CCNA Cks Supply Chain Questions

40 of 190 questions · Page 3/3 · Cks Supply Chain topic · Answers revealed

151
MCQmedium

An administrator wants to verify that an image was signed by a specific key before deploying. Which Cosign command should be used?

A.cosign verify --key mykey.pub myimage
B.cosign sign --key mykey.pub myimage
C.cosign download myimage
D.cosign attest --predicate mypredicate myimage
AnswerA

This verifies the image signature using the public key.

Why this answer

The 'cosign verify' command checks the signature against a public key and verifies the image.

152
MCQeasy

A DevOps team wants to ensure that only signed images from a trusted registry are deployed in the cluster. They plan to use a webhook to intercept pod creation. Which tool is best suited for this task?

A.kubectl with --validate flag
B.Helm with signed charts
C.etcd with encryption at rest
D.Kyverno with a verifyImages rule
E.Prometheus with alerting rules
AnswerD

Kyverno supports image signature verification via cosign.

Why this answer

Kyverno is a Kubernetes-native policy engine that can enforce image signature verification via its `verifyImages` rule. It intercepts pod creation through a dynamic admission webhook, checking that container images are signed with a trusted key (e.g., using Sigstore/Cosign) before the pod is admitted. This directly meets the requirement to only allow signed images from a trusted registry.

Exam trap

The trap here is that candidates confuse Helm chart signing (which verifies chart provenance) with container image signing, leading them to select Option B, even though Helm does not verify the images inside the chart at pod creation time.

How to eliminate wrong answers

Option A is wrong because `kubectl --validate` only performs client-side schema validation on the manifest, not image signature verification. Option B is wrong because Helm with signed charts ensures the Helm chart itself is signed, but does not verify the container images referenced within the chart at deployment time. Option C is wrong because etcd encryption at rest protects data stored in etcd (e.g., Secrets) but does not intercept pod creation or verify image signatures.

Option E is wrong because Prometheus with alerting rules monitors metrics and triggers alerts, but cannot enforce admission control or block pod creation based on image signatures.

153
MCQeasy

Which tool is specifically designed to generate a Software Bill of Materials (SBOM) for container images?

A.Checkov
B.Cosign
C.Syft
D.Trivy
AnswerC

Syft is a CLI tool for generating SBOMs from container images and filesystems.

Why this answer

Syft is an open-source tool that generates SBOMs from container images and filesystems.

154
MCQhard

You are the lead security engineer for a large financial institution. The organization runs a Kubernetes cluster with 500+ microservices. The supply chain security team has implemented the following measures: (1) All images are built from a minimal base image (distroless) and scanned with Trivy before being pushed to a private registry. (2) Images are signed using cosign with a key stored in a hardware security module (HSM). (3) Kyverno policies enforce that only signed images from the private registry can run, and also enforce that containers run as non-root. (4) A binary authorization (binauthz) style admission controller verifies attestations. Recently, a critical vulnerability (CVE-2024-0001) was discovered in a popular open-source library used by several microservices. The library is included as a dependency in the base image. The vulnerability is remotely exploitable and has a CVSS score of 9.8. The security team needs to remediate this quickly. They have already patched the library and updated the base image. What is the BEST course of action to ensure all running pods use the new image?

A.Update the image tag in each Deployment's spec to point to the new patched image, then perform a rolling update. The admission controller will verify signatures and attestations for the new image.
B.SSH into each node, pull the new image, and use kubectl exec to update the library inside running containers.
C.Temporarily disable the admission controller that verifies signatures and then update the image tags.
D.Delete all running pods and let the ReplicaSets recreate them from the existing image.
AnswerA

This ensures all pods are updated with a verified, patched image in a controlled manner.

Why this answer

Option A is correct because updating the image tag in each Deployment triggers a rolling update, which creates new pods with the patched image. The admission controller (Kyverno) will verify the cosign signature and binary authorization attestation for the new image, ensuring supply chain security is maintained. This approach is the standard Kubernetes method for deploying image updates while preserving security controls.

