Home
Linux Foundation
CKS: Certified Kubernetes Security Specialist Dumps

Free Linux Foundation CKS Exam Dumps

Here you can find all the free questions related with Linux Foundation Certified Kubernetes Security Specialist (CKS) exam. You can also find on this page links to recently updated premium files with which you can practice for actual Linux Foundation Certified Kubernetes Security Specialist Exam. These premium versions are provided as CKS exam practice tests, both as desktop software and browser based application, you can use whatever suits your style. Feel free to try the Certified Kubernetes Security Specialist Exam premium files for free, Good luck with your Linux Foundation Certified Kubernetes Security Specialist Exam.

Question No: 11

MultipleChoice

Context:

Cluster:prod

Master node:master1

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context prod

Task:

Analyse and edit the given Dockerfile (based on theubuntu:18:04image)

/home/cert_masters/Dockerfilefixing two instructions present in the file being prominent security/best-practice issues.

Analyse and edit the given manifest file

/home/cert_masters/mydeployment.yamlfixing two fields present in the file being prominent security/best-practice issues.

Note:Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.

Should you need an unprivileged user for any of the tasks, use usernobodywith user id65535

Options

AExplanation:
1. For Dockerfile:Fix the image version & user name in Dockerfile
2. For mydeployment.yaml : Fix security contexts
Explanation
[desk@cli] $vim /home/cert_masters/Dockerfile
FROM ubuntu:latest # Remove this
FROM ubuntu:18.04 # Add this
USER root # Remove this
USER nobody # Add this
RUN apt get install -y lsof=4.72 wget=1.17.1 nginx=4.2
ENV ENVIRONMENT=testing
USER root # Remove this
USER nobody # Add this
CMD ['nginx -d']

[desk@cli] $vim/home/cert_masters/mydeployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: kafka
name: kafka
spec:
replicas: 1
selector:
matchLabels:
app: kafka
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: kafka
spec:
containers:
- image: bitnami/kafka
name: kafka
volumeMounts:
- name: kafka-vol
mountPath: /var/lib/kafka
securityContext:
{'capabilities':{'add':['NET_ADMIN'],'drop':['all']},'privileged': True,'readOnlyRootFilesystem': False, 'runAsUser': 65535} # Delete This
{'capabilities':{'add':['NET_ADMIN'],'drop':['all']},'privileged': False,'readOnlyRootFilesystem': True, 'runAsUser': 65535} # Add This
resources: {}
volumes:
- name: kafka-vol
emptyDir: {}
status: {}
Pictorial View:
[desk@cli] $vim/home/cert_masters/mydeployment.yaml

Answer
A

Question No: 12

MultipleChoice

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context test-account

Task:Enable audit logs in the cluster.

To do so, enable the log backend, and ensure that:

1. logs are stored at/var/log/Kubernetes/logs.txt

2. log files are retained for5days

3. at maximum, a number of10old audit log files are retained

A basic policy is provided at/etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.

Note: The base policy is located on the cluster's master node.

Edit and extend the basic policy to log:

1.Nodeschanges atRequestResponselevel

2. The request body ofpersistentvolumeschanges in the namespacefrontend

3.ConfigMapandSecretchanges in all namespaces at theMetadatalevel

Also, add a catch-all rule to log all other requests at theMetadatalevel

Note:Don't forget to apply the modified policy.

Options

AExplanation:
$vim /etc/kubernetes/log-policy/audit-policy.yaml
- level: RequestResponse
userGroups: ['system:nodes']
- level: Request
resources:
- group: '' # core API group
resources: ['persistentvolumes']
namespaces: ['frontend']
- level: Metadata
resources:
- group: ''
resources: ['configmaps', 'secrets']
- level: Metadata
$vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add these
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/logs.txt
- --audit-log-maxage=5
- --audit-log-maxbackup=10
Explanation
[desk@cli] $ssh master1
[master1@cli] $vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- 'RequestReceived'
rules:
# Don't log watch requests by the 'system:kube-proxy' on endpoints or services
- level: None
users: ['system:kube-proxy']
verbs: ['watch']
resources:
- group: '' # core API group
resources: ['endpoints', 'services']
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ['system:authenticated']
nonResourceURLs:
- '/api*' # Wildcard matching.
- '/version'
# Add your changes below
- level: RequestResponse
userGroups: ['system:nodes'] # Block for nodes
- level: Request
resources:
- group: '' # core API group
resources: ['persistentvolumes'] # Block for persistentvolumes
namespaces: ['frontend'] # Block for persistentvolumes of frontend ns
- level: Metadata
resources:
- group: '' # core API group
resources: ['configmaps', 'secrets'] # Block for configmaps & secrets
- level: Metadata # Block for everything else
[master1@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=10.0.0.5
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
- --audit-log-path=/var/log/kubernetes/logs.txt #Add this
- --audit-log-maxage=5 #Add this
- --audit-log-maxbackup=10 #Add this
...
output truncated
Note: log volume & policy volume is already mounted invim /etc/kubernetes/manifests/kube-apiserver.yamlso no need to mount it.

