📄️ Question 1 | Contexts
Solution to CKS Question 1 on kubectl context management, user certificate extraction and decoding, kubeconfig manipulation with jsonpath, multi-cluster configuration, and security practices for Kubernetes CKS certification.
📄️ Question 2 | Runtime Security
Solution to CKS Question 2 on runtime security with Falco, container monitoring and threat detection, malicious package management process identification, suspicious /etc/passwd modifications, syslog analysis, and incident response practices.
📄️ Question 3 | Apiserver Security
Solution to CKS Question 3 on Kubernetes API server security, NodePort to ClusterIP Service configuration changes, control plane component hardening, insecure exposure elimination, and API server security practices.
📄️ Question 4 | Pod Security Standard
Solution to CKS Question 4 on Pod Security Standards, baseline security configuration for namespaces, malicious hostPath volume prevention, ReplicaSet event analysis, and pod security policy implementation.
📄️ Question 5 | CIS Benchmark
Solution to CKS Question 5 on CIS Benchmark for Kubernetes, hardening with kube-bench, secure kube-controller-manager configuration, etcd permissions correction, kubelet configuration, and CIS security practices implementation.
📄️ Question 6 | Verify Platform Binaries
Solution to CKS Question 6 on Kubernetes platform binary verification and validation, SHA512 value comparison, compromised binary detection, malicious file removal, and component integrity security practices.
📄️ Question 7 | Open Policy Agent
Solution to CKS Question 7 on Open Policy Agent (OPA) and Gatekeeper, blacklist policy configuration for malicious registries, constraint template editing, Rego rule implementation, and admission control for image security.
📄️ Question 8 | Secure Dashboard
Solution to CKS Question 8 on Kubernetes Dashboard hardening and security, disabling skip login, HTTPS enforcement with auto-generated certificates, token authentication, cluster-internal access restriction, and vulnerability elimination.
📄️ Question 9 | AppArmor Profile
Solution to CKS Question 9 on AppArmor profile implementation and configuration, cluster node installation, deployment creation with nodeSelector, container security restriction application, and log analysis for troubleshooting.
📄️ Question 10 | gVisor Runtime
Solution to CKS Question 10 on gVisor container runtime sandbox implementation, RuntimeClass creation with runsc handler, Pod configuration for secure execution, workload isolation, and dmesg output analysis.
📄️ Question 11 | Secrets in ETCD
Solution to CKS Question 11 on direct access to Secrets stored in ETCD, using etcdctl for data reading, base64 value decoding, sensitive information extraction, and understanding unencrypted storage.
📄️ Question 12 | Hack Secrets
Solution to CKS Question 12 on investigating RBAC permission escape, ServiceAccount token exploitation, unauthorized Secret access, using Pods to bypass security restrictions, and demonstrating configuration vulnerabilities.
📄️ Question 13 | Metadata Server
Solution to CKS Question 13 on metadata server access restriction, NetworkPolicy creation for egress deny and allow, cloud credential protection, specific IP access control, and network security implementation.
📄️ Question 14 | Syscall Activity
Solution to CKS Question 14 on syscall activity investigation, identifying processes that use forbidden system calls, monitoring with strace, security policy violation detection, and remediation through deployment scaling.
📄️ Question 15 | TLS Ingress
Solution to CKS Question 15 on TLS Ingress configuration, default certificate replacement with custom ones, TLS Secret creation, secure HTTPS implementation, and SSL/TLS certificate management.
📄️ Question 16 | Image Security
Solution to CKS Question 16 on Docker image attack surface reduction, Dockerfile hardening, Alpine base image update, unnecessary tool removal, non-privileged user process execution, and container security best practices.
📄️ Question 17 | Audit Log Policy
Solution to CKS Question 17 on Kubernetes audit policies: audit log policy configuration, Metadata/Request/RequestResponse audit levels, namespace filters, and advanced monitoring implementation.
📄️ Question 18 | Investigate Break-in
Solution to CKS Question 18 on security incident investigation: audit log analysis to detect break-ins, malicious activity identification, digital forensics, and security incident response.
