{"id":122407,"date":"2026-03-26T06:34:30","date_gmt":"2026-03-26T06:34:30","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=122407"},"modified":"2026-03-26T06:34:30","modified_gmt":"2026-03-26T06:34:30","slug":"the-linux-foundation-cks-exam-dumps-v10-02-2026-best-materials-for-passing-the-certified-kubernetes-security-specialist-cks-exam","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/the-linux-foundation-cks-exam-dumps-v10-02-2026-best-materials-for-passing-the-certified-kubernetes-security-specialist-cks-exam.html","title":{"rendered":"The Linux Foundation CKS Exam Dumps (V10.02) 2026 &#8211; Best Materials for Passing the Certified Kubernetes Security Specialist (CKS) Exam"},"content":{"rendered":"<p>Achieving the Certified Kubernetes Security Specialist (CKS) certification will prove that you have security &amp; Kubernetes skills to open a career door. To ensure you are fully prepared for the CKS exam 2026, DumpsBase has updated the CKS exam dumps to V10.02. Our latest collection of <span class=\"notion-enable-hover\" data-token-index=\"1\">CKS exam dumps (V10.02)<\/span> provides a comprehensive and reliable way to assess your readiness, featuring real-world questions and precise answers that reflect the most current Certified Kubernetes Security Specialist (CKS) exam syllabus. 
Designed for efficiency, these updated questions and answers help you master complex security concepts in as little as two weeks, backed by a satisfaction guarantee to give you total confidence on exam day.<\/p>\n<h2>You can <span style=\"background-color: #ffff99;\"><em>read a free demo<\/em><\/span> of the CKS exam dumps (V10.02) below first:<\/h2>\n
<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam11493\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-11493\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-11493\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-451342'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nCreate a RuntimeClass named untrusted using the prepared runtime handler named runsc.<br \/>\r\n<br \/>\r\nCreate a Pods of image alpine:3.13.2 in the Namespace default to run on the gVisor runtime class.<\/div><input type='hidden' name='question_id[]' id='qID_1' value='451342' \/><input type='hidden' id='answerType451342' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451342[]' id='answer-id-1745409' class='answer   answerof-451342 ' value='1745409'   \/><label for='answer-id-1745409' id='answer-label-1745409' class=' answer'><span><br><img decoding=\"async\" width=452 height=164 id=\"\u56fe\u7247 110\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image043-6.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   watupro-question-id-451343'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. 
<\/span>SIMULATION<br \/>\r\n<br \/>\r\n<br \/>\r\n<img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 145\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image008-13.jpg\" width=\"395\" height=\"695\" \/>Context<br \/>\r\n<br \/>\r\nA Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.<br \/>\r\n<br \/>\r\nTask<br \/>\r\n<br \/>\r\nGiven an existing Pod named web-pod running in the namespace security.<br \/>\r\n<br \/>\r\nEdit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.<br \/>\r\n<br \/>\r\nCreate a new Role named role-2 in the namespace security, which only allows performing update operations, only on resources of type namespaces.<br \/>\r\n<br \/>\r\nCreate a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.<br \/>\r\n<br \/>\r\n<br \/>\r\n<img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 144\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image009-9.jpg\" width=\"394\" height=\"110\" \/><\/div><input type='hidden' name='question_id[]' id='qID_2' value='451343' \/><input type='hidden' id='answerType451343' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451343[]' id='answer-id-1745410' class='answer   answerof-451343 ' value='1745410'   \/><label for='answer-id-1745410' id='answer-label-1745410' class=' answer'><span><br><img decoding=\"async\" width=649 height=439 id=\"\u56fe\u7247 143\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image010-10.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=509 height=187 id=\"\u56fe\u7247 142\" 
src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image011-9.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=485 id=\"\u56fe\u7247 141\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image012-10.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-451344'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nCreate a PSP that will prevent the creation of privileged pods in the namespace.<br \/>\r\n<br \/>\r\nCreate a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods.<br \/>\r\n<br \/>\r\nCreate a new ServiceAccount named psp-sa in the namespace default.<br \/>\r\n<br \/>\r\nCreate a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy.<br \/>\r\n<br \/>\r\nCreate a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa.<br \/>\r\n<br \/>\r\nAlso, Check the Configuration is working or not by trying to Create a Privileged pod, it should get failed.<\/div><input type='hidden' name='question_id[]' id='qID_3' value='451344' \/><input type='hidden' id='answerType451344' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451344[]' id='answer-id-1745411' class='answer   answerof-451344 ' value='1745411'   \/><label for='answer-id-1745411' id='answer-label-1745411' class=' answer'><span>Create a PSP that will prevent the creation of privileged pods in the namespace. 
\r\n<br>$ cat clusterrole-use-privileged.yaml \r\n<br>--- \r\n<br>apiVersion: rbac.authorization.k8s.io\/v1 \r\n<br>kind: ClusterRole \r\n<br>metadata: \r\n<br>name: use-privileged-psp \r\n<br>rules: \r\n<br>- apiGroups: ['policy'] \r\n<br>resources: ['podsecuritypolicies'] \r\n<br>verbs: ['use'] \r\n<br>resourceNames: \r\n<br>- default-psp \r\n<br>--- \r\n<br>apiVersion: rbac.authorization.k8s.io\/v1 \r\n<br>kind: RoleBinding metadata: \r\n<br>name: privileged-role-bind \r\n<br>namespace: psp-test roleRef: \r\n<br>apiGroup: rbac.authorization.k8s.io \r\n<br>kind: ClusterRole \r\n<br>name: use-privileged-psp subjects: \r\n<br>- kind: ServiceAccount \r\n<br>name: privileged-sa \r\n<br>$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml After a few moments, the privileged Pod should be created. \r\n<br>Create a new PodSecurityPolicy named prevent-privileged-policy which prevents the creation of privileged pods. \r\n<br>apiVersion: policy\/v1beta1 \r\n<br>kind: PodSecurityPolicy \r\n<br>metadata: \r\n<br>name: example \r\n<br>spec: \r\n<br>privileged: false # Don't allow privileged pods! \r\n<br># The rest fills in some required fields. seLinux: \r\n<br>rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: \r\n<br>rule: RunAsAny fsGroup: \r\n<br>rule: RunAsAny volumes: \r\n<br>- '*' \r\n<br>And create it with kubectl: \r\n<br>kubectl-admin create -f example-psp.yaml \r\n<br>Now, as the unprivileged user, try to create a simple pod: \r\n<br>kubectl-user create -f- &lt;&lt;EOF \r\n<br>apiVersion: v1 \r\n<br>kind: Pod \r\n<br>metadata: \r\n<br>name: pause \r\n<br>spec: \r\n<br>containers: \r\n<br>- name: pause \r\n<br>image: k8s.gcr.io\/pause \r\n<br>EOF \r\n<br>The output is similar to this: \r\n<br>Error from server (Forbidden): error when creating &quot;STDIN&quot;: pods &quot;pause&quot; is forbidden: unable to validate against any pod security policy: [] \r\n<br>Create a new ServiceAccount named psp-sa in the namespace default. 