Exam trap

CNCF often tests the misconception that manual intervention (SSH, exec) or disabling security controls is acceptable for urgent fixes, when in fact the correct path is to update the deployment manifest and let Kubernetes orchestrate the change while keeping all security checks active.

How to eliminate wrong answers

Option B is wrong because SSHing into nodes and using kubectl exec to update libraries inside running containers violates the immutable infrastructure principle; changes are ephemeral and lost on pod restart, and this bypasses admission controls, leaving pods unsigned and unverified. Option C is wrong because temporarily disabling the admission controller that verifies signatures creates a window where unsigned or malicious images could be deployed, undermining the entire supply chain security posture. Option D is wrong because deleting pods without updating the image tag causes ReplicaSets to recreate pods from the existing (vulnerable) image, failing to remediate the CVE.

155
MCQeasy

A developer runs 'trivy image myapp:latest' and gets a report with several CRITICAL CVEs. Which action would BEST address the supply chain security risk?

A.Ignore the report because the container is running in a sandboxed environment
B.Run 'trivy image myapp:latest --severity CRITICAL' to filter out lower severity findings
C.Rebuild the image using a minimal base image like distroless or alpine with no CVEs
D.Add a network policy to block outbound traffic from the container
AnswerC

Using a minimal base image reduces the attack surface and eliminates many CVEs.

Why this answer

The best practice is to rebuild the image using a minimal base image with no known vulnerabilities, reducing the attack surface.

156
MCQmedium

An administrator wants to ensure that only signed container images are deployed in the cluster. Which admission controller can be used to enforce this policy?

A.ServiceAccount
B.AlwaysPullImages
C.ImagePolicyWebhook
D.NodeRestriction
AnswerC

ImagePolicyWebhook allows an external webhook to validate images, such as verifying Cosign signatures.

Why this answer

The ImagePolicyWebhook admission controller allows external webhooks to validate image signatures before accepting a pod. It can be configured to reject unsigned images.

157
MCQhard

A CI pipeline fails with the error 'cosign: error: unable to verify image: no matching signatures' when running 'cosign verify --key pubkey.pem myregistry/myapp:latest'. The image was previously signed with a private key. What is the MOST likely cause?

A.The public key is incorrect
B.The registry requires authentication
C.Cosign is not installed correctly
D.The image tag was overwritten without signing
AnswerD

Overwriting a tag with a new, unsigned image removes the previous signature.

Why this answer

If the image tag was overwritten (e.g., pushed again without signing), the old signatures are lost and the new image is unsigned.

158
MCQmedium

Which command is used to sign a container image with Cosign and store the signature in an OCI registry?

A.cosign docker-sign myimage:latest
B.cosign verify --key cosign.pub myimage:latest
C.cosign sign --key cosign.key myimage:latest
D.cosign attach signature --key cosign.key myimage:latest
AnswerC

Correct command to sign an image.

Why this answer

The 'cosign sign' command signs the image and pushes the signature to the registry.

159
MCQmedium

A security admin wants to ensure that only images signed with a specific key can run in the cluster. Which admission controller should be enabled?

A.PodSecurityPolicy
B.MutatingAdmissionWebhook
C.ImagePolicyWebhook
D.ValidatingAdmissionWebhook
AnswerC

ImagePolicyWebhook allows an external webhook to validate images based on signatures.

Why this answer

ImagePolicyWebhook is the admission controller that can enforce policies based on image signatures. Option C is correct.

160
MCQeasy

Which of the following is a best practice for securing a Dockerfile?

A.Hardcode API keys as environment variables
B.Use a minimal base image like alpine
C.Run the container as root to avoid permission issues
D.Use the latest tag for all images
AnswerB

Minimal base images reduce the number of packages and potential vulnerabilities.

Why this answer

Using a minimal base image like alpine reduces the attack surface. Running as root (option A) is insecure. Hardcoding secrets (option C) is a bad practice.

Using latest tags (option D) can lead to unexpected changes; pinned versions are preferred.

