Linux Foundation CKS Exam Questions

Name: Linux Foundation CKS Exam
Brand: Pass4Success
SKU: CKS
Price: 69.00 USD
Availability: InStock
Rating: 4.7 (22 reviews)

Exam Name: Certified Kubernetes Security Specialist

Exam Code: CKS

Related Certification(s): Linux Foundation Kubernetes Security Specialist Certification

Certification Provider: Linux Foundation

Actual Exam Duration: 120 Minutes

Number of CKS practice questions in our database: 64 (updated: Mar. 04, 2026)

Expected CKS Exam Topics, as suggested by Linux Foundation :

Topic 1: Cluster Setup: This topic assesses the skills of Kubernetes practitioners in configuring secure Kubernetes clusters. It covers network security policies, CIS benchmarks, ingress security, node metadata protection, minimizing GUI access, and verifying platform binaries. Proficiency in these areas ensures a secure foundation for Kubernetes deployments.
Topic 2: Cluster Hardening: Cluster hardening focuses on securing Kubernetes API access, utilizing Role-Based Access Controls, managing service accounts, and keeping Kubernetes updated. This CKS exam topic measures Kubernetes practitioners' ability to enhance cluster security by reducing exposure and managing permissions effectively.
Topic 3: System Hardening: It involves minimizing the host OS footprint, managing IAM roles, limiting network access, and using kernel hardening tools like AppArmor and seccomp. The topic tests the skills of Kubernetes practitioners that are required to secure the underlying OS and its interactions with Kubernetes.
Topic 4: Minimize Microservice Vulnerabilities: This topic of the Linux Foundation Kubernetes Security Specialist exam evaluates techniques to secure microservices, including OS-level security domains, managing Kubernetes secrets, using container runtime sandboxes, and implementing pod-to-pod encryption. It measures the ability to safeguard against vulnerabilities within a multi-tenant environment.
Topic 5: Supply Chain Security: Supply chain security addresses securing base images, whitelisting registries, signing images, performing static analysis, and scanning for vulnerabilities. The CKA exam assesses the skills of Kubernetes practitioners in protecting the entire supply chain of containerized applications from creation to deployment.
Topic 6: Monitoring, Logging, and Runtime Security: This area of the Certified Kubernetes Security Specialist exam focuses on behavioral analytics, threat detection across infrastructure, and ensuring container immutability. The proficiency of the Kubernetes practitioner here demonstrates the ability to maintain security and investigate incidents effectively.

Disscuss Linux Foundation CKS Topics, Questions or Ask Anything Related

Submit Cancel

Jose

3 days ago

Nerves hit me hard right before the lab simulations, but PASS4SUCCESS walked me through with clear lab setups and actionable tips, turning anxiety into assurance. You've got this—believe in the process and ace it.

upvoted 0 times

...

Lawanda

12 days ago

Secrets management and encryption at rest vs in transit felt murky; the practice tests clarified which controls are testable and why.

upvoted 0 times

...

Lemuel

19 days ago

The tricky bit was auditing cluster components and interpreting kube-bench outputs; PASS4SUCCESS mock exams repeated the exact drill, which built confidence.

upvoted 0 times

...

Scarlet

27 days ago

Troubleshooting RBAC with multiple namespaces got hairy fast; the practice exams walked me through several tricky role-binding scenarios.

upvoted 0 times

...

Beatriz

1 month ago

Passing this exam was a huge relief. PASS4SUCCESS practice exams were instrumental in helping me stay focused and on track throughout my preparation.

upvoted 0 times

...

Caprice

1 month ago

I was jittery before the exam, doubting if I'd remember all the security nuances; PASS4SUCCESS gave me structured practice, detailed explanations, and a confidence boost I didn't know I needed. Keep pushing and you'll unlock your own success, future test-taker!

upvoted 0 times

...

Erick

2 months ago

Kubernetes admission controllers were a key topic. Know how to configure and use various admission controllers to enforce security policies.

upvoted 0 times

...

Margo

2 months ago

Just passed the Kubernetes Security Specialist exam, and the practice questions from Pass4Success were invaluable. One question that puzzled me was about minimizing microservice vulnerabilities, specifically how to use network policies to restrict pod communication. I wasn't entirely sure, but I passed nonetheless.

upvoted 0 times

...

