CNCF Certified Kubernetes Security Specialist (CKS) - 340 Questions

By Webmaster Certland

Practice exam for the Certified Kubernetes Security Specialist (CKS). Covers Cluster Setup, Cluster Hardening, System Hardening, Microservice Vulnerabilities, Supply Chain Security, and Runtime Security.

Free Preview (5 of 340 questions)

1. A security engineer needs to ensure that all pods in the 'payments' namespace cannot receive any inbound traffic from pods in any other namespace. Which NetworkPolicy configuration achieves this?

A Create a NetworkPolicy with policyTypes: [Egress] and an empty egress list targeting all pods in the namespace.
B Create a NetworkPolicy with podSelector: {} and policyTypes: [Ingress] with no ingress rules defined.
C Create a NetworkPolicy with podSelector: {} and ingress: [{}] to match all sources.
D Create a NetworkPolicy targeting only pods with the label app=payments to block ingress traffic.

2. A Kubernetes cluster administrator needs to allow only the 'monitoring' namespace to send traffic to pods labeled 'app=api' in the 'production' namespace on port 8080. All other ingress to these pods must be denied. Which NetworkPolicy achieves this?

A Use a NetworkPolicy with podSelector: {matchLabels: {app: api}} and a from rule containing only podSelector: {matchLabels: {app: monitoring-agent}}.
B Apply a namespaceSelector to the NetworkPolicy spec itself to restrict it to the monitoring namespace.
C Use a NetworkPolicy with podSelector: {matchLabels: {app: api}}, policyTypes: [Ingress], and a from rule with namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: monitoring}} plus ports: [{port: 8080}].
D Define two separate from list items: one with podSelector: {} and another with namespaceSelector: {matchLabels: {name: monitoring}}.

3. A CKS candidate is reviewing a cluster's kube-apiserver configuration and finds the flag `--anonymous-auth=true`. What is the security risk of this setting and how should it be remediated?

A Unauthenticated requests are assigned system:anonymous identity and may be authorized if RBAC rules allow it. Set --anonymous-auth=false to remediate.
B Anonymous auth allows requests without TLS. Remediate by enabling --tls-cert-file and --tls-private-key-file on the API server.
C The risk is that all requests bypass RBAC. Remediate by changing --authorization-mode to AlwaysAllow to explicitly handle all requests.
D Anonymous auth weakens cipher suites. Remediate by adding --tls-cipher-suites with approved algorithms.

4. During a CIS Benchmark scan, a finding reports that the kube-apiserver is using `--authorization-mode=AlwaysAllow`. A security engineer must fix this. Which configuration correctly applies the principle of least privilege to authorization?

A Set --authorization-mode=RBAC to enforce role-based access control for all requests.
B Set --authorization-mode=Node,RBAC to enable the Node authorizer for kubelets and RBAC for all other requests.
C Set --authorization-mode=Webhook to delegate authorization to an external admission webhook.
D Set --authorization-mode=AlwaysDeny to reject unauthorized requests by default.

5. A security team is hardening a Kubernetes cluster according to the CIS Benchmark. They need to configure the kube-apiserver to use only strong TLS cipher suites. Which flag and value should be applied?

A Set --tls-min-version=VersionTLS13 to enforce TLS 1.3 and automatically use only strong ciphers.
B Set --secure-port=6443 to enable HTTPS and restrict weak cipher usage.
C Set --client-ca-file=/etc/kubernetes/pki/ca.crt to enforce mutual TLS with strong cipher suites.
D Set --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 to restrict the API server to approved cipher suites.

Information

Questions 340
Time 2h
Difficulty Hard
Minimum Score 67.00%