\r\n<br>$ cat clusterrole-use-privileged.yaml \r\n<br>--- \r\n<br>apiVersion: rbac.authorization.k8s.io\/v1 \r\n<br>kind: ClusterRole \r\n<br>metadata: \r\n<br>name: use-privileged-psp \r\n<br>rules: \r\n<br>- apiGroups: ['policy'] \r\n<br>resources: ['podsecuritypolicies'] \r\n<br>verbs: ['use'] \r\n<br>resourceNames: \r\n<br>- default-psp \r\n<br>--- \r\n<br>apiVersion: rbac.authorization.k8s.io\/v1 \r\n<br>kind: RoleBinding metadata: \r\n<br>name: privileged-role-bind \r\n<br>namespace: psp-test roleRef: \r\n<br>apiGroup: rbac.authorization.k8s.io \r\n<br>kind: ClusterRole \r\n<br>name: use-privileged-psp subjects: \r\n<br>- kind: ServiceAccount \r\n<br>name: privileged-sa \r\n<br>$ kubectl -n psp-test apply -f clusterrole-use-privileged.yaml After a few moments, the privileged Pod should be created. \r\n<br>Create a new ClusterRole named prevent-role, which uses the newly created Pod Security Policy prevent-privileged-policy. \r\n<br>apiVersion: policy\/v1beta1 \r\n<br>kind: PodSecurityPolicy \r\n<br>metadata: \r\n<br>name: example \r\n<br>spec: \r\n<br>privileged: false # Don't allow privileged pods! \r\n<br># The rest fills in some required fields. 
seLinux: \r\n<br>rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: \r\n<br>rule: RunAsAny fsGroup: \r\n<br>rule: RunAsAny volumes: \r\n<br>- '*' \r\n<br>And create it with kubectl: \r\n<br>kubectl-admin create -f example-psp.yaml \r\n<br>Now, as the unprivileged user, try to create a simple pod: \r\n<br>kubectl-user create -f- &lt;&lt;EOF \r\n<br>apiVersion: v1 \r\n<br>kind: Pod \r\n<br>metadata: \r\n<br>name: pause \r\n<br>spec: \r\n<br>containers: \r\n<br>- name: pause \r\n<br>image: k8s.gcr.io\/pause \r\n<br>EOF \r\n<br>The output is similar to this: \r\n<br>Error from server (Forbidden): error when creating &quot;STDIN&quot;: pods &quot;pause&quot; is forbidden: unable to validate against any pod security policy: [] \r\n<br>Create a new ClusterRoleBinding named prevent-role-binding, which binds the created ClusterRole prevent-role to the created SA psp-sa. \r\n<br>apiVersion: rbac.authorization.k8s.io\/v1 \r\n<br># This role binding allows &quot;jane&quot; to read pods in the &quot;default&quot; namespace. \r\n<br># You need to already have a Role named &quot;pod-reader&quot; in that namespace. 
kind: RoleBinding metadata: \r\n<br>name: read-pods \r\n<br>namespace: default subjects: \r\n<br># You can specify more than one &quot;subject&quot; \r\n<br>- kind: User \r\n<br>name: jane # &quot;name&quot; is case sensitive \r\n<br>apiGroup: rbac.authorization.k8s.io \r\n<br>roleRef: \r\n<br># &quot;roleRef&quot; specifies the binding to a Role \/ ClusterRole kind: Role #this must be Role or ClusterRole name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to apiGroup: rbac.authorization.k8s.io \r\n<br>apiVersion: rbac.authorization.k8s.io\/v1 \r\n<br>kind: Role \r\n<br>metadata: \r\n<br>namespace: default \r\n<br>name: pod-reader \r\n<br>rules: \r\n<br>- apiGroups: [&quot;&quot;] # &quot;&quot; indicates the core API group \r\n<br>resources: [&quot;pods&quot;] \r\n<br>verbs: [&quot;get&quot;, &quot;watch&quot;, &quot;list&quot;]<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-451345'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nEnable audit logs in the cluster, To Do so, enable the log backend, and ensure that<br \/>\r\n<br \/>\r\n1. logs are stored at \/var\/log\/kubernetes-logs.txt.<br \/>\r\n<br \/>\r\n2. Log files are retained for 12 days.<br \/>\r\n<br \/>\r\n3. at maximum, a number of 8 old audit logs files are retained.<br \/>\r\n<br \/>\r\n4. set the maximum size before getting rotated to 200MB<br \/>\r\n<br \/>\r\nEdit and extend the basic policy to log:<br \/>\r\n<br \/>\r\n1. namespaces changes at RequestResponse<br \/>\r\n<br \/>\r\n2. Log the request body of secrets changes in the namespace kube-system.<br \/>\r\n<br \/>\r\n3. Log all other resources in core and extensions at the Request level.<br \/>\r\n<br \/>\r\n4. 
