Free Preparation Discussions
MENU
Linux Foundation Certified Kubernetes Security Specialist Exam Questions
- Topic 1: Cluster Setup: This topic assesses skills of Kubernetes practitioners in configuring secure Kubernetes clusters. It covers network security policies, CIS benchmarks, ingress security, node metadata protection, minimizing GUI access, and verifying platform binaries. Proficiency in these areas ensures a secure foundation for Kubernetes deployments.
- Topic 2: Cluster Hardening: Cluster hardening focuses on securing Kubernetes API access, utilizing Role-Based Access Controls, managing service accounts, and keeping Kubernetes updated. This topic of the CKS exam measures the ability of Kubernetes practitioner to enhance cluster security by reducing exposure and managing permissions effectively.
- Topic 3: System Hardening: It involves minimizing the host OS footprint, managing IAM roles, limiting network access, and using kernel hardening tools like AppArmor and seccomp. The topic tests the skills of Kubernetes practitioners that are required to secure the underlying OS and its interactions with Kubernetes.
- Topic 4: Minimize Microservice Vulnerabilities: This topic of the Linux Foundation Kubernetes Security Specialist exam evaluates techniques to secure microservices, including OS-level security domains, managing Kubernetes secrets, using container runtime sandboxes, and implementing pod-to-pod encryption. It measures the ability to safeguard against vulnerabilities within a multi-tenant environment.
- Topic 5: Supply Chain Security: Supply chain security addresses securing base images, whitelisting registries, signing images, performing static analysis, and scanning for vulnerabilities. The CKA exam assesses skills of Kubernetes practitioners in protecting the entire supply chain of containerized applications from creation to deployment.
- Topic 6: Monitoring, Logging, and Runtime Security: This area of the Certified Kubernetes Security Specialist exam focuses on behavioral analytics, threat detection across infrastructure, and ensuring container immutability. Proficiency of the Kubernetes practitioner here demonstrates the ability to maintain security and investigate incidents effectively.
Free Linux Foundation Certified Kubernetes Security Specialist Exam Actual Questions
Note: Premium Questions for Certified Kubernetes Security Specialist were last updated On Nov. 03, 2024 (see below)
Context
A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task
Create a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.
Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.
Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.
Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp-restrict-sa.
Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.
Fix all of the following violations that were found against theAPI server:-
a. Ensure that the RotateKubeletServerCertificate argument is set to true.
b. Ensure that the admission control plugin PodSecurityPolicy is set.
c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
Fix all of the following violations that were found against theKubelet:-
a. Ensure the --anonymous-auth argument is set to false.
b. Ensure that the --authorization-mode argument is set to Webhook.
Fix all of the following violations that were found against theETCD:-
a. Ensure that the --auto-tls argument is not set to true
b. Ensure that the --peer-auto-tls argument is not set to true
Hint: Take the use of Tool Kube-Bench
You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa
You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context dev A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.
Task: Create a new default-deny NetworkPolicy nameddeny-networkin the namespacetestfor all traffic of type Ingress + Egress
The new NetworkPolicy must deny all Ingress + Egress traffic in the namespacetest.
Apply the newly createddefault-denyNetworkPolicy to all Pods running in namespacetest.
You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml
Context: Cluster:gvisor Master node:master1 Worker node:worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $kubectl config use-context gvisor
Context:This cluster has been prepared to support runtime handler, runsc as well as traditional one.
Task: Create a RuntimeClass namednot-trustedusing the prepared runtime handler namesrunsc. Update all Pods in the namespace server to run onnewruntime.
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Janet
19 hours agoMa
9 days agoCamellia
22 days agoTarra
24 days agoGlynda
1 months agoHassie
1 months agoJesus
1 months agoJulene
2 months agoLoren
2 months agoBillye
2 months agoNadine
4 months ago