BONUS!!! Download part of ExamPrepAway CKS dumps for free: https://drive.google.com/open?id=1EeBdvMv7vjY0BvK7KUmlSwbYtHYACsDz

We have three different versions of our CKS exam questions which can cater to different needs of our customers. They are the versions: PDF, Software and APP online. The PDF version of our CKS exam simulation can be printed out, suitable for you who like to take notes, your unique notes may make you more profound. The Software version of our CKS Study Materials can simulate the real exam. Adn the APP online version can be applied to all electronic devices.

The Linux Foundation CKS (Certified Kubernetes Security Specialist) Exam is a certification program that is designed to test and validate the skills of IT professionals in securing Kubernetes clusters. Kubernetes has become the most popular container orchestration system, and with its increased adoption, the need for Kubernetes security experts has also grown. The CKS certification program is aimed at IT professionals who already have a good understanding of Kubernetes and want to demonstrate their expertise in securing Kubernetes clusters.

The CKS exam is a practical, performance-based exam that tests the candidate's ability to solve real-world problems related to Kubernetes security. Candidates are required to perform tasks related to securing Kubernetes clusters and applications within a given time frame. The exam is conducted online, and candidates can take it from anywhere in the world.

The CKS certification exam is a valuable credential for professionals seeking to advance their career in the field of Kubernetes security. With the growing popularity of Kubernetes, the demand for professionals with CKS certification is increasing rapidly. By passing the exam, individuals can demonstrate their expertise in securing Kubernetes-based applications and infrastructure, making them a valuable asset to any organization.

>> CKS Exam Guide <<

CKS Exam Syllabus, CKS Test Assessment

If you want to pass the CKS exam, you should buy our CKS exam questions to prapare for it. Our sincerity stems from the good quality of our CKS learning guide is that not only we will give you the most latest content. Also we will give you one year's free update of the CKS Study Materials you purchase and 24/7 online service. Now just make up your mind and get your CKS exam braindumps!

Linux Foundation Certified Kubernetes Security Specialist (CKS) Sample Questions (Q17-Q22):

NEW QUESTION # 17
You must complete this task on the following cluster/nodes:
Cluster: trace
Master node: master
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context trace
Given: You may use Sysdig or Falco documentation.
Task:
Use detection tools to detect anomalies like processes spawning and executing something weird frequently in the single container belonging to Pod tomcat.
Two tools are available to use:
1. falco
2. sysdig
Tools are pre-installed on the worker1 node only.
Analyse the container's behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes.
Store an incident file at /home/cert_masters/report, in the following format:
[timestamp],[uid],[processName]
Note: Make sure to store incident file on the cluster's worker node, don't move it to master node.

Answer:

Explanation:
$vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
$kill -1 <PID of falco>
Explanation
[desk@cli] $ ssh node01
[node01@cli] $ vim /etc/falco/falco_rules.yaml
search for Container Drift Detected & paste in falco_rules.local.yaml
[node01@cli] $ vim /etc/falco/falco_rules.local.yaml
- rule: Container Drift Detected (open+create)
desc: New executable created in a container due to open+create
condition: >
evt.type in (open,openat,creat) and
evt.is_open_exec=true and
container and
not runc_writing_exec_fifo and
not runc_writing_var_lib_docker and
not user_known_container_drift_activities and
evt.rawres>=0
output: >
%evt.time,%user.uid,%proc.name # Add this/Refer falco documentation
priority: ERROR
[node01@cli] $ vim /etc/falco/falco.yaml


NEW QUESTION # 18
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context qa
Context:
A pod fails to run because of an incorrectly specified ServiceAccount
Task:
Create a new service account named backend-qa in an existing namespace qa, which must not have access to any secret.
Edit the frontend pod yaml to use backend-qa service account
Note: You can find the frontend pod yaml at /home/cert_masters/frontend-pod.yaml

Answer:

Explanation:
[desk@cli] $ k create sa backend-qa -n qa
sa/backend-qa created
[desk@cli] $ k get role,rolebinding -n qa
No resources found in qa namespace.
[desk@cli] $ k create role backend -n qa --resource pods,namespaces,configmaps --verb list
# No access to secret
[desk@cli] $ k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa
[desk@cli] $ vim /home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
serviceAccountName: backend-qa # Add this
image: nginx
name: frontend
[desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yaml
pod created
[desk@cli] $ k create sa backend-qa -n qa
serviceaccount/backend-qa created
[desk@cli] $ k get role,rolebinding -n qa
No resources found in qa namespace.
[desk@cli] $ k create role backend -n qa --resource pods,namespaces,configmaps --verb list role.rbac.authorization.k8s.io/backend created
[desk@cli] $ k create rolebinding backend -n qa --role backend --serviceaccount qa:backend-qa rolebinding.rbac.authorization.k8s.io/backend created
[desk@cli] $ vim /home/cert_masters/frontend-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: frontend
spec:
serviceAccountName: backend-qa # Add this
image: nginx
name: frontend
[desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yaml pod/frontend created https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ pod/frontend created
[desk@cli] $ k apply -f /home/cert_masters/frontend-pod.yaml pod/frontend created https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/


