What is the primary role of Falco in a Kubernetes environment?

A) Scanning container images for vulnerabilities B) Monitoring system calls at runtime to detect and alert on abnormal activities C) Automatically generating network policies D) Limiting Pod resource usage

Answer: B

Falco is a runtime security tool that monitors Linux kernel system calls in real-time. It detects abnormal activities such as shell execution within containers, reading sensitive files, and network connections. It operates using eBPF or kernel modules.

What is the purpose of the condition field in Falco rules?

A) Defining the format of alert messages B) Defining filter expressions for system call events to determine which events match the rule C) Setting rule priority D) Specifying output channels

Answer: B

The condition uses Sysdig filter syntax to define event matching criteria. For example, container.id != host and proc.name = bash detects bash process execution within containers. Fields related to syscalls, processes, files, and networks can be combined.

What condition should be used in a Falco rule to detect shell (bash, sh) execution inside containers?

A) fd.name contains /bin/bash B) container.id != host and proc.name in (bash, sh, zsh) and evt.type = execve C) k8s.pod.name exists D) syscall.type = open

Answer: B

container.id != host filters for container environments, proc.name specifies shell processes, and evt.type = execve detects process execution events. This combination effectively detects interactive shell access within containers.

How do you check only HIGH/CRITICAL vulnerabilities in a container image using Trivy?

A) Just run trivy image IMAGE_NAME B) Filter by severity with trivy image --severity HIGH,CRITICAL IMAGE_NAME C) Use the trivy scan --level=high command D) Only docker scan is available

Answer: B

Using the --severity HIGH,CRITICAL flag shows only vulnerabilities of the specified severity. Adding --exit-code 1 can fail CI/CD pipelines when vulnerabilities are found. --ignore-unfixed shows only fixable vulnerabilities.

Both Trivy and Grype are image scanning tools. What are the main differences?

A) They are completely identical tools B) Trivy scans various targets including images, filesystems, Git repos, and IaC, while Grype specializes in image and SBOM-based vulnerability scanning C) Grype is a runtime security tool D) Trivy is a network scanning tool

Answer: B

Trivy, developed by Aqua Security, is a comprehensive security scanner supporting images, filesystems, IaC, and Secret scanning. Grype, developed by Anchore, focuses on image and SBOM-based vulnerability scanning. Both tools can be covered in the CKS exam.

What is the role of ConstraintTemplate in OPA Gatekeeper?

A) Directly creating Kubernetes resources B) Defining policy logic written in Rego language, enabling the creation of Constraint resources based on it C) Automatically generating NetworkPolicies D) Managing RBAC rules

Answer: B

ConstraintTemplate defines the policy schema and Rego logic. Creating Constraint resources based on it can restrict resource creation/modification under certain conditions. For example, prohibiting privileged containers or allowing only specific registries.

What is the correct description of the relationship between ConstraintTemplate and Constraint?

A) Constraint contains the policy logic B) ConstraintTemplate defines the policy logic (Rego), and Constraint is an instance of that template specifying concrete parameters and scope C) They are independent and unrelated D) Constraint only applies at the namespace level

Answer: B

ConstraintTemplate is a reusable policy template (containing Rego code), and Constraint is an instance of that template. In Constraint, the match field specifies targets (namespaces, resource kinds, etc.), and parameters set specific policy values.

What happens when a Gatekeeper Constraint is set to dry-run mode?

A) The policy is completely disabled B) Policy violations are detected and logged but resource creation/modification is not actually blocked C) The policy is strictly enforced D) It only applies to test namespaces

Answer: B

Setting enforcementAction to dryrun in a Constraint logs violations without blocking resources. This is useful for assessing impact before applying new policies to production. deny blocks resources, and warn only displays warnings.

Why reference container images by digest (sha256 hash) instead of tags?

A) Image download speed improves B) It prevents tag mutation where different images are pushed to the same tag, ensuring exactly the verified image is used C) Image size is reduced D) Registry authentication becomes unnecessary

Answer: B

Tags are mutable, so different images can be pushed to the same tag (tag mutation). Digests are hash values of image content, so the digest changes when content changes. This ensures that the exact signed image is used.

How do you restrict the cluster to only use images from a specific container registry (e.g., myregistry.io)?

A) Block registry access with NetworkPolicy B) Write a Rego policy in ConstraintTemplate that checks image name prefixes, and specify allowed registries in the Constraint C) Restrict registries in kubelet configuration D) Add annotations to Pods

Answer: B

Write Rego code in the ConstraintTemplate to check whether container image prefixes are in the allowed list. Specify the allowed registry list (e.g., myregistry.io) in the Constraint parameters, and Pod creation with images from other registries will be denied.

