Certified Kubernetes Security Specialist CKS (CKS) — Questions 526600

997 questions total · 14pages · All types, answers revealed

Page 7

Page 8 of 14

Page 9
526
MCQeasy

Which of the following is a best practice for storing sensitive data like passwords in Kubernetes?

A.Store them in ConfigMaps
B.Store them in Secrets and mount them as volumes
C.Store them as environment variables in the Pod spec
D.Store them as labels on Pods
AnswerB

Secrets are designed for sensitive data, and mounting as volumes is more secure than environment variables (avoids exposure in process listing).

Why this answer

Mounting Secrets as volumes is recommended over environment variables because they are not exposed in container environment or command output. Secrets themselves are base64 encoded but not encrypted by default; enabling encryption at rest adds another layer.

527
MCQmedium

An administrator needs to enforce the restricted Pod Security Standard on a namespace 'secure-ns'. Which kubectl command should they use?

A.kubectl label namespace secure-ns pod-security.kubernetes.io/enforce=restricted
B.kubectl label namespace secure-ns security=restricted
C.kubectl create podsecuritypolicy restricted -n secure-ns
D.kubectl annotate namespace secure-ns pod-security.kubernetes.io/enforce=restricted
AnswerA

This correctly sets the enforce label for the restricted level.

Why this answer

The correct command uses 'kubectl label' to set the enforce label to 'restricted'. Option C is correct.

528
MCQmedium

A pod is configured with securityContext: runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 The volume mounted at /data is owned by user 1000 and group 2000. The container process inside the pod writes to /data. Which statement about file ownership is true?

A.Files created in /data will be owned by root:root because of the volume mount.
B.Files created in /data will be owned by user 1000 and group 2000.
C.Files created in /data will be owned by user 1000 and group 3000.
D.Files created in /data will be owned by user 1000 and group 1000.
AnswerB

fsGroup sets the group ownership for the volume, and runAsUser sets the user. New files are owned by the user and the fsGroup.

529
MCQeasy

A security engineer wants to scan a container image for vulnerabilities using Trivy. Which command should they use?

A.trivy image <image-name>
B.trivy scan <image-name>
C.trivy repo <image-name>
D.trivy fs <image-name>
AnswerA

'trivy image' is the correct command to scan a container image for vulnerabilities.

Why this answer

Trivy's image scanning command is 'trivy image <image-name>'. The other options are incorrect: 'trivy scan' is not a valid subcommand, 'trivy repo' scans a repository, and 'trivy fs' scans a filesystem.

530
MCQmedium

A security admin wants to drop all Linux capabilities for a container and then add only CAP_NET_BIND_SERVICE. Which YAML snippet correctly achieves this?

A.securityContext: capabilities: drop: ['ALL'] add: ['NET_BIND_SERVICE'] privileged: true
B.securityContext: capabilities: drop: ['NET_BIND_SERVICE'] add: ['ALL']
C.securityContext: capDrop: ['ALL'] capAdd: ['NET_BIND_SERVICE']
D.securityContext: capabilities: drop: ['ALL'] add: ['NET_BIND_SERVICE']
AnswerD

This correctly drops all capabilities and adds the required one.

Why this answer

Option D is correct because it uses the standard Kubernetes `securityContext.capabilities` field with `drop: ['ALL']` to remove all Linux capabilities from the container, then `add: ['NET_BIND_SERVICE']` to grant only the `CAP_NET_BIND_SERVICE` capability. This is the proper YAML syntax for the desired capability set.

Exam trap

CNCF often tests the distinction between the correct `capabilities` object syntax and the incorrect flat field names like `capDrop`/`capAdd`, and the trap is that candidates confuse `privileged: true` with a fine-grained capability control, when in fact it bypasses all capability restrictions.

How to eliminate wrong answers

Option A is wrong because setting `privileged: true` grants all capabilities and disables most security restrictions, completely negating the effect of dropping and adding capabilities. Option B is wrong because it drops `NET_BIND_SERVICE` and adds `ALL`, which would grant all capabilities instead of only `NET_BIND_SERVICE`. Option C is wrong because `capDrop` and `capAdd` are not valid Kubernetes securityContext fields; the correct field names are `capabilities.drop` and `capabilities.add`.

531
MCQhard

An administrator wants to use gVisor as the container runtime for specific high-security workloads. After installing gVisor, what Kubernetes resource must be created to allow pods to request gVisor?

A.RuntimeClass with handler: runsc
B.CustomResourceDefinition for gVisor
C.PodSecurityPolicy with runtimeClass: gvisor
D.ConfigMap with runtime handler mapping
AnswerA

A RuntimeClass resource with handler set to 'runsc' (the gVisor runtime handler) allows pods to specify this runtime via runtimeClassName.

Why this answer

RuntimeClass is the standard Kubernetes way to select a container runtime. For gVisor, the handler is 'runsc'.

532
MCQeasy

Which of the following is the best practice for providing sensitive data like passwords to a pod?

A.Mount secrets as volumes into the pod.
B.Use environment variables to inject secrets directly.
C.Pass secrets via command-line arguments.
D.Hardcode the secret in the container image.
AnswerA

Volume mounts are more secure as they are available only to the container and can have permissions set.

Why this answer

Mounting secrets as volumes is more secure than environment variables because volumes do not expose secrets in process listings or logs.

533
MCQeasy

An admin runs 'kubectl get pods' and sees a pod in 'CrashLoopBackOff' state. The pod's containers have a restart policy of 'Always'. What is the most likely cause?

A.The image pull secret is missing
B.The pod's resource requests exceed node capacity
C.The node is out of memory
D.The container's command fails immediately after start
AnswerD

Correct. A failing command causes the container to exit, and with Always restart policy, it restarts and fails again, leading to CrashLoopBackOff.

Why this answer

CrashLoopBackOff indicates the container keeps crashing after starting. The restart policy 'Always' causes the kubelet to restart it, but if the crash persists, the backoff delay increases. The most likely cause is the application itself failing (e.g., error on startup).

534
MCQmedium

An administrator runs 'kubectl auth can-i --list --as=system:serviceaccount:ns1:my-sa' and sees that the service account has 'create pods' permission via a RoleBinding. Which command can be used to delete that RoleBinding?

A.kubectl delete serviceaccount my-sa -n ns1
B.kubectl delete role <role-name> -n ns1
C.kubectl delete rolebinding <binding-name> -n ns1
D.kubectl delete clusterrolebinding <binding-name>
AnswerC

This deletes the RoleBinding in the specified namespace.

Why this answer

The `kubectl auth can-i --list` output shows that the service account `my-sa` has `create pods` permission via a RoleBinding. To remove that permission, you must delete the RoleBinding object itself, not the service account or the role (unless the role is exclusively used by this binding). Option C correctly uses `kubectl delete rolebinding` with the specific binding name and namespace to revoke the RBAC grant.

Exam trap

CNCF often tests the misconception that deleting the role or the service account is equivalent to removing the permission, but the correct action is to delete the RoleBinding that grants the permission.

How to eliminate wrong answers

Option A is wrong because deleting the service account removes the identity but does not directly delete the RoleBinding; the binding would become orphaned, and the permission would still exist in the cluster (though unusable). Option B is wrong because deleting the role removes the permission definition, but the RoleBinding would still reference a non-existent role, potentially causing errors or leaving the binding in an invalid state; the correct approach is to delete the binding itself. Option D is wrong because the permission was granted via a RoleBinding (namespaced), not a ClusterRoleBinding; deleting a ClusterRoleBinding would not affect a namespaced RoleBinding.

535
Multi-Selectmedium

Which THREE of the following are recommended practices for securing the etcd datastore?

Select 3 answers
A.Disable peer client cert authentication
B.Bind etcd to localhost only if not required to be accessible from other nodes
C.Allow anonymous access to etcd for performance
D.Enable encryption at rest for etcd data
E.Use TLS for all etcd client-to-server communication
AnswersB, D, E

Binding to localhost reduces the attack surface.

