Free CKS Exam Questions - Linux Foundation CKS Exam

Linux Foundation CKS Exam

Certified Kubernetes Security Specialist

Total Questions: 44

Last Updated : 14-01-2022

Based on Official Syllabus Topics of Actual Linux Foundation CKS Exam

During the preparation, you can be confused about Linux Foundation exam question types, exam pattern, and allocated time to attempt questions of the Linux Foundation Kubernetes Security Specialist certification exam. Study4Exam helps you to remove these doubts with 3 formats of its Linux Foundation CKS exam preparation. We ensure that you will easily pass the Linux Foundation Certified Kubernetes Security Specialist exam either by using CKS PDF questions or taking the practice exam is web-based and desktop formats. You can prepare CKS practice questions in PDF format at any time and from any place with smartphones, laptops, or tablets. Preparation evaluation is very helpful to remove mistakes and successfully prepare for the Linux Foundation Kubernetes Security Specialist CKS exam. The Linux Foundation Kubernetes Security Specialist CKS practice exam is one of the key steps of your exam preparation plan to identify your preparation mistakes, strengthen weaker areas of the preparation, and get familiar with the actual exam environment. Web-based and desktop Linux Foundation CKS practice exams are available to help you do self-assessment.

How these Free Questions can help you Prepare for the actual Linux Foundation CKS Exam?

Understand the Actual CKS Exam Syllabus, Format, and Question Types

Get official information about the syllabus and format of the exam to set an effective study plan. This information helps you to know what type of questions and topics will appear in the Linux Foundation CKS exam. Don’t waste your time and concentrate on such learning content which is expected in the actual exam.

Self-Asses your preparation for the actual Linux Foundation Certified Kubernetes Security Specialist Exam

Manage your daily routine to ensure that you have the proper time to study for the Linux Foundation Certified Kubernetes Security Specialist exam every day. Sit in a calm environment and do hard work daily to cover the entire CKS exam syllabus. It is not possible to study one morning and pass the CKS exam the next day. If you want to get passing marks on the first attempt, prepare for the Linux Foundation CKS exam daily.

Linux Foundation CKS Questions

Q1.

Context:

Cluster:prod

Master node:master1

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context prod

Task:

Analyse and edit the given Dockerfile (based on theubuntu:18:04image)

/home/cert_masters/Dockerfilefixing two instructions present in the file being prominent security/best-practice issues.

Analyse and edit the given manifest file

/home/cert_masters/mydeployment.yamlfixing two fields present in the file being prominent security/best-practice issues.

Note:Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.

Should you need an unprivileged user for any of the tasks, use usernobodywith user id65535

AExplanation:
1. For Dockerfile:Fix the image version & user name in Dockerfile
2. For mydeployment.yaml : Fix security contexts
Explanation
[desk@cli] $vim /home/cert_masters/Dockerfile
FROM ubuntu:latest # Remove this
FROM ubuntu:18.04 # Add this
USER root # Remove this
USER nobody # Add this
RUN apt get install -y lsof=4.72 wget=1.17.1 nginx=4.2
ENV ENVIRONMENT=testing
USER root # Remove this
USER nobody # Add this
CMD ['nginx -d']

[desk@cli] $vim/home/cert_masters/mydeployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: kafka
name: kafka
spec:
replicas: 1
selector:
matchLabels:
app: kafka
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: kafka
spec:
containers:
- image: bitnami/kafka
name: kafka
volumeMounts:
- name: kafka-vol
mountPath: /var/lib/kafka
securityContext:
{'capabilities':{'add':['NET_ADMIN'],'drop':['all']},'privileged': True,'readOnlyRootFilesystem': False, 'runAsUser': 65535} # Delete This
{'capabilities':{'add':['NET_ADMIN'],'drop':['all']},'privileged': False,'readOnlyRootFilesystem': True, 'runAsUser': 65535} # Add This
resources: {}
volumes:
- name: kafka-vol
emptyDir: {}
status: {}
Pictorial View:
[desk@cli] $vim/home/cert_masters/mydeployment.yaml

Q2.

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context stage

Context:

A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.

Task:

1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods.

2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy.

3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development.

Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

AExplanation:
Create psp to disallow privileged container
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- ''deny-policy''
k create sa psp-denial-sa -n development
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: psp-denial-sa
namespace: development
Explanation
master1 $ vim psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: deny-policy
spec:
privileged: false # Don't allow privileged pods!
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- ''deny-policy''
master1 $k create sa psp-denial-sa -n development
master1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts:
- kind: ServiceAccount
name: psp-denial-sa
namespace: development
master1 $k apply -f psp.yaml
master1 $k apply -f cr1.yaml
master1 $k apply -f cb1.yaml

Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/
master1 $k apply -f cr1.yaml
master1 $k apply -f cb1.yaml
master1 $k apply -f psp.yaml
master1 $k apply -f cr1.yaml
master1 $k apply -f cb1.yaml

Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Q3.

You must complete this task on the following cluster/nodes: Cluster:immutable-cluster

Master node:master1

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context immutable-cluster

Context: It is best practice to design containers to be stateless and immutable.

Task:

Inspect Pods running in namespaceprodand delete any Pod that is either not stateless or not immutable.

Use the following strict interpretation of stateless and immutable:

1. Pods being able to store data inside containers must be treated as not stateless.

Note:You don't have to worry whether data is actually stored inside containers or not already.

