CKS Exam Dumps - Certified Kubernetes Security Specialist (CKS)

Searching for workable clues to ace the Linux Foundation CKS Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s CKS PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

Question # 9

You must connect to the correct host . Failure to do so may

result in a zero score.

[candidato@base] $ ssh cks000023

Task

Analyze and edit the Dockerfile located at /home/candidate/subtle-bee/build/Dockerfile, fixing one instruction present in the file that is a prominent security/best-practice issue.

Do not add or remove instructions; only modify the one existing instruction with a security/best-practice concern.

Do not build the Dockerfile, Failure to do so may result in running out of storage and a zero score.

Analyze and edit the given manifest file /home/candidate/subtle-bee/deployment.yaml, fixing one fields present in the file that are a prominent security/best-practice issue.

Do not add or remove fields; only modify the one existing field with a security/best-practice concern.

Should you need an unprivileged user for any of the tasks, use user nobody with user ID 65535.

Full Access

Answer:

Explanation:

0) Connect to the correct host

ssh cks000023

sudo -i

PART A â€” Fix ONE prominent Dockerfile security/best-practice issue

1) Open the Dockerfile

vi /home/candidate/subtle-bee/build/Dockerfile

2) Find the â€œmost obviousâ€ security/best-practice problem and modify ONLY THAT ONE instruction

Use / search in vi to quickly find candidates:

Candidate 1 (very common): USER root (or no USER but a USER 0)

Search:

/USER

If you see:

USER root

Change that single instruction to:

USER 65535

(or USER nobody if that exact word is already used in the fileâ€”but the task explicitly allows UID 65535, so USER 65535 is safest.)

âœ… This is one-instruction change and is a top-tier best practice.

Candidate 2 (very common): FROM <</b>image>:latest

Search:

/FROM

If you see something like:

FROM nginx:latest

Change ONLY that line to a pinned tag (example):

FROM nginx:1.25.5

(Any non-latest pinned version is the point. Donâ€™t add a digest line; just modify the existing FROM line.)

Candidate 3: ADD http://... (remote URL download)

Search:

/ADD

If you see remote URL usage like:

ADD https://example.com/app.tar.gz /app/

Change that single instruction to COPY only if itâ€™s copying local files.

If itâ€™s a remote URL, the more â€œcorrectâ€ fix would normally be using curl with verification, but that would require adding instructions (not allowed).

So in this exam constraint, do NOT pick this unless itâ€™s actually a local add like:

ADD . /app

Then change just the word:

COPY . /app

3) Save and exit

âš ï¸ Donâ€™t run docker build (task forbids building).

PART B â€” Fix ONE prominent security/best-practice issue in the Deployment manifest

4) Open the manifest

vi /home/candidate/subtle-bee/deployment.yaml

5) Change ONLY ONE existing field that is a clear security issue

Use / search in vi for the usual â€œbad fieldsâ€:

Option 1 (most common): running as root

Search:

/runAsUser

If you see:

runAsUser: 0

Change that one existing field value to:

runAsUser: 65535

âœ… This is a single-field change and matches the prompt hint.

Option 2: privileged container

Search:

/privileged

If you see:

privileged: true

Change only that value to:

privileged: false

Option 3: allow privilege escalation

Search:

/allowPrivilegeEscalation

If you see:

allowPrivilegeEscalation: true

Change only that value to:

allowPrivilegeEscalation: false

Option 4: writable root filesystem

Search:

/readOnlyRootFilesystem

If you see:

readOnlyRootFilesystem: false

Change only that value to:

readOnlyRootFilesystem: true

Option 5: image uses :latest

Search:

/image:

If you see:

image: something:latest

Change only that value to a pinned tag, e.g.:

image: something:1.2.3

6) Save and exit

What to pick (fast decision rule)

If you see run as root in either file, thatâ€™s usually the highest scoring / most â€œprominentâ€ security issue.

Dockerfile: USER root â†’ USER 65535

Deployment: runAsUser: 0 â†’ runAsUser: 65535

Those are perfect because you only modify one line/field and it matches the hint.