Log \"pods\/portforward\", \"services\/proxy\" at Metadata level.<br \/>\r\n<br \/>\r\n5. Omit the Stage RequestReceived<br \/>\r\n<br \/>\r\nAll other requests at the Metadata level<\/div><input type='hidden' name='question_id[]' id='qID_4' value='451345' \/><input type='hidden' id='answerType451345' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451345[]' id='answer-id-1745412' class='answer   answerof-451345 ' value='1745412'   \/><label for='answer-id-1745412' id='answer-label-1745412' class=' answer'><span>Kubernetes auditing provides a security-relevant chronological set of records about a cluster. Kube-apiserver performs auditing. Each request on each stage of its execution generates an event, which is then pre-processed according to a certain policy and written to a backend. The policy determines what\u2019s recorded and the backends persist the records. \r\n<br>You might want to configure the audit log as part of compliance with the CIS (Center for Internet Security) Kubernetes Benchmark controls. \r\n<br>The audit log can be enabled by default using the following configuration in cluster.yml: \r\n<br>services: \r\n<br>kube-api: \r\n<br>audit_log: \r\n<br>enabled: true \r\n<br>When the audit log is enabled, you should be able to see the default values at \/etc\/kubernetes\/audit-policy.yaml \r\n<br>The log backend writes audit events to a file in JSONlines format. You can configure the log audit backend using the following kube-apiserver flags: \r\n<br>--audit-log-path specifies the log file path that log backend uses to write audit events. Not specifying this flag disables log backend. 
- means standard out \r\n<br>--audit-log-maxage defines the maximum number of days to retain old audit log files \r\n<br>--audit-log-maxbackup defines the maximum number of audit log files to retain \r\n<br>--audit-log-maxsize defines the maximum size in megabytes of the audit log file before it gets rotated \r\n<br>If your cluster's control plane runs the kube-apiserver as a Pod, remember to mount the hostPath to the location of the policy file and log file, so that audit records are persisted. \r\n<br>For example: \r\n<br>--audit-policy-file=\/etc\/kubernetes\/audit-policy.yaml  \r\n<br>--audit-log-path=\/var\/log\/audit.log<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-451346'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nFix all issues via configuration and restart the affected components to ensure the new setting takes effect.<br \/>\r\n<br \/>\r\nFix all of the following violations that were found against the API server:<br \/>\r\n<br \/>\r\na. Ensure that the RotateKubeletServerCertificate argument is set to true.<br \/>\r\n<br \/>\r\nb. Ensure that the admission control plugin PodSecurityPolicy is set.<br \/>\r\n<br \/>\r\nc. Ensure that the --kubelet-certificate-authority argument is set as appropriate.<br \/>\r\n<br \/>\r\nFix all of the following violations that were found against the Kubelet:<br \/>\r\n<br \/>\r\na. Ensure the --anonymous-auth argument is set to false.<br \/>\r\n<br \/>\r\nb. Ensure that the --authorization-mode argument is set to Webhook.<br \/>\r\n<br \/>\r\nFix all of the following violations that were found against the ETCD:<br \/>\r\n<br \/>\r\na. Ensure that the --auto-tls argument is not set to true<br \/>\r\n<br \/>\r\nb. 
Ensure that the --peer-auto-tls argument is not set to true<br \/>\r\n<br \/>\r\nHint: Take the use of Tool Kube-Bench<\/div><input type='hidden' name='question_id[]' id='qID_5' value='451346' \/><input type='hidden' id='answerType451346' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451346[]' id='answer-id-1745413' class='answer   answerof-451346 ' value='1745413'   \/><label for='answer-id-1745413' id='answer-label-1745413' class=' answer'><span><br>Fix all of the following violations that were found against the API server: \r\n<br>a. Ensure that the RotateKubeletServerCertificate argument is set to true. \r\n<br>apiVersion: v1 \r\n<br>kind: Pod \r\n<br>metadata: \r\n<br>creationTimestamp: null \r\n<br>labels: \r\n<br>component: kubelet \r\n<br>tier: control-plane \r\n<br>name: kubelet \r\n<br>namespace: kube-system \r\n<br>spec: \r\n<br>containers: \r\n<br>- command: \r\n<br>- kube-controller-manager \r\n<br>+ - --feature-gates=RotateKubeletServerCertificate=true image: gcr.io\/google_containers\/kubelet-amd64:v1.6.0 livenessProbe: \r\n<br>failureThreshold: 8 httpGet: \r\n<br>host: 127.0.0.1 \r\n<br>path: \/healthz \r\n<br>port: 6443 \r\n<br>scheme: HTTPS initialDelaySeconds: 15 timeoutSeconds: 15 name: kubelet resources: \r\n<br>requests: cpu: 250m \r\n<br>volumeMounts: \r\n<br>- mountPath: \/etc\/kubernetes\/ \r\n<br>name: k8s \r\n<br>readOnly: true \r\n<br>- mountPath: \/etc\/ssl\/certs \r\n<br>name: certs \r\n<br>- mountPath: \/etc\/pki \r\n<br>name: pki \r\n<br>hostNetwork: true \r\n<br>volumes: \r\n<br>- hostPath: \r\n<br>path: \/etc\/kubernetes \r\n<br>name: k8s \r\n<br>- hostPath: \r\n<br>path: \/etc\/ssl\/certs \r\n<br>name: certs \r\n<br>- hostPath: path: \/etc\/pki \r\n<br>name: pki \r\n<br>b. Ensure that the admission control plugin PodSecurityPolicy is set. 
\r\n<br>audit: &quot;\/bin\/ps - \r\n<br>ef | grep \r\n<br>$apiserverbin | \r\n<br>grep -v grep&quot; \r\n<br>tests: \r\n<br>test_items: \r\n<br>- flag: &quot;--enable-admission-plugins&quot; compare: \r\n<br>op: has \r\n<br>value: &quot;PodSecurityPolicy&quot; \r\n<br>set: true \r\n<br>remediation: | \r\n<br>Follow the documentation and create Pod Security Policy objects as per your environment. \r\n<br>Then, edit the API server pod specification file $apiserverconf \r\n<br>on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: \r\n<br>--enable-admission-plugins=...,PodSecurityPolicy,... \r\n<br>Then restart the API Server. \r\n<br>scored: true \r\n<br>c. Ensure that the --kubelet-certificate-authority argument is set as appropriate. \r\n<br>audit: &quot;\/bin\/ps - \r\n<br>ef | grep \r\n<br>$apiserverbin | \r\n<br>grep -v grep&quot; \r\n<br>tests: \r\n<br>test_items: \r\n<br>- flag: &quot;--kubelet-certificate-authority&quot; \r\n<br>set: true \r\n<br>remediation: | \r\n<br>Follow the Kubernetes documentation and setup the TLS connection between the \r\n<br>apiserver and kubelets. Then, edit the API server pod specification file \r\n<br>$apiserverconf on the master node and set the --kubelet-certificate-authority \r\n<br>parameter to the path to the cert file for the certificate authority. \r\n<br>--kubelet-certificate-authority=&lt;ca-string&gt; \r\n<br>scored: true \r\n<br>Fix all of the following violations that were found against the ETCD: \r\n<br>a. Ensure that the --auto-tls argument is not set to true Edit the etcd pod specification file $etcdconf on the master \r\n<br>node and either remove the --auto-tls parameter or set it to false. \r\n<br>--auto-tls=false \r\n<br>b. Ensure that the --peer-auto-tls argument is not set to true \r\n<br>Edit the etcd pod specification file $etcdconf on the master \r\n<br>node and either remove the --peer-auto-tls parameter or set it to false. 