2. Pods being configured to beprivilegedin any way must be treated as potentially not stateless or not immutable.

AExplanation:
k get pods -n prod
k get pod -n prod -o yaml | grep -E 'privileged|ReadOnlyRootFileSystem'
Delete the pods which do have any of these 2 properties
privileged:trueorReadOnlyRootFileSystem: false
[desk@cli]$k get pods -n prod
NAME READY STATUS RESTARTS AGE
cms 1/1 Running 0 68m
db 1/1 Running 0 4m
nginx 1/1 Running 0 23m
[desk@cli]$k get pod nginx -n prod -o yaml | grep -E 'privileged|RootFileSystem'
{'apiVersion':'v1','kind':'Pod','metadata':{'annotations':{},'creationTimestamp':null,'labels':{'run':'nginx'},'name':'nginx','namespace':'prod'},'spec':{'containers':[{'image':'nginx','name':'nginx','resources':{},'securityContext':{'privileged':true}}],'dnsPolicy':'ClusterFirst','restartPolicy':'Always'},'status':{}}
f:privileged: {}
privileged:true

[desk@cli]$k delete pod nginx -n prod
[desk@cli]$k get pod db -n prod -o yaml | grep -E 'privileged|RootFilesystem'

[desk@cli]$k delete pod cms -n prod

Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/
https://cloud.google.com/architecture/best-practices-for-operating-containers

Q4.

Cluster:admission-cluster

Master node:master

Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context admission-cluster

Context:

A container image scanner is set up on the cluster, but it's not yet fully integrated into the cluster's configuration. When complete, the container image scanner shall scan for and reject the use of vulnerable images.

Task:

You have to complete the entire task on the cluster's master node, where all services and files have been prepared and placed.

Given an incomplete configuration in directory /etc/Kubernetes/config and a functional container image scanner with HTTPS endpoint https://imagescanner.local:8181/image_policy:

1. Enable the necessary plugins to create an image policy

2. Validate the control configuration and change it to an implicit deny

3. Edit the configuration to point to the provided HTTPS endpoint correctly

Finally, test if the configuration is working by trying to deploy the vulnerable resource /home/cert_masters/test-pod.yml

Note: You can find the container image scanner's log file at /var/log/policy/scanner.log

AExplanation:
[master@cli] $cd /etc/Kubernetes/config
1. Edit kubeconfig to explicity deny
[master@cli] $vim kubeconfig.json
'defaultAllow': false # Change to false
2. fix server parameter by taking its value from ~/.kube/config
[master@cli] $cat /etc/kubernetes/config/kubeconfig.yaml | grep server
server:
3. EnableImagePolicyWebhook
[master@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this
Explanation
[desk@cli] $ssh master
[master@cli] $cd /etc/Kubernetes/config
[master@cli] $vim kubeconfig.json
{
'imagePolicy': {
'kubeConfigFile': '/etc/kubernetes/config/kubeconfig.yaml',
'allowTTL': 50,
'denyTTL': 50,
'retryBackoff': 500,
'defaultAllow': true # Delete this
'defaultAllow': false # Add this
}
}

Note:We can see a missing value here, so how from where i can get this value
[master@cli] $cat ~/.kube/config | grep server
or
[master@cli] $cat /etc/kubernetes/manifests/kube-apiserver.yaml

[master@cli] $vim /etc/kubernetes/config/kubeconfig.yaml

[master@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction # Delete This
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this

Reference:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
- --enable-admission-plugins=NodeRestriction # Delete This
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this
[master@cli] $vim /etc/kubernetes/manifests/kube-apiserver.yaml
- --enable-admission-plugins=NodeRestriction # Delete This
- --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook # Add this
- --admission-control-config-file=/etc/kubernetes/config/kubeconfig.json # Add this

Reference:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/

Q5.

Cluster:qa-cluster

Master node:masterWorker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context qa-cluster

Task:

Create a NetworkPolicy namedrestricted-policyto restrict access to Podproductrunning in namespacedev.

Only allow the following Pods to connect to Pod products-service:

1. Pods in the namespaceqa

2. Pods with labelenvironment: stage, in any namespace

AExplanation:
$k get ns qa --show-labels
NAME STATUS AGE LABELS
qa Active 47m env=stage
$k get pods -n dev --show-labels
NAME READY STATUS RESTARTS AGE LABELS
product 1/1 Running 0 3s env=dev-team
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: restricted-policy
namespace: dev
spec:
podSelector:
matchLabels:
env: dev-team
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
env: stage
- podSelector:
matchLabels:
env: stage
[desk@cli] $k get ns qa --show-labels
NAME STATUS AGE LABELS
qa Active 47m env=stage
[desk@cli] $k get pods -n dev --show-labels
NAME READY STATUS RESTARTS AGE LABELS
product 1/1 Running 0 3s env=dev-team
[desk@cli] $vim netpol2.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: restricted-policy
namespace: dev
spec:
podSelector:
matchLabels:
env: dev-team
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
env: stage
- podSelector:
matchLabels:
env: stage
[desk@cli] $k apply -f netpol2.yaml

Reference:https://kubernetes.io/docs/concepts/services-networking/network-policies/
[desk@cli] $k apply -f netpol2.yaml

Reference:https://kubernetes.io/docs/concepts/services-networking/network-policies/

Solutions:

Question: 1 Answer: A

Question: 2 Answer: A

Question: 3 Answer: A

Question: 4 Answer: A

Question: 5 Answer: A

Limited Time Offer

50%

Off

Get Premium CKS Questions as Interactive Practice Test or PDF

Note: If you see any error in these Linux Foundation Certified Kubernetes Security Specialist questions or answers, get in touch with us via email: support@study4exam.com.

CKS Exam Details

Linux Foundation CKS Exam Details

CKS Exam Syllabus

Linux Foundation CKS Exam Syllabus

Disscuss Linux Foundation CKS Topics, Questions or Ask Anything Related

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!