CKS (Certified Kubernetes Security Specialist) Complete Practice Exam

A) NIST SP 800-190 B) CIS Kubernetes Benchmark C) PCI DSS D) ISO 27001

Answer: B

Explanation: kube-bench automatically audits cluster component configurations against the CIS (Center for Internet Security) Kubernetes Benchmark. It checks master nodes, worker nodes, etcd, and the API server.

A) --etcd-encryption-key flag in /etc/kubernetes/manifests/kube-apiserver.yaml B) Write /etc/kubernetes/encryption-config.yaml and reference it with kube-apiserver's --encryption-provider-config C) --cipher-suites flag on etcd D) --encrypt-data flag on kubelet

Answer: B

Explanation: etcd at-rest encryption is enabled by writing an EncryptionConfiguration YAML and pointing kube-apiserver's --encryption-provider-config flag to it. You configure encryption providers (aescbc, aesgcm, secretbox, etc.) for specific resource types such as Secrets and ConfigMaps.

A) ConfigMap B) Secret (type: kubernetes.io/tls) C) PersistentVolume D) ServiceAccount token

Answer: B

Explanation: TLS certificates and private keys are stored in a Secret of type kubernetes.io/tls, with tls.crt for the certificate and tls.key for the private key, both base64-encoded. The Ingress resource references this Secret in its spec.tls section.

A) Block 169.254.169.254 with NetworkPolicy B) Set hostNetwork: true on the Pod C) Disable ServiceAccount automount D) Disallow hostPID in PSP

Answer: A

Explanation: AWS IMDSv1 allows unauthenticated access to 169.254.169.254 to steal IAM credentials. Block outbound egress to that IP with NetworkPolicy, or upgrade to IMDSv2 and set the hop limit to 1, preventing containers from reaching the metadata endpoint directly.

A) podSelector B) namespaceSelector C) ipBlock D) serviceSelector

Answer: B

Explanation: namespaceSelector matches namespaces by label, allowing traffic only from Pods in those namespaces. Combined with podSelector you can permit only specific Pods within a specific namespace.

A) Immediately restart the cluster B) Read the remediation section for that finding C) Create a new cluster D) Delete etcd backups

Answer: B

Explanation: Each kube-bench [FAIL] item includes a remediation section with specific commands or configuration changes to fix the issue. Always review it carefully before applying changes.

A) --anonymous-auth=false B) --disable-anonymous=true C) --allow-anonymous=false D) --auth-anonymous=disabled

Answer: A

Explanation: Setting --anonymous-auth=false on kube-apiserver prevents unauthenticated requests from being treated as the system:anonymous user, causing them to be rejected instead.

A) --peer-cert-file, --peer-key-file, --peer-trusted-ca-file B) --tls-cert-file, --tls-key-file C) --client-cert-auth, --trusted-ca-file D) --peer-auth=tls

Answer: A

Explanation: etcd peer TLS requires --peer-cert-file (peer certificate), --peer-key-file (peer private key), and --peer-trusted-ca-file (peer CA certificate). Adding --peer-client-cert-auth=true also enforces mutual peer authentication.

A) Event metadata only B) Request metadata and request body C) Metadata, request body, and response body D) Response body only

Answer: C

Explanation: The four audit levels are None, Metadata, Request, and RequestResponse. RequestResponse is the most verbose; it captures all of: event metadata, request body, and response body. This provides the most detail but also generates the most data and storage cost.

A) AlwaysAllow B) NodeRestriction and PodSecurityAdmission among others C) AlwaysDeny D) LimitRanger only

Answer: B

Explanation: CIS Benchmark recommends enabling security-hardening admission controllers: NodeRestriction (limits nodes to modifying only their own resources), PodSecurityAdmission (enforces PSS policies), ResourceQuota, LimitRanger, and others.

A) Set automountServiceAccountToken: false on the ServiceAccount B) Set serviceAccountName: none in the Pod spec C) Delete the serviceaccount resource with RBAC D) Delete the Secret

Answer: A

Explanation: Setting automountServiceAccountToken: false on the ServiceAccount or the Pod spec prevents automatic token mounting. The Pod-level setting overrides the ServiceAccount-level setting.