161
MCQhard

An OPA/Gatekeeper constraint is configured to require all container images to be from a specific registry. A user creates a Pod with image 'gcr.io/myimage:v1'. Which admission controller will first reject this Pod?

A.PodSecurity
B.ImagePolicyWebhook
C.ValidatingAdmissionWebhook
D.MutatingAdmissionWebhook
AnswerC

Gatekeeper enforces constraints via ValidatingAdmissionWebhook, which runs after mutating webhooks.

Why this answer

Gatekeeper's validating webhook (part of ValidatingAdmissionWebhook) enforces constraints. The admission flow: MutatingAdmissionWebhooks run first, then ValidatingAdmissionWebhooks. Since OPA/Gatekeeper uses a ValidatingAdmissionWebhook, it runs after mutating webhooks but before the final validation.

162
MCQeasy

Which command would scan a Kubernetes Pod manifest for security issues?

A.checkov -f pod.yaml
B.trivy image pod.yaml
C.cosign verify pod.yaml
D.kubesec scan pod.yaml
AnswerD

Kubesec scans Kubernetes manifests for security issues.

Why this answer

Kubesec is a tool that scans Kubernetes resource manifests and provides security scores based on security best practices.

163
Multi-Selectmedium

Which TWO are recommended practices for securing a CI/CD pipeline that builds container images? (Select two.)

Select 2 answers
A.Run containers as root for compatibility
B.Scan images for vulnerabilities before pushing
C.Store secrets in the image as environment variables
D.Sign images after building
E.Use the 'latest' tag for simplicity
AnswersB, D

Scanning catches CVEs early.

Why this answer

Scanning images for vulnerabilities and signing images are key supply chain security practices.

164
MCQeasy

Which of the following is a best practice for securing container images in a Kubernetes environment?

A.Store secrets directly in the Dockerfile for convenience
B.Run containers as root to have full access to system resources
C.Use the latest tag for all base images to get the newest features
D.Use minimal base images such as distroless or Alpine to reduce attack surface
AnswerD

Minimal images reduce the number of packages and thus potential vulnerabilities.

Why this answer

Using minimal base images like distroless or Alpine reduces the attack surface by including only necessary packages. Option B is correct.

165
MCQhard

You are configuring an ImagePolicyWebhook admission controller to allow only images from a trusted registry 'trusted-registry.io'. Which flag must be set in the kube-apiserver configuration to enable the webhook?

A.--pod-security-policy
B.--admission-control-config-file
C.--image-policy-webhook-config
D.--enable-admission-plugins=ImagePolicyWebhook
AnswerB

This flag points to a file that contains the configuration for ImagePolicyWebhook and other admission plugins.

Why this answer

Option C is correct. The --admission-control-config-file flag points to a configuration file that specifies the image policy webhook and other admission plugins. Option A is not a valid flag.

Option B is for enabling the webhook but does not specify the configuration file. Option D is for the old PodSecurityPolicy.

166
MCQhard

A security team wants to generate an SBOM for a container image. Which tool should they use?

A.Clair
B.Trivy
C.Cosign
D.Syft
AnswerD

Syft is a tool designed to generate Software Bill of Materials (SBOM) from container images and filesystems.

Why this answer

Syft generates SBOMs for container images. Trivy and Clair are vulnerability scanners. Cosign is for signing.

Syft is specifically designed for SBOM generation.

167
MCQeasy

Which tool can generate an SBOM (Software Bill of Materials) from a container image?

A.syft
B.kubesec
C.trivy
D.checkov
AnswerA

Syft produces SBOMs in various formats (SPDX, CycloneDX) from container images.

Why this answer

Syft is a tool specifically designed to generate SBOMs from container images. Option A is correct.

168
MCQmedium

An administrator wants to ensure that only images from a trusted registry 'myregistry.io' can run in the cluster. Which admission controller should be configured?

A.NodeRestriction
B.MutatingAdmissionWebhook
C.ImagePolicyWebhook
D.PodSecurity
AnswerC

This admission controller calls a webhook to validate container images against a policy, e.g., allowlisting registries.