Krystal

2 months ago

Revising with PASS4SUCCESS practice exams was the key to my success. The detailed explanations really helped cement my understanding of the material.

upvoted 0 times

...

Kanisha

2 months ago

Aced the Kubernetes Security Specialist exam! Pass4Success questions were incredibly similar to the real thing.

upvoted 0 times

...

Elouise

3 months ago

I had to deal with securing persistent volumes. Understand best practices for encrypting and managing access to sensitive data in volumes.

upvoted 0 times

...

Alecia

3 months ago

If you're feeling overwhelmed, don't worry. PASS4SUCCESS practice exams gave me the confidence I needed to tackle even the toughest Kubernetes security concepts.

upvoted 0 times

...

Tequila

3 months ago

Runtime class security was featured. Understand how to use different runtime classes to enhance container isolation and security.

upvoted 0 times

...

Louis

3 months ago

Definitely use PASS4SUCCESS practice exams to manage your time effectively. Practicing with the timed simulations was crucial for me to finish the exam on time.

upvoted 0 times

...

Goldie

4 months ago

CKSS certification achieved! Pass4Success materials were a lifesaver. Covered all the key topics in no time.

upvoted 0 times

...

Gertude

4 months ago

Handling Pod Security Policies and the evolving Kubernetes hardening requirements was brutal, but PASS4SUCCESS practice questions guided my reasoning and timings.

upvoted 0 times

...

Paris

4 months ago

I successfully passed the Kubernetes Security Specialist exam, and the Pass4Success practice questions were a key part of my preparation. There was a question on supply chain security that asked how to use Clair to scan container images for vulnerabilities. I was a bit uncertain, but I still passed the exam.

upvoted 0 times

...

Precious

4 months ago

The toughest part was mastering the CRI-O vs Docker runtime nuances and how container isolation differs in practice; PASS4SUCCESS sims helped me see those edge cases in real exam-style questions.

upvoted 0 times

...

Veronika

5 months ago

Just passed the CKSS exam! Thanks Pass4Success for the spot-on practice questions. Saved me weeks of prep time!

upvoted 0 times

...

Nana

5 months ago

I encountered questions on threat modeling in Kubernetes. Know how to identify potential attack vectors and implement appropriate mitigations.

upvoted 0 times

...

Weldon

5 months ago

Passing the Linux Foundation Certified Kubernetes Security Specialist exam was a game-changer for me. PASS4SUCCESS practice exams were a lifesaver - they really helped me identify my weak areas and focus my studies.

upvoted 0 times

...

Broderick

5 months ago

Excited to share that I passed the Kubernetes Security Specialist exam! The Pass4Success practice questions were very useful. One question that stumped me was about cluster setup, specifically how to configure kubeadm for a multi-master setup. I wasn't entirely sure, but I managed to pass.

upvoted 0 times

...

Jeannetta

5 months ago

The exam tested knowledge on Linux security modules. Understand how SELinux and AppArmor integrate with Kubernetes for enhanced security.

upvoted 0 times

...

Frankie

6 months ago

Just became a Certified Kubernetes Security Specialist. Pass4Success rocks!

upvoted 0 times

...

Lizette

6 months ago

I passed the Kubernetes Security Specialist exam, and the practice questions from Pass4Success were a big help. There was a challenging question on cluster hardening that asked how to implement RBAC to restrict access to cluster resources. I wasn't sure about the exact roles and bindings, but I still passed.

upvoted 0 times

...

Lottie

6 months ago

Securing Ingress resources was part of the exam. Practice configuring TLS for Ingress and implementing authentication mechanisms.

upvoted 0 times

...

Fausto

8 months ago

CKS exam success! Pass4Success, your questions were worth every penny.

upvoted 0 times

...

Deangelo

8 months ago

I had to work with CIS benchmarks for Kubernetes. Know how to run and interpret kube-bench results and implement recommended security controls.

upvoted 0 times

...

Natalya

8 months ago

The exam had questions on network security beyond just policies. Understand how to use tools like Calico for advanced network security features.

upvoted 0 times

...

Onita

9 months ago

New CKS here! Pass4Success, thanks for the efficient study materials.

upvoted 0 times

...

Tamar

10 months ago

Kubernetes upgrade security was tested. Know the process of safely upgrading a cluster and verifying security settings post-upgrade. Pass4Success really prepared me for this topic!

upvoted 0 times

...

