Real IT Certification Exams Questions & Dumps | Get Certified with CertQuestionsBank.com

What is the CKS Exam?

The Certified Kubernetes Security Specialist CKS exam is an advanced, performance-based certification offered by the Cloud Native Computing Foundation (CNCF). It validates your ability to secure Kubernetes clusters and containerized applications in real-world environments. Unlike multiple-choice exams, the CKS exam requires you to solve hands-on security tasks directly from the command line in a live Kubernetes environment. Candidates must demonstrate practical expertise in securing clusters, workloads, supply chains, and runtime operations.

Prerequisite: You must have already passed the Certified Kubernetes Administrator (CKA) exam before attempting the CKS.

Who Is the CKS Exam For?

The CKS certification is designed for professionals who are responsible for Kubernetes security in production environments, including:

● Kubernetes Administrators

● DevOps Engineers

● Cloud Security Engineers

● Platform Engineers

● Site Reliability Engineers (SREs)

● Security Engineers working with containers and Kubernetes

This exam is ideal for candidates who already understand Kubernetes administration and want to prove advanced security skills that are in high demand across cloud-native organizations.

CKS Exam Overview

Exam Format: Performance-based, hands-on lab

Delivery: Online, remotely proctored

Duration: 2 hours

Environment: Command-line access to Kubernetes clusters

Prerequisite: Active CKA certification

Focus: Real-world Kubernetes security scenarios

Candidates are required to complete multiple security tasks under time pressure, closely simulating real production challenges.

Skills Measured in the CKS Exam

The CKS exam evaluates your ability to secure Kubernetes environments across the entire application lifecycle. Exam topics include:

Cluster Setup (15%)

Secure installation and configuration of Kubernetes clusters

Network policies and secure cluster components

TLS and authentication configuration

Cluster Hardening (15%)

Restricting access using RBAC

Securing API server, etcd, and kubelet

Minimizing attack surface

System Hardening (10%)

Securing host operating systems

Kernel hardening and process isolation

Limiting privileges and access

Minimize Microservice Vulnerabilities (20%)

Securing container images

Reducing image attack surfaces

Managing secrets safely

Supply Chain Security (20%)

Image signing and verification

Secure CI/CD pipelines

Preventing malicious image deployment

Monitoring, Logging, and Runtime Security (20%)

Detecting suspicious activity

Runtime threat detection

Auditing and logging Kubernetes events

How Will the CKS Benefit You?

Proves High-Demand Security Skills

CKS demonstrates that you can secure Kubernetes environments at an advanced level - a skillset highly sought after by employers.

Career Advancement

Certified professionals often qualify for senior DevOps, cloud security, and platform engineering roles.

Industry-Wide Credential Recognition

The CKS certification is globally recognized and backed by CNCF, making it valuable across industries.

Networking Opportunities

Join an elite community of Kubernetes security professionals and stand out in the cloud-native ecosystem.

How to Prepare for the CKS Exam?

Preparing for the CKS exam requires hands-on practice and security-focused thinking:

● Master Kubernetes fundamentals (pods, services, RBAC, networking)

● Practice securing clusters using real Kubernetes environments

● Learn container security best practices

● Understand supply chain and runtime security concepts

● Practice under time constraints using command-line tools

● Review CNCF documentation and Kubernetes security benchmarks

Since the exam is performance-based, the ability to execute commands quickly and accurately is critical.

How to Use CKS Practice Questions?

CKS practice questions are one of the most effective ways to prepare for the exam:

● Practice real-world security scenarios similar to the actual exam

● Improve speed and accuracy under timed conditions

● Identify weak areas across exam domains

● Learn the correct commands and configurations

● Gain confidence before the actual exam day

The best practice questions include detailed explanations, so you understand why a solution works - not just how to execute it.

Practice Questions for the CKS Exam

High-quality CKS practice questions with explanations help you:

● Simulate the real exam environment

● Practice cluster hardening and workload security

● Apply security controls in Kubernetes

● Prepare efficiently without guesswork

● Reduce exam anxiety and improve pass rates

Whether you are aiming to pass on your first attempt or strengthen your Kubernetes security expertise, CKS practice questions are an essential part of your study strategy.

