Prepare for the Linux Foundation Certified Kubernetes Security Specialist exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.
QA4Exam focuses on the latest syllabus and exam objectives; our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these Questions & Answers help you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Linux Foundation CKS exam and achieve success.
SIMULATION
Documentation Namespace, NetworkPolicy, Pod
You must connect to the correct host. Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000031
Context
You must implement NetworkPolicies controlling the traffic flow of existing Deployments across namespaces.
Task
First, create a NetworkPolicy named deny-policy in the prod namespace to block all ingress traffic.
The prod namespace is labeled env:prod
Next, create a NetworkPolicy named allow-from-prod in the data namespace to allow ingress traffic only from Pods in the prod namespace.
Use the label of the prod namespace to allow traffic.
The data namespace is labeled env:data
Do not modify or delete any namespaces or Pods. Only create the required NetworkPolicies.
1) Connect to the correct host
ssh cks000031
sudo -i
2) Use admin kubeconfig (safe default)
export KUBECONFIG=/etc/kubernetes/admin.conf
PART A --- Deny ALL ingress traffic in prod namespace
Requirement:
NetworkPolicy name: deny-policy
Namespace: prod (namespace is labeled env=prod)
Effect: block all ingress
3) Create deny-policy in prod
Create the policy directly with kubectl (fastest & safest):
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-policy
  namespace: prod
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
What this does:
podSelector: {} selects all Pods in prod
policyTypes lists Ingress but the policy has no ingress rules, so every selected Pod is isolated for ingress and all inbound traffic is denied (egress is unaffected)
4) Verify
kubectl -n prod get networkpolicy deny-policy
PART B --- Allow ingress to data ONLY from Pods in prod
Requirement:
NetworkPolicy name: allow-from-prod
Namespace: data (namespace is labeled env=data)
Allow ingress only from Pods in prod namespace
Use namespace label (env=prod)
5) Create allow-from-prod policy in data
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-prod
  namespace: data
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          env: prod
EOF
What this does:
Applies to all Pods in data (podSelector: {})
Allows ingress only from Pods in namespaces labeled env=prod (the namespaceSelector is matched against namespace labels, not Pod labels)
All other ingress traffic, including traffic between Pods inside data, is denied because the policy selects every Pod in data and lists no other sources
6) Verify
kubectl -n data get networkpolicy allow-from-prod
FINAL CHECK (What the examiner expects)
kubectl get networkpolicy -n prod
kubectl get networkpolicy -n data
You should see:
deny-policy in prod
allow-from-prod in data
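To reason about what the two policies above actually permit before running connectivity tests on the cluster, here is a small evaluator of the ingress subset of NetworkPolicy semantics they use (empty podSelector, policyTypes Ingress, namespaceSelector peers). This is an added example and not part of the exam answer; the namespace labels, the extra dev namespace and the pod() helper are constructed, and real enforcement is done by the CNI plugin.

```python
# Constructed namespace labels: prod and data carry the labels the task states.
NAMESPACE_LABELS = {"prod": {"env": "prod"}, "data": {"env": "data"}, "dev": {"env": "dev"}}

# deny-policy from PART A: selects every Pod in prod and lists no ingress rules.
DENY_POLICY = {"namespace": "prod", "podSelector": {}, "policyTypes": ["Ingress"]}

# allow-from-prod from PART B: selects every Pod in data, admits env=prod namespaces.
ALLOW_FROM_PROD = {
    "namespace": "data", "podSelector": {}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"env": "prod"}}}]}],
}
POLICIES = [DENY_POLICY, ALLOW_FROM_PROD]


def selector_matches(selector, labels):
    """An empty selector ({}) matches everything; every matchLabels entry must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """One entry of a `from` list. namespaceSelector and podSelector in the same entry
    are ANDed; a podSelector on its own only covers Pods in the policy's namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is not None and src["namespace"] != policy_ns:
        return False
    if ns_sel is not None and not selector_matches(ns_sel, NAMESPACE_LABELS[src["namespace"]]):
        return False
    return pod_sel is None or selector_matches(pod_sel, src["labels"])


def ingress_allowed(src, dst, policies=POLICIES):
    """src and dst are {"namespace": ..., "labels": {...}}; True if dst may receive from src."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selector_matches(p.get("podSelector", {}), dst["labels"])]
    if not selecting:
        return True  # no policy selects the Pod: Kubernetes default is allow-all
    for policy in selecting:  # policies are additive: one matching rule is enough
        for rule in policy.get("ingress", []):
            if not rule.get("from"):
                return True  # a rule without `from` admits every source
            if any(peer_matches(peer, src, policy["namespace"]) for peer in rule["from"]):
                return True
    return False  # selected by a policy, but no rule admitted the source


def pod(namespace, **labels):
    """Constructed helper: describe a Pod by namespace and labels."""
    return {"namespace": namespace, "labels": labels}
```

Running it shows the side effect worth knowing: allow-from-prod also blocks Pods in data from reaching each other, and a namespace with no policy at all (dev here) stays wide open.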
SIMULATION
Context:
Cluster: prod
Master node: master1
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context prod
Task:
Analyse and edit the given Dockerfile (based on the ubuntu:18.04 image)
/home/cert_masters/Dockerfile, fixing two instructions present in the file that are prominent security/best-practice issues.
Analyse and edit the given manifest file
/home/cert_masters/mydeployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues.
Note: Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns.
Should you need an unprivileged user for any of the tasks, use user nobody with user id 65535.
1. For Dockerfile: fix the image version and the user name in the Dockerfile
2. For mydeployment.yaml: fix the security context
Explanation
[desk@cli] $ vim /home/cert_masters/Dockerfile
FROM ubuntu:latest # Remove this
FROM ubuntu:18.04 # Add this
USER root # Remove this
USER nobody # Add this
RUN apt get install -y lsof=4.72 wget=1.17.1 nginx=4.2
ENV ENVIRONMENT=testing
USER root # Remove this
USER nobody # Add this
CMD ['nginx -d']
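The two Dockerfile findings above (an unpinned base image tag and a container that ends up running as root) are easy to check mechanically. The following is an added example, not part of the exam answer: a small audit that parses Dockerfile text and reports both issues; the sample Dockerfile is constructed from the one shown.

```python
# Constructed sample: the Dockerfile before the two fixes are applied.
DOCKERFILE_BEFORE = """\
FROM ubuntu:latest
RUN apt get install -y lsof=4.72 wget=1.17.1 nginx=4.2
ENV ENVIRONMENT=testing
USER root
CMD ['nginx -d']
"""


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; skips comments and blank lines and joins
    backslash-continued lines so multi-line RUN instructions are seen as one."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        buf.append(line.rstrip("\\").strip())
        if line.endswith("\\"):
            continue
        head, _, arg = " ".join(buf).partition(" ")
        buf = []
        yield head.upper(), arg.strip()


def audit_dockerfile(text):
    """Return a list of (instruction, reason) findings for the two issues above."""
    findings = []
    last_user = None
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            image = arg.split()[0]             # drop an "AS stage" suffix
            if "@sha256:" in image:
                continue                       # digest-pinned: nothing to report
            ref = image.rsplit("/", 1)[-1]     # registry/repository path has no tag
            tag = ref.partition(":")[2]
            if tag in ("", "latest"):
                findings.append(("FROM " + arg, "base image tag is not pinned"))
        elif instr == "USER":
            last_user = arg.split(":")[0]      # "user:group" form, keep the user part
    # the last USER instruction decides who the container runs as
    if last_user in (None, "root", "0"):
        findings.append(("USER " + (last_user or "<absent>"), "container runs as root"))
    return findings
```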

[desk@cli] $ vim /home/cert_masters/mydeployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: kafka
  name: kafka
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kafka
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: kafka
    spec:
      containers:
      - image: bitnami/kafka
        name: kafka
        volumeMounts:
        - name: kafka-vol
          mountPath: /var/lib/kafka
        securityContext:
          {'capabilities': {'add': ['NET_ADMIN'], 'drop': ['all']}, 'privileged': true, 'readOnlyRootFilesystem': false, 'runAsUser': 65535} # Delete This
          {'capabilities': {'add': ['NET_ADMIN'], 'drop': ['all']}, 'privileged': false, 'readOnlyRootFilesystem': true, 'runAsUser': 65535} # Add This
        resources: {}
      volumes:
      - name: kafka-vol
        emptyDir: {}
status: {}
SIMULATION

Context
A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task
Create a new PodSecurityPolicy named prevent-psp-policy,which prevents the creation of privileged Pods.
Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy.
Create a new ServiceAccount named psp-restrict-sa in the existing namespace staging.
Finally, create a new ClusterRoleBinding named restrict-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp-restrict-sa.
SIMULATION
Documentation Deployment, Pod, Namespace
You must connect to the correct host. Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000028
Context
You must update an existing Pod to ensure the immutability of its containers.
Task
Modify the existing Deployment named lamp-deployment, running in namespace lamp, so that its containers:
- run with user ID 20000
- use a read-only root filesystem
- forbid privilege escalation
The Deployment's manifest file can be found at /home/candidate/finer-sunbeam/lamp-deployment.yaml.
1) Connect to the correct host
ssh cks000028
sudo -i
2) Use the right kubeconfig (safe in exam)
export KUBECONFIG=/etc/kubernetes/admin.conf
3) Open the provided Deployment manifest
vi /home/candidate/finer-sunbeam/lamp-deployment.yaml
4) Edit ONLY the Pod template security settings (add/modify these fields)
Inside:
spec: -> template: -> spec:
4.1 Set container to run as user 20000
Add (or change) under the container securityContext:
securityContext:
  runAsUser: 20000
4.2 Make root filesystem read-only
In the SAME container securityContext: ensure:
readOnlyRootFilesystem: true
4.3 Forbid privilege escalation
In the SAME container securityContext: ensure:
allowPrivilegeEscalation: false
The container section should look like this (example --- keep your existing image/ports/etc):
spec:
  template:
    spec:
      containers:
      - name: <your-container-name>
        image: <unchanged>
        securityContext:
          runAsUser: 20000
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
If there are multiple containers, apply the same securityContext to each container.
Save and exit:
:wq
5) Apply the manifest (updates Deployment -> recreates Pods)
kubectl -n lamp apply -f /home/candidate/finer-sunbeam/lamp-deployment.yaml
6) Wait for rollout
kubectl -n lamp rollout status deployment/lamp-deployment
7) Verify the security settings are live
7.1 Check the Pod is running
kubectl -n lamp get pods -l app=lamp -o wide
(if label differs, just kubectl -n lamp get pods)
7.2 Verify the three fields on a running Pod
Pick the Pod name and run:
POD=$(kubectl -n lamp get pods -o jsonpath='{.items[0].metadata.name}')
kubectl -n lamp get pod "$POD" -o jsonpath='{.spec.containers[0].securityContext.runAsUser}{"\n"}{.spec.containers[0].securityContext.readOnlyRootFilesystem}{"\n"}{.spec.containers[0].securityContext.allowPrivilegeEscalation}{"\n"}'
Expected output:
20000
true
false
If the Pod fails after readOnlyRootFilesystem=true:
Don't change the requirement (the task demands it). Usually the application needs writable directories provided through volumes, but the task doesn't ask for that, so only adjust volumes if the manifest already has them and just needs these securityContext fields.
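Both Deployment tasks on this page (the kafka manifest earlier and lamp-deployment here) come down to the same container securityContext fields, so one audit covers them: runAsUser, readOnlyRootFilesystem, allowPrivilegeEscalation and privileged. This is an added example, not the exam's own code; the manifest is written as JSON (which kubectl accepts as-is, so no YAML library is needed) and its container names, images and the required UID are constructed.

```python
import json

# Constructed sample: the "web" container is compliant (it inherits the Pod-level
# runAsUser), the "db" container has every problem the two tasks talk about.
LAMP_DEPLOYMENT = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "lamp-deployment", "namespace": "lamp"},
  "spec": {"selector": {"matchLabels": {"app": "lamp"}},
    "template": {"metadata": {"labels": {"app": "lamp"}},
      "spec": {"securityContext": {"runAsUser": 20000},
        "containers": [
          {"name": "web", "image": "php:apache",
           "securityContext": {"readOnlyRootFilesystem": true,
                               "allowPrivilegeEscalation": false}},
          {"name": "db", "image": "mariadb",
           "securityContext": {"runAsUser": 0, "privileged": true}}]}}}}""")


def audit_deployment(manifest, required_uid=20000):
    """Return {container_name: [findings]} for every container in the Pod template."""
    pod_spec = manifest["spec"]["template"]["spec"]
    pod_ctx = pod_spec.get("securityContext", {})
    report = {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        ctx = c.get("securityContext", {})
        findings = []
        # a container-level runAsUser overrides the Pod-level one
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if uid != required_uid:
            findings.append(f"runAsUser is {uid}, expected {required_uid}")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append("readOnlyRootFilesystem is not true")
        if ctx.get("privileged") is True:
            findings.append("privileged is true")
        # a privileged container always gets privilege escalation, whatever the field says
        if ctx.get("allowPrivilegeEscalation") is not False or ctx.get("privileged") is True:
            findings.append("allowPrivilegeEscalation is not false")
        if findings:
            report[c["name"]] = findings
    return report
```

Note that the corrected kafka manifest from the earlier task would still be reported on allowPrivilegeEscalation, because that task only allowed two fields to change; the audit checks the union of both tasks' requirements.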
SIMULATION
Using the runtime detection tool Falco, analyse the container behaviour for at least 20 seconds, using filters that detect newly spawning and executing processes in a single container of Nginx.
Store the incident file at /opt/falco-incident.txt, containing the detected incidents, one per line, in the format
[timestamp],[uid],[processName]
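The incident file above is a reformatting of Falco's own output. As an added example (not part of the exam answer), the following converts Falco JSON output into one timestamp,uid,processName line per event from the nginx container. It assumes Falco was run with json_output enabled and a rule whose output string includes %user.uid, %proc.name and %container.name, so those names appear under output_fields; the bracketed names in the task are read as placeholders, and the three events are constructed.

```python
import json

# Constructed sample of Falco JSON output; the last line imitates a non-JSON status line.
FALCO_JSON_LINES = """\
{"time":"2024-01-15T09:30:01.123456789Z","rule":"Process spawned in container","priority":"Notice","output_fields":{"container.name":"nginx","user.uid":0,"proc.name":"sh"}}
{"time":"2024-01-15T09:30:02.000000001Z","rule":"Process spawned in container","priority":"Notice","output_fields":{"container.name":"sidecar","user.uid":1000,"proc.name":"curl"}}
{"time":"2024-01-15T09:30:03.500000000Z","rule":"Process spawned in container","priority":"Notice","output_fields":{"container.name":"nginx","user.uid":101,"proc.name":"nginx"}}
Falco initialized with configuration file /etc/falco/falco.yaml
"""


def incidents_from_falco(lines, container="nginx"):
    """Return "timestamp,uid,processName" strings for events from one container."""
    rows = []
    for line in lines.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # Falco also prints plain status lines; they carry no incident
        fields = event.get("output_fields", {})
        if fields.get("container.name") != container:
            continue  # the task asks for a single container only
        rows.append(f'{event["time"]},{fields["user.uid"]},{fields["proc.name"]}')
    return rows


def write_incident_file(path, lines, container="nginx"):
    """Write the incident lines to path (for example /opt/falco-incident.txt)."""
    rows = incidents_from_falco(lines, container)
    with open(path, "w") as fh:
        fh.write("\n".join(rows) + "\n")
    return len(rows)
```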