Get Linux Foundation CKS Exam Dumps

Linux Foundation Certified Kubernetes Security Specialist Exam Dumps

Last Updated : Nov 30, 2023

Total Questions : 48

This Bundle Pack includes Following 3 Formats

Desktop Practice
Test software

Web Based
Practice Test

Questions &
Answers (PDF)

Price: $79.00

Before $179

CKS Desktop Practice
Test Software

Last Updated : Nov 30, 2023
Total Questions : 48

$59.00

CKS Questions & Answers
(PDF)

Last Updated : Nov 30, 2023
Total Questions : 48

$59.00

CKS Web Based Self Assessment Practice Test

Last Updated : Nov 30, 2023

48 Total Questions

Supported Browsers

Supported Platforms

License Options

$59.00

Following are some CKS Exam Questions for Review

Question 1

Context: Cluster:prod Master node:master1 Worker node:worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $kubectl config use-context prod

Task: Analyse and edit the given Dockerfile (based on theubuntu:18:04image) /home/cert_masters/Dockerfilefixing two instructions present in the file being prominent security/best-practice issues.

Analyse and edit the given manifest file /home/cert_masters/mydeployment.yamlfixing two fields present in the file being prominent security/best-practice issues.

Note:Don't add or remove configuration settings; only modify the existing configuration settings, so that two configuration settings each are no longer security/best-practice concerns. Should you need an unprivileged user for any of the tasks, use usernobodywith user id65535

AExplanation:
1. For Dockerfile:Fix the image version & user name in Dockerfile
2. For mydeployment.yaml : Fix security contexts
Explanation
[desk@cli] $vim /home/cert_masters/Dockerfile
FROM ubuntu:latest # Remove this
FROM ubuntu:18.04 # Add this
USER root # Remove this
USER nobody # Add this
RUN apt get install -y lsof=4.72 wget=1.17.1 nginx=4.2
ENV ENVIRONMENT=testing
USER root # Remove this
USER nobody # Add this
CMD ['nginx -d']

[desk@cli] $vim/home/cert_masters/mydeployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: kafka
name: kafka
spec:
replicas: 1
selector:
matchLabels:
app: kafka
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: kafka
spec:
containers:
- image: bitnami/kafka
name: kafka
volumeMounts:
- name: kafka-vol
mountPath: /var/lib/kafka
securityContext:
{'capabilities':{'add':['NET_ADMIN'],'drop':['all']},'privileged': True,'readOnlyRootFilesystem': False, 'runAsUser': 65535} # Delete This
{'capabilities':{'add':['NET_ADMIN'],'drop':['all']},'privileged': False,'readOnlyRootFilesystem': True, 'runAsUser': 65535} # Add This
resources: {}
volumes:
- name: kafka-vol
emptyDir: {}
status: {}
Pictorial View:
[desk@cli] $vim/home/cert_masters/mydeployment.yaml

Question 2

Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.

kubesec-test.yaml

apiVersion: v1

kind: Pod

metadata:

name: kubesec-demo

spec:

containers:

- name: kubesec-demo

image: gcr.io/google-samples/node-hello:1.0

securityContext:

readOnlyRootFilesystem: true

Hint:docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

AExplanation:
kubesec scan k8s-deployment.yaml
cat <<EOF > kubesec-test.yaml
apiVersion: v1
kind: Pod
metadata:
name: kubesec-demo
spec:
containers:
- name: kubesec-demo
image: gcr.io/google-samples/node-hello:1.0
securityContext:
readOnlyRootFilesystem: true
EOF
kubesec scan kubesec-test.yaml
docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
kubesec http 8080 &
[1] 12345
{'severity':'info','timestamp':'2019-05-12T11:58:34.662+0100','caller':'server/server.go:69','message':'Starting HTTP server on port 8080'}
curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan
[
{
'object': 'Pod/security-context-demo.default',
'valid': true,
'message': 'Failed with a score of -30 points',
'score': -30,
'scoring': {
'critical': [
{
'selector': 'containers[] .securityContext .capabilities .add == SYS_ADMIN',
'reason': 'CAP_SYS_ADMIN is the most privileged capability and should always be avoided'
},
{
'selector': 'containers[] .securityContext .runAsNonRoot == true',
'reason': 'Force the running image to run as a non-root user to ensure least privilege'
},
// ...

Question 3

Service is running on port 389 inside the system, find the process-id of the process, and stores the names of all the open-files inside the /candidate/KH77539/files.txt, and also delete the binary.

