Linux Foundation CKS Exam Questions

Name: Linux Foundation CKS Exam
Brand: Pass4Success
SKU: CKS
Price: 69.00 USD
Availability: InStock
Rating: 5.0 (165 reviews)

Exam Name: Certified Kubernetes Security Specialist

Exam Code: CKS

Related Certification(s): Linux Foundation Kubernetes Security Specialist Certification

Certification Provider: Linux Foundation

Actual Exam Duration: 120 Minutes

Number of CKS practice questions in our database: 48 (updated: Nov. 22, 2024)

Expected CKS Exam Topics, as suggested by Linux Foundation :

Topic 1: Cluster Setup: This topic assesses skills of Kubernetes practitioners in configuring secure Kubernetes clusters. It covers network security policies, CIS benchmarks, ingress security, node metadata protection, minimizing GUI access, and verifying platform binaries. Proficiency in these areas ensures a secure foundation for Kubernetes deployments.
Topic 2: Cluster Hardening: Cluster hardening focuses on securing Kubernetes API access, utilizing Role-Based Access Controls, managing service accounts, and keeping Kubernetes updated. This topic of the CKS exam measures the ability of Kubernetes practitioner to enhance cluster security by reducing exposure and managing permissions effectively.
Topic 3: System Hardening: It involves minimizing the host OS footprint, managing IAM roles, limiting network access, and using kernel hardening tools like AppArmor and seccomp. The topic tests the skills of Kubernetes practitioners that are required to secure the underlying OS and its interactions with Kubernetes.
Topic 4: Minimize Microservice Vulnerabilities: This topic of the Linux Foundation Kubernetes Security Specialist exam evaluates techniques to secure microservices, including OS-level security domains, managing Kubernetes secrets, using container runtime sandboxes, and implementing pod-to-pod encryption. It measures the ability to safeguard against vulnerabilities within a multi-tenant environment.
Topic 5: Supply Chain Security: Supply chain security addresses securing base images, whitelisting registries, signing images, performing static analysis, and scanning for vulnerabilities. The CKA exam assesses skills of Kubernetes practitioners in protecting the entire supply chain of containerized applications from creation to deployment.
Topic 6: Monitoring, Logging, and Runtime Security: This area of the Certified Kubernetes Security Specialist exam focuses on behavioral analytics, threat detection across infrastructure, and ensuring container immutability. Proficiency of the Kubernetes practitioner here demonstrates the ability to maintain security and investigate incidents effectively.

Disscuss Linux Foundation CKS Topics, Questions or Ask Anything Related

Submit Cancel

Sherita

7 days ago

I successfully passed the Kubernetes Security Specialist exam, and Pass4Success practice questions were a key part of my preparation. There was a question on supply chain security that asked how to verify the integrity of container images using Notary. I was a bit uncertain, but I still passed the exam.

upvoted 0 times

...

Adolph

11 days ago

Securing the Kubernetes API server was emphasized. Know how to configure and audit API server flags for security best practices. Pass4Success practice questions really helped me prepare for this!

upvoted 0 times

...

Janet

16 days ago

CKS certified! Pass4Success materials were key to my quick preparation.

upvoted 0 times

...

24 days ago

Happy to share that I passed the Kubernetes Security Specialist exam! The Pass4Success practice questions were a big help. One question that caught me off guard was about cluster setup, asking how to configure etcd for high availability. I wasn't sure about the exact steps, but I managed to pass.

upvoted 0 times

...

Camellia

1 months ago

The exam tested my knowledge of RBAC. I had to create roles and role bindings to grant specific permissions. Study the different API resources and verbs used in RBAC.

upvoted 0 times

...

Tarra

1 months ago

I passed the Kubernetes Security Specialist exam, thanks in part to the practice questions from Pass4Success. One challenging question was about cluster hardening, specifically how to enforce network policies to isolate namespaces. I wasn't completely confident in my answer, but I still passed.

upvoted 0 times

...

Glynda

2 months ago

Aced the Kubernetes Security Specialist exam. Pass4Success made prep a breeze!

upvoted 0 times

...

Hassie

2 months ago

Network policies were a big part of my exam. Practice creating and troubleshooting them to control traffic between pods. Understanding ingress and egress rules is crucial.

upvoted 0 times

...

Jesus

2 months ago

Just cleared the Kubernetes Security Specialist exam, and Pass4Success was a great resource. There was a tricky question on system hardening that asked how to implement AppArmor profiles to restrict container capabilities. I was a bit unsure about the exact syntax, but I still managed to get through the exam.

upvoted 0 times

...

Julene

2 months ago

Just passed the CKS exam! Glad I studied Pod Security Policies. Had to analyze and modify PSPs to enforce security constraints. Make sure you understand PSP syntax and how to apply them.

upvoted 0 times

...

Loren

2 months ago

I recently passed the Linux Foundation Certified Kubernetes Security Specialist exam, and I have to say, the Pass4Success practice questions were incredibly helpful. One question that stumped me was about setting up monitoring and logging for runtime security. It asked how to configure Fluentd to collect logs from all nodes in a Kubernetes cluster. I wasn't entirely sure about the configuration details, but I managed to pass the exam.

upvoted 0 times

...

