$0.00
Linux-Foundation CKS Exam Dumps
Certified Kubernetes Security Specialist (CKS)
Total Questions : 48
Update Date : July 15, 2024
PDF + Test Engine
$65 $95
Test Engine
$55 $85
PDF Only
$45 $75
Last Week CKS Exam Results
265
Customers Passed Linux-Foundation CKS Exam
96%
Average Score In Real CKS Exam
99%
Questions came from our CKS dumps.
Real Linux-Foundation CKS Dumps With 100% Passing Guarantee
Congratulations on taking the first step towards achieving the prestigious CKS certification! At Pass4SureHub, we are committed to helping you excel in your career by providing top-notch dumps for the CKS exam. With our comprehensive and well-crafted resources, we offer you a 100% passing guarantee, ensuring your success in the certification journey.
Why Choose Pass4SureHub for CKS Exam Preparation?
Expertly Curated Study Guides: Our study guides are meticulously crafted by experts who possess a deep understanding of the CKS exam objectives. These CKS dumps cover all the essential topics.
Linux-Foundation CKS Online Test Engine
Practice makes perfect, and our online CKS practice mode are designed to replicate the actual test environment. With timed sessions, you'll experience the pressure of the real exam and become more confident in managing your time during the test and you can assess your knowledge and identify areas for improvement.
Linux-Foundation CKS Detailed Explanations for Answers
Understanding your mistakes is crucial for improvement. Our practice CKS questions answers come with detailed explanations for each question, helping you comprehend the correct approach and learn from any errors.
Dedicated Support of CKS Exam
Our support team is here to assist you every step of the way. If you have any queries or need guidance, regarding CKS Exam Question Answers then feel free to reach out to us. We are dedicated to your success and are committed to providing prompt and helpful responses.
Join the Community of Successful Professionals of Linux-Foundation CKS Exam
Pass4SureHub takes pride in the countless success stories of individuals who have achieved their Linux-Foundation CKS certification with our real exam dumps. You can be a part of this community of accomplished professionals who have unlocked new career opportunities and gained recognition in the IT industry.
Your Success is Guaranteed
With Pass4SureHub's CKS exam study material and 100% passing guarantee, you can approach the certification exam with confidence and assurance. We are confident that our comprehensive resources, combined with your dedication and hard work, will lead you to success.
Linux-Foundation CKS Sample Question Answers
Linux-Foundation CKS Sample Questions
Question # 1Given an existing Pod named test-web-pod running in the namespace test-system Edit the existing Role bound to the Pod's Service Account named sa-backend to only allow performing get operations on endpoints. Create a new Rolenamed test-system-role-2 in the namespace test-system, which can perform patch operations, on resources of type statefulsets. Create a new RoleBinding named test-system-role-2-binding binding the newly created Role to the Pod's ServiceAccount sa-backend.
Question # 2
Create a network policy named restrict-np to restrict to pod nginx-test running in namespace testing. Only allow the following Pods to connect to Pod nginx-test:- 1. pods in the namespace default 2.pods with label version:v1 in any namespace. Make sure to apply the network policy.
Question # 3
Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.
Question # 4
Create aRuntimeClass named gvisor-rc using the prepared runtime handler named runsc. Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class
Question # 5
A container image scanner is set up on the cluster. Given an incomplete configuration in the directory /etc/Kubernetes/confcontrol and a functional container image scanner with HTTPSendpoint https://acme.local.8081/image_policy 1. Enable the admission plugin. 2. Validate the control configuration and change it to implicit deny. Finally, test the configuration by deploying the pod having the image tag as the latest.