Margery

10 months ago

Passed CKS on my first try. Pass4Success questions were spot on!

upvoted 0 times

...

Vallie

11 months ago

I encountered scenarios on container runtime security. Understand how to configure and use seccomp and AppArmor profiles to restrict container capabilities.

upvoted 0 times

...

Truman

11 months ago

CKS certification achieved! Pass4Success made last-minute prep possible.

upvoted 0 times

...

Arminda

12 months ago

Just passed the CKS exam! The last section tested incident response in Kubernetes. Practice creating and executing incident response plans. Thanks to Pass4Success for the comprehensive prep materials!

upvoted 0 times

...

Sunshine

1 year ago

I had to deal with Kubernetes audit logging. Understand how to configure and analyze audit logs to detect security events. Practice interpreting log entries.

upvoted 0 times

...

Fletcher

1 year ago

Nailed the Kubernetes Security exam. Pass4Success, you're the real MVP!

upvoted 0 times

...

Alease

1 year ago

Open Policy Agent (OPA) and Gatekeeper were featured. Know how to write and apply policies to enforce security standards across your cluster.

upvoted 0 times

...

Eleonore

1 year ago

The exam tested knowledge on minimizing microservice vulnerabilities. Practice analyzing and fixing security issues in Kubernetes manifests. Pass4Success questions were spot on for this!

upvoted 0 times

...

Geoffrey

1 year ago

CKS exam conquered! Pass4Success, your practice tests were lifesavers.

upvoted 0 times

...

Barbra

1 year ago

Cluster hardening was a significant part. I had to disable unnecessary services and limit node access. Know how to secure kubelet and set proper permissions.

upvoted 0 times

...

Francoise

1 year ago

Thrilled to have passed the Kubernetes Security Specialist exam! The Pass4Success practice questions were a great help. One question that I found difficult was about system hardening, specifically how to configure SELinux policies for Kubernetes nodes. I wasn't entirely confident, but I passed.

upvoted 0 times

...

Deane

1 year ago

The exam included scenarios on securing service accounts. Know how to manage and restrict service account tokens and permissions.

upvoted 0 times

...

Hermila

1 year ago

Successfully cleared CKS. Pass4Success questions were incredibly relevant.

upvoted 0 times

...

Blossom

1 year ago

I encountered questions on Kubernetes secrets management. Know how to create, use, and rotate secrets securely. Understanding encryption at rest is important too.

upvoted 0 times

...

Felix

1 year ago

I passed the Kubernetes Security Specialist exam, and I owe a lot to the Pass4Success practice questions. There was a tough question on monitoring, logging, and runtime security, asking how to set up Prometheus to monitor Kubernetes clusters. I wasn't completely sure, but I still managed to pass.

upvoted 0 times

...

William

1 year ago

The exam included scenarios on securing container images. Practice using tools like Trivy to scan for vulnerabilities and interpret scan results.

upvoted 0 times

...

Jolanda

1 year ago

Passed the CKS exam with flying colors. Kudos to Pass4Success for the help!

upvoted 0 times

...

Micaela

1 year ago

Just passed the Kubernetes Security Specialist exam, and the practice questions from Pass4Success were invaluable. One question that puzzled me was about minimizing microservice vulnerabilities, specifically how to use PodSecurityPolicies to restrict container privileges. I wasn't entirely sure, but I passed nonetheless.

upvoted 0 times

...

Eladia

1 year ago

Runtime security was a key topic. I had to work with tools like Falco to detect and respond to security threats. Familiarize yourself with Falco rules and how to interpret its output.

upvoted 0 times

...

Sherita

1 year ago

I successfully passed the Kubernetes Security Specialist exam, and Pass4Success practice questions were a key part of my preparation. There was a question on supply chain security that asked how to verify the integrity of container images using Notary. I was a bit uncertain, but I still passed the exam.

upvoted 0 times

...

Adolph

1 year ago

Securing the Kubernetes API server was emphasized. Know how to configure and audit API server flags for security best practices. Pass4Success practice questions really helped me prepare for this!

upvoted 0 times

...

Janet

1 year ago

CKS certified! Pass4Success materials were key to my quick preparation.

upvoted 0 times

...

