KubeQuest

Appearance

Practice Questions: Supply Chain Security

Domain Weight

Supply Chain Security accounts for 20% of the CKS exam -- tied for the highest weight. These 25 questions cover all topics in this domain with exam-realistic scenarios and hands-on tasks.

Question 1

Difficulty: Easy

Scenario: A security team has requested that you check the nginx:1.21 image for vulnerabilities before deploying it to the production cluster.

Task: Use Trivy to scan the nginx:1.21 image and identify only CRITICAL and HIGH severity vulnerabilities. Save the output in JSON format to /root/nginx-scan.json.

Question 2

Difficulty: Easy

Scenario: You need to find which container images running in the webapp namespace have known CRITICAL vulnerabilities.

Task: List all unique container images used by Pods in the webapp namespace. Then scan each image with Trivy, filtering for CRITICAL severity only, and save the names of images with CRITICAL vulnerabilities to /root/critical-images.txt (one image per line).

Question 3

Difficulty: Easy

Scenario: A developer has submitted a Pod manifest for review before deployment.

Task: Use kubesec to scan the file /root/pod-manifest.yaml. Identify the security score. If the score is negative, document all critical issues found to /root/kubesec-findings.txt.

Question 4

Difficulty: Easy

Scenario: The production cluster needs to pull images from a private registry at registry.internal.io.

Task:

  1. Create an ImagePullSecret named registry-secret in the production namespace with the following credentials:
    • Server: registry.internal.io
    • Username: k8s-prod
    • Password: SecureP@ss2024
    • Email: devops@company.com
  2. Patch the default ServiceAccount in the production namespace to use this ImagePullSecret.

Question 5

Difficulty: Easy

Scenario: You have been given a Dockerfile at /root/app/Dockerfile to review.

Task: Identify all security issues in the Dockerfile and fix them. The Dockerfile should:

  • Use a specific version tag (not latest)
  • Run as a non-root user
  • Use COPY instead of ADD
  • Not contain any hardcoded secrets

Question 6

Difficulty: Medium

Scenario: The nginx:1.25 image was previously approved, but a new CVE has been discovered. You need to determine if the image is affected.

Task:

  1. Scan nginx:1.25 with Trivy for vulnerabilities, showing only those that have a fix available
  2. Save the output to /root/fixable-vulns.txt
  3. Count the total number of CRITICAL and HIGH vulnerabilities that have fixes, and write the count to /root/vuln-count.txt

Question 7

Difficulty: Medium

Scenario: Your organization requires that all containers in the secure namespace use images only from the registry.company.com registry.

Task: Configure an OPA Gatekeeper constraint that denies any Pod in the secure namespace if its container images do not start with registry.company.com/. The ConstraintTemplate is already installed as K8sAllowedRegistries. Create only the Constraint resource.

Question 8

Difficulty: Medium

Scenario: The API server needs to be configured to use an ImagePolicyWebhook admission controller. The webhook service is running at https://image-policy.default.svc:443/validate and the following files already exist on the control plane node:

  • Webhook CA certificate: /etc/kubernetes/pki/webhook-ca.crt
  • API server client cert: /etc/kubernetes/pki/apiserver.crt
  • API server client key: /etc/kubernetes/pki/apiserver.key

Task:

  1. Create the webhook kubeconfig file at /etc/kubernetes/pki/admission_kubeconfig.yaml
  2. Create the AdmissionConfiguration file at /etc/kubernetes/pki/admission_configuration.yaml with defaultAllow: false
  3. Update the kube-apiserver static pod manifest to enable ImagePolicyWebhook

Question 9

Difficulty: Medium

Scenario: A running Pod named suspicious-pod in the default namespace is using an image that may have been tampered with.

Task:

  1. Identify the image used by suspicious-pod
  2. Scan the image with Trivy for vulnerabilities and secrets
  3. Save the full scan results to /root/suspicious-scan.json in JSON format
  4. If CRITICAL vulnerabilities are found, delete the Pod

Question 10

Difficulty: Medium

Scenario: Your team uses a multi-stage Dockerfile to build a Go application, but the final image is too large and contains unnecessary tools.

