27/12/2024, 17:00 Linux Foundation Certified Kubernetes Security Specialist (CKS) - CKS Free Exam Questions [2024]

Linux Foundation Certified Kubernetes Security Specialist (CKS) - CKS Free Exam Questions

QUESTION NO: 21
Context
AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet.

Task
On the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor.
Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile.
Finally, apply the manifest file and create the Pod specified in it.

Correct Answer:
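The answer to this question is not reproduced on the page. What the task requires is, on the worker node, `apparmor_parser -q /etc/apparmor.d/nginx_apparmor` to load the profile into the kernel in enforce mode (confirm with `aa-status` or `cat /sys/kernel/security/apparmor/profiles`), and then a Pod manifest that refers to the profile by the name declared inside the profile file, which is not necessarily the file name. The Python below is an added example, not code from the exam page or from Kubernetes: it extracts the declared name from the profile text, refuses to proceed unless the node reports that profile in enforce mode, and emits the Pod manifest with both the beta annotation (understood by every supported release) and the securityContext.appArmorProfile field added in Kubernetes 1.30 (on older clusters use only the annotation; where both are present they must agree). The profile text, the loaded-profiles listing and the name nginx-profile-1 are constructed for the example.

```python
import json
import re
from typing import Dict, Optional

# Constructed profile text standing in for /etc/apparmor.d/nginx_apparmor; the name
# declared on the "profile" line is what the Pod must reference, not the file name.
PROFILE_TEXT = """#include <tunables/global>
profile nginx-profile-1 flags=(attach_disconnected) {
  #include <abstractions/base>
  file,
  network,
  deny /bin/** w,
  deny /usr/bin/** w,
}
"""

# Constructed stand-in for `cat /sys/kernel/security/apparmor/profiles` on the node.
LOADED_PROFILES = """/usr/sbin/tcpdump (enforce)
nginx-profile-1 (enforce)
docker-default (complain)
"""

# `profile <name> ... {`, or the legacy form `/path/to/binary ... {` where the path is the name.
_PROFILE_RE = re.compile(r'^[ \t]*(?:profile[ \t]+("?[^\s"{]+"?)|(/\S+))(?:[ \t]+[^{\n]*)?\{', re.M)


def profile_name(text: str) -> Optional[str]:
    """Return the profile name declared inside an AppArmor profile file, or None."""
    m = _PROFILE_RE.search(text)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip('"')


def loaded_mode(listing: str, name: str) -> Optional[str]:
    """Mode ('enforce', 'complain', ...) the kernel reports for a loaded profile, or None."""
    for line in listing.splitlines():
        if line.startswith(name + " ("):
            return line[len(name) + 2:].rstrip(")")
    return None


def apparmor_pod(pod_name: str, container: str, image: str, profile: str) -> Dict:
    """Pod manifest binding one container to a node-local AppArmor profile."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {
            "name": pod_name,
            "annotations": {
                # Annotation form: the key names the container, the value is localhost/<profile>.
                f"container.apparmor.security.beta.kubernetes.io/{container}": f"localhost/{profile}",
            },
        },
        "spec": {
            "containers": [{
                "name": container,
                "image": image,
                # Field form, Kubernetes 1.30 and later.
                "securityContext": {
                    "appArmorProfile": {"type": "Localhost", "localhostProfile": profile}
                },
            }],
        },
    }


def build(profile_text: str = PROFILE_TEXT, listing: str = LOADED_PROFILES) -> Dict:
    """Read the declared name, insist that it is loaded in enforce mode, emit the Pod."""
    name = profile_name(profile_text)
    if name is None:
        raise ValueError("no profile declaration found")
    mode = loaded_mode(listing, name)
    if mode != "enforce":
        raise RuntimeError(f"profile {name!r} is {mode or 'not loaded'}; run apparmor_parser -q on the node first")
    # Pod name, container name and image are assumptions for the example.
    return apparmor_pod("nginx-pod", "nginx", "nginx:1.25", name)


if __name__ == "__main__":
    print(json.dumps(build(), indent=2))
```

A Pod whose annotation names a profile the node has not loaded is rejected by the kubelet at admission, so the enforce-mode check before writing the manifest is the one that saves a failed `kubectl apply`.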

https://www.actual4test.com/exam/CKS-questions 1/13

QUESTION NO: 22
Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.
Fix all of the following violations that were found against the API server:
a. Ensure the --authorization-mode argument includes RBAC
b. Ensure the --authorization-mode argument includes Node
c. Ensure that the --profiling argument is set to false
Fix all of the following violations that were found against the Kubelet:
a. Ensure the --anonymous-auth argument is set to false
b. Ensure that the --authorization-mode argument is set to Webhook
Fix all of the following violations that were found against the ETCD:
a. Ensure that the --auto-tls argument is not set to true
Hint: Make use of the tool kube-bench

Correct Answer:

API server:
Ensure the --authorization-mode argument includes RBAC
Turn on Role Based Access Control. Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the
cluster. It is recommended to use the RBAC authorization mode.
Fix - Buildtime
kube-apiserver static Pod manifest; the --authorization-mode line is the one that changes. The container name and image tag below are those of the source's sample manifest; on a kubeadm cluster edit /etc/kubernetes/manifests/kube-apiserver.yaml in place and keep the existing image.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC,Node
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-apiserver-should-pass
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
Ensure the --authorization-mode argument includes Node
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to a value
that includes Node.
--authorization-mode=Node,RBAC
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'Node,RBAC' has 'Node'
Ensure that the --profiling argument is set to false
Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.
--profiling=false
Audit:
/bin/ps -ef | grep kube-apiserver | grep -v grep
Expected result:
'false' is equal to 'false'
Kubelet:
Ensure the --anonymous-auth argument is set to false
Remediation: If using a Kubelet config file, edit the file to set authentication.anonymous.enabled to false. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in the KUBELET_SYSTEM_PODS_ARGS variable. A command-line flag overrides the same setting in the config file, so check both.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Audit:
/bin/ps -fC kubelet
Audit Config:
/bin/cat /var/lib/kubelet/config.yaml
Expected result:
'false' is equal to 'false'
Ensure that the --authorization-mode argument is set to Webhook
Remediation: If using a Kubelet config file, edit the file to set authorization.mode to Webhook. If using executable arguments, edit the kubelet service file on each worker node and set --authorization-mode=Webhook, then reload and restart the kubelet as above.
Audit:
docker inspect kubelet | jq -e '.[0].Args[] | match("--authorization-mode=Webhook").string'
Returned value: --authorization-mode=Webhook
That audit only applies where the kubelet itself runs as a Docker container named kubelet; on a kubeadm node use /bin/ps -fC kubelet and /bin/cat /var/lib/kubelet/config.yaml as above and look for authorization.mode.
ETCD:
Ensure that the --auto-tls argument is not set to true
Do not use self-signed certificates for TLS. etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable client authentication via valid certificates to secure access to the etcd service.
Remediation: Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
Fix - Buildtime
etcd static Pod manifest; the --auto-tls line is the one that changes. The source showed --auto-tls=true here, which is the failing state the check reports, not the fix.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: etcd
    tier: control-plane
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --auto-tls=false
    image: k8s.gcr.io/etcd-amd64:3.2.18
    imagePullPolicy: IfNotPresent
    livenessProbe:
      exec:
        command:
        - /bin/sh
        - -ec
        - ETCDCTL_API=3 etcdctl --endpoints=https://[192.168.22.9]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key get foo
      failureThreshold: 8
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: etcd
    resources: {}
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
status: {}
Audit:
/bin/ps -ef | grep etcd | grep -v grep
Expected result: --auto-tls is absent or equal to false.
The kubelet watches /etc/kubernetes/manifests and recreates a static Pod when its file changes, so editing kube-apiserver.yaml or etcd.yaml restarts that component; confirm with kubectl -n kube-system get pods or crictl ps on the node. Only the kubelet itself needs systemctl restart kubelet after its configuration changes.
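kube-bench reports the items above as failed CIS benchmark checks. To make visible what each check actually tests, the Python below is an added example, not kube-bench's code and not from the exam page: it implements the six checks from this task over static-Pod manifests and the kubelet configuration parsed as dicts. The manifests, kubelet arguments and KubeletConfiguration are constructed stand-ins for the files under /etc/kubernetes/manifests, the kubelet's systemd drop-in and /var/lib/kubelet/config.yaml. It also shows the precedence rule that catches people on the kubelet item: a command-line flag wins over the config file, so anonymous.enabled: false in config.yaml does nothing while --anonymous-auth=true is still present in the service file.

```python
from typing import Dict, List, Optional


def _args(pod: Dict, container: str) -> List[str]:
    """command + args of one container in a static-Pod manifest."""
    for c in pod["spec"]["containers"]:
        if c["name"] == container:
            return list(c.get("command", [])) + list(c.get("args", []))
    raise KeyError(f"no container named {container}")


def flag(args: List[str], name: str) -> Optional[str]:
    """Value of --name=value or '--name value'; None when the flag is absent."""
    for i, a in enumerate(args):
        if a.startswith(name + "="):
            return a.split("=", 1)[1]
        if a == name and i + 1 < len(args):
            return args[i + 1]
    return None


def check_apiserver(pod: Dict) -> List[str]:
    args = _args(pod, "kube-apiserver")
    # kube-apiserver defaults: --authorization-mode=AlwaysAllow and --profiling=true,
    # so an absent flag is as bad as a wrong one.
    modes = (flag(args, "--authorization-mode") or "AlwaysAllow").split(",")
    findings = []
    if "RBAC" not in modes:
        findings.append("apiserver: --authorization-mode must include RBAC")
    if "Node" not in modes:
        findings.append("apiserver: --authorization-mode must include Node")
    if flag(args, "--profiling") != "false":
        findings.append("apiserver: --profiling must be false")
    return findings


def check_kubelet(args: List[str], config: Dict) -> List[str]:
    """A flag on the kubelet command line overrides the KubeletConfiguration file, so the
    flag is consulted first and the file second. A setting explicit in neither is reported,
    which is stricter than trusting the file's defaults."""
    anon = flag(args, "--anonymous-auth")
    if anon is None:
        value = config.get("authentication", {}).get("anonymous", {}).get("enabled")
        anon = None if value is None else str(value).lower()
    authz = flag(args, "--authorization-mode") or config.get("authorization", {}).get("mode")
    findings = []
    if anon != "false":
        findings.append("kubelet: anonymous auth must be disabled")
    if authz != "Webhook":
        findings.append("kubelet: authorization mode must be Webhook")
    return findings


def check_etcd(pod: Dict) -> List[str]:
    args = _args(pod, "etcd")
    # etcd defaults --auto-tls to false; only an explicit true is a finding.
    if flag(args, "--auto-tls") == "true":
        return ["etcd: --auto-tls must not be true (self-signed cert, no client auth)"]
    return []


def static_pod(container: str, command: List[str]) -> Dict:
    """Constructed minimal static-Pod manifest of the shape found under /etc/kubernetes/manifests."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": container, "namespace": "kube-system"},
            "spec": {"containers": [{"name": container, "image": "example", "command": command}]}}


# Constructed "before" state: every check in the task fails. Note the kubelet: the config
# file already disables anonymous auth, but the flag in the service file re-enables it.
BEFORE = {
    "apiserver": static_pod("kube-apiserver", ["kube-apiserver", "--authorization-mode=AlwaysAllow", "--profiling=true"]),
    "kubelet_args": ["/usr/bin/kubelet", "--config=/var/lib/kubelet/config.yaml", "--anonymous-auth=true"],
    "kubelet_config": {"authentication": {"anonymous": {"enabled": False}}, "authorization": {"mode": "AlwaysAllow"}},
    "etcd": static_pod("etcd", ["etcd", "--auto-tls=true"]),
}

# Constructed "after" state with the task's remediations applied.
AFTER = {
    "apiserver": static_pod("kube-apiserver", ["kube-apiserver", "--authorization-mode=Node,RBAC", "--profiling=false"]),
    "kubelet_args": ["/usr/bin/kubelet", "--config=/var/lib/kubelet/config.yaml"],
    "kubelet_config": {"authentication": {"anonymous": {"enabled": False}}, "authorization": {"mode": "Webhook"}},
    "etcd": static_pod("etcd", ["etcd", "--auto-tls=false"]),
}


def run_all(cluster: Dict) -> List[str]:
    return (check_apiserver(cluster["apiserver"])
            + check_kubelet(cluster["kubelet_args"], cluster["kubelet_config"])
            + check_etcd(cluster["etcd"]))


if __name__ == "__main__":
    for state, cluster in (("before", BEFORE), ("after", AFTER)):
        print(state, run_all(cluster) or "all checks pass")
```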

QUESTION NO: 23
Context: Cluster: prod Master node: master1 Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context prod
Task: Analyse and edit the given Dockerfile (based on the ubuntu:18.04 image) /home/cert_masters/Dockerfile, fixing the two instructions in the file that are prominent security/best-practice issues.
Analyse and edit the given manifest file /home/cert_masters/mydeployment.yaml, fixing the two fields in the file that are prominent security/best-practice issues.
Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings in each file are no longer security/best-practice concerns. Should you need an unprivileged user for any of the tasks, use the user nobody with user id 65535.

Correct Answer:

1. For the Dockerfile: fix the base image tag and the user the container ends up running as
2. For mydeployment.yaml: fix the security context
Explanation
[desk@cli] $ vim /home/cert_masters/Dockerfile
FROM ubuntu:latest   # Remove this: an unpinned tag is a different image every time it is pulled
FROM ubuntu:18.04    # Add this
USER root            # Keep this: the RUN below installs packages and needs root at build time
RUN apt get install -y lsof=4.72 wget=1.17.1 nginx=4.2
ENV ENVIRONMENT=testing
USER root            # Remove this: it is the last USER instruction, so the container would run as root
USER nobody          # Add this
CMD ["nginx -d"]
Only the last USER instruction before CMD/ENTRYPOINT decides the user the container runs as, so the two instructions to change are the FROM tag and that final USER. The earlier USER root stays: the task says not to remove settings, and the apt step would fail without it.

[desk@cli] $ vim /home/cert_masters/mydeployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: kafka
  name: kafka
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kafka
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: kafka
    spec:
      containers:
      - image: bitnami/kafka
        name: kafka
        volumeMounts:
        - name: kafka-vol
          mountPath: /var/lib/kafka
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]
            drop: ["all"]
          privileged: true                 # Delete this
          privileged: false                # Add this
          readOnlyRootFilesystem: false    # Delete this
          readOnlyRootFilesystem: true     # Add this
          runAsUser: 65535
        resources: {}
      volumes:
      - name: kafka-vol
        emptyDir: {}
status: {}
The two fields to change are privileged (true hands the container every capability and unrestricted device access, which also makes the capability drop list meaningless) and readOnlyRootFilesystem (true leaves the emptyDir volume writable but nothing else). runAsUser: 65535 already matches the nobody user the task names, and the capability list is left as it is.
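A small linter for the two classes of issue in this task, as an added example that is not the exam's or any tool's code: it reads a Dockerfile and a Deployment and reports an unpinned base image, a final USER of root, privileged: true, a writable root filesystem and a few related securityContext fields. The Dockerfile text is adapted from the one in the task with the package line tidied; the Deployment is the task's kafka one, parameterised on the two fields to fix.

```python
from typing import Dict, List, Tuple

# Adapted from the task's Dockerfile (constructed here, package line tidied).
DOCKERFILE_BEFORE = """FROM ubuntu:latest
USER root
RUN apt-get install -y lsof wget nginx
ENV ENVIRONMENT=testing
USER root
CMD ["nginx", "-g", "daemon off;"]
"""

DOCKERFILE_AFTER = """FROM ubuntu:18.04
USER root
RUN apt-get install -y lsof wget nginx
ENV ENVIRONMENT=testing
USER nobody
CMD ["nginx", "-g", "daemon off;"]
"""


def _instructions(text: str) -> List[Tuple[str, str]]:
    """(INSTRUCTION, arguments) pairs with backslash continuations joined and comments dropped."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def _image_ref(args: str) -> str:
    """Image reference from FROM arguments, ignoring --platform=... and 'AS stage'."""
    return [t for t in args.split() if not t.startswith("--")][0]


def lint_dockerfile(text: str) -> List[str]:
    findings, last_user = [], None
    for ins, args in _instructions(text):
        if ins == "FROM":
            image = _image_ref(args)
            last_user = None  # every stage starts as root again
            if image == "scratch" or "@sha256:" in image:
                continue  # nothing to resolve, or pinned by digest
            name = image.rsplit("/", 1)[-1]  # strip registry/namespace so a registry port is not taken for a tag
            if ":" not in name:
                findings.append(f"FROM {image}: no tag, resolves to :latest")
            elif name.endswith(":latest"):
                findings.append(f"FROM {image}: tag latest is not pinned")
        elif ins == "USER":
            last_user = args.split(":")[0].strip()
    # Only the last USER of the final stage matters at run time.
    if last_user in (None, "root", "0"):
        findings.append("final USER is root: the container runs as uid 0")
    return findings


def lint_container(sc: Dict) -> List[str]:
    """Findings for one container securityContext."""
    f = []
    if sc.get("privileged") is True:
        f.append("privileged: true gives the container every capability and full device access")
    if sc.get("readOnlyRootFilesystem") is not True:
        f.append("readOnlyRootFilesystem should be true")
    if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
        f.append("container runs as root")
    if sc.get("allowPrivilegeEscalation") is True:
        f.append("allowPrivilegeEscalation should be false")
    drop = [c.upper() for c in sc.get("capabilities", {}).get("drop", [])]
    if "ALL" not in drop:
        f.append("capabilities.drop should include ALL")
    return f


def lint_deployment(dep: Dict) -> List[str]:
    out = []
    for c in dep["spec"]["template"]["spec"]["containers"]:
        out += [f"{c['name']}: {m}" for m in lint_container(c.get("securityContext", {}))]
    return out


def kafka_deployment(privileged: bool, read_only: bool) -> Dict:
    """The task's kafka Deployment, parameterised on the two fields the task asks to fix."""
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "kafka"},
            "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "kafka"}},
                     "template": {"metadata": {"labels": {"app": "kafka"}},
                                  "spec": {"containers": [{
                                      "image": "bitnami/kafka", "name": "kafka",
                                      "securityContext": {"capabilities": {"add": ["NET_ADMIN"], "drop": ["all"]},
                                                          "privileged": privileged,
                                                          "readOnlyRootFilesystem": read_only,
                                                          "runAsUser": 65535}}]}}}}


if __name__ == "__main__":
    print(lint_dockerfile(DOCKERFILE_BEFORE), lint_dockerfile(DOCKERFILE_AFTER))
    print(lint_deployment(kafka_deployment(True, False)), lint_deployment(kafka_deployment(False, True)))
```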

QUESTION NO: 24
Context: Cluster: gvisor Master node: master1 Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context gvisor
Context: This cluster has been prepared to support the runtime handler runsc as well as the traditional one.
Task: Create a RuntimeClass named not-trusted using the prepared runtime handler named runsc. Update all Pods in the namespace server to run on the new runtime.

Correct Answer:

Explanation
[desk@cli] $ vim runtime.yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: not-trusted
handler: runsc
[desk@cli] $ k apply -f runtime.yaml
[desk@cli] $ k get pods -n server
NAME                     READY   STATUS    RESTARTS   AGE
nginx-6798fc88e8-chp6r   1/1     Running   0          11m
nginx-6798fc88e8-fs53n   1/1     Running   0          11m
nginx-6798fc88e8-ndved   1/1     Running   0          11m
[desk@cli] $ k get deploy -n server
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   3/3     11           3           5m
[desk@cli] $ k edit deploy nginx -n server
In the editor, add runtimeClassName to the Pod template spec (spec.template.spec, next to containers), not to the Deployment's own spec:
    spec:
      runtimeClassName: not-trusted
      containers:
      ...
Saving the edit starts a rollout: runtimeClassName is immutable on a running Pod, so the three existing Pods are replaced by new ones that run under runsc. Repeat for every other Deployment, StatefulSet or DaemonSet in the namespace; a bare Pod has to be deleted and recreated with the field set. Check:
[desk@cli] $ k get pods -n server -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.runtimeClassName}{"\n"}{end}'
[desk@cli] $ k exec -n server <pod> -- dmesg   # a gVisor sandbox prints its own kernel banner instead of the host's log
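The same change expressed as a transformation over the namespace's objects, as an added example (not from the exam page and not kubectl's code): it puts runtimeClassName into every controller's Pod template in the namespace, leaves other namespaces alone, and reports why it does not touch Pods directly. The inventory is a constructed stand-in for the output of `kubectl get deploy,pods -A -o json`.

```python
from typing import Dict, List, Tuple

# RuntimeClass is cluster-scoped: one object, no namespace, selected per Pod by name.
RUNTIME_CLASS = {
    "apiVersion": "node.k8s.io/v1",
    "kind": "RuntimeClass",
    "metadata": {"name": "not-trusted"},
    "handler": "runsc",  # must match the handler name configured in the node's CRI runtime
}

TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec(obj: Dict) -> Dict:
    """The Pod spec an object carries: its own for a Pod, the template's for controllers."""
    kind = obj["kind"]
    if kind == "Pod":
        return obj["spec"]
    if kind in TEMPLATED_KINDS:
        return obj["spec"]["template"]["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind {kind}")


def assign_runtime_class(objs: List[Dict], namespace: str, rc_name: str) -> Tuple[List[Dict], List[str]]:
    """Set runtimeClassName in the Pod template of every controller in the namespace.
    Pods are never patched: runtimeClassName is immutable on an existing Pod, so Pods owned
    by a controller are replaced by its rollout and bare Pods must be recreated."""
    changed, notes = [], []
    for obj in objs:
        meta = obj["metadata"]
        if meta.get("namespace", "default") != namespace:
            continue
        spec = pod_spec(obj)
        if spec.get("runtimeClassName") == rc_name:
            continue
        if obj["kind"] == "Pod":
            owners = [f"{o['kind']}/{o['name']}" for o in meta.get("ownerReferences", []) if o.get("controller")]
            if owners:
                notes.append(f"Pod/{meta['name']}: replaced by the rollout of {owners[0]}")
            else:
                notes.append(f"Pod/{meta['name']}: bare Pod, delete and recreate with runtimeClassName={rc_name}")
            continue
        spec["runtimeClassName"] = rc_name
        changed.append(obj)
    return changed, notes


def _workload(kind: str, name: str, namespace: str, **extra) -> Dict:
    """Constructed minimal Pod or Deployment-style object."""
    spec = {"containers": [{"name": "app", "image": "nginx"}]}
    meta = {"name": name, "namespace": namespace, **extra}
    if kind == "Pod":
        return {"apiVersion": "v1", "kind": "Pod", "metadata": meta, "spec": spec}
    return {"apiVersion": "apps/v1", "kind": kind, "metadata": meta,
            "spec": {"selector": {"matchLabels": {"app": name}},
                     "template": {"metadata": {"labels": {"app": name}}, "spec": spec}}}


def inventory() -> List[Dict]:
    """Constructed stand-in for `kubectl get deploy,pods -A -o json`; the names are examples."""
    owner = [{"kind": "ReplicaSet", "name": "nginx-6798fc88e8", "controller": True}]
    return [
        _workload("Deployment", "nginx", "server"),
        _workload("Deployment", "api", "server"),
        _workload("Deployment", "other", "default"),
        _workload("Pod", "nginx-6798fc88e8-chp6r", "server", ownerReferences=owner),
        _workload("Pod", "debug", "server"),
    ]


if __name__ == "__main__":
    changed, notes = assign_runtime_class(inventory(), "server", RUNTIME_CLASS["metadata"]["name"])
    print([o["metadata"]["name"] for o in changed], notes)
```

The changed objects are what `kubectl apply` (or `kubectl edit`) would write back; the notes are the Pods a practitioner still has to deal with by rollout or recreation.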

QUESTION NO: 25
Given an existing Pod named nginx-pod running in the namespace test-system, fetch the service account name it uses and put it in /candidate/KSC00124.txt.
Create a new Role named dev-test-role in the namespace test-system, which can perform update operations on resources of type namespaces.
Create a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod's ServiceAccount (the one found on the nginx-pod Pod running in namespace test-system).

Correct Answer:
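The answer to this question is not reproduced on the page. With kubectl the three steps are `kubectl -n test-system get pod nginx-pod -o jsonpath='{.spec.serviceAccountName}' > /candidate/KSC00124.txt`, `kubectl -n test-system create role dev-test-role --verb=update --resource=namespaces` and `kubectl -n test-system create rolebinding dev-test-role-binding --role=dev-test-role --serviceaccount=test-system:<name from the file>`. The Python below is an added example, not code from the exam page or from Kubernetes: it resolves the service account a Pod actually runs as (a Pod that sets neither field silently gets default), builds the Role and RoleBinding, and then evaluates the request the way the RBAC authorizer does for namespaced bindings, so the binding can be checked before it is applied. The Pod is a constructed stand-in for `kubectl get pod nginx-pod -o json`, and its service account name nginx-sa is an assumption, since the task does not state it.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed Pod standing in for the real nginx-pod; the service account name is assumed.
NGINX_POD = {"apiVersion": "v1", "kind": "Pod",
             "metadata": {"name": "nginx-pod", "namespace": "test-system"},
             "spec": {"serviceAccountName": "nginx-sa",
                      "containers": [{"name": "nginx", "image": "nginx"}]}}


def effective_service_account(pod: Dict) -> str:
    """Service account the Pod runs as: serviceAccountName, else the deprecated
    serviceAccount field, else 'default', which every namespace has."""
    spec = pod["spec"]
    return spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"


def role(name: str, namespace: str, verbs: Sequence[str], resources: Sequence[str],
         api_groups: Sequence[str] = ("",)) -> Dict:
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": namespace},
            "rules": [{"apiGroups": list(api_groups), "resources": list(resources), "verbs": list(verbs)}]}


def role_binding(name: str, namespace: str, role_name: str, sa_name: str, sa_namespace: str) -> Dict:
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": name, "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
            # A ServiceAccount subject is always namespace-qualified; the wrong namespace
            # here binds nothing and produces no error on apply.
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}]}


def _match(rule_values: List[str], value: str) -> bool:
    return "*" in rule_values or value in rule_values


def allowed(roles: List[Dict], bindings: List[Dict], sa_namespace: str, sa_name: str,
            namespace: str, verb: str, resource: str, api_group: str = "") -> bool:
    """Namespaced RBAC evaluation: a request is allowed if some RoleBinding in the request's
    namespace names the subject and refers to a Role in that namespace with a rule matching
    verb, apiGroup and resource. Wildcards match anything; a dangling roleRef grants nothing."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_namespace for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are out of scope for this example
        r = roles_by_key.get((namespace, ref["name"]))
        if r is None:
            continue
        for rule in r["rules"]:
            if (_match(rule["verbs"], verb) and _match(rule["apiGroups"], api_group)
                    and _match(rule["resources"], resource)):
                return True
    return False


def solve(pod: Dict) -> Tuple[str, Dict, Dict]:
    """The task's three artefacts: the service account name, the Role and the RoleBinding."""
    ns = pod["metadata"]["namespace"]
    sa = effective_service_account(pod)
    r = role("dev-test-role", ns, verbs=["update"], resources=["namespaces"])
    b = role_binding("dev-test-role-binding", ns, "dev-test-role", sa, ns)
    return sa, r, b


if __name__ == "__main__":
    sa, r, b = solve(NGINX_POD)
    print(sa, allowed([r], [b], "test-system", sa, "test-system", "update", "namespaces"))
```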


Copyright © 2024 Actual4test NETWORK CO.,LIMITED. All Rights Reserved. All trademarks used are properties of their respective owners. Privacy Policy
(https://www.actual4test.com/page_privacy.html)