Why this answer

ImagePolicyWebhook allows you to configure an external webhook to validate images. OPA/Gatekeeper can also enforce registry allowlisting through constraint templates. However, ImagePolicyWebhook is the built-in admission controller specifically designed for image policy enforcement.

169
Multi-Selectmedium

Which THREE are valid admission controllers in Kubernetes? (Select three.)

Select 3 answers
A.ServiceAccount
B.NetworkPolicy
C.ImagePolicyWebhook
D.MutatingAdmissionWebhook
E.PodSecurity
AnswersC, D, E

It is an admission controller that validates images.

Why this answer

MutatingAdmissionWebhook, ImagePolicyWebhook, and PodSecurity are valid admission controllers. Options A, C, and E are correct.

170
MCQmedium

A CI/CD pipeline builds a Docker image and pushes it to a registry. To ensure supply chain security, the pipeline should scan the image for vulnerabilities before deployment. Which of the following is the correct command to scan a local Docker image using Trivy?

A.trivy fs --image myimage:latest
B.trivy image myimage:latest
C.trivy scan myimage:latest
D.trivy check myimage:latest
AnswerB

This command scans the specified container image for vulnerabilities.

Why this answer

The correct command to scan a local image with Trivy is 'trivy image <image-name>'. The other options are incorrect flags or commands.

171
MCQeasy

Which tool is commonly used to generate a Software Bill of Materials (SBOM) for a container image?

A.kubesec
B.syft
C.trivy
D.cosign
AnswerB

Syft is designed to generate SBOMs from container images and filesystems.

Why this answer

Option D is correct. Syft is a CLI tool that generates SBOMs for container images. Trivy is for vulnerability scanning.

Cosign is for signing. Kubesec is for manifest scanning.

172
MCQmedium

A security admin wants to ensure that all container images in a Kubernetes cluster are scanned for known vulnerabilities before being deployed. Which tool can be integrated into a CI/CD pipeline to scan container images for CVEs?

A.kubesec
B.Trivy
C.Helm
D.kubectl
AnswerB

Trivy is a popular open-source vulnerability scanner for container images, supporting multiple formats and databases.

Why this answer

Trivy is a comprehensive vulnerability scanner for container images, filesystems, and Git repositories. It can be integrated into CI/CD pipelines to scan images before deployment.

173
MCQhard

A cluster has both ImagePolicyWebhook and a mutating webhook that adds a sidecar. The admin notices that even when ImagePolicyWebhook rejects an image, the mutating webhook has already added the sidecar. What admission ordering issue is occurring?

A.Validating webhooks should run before mutating webhooks
B.Use a validating webhook instead of ImagePolicyWebhook
C.The mutating webhook should be configured to skip pods with certain images
D.The ImagePolicyWebhook should be placed before the mutating webhook in the webhook configuration
AnswerD

Reordering ensures the image policy is evaluated before any mutation.

Why this answer

Mutating webhooks run before validating webhooks. If a mutating webhook runs first, it may modify the pod spec, and the validation may see the modified version.

174
MCQhard

You want to allow only images from a specific registry (e.g., myregistry.io) to be deployed in your cluster. Which tool or approach is best suited for this requirement?

A.Use OPA/Gatekeeper to create a constraint that checks the image registry
B.Set up a NetworkPolicy to block traffic from other registries
C.Configure an ImagePolicyWebhook
D.Modify the kubelet configuration to only pull from a specific registry
AnswerA

Gatekeeper can enforce policies on images, including allowing only certain registries.

Why this answer

OPA/Gatekeeper can be used to create a ConstraintTemplate that validates image registries. Kyverno is another option, but Gatekeeper is specifically designed for policy enforcement.

175
MCQhard

An organization uses a private container registry and wants to ensure that only images built from a specific CI/CD pipeline are deployed. Which combination of measures provides the strongest guarantee?

