aba rocks practice test Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Certified Kubernetes Security Specialist (CKS) exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Certified Kubernetes Security Specialist (CKS)
You’re hardening a kubeadm-based cluster. A security review finds that kubelets accept unauthenticated requests from some internal IPs because an administrator previously added an argument to “make metrics scraping easy.” You must prevent anonymous access while still allowing metrics scraping by the monitoring stack without weakening node security. Which approach best satisfies this requirement?
A multi-tenant cluster uses separate namespaces per team. A new admission policy requires that only images from an internal registry are allowed, except for one namespace used by a controlled build system that must pull from external registries. You must enforce this with minimal operational overhead and strong guarantees that no other namespace can bypass it. Which solution is most appropriate?
During an audit you discover multiple teams run privileged Pods and mount the host filesystem, claiming they need it for debugging. You must reduce the blast radius immediately while still enabling controlled debugging workflows. Which is the best hardening strategy?
A CKS candidate is asked to harden an etcd data directory on control-plane nodes. The cluster uses systemd to manage services. The goal is to protect secrets at rest and reduce the impact of node-level compromise while keeping recoverability. Which choice best meets the goal?
You suspect a node has been partially compromised. You find that an attacker likely gained access through a container escape attempt and may have tampered with binaries. You need to reduce persistence and limit lateral movement without immediately rebuilding the entire cluster. Which action is the most appropriate first step from a system-hardening/incident-containment perspective?
A critical service must accept user-supplied YAML that is converted into Kubernetes resources by an internal controller. A pentest shows the controller can be tricked into creating Pods with hostPath mounts and elevated capabilities. You must minimize microservice vulnerabilities by preventing privilege escalation even if the controller is exploited. Which design is best?
Your organization mandates that application containers must not run as root and must not have Linux capabilities beyond the default. However, a legacy app requires binding to port 80 and currently runs as root. You must meet the policy without changing cluster-wide security posture. What is the best solution?
A supply-chain review finds that developers frequently deploy ‘latest’ tags and that image contents can change without notice. You must ensure workloads are immutable and verifiable, and prevent drift even if the registry is compromised after approval. Which approach best achieves this?
A CI system builds images and pushes them to a registry. You’re asked to prevent compromised CI runners from injecting malicious binaries while still allowing fast builds. You need a Kubernetes-native control that enforces that only images built from an approved pipeline and signed with an authorized key can run in the cluster. What is the best solution?
Runtime monitoring shows intermittent suspicious outbound connections from a Pod, but logs are incomplete. You need to detect and block similar behavior in the future with minimal false positives, and you must capture forensic evidence of process activity (execs, file opens, network connections) when it occurs. Which solution is most appropriate?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Certified Kubernetes Security Specialist (CKS) exam!
Certified Kubernetes Security Specialist (CKS) Advanced Practice Exam FAQs
aba rocks practice test is a professional certification from the Cloud Native Computing Foundation (CNCF) that validates expertise in Certified Kubernetes Security Specialist (CKS) technologies and concepts. The official exam code is CKS.
The aba rocks practice test advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the CKS exam.
While not required, we recommend mastering the aba rocks practice test beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 67% on the aba rocks practice test advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.