Linux Foundation CKS Free Sample Exam Questions 2026

Here you can get the actual Linux Foundation CKS exam questions and answers in PDF for free and for all questions premium file. These best Certified Kubernetes Security Specialist Exam CKS PDF questions are for every Linux Foundation users. Real CKS exam dumps that will assist you to crack the %certification% certification exam in the PDF format. For Advance preparation premium PDF files available for perfect exam preparation on reilable price option.

UNLOCK FULL
CKS Exam Features

In Just $35 You can Access

• All Official Question Types
• Interactive Web-Based Practice Test Software
• No Installation or 3rd Party Software Required
• Customize your practice sessions (Free Demo)
• 24/7 Customer Support

Get Full Access

Page: 1 / 10
Total Questions: 48

Questions & Answers PDF

• Question 1

  

  Create a PSP that will prevent the creation of privileged pods in the namespace.Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.Create a new ServiceAccount named psp-sa in the namespace default.Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

  • A . Explanation:
    Create a PSP that will prevent the creation of privileged pods in the namespace.
    $ cat clusterrole-use-privileged.yaml
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: use-privileged-psp
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - default-psp
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
    name: privileged-role-bind
    namespace: psp-test
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: use-privileged-psp
    subjects:
    - kind: ServiceAccount
    name: privileged-sa
    $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
    After a few moments, the privileged Pod should be created.
    Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: example
    spec:
    privileged: false # Don't allow privileged pods!
    # The rest fills in some required fields.
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: RunAsAny
    fsGroup:
    rule: RunAsAny
    volumes:
    - '*'
    And create it with kubectl:
    kubectl-admin create -f example-psp.yaml
    Now, as the unprivileged user, try to create a simple pod:
    kubectl-user create -f- <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
    name: pause
    spec:
    containers:
    - name: pause
    image: k8s.gcr.io/pause
    EOF
    The output is similar to this:
    Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
    Create a new ServiceAccount named psp-sa in the namespace default.
    $ cat clusterrole-use-privileged.yaml
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: use-privileged-psp
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - default-psp
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
    name: privileged-role-bind
    namespace: psp-test
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: use-privileged-psp
    subjects:
    - kind: ServiceAccount
    name: privileged-sa
    $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
    After a few moments, the privileged Pod should be created.
    Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: example
    spec:
    privileged: false # Don't allow privileged pods!
    # The rest fills in some required fields.
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: RunAsAny
    fsGroup:
    rule: RunAsAny
    volumes:
    - '*'
    And create it with kubectl:
    kubectl-admin create -f example-psp.yaml
    Now, as the unprivileged user, try to create a simple pod:
    kubectl-user create -f- <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
    name: pause
    spec:
    containers:
    - name: pause
    image: k8s.gcr.io/pause
    EOF
    The output is similar to this:
    Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
    Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
    apiVersion: rbac.authorization.k8s.io/v1
    # This role binding allows 'jane' to read pods in the 'default' namespace.
    # You need to already have a Role named 'pod-reader' in that namespace.
    kind: RoleBinding
    metadata:
    name: read-pods
    namespace: default
    subjects:
    # You can specify more than one 'subject'
    - kind: User
    name: jane # 'name' is case sensitive
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    # 'roleRef' specifies the binding to a Role / ClusterRole
    kind: Role #this must be Role or ClusterRole
    name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
    apiGroup: rbac.authorization.k8s.io
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
    namespace: default
    name: pod-reader
    rules:
    - apiGroups: [''] # '' indicates the core API group
    resources: ['pods']
    verbs: ['get', 'watch', 'list']
    

  Reveal Answer Answer: A Next Question

• Question 2

  