Question # 6
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context dev A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined. Task: Create a new default-deny NetworkPolicy named deny-network in the namespace test for all traffic of type Ingress + Egress The new NetworkPolicy must deny all Ingress + Egress traffic in the namespace test. Apply the newly created default-deny NetworkPolicy to all Pods running in namespace test. You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml
Question # 7
On the Cluster worker node, enforce the prepared AppArmor profile #include<tunables/global> profile docker-nginx flags=(attach_disconnected,mediate_deleted) { #include<abstractions/base> network inet tcp, network inet udp, network inet icmp, deny network raw, deny network packet, file, umount, deny /bin/** wl, deny /boot/** wl, deny /dev/** wl, deny /etc/** wl, deny /home/** wl, deny /lib/** wl, deny /lib64/** wl, deny /media/** wl, deny /mnt/** wl, deny /opt/** wl, deny /proc/** wl, deny /root/** wl, deny /sbin/** wl, deny /srv/** wl, deny /tmp/** wl, deny /sys/** wl, deny /usr/** wl, audit /** w, /var/run/nginx.pid w, /usr/sbin/nginx ix, deny /bin/dash mrwklx, deny /bin/sh mrwklx, deny /usr/bin/top mrwklx, capability chown, capability dac_override, capability setuid, capability setgid, capability net_bind_service, deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) # deny write to files not in /proc/<number>/** or /proc/sys/** deny@{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w, deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel) deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/ deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, deny @{PROC}/kcore rwklx, deny mount, deny /sys/[^f]*/** wklx, deny /sys/f[^s]*/** wklx, deny /sys/fs/[^c]*/** wklx, deny /sys/fs/c[^g]*/** wklx, deny /sys/fs/cg[^r]*/** wklx, deny /sys/firmware/** rwklx, deny /sys/kernel/security/** rwklx, } Edit the prepared manifest file to include the AppArmor profile. apiVersion: v1 kind: Pod metadata: name:apparmor-pod spec: containers: - name: apparmor-pod image: nginx Finally, apply the manifests files and create the Pod specified on it. Verify: Try to use command ping, top, sh
Question # 8
use the Trivy to scan the following images, 1. amazonlinux:1 2. k8s.gcr.io/kube-controller-manager:v1.18.6 Look for images with HIGH or CRITICAL severity vulnerabilities and store theoutput of the same in /opt/trivy-vulnerable.txt
Question # 9
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context prod-account Context: A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions. Task: Given an existing Pod named web-pod running in the namespace database. 1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods. 2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statuefulsets. 3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount. Note: Don't delete the existing RoleBinding.
Question # 10
You can switch the cluster/configuration context using the following command: [desk@cli] $ kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount pspdenial-sa
Question # 11
A container image scanner is set up on the cluster.Given an incomplete configuration in thedirectory/etc/kubernetes/confcontrol and a functional container image scanner with HTTPS endpointhttps://test-server.local.8081/image_policy1. Enable the admission plugin.2. Validate the control configuration and change it to implicit deny.Finally,test the configuration by deploying the pod having the image tag as latest.
Question # 12
Create a PSP that will prevent the creation ofprivileged pods in the namespace. Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods. Create a new ServiceAccount named psp-sa in the namespace default. Create a new ClusterRole namedprevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy. Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa. Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.
Question # 13
Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that1. logs are stored at /var/log/kubernetes/kubernetes-logs.txt.2. Log files are retainedfor5 days.3. at maximum, a number of 10 old audit logs files are retained.Edit and extend the basic policy to log:1. Cronjobs changes at RequestResponse2. Log the request body of deployments changesinthenamespacekube-system.3. Log all other resourcesincoreandextensions at the Request level.4. Don't log watch requests by the "system:kube-proxy" on endpoints or
Question # 14
Create a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic
Question # 15
Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points. kubesec-test.yaml apiVersion: v1 kind: Pod metadata: name: kubesec-demo spec: containers: - name: kubesec-demo image: gcr.io/google-samples/node-hello:1.0 securityContext: readOnlyRootFilesystem:true Hint: docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin <kubesec-test.yaml
Reviews From Our Customers
Copyright © Pass4sureHub. All rights reserved.