A.Implement network policies to restrict egress from pods to the registry.
B.Grant registry write access only to the CI system's service account.
C.Use a static analysis tool to check the Dockerfile before building.
D.Use a unique registry path and restrict access via firewall rules.
E.Generate signed attestations with in-toto during the CI pipeline and verify them using an admission webhook like Kyverno.
AnswerE

Attestations provide non-repudiation and can be verified at admission time.

Why this answer

Option E is correct because it implements a complete chain of custody for container images. In-toto generates signed attestations that record every step of the CI/CD pipeline (e.g., source code checkout, build, test), and an admission webhook like Kyverno verifies these attestations before allowing a pod to run. This ensures that only images that passed the exact, attested pipeline are deployed, providing the strongest guarantee against unauthorized or tampered images.

Exam trap

CNCF often tests the distinction between access control measures (network policies, RBAC, firewalls) and cryptographic provenance verification; candidates mistakenly think restricting registry access or network egress is sufficient, but the exam emphasizes that only signed attestations with admission control can guarantee the image was built by the intended pipeline.

How to eliminate wrong answers

Option A is wrong because network policies restrict egress from pods to the registry, which controls runtime access but does not verify the provenance or integrity of the image itself; an attacker could still deploy a malicious image that was built outside the CI/CD pipeline. Option B is wrong because granting registry write access only to the CI system's service account prevents unauthorized pushes but does not prevent the CI system itself from being compromised or building images from untrusted sources; it lacks verification of the build process. Option C is wrong because static analysis of the Dockerfile checks for vulnerabilities or misconfigurations in the build instructions but does not provide any cryptographic proof that the resulting image was actually built from that Dockerfile in the approved pipeline.

Option D is wrong because using a unique registry path and firewall rules restricts network access but does not verify the image's supply chain; an attacker who gains access to the registry path could push arbitrary images.

176
Multi-Selectmedium

Which TWO of the following are valid methods to verify the integrity of a container image before deployment?

Select 2 answers
A.Run a vulnerability scan on the image
B.Use the latest tag to ensure the most recent version
C.Generate an SBOM for the image
D.Use the image digest (SHA256) instead of a tag
E.Verify the image signature using Cosign
AnswersD, E

Using the digest ensures that the exact image content is used, preventing tag mutability attacks.

Why this answer

Image signing with Cosign allows verification of the image's integrity and origin. Image digest ensures the exact image content is used. SBOM provides a list of components but does not verify integrity.

Vulnerability scanning identifies issues but does not verify integrity. Using latest tag does not provide integrity.

177
MCQmedium

An administrator applies the following Kyverno policy to the cluster. What is the effect of this policy? apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: require-non-root spec: validationFailureAction: enforce rules: - name: check-runAsNonRoot match: resources: kinds: - Pod validate: message: "Running as root is not allowed." pattern: spec: securityContext: runAsNonRoot: true

A.It allows Pods that run as root if they have a reason
B.It applies only to Pods in the default namespace
C.It denies all Pods that do not specify a security context
D.It only audits Pods and does not block them
AnswerC

The policy requires runAsNonRoot: true. If the security context is missing entirely, the field is not set, so the validation fails and the Pod is denied.

Why this answer

The policy enforces that all Pods must have 'runAsNonRoot: true' in their security context. If a Pod does not have this setting, it will be rejected (enforce mode).

178
MCQeasy

Which of the following is a static analysis tool for Kubernetes manifests that can identify security misconfigurations?

A.Clair
B.kubesec
C.OPA/Gatekeeper
D.Notary
AnswerB

kubesec performs static analysis of Kubernetes YAML files to identify security risks.

Why this answer

Option A is correct. kubesec is a tool that analyzes Kubernetes resource manifests for security issues. Clair is for image scanning. Notary is for image signing.

OPA/Gatekeeper is for admission control, not static analysis.

179
MCQhard

You are tasked with creating a Kubernetes admission controller that validates image signatures before allowing pods to run. Which admission controller should you configure?

A.ImagePolicyWebhook
B.MutatingAdmissionWebhook
C.ValidatingAdmissionWebhook
D.NodeRestriction
AnswerA

ImagePolicyWebhook is an admission controller specifically for image policy validation, often used with image signing.

