Summer Special 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: bestdeal

Free Linux Foundation CKS Practice Exam with Questions & Answers

Questions 1

CKS Question 1

CKS Question 1

Two tools are pre-installed on the cluster's worker node:

CKS Question 1sysdig

CKS Question 1falco

Using the tool of your choice (including any non pre-installed tool), analyze the container's behavior for at least 30 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at /opt/KSRS00101/alerts/details, containing the detected incidents, one per line, in the following format:

CKS Question 1

The following example shows a properly formatted incident file:

CKS Question 1

CKS Question 1

CKS Question 1

Options:
Linux Foundation CKS Premium Access
Questions 2

You must complete this task on the following cluster/nodes: Cluster: immutable-cluster

Master node: master1

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $  kubectl config use-context immutable-cluster 

Context: It is best practice to design containers to be stateless and immutable.

Task:

Inspect Pods running in namespace prod and delete any Pod that is either not stateless or not immutable.

Use the following strict interpretation of stateless and immutable:

1. Pods being able to store data inside containers must be treated as not stateless. 

Note: You don't have to worry whether data is actually stored inside containers or not already.

2. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.

Options:
Questions 3

You must complete this task on the following cluster/nodes:

Cluster: trace

Master node: master

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context trace   

Given: You may use Sysdig or Falco documentation. 

Task:

Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Pod tomcat

Two tools are available to use:

1.    falco

2.   sysdig

Tools are pre-installed on the worker1 node only.

Analyse the container’s behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes. 

Store an incident file at /home/cert_masters/report, in the following format:

[timestamp],[uid],[processName]

Note: Make sure to store incident file on the cluster's worker node, don't move it to master node.

Options:
Questions 4

CKS Question 4

Context

A CIS Benchmark tool was run against the kubeadm-created cluster and found multiple issues that must be addressed immediately.

Task

Fix all issues via configuration and restart the affected components to ensure the new settings take effect.

Fix all of the following violations that were found against the API server:

CKS Question 4

Fix all of the following violations that were found against the Kubelet:

CKS Question 4

CKS Question 4

Fix all of the following violations that were found against etcd:

CKS Question 4

Options:
Questions 5

Context:

Cluster: gvisor

Master node: master1

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context gvisor

Context: This cluster has been prepared to support runtime handler, runsc as well as traditional one.

Task:

Create a RuntimeClass named not-trusted using the prepared runtime handler names runsc.

Update all Pods in the namespace server to run on newruntime.

Options:
Questions 6

On the Cluster worker node, enforce the prepared AppArmor profile

  • #include
  •  
  • profile nginx-deny flags=(attach_disconnected) {
  •   #include <abstractions/base>
  •  
  •   file,
  •  
  •   # Deny all file writes.
  •   deny /** w,
  • }
  • EOF'

Edit the prepared manifest file to include the AppArmor profile.

  • apiVersion: v1
  • kind: Pod
  • metadata:
  •   name: apparmor-pod
  • spec:
  •   containers:
  •   - name: apparmor-pod
  •     image: nginx

Finally, apply the manifests files and create the Pod specified on it.

Verify: Try to make a file inside the directory which is restricted.

Options:
Questions 7

Create a User named john, create the CSR Request, fetch the certificate of the user after approving it.

Create a Role name john-role to list secrets, pods in namespace john

Finally, Create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.

To Verify: Use the kubectl auth CLI command to verify the permissions.

Options:
Questions 8

CKS Question 8

Context

This cluster uses containerd as CRI runtime.

Containerd's default runtime handler is runc. Containerd has been prepared to support an additional runtime handler, runsc (gVisor).

Task

Create a RuntimeClass named sandboxed using the prepared runtime handler named runsc.

Update all Pods in the namespace server to run on gVisor.

CKS Question 8

Options:
Questions 9

CKS Question 9

Task

Create a NetworkPolicy named pod-access to restrict access to Pod users-service running in namespace dev-team.

Only allow the following Pods to connect to Pod users-service:

CKS Question 9Pods in the namespace qa

CKS Question 9Pods with label environment: testing, in any namespace

CKS Question 9

CKS Question 9

Options:
Questions 10

Create a PSP that will prevent the creation of privileged pods in the namespace.

Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.

Create a new ServiceAccount named psp-sa in the namespace default.

Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.

Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.

Also, Check the Configuration is working or not by trying to Create a  Privileged pod, it should get failed.

Options:
Exam Code: CKS
Certification Provider: Linux Foundation
Exam Name: Certified Kubernetes Security Specialist (CKS)
Last Update: Jul 9, 2025
Questions: 48

How to Pass CKS Exams

PDF + Testing Engine
$164.99
$66
Add to Cart
Testing Engine
$124.99
$50
Add to Cart
PDF (Q&A)
$104.99
$42
Add to Cart

Linux Foundation Related Exams

CKAD - Certified Kubernetes Application Developer (CKAD) Program
KCNA - Kubernetes and Cloud Native Associate (KCNA)
LFCA - Linux Foundation Certified IT Associate
CKA - Certified Kubernetes Administrator (CKA) Program
LFCS - Linux Foundation Certified System Administrator
HFCP - Hyperledger Fabric Certified Practitioner (HFCP) Exam
Linux Foundation Free Access
Get Linux Foundation Full Access

Linux Foundation Free Exams
Linux Foundation Free Exams
Enhance your Linux Foundation exam prep with free resources and practice tests from Examstrack. Achieve Linux Foundation certification success by exploring Examstrack.