Why this answer

Binding etcd to localhost (127.0.0.1) when it does not need to be accessed from other nodes restricts network exposure, reducing the attack surface. This is a fundamental network hardening practice that prevents unauthorized remote access to the etcd datastore, which stores all cluster state and secrets.

Exam trap

The trap here is that candidates may think disabling authentication (Option A) or enabling anonymous access (Option C) improves performance or simplifies setup, but the CKS exam strictly enforces that security controls like mTLS and authentication must never be weakened for any reason.

536
MCQeasy

You suspect a container is running an unexpected process. Which crictl command can you use to list all running containers on the node?

A.crictl stats
B.crictl pods
C.crictl ps
D.crictl images
AnswerC

crictl ps lists running containers, similar to docker ps.

Why this answer

crictl ps lists all running containers on the node. crictl pods lists pods, not containers. crictl images lists images. crictl stats shows resource usage.

537
MCQmedium

A DevOps engineer is setting up a CI/CD pipeline to scan container images for vulnerabilities. They want to fail the pipeline if any critical vulnerabilities are found. Which command should they use to scan the image and produce a JSON output that can be parsed?

A.trivy fs --severity CRITICAL --output json .
B.trivy image --severity CRITICAL --output json myimage:tag
C.trivy image --format table myimage:tag
D.trivy image --severity HIGH myimage:tag
AnswerB

This command correctly scans the image, filters for critical severity, and outputs JSON.

Why this answer

Option B is correct. 'trivy image --severity CRITICAL --output json myimage:tag' will scan the image and return JSON output only for critical severity vulnerabilities. Option A uses severity HIGH which might not include critical. Option C outputs a table format.

Option D scans the filesystem, not the image.

538
MCQhard

You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the 'RequestResponse' level, but only log requests from the 'kube-system' namespace. Which audit policy rule is correct?

A.- level: RequestResponse resources: - apiGroup: "" resources: ["secrets"] namespaces: ["kube-system"]
B.- level: RequestResponse resources: - group: "" resources: ["secrets"] namespaces: ["kube-system"]
C.- level: RequestResponse resources: - group: "" resources: ["secrets"] namespace: ["kube-system"]
D.- level: RequestResponse resources: - group: "" resources: ["secrets"] namespaces: ["kube-system"]
AnswerB

Why this answer

The audit policy uses 'resources' and 'namespaces' fields. Option C correctly specifies the group 'resources' and 'namespaces' field set to ['kube-system']. Option A incorrectly uses 'apiGroups' as a top-level key.

Option B uses 'namespace' singular (should be plural). Option D uses 'namespaces' but incorrectly uses 'apiGroup' singular.

539
MCQmedium

A security engineer runs the following command to inspect a pod's security context: kubectl get pod secure-pod -o jsonpath='{.spec.containers[0].securityContext.capabilities}' The output is: {"drop":["ALL"]} What does this indicate?

A.The container has all Linux capabilities dropped
B.The output is invalid because capabilities should be in add field
C.The container has no capability restrictions
D.The container has only the NET_ADMIN capability added
AnswerA

The output shows that the 'drop' field contains 'ALL', meaning all capabilities are removed from the container.

Why this answer

The capabilities field with drop: ["ALL"] removes all Linux capabilities from the container, increasing security.

540
Multi-Selectmedium

Which TWO of the following are valid audit stages in Kubernetes audit logging?

Select 2 answers
A.ResponseStarted
B.Panic
C.ResponseFinished
D.RequestProcessing
E.RequestReceived
AnswersA, E

Valid audit stage.

Why this answer

The valid audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. RequestReceived and ResponseComplete are two of them.

541
MCQhard

An OPA/Gatekeeper constraint is configured to allow only images from 'trusted-registry.io'. A pod is created with image 'trusted-registry.io/app:v1' but is denied. Which is the MOST likely cause?

A.The constraint is only applied in the default namespace
B.The image tag is not pinned to a digest
C.The image is not signed
D.The constraint uses regex and the image does not match the pattern
AnswerD

The constraint likely expects a specific pattern, and the image may not match exactly (e.g., missing path).

Why this answer

Gatekeeper constraints can enforce specific registries. If the constraint does not match the exact registry name (e.g., missing port or path), the pod will be denied.

542
MCQmedium

You want to preserve evidence from a compromised pod. Which command should you use to copy the entire container filesystem to a safe location?

A.crictl export <container-id> /tmp/evidence.tar
B.kubectl cp <pod>:/ /tmp/evidence
C.kubectl exec <pod> -- tar czf - / > /tmp/evidence.tar.gz
D.kubectl logs <pod> > /tmp/evidence.log
AnswerB

kubectl cp copies from the container's root directory to a local directory.

Why this answer

kubectl cp copies files from the container to the local machine. Using a tarball pipeline is an alternative, but kubectl cp is the standard method.

543
MCQeasy

Which admission plugin should be enabled on the API server to enforce that kubelet cannot modify nodes other than its own?

A.NodeSelector
B.PodSecurity
C.NodeRestriction
D.AlwaysPullImages
AnswerC

Correct. NodeRestriction ensures kubelet can only modify its own node.

Why this answer

The NodeRestriction admission plugin ensures that a kubelet can only modify its own Node object and Pods bound to it. This prevents a compromised or misconfigured kubelet from tampering with other nodes, enforcing the principle of least privilege. Without this plugin, a kubelet could potentially update labels, taints, or status on any node, leading to cluster instability or privilege escalation.

Exam trap

CNCF often tests the distinction between admission plugins that control Pod behavior (like PodSecurity or AlwaysPullImages) versus those that control kubelet authorization (NodeRestriction), leading candidates to confuse Pod-level security with node-level access control.

How to eliminate wrong answers

Option A is wrong because NodeSelector is not an admission plugin; it is a field in Pod specs used to constrain which nodes a Pod can be scheduled on, not a kubelet authorization control. Option B is wrong because PodSecurity is an admission plugin that enforces Pod Security Standards (e.g., privileged, baseline, restricted) on Pods, but it does not restrict kubelet actions on node objects. Option D is wrong because AlwaysPullImages is an admission plugin that forces image pull policy to Always, ensuring images are always pulled from the registry, but it has no effect on kubelet node modification permissions.

544
Multi-Selecteasy

Which TWO of the following are valid methods to securely manage secrets in Kubernetes?

Select 2 answers
A.Use Kubernetes Secrets with encryption at rest enabled
B.Store secrets in ConfigMaps and use them in pods
C.Commit secrets to a private Git repository
D.Store secrets directly in the application code
E.Use an external secret manager like HashiCorp Vault with a sidecar or CSI driver
AnswersA, E

Kubernetes Secrets can be encrypted using EncryptionConfiguration.

Why this answer

Secrets should be stored in etcd encrypted, and external secret managers like HashiCorp Vault provide better security. Using ConfigMaps for secrets is insecure because ConfigMaps are not encrypted. Committing secrets to Git is a security risk.

Hardcoding secrets in code is also insecure.

545
Multi-Selecthard

Which THREE are valid methods to verify the integrity and origin of a container image? (Select 3)

Select 3 answers
A.Trivy fs
B.Notary
C.Syft
D.Cosign verify
E.ImagePolicyWebhook
AnswersB, D, E

Notary provides signing and verification of content.

Why this answer

Cosign sign/verify uses cryptographic signing. Notary is a CNCF project for image signing. ImagePolicyWebhook can call an external service to verify images based on policy.

546
MCQmedium

You need to apply a seccomp profile to all containers in a pod. The profile is named 'custom-profile.json' and is stored on each node at /var/lib/kubelet/seccomp/. Complete the following YAML snippet: ```yaml apiVersion: v1 kind: Pod metadata: name: secure-pod spec: securityContext: seccompProfile: type: Localhost localhostProfile: ??? ``` What should replace ???

A.custom-profile.json
B.localhost/custom-profile.json
C.profile: custom-profile.json
D./var/lib/kubelet/seccomp/custom-profile.json
AnswerA

The localhostProfile field expects the filename relative to the seccomp directory.

