Free CKS Exam Questions - Linux Foundation CKS Exam

Linux Foundation CKS Exam

Certified Kubernetes Security Specialist

Total Questions: 48

Last Updated : 21-10-2024

Get Premium Files

Linux Foundation CKS Exam - Prepare from Latest, Not Redundant Questions!

Many candidates desire to prepare their Linux Foundation CKS exam with the help of only updated and relevant study material. But during their research, they usually waste most of their valuable time with information that is either not relevant or outdated. Study4Exam has a fantastic team of subject-matter experts that make sure you always get the most up-to-date preparatory material. Whenever there is a change in the syllabus of the Certified Kubernetes Security Specialist exam, our team of experts updates CKS questions and eliminates outdated questions. In this way, we save you money and time.

Linux Foundation CKS Exam Sample Questions:

Q1.

Cluster:scanner Master node:controlplane Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context scanner

Given: You may use Trivy's documentation.

Task: Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespacenato.

Look for images withHighorCriticalseverity vulnerabilities and delete the Pods that use those images. Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.

AExplanation:

Q2.

Cluster: dev

Master node:master1 Worker node:worker1

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context dev

Task: Retrieve the content of the existing secret namedadamin thesafenamespace.

Store the username field in a file names/home/cert-masters/username.txt, and the password field in a file named/home/cert-masters/password.txt.

1. You must create both files; they don't exist yet. 2. Do not use/modify the created files in the following steps, create new temporary files if needed.

Create a new secret namesnewsecretin thesafenamespace, with the following content: Username:dbadmin Password:moresecurepas

Finally, create a new Pod that has access to the secretnewsecretvia a volume:

Namespace: safe

Pod name: mysecret-pod

Container name: db-container

Image: redis

Volume name: secret-vol

Mount path: /etc/mysecret

AExplanation:

Q3.

You must complete this task on the following cluster/nodes: Cluster:trace Master node:master Worker node:worker1 You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context trace Given: You may use Sysdig or Falco documentation. Task: Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Podtomcat. Two tools are available to use: 1. falco 2. sysdig Tools are pre-installed on the worker1 node only. Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes. Store an incident file at/home/cert_masters/report, in the following format: [timestamp],[uid],[processName] Note:Make sure to store incident file on the cluster's worker node, don't move it to master node.

AExplanation:
$vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
$kill -1 <PID of falco>
Explanation
[desk@cli] $ssh node01
[node01@cli] $vim /etc/falco/falco_rules.yaml
search for Container Drift Detected & paste in falco_rules.local.yaml
[node01@cli] $vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
[node01@cli] $vim /etc/falco/falco.yaml

Q4.

You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context qa Context: A pod fails to run because of an incorrectly specified ServiceAccount Task: Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret. Edit the frontend pod yaml to use backend-qa service account Note:You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml

AExplanation:
[desk@cli] $k create sa backend-qa -n qa
sa/backend-qa created

[desk@cli] $k get role,rolebinding -n qa
No resources found in qa namespace.

[desk@cli] $k create role backend -n qa --resource pods,namespaces,configmaps --verb list
#No access to secret

[desk@cli] $k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa

[desk@cli] $vim /home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
serviceAccountName: backend-qa # Add this
image: nginx
name: frontend
[desk@cli] $k apply -f /home/cert_masters/frontend-pod.yaml
pod created
[desk@cli] $k create sa backend-qa -n qa
serviceaccount/backend-qa created

[desk@cli] $k get role,rolebinding -n qa
No resources found in qa namespace.

[desk@cli] $k create role backend -n qa --resource pods,namespaces,configmaps --verb list
role.rbac.authorization.k8s.io/backend created

[desk@cli] $k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa
rolebinding.rbac.authorization.k8s.io/backend created

[desk@cli] $vim /home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
serviceAccountName: backend-qa # Add this
image: nginx
name: frontend
[desk@cli] $k apply -f /home/cert_masters/frontend-pod.yaml
pod/frontend created

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Q5.

Context

AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet.

q5_CKS

Task

On the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor.

Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile.

Finally, apply the manifest file and create the Pod specified in it.

AExplanation:

Solutions:

Question: 1 Answer: A

Question: 2 Answer: A

Question: 3 Answer: A

Question: 4 Answer: A

Question: 5 Answer: A

Disscuss Linux Foundation CKS Topics, Questions or Ask Anything Related

Submit Cancel

− ∔

Bentley 3 days ago

I am truly surprised that Ive passed the security specialist cks exam with such a high score of 91%. Almost all questions were from the premium set with a little changes. but that was ok for me as I practiced a lot and understood each practice question deeply.

upvoted 1 times

...