Linux Foundation CKS practice materials Questions Answers

Exam Code:
CKS
Exam Name:
Certified Kubernetes Security Specialist Exam
Last Update:
Jun 01,2026

64 Questions Answers Verified by Experts!


PDF + Testing Engine
$50.00
$144.00

Testing Engine (only)
$35.00
$79.00

PDF (only)
$30.00
$65.00

Linux Foundation CKS Last Week Results!

871
Customers Passed
Linux Foundation CKS
95%
Average Score In Real
Exam At Testing Centre
87%
Questions are designed to align with exam objectives

Linux Foundation CKS Questions for Kubernetes Security Specialist Certification Exam 2026

Here’s you can get most updated Linux Foundation CKS Certified Kubernetes Security Specialist Exam updated practice questions and explanations in PDF and web-based practice test software. These verified Certified Kubernetes Security Specialist Exam CKS questions are enough to practice and prepare for your certification exam. These Linux Foundation CKS practice questions that will undoubtedly assist you to prepare for the actual Linux Foundation Kubernetes Security Specialist Certification exam. Optionally, you can get premium files for extra help for the exam, besides a huge number of practice questions in the free Linux Foundation CKS PDF files.

Get a Perfect Exam Score with Actual Linux Foundation CKS practice questions

You can showcase your skills in the present information technology field with the Linux Foundation Kubernetes Security Specialist Certification CKS certification. Success in the CKS exam expands your portfolio to get well-paid jobs. CertsDrive offers real CompTIA Network+ Certification CKS studyguide to help you earn your desired Linux Foundation certification. Hundreds of IT aspirants have verified their skill set with these Kubernetes Security Specialist Certification CKS updated practice questions. Practice exams and PDF questions are formats of our product. You can practice in the actual Certified Kubernetes Security Specialist Exam CKS exam environment with our desktop practice test software and web-based practice exam.
 

The Linux Foundation Kubernetes Security Specialist Certification CKS PDF format is ideal for preparing quickly from any place via smartphones, laptops, and tablets. CertsDrive has been helping CKS exam applicants for many years. You can also authenticate your skills with the Linux Foundation Certification CKS exam certificate if you prepare from our exam-aligned study guide. Furthermore, there is a refund policy for users who fail after using Certified Kubernetes Security Specialist Exam CKS exam practice questions.

Certified Kubernetes Security Specialist Exam CKS practice questions with explanations

 

CertsDrive is the leading website that offers actual Linux Foundation CKS practice questions PDF for easy preparation. Try free Certified Kubernetes Security Specialist Exam CKS practice questions demo before purchasing.
 

UNLOCK FULL
CKS Exam Features

In Just $11 You can Access

• All Official Question Types
• Interactive Web-Based Practice Test Software
• No Installation or 3rd Party Software Required
• Customize your practice sessions (Free Demo)
• 24/7 Customer Support

Get Full Access

Page: 1 / 10
Total Questions: 48

Questions & Answers PDF

• Question 1

  

  Enable audit logs in the cluster, To Do so, enable the log backend, and ensure that1. logs are stored at /var/log/kubernetes-logs.txt.2. Log files are retained for 12 days.3. at maximum, a number of 8 old audit logs files are retained.4. set the maximum size before getting rotated to 200MBEdit and extend the basic policy to log:1. namespaces changes at RequestResponse2. Log the request body of secrets changes in the namespace kube-system.3. Log all other resources in core and extensions at the Request level.4. Log 'pods/portforward', 'services/proxy' at Metadata level.5. Omit the Stage RequestReceivedAll other requests at the Metadata level

  • A . Explanation:
    Kubernetes auditing provides a security-relevant chronological set of records about a cluster. Kube-apiserver performs auditing. Each request on each stage of its execution generates an event, which is then pre-processed according to a certain policy and written to a backend. The policy determines what's recorded and the backends persist the records.
    You might want to configure the audit log as part of compliance with the CIS (Center for Internet Security) Kubernetes Benchmark controls.
    The audit log can be enabled by default using the following configuration incluster.yml:
    services:
    kube-api:
    audit_log:
    enabled: true
    When the audit log is enabled, you should be able to see the default values at/etc/kubernetes/audit-policy.yaml
    The log backend writes audit events to a file inJSONlinesformat. You can configure the log audit backend using the followingkube-apiserverflags:
    --audit-log-pathspecifies the log file path that log backend uses to write audit events. Not specifying this flag disables log backend.-means standard out
    --audit-log-maxagedefined the maximum number of days to retain old audit log files
    --audit-log-maxbackupdefines the maximum number of audit log files to retain
    --audit-log-maxsizedefines the maximum size in megabytes of the audit log file before it gets rotated
    If your cluster's control plane runs the kube-apiserver as a Pod, remember to mount thehostPathto the location of the policy file and log file, so that audit records are persisted. For example:
    --audit-policy-file=/etc/kubernetes/audit-policy.yaml \
    --audit-log-path=/var/log/audit.log
    

  Reveal Answer Answer: A Next Question

• Question 2

  

  Create a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default.Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and Verify that the pod is able to list pods.Ensure that the Pod is running.