Question # 10

Secrets stored in the etcd is not secure at rest, you can use the etcdctl command utility to find the secret value
for e.g:-
ETCDCTL_API=3 etcdctl get /registry/secrets/default/cks-secret --cacert="ca.crt" --cert="server.crt" --key="server.key"
Output
Using the Encryption Configuration, Create the manifest, which secures the resource secrets using the provider AES-CBC and identity, to encrypt the secret-data at rest and ensure all secrets are encrypted with the new configuration.

Full Access

Answer:

Explanation:

ETCD secret encryption can be verified with the help ofÂ etcdctlÂ command line utility.
ETCD secrets are stored at the pathÂ /registry/secrets/$namespace/$secretÂ on the master node.
The below command can be used to verify if the particular ETCD secret is encrypted or not.
# ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C

Question # 11

You can switch the cluster/configuration context using the following command:
[desk@cli] $Â kubectl config use-context devÂ
A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.
Task:Â Create a new default-deny NetworkPolicy namedÂ deny-networkÂ in the namespaceÂ testÂ for all traffic of type Ingress + Egress
The new NetworkPolicy must deny all Ingress + Egress traffic in the namespaceÂ test.
Apply the newly createdÂ default-denyÂ NetworkPolicy to all Pods running in namespaceÂ test.
You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

Full Access

Answer:

Explanation:

master1 $Â k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
$Â vim netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $Â k apply -f netpol.yaml
Explanationcontrolplane $ k get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
test-pod 1/1 Running 0 34s role=test,run=test-pod
testing 1/1 Running 0 17d run=testing
master1 $ vim netpol1.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-network
namespace: test
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
master1 $ k apply -f netpol1.yaml
[Reference:https://kubernetes.io/docs/concepts/services-networking/network-policies/, , Explanationcontrolplane $ k get pods -n test --show-labels, NAME READY STATUS RESTARTS AGE LABELS, test-pod 1/1 Running 0 34s role=test,run=test-pod, testing 1/1 Running 0 17d run=testing, master1 $ vim netpol1.yaml, apiVersion: networking.k8s.io/v1, kind: NetworkPolicy, metadata:, name: deny-network, namespace: test, spec:, podSelector: {}, policyTypes:, - Ingress, - Egress, master1 $ k apply -f netpol1.yamlReference:https://kubernetes.io/docs/concepts/services-networking/network-policies/, ]

Question # 12

Documentation Upgrading kubeadm clusters
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000034
Context
The kubeadm provisioned cluster was recently upgraded, leaving one node on a slightly older version due to workload compatibility concerns.
Task
Upgrade the cluster node compute-0 to match the version of the control plane node.
Use a command like the following to connect to the compute node:
[candidate@cks000034] $ ssh compute-0
Do not modify any running workloads in the cluster.
Do not forget to exit from the compute node once you have completed your tasks:
[candidate@icompute-e] $ exit

Full Access

Answer:

Explanation:

Below is the CKS / CKA exam-style, exact step-by-step solution for Upgrading a kubeadm worker node.
Follow in order, type exact commands, no extra actions.
QUESTION â€” Upgrade node compute-0 (EXAM MODE)
1) Connect to the correct host (control plane)
ssh cks000034
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) Identify the control plane Kubernetes version
This is the target version for compute-0.
kubectl get nodes
Example output:
NAME STATUS ROLES VERSION
control-plane Ready control-plane v1.27.4
compute-0 Ready v1.26.6
ðŸ‘‰ Note the control-plane version
Example: v1.27.4
3) Drain the compute node (do NOT modify workloads manually)
kubectl drain compute-0 --ignore-daemonsets --delete-emptydir-data
Wait until drain completes successfully.
4) SSH into the compute node
ssh compute-0
sudo -i
5) Check current kubeadm version on compute node
kubeadm version
6) Upgrade kubeadm to match control plane version
Replace 1.27.4 with the exact control-plane version you observed.
apt-get update
apt-get install -y kubeadm=1.27.4-00
Verify:
kubeadm version
7) Run kubeadm upgrade for the node
kubeadm upgrade node
âœ… This updates node-specific configs (NO workloads touched).
8) Upgrade kubelet and kubectl to the same version
apt-get install -y kubelet=1.27.4-00 kubectl=1.27.4-00
9) Restart kubelet
systemctl daemon-reload
systemctl restart kubelet
systemctl status kubelet --no-pager
10) Exit the compute node (IMPORTANT)
exit
11) Uncordon the compute node (back on control plane)
kubectl uncordon compute-0
12) Final verification
kubectl get nodes
Expected:
NAME STATUS VERSION
compute-0 Ready v1.27.4