Reference:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
Note: log volume & policy volume is already mounted invim /etc/kubernetes/manifests/kube-apiserver.yamlso no need to mount it.

Reference:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

Answer
A

Question No: 13

MultipleChoice

You must complete this task on the following cluster/nodes:

Cluster:apparmor

Master node:master

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context apparmor

Given: AppArmor is enabled on the worker1 node.

Task:

On the worker1 node,

1. Enforce the prepared AppArmor profile located at:/etc/apparmor.d/nginx

2. Edit the prepared manifest file located at/home/cert_masters/nginx.yamlto apply the apparmor profile

3. Create the Pod using this manifest

Options

AExplanation:
[desk@cli] $ssh worker1
[worker1@cli] $apparmor_parser -q /etc/apparmor.d/nginx
[worker1@cli] $aa-status | grep nginx
nginx-profile-1
[worker1@cli] $logout
[desk@cli] $vim nginx-deploy.yaml
Add these lines under metadata:
annotations: # Add this line
container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/nginx-profile-1
[desk@cli] $kubectl apply -f nginx-deploy.yaml
Explanation
[desk@cli] $ssh worker1
[worker1@cli] $apparmor_parser -q /etc/apparmor.d/nginx
[worker1@cli] $aa-status | grep nginx
nginx-profile-1
[worker1@cli] $logout
[desk@cli] $vim nginx-deploy.yaml

[desk@cli] $kubectl apply -f nginx-deploy.yaml
pod/nginx-deploy created

Reference:https://kubernetes.io/docs/tutorials/clusters/apparmor/
pod/nginx-deploy created
[desk@cli] $kubectl apply -f nginx-deploy.yaml
pod/nginx-deploy created

Reference:https://kubernetes.io/docs/tutorials/clusters/apparmor/

Answer
A

Question No: 14

MultipleChoice

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context qa

Context:

A pod fails to run because of an incorrectly specified ServiceAccount

Task:

Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret.

Edit the frontend pod yaml to use backend-qa service account

Note:You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml

Options

AExplanation:
[desk@cli] $k create sa backend-qa -n qa
sa/backend-qa created
[desk@cli] $k get role,rolebinding -n qa
No resources found in qa namespace.
[desk@cli] $k create role backend -n qa --resource pods,namespaces,configmaps --verb list
#No access to secret
[desk@cli] $k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa
[desk@cli] $vim /home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
serviceAccountName: backend-qa # Add this
image: nginx
name: frontend
[desk@cli] $k apply -f /home/cert_masters/frontend-pod.yaml
pod created
[desk@cli] $k create sa backend-qa -n qa
serviceaccount/backend-qa created
[desk@cli] $k get role,rolebinding -n qa
No resources found in qa namespace.
[desk@cli] $k create role backend -n qa --resource pods,namespaces,configmaps --verb list
role.rbac.authorization.k8s.io/backend created
[desk@cli] $k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa
rolebinding.rbac.authorization.k8s.io/backend created
[desk@cli] $vim /home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
serviceAccountName: backend-qa # Add this
image: nginx
name: frontend
[desk@cli] $k apply -f /home/cert_masters/frontend-pod.yaml
pod/frontend created

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
pod/frontend created
[desk@cli] $k apply -f /home/cert_masters/frontend-pod.yaml
pod/frontend created

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Answer
A

Question No: 15

MultipleChoice

You must complete this task on the following cluster/nodes:

Cluster:trace

Master node:master

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context trace

Given: You may use Sysdig or Falco documentation.