\r\n<br>--peer-auto-tls=false<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-451347'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nAnalyze and edit the given Dockerfile<br \/>\r\n<br \/>\r\nFROM ubuntu:latest<br \/>\r\n<br \/>\r\nRUN apt-get update -y<br \/>\r\n<br \/>\r\nRUN apt-install nginx -y<br \/>\r\n<br \/>\r\nCOPY entrypoint.sh \/<br \/>\r\n<br \/>\r\nENTRYPOINT [\"\/entrypoint.sh\"]<br \/>\r\n<br \/>\r\nUSER ROOT<br \/>\r\n<br \/>\r\nFixing two instructions present in the file being prominent security best practice issues Analyze and edit the deployment manifest file apiVersion: v1<br \/>\r\n<br \/>\r\nkind: Pod<br \/>\r\n<br \/>\r\nmetadata:<br \/>\r\n<br \/>\r\nname: security-context-demo-2<br \/>\r\n<br \/>\r\nspec:<br \/>\r\n<br \/>\r\nsecurityContext:<br \/>\r\n<br \/>\r\nrunAsUser: 1000<br \/>\r\n<br \/>\r\ncontainers:<br \/>\r\n<br \/>\r\n- name: sec-ctx-demo-2<br \/>\r\n<br \/>\r\nimage: gcr.io\/google-samples\/node-hello:1.0 securityContext:<br \/>\r\n<br \/>\r\nrunAsUser: 0<br \/>\r\n<br \/>\r\nprivileged: True<br \/>\r\n<br \/>\r\nallowPrivilegeEscalation: false<br \/>\r\n<br \/>\r\nFixing two fields present in the file being prominent security best practice issues<br \/>\r\n<br \/>\r\nDon't add or remove configuration settings; only modify the existing configuration settings<br \/>\r\n<br \/>\r\nWhenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487<\/div><input type='hidden' name='question_id[]' id='qID_6' value='451347' \/><input type='hidden' id='answerType451347' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451347[]' 
id='answer-id-1745414' class='answer   answerof-451347 ' value='1745414'   \/><label for='answer-id-1745414' id='answer-label-1745414' class=' answer'><span>FROM debian:latest \r\n<br>MAINTAINER k@bogotobogo.com \r\n<br>#1-RUN \r\n<br>RUN apt-get update &amp;&amp; DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils \r\n<br>RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop \r\n<br>RUN apt-get clean \r\n<br>#2-CMD \r\n<br>#CMD [&quot;htop&quot;] \r\n<br>#CMD [&quot;ls&quot;, &quot;-l&quot;] \r\n<br># 3 - WORKDIR and ENV WORKDIR \/root \r\n<br>ENV DZ version1 \r\n<br>$ docker image build -t bogodevops\/demo. Sending build context to Docker daemon 3.072kB Step 1\/7: FROM debian:latest \r\n<br>---&gt; be2868bebaba \r\n<br>Step 2\/7: MAINTAINER k@bogotobogo.com \r\n<br>---&gt; Using cache \r\n<br>---&gt; e2eef476b3fd \r\n<br>Step 3\/7: RUN apt-get update &amp;&amp; DEBIAN_FRONTEND=noninteractive apt-get install -yq apt-utils \r\n<br>---&gt; Using cache \r\n<br>---&gt; 32fd044c1356 \r\n<br>Step 4\/7: RUN DEBIAN_FRONTEND=noninteractive apt-get install -yq htop \r\n<br>---&gt; Using cache \r\n<br>---&gt; 0a5b514a209e \r\n<br>Step 5\/7: RUN apt-get clean \r\n<br>---&gt; Using cache \r\n<br>---&gt; 5d1578a47c17 \r\n<br>Step 6\/7: WORKDIR \/root \r\n<br>---&gt; Using cache \r\n<br>---&gt; 6b1c70e87675 \r\n<br>Step 7\/7: ENV DZ version1 \r\n<br>---&gt; Using cache \r\n<br>---&gt; cd195168c5c7 \r\n<br>Successfully built cd195168c5c7 \r\n<br>Successfully tagged bogodevops\/demo:latest<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-451348'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. 
