CKS · topic practice

System Hardening practice questions

Practise Certified Kubernetes Security Specialist CKS System Hardening practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: System Hardening

What the exam tests

What to know about System Hardening

System Hardening questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common System Hardening exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

System Hardening questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A security team is hardening a Kubernetes cluster. They need to ensure that all control plane components run with the least privilege. Which approach should they take?

An administrator wants to restrict pods from running as root. Which admission controller should be enabled?

A cluster has been compromised due to a container running with privilege escalation. The team wants to prevent any container from gaining new privileges. Which configuration should be applied?

Question 4 · medium · multiple choice

During a security audit, it was found that some pods have access to the host network. How can an administrator restrict host network access for all pods in the cluster?

A DevOps team wants to ensure that all container images are pulled from a trusted registry only. Which cluster-level configuration should be applied?

An attacker exploited a container escape vulnerability. The team wants to mitigate such attacks by restricting containers from accessing the host's kernel capabilities. Which set of capabilities should be dropped from all containers?

Question 7 · medium · multiple choice

A cluster is running Kubernetes 1.24. The security team wants to enforce that all pods run with a read-only root filesystem. Which approach is most effective?

A developer wants to run a container that needs to modify kernel parameters. What is the secure way to achieve this?

Which TWO of the following are effective methods to harden the kubelet against unauthorized access?

Which THREE of the following are recommended practices for securing the etcd datastore?

Which TWO of the following are valid approaches to restrict which nodes a pod can run on?

Question 12 · medium · multiple choice

A pod manifest is shown. What security issue remains in this configuration?

Exhibit

Refer to the exhibit.

```
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test
    image: alpine
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Given the exhibit, what will happen when a user creates a pod with an image from an untrusted registry?

Exhibit

Network Topology

Refer to the exhibit.
```
$ kube-apiserver --admission-control=PodSecurity --enable-admission-plugins=AlwaysPullImages
```

You are a security engineer for a large e-commerce company. The Kubernetes cluster runs on-premises and hosts critical payment processing applications. Recently, a security scan revealed that several pods are running with privilege escalation enabled, and some have a writable root filesystem. The cluster uses Kubernetes v1.26 with the PodSecurity admission controller enabled but currently set to the 'privileged' profile for all namespaces. The development teams require flexibility for some legacy applications that need to run with hostNetwork or hostPID. However, the security team wants to enforce a restricted profile for most namespaces while allowing exceptions. The CISO has mandated that no pod should run as root, and all pods must have a read-only root filesystem and privilege escalation disabled. Additionally, any pod that requires hostNetwork or hostPID must be explicitly approved and placed in a separate namespace. You need to design a solution that meets these requirements with minimal operational overhead. What is the best course of action?

Question 15 · medium · multiple choice

You are managing a Kubernetes cluster that hosts multiple microservices. The cluster uses Kubernetes v1.25. Recently, a security audit identified that containers are running with the default seccomp profile (unconfined). The security team has requested that all containers use a seccomp profile that blocks unnecessary syscalls. You need to implement this cluster-wide without breaking existing applications. The audit also found that the kubelet's anonymous authentication is enabled, which should be disabled. Additionally, you need to ensure that the kubelet's NodeRestriction admission controller is enabled to limit what nodes can do. Which of the following is the most appropriate sequence of actions?

A security engineer is hardening a Kubernetes node and wants to ensure that kubelet does not accept requests from unauthorized sources. Which kubelet configuration change should be made?

Question 17 · medium · multiple choice

During a security audit, it is found that containers running in a cluster have CAP_NET_RAW capability by default. The team wants to drop this capability for all containers. Which approach should be taken?

A cluster has enabled the NodeRestriction admission controller. A developer is trying to create a pod with hostNetwork: true but is getting an error. What is the most likely reason?

Refer to the exhibit. A security engineer sees that podPidsLimit is set to -1. What security concern does this raise?

Exhibit

Refer to the exhibit.
```
$ kubectl get nodes -o yaml | grep -A10 kubeletConfig
    kubeletConfig:
      imageGCHighThresholdPercent: 85
      imageGCLowThresholdPercent: 80
      maxPods: 110
      podPidsLimit: -1
      resolvConf: /etc/resolv.conf
      rotateCertificates: true
```

Question 20 · medium · multiple choice

Refer to the exhibit. The pod fails to start with the error 'container has runAsNonRoot but image will run as root'. Which change would fix the issue?

Exhibit

Refer to the exhibit.
```
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        add: ["NET_ADMIN"]
```


Frequently asked questions

What does the CKS exam test about System Hardening?
System Hardening questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just System Hardening questions in a focused session?
Yes — the session launcher on this page draws every question from the System Hardening domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CKS topics?
Use the topic links above to move to related areas, or go back to the CKS question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CKS exam covers. They are not copied from any real exam or dump site.