Why this answer

The 'localhostProfile' field should contain the filename of the profile relative to the seccomp directory on the node. The full path is /var/lib/kubelet/seccomp/custom-profile.json, so the value should be 'custom-profile.json'. Option A is correct.

Option B is incorrect because it includes the full path, which is not needed. Option C is incorrect because 'localhost' is not a valid type. Option D is incorrect because the field is 'localhostProfile', not 'profile'.

547
MCQhard

You are a security engineer for a large e-commerce company. The Kubernetes cluster runs on-premises and hosts critical payment processing applications. Recently, a security scan revealed that several pods are running with privileged escalation enabled, and some have a writable root filesystem. The cluster uses Kubernetes v1.26 with PodSecurity admission controller enabled but currently set to 'privileged' profile for all namespaces. The development teams require flexibility for some legacy applications that need to run with hostNetwork or hostPID. However, the security team wants to enforce a restricted profile for most namespaces while allowing exceptions. The CISO has mandated that no pod should run as root, and all pods must have read-only root filesystem and privilege escalation disabled. Additionally, any pod that requires hostNetwork or hostPID must be explicitly approved and placed in a separate namespace. You need to design a solution that meets these requirements with minimal operational overhead. What is the best course of action?

A.Deploy OPA Gatekeeper and create constraints to enforce read-only root filesystem, no privilege escalation, and non-root user, with exceptions via label selectors
B.Keep the current 'privileged' profile and rely on runtime security tools like Falco to detect violations
C.Use PodSecurity admission with 'restricted' profile for most namespaces by labeling them with 'pod-security.kubernetes.io/enforce=restricted', and create a separate namespace with 'baseline' profile for legacy apps that require hostNetwork/hostPID, after reviewing and approving each exception
D.Change the PodSecurity profile to 'restricted' cluster-wide and require all legacy apps to be rewritten to not need hostNetwork/hostPID
AnswerC

This uses native Kubernetes features, enforces the mandates, and allows controlled exceptions.

Why this answer

Option C is correct because PodSecurity admission (PSA) is the native Kubernetes mechanism for enforcing pod security standards with minimal operational overhead. By labeling most namespaces with 'pod-security.kubernetes.io/enforce=restricted', you enforce the CISO's mandates (non-root, read-only root filesystem, no privilege escalation) automatically. Creating a separate namespace with the 'baseline' profile allows legacy apps requiring hostNetwork/hostPID to run after explicit approval, while still blocking privileged escalation and other dangerous capabilities.

Exam trap

CNCF often tests the misconception that OPA Gatekeeper is always required for fine-grained policy enforcement, when in fact PodSecurity admission with 'baseline' and 'restricted' profiles can handle common exceptions like hostNetwork/hostPID without additional tooling.

How to eliminate wrong answers

Option A is wrong because deploying OPA Gatekeeper introduces significant operational overhead (managing constraint templates, rego policies, and label selectors) when the native PodSecurity admission controller already meets the requirements with simpler namespace labeling. Option B is wrong because keeping the 'privileged' profile and relying on Falco for detection only alerts on violations after they occur, failing the CISO's mandate to prevent pods from running as root or with writable root filesystem. Option D is wrong because changing the profile to 'restricted' cluster-wide would block all legacy apps that need hostNetwork/hostPID, as the 'restricted' profile explicitly denies these settings, and rewriting all legacy apps is not a minimal-overhead solution.

548
MCQeasy

To isolate a compromised pod and prevent all incoming and outgoing traffic, which Kubernetes resource should you use?

A.ResourceQuota
B.PodSecurityPolicy
C.NetworkPolicy with spec.podSelector: {} and spec.policyTypes: [Ingress, Egress]
D.LimitRange
AnswerC

Why this answer

NetworkPolicy with empty podSelector and policyTypes: Ingress, Egress denies all traffic.

549
MCQmedium

Which of the following is a best practice for Dockerfiles to improve supply chain security?

A.Use the latest tag for base images to get the newest features
B.Run the container as root by default
C.Use a distroless base image
D.Hardcode secrets directly in the Dockerfile
AnswerC

Distroless images contain only the application and its runtime dependencies, reducing the attack surface.

Why this answer

Using distroless base images reduces the attack surface by minimizing installed packages and dependencies.

550
MCQmedium

To verify a signed container image, which command should be used?

A.cosign verify myimage:latest
B.trivy verify myimage:latest
C.kubectl verify myimage:latest
D.cosign validate myimage:latest
AnswerA

This command verifies the signature of the image using the public key or keyless mode.

Why this answer

Cosign verify checks the signature of an image. Option A is correct.

551
MCQhard

An admin wants to enforce that all pods in a namespace use a read-only root filesystem except for a specific deployment that needs to write to a temporary directory. Which approach best meets this requirement?

A.Use a Gatekeeper Constraint that denies pods with readOnlyRootFilesystem not set to true, but add an exception label on the specific deployment's namespace or pod, and modify the Constraint to skip pods with that label
B.Set a default readOnlyRootFilesystem: true via a mutating webhook, and then manually patch the specific deployment after creation
C.Modify the PodSecurityPolicy to allow readOnlyRootFilesystem: false for the specific deployment's service account
D.Set readOnlyRootFilesystem: true in the deployment's pod template and add an emptyDir volume for the temporary directory
AnswerA

This allows fine-grained, policy-based enforcement with exceptions.

Why this answer

Option C is correct. Using a Constraint that allows exceptions via label matching is the most flexible. Option A is not possible per pod.

Option B would require manual maintenance. Option D would still require a policy to enforce non-exempt pods.

552
Multi-Selectmedium

Which two of the following are correct ways to enforce least privilege for service accounts? (Choose two.)

Select 2 answers
A.Set automountServiceAccountToken: false in Pod spec for pods that do not need API access
B.Add multiple ClusterRoleBindings to a single service account to ensure it has access to all resources
C.Use the default service account for all workloads
D.Create a dedicated service account with only the required RBAC permissions
E.Grant cluster-admin ClusterRole to the service account for simplicity
AnswersA, D

This prevents unnecessary token mounting.

Why this answer

Setting `automountServiceAccountToken: false` in the Pod spec prevents the automatic mounting of the service account token into the container. This enforces least privilege by ensuring that pods which do not require API access cannot inadvertently use the token to authenticate to the Kubernetes API server, reducing the attack surface.

Exam trap

CNCF often tests the misconception that the default service account is safe to use for all workloads, when in fact it should be replaced with dedicated service accounts that have minimal, scoped RBAC permissions.

553
MCQmedium

A pod in namespace 'secure' has the following securityContext: securityContext: runAsNonRoot: true runAsUser: 1000 capabilities: drop: ["ALL"] add: ["NET_BIND_SERVICE"] The pod fails to start. The namespace is enforced with the 'restricted' Pod Security Standard. What is the most likely reason?

A.The pod adds capabilities, which is not allowed by the restricted policy.
B.The runAsUser is set to 1000, which is not allowed by the restricted policy.
C.The pod sets runAsNonRoot to true, which is not allowed by the restricted policy.
D.The pod drops all capabilities, which is not allowed by the restricted policy.
AnswerA

Restricted policy prohibits adding capabilities beyond the default set; NET_BIND_SERVICE is not allowed.

Why this answer

The 'restricted' Pod Security Standard (PSS) explicitly prohibits adding any capabilities beyond the default set, which is empty. Since the pod's securityContext adds the NET_BIND_SERVICE capability, it violates the restricted policy, causing the pod to fail to start.

Exam trap

CNCF often tests the nuance that the restricted policy forbids adding any capabilities, even if they are considered 'safe' or commonly used, and candidates may mistakenly think that dropping all capabilities is the violation or that runAsUser: 1000 is the issue.

How to eliminate wrong answers

Option B is wrong because the restricted policy does allow runAsUser values, provided they are not 0 (root); 1000 is a non-root user and is permitted. Option C is wrong because runAsNonRoot: true is actually required by the restricted policy, not disallowed. Option D is wrong because dropping all capabilities is not only allowed but is a requirement of the restricted policy, which mandates dropping all capabilities and adding none.

