CKS Exam Details

  • Exam Code
    :CKS
  • Exam Name
    :Linux Foundation Certified Kubernetes Security Specialist (CKS)
  • Certification
    :Linux Foundation Certifications
  • Vendor
    :Linux Foundation
  • Total Questions
    :46 Q&As
  • Last Updated
    :Jul 08, 2026

Linux Foundation CKS Online Questions & Answers

  • Question 21:

    On the Cluster worker node, enforce the prepared AppArmor profile

    1. #include

    2. profile nginx-deny flags=(attach_disconnected) {

    3. #include

    4. file,

    5. # Deny all file writes.

    6. deny /** w,

    7. }

    8. EOF'

    Edit the prepared manifest file to include the AppArmor profile.

    1. apiVersion: v1

    2. kind: Pod

    3. metadata:

    4. name: apparmor-pod

    5. spec:

    6. containers:

    7. - name: apparmor-pod

    8. image: nginx

    Finally, apply the manifests files and create the Pod specified on it.

    Verify: Try to make a file inside the directory which is restricted.

    A. See explanation below.
    B. PlaceHolder

  • Question 22:

    1. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace.

    Store the value of the token in the token.txt

    2. Create a new secret named test-db-secret in the DB namespace with the following content:

    username: mysql password: password@123

    Create the Pod name test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path /etc/mysql-credentials

    A. See the explanation below:
    B. PlaceHolder

  • Question 23:

    Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.

    A. See explanation below.
    B. PlaceHolder

  • Question 24:

    A container image scanner is set up on the cluster.

    Given an incomplete configuration in the directory

    /etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpoint https://test-server.local.8081/image_policy

    1. Enable the admission plugin.

    2. Validate the control configuration and change it to implicit deny.

    Finally, test the configuration by deploying the pod having the image tag as latest.

    A. See explanation below.
    B. PlaceHolder

  • Question 25:

    The kubeadm-created cluster's Kubernetes API server was, for testing purposes, temporarily configured to allow unauthenticated and unauthorized access granting the anonymous user duster-admin access.

    Task

    Reconfigure the cluster's Kubernetes API server to ensure that only authenticated and authorized REST requests are allowed.

    Use authorization mode Node,RBAC and admission controller NodeRestriction.

    Cleaning up, remove the ClusterRoleBinding for user system:anonymous.

    A. See explanation below.
    B. PlaceHolder

  • Question 26:

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context dev

    A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

    Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress

    The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test.

    Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test.

    You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

    A. See the explanation below
    B. PlaceHolder

  • Question 27:

    CORRECT TEXT

    Context

    This cluster uses containerd as CRI runtime.

    Containerd's default runtime handler is runc. Containerd has been prepared to support an additional runtime handler, runsc (gVisor).

    Task

    Create a RuntimeClass named sandboxed using the prepared runtime handler named runsc.

    Update all Pods in the namespace server to run on gVisor.

    A. See the explanation below
    B. PlaceHolder

  • Question 28:

    Cluster: qa-cluster

    Master node: master Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context qa-cluster

    Task:

    Create a NetworkPolicy named restricted-policy to restrict access to Pod product running in namespace dev.

    Only allow the following Pods to connect to Pod products-service:

    1. Pods in the namespace qa

    2. Pods with label environment: stage, in any namespace

    A. See the below.
    B. PlaceHolder

  • Question 29:

    Cluster: dev Master node: master1 Worker node: worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev Task:

    Retrieve the content of the existing secret named adam in the safe namespace.

    Store the username field in a file names /home/cert-masters/username.txt, and the password field in a file named /home/cert-masters/password.txt.

    1. You must create both files; they don't exist yet.

    2. Do not use/modify the created files in the following steps, create new temporary files if needed.

    Create a new secret names newsecret in the safe namespace, with the following content:

    Username: dbadmin Password: moresecurepas

    Finally, create a new Pod that has access to the secret newsecret via a volume:

    Namespace:safe Pod name:mysecret-pod Container name:db-container Image:redis Volume name:secret-vol Mount path:/etc/mysecret

    A. See the explanation below
    B. PlaceHolder

  • Question 30:

    CORRECT TEXT Context

    A default-deny NetworkPolicy avoids to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.

    Task

    Create a new default-deny NetworkPolicy named defaultdeny in the namespace testing for all traffic of type Egress.

    The new NetworkPolicy must deny all Egress traffic in the namespace testing.

    Apply the newly created default-deny NetworkPolicy to all Pods running in namespace testing.

    A. See explanation below.
    B. PlaceHolder

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Linux Foundation exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CKS exam preparations and Linux Foundation certification application, do not hesitate to visit our Vcedump.com to find your solutions here.