  You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

  • A . Explanation:
    Create psp to disallow privileged container
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: deny-access-role
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - ''deny-policy''
    k create sa psp-denial-sa -n development
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
    name: restrict-access-bing
    roleRef:
    kind: ClusterRole
    name: deny-access-role
    apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: ServiceAccount
    name: psp-denial-sa
    namespace: development
    Explanation
    master1 $ vim psp.yaml
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: deny-policy
    spec:
    privileged: false # Don't allow privileged pods!
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: RunAsAny
    fsGroup:
    rule: RunAsAny
    volumes:
    - '*'
    master1 $ vim cr1.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: deny-access-role
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - ''deny-policy''
    master1 $k create sa psp-denial-sa -n development
    
    master1 $ vim cb1.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
    name: restrict-access-bing
    roleRef:
    kind: ClusterRole
    name: deny-access-role
    apiGroup: rbac.authorization.k8s.io
    subjects:
    # Authorize specific service accounts:
    - kind: ServiceAccount
    name: psp-denial-sa
    namespace: development
    master1 $k apply -f psp.yaml
    master1 $k apply -f cr1.yaml
    master1 $k apply -f cb1.yaml
    
    Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/
    

  Reveal Answer Answer: A Next Question

• Question 3

  

  Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that1. logs are stored at /var/log/kubernetes-logs.txt.2. Log files are retained for 12 days.3. at maximum, a number of 8 old audit logs files are retained.4. set the maximum size before getting rotated to 200MBEdit and extend the basic policy to log:1. namespaces changes at RequestResponse2. Log the request body of secrets changes in the namespace kube-system.3. Log all other resources in core and extensions at the Request level.4. Log 'pods/portforward', 'services/proxy' at Metadata level.5. Omit the Stage RequestReceivedAll other requests at the Metadata level

  • A . Explanation:
    Kubernetes auditing provides a security-relevant chronological set of records about a cluster. Kube-apiserver performs auditing. Each request on each stage of its execution generates an event, which is then pre-processed according to a certain policy and written to a backend. The policy determines what's recorded and the backends persist the records.
    You might want to configure the audit log as part of compliance with the CIS (Center for Internet Security) Kubernetes Benchmark controls.
    The audit log can be enabled by default using the following configuration incluster.yml:
    services:
    kube-api:
    audit_log:
    enabled: true
    When the audit log is enabled, you should be able to see the default values at/etc/kubernetes/audit-policy.yaml
    The log backend writes audit events to a file inJSONlinesformat. You can configure the log audit backend using the followingkube-apiserverflags:
    --audit-log-pathspecifies the log file path that log backend uses to write audit events. Not specifying this flag disables log backend.-means standard out
    --audit-log-maxagedefined the maximum number of days to retain old audit log files
    --audit-log-maxbackupdefines the maximum number of audit log files to retain
    --audit-log-maxsizedefines the maximum size in megabytes of the audit log file before it gets rotated
    If your cluster's control plane runs the kube-apiserver as a Pod, remember to mount thehostPathto the location of the policy file and log file, so that audit records are persisted. For example:
    --audit-policy-file=/etc/kubernetes/audit-policy.yaml \
    --audit-log-path=/var/log/audit.log
    

  Reveal Answer Answer: A Next Question

• Question 4

  

  Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.kubesec-test.yamlapiVersion: v1kind: Podmetadata:name: kubesec-demospec:containers:- name: kubesec-demoimage: gcr.io/google-samples/node-hello:1.0securityContext:readOnlyRootFilesystem: trueHint:docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

  • A . Explanation:
    kubesec scan k8s-deployment.yaml
    cat <<EOF > kubesec-test.yaml
    apiVersion: v1
    kind: Pod
    metadata:
    name: kubesec-demo
    spec:
    containers:
    - name: kubesec-demo
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
    readOnlyRootFilesystem: true
    EOF
    kubesec scan kubesec-test.yaml
    docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
    kubesec http 8080 &
    [1] 12345
    {'severity':'info','timestamp':'2019-05-12T11:58:34.662+0100','caller':'server/server.go:69','message':'Starting HTTP server on port 8080'}
    curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan
    [
    {
    'object': 'Pod/security-context-demo.default',
    'valid': true,
    'message': 'Failed with a score of -30 points',
    'score': -30,
    'scoring': {
    'critical': [
    {
    'selector': 'containers[] .securityContext .capabilities .add == SYS_ADMIN',
    'reason': 'CAP_SYS_ADMIN is the most privileged capability and should always be avoided'
    },
    {
    'selector': 'containers[] .securityContext .runAsNonRoot == true',
    'reason': 'Force the running image to run as a non-root user to ensure least privilege'
    },
    // ...
    

