CKS Exam Details

  • Exam Code
    :CKS
  • Exam Name
    :Linux Foundation Certified Kubernetes Security Specialist (CKS)
  • Certification
    :Linux Foundation Certifications
  • Vendor
    :Linux Foundation
  • Total Questions
    :46 Q&As
  • Last Updated
    :Jul 08, 2026

Linux Foundation CKS Online Questions & Answers

  • Question 31:

    Task

    Analyze and edit the given Dockerfile /home/candidate/KSSC00301/Docker file (based on the ubuntu:16.04 image), fixing two instructions present in the file that are prominent security/best-practice issues. Analyze and edit the given manifest file /home/candidate/KSSC00301/deployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues.

    A. See explanation below.
    B. PlaceHolder

  • Question 32:

    Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default.

    Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and Verify that the pod is able to list pods.

    Ensure that the Pod is running.

    A. See the below:
    B. PlaceHolder

  • Question 33:

    Create a PSP that will prevent the creation of privileged pods in the namespace.

    Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.

    Create a new ServiceAccount named psp-sa in the namespace default.

    Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.

    Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.

    Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

    A. See the below.
    B. PlaceHolder

  • Question 34:

    Service is running on port 389 inside the system, find the process-id of the process, and stores the names of all the open-files inside the /candidate/KH77539/files.txt, and also delete the binary.

    A. See explanation below.
    B. PlaceHolder

  • Question 35:

    Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.

    Create a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.

    A. See the explanation below:
    B. PlaceHolder

  • Question 36:

    A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately.

    Fix all issues via configuration and restart the affected components to ensure the new settings take effect. Fix all of the following violations that were found against the API server:

    Fix all of the following violations that were found against the Kubelet:

    Fix all of the following violations that were found against etcd:

    A. See explanation below.
    B. PlaceHolder

  • Question 37:

    Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in /candidate/KSC00124.txt

    Create a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.

    Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod's ServiceAccount ( found in the Nginx pod running in namespace test- system).

    A. See explanation below.
    B. PlaceHolder

  • Question 38:

    Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

    kubesec-test.yaml

    1. apiVersion: v1

    2. kind: Pod

    3. metadata:

    4. name: kubesec-demo

    5. spec:

    6. containers:

    7. - name: kubesec-demo

    8. image: gcr.io/google-samples/node-hello:1.0

    9. securityContext:

    10.readOnlyRootFilesystem: true

    Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

    A. See explanation below.
    B. PlaceHolder

  • Question 39:

    CORRECT TEXT Your organization's security policy includes:

    1. ServiceAccounts must not automount API credentials

    2. ServiceAccount names must end in "-sa"

    The Pod specified in the manifest file /home/candidate/KSCH00301 /pod-m

    nifest.yaml fails to schedule because of an incorrectly specified ServiceAccount.

    Complete the following tasks:

    Task

    1. Create a new ServiceAccount named frontend-sa in the existing namespace qa. Ensure the ServiceAccount does not automount API credentials.

    2. Using the manifest file at /home/candidate/KSCH00301 /pod-manifest.yaml, create the Pod.

    3. Finally, clean up any unused ServiceAccounts in namespace qa.

    A. See the explanation below
    B. PlaceHolder

  • Question 40:

    Cluster: scanner

    Master node: controlplane

    Worker node: worker1

    You can switch the cluster/configuration context using the following command:

    [desk@cli] $ kubectl config use-context scanner

    Given:

    You may use Trivy's documentation.

    Task:

    Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.

    Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.

    Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.

    A. See the explanation below
    B. PlaceHolder

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Linux Foundation exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CKS exam preparations and Linux Foundation certification application, do not hesitate to visit our Vcedump.com to find your solutions here.