Task:

Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Podtomcat.

Two tools are available to use:

1. falco

2. sysdig

Tools are pre-installed on the worker1 node only.

Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at/home/cert_masters/report, in the following format:

[timestamp],[uid],[processName]

Note:Make sure to store incident file on the cluster's worker node, don't move it to master node.

Options

AExplanation:
$vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
$kill -1 <PID of falco>
Explanation
[desk@cli] $ssh node01
[node01@cli] $vim /etc/falco/falco_rules.yaml
search for Container Drift Detected & paste in falco_rules.local.yaml
[node01@cli] $vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
[node01@cli] $vim /etc/falco/falco.yaml

Answer
A

Question No: 16

MultipleChoice

Cluster: dev

Master node:master1

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context dev

Task:

Retrieve the content of the existing secret namedadamin thesafenamespace.

Store the username field in a file names/home/cert-masters/username.txt, and the password field in a file named/home/cert-masters/password.txt.

1. You must create both files; they don't exist yet.

2. Do not use/modify the created files in the following steps, create new temporary files if needed.

Create a new secret namesnewsecretin thesafenamespace, with the following content:

Username:dbadmin

Password:moresecurepas

Finally, create a new Pod that has access to the secretnewsecretvia a volume:

Namespace: safe

Pod name: mysecret-pod

Container name: db-container

Image: redis

Volume name: secret-vol

Mount path: /etc/mysecret

Options

AExplanation:
1. Get the secret, decrypt it & save in files
k get secret adam -n safe -o yaml
2. Create new secret using --from-literal
[desk@cli] $k create secret generic newsecret -n safe --from-literal=username=dbadmin --from-literal=password=moresecurepass
3. Mount it as volume of db-container of mysecret-pod
Explanation

[desk@cli] $k create secret generic newsecret -n safe --from-literal=username=dbadmin --from-literal=password=moresecurepass
secret/newsecret created
[desk@cli] $vim /home/certs_masters/secret-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mysecret-pod
namespace: safe
labels:
run: mysecret-pod
spec:
containers:
- name: db-container
image: redis
volumeMounts:
- name: secret-vol
mountPath: /etc/mysecret
readOnly: true
volumes:
- name: secret-vol
secret:
secretName: newsecret
[desk@cli] $k apply -f /home/certs_masters/secret-pod.yaml
pod/mysecret-pod created
[desk@cli] $k exec -it mysecret-pod -n safe -- cat /etc/mysecret/username
dbadmin

[desk@cli] $k exec -it mysecret-pod -n safe -- cat /etc/mysecret/password
moresecurepas

Answer
A

Question No: 17

MultipleChoice

Cluster:scanner

Master node:controlplane

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context scanner

Given:

You may use Trivy's documentation.

Task:

Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespacenato.

Look for images withHighorCriticalseverity vulnerabilities and delete the Pods that use those images.

Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.

Options

AExplanation:
[controlplane@cli] $k get pods -n nato -o yaml | grep 'image: '
[controlplane@cli] $trivy image <image-name>
[controlplane@cli] $k delete pod <vulnerable-pod> -n nato
[desk@cli] $ssh controlnode
[controlplane@cli] $k get pods -n nato
NAME READY STATUS RESTARTS AGE
alohmora 1/1 Running 0 3m7s
c3d3 1/1 Running 0 2m54s
neon-pod 1/1 Running 0 2m11s
thor 1/1 Running 0 58s
[controlplane@cli] $k get pods -n nato -o yaml | grep 'image: '

[controlplane@cli] $k delete pod thor -n nato
[controlplane@cli] $k delete pod neon-pod -n nato

Reference:https://github.com/aquasecurity/trivy
[controlplane@cli] $k delete pod neon-pod -n nato

Reference:https://github.com/aquasecurity/trivy

Answer
A

Question No: 18

MultipleChoice

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context dev

A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task: Create a new default-deny NetworkPolicy nameddeny-networkin the namespacetestfor all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespacetest.

Apply the newly createddefault-denyNetworkPolicy to all Pods running in namespacetest.