  Reveal Answer Answer: A Next Question

• Question 5

  

  a. Retrieve the content of the existing secret nameddefault-token-xxxxxin the testing namespace.Store the value of the token in the token.txtb. Create a new secret named test-db-secret in the DB namespace with the following content:username:mysqlpassword:password@123Create the Pod name test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials

  • A . Explanation:
    To add a Kubernetes cluster to your project, group, or instance:
    Navigate to your:
    Project'sOperations > Kubernetespage, for a project-level cluster.
    Group'sKubernetespage, for a group-level cluster.
    Admin Area >Kubernetespage, for an instance-level cluster.
    ClickAdd Kubernetes cluster.
    Click theAdd existing clustertab and fill in the details:
    Kubernetes cluster name(required) - The name you wish to give the cluster.
    Environment scope(required) - Theassociated environmentto this cluster.
    API URL(required) - It's the URL that GitLab uses to access the Kubernetes API. Kubernetes exposes several APIs, we want the ''base'' URL that is common to all of them. For example,https://kubernetes.example.comrather thanhttps://kubernetes.example.com/api/v1.
    Get the API URL by running this command:
    kubectl cluster-info | grep -E 'Kubernetes master|Kubernetes control plane' | awk '/http/ {print $NF}'
    CA certificate(required) - A valid Kubernetes certificate is needed to authenticate to the cluster. We use the certificate created by default.
    List the secrets withkubectl get secrets, and one should be named similar todefault-token-xxxxx. Copy that token name for use below.
    Get the certificate by running this command:
    kubectl get secret <secret name> -o jsonpath='{['data']['ca\.crt']}'
    

  Reveal Answer Answer: A Next Question

• Question 6

  

  Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

  • A . Explanation:
    Install the Runtime Class for gVisor
    { # Step 1: Install a RuntimeClass
    cat <<EOF | kubectl apply -f -
    apiVersion: node.k8s.io/v1beta1
    kind: RuntimeClass
    metadata:
    name: gvisor
    handler: runsc
    EOF
    }
    Create a Pod with the gVisor Runtime Class
    { # Step 2: Create a pod
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Pod
    metadata:
    name: nginx-gvisor
    spec:
    runtimeClassName: gvisor
    containers:
    - name: nginx
    image: nginx
    EOF
    }
    Verify that the Pod is running
    { # Step 3: Get the pod
    kubectl get pod nginx-gvisor -o wide
    }
    

  Reveal Answer Answer: A Next Question

• Question 7

  

  Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.Fix all of the following violations that were found against theAPI server:-a. Ensure that the RotateKubeletServerCertificate argument is set to true.b. Ensure that the admission control plugin PodSecurityPolicy is set.c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.Fix all of the following violations that were found against theKubelet:-a. Ensure the --anonymous-auth argument is set to false.b. Ensure that the --authorization-mode argument is set to Webhook.Fix all of the following violations that were found against theETCD:-a. Ensure that the --auto-tls argument is not set to trueb. Ensure that the --peer-auto-tls argument is not set to trueHint: Take the use of Tool Kube-Bench

