CKS Exam Details

  • Exam Code
    :CKS
  • Exam Name
    :Linux Foundation Certified Kubernetes Security Specialist (CKS)
  • Certification
    :Linux Foundation Certifications
  • Vendor
    :Linux Foundation
  • Total Questions
    :46 Q&As
  • Last Updated
    :Jul 08, 2026

Linux Foundation CKS Online Questions & Answers

  • Question 1:

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context stage

    Context:

    A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.

    Task:

    1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods.

    2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy.

    3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development.

    Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

    A. See the explanation below
    B. PlaceHolder

  • Question 2:

    A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

    Task

    Given an existing Pod named web-pod running in the namespace security.

    Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.

    Create a new Role named role-2 in the namespace security, which only allows performing update

    operations, only on resources of type namespaces.

    Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.

    A. See the explanation below
    B. PlaceHolder

  • Question 3:

    CORRECT TEXT

    Task

    Create a NetworkPolicy named pod-access to restrict access to Pod users-service running in namespace dev-team. Only allow the following Pods to connect to Pod users-service:

    1. Pods in the namespace qa

    2. Pods with label environment: testing, in any namespace

    A. See explanation below.
    B. PlaceHolder

  • Question 4:

    Context:

    Cluster: gvisor

    Master node: master1

    Worker node: worker1

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context gvisor

    Context: This cluster has been prepared to support runtime handler, runsc as well as traditional one.

    Task:

    Create a RuntimeClass named not-trusted using the prepared runtime handler names runsc.

    Update all Pods in the namespace server to run on newruntime.

    A. See the explanation below
    B. PlaceHolder

  • Question 5:

    Fix all issues via configuration and restart the affected components to ensure the new setting takes effect. Fix all of the following violations that were found against the API server:

    1. Ensure that the RotateKubeletServerCertificate argument is set to true.

    2. Ensure that the admission control plugin PodSecurityPolicy is set.

    3. Ensure that the --kubelet-certificate-authority argument is set as appropriate. Fix all of the following violations that were found against the Kubelet:

    1. Ensure the --anonymous-auth argument is set to false.

    2. Ensure that the --authorization-mode argument is set to Webhook. Fix all of the following violations that were found against the ETCD:

    1. Ensure that the --auto-tls argument is not set to true

    2. Ensure that the --peer-auto-tls argument is not set to true

    Hint: Take the use of Tool Kube-Bench

    A. See the below.
    B. PlaceHolder

  • Question 6:

    CORRECT TEXT

    A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.

    Task

    Create a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.

    Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.

    Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.

    Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp- restrict-sa.

    A. See explanation below.
    B. PlaceHolder

  • Question 7:

    Context:

    Cluster: prod

    Master node: master1

    Worker node: worker1

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context prod

    Task:

    Analyse and edit the given Dockerfile (based on the ubuntu:18:04 image)

    /home/cert_masters/Dockerfile fixing two instructions present in the file being prominent security/best-practice issues.

    Analyse and edit the given manifest file

    /home/cert_masters/mydeployment.yaml fixing two fields present in the file being prominent security/best-practice issues.

    Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.

    Should you need an unprivileged user for any of the tasks, use user nobody with user id 65535

    A. See the explanation below
    B. PlaceHolder

  • Question 8:

    You must complete this task on the following cluster/nodes: Cluster: immutable-cluster

    Master node: master1

    Worker node: worker1

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context immutable-cluster

    Context: It is best practice to design containers to be stateless and immutable.

    Task:

    Inspect Pods running in namespace prod and delete any Pod that is either not stateless or not immutable.

    Use the following strict interpretation of stateless and immutable:

    1. Pods being able to store data inside containers must be treated as not stateless.

    Note: You don't have to worry whether data is actually stored inside containers or not already.

    2. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.

    A. See the explanation below
    B. PlaceHolder

  • Question 9:

    Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic

    A. See the explanation below:
    B. PlaceHolder

  • Question 10:

    You must complete this task on the following cluster/nodes:

    Cluster: trace Master node: master Worker node: worker1

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context trace

    Given: You may use Sysdig or Falco documentation.

    Task:

    Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Pod tomcat.

    Two tools are available to use:

    1. falco

    2. sysdig

    Tools are pre-installed on the worker1 node only.

    Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.

    Store an incident file at /home/cert_masters/report, in the following format:

    [timestamp],[uid],[processName]

    Note: Make sure to store incident file on the cluster's worker node, don't move it to master node.

    A. See the explanation below
    B. PlaceHolder

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Linux Foundation exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CKS exam preparations and Linux Foundation certification application, do not hesitate to visit our Vcedump.com to find your solutions here.