  • A . Explanation:
    A service account provides an identity for processes that run in a Pod.
    When you (a human) access the cluster (for example, usingkubectl), you are authenticated by the apiserver as a particular User Account (currently this is usuallyadmin, unless your cluster administrator has customized your cluster). Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example,default).
    When you create a pod, if you do not specify a service account, it is automatically assigned thedefaultservice account in the same namespace. If you get the raw json or yaml for a pod you have created (for example,kubectl get pods/ -o yaml), you can see thespec.serviceAccountNamefield has beenautomatically set.
    You can access the API from inside a pod using automatically mounted service account credentials, as described inAccessing the Cluster. The API permissions of the service account depend on theauthorization plugin and policyin use.
    In version 1.6+, you can opt out of automounting API credentials for a service account by settingautomountServiceAccountToken: falseon the service account:
    apiVersion: v1
    kind: ServiceAccount
    metadata:
    name: build-robot
    automountServiceAccountToken: false
    ...
    In version 1.6+, you can also opt out of automounting API credentials for a particular pod:
    apiVersion: v1
    kind: Pod
    metadata:
    name: my-pod
    spec:
    serviceAccountName: build-robot
    automountServiceAccountToken: false
    ...
    The pod spec takes precedence over the service account if both specify aautomountServiceAccountTokenvalue.
    

  Reveal Answer Answer: A Next Question

• Question 3

  

  You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context qa Context: A pod fails to run because of an incorrectly specified ServiceAccount Task: Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret. Edit the frontend pod yaml to use backend-qa service account Note:You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml

  • A . Explanation:
    [desk@cli] $k create sa backend-qa -n qa
    sa/backend-qa created
    
    [desk@cli] $k get role,rolebinding -n qa
    No resources found in qa namespace.
    
    [desk@cli] $k create role backend -n qa --resource pods,namespaces,configmaps --verb list
    #No access to secret
    
    [desk@cli] $k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa
    
    [desk@cli] $vim /home/cert_masters/frontend-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
    name: frontend
    spec:
    serviceAccountName: backend-qa # Add this
    image: nginx
    name: frontend
    [desk@cli] $k apply -f /home/cert_masters/frontend-pod.yaml
    pod created
    [desk@cli] $k create sa backend-qa -n qa
    serviceaccount/backend-qa created
    
    [desk@cli] $k get role,rolebinding -n qa
    No resources found in qa namespace.
    
    [desk@cli] $k create role backend -n qa --resource pods,namespaces,configmaps --verb list
    role.rbac.authorization.k8s.io/backend created
    
    [desk@cli] $k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa
    rolebinding.rbac.authorization.k8s.io/backend created
    
    [desk@cli] $vim /home/cert_masters/frontend-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
    name: frontend
    spec:
    serviceAccountName: backend-qa # Add this
    image: nginx
    name: frontend
    [desk@cli] $k apply -f /home/cert_masters/frontend-pod.yaml
    pod/frontend created
    
    https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
    

  Reveal Answer Answer: A Next Question

• Question 4

  

  You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context stage Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace. Task: 1. Create a new PodSecurityPolcy named deny-policy, which prevents the creation of privileged Pods. 2. Create a new ClusterRole name deny-access-role, which uses the newly created PodSecurityPolicy deny-policy. 3. Create a new ServiceAccount named psd-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBindind named restrict-access-bind, which binds the newly created ClusterRole deny-access-role to the newly created ServiceAccount psp-denial-sa

  • A . Explanation:
    Create psp to disallow privileged container
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: deny-access-role
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - ''deny-policy''
    k create sa psp-denial-sa -n development
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
    name: restrict-access-bing
    roleRef:
    kind: ClusterRole
    name: deny-access-role
    apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: ServiceAccount
    name: psp-denial-sa
    namespace: development
    Explanation
    master1 $ vim psp.yaml
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: deny-policy
    spec:
    privileged: false # Don't allow privileged pods!
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: RunAsAny
    fsGroup:
    rule: RunAsAny
    volumes:
    - '*'
    master1 $ vim cr1.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: deny-access-role
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - ''deny-policy''
    master1 $k create sa psp-denial-sa -n development
    
    master1 $ vim cb1.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
    name: restrict-access-bing
    roleRef:
    kind: ClusterRole
    name: deny-access-role
    apiGroup: rbac.authorization.k8s.io
    subjects:
    # Authorize specific service accounts:
    - kind: ServiceAccount
    name: psp-denial-sa
    namespace: development
    master1 $k apply -f psp.yaml
    master1 $k apply -f cr1.yaml
    master1 $k apply -f cb1.yaml
    