1 year ago

Happy to share that I passed the Kubernetes Security Specialist exam! The Pass4Success practice questions were a big help. One question that caught me off guard was about cluster setup, asking how to configure etcd for high availability. I wasn't sure about the exact steps, but I managed to pass.

upvoted 0 times

...

Camellia

1 year ago

The exam tested my knowledge of RBAC. I had to create roles and role bindings to grant specific permissions. Study the different API resources and verbs used in RBAC.

upvoted 0 times

...

Tarra

1 year ago

I passed the Kubernetes Security Specialist exam, thanks in part to the practice questions from Pass4Success. One challenging question was about cluster hardening, specifically how to enforce network policies to isolate namespaces. I wasn't completely confident in my answer, but I still passed.

upvoted 0 times

...

Glynda

1 year ago

Aced the Kubernetes Security Specialist exam. Pass4Success made prep a breeze!

upvoted 0 times

...

Hassie

1 year ago

Network policies were a big part of my exam. Practice creating and troubleshooting them to control traffic between pods. Understanding ingress and egress rules is crucial.

upvoted 0 times

...

Jesus

1 year ago

Just cleared the Kubernetes Security Specialist exam, and Pass4Success was a great resource. There was a tricky question on system hardening that asked how to implement AppArmor profiles to restrict container capabilities. I was a bit unsure about the exact syntax, but I still managed to get through the exam.

upvoted 0 times

...

Julene

1 year ago

Just passed the CKS exam! Glad I studied Pod Security Policies. Had to analyze and modify PSPs to enforce security constraints. Make sure you understand PSP syntax and how to apply them.

upvoted 0 times

...

Loren

1 year ago

I recently passed the Linux Foundation Certified Kubernetes Security Specialist exam, and I have to say, the Pass4Success practice questions were incredibly helpful. One question that stumped me was about setting up monitoring and logging for runtime security. It asked how to configure Fluentd to collect logs from all nodes in a Kubernetes cluster. I wasn't entirely sure about the configuration details, but I managed to pass the exam.

upvoted 0 times

...

Billye

2 years ago

Just passed the CKS exam! Thanks Pass4Success for the spot-on practice questions.

upvoted 0 times

...

Nadine

2 years ago

Just passed the CKS exam! One tricky area was Pod Security Policies. Expect questions on configuring and troubleshooting PSPs. Study the different policy options and their impact on pod creation. Big thanks to Pass4Success for their spot-on practice questions that helped me prepare quickly!

upvoted 0 times

...

Free Linux Foundation CKS Exam Actual Questions

Note: Premium Questions for CKS were last updated On Mar. 04, 2026 (see below)

Question #1

Create a PSP that will prevent the creation of privileged pods in the namespace.

Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.

Create a new ServiceAccount named psp-sa in the namespace default.

Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.

Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.

Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

AExplanation:
Create a PSP that will prevent the creation of privileged pods in the namespace.
$ cat clusterrole-use-privileged.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: use-privileged-psp
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- default-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: privileged-role-bind
namespace: psp-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: use-privileged-psp
subjects:
- kind: ServiceAccount
name: privileged-sa
$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
After a few moments, the privileged Pod should be created.
Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields.
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
And create it with kubectl:
kubectl-admin create -f example-psp.yaml
Now, as the unprivileged user, try to create a simple pod:
kubectl-user create -f- <<EOF
apiVersion: v1
kind: Pod
metadata:
name: pause
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
EOF
The output is similar to this:
Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
Create a new ServiceAccount named psp-sa in the namespace default.
$ cat clusterrole-use-privileged.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: use-privileged-psp
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- default-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: privileged-role-bind
namespace: psp-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: use-privileged-psp
subjects:
- kind: ServiceAccount
name: privileged-sa
$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
After a few moments, the privileged Pod should be created.
Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields.
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
And create it with kubectl:
kubectl-admin create -f example-psp.yaml
Now, as the unprivileged user, try to create a simple pod:
kubectl-user create -f- <<EOF
apiVersion: v1
kind: Pod
metadata:
name: pause
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
EOF
The output is similar to this:
Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows 'jane' to read pods in the 'default' namespace.
# You need to already have a Role named 'pod-reader' in that namespace.
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
# You can specify more than one 'subject'
- kind: User
name: jane # 'name' is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
# 'roleRef' specifies the binding to a Role / ClusterRole
kind: Role #this must be Role or ClusterRole
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [''] # '' indicates the core API group
resources: ['pods']
verbs: ['get', 'watch', 'list']

Reveal Solution

Correct Answer: A

Question #2

A container image scanner is set up on the cluster.