Billye

3 months ago

Just passed the CKS exam! Thanks Pass4Success for the spot-on practice questions.

upvoted 0 times

...

Nadine

5 months ago

Just passed the CKS exam! One tricky area was Pod Security Policies. Expect questions on configuring and troubleshooting PSPs. Study the different policy options and their impact on pod creation. Big thanks to Pass4Success for their spot-on practice questions that helped me prepare quickly!

upvoted 0 times

...

Free Linux Foundation CKS Exam Actual Questions

Note: Premium Questions for CKS were last updated On Nov. 22, 2024 (see below)

Question #1

A container image scanner is set up on the cluster.

Given an incomplete configuration in the directory

/etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy

1. Enable the admission plugin.

2. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying the pod having the image tag as latest.

AExplanation:
ssh-add ~/.ssh/tempprivate
eval '$(ssh-agent -s)'
cd contrib/terraform/aws
vi terraform.tfvars
terraform init
terraform apply -var-file=credentials.tfvars
ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_ssh_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache -e ansible_user=core

Reveal Solution

Correct Answer: A

Question #2

Context

A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.

Task

Create a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.

Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.

Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.

Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp-restrict-sa.

AExplanation:

Reveal Solution

Correct Answer: A

Question #3

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against theAPI server:-

a. Ensure that the RotateKubeletServerCertificate argument is set to true.

b. Ensure that the admission control plugin PodSecurityPolicy is set.

c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

Fix all of the following violations that were found against theKubelet:-

a. Ensure the --anonymous-auth argument is set to false.

b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against theETCD:-

a. Ensure that the --auto-tls argument is not set to true

b. Ensure that the --peer-auto-tls argument is not set to true

Hint: Take the use of Tool Kube-Bench

AExplanation:
Fix all of the following violations that were found against theAPI server:-
a. Ensure that the RotateKubeletServerCertificate argument is set to true.
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kubelet
tier: control-plane
name: kubelet
namespace: kube-system
spec:
containers:
- command:
- kube-controller-manager
+ - --feature-gates=RotateKubeletServerCertificate=true
image: gcr.io/google_containers/kubelet-amd64:v1.6.0
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 15
timeoutSeconds: 15
name: kubelet
resources:
requests:
cpu: 250m
volumeMounts:
- mountPath: /etc/kubernetes/
name: k8s
readOnly: true
- mountPath: /etc/ssl/certs
name: certs
- mountPath: /etc/pki
name: pki
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes
name: k8s
- hostPath:
path: /etc/ssl/certs
name: certs
- hostPath:
path: /etc/pki
name: pki
b. Ensure that the admission control plugin PodSecurityPolicy is set.
audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
tests:
test_items:
- flag: '--enable-admission-plugins'
compare:
op: has
value: 'PodSecurityPolicy'
set: true
remediation: |
Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --enable-admission-plugins parameter to a
value that includes PodSecurityPolicy :
--enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server.
scored: true
c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
tests:
test_items:
- flag: '--kubelet-certificate-authority'
set: true
remediation: |
Follow the Kubernetes documentation and setup the TLS connection between the
apiserver and kubelets. Then, edit the API server pod specification file
$apiserverconf on the master node and set the --kubelet-certificate-authority
parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>
scored: true
Fix all of the following violations that were found against theETCD:-
a. Ensure that the --auto-tls argument is not set to true
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
b. Ensure that the --peer-auto-tls argument is not set to true
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false

Reveal Solution

Correct Answer: A

Question #4

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

AExplanation:
Create psp to disallow privileged container
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- ''deny-policy''
k create sa psp-denial-sa -n development
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: psp-denial-sa
namespace: development
Explanation
master1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: deny-policy
spec:
privileged: false # Don't allow privileged pods!
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- ''deny-policy''
master1 $k create sa psp-denial-sa -n development

master1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
name: psp-denial-sa
namespace: development
master1 $k apply -f psp.yaml
master1 $k apply -f cr1.yaml
master1 $k apply -f cb1.yaml

Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Reveal Solution

Correct Answer: A

Question #5

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context dev A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

Task: Create a new default-deny NetworkPolicy nameddeny-networkin the namespacetestfor all traffic of type Ingress + Egress

The new NetworkPolicy must deny all Ingress + Egress traffic in the namespacetest.

Apply the newly createddefault-denyNetworkPolicy to all Pods running in namespacetest.

You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

AExplanation:
master1 $k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
$vim netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $k apply -f netpol.yaml
Explanation
controlplane $ k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
master1 $ vim netpol1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $ k apply -f netpol1.yaml

Reference:
https://kubernetes.io/docs/concepts/services-networking/network-policies/
Explanation
controlplane $ k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
master1 $ vim netpol1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $ k apply -f netpol1.yaml

Reference:
https://kubernetes.io/docs/concepts/services-networking/network-policies/

Reveal Solution

Correct Answer: A

Unlock Premium CKS Exam Questions with Advanced Practice Test Features:

Select Question Types you want
Set your Desired Pass Percentage
Allocate Time (Hours : Minutes)
Create Multiple Practice tests with Limited Questions
Customer Support

Get Full Access Now