A) Bind cluster-admin ClusterRole to all ServiceAccounts B) Create custom Roles with only the required resources and verbs C) Disable RBAC and use ABAC instead D) Use wildcards (*) for all resources

Answer: B

Explanation: The Principle of Least Privilege requires granting only the minimum permissions necessary. Create custom Roles with specific namespaces, resources, and verbs, and bind them only to the subjects that need them.

A) --authentication-token-webhook=true, --authorization-mode=Webhook B) --anonymous-auth=true C) --read-only-port=10255 D) --allow-all-requests=true

Answer: A

Explanation: To harden kubelet: set --anonymous-auth=false to block anonymous access, --authentication-token-webhook=true to enable token webhook authentication, and --authorization-mode=Webhook so the API server handles authorization.

A) To add new features B) To apply CVE patches and security fixes C) To improve performance D) For kubectl version compatibility

Answer: B

Explanation: Kubernetes releases a minor version approximately every 4 months, with each version supported for about 14 months. Running outdated versions leaves known CVEs (Common Vulnerabilities and Exposures) unpatched, increasing security risk. CKS recommends staying on a supported version.

subjects:
  - kind: Group
    name: system:authenticated
roleRef:
  kind: ClusterRole
  name: cluster-admin

A) The subjects field is wrong B) It grants cluster-admin to every authenticated user C) The ClusterRoleBinding has no name D) The apiGroup is missing

Answer: B

Explanation: The system:authenticated group includes every authenticated user in the cluster. Binding cluster-admin to it gives maximum privileges to everyone who can authenticate. Similarly, granting permissions to system:unauthenticated is extremely dangerous.

A) Specify only the desired verbs in the rules' verbs field B) Use the resourceNames field C) Filter by namespace field D) Set level to None

Answer: A

Explanation: Use the verbs field in Audit Policy rules to log only specific HTTP verbs. For example, verbs: ["create", "update", "delete", "patch"] records only write operations in the audit log.

A) --read-only-port=0 B) --disable-readonly=true C) --secure-port=0 D) --port=0

Answer: A

Explanation: Setting --read-only-port=0 disables the unauthenticated HTTP read-only port (default 10255) on kubelet. This port exposes Pod information and metrics without authentication, so disabling it is a security best practice.

A) All Pods use the default ServiceAccount B) Create a dedicated ServiceAccount per application with only the required permissions C) Grant cluster-admin to all ServiceAccounts D) Use file-based access control instead of RBAC

Answer: B

Explanation: Create a dedicated ServiceAccount per workload and bind a Role that permits only the specific resources and verbs that application actually needs. Sharing the default ServiceAccount risks over-provisioning permissions.

A) Set to 8080 B) Set to 0 to disable it C) Change to 443 D) Add a TLS certificate

Answer: B

Explanation: Setting --insecure-port=0 disables the unauthenticated HTTP port. This flag is deprecated since Kubernetes 1.20 with a default of 0, but explicitly setting it to 0 is the CIS Benchmark recommendation.

A) Allows all users to access any node B) Restricts kubelets to accessing only resources needed by the Pods running on their node C) Encrypts inter-node network communication D) Controls OS-level access on nodes

Answer: B

Explanation: Node Authorization limits kubelet API server requests to only the resources (Secrets, ConfigMaps, PersistentVolumes, etc.) needed by Pods scheduled on that kubelet's node. Using --authorization-mode=Node,RBAC together is recommended.

A) Create CSR → approve → create CSR object → extract certificate B) Generate private key → create CSR file → create CSR object → approve → extract certificate C) Sign directly with CA → configure kubeconfig D) Use ServiceAccount token

Answer: B

Explanation: The correct order is: 1) Generate a private key with openssl, 2) Create a CSR file, 3) Base64-encode and create a CertificateSigningRequest object, 4) Approve with kubectl certificate approve, 5) Extract the certificate with kubectl get csr -o jsonpath='{.status.certificate}'.

A) Renewing cluster certificates B) Checking whether a specific user/ServiceAccount can perform a specific action C) Applying RBAC rules D) Reviewing audit logs

Answer: B

Explanation: Use it as kubectl auth can-i get pods --namespace default to verify whether the current user can perform an action. The --as flag lets you impersonate another user. This is invaluable for validating RBAC configurations.

