Linux Foundation CKS Study & Exam Dumps 2025

Certified Kubernetes Security Specialist (CKS) Questions and Answers

Question 1

Context

The kubeadm-created cluster's Kubernetes API server was, for testing purposes, temporarily configured to allow unauthenticated and unauthorized access granting the anonymous user duster-admin access.

Task

Reconfigure the cluster's Kubernetes API server to ensure that only authenticated and authorized REST requests are allowed.

Use authorization mode Node,RBAC and admission controller NodeRestriction.

Cleaning up, remove the ClusterRoleBinding for user system:anonymous.

Options:

Buy Now

Question 2

Documentation Deployments, Pods, bom Command Help bom-help

You must connect to the correct host. Failure to do so may result in a zero score.

[candidate@base] $ ssh cks000035

Task

The alpine Deployment in the alpine namespace has three containers that run different versions of the alpine image.

First, find out which version of the alpine image contains the libcrypto3 package at version 3.1.4-r5.

Next, use the pre-installed bom tool to create an SPDX document for the identified image version at /home/candidate/alpine.spdx.

You can find the bom tool documentation at bom.

Finally, update the alpine Deployment and remove the container that uses the idenfied image version.

The Deployment's manifest file can be found at /home/candidate/alpine-deployment.yaml.

Do not modify any other containers of the Deployment.

Options:

Answer:

See the Explanation below for complete solution.

Explanation:

1) Connect to the correct host

ssh cks000035

sudo -i

export KUBECONFIG=/etc/kubernetes/admin.conf

2) List the 3 container names + images in the Deployment

kubectl -n alpine get deploy alpine -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}'

You’ll get 3 lines like:

c1 alpine:3.xx

c2 alpine:3.yy

c3 alpine:3.zz

3) Identify which alpine image has libcrypto3 at 3.1.4-r5

Fastest reliable method (since it’s Alpine, just query apk inside each image):

Run these one-by-one for each image you saw in step 2:

docker run --rm sh -c 'apk info -v libcrypto3 2>/dev/null | head -n1'

✅ The correct image is the one that prints exactly:

libcrypto3-3.1.4-r5

Note that full image tag, e.g.:

IMG=alpine:3.xx

4) Create SPDX document with bom for that identified image

(Use the identified image from step 3.)

bom generate --image $IMG --format spdx --output /home/candidate/alpine.spdx

Verify file exists:

ls -l /home/candidate/alpine.spdx

5) Remove ONLY the container that uses that image version

The manifest to edit is:

vi /home/candidate/alpine-deployment.yaml

In the spec.template.spec.containers: list, find the container entry whose image: equals the identified $IMG, and delete that one container block only (name/image/ports/etc for that container).

Save:

6) Apply the updated Deployment (do not change other containers)

kubectl apply -f /home/candidate/alpine-deployment.yaml

Wait rollout:

kubectl -n alpine rollout status deployment/alpine

7) Verify only 2 containers remain

kubectl -n alpine get deploy alpine -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}'

You should now see 2 lines, and the $IMG line should be gone.

If bom generate ... errors (quick fix)

Check exact syntax on that system:

bom --help

bom generate --help

Then rerun with the flags it expects, keeping:

image = $IMG

output = /home/candidate/alpine.spdx

format = spdx

Question 3

Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.

Fix all of the following violations that were found against the API server:-

a. Ensure that the RotateKubeletServerCertificate argument is set to true.

b. Ensure that the admission control plugin PodSecurityPolicy is set.

c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

Fix all of the following violations that were found against the Kubelet:-

a. Ensure the --anonymous-auth argument is set to false.

b. Ensure that the --authorization-mode argument is set to Webhook.

Fix all of the following violations that were found against the ETCD:-

a. Ensure that the --auto-tls argument is not set to true

b. Ensure that the --peer-auto-tls argument is not set to true

Hint: Take the use of Tool Kube-Bench

Options:

Answer:

See the Explanation below.

Explanation:

Fix all of the following violations that were found against the API server:-

a. Ensure that the RotateKubeletServerCertificate argument is set to true.

apiVersion: v1

kind: Pod

metadata:

creationTimestamp: null

labels:

component: kubelet

tier: control-plane

namespace: kube-system

spec:

containers:

- command:

- kube-controller-manager

+ - --feature-gates=RotateKubeletServerCertificate=true

image: gcr.io/google_containers/kubelet-amd64:v1.6.0

livenessProbe:

failureThreshold: 8

httpGet:

host: 127.0.0.1

path: /healthz

port: 6443

scheme: HTTPS

initialDelaySeconds: 15

timeoutSeconds: 15

resources:

requests:

cpu: 250m

volumeMounts:

- mountPath: /etc/kubernetes/

readOnly: true

- mountPath: /etc/ssl/certs

- mountPath: /etc/pki

hostNetwork: true

volumes:

- hostPath:

path: /etc/kubernetes

- hostPath:

path: /etc/ssl/certs

- hostPath:

path: /etc/pki

b. Ensure that the admission control plugin PodSecurityPolicy is set.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

- flag: "--enable-admission-plugins"

compare:

op: has

value: "PodSecurityPolicy"

set: true

remediation: |

Follow the documentation and create Pod Security Policy objects as per your environment.

Then, edit the API server pod specification file $apiserverconf

on the master node and set the --enable-admission-plugins parameter to a

value that includes PodSecurityPolicy :

--enable-admission-plugins=...,PodSecurityPolicy,...

Then restart the API Server.

scored: true

c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.

audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"

tests:

test_items:

- flag: "--kubelet-certificate-authority"

set: true

remediation: |

Follow the Kubernetes documentation and setup the TLS connection between the

apiserver and kubelets. Then, edit the API server pod specification file

$apiserverconf on the master node and set the --kubelet-certificate-authority

parameter to the path to the cert file for the certificate authority.

--kubelet-certificate-authority=

scored: true

Fix all of the following violations that were found against the ETCD:-

a. Ensure that the --auto-tls argument is not set to true

Edit the etcd pod specification file $etcdconf on the master

node and either remove the --auto-tls parameter or set it to false.

--auto-tls=false

b. Ensure that the --peer-auto-tls argument is not set to true

Edit the etcd pod specification file $etcdconf on the master

node and either remove the --peer-auto-tls parameter or set it to false.

--peer-auto-tls=false

Get Free CKS Questions and Answers

Week End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Linux Foundation CKS Exam With Confidence Using Practice Dumps

CKS: Kubernetes Security Specialist Exam 2025 Study Guide Pdf and Test Engine

Related Linux Foundation Exams

Certified Kubernetes Security Specialist (CKS) Questions and Answers

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce