Scenario-based practice

Drag and Drop Matching Questions

Practise Certified Kubernetes Security Specialist (CKS) questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

10 scenario questions | Exam code: CKS | Vendor: CNCF

Scenario guide

How to approach drag and drop matching questions

Matching questions give you two columns — concepts, commands, or protocols on the left, and their definitions or use-cases on the right. You drag each left item to its correct match. These appear on most certification exams and punish superficial memorisation.

Quick answer

Drag and drop matching questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (medium, matching)

Match each etcd security configuration to its description.

Concepts
Matches

Encrypts communication between etcd clients and the etcd server

Encrypts communication between etcd cluster members

Requires clients to present a valid certificate to access etcd

Encrypts etcd data stored on disk (requires manual configuration)

Limits which users or clients can perform operations on etcd keys

Question 2 (medium, matching)

Match each Kubernetes security component to its description.

Concepts
Matches

Admission controller that enforces security constraints on pods

Defines how groups of pods can communicate with each other and other network endpoints

Role-based access control for authorization within the cluster

Linux security facility to restrict system calls from a container

Mandatory access control system that confines programs to a limited set of resources

Question 3 (medium, matching)

Match each Kubernetes security tool or feature to its purpose.

Concepts
Matches

Checks whether Kubernetes is deployed securely according to CIS benchmarks

Penetration testing tool for Kubernetes clusters

Policy engine for enforcing custom policies on Kubernetes resources

Runtime security monitoring tool that detects abnormal behavior

Vulnerability scanner for container images, filesystems, and Git repos

Question 4 (medium, matching)

Match each Kubernetes certificate type to its usage.

Concepts
Matches

Used by kubelet to serve the kubelet API (e.g., exec, logs)

Used by kubelet to authenticate to the API server

Used by the API server to serve HTTPS endpoints

Used to sign service account tokens so they can be verified

Used by an administrator to authenticate to the cluster with full privileges

Question 5 (medium, matching)

Match each Kubernetes admission controller to its role in security.

Concepts
Matches

Limits the Node and Pod objects a kubelet can modify

Ensures images are always pulled, preventing use of local images

Denies pods with certain security context settings (deprecated)

Implements automation for service accounts

Enforces namespace-level node selector restrictions

Question 6 (medium, matching)

Match each Kubernetes command to its function related to security.

Concepts
Matches

Check whether an action is allowed for a user or service account

Approve a certificate signing request (CSR)

Run a temporary interactive pod for troubleshooting

Create a secret from literals, files, or directories

Apply a PodSecurityPolicy configuration (deprecated)

Question 7 (medium, matching)

Match each Kubernetes API server flag to its security function.

Concepts
Matches

Enables RBAC authorization

Comma-separated list of admission controllers to enable

Disables anonymous requests to the API server

Path to a CA file for verifying kubelet certificates

File containing PEM-encoded x509 RSA or ECDSA private or public keys for service account token signing

Question 8 (medium, matching)

Match each container security context setting to its effect.

Concepts
Matches

Prevents processes from gaining more privileges than their parent

Ensures the container runs with a user ID that is not 0 (root)

Mounts the container's root filesystem as read-only

Drops all Linux capabilities, minimizing kernel privileges

Disables privileged mode, preventing access to host devices

Question 9 (medium, matching)

Match each Kubernetes object or feature to its primary security purpose.

Concepts
Matches

Provides an identity for processes running in a pod

Stores sensitive data such as passwords, OAuth tokens, and ssh keys

Stores non-sensitive configuration data in key-value pairs

Specifies security settings for a pod or container

Limits resource consumption per namespace to prevent resource exhaustion

Question 10 (medium, matching)

Match each Kubernetes network security concept to its definition.

Concepts
Matches

Outbound network traffic from a pod to external endpoints

Inbound network traffic to a pod from external sources

Specification of how groups of pods are allowed to communicate

Container Network Interface plugin that implements networking for pods

Infrastructure layer for handling service-to-service communication, often with mTLS

These CKS practice questions are part of Courseiva's free CNCF certification practice question bank. Courseiva provides original exam-style CKS questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.