554
MCQhard

A Falco rule has the following condition: spawned_process and container and proc.name = bash and proc.pname != sshd. What does this rule detect?

A.Any process named bash on the host
B.A bash shell started in a container via SSH
C.An SSH connection to a container
D.A bash shell started in a container from a non-SSH parent process
AnswerD

Why this answer

It detects a bash shell spawned inside a container where the parent process is not sshd.

555
MCQmedium

A DevOps engineer wants to ensure that all pods in a namespace have seccomp set to RuntimeDefault unless explicitly overridden. Which approach should be used to enforce this?

A.Add a PodSecurityPolicy that sets seccomp to RuntimeDefault
B.Use a cronjob to audit and modify pods that do not have seccomp set
C.Add a seccomp profile to the kubelet configuration
D.Configure the namespace with the label 'pod-security.kubernetes.io/enforce: restricted'
AnswerD

This enables Pod Security Admission with the restricted level, which requires seccomp to be set to RuntimeDefault or Localhost.

Why this answer

Option D is correct because the 'restricted' Pod Security Standard enforces seccomp to RuntimeDefault as a baseline requirement. By labeling the namespace with 'pod-security.kubernetes.io/enforce: restricted', the built-in Pod Security Admission controller automatically rejects any pod that does not set seccomp to RuntimeDefault (or a custom profile), without needing a separate policy or manual auditing.

Exam trap

The trap here is that candidates confuse kubelet-level seccomp configuration (which affects the kubelet, not pods) with pod-level enforcement, or they mistakenly think deprecated PSPs are still a valid solution for seccomp enforcement.

How to eliminate wrong answers

Option A is wrong because PodSecurityPolicy (PSP) is deprecated in Kubernetes 1.21 and removed in 1.25, so it cannot be used in modern clusters; also, PSP does not natively enforce seccomp profiles by default. Option B is wrong because a cronjob that audits and modifies pods is reactive, not proactive, and violates the principle of enforcement—pods without seccomp would already be running before the cronjob acts. Option C is wrong because kubelet configuration sets a seccomp profile for the kubelet process itself, not for pods; pod seccomp is controlled via securityContext in the pod spec or admission controllers.

556
Multi-Selecthard

Which THREE of the following are valid techniques for isolating a compromised pod during incident response? (Choose three)

Select 3 answers
A.Modify the container image to disable networking
B.Apply a NetworkPolicy that denies all ingress and egress traffic to the pod
C.Cordon the node where the pod is running
D.Add a label 'isolated=true' to the pod and apply a NetworkPolicy that selects that label and denies all traffic
E.Delete the pod immediately to stop the threat
AnswersB, C, D

This isolates the pod at the network level.

Why this answer

Isolation techniques include using NetworkPolicy to restrict network traffic, adding a label to the pod and applying a policy that denies all traffic, and cordoning the node to prevent new pods. Deleting the pod is a response action but not isolation; modifying the container image is not isolation.

557
MCQeasy

Which command creates a validating webhook configuration that checks all pods in the cluster?

A.kubectl create mutatingwebhookconfiguration my-webhook --from-file=webhook.yaml
B.kubectl run webhook --image=webhook
C.kubectl create validatingwebhookconfiguration my-webhook --from-file=webhook.yaml
D.kubectl apply -f webhook.yaml --validating
AnswerC

Correct.

Why this answer

ValidatingWebhookConfiguration is the resource for admission webhooks that validate resources.

558
Multi-Selectmedium

Which TWO of the following are recommended practices for securing the Kubernetes dashboard?

Select 2 answers
A.Avoid exposing the dashboard to the public internet
B.Expose the dashboard via a NodePort service for easy access
C.Enable anonymous access to the dashboard
D.Use RBAC to restrict dashboard permissions
E.Run the dashboard as a DaemonSet
AnswersA, D

Public exposure increases attack surface.

Why this answer

Option A is correct because exposing the Kubernetes dashboard to the public internet significantly increases the attack surface, making it a prime target for credential theft, API abuse, and cluster compromise. The dashboard should only be accessible via internal networks, VPNs, or using kubectl proxy with authentication, never directly over the internet.

Exam trap

CNCF often tests the misconception that NodePort or anonymous access are acceptable for convenience in a lab environment, but the CKS exam strictly requires production-hardened configurations where any public exposure or unauthenticated access is automatically incorrect.

559
MCQmedium

A pod manifest is shown. What security issue remains in this configuration?

A.The container runs as root (user 0)
B.The container has a writable root filesystem
C.The container has dangerous capabilities
D.The container can escalate privileges
AnswerB

There is no readOnlyRootFilesystem: true, so the root filesystem is writable, which is a security risk.

Why this answer

Option B is correct because the pod manifest does not set `readOnlyRootFilesystem: true` in the container's security context. Without this setting, the container's root filesystem is writable by default, allowing an attacker who compromises the container to modify binaries, configuration files, or write malicious scripts to persistent storage, thereby increasing the attack surface and potentially enabling persistence or privilege escalation.

Exam trap

The trap here is that candidates often assume the default security context is secure, but Cisco tests the specific omission of `readOnlyRootFilesystem: true` as a distinct hardening requirement, even when other settings like `runAsNonRoot: true` are present.

How to eliminate wrong answers

Option A is wrong because the question does not specify that the container runs as root; the manifest may not set `runAsUser: 0`, and even if it did, running as root is not inherently a security issue if other controls (like dropping capabilities and read-only rootfs) are in place. Option C is wrong because the manifest does not show any added capabilities; by default, containers run with a restricted set of capabilities, and dangerous capabilities like CAP_SYS_ADMIN are not present unless explicitly added. Option D is wrong because the manifest does not set `allowPrivilegeEscalation: true`; by default, this is false in Kubernetes 1.24+ and prevents processes from gaining more privileges than their parent, so no escalation risk is introduced by the manifest as shown.

560
MCQmedium

A security audit reveals that a ServiceAccount named 'monitor' has a ClusterRoleBinding to the cluster-admin role. What is the best remediation?

A.Set automountServiceAccountToken to false on the pods
B.Add a second ClusterRoleBinding to a more restrictive role
C.Delete the ServiceAccount
D.Create a new ClusterRoleBinding with a limited role
AnswerD

This reduces privileges while maintaining functionality.

Why this answer

Option D is correct because the best practice is to replace an overly permissive ClusterRoleBinding (like cluster-admin) with a new binding that grants only the specific permissions the 'monitor' ServiceAccount needs, following the principle of least privilege. Deleting the ServiceAccount (C) might break dependent workloads, while merely adding a second binding (B) doesn't remove the dangerous cluster-admin binding. Setting automountServiceAccountToken to false (A) prevents token mounting but doesn't revoke the existing RBAC permissions, leaving the account still capable of escalating privileges if the token is obtained elsewhere.

Exam trap

CNCF often tests the misconception that simply adding a restrictive binding or disabling token mounting is sufficient to limit permissions, when in reality RBAC permissions are cumulative and the original dangerous binding must be explicitly removed.

How to eliminate wrong answers

Option A is wrong because setting automountServiceAccountToken to false only prevents automatic mounting of the service account token into pods; it does not revoke the existing ClusterRoleBinding, so the 'monitor' ServiceAccount still has cluster-admin privileges if the token is accessed via other means (e.g., manually mounted or leaked). Option B is wrong because adding a second ClusterRoleBinding to a more restrictive role does not remove the existing cluster-admin binding; the user or service account will still have the union of all permissions, including the overly permissive cluster-admin role. Option C is wrong because deleting the ServiceAccount may break applications or controllers that depend on it, and it does not address the underlying misconfiguration of the ClusterRoleBinding; a better approach is to replace the binding with a least-privilege role.

561
MCQhard

You are a security engineer for a financial services company running a Kubernetes cluster with 50 nodes. The cluster uses containerd as the container runtime and Calico for networking. The security team has detected unusual outbound network connections from a pod running in the 'payments' namespace to an external IP address known to be a command-and-control server. The pod is part of a Deployment named 'payment-processor' with 3 replicas. The cluster has a Falco daemonset deployed with default rules, and audit logging is enabled for the API server. You need to quickly identify the compromised container and contain the threat. Which action should you take FIRST?