How do you apply an AppArmor profile to a container in Kubernetes?

A) Set it directly in the Pod's securityContext B) Specify the profile type and name in the container's securityContext.appArmorProfile field (Kubernetes 1.30+) C) Store the profile in a ConfigMap D) Configure it once for the entire cluster

Answer: B

In Kubernetes 1.30+, use the securityContext.appArmorProfile field. Specify the type (Localhost, RuntimeDefault, etc.), and for Localhost, specify the profile name in localhostProfile. The profile must be pre-loaded on the target node.

What is the primary role of Seccomp (Secure Computing Mode) profiles?

A) Filtering network traffic B) Restricting Linux system calls available to containers to reduce the attack surface C) Controlling filesystem access D) Limiting CPU usage

Answer: B

Seccomp restricts the system calls that container processes can make. The RuntimeDefault profile blocks generally unsafe system calls. Custom profiles can be created to allow only system calls needed by specific applications.

How do you apply the RuntimeDefault Seccomp profile to all containers in a Pod?

A) It must be configured on the Node B) Set type: RuntimeDefault in the Pod spec's securityContext.seccompProfile C) Deploy as a DaemonSet D) Configure in kube-proxy

Answer: B

Setting type: RuntimeDefault in the Pod-level securityContext.seccompProfile applies to all containers. Container-level settings are also possible and take precedence over Pod settings. Custom profiles with Localhost type are also supported.

What are the 3 security levels defined by Kubernetes Pod Security Standards?

A) Low, Medium, High B) Privileged, Baseline, Restricted C) Basic, Standard, Enterprise D) None, Default, Strict

Answer: B

Pod Security Standards has 3 levels: Privileged (unrestricted), Baseline (prevents known privilege escalations), and Restricted (hardened security best practices). Baseline prohibits hostNetwork, privileged containers, etc. Restricted additionally prohibits running as root, privilege escalation, etc.

How do you apply Restricted level Pod Security to a specific namespace?

A) Create a CRD B) Add the label pod-security.kubernetes.io/enforce: restricted to the namespace C) Only cluster-wide configuration is possible D) Add annotations to Pods

Answer: B

Setting the pod-security.kubernetes.io/enforce label on a namespace denies Pod creation that exceeds that level. Besides enforce, there are audit (audit log recording) and warn (warning display) modes. Version can also be specified (e.g., pod-security.kubernetes.io/enforce-version: v1.30).

What is the purpose of Kubernetes RuntimeClass?

A) Managing Pod network configuration B) Selecting container runtime handlers to specify various isolation levels like gVisor or Kata Containers per Pod C) Managing image registries D) Managing storage classes

Answer: B

RuntimeClass allows Pods to select their container runtime. For example, security-critical workloads can use gVisor or Kata Containers while regular workloads use runc, separating runtimes by workload requirements.

What is the difference in isolation approach between gVisor and Kata Containers?

A) Both work the same way B) gVisor emulates the Linux kernel in user space, while Kata Containers runs containers inside lightweight VMs C) gVisor uses VMs and Kata uses namespaces D) Both are eBPF-based

Answer: B

gVisor (runsc) is a user-space kernel written in Go that intercepts system calls and provides a limited kernel interface. Kata Containers runs each container in a lightweight VM providing hardware-level isolation. Both provide stronger isolation than runc but with overhead.

How do you configure a Pod to use the gVisor runtime?

A) Add labels to the node B) Create a RuntimeClass resource and specify that RuntimeClass name in the Pod spec's runtimeClassName field C) Only change kubelet configuration D) All Pods automatically use gVisor

Answer: B

First create a RuntimeClass resource specifying the handler (e.g., runsc). Then specify that RuntimeClass name in the Pod spec's runtimeClassName field to run containers with that runtime. The runtime must be installed on the node.

What are the main differences between AppArmor and SELinux?

A) Both work the same way B) AppArmor uses path-based access control, while SELinux uses label-based mandatory access control (MAC) C) SELinux is simpler D) AppArmor only controls networking

Answer: B

AppArmor controls process access based on file paths and is relatively easier to write profiles for. SELinux assigns security labels to all files, processes, and ports for label-based mandatory access control (MAC), offering more granular control but with greater complexity.

How do you exclude specific users or namespaces from Pod Security Admission policies?

A) Exclusion is not possible B) Specify usernames, runtimeClasses, and namespaces in the exemptions field of PodSecurityConfiguration C) The namespace must be deleted D) Only controllable through RBAC

Answer: B

In the PodSecurityConfiguration (AdmissionConfiguration file), the exemptions section can exclude specific users, RuntimeClasses, and namespaces from policy enforcement. This is used when system components or special workloads need to bypass security restrictions.

What is the purpose of the omitStages field in Kubernetes audit policy?