A) security.alpha.kubernetes.io/apparmor: runtime/default B) container.apparmor.security.beta.kubernetes.io/CONTAINER_NAME: localhost/PROFILE_NAME C) apparmor.kubernetes.io/profile: enforced D) securityContext.appArmorProfile: localhost/custom

Answer: B

Explanation: Before Kubernetes 1.30, AppArmor was applied with the annotation container.apparmor.security.beta.kubernetes.io/containerName: localhost/profileName. From 1.30 onward use the securityContext.appArmorProfile field. The profile must be pre-loaded on the node.

A) Set only via Pod annotation B) securityContext.seccompProfile.type: RuntimeDefault C) Create a separate CRD D) Can only be set at the Node level

Answer: B

Explanation: Since Kubernetes 1.19, use the securityContext.seccompProfile field. type: RuntimeDefault uses the container runtime's default Seccomp profile; type: Localhost allows a custom profile.

A) NetworkPolicy B) RBAC C) AppArmor, Seccomp D) PodDisruptionBudget

Answer: C

Explanation: AppArmor enforces MAC (Mandatory Access Control) restricting which files, network, and capabilities a process can access. Seccomp restricts which system calls a process can invoke. Both operate at the OS level to limit container process behavior.

A) kubectl describe node B) ss -tlnp or netstat -tlnp C) docker ps D) journalctl -u kubelet

Answer: B

Explanation: ss -tlnp (socket statistics) or netstat -tlnp shows which TCP ports are listening on the node and the corresponding processes. Any unnecessary services found should be disabled or removed.

A) securityContext.privileged: false B) securityContext.capabilities.drop: ["ALL"] C) securityContext.runAsRoot: false D) securityContext.allowPrivilegeEscalation: false

Answer: B

Explanation: securityContext.capabilities.drop: ["ALL"] removes all Linux capabilities, then capabilities.add selectively re-adds only what is needed. Using this with allowPrivilegeEscalation: false provides strong hardening.

A) spec.runtimeClassName: gvisor B) spec.securityContext.runtime: gvisor C) Set via annotation D) Automatically selected by Node label

Answer: A

Explanation: First create a RuntimeClass object with handler: runsc, then reference it in the Pod spec's runtimeClassName field. gVisor implements a user-space kernel, sandboxing the container from the host kernel.

A) Grant all permissions to the node IAM role B) Store access key / secret key in a Secret C) Connect an IAM Role to a ServiceAccount via OIDC Provider and annotation D) Use only EC2 instance profiles

Answer: C

Explanation: IRSA (IAM Roles for Service Accounts) uses the EKS OIDC Provider to link Kubernetes ServiceAccounts with IAM Roles. Adding the eks.amazonaws.com/role-arn annotation to a ServiceAccount grants that IAM role only to Pods using that SA.

A) securityContext.immutable: true B) securityContext.readOnlyRootFilesystem: true C) securityContext.noWrite: true D) volumeMounts.readOnly: true

Answer: B

Explanation: securityContext.readOnlyRootFilesystem: true makes the container's root filesystem read-only, preventing attackers from creating malicious files or tampering with binaries. Paths that need write access should be mounted as emptyDir volumes.

A) securityContext.runAsUser: 0 B) securityContext.runAsNonRoot: true C) securityContext.privileged: false D) Control via RBAC

Answer: B

Explanation: securityContext.runAsNonRoot: true causes Kubernetes to reject the container if it tries to run as root (UID 0). Specifying runAsUser: 1000 (or another non-zero UID) is also a good practice.

A) Shared-kernel container isolation like standard containers B) Each container/Pod runs on a lightweight VM with its own independent kernel C) Only provides network isolation D) Seccomp profile-based isolation

Answer: B

Explanation: Kata Containers runs each container (or Pod) on a lightweight VM. Each workload has its own independent kernel, making kernel-exploit container escapes extremely difficult. Unlike gVisor, Kata uses a real Linux kernel.

A) No difference B) enforce rejects policy-violating Pods; warn allows them but shows a warning C) warn is stricter D) enforce applies retroactively to existing Pods

Answer: B

Explanation: Among PSA's three modes: enforce rejects Pods that violate the policy. warn returns a warning message but still creates the Pod. audit logs a violation but also allows the Pod.