Why this answer

ImagePolicyWebhook is the admission controller that can be configured to validate images against an external webhook, typically used for image signature verification.

180
Multi-Selectmedium

Which TWO of the following tools can be used to generate or analyze SBOMs? (Select 2)

Select 2 answers
A.Cosign
B.Kubesec
C.Syft
D.Trivy
E.Checkov
AnswersC, D

Syft is a dedicated SBOM generation tool.

Why this answer

Syft generates SBOMs, and Trivy can also generate SBOMs (in addition to vulnerability scanning). Cosign is for signing, Kubesec is for manifest analysis, and Checkov is for infrastructure-as-code scanning.

181
MCQeasy

Which of the following is a best practice for securing container images?

A.Run containers as root to ensure all permissions are available
B.Use the 'latest' tag for base images to get the latest features
C.Use distroless base images to minimize the attack surface
D.Embed secrets directly in the Dockerfile for easy access
AnswerC

Distroless images contain only essential components, reducing the number of potential vulnerabilities.

Why this answer

Using minimal base images reduces the attack surface. Distroless images contain only the application and its runtime dependencies, reducing vulnerabilities.

182
MCQhard

A security audit reveals that a Deployment uses an image with a mutable tag 'app:latest'. Which change ensures the image is immutable and traceable?

A.Change tag to 'app:stable'
B.Set 'replicas: 1'
C.Use 'image: app@sha256:abc123...'
D.Add 'imagePullPolicy: Always'
AnswerC

Using a digest ensures the exact image layer is used, providing immutability.

Why this answer

Using a SHA digest ensures the image is immutable and exactly the same version each time. Option C is correct.

183
Drag & Dropmedium

Arrange the steps to secure etcd in a Kubernetes cluster.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Securing etcd involves TLS configuration, restarting, health verification, and network restriction.

184
Multi-Selectmedium

Which TWO of the following are best practices for securing the container supply chain?

Select 2 answers
A.Scan images for vulnerabilities in a CI pipeline before deploying.
B.Use image signing and verification (e.g., with cosign) to ensure image integrity.
C.Embed API keys directly in container images for authentication.
D.Allow all images from any registry without verification to speed up development.
E.Use mutable tags like 'latest' for easier updates.
AnswersA, B

Scanning helps catch known vulnerabilities early.

Why this answer

Scanning images for vulnerabilities in a CI pipeline before deployment is a best practice because it catches known CVEs early, preventing vulnerable images from reaching production. Tools like Trivy, Clair, or Grype integrate into CI/CD to enforce policy gates, ensuring only compliant images proceed.

Exam trap

CNCF often tests the distinction between 'scanning for vulnerabilities' (Option A) and 'signing for integrity' (Option B) as complementary but distinct practices, and the trap is that candidates might think only one is needed or confuse signing with scanning.

185
MCQhard

A developer wants to ensure the container image used in a Deployment is immutable. Which approach BEST guarantees that the exact same image is used every time, preventing tag mutation?

A.Use the image digest like 'myapp@sha256:abc123'
B.Use a tag like 'v1.0-20231001' with a date
C.Use the tag 'v1.0' in the image field
D.Pin the image using a 'latest' tag
AnswerA

Digests are immutable and guarantee the exact image content.

Why this answer

Using a digest (SHA256) ensures that the image identifier is unique to the content, making it immutable. Tags like 'v1.0' can be overwritten.

186
Multi-Selecthard

Which THREE of the following are required to implement a secure software supply chain using Kubernetes native features?

Select 3 answers
A.Use vulnerability scanning tools like Trivy or Grype in the CI/CD pipeline.
B.Disable admission controllers to reduce latency in pod creation.
C.Integrate image signature verification into the admission webhook (e.g., using cosign and Kyverno).
D.Run all containers as root inside the pod to avoid permission issues.
E.Enforce policies using OPA Gatekeeper or Kyverno to restrict allowed registries and image constraints.
AnswersA, C, E

Scanning prevents deployment of images with known vulnerabilities.