<\/span>SIMULATION<br \/>\r\n<br \/>\r\nCreate a PSP that will only allow the persistentvolumeclaim as the volume type in the namespace restricted.<br \/>\r\n<br \/>\r\nCreate a new PodSecurityPolicy named prevent-volume-policy which prevents Pods that mount any volume type other than persistentvolumeclaim.<br \/>\r\n<br \/>\r\nCreate a new ServiceAccount named psp-sa in the namespace restricted.<br \/>\r\n<br \/>\r\nCreate a new ClusterRole named psp-role, which uses the newly created Pod Security Policy prevent-volume-policy.<br \/>\r\n<br \/>\r\nCreate a new ClusterRoleBinding named psp-role-binding, which binds the created ClusterRole psp-role to the created SA psp-sa.<br \/>\r\n<br \/>\r\nHint:<br \/>\r\n<br \/>\r\nAlso, check whether the configuration is working by trying to mount a Secret in the Pod manifest; it should fail.<br \/>\r\n<br \/>\r\nPod manifest:<br \/>\r\n<br \/>\r\napiVersion: v1<br \/>\r\n<br \/>\r\nkind: Pod<br \/>\r\n<br \/>\r\nmetadata:<br \/>\r\n<br \/>\r\nname:<br \/>\r\n<br \/>\r\nspec:<br \/>\r\n<br \/>\r\ncontainers:<br \/>\r\n<br \/>\r\n- name:<br \/>\r\n<br \/>\r\nimage:<br \/>\r\n<br \/>\r\nvolumeMounts:<br \/>\r\n<br \/>\r\n- name:<br \/>\r\n<br \/>\r\nmountPath:<br \/>\r\n<br \/>\r\nvolumes:<br \/>\r\n<br \/>\r\n- name:<br \/>\r\n<br \/>\r\nsecret:<br \/>\r\n<br \/>\r\nsecretName:<\/div><input type='hidden' name='question_id[]' id='qID_7' value='451348' \/><input type='hidden' id='answerType451348' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451348[]' id='answer-id-1745415' class='answer   answerof-451348 ' value='1745415'   \/><label for='answer-id-1745415' id='answer-label-1745415' class=' answer'><span>apiVersion: policy\/v1beta1 \r\n<br>kind: PodSecurityPolicy \r\n<br>metadata: \r\n<br>name: restricted \r\n<br>annotations: 
\r\n<br>seccomp.security.alpha.kubernetes.io\/allowedProfileNames: 'docker\/default,runtime\/default' \r\n<br>apparmor.security.beta.kubernetes.io\/allowedProfileNames: 'runtime\/default' \r\n<br>seccomp.security.alpha.kubernetes.io\/defaultProfileName: 'runtime\/default' \r\n<br>apparmor.security.beta.kubernetes.io\/defaultProfileName: 'runtime\/default' spec: \r\n<br>privileged: false \r\n<br># Required to prevent escalations to root. allowPrivilegeEscalation: false \r\n<br># This is redundant with non-root + disallow privilege escalation, \r\n<br># but we can provide it for defense in depth. requiredDropCapabilities: \r\n<br>- ALL \r\n<br># Allow core volume types. \r\n<br>volumes: \r\n<br>- 'configMap' \r\n<br>- 'emptyDir' \r\n<br>- 'projected' \r\n<br>- 'secret' \r\n<br>- 'downwardAPI' \r\n<br># Assume that persistentVolumes set up by the cluster admin are safe to use. - 'persistentVolumeClaim' \r\n<br>hostNetwork: false \r\n<br>hostIPC: false \r\n<br>hostPID: false \r\n<br>runAsUser: \r\n<br># Require the container to run without root privileges. rule: 'MustRunAsNonRoot' \r\n<br>seLinux: \r\n<br># This policy assumes the nodes are using AppArmor rather than SELinux. rule: 'RunAsAny' \r\n<br>supplementalGroups: \r\n<br>rule: 'MustRunAs' \r\n<br>ranges: \r\n<br># Forbid adding the root group. - min: 1 \r\n<br>max: 65535 \r\n<br>fsGroup: \r\n<br>rule: 'MustRunAs' \r\n<br>ranges: \r\n<br># Forbid adding the root group. - min: 1 \r\n<br>max: 65535 \r\n<br>readOnlyRootFilesystem: false<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-451349'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. 
<\/span>SIMULATION<br \/>\r\n<br \/>\r\nCreate a new ServiceAccount named backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default.<br \/>\r\n<br \/>\r\nCreate a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and Verify that the pod is able to list pods.<br \/>\r\n<br \/>\r\nEnsure that the Pod is running.<\/div><input type='hidden' name='question_id[]' id='qID_8' value='451349' \/><input type='hidden' id='answerType451349' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451349[]' id='answer-id-1745416' class='answer   answerof-451349 ' value='1745416'   \/><label for='answer-id-1745416' id='answer-label-1745416' class=' answer'><span>A service account provides an identity for processes that run in a Pod. \r\n<br>When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account (currently this is usually admin, unless your cluster administrator has customized your cluster). Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default). \r\n<br>When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. If you get the raw json or yaml for a pod you have created (for example, kubectl get pods\/&lt;podname&gt; -o yaml), you can see the spec.serviceAccountName field has been automatically set. \r\n<br>You can access the API from inside a pod using automatically mounted service account credentials, as described in Accessing the Cluster. The API permissions of the service account depend on the authorization plugin and policy in use. 
\r\n<br>In version 1.6+, you can opt out of automounting API credentials for a service account by setting automountServiceAccountToken: false on the service account: \r\n<br>apiVersion: v1 \r\n<br>kind: ServiceAccount \r\n<br>metadata: \r\n<br>name: build-robot \r\n<br>automountServiceAccountToken: false \r\n<br>... \r\n<br>In version 1.6+, you can also opt out of automounting API credentials for a particular pod: \r\n<br>apiVersion: v1 \r\n<br>kind: Pod \r\n<br>metadata: \r\n<br>name: my-pod \r\n<br>spec: \r\n<br>serviceAccountName: build-robot \r\n<br>automountServiceAccountToken: false \r\n<br>... \r\n<br>The pod spec takes precedence over the service account if both specify an automountServiceAccountToken value.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-451350'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>9. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nCreate a User named john, create the CSR Request, fetch the certificate of the user after approving it. Create a Role named john-role to list secrets and pods in the namespace john.<br \/>\r\n<br \/>\r\nFinally, create a RoleBinding named john-role-binding to attach the newly created role john-role to the user john in the namespace john.<br \/>\r\n<br \/>\r\nTo Verify: Use the kubectl auth CLI command to verify the permissions.<\/div><input type='hidden' name='question_id[]' id='qID_9' value='451350' \/><input type='hidden' id='answerType451350' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451350[]' id='answer-id-1745417' class='answer   answerof-451350 ' value='1745417'   \/><label for='answer-id-1745417' id='answer-label-1745417' class=' answer'><span>Use kubectl to create a CSR and approve it. 