A.Use 'kubectl exec -it <pod> -- bash' to inspect the container, then kill the malicious process from within
B.Scale the 'payment-processor' Deployment to 0 replicas to immediately stop all pods
C.Check the Falco logs for an alert containing the pod name, then use 'kubectl delete pod' to remove the compromised pod
D.Identify the node hosting the suspicious pod using 'kubectl get pod -o wide', then SSH to that node and use 'crictl ps' to list containers, then 'crictl stop' the container
AnswerD

This directly stops the specific container without affecting other replicas and preserves the ability to investigate.

Why this answer

Option D is correct because it follows the proper incident response workflow for a compromised container: first identify the node hosting the suspicious pod using `kubectl get pod -o wide`, then SSH to that node and use `crictl ps` (the containerd CLI) to list running containers and their IDs, then use `crictl stop` to immediately halt the compromised container. This approach directly isolates the threat at the container runtime level without relying on potentially compromised in-pod tools or deleting the pod (which could be recreated by the Deployment controller).

Exam trap

CNCF often tests the misconception that `kubectl delete pod` is sufficient for containment, but the trap here is that a Deployment controller will immediately recreate the pod, so you must either scale the Deployment to 0 (which destroys evidence) or directly stop the container at the runtime level using `crictl stop`.

How to eliminate wrong answers

Option A is wrong because using `kubectl exec -it <pod> -- bash` to inspect the container assumes the container has a shell and that the shell is not compromised; the attacker may have disabled or replaced `bash`, and any commands run inside could be tampered with or alert the attacker. Option B is wrong because scaling the Deployment to 0 replicas deletes all pods, destroying forensic evidence and potentially triggering the Deployment's restart policy or a ReplicaSet recreation, and it does not isolate the specific compromised container for investigation. Option C is wrong because Falco logs may not contain the exact pod name if the default rules do not capture outbound C2 traffic or if the alert is not triggered; additionally, `kubectl delete pod` will cause the Deployment controller to immediately recreate the pod, failing to contain the threat.

562
MCQmedium

A pod is running with a custom seccomp profile located at /var/lib/kubelet/seccomp/my-profile.json. Which securityContext configuration correctly applies this profile?

A.seccompProfile: { type: RuntimeDefault }
B.seccompProfile: { type: Localhost, localhostProfile: my-profile.json }
C.seccompProfile: { type: Localhost, localhostProfile: /var/lib/kubelet/seccomp/my-profile.json }
D.seccompProfile: { type: Unconfined }
AnswerB

Correct. 'type: Localhost' tells Kubernetes to use a local file, and 'localhostProfile' specifies the filename relative to /var/lib/kubelet/seccomp/.

Why this answer

Option B sets the seccomp type to Localhost and specifies the path relative to /var/lib/kubelet/seccomp/. Option A incorrectly uses 'localhostProfile' but the field name is 'localhostProfile'? Actually the correct field is 'localhostProfile' but the type should be Localhost. Option C uses RuntimeDefault, not custom.

Option D uses Unconfined, which disables seccomp.

563
MCQmedium

You need to encrypt etcd data at rest using AES-CBC. Which encryption provider should you specify in the EncryptionConfiguration?

A.aesgcm
B.aescbc
C.aes-256-cbc
D.secretbox
AnswerB

aescbc is the supported provider for AES-CBC encryption at rest.

Why this answer

Option B (aescbc) is correct because Kubernetes supports AES-CBC encryption via the 'aescbc' provider in the EncryptionConfiguration. This provider uses AES in Cipher Block Chaining mode with a 32-byte key for encryption at rest, as specified in the Kubernetes documentation for encrypting etcd data.

Exam trap

The trap here is that candidates confuse the Kubernetes provider name 'aescbc' with the generic algorithm name 'aes-256-cbc' or other encryption modes like 'aesgcm', but the exam expects exact knowledge of the Kubernetes-specific provider identifiers as defined in the official documentation.

How to eliminate wrong answers

Option A (aesgcm) is wrong because AES-GCM is an authenticated encryption mode that requires a unique nonce per key and is not recommended for encrypting etcd data at rest due to nonce reuse risks and lack of support as a standalone provider in Kubernetes EncryptionConfiguration. Option C (aes-256-cbc) is wrong because Kubernetes does not recognize 'aes-256-cbc' as a valid provider name; the correct identifier is 'aescbc', and the key length is determined by the key file, not the provider string. Option D (secretbox) is wrong because Secretbox is a NaCl-based encryption scheme using XSalsa20-Poly1305, which is not a built-in provider in Kubernetes; it would require a custom implementation or is used in other contexts like libsodium.

564
Multi-Selectmedium

Which TWO are tools for static analysis of Kubernetes manifests? (Select 2)

Select 2 answers
A.Cosign
B.Trivy
C.Kubesec
D.Clair
E.Checkov
AnswersC, E

Scans Kubernetes manifests for security issues.

Why this answer

Kubesec and Checkov are both tools that perform static analysis on Kubernetes resource definitions to identify misconfigurations and security issues.

565
MCQhard

During a cluster upgrade, the kubelet on a worker node fails to start after updating the kubelet binary. The kubelet logs show: 'failed to load bootstrap client certificate: open /var/lib/kubelet/pki/kubelet-client-current.pem: no such file or directory'. What is the most likely cause?

A.The kubelet's node IP has changed
B.The kubelet's certificate has expired
C.The kubelet is using an outdated kubeconfig
D.The bootstrap kubeconfig file is missing or misconfigured
AnswerD

The bootstrap kubeconfig is used to initially request a client certificate; missing file leads to this error.

Why this answer

The error 'failed to load bootstrap client certificate: open /var/lib/kubelet/pki/kubelet-client-current.pem: no such file or directory' indicates that the kubelet cannot find the bootstrap client certificate file. This file is generated from the bootstrap kubeconfig file during the initial TLS bootstrapping process. If the bootstrap kubeconfig file is missing or misconfigured, the kubelet cannot request or renew its client certificate, leading to this failure.

Exam trap

CNCF often tests the distinction between bootstrap kubeconfig errors and certificate expiry errors; the trap here is that candidates confuse a missing file (bootstrap configuration issue) with a certificate expiry or authentication problem, leading them to choose options B or C.

How to eliminate wrong answers

Option A is wrong because a change in the node IP would cause network connectivity issues or certificate SAN mismatches, not a missing certificate file. Option B is wrong because an expired certificate would produce a different error, such as 'certificate has expired' or 'x509: certificate has expired or is not yet valid', not a 'no such file or directory' error. Option C is wrong because an outdated kubeconfig would cause authentication failures (e.g., 'Unauthorized') or token expiry errors, not a missing file error for the bootstrap client certificate.

566
MCQeasy

Which flag must be provided to the kube-apiserver to enable audit logging?

A.--enable-admission-plugins
B.--authorization-mode
C.--audit-log-path
D.--audit-policy-file
AnswerD

Correct. This flag points to the audit policy file that defines which events to log and at what level.

Why this answer

The --audit-policy-file flag specifies the path to the audit policy file. Without this, audit logging is disabled.

567
Matchingmedium

Match each Kubernetes admission controller to its role in security.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Limits the Node and Pod objects a kubelet can modify

Ensures images are always pulled, preventing use of local images

Denies pods with certain security context settings (deprecated)

Implements automation for service accounts

Enforces namespace-level node selector restrictions

Why these pairings

Admission controllers intercept requests to the API server and can enforce security policies.

568
Multi-Selectmedium

Which TWO of the following are valid methods to ensure only signed images are deployed in a Kubernetes cluster?

Select 2 answers
A.Configure ImagePolicyWebhook to require signatures
B.Set imagePullPolicy: Always
C.Run 'cosign verify' manually before every deployment
D.Use Kyverno policy to verify image signatures
E.Use NodeRestriction admission controller
AnswersA, D

ImagePolicyWebhook can reject unsigned images.

Why this answer

Using an admission controller like ImagePolicyWebhook or Kyverno can enforce signature verification. Cosign verify is a manual step, not a cluster-wide enforcement.