Task: Rewrite the Dockerfile at /root/go-app/Dockerfile to:

  1. Use a multi-stage build
  2. Use golang:1.22-alpine as the builder stage
  3. Use gcr.io/distroless/static:nonroot as the final stage
  4. Run as a non-root user (UID 65532)
  5. Only copy the compiled binary to the final stage

Question 11

Difficulty: Medium

Scenario: You need to scan Kubernetes manifests in the /root/manifests/ directory for security misconfigurations before applying them.

Task:

  1. Use Trivy to scan the directory for configuration issues
  2. Save the results to /root/config-scan.txt
  3. Identify and fix any HIGH severity misconfigurations in the manifests

Question 12

Difficulty: Medium

Scenario: A Deployment in the production namespace is using mutable image tags. The security policy requires all production images to use SHA256 digests.

Task:

  1. Identify the Deployment named web-frontend in the production namespace
  2. Find the SHA256 digest for the image it currently uses
  3. Update the Deployment to use the image digest instead of the tag

Question 13

Difficulty: Medium

Scenario: Your cluster needs to ensure that images are always pulled from the registry, never served from node cache.

Task:

  1. Enable the AlwaysPullImages admission controller on the API server
  2. Verify that the admission controller is active by checking the API server configuration
  3. Create a test Pod to confirm the imagePullPolicy is being enforced

Question 14

Difficulty: Medium

Scenario: A saved container image archive exists at /root/images/app-image.tar on the control plane node.

Task:

  1. Scan the image archive with Trivy
  2. List all CRITICAL and HIGH CVEs found
  3. Save the CVE IDs to /root/cve-list.txt (one per line)

Question 15

Difficulty: Medium

Scenario: Multiple namespaces in the cluster need access to different private registries. Set up the following:

Task:

  1. Create ImagePullSecret gcr-secret in namespace team-a for gcr.io with username _json_key and password from file /root/gcr-key.json
  2. Create ImagePullSecret ecr-secret in namespace team-b for 123456789.dkr.ecr.us-east-1.amazonaws.com with username AWS and password ecr-token-2024
  3. Attach each secret to the default ServiceAccount in their respective namespaces

Question 16

Difficulty: Hard

Scenario: The security team requires a complete supply chain gate: images must be scanned AND must come from an approved registry before being admitted to the cluster.

Task:

  1. Configure ImagePolicyWebhook on the API server (webhook at https://policy-webhook.security.svc:443/check)
  2. Create an OPA Gatekeeper Constraint to allow images only from harbor.company.com/
  3. Ensure defaultAllow is set to false for the webhook
  4. Verify both controls are working by testing with allowed and denied images

Question 17

Difficulty: Hard

Scenario: You have discovered that several Pods across the cluster are running images with CRITICAL vulnerabilities. You need to perform a cluster-wide audit.

Task:

  1. List all unique container images across all namespaces in the cluster
  2. Scan each image with Trivy (CRITICAL severity only)
  3. Save a report to /root/cluster-audit.txt with format: NAMESPACE/POD_NAME IMAGE_NAME CVE_COUNT
  4. Delete any Pods running images with more than 5 CRITICAL vulnerabilities

Question 18

Difficulty: Hard

Scenario: An existing ImagePolicyWebhook configuration is not working. The API server fails to start after the configuration was added.

Task:

  1. Investigate the API server logs to identify the issue
  2. Fix the ImagePolicyWebhook configuration
  3. Ensure the API server starts successfully with ImagePolicyWebhook enabled
  4. Verify the webhook is functioning by attempting to deploy a test Pod

Question 19

Difficulty: Hard

Scenario: You need to create a comprehensive .trivyignore file and configure Trivy scanning for the CI/CD pipeline.

Task:

  1. The following CVEs have been accepted as risk: CVE-2023-44487, CVE-2023-39325, CVE-2024-0727
  2. Create a .trivyignore file at /root/.trivyignore with these CVEs
  3. Scan the image python:3.11-slim using this ignore file, showing only CRITICAL and HIGH vulnerabilities with no unfixed vulnerabilities
  4. Save the results to /root/python-scan.json in JSON format

Question 20

Difficulty: Hard

Scenario: A Dockerfile at /root/secure-build/Dockerfile has multiple security issues and builds a Node.js application.