\r\n<br>Get the list of CSRs: \r\n<br>kubectl get csr \r\n<br>Approve the CSR: \r\n<br>kubectl certificate approve myuser \r\n<br>Get the certificate \r\n<br>Retrieve the certificate from the CSR: \r\n<br>kubectl get csr\/myuser -o yaml \r\n<br>Here are the role and role-binding to give john permission to create NEW_CRD resource: \r\n<br>kubectl apply -f roleBindingJohn.yaml --as=john \r\n<br>rolebinding.rbac.authorization.k8s.io\/john_external-rosource-rb created \r\n<br>kind: RoleBinding \r\n<br>apiVersion: rbac.authorization.k8s.io\/v1 \r\n<br>metadata: \r\n<br>name: john_crd \r\n<br>namespace: development-john \r\n<br>subjects: \r\n<br>- kind: User \r\n<br>name: john \r\n<br>apiGroup: rbac.authorization.k8s.io \r\n<br>roleRef: \r\n<br>kind: ClusterRole \r\n<br>name: crd-creation \r\n<br>apiGroup: rbac.authorization.k8s.io \r\n<br>--- \r\n<br>kind: ClusterRole \r\n<br>apiVersion: rbac.authorization.k8s.io\/v1 \r\n<br>metadata: \r\n<br>name: crd-creation \r\n<br>rules: \r\n<br>- apiGroups: [&quot;kubernetes-client.io\/v1&quot;] \r\n<br>resources: [&quot;NEW_CRD&quot;] \r\n<br>verbs: [&quot;create&quot;, &quot;list&quot;, &quot;get&quot;]<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-451351'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nUse Trivy to scan the following images:<br \/>\r\n<br \/>\r\n1. amazonlinux:1<br \/>\r\n<br \/>\r\n2. 
k8s.gcr.io\/kube-controller-manager:v1.18.6<br \/>\r\n<br \/>\r\nLook for images with HIGH or CRITICAL severity vulnerabilities and store the output of the same in \/opt\/trivy-vulnerable.txt<\/div><input type='hidden' name='question_id[]' id='qID_10' value='451351' \/><input type='hidden' id='answerType451351' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451351[]' id='answer-id-1745418' class='answer   answerof-451351 ' value='1745418'   \/><label for='answer-id-1745418' id='answer-label-1745418' class=' answer'><span>Send us your suggestion on it.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-451352'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nOn the Cluster worker node, enforce the prepared AppArmor profile<br \/>\r\n<br \/>\r\n#include &lt;tunables\/global&gt;<br \/>\r\n<br \/>\r\nprofile nginx-deny flags=(attach_disconnected) {<br \/>\r\n<br \/>\r\n#include &lt;abstractions\/base&gt;<br \/>\r\n<br \/>\r\nfile,<br \/>\r\n<br \/>\r\n# Deny all file writes. 
deny \/** w,<br \/>\r\n<br \/>\r\n}<br \/>\r\n<br \/>\r\nEOF'<br \/>\r\n<br \/>\r\nEdit the prepared manifest file to include the AppArmor profile.<br \/>\r\n<br \/>\r\napiVersion: v1<br \/>\r\n<br \/>\r\nkind: Pod<br \/>\r\n<br \/>\r\nmetadata:<br \/>\r\n<br \/>\r\nname: apparmor-pod<br \/>\r\n<br \/>\r\nspec:<br \/>\r\n<br \/>\r\ncontainers:<br \/>\r\n<br \/>\r\n- name: apparmor-pod<br \/>\r\n<br \/>\r\nimage: nginx<br \/>\r\n<br \/>\r\nFinally, apply the manifests files and create the Pod specified on it.<br \/>\r\n<br \/>\r\nVerify: Try to make a file inside the directory which is restricted.<\/div><input type='hidden' name='question_id[]' id='qID_11' value='451352' \/><input type='hidden' id='answerType451352' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451352[]' id='answer-id-1745419' class='answer   answerof-451352 ' value='1745419'   \/><label for='answer-id-1745419' id='answer-label-1745419' class=' answer'><span><br><img decoding=\"async\" width=649 height=670 id=\"\u56fe\u7247 132\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image021-8.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=232 id=\"\u56fe\u7247 131\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image022-8.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=258 id=\"\u56fe\u7247 130\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image023-8.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-12' style=';'><div id='questionWrap-12'  class='   watupro-question-id-451353'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. 
<\/span>SIMULATION<br \/>\r\n<br \/>\r\nCreate a RuntimeClass named gvisor-rc using the prepared runtime handler named runsc.<br \/>\r\n<br \/>\r\nCreate a Pod of image Nginx in the Namespace server to run on the gVisor runtime class<\/div><input type='hidden' name='question_id[]' id='qID_12' value='451353' \/><input type='hidden' id='answerType451353' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451353[]' id='answer-id-1745420' class='answer   answerof-451353 ' value='1745420'   \/><label for='answer-id-1745420' id='answer-label-1745420' class=' answer'><span>Install the Runtime Class for gVisor \r\n<br>{ # Step 1: Install a RuntimeClass \r\n<br>cat &lt;&lt;EOF | kubectl apply -f - \r\n<br>apiVersion: node.k8s.io\/v1beta1 \r\n<br>kind: RuntimeClass \r\n<br>metadata: \r\n<br>name: gvisor \r\n<br>handler: runsc \r\n<br>EOF \r\n<br>} \r\n<br>Create a Pod with the gVisor Runtime Class \r\n<br>{ # Step 2: Create a pod \r\n<br>cat &lt;&lt;EOF | kubectl apply -f - \r\n<br>apiVersion: v1 \r\n<br>kind: Pod \r\n<br>metadata: \r\n<br>name: nginx-gvisor \r\n<br>spec: \r\n<br>runtimeClassName: gvisor \r\n<br>containers: \r\n<br>- name: nginx \r\n<br>image: nginx \r\n<br>EOF \r\n<br>} \r\n<br>Verify that the Pod is running \r\n<br>{ # Step 3: Get the pod \r\n<br>kubectl get pod nginx-gvisor -o wide \r\n<br>}<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-451354'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nA Retrieve the content of the existing secret named default-token-xxxxx in the testing namespace. 
