CCNA Supply Chain Security Questions

75 of 190 questions · Page 2/3 · Supply Chain Security

76
MCQ · medium

Which static analysis tool is specifically designed to evaluate Kubernetes manifests against security best practices?

A. cosign
B. syft
C. kubesec
D. clair
Answer: C

Kubesec scans Kubernetes manifests for security issues such as privileged containers or host network access.

Why this answer

Kubesec analyzes Kubernetes YAML files and assigns each resource a security score with advice on what to change. Option C is correct; cosign signs images, syft generates SBOMs and clair scans images for vulnerabilities.

77
MCQ · easy

Which static analysis tool can be used to check Kubernetes manifests for security misconfigurations?

A. kubesec
B. kubectl apply
C. trivy image
D. helm template
Answer: A

Kubesec provides security ratings and recommendations for Kubernetes resources.

Why this answer

Kubesec is a tool that analyzes Kubernetes manifests for security issues. Option A is correct.

78
MCQ · hard

An organization uses a GitOps workflow with Argo CD to deploy applications to Kubernetes. The security team wants to ensure that container images are immutable and signed. They currently use a private container registry (Harbor) with vulnerability scanning and Cosign for signing. Which combination of controls best enforces that only signed and scanned images are deployed?

A. Configure Argo CD to verify Cosign signatures before syncing the application.
B. Use imagePullSecrets in Kubernetes to ensure only Harbor images are used.
C. Add a Cosign verification step in the CI pipeline before pushing images to Harbor, and rely on that guarantee.
D. Enable Harbor's content trust feature to reject unsigned images, and use a Kyverno admission rule to verify Cosign signatures at deploy time.
Answer: D

Harbor blocks unsigned pushes, and Kyverno validates signatures at admission.

Why this answer

Option D is correct because it enforces two layers: Harbor's content trust rejects unsigned images at the registry level, and a Kyverno admission rule verifies the Cosign signature against the expected public key at deploy time. Even if an unsigned image reaches the registry by another path, Kubernetes admission control blocks it, which is defense in depth for the supply chain.

Exam trap

CNCF often tests the concept that imagePullSecrets only handle authentication, not integrity or signing, leading candidates to mistakenly choose Option B as a security control.

How to eliminate wrong answers

Option A is wrong because Argo CD does not natively verify Cosign signatures before syncing; it relies on external admission controllers or pre-sync hooks for such checks. Option B is wrong because imagePullSecrets only control authentication to pull images from a registry, not image integrity or signature verification. Option C is wrong because relying solely on CI pipeline verification is insufficient; an attacker could bypass the pipeline or push unsigned images directly to the registry, and there is no runtime enforcement.
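The admission-time half of the answer, as an added example that is not part of the original question set: a Kyverno ClusterPolicy that verifies Cosign signatures when a Pod is created. The policy name, the registry and the project path are assumptions; paste your own cosign.pub where indicated.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cosign-signatures          # assumed name
spec:
  validationFailureAction: Enforce        # Audit would admit the Pod and only record a PolicyReport entry
  background: false                       # signature checks contact the registry; skip background scans
  webhookTimeoutSeconds: 30
  rules:
    - name: harbor-images-must-be-signed
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "harbor.example.com/prod/*"  # assumed registry and project; images outside this glob are not checked
          required: true                   # a matching image without a valid signature is rejected
          mutateDigest: true               # rewrite tag references to the verified digest
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub>
                      -----END PUBLIC KEY-----
```

Images that do not match imageReferences are not checked at all, so pair this rule with a validate rule that rejects images from other registries. Kyverno checks the Rekor transparency-log entry by default; if images are signed with `cosign sign --tlog-upload=false`, set `ignoreTlog: true` in the key entry's `rekor` block. For private Harbor projects, Kyverno needs pull credentials to fetch the signature (its `imagePullSecrets` setting).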

79
MCQ · hard

You are asked to generate an SBOM for a container image and attach it as an attestation using cosign. Which two commands would you run in sequence?

A. trivy image --format spdx myimage:latest > sbom.spdx && cosign verify --key cosign.pub myimage:latest
B. syft myimage:latest -o spdx > sbom.spdx && cosign attest --type spdx --predicate sbom.spdx myimage:latest
C. cosign sign --key cosign.key myimage:latest && syft myimage:latest -o spdx
D. crane ls myimage:latest && cosign attest --type spdx --predicate sbom.spdx myimage:latest
Answer: B

This correctly generates an SBOM in SPDX format and attaches it as an in-toto attestation.

Why this answer

First generate the SBOM with syft, then attach it with cosign attest, which wraps the SBOM in an in-toto statement, signs it and stores it next to the image in the registry. Two practical details the option leaves out: cosign attest needs a signing key (`--key cosign.key`) or a keyless identity, and `--type spdx` embeds the tag-value text as an opaque string; for a machine-queryable attestation generate JSON (`syft myimage:latest -o spdx-json`) and use `--type spdxjson`. Option A verifies instead of attesting, Option C signs before the SBOM exists and never attaches it, and crane ls only lists tags.

80
MCQ · easy

What is the primary purpose of an SBOM in supply chain security?

A. To list all open source and third-party components in an image
B. To scan images for secrets
C. To sign container images
D. To enforce network policies
Answer: A

SBOM is a formal record of components.

Why this answer

An SBOM provides a list of all components in a software artifact, enabling vulnerability tracking and license compliance.

81
Multi-Select · medium

Which TWO of the following are valid ways to verify a container image signature using cosign?

Select 2 answers
A. cosign validate myimage:latest
B. cosign verify-attestation --key cosign.pub myimage:latest
C. cosign check myimage:latest
D. cosign attest --key cosign.key myimage:latest
E. cosign verify --key cosign.pub myimage:latest
Answers: B, E

cosign verify checks the image signature; cosign verify-attestation checks a signed in-toto attestation attached to the image.

Why this answer

`cosign verify` checks the image signature and `cosign verify-attestation` checks a signed in-toto attestation (an SBOM or provenance) attached to the image; both take `--key cosign.pub` or the keyless identity flags. `cosign validate` and `cosign check` do not exist, and `cosign attest` creates an attestation rather than verifying one.

82
Multi-Select · medium

Which TWO are benefits of using a distroless base image over a full OS image like Ubuntu? (Select two.)

Select 2 answers
A. Faster image build times
B. Smaller image size
C. Better compatibility with Kubernetes security contexts
D. Smaller attack surface
E. Easier debugging
Answers: B, D

Distroless images are significantly smaller.

Why this answer

Distroless images reduce attack surface and image size by including only the libraries the application needs; there is no shell or package manager, which is also why debugging them is harder, not easier.

83
MCQ · medium

An administrator wants to enforce that all pods run with read-only root filesystem. Which admission controller can achieve this without writing custom code?

A. ServiceAccount
B. PodSecurity
C. MutatingAdmissionWebhook
D. ImagePolicyWebhook
Answer: B

PodSecurity enforces predefined profiles (Pod Security Standards) through namespace labels, with no custom webhook.

Why this answer

PodSecurity is the built-in admission controller that enforces the Pod Security Standards (privileged, baseline, restricted) per namespace. The restricted profile requires runAsNonRoot: true, allowPrivilegeEscalation: false, dropping all capabilities and a RuntimeDefault or Localhost seccomp profile. Caveat: readOnlyRootFilesystem is not part of any Pod Security Standard, so PodSecurity alone cannot require it; in practice that setting is enforced with a policy engine such as Kyverno or Gatekeeper through a validating webhook. PodSecurity is still the expected answer among the options listed because it is the only one that enforces predefined pod restrictions without a custom webhook.

84
MCQ · medium

A security policy requires that all container images use SHA-based digests instead of tags. Which approach ensures this in a Deployment YAML?

A. Use the 'image' field with a tag and also set 'digest' field
B. Set imagePullPolicy: Always and use tags
C. Use the image field with a digest, e.g., 'image: nginx@sha256:abc123'
D. Set imagePullPolicy: IfNotPresent and use tags
Answer: C

Using @sha256:... ensures the exact image is pulled.

Why this answer

Option C is correct: referencing `image: nginx@sha256:<digest>` pins the exact manifest, and the container runtime verifies that the fetched content hashes to that digest. There is no separate 'digest' field in a container spec (Option A), and imagePullPolicy only governs when the kubelet contacts the registry, not which content it accepts (Options B and D). To enforce this cluster-wide rather than per manifest, pair it with an admission policy that rejects tag references.

85
Multi-Select · hard

Which TWO of the following admission controllers are relevant for supply chain security in Kubernetes?

Select 2 answers
A. MutatingAdmissionWebhook (for sidecar injection)
B. ImagePolicyWebhook
C. AlwaysPullImages
D. NodeRestriction
E. ValidatingAdmissionWebhook (used by Kyverno/Gatekeeper)
Answers: B, E

Both validate image requests against a policy before the Pod is persisted.

Why this answer

ImagePolicyWebhook sends image references to an external backend that can reject them, and ValidatingAdmissionWebhook is the hook through which Kyverno and Gatekeeper enforce registry, digest and signature policies. A MutatingAdmissionWebhook used for sidecar injection does not check images, AlwaysPullImages forces a fresh pull on every start (so cached images cannot be reused without registry credentials) but does not validate them, and NodeRestriction limits what kubelets may modify and is not supply-chain related.

86
Matching · medium

Match each Kubernetes API server flag to its security function.

Matches

Enables RBAC authorization

Comma-separated list of admission controllers to enable

Disables anonymous requests to the API server

Path to a CA file for verifying kubelet serving certificates

File containing PEM-encoded x509 RSA or ECDSA private or public keys used to verify ServiceAccount tokens

Why these pairings

These flags are essential for hardening the API server: they control who may call it at all, what callers are authorized to do, which admission plugins gate each request, how the API server authenticates the kubelets it connects to, and which keys validate service account tokens.
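As an added example (not from the original page), the flags described above as they appear in a kubeadm-style kube-apiserver static Pod manifest; the image version and file paths are assumptions for illustration.

```yaml
# Trimmed kube-apiserver static Pod manifest (kubeadm layout, /etc/kubernetes/manifests/kube-apiserver.yaml).
# Version and paths are assumed for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:v1.29.0
      command:
        - kube-apiserver
        # Enables RBAC authorization (Node authorizer kept for the kubelets)
        - --authorization-mode=Node,RBAC
        # Comma-separated list of admission controllers to enable
        - --enable-admission-plugins=NodeRestriction,PodSecurity,ImagePolicyWebhook
        - --admission-control-config-file=/etc/kubernetes/admission-config.yaml   # ImagePolicyWebhook backend settings
        # Disables anonymous requests to the API server
        - --anonymous-auth=false
        # CA file used to verify the kubelets' serving certificates when the API server connects to them
        - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt
        # Keys used to verify ServiceAccount tokens (the signing key is a separate flag)
        - --service-account-key-file=/etc/kubernetes/pki/sa.pub
        - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
        - --service-account-issuer=https://kubernetes.default.svc.cluster.local
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
      volumeMounts:
        - name: k8s-pki
          mountPath: /etc/kubernetes/pki
          readOnly: true
  volumes:
    - name: k8s-pki
      hostPath:
        path: /etc/kubernetes/pki
        type: DirectoryOrCreate
```

The kubelet restarts the static Pod when this file changes, so edit it in place and watch the container come back with `crictl ps`. Disabling anonymous auth also rejects unauthenticated health probes such as kubeadm's /livez checks, so verify that the Pod still passes its probes after the change.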

87
Multi-Select · hard

Which THREE of the following are valid approaches to prevent containers from running as root in a Kubernetes cluster?

Select 3 answers
A. Use Pod Security Admission with the 'restricted' profile
B. Set the container's entrypoint to 'sudo'
C. Use OPA/Gatekeeper with a constraint that requires runAsNonRoot: true
D. Use a Seccomp profile that blocks root system calls
E. Use Kyverno with a policy that validates runAsNonRoot
Answers: A, C, E

The restricted profile enforces must-run-as-non-root.

Why this answer

Pod Security Admission (PSA), OPA/Gatekeeper, and Kyverno are all valid tools to enforce security policies. Seccomp profiles restrict system calls but do not prevent running as root, and there is no such thing as a "root system call"; sudo inside the container only makes things worse.

88
MCQ · hard

A user creates a Deployment with image 'alpine:3.18' and the Pod status is 'ErrImagePull'. The admin checks the image policy and sees that only images with SHA digests are allowed. What is the fix?

A. Enable the AlwaysPullImages admission controller
B. Change the image to 'alpine:latest'
C. Add a non-root user to the Dockerfile
D. Change the image to 'alpine@sha256:...'
Answer: D

Using a SHA digest satisfies the policy requirement for immutable references.

Why this answer

Using a SHA digest ensures immutability and is often required by security policies. Updating the image reference to use the digest allows the image to pass policy. Note that an admission-time policy normally rejects the Pod at creation rather than leaving it in ErrImagePull; that status points to enforcement at pull time (a registry proxy or a node-level policy), but the remedy is the same.

89
MCQ · hard

A cluster uses Kyverno to enforce that all images come from a trusted registry. A new Deployment fails with a message that the image 'docker.io/library/nginx:latest' is not allowed. What Kyverno policy rule likely caused this?

A. A validate rule that checks the container's resource limits
B. A validate rule that checks the image registry
C. A generate rule that creates a ConfigMap
D. A mutating rule that adds a label to the pod
Answer: B

A validate rule with a pattern or deny condition can block images from unauthorized registries.

Why this answer

A Kyverno rule that validates image registries denies images from registries not in the allowed list. Option B is correct; a rule about resource limits, a generate rule or a mutate rule that adds a label would not reject the image.

90
Multi-Select · hard

You are securing a Kubernetes cluster that runs workloads from multiple teams. The cluster uses a private container registry and an admission controller to enforce image policies. Which TWO of the following actions are most effective in preventing the use of unapproved or tampered container images? (Choose two correct answers.)

Select 2 answers
A. Use OPA Gatekeeper to enforce a policy that rejects pods using images with the 'latest' tag.
B. Configure imagePullSecrets for each namespace to ensure only authorized service accounts can pull images.
C. Deploy Kyverno with a policy that requires images to have a specific annotation indicating they passed a security scan.
D. Implement a NetworkPolicy that blocks egress traffic from the cluster to unauthorized container registries.
E. Set up an ImagePolicyWebhook admission controller that checks image signatures and only allows signed images from your registry.
Answers: C, E

Kyverno can enforce custom policies including image annotations that prove scanning.

Why this answer

Options C and E are correct. Option E enforces image provenance directly: an ImagePolicyWebhook backend checks that the image carries a valid signature and comes from your registry, so tampered or unapproved images are rejected at admission. Option C uses Kyverno to require an annotation that the security pipeline sets after a successful scan, tying deployment to the approval workflow; it is only as strong as the controls that stop users from adding the annotation themselves, which is why a signed attestation is the more robust form of the same idea. Options A, B and D act on tags, registry access and network reachability; none of them verifies image content.

Exam trap

CNCF often tests the distinction between authentication/authorization and image integrity verification, where candidates mistakenly choose options that control access to registries (like imagePullSecrets or NetworkPolicy) instead of options that validate image content or approval status.

91
MCQ · medium

A pod is running in a namespace that has a Kyverno policy requiring all images to come from a trusted registry. The pod is using an image from an untrusted registry. What will happen when the pod is created?

A. The pod will be created but immediately terminated
B. The pod creation will be rejected with an admission error
C. The pod will be created and run successfully
D. The pod will be created but the image will be replaced with a trusted one
Answer: B

Kyverno acts as an admission webhook and denies the request if the policy is violated.

Why this answer

Kyverno policies are enforced by a validating admission webhook. With validationFailureAction set to Enforce, a Pod that violates the policy is rejected at admission, the object is never persisted, and the error message is returned to the user (for a Deployment, the ReplicaSet controller receives the rejection and records it in events). If the policy is in Audit mode instead, the Pod is admitted and the violation is only recorded in a PolicyReport.

92
MCQ · medium

A Kubernetes cluster has Kyverno installed. You want to enforce that all container images come from a trusted registry 'trusted-registry.example.com'. Which Kyverno policy rule type would you use?

A. validate with a deny condition
B. mutate
C. validate.deny
D. generate
Answer: A

Using a validate rule with a deny condition can block pods that use images from unauthorized registries.

Why this answer

To restrict image sources you write a validate rule that checks the image field of every container, either with a pattern such as `trusted-registry.example.com/*` or with a deny condition. Mutate rules change resources, generate rules create new ones, and `validate.deny` is a sub-element of a validate rule rather than a rule type of its own.

93
MCQ · easy

A security engineer wants to ensure that only images signed with a specific key are allowed to run in the cluster. Which tool can be used to sign container images?

A. kubesec
B. syft
C. cosign
D. trivy
Answer: C

Cosign supports signing container images and verifying signatures.

Why this answer

Option C is correct. Cosign signs and verifies container images (and attestations). Option A (kubesec) analyzes Kubernetes manifests. Option B (syft) generates SBOMs. Option D (trivy) scans for vulnerabilities.

94
Multi-Select · medium

Which TWO tools can generate an SBOM for a container image? (Select two.)

Select 2 answers
A. checkov
B. trivy
C. syft
D. cosign
E. kubesec
Answers: B, C

Trivy can generate SBOMs in CycloneDX or SPDX format.

Why this answer

Syft and Trivy (for example `trivy image --format cyclonedx myimage:tag`) can generate SBOMs. Options B and C are correct; checkov and kubesec analyze configuration, and cosign signs artifacts (it can attach an SBOM as an attestation but does not produce one).

95
Multi-Select · hard

Which THREE of the following are valid admission controllers involved in the Kubernetes admission flow that can be used for supply chain security?

Select 3 answers
A. MutatingAdmissionWebhook
B. ResourceQuota
C. ValidatingAdmissionWebhook
D. PodSecurity
E. PersistentVolumeClaim
Answers: A, C, D

Webhooks can mutate or validate Pods to enforce security settings such as image policies.

Why this answer

Correct answers: A, C, D. MutatingAdmissionWebhook and ValidatingAdmissionWebhook are the admission controllers through which external policy engines (Kyverno, Gatekeeper, signature verifiers) act on Pods, and PodSecurity is the built-in controller that enforces the Pod Security Standards (the replacement for PodSecurityPolicy).

Option B (ResourceQuota) enforces resource limits per namespace, not security policy. Option E (PersistentVolumeClaim) is a resource type, not an admission controller.

96
MCQ · hard

You are auditing your cluster's supply chain security. You need to generate a Software Bill of Materials (SBOM) for a container image. Which tool should you use?

A. Trivy
B. Kubesec
C. Checkov
D. Syft
Answer: D

Syft is a popular tool for generating SBOMs from container images.

Why this answer

Syft is a CLI tool for generating an SBOM from container images. It outputs a list of packages and dependencies. (Trivy can also produce SBOMs, but Syft is the tool built specifically for it and is the answer the key expects.)

97
MCQ · easy

Which command is used to sign a container image with Cosign?

A. cosign attest
B. cosign sign
C. cosign generate
D. cosign verify
Answer: B

cosign sign signs a container image.

Why this answer

The `cosign sign` command signs a container image and stores the signature in the registry next to the image.

98
MCQ · medium

An OPA/Gatekeeper constraint requires that all images' registries match a pattern. A Deployment uses 'myregistry.io/app:v1'. The admission controller rejects it. The admin runs 'kubectl get constraints' and sees the constraint is active. What is the next debugging step?

A. Disable the Gatekeeper webhook
B. Check the audit logs of Gatekeeper
C. Reapply the Deployment YAML
D. Describe the constraint and constraint template to see the denial reason
Answer: D

Describing shows the parameters, the rule and any recorded violations.

Why this answer

Describing the constraint (`kubectl describe <constraint-kind> <name>`) shows its parameters and the violations recorded by Gatekeeper's audit controller, and the ConstraintTemplate holds the Rego that produced the denial message; the admission error returned to kubectl already contains that message. Gatekeeper's audit logs (Option B) are a slower route to the same information, and disabling the webhook or reapplying the YAML does not explain the denial.

99
Multi-Select · easy

Which TWO of the following are tools that can be used to generate an SBOM for a container image?

Select 2 answers
A. Trivy
B. Cosign
C. Syft
D. Clair
E. Kubesec
Answers: A, C

Trivy can generate SBOMs in addition to vulnerability scanning.

Why this answer

Syft is specifically designed for SBOM generation. Trivy also has the ability to generate SBOMs. Cosign is for signing, Clair is a vulnerability scanner, and Kubesec is for static analysis of manifests.

100
MCQ · medium

A security engineer wants to integrate image scanning into a CI/CD pipeline. They are using a tool that can scan the filesystem of the build context before building the image. Which tool is best suited for this purpose?

A. Trivy (trivy fs)
B. Kubesec
C. Notary
D. Cosign
Answer: A

trivy fs scans the filesystem for vulnerabilities, ideal for scanning a build context.

Why this answer

Trivy can scan filesystems (trivy fs) to find vulnerabilities in packages before building an image. This allows catching issues early in the pipeline.

101
Multi-Select · medium

Which TWO of the following are best practices for securing the software supply chain in a CI/CD pipeline?

Select 2 answers
A. Use the 'latest' tag for base images to get the newest features
B. Store sensitive credentials directly in the pipeline YAML file
C. Scan all container images for known vulnerabilities before deployment
D. Ignore critical CVEs if they are in development environments
E. Sign container images to ensure integrity and authenticity
Answers: C, E

Vulnerability scanning is essential.

Why this answer

Scanning images for vulnerabilities and signing images are key supply chain security practices. Storing secrets in the pipeline YAML is insecure, and ignoring critical CVEs is not a best practice.

102
MCQ · easy

Which of the following is a BEST practice for container images to reduce the attack surface?

A. Use minimal base images like distroless
B. Use the 'latest' tag
C. Include debugging tools in the image
D. Run containers as root user
Answer: A

Minimal base images reduce attack surface by including only necessary components.

Why this answer

Using minimal base images like distroless or Alpine reduces the number of packages and thus the attack surface.

103
MCQ · medium

An administrator wants to ensure that all containers in a deployment run as a non-root user. Which YAML snippet correctly sets the security context to run as user ID 1000?

A. runAsUser: 1000
B. securityContext: runAsUser: 1000
C. securityContext: { runAsNonRoot: true }
D. user: 1000
Answer: B

This sets the container's user ID to 1000, ensuring it does not run as root.

Why this answer

The correct field is `securityContext.runAsUser: 1000` at the Pod or container level; Option B is the only one with the correct syntax. Option C (`runAsNonRoot: true`) makes the kubelet refuse to start a container whose image would run as UID 0 but does not choose the UID; setting both is the usual practice. Options A and D are not valid fields at that position.
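Added example, not from the original page, combining questions 83, 87 and 103: a namespace that enforces the restricted Pod Security Standard and a Pod whose securityContext satisfies it, plus the read-only root filesystem that the standard itself does not require. The namespace, image name and UID are assumed values.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                                            # assumed namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted        # reject Pods that violate the restricted profile
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted           # also warn on kubectl apply
    pod-security.kubernetes.io/audit: restricted          # and record violations in the audit log
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: team-a
spec:
  securityContext:                    # Pod level: inherited by every container unless overridden
    runAsNonRoot: true                # kubelet refuses to start a container that would run as UID 0
    runAsUser: 1000                   # the UID asked for in question 103
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault            # required by the restricted profile
  containers:
    - name: app
      image: trusted-registry.example.com/team-a/app:1.4.2   # assumed image; pin to @sha256 in production
      securityContext:
        allowPrivilegeEscalation: false   # required by restricted
        capabilities:
          drop: ["ALL"]                   # required by restricted
        readOnlyRootFilesystem: true      # not part of any Pod Security Standard; set explicitly per container
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # writable scratch space, since the root filesystem is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

Apply the Namespace first, then try the Pod without the seccompProfile or with `allowPrivilegeEscalation: true`: the API server rejects it with a message naming the violated restricted-profile checks. Removing `readOnlyRootFilesystem` is not rejected, which is the gap a Kyverno or Gatekeeper policy has to close.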

104
Multi-Select · medium

Which TWO of the following are best practices for securing the container supply chain? (Select 2)

Select 2 answers
A. Disable image pull secrets to reduce complexity
B. Scan container images for vulnerabilities
C. Hardcode secrets in the Dockerfile for convenience
D. Use minimal base images like Alpine or distroless
E. Run containers as root to simplify permissions
Answers: B, D

Scanning helps detect known vulnerabilities before deployment.

Why this answer

Using minimal base images reduces the attack surface, and scanning images for vulnerabilities helps identify and fix security issues before deployment.

105
Multi-Select · easy

You are auditing a cluster's supply chain security. You find that many pods are running images from public registries without any pinning or verification. Which TWO actions would most effectively reduce the risk of pulling malicious images?

Select 2 answers
A. Configure all deployments to use image digests instead of tags.
B. Set up a private registry proxy that mirrors approved public images and disable direct access to public registries via containerd configuration.
C. Implement RBAC to restrict which users can create pods.
D. Enforce PodSecurityStandard baseline or restricted to block privileged containers.
E. Apply a network policy that blocks egress traffic to public registries.
Answers: A, B

Prevents tag mutation and ensures image integrity.

Why this answer

Option A is correct because using image digests (e.g., `nginx@sha256:abc123...`) pins the image to an immutable content hash, ensuring that the exact same image is pulled every time, even if the tag is later repointed to a malicious version. This prevents tag-mutation attacks where an attacker replaces a benign image tag with a compromised one. The container runtime (containerd) verifies that the manifest it fetches hashes to the requested digest, giving cryptographic assurance of image integrity. Option B is correct because a private registry proxy that mirrors only reviewed images, combined with containerd registry configuration that disables direct pulls from public registries, removes the public registries from the pull path entirely: every image a node can obtain has passed through a controlled mirror.

Exam trap

CNCF often tests the distinction between runtime security controls (PodSecurityStandards, network policies) and supply chain controls (image pinning, registry proxies), and candidates mistakenly think blocking egress or restricting pod creation mitigates the risk of pulling malicious images, when those controls do not affect the image pull process itself.

106
Multi-Select · medium

Which two of the following are best practices for securing a CI/CD pipeline that builds and deploys container images? (Select TWO.)

Select 2 answers
A. Scan container images for vulnerabilities in the pipeline
B. Store secrets as environment variables in the pipeline configuration
C. Sign container images after building them
D. Run the build process as root to avoid permission issues
E. Grant all permissions to the pipeline service account to avoid failures
Answers: A, C

Scanning helps catch vulnerabilities before deployment.

Why this answer

Options A and C are correct. Scanning images for vulnerabilities in the pipeline ensures that insecure images are not deployed. Signing images ensures integrity and provenance.

Option B is wrong because storing secrets in environment variables in the pipeline configuration is insecure; use secret management. Option D is wrong because running builds as root increases risk. Option E is wrong because granting all permissions violates the principle of least privilege.

107
MCQ · medium

A cluster administrator notices that a pod using an image from a public registry is failing to start. The image was signed with Cosign, and the cluster has an ImagePolicyWebhook configured to require signatures. The error message from the webhook indicates 'signature verification failed'. What is the most likely cause?

A. The public key used to verify the signature does not match the private key used to sign
B. The image is not signed at all
C. The webhook is not reachable
D. The image tag is incorrect
Answer: A

Signature verification requires the matching public key. If the wrong key is configured, verification will fail.

Why this answer

If the image was signed but verification fails, the webhook backend is most likely configured with a public key that does not correspond to the signing key. An unsigned image would produce a "no signatures found" style error, and an unreachable webhook fails the request before any verification takes place.

108
MCQ · easy

A security engineer wants to scan a container image for vulnerabilities using Trivy. Which command should they use?

A. trivy image <image-name>
B. trivy scan <image-name>
C. trivy repo <image-name>
D. trivy fs <image-name>
Answer: A

'trivy image' is the correct command to scan a container image for vulnerabilities.

Why this answer

Trivy's image scanning command is 'trivy image <image-name>'. The other options are incorrect: 'trivy scan' is not a valid subcommand, 'trivy repo' scans a git repository, and 'trivy fs' scans a filesystem.

109
MCQ · medium

A DevOps engineer is setting up a CI/CD pipeline to scan container images for vulnerabilities. They want to fail the pipeline if any critical vulnerabilities are found. Which command should they use to scan the image and produce a JSON output that can be parsed?

A. trivy fs --severity CRITICAL --output json .
B. trivy image --severity CRITICAL --output json myimage:tag
C. trivy image --format table myimage:tag
D. trivy image --severity HIGH myimage:tag
Answer: B

This command targets the image, filters for critical severity, and is intended to produce JSON.

Why this answer

Option B is the expected answer: `trivy image` targets a container image, `--severity CRITICAL` restricts the report to critical findings, and the output is meant to be JSON. Caveat for real use: in Trivy the format is selected with `--format json` and `--output` names a file, so the working command is `trivy image --severity CRITICAL --format json --output trivy.json myimage:tag`; add `--exit-code 1` to make the scan itself fail the pipeline without parsing the JSON. Option D uses `--severity HIGH`, which reports only HIGH findings and excludes CRITICAL. Option C outputs a table.

Option A scans the filesystem (`trivy fs`), not the image.

110
MCQ · hard

An OPA/Gatekeeper constraint is configured to allow only images from 'trusted-registry.io'. A pod is created with image 'trusted-registry.io/app:v1' but is denied. Which is the MOST likely cause?

A. The constraint is only applied in the default namespace
B. The image tag is not pinned to a digest
C. The image is not signed
D. The constraint uses regex and the image does not match the pattern
Answer: D

The constraint likely expects a specific pattern, and the image may not match exactly (e.g., a missing port or path).

Why this answer

Gatekeeper constraints usually match the image string against a parameter list or a regex. If the pattern expects a different form than the manifest uses (a port such as trusted-registry.io:5000, a required project path, a trailing slash, or an anchored digest), `trusted-registry.io/app:v1` does not match and the Pod is denied. Describe the constraint to see the exact pattern and the violation message.
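Added example, not from the original page, showing the kind of Gatekeeper constraint behind questions 98 and 110 and why the exact prefix matters: a ConstraintTemplate with a parameterized allowed-registry list and a Constraint that applies it to Pods. The names and the registry value are assumptions.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8strustedregistry                     # assumed name; must be lowercase of the CRD kind
spec:
  crd:
    spec:
      names:
        kind: K8sTrustedRegistry
      validation:
        openAPIV3Schema:                       # schema for the Constraint's spec.parameters
          type: object
          properties:
            registries:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8strustedregistry

        # One violation per container whose image does not start with an allowed prefix.
        # The message is what kubectl shows on denial and what audit records in status.violations.
        violation[{"msg": msg}] {
          container := input_containers[_]
          not allowed(container.image)
          msg := sprintf("container %q uses image %q, which is not from an allowed registry %v",
                         [container.name, container.image, input.parameters.registries])
        }

        allowed(image) {
          startswith(image, input.parameters.registries[_])
        }

        # Check regular, init and ephemeral containers alike.
        input_containers[c] { c := input.review.object.spec.containers[_] }
        input_containers[c] { c := input.review.object.spec.initContainers[_] }
        input_containers[c] { c := input.review.object.spec.ephemeralContainers[_] }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sTrustedRegistry
metadata:
  name: pods-from-trusted-registry              # assumed name
spec:
  enforcementAction: deny                       # "dryrun" or "warn" would record/warn instead of rejecting
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    registries:
      - "trusted-registry.io/"                  # keep the trailing slash: without it, trusted-registry.io.evil.com/app
                                                # would also pass, and with a port the manifest must say trusted-registry.io:5000/
```

With this constraint, `trusted-registry.io/app:v1` is admitted and `trusted-registry.io:5000/app:v1` is denied, which is the mismatch question 110 describes; `kubectl describe k8strustedregistry pods-from-trusted-registry` shows the parameters and, after the audit controller runs, the violating Pods with the same message.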

111
Multi-Select · hard

Which THREE are valid methods to verify the integrity and origin of a container image? (Select 3)

Select 3 answers
A. Trivy fs
B. Notary
C. Syft
D. Cosign verify
E. ImagePolicyWebhook
Answers: B, D, E

Notary provides signing and verification of content.

Why this answer

Cosign sign/verify uses cryptographic signatures. Notary (a CNCF project; its v2 effort became Notation) signs and verifies registry content. ImagePolicyWebhook forwards image references to an external backend that can verify them against policy. Trivy fs and Syft find vulnerabilities and inventory packages; neither verifies integrity or origin.

112
MCQ · medium

Which of the following is a best practice for Dockerfiles to improve supply chain security?

A. Use the latest tag for base images to get the newest features
B. Run the container as root by default
C. Use a distroless base image
D. Hardcode secrets directly in the Dockerfile
Answer: C

Distroless images contain only the application and its runtime dependencies, reducing the attack surface.

Why this answer

Using distroless base images reduces the attack surface by minimizing installed packages and dependencies.

113
MCQ · medium

To verify a signed container image, which command should be used?

A. cosign verify myimage:latest
B. trivy verify myimage:latest
C. kubectl verify myimage:latest
D. cosign validate myimage:latest
Answer: A

This command verifies the signature of the image using a public key or keyless mode.

Why this answer

`cosign verify` checks the signature stored alongside the image. With `--key cosign.pub` it uses the given public key; without `--key`, cosign 2.x performs keyless verification and requires `--certificate-identity` and `--certificate-oidc-issuer` to pin the expected signer. Option A is correct; `cosign validate`, `trivy verify` and `kubectl verify` do not exist.

114
Multi-Select · medium

Which TWO are tools for static analysis of Kubernetes manifests? (Select 2)

Select 2 answers
A. Cosign
B. Trivy
C. Kubesec
D. Clair
E. Checkov
Answers: C, E

Both scan Kubernetes manifests for security issues.

Why this answer

Kubesec and Checkov both perform static analysis on Kubernetes resource definitions to identify misconfigurations and security issues.

115
Multi-Select · medium

Which TWO of the following are valid methods to ensure only signed images are deployed in a Kubernetes cluster?

Select 2 answers
A. Configure ImagePolicyWebhook to require signatures
B. Set imagePullPolicy: Always
C. Run 'cosign verify' manually before every deployment
D. Use Kyverno policy to verify image signatures
E. Use NodeRestriction admission controller
Answers: A, D

ImagePolicyWebhook can reject unsigned images.

Why this answer

Using an admission controller like ImagePolicyWebhook or Kyverno enforces signature verification for every Pod the cluster admits. Running cosign verify by hand is a manual step, not cluster-wide enforcement; imagePullPolicy and NodeRestriction do not inspect signatures.

116
MCQ · medium

In a CI/CD pipeline, at which stage should container image scanning be performed?

A. Only when a vulnerability is reported
B. After deployment to production
C. Before code commit
D. After building the image but before pushing to registry
Answer: D

Scanning at this stage prevents vulnerable images from being stored or deployed.

Why this answer

Scanning should run after the image is built and before it is pushed, so vulnerable images never reach the registry, let alone the cluster. Option D is correct. In practice also scan the build context earlier (trivy fs) and rescan stored images periodically, because new CVEs are published after an image was built.
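Added example that is not part of the original page, covering the pipeline order discussed in questions 79, 101, 106, 109 and 116 as a GitHub Actions workflow: build, scan (failing the job on CRITICAL findings), push, attach the SBOM attestation, sign by digest. It assumes docker, trivy, syft and cosign are already on the runner, a Cosign key pair stored in the COSIGN_PRIVATE_KEY and COSIGN_PASSWORD secrets, and the image name shown.

```yaml
name: build-scan-sign
on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write                       # push to ghcr.io with the workflow token

env:
  IMAGE: ghcr.io/example-org/app        # assumed image name
  TAG: ${{ github.sha }}

jobs:
  supply-chain:
    runs-on: ubuntu-latest              # assumed: docker, trivy, syft and cosign on PATH
    steps:
      - uses: actions/checkout@v4

      - name: Build image (not pushed yet)
        run: docker build -t "$IMAGE:$TAG" .

      - name: Scan before push; any CRITICAL finding fails the job
        run: |
          trivy image --severity CRITICAL --ignore-unfixed \
            --format json --output trivy-report.json \
            --exit-code 1 "$IMAGE:$TAG"

      - name: Push and resolve the immutable digest reference
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
          docker push "$IMAGE:$TAG"
          # RepoDigests is populated after the push; sign the digest, never the tag
          echo "DIGEST_REF=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")" >> "$GITHUB_ENV"

      - name: Generate SBOM and attach it as an in-toto attestation
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          syft "$DIGEST_REF" -o spdx-json > sbom.spdx.json
          cosign attest --yes --key env://COSIGN_PRIVATE_KEY \
            --type spdxjson --predicate sbom.spdx.json "$DIGEST_REF"

      - name: Sign the image
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$DIGEST_REF"
```

The scan step runs against the local image, so a failing build never reaches the registry; `trivy-report.json` is still written for the job log. Signing and attesting by digest means the signature stays valid if the tag is later moved, and an admission policy that checks the signature can also rewrite the tag to that digest.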

117
Multi-Select · easy

Which THREE of the following are valid flags for the 'trivy image' command to output results in different formats?

Select 3 answers
A. --format table
B. --format sarif
C. --format xml
D. --format yaml
E. --format json
Answers: A, B, E

Table is the default output format.

Why this answer

Correct answers: A, B, E. Trivy supports table (the default), json and sarif, as well as template, github, cyclonedx and spdx/spdx-json output. Option C (--format xml) is not supported.

Option D (--format yaml) is not supported either; use json for machine-readable output.

118
MCQ · medium

Which admission controller is responsible for invoking external webhooks to validate or mutate resources?

A. ImagePolicyWebhook
B. ValidatingAdmissionWebhook
C. MutatingAdmissionWebhook
D. PodSecurity
Answer: B

This admission controller calls external webhook services to validate resources.

Why this answer

ValidatingAdmissionWebhook and MutatingAdmissionWebhook are the two admission controllers that call out to external webhook servers (registered through ValidatingWebhookConfiguration and MutatingWebhookConfiguration); Kyverno and Gatekeeper plug in through them. ImagePolicyWebhook also calls an external backend, but only to approve or reject image references, and PodSecurity is built in.

As worded, both B and C fit the question; the answer key selects B, the controller that invokes validating webhooks.

119
MCQ · medium

Which admission controller runs FIRST in the Kubernetes admission flow?

A. ResourceQuota
B. ValidatingAdmissionWebhook
C. MutatingAdmissionWebhook
D. ImagePolicyWebhook
Answer: C

MutatingAdmissionWebhook runs before validating webhooks.

Why this answer

Admission runs in two phases: all mutating admission plugins first, then all validating plugins. Of the options listed, MutatingAdmissionWebhook is the only mutating controller, so it runs before ValidatingAdmissionWebhook, ImagePolicyWebhook and ResourceQuota, which are validating. Within the mutating phase the built-in mutating plugins run before the mutating webhooks, and the object is validated only after all mutations are applied.

120
MCQ · easy

A security best practice for Dockerfiles is to avoid hardcoded secrets. Which Dockerfile instruction is MOST likely to contain a hardcoded secret?

A. ENV
B. EXPOSE
C. RUN
D. FROM
Answer: A

ENV sets environment variables that can contain hardcoded secrets.

Why this answer

ENV bakes a value into the image configuration, so anyone who can pull the image can read it with docker inspect or docker history. ARG values also leak into the history when used in RUN, and a secret copied in during a RUN step stays in that layer even if a later step deletes it; use BuildKit secret mounts (RUN --mount=type=secret) or inject secrets at runtime instead. The most common culprit is ENV with a secret value.

121
MCQ · medium

A security audit reveals that a container image running in production contains a critical vulnerability (CVE-2024-1234). The image was built from a base image that had the vulnerability. What is the MOST effective long-term solution to prevent such issues?

A. Use a runtime security tool like Falco to detect exploitation attempts.
B. Patch the vulnerability by installing a security update inside the running container.
C. Add an admission controller that rejects images with vulnerabilities.
D. Rebuild the image using a patched base image and integrate vulnerability scanning into the CI pipeline.
E. Switch to a different container runtime that is immune to the vulnerability.
Answer: D

Fixing the base image and scanning prevent vulnerable images from being built.

Why this answer

Option D is the most effective long-term solution because it addresses the root cause by rebuilding the image from a patched base image, eliminating the vulnerability at the source. Integrating vulnerability scanning into the CI pipeline ensures that future images are automatically checked for known CVEs before deployment, preventing vulnerable images from reaching production. This aligns with the principle of shifting security left in the software supply chain.

Exam trap

CNCF often tests the distinction between reactive runtime detection (Falco) and proactive supply chain fixes (rebuilding with patched base images), leading candidates to choose a runtime tool instead of addressing the root cause in the CI/CD pipeline.

How to eliminate wrong answers

Option A is wrong because Falco is a runtime security tool that detects exploitation attempts but does not prevent the vulnerable image from being deployed or fix the underlying vulnerability; it only provides detection and alerting. Option B is wrong because patching a running container is a temporary, non-repeatable fix that violates immutable infrastructure principles; the patch is lost on container restart and does not address the base image issue. Option C is wrong because an admission controller that rejects images with vulnerabilities is a preventive control, but it does not fix the vulnerable images already in production and relies on a policy that may block legitimate updates; it also does not address the root cause in the CI pipeline.

Option E is wrong because switching to a different container runtime does not fix the vulnerability in the image; the runtime is not responsible for image content, and the CVE would still be present regardless of the runtime used.

122
Multi-Selectmedium

Which TWO of the following are best practices for Dockerfile security according to CKS guidelines?

Select 2 answers
A.RUN useradd -m myuser && USER root
B.COPY --from=builder /app /app
C.RUN adduser -D myuser && USER myuser
D.FROM scratch
E.FROM alpine:latest
AnswersC, D

This creates a non-root user and switches to it, following security best practice.

Why this answer

Correct answers: C and D. Option C creates an unprivileged user and switches to it, so the application process does not run as root inside the container. Option D (`FROM scratch`) starts from an empty image with no shell, package manager or libraries, which minimises the attack surface (it is practical only for statically linked binaries).

Option A is insecure because it ends as root; as written it would not even build, since `USER` is a Dockerfile instruction rather than a shell command, so `RUN ... && USER root` fails. Option E pins nothing: the `latest` tag is mutable, so the build is not reproducible and a later pull may silently bring in a different image. Option B (copying from a builder stage) is the multi-stage pattern. It does reduce attack surface by keeping build tools out of the final image, but on its own it says nothing about privilege or base image choice, so the two most direct security practices are C and D.

123
MCQhard

A security policy requires that all container images must reference a specific SHA256 digest instead of a tag. You need to enforce this using Kyverno. Which Kyverno rule type and pattern would you use?

A.A generate rule that creates a ConfigMap with allowed digests
B.A mutate rule that replaces the image tag with a digest
C.A validate rule with a pattern that the image field matches '@sha256:'
D.A validate rule checking the annotation 'image.openshift.io/triggers'
AnswerC

A validate rule can enforce that the image reference contains a digest. Example (abbreviated): a pattern of "*@sha256:*" on spec.containers[*].image.

Why this answer

Option C is correct. A validate rule with the wildcard pattern "*@sha256:*" on the image field rejects any container whose reference is not pinned by digest (Kyverno patterns use wildcards, not regular expressions). Option A is a generate rule, which creates resources rather than validating them. Option B is a mutate rule: it could rewrite a tag into a digest, but it enforces nothing if the rewrite fails or is bypassed. Option D checks an OpenShift trigger annotation, not the image field.

124
MCQmedium

An administrator runs 'trivy image --severity HIGH,CRITICAL myapp:v1.0' and sees no vulnerabilities. However, a security scan of the same image using a different tool reports several HIGH severity CVEs. What is the MOST likely reason for this discrepancy?

A.Trivy only scans the application layer and ignores the base image
B.The image was scanned with an outdated vulnerability database
C.Trivy cannot scan images stored in private registries
D.The other tool has false positives
AnswerB

Trivy's findings are only as current as its locally cached vulnerability database; a stale copy misses CVEs published since it was last refreshed.

Why this answer

Trivy downloads a vulnerability database and caches it locally; if that copy is stale, CVEs published since the last update are not reported, so the other tool, working from fresher data, finds them. Refresh the database (`trivy image --download-db-only`) and rescan before comparing tools. Scanners also differ in which advisory sources they ingest and how they match packages to CVEs, so some residual difference between tools is normal; a whole set of missing HIGH findings, however, points first at stale data. Option A is false (Trivy scans OS packages in every layer, base image included), option C is false (Trivy authenticates to private registries), and option D is possible but not the most likely explanation.
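
To turn the stale-database explanation above into a check, here is an added example written for this page (not Trivy's own code and not part of the quiz) that fails a CI step when Trivy's cached database is past its `NextUpdate` time. It assumes the metadata file Trivy keeps in its cache directory under `db/metadata.json`, with RFC 3339 UTC timestamps in the `UpdatedAt` and `NextUpdate` keys; the file written by the script is a constructed sample, not real Trivy output.

```sh
#!/bin/sh
# Added example (not from the quiz): refuse to trust a Trivy scan whose local
# vulnerability database is past its NextUpdate time. Assumes the metadata
# file Trivy keeps at $TRIVY_CACHE_DIR/db/metadata.json, with RFC 3339 UTC
# timestamps under the keys "UpdatedAt" and "NextUpdate"; the file written
# below is a constructed sample, not real Trivy output.

# json_field KEY FILE: value of a top-level string key (flat JSON only).
json_field() {
  sed -nE "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"([^\"]+)\".*/\1/p" "$2" 2>/dev/null
}

# norm_ts TIMESTAMP: drop fractional seconds and the trailing Z so that UTC
# timestamps of fixed field width compare correctly as plain strings.
norm_ts() {
  t=${1%%.*}
  printf '%s\n' "${t%Z}"
}

# trivy_db_stale METADATA NOW: 0 (true) if NOW is past NextUpdate or the
# metadata cannot be read (fail closed), 1 otherwise.
trivy_db_stale() {
  next=$(json_field NextUpdate "$1")
  [ -n "$next" ] || return 0
  expr "$(norm_ts "$2")" \> "$(norm_ts "$next")" >/dev/null
}

# db_age_report METADATA NOW: one human-readable line for CI logs.
db_age_report() {
  if trivy_db_stale "$1" "$2"; then
    printf 'STALE: DB updated %s, refresh was due %s\n' \
      "$(json_field UpdatedAt "$1")" "$(json_field NextUpdate "$1")"
  else
    printf 'OK: DB updated %s, next refresh %s\n' \
      "$(json_field UpdatedAt "$1")" "$(json_field NextUpdate "$1")"
  fi
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
# Constructed sample: a DB fetched on 1 March whose refresh was due 2 March.
cat >"$TMP/metadata.json" <<'EOF'
{"Version":2,"NextUpdate":"2024-03-02T06:00:00.1234567Z","UpdatedAt":"2024-03-01T06:00:00.9876543Z","DownloadedAt":"2024-03-01T07:15:00Z"}
EOF

db_age_report "$TMP/metadata.json" "2024-03-01T12:00:00Z"   # OK
db_age_report "$TMP/metadata.json" "2024-03-10T12:00:00Z"   # STALE
```

Run it before `trivy image`; if it reports STALE, refresh with `trivy image --download-db-only` and rescan. Once the database is known good, `--skip-db-update` keeps a pipeline run reproducible against that snapshot, and `trivy --version` prints the cached database's UpdatedAt and NextUpdate for a manual check.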

125
MCQhard

An admin runs 'kubectl run test-pod --image=nginx:latest' and the Pod is created but immediately enters 'CrashLoopBackOff'. 'kubectl describe pod test-pod' shows 'Back-off restarting failed container'. Which admission controller might cause this if misconfigured?

A.ValidatingAdmissionWebhook
B.MutatingAdmissionWebhook
C.PodSecurity
D.PersistentVolumeClaimResize
AnswerB

A mutating webhook can rewrite the Pod spec (for example injecting a sidecar or changing the command), so the Pod is admitted but its container then fails at runtime.

Why this answer

A rejecting admission controller (ValidatingAdmissionWebhook, PodSecurity) acts before the object is stored: the Pod is never created and `kubectl run` reports the denial immediately. Here the Pod exists and its container keeps restarting, which means the request was admitted. A MutatingAdmissionWebhook that alters the spec (an injected sidecar that crashes, or a rewritten command or args the image cannot run) produces exactly this pattern. Compare the stored object (`kubectl get pod test-pod -o yaml`) with what was submitted to confirm the mutation, and read the container's own failure with `kubectl logs test-pod --previous`.

126
MCQhard

A developer creates a Dockerfile with 'FROM ubuntu:latest'. The security team recommends using a minimal base image. Which change minimizes the attack surface?

A.FROM gcr.io/distroless/base:latest
B.FROM alpine:latest
C.FROM scratch
D.FROM ubuntu:20.04
AnswerA

Distroless images contain only the necessary runtime dependencies, greatly reducing the attack surface.

Why this answer

Using a distroless image leaves only the application's runtime dependencies (no shell, no package manager), so far fewer packages can carry CVEs. Option A is correct. Option C (`scratch`) is smaller still but works only for statically linked binaries and provides neither libc nor CA certificates, which distroless base still ships; option B (Alpine) still includes a shell and apk; option D swaps one full distribution for another. Note that `:latest` in the chosen answer is still a floating tag; in practice pin the base image to a specific tag or digest.

127
MCQeasy

Which of the following is a static analysis tool for Kubernetes manifests?

A.Kubesec
B.Cosign
C.Trivy
D.Syft
AnswerA

Kubesec analyzes Kubernetes resource manifests and scores them based on security best practices.

Why this answer

Kubesec is a static analysis tool that evaluates Kubernetes resources against security best practices. The others are not static analysis tools for manifests.

128
MCQhard

You are configuring ImagePolicyWebhook admission controller to reject images not signed by a trusted authority. After deploying the webhook, you notice that pods are being rejected even for images that are properly signed. Which configuration change is MOST likely to fix this?

A.Increase the memory limit of the API server
B.Change the webhook from 'MutatingAdmissionWebhook' to 'ValidatingAdmissionWebhook'
C.Set failurePolicy to Ignore in the webhook configuration
D.Grant the webhook service account cluster-admin role
AnswerC

When the API server cannot reach the webhook backend, the default is to deny. Failing open admits Pods while the backend is unreachable, but this is a temporary workaround: the root cause (connectivity, TLS trust, or the kubeconfig used to call the backend) must still be fixed.

Why this answer

Option C is the keyed answer. The ImagePolicyWebhook plugin calls an external backend for every Pod; if that call fails and the plugin is configured to fail closed, every Pod is rejected regardless of its signatures, which is exactly the symptom. Note the exact setting: for ImagePolicyWebhook it lives in the API server's AdmissionConfiguration file as `imagePolicy.defaultAllow`, while `failurePolicy: Ignore` is the equivalent field on a ValidatingWebhookConfiguration or MutatingWebhookConfiguration. Either way, failing open trades enforcement for availability, so treat it as a stopgap while fixing reachability, certificate trust or the kubeconfig the plugin uses to call the backend.

Option A (API server memory) does not change admission decisions. Option B does not apply: ImagePolicyWebhook is its own admission plugin, not a dynamic webhook of either type. Option D grants the webhook's service account far more privilege than it needs and does nothing about the rejected requests.

129
MCQhard

A pod is stuck in Pending state. 'kubectl describe pod' shows the event: '0/4 nodes are available: 1 node had taint {node-role.kubernetes.io/control-plane: }, that the pod didn't tolerate, 3 Insufficient memory.' The pod YAML does not specify any tolerations. Which command would allow the pod to schedule on the control-plane node?

A.kubectl taint nodes control-plane node-role.kubernetes.io/control-plane-
B.kubectl cordon control-plane
C.Edit the pod YAML to add tolerations for node-role.kubernetes.io/control-plane
D.kubectl delete pod --all
AnswerC

Adding the appropriate toleration allows the pod to schedule on tainted nodes.

Why this answer

To schedule on a control-plane node the Pod must tolerate the `node-role.kubernetes.io/control-plane` taint. Option A removes the taint from the node, which lets every Pod in the cluster schedule there and is a cluster-wide change rather than a per-Pod fix. Option B marks the node unschedulable, the opposite of what is wanted. Option D deletes Pods and changes nothing about scheduling. Note that the event also reports three nodes short of memory; a toleration only makes the control-plane node eligible, it does not fix the memory requests.

130
MCQmedium

A Kubernetes cluster has Kyverno installed. A policy requires that all images come from a trusted registry 'trusted.example.com'. A Deployment uses the image 'nginx:latest'. When the Deployment is created, it is blocked. What Kyverno policy action is being used?

A.validate with failureAction: enforce
B.audit
C.mutate
D.generate
AnswerA

Enforce validation blocks non-compliant resources.

Why this answer

Kyverno validate rules run in one of two modes: `Audit` records the violation in a policy report without blocking, while `Enforce` rejects the admission request. Because the Deployment was blocked, the rule runs in enforce mode (set with `failureAction` on the rule or, in older policies, `validationFailureAction` on the policy spec). Kyverno's auto-generated rules apply the Pod-level check to the Deployment's Pod template, which is why the Deployment itself is rejected rather than its Pods.

131
MCQmedium

A DevOps engineer runs 'trivy image myapp:latest' and finds a critical CVE in the base image. Which Dockerfile change would BEST address this?

A.Use an Alpine base image with the latest tag
B.Set USER root in the Dockerfile
C.Switch to a distroless base image with a SHA digest
D.Add a non-root user in the Dockerfile
AnswerC

Distroless images are minimal and have fewer CVEs. Using SHA prevents unexpected changes.

Why this answer

Using a minimal distroless base image reduces attack surface and typically has fewer CVEs. Pinning to a specific SHA ensures repeatability and avoids pulling an updated tag that may introduce different vulnerabilities.

132
MCQhard

A Kyverno policy is written to require all images to use SHA256 digests instead of tags. The policy uses a 'validate' rule with 'pattern' on 'spec.containers[*].image'. Which pattern would match an image reference like 'registry.example.com/myapp@sha256:abc123...'?

A."*@sha256:*"
B."*@*"
C."*@sha256:*"
D."*:*"
AnswerC

This glob pattern matches any image that contains '@sha256:'.

Why this answer

Kyverno patterns use wildcards, not regular expressions: `*` matches any sequence of characters, so "*@sha256:*" matches any reference that contains an `@sha256:` digest. Option B also accepts `@` followed by anything (a different digest algorithm or garbage), and option D matches ordinary tag references such as `nginx:latest`, which is exactly what the policy must reject.
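
The wildcard pattern in this question and in question 123 can be exercised outside the cluster. The following is an added example written for this page (not Kyverno's code and not part of the quiz): a shell pre-check that applies the same `*@sha256:*` test to every `image:` value in a manifest, then adds two checks the admission pattern alone does not make: the digest must be 64 hex characters, and, when an allow-list of known-good references is supplied, it must match one of them (the digest-comparison method from questions 135 and 148). The manifest, allow-list and digests are constructed; the registry name is the question's own `registry.example.com`.

```sh
#!/bin/sh
# Added example (not from the quiz): a CI pre-check that applies the same
# wildcard rule as the Kyverno pattern "*@sha256:*" to every image reference
# in a manifest, then goes further than the pattern: the digest must be
# 64 hex characters and, when an allow-list is given, must match a known-good
# reference. The manifest, allow-list and digests below are constructed.
set -f   # no pathname expansion: image references contain no globs

# image_has_digest REF: 0 if REF contains "@sha256:", else 1 (the same test
# the Kyverno wildcard "*@sha256:*" makes).
image_has_digest() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *)          return 1 ;;
  esac
}

# digest_is_well_formed REF: 0 if the part after "@sha256:" is 64 hex chars.
digest_is_well_formed() {
  printf '%s\n' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$'
}

# digest_is_allowed REF ALLOWLIST: 0 if REF appears verbatim in ALLOWLIST
# (one "name@sha256:<hex>" per line).
digest_is_allowed() {
  grep -qxF "$1" "$2"
}

# extract_images MANIFEST: every value of an "image:" key, one per line.
# Line-oriented read of the YAML; adequate for plain manifests.
extract_images() {
  sed -nE 's/^[[:space:]]*-?[[:space:]]*image:[[:space:]]*"?([^"[:space:]]+)"?.*$/\1/p' "$1"
}

# check_manifest MANIFEST [ALLOWLIST]: prints a verdict per image on stderr
# and the number of violations on stdout (0 means the manifest passes).
check_manifest() {
  violations=0
  for img in $(extract_images "$1"); do
    if ! image_has_digest "$img"; then
      printf 'DENY  %s: not pinned by digest (tags are mutable)\n' "$img" >&2
      violations=$((violations + 1))
    elif ! digest_is_well_formed "$img"; then
      printf 'DENY  %s: digest is not 64 hex characters\n' "$img" >&2
      violations=$((violations + 1))
    elif [ -n "${2:-}" ] && ! digest_is_allowed "$img" "$2"; then
      printf 'DENY  %s: digest not in allow-list\n' "$img" >&2
      violations=$((violations + 1))
    else
      printf 'ALLOW %s\n' "$img" >&2
    fi
  done
  echo "$violations"
}

# Constructed digests (hex only; they identify no real image).
D_TOOLS=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
D_APP=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
D_OTHER=a1b2c3d4e5f60718a1b2c3d4e5f60718a1b2c3d4e5f60718a1b2c3d4e5f60718

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat >"$TMP/deploy.yaml" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  template:
    spec:
      initContainers:
      - name: init
        image: registry.example.com/tools@sha256:$D_TOOLS
      containers:
      - name: app
        image: "registry.example.com/myapp@sha256:$D_APP"
        imagePullPolicy: IfNotPresent
      - name: sidecar
        image: nginx:latest
      - name: rebuilt
        image: registry.example.com/myapp@sha256:$D_OTHER
      - name: typo
        image: registry.example.com/myapp@sha256:abc123
EOF
cat >"$TMP/allow.txt" <<EOF
registry.example.com/tools@sha256:$D_TOOLS
registry.example.com/myapp@sha256:$D_APP
EOF

echo "violations (digest rule only): $(check_manifest "$TMP/deploy.yaml")"
echo "violations (digest rule + allow-list): $(check_manifest "$TMP/deploy.yaml" "$TMP/allow.txt")"
```

With the digest rule alone the script denies `nginx:latest` and the malformed `@sha256:abc123` (two violations); with the allow-list it also denies the well-formed but unknown digest on the `rebuilt` container (three). The admission pattern stops at the first check, which is why a signature or allow-list check at deploy time is still needed for provenance.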

133
MCQeasy

In a CI/CD pipeline, which step is MOST effective for detecting known vulnerabilities in a container image before deployment?

A.Run a vulnerability scan on the container image
B.Check the image size
C.Run unit tests on the application code
D.Lint the Dockerfile
AnswerA

Scanning the image for CVEs identifies known security issues.

Why this answer

Running an image vulnerability scanner such as Trivy in the pipeline detects known CVEs before deployment. Option A is correct; image size, unit tests and Dockerfile linting catch other problems but not known vulnerabilities in the packaged components.

134
MCQeasy

Which command scans a Docker image for CVEs using Trivy?

A.trivy cve myapp:latest
B.trivy check myapp:latest
C.trivy image myapp:latest
D.trivy scan myapp:latest
AnswerC

This is the correct Trivy command to scan a container image for vulnerabilities.

Why this answer

The Trivy subcommand for container images is `trivy image <image>`. Option C is correct; `cve`, `check` and `scan` are not Trivy subcommands.

135
Multi-Selectmedium

Which TWO of the following are valid methods to verify the integrity of a container image in a Kubernetes supply chain? (Select 2)

Select 2 answers
A.Signing the image with Cosign and verifying the signature before deployment
B.Running the container in a separate namespace
C.Using a SHA256 digest instead of a tag in the image reference
D.Scanning the image for vulnerabilities using Trivy
E.Using a base image with the latest tag
AnswersA, C

Image signing ensures the image has not been tampered with and originated from a trusted source.

Why this answer

Image signing with Cosign and using SHA digests are both methods to verify image integrity. Scanning for CVEs does not verify integrity but finds vulnerabilities. Namespace isolation is not related to image verification.

136
Multi-Selectmedium

Which TWO of the following are valid admission controllers in Kubernetes? (Select TWO)

Select 2 answers
A.PodSecurityPolicy
B.MutatingAdmissionWebhook
C.ImagePolicyWebhook
D.NodeRestriction
E.OPA
AnswersB, C

MutatingAdmissionWebhook is a built-in admission plugin that forwards objects to a webhook which may modify them before they are stored.

Why this answer

The answer key accepts ImagePolicyWebhook and MutatingAdmissionWebhook, both built-in admission plugins enabled on the API server with `--enable-admission-plugins`. Two caveats for practitioners: NodeRestriction is also a built-in admission plugin (it limits a kubelet to modifying its own Node object and the Pods bound to it), and PodSecurityPolicy was one until it was removed in Kubernetes 1.25 (its replacement is the PodSecurity admission controller). OPA itself is a policy engine, not an admission controller; it takes part in admission only through a ValidatingAdmissionWebhook (OPA Gatekeeper).

137
MCQhard

Refer to the exhibit. A cluster has the ClusterImagePolicy shown. A developer creates a pod with an image from registry.example.com/myapp:v1, which was built and signed by a GitHub Actions workflow that is NOT defined in the policy (different workflow). Which behavior will occur when the pod is created?

A.The pod is admitted because keyless signing does not enforce identity matching.
B.The pod is admitted because the policy only applies to images with a tag 'v*'.
C.The pod is admitted because the image is from the allowed registry.
D.The pod is denied because the image's signer identity does not match the policy.
AnswerD

The identity check fails, so the Sigstore policy-controller (formerly cosigned) denies admission.

Why this answer

Option D is correct because the ClusterImagePolicy enforces that images must be signed by a specific identity (the GitHub Actions workflow defined in the policy). The image from registry.example.com/myapp:v1 was signed by a different workflow, so the signer identity does not match the policy's required identity. Sigstore keyless signing verifies the OIDC identity embedded in the signature, and if the identity does not match the policy's `issuer` and `subject` patterns, the admission controller denies the pod.

Exam trap

CNCF often tests the misconception that keyless signing only verifies the signature's cryptographic validity, not the identity of the signer, but in reality the policy enforces identity matching via OIDC claims.

How to eliminate wrong answers

Option A is wrong because keyless signing does enforce identity matching via OIDC tokens; the policy specifies allowed identities, and mismatches cause denial. Option B is wrong because the policy uses a regex `v*` which matches any tag starting with 'v', and 'v1' matches that pattern, so the policy applies. Option C is wrong because the policy restricts based on signer identity, not just registry; the image is from an allowed registry but the signer identity does not match, so admission is denied.

138
MCQmedium

During a CI/CD pipeline, you run 'trivy image myapp:latest' and get a high number of vulnerabilities. What is the BEST action to reduce the vulnerability count?

A.Increase CPU and memory limits for the container
B.Switch to a distroless base image
C.Sign the image with Cosign
D.Remove all environment variables from the Dockerfile
AnswerB

Distroless images have fewer components, reducing the attack surface and vulnerability count.

Why this answer

Option B is correct. A minimal base image such as distroless (or Alpine) ships far fewer OS packages, so fewer components can carry CVEs; vulnerabilities in the application's own dependencies still have to be fixed by updating those dependencies. Option A changes resource limits, option C (signing) proves integrity and provenance but removes no vulnerability, and option D has no effect on the packages in the image.

139
MCQmedium

A security engineer runs 'kubesec scan deployment.yaml' and receives a score of -1. What does this score indicate?

A.The deployment passed all security checks
B.The deployment is not secure and needs immediate attention
C.The scan failed due to an error or invalid YAML
D.The deployment has critical vulnerabilities
AnswerC

Kubesec returns -1 when the file cannot be parsed or scanned correctly.

Why this answer

Kubesec uses a scoring system where -1 indicates a failed scan due to an error or misconfiguration in the file.

140
Multi-Selectmedium

Which TWO of the following are valid methods to supply a Kubernetes manifest to kubesec for static analysis?

Select 2 answers
A.cat deploy.yaml | kubesec scan /dev/stdin
B.kubectl apply -f deploy.yaml | kubesec scan
C.kubectl get deployment myapp -o yaml | kubesec scan
D.kubesec scan deploy.yaml
E.kubesec curl https://example.com/deploy.yaml
AnswersA, D

kubesec scans a file path; pointing it at /dev/stdin lets it read a piped manifest.

Why this answer

Correct answers: A and D. kubesec takes a file argument, so `kubesec scan deploy.yaml` and `cat deploy.yaml | kubesec scan /dev/stdin` both work. Option E (`kubesec curl`) is not a kubesec command. Option B applies the manifest to the cluster instead of scanning it. Option C retrieves a live manifest, which is a sensible thing to scan, but as written gives kubesec no file argument; pipe it into `kubesec scan /dev/stdin`.

141
MCQmedium

Which kubectl command signs a container image using Cosign?

A.crictl sign myimage:latest
B.kubectl sign image myimage:latest
C.cosign sign myimage:latest
D.kubectl cosign sign myimage:latest
AnswerC

Cosign's sign command signs a container image.

Why this answer

Cosign is a standalone CLI, not a kubectl plugin or crictl subcommand. Option C is correct. Sign by digest rather than by tag where possible (cosign v2 warns when given a tag) so that the signature is bound to immutable content.

142
Multi-Selecteasy

Which THREE of the following are best practices for writing Dockerfiles?

Select 3 answers
A.Minimize the number of layers
B.Use the 'latest' tag for base images
C.Use specific tags or digests for base images
D.Install all packages that might be needed for debugging
E.Run containers as a non-root user
AnswersA, C, E

Fewer, purpose-built layers keep the image small and its contents easy to audit; pinning the base image and running as non-root are the security-critical points.

Why this answer

Using specific base image tags, running as non-root, and minimizing layers are best practices. Using latest tag and installing unnecessary packages are not.
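
The Dockerfile practices from this question and from question 122 can be checked mechanically. The following is an added example written for this page (not part of the quiz and not any project's own tool): a small POSIX shell linter that fails a base image that is bare or `:latest`, reports a tagged-but-not-digest-pinned base as information, and fails when the final `USER` is root or unset; it also notes multi-stage builds. The three Dockerfiles are constructed, and the `@sha256:` digests in the hardened one are placeholder hex, not real image digests. It reads the Dockerfile line by line, so a backslash-continued `RUN` is not reassembled; use hadolint for a complete linter.

```sh
#!/bin/sh
# Added example (not from the quiz): a minimal Dockerfile linter for the
# practices the questions list: base images pinned by tag or digest (never
# bare or :latest) and a final USER that is not root. Multi-stage builds are
# reported as information only. The Dockerfiles below are constructed and the
# digests in the hardened one are placeholder hex, not real image digests.
set -f   # no pathname expansion while splitting Dockerfile lines

# base_image_finding REF: prints a finding and returns 0 when REF is an
# unpinned base image; returns 1 (printing INFO at most) when acceptable.
base_image_finding() {
  ref=$1
  case "$ref" in
    scratch)    return 1 ;;   # empty image, nothing to pin
    *@sha256:*) return 1 ;;   # pinned by digest: immutable
  esac
  case "${ref##*/}" in        # look at the last path component only
    *:latest) echo "FROM $ref: floating 'latest' tag, pin a tag or digest" ;;
    *:*) printf 'INFO FROM %s is tagged but not digest-pinned\n' "$ref" >&2; return 1 ;;
    *)   echo "FROM $ref: no tag, resolves to 'latest'" ;;
  esac
}

# lint_dockerfile FILE: findings on stderr, count of failures on stdout.
lint_dockerfile() {
  file=$1; findings=0; stages=0; last_user=""
  while read -r instr arg || [ -n "$instr" ]; do
    case "$instr" in ''|'#'*) continue ;; esac      # blank or comment line
    instr=$(printf '%s' "$instr" | tr '[:lower:]' '[:upper:]')
    case "$instr" in
      FROM)
        stages=$((stages + 1))
        set -- $arg                                # [--flags] ref [AS name]
        while [ "${1#--}" != "$1" ]; do shift; done
        if msg=$(base_image_finding "$1"); then
          printf 'FAIL %s\n' "$msg" >&2
          findings=$((findings + 1))
        fi ;;
      USER) last_user=$arg ;;                      # last USER wins at runtime
    esac
  done <"$file"
  case "$last_user" in
    ''|root|root:*|0|0:*)
      printf 'FAIL container runs as root (final USER is "%s")\n' "${last_user:-unset}" >&2
      findings=$((findings + 1)) ;;
  esac
  [ "$stages" -ge 2 ] && printf 'INFO %s build stages: build tools stay out of the final image\n' "$stages" >&2
  echo "$findings"
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat >"$TMP/Dockerfile.weak" <<'EOF'
FROM ubuntu:latest
RUN apt-get update && apt-get install -y build-essential
COPY . /app
CMD ["/app/server"]
EOF
cat >"$TMP/Dockerfile.alpine" <<'EOF'
FROM alpine:3.19
RUN adduser -D myuser
USER myuser
EOF
cat >"$TMP/Dockerfile.hardened" <<'EOF'
# builder stage: the toolchain never reaches the runtime image
FROM golang:1.22@sha256:1111111111111111111111111111111111111111111111111111111111111111 AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/server .

FROM gcr.io/distroless/static:nonroot@sha256:2222222222222222222222222222222222222222222222222222222222222222
COPY --from=builder /out/server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]
EOF

echo "weak: $(lint_dockerfile "$TMP/Dockerfile.weak") failure(s)"
echo "alpine: $(lint_dockerfile "$TMP/Dockerfile.alpine") failure(s)"
echo "hardened: $(lint_dockerfile "$TMP/Dockerfile.hardened") failure(s)"
```

The weak file fails twice (floating `latest` tag, no `USER`), the Alpine file passes with an INFO line because a version tag is still mutable, and the hardened multi-stage file passes cleanly. Wire the count into CI (`[ "$(lint_dockerfile Dockerfile)" -eq 0 ]`) to block merges that reintroduce either problem.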

143
MCQmedium

You are tasked with ensuring that all container images in your cluster are scanned for vulnerabilities before being deployed. You have set up Trivy in your CI/CD pipeline and want to enforce that only images with no critical vulnerabilities are allowed. Which admission controller should you configure to reject pods using non-compliant images?

A.ImagePolicyWebhook
B.ValidatingAdmissionWebhook
C.PodSecurityPolicy (PSP)
D.ResourceQuota
AnswerA

ImagePolicyWebhook is the admission controller designed to intercept image-related requests and can be configured to reject images based on external scanning results.

Why this answer

Option A is correct. ImagePolicyWebhook is a built-in admission plugin that calls an external backend to allow or deny the images in a Pod; that backend can consult scan results (for example, from Trivy run in the pipeline) and reject images with critical findings. A ValidatingAdmissionWebhook (option B) could implement the same logic through a policy engine, but ImagePolicyWebhook is the controller built for image policy. PodSecurityPolicy was removed in Kubernetes 1.25, and ResourceQuota limits resource consumption, not image content.

144
MCQhard

A security engineer wants to ensure that all container images in a Kubernetes cluster have a non-root user. Which admission controller can enforce this requirement?

A.ServiceAccount
B.PodSecurityPolicy (deprecated)
C.NodeRestriction
D.Kyverno
AnswerD

Kyverno can enforce policies like requiring runAsNonRoot: true.

Why this answer

Kyverno runs as a dynamic admission webhook and can validate Pod security contexts, for example requiring `runAsNonRoot: true`. Option D is correct. (The built-in PodSecurity admission controller also enforces this under the `restricted` profile, but it is not among the options.) ServiceAccount and NodeRestriction are admission plugins with other purposes, and PodSecurityPolicy has been removed.

145
Multi-Selectmedium

Which TWO of the following are benefits of using an SBOM (Software Bill of Materials) in supply chain security?

Select 2 answers
A.It allows for faster image pulls
B.It helps in identifying known vulnerabilities in dependencies
C.It ensures license compliance by tracking open source components
D.It reduces the size of the container image
E.It automatically patches vulnerabilities
AnswersB, C

By listing components, you can cross-reference with vulnerability databases.

Why this answer

An SBOM provides a list of all components in a software artifact, which helps in identifying vulnerabilities and ensuring license compliance.

146
MCQhard

You have a Kyverno policy that validates image registries. The policy should allow only images from `myregistry.example.com`. Which Kyverno rule field should be used to check the image registry?

A.mutate
B.resources
C.imageRegistry
D.generate
AnswerC

The answer key treats imageRegistry as the field for this check.

Why this answer

The answer key uses `imageRegistry`. Note for practice: in Kyverno, `imageRegistry` is a context entry that fetches image metadata from a registry, and the usual way to allow-list a registry is a validate rule whose wildcard pattern pins the image prefix, for example `image: "myregistry.example.com/*"`. The other options are rule types (mutate, generate) or the match selector (resources), none of which expresses the registry constraint.

147
MCQmedium

A security scan report shows that a container image has several high-severity CVEs. The team wants to implement automated scanning in CI/CD pipeline. Which tool would you recommend for scanning container images in a CI pipeline?

A.Syft
B.Checkov
C.Kubesec
D.Trivy
AnswerD

Trivy scans container images for known vulnerabilities.

Why this answer

Trivy is a popular open-source vulnerability scanner for container images, filesystems, and Git repos. It can be easily integrated into CI/CD pipelines.

148
Multi-Selectmedium

Which TWO of the following are valid methods to verify the integrity of a container image? (Select 2)

Select 2 answers
A.Use trivy image to check for vulnerabilities
B.Compare the image SHA digest with a known good digest
C.Use cosign verify to check the image signature
D.Use docker history to view layers
E.Use kubectl describe pod to check image details
AnswersB, C

A SHA-256 digest is the content hash of the image manifest, so a matching digest means the content has not changed.

Why this answer

`cosign verify` checks the signature against a public key or a signer identity, and comparing the image's SHA-256 digest with a known-good digest confirms the content has not changed. A vulnerability scan, the layer history and `kubectl describe` show what is in the image or where it came from but prove nothing about tampering.

149
MCQeasy

Which of the following is a best practice for securing container images in a CI/CD pipeline?

A.Using a minimal base image such as Alpine
B.Using the 'latest' tag for all base images to ensure the newest features
C.Running the container as root to avoid permission issues
D.Installing all available packages to ensure the application has all dependencies
AnswerA

Minimal images reduce vulnerabilities and attack surface.

Why this answer

Using a minimal base image like Alpine reduces the attack surface by minimizing the number of installed packages and potential vulnerabilities.

150
MCQmedium

An administrator wants to enforce that only images signed by a trusted key can run in the cluster. They have configured cosign and want to use a Kubernetes admission controller. Which tool should they deploy?

A.Helm
B.Kube-bench
C.Prometheus
D.Kyverno with a verifyImages rule
AnswerD

Kyverno can be configured to verify container image signatures using cosign.

Why this answer

Cosign integrates with Kubernetes through the Sigstore policy-controller (formerly cosigned) or through policy engines such as Kyverno, whose `verifyImages` rule checks Cosign signatures at admission against the trusted key. Option D is correct; Helm, kube-bench and Prometheus play no part in admission.
