
Scenario-based practice

Hard Difficulty Questions

Practise Certified Kubernetes Security Specialist CKS practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: CKS | Vendor: CNCF

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multi select)

A security engineer runs kube-hunter against a production cluster and receives the above output. The cluster uses kubeadm with default settings. Which two actions should the engineer take to remediate the vulnerabilities?

Network Topology
Refer to the exhibit.

Exhibit:

```
$ kube-hunter --report json --log warn
...
  "vulnerability": "CVE-2020-8558",
  "component": "kubelet",
  "severity": "medium",
},
  "vulnerability": "CVE-2019-11245",
  "severity": "high",
...
```

Question 2 (hard, multi select)

Which THREE practices help ensure the integrity and confidentiality of container logs in a Kubernetes cluster?

Question 3 (hard, multiple choice)

A security auditor requires that all container images used in the cluster are scanned for vulnerabilities before deployment. The team uses a private registry with image signing. Which solution enforces that only signed and scanned images are deployed?

Question 4 (hard, multiple choice)

You are asked to ensure that a specific Kubernetes dashboard (e.g., kubernetes-dashboard) is not publicly accessible. The dashboard is deployed in the 'kube-system' namespace. Which NetworkPolicy should you apply?

Question 5 (hard, multiple choice)

You want to ensure that kubelets only serve pods that have been scheduled by the API server. Which admission plugin should be enabled?

Question 6 (hard, multi select)

Which THREE of the following are valid methods to restrict access to etcd in a Kubernetes cluster? (Select THREE)

Question 7 (hard, multiple choice)

A security scan reports that the etcd data directory is not encrypted at rest. The cluster uses etcd v3.5. Which steps are required to enable encryption?

Question 8 (hard, multi select)

Which THREE of the following are valid ways to restrict access to etcd? (Select 3)

Question 9 (hard, multiple choice)

You are tasked with securing a Kubernetes cluster. You want to ensure that the kubelet only serves APIs that are explicitly allowed and that it does not allow anonymous requests. Which kubelet configuration flags should you set?

Question 10 (hard, multiple choice)

An administrator wants to ensure that containers in a pod cannot run with any Linux capabilities except the minimal required for the container runtime. The pod is subject to the 'restricted' Pod Security Standard. Which capability configuration should be set in the pod's security context?

Question 11 (hard, multiple choice)

You are tasked with reducing the attack surface on a Kubernetes node. Which of the following actions is LEAST effective for hardening the node itself?

Question 12 (hard, multiple choice)

An administrator wants to use AppArmor to confine a container. They have loaded a profile named 'my-custom-profile' using apparmor_parser. Which annotation should be added to the pod to enforce this profile?

Question 13 (hard, multiple choice)

A cluster administrator has applied a PodSecurityPolicy (PSP) to restrict privileged containers. After upgrading to Kubernetes 1.25, they notice that PSPs are no longer working. What is the MOST likely reason?

Question 14 (hard, multiple choice)

A pod is configured with securityContext: { seccompProfile: { type: RuntimeDefault } }. Which of the following is true about this configuration?

Question 15 (hard, multi select)

Which TWO of the following are valid AppArmor profile modes? (Select 2 correct answers)

Question 16 (hard, multiple choice)

A custom seccomp profile is created at /var/lib/kubelet/seccomp/custom-profile.json. Which YAML snippet applies this profile to a container?

Question 17 (hard, multi select)

Which THREE of the following are best practices for reducing the attack surface of a Kubernetes node?

Question 18 (hard, multiple choice)

A cluster uses PodSecurity admission. A namespace has the label 'pod-security.kubernetes.io/enforce: baseline'. A user creates a pod that runs a container with 'privileged: true'. What happens?

Question 19 (hard, multiple choice)

A security auditor reports that a container can sniff network traffic on the host. Which field in the pod spec should be checked and set to false to prevent this?

Question 20 (hard, multiple choice)

A security team wants to enforce that no container in the 'restricted' namespace runs with added Linux capabilities beyond the default set (according to the restricted Pod Security Standard). Which PodSecurityConfiguration should be applied to the namespace?

These CKS practice questions are part of Courseiva's free CNCF certification practice question bank. Courseiva provides original exam-style CKS questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.