Store the value of the token in the token.txt<br \/>\r\n<br \/>\r\nB Create a new secret named test-db-secret in the DB namespace with the following content: username: mysql password: password@123<br \/>\r\n<br \/>\r\nCreate the Pod name test-db-pod of image nginx in the namespace db that can access test-db-secret via a volume at path \/etc\/mysql-credentials<\/div><input type='hidden' name='question_id[]' id='qID_13' value='451354' \/><input type='hidden' id='answerType451354' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451354[]' id='answer-id-1745421' class='answer   answerof-451354 ' value='1745421'   \/><label for='answer-id-1745421' id='answer-label-1745421' class=' answer'><span>To add a Kubernetes cluster to your project, group, or instance: \r\n<br>Navigate to your: \r\n<br>Project\u2019s Operations &gt; Kubernetes page, for a project-level cluster. \r\n<br>Group\u2019s Kubernetes page, for a group-level cluster. \r\n<br>Admin Area &gt; Kubernetes page, for an instance-level cluster. \r\n<br>Click Add Kubernetes cluster. \r\n<br>Click the Add existing cluster tab and fill in the details: \r\n<br>Kubernetes cluster name (required) - The name you wish to give the cluster. \r\n<br>Environment scope (required) - The associated environment to this cluster. \r\n<br>API URL (required) - It\u2019s the URL that GitLab uses to access the Kubernetes API. Kubernetes exposes several APIs, we want the \u201cbase\u201d URL that is common to all of them. \r\n<br>For example, https:\/\/kubernetes.example.com rather than https:\/\/kubernetes.example.com\/api\/v1. \r\n<br>Get the API URL by running this command: \r\n<br>kubectl cluster-info | grep -E 'Kubernetes master|Kubernetes control plane' | awk '\/http\/ {print $NF}' \r\n<br>CA certificate (required) - A valid Kubernetes certificate is needed to authenticate to the cluster. 
We use the certificate created by default. \r\n<br>List the secrets with kubectl get secrets, and one should be named similar to default-token-xxxxx. \r\n<br>Copy that token name for use below. \r\n<br>Get the certificate by running this command: \r\n<br>kubectl get secret &lt;secret name&gt; -o jsonpath=&quot;{['data']['ca.crt']}&quot;<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-451355'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>SIMULATION<br \/>\r\n<br \/>\r\n<br \/>\r\n<img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 129\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image024-9.jpg\" width=\"388\" height=\"675\" \/><img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 128\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image025-8.jpg\" width=\"367\" height=\"133\" \/>Two tools are pre-installed on the cluster's worker node:<br \/>\r\n<br \/>\r\n\u2711 sysdig<br \/>\r\n<br \/>\r\n\u2711 falco<br \/>\r\n<br \/>\r\nUsing the tool of your choice (including any non pre-installed tool), analyze the container's behavior for at least 30 seconds, using filters that detect newly spawning and executing processes.<br \/>\r\n<br \/>\r\nStore an incident file at \/opt\/KSRS00101\/alerts\/details, containing the detected incidents, one per line, in the following format:<br \/>\r\n<br \/>\r\n<br \/>\r\n<img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 127\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image026-7.jpg\" width=\"376\" height=\"78\" \/>The following example shows a properly formatted incident file:<br \/>\r\n<br \/>\r\n<br \/>\r\n<img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 126\" 
src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image027-6.jpg\" width=\"368\" height=\"153\" \/><img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 125\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image028-4.jpg\" width=\"373\" height=\"98\" \/><img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 124\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image029-6.jpg\" width=\"376\" height=\"140\" \/><\/div><input type='hidden' name='question_id[]' id='qID_14' value='451355' \/><input type='hidden' id='answerType451355' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451355[]' id='answer-id-1745422' class='answer   answerof-451355 ' value='1745422'   \/><label for='answer-id-1745422' id='answer-label-1745422' class=' answer'><span><br><img decoding=\"async\" width=650 height=425 id=\"\u56fe\u7247 123\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image030-6.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=628 id=\"\u56fe\u7247 122\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image031-8.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=229 id=\"\u56fe\u7247 121\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image032-8.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=298 id=\"\u56fe\u7247 120\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image033-7.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=399 id=\"\u56fe\u7247 119\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image034-7.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' 
id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-451356'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nFix all issues via configuration and restart the affected components to ensure the new setting takes effect.<br \/>\r\n<br \/>\r\nFix all of the following violations that were found against the API server:-<br \/>\r\n<br \/>\r\n\u2711 a. Ensure the --authorization-mode argument includes RBAC<br \/>\r\n<br \/>\r\n\u2711 b. Ensure the --authorization-mode argument includes Node<br \/>\r\n<br \/>\r\n\u2711 c. Ensure that the --profiling argument is set to false<br \/>\r\n<br \/>\r\nFix all of the following violations that were found against the Kubelet:-<br \/>\r\n<br \/>\r\n\u2711 a. Ensure the --anonymous-auth argument is set to false.<br \/>\r\n<br \/>\r\n\u2711 b. Ensure that the --authorization-mode argument is set to Webhook.<br \/>\r\n<br \/>\r\nFix all of the following violations that were found against the ETCD:<br \/>\r\n<br \/>\r\n\u2711 a. Ensure that the --auto-tls argument is not set to true<br \/>\r\n<br \/>\r\nHint: Make use of the tool kube-bench<\/div><input type='hidden' name='question_id[]' id='qID_15' value='451356' \/><input type='hidden' id='answerType451356' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451356[]' id='answer-id-1745423' class='answer   answerof-451356 ' value='1745423'   \/><label for='answer-id-1745423' id='answer-label-1745423' class=' answer'><span>API server: \r\n<br>&#10001; Ensure the --authorization-mode argument includes RBAC \r\n<br>Turn on Role Based Access Control. Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. It is recommended to use the RBAC authorization mode. 