A) Excluding specific resources from logging B) Excluding specific request processing stages like RequestReceived from logging to reduce log volume C) Disabling audit logging D) Excluding specific users

Answer: B

omitStages can exclude specific stages (RequestReceived, ResponseStarted, ResponseComplete, Panic) from logging. For example, excluding RequestReceived omits logs at the request reception point, reducing log volume.

What types of backends are available for Kubernetes API server audit logs?

A) Only file backend is supported B) Log backend (file) and Webhook backend (external service) are supported C) Only database backend is supported D) Only syslog is supported

Answer: B

Kubernetes supports a Log backend (writing to file via --audit-log-path) and a Webhook backend (sending to external HTTP services via --audit-webhook-config-file). Both backends can be used simultaneously with separate policy configurations.

How do you set up automatic rotation of kubelet client certificates?

A) Only manual renewal is possible B) Set rotateCertificates to true in kubelet config and enable CSR auto-approval in controller-manager C) Manage certificates in etcd D) Certificates never expire

Answer: B

Setting rotateCertificates: true in kubelet automatically generates CSRs (Certificate Signing Requests) before certificate expiration. The kube-controller-manager's csrsigning controller auto-approves CSRs and issues new certificates. Setting serverTLSBootstrap also enables serving certificate auto-rotation.

How do you encrypt Secrets stored in etcd?

A) Base64 encoding Secrets provides encryption B) Create an EncryptionConfiguration file and specify it with the --encryption-provider-config flag on kube-apiserver C) etcd automatically encrypts D) Use ConfigMap instead of Secret

Answer: B

Define encryption providers (aescbc, aesgcm, secretbox, etc.) and keys in the EncryptionConfiguration file. Specifying it with --encryption-provider-config at kube-apiserver startup encrypts specified resources (like secrets) in etcd. Base64 is encoding, not encryption.

What benefits does using a KMS provider for Secrets encryption offer?

A) Simpler configuration B) Encryption keys are managed by external KMS, centralizing key management and enabling key rotation without API server restart C) Encryption performance decreases D) No additional infrastructure required

Answer: B

With KMS providers, DEKs (Data Encryption Keys) are generated locally, while KEKs (Key Encryption Keys) that encrypt DEKs are managed by external KMS (AWS KMS, GCP KMS, HashiCorp Vault, etc.). Key rotation does not require API server restart, and key management is centralized.

What is the CIS (Center for Internet Security) Kubernetes Benchmark?

A) A Kubernetes performance benchmark tool B) A best practice guideline for Kubernetes cluster security settings that inspects security configuration of control plane, nodes, and policies C) A network performance testing tool D) An image build guide

Answer: B

The CIS Benchmark is a guideline for checking security settings of Kubernetes components (API server, etcd, kubelet, scheduler, etc.). It can be automatically checked using the kube-bench tool, providing pass/fail/warning results for each item.

What is kube-bench used for?

A) Performing load tests on Kubernetes clusters B) Automatically checking cluster security settings according to CIS Kubernetes Benchmark and reporting results C) Scanning image vulnerabilities D) Monitoring runtime security

Answer: B

kube-bench is an open-source tool by Aqua Security that automatically checks CIS Benchmark items. It inspects control plane, worker node, etcd, and other configurations, providing remediation guidance for failed items. It can be run as a Job within the cluster.

What is the purpose of signing container images with cosign?

A) Reducing image size B) Verifying image provenance and integrity to ensure only images from approved build pipelines are deployed C) Increasing image download speed D) Removing image vulnerabilities

Answer: B

Signing images with cosign (Sigstore project) allows verifying during deployment that images were built from trusted sources and were not tampered with. Integration with policy engines (Kyverno, OPA, etc.) can automatically block deployment of unsigned images.

Why generate an SBOM for container images?

A) Automating image builds B) Providing a complete list of all software packages and dependencies in an image to support vulnerability management and license compliance C) Compressing images D) Optimizing image layers

Answer: B

An SBOM is a detailed inventory of all packages, libraries, and dependencies included in a container image. When new vulnerabilities are discovered, it helps quickly identify affected images and verify license compliance. It can be generated with tools like Syft and Trivy.

How are admission controllers used in Kubernetes supply chain security?

A) Handling image builds B) Automatically performing image signature verification, allowed registry checks, and vulnerability scan result validation at deployment time to block unauthorized images C) Managing CI/CD pipelines D) Scanning source code

Answer: B

Using Validating Admission Webhooks or policy engines (Kyverno, OPA Gatekeeper), automatic checks are performed at Pod creation including image signature verification, allowed registry confirmation, vulnerability scan result-based blocking, and digest usage enforcement. This helps defend against supply chain attacks.