Verified CKS dumps Q&As - Pass Guarantee Exam Dumps Test Engine [2026]
CKS dumps and 179 unique questions
The CKS certification is an advanced-level certification that requires a deep understanding of Kubernetes architecture and security best practices. Candidates must have experience working with Kubernetes in a production environment and should be familiar with common security threats and mitigation strategies.
NEW QUESTION # 44
You are using Kubesec for static analysis of Kubernetes manifests. You have a Deployment YAML file containing a container image that pulls from a public registry. The analysis reveals a potential vulnerability: the container image is outdated. How would you use Kubesec to identify this vulnerability and what steps would you take to remediate it?
Answer:
Explanation:
Solution (Step by Step) :
1. Run Kubesec Analysis:
- Use the 'kubesec' command to analyze your Deployment YAML file:
bash
kubesec scan your-deploymentyaml
- Kubesec will provide a detailed report of potential security vulnerabilities and best practice recommendations.
2. Identify Outdated Image:
- Review the Kubesec report to identify the warning related to the outdated container image. Kubesec might provide specific information like the image
name, tag, and the reason it's considered outdated (e.g., known vulnerabilities, end-of-life support).
3. Check for Updates:
- Check the official repository or documentation of the container image for newer versions.
- Look for updated tags that address the identified vulnerability or have updated security patches.
4. Update Deployment YAML:
- Modify your Deployment YAML file to use the newer, updated container image.
- Example (assuming the updated image is 'nginx:1 .20.1'):
5. Re-run Kubesec Analysis: - After updating the Deployment YAML, run Kubesec analysis again. This will verify that the vulnerability is resolved and that the new container image is properly configured.
NEW QUESTION # 45
You are tasked with securing a Kubernetes cluster that runs sensitive workloads. You need to implement a mechanism to enforce least privilege access for all pods in the cluster.
Answer:
Explanation:
Solution (Step by Step) :
1. Create a Service Account with Limited Permissions:
- Create a new ServiceAccount with minimal permissions:
2. Create a Role with Limited Permissions: - Create a Role that only grants the necessary permissions for the pods:
3. Bind the Role to the Service Account: - Bind the Role to the ServiceAccount:
4. Configure PodS to use the Service Account - Update your Deployment YAML to use the ServiceAccount:
NEW QUESTION # 46
You must complete this task on the following cluster/nodes:
Cluster: trace
Master node: master
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context trace
Given: You may use Sysdig or Falco documentation.
Task:
Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Pod tomcat.
Two tools are available to use:
1. falco
2. sysdig
Tools are pre-installed on the worker1 node only.
Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.
Store an incident file at /home/cert_masters/report, in the following format:
[timestamp],[uid],[processName]
Note: Make sure to store incident file on the cluster's worker node, don't move it to master node.
Answer:
Explanation:
$vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
$kill -1 <PID of falco>
Explanation
[desk@cli] $ ssh node01
[node01@cli] $ vim /etc/falco/falco_rules.yaml
search for Container Drift Detected & paste in falco_rules.local.yaml
[node01@cli] $ vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
[node01@cli] $ vim /etc/falco/falco.yaml
NEW QUESTION # 47
You are running a Kubernetes cluster with a variety of workloads. One of your applications is a database that stores sensitive customer data- To enhance security, you need to implement network policies to limit the network traffic to and from this database pod. Specifically, you want to only allow access to the database from your application pods and deny all other traffic.
Create a NetworkPolicy that accomplishes this objective.
Answer:
Explanation:
Solution (Step by Step) :
1. Define the NetworkPolicy:
- Create a NetworkPoIicy YAML file.
- Define the policy name and target pods.
- Specify the ingress and egress rules.
- Example:
2. Apply the NetworkPolicy: - IJse ' kubectl apply -f database-policy-yamp to apply the policy. 3. Verification: - Verity that the NetworkPolicy is applied successfully- - Use 'kubectl get networkpolicies' to list the existing policies. 4. Test the Policy: - Attempt to access the database pod from a pod outside of the 'application' label. - The access should be denied due to the NetworkPolicy.
NEW QUESTION # 48
You are responsible for securing the Kubernetes clusters supply chain. You want to ensure that only images from trusted registries are allowed to be deployed to the cluster. How would you configure Kubernetes to restrict deployments to only images from specific registries?