Given an incomplete configuration in the directory

/etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy

1. Enable the admission plugin.

2. Validate the control configuration and change it to implicit deny.

Finally, test the configuration by deploying the pod having the image tag as latest.

AExplanation:
ssh-add ~/.ssh/tempprivate
eval '$(ssh-agent -s)'
cd contrib/terraform/aws
vi terraform.tfvars
terraform init
terraform apply -var-file=credentials.tfvars
ansible-playbook -i ./inventory/hosts ./cluster.yml -e ansible_ssh_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache -e ansible_user=core

Reveal Solution

Correct Answer: A

Question #3

Context

A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

Task

Given an existing Pod named web-pod running in the namespace security.

Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.

Create a new Role named role-2 in the namespace security, which only allows performing update

operations, only on resources of type namespaces.

Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.

AExplanation:

Reveal Solution

Correct Answer: A

Question #4

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against theAPI server:-

a. Ensure the --authorization-mode argument includes RBAC

b. Ensure the --authorization-mode argument includes Node

c. Ensure that the --profiling argument is set to false

Fix all of the following violations that were found against theKubelet:-

a. Ensure the --anonymous-auth argument is set to false.

b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against theETCD:-

a. Ensure that the --auto-tls argument is not set to true

Hint: Take the use of Tool Kube-Bench

AExplanation:
API server:
Ensure the --authorization-mode argument includes RBAC
Turn on Role Based Access Control.
Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. It is recommended to use the RBAC authorization mode.
Fix - Buildtime
Kubernetes
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver
+ - --authorization-mode=RBAC,Node
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 15
timeoutSeconds: 15
name: kube-apiserver-should-pass
resources:
requests:
cpu: 250m
volumeMounts:
- mountPath: /etc/kubernetes/
name: k8s
readOnly: true
- mountPath: /etc/ssl/certs
name: certs
- mountPath: /etc/pki
name: pki
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes
name: k8s
- hostPath:
path: /etc/ssl/certs
name: certs
- hostPath:
path: /etc/pki
name: pki
Ensure the --authorization-mode argument includes Node
Remediation:Edit the API server pod specification file/etc/kubernetes/manifests/kube-apiserver.yamlon the master node and set the--authorization-modeparameter to a value that includesNode.
--authorization-mode=Node,RBAC
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'Node,RBAC' has 'Node'
Ensure that the --profiling argument is set to false
Remediation:Edit the API server pod specification file/etc/kubernetes/manifests/kube-apiserver.yamlon the master node and set the below parameter.
--profiling=false
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'false' is equal to 'false'
Fix all of the following violations that were found against theKubelet:-
Ensure the --anonymous-auth argument is set to false.
Remediation:If using a Kubelet config file, edit the file to set authentication:anonymous: enabled tofalse. If using executable arguments, edit the kubelet service file/etc/systemd/system/kubelet.service.d/10-kubeadm.confon each worker node and set the below parameter inKUBELET_SYSTEM_PODS_ARGSvariable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Audit:
/bin/ps -fC kubelet
Audit Config:
/bin/cat /var/lib/kubelet/config.yaml
Expected result:
'false' is equal to 'false'
2) Ensure that the --authorization-mode argument is set to Webhook.
Audit
docker inspect kubelet | jq -e '.[0].Args[] | match('--authorization-mode=Webhook').string'
Returned Value:--authorization-mode=Webhook
Fix all of the following violations that were found against theETCD:-
a. Ensure that the --auto-tls argument is not set to true
Do not use self-signed certificates for TLS. etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.
Fix - Buildtime
Kubernetes
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
+ - etcd
+ - --auto-tls=true
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -ec
- ETCDCTL_API=3 etcdctl --endpoints=https://[192.168.22.9]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
--cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key
get foo
failureThreshold: 8
initialDelaySeconds: 15
timeoutSeconds: 15
name: etcd-should-fail
resources: {}
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/etcd
type: DirectoryOrCreate
name: etcd-certs
status: {}

Reveal Solution

Correct Answer: A