes API.

515
MCQhard

An organization uses Kubernetes with multiple namespaces and wants to ensure that containers running as non-root cannot escalate to root via setuid binaries. Which combination of security contexts and Pod Security Standards achieves this?

A.Use an AppArmor profile to block setuid syscalls.
B.Apply the 'restricted' Pod Security Standard at the namespace level.
C.Set 'securityContext.runAsUser: 1000' on each pod spec.
D.Apply the 'baseline' Pod Security Standard with 'seccompProfile: RuntimeDefault'.
AnswerB

Restricted enforces runAsNonRoot and disallows privileged escalation.

Why this answer

The 'restricted' Pod Security Standard (PSS) enforces the strongest set of security constraints, including preventing containers from running as root and disallowing privilege escalation. Specifically, it requires `securityContext.allowPrivilegeEscalation: false` and prohibits running as root, which directly blocks escalation via setuid binaries. Applying this standard at the namespace level ensures all pods in that namespace inherit these controls, meeting the requirement.

Exam trap

CNCF often tests the misconception that simply running as a non-root user (e.g., `runAsUser: 1000`) is sufficient to prevent privilege escalation, but without `allowPrivilegeEscalation: false`, setuid binaries can still be exploited to gain root.

How to eliminate wrong answers

Option A is wrong because AppArmor profiles can block specific syscalls, but they are not the standard Kubernetes-native mechanism for preventing privilege escalation via setuid binaries; the question specifically asks for a combination of security contexts and Pod Security Standards, not a third-party tool. Option C is wrong because setting `runAsUser: 1000` only changes the user ID but does not prevent the container from using setuid binaries to escalate to root; it still allows privilege escalation unless `allowPrivilegeEscalation: false` is also set. Option D is wrong because the 'baseline' PSS does not enforce `allowPrivilegeEscalation: false`; it only prevents known privilege escalation paths like host namespaces but allows setuid binaries, and `seccompProfile: RuntimeDefault` alone does not block setuid escalation.

516
MCQmedium

An administrator wants to run a container that requires the SYS_TIME capability. Which field should be used in the securityContext to add this capability?

A.capabilities.add
B.privileged: true
C.allowPrivilegeEscalation: true
D.capabilities.drop
AnswerA

Correct field to add capabilities.

Why this answer

Option A is correct because the `capabilities.add` field in the `securityContext` is specifically designed to add Linux capabilities (such as `SYS_TIME`) to a container without granting full root privileges. This follows the principle of least privilege, allowing only the required capability to modify the system clock.

Exam trap

The trap here is that candidates often confuse `privileged: true` (which grants all capabilities but is overly permissive) with the more precise `capabilities.add` approach, or they mistakenly think `allowPrivilegeEscalation` is related to adding capabilities.

How to eliminate wrong answers

Option B is wrong because `privileged: true` grants all capabilities (including SYS_TIME) but also disables all security restrictions, which is excessive and violates the principle of least privilege. Option C is wrong because `allowPrivilegeEscalation: true` controls whether a process can gain more privileges than its parent (e.g., via setuid binaries), not the addition of specific capabilities. Option D is wrong because `capabilities.drop` is used to remove capabilities from the default set, not to add them.

517
MCQmedium

An administrator wants to ensure that all containers in a deployment run as a non-root user. Which YAML snippet correctly sets the security context to run as user ID 1000?

A.runAsUser: 1000
B.securityContext: runAsUser: 1000
C.securityContext: { runAsNonRoot: true }
D.user: 1000
AnswerB

This sets the container's user ID to 1000, ensuring it does not run as root.

Why this answer

The correct field is 'securityContext.runAsUser: 1000' at the pod or container level. Option C is the only one with the correct syntax.

518
Multi-Selectmedium

Which TWO of the following are best practices for securing the container supply chain? (Select 2)

Select 2 answers
A.Disable image pull secrets to reduce complexity
B.Scan container images for vulnerabilities
C.Hardcode secrets in the Dockerfile for convenience
D.Use minimal base images like Alpine or distroless
E.Run containers as root to simplify permissions
AnswersB, D

Scanning helps detect known vulnerabilities before deployment.

Why this answer

Using minimal base images reduces the attack surface, and scanning images for vulnerabilities helps identify and fix security issues before deployment.

519
Multi-Selectmedium

Which TWO of the following are valid ways to restrict access to the Kubernetes API server?

Select 2 answers
A.Use static token file
B.Use webhook token authentication
C.Enable NodeRestriction admission plugin
D.Configure RBAC authorization
E.Enable anonymous access
AnswersB, D

Valid authentication method.

Why this answer

Webhook token authentication (Option B) is a valid method to restrict API server access because it delegates token validation to an external service via a webhook, allowing custom authentication logic. This is a supported authentication strategy in Kubernetes, enabling fine-grained control over who can access the API server.

Exam trap

CNCF often tests the distinction between authentication (who you are) and authorization (what you can do), so candidates may confuse RBAC (authorization) with authentication mechanisms like webhook tokens, but the question asks for ways to 'restrict access,' which includes both authentication and authorization controls.

520
Multi-Selecteasy

You are auditing a cluster's supply chain security. You find that many pods are running images from public registries without any pinning or verification. Which TWO actions would most effectively reduce the risk of pulling malicious images?