A) They use the same policy language B) Both operate as Kubernetes admission webhooks to enforce policies C) They are runtime monitoring tools D) They manage network policies

Answer: B

Explanation: Both OPA Gatekeeper and Kyverno work as Kubernetes ValidatingAdmissionWebhooks; they inspect resources at creation/modification time and reject violations. Gatekeeper uses the Rego language; Kyverno uses YAML-based policies.

A) Performance improvement B) Bidirectional authentication and encryption of service-to-service communication C) Blocking external traffic D) Database encryption

Answer: B

Explanation: mTLS requires both client and server to authenticate each other with certificates. Setting PeerAuthentication to STRICT mTLS in Istio encrypts all service-to-service traffic and allows only authenticated services to communicate, preventing lateral movement attacks.

A) Enable etcd at-rest encryption B) Use Vault or Sealed Secrets C) Store Secrets in plaintext in a Git repository D) Restrict Secret access with RBAC

Answer: C

Explanation: Storing Secrets in plaintext in Git is extremely dangerous. Correct approaches include etcd encryption, Bitnami Sealed Secrets (encrypted SealedSecrets committed to Git), HashiCorp Vault (dynamic secret management), and AWS Secrets Manager integration.

A) runAsNonRoot: true B) seccompProfile.type: RuntimeDefault C) privileged: true D) capabilities.drop: ["ALL"]

Answer: C

Explanation: Restricted PSS is the strictest profile; it forbids privileged: true, hostNetwork, hostPID, hostIPC, adding certain capabilities, and requires runAsNonRoot. Only the Privileged PSS profile permits privileged: true.

A) Performance issues; replaced by RuntimeClass B) Complexity and privilege escalation risk; replaced by Pod Security Admission C) Insufficient features; replaced by OPA D) etcd compatibility issues

Answer: B

Explanation: PSP was deprecated in Kubernetes 1.21 and removed in 1.25. Using PSP required granting a use ClusterRole to services, which created privilege escalation vectors and was complex to configure. It was replaced by Pod Security Admission (PSA); OPA Gatekeeper and Kyverno are also commonly used.

A) gVisor B) Kata Containers C) Firecracker D) Calico

Answer: D

Explanation: gVisor, Kata Containers, and Firecracker are all sandboxing technologies that enhance container isolation. Calico is a CNI network plugin that implements network policies; it is not a sandboxing technology.

A) Automatic certificate renewal B) Service-to-service access control (defining who can make requests to whom) C) Traffic load balancing D) Container image scanning

Answer: B

Explanation: Istio AuthorizationPolicy implements L7-level access control within the service mesh. It defines which services/users may access specific services, paths, and methods. Combined with mTLS it enables Zero Trust networking.

A) Performance degradation B) Exposed in the process environment and readable via /proc/PID/environ, or accidentally logged C) Size limitation D) Type restriction

Answer: B

Explanation: Environment variables can be read through /proc/PID/environ and may be accidentally printed in application logs. Volume mount injection is safer; tools like Vault Agent Injector or the CSI Secret Store provider are recommended.

A) Use only a firewall B) Combination of mTLS + RBAC + NetworkPolicy + PSA C) Use only a VPN D) Physical network separation

Answer: B

Explanation: Zero Trust follows the principle "never trust, always verify." In Kubernetes this is achieved by combining mTLS (service-to-service authentication), RBAC (least privilege), NetworkPolicy (network micro-segmentation), and PSA (workload security standards).

A) trivy scan IMAGE_NAME B) trivy image IMAGE_NAME C) trivy check IMAGE_NAME D) trivy docker IMAGE_NAME

Answer: B

Explanation: Use trivy image nginx:latest. The trivy image subcommand scans OS packages and language-specific dependencies for CVEs. Use --severity HIGH,CRITICAL to filter by severity.

A) Automatically updates images to the latest version B) Queries an external webhook service about whether an image is allowed C) Automatically fixes image vulnerabilities D) Restricts image size

Answer: B

Explanation: ImagePolicyWebhook queries an external webhook service at Pod creation time to determine if an image is permitted. The webhook service can base its decision on scan results, signature verification, registry policies, and more.