Task: Completely rewrite the Dockerfile following all security best practices:

  1. Multi-stage build with node:20-slim as builder and gcr.io/distroless/nodejs20-debian12:nonroot as runtime
  2. Pin the base image to a specific digest
  3. Use COPY exclusively (no ADD)
  4. Install production dependencies only (npm ci --only=production)
  5. Run as non-root user (UID 65532)
  6. Include a .dockerignore file that excludes .git, .env, node_modules, test/, and *.md
  7. No hardcoded secrets or environment variables with sensitive data

Question 21

Difficulty: Hard

Scenario: Configure Harbor-style registry access control for the cluster.

Task:

  1. Create namespace team-frontend with label team=frontend
  2. Create namespace team-backend with label team=backend
  3. Create ImagePullSecret for harbor.company.com in both namespaces with different robot accounts:
    • team-frontend: username robot$frontend-pull, password frontend-token-2024
    • team-backend: username robot$backend-pull, password backend-token-2024
  4. Create an OPA Gatekeeper Constraint that:
    • In team-frontend namespace: only allows images from harbor.company.com/frontend/
    • In team-backend namespace: only allows images from harbor.company.com/backend/

Question 22

Difficulty: Hard

Scenario: You need to analyze a suspicious image and determine if it has been tampered with.

Task:

  1. The image registry.company.com/app:v2.3 is suspected of being compromised
  2. Scan it with Trivy for vulnerabilities, misconfigurations, and secrets
  3. Check the image layers using docker history or trivy image --list-all-pkgs
  4. Save all findings to /root/forensics-report.txt
  5. If the image contains embedded secrets, document them

Question 23

Difficulty: Medium

Scenario: An existing AdmissionConfiguration file at /etc/kubernetes/pki/admission_configuration.yaml has defaultAllow: true which is insecure.

Task:

  1. Change defaultAllow to false
  2. Adjust the allowTTL to 50 seconds and denyTTL to 50 seconds
  3. Set retryBackoff to 500 milliseconds
  4. Restart the API server and verify the change took effect

Question 24

Difficulty: Hard

Scenario: Implement a complete supply chain security workflow for a new application.

Task:

  1. Review the Dockerfile at /root/new-app/Dockerfile and fix all security issues
  2. Build the image and tag it as harbor.company.com/production/new-app:v1.0
  3. Scan the built image with Trivy -- it must have zero CRITICAL vulnerabilities
  4. Create an ImagePullSecret in the production namespace for harbor.company.com
  5. Deploy the application using the secure image with proper imagePullSecrets
  6. Verify the Pod is running successfully

Question 25

Difficulty: Hard

Scenario: A combination of supply chain security controls needs to be implemented across the cluster.

Task:

  1. Enable AlwaysPullImages admission controller on the API server
  2. Configure ImagePolicyWebhook with defaultAllow: false (webhook at https://image-checker.kube-system.svc:443/validate)
  3. Create a Gatekeeper constraint to deny images using the :latest tag
  4. Create ImagePullSecrets for harbor.company.com in the default, production, and staging namespaces
  5. Verify all controls are working:
    • Test that imagePullPolicy is set to Always on new Pods
    • Test that unauthorized images are blocked
    • Test that :latest tag is rejected
    • Test that private images can be pulled with correct credentials

Exam Strategy

  • Easy questions (1-5): Target 3-5 minutes each. These are quick wins -- do them first.
  • Medium questions (6-15): Target 5-8 minutes each. These form the bulk of your score.
  • Hard questions (16-25): Target 8-12 minutes each. Attempt after completing easier ones.
  • Total domain time budget: ~24 minutes (20% of 120 minutes).
  • Prioritize: ImagePullSecrets, Trivy scanning, and kubesec -- they appear most frequently.

Released under the MIT License.

Copyright © 2026 OpsAlchemy