Select 2 answers
A.Configure all deployments to use image digests instead of tags.
B.Set up a private registry proxy that mirrors approved public images and disable direct access to public registries via containerd configuration.
C.Implement RBAC to restrict which users can create pods.
D.Enforce PodSecurityStandard baseline or restricted to block privileged containers.
E.Apply a network policy that blocks egress traffic to public registries.
AnswersA, B

Prevents tag mutation and ensures image integrity.

Why this answer

Option A is correct because using image digests (e.g., `nginx@sha256:abc123...`) pins the image to an immutable content hash, ensuring that the exact same image is pulled every time, even if the tag is updated to a malicious version. This prevents tag-mutation attacks where an attacker replaces a benign image tag with a compromised one. Digests are verified by the container runtime (containerd) against the registry's manifest, providing cryptographic assurance of image integrity.

Exam trap

CNCF often tests the distinction between runtime security controls (PodSecurityStandards, network policies) and supply chain controls (image pinning, registry proxies), and candidates mistakenly think blocking egress or restricting pod creation mitigates the risk of pulling malicious images, when those controls do not affect the image pull process itself.

521
Multi-Selectmedium

Which two of the following are best practices for securing a CI/CD pipeline that builds and deploys container images? (Select TWO.)

Select 2 answers
A.Scan container images for vulnerabilities in the pipeline
B.Store secrets as environment variables in the pipeline configuration
C.Sign container images after building them
D.Run the build process as root to avoid permission issues
E.Grant all permissions to the pipeline service account to avoid failures
AnswersA, C

Scanning helps catch vulnerabilities before deployment.

Why this answer

Options A and C are correct. Scanning images for vulnerabilities in the pipeline ensures that insecure images are not deployed. Signing images ensures integrity and provenance.

Option B is wrong because storing secrets in environment variables in the pipeline is insecure; use secret management. Option D is wrong because running builds as root increases risk. Option E is wrong because granting all permissions violates the principle of least privilege.

522
Multi-Selectmedium

You need to apply a Pod Security Standard that prevents containers from running as root and disallows privileged escalation. Which TWO levels enforce these requirements?

Select 2 answers
A.baseline
B.privileged
C.restricted
D.default
E.unrestricted
AnswersA, C

Baseline restricts privilege escalation and prevents running as root.

Why this answer

The Pod Security Standards (PSS) define three levels: privileged, baseline, and restricted. The baseline level disallows privileged escalation (allowPrivilegeEscalation: false) and prevents containers from running as root by requiring that runAsNonRoot be set to true. The restricted level enforces all baseline requirements plus additional constraints, such as dropping all capabilities and setting seccomp to RuntimeDefault, which also prevents root execution and privileged escalation.

Therefore, both baseline and restricted enforce these two specific requirements.

Exam trap

CNCF often tests the misconception that 'default' or 'unrestricted' are valid PSS levels, when in fact only privileged, baseline, and restricted exist, and candidates may confuse 'privileged' with 'unrestricted' or think that 'default' is a separate level.

523
MCQmedium

Which flag must be set on the API server to enable audit logging?

A.--audit-log-maxage=30
B.--audit-log-format=json
C.--audit-log-path=/var/log/audit.log
D.--audit-policy-file=/etc/kubernetes/audit-policy.yaml
AnswerC

This flag enables audit logging by specifying the log file path.

Why this answer

Option C is correct because the `--audit-log-path` flag is the mandatory parameter that enables audit logging in the kube-apiserver. Without specifying a file path for the audit log, the API server will not write any audit events, even if other audit-related flags are set. This flag tells the API server where to persist the audit log entries, effectively activating the audit logging feature.

Exam trap

The trap here is that candidates often assume setting the audit policy file (`--audit-policy-file`) alone enables auditing, but without `--audit-log-path` the API server does not write any audit logs, making the policy effectively useless.

How to eliminate wrong answers

Option A is wrong because `--audit-log-maxage=30` only controls the maximum number of days to retain old audit log files; it does not enable audit logging itself. Option B is wrong because `--audit-log-format=json` specifies the output format of the audit log (e.g., JSON or legacy format) but does not turn on audit logging. Option D is wrong because `--audit-policy-file` defines the rules for which events to audit, but without `--audit-log-path` the API server will not write any audit log output, making the policy file ineffective.

524
MCQmedium

A cluster administrator notices that a pod using an image from a public registry is failing to start. The image was signed with Cosign, and the cluster has an ImagePolicyWebhook configured to require signatures. The error message from the webhook indicates 'signature verification failed'. What is the most likely cause?

A.The public key used to verify the signature does not match the private key used to sign
B.The image is not signed at all
C.The webhook is not reachable
D.The image tag is incorrect
AnswerA

Signature verification requires the matching public key. If the wrong key is configured, verification will fail.

Why this answer

If the image was signed, but verification fails, it could be due to an incorrect public key being used for verification. The webhook must have the correct key to validate the signature.

525
MCQeasy

Which kubectl command is used to create a Constraint object in OPA/Gatekeeper?

A.kubectl create configmap constraint.yaml
B.kubectl apply -f constraint.yaml
C.kubectl create pod constraint.yaml
D.kubectl create -f constraint.yaml
AnswerB

kubectl apply can create a constraint from a YAML file. However, 'kubectl create -f' also works. Both are common, but 'apply' is more general.

Why this answer

In OPA/Gatekeeper, constraints are custom resources defined by the ConstraintTemplate. They are created using 'kubectl create -f constraint.yaml'. Option A is for creating a pod.

Option B is for applying a manifest (which can create or update). Option D is for creating a ConfigMap.

Page 6

Page 7 of 14

Page 8