569
Multi-Selecthard

Which THREE of the following are common indicators of a container compromise that Falco can detect? (Select 3)

Select 3 answers
A.Unexpected outbound network connections
B.Reading sensitive files like /etc/shadow
C.High CPU usage
D.Spawning a shell inside a container
E.Pod restarting in a loop
AnswersA, B, D

Falco can detect connect syscalls to unexpected destinations.

Why this answer

Falco can detect shell spawning, sensitive file reads, and unexpected outbound connections via syscall monitoring. CPU/memory spikes are not directly detected by Falco as they are not syscall events; they are typically monitored by metrics tools. Pod restart loops are a Kubernetes-level symptom, not a direct syscall event.

570
MCQhard

A security team wants to use OPA/Gatekeeper to enforce that all namespaces must have a label 'security-tier' with value 'high' or 'medium'. What is the correct approach?

A.Write a MutatingWebhookConfiguration that adds the label automatically.
B.Use kubectl label command with a --validate flag.
C.Create a ValidatingWebhookConfiguration that directly contains the Rego policy.
D.Create a ConstraintTemplate with Rego that denies namespaces missing the label, then create a Constraint referencing that template.
AnswerD

This is the standard Gatekeeper pattern: ConstraintTemplate defines the rule, Constraint applies it to specific resources.

Why this answer

The correct approach is to create a ConstraintTemplate that defines the Rego logic for checking the label, and then create a Constraint that uses that template. The Constraint is the actual policy object that specifies the enforcement scope (e.g., all namespaces).

571
MCQmedium

An administrator wants to prevent pods from using secrets as environment variables and enforce that secrets are only mounted as volumes. Which admission controller could be used to achieve this?

A.NetworkPolicy
B.MutatingWebhookConfiguration
C.PodSecurityPolicy (deprecated)
D.ValidatingWebhookConfiguration
AnswerB

A mutating webhook can automatically modify the pod spec to replace env vars with volume mounts, enforcing the policy without rejecting the pod.

Why this answer

A MutatingWebhookConfiguration can be used to modify pod specs at admission time, for example to remove environment variable references to secrets and replace them with volume mounts. Alternatively, a ValidatingWebhookConfiguration could deny pods that use secrets as env vars. Both are valid, but a mutating webhook can automatically fix the issue.

572
MCQhard

A pod is stuck in Pending state. You run 'kubectl describe pod' and see the event: '0/3 nodes are available: 3 Insufficient cpu'. What is the likely cause?

A.The pod's image pull policy is set to Always and the registry is unreachable
B.The pod's CPU request exceeds the available CPU capacity on all nodes
C.The cluster has a taint that the pod does not tolerate
D.The scheduler is misconfigured and not running
AnswerB

No node has enough allocatable CPU to satisfy the pod's request.

Why this answer

The event indicates insufficient CPU resources on all nodes to meet the pod's CPU request.

573
MCQmedium

In a CI/CD pipeline, at which stage should container image scanning be performed?

A.Only when a vulnerability is reported
B.After deployment to production
C.Before code commit
D.After building the image but before pushing to registry
AnswerD

Scanning at this stage prevents vulnerable images from being stored or deployed.

Why this answer

Scanning should be performed after building the image to catch vulnerabilities before pushing to registry. Option B is correct.

574
MCQmedium

Which of the following is the correct way to drop all Linux capabilities for a container?

A.capability: drop: ["ALL"]
B.capabilities: drop: ["NET_RAW", "CHOWN"]
C.capabilities: drop: ["ALL"]
D.capabilities: add: ["ALL"]
AnswerC

Correct field and value.

Why this answer

Option C is correct because in a Kubernetes Pod security context, the `capabilities` field is a list of capabilities to add or drop. Dropping `ALL` removes all Linux capabilities from the container, which is the most restrictive and secure approach. The correct YAML syntax uses `capabilities:` (plural) with a `drop:` list containing `"ALL"`.

Exam trap

CNCF often tests the distinction between singular `capability` and plural `capabilities` in the YAML field name, as well as the difference between `drop: ["ALL"]` and `add: ["ALL"]`, to catch candidates who misremember the exact syntax or confuse dropping with adding capabilities.

How to eliminate wrong answers

Option A is wrong because it uses `capability:` (singular) instead of the correct `capabilities:` (plural) field name in the Pod security context. Option B is wrong because it drops only specific capabilities (`NET_RAW` and `CHOWN`) rather than all capabilities, which does not achieve the goal of dropping all Linux capabilities. Option D is wrong because it adds `ALL` capabilities, which grants every capability to the container, the opposite of what is required.

575
MCQmedium

You want to run a container with gVisor (runsc) runtime for sandboxing. Which resource is required to use a non-default runtime?

A.PodSecurityPolicy
B.ContainerRuntime resource
C.RuntimeClass resource
D.Node runtime configuration only
AnswerC

Correct. RuntimeClass is a cluster-scoped resource that defines a runtime handler (e.g., runsc) and is referenced in pod spec.

Why this answer

A RuntimeClass resource defines a container runtime (e.g., gVisor) that can be referenced in pod spec via 'runtimeClassName'. This is the standard way to use alternative runtimes in Kubernetes.

576
MCQeasy

Which command is used to load an AppArmor profile into the kernel?

A.aa-status
B.apparmor_parser
C.aa-load
D.aa-enforce
AnswerB

apparmor_parser is the utility to load profiles into the kernel.

Why this answer

The 'apparmor_parser' command is used to load AppArmor profiles into the kernel. Options A and C are not valid AppArmor commands. Option D is used to check status.

577
MCQmedium

An admin runs 'kubectl describe pod secure-pod' and sees 'seccompProfile: RuntimeDefault' under the container's security context. Which seccomp profile is being used?

A.A custom seccomp profile from '/var/lib/kubelet/seccomp/' is used
B.The container runtime's default seccomp profile is applied
C.The container runtime's seccomp profile is set to 'Unconfined'
D.Seccomp is disabled for this container
AnswerB

'RuntimeDefault' instructs the runtime to use its default seccomp profile.

Why this answer

When `seccompProfile` is set to `RuntimeDefault` in a container's security context, Kubernetes instructs the container runtime (e.g., containerd, CRI-O) to apply its own default seccomp profile. This profile is typically a restrictive set of syscalls that blocks dangerous or unnecessary system calls while allowing common operations. It is not a custom profile from the node's filesystem, nor does it disable seccomp or set it to unconfined.

Exam trap

The trap here is that candidates confuse `RuntimeDefault` with a custom profile stored on the node's filesystem, or mistakenly think it disables seccomp entirely, when in fact it instructs the runtime to apply its own pre-configured default seccomp filter.

How to eliminate wrong answers

Option A is wrong because `RuntimeDefault` does not reference a custom profile from `/var/lib/kubelet/seccomp/`; that path is used for `Localhost` profiles only. Option C is wrong because `RuntimeDefault` explicitly applies the runtime's default profile, not `Unconfined`, which would disable seccomp entirely. Option D is wrong because `RuntimeDefault` means seccomp is enabled and enforced by the runtime's default rules, not disabled.

578
MCQeasy

You have deployed a pod and set `securityContext.readOnlyRootFilesystem: true`. The pod is failing to start with an error about writing to `/tmp`. What is the most likely cause?

A.The `securityContext` is misspelled
B.The pod is missing an emptyDir volume mounted at `/tmp`
C.The container image does not have `/tmp` directory
D.The container is running as a non-root user
AnswerB

An emptyDir volume provides a writable location on an otherwise read-only root filesystem.

Why this answer

When `readOnlyRootFilesystem` is true, the container cannot write to any path on the root filesystem unless a writable volume is mounted. `/tmp` is on the root filesystem by default, so the container needs an emptyDir volume mounted at `/tmp` to write there.

579
MCQeasy

Which annotation is used to apply an AppArmor profile to a pod in Kubernetes?