Why this answer

Option A is correct because vulnerability scanning tools like Trivy or Grype are essential for identifying known CVEs in container images before deployment. Integrating these tools into the CI/CD pipeline ensures that only images with an acceptable vulnerability posture are built and pushed to the registry, forming a foundational security gate in the software supply chain.

Exam trap

CNCF often tests the misconception that disabling security controls (like admission controllers) is acceptable for performance, when in fact it undermines the entire supply chain security model.

187
Multi-Selectmedium

Which TWO of the following tools can generate an SBOM (Software Bill of Materials) for a container image?

Select 2 answers
A.syft
B.cosign attest
C.Clair
D.kubesec
E.Snyk
AnswersA, B

syft is a dedicated SBOM generation tool.

Why this answer

Correct answers: A and D. syft and cosign attest (specifically 'cosign attest --predicate sbom' or using cosign with an SBOM) are tools that can generate SBOMs. Trivy can also generate SBOMs (trivy image --format spdx), but the question asks specifically for tools that can generate SBOM. Trivy is primarily a scanner, but it can generate SBOM.

However, the most common dedicated SBOM tools are syft and cosign attest. Clair and Snyk are vulnerability scanners, not SBOM generators. Option E (kubesec) is for static analysis of manifests.

188
MCQmedium

A security team wants to ensure that only container images from a trusted registry (mytrustedregistry.io) are deployed in the cluster. They plan to use OPA/Gatekeeper. Which kind of Gatekeeper constraint template and constraint should they create?

A.A constraint that uses a pattern to match the image field against allowed registries
B.A constraint that validates the cluster's registry mirror configuration
C.A constraint that inspects the image field in the Pod's metadata annotations
D.A constraint that checks the imagePullSecrets field in the Pod spec
AnswerA

By matching the 'image' field in containers, you can ensure only images from trusted registries are used.

Why this answer

Option B is correct. A K8sAllowedRegions constraint template on the spec.containers[*].image field can enforce that image names match a specific registry. Option A is too broad.

Option C uses an incorrect field. Option D targets an irrelevant field.

189
MCQhard

You have configured Kyverno to enforce that all Pods must have an image from a trusted registry. However, a newly created Pod is not being rejected even though it uses an untrusted image. What is the most likely reason?

A.Kyverno is not an admission controller; it only mutates resources
B.The Kyverno policy requires an external registry to compare images, which is unavailable
C.The Kyverno webhook is not invoked because the failure policy is set to Ignore or the resource is not matched by the policy's rules
D.The Pod was created by a Deployment controller, which bypasses admission control
AnswerC

If the webhook's failure policy is 'Ignore', a failing webhook will not block the request. Also, the policy may not match the namespace or other criteria.

Why this answer

Option D is correct. Kyverno policies are implemented as a MutatingAdmissionWebhook or ValidatingAdmissionWebhook, and they must be properly configured with the correct failurePolicy and match conditions. If the webhook is not properly configured, the request may bypass the policy.

Option A is wrong because Kyverno uses webhooks, not the ImagePolicyWebhook. Option B is not specific to this issue. Option C is wrong because Kyverno can validate resources without an external registry.

190
MCQmedium

An admin runs 'kubectl run nginx --image=nginx' and the pod fails with 'ImagePullBackOff'. The cluster has an OPA/Gatekeeper constraint that only allows images from 'myregistry.io'. How can the admin quickly test the restriction?

A.Delete the OPA constraint
B.Add a label 'allowlist=true' to the pod
C.Use an image from 'myregistry.io/nginx:latest'
D.Use 'kubectl run nginx --image=nginx --validate=false'
AnswerC

If the constraint allowlists 'myregistry.io', then using an image from that registry should pass the admission check.

Why this answer

The constraint restricts images to a specific registry. The admin should use an image from that registry to succeed. Option A is correct.

← PreviousPage 3 of 3 · 190 questions total

Ready to test yourself?

Try a timed practice session using only Cks Supply Chain questions.