CKS 무료 덤프문제 온라인 액세스

시험코드:	CKS
시험이름:	Certified Kubernetes Security Specialist (CKS)
인증사:	Linux Foundation
무료 덤프 문항수:	66
업로드 날짜:	2026-01-14

평점

100%

페이지 수: 1 / 14
총 66 문항

문제 1

SIMULATION
Documentation Deployments, Pods, bom Command Help bom-help
You must connect to the correct host. Failure to do so may result in a zero score.
[candidate@base] $ ssh cks000035
Task
The alpine Deployment in the alpine namespace has three containers that run different versions of the alpine image.
First, find out which version of the alpine image contains the libcrypto3 package at version 3.1.4-r5.
Next, use the pre-installed bom tool to create an SPDX document for the identified image version at /home/candidate/alpine.spdx.
You can find the bom tool documentation at bom.
Finally, update the alpine Deployment and remove the container that uses the idenfied image version.
The Deployment's manifest file can be found at /home/candidate/alpine-deployment.yaml.
Do not modify any other containers of the Deployment.

정답:

See the Explanation below for complete solution
Explanation:
1) Connect to the correct host
ssh cks000035
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) List the 3 container names + images in the Deployment
kubectl -n alpine get deploy alpine -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}' You'll get 3 lines like:
c1 alpine:3.xx
c2 alpine:3.yy
c3 alpine:3.zz
3) Identify which alpine image has libcrypto3 at 3.1.4-r5
Fastest reliable method (since it's Alpine, just query apk inside each image):
Run these one-by-one for each image you saw in step 2:
docker run --rm <ALPINE_IMAGE_1> sh -c 'apk info -v libcrypto3 2>/dev/null | head -n1' docker run --rm <ALPINE_IMAGE_2> sh -c 'apk info -v libcrypto3 2>/dev/null | head -n1' docker run --rm <ALPINE_IMAGE_3> sh -c 'apk info -v libcrypto3 2>/dev/null | head -n1'
✅ The correct image is the one that prints exactly:
libcrypto3-3.1.4-r5
Note that full image tag, e.g.:
IMG=alpine:3.xx
4) Create SPDX document with bom for that identified image
(Use the identified image from step 3.)
bom generate --image $IMG --format spdx --output /home/candidate/alpine.spdx Verify file exists:
ls -l /home/candidate/alpine.spdx
5) Remove ONLY the container that uses that image version
The manifest to edit is:
vi /home/candidate/alpine-deployment.yaml
In the spec.template.spec.containers: list, find the container entry whose image: equals the identified $IMG, and delete that one container block only (name/image/ports/etc for that container).
Save:
:wq
6) Apply the updated Deployment (do not change other containers)
kubectl apply -f /home/candidate/alpine-deployment.yaml
Wait rollout:
kubectl -n alpine rollout status deployment/alpine
7) Verify only 2 containers remain
kubectl -n alpine get deploy alpine -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}' You should now see 2 lines, and the $IMG line should be gone.
If bom generate ... errors (quick fix)
Check exact syntax on that system:
bom --help
bom generate --help
Then rerun with the flags it expects, keeping:
image = $IMG
output = /home/candidate/alpine.spdx
format = spdx

문제 2

SIMULATION
Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.
Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

문제 3

SIMULATION
Context
You must implement auditing for the kubeadm provisioned cluster.
Task
First, reconfigure the cluster 's API server, so that:
. the basic audit policy located at
/etc/kubernetes/logpolicy/audit-policy.yaml is used,
. logs are stored at /var/log/kubernetes/audit-logs.txt,
. and a maximum of 2 logs are retained for 10 days.
The cluster uses the Docker Engine as its container runtime . If needed, use the docker command to troubleshoot running containers.
The basic policy only specifies what not to log.
Next, edit and extend the basic policy to log:
. namespaces interactions at RequestResponse level
. the request body of deployments interactions in the namespace webapps
. ConfigMap and Secret interactions in all namespaces at the Metadata level
. all other requests at the Metadata level
Make sure the API server uses the extended policy.
Failure to do so may result in a reduced score.

