CKS · topic practice

Cluster Setup and Hardening practice questions

Practise Certified Kubernetes Security Specialist CKS Cluster Setup and Hardening practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Cluster Setup and Hardening

What the exam tests

What to know about Cluster Setup and Hardening

Cluster Setup and Hardening questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Cluster Setup and Hardening exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Cluster Setup and Hardening questions

20 questions · select your answer, then reveal the explanation

During a security audit, you discover that a container running as root inside a pod has been compromised. The pod uses the default service account. Which two measures should you implement to harden the cluster? (Select TWO)

A cluster uses Kubernetes v1.24 with Pod Security Admission enabled. The cluster administrator wants to enforce that all pods in the 'production' namespace run with the 'restricted' policy level, but some existing deployments use privileged containers. Which approach ensures that only new pods violating the policy are rejected, while existing pods continue to run?

A security engineer needs to ensure that all communication between nodes and the control plane is encrypted. Which component must be configured with a TLS certificate to achieve this?

After a security incident, you need to restrict which pods can communicate with each other in the 'finance' namespace. You want to allow only pods with label 'app: api' to connect to pods with label 'app: db' on TCP port 5432, and deny all other traffic. Which NetworkPolicy should you create?

Question 5hardmultiple choice
Read the full NAT/PAT explanation →

A cluster has been configured with the NodeRestriction admission plugin. A developer tries to create a pod that uses a hostPath volume pointing to /var/log. The pod's nodeSelector is set to 'kubernetes.io/hostname: worker-1'. Which statement is true?

Which THREE of the following are valid methods to secure etcd in a Kubernetes cluster? (Select THREE)

Which TWO of the following are recommended practices for securing the Kubernetes API server? (Select TWO)

A security team wants to ensure that only approved container images can run in their production cluster. Which admission controller should be configured in the kube-apiserver to enforce this policy?

An administrator discovers that a container has been running with root privileges despite a PodSecurityPolicy that should prevent it. What is the most likely cause?

A DevOps engineer needs to restrict the outbound network traffic from pods running in namespace 'secure-ns'. Which NetworkPolicy configuration achieves this by default?

Which TWO of the following are valid methods to secure the etcd datastore in a Kubernetes cluster?

You are a security engineer for a financial services company running a Kubernetes cluster on-premises. The cluster uses kubeadm for bootstrapping and Calico for network policy. Recently, a compliance audit revealed that all nodes in the cluster have the kubelet port 10250 open to the public network, allowing unauthenticated access to the kubelet API. This poses a severe security risk. The cluster has 10 worker nodes and 3 control plane nodes. You need to remediate this without disrupting running workloads. The nodes are behind a corporate firewall, but the internal network is considered untrusted. You have access to the node's iptables and can modify configuration files. Which course of action best secures the kubelet port while maintaining cluster functionality?

A security engineer is configuring a Kubernetes cluster to meet CIS benchmark recommendations. The cluster uses kubeadm for bootstrapping. Which action should be taken to ensure the kube-apiserver is hardened against unauthorized access?

A Kubernetes cluster is experiencing issues where pods cannot pull images from a private container registry. The registry requires authentication via imagePullSecrets. The cluster has a pod running with the following spec snippet. What is the likely cause of the failure?

A DevOps team is tasked with upgrading a Kubernetes cluster from version 1.21 to 1.22. They want to minimize downtime and follow best practices. Which approach should they take?

Which TWO actions should be taken to secure etcd in a Kubernetes cluster?

Arrange the steps to create and enforce a Pod Security Policy (PSP) in a Kubernetes cluster.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Order the steps to perform a Kubernetes cluster upgrade from version 1.24 to 1.25.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Match each Kubernetes security component to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Admission controller that enforces security constraints on pods

Defines how groups of pods can communicate with each other and other network endpoints

Role-based access control for authorization within the cluster

Linux security facility to restrict system calls from a container

Mandatory access control system that confines programs to a limited set of resources

Match each container security context setting to its effect.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Prevents processes from gaining more privileges than their parent

Ensures the container runs with a user ID that is not 0 (root)

Mounts the container's root filesystem as read-only

Drops all Linux capabilities, minimizing kernel privileges

Disables privileged mode, preventing access to host devices

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Cluster Setup and Hardening sessions

Start a Cluster Setup and Hardening only practice session

Every question in these sessions is drawn from the Cluster Setup and Hardening domain — nothing else.

Related practice questions

Related CKS topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CKS exam test about Cluster Setup and Hardening?
Cluster Setup and Hardening questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Cluster Setup and Hardening questions in a focused session?
Yes — the session launcher on this page draws every question from the Cluster Setup and Hardening domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CKS topics?
Use the topic links above to move to related areas, or go back to the CKS question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CKS exam covers. They are not copied from any real exam or dump site.