Certified Kubernetes Security Specialist 2021 CKS Exam Study Guide

Certified Kubernetes Security Specialist 2021 CKS Exam Study Guide

To earn Certified Kubernetes Security Specialist CKS certification, you must be sure that you have achieved the Certified Kubernetes Administrator (CKA). Then you need to come here to choose the CKS exam study guide to make sure that you can pass Certified Kubernetes Security Specialist certification exam in 2021. New CKS study guide with 44 practice exam questions and answers are written by the top experts, who ensure you can pass CKS exam in the first attempt.

You can read CKS free questions to check the Certified Kubernetes Security Specialist study guide.

Page 1 of 1


a. Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace.

Store the value of the token in thetoken.txt

b. Create a new secret named test-db-secret in the DB namespace with the following content:

username: mysql

password: password@123

Create the Pod name test-db-pod of image nginx in the namespace db that can accesstest-db-secret via a volume at path /etc/mysql-credentials


Create a RuntimeClass named untrusted using the prepared runtime handler named runsc.

Create a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.

Verify: Exec the pods and run the dmesg, you will see output like this:-

3. Pods being configured to be privileged in any way must be treated as potentially not stateless or not immutable.


Cluster: scanner

Master node: controlplane

Worker node: worker1

You can switch the cluster/configuration context using the following command:

[desk@cli] $ kubectl config use-context scanner


You may use Trivy's documentation.


Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.

Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.

Trivy is pre-installed on the cluster's master node. Use cluster's master node to use Trivy.


On the Cluster worker node, enforce the prepared AppArmor profile

✑ #include<tunables/global>

✑ profilenginx-deny flags=(attach_disconnected) {

✑ #include<abstractions/base>

✑ file,

✑ # Deny all file writes.

✑ deny/** w,

✑ }

✑ EOF'

Edit the prepared manifest file to include the AppArmor profile.

✑ apiVersion: v1

✑ kind: Pod

✑ metadata:

✑ name:apparmor-pod

✑ spec:

✑ containers:

✑ - name: apparmor-pod

✑ image: nginx

Finally, apply the manifests files and create the Pod specified on it.

Verify: Try to make a file inside the directory which is restricted.

6. sysdig

Tools are pre-installed on the worker1 node only.

Analyse the container’s behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.

Store an incident file at /home/cert_masters/report, in the following format:


Note: Make sure to store incident file on the cluster's worker node, don't move it to master node.


Leave a Reply

Your email address will not be published.