  • A . Explanation:
    Fix all of the following violations that were found against theAPI server:-
    a. Ensure that the RotateKubeletServerCertificate argument is set to true.
    apiVersion: v1
    kind: Pod
    metadata:
    creationTimestamp: null
    labels:
    component: kubelet
    tier: control-plane
    name: kubelet
    namespace: kube-system
    spec:
    containers:
    - command:
    - kube-controller-manager
    + - --feature-gates=RotateKubeletServerCertificate=true
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    livenessProbe:
    failureThreshold: 8
    httpGet:
    host: 127.0.0.1
    path: /healthz
    port: 6443
    scheme: HTTPS
    initialDelaySeconds: 15
    timeoutSeconds: 15
    name: kubelet
    resources:
    requests:
    cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
    name: k8s
    readOnly: true
    - mountPath: /etc/ssl/certs
    name: certs
    - mountPath: /etc/pki
    name: pki
    hostNetwork: true
    volumes:
    - hostPath:
    path: /etc/kubernetes
    name: k8s
    - hostPath:
    path: /etc/ssl/certs
    name: certs
    - hostPath:
    path: /etc/pki
    name: pki
    b. Ensure that the admission control plugin PodSecurityPolicy is set.
    audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
    tests:
    test_items:
    - flag: '--enable-admission-plugins'
    compare:
    op: has
    value: 'PodSecurityPolicy'
    set: true
    remediation: |
    Follow the documentation and create Pod Security Policy objects as per your environment.
    Then, edit the API server pod specification file $apiserverconf
    on the master node and set the --enable-admission-plugins parameter to a
    value that includes PodSecurityPolicy :
    --enable-admission-plugins=...,PodSecurityPolicy,...
    Then restart the API Server.
    scored: true
    c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
    audit: '/bin/ps -ef | grep $apiserverbin | grep -v grep'
    tests:
    test_items:
    - flag: '--kubelet-certificate-authority'
    set: true
    remediation: |
    Follow the Kubernetes documentation and setup the TLS connection between the
    apiserver and kubelets. Then, edit the API server pod specification file
    $apiserverconf on the master node and set the --kubelet-certificate-authority
    parameter to the path to the cert file for the certificate authority.
    --kubelet-certificate-authority=<ca-string>
    scored: true
    Fix all of the following violations that were found against theETCD:-
    a. Ensure that the --auto-tls argument is not set to true
    Edit the etcd pod specification file $etcdconf on the master
    node and either remove the --auto-tls parameter or set it to false.
    --auto-tls=false
    b. Ensure that the --peer-auto-tls argument is not set to true
    Edit the etcd pod specification file $etcdconf on the master
    node and either remove the --peer-auto-tls parameter or set it to false.
    --peer-auto-tls=false
    

  Reveal Answer Answer: A Next Question

• Question 8

  

  use the Trivy to scan the following images,1. amazonlinux:12. k8s.gcr.io/kube-controller-manager:v1.18.6Look for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in /opt/trivy-vulnerable.txt

  • Send us your suggestion on it.
  • Send us your suggestion

  Reveal Answer Answer: A Next Question

• Question 9

  

  Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic

  • A . Explanation:
    You can create a 'default' isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods.
    ---
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: default-deny-ingress
    spec:
    podSelector: {}
    policyTypes:
    - Ingress
    You can create a 'default' egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods.
    ---
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: allow-all-egress
    spec:
    podSelector: {}
    egress:
    - {}
    policyTypes:
    - Egress
    Default deny all ingress and all egress traffic
    You can create a 'default' policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace.
    ---
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: default-deny-all
    spec:
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
    This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.
    

  Reveal Answer Answer: A Next Question

• Question 10

  

  Service is running on port 389 inside the system, find the process-id of the process, and stores the names of all the open-files inside the /candidate/KH77539/files.txt, and also delete the binary.

  • A . Explanation:
    root# netstat -ltnup
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 127.0.0.1:17600 0.0.0.0:* LISTEN 1293/dropbox
    tcp 0 0 127.0.0.1:17603 0.0.0.0:* LISTEN 1293/dropbox
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd
    tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN 900/perl
    tcp 0 0 :::80 :::* LISTEN 9583/docker-proxy
    tcp 0 0 :::443 :::* LISTEN 9571/docker-proxy
    udp 0 0 0.0.0.0:68 0.0.0.0:* 8822/dhcpcd
    ...
    root# netstat -ltnup | grep ':22'
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd
    Thesscommand is the replacement of thenetstatcommand.
    Now let's see how to use thesscommand to see which process is listening on port 22:
    root# ss -ltnup 'sport = :22'
    Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
    tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:('sshd',pid=575,fd=3))
    

  Reveal Answer Answer: A Next Question

Page: 1 / 10
Total Questions: 48

Previous Page Next Page