Certified Kubernetes Security Specialist (CKS) Exam Dumps 2023


Certified Kubernetes Security Specialist (CKS) Practice Tests 2023. Contains 120+ exam questions to pass the exam on the first attempt.

SkillCertPro offers real exam questions for practice for all major IT certifications.

- For a full set of 120+ questions, go to https://skillcertpro.com/product/certified-kubernetes-security-specialist-cksexam-questions/

- SkillCertPro offers detailed explanations for each question, which help you understand the concepts better.

- It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.

- SkillCertPro updates exam questions every 2 weeks.

- You will get lifetime access and lifetime free updates.

- SkillCertPro assures a 100% pass guarantee on the first attempt.

Below are the 10 free sample questions.

Question 1:

Which of the following are potential security issues that you might find in a Dockerfile? (Choose 3)

A. USER 0

B. FROM alpine:latest

C. ENV user_svc_password=12345

D. USER nobody

Answer: A, B, C

Explanation:

A: This could cause containers to run with the root user by default.

B: It is better from a security standpoint to use a specific version in the FROM directive.

C: This directive would cause a sensitive password to be stored within the image.

Question 2:

Which of the following is a tool you could use to scan container images for known software vulnerabilities from the command line?

A. Trivy

B. Falco

C. kubectl

D. OPA Gatekeeper

Answer: A

Explanation:

Trivy can be used from the command line to scan images for known vulnerabilities.

Question 3:

How can you validate an image using an image signature hash in Kubernetes before running a container using the image?

A. Use the kubectl image validate command.

B. Kubernetes does not have a way to do this built-in.

C. Add the hash to the imageHash field in the container spec.

D. Include the hash when referencing the image in a Pod spec.

Answer: D

Explanation:

When referencing an image, you can include the hash after the image name and tag.

Question 4:

In the ImagePolicyWebhook admission controller configuration, which setting would cause images to be denied when the backend webhook service cannot be reached?

A. defaultDeny: true

B. defaultAllow: true

C. defaultAllow: false

D. default: false

Answer: C

Explanation:

This setting would deny images if the backend webhook service cannot be reached.

Question 5:

When using ImagePolicyWebhook, where is the URL of the backend webhook service configured?

A. The admission control config file

B. A ConfigMap called ImagePolicyWebhookConfig

C. The kube-apiserver manifest file

D. A kubeconfig file

Answer: D

Explanation:

ImagePolicyWebhook uses a kubeconfig to configure settings related to the backend webhook service.


Question 6:

Which tool could you use to whitelist image registries to be used within the cluster?

A. OPA Gatekeeper

B. Falco

C. PodSecurityPolicy

D. AppArmor

Answer: A

Explanation:

OPA Gatekeeper can be used to create a constraint that controls which registries are allowed.

Question 7:

You have a pod that needs access to list pods and watch secrets in a namespace via the Kubernetes API. Which of the following is the best strategy from a security standpoint?

A. Create a role that has permissions to perform all actions on all resources, then bind it to the pod's ServiceAccount.

B. Create a role with permission to list pods, and another role with permission to watch secrets, then bind both roles to the pod's ServiceAccount.

C. Create a single role that has the necessary access to both pods and secrets, then bind it to the pod's ServiceAccount.

D. Refactor the application so that the pod does not need access to both pods and secrets.

Answer: B

Explanation:

This approach does not provide too many permissions, and it keeps the RBAC setup more manageable by providing granular permissions via multiple roles.

Question 8:

What does a ServiceAccount do?

A. It allows an external, automated process to interact with Kubernetes.

B. It defines a set of shared permissions that can be assigned to multiple users.

C. It defines which permissions a container process has to interact with the host.

D. It allows a container to authenticate with the Kubernetes API.

Answer: D

Explanation:

A ServiceAccount provides a way for a container to authenticate with the Kubernetes API.

Question 9:

How can you help protect against security vulnerabilities in Kubernetes itself?

A. Keep Kubernetes up-to-date.

B. Verify your Kubernetes binaries.

C. Install Kubernetes using kubeadm.

D. Run a CIS benchmark.

Answer: A

Explanation:

Keeping Kubernetes up to date will ensure that your cluster contains the latest security patches.

Question 10:

Which of the following are ways to restrict access to the Kubernetes API? (Choose 2)

A. Limiting network access.

B. Disable the API.

C. It is not necessary to restrict access to the API.

D. RBAC.

Answer: A, D

Explanation:

Limiting network access to port 6443 on a control plane node can prevent malicious users from trying to interact with the API.

You can use RBAC to control what a user can and cannot do via the API.