A.seccomp.security.alpha.kubernetes.io/pod
B.apparmor.security.beta.kubernetes.io/profile
C.container.apparmor.security.beta.kubernetes.io/<container_name>
D.container.apparmor.kubernetes.io/<container_name>
AnswerC

This annotation is the correct way to set an AppArmor profile per container.

Why this answer

The annotation 'container.apparmor.security.beta.kubernetes.io/<container_name>' is used to specify the AppArmor profile for a container. The other options are either non-existent or used for other purposes (e.g., seccomp).

580
Multi-Selectmedium

Which TWO actions are effective for detecting and preventing container breakout attempts using runtime security tools?

Select 2 answers
A.Set 'securityContext.seccompProfile.type: Unconfined' to allow all syscalls.
B.Enable Kubernetes audit logging to capture exec commands.
C.Use PodSecurityPolicy to deny privileged containers.
D.Deploy Falco with rules that alert on 'syscall' events like 'clone' or 'unshare'.
E.Apply a seccomp profile that blocks unneeded syscalls for each container.
AnswersD, E

Falco can detect breakout attempts via syscall monitoring.

Why this answer

Option D is correct because Falco is a CNCF runtime security tool that uses eBPF or kernel modules to intercept system calls. By alerting on sensitive syscalls like 'clone' (used to spawn new processes) or 'unshare' (used to create new namespaces), Falco can detect container breakout attempts where an attacker tries to escape the container's isolation. This provides real-time detection of anomalous behavior indicative of a breakout.

Exam trap

CNCF often tests the distinction between admission control (e.g., PodSecurityPolicy, OPA/Gatekeeper) and runtime security (e.g., Falco, seccomp, AppArmor), leading candidates to select admission-based options like PodSecurityPolicy when the question explicitly asks for runtime security tools.

581
MCQmedium

A security team wants to detect any attempt to spawn an interactive shell inside a container. Which Falco rule condition would be appropriate?

A.container.id != host and evt.type = read and fd.name = /etc/shadow
B.evt.type = connect and container.id != host
C.proc.name = bash and evt.type = execve
D.container.id != host and evt.type = execve and proc.name = bash
AnswerD

Correct. This condition matches execve syscalls where the process is bash inside a container.

Why this answer

Falco uses syscall events. The condition container.id != host and evt.type = execve and proc.name = bash detects a bash exec in a container, which is a common interactive shell.

582
MCQeasy

Given the following PodSecurityPolicy (PSP) snippet, which statement about the allowed containers is correct?

A.Containers can run in privileged mode
B.Containers cannot use ConfigMap volumes
C.Containers must run as the root user
D.Containers cannot add any Linux capabilities
AnswerD

The PSP requires dropping ALL capabilities, so adding any is disallowed.

Why this answer

Option D is correct because the PodSecurityPolicy snippet does not include `allowedCapabilities` or sets it to an empty list, and the `defaultAddCapabilities` is not specified, meaning no Linux capabilities are added by default. Additionally, the `requiredDropCapabilities` field is not present, but the absence of any allowed capabilities effectively prevents containers from adding any Linux capabilities beyond the default set, which is restricted by the PSP's `allowedCapabilities: []` or lack thereof. This enforces a strict security posture where containers cannot gain extra privileges via capabilities.

Exam trap

The trap here is that candidates often assume the absence of `allowedCapabilities` means all capabilities are allowed, but in PSP, an empty or missing `allowedCapabilities` list actually denies all non-default capabilities, which is a subtle but critical distinction tested in the CKS exam.

How to eliminate wrong answers

Option A is wrong because the PSP snippet does not set `privileged: true`; by default, `privileged` is false, preventing containers from running in privileged mode. Option B is wrong because ConfigMap volumes are allowed by default unless explicitly denied via `volumes` field; the snippet does not list ConfigMap in a `volumes` blacklist or restrict it. Option C is wrong because the PSP does not specify `runAsUser: rule: MustRunAsNonRoot` or `runAsUser: rule: RunAsAny`; without a `runAsUser` rule, containers are not forced to run as root, and the default behavior allows any user ID unless constrained.

583
Multi-Selecthard

Which THREE of the following are effective methods to preserve evidence during a container security incident?

Select 3 answers
A.Delete the pod immediately
B.Take a memory dump of the container
C.Run kubectl exec to explore and modify files
D.Create a forensic snapshot of the container filesystem
E.Capture container logs
AnswersB, D, E

Correct: Captures in-memory data.

Why this answer

Creating a forensic snapshot (e.g., using dd or kubectl cp), capturing container logs, and taking a memory dump (e.g., via criu or gcore) preserve evidence. Deleting the pod destroys evidence. Running 'kubectl exec' and modifying files is destructive.

584
MCQmedium

An administrator runs 'crictl ps' and sees no containers listed, but kubectl shows running pods. What is the most likely cause?

A.crictl is not configured to connect to the correct container runtime socket
B.The images have not been pulled yet
C.The containers are running in a different namespace
D.The kubelet is not running
AnswerA

Correct: crictl needs the --runtime-endpoint flag or config to connect to the runtime.

Why this answer

crictl uses a specific container runtime socket (e.g., containerd.sock). If the socket is not configured or the runtime is different, it won't see containers. Option A is unlikely, option B is about kubelet, option D is about image pull.

585
MCQeasy

Which audit stage is logged after the request is fully processed and the response is sent?

A.Panic
B.ResponseComplete
C.ResponseStarted
D.RequestReceived
AnswerB

ResponseComplete is logged after the entire response is sent.

Why this answer

Audit stages are: RequestReceived, ResponseStarted, ResponseComplete, and Panic. ResponseComplete occurs after the response is sent.

586
MCQmedium

You need to detect any attempt to run a shell inside a container using Falco. Which macro or condition should you use?

A.evt.type=read and fd.name=/etc/passwd
B.evt.type=execve and proc.name in (bash, sh)
C.evt.type=clone and proc.name=bash
D.evt.type=open and fd.name=/bin/bash
AnswerB

This matches execution of shell binaries.

Why this answer

Falco's 'spawned_process' macro or condition evt.type=execve and proc.name in (bash, sh, zsh, etc.) can detect shell execution.

587
MCQmedium

A pod is running in the 'default' namespace with a container that has an immutable root filesystem (readOnlyRootFilesystem: true). The application writes logs to /var/log/app.log. What will happen?

A.The container will be automatically restarted by the kubelet
B.The write succeeds because logs are written to a temporary filesystem
C.The write to /var/log/app.log fails, and the container may crash or log an error
D.Kubernetes will create an emptyDir volume to hold the logs
AnswerC

The immutable filesystem prevents writes to the root filesystem; /var/log/ is part of the root filesystem unless a volume is mounted.

Why this answer

With readOnlyRootFilesystem set to true, the container's filesystem is read-only, so any attempt to write to the root filesystem will fail. If the application writes to /var/log/app.log, the write will fail and the container may crash or log an error. Option A is correct.

588
Multi-Selecteasy

Which THREE of the following are valid flags for the 'trivy image' command to output results in different formats?

Select 3 answers
A.--format table
B.--format sarif
C.--format xml
D.--format yaml
E.--format json
AnswersA, B, E

Table is the default output format.

Why this answer

Correct answers: B, C, E. Trivy supports output formats like JSON, table (default), and SARIF. --format json, --format table, and --format sarif are valid. Option A (--format xml) is not supported.

Option D (--format yaml) is not supported; Trivy uses JSON or table primarily.

589
MCQeasy

Which audit policy level logs all requests and responses, including the request body and response body?

A.None
B.Request
C.Metadata
D.RequestResponse
AnswerD

RequestResponse logs both request and response objects, including bodies.

Why this answer

RequestResponse logs both the request object and the response object, including bodies. Request logs only the request object. Metadata logs only metadata.

None logs nothing.

590
MCQmedium

A ValidatingWebhookConfiguration is not working as expected. The webhook server is running and accessible. What is a common misconfiguration that would cause the webhook to not be called?

A.The webhook server uses HTTP instead of HTTPS
B.The webhook service is of type ClusterIP
C.The webhook server returns a 502 status code
D.The 'clientConfig.service.namespace' does not match the namespace of the webhook service
AnswerD

The API server uses this namespace to route requests to the webhook service.

