CCNA CKS Monitoring Runtime Questions

75 of 172 questions · Page 2/3 · CKS Monitoring Runtime topic · Answers revealed

76
MCQ · easy

An admin runs 'kubectl get pods' and sees a pod in 'CrashLoopBackOff' state. The pod's containers have a restart policy of 'Always'. What is the most likely cause?

A. The image pull secret is missing
B. The pod's resource requests exceed node capacity
C. The node is out of memory
D. The container's command fails immediately after start
Answer: D

Correct. A failing command causes the container to exit, and with Always restart policy, it restarts and fails again, leading to CrashLoopBackOff.

Why this answer

CrashLoopBackOff indicates the container keeps crashing after starting. The restart policy 'Always' causes the kubelet to restart it, but if the crash persists, the backoff delay increases. The most likely cause is the application itself failing (e.g., error on startup).

77
MCQ · easy

You suspect a container is running an unexpected process. Which crictl command can you use to list all running containers on the node?

A. crictl stats
B. crictl pods
C. crictl ps
D. crictl images
Answer: C

crictl ps lists running containers, similar to docker ps.

Why this answer

crictl ps lists all running containers on the node. crictl pods lists pods, not containers. crictl images lists images. crictl stats shows resource usage.

78
MCQ · hard

You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the 'RequestResponse' level, but only log requests from the 'kube-system' namespace. Which audit policy rule is correct?

A. `- level: RequestResponse resources: - apiGroup: "" resources: ["secrets"] namespaces: ["kube-system"]`
B. `- level: RequestResponse resources: - group: "" resources: ["secrets"] namespaces: ["kube-system"]`
C. `- level: RequestResponse resources: - group: "" resources: ["secrets"] namespace: ["kube-system"]`
D. `- level: RequestResponse resources: - group: "" resources: ["secrets"] namespaces: ["kube-system"]`
Answer: B

Why this answer

The audit policy rule uses the 'group', 'resources', and 'namespaces' fields. Option B correctly specifies group "" (the core API group), resources ["secrets"], and namespaces ["kube-system"]. Option A incorrectly uses 'apiGroup' instead of 'group'.

Option C uses 'namespace' (singular) where the field is 'namespaces' (plural).

79
Multi-Select · medium

Which TWO of the following are valid audit stages in Kubernetes audit logging?

Select 2 answers
A. ResponseStarted
B. Panic
C. ResponseFinished
D. RequestProcessing
E. RequestReceived
Answers: A, E

Valid audit stage.

Why this answer

The valid audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. RequestReceived and ResponseStarted are two of them; ResponseFinished and RequestProcessing are not stages.

80
MCQ · medium

You want to preserve evidence from a compromised pod. Which command should you use to copy the entire container filesystem to a safe location?

A. crictl export <container-id> /tmp/evidence.tar
B. kubectl cp <pod>:/ /tmp/evidence
C. kubectl exec <pod> -- tar czf - / > /tmp/evidence.tar.gz
D. kubectl logs <pod> > /tmp/evidence.log
Answer: B

kubectl cp copies from the container's root directory to a local directory.

Why this answer

kubectl cp copies files from the container to the local machine. Using a tarball pipeline is an alternative, but kubectl cp is the standard method.

81
MCQ · easy

To isolate a compromised pod and prevent all incoming and outgoing traffic, which Kubernetes resource should you use?

A. ResourceQuota
B. PodSecurityPolicy
C. NetworkPolicy with spec.podSelector: {} and spec.policyTypes: [Ingress, Egress]
D. LimitRange
Answer: C

Why this answer

NetworkPolicy with empty podSelector and policyTypes: Ingress, Egress denies all traffic.

82
MCQ · hard

A Falco rule has the following condition: spawned_process and container and proc.name = bash and proc.pname != sshd. What does this rule detect?

A. Any process named bash on the host
B. A bash shell started in a container via SSH
C. An SSH connection to a container
D. A bash shell started in a container from a non-SSH parent process
Answer: D

Why this answer

It detects a bash shell spawned inside a container where the parent process is not sshd.

83
Multi-Select · hard

Which THREE of the following are valid techniques for isolating a compromised pod during incident response? (Choose three)

Select 3 answers
A. Modify the container image to disable networking
B. Apply a NetworkPolicy that denies all ingress and egress traffic to the pod
C. Cordon the node where the pod is running
D. Add a label 'isolated=true' to the pod and apply a NetworkPolicy that selects that label and denies all traffic
E. Delete the pod immediately to stop the threat
Answers: B, C, D

This isolates the pod at the network level.

Why this answer

Isolation techniques include using NetworkPolicy to restrict network traffic, adding a label to the pod and applying a policy that denies all traffic, and cordoning the node to prevent new pods. Deleting the pod is a response action but not isolation; modifying the container image is not isolation.

84
MCQ · easy

Which flag must be provided to the kube-apiserver to enable audit logging?

A. --enable-admission-plugins
B. --authorization-mode
C. --audit-log-path
D. --audit-policy-file
Answer: D

Correct. This flag points to the audit policy file that defines which events to log and at what level.

Why this answer

The --audit-policy-file flag specifies the path to the audit policy file. Without this, audit logging is disabled.

85
Multi-Select · hard

Which THREE of the following are common indicators of a container compromise that Falco can detect? (Select 3)

Select 3 answers
A. Unexpected outbound network connections
B. Reading sensitive files like /etc/shadow
C. High CPU usage
D. Spawning a shell inside a container
E. Pod restarting in a loop
Answers: A, B, D

Falco can detect connect syscalls to unexpected destinations.

Why this answer

Falco can detect shell spawning, sensitive file reads, and unexpected outbound connections via syscall monitoring. CPU/memory spikes are not directly detected by Falco as they are not syscall events; they are typically monitored by metrics tools. Pod restart loops are a Kubernetes-level symptom, not a direct syscall event.

86
MCQ · hard

A pod is stuck in Pending state. You run 'kubectl describe pod' and see the event: '0/3 nodes are available: 3 Insufficient cpu'. What is the likely cause?

A. The pod's image pull policy is set to Always and the registry is unreachable
B. The pod's CPU request exceeds the available CPU capacity on all nodes
C. The cluster has a taint that the pod does not tolerate
D. The scheduler is misconfigured and not running
Answer: B

No node has enough allocatable CPU to satisfy the pod's request.

Why this answer

The event indicates insufficient CPU resources on all nodes to meet the pod's CPU request.

87
MCQ · easy

You have deployed a pod and set `securityContext.readOnlyRootFilesystem: true`. The pod is failing to start with an error about writing to `/tmp`. What is the most likely cause?

A. The `securityContext` is misspelled
B. The pod is missing an emptyDir volume mounted at `/tmp`
C. The container image does not have `/tmp` directory
D. The container is running as a non-root user
Answer: B

An emptyDir volume provides a writable location on an otherwise read-only root filesystem.

Why this answer

When `readOnlyRootFilesystem` is true, the container cannot write to any path on the root filesystem unless a writable volume is mounted. `/tmp` is on the root filesystem by default, so the container needs an emptyDir volume mounted at `/tmp` to write there.

88
MCQ · medium

A security team wants to detect any attempt to spawn an interactive shell inside a container. Which Falco rule condition would be appropriate?

A. container.id != host and evt.type = read and fd.name = /etc/shadow
B. evt.type = connect and container.id != host
C. proc.name = bash and evt.type = execve
D. container.id != host and evt.type = execve and proc.name = bash
Answer: D

Correct. This condition matches execve syscalls where the process is bash inside a container.

Why this answer

Falco uses syscall events. The condition container.id != host and evt.type = execve and proc.name = bash detects a bash exec in a container, which is a common interactive shell.

89
Multi-Select · hard

Which THREE of the following are effective methods to preserve evidence during a container security incident?

Select 3 answers
A. Delete the pod immediately
B. Take a memory dump of the container
C. Run kubectl exec to explore and modify files
D. Create a forensic snapshot of the container filesystem
E. Capture container logs
Answers: B, D, E

Correct: Captures in-memory data.

Why this answer

Creating a forensic snapshot (e.g., using dd or kubectl cp), capturing container logs, and taking a memory dump (e.g., via criu or gcore) preserve evidence. Deleting the pod destroys evidence. Running 'kubectl exec' and modifying files is destructive.

90
MCQ · medium

An administrator runs 'crictl ps' and sees no containers listed, but kubectl shows running pods. What is the most likely cause?

A. crictl is not configured to connect to the correct container runtime socket
B. The images have not been pulled yet
C. The containers are running in a different namespace
D. The kubelet is not running
Answer: A

Correct: crictl needs the --runtime-endpoint flag or config to connect to the runtime.

Why this answer

crictl talks to the container runtime over a specific socket (e.g., containerd.sock). If that socket is not configured, or points at a different runtime, crictl won't see the containers. Option B is about image pull, option C is unlikely, and option D is about the kubelet.

91
MCQ · easy

Which audit stage is logged after the request is fully processed and the response is sent?

A. Panic
B. ResponseComplete
C. ResponseStarted
D. RequestReceived
Answer: B

ResponseComplete is logged after the entire response is sent.

Why this answer

Audit stages are: RequestReceived, ResponseStarted, ResponseComplete, and Panic. ResponseComplete occurs after the response is sent.

92
MCQ · medium

You need to detect any attempt to run a shell inside a container using Falco. Which macro or condition should you use?

A. evt.type=read and fd.name=/etc/passwd
B. evt.type=execve and proc.name in (bash, sh)
C. evt.type=clone and proc.name=bash
D. evt.type=open and fd.name=/bin/bash
Answer: B

This matches execution of shell binaries.

Why this answer

Falco's 'spawned_process' macro or condition evt.type=execve and proc.name in (bash, sh, zsh, etc.) can detect shell execution.

93
MCQ · medium

A pod is running in the 'default' namespace with a container that has an immutable root filesystem (readOnlyRootFilesystem: true). The application writes logs to /var/log/app.log. What will happen?

A. The container will be automatically restarted by the kubelet
B. The write succeeds because logs are written to a temporary filesystem
C. The write to /var/log/app.log fails, and the container may crash or log an error
D. Kubernetes will create an emptyDir volume to hold the logs
Answer: C

The immutable filesystem prevents writes to the root filesystem; /var/log/ is part of the root filesystem unless a volume is mounted.

Why this answer

With readOnlyRootFilesystem set to true, the container's root filesystem is read-only, so any attempt to write to it fails. If the application writes to /var/log/app.log, the write fails and the container may crash or log an error. Option C is correct.

94
MCQ · easy

Which audit policy level logs all requests and responses, including the request body and response body?

A. None
B. Request
C. Metadata
D. RequestResponse
Answer: D

RequestResponse logs both request and response objects, including bodies.

Why this answer

RequestResponse logs both the request object and the response object, including bodies. Request logs only the request object. Metadata logs only metadata. None logs nothing.

95
MCQ · hard

A Falco rule triggers when a shell is spawned inside a container. Which condition correctly identifies bash or sh being executed as the first process (PID 1)?

A. spawned_process and proc.name in (bash, sh) and proc.pid=1
B. evt.type=execve and proc.name in (bash, sh) and container.id != host
C. container.id != host and proc.name in (bash, sh) and proc.ppid=0
D. proc.name = bash and proc.pid=1
Answer: A

This checks that the process was spawned (i.e., the syscall execve) and its name is bash or sh, and it's PID 1.

Why this answer

The condition uses the spawned_process macro (which matches execve events) together with a process name of bash or sh and a PID of 1, indicating the shell was started as the container entrypoint and not by another process.

96
Multi-Select · medium

Which TWO of the following are valid audit policy levels in Kubernetes? (Choose two.)

Select 2 answers
A. RequestResponse
B. Verbose
C. Response
D. All
E. Metadata
Answers: A, E

Valid level.

Why this answer

Valid audit levels are None, Metadata, Request, and RequestResponse. Options A and E are valid; Verbose, Response, and All are not audit levels.

97
MCQ · hard

You need to configure Kubernetes audit logging to log all requests at the Metadata level except for requests to the 'kube-system' namespace, which should be logged at Request level. How should you structure the audit policy?

A. Default level Metadata with a rule that has 'level: Request' and 'namespaces: [kube-system]'
B. Use two rules with 'level: Request' and 'level: Metadata' without default
C. Default level Request with a rule for kube-system at Metadata
D. Default level Metadata with a rule for kube-system at Request
Answer: A

The rule for kube-system overrides the default for that namespace.

Why this answer

The policy defines rules with levels and optional namespaces. Rules are evaluated in order; the first matching rule applies.

98
MCQ · medium

You run 'crictl ps' and see a container with state CONTAINER_RUNNING. What does this indicate?

A. The container has exited
B. The container is paused
C. The container is starting up
D. The container is running normally
Answer: D

CONTAINER_RUNNING is the normal running state.

Why this answer

crictl ps shows containers managed by the runtime; CONTAINER_RUNNING means the container is actively running.

99
Multi-Select · hard

Which THREE of the following are required components to enable audit logging in Kubernetes? (Select three.)

Select 3 answers
A. The --audit-policy-file flag on kube-apiserver
B. The --audit-log-path flag on kube-apiserver
C. An audit policy YAML file
D. The --audit-dynamic-configuration flag
E. An audit webhook backend
Answers: A, B, C

Why this answer

Audit logging requires an audit policy file, the --audit-policy-file flag, and a log backend like --audit-log-path.

100
MCQ · medium

You have a pod that is in CrashLoopBackOff. You want to inspect the logs from the previous instance of the container. Which flag should you use with kubectl logs?

A. --previous
B. --tail
C. --all-containers
D. --since
Answer: A

--previous shows logs from the previous container instance.

Why this answer

The --previous flag retrieves logs from the previous instance of the container before it crashed.

101
Multi-Select · medium

Which THREE stages can be configured for Kubernetes audit logging?

Select 3 answers
A. RequestProcessed
B. ResponseComplete
C. Panic
D. ResponseStarted
E. RequestReceived
Answers: B, D, E

Standard stage.

Why this answer

The audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic.

102
MCQ · medium

You are configuring Kubernetes audit logging. You want to log all requests to the `secrets` resource in the `kube-system` namespace at the `RequestResponse` level, while logging all other requests at the `Metadata` level. Which audit policy configuration achieves this?

A. `rules: [- level: RequestResponse, resources: [group: '', resources: [*]], - level: Metadata]`
B. `rules: [- level: RequestResponse, resources: [group: '', resources: [secrets]], namespaces: [kube-system], - level: Metadata]`
C. `rules: [- level: Metadata, resources: [group: '', resources: [secrets]], namespaces: [kube-system], - level: RequestResponse]`
D. `rules: [- level: Metadata, resources: [group: '', resources: [secrets]], namespaces: [kube-system], omitStages: [RequestReceived], - level: RequestResponse]`
Answer: B

Correct: first rule matches secrets in kube-system with RequestResponse, second rule catches all other requests with Metadata.

Why this answer

Option B is correct because it defines a rule for secrets in kube-system at level RequestResponse, followed by a default rule for all other requests at level Metadata. Option D incorrectly uses `omitStages` where a different `level` is needed. Option A does not target the specific resource.

Option C reverses the levels.

103
MCQ · medium

You run 'crictl ps' and see no output, but the node has running pods. What is the most likely cause?

A. The --runtime-endpoint flag is not set or points to the wrong socket
B. The container runtime is not Docker
C. The pod uses a different container runtime than CRI-O
D. The containers are in a different namespace
Answer: A

Why this answer

crictl uses a socket to communicate with the container runtime; if the socket is wrong, it won't list containers.

104
MCQ · easy

Which crictl command lists all running containers on a node?

A. crictl pods
B. crictl images
C. crictl ps
D. crictl stats
Answer: C

Correct: crictl ps lists containers.

Why this answer

crictl ps lists running containers, similar to docker ps.

105
MCQ · medium

Which kubectl command can you use to view the logs of a specific container in a multi-container pod?

A. kubectl logs <pod> -c <container>
B. kubectl logs <pod> --container <container>
C. kubectl logs <pod> <container>
D. kubectl logs <pod> --all-containers
Answer: A, B

-c is the short form for --container; both are correct.

Why this answer

kubectl logs with the -c flag (the short form of --container) specifies a container name within a pod. Option D shows logs from all containers rather than a specific one.

106
MCQ · medium

A Falco rule is triggered when a shell is spawned inside a container. Which syscall is typically used to detect shell execution?

A. clone
B. open
C. read
D. execve
Answer: D

execve is the syscall used to execute a new program, such as a shell.

Why this answer

Falco detects shell execution by monitoring the execve syscall. The rule usually checks for a process named 'bash', 'sh', etc., and the evt.type=execve condition.

107
MCQ · easy

You want to isolate a compromised pod by blocking all network traffic to and from it. Which NetworkPolicy would you apply?

A. A policy with podSelector matching the pod, and only ingress rules denying from all
B. A policy with podSelector matching the pod, and policyTypes: [Ingress, Egress] with no rules
C. A policy with podSelector matching the pod, and egress rules allowing to 0.0.0.0/0
D. A policy with podSelector: {} and no rules
Answer: B

Why this answer

A NetworkPolicy that selects the pod with policyTypes [Ingress, Egress] and no ingress or egress rules denies all traffic to and from it. Option B is correct. Option A denies ingress only. Option C allows all egress. Option D allows egress to all.

108
MCQ · medium

A pod runs with an immutable root filesystem (readOnlyRootFilesystem: true). The application attempts to write to /tmp. What is the expected behavior?

A. The write fails with a permission error unless a writable volume is mounted at /tmp
B. The application can write to any directory because /tmp is always writable
C. The container crashes immediately
D. The write succeeds and is silently dropped
Answer: A

Why this answer

When readOnlyRootFilesystem is true, the container's root filesystem is read-only. However, if an emptyDir volume is mounted at /tmp, the application can write to that location. Option A is correct.

Option D is wrong because write operations are not silently dropped; they fail with an error. Option C is wrong because the container may still run if it doesn't need to write to the root filesystem. Option B is wrong because /tmp is part of the read-only root filesystem unless a writable volume is mounted there.

109
MCQ · easy

An admin runs 'crictl ps' on a node and sees multiple containers. Which command should they use to view the logs of a specific container?

A. crictl logs <container-id>
B. crictl exec <container-id> logs
C. crictl inspect <container-id>
D. crictl ps -a <container-id>
Answer: A

crictl logs fetches logs of the specified container.

Why this answer

crictl logs is the correct command to retrieve logs from a container. crictl ps lists containers, crictl exec runs a command inside a container, and crictl inspect shows detailed info.

110
MCQ · medium

You need to isolate a compromised pod named 'malicious-pod' in the 'default' namespace so that it cannot communicate with any other pod, but can still receive traffic from a specific monitoring pod. Which NetworkPolicy should you apply?

A. `apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate-pod spec: podSelector: matchLabels: app: malicious-pod ingress: - from: - podSelector: matchLabels: app: monitoring-pod policyTypes: - Ingress - Egress`
B. `apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate-pod spec: podSelector: matchLabels: app: malicious-pod egress: - {} policyTypes: - Egress`
C. `apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate-pod spec: podSelector: matchLabels: app: malicious-pod policyTypes: - Ingress - Egress`
D. `apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate-pod spec: podSelector: matchLabels: app: malicious-pod ingress: - {} policyTypes: - Ingress`
Answer: A

Allows ingress only from monitoring-pod, and blocks all egress by default. This isolates the pod while allowing monitoring.

Why this answer

Option A specifies podSelector: matchLabels: app: malicious-pod, an ingress rule from a specific pod (monitoring-pod), and no egress rules, so egress is denied by default. Option C denies all ingress as well (no ingress rules). Option D allows all ingress.

Option B allows all egress.

111
MCQ · medium

An administrator needs to preserve evidence from a compromised container. Which approach is BEST for capturing the container's filesystem and memory for later analysis?

A. Use 'crictl export <container-id>' to create a tar archive of the container's filesystem
B. Use 'runc checkpoint' to create a checkpoint of the container
C. Use 'kubectl cp' to copy files from the container to the node
D. Use 'crictl save' to save the container image
Answer: A

crictl export exports the container's filesystem, which preserves file evidence.

Why this answer

crictl export exports the container's filesystem as a tar archive. For memory dump, tools like gcore or /proc/.../mem are needed. Option A is the closest match for filesystem preservation among the options.

Option B is for runc, not typical. Option D is for images.

112
MCQ · easy

Which kubectl command can be used to execute a shell inside a running container for forensic analysis?

A. kubectl delete pod <pod>
B. kubectl logs <pod>
C. kubectl describe pod <pod>
D. kubectl exec -it <pod> -- /bin/sh
Answer: D

Correct: This starts an interactive shell.

Why this answer

'kubectl exec' with '-it' and a shell command allows interactive shell access. Option B is for logs, option C is for describing resources, and option A is for deleting the pod.

113
Multi-Select · easy

Which TWO crictl commands can be used to inspect a running container?

Select 2 answers
A. crictl logs <container-id>
B. crictl run <image>
C. crictl create <pod-config>
D. crictl stats <container-id>
E. crictl exec <container-id> <command>
Answers: A, E

Shows container logs.

Why this answer

crictl logs shows logs, crictl exec runs a command in the container.

114
MCQ · medium

You need to preserve evidence (container logs) from a compromised pod before deleting it. Which command should you run first?

A. kubectl exec <pod> -- cat /var/log/*
B. kubectl cp <pod>:/var/log ./pod-logs
C. kubectl logs <pod> --tail=-1 > pod.log
D. kubectl delete pod <pod>
Answer: C

Why this answer

kubectl logs with --tail=-1 fetches all lines from the logs.

115
MCQ · hard

An administrator wants to enable Kubernetes audit logging with the following requirements: log all requests at the Metadata level, but log all responses at the Request level. Which audit policy configuration achieves this?

A. Set default level to Metadata and use a dynamic level based on request size
B. Use the --audit-log-maxbackup flag to adjust levels
C. Set default level to Metadata and use a rule with level: Request for specific resources
D. Use separate rules with 'stages: ["RequestReceived"]' level Metadata, and 'stages: ["ResponseComplete"]' level Request
Answer: D

Correct: stages allow different levels per request vs response.

Why this answer

Audit policies are defined with a 'level' per rule or as a default. To have different levels for requests and responses, you must use different stages. Option D correctly sets the level for the 'RequestReceived' stage to Metadata and for the 'ResponseComplete' stage to Request.

116
Multi-Select · hard

Which THREE of the following are valid audit stages in Kubernetes audit logging? (Select THREE.)

Select 3 answers
A. ResponseStarted
B. RequestReceived
C. ResponseBuffered
D. RequestProcessing
E. ResponseComplete
Answers: A, B, E

Correct. Occurs when response headers are sent.

Why this answer

Audit stages are: RequestReceived, ResponseStarted, ResponseComplete, Panic. 'RequestProcessing' and 'ResponseBuffered' are not valid stages.

117
MCQ · hard

You want to detect any attempt to run a shell inside a container that is not running as root. Which Falco condition would you use?

A. evt.type=execve and proc.name in (bash, sh) and container.id != host and user.name != root
B. evt.type=execve and proc.aname in (bash, sh) and container.id != host and user.name != root
C. evt.type=execve and proc.name in (bash, sh) and container.id != host
D. evt.type=execve and proc.name in (bash, sh) and container.id != host and user.name = root
Answer: A

Correctly detects shell execution by non-root users in containers.

Why this answer

Option A checks for execve of bash or sh, with container.id != host, and user.name != root. Option C doesn't check the user. Option B uses proc.aname (ancestor process name), which matches on the process's ancestors rather than the process itself.

Option D checks user.name = root, which is the opposite of what is required.

118
MCQ · medium

You need to configure Kubernetes audit logging to log all requests to the 'secrets' resource at the RequestResponse level. Which audit policy rule would achieve this?

A. `- level: Metadata resources: - group: "" resources: ["secrets"]`
B. `- level: RequestResponse resources: - group: "" resources: ["secrets"]`
C. `- level: RequestResponse resources: - group: "" resources: ["pods"]`
D. `- level: Request resources: - group: "" resources: ["secrets"]`
Answer: B

Correct. This rule matches the core API group (group: "", the empty string) and the secrets resource, logging at RequestResponse level.

Why this answer

An audit policy rule with resources: group: ""; resources: ["secrets"]; level: RequestResponse will log all requests to secrets at the RequestResponse level (metadata + request body + response body).

119
MCQ · hard

You are writing a Falco rule to detect privilege escalation via setuid binaries. Which syscall should the rule monitor?

A. open
B. execve
C. connect
D. setuid
Answer: D

Correct. The setuid syscall is used to set the user ID of the current process, which can escalate privileges.

Why this answer

setuid and setgid syscalls are used to change user/group identity, which can be used for privilege escalation. Falco can monitor these syscalls to detect unauthorized attempts.

120
MCQ · medium

A container has been compromised. You need to isolate it by denying all network traffic. Which NetworkPolicy manifest achieves this?

A. `apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: compromised ingress: [] egress: []`
B. `apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: compromised policyTypes: - Ingress ingress: - from: - podSelector: {}`
C. `apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: compromised policyTypes: - Egress egress: - to: - podSelector: {}`
D. `apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: compromised policyTypes: - Ingress - Egress`
Answer: A, D

Empty ingress and egress arrays block all traffic when policyTypes includes both.

Why this answer

A NetworkPolicy whose podSelector matches the pod, with policyTypes covering both Ingress and Egress and no ingress or egress rules, blocks all traffic: once a pod is selected by a policy for a given direction, only traffic explicitly allowed by some policy is permitted.

121
Multi-Select · medium

Which TWO of the following are valid audit stages in Kubernetes audit logging?

Select 2 answers
A. ResponseStarted
B. ResponseDelay
C. ResponseComplete
D. RequestProcessing
E. RequestReceived
Answers: A, E

Correct: This is a valid stage.

Why this answer

Valid audit stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. Option D (RequestProcessing) is not a valid stage. Option B (ResponseDelay) is not either.

122
MCQ · medium

You are using `crictl` to debug a container that is not responding. Which command should you use to get the list of running containers?

A. crictl pods
B. crictl ps
C. crictl images
D. crictl stats
Answer: B

crictl ps lists running containers; add -a to include exited ones as well.

Why this answer

`crictl ps` lists containers, similar to `docker ps`. `crictl pods` lists pods (sandboxes). `crictl images` lists images. `crictl stats` displays resource usage.

123
MCQ · medium

A security team wants to detect any attempt to read the /etc/shadow file inside a container. Which Falco rule condition would detect this syscall?

A. evt.type in (open, openat) and fd.name=/etc/shadow
B. evt.type=read and fd.name=/etc/shadow
C. evt.type=open and fd.name contains /etc/shadow
D. proc.name=cat and fd.name=/etc/shadow
Answer: A

Correct: open/openat syscall with exact match on shadow file.

Why this answer

Falco uses the 'open' or 'openat' syscall with the 'fd.name' field to check file paths. Option A correctly checks for both open and openat syscalls and matches the filename exactly.

124
MCQ · medium

You need to configure Kubernetes audit logging to log all requests to the 'secrets' API. Which audit policy level captures the body of the request?

A. Request
B. None
C. RequestResponse
D. Metadata
Answer: C

Why this answer

RequestResponse logs request metadata and the request and response body.

125
MCQ · medium

A Falco rule has the following output: 'Sensitive file opened for reading (user=root command=cat /etc/shadow)'. Which macro is most likely used in the rule condition?

A. shell_procs
B. outbound
C. binaries
D. sensitive_file_names
Answer: D

Correct. This macro is defined in Falco's default rules to detect access to sensitive files.

Why this answer

Falco has a macro called 'sensitive_file_names' that includes files like /etc/shadow, /etc/passwd, etc. The rule likely uses that macro to match on open syscalls targeting those files.

126
MCQ · easy

What is the purpose of setting a container's filesystem to read-only in a Pod spec?

A. To prevent an attacker from modifying the container's filesystem after compromise
B. To allow multiple pods to share the same filesystem
C. To prevent the container from being deleted
D. To improve disk I/O performance
Answer: A

Correct. If the filesystem is read-only, an attacker cannot write new files or modify existing ones, limiting the impact of a breach.

Why this answer

Setting readOnlyRootFilesystem to true makes the container's filesystem immutable, preventing attackers from writing malicious files or altering binaries. It is a security best practice.

127
MCQ · hard

A Falco rule is written to detect when a shell is spawned inside a container. The rule condition is: `spawned_process and container and proc.name = bash`. The rule is not triggering. Which of the following is the most likely reason?

A. The rule is missing `proc.name in (bash, sh, zsh)` because only bash is checked
B. Falco is not running with the required syscall capabilities
C. The `spawned_process` macro may not match because the process was inherited (not spawned), e.g., from an entrypoint
D. The priority is set to `ERROR` but the output is being filtered
Answer: C

`spawned_process` only matches the completion of an execve/execveat. A shell that is already running (for example the container's entrypoint) or one created by fork without exec never produces that event.

Why this answer

The condition combines the `spawned_process` and `container` macros, which is the standard shape of a shell-detection rule, so the structure itself is not the problem. `spawned_process` is defined as `evt.type in (execve, execveat) and evt.dir=<`: it fires only when a new program image is executed. A shell that was already the container's entrypoint when Falco started, or a child created by fork without a subsequent exec, is never observed, which makes option C the most likely reason.

Option A describes a real gap (an attacker who runs `sh` or `dash` instead of `bash` is missed), but it does not explain why an execution of `bash` goes unreported. Option B would silence every rule, not just this one. Option D is not a matching problem: the `priority` setting in falco.yaml can drop low-priority alerts from the output, but an `ERROR` rule is not filtered by default.

128
MCQmedium

A pod is stuck in 'Pending' state. You run 'kubectl describe pod mypod' and see the event: '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the most likely solution?

A.Delete the pod and recreate it without any tolerations
B.Remove the taint from the node using 'kubectl taint nodes ...'
C.Add a toleration to the pod spec for the taint 'node-role.kubernetes.io/master'
D.Add a nodeSelector to the pod to match the node's labels
AnswerC

Correct. Adding a toleration allows the pod to be scheduled on the tainted node.

Why this answer

The pod cannot be scheduled because every available node carries a taint that the pod does not tolerate. To allow the pod to run on that node, add a toleration for that taint in the pod spec (on current clusters the taint key is node-role.kubernetes.io/control-plane; older clusters use node-role.kubernetes.io/master). Removing the taint (option B) would also make the pod schedulable, but it opens the control-plane node to every workload in the cluster, which is the opposite of what the taint is there for.

129
MCQeasy

You want to ensure that a container's root filesystem is immutable. Which field in the Pod spec should you set?

A.spec.containers[].securityContext.privileged
B.spec.hostNetwork
C.spec.containers[].securityContext.readOnlyRootFilesystem
D.spec.containers[].volumeMounts[].readOnly
AnswerC

Setting this to true makes the filesystem read-only.

Why this answer

The field 'securityContext.readOnlyRootFilesystem' at the container level makes the root filesystem read-only, effectively immutable. Volumes mounted into the container stay writable unless their volumeMount sets readOnly: true, which is how an immutable image is combined with a writable /tmp or data directory.

130
MCQeasy

Which crictl command is used to list all running containers managed by the container runtime?

A.crictl images
B.crictl stats
C.crictl ps
D.crictl pods
AnswerC

crictl ps lists containers.

Why this answer

crictl ps lists containers, similar to docker ps.

131
MCQeasy

A security team wants to detect attempts to read /etc/shadow inside containers. Which Falco rule condition would trigger on a container reading that file?

A.evt.type=connect and fd.name=/etc/shadow
B.evt.type=execve and proc.name=cat
C.evt.type=open and container.id exists
D.evt.type=open and fd.name=/etc/shadow
AnswerD

This matches open syscalls on /etc/shadow.

Why this answer

Opening the file is the observable event, so the condition keys on evt.type=open with fd.name=/etc/shadow; Falco's shipped rules express the same idea through the open_read macro, which also covers openat and openat2 (modern libc issues open() as openat(), so a bare evt.type=open misses most opens in practice). Option A uses connect, a network syscall. Option B reports every execution of cat regardless of the file. Option C matches any file opened from any container.

132
MCQmedium

Which crictl command is used to view the logs of a specific container?

A.crictl ps
B.crictl exec
C.crictl logs
D.crictl inspect
AnswerC

crictl logs <container-id> retrieves container logs.

Why this answer

crictl logs <container-id> displays logs from a container. crictl ps lists containers, crictl exec runs a command in a container, and crictl inspect shows detailed container information.

133
MCQmedium

You need to detect when a container attempts to mount the host's Docker socket. Which Falco macro or condition would you use?

A.fd.name=/var/run/docker.sock
B.fd.name=/var/run/containerd.sock
C.fd.name=/var/run/docker
D.fd.name=/run/docker.sock
AnswerA

Why this answer

Falco's default rules treat the Docker socket as sensitive: the `sensitive_mount` macro checks `container.mount.dest[/var/run/docker.sock]` when a container starts, and a condition such as fd.name=/var/run/docker.sock matches a process inside the container that actually opens or connects to the socket. Option A is correct. Strictly speaking, a mount is only visible at container creation (through the container.mount.* fields); an fd.name condition catches the subsequent use of the socket, which is what matters for detecting an escape attempt.

Option B is not the Docker socket (containerd listens on /run/containerd/containerd.sock). Option C is a directory, not the socket. Option D refers to the same file on distributions where /var/run is a symlink to /run, but Falco reports the path the process used, and Docker clients open /var/run/docker.sock.

134
MCQhard

You have deployed a DaemonSet to run a logging agent on every node. After an update, the new pods are stuck in 'Pending' state. You run 'kubectl describe pod ds-pod-xxxxx' and see '0/3 nodes are available: 3 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate'. What is the MOST likely cause?

A.The DaemonSet has a nodeSelector that doesn't match any nodes
B.The DaemonSet uses hostNetwork which conflicts with existing pods
C.The DaemonSet does not have tolerations for the node taints
D.The nodes are cordoned
AnswerC

The taint prevents scheduling unless the pod has a matching toleration.

Why this answer

The message indicates that all three nodes carry a taint the pod does not tolerate, and with no untainted node left the pods cannot be scheduled anywhere. The DaemonSet controller adds tolerations for node conditions such as node.kubernetes.io/not-ready and node.kubernetes.io/unschedulable on its own, but never for the control-plane role taint; a DaemonSet that has to run on every node, including control-plane nodes, must carry that toleration in its pod template. A nodeSelector mismatch (A) or cordoned nodes (D) produce different scheduler messages, and hostNetwork (B) causes port conflicts, not taint errors.

135
MCQmedium

A pod named 'busybox-pod' is compromised. You want to isolate it from all other pods using a NetworkPolicy. Which YAML snippet correctly denies all ingress and egress traffic to/from the pod?

A.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: busybox egress: - to: - podSelector: {}
B.apiVersion: v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: {} policyTypes: - Ingress
C.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: busybox ingress: - from: - podSelector: {}
D.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: isolate spec: podSelector: matchLabels: app: busybox policyTypes: - Ingress - Egress
AnswerD

This policy selects the pod and specifies both policyTypes with no rules, which defaults to deny all ingress and egress.

Why this answer

A NetworkPolicy whose podSelector matches the pod and whose policyTypes list both Ingress and Egress with no ingress or egress rules denies all traffic in both directions. Option D has exactly that structure. Option A has no policyTypes and an egress rule to every pod in the namespace, so ingress is denied but egress to neighbouring pods stays allowed. Option B uses the wrong apiVersion (NetworkPolicy lives in networking.k8s.io/v1), selects every pod in the namespace and restricts ingress only. Option C allows ingress from every pod in the namespace and leaves egress unrestricted.

136
MCQmedium

A Falco rule has the condition: 'evt.type=open and fd.name contains /etc/shadow and container.id != host'. What is being detected?

A.Any process opening /etc/shadow on the host
B.A container process writing to /etc/shadow
C.A process reading /etc/passwd
D.A container process opening /etc/shadow
AnswerD

The condition matches open syscalls on /etc/shadow from processes in containers.

Why this answer

The rule detects open syscalls on files whose name contains '/etc/shadow' by processes that are not on the host, i.e. inside containers; 'container.id != host' is exactly how Falco's own 'container' macro is defined. Nothing in the condition restricts the open to writing (B), the path is /etc/shadow rather than /etc/passwd (C), and host processes are excluded (A).

137
Multi-Selecteasy

Which TWO of the following are valid audit stages in Kubernetes? (Choose two.)

Select 2 answers
A.ResponseFull
B.ResponseComplete
C.RequestReceived
D.RequestProcessing
E.RequestComplete
AnswersB, C

Both are valid stages.

Why this answer

Valid audit stages: RequestReceived, ResponseStarted, ResponseComplete and Panic. ResponseFull, RequestProcessing and RequestComplete (options A, D and E) do not exist.

138
MCQmedium

You are responding to a security incident where a pod named `compromised-pod` in namespace `default` is suspected of being used for cryptocurrency mining. You need to immediately isolate the pod from the network while preserving evidence. Which command sequence should you use?

A.kubectl cordon <node-of-compromised-pod>
B.kubectl run temp-pod --image=busybox --restart=Never -- /bin/sh -c 'kubectl label pod compromised-pod isolated=true' && kubectl apply -f networkpolicy.yaml that selects pod with label isolated=true and denies all traffic
C.kubectl delete pod compromised-pod && kubectl describe pod compromised-pod
D.kubectl exec compromised-pod -- killall miner-process
AnswerB

The label plus a NetworkPolicy that selects it and denies all ingress and egress cut the pod off from the network while it keeps running, so its processes, memory and filesystem remain available for forensics.

Why this answer

Option B is correct in substance: label the pod, then apply a NetworkPolicy that selects that label with policyTypes Ingress and Egress and no rules, which denies all traffic while the pod stays running. The label can be applied directly with `kubectl label pod compromised-pod isolated=true`; there is no need for a helper pod to do it. Option A cordons the node, which only stops new pods from being scheduled there and does nothing to the running pod's network. Option C deletes the pod and with it the evidence; `kubectl describe` on a deleted pod simply fails.

Option D kills a process inside the container, which alters the evidence, may not stop a miner that respawns, and is not isolation.
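The quarantine policy used in questions 135 and 138, written so that a single label moves a pod into isolation, added here as an example (not from the original page; the policy name and the `isolated` label are assumptions):

```yaml
# Added example: deny-all NetworkPolicy for pods labelled isolated=true.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine                 # assumption: illustrative name
  namespace: default
spec:
  # Select only pods carrying the quarantine label. Moving a pod in or out
  # of isolation is then a kubectl label command, not a policy edit.
  podSelector:
    matchLabels:
      isolated: "true"
  # Listing both types with no ingress/egress rules denies all traffic in
  # both directions, including DNS. Listing Ingress alone, or omitting
  # policyTypes, would leave egress open, which is the flaw in the
  # "ingress only" variants.
  policyTypes:
  - Ingress
  - Egress
```

Order of operations: `kubectl apply -f quarantine.yaml` once (it matches nothing until a pod is labelled), then `kubectl label pod compromised-pod isolated=true` the moment a pod is suspect, then collect evidence (`kubectl logs`, and the runtime-level capture on the node). Three caveats a practitioner checks: the CNI must enforce NetworkPolicy (Calico or Cilium do, plain flannel does not), policies are additive and another policy in the namespace that also selects this pod and allows some traffic keeps that traffic allowed, so review `kubectl get networkpolicy -n default` for overlapping selectors, and a pod with `hostNetwork: true` is not covered at all and needs node-level firewalling instead.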

139
Multi-Selectmedium

Which TWO of the following are valid audit stages in Kubernetes?

Select 2 answers
A.ResponseReceived
B.Panic
C.ResponseStarted
D.RequestReceived
E.RequestSent
AnswersC, D

ResponseStarted is a valid audit stage that occurs when the response headers are sent.

Why this answer

RequestReceived, ResponseStarted, ResponseComplete, and Panic are valid stages. RequestReceived and ResponseStarted are two of them. 'RequestSent' and 'ResponseReceived' are not standard stages.

140
MCQeasy

Which flag is used when starting kube-apiserver to enable audit logging?

A.--audit-log-path
B.--audit-webhook-config-file
C.--feature-gates=Audit=true
D.--audit-policy-file
AnswerD

This flag is required to enable audit logging; it points to a YAML file defining the audit policy.

Why this answer

The --audit-policy-file flag points kube-apiserver at the policy that defines what to record; without it no audit events are generated. --audit-log-path (or --audit-webhook-config-file for the webhook backend) decides where the events go and is needed as well for anything to be written, but it does not enable auditing by itself. There is no Audit feature gate.
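How the flags from the question are wired into the API server on a kubeadm cluster, added here as an example (not from the original page; the file paths, retention values and image tag are conventional assumptions). The part most often forgotten is the second half: the policy file and the log directory live on the node, so the static pod needs hostPath mounts for both, otherwise the API server fails to start and the whole cluster goes down with it:

```yaml
# Added example: the audit-related fragment of
# /etc/kubernetes/manifests/kube-apiserver.yaml (kubeadm static pod).
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0   # assumption: version tag
    command:
    - kube-apiserver
    # ... the cluster's existing flags stay unchanged ...
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml   # enables auditing
    - --audit-log-path=/var/log/kubernetes/audit/audit.log    # log backend target
    - --audit-log-maxage=30       # days to keep rotated files
    - --audit-log-maxbackup=10    # number of rotated files to keep
    - --audit-log-maxsize=100     # MiB per file before rotation
    volumeMounts:
    - name: audit-policy
      mountPath: /etc/kubernetes/audit/policy.yaml
      readOnly: true              # the API server only reads the policy
    - name: audit-log
      mountPath: /var/log/kubernetes/audit
  volumes:
  - name: audit-policy
    hostPath:
      path: /etc/kubernetes/audit/policy.yaml
      type: File                  # fail fast if the policy file is missing
  - name: audit-log
    hostPath:
      path: /var/log/kubernetes/audit
      type: DirectoryOrCreate
```

Saving the manifest restarts the API server; `crictl ps | grep kube-apiserver` on the node confirms it came back and `crictl logs <container-id>` shows why it did not (a typo in the policy path is the usual cause). `--audit-log-path=-` sends events to stdout instead of a file. kubeadm rewrites this manifest on upgrade, so for a persistent change put the flags under `apiServer.extraArgs` and the mounts under `apiServer.extraVolumes` in the kubeadm ClusterConfiguration.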

141
MCQeasy

An administrator wants to monitor runtime security events in Kubernetes using Falco. Which component must be deployed as a DaemonSet to capture system calls from containers?

A.Falco driver
B.Kube-bench
C.Falcoctl
D.Falco
AnswerD

Falco itself runs as a DaemonSet to monitor syscalls on each node.

Why this answer

Falco runs as a DaemonSet to ensure each node has an instance that can intercept system calls from containers using kernel modules or eBPF.

142
Multi-Selectmedium

Which TWO of the following are valid methods to detect a container spawning a shell (e.g., /bin/bash) using Falco? (Select two.)

Select 2 answers
A.Use the rule 'Launch Sensitive Mount'
B.Check if proc.name is 'bash' and container is true
C.Use the macro 'spawned_process' combined with a container filter
D.Check if the process's parent is 'sshd'
E.Check if evt.type is 'execve' and fd.name contains 'bash'
AnswersB, C

Why this answer

Falco detects shell spawning by combining the spawned_process macro (completion of an execve/execveat) with the container macro and a check on the executed program's name, either proc.name = bash or, better, proc.name in (shell_binaries). Option E fails because an execve event carries no fd.name; the program being executed is in proc.name or proc.exe. Option D only catches shells started by an SSH daemon, which containers rarely run. Option A is an unrelated default rule about sensitive host mounts.

143
MCQeasy

Which command can be used to view the logs of a container using the container runtime interface (crictl)?

A.crictl status <container-id>
B.crictl logs <container-id>
C.crictl inspect <container-id>
D.crictl log <container-id>
AnswerB

Correct. crictl logs displays logs from the container.

Why this answer

crictl logs is the command to fetch logs of a container, similar to 'docker logs'.

144
MCQhard

Which of the following is NOT a valid priority level in a Falco rule?

A.NOTICE
B.HIGH
C.CRITICAL
D.WARNING
AnswerB

Why this answer

Falco priorities are: EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. 'HIGH' is not a valid priority.

145
MCQhard

A Falco rule is written to detect access to /etc/shadow inside a container. Which condition should be used?

A.evt.type=read and fd.name=/etc/shadow
B.spawned_process and proc.name in (cat, less) and container
C.evt.type=execve and proc.name=cat and fd.name=/etc/shadow
D.evt.type=open and fd.name=/etc/shadow
AnswerD

Correct. open syscall with fd.name exactly matching /etc/shadow.

Why this answer

Access to a file is observed when the file is opened, so the condition keys on the open event together with fd.name=/etc/shadow. Option A does not work: the file name is only known at open time, and Falco drops high-volume I/O syscalls such as read by default anyway. Option B reports every cat or less in any container regardless of the file. Option C is wrong because an execve event has no fd.name. In a production rule use Falco's open_read macro rather than a bare evt.type=open, since modern libc issues open() as openat() or openat2() and the macro covers all three.

146
Multi-Selectmedium

Which TWO of the following are valid steps to respond to a runtime security incident where a container is suspected to be compromised? (Select two.)

Select 2 answers
A.Apply a NetworkPolicy that denies all ingress and egress to the pod
B.Immediately delete the pod to stop the attack
C.Add a taint to the node to evict the pod
D.Use kubectl logs to capture container logs before taking action
E.Restart the kubelet on the node
AnswersA, D

Why this answer

Valid incident response steps are to isolate the pod with a deny-all NetworkPolicy and to capture its logs for evidence before anything changes its state. Deleting the pod (B) or tainting the node so that it is evicted (C) destroys the running container and the evidence in it, and restarting the kubelet (E) does nothing to contain the pod.

147
MCQmedium

A Falco rule detects unexpected outbound connections. Which condition would identify a connection to an external IP not in the allowed list?

A.evt.type=connect and fd.ip not in (allowed_ips)
B.evt.type=accept and fd.ip not in (allowed_ips)
C.evt.type=listen and fd.ip not in (allowed_ips)
D.evt.type=bind and fd.ip not in (allowed_ips)
AnswerA

This matches connect syscalls to IPs not in the allowed list.

Why this answer

connect is the syscall a client issues to reach a remote endpoint, so evt.type=connect combined with a check on the remote address identifies outbound connections to IPs outside the allowlist. accept, listen and bind describe the server side of a socket. In a real rule use fd.sip (the server, i.e. remote, side) rather than fd.ip, which matches either endpoint, add evt.dir=< so the condition is evaluated once the call has completed, and consider Falco's shipped outbound macro, which also covers UDP sendto/sendmsg.
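One rules file that turns the conditions discussed in questions 125, 127, 131, 136, 142, 145 and 147 into complete rules, added here as an example. It is not from the original page and not Falco's shipped falco_rules.yaml; its macros mirror the shipped ones in simplified form under an `ex_` prefix so they do not override them. The allowed IP list and the 10.244.0.0/16 pod CIDR are assumptions:

```yaml
# Added example: custom Falco rules, e.g. /etc/falco/rules.d/container_runtime.yaml
# Names carry an "ex_" prefix so they do not replace Falco's default macros/lists.

- list: ex_sensitive_file_names
  items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]

- list: ex_shell_binaries
  items: [bash, sh, dash, zsh, ksh, csh, tcsh]

# Assumed service addresses (API server, cluster DNS) containers may reach.
# IPs are double-quoted inside the list so the condition parser sees strings.
- list: ex_allowed_outbound_ips
  items: ['"10.96.0.1"', '"10.96.0.10"']

# "In a container" in Falco terms simply means "not the host".
- macro: ex_container
  condition: (container.id != host)

# glibc issues open() as openat()/openat2() on current kernels, so a bare
# evt.type=open misses most opens. evt.dir=< means "evaluate on syscall exit";
# evt.is_open_read keeps only opens that permit reading.
- macro: ex_open_read
  condition: >
    (evt.type in (open, openat, openat2) and evt.dir=< and evt.is_open_read=true
     and fd.typechar='f' and fd.num>=0)

# A new program is observed on the exit of execve/execveat. Processes that
# already existed when Falco started, or that forked without exec, never match.
- macro: ex_spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# Client side of a connection: completed connect() on IPv4/IPv6, not loopback.
- macro: ex_outbound
  condition: >
    (evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)
     and fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8"
     and (evt.rawres>=0 or evt.res=EINPROGRESS))

- rule: Container read of sensitive file
  desc: A process inside a container opened a credential file under /etc for reading
  condition: ex_open_read and ex_container and fd.name in (ex_sensitive_file_names)
  output: >
    Sensitive file opened for reading in container
    (user=%user.name command=%proc.cmdline file=%fd.name parent=%proc.pname
     container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, container]

- rule: Shell spawned in container
  desc: A shell binary was executed inside a container (kubectl exec, reverse shell, RCE)
  condition: ex_spawned_process and ex_container and proc.name in (ex_shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
     container=%container.name image=%container.image.repository)
  priority: NOTICE
  tags: [process, container]

- rule: Unexpected outbound connection from container
  desc: A container connected to an address outside the allowed service IPs and pod network
  condition: >
    ex_outbound and ex_container
    and not fd.sip in (ex_allowed_outbound_ips)
    and fd.snet != "10.244.0.0/16"
  output: >
    Unexpected outbound connection
    (user=%user.name command=%proc.cmdline connection=%fd.name
     container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [network, container]
```

`falco -V container_runtime.yaml` validates the file without starting the engine; load it alongside the defaults with `-r /etc/falco/falco_rules.yaml -r container_runtime.yaml` or by placing it in rules.d. All three rules are deliberately broad. A real deployment narrows them with exceptions (trusted images, the container's own entrypoint as parent, a package manager reading /etc/sudoers during a build) rather than by weakening the conditions, because every condition you remove is a blind spot an attacker does not have to work for.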

148
Multi-Selecthard

You need to preserve forensic evidence from a compromised pod. Which TWO actions should you take?

Select 2 answers
A.Delete the pod immediately
B.Take a snapshot of the container's filesystem
C.Apply a NetworkPolicy to allow all traffic
D.Capture the container logs using kubectl logs
E.Restart the container
AnswersB, D

Preserves the filesystem state for analysis.

Why this answer

Preserving the container filesystem and capturing the container logs are the standard forensic steps, taken after the pod has been isolated and before anything restarts or deletes it. crictl has no export subcommand: copy the root filesystem from the node with the runtime's own tooling (docker export where Docker is the runtime, or an archive of the container's rootfs directory in the containerd bundle on the node), and save stdout/stderr with kubectl logs, which disappears once the container is restarted (E) or the pod is deleted (A). Option C would undo the isolation.

149
MCQhard

You need to ensure that all containers in a pod cannot write to their root filesystem except for a specific directory `/data`. You set `securityContext.readOnlyRootFilesystem: true` and mount an emptyDir volume at `/data`. However, the container still cannot write to `/data`. What is the most likely cause?

A.The emptyDir volume is not mounted correctly in the pod spec
B.The container user does not have write permission on the emptyDir volume
C.The emptyDir volume is using a read-only storage class
D.readOnlyRootFilesystem also applies to mounted volumes
AnswerB

The container process must have write permission on the directory that the emptyDir exposes at `/data`; readOnlyRootFilesystem never restricts mounted volumes. Check the owner and mode with `ls -ld /data` inside the container and align them with `fsGroup` or `runAsUser` in the securityContext.

Why this answer

Option B: readOnlyRootFilesystem applies to the image's root filesystem only, so a write failure on a mounted volume is a permission problem on the volume itself. The kubelet creates emptyDir directories world-writable (mode 0777), so with a fresh emptyDir and a non-root user the failure usually means the directory or a subdirectory was created with tighter ownership afterwards, for example by an init container running as root. Setting `fsGroup` (the kubelet changes the volume's group to that GID and makes it group-writable) or matching `runAsUser` to the owner fixes it; also confirm that the volumeMount does not carry `readOnly: true`. Option A would produce a different symptom: if the volume were not mounted, /data would be part of the read-only root filesystem and the error would read "Read-only file system", not "Permission denied".

Option C is wrong because emptyDir is node-local scratch space and does not use a StorageClass. Option D is false: readOnlyRootFilesystem does not apply to mounted volumes.

150
Multi-Selectmedium

Which TWO are valid stages in a Kubernetes audit event? (Select 2)

Select 2 answers
A.RequestReceived
B.ResponseStarted
C.PreProcessing
D.None
E.PostProcessing
AnswersA, B

RequestReceived is a valid stage.

Why this answer

The valid stages are RequestReceived, ResponseStarted, ResponseComplete, and Panic. 'PreProcessing' and 'PostProcessing' are not stages, and 'None' is an audit level (the value of a rule's 'level' field), not a stage.
