CCNA Cks Supply Chain Questions

75 of 190 questions · Page 1/3 · CKS Supply Chain topic

1
Multi-Select · easy

Which THREE of the following are tools used for static analysis of Kubernetes manifests?

Select 3 answers
A. kubesec
B. checkov
C. kube-score
D. trivy
E. syft
Answers: A, B, C

kubesec scans Kubernetes resources for security issues without deploying them.

Why this answer

kubesec, checkov, and kube-score all analyze Kubernetes manifests statically. Syft generates SBOMs, and Trivy is primarily an image and filesystem vulnerability scanner. Trivy can also flag manifest misconfigurations (trivy config), so read questions like this one as asking for the dedicated manifest analyzers.

2
MCQ · medium

A developer wants to ensure that a pod always uses a specific version of an image that cannot be changed without updating the manifest. Which image reference should be used?

A. myimage@sha256:abcdef...
B. myimage:latest
C. myimage:v1.0
D. myimage:1.0.0
Answer: A

A digest is the SHA-256 hash of the image manifest; any change to the image content yields a different digest.

Why this answer

Referencing the image by digest guarantees the kubelet pulls exactly that content. Every tag, including v1.0 and 1.0.0, is a mutable pointer that the registry owner (or an attacker with push access) can re-point to different content without touching the manifest. With a digest reference, deploying new content requires changing the manifest.

3
MCQ · easy

Which tool can be used to generate an SBOM (Software Bill of Materials) for a container image?

A. trivy
B. kubesec
C. checkov
D. syft
Answer: D

Syft generates SBOMs from container images.

Why this answer

Syft is built specifically for SBOM generation and can emit SPDX, CycloneDX, and its own JSON format. Trivy can also produce an SBOM (--format cyclonedx or spdx-json), so treat the question as asking for the dedicated SBOM tool.

4
MCQ · easy

A developer wants to verify the signature of a container image before deploying it. Which command should they use along with Cosign?

A. cosign verify
B. cosign generate-key-pair
C. cosign sign
D. cosign attest
Answer: A

cosign verify checks the signature of an image against a public key (or, in keyless mode, against a certificate identity and issuer).

Why this answer

Option A is correct: cosign verify verifies an image signature. Option B generates a key pair, option C signs an image, and option D creates and signs an attestation (verified with cosign verify-attestation, not cosign verify).

5
MCQ · easy

You want to scan a container image for vulnerabilities before deploying it. Which command uses the Trivy tool to scan an image?

A. trivy check nginx:latest
B. trivy image nginx:latest
C. trivy fs nginx:latest
D. trivy scan nginx:latest
Answer: B

trivy image scans the specified container image for vulnerabilities.

Why this answer

The command to scan a container image with Trivy is trivy image. Option C, trivy fs, scans a local filesystem or project directory rather than an image; trivy check and trivy scan (options A and D) are not Trivy subcommands.

6
MCQ · hard

You have a Kyverno policy that validates images are from a specific registry. However, a pod using an image from that registry is still blocked. The pod YAML includes 'imagePullPolicy: Always'. What could be the issue?

A. The imagePullPolicy is set to Always, causing Kyverno to ignore the registry check
B. The pod uses a different registry name than the one in the policy (e.g., a mirror)
C. Kyverno cannot validate images with a tag
D. The policy is missing the 'validate' rule type
Answer: B

The registry pattern in the policy must match the image reference the pod actually uses.

Why this answer

Kyverno compares the policy pattern against the image reference in the pod spec. If the policy allows registry.example.com/* but the pod pulls the same content through a mirror such as mirror.example.com/..., the validate rule fails. Kyverno normalizes bare references when it exposes them to policies (nginx becomes docker.io/library/nginx:latest), so a pattern that omits the registry or the library/ namespace will also fail to match. imagePullPolicy has no effect on admission checks, tags are fully supported, and a policy with no validate rule would not block anything.
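The registry mismatch in this question and the digest pinning in question 2 come down to how an image reference is parsed. The following is an added example, not code from the page or from Kyverno: a pre-deploy gate that normalizes references the way a registry client does (no registry means docker.io, a single-segment repository means library/, no tag means latest), then checks each image in a manifest against an allowlist and requires a digest. The manifest, registry names and digest value are constructed for the example.

```python
"""Pre-deploy gate: normalize image references the way a registry client does
and check every image in a manifest for an allowed registry and a digest.
Added example; not from the page or any tool it names."""
import re
from typing import Dict, List

DOCKER_HUB = "docker.io"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image(ref: str) -> Dict[str, str]:
    """Split an OCI reference into registry, repository, tag and digest,
    applying the defaults that cause most 'policy does not match' surprises:
    no registry -> docker.io, bare repo on docker.io -> library/<repo>,
    neither tag nor digest -> latest."""
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    first = parts[0]
    # The first component is a registry only if it looks like a hostname.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = DOCKER_HUB, ref
    tag = ""
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if registry == DOCKER_HUB and "/" not in path:
        path = "library/" + path
    if not tag and not digest:
        tag = "latest"
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def normalize(ref: str) -> str:
    """Canonical form of a reference, e.g. nginx -> docker.io/library/nginx:latest."""
    p = parse_image(ref)
    out = f"{p['registry']}/{p['repository']}"
    if p["tag"]:
        out += ":" + p["tag"]
    if p["digest"]:
        out += "@" + p["digest"]
    return out


def images_in_manifest(manifest: str) -> List[str]:
    """Minimal extractor for 'image:' lines; a production gate would parse YAML."""
    return re.findall(r"^\s*-?\s*image:\s*['\"]?([^'\"\s]+)", manifest, re.MULTILINE)


def check_manifest(manifest: str, allowed_registries, require_digest: bool = True) -> List[str]:
    """One finding per violation; an empty list means the manifest passes."""
    findings: List[str] = []
    for ref in images_in_manifest(manifest):
        p = parse_image(ref)
        if p["registry"] not in allowed_registries:
            findings.append(f"{ref}: registry {p['registry']} not allowed (normalized: {normalize(ref)})")
        if require_digest and not DIGEST_RE.match(p["digest"]):
            findings.append(f"{ref}: not pinned by digest")
    return findings


# Constructed sample: one compliant container, a mirror, and a bare Docker Hub image.
FAKE_DIGEST = "sha256:" + "a" * 64  # placeholder, not a real image digest
SAMPLE_MANIFEST = f"""
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: app
    image: registry.example.com/team/app@{FAKE_DIGEST}
  - name: mirror
    image: mirror.example.com/team/app:v1.0
  - name: sidecar
    image: nginx
"""

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST, {"registry.example.com"}):
        print("DENY", finding)
```

Run against the sample, the app container passes and the other two produce four findings: the mirror fails the registry check and is tag-pinned, and nginx normalizes to docker.io/library/nginx:latest, which is neither an allowed registry nor a digest.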

7
MCQ · easy

Which admission controller allows or rejects pods based on their container images by consulting an external webhook in Kubernetes?

A. MutatingAdmissionWebhook
B. ImagePolicyWebhook
C. PodSecurity
D. ValidatingAdmissionWebhook
Answer: B

ImagePolicyWebhook is the admission plugin dedicated to image policy enforcement.

Why this answer

ImagePolicyWebhook sends an ImageReview containing the pod's image references to an external service and admits or denies the pod based on the reply. It validates only; it never rewrites an image reference. MutatingAdmissionWebhook and ValidatingAdmissionWebhook are general-purpose hooks for any resource, and PodSecurity enforces the Pod Security Standards.

8
MCQ · hard

A cluster uses the ImagePolicyWebhook admission controller. After configuring it, deployments referencing images from an unauthorized registry are blocked. However, some deployments are still being admitted. What is a possible cause?

A. The ImagePolicyWebhook is configured with a low timeout
B. The registry is allowlisted in the webhook configuration
C. The admission controller is disabled
D. The ImagePolicyWebhook is placed after mutating admission webhooks in the admission chain
Answer: D

If a mutating webhook rewrites the image reference, ImagePolicyWebhook evaluates the rewritten image, not the one the user submitted.

Why this answer

Mutating admission always runs before validating admission, and ImagePolicyWebhook is a validating plugin, so it sees the image reference as it exists after any MutatingAdmissionWebhook has changed it. If a mutating webhook replaces a disallowed reference with an allowed one (for example, by rewriting it to an internal mirror), the pod is admitted with the rewritten image and the original reference is never evaluated. That is the scenario option D describes. Two caveats worth knowing: ImagePolicyWebhook reviews Pods, not Deployments (the Deployment object is admitted; its pods are what get denied), and with defaultAllow: true in the AdmissionConfiguration a webhook timeout also results in admission, so option A becomes a real cause unless defaultAllow is false.

9
MCQ · easy

Which tool is used to generate an SBOM (Software Bill of Materials) for a container image?

A. Clair
B. Kubesec
C. Trivy
D. Syft
Answer: D

Syft generates SBOMs from container images.

Why this answer

Syft is a CLI tool that generates SBOMs from container images and filesystems. cosign attest can attach an SBOM to an image as an attestation, but Syft is the tool that produces it.

10
Multi-Select · medium

Which TWO are best practices for Dockerfile security? (Select 2)

Select 2 answers
A. Use a non-root user
B. Use a minimal base image (distroless)
C. Store secrets in environment variables
D. Install SSH server for debugging
E. Run the container as root
Answers: A, B

Running as non-root limits the impact of a breach.

Why this answer

A non-root USER limits what a compromised process can do, and a minimal base image such as distroless ships fewer packages and therefore fewer vulnerabilities. Secrets in environment variables leak through kubectl describe, crash dumps and child processes, and an SSH daemon adds a listener and credentials the application does not need.

11
MCQ · easy

Which Kubernetes admission controller ensures that a pod only uses images from a specific registry?

A. NamespaceLifecycle
B. ImagePolicyWebhook
C. PodNodeSelector
D. AlwaysPullImages
Answer: B

ImagePolicyWebhook can enforce policies on the image registry and more.

Why this answer

The ImagePolicyWebhook admission controller can be configured to allow or deny images based on their registry by consulting an external webhook. AlwaysPullImages forces a pull on every start (useful against cached-image reuse across namespaces) but does not restrict registries.

12
MCQ · medium

Which tool can be used to perform static analysis of Kubernetes manifests for security issues?

A. syft
B. cosign
C. kubesec
D. trivy
Answer: C

kubesec analyzes Kubernetes manifests for security issues.

Why this answer

kubesec evaluates Kubernetes resources against security best practices and returns a score with the reasons for it.

13
MCQ · medium

An administrator runs 'kubectl run test-pod --image=nginx:latest' and the pod fails to start. The event log shows 'ImagePullBackOff' with error 'manifest for nginx:latest not found: manifest unknown'. The image 'nginx:latest' exists in the registry. What is the most likely cause?

A. The pod is running in a different namespace
B. The registry requires authentication
C. The image tag is misspelled or points to a non-existent tag
D. The image is a multi-architecture image and the node does not support the required architecture
Answer: C

'manifest unknown' means the registry has no manifest for that tag: either a typo or a tag that does not exist in the registry actually being used.

Why this answer

The 'manifest unknown' error comes from the registry and indicates that the requested tag does not exist in the repository. Even though nginx:latest exists on Docker Hub, the node may be configured to pull from a different registry or mirror where the tag is absent, or the tag may be misspelled. An authentication problem (option B) produces an 'unauthorized' error instead, and an unsupported architecture is reported as 'no match for platform in manifest'. Option C is the most likely cause.

14
MCQ · medium

A security team wants to ensure that all container images in a cluster are scanned for critical CVEs before they are run. They decide to use an admission controller. Which Kubernetes built-in admission controller should they configure?

A. MutatingAdmissionWebhook
B. ValidatingAdmissionPolicy
C. ImagePolicyWebhook
D. PodSecurity
Answer: C

ImagePolicyWebhook is the built-in admission controller that hands image references to an external service, such as a scanner, before allowing pod creation.

Why this answer

ImagePolicyWebhook is the built-in mechanism for gating pod creation on an image policy decision made by an external backend, which can be backed by scan results. The other options are also built-in, but they serve different purposes: MutatingAdmissionWebhook changes objects, ValidatingAdmissionPolicy evaluates CEL expressions inside the API server and cannot call out to a scanner, and PodSecurity enforces the Pod Security Standards.
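Questions 7, 8 and 14 all turn on what the ImagePolicyWebhook backend actually receives and returns. The following added example, not code from the page or from Kubernetes, is a minimal backend: the API server POSTs an imagepolicy.k8s.io/v1alpha1 ImageReview listing every container image in the Pod (after mutation, since validating admission runs last) and expects the same object back with status.allowed set. The allowlist, port and the sample request are assumptions; the exact-prefix match is deliberate so that a mirror is rejected, as in question 6.

```python
"""Minimal ImagePolicyWebhook backend (added example, not Kubernetes code).
The apiserver POSTs an ImageReview and admits the Pod only if status.allowed
is true; with defaultAllow: false a timeout or error denies."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

# Assumed policy: exact repository prefixes, so mirror.example.com/team/ does
# NOT match, and every image must be referenced by digest.
ALLOWED_PREFIXES: List[str] = ["registry.example.com/team/"]
REQUIRE_DIGEST = True


def evaluate(review: Dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for one ImageReview request object."""
    images = [c.get("image", "") for c in review.get("spec", {}).get("containers", [])]
    if not images:
        return False, "ImageReview carried no container images"
    for image in images:
        if not any(image.startswith(p) for p in ALLOWED_PREFIXES):
            return False, f"image {image} is not from an approved repository"
        if REQUIRE_DIGEST and "@sha256:" not in image:
            return False, f"image {image} must be referenced by digest"
    return True, ""


def respond(review: Dict) -> Dict:
    """Build the ImageReview response the apiserver expects."""
    allowed, reason = evaluate(review)
    status: Dict = {"allowed": allowed}
    if reason:
        status["reason"] = reason  # shown to the user in the admission error
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview", "status": status}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = json.dumps(respond(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


# Constructed request in the shape the apiserver sends (digest is a placeholder).
SAMPLE_REVIEW = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "containers": [{"image": "registry.example.com/team/app@sha256:" + "b" * 64}],
        "annotations": {},
        "namespace": "prod",
    },
}

if __name__ == "__main__":
    # Plain HTTP for local testing only; the real backend must serve TLS and the
    # apiserver authenticates to it via the kubeconfig named in AdmissionConfiguration.
    HTTPServer(("127.0.0.1", 8443), Handler).serve_forever()
```

On the API server side the plugin is enabled with --enable-admission-plugins=ImagePolicyWebhook and pointed at the backend through --admission-control-config-file, whose AdmissionConfiguration entry for ImagePolicyWebhook carries imagePolicy.kubeConfigFile (the kubeconfig naming the backend URL and client credentials), allowTTL, denyTTL, retryBackoff and defaultAllow. Leave defaultAllow at false: with true, the timeout in question 8's option A admits pods instead of denying them.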

15
MCQ · hard

Developer A runs 'cosign verify --key cosign.pub myregistry/myimage:tag' and receives an error: 'No signatures found'. Developer B previously ran 'cosign sign --key cosign.key myregistry/myimage:tag'. What is the most likely cause of the verification failure?

A. The image tag does not exist in the registry
B. The signing command failed to push the signature to the registry
C. Developer B used a different private key to sign than the public key used for verification
D. Developer A used the public key instead of the private key
Answer: B

If the signature was never pushed, verify finds nothing to check.

Why this answer

Option B is correct. 'No signatures found' means no signature artifact exists for the image's digest in the repository (cosign stores it under the tag sha256-<digest>.sig next to the image, unless COSIGN_REPOSITORY points elsewhere). That happens when the signing command failed to push, signed a different digest than the one the tag now points to, or pushed to a different repository.

Option A is ruled out because a missing tag would fail with a manifest-not-found error before any signature lookup. Option C is incorrect: a key mismatch is reported as a signature that fails verification, not as a missing signature. Option D is incorrect; cosign verify is supposed to use the public key.

16
MCQ · medium

A developer wants to create a Deployment that runs as a non-root user. Which YAML snippet correctly sets the security context to run the container with UID 1000?

A. spec.containers[].securityContext.runAsUser: 0
B. spec.containers[].securityContext.runAsNonRoot: true
C. spec.containers[].securityContext.runAsGroup: 1000
D. spec.containers[].securityContext.runAsUser: 1000
Answer: D

Setting runAsUser at the container level makes the container's process run with that UID.

Why this answer

Option D is correct: runAsUser: 1000 in the container securityContext starts the process as UID 1000, overriding the image's USER and any pod-level runAsUser. Option A sets UID 0, which is root. Option B, runAsNonRoot: true, is a boolean check that makes the kubelet refuse to start a container that would run as UID 0; it does not choose a UID. Option C sets the primary group ID, not the user ID. Setting runAsUser in the pod-level securityContext also works and applies to all containers unless a container overrides it.

17
MCQ · medium

Which of the following is a static analysis tool for Kubernetes manifests that can be used to find misconfigurations?

A. Trivy
B. Kubesec
C. Syft
D. Cosign
Answer: B

Kubesec scans Kubernetes manifests for security issues.

Why this answer

Kubesec is a static analysis tool that evaluates Kubernetes resource YAML against security best practices and assigns a score.

18
MCQ · medium

What is the correct way to specify a container image using a SHA digest instead of a tag for immutable deployments?

A. image: myapp:latest
B. image: myapp:stable
C. image: myapp@sha256:abc123...
D. image: myapp:1.0.0
Answer: C

The digest uniquely identifies the image content.

Why this answer

Option C is correct. A digest reference uses @sha256:<hex> and resolves to exactly one manifest; the tag references in options A, B and D can be re-pointed at any time.

19
MCQ · easy

What is the purpose of using a non-root user in a container image?

A. To reduce the attack surface and limit potential damage if the container is compromised
B. To improve performance
C. To comply with Kubernetes requirements
D. To allow the container to bind to privileged ports
Answer: A

Non-root users have fewer privileges, limiting the impact of a breach.

Why this answer

Running containers as a non-root user reduces the impact of a compromise and makes container-escape and privilege-escalation techniques that rely on root harder. Kubernetes does not require it by default (option C), and binding to ports below 1024 (option D) normally needs root or CAP_NET_BIND_SERVICE, so it is a reason people wrongly keep root, not a benefit of dropping it.

20
MCQ · medium

You are implementing supply chain security for container images. Which tool would you use to scan a local directory of Dockerfiles and Kubernetes manifests for known vulnerabilities and misconfigurations?

A. kubectl scan
B. syft
C. cosign sign
D. trivy fs
Answer: D

trivy fs scans a filesystem for vulnerable packages and lockfile dependencies and for misconfigurations in files such as Dockerfiles and Kubernetes manifests.

Why this answer

Option D is correct. trivy fs scans a directory for vulnerabilities (OS packages, language lockfiles) and misconfigurations (Dockerfile, Kubernetes, Terraform and similar). trivy config is the misconfiguration-only mode. kubectl has no scan subcommand, syft produces SBOMs, and cosign sign signs images.

21
MCQ · medium

Which Kyverno policy action is used to automatically mutate a resource to add a sidecar container for security?

A. validate
B. verifyImages
C. mutate
D. generate
Answer: C

Mutate rules modify resources during admission, for example by injecting sidecars.

Why this answer

Kyverno's mutate rule changes the incoming resource before it is persisted, which is how a sidecar is injected. validate accepts or rejects, verifyImages checks image signatures and attestations, and generate creates additional resources.

22
MCQ · medium

A development team uses a custom container image for their application, built from a base image that includes multiple CVEs. The security team requires that no container runs with known critical vulnerabilities. Which approach best ensures that only images with no critical vulnerabilities are deployed in production?

A. Configure a Kubernetes admission controller (e.g., Kyverno) to reject pods using images with critical vulnerabilities.
B. Scan the base image before building the application image.
C. Integrate an image scanner (e.g., Trivy) into the CI/CD pipeline to block builds with critical vulnerabilities.
D. Manually review vulnerability reports after the image is deployed.
Answer: C

Scanning the final image in the pipeline prevents vulnerable images from being pushed to the registry.

Why this answer

Option C is correct because integrating an image scanner such as Trivy into the CI/CD pipeline ensures that any image with critical vulnerabilities is blocked before it is pushed to a registry. This shift-left approach prevents vulnerable images from ever reaching the production environment, which is what the security team's requirement asks for.

Exam trap

CNCF often tests the distinction between shift-left security (preventing vulnerabilities at build time) and runtime enforcement (admission controllers). The trap is choosing admission controllers (option A) because they seem to block vulnerable images, overlooking that by then the image already exists in the registry and that the admission decision depends on scan data that may be stale, whereas CI/CD scanning stops the image from being published in the first place.

How to eliminate wrong answers

Option A is wrong because an admission controller like Kyverno can only reject pods at deployment time; the image may already be in the registry with known CVEs, and the controller relies on metadata or external scan results that may not be up to date. It also does not prevent the image from being built or stored. Option B is wrong because scanning only the base image does not account for vulnerabilities introduced by the application layer or dependencies added during the build, leaving the final image potentially vulnerable. Option D is wrong because manually reviewing reports after deployment is reactive and does not prevent vulnerable images from running in production.
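The pipeline gate in option C is normally a single command, trivy image --severity CRITICAL,HIGH --exit-code 1, which is also what questions 5 and 20 test. The following added example, not from the page or from Trivy, parses Trivy's JSON report instead so that the gate can carry policy the flag cannot: a time-boxed ignore list for accepted risk and an option to ignore findings that have no fix yet. The report is constructed in the shape Trivy emits (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, Severity, FixedVersion); the CVE identifiers and the ignore entry are placeholders.

```python
"""CI gate over a Trivy JSON report (added example; the report below is
constructed, and its CVE-0000-* identifiers are placeholders, not real CVEs).
Produce the real report with:
  trivy image --format json --severity CRITICAL,HIGH --output report.json IMAGE"""
import datetime
import json
from typing import Dict, List

FAIL_ON = {"CRITICAL", "HIGH"}

SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myrepo/myapp:latest",
    "Results": [
        {"Target": "myrepo/myapp:latest (debian 12.5)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
              "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.3",
              "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9",
              "FixedVersion": "1.0", "Severity": "MEDIUM"}]},
        {"Target": "app/requirements.txt", "Vulnerabilities": []},
    ],
})

# Assumed ignore list: accepted risk must expire, not linger forever.
IGNORE: Dict[str, str] = {"CVE-0000-0002": "2030-01-01"}


def findings(report_json: str, ignore_unfixed: bool, today: str) -> List[Dict]:
    """Findings that should fail the build, after severity, fix and ignore filters."""
    today_d = datetime.date.fromisoformat(today)
    report = json.loads(report_json)
    out: List[Dict] = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # Trivy emits null when empty
            if v["Severity"] not in FAIL_ON:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # nothing to upgrade to yet; track it, do not block on it
            until = IGNORE.get(v["VulnerabilityID"])
            if until and today_d <= datetime.date.fromisoformat(until):
                continue  # accepted risk, still within its window
            out.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                        "severity": v["Severity"], "target": result["Target"]})
    return out


def gate(report_json: str, ignore_unfixed: bool = False, today: str = "") -> int:
    """Exit status for the CI step: 1 blocks the push, 0 lets it through."""
    today = today or datetime.date.today().isoformat()
    hits = findings(report_json, ignore_unfixed, today)
    for h in hits:
        print(f"{h['severity']:8} {h['id']} {h['pkg']} ({h['target']})")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

With the sample report the gate fails on the CRITICAL finding alone while the ignore entry is current, fails on both once the entry expires, and drops the unfixed HIGH when ignore_unfixed is set. Keep ignore entries short-lived: an exception without an expiry is how a "temporary" accepted CVE ends up in production for years.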

23
Multi-Select · hard

Which THREE are valid methods to enforce that only images from a specific registry can be deployed in a Kubernetes cluster? (Select three.)

Select 3 answers
A. PodSecurityPolicy (PSP)
B. ImagePolicyWebhook admission controller
C. Kyverno policy validating image registry
D. OPA/Gatekeeper constraint to validate registry
E. NetworkPolicy to restrict egress to registries
Answers: B, C, D

ImagePolicyWebhook can enforce image policies including registry allowlists.

Why this answer

ImagePolicyWebhook, Kyverno and OPA/Gatekeeper all evaluate the image reference at admission time and can reject anything outside an allowlist. PodSecurityPolicy never had a registry control and was removed in Kubernetes 1.25. NetworkPolicy governs pod traffic, not the kubelet's image pulls, so it does not control image sources.

24
MCQ · medium

Which tool can generate an SBOM for a container image?

A. Trivy
B. Cosign
C. Kubescape
D. Syft
Answer: D

Syft generates SBOMs from container images.

Why this answer

Syft is a CLI tool that generates a Software Bill of Materials (SBOM) from container images and filesystems.

25
MCQ · easy

Which of the following is a BEST practice for securing container images in a Dockerfile?

A. Use the USER directive to specify a non-root user
B. Store secrets in environment variables in the image
C. Run the container as root to simplify permission management
D. Use the 'latest' tag to always get the newest base image
Answer: A

This follows the principle of least privilege.

Why this answer

Switching to a non-root user with USER reduces the impact of a compromise. Secrets in the image are readable by anyone who can pull it, root widens the blast radius, and a latest tag makes builds non-reproducible.

26
MCQ · easy

Which command is used with Cosign to sign a container image?

A. cosign verify <image>
B. cosign attest <image>
C. cosign sign <image>
D. cosign generate <image>
Answer: C

cosign sign is the command that signs an image.

Why this answer

Cosign signs and verifies container images. cosign sign creates the signature (sign by digest; Cosign warns when given a tag, because the tag can move after signing), and cosign verify checks it.

27
MCQ · hard

An administrator runs 'kubectl describe pod secure-pod' and sees that the pod is in a Pending state with the event 'Error: ImagePullBackOff' and the message 'unauthorized: authentication required'. The image is stored in a private registry. What is the most likely cause?

A. Missing imagePullSecret in the pod spec or in the namespace's default service account
B. The registry requires TLS 1.3 but the kubelet uses TLS 1.2
C. The image tag is misspelled
D. The registry hostname is not resolvable
Answer: A

The error is an authentication failure from the registry. Creating an imagePullSecret with valid registry credentials and referencing it from the pod spec (or attaching it to the service account) resolves the issue.

Why this answer

'unauthorized: authentication required' is the registry telling the kubelet it presented no valid credentials. The fix is kubectl create secret docker-registry with the registry credentials, referenced via imagePullSecrets in the pod spec or on the service account. Option B would surface as a TLS handshake error, option C as 'manifest unknown' or not found, and option D as a DNS resolution error; none of them yields an authentication message.

28
MCQ · medium

A security policy requires that all container images must have a signed attestation. Which Cosign command would an admin add to the CI pipeline to create this attestation?

A. cosign verify-attestation <image>
B. cosign sign --key <key> <image>
C. cosign download attestation <image>
D. cosign attest --type custom --predicate <file> <image>
Answer: D

cosign attest creates a signed attestation from a predicate file.

Why this answer

cosign attest wraps the predicate in an in-toto statement, signs it, and stores it alongside the image. --type selects the predicate type (custom here; slsaprovenance, spdxjson and cyclonedx are other common values). cosign sign signs the image itself, and the other two options read attestations rather than create them.

29
MCQ · medium

You need to enforce that all images deployed in the cluster are signed by a trusted key. Which Kubernetes admission control mechanism would you use?

A. ResourceQuota
B. NetworkPolicy
C. PodSecurityPolicy
D. ImagePolicyWebhook
Answer: D

ImagePolicyWebhook can be configured to verify image signatures by calling an external service.

Why this answer

Option D is correct. ImagePolicyWebhook hands the image references to an external backend, which can verify signatures before the pod is admitted. ResourceQuota limits resource consumption, NetworkPolicy governs traffic, and PodSecurityPolicy never checked signatures and was removed in Kubernetes 1.25. In practice, policy engines such as Kyverno (verifyImages) do the same job through a ValidatingAdmissionWebhook.

30
Multi-Select · hard

Which THREE of the following are best practices for Dockerfile security? (Select THREE)

Select 3 answers
A. Install debugging tools like curl and vim in the final image
B. Pin base image versions using SHA256 digests
C. Specify a non-root user with the USER directive
D. Use COPY instead of ADD for copying files
E. Use multi-stage builds to reduce image size
Answers: B, C, E

Pinning with a digest ensures the exact base image is used and removes tag mutability.

Why this answer

Multi-stage builds keep compilers and build dependencies out of the final image, USER drops root, and a digest-pinned FROM makes the base image immutable and the build reproducible. Installing debugging tools enlarges the attack surface and gives an intruder tools to work with. Option D is also sound advice (ADD silently extracts archives and fetches URLs); the exam key simply ranks it below the other three.

31
MCQ · medium

A security admin runs 'trivy image --severity CRITICAL,HIGH myrepo/myapp:latest' and sees many CVEs. The admin wants to ensure that only images with no CRITICAL or HIGH severity vulnerabilities are deployed to the cluster. Which admission controller should be configured to enforce this policy?

A. PodSecurityPolicy
B. ValidatingAdmissionWebhook
C. MutatingAdmissionWebhook
D. ImagePolicyWebhook
Answer: D

ImagePolicyWebhook is specifically designed to check container images against an external policy service before admission.

Why this answer

ImagePolicyWebhook forwards the pod's image references to an external backend, which can consult scan results and deny images with CRITICAL or HIGH findings. Options A, B and C are not image-specific: PodSecurityPolicy is removed, MutatingAdmissionWebhook changes objects, and ValidatingAdmissionWebhook is a generic hook. A policy engine such as Kyverno does implement this check through ValidatingAdmissionWebhook in practice, but the question asks for the built-in controller dedicated to image policy.

32
MCQ · medium

An organization uses Kyverno to enforce policies. Which Kyverno rule action would you use to require that all images come from a specific registry?

A. verifyImages
B. generate
C. mutate
D. validate
Answer: D

Validate rules enforce conditions; if a condition is not met, the resource is denied.

Why this answer

Kyverno policies can validate, mutate, or generate resources, and verifyImages checks signatures and attestations. To enforce a condition on the image reference such as an allowed registry, use a validate rule with a pattern on the container image; if the pattern fails, the resource is rejected (or merely reported, if the policy is in Audit mode).

33
Multi-Select · medium

Which THREE of the following are best practices for securing the software supply chain in a CI/CD pipeline?

Select 3 answers
A. Sign images with Cosign after building
B. Generate an SBOM for each image
C. Scan container images for vulnerabilities using Trivy
D. Use a non-minimal base image to ensure all libraries are available
E. Store secrets in the Dockerfile as build args
Answers: A, B, C

Signing ensures image integrity and provenance; SBOMs and scanning tell you what is inside.

Why this answer

Scanning images for vulnerabilities, generating SBOMs, and signing images are the core supply chain practices. A large base image adds packages and CVEs, and build args are recorded in the image history, so secrets passed that way are recoverable from the image.

34
MCQ · hard

A DevOps team wants to enforce that all Deployments must have a specific label 'app.kubernetes.io/name'. Which tool can be used to validate this in the admission controller stage?

A. Trivy
B. Cosign
C. Kyverno
D. Syft
Answer: C

Kyverno can enforce policies such as requiring specific labels on resources.

Why this answer

Kyverno is a Kubernetes-native policy engine that validates, mutates, and generates resources through admission webhooks. A validate rule can require that a label exists on every Deployment; the other three tools operate on images, not on admission.

35
MCQ · easy

Which YAML field in a Deployment specifies that the container must not run as root?

A. spec.containers[].securityContext.readOnlyRootFilesystem
B. spec.containers[].securityContext.runAsUser: 0
C. spec.containers[].securityContext.runAsNonRoot
D. spec.containers[].securityContext.allowPrivilegeEscalation
Answer: C

Setting runAsNonRoot: true makes the kubelet refuse to start the container if it would run as UID 0.

Why this answer

Option C is correct. runAsNonRoot: true is an enforcement check: if the effective UID (from runAsUser or the image's USER) is 0, or the image specifies no numeric user so the kubelet cannot prove it is non-root, the container fails to start. runAsUser: 0 (option B) is the opposite, and the other two fields harden the filesystem and privilege escalation but say nothing about the user.
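Questions 16 and 35 hinge on how runAsUser and runAsNonRoot combine, and on the fact that a container securityContext overrides the pod securityContext field by field. The following added example, not code from the page or from Kubernetes, works out the effective context for each container of a Pod manifest and reports the cases that end up as root or leave the decision to the image. The sample Pod and its digests are constructed.

```python
"""Audit the effective securityContext of every container in a Pod
(added example; the sample Pod below is constructed)."""
from typing import Dict, List, Optional


def effective_context(pod: Dict, container: Dict) -> Dict:
    """Merge pod-level and container-level securityContext; container wins per key."""
    merged = dict(pod.get("spec", {}).get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def audit_pod(pod: Dict) -> List[str]:
    findings: List[str] = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = effective_context(pod, c)
        name = c.get("name", "?")
        uid: Optional[int] = ctx.get("runAsUser")
        if uid == 0:
            findings.append(f"{name}: runAsUser 0 runs as root")
        elif uid is None and not ctx.get("runAsNonRoot"):
            # Neither a UID nor the runAsNonRoot check: the image's USER decides,
            # and for most official images that is root.
            findings.append(f"{name}: no runAsUser and no runAsNonRoot; the image's USER decides")
        if ctx.get("allowPrivilegeEscalation", True):  # kubelet default is true
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
    return findings


SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        # Pod-level defaults: UID 1000 and the non-root check for every container.
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
        "containers": [
            {"name": "app", "image": "registry.example.com/team/app@sha256:" + "d" * 64,
             "securityContext": {"allowPrivilegeEscalation": False}},
            # Container-level runAsUser overrides the pod default: this one is root.
            {"name": "debug", "image": "registry.example.com/team/tools@sha256:" + "e" * 64,
             "securityContext": {"runAsUser": 0}},
        ],
    },
}

if __name__ == "__main__":
    for f in audit_pod(SAMPLE_POD):
        print("WARN", f)
```

For the sample, app is clean and debug is reported twice: runAsUser: 0 at the container level beats the pod-level 1000, and it never disables privilege escalation. Note that the real kubelet would additionally reject debug at start time, because the pod-level runAsNonRoot: true is still inherited and the effective UID is 0.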

36
MCQ · easy

A DevOps team uses a CI/CD pipeline to build container images and push them to a private registry. To minimize the risk of supply chain attacks, which of the following is the most effective security control to implement?

A. Scan all images for vulnerabilities using Trivy before pushing to the registry.
B. Restrict access to the registry using Kubernetes RBAC and service accounts.
C. Implement network policies to restrict traffic to the registry endpoint.
D. Sign all container images using a private key and verify the signature before deployment.
Answer: D

Image signing provides cryptographic assurance of image integrity and origin, a core supply chain security control.

Why this answer

Option D is correct because signing container images with a private key and verifying the signature before deployment ensures image integrity and authenticity, directly mitigating supply chain attacks in which an attacker tampers with images in transit or at rest. This control, implemented with tools such as Notary or Cosign (part of the Sigstore project), provides cryptographic proof that the image was produced by a trusted source and has not been altered. Without signature verification, even a vulnerability-scanned image could be replaced with a malicious one, bypassing the other controls.

Exam trap

Candidates often confuse vulnerability scanning (which detects known flaws) with image signing (which ensures integrity and provenance) and choose scanning as the primary defense against supply chain attacks, overlooking that a scanned image can still be replaced or tampered with afterwards.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning (e.g., with Trivy) only identifies known CVEs in the image content; it does not prevent an attacker from replacing the image with a different, malicious one after the scan or in transit. Option B is wrong because restricting registry access via RBAC and service accounts only controls who can push or pull images, not whether the image itself is authentic; an authorized account could still push a tampered image. Option C is wrong because network policies limit traffic to the registry endpoint but do not protect against image tampering; an attacker who gains access to the registry could still modify images without detection.

37
MCQ · hard

A CI/CD pipeline uses cosign attest to add an SBOM attestation to an image. Later, during deployment, which command verifies the attestation?

A. cosign verify --key cosign.pub myimage:latest
B. cosign attest --key cosign.key --predicate sbom.json myimage:latest
C. cosign verify-attestation --key cosign.pub myimage:latest
D. cosign download attestation myimage:latest
Answer: C

cosign verify-attestation is the command that verifies attestations.

Why this answer

cosign verify-attestation checks the attestation's signature against the public key and prints the in-toto statement. Pass the same --type used at attest time (for example --type spdxjson), since the default is custom. cosign verify only checks the image signature, not attestations, and cosign download attestation fetches the attestation without verifying it.
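The Cosign questions (4, 15, 28 and this one) are easier once you know where cosign puts what it produces: the signature for an image digest sha256:<hex> is stored as an OCI artifact tagged sha256-<hex>.sig in the image's own repository, attestations under .att and attached SBOMs under .sbom, unless COSIGN_REPOSITORY redirects them. When cosign verify reports no signatures, that tag is what you look for. The following is an added example, not code from the page or from Sigstore: it derives those tags from a reference, assembles the sign, attest and verify commands a CI job runs, and the commands for diagnosing a missing signature. Image name, key file names and the SBOM file name are assumptions.

```python
"""Cosign artifact layout and the commands around it (added example, not
Sigstore code). Assumes key-pair signing with cosign.key / cosign.pub."""
import subprocess
from typing import List, Tuple

DIGEST_HEX_LEN = 64


def split_ref(ref: str) -> Tuple[str, str]:
    """Return (repository without tag, digest). Refuses tag-only references:
    a tag can be re-pointed after signing, so sign and verify by digest."""
    if "@sha256:" not in ref:
        raise ValueError("reference must carry a digest (repo@sha256:...)")
    repo_and_tag, digest = ref.split("@", 1)
    last = repo_and_tag.rsplit("/", 1)[-1]  # avoid mistaking a registry port for a tag
    repo = repo_and_tag.rsplit(":", 1)[0] if ":" in last else repo_and_tag
    return repo, digest


def cosign_tag(ref: str, kind: str = "sig") -> str:
    """Tag under which cosign stores the artifact of the given kind (sig, att, sbom)."""
    repo, digest = split_ref(ref)
    hexpart = digest.split(":", 1)[1]
    if len(hexpart) != DIGEST_HEX_LEN or any(c not in "0123456789abcdef" for c in hexpart):
        raise ValueError("malformed sha256 digest")
    return f"{repo}:sha256-{hexpart}.{kind}"


def pipeline(ref: str, key: str = "cosign.key", pub: str = "cosign.pub",
             sbom: str = "sbom.spdx.json") -> List[List[str]]:
    """Commands a CI job runs after pushing the image: SBOM, signature,
    SBOM attestation, then the two verification steps a deploy job repeats."""
    return [
        ["syft", ref, "-o", f"spdx-json={sbom}"],
        ["cosign", "sign", "--key", key, ref],
        ["cosign", "attest", "--key", key, "--type", "spdxjson", "--predicate", sbom, ref],
        ["cosign", "verify", "--key", pub, ref],
        ["cosign", "verify-attestation", "--key", pub, "--type", "spdxjson", ref],
    ]


def diagnose(ref: str) -> List[List[str]]:
    """What to run when verify says no signatures were found: list what cosign
    sees attached to the digest, then list the repository's tags directly."""
    return [["cosign", "tree", ref], ["crane", "ls", split_ref(ref)[0]]]


def run(cmds: List[List[str]]) -> None:
    for cmd in cmds:
        subprocess.run(cmd, check=True)  # stop at the first failing step


if __name__ == "__main__":
    image = "registry.example.com/team/app@sha256:" + "f" * 64  # placeholder digest
    print("signature tag:  ", cosign_tag(image))
    print("attestation tag:", cosign_tag(image, "att"))
    for cmd in pipeline(image) + diagnose(image):
        print(" ".join(cmd))
```

If crane ls shows no sha256-<hex>.sig tag, the signing step never pushed (question 15); if the tag exists but verify still fails, the key or identity does not match and cosign reports a verification failure rather than a missing signature. For keyless signing, replace --key cosign.pub in the verify commands with --certificate-identity and --certificate-oidc-issuer, which pin who is allowed to have signed.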

38
MCQ · easy

Which tool is used to generate a Software Bill of Materials (SBOM) for a container image?

A. Syft
B. Kubesec
C. Checkov
D. Trivy
Answer: A

Syft is a CLI tool that generates SBOMs for container images and filesystems.

Why this answer

Syft is designed specifically for generating SBOMs from container images and filesystems; Kubesec and Checkov analyze configuration, and Trivy is first a vulnerability scanner.

39
MCQ · medium

An administrator runs `kubectl run nginx --image=nginx:latest` and the pod remains in ImagePullBackOff. The cluster uses containerd as the container runtime. What is the most likely cause?

A. The image tag 'latest' is not recommended
B. The container runtime is not configured correctly
C. The image name is misspelled
D. The cluster does not have authentication to pull from Docker Hub
Answer: D

nginx is on Docker Hub; anonymous pulls are rate-limited there, and a cluster without credentials (or one whose nodes reach Docker Hub through a proxy or mirror that requires them) fails to pull.

Why this answer

ImagePullBackOff means the kubelet's pull attempts keep failing and it is backing off. Of the options, only D describes a pull failure: 'latest' is discouraged but pulls fine, a containerd misconfiguration would affect every image and usually surface as a runtime error, and nginx is spelled correctly. Configure an imagePullSecret for Docker Hub (or point the nodes at an authenticated mirror) and read the exact reason from the event text in kubectl describe pod before fixing anything.

40
MCQ · hard

A pod is stuck in Pending state. 'kubectl describe pod' shows '0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/control-plane: }, that the pod didn't tolerate.' The pod does not specify any tolerations. What is the most likely cause?

A. The pod's image pull secret is missing
B. The pod uses an untrusted image that was rejected by an admission webhook
C. The pod's resource requests exceed the available node capacity
D. The cluster only has control-plane nodes and the pod does not tolerate the control-plane taint
Answer: D

Control-plane nodes carry a taint that keeps regular pods off them. With no worker nodes, the pod remains Pending.

Why this answer

The scheduler message names the taint explicitly: the only node is a control-plane node and the pod has no matching toleration. The pod must either tolerate node-role.kubernetes.io/control-plane or be scheduled to a worker node without that taint. An image pull problem or an admission rejection would show different events, and a capacity problem is reported as insufficient cpu or memory.

41
MCQ · hard

A cluster administrator wants to allow only images from a specific registry (e.g., 'myregistry.io') to be deployed in the cluster. Which tool can be used to enforce this via admission control?

A. OPA/Gatekeeper
B. Helm
C. Calico
D. Prometheus
Answer: A

OPA/Gatekeeper can restrict image registries with a ConstraintTemplate and a Constraint.

Why this answer

OPA/Gatekeeper runs as a validating admission webhook; a ConstraintTemplate written in Rego checks each container image against the allowed registry and a Constraint applies it. Helm packages applications, Calico provides networking and NetworkPolicy, and Prometheus collects metrics; none of them participates in admission.

42
Multi-Select · medium

Which TWO of the following are tools for image signing and verification? (Select TWO)

Select 2 answers
A. Cosign
B. Trivy
C. kubesec
D. Syft
E. Notary
Answers: A, E

Cosign supports signing and verification of container images.

Why this answer

Cosign (Sigstore) and Notary (the signing framework behind Docker Content Trust) both sign and verify images. Trivy scans for vulnerabilities, Syft generates SBOMs, and kubesec analyzes manifests.

43
MCQ · medium

A DevOps engineer wants to ensure that a container image is signed and the signature is verified before deployment. Which Cosign command verifies an image signature?

A. cosign sign
B. cosign check
C. cosign verify
D. cosign attest
Answer: C

cosign verify checks the signature of a signed image.

Why this answer

cosign verify is the command that verifies an image signature. cosign sign and cosign attest create signatures and attestations, and cosign check is not a Cosign subcommand.

44
Multi-Select · hard

Which TWO of the following are correct methods to verify a signed container image using Cosign?

Select 2 answers
A. cosign verify --fulcio-url https://fulcio.example.com myimage:latest
B. cosign verify myimage:latest
C. cosign sign --key privkey.pem myimage:latest
D. cosign verify --insecure-ignore-sigs myimage:latest
E. cosign verify --key pubkey.pem myimage:latest
Answers: A, E

Option A represents keyless verification against a Fulcio instance; option E verifies against a public key.

Why this answer

cosign verify needs to know what to trust: either a public key (--key) or a keyless identity issued by Fulcio. A bare cosign verify with no trust anchor is rejected. Option C signs rather than verifies, and an option that ignores signatures cannot be a verification. In Cosign v2, keyless verification additionally requires --certificate-identity and --certificate-oidc-issuer, because pointing at a Fulcio instance alone does not say who is allowed to have signed the image.

45
Multi-Select · hard

Which THREE of the following are best practices for securing the software supply chain in Kubernetes?

Select 3 answers
A. Run containers as root to avoid permission issues
B. Sign container images and verify signatures in the CI/CD pipeline
C. Use admission controllers like OPA/Gatekeeper to enforce image policies
D. Use mutable tags like 'latest' for easier updates
E. Scan container images for known vulnerabilities before deployment
Answers: B, C, E

Signing ensures image integrity and authenticity.

Why this answer

Scanning images for vulnerabilities, signing and verifying them, and enforcing policy at admission are the key practices. Running as root widens the impact of a compromise, and mutable tags make it impossible to know which content actually ran.

46
MCQ · medium

Which of the following is a best practice for securing container images?

A. Hardcode passwords in Dockerfile as environment variables for convenience
B. Use minimal base images like distroless or Alpine
C. Use the latest tag for base images to get the newest features
D. Run containers as root to simplify permission management
Answer: B

Minimal images reduce the attack surface and the number of vulnerabilities.

Why this answer

Option B is correct. Distroless and Alpine base images ship far fewer packages, which means fewer CVEs and fewer tools for an intruder; distroless goes further than Alpine by omitting the shell and package manager entirely. Options A, C and D are insecure practices.

47
MCQ · hard

A cluster has the ImagePolicyWebhook admission controller enabled. A pod creation is denied with the message 'image policy check failed'. The webhook backend denies the request. Which of the following could be a valid reason?

A. The image is not signed by a trusted authority
B. The container runtime is out of date
C. The image tag does not exist in the registry
D. The pod specification has a hostNetwork: true
Answer: A

The webhook backend can be configured to require signatures; if one is missing, the pod is denied.

Why this answer

ImagePolicyWebhook denies the pod whenever the external backend returns allowed: false, and a backend that requires a trusted signature returns exactly that for an unsigned image. The runtime version and hostNetwork are not part of the ImageReview, and a missing tag is detected at pull time by the kubelet, after admission.

48
Multi-Select · medium

Which two of the following are best practices for container image security? (Select TWO.)

Select 2 answers
A. Maximize the number of layers to improve caching
B. Run containers as a non-root user
C. Use pinned SHA digests for base images
D. Use the 'latest' tag for flexibility
E. Use old base images to avoid breaking changes
Answers: B, C

Non-root users limit the impact of a container compromise.

Why this answer

Options B and C are correct. A digest-pinned base image is immutable and reproducible, and a non-root user limits what a compromised process can do.

Option D is wrong because 'latest' can point to different content on every build. Option A is wrong because extra layers do not reduce risk; a file deleted in a later layer still exists in the earlier one, so secrets or tools "removed" that way remain in the image. Option E is wrong because base images should be kept up to date to pick up CVE fixes.

49
MCQmedium

A CI pipeline uses 'checkov' to scan Kubernetes manifests. Which of the following is a common checkov check related to supply chain security?

A.CKV_K8S_2: Ensure that the container has a read-only root filesystem
B.CKV_K8S_4: Ensure that the container uses a non-root user
C.CKV_K8S_3: Ensure that the image is signed
D.CKV_K8S_1: Pod Security Policy
AnswerC

Checkov runs a catalogue of numbered Kubernetes checks against manifests, and the page presents option C as the supply-chain-related one.

Why this answer

Checkov's Kubernetes checks cover hardening of the workload spec and of how images are referenced. Before citing a check ID in a pipeline or a report, confirm it against `checkov --list` or the Checkov documentation; the numbering shown in these options does not match the descriptions Checkov publishes for those IDs, and the IDs are what a CI gate keys on.

50
MCQeasy

Which of the following is a best practice when writing a Dockerfile for a containerized application?

A.Run the application as the root user for file permissions
B.Use a minimal base image such as distroless or alpine
C.Hardcode credentials in the Dockerfile for convenience
D.Use the latest tag for the base image to get the newest features
AnswerB

Minimal images reduce the number of packages and potential vulnerabilities.

Why this answer

Using a minimal base image reduces the attack surface. The other options are not best practices.

51
Multi-Selecthard

Which TWO practices improve supply chain security for container images? (Select two.)

Select 2 answers
A.Scanning images for CVEs before deployment
B.Storing secrets in the Dockerfile
C.Signing images with Cosign
D.Using the 'latest' tag for easy updates
E.Running containers as root
AnswersA, C

Scanning detects known vulnerabilities and reduces risk.

Why this answer

Using signed images and scanning for vulnerabilities are key supply chain security practices. Options A and C are correct.

52
MCQmedium

An administrator wants to perform static analysis on Kubernetes manifest files to find security misconfigurations. Which tool is specifically designed for this?

A.Trivy
B.Cosign
C.Kubesec
D.Syft
AnswerC

Kubesec is a static analysis tool that evaluates Kubernetes YAML files against security best practices.

Why this answer

Kubesec is a static analysis tool built specifically for Kubernetes resources: it scores a manifest against security best practices and reports what to fix. Checkov and similar tools also cover Kubernetes but span many other formats (Terraform, CloudFormation, Dockerfiles), so Kubesec is the answer when the question asks for the tool designed for this. Trivy scans images and filesystems, Cosign signs, and Syft produces SBOMs.

53
MCQeasy

Which of the following is a recommended Dockerfile best practice to improve container security?

A.Hardcode secrets in environment variables in the Dockerfile
B.Run the container as root to simplify permission management
C.Use a non-root user with USER directive
D.Copy the entire host filesystem into the image
AnswerC

Non-root user minimizes privileges.

Why this answer

Using a non-root user limits the privileges within the container, reducing the impact of a compromise.

54
MCQhard

A security engineer wants to enforce that all images in the cluster must come from a trusted registry 'trusted-registry.io'. They are using OPA/Gatekeeper. Which constraint template and constraint combination would achieve this?

A.A constraint template that checks 'spec.containers[*].image' contains 'trusted-registry.io' and a constraint that denies if it does.
B.A constraint template that allows all images and a constraint that audits violations.
C.A constraint template that checks 'spec.containers[*].image' starts with 'trusted-registry.io/' and a constraint that denies if it does not.
D.A constraint template that checks 'spec.containers[*].image' equals 'trusted-registry.io' and a constraint that denies if it does not.
AnswerC

This correctly validates that every container image originates from the trusted registry.

Why this answer

A Gatekeeper constraint template that validates image registries against an allowed list is appropriate. The other options either allow any registry or use incorrect logic.

55
MCQeasy

A developer wants to sign a container image using Cosign. Which command should they run after building and pushing the image to a registry?

A.cosign sign myrepo/myapp:latest
B.cosign verify myrepo/myapp:latest
C.cosign attest myrepo/myapp:latest
D.cosign generate-key-pair
AnswerA

cosign sign creates a signature for the specified image.

Why this answer

The cosign sign command signs a container image and generates a signature. The other options are incorrect commands or actions.

56
MCQmedium

An administrator wants to ensure that only images from a specific registry (e.g., myregistry.internal) can run in the cluster. Which tool can be used to enforce this via admission control?

A.Cosign
B.Notary
C.Trivy
D.OPA/Gatekeeper
AnswerD

OPA/Gatekeeper can enforce admission policies, such as restricting images to trusted registries.

Why this answer

OPA/Gatekeeper can enforce policies that restrict allowed registries. Trivy scans images but doesn't enforce policies. Cosign signs images.

Kyverno can also enforce policies, but OPA/Gatekeeper is a common choice for registry allowlisting.

57
MCQmedium

An admin wants to scan a local filesystem for vulnerabilities using Trivy. Which command should they use?

A.trivy image
B.trivy config
C.trivy fs
D.trivy repo
AnswerC

trivy fs scans a filesystem for vulnerabilities.

Why this answer

`trivy fs` is the command to scan a filesystem for vulnerabilities, including configuration files and source code.

58
MCQmedium

You need to ensure that all containers in your cluster run with a read-only root filesystem. Which field should be set in the container's security context?

A.readOnlyRootFilesystem: true
B.allowPrivilegeEscalation: false
C.capabilities.drop: ['ALL']
D.runAsNonRoot: true
AnswerA

Setting readOnlyRootFilesystem to true mounts the container's root filesystem as read-only, preventing writes.

Why this answer

Option A is correct. 'readOnlyRootFilesystem: true' in the container's securityContext mounts the image's root filesystem read-only, so a compromised process cannot drop tools or tamper with binaries in the image. Option D (runAsNonRoot) makes the kubelet refuse to start a container that would run as UID 0. Option C drops Linux capabilities.

Option B (allowPrivilegeEscalation: false) prevents the process from gaining more privileges than its parent, for example through setuid binaries. All four belong together in a hardened container spec, but only option A answers the question asked. Expect applications that write to /tmp or a cache directory to fail under a read-only root filesystem until those paths are backed by a volume such as an emptyDir.
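
As an added example (not taken from the page), here is a Pod spec that sets the field the question asks about together with the three other fields from the options, and handles the usual failure mode of a read-only root filesystem by giving the process writable scratch space. The image name, UID, and volume name are placeholders I chose for the example.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
spec:
  securityContext:
    runAsUser: 10001             # a concrete non-root UID so runAsNonRoot has something to verify
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: trusted-registry.io/team/app:1.4.2   # placeholder; pin by digest in production
      securityContext:
        readOnlyRootFilesystem: true      # the field the question asks for: no writes to image layers
        runAsNonRoot: true                # kubelet refuses to start the container if it would run as UID 0
        allowPrivilegeEscalation: false   # setuid binaries and similar cannot gain extra privileges
        capabilities:
          drop: ["ALL"]                   # start from zero capabilities; add back only what is required
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # scratch space the process can still write to
  volumes:
    - name: tmp
      emptyDir: {}
```

With only readOnlyRootFilesystem set, an application that writes a PID file or cache under /tmp crashes on start with a read-only filesystem error; the emptyDir mount above is what lets the hardened setting coexist with such applications. Mount a separate emptyDir for each path the process needs rather than relaxing the root filesystem.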

59
MCQhard

You are a security engineer at a fintech startup. The company runs a Kubernetes cluster in production with hundreds of microservices. Recently, a container image from a public registry was compromised, and the attacker injected a backdoor that exfiltrated customer data. The CISO mandates that all images must come from an internal registry that only stores approved, scanned, and signed images. Currently, developers build images locally and push them to Docker Hub, then reference those images in Kubernetes manifests. You have deployed Harbor as a private registry with vulnerability scanning and Cosign for signing. However, you notice that some pods are still running images directly from Docker Hub. You need to enforce that only images from your internal Harbor registry can be used in the cluster. You cannot change the Kubernetes manifests immediately because of a large backlog. You have access to the cluster's kubelet configuration and can modify cluster-level components. Which single action will most effectively block any pod that tries to use an image not hosted on your internal registry?

A.Enforce a PodSecurityStandard that restricts containers from running with root privileges.
B.Apply a Kubernetes NetworkPolicy that blocks egress traffic from nodes to Docker Hub.
C.Configure the containerd configuration on each node to use Harbor as a mirror for all registries and set endpoint to Harbor only, disabling direct pull from public registries.
D.Deploy an admission webhook (e.g., OPA/Gatekeeper) that denies pods whose image registry is not the internal Harbor.
AnswerC

This forces all image pulls to go through Harbor, and if the image is not cached or allowed, the pull fails.

Why this answer

Option C is correct because pointing containerd's registry configuration at Harbor for every registry (including the implicit docker.io) makes the container runtime resolve each pull through Harbor. A manifest that still names a Docker Hub image is pulled via Harbor, and if Harbor does not serve that image the pull fails with ImagePullBackOff. The control sits below the API server, so it applies to every node and every pull regardless of when the pod was admitted, and it needs no changes to the manifest backlog. Two checks before relying on it: images already present in a node's image store are not re-pulled (imagePullPolicy: IfNotPresent), so existing copies must be pruned; and if Harbor is configured as a proxy cache it fetches unapproved upstream images on demand, so the mirrored projects must be curated ones, or Harbor's own pull-time controls (blocking vulnerable or unsigned artifacts) must be enabled.

Exam trap

Candidates usually reach for an admission webhook because registry allowlisting is the textbook admission-control use case, and option D does work for new pods without touching manifests. The distinction the question tests is scope: admission control only sees requests as they reach the API server, while runtime configuration governs every image pull on every node, including pods admitted before the policy existed and anything that reaches the runtime without passing through admission. When the question asks for the single action that blocks every pull from outside the trusted registry, the runtime-level control is the broader one.

How to eliminate wrong answers

Option A is wrong because Pod Security Standards constrain the security context (privileges, host namespaces, capabilities), not where an image comes from. Option B is wrong because NetworkPolicy selects pods and governs pod traffic; image pulls are made by containerd from the node's own network namespace and are not subject to NetworkPolicy at all, and even a node-level firewall rule would cover only the one registry named. Option D is a legitimate control and requires no manifest changes, but it is evaluated only at admission time: pods already in the cluster keep running and re-pull their Docker Hub images on restart (Gatekeeper's audit reports them but does not evict them), and it validates the image string in the manifest rather than what the runtime actually fetches. The runtime configuration in option C closes those gaps, which is why it is the intended answer here.

60
MCQmedium

You need to generate an SBOM for a container image. Which command should you use?

A.cosign sbom <image>
B.trivy sbom <image>
C.syft <image>
D.kubectl sbom <pod>
AnswerC

Syft generates a software bill of materials for the given image.

Why this answer

Syft generates SBOMs from container images, so option C is correct. Option B is a near miss worth knowing: `trivy sbom` scans an SBOM file you already have; to make Trivy produce one you run `trivy image --format cyclonedx` (or `--format spdx-json`) instead. kubectl has no sbom subcommand, and cosign attaches or attests an SBOM to an image rather than creating one.

61
MCQmedium

A security team wants to automatically reject any Pod that uses an image tagged with 'latest'. Which tool can be used to define this policy at the admission level?

A.ResourceQuota
B.NetworkPolicy
C.PodSecurityPolicy (PSP)
D.OPA/Gatekeeper
AnswerD

OPA/Gatekeeper allows you to create custom admission policies, such as rejecting images with the 'latest' tag.

Why this answer

Option D is correct. OPA/Gatekeeper evaluates Pod specs at admission time with Rego constraints that can inspect each image reference and reject a ':latest' suffix or a reference with no tag at all (which defaults to latest). Option C (PodSecurityPolicy) only ever governed security-context settings and was removed in Kubernetes 1.25.

Option B (NetworkPolicy) controls network traffic and option A (ResourceQuota) limits aggregate resource usage in a namespace; neither inspects images.

62
Multi-Selecthard

Which three of the following are valid ways to enforce supply chain security in a Kubernetes cluster? (Select THREE.)

Select 3 answers
A.Use Cosign to sign images and configure verification in the cluster
B.Configure ImagePolicyWebhook to reject images from untrusted registries
C.Use ResourceQuota to limit the number of images that can be pulled
D.Use NetworkPolicy to block egress traffic to unknown registries
E.Use OPA/Gatekeeper to enforce that container images come from an allowed list of registries
AnswersA, B, E

Cosign provides image signing and verification capabilities.

Why this answer

Options A, B, and E are correct. Cosign signs images, and a policy engine (Kyverno, Gatekeeper, or a custom ImagePolicyWebhook backend) verifies the signatures at admission. ImagePolicyWebhook defers image admission decisions to an external service that can reject untrusted registries. OPA/Gatekeeper constraints can allowlist registries.

Option C is wrong because ResourceQuota limits resource consumption, not image sources. Option D is wrong because NetworkPolicy governs pod traffic, not image pulls, which the kubelet and container runtime perform from the node and outside any pod's network policy.

63
Multi-Selecthard

Which THREE of the following are correct statements about Kubernetes admission controllers in the context of supply chain security? (Select 3)

Select 3 answers
A.Admission controllers are executed in a specific order that can affect the final state of the resource
B.ValidatingAdmissionWebhook can be used to enforce policies like requiring all images to be signed
C.MutatingAdmissionWebhook can only modify pods, not other resources
D.ImagePolicyWebhook is used to validate container images against an external policy
E.OPA/Gatekeeper uses MutatingAdmissionWebhook to enforce policies
AnswersA, B, D

The order of admission controllers can impact the final resource, especially when mutating and validating are mixed.

Why this answer

Admission plugins run in a fixed order, with all mutating admission (including MutatingAdmissionWebhook) before validating admission, so a mutation can change what a later validator sees (A). A ValidatingAdmissionWebhook receives the full object and can reject it on any rule, including a signature requirement implemented by its backend (B). ImagePolicyWebhook is the built-in plugin that defers image admission decisions to an external service (D). Option C is wrong because a mutating webhook can be registered for any resource kind, not only Pods. Option E is wrong because Gatekeeper enforces its constraints through a ValidatingAdmissionWebhook; its mutation support is a separate, optional feature.

64
MCQmedium

A security team wants to ensure that only signed images are deployed in the cluster. They have set up an ImagePolicyWebhook admission controller. After configuring the webhook, they notice that pods with unsigned images are still being created. What is the most likely cause?

A.The ImagePolicyWebhook is failing open due to a misconfigured failure policy
B.The container runtime does not support image signing
C.The images are signed but the signature is invalid
D.The ImagePolicyWebhook is not enabled in the kube-apiserver configuration
AnswerD

The ImagePolicyWebhook plugin must be turned on with the kube-apiserver --enable-admission-plugins flag and given its settings through --admission-control-config-file. If it is not enabled, it is never invoked and every pod passes.

Why this answer

ImagePolicyWebhook is compiled into the API server but delegates the decision to an external backend, so two things must be in place: the plugin must be enabled, and its admission configuration must point at a reachable backend. If the backend is unreachable or returns an error, the plugin falls back to the defaultAllow setting in that configuration, so a fail-open configuration (option A) is the next thing to check once the plugin is confirmed enabled. Option B is irrelevant because the container runtime plays no part in admission, and option C would produce denials rather than unsigned pods being admitted.

65
MCQmedium

You run 'trivy image myapp:latest' and the scan reports several critical CVEs. What is the best action to take?

A.Use kubectl delete pod to remove the running container
B.Delete the image from the registry
C.Rebuild the image with updated base images and re-deploy
D.Ignore the CVEs because the image is running in a non-production environment
AnswerC

Rebuilding with patched base images resolves the vulnerabilities.

Why this answer

Rebuild from an updated base image (and bump the vulnerable application dependencies) so the fix ships as a new image digest, then redeploy; deleting a pod (A) brings back the same image, and deleting the image from the registry (B) breaks running workloads without fixing anything. Option C is correct. In CI the same scan can gate the build: `trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:latest` returns non-zero while findings at those severities remain.

66
MCQmedium

An administrator runs 'trivy image myapp:1.0' and receives an output with several CRITICAL vulnerabilities. What is the best next step to ensure the image is secure before deployment?

A.Delete the image entirely and do not deploy
B.Rebuild the image using updated base images and fix the identified vulnerabilities
C.Deploy the image anyway because vulnerabilities are common
D.Ignore the output and re-run the scan
AnswerB

Rebuilding with patches remediates vulnerabilities.

Why this answer

Rebuilding the image with updated base layers and patched dependencies is the action that removes the vulnerabilities the scan found. Re-scan the rebuilt image before deploying it; a rebuild on a base image that has not yet shipped a fix for a given CVE leaves that finding in place, and the scan tells you so.

67
MCQmedium

A DevOps engineer wants to enforce that all container images running in the cluster are signed using Cosign. Which Kubernetes admission controller is designed for this purpose?

A.MutatingAdmissionWebhook
B.ImagePolicyWebhook
C.PodSecurityPolicy (deprecated)
D.ValidatingAdmissionWebhook
AnswerB

ImagePolicyWebhook is the built-in admission plugin that hands image admission decisions to an external service, which can verify Cosign signatures.

Why this answer

The page presents ImagePolicyWebhook as the answer because it is the admission controller dedicated to images: the API server asks an external backend whether each image may be admitted, and that backend can run the Cosign verification. Kubernetes performs no signature check itself. In practice most clusters verify Cosign signatures with Kyverno or a Gatekeeper-style engine, which register as a ValidatingAdmissionWebhook (option D), so expect the exam to want ImagePolicyWebhook when it asks for the dedicated image plugin and a policy engine when it names the tool. Option A mutates objects, and option C has been removed from Kubernetes.

68
MCQeasy

Which command would you use to sign a container image with Cosign?

A.cosign push <image>
B.cosign verify <image>
C.cosign attest <image>
D.cosign sign <image>
AnswerD

Cosign sign signs the specified container image.

Why this answer

cosign sign signs an image and pushes the signature to the registry alongside it, so option D is correct. cosign verify checks an existing signature, cosign attest attaches a signed attestation (such as an SBOM or provenance) rather than a plain signature, and cosign has no push subcommand.

69
Multi-Selecthard

Which THREE of the following can be used to enforce policies on container images in a Kubernetes cluster? (Select 3)

Select 3 answers
A.Kyverno
B.ImagePolicyWebhook
C.Trivy
D.OPA/Gatekeeper
E.kubectl
AnswersA, B, D

Kyverno can enforce policies on images, such as allowed registries.

Why this answer

OPA/Gatekeeper, Kyverno, and ImagePolicyWebhook are all tools that can enforce image policies such as allowed registries, signatures, or other criteria.

70
MCQmedium

What is the purpose of an SBOM (Software Bill of Materials) in the context of supply chain security?

A.To sign container images
B.To scan images for vulnerabilities
C.To provide a list of all software components and dependencies in an artifact
D.To enforce runtime security policies
AnswerC

SBOM provides transparency into the components used.

Why this answer

An SBOM lists every component in an artifact with its version, which lets you map a newly published CVE to the images that contain the affected package without re-scanning them, and answer compliance questions about what you ship. Option C is correct; signing (A), scanning (B), and runtime policy (D) consume or complement an SBOM but are not what it is.

71
MCQmedium

A security policy requires that all container images must be signed using Cosign. Which admission controller enforces signature verification at pod creation time?

A.ImagePolicyWebhook
B.MutatingAdmissionWebhook
C.ValidatingAdmissionWebhook
D.ResourceQuota
AnswerA

ImagePolicyWebhook is the built-in admission controller dedicated to image decisions; the external service it calls is where signature verification happens.

Why this answer

The ImagePolicyWebhook admission controller sends every image reference in a pod to an external webhook and admits or denies the pod on that answer, so signature policy enforced through it takes effect at pod creation time. A MutatingAdmissionWebhook (B) changes objects, a ValidatingAdmissionWebhook (C) is the generic mechanism that tools such as Kyverno use for the same purpose, and ResourceQuota (D) has nothing to do with images. The question asks for the controller dedicated to image policy, which is option A.

72
MCQmedium

You need to sign a container image using cosign with a key stored in an environment variable. Which command should you use?

A.cosign sign myimage:latest --key cosign.pub
B.cosign sign --key env://COSIGN_PRIVATE_KEY myimage:latest
C.cosign sign --key $COSIGN_PRIVATE_KEY myimage:latest
D.cosign sign --key file://cosign.key myimage:latest
AnswerB

This is the correct syntax to use a key from an environment variable.

Why this answer

cosign sign with --key env://VAR reads the private key from the named environment variable, so the key never has to be written to disk in CI. Option C would expand the variable on the command line, exposing the key material in shell history and process listings; option A names the public key, which cannot sign; option D is a file reference, not the environment variable the question asks for. Set COSIGN_PASSWORD the same way to avoid the interactive passphrase prompt in a non-interactive pipeline.

73
MCQeasy

What does SBOM stand for in the context of supply chain security?

A.Software Bill of Materials
B.Systematic Bug and Oversight Manager
C.Secure Build Orchestration Manager
D.Source Binary Object Model
AnswerA

SBOM stands for Software Bill of Materials.

Why this answer

SBOM is a Software Bill of Materials, a detailed list of components, dependencies, and metadata used in a software artifact.

74
MCQmedium

An administrator wants to ensure that a Deployment uses a specific image digest (SHA256) instead of a tag. Which field in the Deployment YAML should be modified?

A.spec.replicas
B.spec.template.spec.containers[].imagePullPolicy
C.spec.template.spec.containers[].image
D.spec.template.metadata.annotations
AnswerC

The image field can be set to an image reference with a digest (e.g., 'image@sha256:...') instead of a tag.

Why this answer

The image reference lives in the container's image field, and the digest is written in place of the tag, e.g. 'nginx@sha256:abc123...'. A reference may carry both a tag and a digest ('nginx:1.25@sha256:...'); the runtime then resolves by digest and the tag is informational only. The other fields do not identify the image: imagePullPolicy only decides whether a pull is attempted, and a tag is re-resolved on every pull unless the reference is pinned.

75
MCQhard

An organization wants to implement supply chain security by signing all container images and verifying them before deployment. Which combination of tools is appropriate?

A.Snyk and OPA
B.Cosign and Kyverno
C.Trivy and Syft
D.Clair and Notary
AnswerB

Cosign signs and verifies images, and Kyverno can enforce admission policies to require signatures.

Why this answer

Cosign signs and verifies images; Kyverno (or OPA/Gatekeeper) enforces the verification at admission, so option B is the combination that covers both halves of the requirement.

Trivy and Syft scan images and produce SBOMs but sign nothing. Clair is a scanner and Notary (Docker Content Trust) signs images, but that pair provides no admission-time enforcement in the cluster on its own. Snyk is a scanner, and OPA by itself has no built-in signature verification.
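
As an added example (not from the page or the Kyverno project), here is a Kyverno ClusterPolicy that enforces Cosign signatures on images from the trusted registry named earlier on this page. The policy and rule names are mine, and the public key is a placeholder for the contents of the cosign.pub file produced by cosign generate-key-pair.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-cosign-signature
spec:
  validationFailureAction: Enforce   # deny unsigned images rather than only reporting them
  background: false                  # verifyImages rules run at admission, not in background scans
  webhookTimeoutSeconds: 30          # signature lookups talk to the registry; allow time for them
  rules:
    - name: verify-trusted-registry-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "trusted-registry.io/*"   # images outside this pattern are not checked by this rule
          required: true                # a matching image with no valid signature is denied
          mutateDigest: true            # rewrite the admitted image reference to its digest
          verifyDigest: true            # refuse references that cannot be resolved to a digest
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER: paste the contents of cosign.pub here
                      -----END PUBLIC KEY-----
```

Because mutateDigest is on, an admitted Pod ends up with an image@sha256:... reference even if the manifest used a tag, which gives you the digest pinning from the Deployment question without editing manifests. Images from other registries pass this rule untouched, so pair it with a registry allowlist if the intent is that nothing unsigned runs at all. If the images were signed with cosign --tlog-upload=false, the Rekor lookup Kyverno performs by default must be disabled on the key entry (keys.rekor.ignoreTlog: true), otherwise verification fails for a correctly signed image.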