    Reference:https://kubernetes.io/docs/concepts/policy/pod-security-policy/
    

  Reveal Answer Answer: A Next Question

• Question 5

  

  Analyze and edit the given DockerfileFROM ubuntu:latestRUN apt-get update -yRUN apt-install nginx -yCOPY entrypoint.sh /ENTRYPOINT ['/entrypoint.sh']USER ROOTFixing two instructions present in the file being prominent security best practice issuesAnalyze and edit the deployment manifest fileapiVersion: v1kind: Podmetadata:name: security-context-demo-2spec:securityContext:runAsUser: 1000containers:- name: sec-ctx-demo-2image: gcr.io/google-samples/node-hello:1.0securityContext:runAsUser: 0privileged: TrueallowPrivilegeEscalation: falseFixing two fields present in the file being prominent security best practice issuesDon't add or remove configuration settings; only modify the existing configuration settingsWhenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487

  • A . Explanation:
    FROM debian:latest
    MAINTAINER [email protected]
    # 1 - RUN
    RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
    RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
    RUN apt-get clean
    # 2 - CMD
    #CMD ['htop']
    #CMD ['ls', '-l']
    # 3 - WORKDIR and ENV
    WORKDIR /root
    ENV DZ version1
    $ docker image build -t bogodevops/demo .
    Sending build context to Docker daemon 3.072kB
    Step 1/7 : FROM debian:latest
    ---> be2868bebaba
    Step 2/7 : MAINTAINER [email protected]
    ---> Using cache
    ---> e2eef476b3fd
    Step 3/7 : RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils
    ---> Using cache
    ---> 32fd044c1356
    Step 4/7 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop
    ---> Using cache
    ---> 0a5b514a209e
    Step 5/7 : RUN apt-get clean
    ---> Using cache
    ---> 5d1578a47c17
    Step 6/7 : WORKDIR /root
    ---> Using cache
    ---> 6b1c70e87675
    Step 7/7 : ENV DZ version1
    ---> Using cache
    ---> cd195168c5c7
    Successfully built cd195168c5c7
    Successfully tagged bogodevops/demo:latest
    

  Reveal Answer Answer: A Next Question

• Question 6

  

  Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.

  • A . Explanation:
    $ kubectl get ing -n <namespace-of-ingress-resource>
    NAME HOSTS ADDRESS PORTS AGE
    cafe-ingress cafe.com 10.0.2.15 80 25s
    $ kubectl describe ing <ingress-resource-name> -n <namespace-of-ingress-resource>
    Name: cafe-ingress
    Namespace: default
    Address: 10.0.2.15
    Default backend: default-http-backend:80 (172.17.0.5:8080)
    Rules:
    Host Path Backends
    ---- ---- --------
    cafe.com
    /tea tea-svc:80 (<none>)
    /coffee coffee-svc:80 (<none>)
    Annotations:
    kubectl.kubernetes.io/last-applied-configuration: {'apiVersion':'networking.k8s.io/v1','kind':'Ingress','metadata':{'annotations':{},'name':'cafe-ingress','namespace':'default','selfLink':'/apis/networking/v1/namespaces/default/ingresses/cafe-ingress'},'spec':{'rules':[{'host':'cafe.com','http':{'paths':[{'backend':{'serviceName':'tea-svc','servicePort':80},'path':'/tea'},{'backend':{'serviceName':'coffee-svc','servicePort':80},'path':'/coffee'}]}}]},'status':{'loadBalancer':{'ingress':[{'ip':'169.48.142.110'}]}}}
    Events:
    Type Reason Age From Message
    ---- ------ ---- ---- -------
    Normal CREATE 1m ingress-nginx-controller Ingress default/cafe-ingress
    Normal UPDATE 58s ingress-nginx-controller Ingress default/cafe-ingress
    $ kubectl get pods -n <namespace-of-ingress-controller>
    NAME READY STATUS RESTARTS AGE
    ingress-nginx-controller-67956bf89d-fv58j 1/1 Running 0 1m
    $ kubectl logs -n <namespace> ingress-nginx-controller-67956bf89d-fv58j
    -------------------------------------------------------------------------------
    NGINX Ingress controller
    Release: 0.14.0
    Build: git-734361d
    Repository: https://github.com/kubernetes/ingress-nginx
    -------------------------------------------------------------------------------
    ....
    