AExplanation:
root# netstat -ltnup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:17600 0.0.0.0:* LISTEN 1293/dropbox
tcp 0 0 127.0.0.1:17603 0.0.0.0:* LISTEN 1293/dropbox
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd
tcp 0 0 127.0.0.1:9393 0.0.0.0:* LISTEN 900/perl
tcp 0 0 :::80 :::* LISTEN 9583/docker-proxy
tcp 0 0 :::443 :::* LISTEN 9571/docker-proxy
udp 0 0 0.0.0.0:68 0.0.0.0:* 8822/dhcpcd
...
root# netstat -ltnup | grep ':22'
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 575/sshd
Thesscommand is the replacement of thenetstatcommand.
Now let's see how to use thesscommand to see which process is listening on port 22:
root# ss -ltnup 'sport = :22'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:('sshd',pid=575,fd=3))

Question 4

Secrets stored in the etcd is not secure at rest, you can use the etcdctl command utility to find the secret value

for e.g:-

ETCDCTL_API=3 etcdctl get /registry/secrets/default/cks-secret --cacert="ca.crt" --cert="server.crt" --key="server.key"

Output

Using the Encryption Configuration, Create the manifest, which secures the resource secrets using the provider AES-CBC and identity, to encrypt the secret-data at rest and ensure all secrets are encrypted with the new configuration.

AExplanation:
ETCD secret encryption can be verified with the help ofetcdctlcommand line utility.
ETCD secrets are stored at the path/registry/secrets/$namespace/$secreton the master node.
The below command can be used to verify if the particular ETCD secret is encrypted or not.
# ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C

Question 5

Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.

AExplanation:
$ kubectl get ing -n <namespace-of-ingress-resource>
NAME HOSTS ADDRESS PORTS AGE
cafe-ingress cafe.com 10.0.2.15 80 25s
$ kubectl describe ing <ingress-resource-name> -n <namespace-of-ingress-resource>
Name: cafe-ingress
Namespace: default
Address: 10.0.2.15
Default backend: default-http-backend:80 (172.17.0.5:8080)
Rules:
Host Path Backends
---- ---- --------
cafe.com
/tea tea-svc:80 (<none>)
/coffee coffee-svc:80 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {'apiVersion':'networking.k8s.io/v1','kind':'Ingress','metadata':{'annotations':{},'name':'cafe-ingress','namespace':'default','selfLink':'/apis/networking/v1/namespaces/default/ingresses/cafe-ingress'},'spec':{'rules':[{'host':'cafe.com','http':{'paths':[{'backend':{'serviceName':'tea-svc','servicePort':80},'path':'/tea'},{'backend':{'serviceName':'coffee-svc','servicePort':80},'path':'/coffee'}]}}]},'status':{'loadBalancer':{'ingress':[{'ip':'169.48.142.110'}]}}}
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 1m ingress-nginx-controller Ingress default/cafe-ingress
Normal UPDATE 58s ingress-nginx-controller Ingress default/cafe-ingress
$ kubectl get pods -n <namespace-of-ingress-controller>
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-67956bf89d-fv58j 1/1 Running 0 1m
$ kubectl logs -n <namespace> ingress-nginx-controller-67956bf89d-fv58j
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: 0.14.0
Build: git-734361d
Repository: https://github.com/kubernetes/ingress-nginx
-------------------------------------------------------------------------------
....

Unlock All Features of Linux Foundation CKS Dumps Software

Just have a look at the best and updated features of our CKS dumps which are described in detail in the following tabs. We are very confident that you will get the best deal on this platform.

Select Question
Types you want

Set your desired
pass percentage

Allocate Time
(Hours: Minutes)

Create Multiple
Practice test with
limited questions

Customer
Support

Latest Success Metrics For actual CKS Exam

This is the best time to verify your skills and accelerate your career. Check out last week's results, more than 90% of students passed their exam with good scores. You may be the Next successful Candidate.

95%

Average Passing Scores in final Exam

91%

Exactly Same Questions from these dumps

90%

Customers Passed Linux Foundation CKS exam

Get Linux Foundation CKS Exam Dumps

Linux Foundation Certified Kubernetes Security Specialist Exam Dumps

This Bundle Pack includes Following 3 Formats

CKS Desktop Practice Test Software

CKS Questions & Answers (PDF)

CKS Web Based Self Assessment Practice Test

Following are some CKS Exam Questions for Review

Unlock All Features of Linux Foundation CKS Dumps Software

Latest Success Metrics For actual CKS Exam

CKS Desktop Practice
Test Software

CKS Questions & Answers
(PDF)