NEW QUESTION # 19
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context prod-account
Context:
A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.
Task:
Given an existing Pod named web-pod running in the namespace database.
1. Edit the existing Role bound to the Pod's ServiceAccount test-sa to only allow performing get operations, only on resources of type Pods.
2. Create a new Role named test-role-2 in the namespace database, which only allows performing update operations, only on resources of type statuefulsets.
3. Create a new RoleBinding named test-role-2-bind binding the newly created Role to the Pod's ServiceAccount.
Note: Don't delete the existing RoleBinding.

Answer:

Explanation:
$ k edit role test-role -n database
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2021-06-04T11:12:23Z"
name: test-role
namespace: database
resourceVersion: "1139"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/database/roles/test-role uid: 49949265-6e01-499c-94ac-5011d6f6a353 rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- * # Delete
- get # Fixed
$ k create role test-role-2 -n database --resource statefulset --verb update
$ k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa Explanation
[desk@cli]$ k get pods -n database
NAME READY STATUS RESTARTS AGE LABELS
web-pod 1/1 Running 0 34s run=web-pod
[desk@cli]$ k get roles -n database
test-role
[desk@cli]$ k edit role test-role -n database
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2021-06-13T11:12:23Z"
name: test-role
namespace: database
resourceVersion: "1139"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/database/roles/test-role uid: 49949265-6e01-499c-94ac-5011d6f6a353 rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- "*" # Delete this
- get # Replace by this
[desk@cli]$ k create role test-role-2 -n database --resource statefulset --verb update role.rbac.authorization.k8s.io/test-role-2 created [desk@cli]$ k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa rolebinding.rbac.authorization.k8s.io/test-role-2-bind created Reference: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ role.rbac.authorization.k8s.io/test-role-2 created
[desk@cli]$ k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa rolebinding.rbac.authorization.k8s.io/test-role-2-bind created
[desk@cli]$ k create role test-role-2 -n database --resource statefulset --verb update role.rbac.authorization.k8s.io/test-role-2 created [desk@cli]$ k create rolebinding test-role-2-bind -n database --role test-role-2 --serviceaccount=database:test-sa rolebinding.rbac.authorization.k8s.io/test-role-2-bind created Reference: https://kubernetes.io/docs/reference/access-authn-authz/rbac/


NEW QUESTION # 20
Secrets stored in the etcd is not secure at rest, you can use the etcdctl command utility to find the secret value for e.g:-

  • A. ETCDCTL_API=3 etcdctl get /registry/secrets/default/cks-secret --cacert="ca.crt" --cert="server.crt" --key="server.key"

Answer: A

Explanation:
Output

Using the Encryption Configuration, Create the manifest, which secures the resource secrets using the provider AES-CBC and identity, to encrypt the secret-data at rest and ensure all secrets are encrypted with the new configuration.


NEW QUESTION # 21
Create a network policy named restrict-np to restrict to pod nginx-test running in namespace testing.
Only allow the following Pods to connect to Pod nginx-test:-
1. pods in the namespace default
2. pods with label version:v1 in any namespace.
Make sure to apply the network policy.

  • A. Send us your Feedback on this.

Answer: A


NEW QUESTION # 22
......

ExamPrepAway makes your investment 100% secure when you purchase CKS practice exams. We guarantee your success in the CKS exam. Otherwise, our full refund policy will enable you to get your money back. The practice exams for Kubernetes Security Specialist are prepared by the CKS subject experts who are well aware of the CKS exam syllabus requirements. Our Customer support team is 24/7 available that you can reach through email or Live Chat for any CKS exam preparation product related question.

CKS Exam Syllabus: https://www.examprepaway.com/Linux-Foundation/braindumps.CKS.ete.file.html

BTW, DOWNLOAD part of ExamPrepAway CKS dumps from Cloud Storage: https://drive.google.com/open?id=1EeBdvMv7vjY0BvK7KUmlSwbYtHYACsDz