  Reveal Answer Answer: A Next Question

• Question 7

  

  Use the kubesec docker images to scan the given YAML manifest, edit and apply the advised changes, and passed with a score of 4 points.kubesec-test.yamlapiVersion: v1kind: Podmetadata:name: kubesec-demospec:containers:- name: kubesec-demoimage: gcr.io/google-samples/node-hello:1.0securityContext:readOnlyRootFilesystem: trueHint:docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

  • A . Explanation:
    kubesec scan k8s-deployment.yaml
    cat <<EOF > kubesec-test.yaml
    apiVersion: v1
    kind: Pod
    metadata:
    name: kubesec-demo
    spec:
    containers:
    - name: kubesec-demo
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
    readOnlyRootFilesystem: true
    EOF
    kubesec scan kubesec-test.yaml
    docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml
    kubesec http 8080 &
    [1] 12345
    {'severity':'info','timestamp':'2019-05-12T11:58:34.662+0100','caller':'server/server.go:69','message':'Starting HTTP server on port 8080'}
    curl -sSX POST --data-binary @test/asset/score-0-cap-sys-admin.yml http://localhost:8080/scan
    [
    {
    'object': 'Pod/security-context-demo.default',
    'valid': true,
    'message': 'Failed with a score of -30 points',
    'score': -30,
    'scoring': {
    'critical': [
    {
    'selector': 'containers[] .securityContext .capabilities .add == SYS_ADMIN',
    'reason': 'CAP_SYS_ADMIN is the most privileged capability and should always be avoided'
    },
    {
    'selector': 'containers[] .securityContext .runAsNonRoot == true',
    'reason': 'Force the running image to run as a non-root user to ensure least privilege'
    },
    // ...
    

  Reveal Answer Answer: A Next Question

• Question 8

  

  You can switch the cluster/configuration context using the following command: [desk@cli] $kubectl config use-context dev A default-deny NetworkPolicy avoid to accidentally expose a Pod in a namespace that doesn't have any other NetworkPolicy defined.Task: Create a new default-deny NetworkPolicy nameddeny-networkin the namespacetestfor all traffic of type Ingress + EgressThe new NetworkPolicy must deny all Ingress + Egress traffic in the namespacetest.Apply the newly createddefault-denyNetworkPolicy to all Pods running in namespacetest.You can find a skeleton manifests file at /home/cert_masters/network-policy.yaml

  • A . Explanation:
    master1 $k get pods -n test --show-labels
    NAME READY STATUS RESTARTS AGE LABELS
    test-pod 1/1 Running 0 34s role=test,run=test-pod
    testing 1/1 Running 0 17d run=testing
    $vim netpol.yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: deny-network
    namespace: test
    spec:
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
    master1 $k apply -f netpol.yaml
    Explanation
    controlplane $ k get pods -n test --show-labels
    NAME READY STATUS RESTARTS AGE LABELS
    test-pod 1/1 Running 0 34s role=test,run=test-pod
    testing 1/1 Running 0 17d run=testing
    master1 $ vim netpol1.yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: deny-network
    namespace: test
    spec:
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
    master1 $ k apply -f netpol1.yaml
    
    Reference:
    https://kubernetes.io/docs/concepts/services-networking/network-policies/
    Explanation
    controlplane $ k get pods -n test --show-labels
    NAME READY STATUS RESTARTS AGE LABELS
    test-pod 1/1 Running 0 34s role=test,run=test-pod
    testing 1/1 Running 0 17d run=testing
    master1 $ vim netpol1.yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
    name: deny-network
    namespace: test
    spec:
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
    master1 $ k apply -f netpol1.yaml
    
    Reference:
    https://kubernetes.io/docs/concepts/services-networking/network-policies/
    

  Reveal Answer Answer: A Next Question

• Question 9

  

  Create a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.Create a Pods of image Nginx in the Namespace server to run on the gVisor runtime class

  • A . Explanation:
    Install the Runtime Class for gVisor
    { # Step 1: Install a RuntimeClass
    cat <<EOF | kubectl apply -f -
    apiVersion: node.k8s.io/v1beta1
    kind: RuntimeClass
    metadata:
    name: gvisor
    handler: runsc
    EOF
    }
    Create a Pod with the gVisor Runtime Class
    { # Step 2: Create a pod
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Pod
    metadata:
    name: nginx-gvisor
    spec:
    runtimeClassName: gvisor
    containers:
    - name: nginx
    image: nginx
    EOF
    }
    Verify that the Pod is running
    { # Step 3: Get the pod
    kubectl get pod nginx-gvisor -o wide
    }
    

  Reveal Answer Answer: A Next Question

• Question 10

  

  Create a PSP that will prevent the creation of privileged pods in the namespace.Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.Create a new ServiceAccount named psp-sa in the namespace default.Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.Also, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.