A) cosign sign --key cosign.key IMAGE_DIGEST B) cosign create-signature IMAGE C) docker sign IMAGE D) kubectl sign image IMAGE

Answer: A

Explanation: Use cosign sign --key cosign.key IMAGE@sha256:DIGEST. Signatures are stored in the OCI registry as a separate tag. Verify with cosign verify --key cosign.pub IMAGE. A Kyverno policy can enforce that only signed images are admitted.

A) A list of software licenses B) A list of all components, libraries, and dependencies that make up a software artifact C) A software cost breakdown D) A software release plan

Answer: B

Explanation: An SBOM is an inventory of all open-source and proprietary components, versions, licenses, and vulnerability information in a software artifact. CycloneDX and SPDX are standard formats. SBOMs are essential for supply chain attack prevention and vulnerability tracking.

A) Smaller image size means faster builds B) Minimizes attack surface by removing shells, package managers, and other unnecessary tools C) Available for free D) Easy CI/CD pipeline integration

Answer: B

Explanation: Distroless images contain only the runtime needed to run the application, without a shell (/bin/sh), package manager, or utilities. Even if an attacker breaks into the container there are no tools to leverage, minimizing potential damage.

A) Add an RBAC rule B) The webhook service inspects the admission review request and returns a denial response C) Configure a NetworkPolicy D) Deploy a Pod deletion controller

Answer: B

Explanation: ValidatingWebhookConfiguration sends an AdmissionReview request to an external webhook service at resource create/update time. The service inspects the request and returns allowed: false with a message, which causes the Kubernetes API server to reject the resource.

A) The latest tag is deprecated B) No reproducibility — you cannot know which exact image version is running C) Wastes registry storage D) Slows down builds

Answer: B

Explanation: The latest tag is mutable; a different image can be pushed under the same tag at any time. This makes deployments non-reproducible, and an image with security vulnerabilities could be deployed as latest. Always use a SHA256 digest or a pinned version tag.

A) MutatePolicy B) ClusterPolicy with validate rule C) GeneratePolicy D) SyncPolicy

Answer: B

Explanation: A Kyverno ClusterPolicy with a validate rule can deny images whose tag is latest. The deny condition checks the image tag and returns a message on violation. A mutate rule can also automatically transform image references.

A) SolarWinds hack B) Distribution of a malicious npm package C) DDoS attack D) Dependency confusion attack

Answer: C

Explanation: Supply chain attacks exploit vulnerabilities in the software development and delivery pipeline (SolarWinds build server compromise, malicious npm/PyPI packages, dependency confusion where a public package shadows a private one). A DDoS attack targets availability, not the supply chain.

A) ServiceAccount B) imagePullSecret C) ConfigMap D) PersistentVolumeClaim

Answer: B

Explanation: Create a Secret of type docker-registry and reference it in the Pod spec's imagePullSecrets, or add it to the ServiceAccount's imagePullSecrets so all Pods using that SA authenticate automatically.

A) evt.type=connect and fd.type=ipv4 B) evt.type=execve and container.id!=host and proc.name in (sh, bash, zsh) C) evt.type=open and fd.name contains /etc/passwd D) evt.type=write and fd.name startswith /tmp

Answer: B

Explanation: In Falco, the execve event type signals a new process execution. container.id!=host scopes the rule to containers, and proc.name in (sh, bash, zsh) filters for shell processes. The built-in rule "Terminal shell in container" uses this exact pattern.

A) Remove the relevant rule from the audit policy B) Write a level: None rule for that resource/namespace/verb first, before other rules C) Delete the kube-system namespace D) Change the Secret type

Answer: B

Explanation: Audit Policy rules are evaluated in order, with the first matching rule applied. To skip logging certain requests with level: None, that rule must appear before any broader rule. For example, place a level: None rule for resources: secrets, namespaces: kube-system, verbs: get at the top of the policy file.

A) Delete immediately then redeploy B) Collect evidence (logs, forensics) → isolate Pod (NetworkPolicy) → assess scope of compromise → remediate and redeploy C) Restart the node D) Redeploy the entire cluster

Answer: B

Explanation: The correct incident response order is: 1) Preserve evidence (collect logs, memory dumps), 2) Isolate the Pod with a NetworkPolicy to prevent further lateral movement, 3) Determine the attack vector and scope, 4) Fix the vulnerability, build a new image, and redeploy. Deleting immediately destroys forensic evidence.