Question#1

Create a new ServiceAccount named psd-denial-sa in the existing namespace development.
Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

A. Create psp to disallow privileged container
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- “deny-policy”
k create sa psp-denial-sa -n development apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding
metadata:
name: restrict-access-bing roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io subjects:
- kind: ServiceAccount name: psp-denial-sa
namespace: development
Explanation
master1 $ vim psp.yaml apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata:
name: deny-policy spec:
privileged: false # Don't allow privileged pods! seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
master1 $ vim cr1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deny-access-role
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use'] resourceNames: - “deny-policy”
master1 $ k create sa psp-denial-sa -n development
master1 $ vim cb1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restrict-access-bing
roleRef:
kind: ClusterRole
name: deny-access-role
apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize specific service accounts: - kind: ServiceAccount
name: psp-denial-sa
namespace: development
master1 $ k apply -f psp.yaml
master1 $ k apply -f cr1.yaml
master1 $ k apply -f cb1.yaml
Reference: https://kubernetes.io/docs/concepts/policy/pod-security-policy/

Question#2

SIMULATION
Create a PSP that will prevent the creation of privileged pods in the namespace.
Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
Create a new ServiceAccount named psp-sa in the namespace default.
Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

A. Create a PSP that will prevent the creation of privileged pods in the namespace.
$ cat clusterrole-use-privileged.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: use-privileged-psp
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- default-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding metadata:
name: privileged-role-bind
namespace: psp-test roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: use-privileged-psp subjects:
- kind: ServiceAccount
name: privileged-sa
$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml After a few moments, the privileged Pod should be created.
Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields. seLinux:
rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser:
rule: RunAsAny fsGroup:
rule: RunAsAny volumes:
- '*'
And create it with kubectl:
kubectl-admin create -f example-psp.yaml
Now, as the unprivileged user, try to create a simple pod:
kubectl-user create -f- <<EOF
apiVersion: v1
kind: Pod
metadata:
name: pause
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
EOF
The output is similar to this:
Error from server (Forbidden): error when creating "STDIN": pods "pause" is forbidden: unable to validate against any pod security policy: []
Create a new ServiceAccount named psp-sa in the namespace default.
$ cat clusterrole-use-privileged.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: use-privileged-psp
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- default-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding metadata:
name: privileged-role-bind
namespace: psp-test roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: use-privileged-psp subjects:
- kind: ServiceAccount
name: privileged-sa
$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml After a few moments, the privileged Pod should be created.
Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields. seLinux:
rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser:
rule: RunAsAny fsGroup:
rule: RunAsAny volumes:
- '*'
And create it with kubectl:
kubectl-admin create -f example-psp.yaml
Now, as the unprivileged user, try to create a simple pod:
kubectl-user create -f- <<EOF
apiVersion: v1
kind: Pod
metadata:
name: pause
spec:
containers:
- name: pause
image: k8s.gcr.io/pause
EOF
The output is similar to this:
Error from server (Forbidden): error when creating "STDIN": pods "pause" is forbidden: unable to validate against any pod security policy: []
Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace. kind: RoleBinding metadata:
name: read-pods
namespace: default subjects:
# You can specify more than one "subject"
- kind: User
name: jane # "name" is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
# "roleRef" specifies the binding to a Role / ClusterRole kind: Role #this must be Role or ClusterRole name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]

Question#3

Does not allow access from Pods, not in namespace staging.

A. apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: network-policy
spec:
podSelector: {} #selects all the pods in the namespace deployed policyTypes:
- Ingress ingress:
- ports: #in input traffic allowed only through 80 port only
- protocol: TCP
port: 80

Question#4

SIMULATION
Documentation Secrets, TLS Secrets, Volumes
You must connect to the correct host. Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000m40
Path
Key
Context
You must complete securing access to a web server using SSL files stored in a TLS Secret.
Task
Create a TLS Secret named clever-cactus in the clever-cactus namespace for an existing Deployment named clever-cactus.
Use the following SSL files:
File
Certificate /home/candidate/clever-cactus/web.k8s.local.crt
/home/candidate/clever-cactus/web.k8s.local.key
The Deployment is already configured to use the TLS Secret.
Do not modify the existing Deployment.
Failure to do so may result in a reduced score.

A. 1) Connect to the correct host ssh cks000m40
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) Verify namespace exists (quick check)
kubectl get ns clever-cactus
3) Verify certificate and key files exist
ls -l /home/candidate/clever-cactus/web.k8s.local.crt
ls -l /home/candidate/clever-cactus/web.k8s.local.key
Both files must exist.
4) Create the TLS Secret (THIS IS THE MAIN TASK)
Create a TLS Secret named clever-cactus in namespace clever-cactus:
kubectl -n clever-cactus create secret tls clever-cactus \
--cert=/home/candidate/clever-cactus/web.k8s.local.crt \
--key=/home/candidate/clever-cactus/web.k8s.local.key
⚠️ Do NOT use apply
⚠️ Do NOT edit the Deployment
5) Verify the Secret
kubectl -n clever-cactus get secret clever-cactus
Expected type:
kubernetes.io/tls
Optional detail check:
kubectl -n clever-cactus describe secret clever-cactus
You should see:
tls.crt
tls.key
6) (Optional) Confirm Pods are running
Since the Deployment is already configured to use the Secret, Pods should now work.
kubectl -n clever-cactus get pods