Answer:
Explanation:
Solution (Step by Step) :
1. Create a Pod Security Policy (PSP):
- A PSP is a policy that enforces security restrictions on pods. You can define the allowed registries for image pulls within the PSP
- create a PSP YAML file:
2. Define Allowed Registries: - Within the 'spec' of your PSP, create a field 'seLinux' and then define the allowed registries within the 'seLinux' field. - Example:
3. Apply the PSP: - Apply the PSP to your cluster using 'kubectl apply -f restricted-registry-psp.yaml' 4. Create a Service Account: - Create a service account that will be allowed to run pods with this PSP:
5. Bind the PSP to the Service Account: - Add the 'securityContext' field to your deployment and specify the PSP you just created:
- Apply the deployment: bash kubectl apply -f deploymentyaml - Now, the deployment will only be able to pull images from the specified registry.
NEW QUESTION # 49
Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.
Create a Role name john-role to list secrets, pods in namespace john
Finally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.
To Verify: Use the kubectl auth CLI command to verify the permissions.
Answer:
Explanation:
se kubectl to create a CSR and approve it.
Get the list of CSRs:
kubectl get csr
Approve the CSR:
kubectl certificate approve myuser
Get the certificate
Retrieve the certificate from the CSR:
kubectl get csr/myuser -o yaml
here are the role and role-binding to give john permission to create NEW_CRD resource:
kubectl apply -f roleBindingJohn.yaml --as=john
rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata:
name: john_crd
namespace: development-john
subjects:
- kind: User
name: john
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: crd-creation
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: crd-creation
rules:
- apiGroups: ["kubernetes-client.io/v1"]
resources: ["NEW_CRD"]
verbs: ["create, list, get"]
NEW QUESTION # 50
Cluster: dev
Master node: master1 Worker node: worker1
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev Task: Retrieve the content of the existing secret named adam in the safe namespace.
Store the username field in a file names /home/cert-masters/username.txt, and the password field in a file named /home/cert-masters/password.txt.
1. You must create both files; they don't exist yet. 2. Do not use/modify the created files in the following steps, create new temporary files if needed.
Create a new secret names newsecret in the safe namespace, with the following content: Username: dbadmin Password: moresecurepas Finally, create a new Pod that has access to the secret newsecret via a volume:
Namespace: safe
Pod name: mysecret-pod
Container name: db-container
Image: redis
Volume name: secret-vol
Mount path: /etc/mysecret
Answer:
Explanation:



NEW QUESTION # 51
You are running a Kubernetes cluster with a deployment named "my-app" that uses a container image from a public registry. The container image has a vulnerability in a library it uses. You want to apply a security patch to the container image without rebuilding it. How can you do this using container patching tools and update the deployment?
Answer:
Explanation:
Solution (Step by Step) :
1. Use a Container Patching Tool:
- Employ a container patching tool like 'kpatch' or 'image-patcher' that can apply security patches to container images Without rebuilding them. These tools allow you to modify the container image's filesystem and update libraries directly.
2. Identify the Vulnerable Library:
- Use a vulnerability scanner like Trivy to identify the specific vulnerable library within the container image.
3. Apply the Patch:
- Use the container patching tool to apply the security patch to the vulnerable library within the container image. This involves downloading the patch, modifying the container image's filesystem, and updating the relevant library files.
4. Create a Patched Image:
- The container patching tool will typically generate a new, patched container image. This patched image will contain the updated library with the security fix applied.
5. Push the Patched Image to a Registry:
- Push the patched image to your private container registry for use in deployments.
6. Update the Deployment
- Update the "my-app" deployment configuration to use the newly created patched image from your private registry.
7. Validate the Patch:
- After updating the deployment, verify that the patch has been successfully applied by running a vulnerability scan on the running container.
NEW QUESTION # 52
You are tasked with implementing a security policy that prohibits the use of privileged containers in your Kubernetes cluster. Implement a solution that uses KubeLinter to enforce this policy by automatically scanning all deployments and preventing deployments that violate the policy.
Answer:
Explanation:
Solution (Step by Step):
1. Install KubeLinter: Download and install the 'kubevar binary from the official GitHub repository.
2. Create a custom KubeLinter check: Define a custom check that prohibits the use of privileged containers. This check can be defined in a separate
YAML file or embedded in your '.kubeval.yaml configuration file.
3. Configure KubeLinter to use the custom check: Add the custom check to your .kuoeval.yaml configuration file.
4. Integrate KubeLinter into your CI/CD pipeline: Add a step to your pipeline that runs KubeLinter against your deployment YAML manifests. This step should be executed before the manifests are deployed to the cluster.
5. (Optional) Implement an admission controller: For real-time enforcement, deploy an admission controller that uses KubeLinter to validate deployments as they are created or updated. This will prevent any deployments that violate the policy from being created in the cluster. Tools like Kyverno or Gatekeeper can be used to create and enforce such policies.
NEW QUESTION # 53
Context
AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet.
Task
On the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor.
Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile.
Finally, apply the manifest file and create the Pod specified in it.
