CKS Readiness Self-Assessment
These 10 questions test whether you have the prerequisite knowledge to start CKS preparation. They cover Linux security, networking, RBAC, TLS, and container security concepts that CKS assumes you already know.
How to Use This Assessment
- Answer each question without looking anything up
- Be honest with yourself -- the goal is to identify gaps, not score 100%
- After answering, check the Solutions
- Scoring guide:
  - 8-10 correct: You are ready to start CKS domains immediately
  - 5-7 correct: Review the topics you missed, then proceed
  - Below 5: Spend a week on the CKA to CKS Bridge before starting CKS domains
Question 1: Linux Capabilities
Difficulty: Medium
A pod specification includes the following securityContext:

```yaml
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
      - SYS_ADMIN
```

What is wrong with this configuration from a security perspective, and how would you fix it?
Question 2: Seccomp Profiles
Difficulty: Medium
Explain the difference between these three seccomp profile types in Kubernetes:
- Unconfined
- RuntimeDefault
- Localhost
Which one should be the minimum baseline for production workloads, and why?
Question 3: Network Policy Default Deny
Difficulty: Easy
Write a NetworkPolicy manifest that implements a default deny all ingress and egress policy for all pods in the namespace production.
Why is this considered a security best practice?
Question 4: RBAC Least Privilege
Difficulty: Hard
You discover the following ClusterRoleBinding in your cluster:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-team-binding
subjects:
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

Identify at least three security issues with this binding. What would you do to remediate them?
Question 5: TLS Certificate Inspection
Difficulty: Medium
Given the command:
```bash
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
```

What specific fields would you check to verify that the API server certificate is properly configured? Name at least four fields and explain why each matters.
Question 6: Container Isolation
Difficulty: Medium
A pod has the following settings:
```yaml
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
    - name: app
      image: myapp:latest
      securityContext:
        privileged: true
```

Explain what each of the four settings (hostNetwork, hostPID, hostIPC, and privileged) does and why each one is a security risk. Which Linux isolation mechanism does each one bypass?
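The settings in Questions 1 and 6 are the ones a practitioner checks for first in a pod spec review. The following Python linter is an added example, not part of this assessment or its Solutions: it walks a pod spec given as a dict (the `.spec` shape returned by `kubectl get pod -o json`) and reports the host-namespace switches, `privileged`, a missing `drop: [ALL]`, and added capabilities that are effectively root on the node. The set of capabilities treated as dangerous is this example's own choice, and the container name and image used for the Question 1 sample are assumed, since the question shows only the securityContext fragment.

```python
"""Static checks for the pod isolation settings raised in Questions 1 and 6."""

# Capabilities treated here as privilege-equivalent: with any of these a process
# can mount filesystems, load kernel modules, trace or read every process, or
# talk directly to devices. This set is this example's choice, not a Kubernetes API.
DANGEROUS_CAPS = {
    "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
    "DAC_READ_SEARCH", "NET_ADMIN", "SYS_BOOT",
}

# Pod-level host-namespace switches and the Linux namespace each one bypasses.
HOST_NAMESPACE_FIELDS = {
    "hostNetwork": "network namespace (pod uses the node's interfaces, ports and localhost)",
    "hostPID": "PID namespace (pod sees and can signal every process on the node)",
    "hostIPC": "IPC namespace (pod shares SysV IPC and POSIX shared memory with the node)",
}


def _norm(cap):
    """Kubernetes accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare on one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def check_capabilities(sec_ctx):
    """Findings for one container's securityContext.capabilities block."""
    findings = []
    caps = sec_ctx.get("capabilities") or {}
    dropped = {_norm(c) for c in caps.get("drop") or []}
    added = {_norm(c) for c in caps.get("add") or []}
    if "ALL" not in dropped:
        findings.append("capabilities: ALL is not dropped, so the runtime default set stays")
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(f"capabilities: adds {cap}, which is effectively root on the node")
    return findings


def check_pod(spec):
    """Return human-readable findings for a pod spec dict; [] means nothing flagged."""
    findings = []
    for field, bypassed in HOST_NAMESPACE_FIELDS.items():
        if spec.get(field):
            findings.append(f"{field}: true bypasses the {bypassed}")
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(
                f"{name}: privileged=true grants every capability, exposes host devices "
                "under /dev and runs without seccomp or AppArmor confinement"
            )
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(
                f"{name}: allowPrivilegeEscalation is not false "
                "(setuid binaries and file capabilities can still raise privileges)"
            )
        findings.extend(f"{name}: {f}" for f in check_capabilities(sc))
    return findings


# Constructed samples: the fragments from Questions 1 and 6 as dicts.
# The container name and image for Question 1 are assumed for illustration.
QUESTION_1_POD = {
    "containers": [{
        "name": "web",
        "image": "nginx",
        "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE", "SYS_ADMIN"]},
        },
    }]
}

QUESTION_6_POD = {
    "hostNetwork": True,
    "hostPID": True,
    "hostIPC": True,
    "containers": [{"name": "app", "image": "myapp:latest", "securityContext": {"privileged": True}}],
}

if __name__ == "__main__":
    for label, pod in (("Question 1", QUESTION_1_POD), ("Question 6", QUESTION_6_POD)):
        print(f"== {label} ==")
        for line in check_pod(pod) or ["no findings"]:
            print(" -", line)
```

Note that NET_BIND_SERVICE is deliberately not flagged: binding a port below 1024 is the kind of narrow, well-understood capability that `drop: [ALL]` plus a single `add` is meant for. SYS_ADMIN is the opposite case, and the linter also reports `allowPrivilegeEscalation` because the runtime forces it to true whenever SYS_ADMIN or `privileged` is present.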
Question 7: Kubernetes Secrets
Difficulty: Easy
By default, how are Kubernetes Secrets stored in etcd? What are two methods to improve the security of Secrets at rest?
Bonus: Why is storing sensitive values in environment variables (via env in a pod spec) considered less secure than mounting secrets as files?
Question 8: Admission Controllers
Difficulty: Hard
Explain the difference between a Mutating Admission Webhook and a Validating Admission Webhook. In what order does the Kubernetes API server process them?
Give a practical security example for each type.
Question 9: AppArmor and Containers
Difficulty: Medium
You need to apply an AppArmor profile to a container in a Kubernetes pod.
- Where must the AppArmor profile be loaded?
- How do you reference the profile in a pod specification?
- What happens if you reference a profile that does not exist on the node where the pod is scheduled?
Question 10: Audit Logging
Difficulty: Hard
The Kubernetes API server supports four audit logging levels.
- Name all four levels in order from least to most verbose.
- Write an audit policy rule that logs all Secret access (get, list, watch) at the Metadata level, but logs Secret creation and deletion at the RequestResponse level.
- Where do you configure the API server to use an audit policy file?
After Completing
Check your answers against the detailed Solutions. Pay special attention to any questions where you were unsure -- those topics will likely appear on the CKS exam.