📄️ Question 19 | Immutable Root FileSystem
Solution to CKS Question 19 on immutable filesystem: readOnlyRootFilesystem configuration, emptyDir volumes, container security, hardening, and prevention of malicious filesystem modifications.
📄️ Question 20 | Update Kubernetes
Solution to CKS Question 20 on Kubernetes update: cluster upgrade process, kubeadm upgrade, master and worker node component updates, drain/uncordon, and safe maintenance.
📄️ Question 21 | Image Vulnerability Scanning
Solution to CKS Question 21 on image vulnerability scanning: using Trivy to detect CVEs, Docker image security analysis, critical vulnerability identification, and security check implementation.
📄️ Question 22 | Static Security Analysis
Solution to CKS Question 22 on manual static security analysis: identifying credential exposure issues in Dockerfiles and YAML manifests, auditing insecure configurations, and implementing security best practices.
📄️ Question 23 | RBAC Security
Solution to CKS Question 23 on RBAC security configuration: restricting Secret access, ClusterRole and RoleBinding creation, granular permission control, and implementing the principle of least privilege.
📄️ Question 24 | OPA Gatekeeper
Solution to CKS Question 24 on OPA Gatekeeper policy extension: constraint and template configuration, enforcing mandatory labels on namespaces, compliance policy implementation, and violation auditing.
📄️ Question 25 | Process Investigation
Solution to CKS Question 25 on malicious process investigation and removal: miner identification, suspicious process analysis on nodes, using netstat and lsof, threat elimination, and malicious binary cleanup.
📄️ Question 31 | Critical Vulnerabilities
Solution to CKS Question 31 on identifying and removing pods with critical vulnerabilities: using Trivy to scan images, detecting critical CVEs, container security analysis, and risk management.
📄️ Question 32 | RBAC ServiceAccount
Solution to CKS Question 32 on RBAC configuration with ServiceAccount: role creation, rolebindings, granular permission management, Kubernetes resource access control, and implementing the principle of least privilege.
📄️ Question 33 | Secret Volume Mount
Solution to CKS Question 33 on Secret volume mount configuration: secret creation, read-only mounting in pods, secure credential management, and security best practices implementation.
📄️ Question 34 | Seccomp Profile
Solution to CKS Question 34 on seccomp profile configuration: security context implementation with seccomp, syscall control, container hardening, kernel-level security, and attack prevention.
📄️ Question 35 | Kube-bench Hardening
Solution to CKS Question 35 on worker node hardening with kube-bench: fixing security failures, authorization mode Webhook configuration, kernel defaults protection, and security best practices implementation.
📄️ Question 36 | Audit Configuration
Solution to CKS Question 36 on Kubernetes audit configuration: audit policy creation, kube-apiserver configuration, event logging, log retention, and security monitoring.
📄️ Question 37 | ImagePolicyWebhook
Solution to CKS Question 37 on ImagePolicyWebhook admission controller configuration: image security, admission policies, implicit deny configuration, kube-apiserver hardening, and container deployment control.
📄️ Question 38 | Pod Security Policy
Solution to CKS Question 38 on Pod Security Policy configuration: PSP creation, pod privilege control, volume restrictions, SELinux configuration, and security policy implementation.
📄️ Question 41 | CKS Challenge 1
Solution to CKS Challenge 1 on complete security setup: vulnerability analysis with Trivy, AppArmor profiles, NetworkPolicies, PersistentVolumes, and enterprise-level security implementation.
📄️ Question 42 | CKS Challenge 2
Solution to CKS Challenge 2 on multi-environment security: Dockerfile hardening, kubesec security scanning, immutable pods, secret management, NetworkPolicies, and security implementation in dev/staging/prod environments.
📄️ Question 43 | CKS Challenge 3
Solution to CKS Challenge 3 on complete cluster hardening with kube-bench: control plane configuration, worker nodes, etcd security, audit logging, admission controllers, and CIS security benchmark implementation.
📄️ Question 44 | CKS Challenge 4
Solution to CKS Challenge 4 on security monitoring and incident response: audit logging configuration, Falco installation and configuration, suspicious activity investigation, forensic analysis, and security incident response.