Answer:
Explanation:


NEW QUESTION # 54
Your organization requires strict control over container image usage within your Kubernetes cluster. You want to implement a policy to prevent deployment of images from untrusted repositories. How can you achieve this while still allowing access to your organization's private registry?
Answer:
Explanation:
Solution (Step by Step) :
1. Configure PodSecurityPolicy:
- Create a PodSecurityP01icy (PSP) that restricts the use of containers from untrusted repositories.
- Define a set of allowed registries in the PSP.
2. Use ImagePullSecrets:
- Create ' ImagePuIISecretS for your organization's private registry.
- Ensure pods that need to pull images from the private registry have the corresponding ImagePullSecrets.
3. Example Implementation:
-
4. Restrict Deployments - Ensure your Deployments are configured to use the restricted PSP and the correct ImagePuIISecrets.
NEW QUESTION # 55
Create a network policy named restrict-np to restrict to pod nginx-test running in namespace testing.
Only allow the following Pods to connect to Pod nginx-test:-
1. pods in the namespace default
2. pods with label version:v1 in any namespace.
Make sure to apply the network policy.
- A. Send us your Feedback on this.
Answer: A
NEW QUESTION # 56
You are using a Kubernetes cluster running on a cloud provider. You are concerned about the security of the underlying cloud infrastructure. Describe now you can use Kubernetes security features and cloud provider security services to assess and mitigate risks related to the cloud infrastructure.
Answer:
Explanation:
Solution (Step by Step) :
1. Kubernetes Security Features:
- Pod Security Policies (PSPs): Use PSPs to enforce security restrictions on pods, such as limiting the privileges and resources they can access.
- Network Policies: Implement network policies to restrict network traffic between pods and external services, reducing the attack surface.
- Admission Controllers: I-Ise admission controllers to enforce security checks on incoming requests to the cluster, such as validating resource
requests or checking for malicious code.
- RBAC Implement role-based access control to grant specific permissions to users and service accounts, limiting their access to resources.
2. Cloud Provider Security Services:
- Vulnerability Scanning: Use the cloud provider's vulnerability scanning services to identify and remediate vulnerabilities in the underlying infrastructure.
- Security Monitoring: Leverage cloud security monitoring tools to detect unusual activities, suspicious connections, and potential security threats.
- Intrusion Detection and Prevention (IDS/IPS): Configure cloud-based IDS/IPS solutions to protect the infrastructure from known attacks and malicious traffic.
- Security Auditing: Enable security auditing features to track changes to infrastructure configurations and user activities, allowing for forensic analysis in case of security incidents.
3. Combined Approach:
- Security Posture Assessment: Use a combination of Kubernetes security features and cloud provider security services to conduct regular security posture assessments of the cluster and underlying infrastructure.
- Security Best Practices: Adhere to cloud security best practices, such as regularly patching systems, rotating credentials, and implementing least- privilege access.
4. Example with AWS:
- AWS Security Groups: I-Jse AWS Security Groups to control inbound and outbound network traffic for your Kubernetes cluster.
- AWS GuardDuty: Leverage AWS GuardDuty to detect threats and suspicious activity in your cloud environment
- AWS Inspector: use AWS Inspector to scan your Kubernetes cluster for security vulnerabilities.
5. Security Considerations:
- Security Awareness: Ensure that your team is aware of cloud security best practices and responsibilities.
- Continuous Monitoring: Implement continuous monitoring of security logs and events to detect and respond to threats in a timely manner.
- Incident Response: Have a well-defined incident response plan to handle security incidents efficiently and minimize potential damage.
NEW QUESTION # 57
SIMULATION
use the Trivy to scan the following images,
1. amazonlinux:1
2. k8s.gcr.io/kube-controller-manager:v1.18.6
Look for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in /opt/trivy-vulnerable.txt
- A. Send us the Feedback on it.
Answer: A
NEW QUESTION # 58
You are responsible for securing the Kubernetes clusters supply chain. Your organization utilizes a private Docker registry to host container images. Currently, images are built and pushed to this registry without any validation or signing. How can you implement a policy to ensure that only signed and verified images are deployed to the cluster?
Answer:
Explanation:
Solution (Step by Step) :
1. Set Up a Signing Authority:
- Choose a trusted entity (e.g., a dedicated server or a dedicated user account) to act as the signing authority.
- Generate a private and public key pair using tools like 'openssr or 'gpg'
- Store the private key securely and ensure only authorized individuals have access.
2. Configure Image Signing:
- Create a script or integrate signing into your image build process.
- when building an image, use the private key from the signing authority to sign the image.
- The signing process embeds a digital signature within the image manifest.