Question # 13

Documentation Ingress, Service, NGINX Ingress Controller
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000032
Context
You must expose a web application using HTTPS routes.
Task
Create an Ingress resource named web in the prod namespace and configure it as follows:
. Route traffic for host web.k8s.local and all paths to the existing Service web
. Enable TLS termination using the existing Secret web-cert.
. Redirect HTTP requests to HTTPS .
You can test your Ingress configuration with the following command:
[candidate@cks000032]$ curl -L http://web.k8s.local

Full Access

Answer:

Explanation:

1) Connect to the correct host
ssh cks000032
sudo -i
2) Use admin kubeconfig
export KUBECONFIG=/etc/kubernetes/admin.conf
3) Verify prerequisites (quick check)
These should already exist per task.
kubectl -n prod get svc web
kubectl -n prod get secret web-cert
kubectl get pods -n ingress-nginx
(If the ingress controller pods exist, youâ€™re good.)
4) Create the Ingress resource
Create Ingress named web in namespace prod with:
host: web.k8s.local
all paths â†’ Service web
TLS using Secret web-cert
HTTP â†’ HTTPS redirect (NGINX)
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web
namespace: prod
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- web.k8s.local
secretName: web-cert
rules:
- host: web.k8s.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 80
EOF
5) Verify Ingress creation
kubectl -n prod get ingress web
kubectl -n prod describe ingress web
Confirm:
Host = web.k8s.local
TLS Secret = web-cert
Backend Service = web
6) Test HTTP â†’ HTTPS redirect
curl -L http://web.k8s.local
Expected:
Redirects to https://web.k8s.local
Returns application response over HTTPS

Question # 14

Task
Analyze and edit the given Dockerfile /home/candidate/KSSC00301/Docker file (based on the ubuntu:16.04 image), fixing two instructions present in the file that are prominent security/best-practice issues.
Analyze and edit the given manifest file /home/candidate/KSSC00301/deployment.yaml, fixing two fields present in the file that are prominent security/best-practice issues.

Full Access

Answer:

Question # 15

Cluster: dev
Master node:Â master1
Worker node:Â worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $Â kubectl config use-context devÂ
Task:
Retrieve the content of the existing secret namedÂ adamÂ in theÂ safeÂ namespace.
Store the username field in a file namesÂ /home/cert-masters/username.txt, and the password field in a file namedÂ /home/cert-masters/password.txt.
1. You must create both files; they don't exist yet.
2. Do not use/modify the created files in the following steps, create new temporary files if needed.Â
Create a new secret namesÂ newsecretÂ in theÂ safeÂ namespace, with the following content:
Username:Â dbadmin
Password:Â moresecurepas
Finally, create a new Pod that has access to the secretÂ newsecretÂ via a volume:
Namespace:safe
Pod name:mysecret-pod
Container name:db-container
Image:redis
Volume name:secret-vol
Mount path:/etc/mysecret

Full Access

Answer:

Question # 16

Context
AppArmor is enabled on the cluster's worker node. An AppArmor profile is prepared, but not enforced yet.
Task
On the cluster's worker node, enforce the prepared AppArmor profile located at /etc/apparmor.d/nginx_apparmor.
Edit the prepared manifest file located at /home/candidate/KSSH00401/nginx-pod.yaml to apply the AppArmor profile.
Finally, apply the manifest file and create the Pod specified in it.

Full Access

Answer:

Explanation:

[Reference:Â https://kubernetes.io/docs/tutorials/clusters/apparmor/, , ]

Go to page:
<< First

Prev

1

2

3

Next

Last >>

Hot Exams

AZ-900 Dumps

200-301 Dumps

350-401 Dumps

350-701 Dumps

AZ-104 Dumps

CS0-003 Dumps

N10-009 Dumps

SY0-701 Dumps

CAS-005 Dumps

PT0-003 Dumps

ZDTA Dumps

Month End Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

CKS Exam Dumps - Certified Kubernetes Security Specialist (CKS)

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Answer:

Explanation:

Hot Exams