Certified Kubernetes Security Specialist (CKS) Practice Exam: Test Your Knowledge 2025

Your organization requires that all Kubernetes API server communications must be encrypted and that anonymous authentication should be disabled. Which flags must be configured on the kube-apiserver to meet these requirements?

You need to configure a Kubernetes cluster to use a custom admission controller webhook that validates security policies before pod creation. The webhook service is running at https://admission-webhook.security.svc:443/validate. What is the correct approach to configure this?

A security audit reveals that the kubelet on worker nodes is accepting anonymous requests. You need to harden the kubelet configuration. Which kubelet configuration settings should be applied?

Your team needs to implement Role-Based Access Control (RBAC) to ensure that developers in the 'dev' namespace can only view pods and logs but cannot delete or modify them. Which RBAC configuration accomplishes this?

You discover that the Kubernetes dashboard is exposed with excessive permissions. What is the most secure way to restrict access to the dashboard?

Your organization's security policy requires minimizing the attack surface on Kubernetes nodes. Which system hardening measures should be implemented on the host operating system?

You need to configure AppArmor to restrict a container's capabilities. The AppArmor profile 'docker-nginx' is already loaded on the nodes. How should you apply this profile to a pod?

During a security assessment, you identify that containers are running with the CAP_SYS_ADMIN capability, which poses a security risk. How should you configure the pod to drop this capability?

You need to ensure that a pod runs with a read-only root filesystem to prevent runtime modifications. However, the application needs to write temporary files. What is the correct configuration?

An application requires access to cloud provider APIs. Following the principle of least privilege, how should you configure service authentication for pods?

Your security team requires that sensitive configuration data be encrypted at rest in etcd. What must be configured to enable this encryption?

You need to implement a security policy that prevents pods from running as root and requires them to run with a non-root user ID greater than 1000. Using Pod Security Standards, which approach is correct?

Before deploying container images to production, your organization requires scanning for vulnerabilities. Which approach implements this requirement in the CI/CD pipeline?

Your organization wants to ensure that only container images signed by trusted entities can be deployed to the cluster. What solution should be implemented?

You need to ensure that container images are pulled only from approved registries (registry.company.com and gcr.io/company-project). How should this be enforced?

Your security team requires maintaining an immutable record of all container images deployed in production, including their digests and build metadata. What approach best accomplishes this?

You need to implement audit logging to track all attempts to access secrets in the cluster, including who accessed them and when. What configuration is required?

During runtime, you observe suspicious process execution inside a container that appears to be a cryptomining attack. What runtime security tool and approach should be used to detect and prevent such threats?

You need to investigate why a pod in the production namespace was deleted. The pod is no longer running. What is the best way to determine who deleted it and when?

Your security monitoring system needs to detect when containers attempt to execute privileged operations they shouldn't have access to. What combination of tools and configurations provides comprehensive runtime security monitoring?