
The Linux Foundation CKS Free Practice Question Bank

The CKS question bank was last updated on 2025-10-26.


Question #1

CORRECT TEXT
Fix all issues via configuration and restart the affected components to ensure the new setting takes effect.
Fix all of the following violations that were found against the API server:
  a. Ensure that the RotateKubeletServerCertificate argument is set to true.
  b. Ensure that the admission control plugin PodSecurityPolicy is set.
  c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
Fix all of the following violations that were found against the Kubelet:
  a. Ensure the --anonymous-auth argument is set to false.
  b. Ensure that the --authorization-mode argument is set to Webhook.
Fix all of the following violations that were found against the ETCD:
  a. Ensure that the --auto-tls argument is not set to true
  b. Ensure that the --peer-auto-tls argument is not set to true
Hint: Use the kube-bench tool.

A. Fix all of the following violations that were found against the API server:
  a. Ensure that the RotateKubeletServerCertificate argument is set to true.
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kubelet
    tier: control-plane
  name: kubelet
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
+   - --feature-gates=RotateKubeletServerCertificate=true
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kubelet
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
  b. Ensure that the admission control plugin PodSecurityPolicy is set.
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
  test_items:
  - flag: "--enable-admission-plugins"
    compare:
      op: has
      value: "PodSecurityPolicy"
    set: true
remediation: |
  Follow the documentation and create Pod Security Policy objects as per your environment.
  Then, edit the API server pod specification file $apiserverconf
  on the master node and set the --enable-admission-plugins parameter to a
  value that includes PodSecurityPolicy :
  --enable-admission-plugins=...,PodSecurityPolicy,...
  Then restart the API Server.
scored: true
  c. Ensure that the --kubelet-certificate-authority argument is set as appropriate.
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
  test_items:
  - flag: "--kubelet-certificate-authority"
    set: true
remediation: |
  Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets.
  Then, edit the API server pod specification file $apiserverconf on the master node and set the
  --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
  --kubelet-certificate-authority=<ca-string>
scored: true
Fix all of the following violations that were found against the ETCD:
  a. Ensure that the --auto-tls argument is not set to true
Edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
  b. Ensure that the --peer-auto-tls argument is not set to true
Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
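
The flag checks from this question can be re-run after the restart with a small script in the spirit of the kube-bench `test_items` shown above. This is an added example, not kube-bench's own code or part of the original answer; it covers the six command-line flag items, assumes `--flag=value` syntax, and does not read the kubelet config file. The command lines and the CA path are constructed samples.

```python
import shlex

def _csv_has(item):
    return lambda v: v is not None and item in v.split(",")

# (component binary, flag, predicate on the flag's value; None means flag absent).
# PodSecurityPolicy was removed in Kubernetes v1.25, so that check only
# applies to older clusters such as the one this question assumes.
CHECKS = [
    ("kube-apiserver", "--enable-admission-plugins", _csv_has("PodSecurityPolicy")),
    ("kube-apiserver", "--kubelet-certificate-authority", lambda v: bool(v)),
    ("kubelet", "--anonymous-auth", lambda v: v == "false"),
    ("kubelet", "--authorization-mode", lambda v: v == "Webhook"),
    ("etcd", "--auto-tls", lambda v: v != "true"),
    ("etcd", "--peer-auto-tls", lambda v: v != "true"),
]

def parse_flags(cmdline):
    """Return (binary name, {flag: value}) for one process command line."""
    argv = shlex.split(cmdline)
    flags = {}
    for arg in argv[1:]:
        if arg.startswith("--"):
            name, sep, value = arg.partition("=")
            flags[name] = value if sep else "true"  # bare boolean flag
    return argv[0].rsplit("/", 1)[-1], flags

def audit(cmdlines):
    """Return the (component, flag) pairs that still violate a check."""
    failures = []
    for line in cmdlines:
        binary, flags = parse_flags(line)
        for component, flag, ok in CHECKS:
            if component == binary and not ok(flags.get(flag)):
                failures.append((component, flag))
    return failures

# Constructed sample command lines (not taken from a real cluster).
BEFORE = [
    "kube-apiserver --enable-admission-plugins=NodeRestriction --secure-port=6443",
    "/usr/bin/kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow",
    "etcd --auto-tls=true --peer-auto-tls=false --data-dir=/var/lib/etcd",
]
AFTER = [
    "kube-apiserver --enable-admission-plugins=NodeRestriction,PodSecurityPolicy"
    " --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt",
    "/usr/bin/kubelet --anonymous-auth=false --authorization-mode=Webhook",
    "etcd --data-dir=/var/lib/etcd",
]

if __name__ == "__main__":
    for component, flag in audit(BEFORE):
        print(f"FAIL {component} {flag}")
    print("after fix:", audit(AFTER) or "no findings")
```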

Question #2

CORRECT TEXT
On the Cluster worker node, enforce the prepared AppArmor profile
#include <tunables/global>

profile nginx-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
EOF'
Edit the prepared manifest file to include the AppArmor profile.
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
spec:
  containers:
  - name: apparmor-pod
    image: nginx
Finally, apply the manifest file and create the Pod specified in it.
Verify: Try to create a file inside the restricted directory.

A. Send us your Feedback on this.

Question #3

CORRECT TEXT
Cluster: scanner
Master node: controlplane
Worker node: worker1
You can switch the cluster/configuration context using the following command:
[desk@cli] $ kubectl config use-context scanner
Given:
You may use Trivy's documentation.
Task:
Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace nato.
Look for images with High or Critical severity vulnerabilities and delete the Pods that use those images.
Trivy is pre-installed on the cluster's master node. Run Trivy from the cluster's master node.

A. [controlplane@cli] $ k get pods -n nato -o yaml | grep "image: "
[controlplane@cli] $ trivy image <image-name>
[controlplane@cli] $ k delete pod <vulnerable-pod> -n nato

[desk@cli] $ ssh controlnode
[controlplane@cli] $ k get pods -n nato
NAME       READY   STATUS    RESTARTS   AGE
alohmora   1/1     Running   0          3m7s
c3d3       1/1     Running   0          2m54s
neon-pod   1/1     Running   0          2m11s
thor       1/1     Running   0          58s
[controlplane@cli] $ k get pods -n nato -o yaml | grep "image: "
[controlplane@cli] $ trivy image <image-name>
Note: Two images have vulnerabilities with High and Critical severity. Delete the containers for nginx:latest and alpine:3.7.
[controlplane@cli] $ k delete pod thor -n nato
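
The triage step above (map each Pod to its images, scan, delete Pods whose image has a High or Critical finding) can be done mechanically from JSON output. This is an added example, not part of the original answer; it assumes the input comes from `kubectl get pods -n nato -o json` and `trivy image --format json <image>`, and the Pod names, the third image and the vulnerability IDs below are constructed.

```python
SEVERE = {"HIGH", "CRITICAL"}

def images_by_pod(pod_list):
    """Map pod name -> set of images, including init containers."""
    out = {}
    for pod in pod_list["items"]:
        spec = pod["spec"]
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        out[pod["metadata"]["name"]] = {c["image"] for c in containers}
    return out

def severe_count(report):
    """Count HIGH/CRITICAL findings in one parsed Trivy JSON report."""
    return sum(
        1
        for result in report.get("Results") or []
        # Trivy emits null instead of a list when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []
        if vuln.get("Severity") in SEVERE
    )

def pods_to_delete(pod_list, reports):
    """reports maps image -> parsed report. Return pods using a severe image."""
    bad = {image for image, rep in reports.items() if severe_count(rep) > 0}
    return sorted(p for p, imgs in images_by_pod(pod_list).items() if imgs & bad)

def _pod(name, *images):
    return {"metadata": {"name": name},
            "spec": {"containers": [{"image": i} for i in images]}}

def _report(*severities):
    vulns = [{"VulnerabilityID": f"EXAMPLE-{n}", "Severity": s}
             for n, s in enumerate(severities)]
    return {"Results": [{"Target": "os", "Vulnerabilities": vulns or None}]}

# Constructed data: three pods, one of them with a sidecar.
PODS = {"items": [_pod("web", "nginx:latest"),
                  _pod("batch", "example/clean:1.0", "alpine:3.7"),
                  _pod("clean", "example/clean:1.0")]}
REPORTS = {"nginx:latest": _report("CRITICAL", "LOW"),
           "alpine:3.7": _report("HIGH"),
           "example/clean:1.0": _report("MEDIUM", "LOW")}

if __name__ == "__main__":
    for name in pods_to_delete(PODS, REPORTS):
        print(f"kubectl delete pod {name} -n nato")
```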

Question #4

CORRECT TEXT
Using the runtime detection tool Falco, analyse the container behavior for at least 30 seconds, using filters that detect newly spawning and executing processes. Store the incident file at /opt/falco-incident.txt, containing the detected incidents, one per line, in the format
[timestamp],[uid],[user-name],[processName]

A. Send us your suggestion on it.

Question #5

Create the Pod using this manifest

A. [desk@cli] $ ssh worker1
[worker1@cli] $ apparmor_parser -q /etc/apparmor.d/nginx
[worker1@cli] $ aa-status | grep nginx
nginx-profile-1
[worker1@cli] $ logout
[desk@cli] $ vim nginx-deploy.yaml
Add these lines under metadata:
annotations: # Add this line
  container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/nginx-profile-1
[desk@cli] $ kubectl apply -f nginx-deploy.yaml

Explanation
[desk@cli] $ ssh worker1
[worker1@cli] $ apparmor_parser -q /etc/apparmor.d/nginx
[worker1@cli] $ aa-status | grep nginx
nginx-profile-1
[worker1@cli] $ logout
[desk@cli] $ vim nginx-deploy.yaml

Exam code: CKS. Questions in the full bank: 44. Updated: 2025-10-26