정답:

See the Explanation below for complete solution
Explanation:
1) Connect to the correct host
ssh cks000028
sudo -i
(If hostname differs in your exam, use the one shown in the question banner.)
2) Edit the API server static pod manifest
API server is a static pod in kubeadm.
vi /etc/kubernetes/manifests/kube-apiserver.yaml
3) Configure API server to enable auditing
Inside the command: section, ensure ALL of the following flags exist
(add them if missing, modify if present).
3.1 Use the given audit policy file
- --audit-policy-file=/etc/kubernetes/logpolicy/audit-policy.yaml
3.2 Store audit logs at the required location
- --audit-log-path=/var/log/kubernetes/audit-logs.txt
3.3 Retain a maximum of 2 log files
- --audit-log-maxbackup=2
3.4 Retain logs for 10 days
- --audit-log-maxage=10
✅ Example (your file may have more flags - that's fine):
- command:
- kube-apiserver
- --audit-policy-file=/etc/kubernetes/logpolicy/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/audit-logs.txt
- --audit-log-maxbackup=2
- --audit-log-maxage=10
Save and exit:
:wq
The API server will auto-restart (static pod).
Optional quick check:
docker ps | grep kube-apiserver
4) Edit and EXTEND the audit policy
Open the given basic policy:
vi /etc/kubernetes/logpolicy/audit-policy.yaml
The file already contains rules for what NOT to log.
You must ADD rules BELOW them (do not delete existing ones).
5) Add the required audit rules (EXACT ORDER)
Append the following rules in this order (order matters in audit policies).
5.1 Log namespaces interactions at RequestResponse
- level: RequestResponse
resources:
- group: ""
resources: ["namespaces"]
5.2 Log deployment request bodies in namespace webapps
- level: RequestResponse
namespaces: ["webapps"]
resources:
- group: "apps"
resources: ["deployments"]
5.3 Log ConfigMap and Secret interactions (all namespaces) at Metadata
- level: Metadata
resources:
- group: ""
resources: ["configmaps", "secrets"]
5.4 Log all other requests at Metadata
This must be LAST
- level: Metadata
5.5 Final audit-policy.yaml should END like this
# (existing "do not log" rules above)
- level: RequestResponse
resources:
- group: ""
resources: ["namespaces"]
- level: RequestResponse
namespaces: ["webapps"]
resources:
- group: "apps"
resources: ["deployments"]
- level: Metadata
resources:
- group: ""
resources: ["configmaps", "secrets"]
- level: Metadata
Save and exit:
:wq
6) Make sure API server uses the EXTENDED policy
Touch the manifest to guarantee reload:
touch /etc/kubernetes/manifests/kube-apiserver.yaml
Wait a few seconds.
7) Verify auditing is working
7.1 Check audit log file exists
ls -l /var/log/kubernetes/audit-logs.txt
7.2 Generate test activity
kubectl get namespaces
kubectl get configmaps -A
7.3 Confirm logs are written
tail -n 20 /var/log/kubernetes/audit-logs.txt
You should see audit entries.

문제 4

SIMULATION
Documentation
ServiceAccount, Deployment,
Projected Volumes
You must connect to the correct host . Failure to do so may
result in a zero score.
[candidate@base] $ ssh cks000033
Context
A security audit has identified a Deployment improperly handling service account tokens, which could lead to security vulnerabilities.
Task
First, modify the existing ServiceAccount stats-monitor-sa in the namespace monitoring to turn off automounting of API credentials.
Next, modify the existing Deployment stats-monitor in the namespace monitoring to inject a ServiceAccount token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.
Use a Projected Volume named token to inject the ServiceAccount token and ensure that it is mounted read-only.
The Deployment's manifest file can be found at /home/candidate/stats-monitor/deployment.yaml.

