CKS Exam Details

  • Exam Code
    :CKS
  • Exam Name
    :Linux Foundation Certified Kubernetes Security Specialist (CKS)
  • Certification
    :Linux Foundation Certifications
  • Vendor
    :Linux Foundation
  • Total Questions
    :46 Q&As
  • Last Updated
    :Jul 08, 2026

Linux Foundation CKS Online Questions & Answers

  • Question 11:

    Analyze and edit the given Dockerfile

    1. FROM ubuntu:latest

    2. RUN apt-get update -y

    3. RUN apt-install nginx -y

    4. COPY entrypoint.sh /

    5. ENTRYPOINT ["/entrypoint.sh"]

    6. USER ROOT

    Fixing two instructions present in the file being prominent security best practice issues

    Analyze and edit the deployment manifest file

    1. apiVersion: v1

    2. kind: Pod

    3. metadata:

    4. name: security-context-demo-2

    5. spec:

    6. securityContext:

    7. runAsUser: 1000

    8. containers:

    9. - name: sec-ctx-demo-2 10.image: gcr.io/google-samples/node-hello:1.0 11.securityContext: 12.runAsUser: 0 13.privileged: True 14.allowPrivilegeEscalation: false

    Fixing two fields present in the file being prominent security best practice issues

    Don't add or remove configuration settings; only modify the existing configuration settings

    Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487

    A. See the explanation below:
    B. PlaceHolder

  • Question 12:

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context qa

    Context:

    A pod fails to run because of an incorrectly specified ServiceAccount

    Task:

    Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret.

    Edit the frontend pod yaml to use backend-qa service account

    Note: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml

    A. See the explanation below
    B. PlaceHolder

  • Question 13:

    Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that

    1. logs are stored at /var/log/kubernetes-logs.txt.

    2. Log files are retained for 12 days.

    3. at maximum, a number of 8 old audit logs files are retained.

    4. set the maximum size before getting rotated to 200MB

    Edit and extend the basic policy to log:

    1. namespaces changes at RequestResponse

    2. Log the request body of secrets changes in the namespace kube-system.

    3. Log all other resources in core and extensions at the Request level.

    4. Log "pods/portforward", "services/proxy" at Metadata level.

    5. Omit the Stage RequestReceived

    All other requests at the Metadata level

    A. See the explanation below:
    B. PlaceHolder

  • Question 14:

    CORRECT TEXT

    Two tools are pre-installed on the cluster's worker node:

    1. sysdig

    2. falco

    Using the tool of your choice (including any non pre-installed tool), analyze the container's behavior for at least 30 seconds, using filters that detect newly spawning and executing processes. Store an incident file at /opt/KSRS00101/alerts/

    details, containing the detected incidents, one per line, in the following format:

    The following example shows a properly formatted incident file:

    A. See the explanation below:
    B. PlaceHolder

  • Question 15:

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context dev

    Context:

    A CIS Benchmark tool was run against the kubeadm created cluster and found multiple issues that must be addressed.

    Task:

    Fix all issues via configuration and restart the affected components to ensure the new settings take effect.

    Fix all of the following violations that were found against the API server:

    1.2.7 authorization-mode argument is not set to AlwaysAllow FAIL

    1.2.8 authorization-mode argument includes Node FAIL

    1.2.7 authorization-mode argument includes RBAC FAIL

    Fix all of the following violations that were found against the Kubelet:

    4.2.1 Ensure that the anonymous-auth argument is set to false FAIL

    4.2.2 authorization-mode argument is not set to AlwaysAllow FAIL (Use Webhook autumn/authz where possible)

    Fix all of the following violations that were found against etcd:

    2.2 Ensure that the client-cert-auth argument is set to true

    A. See the explanation below
    B. PlaceHolder

  • Question 16:

    Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.

    Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

    A. See the explanation below:
    B. PlaceHolder

  • Question 17:

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context test-account

    Task: Enable audit logs in the cluster.

    To do so, enable the log backend, and ensure that:

    1. logs are stored at /var/log/Kubernetes/logs.txt

    2. log files are retained for 5 days

    3. at maximum, a number of 10 old audit log files are retained

    A basic policy is provided at /etc/Kubernetes/logpolicy/audit-policy.yaml. It only specifies what not to log.

    Note: The base policy is located on the cluster's master node.

    Edit and extend the basic policy to log:

    1. Nodes changes at RequestResponse level

    2. The request body of persistentvolumes changes in the namespace frontend

    3. ConfigMap and Secret changes in all namespaces at the Metadata level

    Also, add a catch-all rule to log all other requests at the Metadata level Note: Don't forget to apply the modified policy.

    A. See the explanation below
    B. PlaceHolder

  • Question 18:

    AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet.

    Task

    On the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor.

    Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile.

    Finally, apply the manifest file and create the Pod specified in it.

    A. See the explanation below
    B. PlaceHolder

  • Question 19:

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context prod-account

    Context:

    A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

    Task:

    Given an existing Pod named web-pod running in the namespace database.

    1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.

    2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statuefulsets.

    3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount. Note: Don't delete the existing RoleBinding.

    A. See the explanation below
    B. PlaceHolder

  • Question 20:

    Secrets stored in the etcd is not secure at rest, you can use the etcdctl command utility to find the secret value for e.g:ETCDCTL_API=3 etcdctl get /registry/secrets/default/cks-secret --cacert="ca.crt" -- cert="server.crt" --key="server.key" Output

    Using the Encryption Configuration, Create the manifest, which secures the resource secrets using the provider AES-CBC and identity, to encrypt the secret-data at rest and ensure all secrets are encrypted with the new configuration.

    A. See explanation below.
    B. PlaceHolder

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Linux Foundation exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CKS exam preparations and Linux Foundation certification application, do not hesitate to visit our Vcedump.com to find your solutions here.