  • A . Explanation:
    Create a PSP that will prevent the creation of privileged pods in the namespace.
    $ cat clusterrole-use-privileged.yaml
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: use-privileged-psp
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - default-psp
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
    name: privileged-role-bind
    namespace: psp-test
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: use-privileged-psp
    subjects:
    - kind: ServiceAccount
    name: privileged-sa
    $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
    After a few moments, the privileged Pod should be created.
    Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: example
    spec:
    privileged: false # Don't allow privileged pods!
    # The rest fills in some required fields.
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: RunAsAny
    fsGroup:
    rule: RunAsAny
    volumes:
    - '*'
    And create it with kubectl:
    kubectl-admin create -f example-psp.yaml
    Now, as the unprivileged user, try to create a simple pod:
    kubectl-user create -f- <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
    name: pause
    spec:
    containers:
    - name: pause
    image: k8s.gcr.io/pause
    EOF
    The output is similar to this:
    Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
    Create a new ServiceAccount named psp-sa in the namespace default.
    $ cat clusterrole-use-privileged.yaml
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: use-privileged-psp
    rules:
    - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
    - default-psp
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
    name: privileged-role-bind
    namespace: psp-test
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: use-privileged-psp
    subjects:
    - kind: ServiceAccount
    name: privileged-sa
    $ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml
    After a few moments, the privileged Pod should be created.
    Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: example
    spec:
    privileged: false # Don't allow privileged pods!
    # The rest fills in some required fields.
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: RunAsAny
    fsGroup:
    rule: RunAsAny
    volumes:
    - '*'
    And create it with kubectl:
    kubectl-admin create -f example-psp.yaml
    Now, as the unprivileged user, try to create a simple pod:
    kubectl-user create -f- <<EOF
    apiVersion: v1
    kind: Pod
    metadata:
    name: pause
    spec:
    containers:
    - name: pause
    image: k8s.gcr.io/pause
    EOF
    The output is similar to this:
    Error from server (Forbidden): error when creating 'STDIN': pods 'pause' is forbidden: unable to validate against any pod security policy: []
    Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.
    apiVersion: rbac.authorization.k8s.io/v1
    # This role binding allows 'jane' to read pods in the 'default' namespace.
    # You need to already have a Role named 'pod-reader' in that namespace.
    kind: RoleBinding
    metadata:
    name: read-pods
    namespace: default
    subjects:
    # You can specify more than one 'subject'
    - kind: User
    name: jane # 'name' is case sensitive
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    # 'roleRef' specifies the binding to a Role / ClusterRole
    kind: Role #this must be Role or ClusterRole
    name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
    apiGroup: rbac.authorization.k8s.io
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
    namespace: default
    name: pod-reader
    rules:
    - apiGroups: [''] # '' indicates the core API group
    resources: ['pods']
    verbs: ['get', 'watch', 'list']
    

  Reveal Answer Answer: A Next Question

Page: 1 / 10
Total Questions: 48

Previous Page Next Page

Types of Questions Support

Both CKS PDF and Testing Engine have all the practice questions including Multiple Choice, Simulation and Drag Drop Questions.

?
?
??

Free 3 Months Linux Foundation CKS Exam practice questions with explanations Update

We provide you 3 Months Free Linux Foundation CKS Exam Updates at no cost.

?
?
??

100% Linux Foundation CKS refund policy and support policy

We provide you CKS practice material with policy-based support With refund policy.

?
?
??

Fully SSL Secure System of Purchase for Linux Foundation CKS Exam

Purchase Linux Foundation CKS Exam Product with fully SSL Secure system and available in your PrepFiles Account.

?
?
???

We Respect Privacy Policy

We respect full Privacy of our customers and would not share information with any third party.

?
?
??

Fully Exam Environment

Experience official exam objectives Environment with our testing engine.

?
?
??

2 Modes of CKS Practice Exam in Testing Engine

Testing Mode and Practice Mode.

?
?
??

Exam Score History

Our CKS Testing Engine will Save your CKS Exam Score so you can Review it later to improve your results.

?
?
??

Question Selection in Test engine

PrepFiles Test engine Provides Option to choose randomize and non-randomize Questions Set.

?
?
??

Saving Your Exam Notes

Our CKS Testing Engine provides option to save your exam Notes.

?
?