You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

Options

AExplanation:
master1 $k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
$vim netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $k apply -f netpol.yaml
Explanation
controlplane $ k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
master1 $ vim netpol1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $ k apply -f netpol1.yaml

Reference:
https://kubernetes.io/docs/concepts/services-networking/network-policies/

Answer
AExplanation

master1 $ k apply -f netpol1.yaml Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/

Explanation

controlplane $ k get pods -n test --show-labels

NAME READY STATUS RESTARTS AGE LABELS

test-pod 1/1 Running 0 34s role=test,run=test-pod

testing 1/1 Running 0 17d run=testing

master1 $ vim netpol1.yaml

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

name: deny-network

namespace: test

spec:

podSelector: {}

policyTypes:

- Ingress

- Egress

master1 $ k apply -f netpol1.yaml Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/

Question No: 19

MultipleChoice

Context:

Cluster:gvisor

Master node:master1

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context gvisor

Context:This cluster has been prepared to support runtime handler, runsc as well as traditional one.

Task:

Create a RuntimeClass namednot-trustedusing the prepared runtime handler namesrunsc.

Update all Pods in the namespace server to run onnewruntime.

Options

AExplanation:
Find all the pods/deployment and edit runtimeClassName parameter to not-trusted under spec
[desk@cli] $k edit deploy nginx
spec:
runtimeClassName: not-trusted. # Add this
Explanation
[desk@cli] $vim runtime.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: not-trusted
handler: runsc
[desk@cli] $k apply -f runtime.yaml
[desk@cli] $k get pods
NAME READY STATUS RESTARTS AGE
nginx-6798fc88e8-chp6r 1/1 Running 0 11m
nginx-6798fc88e8-fs53n 1/1 Running 0 11m
nginx-6798fc88e8-ndved 1/1 Running 0 11m
[desk@cli] $k get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 3/3 11 3 5m
[desk@cli] $k edit deploy nginx

Answer
A

Question No: 20

MultipleChoice

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context prod-account

Context:

A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

Task:

Given an existing Pod namedweb-podrunning in the namespacedatabase.

1. Edit the existing Role bound to the Pod's ServiceAccounttest-sato only allow performing get operations, only on resources of type Pods.

2. Create a new Role namedtest-role-2in the namespacedatabase, which only allows performingupdateoperations, only on resources of typestatuefulsets.

3. Create a new RoleBinding namedtest-role-2-bindbinding the newly created Role to the Pod's ServiceAccount.

Note: Don't delete the existing RoleBinding.

Options

AExplanation:
$k edit role test-role -n database
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: '2021-06-04T11:12:23Z'
name: test-role
namespace: database
resourceVersion: '1139'
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/database/roles/test-role
uid: 49949265-6e01-499c-94ac-5011d6f6a353
rules:
- apiGroups:
- ''
resources:
- pods
verbs:
- * # Delete
- get # Fixed
$k create role test-role-2 -n database --resource statefulset --verb update
$k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa
Explanation
[desk@cli]$k get pods -n database
NAME READY STATUS RESTARTS AGE LABELS
web-pod 1/1 Running 0 34s run=web-pod
[desk@cli]$k get roles -n database
test-role
[desk@cli]$k edit role test-role -n database
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: '2021-06-13T11:12:23Z'
name: test-role
namespace: database
resourceVersion: '1139'
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/database/roles/test-role
uid: 49949265-6e01-499c-94ac-5011d6f6a353
rules:
- apiGroups:
- ''
resources:
- pods
verbs:
- '*' # Delete this
- get # Replace by this
[desk@cli]$k create role test-role-2 -n database --resource statefulset --verb update
role.rbac.authorization.k8s.io/test-role-2 created

[desk@cli]$k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa
rolebinding.rbac.authorization.k8s.io/test-role-2-bind created

Reference:https://kubernetes.io/docs/reference/access-authn-authz/rbac/
role.rbac.authorization.k8s.io/test-role-2 created
[desk@cli]$k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa
rolebinding.rbac.authorization.k8s.io/test-role-2-bind created
[desk@cli]$k create role test-role-2 -n database --resource statefulset --verb update
role.rbac.authorization.k8s.io/test-role-2 created

[desk@cli]$k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa
rolebinding.rbac.authorization.k8s.io/test-role-2-bind created

Reference:https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Answer
A

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF