CKS Linux Foundation Certified Kubernetes Security Specialist (CKS) exact Exam Questions

Certified Kubernetes Security Specialist (CKS)

Last Update 8 hours ago Total Questions : 64

The Certified Kubernetes Security Specialist (CKS) content is now fully updated, with all current exam questions added 8 hours ago. Deciding to include CKS practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our CKS exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these CKS sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any Certified Kubernetes Security Specialist (CKS) practice test comfortably within the allotted time.

Question # 11

You must connect to the correct host . Failure to do so may

result in a zero score.

[candidato@base] $ ssh cks000023

Task

Analyze and edit the Dockerfile located at /home/candidate/subtle-bee/build/Dockerfile, fixing one instruction present in the file that is a prominent security/best-practice issue.

Do not add or remove instructions; only modify the one existing instruction with a security/best-practice concern.

Do not build the Dockerfile, Failure to do so may result in running out of storage and a zero score.

Analyze and edit the given manifest file /home/candidate/subtle-bee/deployment.yaml, fixing one fields present in the file that are a prominent security/best-practice issue.

Do not add or remove fields; only modify the one existing field with a security/best-practice concern.

Should you need an unprivileged user for any of the tasks, use user nobody with user ID 65535.

Answer:

See the Explanation below for complete solution.

Explanation:

0) Connect to the correct host

ssh cks000023

sudo -i

PART A — Fix ONE prominent Dockerfile security/best-practice issue

1) Open the Dockerfile

vi /home/candidate/subtle-bee/build/Dockerfile

2) Find the “most obvious” security/best-practice problem and modify ONLY THAT ONE instruction

Use / search in vi to quickly find candidates:

Candidate 1 (very common): USER root (or no USER but a USER 0)

Search:

/USER

If you see:

USER root

Change that single instruction to:

USER 65535

(or USER nobody if that exact word is already used in the file— but the task explicitly allows UID 65535 , so USER 65535 is safest.)

✅ This is one-instruction change and is a top-tier best practice.

Candidate 2 (very common): FROM <</b> image > :latest

Search:

/FROM

If you see something like:

FROM nginx:latest

Change ONLY that line to a pinned tag (example):

FROM nginx:1.25.5

(Any non-latest pinned version is the point. Don’t add a digest line; just modify the existing FROM line.)

Candidate 3: ADD http://... (remote URL download)

Search:

/ADD

If you see remote URL usage like:

ADD https://example.com/app.tar.gz /app/

Change that single instruction to COPY only if it’s copying local files .

If it’s a remote URL, the more “correct” fix would normally be using curl with verification, but that would require adding instructions (not allowed).

So in this exam constraint, do NOT pick this unless it’s actually a local add like:

ADD . /app

Then change just the word:

COPY . /app

3) Save and exit

⚠️ Don’t run docker build (task forbids building).

PART B — Fix ONE prominent security/best-practice issue in the Deployment manifest

4) Open the manifest

vi /home/candidate/subtle-bee/deployment.yaml

5) Change ONLY ONE existing field that is a clear security issue

Use / search in vi for the usual “bad fields”:

Option 1 (most common): running as root

Search:

/runAsUser

If you see:

runAsUser: 0

Change that one existing field value to:

runAsUser: 65535

✅ This is a single-field change and matches the prompt hint.

Option 2: privileged container

Search:

/privileged

If you see:

privileged: true

Change only that value to:

privileged: false

Option 3: allow privilege escalation

Search:

/allowPrivilegeEscalation

If you see:

allowPrivilegeEscalation: true

Change only that value to:

allowPrivilegeEscalation: false

Option 4: writable root filesystem

Search:

/readOnlyRootFilesystem

If you see:

readOnlyRootFilesystem: false

Change only that value to:

readOnlyRootFilesystem: true

Option 5: image uses :latest

Search:

/image:

If you see:

image: something:latest

Change only that value to a pinned tag, e.g.:

image: something:1.2.3

6) Save and exit

What to pick (fast decision rule)

If you see run as root in either file, that’s usually the highest scoring / most “prominent” security issue.

Dockerfile: USER root → USER 65535

Deployment: runAsUser: 0 → runAsUser: 65535

Those are perfect because you only modify one line/field and it matches the hint.

Question # 12

Cluster: qa-cluster
Master node: master Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context qa-cluster
Task:
Create a NetworkPolicy named restricted-policy to restrict access to Pod product running in namespace dev.
Only allow the following Pods to connect to Pod products-service:
1. Pods in the namespace qa
2. Pods with label environment: stage, in any namespace

Answer:

Answer:
See the Explanation below.

Explanation:

[Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/, , ]

Question # 13

Context
AppArmor is enabled on the cluster ' s worker node. An AppArmor profile is prepared, but not enforced yet.
Task
On the cluster ' s worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor.
Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile.
Finally, apply the manifest file and create the Pod specified in it.

Answer:

Answer:
See the explanation below

Explanation:

[Reference: https://kubernetes.io/docs/tutorials/clusters/apparmor/, , ]

Question # 14

You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context test-account
Task: Enable audit logs in the cluster.
To do so, enable the log backend, and ensure that:
1. logs are stored at   /var/log/Kubernetes/logs.txt
2. log files are retained for 5 days
3. at maximum, a number of 10 old audit log files are retained
A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml . It only specifies what not to log.
Note: The base policy is located on the cluster ' s master node.
Edit and extend the basic policy to log:
1.   Nodes changes at RequestResponse level
2. The request body of persistentvolumes changes in the namespace frontend
3. ConfigMap and Secret changes in all namespaces at the Metadata level
Also, add a catch-all rule to log all other requests at the Metadata level
Note: Don ' t forget to apply the modified policy.

Answer:

Answer:
See the explanation below

Explanation:

$ vim /etc/kubernetes/log-policy/audit-policy.yaml
- level: RequestResponse
userGroups: [ " system:nodes " ]
- level: Request
resources:
- group : " " # core API group
resources: [ " persistentvolumes " ]
namespaces: [ " frontend " ]
- level: Metadata
resources:
- group : " "
resources: [ " configmaps " , " secrets " ]
- level: Metadata
$ vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add these
- --audit-policy-file= /etc/ kubernetes/log-policy/audit-policy.yaml
- --audit-log-path= /var/ log/kubernetes/logs.txt
- --audit-log-maxage=5
- --audit-log-maxbackup=10
Explanation [desk@cli] $ ssh master1
[master1@cli] $ vim /etc/kubernetes/log-policy/audit-policy.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don ' t generate audit events for all requests in RequestReceived stage.
omitStages:
- " RequestReceived "
rules:
# Don ' t log watch requests by the " system:kube-proxy " on endpoints or services
- level: None
users: [ " system:kube-proxy " ]
verbs: [ " watch " ]
resources:
- group: " " # core API group
resources: [ " endpoints " , " services " ]
# Don ' t log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: [ " system:authenticated " ]
nonResourceURLs:
- " /api* " # Wildcard matching.
- " /version "
# Add your changes below
- level: RequestResponse
userGroups: [ " system:nodes " ] # Block for nodes
- level: Request
resources:
- group: " " # core API group
resources: [ " persistentvolumes " ] # Block for persistentvolumes
namespaces: [ " frontend " ] # Block for persistentvolumes of frontend ns
- level: Metadata
resources:
- group: " " # core API group
resources: [ " configmaps " , " secrets " ] # Block for configmaps & secrets
- level: Metadata # Block for everything else
[master1@cli] $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.0.5:6443
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=10.0.0.5
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --audit-policy-file=/etc/kubernetes/log-policy/audit-policy.yaml #Add this
- --audit-log-path=/var/log/kubernetes/logs.txt #Add this
- --audit-log-maxage=5 #Add this
- --audit-log-maxbackup=10 #Add this
output truncated
Note: log volume & policy volume is already mounted in vim /etc/kubernetes/manifests/kube-apiserver.yaml so no need to mount it.
[Reference: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/, ]

Question # 15

You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context stage
Context:
A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task:
1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods.
2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy.
3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development.
Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

Answer:

Answer:
See the explanation below

Explanation:

Create psp to disallow privileged container
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: [ ' policy ' ]
resources: [ ' podsecuritypolicies ' ]
verbs:    [ ' use ' ]
resourceNames:
- “deny-policy”
k create sa psp-denial-sa -n development
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: psp-denial-sa
namespace : development
Explanation master1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: deny-policy
spec:
privileged: false # Don ' t allow privileged pods!
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- ' * '
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: [ ' policy ' ]
resources: [ ' podsecuritypolicies ' ]
verbs:    [ ' use ' ]
resourceNames:
- “deny-policy”
master1 $ k create sa psp-denial-sa -n development
master1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
name: psp-denial-sa
namespace: development
master1 $ k apply -f psp.yaml
master1 $ k apply -f cr1.yaml
master1 $ k apply -f cb1.yaml
[Reference: https://kubernetes.io/docs/concepts/policy/pod-security-policy/]

Question # 16

Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.
Create a Role name john-role to list secrets, pods in namespace john
Finally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.
To Verify: Use the kubectl auth CLI command to verify the permissions.

Answer:

Answer:
See the Explanation below.

Explanation:

se kubectl to create a CSR and approve it.
Get the list of CSRs:
kubectl get csr
Approve the CSR:
kubectl certificate approve myuser
Retrieve the certificate from the CSR:
kubectl get csr/myuser -o yaml
here are the role and role-binding to give john permission to create NEW_CRD resource:
kubectl apply -f roleBindingJohn.yaml --as=john
rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: john_crd
namespace: development-john
subjects:
- kind: User
name: john
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: crd-creation
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: crd-creation
rules:
- apiGroups: [ " kubernetes-client.io/v1 " ]
resources: [ " NEW_CRD " ]
verbs: [ " create, list, get " ]

Question # 17

You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context dev
Context:
A CIS Benchmark tool was run against the kubeadm created cluster and found multiple issues that must be addressed.
Task:
Fix all issues via configuration and restart the affected components to ensure the new settings take effect.
Fix all of the following violations that were found against the API server:
1.2.7 authorization-mode argument is not set to AlwaysAllow FAIL
1.2.8 authorization-mode argument includes Node FAIL
1.2.7 authorization-mode argument includes RBAC FAIL
Fix all of the following violations that were found against the Kubelet:
4.2.1 Ensure that the anonymous-auth argument is set to false FAIL
4.2.2 authorization-mode argument is not set to AlwaysAllow FAIL (Use Webhook autumn/authz where possible)
Fix all of the following violations that were found against etcd:
2.2 Ensure that the client-cert-auth argument is set to true

Answer:

Answer:
See the explanation below

Explanation:

worker1 $ vim /var/lib/kubelet/config.yaml
anonymous:
enabled: true #Delete this
enabled: false #Replace by this
authorization:
mode: AlwaysAllow #Delete this
mode: Webhook #Replace by this
worker1 $ systemctl restart kubelet. # To reload kubelet config
ssh to master1
master1 $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
- -- authorization-mode=Node,RBAC
master1 $ vim /etc/kubernetes/manifests/etcd.yaml
- --client-cert-auth=true
Explanation ssh to worker1
worker1 $ vim /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: true #Delete this
enabled: false #Replace by this
webhook:
cacheTTL: 0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: AlwaysAllow #Delete this
mode: Webhook #Replace by this
webhook:
cacheAuthorizedTTL: 0s
cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s
worker1 $ systemctl restart kubelet. # To reload kubelet config
ssh to master1
master1 $ vim /etc/kubernetes/manifests/kube-apiserver.yaml
master1 $ vim /etc/kubernetes/manifests/etcd.yaml
[Reference:kubelet parameters: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/kubeapi parameters: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/etcd parameters: https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/, , ]

Question # 18

Analyze and edit the given Dockerfile
FROM ubuntu:latest

RUN apt- get update -y

RUN apt-install nginx -y

COPY entrypoint.sh /

ENTRYPOINT [ " /entrypoint.sh " ]

USER ROOT
Fixing two instructions present in the file being prominent security best practice issues
Analyze and edit the deployment manifest file
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-2
spec:
securityContext:
runAsUser: 1000
containers:
- name: sec-ctx-demo-2
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsUser: 0
privileged: True
allowPrivilegeEscalation: false
Fixing two fields present in the file being prominent security best practice issues
Don ' t add or remove configuration settings; only modify the existing configuration settings
Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487

Answer:

Answer:
See the explanation below:

Explanation:

FROM debian:latest
MAINTAINER k@bogotobogo.com
# 1 - RUN
RUN apt-get update & & DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
RUN apt-get clean
# 2 - CMD
#CMD [ " htop " ]
#CMD [ " ls " , " -l " ]
# 3 - WORKDIR and ENV
WORKDIR /root
ENV DZ version1
$ docker image build -t bogodevops/demo .
Sending build context to Docker daemon 3.072kB
Step 1/7 : FROM debian:latest
--- > be2868bebaba
Step 2/7 : MAINTAINER k@bogotobogo.com
--- > Using cache
--- > e2eef476b3fd
Step 3/7 : RUN apt-get update & & DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
--- > Using cache
--- > 32fd044c1356
Step 4/7 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
--- > Using cache
--- > 0a5b514a209e
Step 5/7 : RUN apt-get clean
--- > Using cache
--- > 5d1578a47c17
Step 6/7 : WORKDIR /root
--- > Using cache
--- > 6b1c70e87675
Step 7/7 : ENV DZ version1
--- > Using cache
--- > cd195168c5c7
Successfully built cd195168c5c7
Successfully tagged bogodevops/demo:latest

Question # 19

Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt
Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.
Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod ' s ServiceAccount ( found in the Nginx pod running in namespace test-system).

Answer:

Answer:
See explanation below.

Go to page:
<< First

Prev

1

2

Next

Last >>

CKS PDF + Testing Engine

~~$149.97~~
$44.99

Last Update: Jun 24, 2026

64 Questions and Answers

Simulation: 64 Q&A's

View Packages

Related Linux Foundation Certification Exams

Linux Foundation PCA

Linux Foundation CNPA

Linux Foundation CGOA

Linux Foundation KCSA

Linux Foundation HFCP

Linux Foundation LFCA

Linux Foundation KCNA

Linux Foundation CKAD

Linux Foundation CKA

Linux Foundation LFCS

New Release

Applied-Probability-and-Statistics Exam Questions

CFE- Fraud-Schemes-and-Financial-Crimes Exam Questions

CFE- Fraud-Investigations-and-Legal-Issues Exam Questions

ISO-21502-Lead-Project-Manager Exam Questions

CVS Exam Questions

Workday-Procure-to-Pay Exam Questions

Workday-Adaptive-Planning Exam Questions

DevOps-Leader Exam Questions

AFP-Exam-1 Exam Questions

D-PE-OE-01 Exam Questions

DSPM- Deploy-and-Administer Exam Questions

NJ-Life-Producer Exam Questions

Copado-Extension-Builder Exam Questions

Category-Manager Exam Questions

Drupal-Site-Builder Exam Questions

Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Exact2Pass

Certified Kubernetes Security Specialist (CKS)

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

CKS PDF + Testing Engine

Related Linux Foundation Certification Exams

New Release

SubFooter