Question#5

SIMULATION
Fix all issues viaconfiguration and restart the affected components to ensure the new setting takes effect.
Fix all of the following violations that were found against the API server:-
✑ a. Ensure the --authorization-mode argument includes RBAC
✑ b. Ensure the --authorization-mode argument includes Node
✑ c. Ensure that the --profiling argumentissettofalse
Fix all of the following violations that were found against the Kubelet:-
✑ a. Ensure the --anonymous-auth argumentissettofalse.
✑ b. Ensure thatthe --authorization-mode argumentissetto Webhook.
Fix all of the following violations that were found against the ETCD:
✑ a. Ensure that the --auto-tls argument is not set to true
Hint: Take the use of Tool Kube-Bench

A. API server:
✑ Ensure the --authorization-mode argument includes RBAC
Turn on Role Based Access Control.Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. It is recommended to use the RBAC authorization mode. Fix - BuildtimeKubernetesapiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name:kube-apiserver
namespace: kube-system
spec:
containers:
-command:
+ - kube-apiserver
+ - --authorization-mode=RBAC,Node
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
livenessProbe:
failureThreshold:8
httpGet:
host:127.0.0.1
path: /healthz
port:6443
scheme: HTTPS
initialDelaySeconds:15
timeoutSeconds:15
name: kube-apiserver-should-pass
resources:
requests:
cpu: 250m
volumeMounts:
-mountPath: /etc/kubernetes/
name: k8s
readOnly:true
-mountPath: /etc/ssl/certs
name: certs
-mountPath: /etc/pki
name: pki
hostNetwork:true
volumes:
-hostPath:
path: /etc/kubernetes
name: k8s
-hostPath:
path: /etc/ssl/certs
name: certs
-hostPath:
path: /etc/pki
name: pki
✑ Ensure the --authorization-mode argument includes Node
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to a value that includes Node.
--authorization-mode=Node,RBAC
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'Node,RBAC' has 'Node'
✑ Ensure that the --profiling argumentissettofalse
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.
--profiling=false
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'false' is equal to 'false'
Fix all of the following violations that were found against the Kubelet:-
✑ uk.co.certification.simulator.questionpool.PList@db811b0
Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Audit:
/bin/ps -fC kubelet
Audit Config:
/bin/cat /var/lib/kubelet/config.yaml
Expected result:
✑ 'false' is equal to 'false'
2)Ensure that the --authorization-mode argumentissetto Webhook.
Audit
docker inspect kubelet | jq -e'.[0].Args[] |match("--authorization-mode=Webhook").string'
Returned Value: --authorization-mode=Webhook
Fix all of the following violations that were found against the ETCD:-a. Ensure that the --auto-tls argument is not set to true
Do not useself-signed certificates for TLS. etcd is a highly-available key value store used
by Kubernetes deployments for persistent storage of all of its REST API objects. These
objects are sensitive in nature and should not be available to unauthenticated clients.You
should enable the client authentication via valid certificates to secure the access to the etcd
service.
Fix - BuildtimeKubernetesapiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod:""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
-command:
+ - etcd
+ - --auto-tls=true image:k8s.gcr.io/etcd-amd64:3.2.18 imagePullPolicy: IfNotPresent livenessProbe:
exec:
command: - /bin/sh
- -ec
- ETCDCTL_API=3 etcdctl --endpoints=https://[192.168.22.9]:2379 -- cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt -- key=/etc/kubernetes/pki/etcd/healthcheck-client.key
get foo failureThreshold:8 initialDelaySeconds:15 timeoutSeconds:15 name: etcd-should-fail resources: {} volumeMounts: -mountPath: /var/lib/etcd name: etcd-data
-mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs hostNetwork:true priorityClassName: system-cluster-critical volumes:
-hostPath: path:/var/lib/etcd type: DirectoryOrCreate name: etcd-data -hostPath:
path: /etc/kubernetes/pki/etcd
type: DirectoryOrCreate
name: etcd-certs
status: {}

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with The Linux Foundation, Kubernetes Security Specialist, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: CKSQ & A: 64 Q&AsUpdated: 2026-02-24

Get All CKS Q&As

CKS Online Practice Questions