정답:

See the Explanation below for complete solution
Explanation:
1) Connect to correct host
ssh cks000033
sudo -i
export KUBECONFIG=/etc/kubernetes/admin.conf
2) Patch the ServiceAccount to disable automounting
Task: turn off automounting of API credentials for stats-monitor-sa in monitoring.
kubectl -n monitoring patch sa stats-monitor-sa -p '{"automountServiceAccountToken": false}' Verify:
kubectl -n monitoring get sa stats-monitor-sa -o yaml | grep -i automount
3) Edit the Deployment manifest file
Task says to modify the manifest at:
/home/candidate/stats-monitor/deployment.yaml
vi /home/candidate/stats-monitor/deployment.yaml
4) In the Deployment, ensure it uses the ServiceAccount AND inject token via Projected Volume
4.1 Make sure Deployment uses the SA
Under:
spec: -> template: -> spec:
ensure:
serviceAccountName: stats-monitor-sa
(If it already exists, leave it; don't add extra changes beyond requirements.)
4.2 Add a projected volume named token
Under:
spec: -> template: -> spec: -> volumes:
add (or modify existing volume if present) so it is exactly:
- name: token
projected:
sources:
- serviceAccountToken:
path: token
This creates the file token inside the mounted directory, so the final path becomes:
/var/run/secrets/kubernetes.io/serviceaccount/token
4.3 Mount the projected volume read-only at the required location
Under the target container:
spec: -> template: -> spec: -> containers: -> (your container) -> volumeMounts:
Add:
- name: token
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
readOnly: true
✅ This satisfies:
Projected volume name: token
Mount path: /var/run/secrets/kubernetes.io/serviceaccount/token (file inside mount) Mounted read-only
4.4 Important: Don't break default token mount behavior
Because you disabled SA automounting at the ServiceAccount level, you must explicitly mount the projected token (done above). That's the whole point of this task.
Save and exit:
:wq
5) Apply the updated Deployment
kubectl -n monitoring apply -f /home/candidate/stats-monitor/deployment.yaml Wait rollout:
kubectl -n monitoring rollout status deployment/stats-monitor
6) Verify the token file exists in the running Pod
Get a pod name:
POD=$(kubectl -n monitoring get pods -l app=stats-monitor -o jsonpath='{.items[0].metadata.name}') echo $POD Check the token file path exists:
kubectl -n monitoring exec -it $POD -- ls -l /var/run/secrets/kubernetes.io/serviceaccount/token Optional: confirm it's mounted read-only (usually shown by mount options):
kubectl -n monitoring exec -it $POD -- mount | grep /var/run/secrets/kubernetes.io/serviceaccount
✅ What the examiner checks
SA stats-monitor-sa has:
automountServiceAccountToken: false
Deployment stats-monitor mounts a projected volume named token
Token file is at:
/var/run/secrets/kubernetes.io/serviceaccount/token
Mount is readOnly: true
If label selector doesn't match (-l app=stats-monitor)
Use:
kubectl -n monitoring get pods
Then set:
POD=<paste-pod-name>

문제 5

SIMULATION

Context
A default-deny NetworkPolicy avoids to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.
Task
Create a new default-deny NetworkPolicy named defaultdeny in the namespace testing for all traffic of type Egress.
The new NetworkPolicy must deny all Egress traffic in the namespace testing.
Apply the newly created default-deny NetworkPolicy to all Pods running in namespace testing.

다른 버전: 427LinuxFoundation.CKS.v2025-12-12.q105; 758LinuxFoundation.CKS.v2025-05-19.q37; 748LinuxFoundation.CKS.v2024-03-01.q40; 1012LinuxFoundation.CKS.v2023-10-13.q39; 966LinuxFoundation.CKS.v2023-01-07.q26; 880LinuxFoundation.CKS.v2022-09-06.q24; 1154LinuxFoundation.CKS.v2022-02-01.q26

최근 업로드: 243ACAMS.CAMS.v2026-01-15.q822; 153Microsoft.GH-300.v2026-01-15.q65; 132NACE.NACE-CIP1-001.v2026-01-15.q34; 156Salesforce.MCE-Admn-201.v2026-01-14.q54; 155Salesforce.MC-101.v2026-01-14.q41; 162Google.Professional-Cloud-Architect.v2026-01-14.q101; 142RUCKUS.RCWA.v2026-01-14.q48; 140SOCRA.CCRP.v2026-01-14.q43; 130CompTIA.FC0-U71.v2026-01-13.q88; 192APICS.CPIM.v2026-01-13.q161