Skip to main content
CNCF ⭐ Premium ⭐ Featured

CNCF Certified Kubernetes Security Specialist (CKS)

By Webmaster Certland English 📝 340 questions ❤️ 0 likes

Practice exam for the Certified Kubernetes Security Specialist (CKS). Covers Cluster Setup, Cluster Hardening, System Hardening, Microservice Vulnerabilities, Supply Chain Security, and Runtime Security.

⭐ Premium Updated Mar 2026

Unlock all 340 CNCF Certified Kubernetes Security Specialist (CKS) questions

Full simulation · Detailed explanations · Unlimited attempts

  • 340 questions — ~5 full-length simulations
  • Detailed explanations — why each answer is right or wrong
  • Unlimited attempts — retake as many times as needed
  • Smart Practice + Focus Mode + no ads
340
Questions
All certifications
from $4.90/mo
⭐ Get Premium — $4.90/mo ▶ Try 5 questions free

Sample Questions — CNCF Certified Kubernetes Security Specialist (CKS)

5 free sample questions from this practice exam. Correct answers are highlighted.

1. A security engineer needs to ensure that all pods in the 'payments' namespace cannot receive any inbound traffic from pods in any other namespace. Which NetworkPolicy configuration achieves this?

A Create a NetworkPolicy with policyTypes: [Egress] and an empty egress list targeting all pods in the namespace.
B Create a NetworkPolicy with podSelector: {} and policyTypes: [Ingress] with no ingress rules defined. ✓ Correct
C Create a NetworkPolicy with podSelector: {} and ingress: [{}] to match all sources.
D Create a NetworkPolicy targeting only pods with the label app=payments to block ingress traffic.

2. A Kubernetes cluster administrator needs to allow only the 'monitoring' namespace to send traffic to pods labeled 'app=api' in the 'production' namespace on port 8080. All other ingress to these pods must be denied. Which NetworkPolicy achieves this?

A Use a NetworkPolicy with podSelector: {matchLabels: {app: api}} and a from rule containing only podSelector: {matchLabels: {app: monitoring-agent}}.
B Apply a namespaceSelector to the NetworkPolicy spec itself to restrict it to the monitoring namespace.
C Use a NetworkPolicy with podSelector: {matchLabels: {app: api}}, policyTypes: [Ingress], and a from rule with namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: monitoring}} plus ports: [{port: 8080}]. ✓ Correct
D Define two separate from list items: one with podSelector: {} and another with namespaceSelector: {matchLabels: {name: monitoring}}.

3. A CKS candidate is reviewing a cluster's kube-apiserver configuration and finds the flag `--anonymous-auth=true`. What is the security risk of this setting and how should it be remediated?

A Unauthenticated requests are assigned system:anonymous identity and may be authorized if RBAC rules allow it. Set --anonymous-auth=false to remediate. ✓ Correct
B Anonymous auth allows requests without TLS. Remediate by enabling --tls-cert-file and --tls-private-key-file on the API server.
C The risk is that all requests bypass RBAC. Remediate by changing --authorization-mode to AlwaysAllow to explicitly handle all requests.
D Anonymous auth weakens cipher suites. Remediate by adding --tls-cipher-suites with approved algorithms.

4. During a CIS benchmark scan, a finding reports that the kube-apiserver is using `--authorization-mode=AlwaysAllow`. A security engineer must fix this. Which configuration correctly applies principle of least privilege authorization?

A Set --authorization-mode=RBAC to enforce role-based access control for all requests.
B Set --authorization-mode=Node,RBAC to enable the Node authorizer for kubelets and RBAC for all other requests. ✓ Correct
C Set --authorization-mode=Webhook to delegate authorization to an external admission webhook.
D Set --authorization-mode=AlwaysDeny to reject unauthorized requests by default.

5. A security team is hardening a Kubernetes cluster according to the CIS Benchmark. They need to configure the kube-apiserver to use only strong TLS cipher suites. Which flag and value should be applied?

A Set --tls-min-version=VersionTLS13 to enforce TLS 1.3 and automatically use only strong ciphers.
B Set --secure-port=6443 to enable HTTPS and restrict weak cipher usage.
C Set --client-ca-file=/etc/kubernetes/pki/ca.crt to enforce mutual TLS with strong cipher suites.
D Set --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 to restrict the API server to approved cipher suites. ✓ Correct

Want to test yourself for real?

Create a free account and run our exam simulation engine.

Free No credit card
  • Simulation engine
  • Up to 10 questions per attempt
  • Score & basic stats
Create free account Already have an account? Sign in
Best
Premium Premium
  • All 340 questions
  • Detailed explanations
  • Smart Practice + Focus Mode
⭐ Get Premium

Information

Questions 340
Time 2h
Difficulty Hard
Minimum Score 67.00%
▶ Try 5 questions — no account needed ⭐ Unlock all questions — Premium 🤍 Like

💰 ROI

Official exam $395.00
CertLand $4.90/mo
Prepare for $395 for less than a coffee/mo

Study Guides & Articles

Free

How to Pass CKS (Certified Kubernetes Security Specialist) in 2026: Complete Study Guide

CKS is the hardest Kubernetes certification — requires an active CKA and tests hands-on security hardening under time pressure. This guide covers all 6 domains, essential tools (Falco, OPA Gatekeeper, Trivy, AppArmor), and a 10-week study plan built on top of CKA knowledge.
⭐ Premium

CKS Deep Dive: Supply Chain Security, Falco Runtime Detection, and OPA Gatekeeper

Supply Chain Security and Monitoring/Runtime Security each account for 20% of the CKS exam — 40% combined. This guide goes deep on Trivy image scanning, Cosign signing, Falco custom rules, OPA Gatekeeper ConstraintTemplates, and Kubernetes audit logging.
⭐ Premium

CKS Exam Traps: Cluster Hardening and Pod Security Tasks That Fail Candidates

CKS is the most unforgiving Kubernetes exam — one wrong flag in a Falco rule or a misplaced seccomp annotation breaks the task. This guide covers 12 specific traps across cluster hardening, pod security, and runtime security where candidates lose the most points.

Related Exams

⭐ Premium

CNCF Kubernetes and Cloud Native Associate (KCNA)

340 questions · English
⭐ Premium

CNCF Kubernetes and Cloud Native Security Associate (KCSA)

340 questions · English
⭐ Premium

CNCF Certified Kubernetes Administrator (CKA)

340 questions · English
⭐ Premium

CNCF Certified Kubernetes Application Developer (CKAD)

340 questions · English

Discussion

No comments yet. Be the first to start the discussion!

Sign in to join the discussion.