Why this answer

Option A is correct. The 'clientConfig.service' must specify the correct namespace where the webhook service is deployed. If the namespace is wrong, the API server cannot reach the service.

Options B and C are not required for the webhook to be called. Option D would cause the webhook to fail, but it would still be called.

591
MCQhard

A Falco rule triggers when a shell is spawned inside a container. Which condition correctly identifies bash or sh being executed as the first process (PID 1)?

A.spawned_process and proc.name in (bash, sh) and proc.pid=1
B.evt.type=execve and proc.name in (bash, sh) and container.id != host
C.container.id != host and proc.name in (bash, sh) and proc.ppid=0
D.proc.name = bash and proc.pid=1
AnswerA

This checks that the process was spawned (i.e., the syscall execve) and its name is bash or sh, and it's PID 1.

Why this answer

The condition checks for a spawned process (proc.spawned) with name bash or sh and that its PID is 1 (indicating it was started by the container entrypoint and not by another process).

592
MCQmedium

A security auditor wants to verify that the AppArmor profile 'my-profile' is in enforce mode on a running container. Which command should they run inside the node?

A.cat /proc/<pid>/attr/current
B.dmesg | grep apparmor
C.apparmor_parser -r my-profile
D.cat /proc/<pid>/environ
AnswerA

Correct. This file shows the AppArmor mode (enforce, complain, unconfined) for the process.

Why this answer

Option C: cat /proc/<pid>/attr/current shows the AppArmor confinement status. Option A shows the system log, not current confinement. Option B shows the loaded profile definition.

Option D shows the process environment.

593
MCQmedium

You need to ensure that all pods in a namespace can only communicate via mTLS. In Istio, which resource should you apply?

A.PeerAuthentication with mode: STRICT
B.DestinationRule with tls: ISTIO_MUTUAL
C.PeerAuthentication with mode: DISABLE
D.PeerAuthentication with mode: PERMISSIVE
AnswerA

STRICT enforces mTLS for all traffic.

Why this answer

Option B is correct. PeerAuthentication with mode STRICT enforces mTLS for all workloads in the namespace. Option A sets mTLS to PERMISSIVE (allows both plaintext and mTLS).

Option C is for traffic policies, not mTLS enforcement. Option D disables mTLS.

594
Multi-Selecthard

Which THREE of the following are recommended practices for securing Kubernetes Dashboard?

Select 3 answers
A.Disable anonymous access to Dashboard
B.Expose Dashboard via NodePort service on all nodes
C.Use RBAC to grant Dashboard service account only necessary permissions
D.Avoid exposing Dashboard over the public internet
E.Create a ClusterRole with full cluster admin access for Dashboard
AnswersA, C, D

Correct. Anonymous access should be disabled.

Why this answer

Option A is correct because the Kubernetes Dashboard, by default, may allow unauthenticated access if not explicitly configured. Disabling anonymous access ensures that all requests to the Dashboard are authenticated, preventing unauthorized users from viewing or manipulating cluster resources. This is typically done by setting the `--enable-skip-login` flag to false or configuring the Dashboard deployment to require authentication tokens.

Exam trap

CNCF often tests the principle of least privilege by presenting options that seem convenient (like full admin access or NodePort exposure) but violate security best practices, and the trap here is that candidates may think exposing the Dashboard via NodePort is acceptable for internal access, ignoring that it bypasses authentication layers and network segmentation.

595
Multi-Selectmedium

Which TWO of the following are best practices for hardening Kubernetes Dashboard?

Select 2 answers
A.Grant minimal RBAC permissions to Dashboard service account
B.Do not expose Dashboard via a public LoadBalancer Service
C.Use HTTP to avoid certificate management
D.Use the default service account with cluster-admin binding
E.Enable anonymous access for simplicity
AnswersA, B

Follow least privilege principle.

Why this answer

Option A is correct because the Kubernetes Dashboard should run with the least privilege necessary. Granting minimal RBAC permissions to the Dashboard's service account follows the principle of least privilege, reducing the attack surface if the Dashboard is compromised. The default installation often creates a service account with excessive permissions, which should be scoped down to only what the Dashboard needs to function.

Exam trap

CNCF often tests the misconception that 'more permissions make the Dashboard work better' or that 'HTTP is simpler and acceptable for internal use,' but the correct approach is to always enforce TLS and minimal RBAC, as the exam expects you to prioritize security over convenience.

596
MCQmedium

Which admission controller is responsible for invoking external webhooks to validate or mutate resources?

A.ImagePolicyWebhook
B.ValidatingAdmissionWebhook
C.MutatingAdmissionWebhook
D.PodSecurity
AnswerB

This admission controller calls external webhook services to validate resources.

Why this answer

ValidatingAdmissionWebhook and MutatingAdmissionWebhook are the admission controllers that call external webhooks. The question asks for the one that invokes webhooks, so both are correct but the stem likely expects both. However, as a single answer, 'ValidatingAdmissionWebhook' is a common choice.

But to be precise, both are correct. The question is ambiguous; I'll pick 'ValidatingAdmissionWebhook' as it's the first named. Actually, the correct answer should be both, but since it's multiple choice with one correct, I'll choose 'ValidatingAdmissionWebhook'.

597
MCQmedium

Which admission controller runs FIRST in the Kubernetes admission flow?

A.ResourceQuota
B.ValidatingAdmissionWebhook
C.MutatingAdmissionWebhook
D.ImagePolicyWebhook
AnswerC

MutatingAdmissionWebhook runs before validating webhooks.

Why this answer

The MutatingAdmissionWebhook runs first, before ValidatingAdmissionWebhook, as mutations must be applied before validation.

598
Multi-Selectmedium

Which THREE of the following security context settings help mitigate container breakout attacks? (Select 3)

Select 3 answers
A.readOnlyRootFilesystem: true
B.privileged: true
C.allowPrivilegeEscalation: false
D.capabilities: add: ['NET_ADMIN']
E.runAsNonRoot: true
AnswersA, C, E

Prevents writing to the root filesystem, limiting the ability to modify binaries or write scripts.

Why this answer

runAsNonRoot, allowPrivilegeEscalation: false, and readOnlyRootFilesystem are standard security hardening measures that reduce the risk of container breakout.

599
Multi-Selectmedium

Which TWO of the following are valid audit policy levels in Kubernetes? (Choose two.)

Select 2 answers
A.RequestResponse
B.Verbose
C.Response
D.All
E.Metadata
AnswersA, E

Valid level.

Why this answer

Valid audit levels are None, Metadata, Request, and RequestResponse. Options B and C are valid.

600
MCQmedium

To protect kernel defaults on a node, which flag should be set on the kubelet?

A.--hardening=true
B.--protect-kernel-defaults=true
C.--protect-kernel-parameters=true
D.--kernel-security=true
AnswerB

This flag prevents the kubelet from modifying kernel parameters that could affect security.

Why this answer

The `--protect-kernel-defaults=true` flag on the kubelet ensures that the kubelet will not start if any kernel tunables (e.g., `vm.overcommit_memory`, `kernel.panic`) differ from their default values. This is a security hardening measure to prevent misconfigured nodes from running with weakened kernel settings, as required by the CIS Kubernetes Benchmark.

Exam trap

The trap here is that candidates confuse the exact flag name with plausible-sounding alternatives like 'protect-kernel-parameters' or 'kernel-security', but the CKS exam expects precise recall of the actual kubelet flag `--protect-kernel-defaults=true` as defined in the CIS Benchmark.

How to eliminate wrong answers

Option A is wrong because `--hardening=true` is not a valid kubelet flag; there is no such flag in the kubelet configuration. Option C is wrong because `--protect-kernel-parameters=true` is not a real kubelet flag; the correct flag uses the term 'defaults' not 'parameters'. Option D is wrong because `--kernel-security=true` is not a valid kubelet flag; kernel security is enforced through other mechanisms like AppArmor or seccomp, not a dedicated kubelet flag.

Page 7

Page 8 of 14

Page 9