CKS Online Practice Questions


Latest CKS Exam Practice Questions

The practice questions for the CKS exam were last updated on 2025-06-03.


Question#1

Omit the Stage RequestReceived
All other requests at the Metadata level

A. Kubernetes auditing provides a security-relevant, chronological set of records about a cluster. The kube-apiserver performs auditing: each request, at each stage of its execution, generates an event, which is then pre-processed according to a certain policy and written to a backend. The policy determines what is recorded and the backends persist the records. You might want to configure the audit log as part of compliance with the CIS (Center for Internet Security) Kubernetes Benchmark controls.
The audit log can be enabled with the following configuration in cluster.yml:
services:
  kube-api:
    audit_log:
      enabled: true
When the audit log is enabled, you should be able to see the default values at
/etc/kubernetes/audit-policy.yaml
The log backend writes audit events to a file in JSONlines format. You can configure the log audit backend using the following kube-apiserver flags:
✑ --audit-log-path specifies the log file path that the log backend uses to write audit events. Not specifying this flag disables the log backend; a value of - means standard output.
✑ --audit-log-maxage defines the maximum number of days to retain old audit log files.
✑ --audit-log-maxbackup defines the maximum number of audit log files to retain.
✑ --audit-log-maxsize defines the maximum size in megabytes of the audit log file before it gets rotated.
If your cluster's control plane runs the kube-apiserver as a Pod, remember to mount the hostPath to the location of the policy file and log file, so that audit records are persisted.
For example:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml \
--audit-log-path=/var/log/audit.log
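As an added example (not from the original page), the policy file that satisfies the requirement stated in the question, followed by the matching kube-apiserver flags and hostPath mounts; the manifest path, the image tag and the retention values are assumptions.

```yaml
# Added example (not from the original page): an audit policy that omits
# the RequestReceived stage and records all other requests at Metadata.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"
rules:
  - level: Metadata
---
# kube-apiserver static Pod, abbreviated to the audit-related fields
# (path assumed: /etc/kubernetes/manifests/kube-apiserver.yaml). Policy
# and log files are mounted from the host so records persist across
# Pod restarts; the maxage/maxbackup/maxsize values are constructed.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:<version>   # placeholder tag
    command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    volumeMounts:
    - name: audit-policy
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
    - name: audit-log
      mountPath: /var/log/audit.log
  volumes:
  - name: audit-policy
    hostPath:
      path: /etc/kubernetes/audit-policy.yaml
      type: File
  - name: audit-log
    hostPath:
      path: /var/log/audit.log
      type: FileOrCreate
```

The static Pod is restarted by the kubelet when the manifest changes; if the API server does not come back, check the container log for a typo in the policy file, since an invalid policy prevents startup.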

Question#2

Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.

A. k get pods -n prod
k get pod <pod-name> -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
Delete the pods that have either of these two properties: privileged: true or readOnlyRootFilesystem: false.
[desk@cli]$ k get pods -n prod
NAME    READY   STATUS    RESTARTS   AGE
cms     1/1     Running   0          68m
db      1/1     Running   0          4m
nginx   1/1     Running   0          23m
[desk@cli]$ k get pod nginx -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"creationTimestamp":null,"labels":{"run":"nginx"},"name":"nginx","namespace":"prod"},"spec":{"containers":[{"image":"nginx","name":"nginx","resources":{},"securityContext":{"privileged":true}}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always"},"status":{}}
          f:privileged: {}
      privileged: true
[desk@cli]$ k delete pod nginx -n prod
[desk@cli]$ k get pod db -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'
[desk@cli]$ k get pod cms -n prod -o yaml | grep -E 'privileged|readOnlyRootFilesystem'

Question#3

CORRECT TEXT
On the cluster worker node, enforce the prepared AppArmor profile:
#include <tunables/global>

profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet tcp,
  network inet udp,
  network inet icmp,

  deny network raw,

  deny network packet,

  file,
  umount,

  deny /bin/** wl,
  deny /boot/** wl,
  deny /dev/** wl,
  deny /etc/** wl,
  deny /home/** wl,
  deny /lib/** wl,
  deny /lib64/** wl,
  deny /media/** wl,
  deny /mnt/** wl,
  deny /opt/** wl,
  deny /proc/** wl,
  deny /root/** wl,
  deny /sbin/** wl,
  deny /srv/** wl,
  deny /tmp/** wl,
  deny /sys/** wl,
  deny /usr/** wl,

  audit /** w,

  /var/run/nginx.pid w,

  /usr/sbin/nginx ix,

  deny /bin/dash mrwklx,
  deny /bin/sh mrwklx,
  deny /usr/bin/top mrwklx,

  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,

  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  # deny write to files not in /proc/<number>/** or /proc/sys/**
  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,

  deny mount,

  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
Edit the prepared manifest file to include the AppArmor profile:
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
spec:
  containers:
  - name: apparmor-pod
    image: nginx
Finally, apply the manifest file to create the Pod it specifies.
Verify: try to run the commands ping, top and sh inside the Pod.

A. To apply the AppArmor profile to your Kubernetes Pod and enforce the security settings as specified, follow these detailed steps:
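The completed manifest, as an added example that is not part of the original answer: it binds the container to the docker-nginx profile through the container security context (the appArmorProfile field, available since Kubernetes v1.30; older clusters use the annotation shown in the comment). It assumes the profile was loaded on the worker node beforehand, for instance with apparmor_parser -q /etc/apparmor.d/docker-nginx (path assumed); if the profile is not loaded on the node where the Pod is scheduled, the Pod will not start.

```yaml
# Added example, not the page's own manifest. The profile name must be
# exactly the one declared in the profile file above (docker-nginx).
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
  # On clusters before v1.30 use this annotation instead of the
  # securityContext field below (key = container name, value = profile):
  #   container.apparmor.security.beta.kubernetes.io/apparmor-pod: localhost/docker-nginx
spec:
  containers:
  - name: apparmor-pod
    image: nginx
    securityContext:
      appArmorProfile:
        type: Localhost              # a profile loaded on the node, not RuntimeDefault/Unconfined
        localhostProfile: docker-nginx
```

After kubectl apply -f, confirm the profile is applied with kubectl exec apparmor-pod -- cat /proc/1/attr/current, which should print docker-nginx (enforce). With the profile active, ping, top and sh are denied as the profile intends, which is the verification step the question asks for.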

Question#4

CORRECT TEXT
A service is running on port 389 inside the system. Find the process ID of the process, store the names of all its open files in /candidate/KH77539/files.txt, and delete the binary.

A. To address your request regarding the service running on port 389, identifying its process ID, capturing names of all open files, and deleting the binary, here are the Linux commands that you need to execute, broken down by tasks. Note that these commands should be executed with sufficient privileges, typically as sudo or root.
Step 1: Find the Process ID of the Service on Port 389
Port 389 is typically used by LDAP services. You can find the process ID (PID) of the service running on this port using the netstat or ss command. Here's how you do it using ss (a modern replacement for netstat):
sudo ss -ltnp | grep ':389'
This command will output details about the service running on port 389, including its PID. The output might look something like this:
LISTEN 0 128 *:389 *:* users:(("slapd",pid=1234,fd=7))
From here, you can see that the PID of the service is 1234 (this is just an example, your output will vary).
Step 2: List All Open Files by the Process
Once you have the PID, you can use the lsof command to list all open files by this process. To store these file names into /candidate/KH77539/files.txt, run:
sudo lsof -p <PID> > /candidate/KH77539/files.txt
Replace <PID> with the actual process ID you found earlier. For example:
sudo lsof -p 1234 > /candidate/KH77539/files.txt
Step 3: Delete the Binary of the Process
First, identify the binary file associated with the process. You can find this by looking at the txt field for the process in the output of lsof, or directly by:
binary_path=$(sudo readlink /proc/<PID>/exe)
Once you have the path, you can delete the binary file. However, be very cautious with this step, as deleting a binary can affect system functionality, especially if it's a critical service. Here's how to delete it:
sudo rm -f "$binary_path"
Example Commands Together:
# Find PID
pid=$(sudo ss -ltnp | grep ':389' | sed -E 's/.*pid=([0-9]+),.*/\1/')

# List and store open files
sudo lsof -p $pid > /candidate/KH77539/files.txt

# Find binary path and delete
binary_path=$(sudo readlink /proc/$pid/exe)
sudo rm -f "$binary_path"
Important Considerations
Permissions: Ensure you have the right permissions to execute these commands. You might need to run them as root or use sudo.
Service Disruption: Deleting a binary while the service is running can disrupt the service. Also, the system might fail to restart the service upon the next boot or request.
System Stability: Consider the impact on system stability and functionality before deleting system files or binaries, especially in a production environment.
Please confirm that these actions are in line with your system management policies and proceed with caution.

Question#5

Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.
Note: Don't delete the existing RoleBinding.

A. $ k edit role test-role -n database
$ k create role test-role-2 -n database --resource statefulset --verb update
$ k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa
Explanation:
[desk@cli]$ k get pods -n database
NAME      READY   STATUS    RESTARTS   AGE   LABELS
web-pod   1/1     Running   0          34s   run=web-pod
[desk@cli]$ k get roles -n database
test-role
[desk@cli]$ k edit role test-role -n database
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-06-13T11:12:23Z"
  name: test-role
  namespace: database
  resourceVersion: "1139"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/database/roles/test-role
  uid: 49949265-6e01-499c-94ac-5011d6f6a353
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - "*"   # Delete this
  - get   # Replace by this
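The same three objects in declarative form, as an added example rather than the page's own commands; it makes explicit what kubectl create resolves for you (the apps API group for statefulsets and the ServiceAccount subject of the binding).

```yaml
# Added example, not from the original page. Equivalent to editing
# test-role and running the two kubectl create commands above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role
  namespace: database
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]          # "*" replaced with the single verb that is needed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role-2
  namespace: database
rules:
- apiGroups: ["apps"]     # statefulsets live in the apps group, not core
  resources: ["statefulsets"]
  verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-role-2-bind   # the existing binding for test-role is left in place
  namespace: database
subjects:
- kind: ServiceAccount
  name: test-sa
  namespace: database
roleRef:
  kind: Role
  name: test-role-2
  apiGroup: rbac.authorization.k8s.io
```

Verify the result with kubectl auth can-i update statefulsets -n database --as system:serviceaccount:database:test-sa, which should print yes, while the same check for delete pods should print no.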

Exam Code: CKS. Q&A: 44 Q&As. Updated: 2025-06-03