3. Integrate Image Verification
- Configure the Kubernetes cluster to enforce image signature verification.
- Utilize tools like 'admission webhookS to inspect incoming images.
- The webh00k will check if the image has a valid signature from the trusted authority.
- If the signature is invalid or missing, the deployment will be blocked.
4. Example Implementation (using 'cosign'):
-
5. Integrate with CI/CD pipelines: - Integrate image signing and verification into your automated CI/CD pipelines. - This ensures consistency and prevents accidental deployment of unsigned images.
NEW QUESTION # 59
You nave a Kubernetes cluster with a Deployment named 'web-app- that runs multiple replicas of a web application. You need to create a network policy that allows only traffic from pods in the same namespace to access the web application's API endpoint on port 8080.
Answer:
Explanation:
Solution (Step by Step) :
1. Create a NetworkP01icy:
- Define a NetworkPoIicy resource with a 'podSeIector that matches the 'web-app' Deployment.
- Create an 'ingress' rule that allows traffic from pods within the same namespace.
- Use the 'from' field to specify the namespace and set the 'namespaceselector' to 'matchLabels: {}' to include all pods in the namespace.
- Ensure that the port 8080 is included in the 'ports' field.
2. Apply the NetworkPolicy: - Apply the YAML file using 'kubectl apply -f web-app-namespace-policy.yaml 3. Verify the NetworkPoIicy: - Use 'kubectl get networkpolicies' to list the available network policies. - Use 'kubectl describe networkpolicy web-app-namespace-policy' to view the details of the applied policy. 4. Test the NetworkPolicy: - Deploy a pod in the same namespace as the 'web-app' Deployment and attempt to access the API endpoint Verify that the connection is successful. - Deploy a pod in a different namespace and attempt to access the API endpoint Verity that the connection is denied.
NEW QUESTION # 60
You are deploying a new microservice to your Kubernetes cluster. This microservice will handle sensitive user data and requires access to a database that is also deployed on the cluster. To ensure secure communication between the microservice and the database, you need to configure mutual TLS authentication.
Explain the steps involved in setting up mutual TLS authentication between the microservice and the database.
Answer:
Explanation:
Solution (Step by Step) :
1. Generate Certificates:
- Create a Certificate Authority (CA) to issue certificates for the microservice and the database.
- Generate a self-signed certificate and key for the CA.
- Example (using OpenSSL):
bash
openssl genrsa -out cakey 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 365 -subj Francisco/O=My Company/OU=lT Department/CN=myCA"
2. Generate Certificates for the Microservice and Database:
- Use the CA certificate and key to sign certificates for tne microservice and the database.
- Example (using OpenSSL):
bash
# Generate a certificate request for the microservice
openssl req -new -key microservice-key -out microservice-csr -subj "/C=US/ST=California/L=San Francisco,'O=My Company/OU=lT
Department/CN=microservice"
# Sign the certificate request with the CA
openssl x509 -req -in microservice.csr -CA ca.crt -CAkey ca.key -out microservice-crt -days 365
# Repeat for the database
3. Create Kubernetes Secrets:
- Create secrets in the cluster to store the certificates and keys for the microservice and database.
- Example:
4. Configure the Microservice Container: - Update tne microservice deployment YAML to mount the certificate and key secret. - Set the 'TLS parameters in the database connection string. - Example:
5. Configure the Database Container: - Repeat the steps for the database container, using the database certificate and key. 6. Verify Communication: - Ensure that the microservice can connect to the database securely using mutual TLS authentication. - Test the application to ensure that it functions correctly. These are just a few examples of how to create and utilize custom base images, network policies, RBAC, and mutual TLS- Implementing robust security in Kubernetes is an ongoing effort that requires continuous monitoring and updates to mitigate potential threats.
NEW QUESTION # 61
......
The CKS certification exam is a hands-on, performance-based exam that tests an individual's knowledge of Kubernetes security concepts, including authentication and authorization, network security, cluster hardening, and monitoring. CKS exam is designed to ensure that individuals have the skills and knowledge necessary to secure Kubernetes clusters and workloads in production environments. CKS exam is rigorous and covers a range of topics, including securing Kubernetes API, securing Kubernetes network, securing Kubernetes workloads, and securing Kubernetes data. Certified Kubernetes Security Specialist (CKS) certification demonstrates an individual's expertise and proficiency in securing Kubernetes clusters, and is highly valued by employers in the IT industry.
CKS Dumps for Pass Guaranteed - Pass CKS Exam: https://www.passcollection.com/CKS_real-exams.html
CKS Exam Dumps - Try Best CKS Exam Questions: https://drive.google.com/open?id=1n8Rqu1iTiWC7zsxw6aGP2xFGCEwS7DLD