Fix - Buildtime \r\n<br>Kubernetes \r\n<br>apiVersion: v1 \r\n<br>kind: Pod \r\n<br>metadata: \r\n<br>creationTimestamp: null \r\n<br>labels: \r\n<br>component: kube-apiserver \r\n<br>tier: control-plane \r\n<br>name: kube-apiserver \r\n<br>namespace: kube-system \r\n<br>spec: \r\n<br>containers: \r\n<br>- command: \r\n<br>+ - kube-apiserver \r\n<br>+ - --authorization-mode=RBAC,Node \r\n<br>image: gcr.io\/google_containers\/kube-apiserver-amd64:v1.6.0 \r\n<br>livenessProbe: \r\n<br>failureThreshold: 8 \r\n<br>httpGet: \r\n<br>host: 127.0.0.1 \r\n<br>path: \/healthz \r\n<br>port: 6443 \r\n<br>scheme: HTTPS \r\n<br>initialDelaySeconds: 15 \r\n<br>timeoutSeconds: 15 \r\n<br>name: kube-apiserver-should-pass \r\n<br>resources: \r\n<br>requests: \r\n<br>cpu: 250m \r\n<br>volumeMounts: \r\n<br>- mountPath: \/etc\/kubernetes\/ \r\n<br>name: k8s \r\n<br>readOnly: true \r\n<br>- mountPath: \/etc\/ssl\/certs \r\n<br>name: certs \r\n<br>- mountPath: \/etc\/pki \r\n<br>name: pki \r\n<br>hostNetwork: true \r\n<br>volumes: \r\n<br>- hostPath: \r\n<br>path: \/etc\/kubernetes \r\n<br>name: k8s \r\n<br>- hostPath: \r\n<br>path: \/etc\/ssl\/certs \r\n<br>name: certs \r\n<br>- hostPath: \r\n<br>path: \/etc\/pki \r\n<br>name: pki \r\n<br>&#10001; Ensure the --authorization-mode argument includes Node \r\n<br>Remediation: Edit the API server pod specification file \/etc\/kubernetes\/manifests\/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to a value that includes Node. \r\n<br>--authorization-mode=Node,RBAC \r\n<br>Audit: \r\n<br>\/bin\/ps -ef | grep kube-apiserver | grep -v grep \r\n<br>Expected result: \r\n<br>'Node,RBAC' has 'Node' \r\n<br>&#10001; Ensure that the --profiling argument is set to false \r\n<br>Remediation: Edit the API server pod specification file \/etc\/kubernetes\/manifests\/kube-apiserver.yaml on the master node and set the below parameter. 
\r\n<br>--profiling=false \r\n<br>Audit: \r\n<br>\/bin\/ps -ef | grep kube-apiserver | grep -v grep \r\n<br>Expected result: \r\n<br>'false' is equal to 'false' \r\n<br>Fix all of the following violations that were found against the Kubelet:- \r\n<br>&#10001; Ensure the --anonymous-auth argument is set to false \r\n<br>Remediation: If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false. If using executable arguments, edit the kubelet service file \/etc\/systemd\/system\/kubelet.service.d\/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. \r\n<br>--anonymous-auth=false \r\n<br>Based on your system, restart the kubelet service. For example: \r\n<br>systemctl daemon-reload \r\n<br>systemctl restart kubelet.service \r\n<br>Audit: \r\n<br>\/bin\/ps -fC kubelet \r\n<br>Audit Config: \r\n<br>\/bin\/cat \/var\/lib\/kubelet\/config.yaml \r\n<br>Expected result: \r\n<br>&#10001; 'false' is equal to 'false' \r\n<br>2) Ensure that the --authorization-mode argument is set to Webhook. \r\n<br>Audit \r\n<br>docker inspect kubelet | jq -e '.[0].Args[] | match(&quot;--authorization-mode=Webhook&quot;).string' \r\n<br>Returned Value: --authorization-mode=Webhook \r\n<br>Fix all of the following violations that were found against the ETCD:- \r\n<br>a. Ensure that the --auto-tls argument is not set to true \r\n<br>Do not use self-signed certificates for TLS. etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service. 
\r\n<br>Fix - Buildtime \r\n<br>Kubernetes \r\n<br>apiVersion: v1 \r\n<br>kind: Pod \r\n<br>metadata: \r\n<br>annotations: \r\n<br>scheduler.alpha.kubernetes.io\/critical-pod: &quot;&quot; \r\n<br>creationTimestamp: null \r\n<br>labels: \r\n<br>component: etcd \r\n<br>tier: control-plane \r\n<br>name: etcd \r\n<br>namespace: kube-system \r\n<br>spec: \r\n<br>containers: \r\n<br>- command: \r\n<br>+ - etcd \r\n<br>+ - --auto-tls=true \r\n<br>image: k8s.gcr.io\/etcd-amd64:3.2.18 \r\n<br>imagePullPolicy: IfNotPresent \r\n<br>livenessProbe: \r\n<br>exec: \r\n<br>command: \r\n<br>- \/bin\/sh \r\n<br>- -ec \r\n<br>- ETCDCTL_API=3 etcdctl --endpoints=https:\/\/[192.168.22.9]:2379 --cacert=\/etc\/kubernetes\/pki\/etcd\/ca.crt --cert=\/etc\/kubernetes\/pki\/etcd\/healthcheck-client.crt --key=\/etc\/kubernetes\/pki\/etcd\/healthcheck-client.key get foo \r\n<br>failureThreshold: 8 \r\n<br>initialDelaySeconds: 15 \r\n<br>timeoutSeconds: 15 \r\n<br>name: etcd-should-fail \r\n<br>resources: {} \r\n<br>volumeMounts: \r\n<br>- mountPath: \/var\/lib\/etcd \r\n<br>name: etcd-data \r\n<br>- mountPath: \/etc\/kubernetes\/pki\/etcd \r\n<br>name: etcd-certs \r\n<br>hostNetwork: true \r\n<br>priorityClassName: system-cluster-critical \r\n<br>volumes: \r\n<br>- hostPath: \r\n<br>path: \/var\/lib\/etcd \r\n<br>type: DirectoryOrCreate \r\n<br>name: etcd-data \r\n<br>- hostPath: \r\n<br>path: \/etc\/kubernetes\/pki\/etcd \r\n<br>type: DirectoryOrCreate \r\n<br>name: etcd-certs \r\n<br>status: {} \r\n<br><br><img decoding=\"async\" width=649 height=609 id=\"\u56fe\u7247 152\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image001-26.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=378 id=\"\u56fe\u7247 151\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image002-23.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=225 id=\"\u56fe\u7247 150\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image003-17.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=532 height=373 id=\"\u56fe\u7247 149\" 
src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image004-16.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=172 id=\"\u56fe\u7247 148\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image005-15.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=337 id=\"\u56fe\u7247 147\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image006-17.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=118 id=\"\u56fe\u7247 146\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image007-12.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-451357'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nA container image scanner is set up on the cluster.<br \/>\r\n<br \/>\r\nGiven an incomplete configuration in the directory<br \/>\r\n<br \/>\r\n\/etc\/kubernetes\/confcontrol and a functional container image scanner with HTTPS endpoint https:\/\/test-server.local.8081\/image_policy<br \/>\r\n<br \/>\r\n1. Enable the admission plugin.<br \/>\r\n<br \/>\r\n2. 
Validate the control configuration and change it to implicit deny.<br \/>\r\n<br \/>\r\nFinally, test the configuration by deploying the pod having the image tag as latest.<\/div><input type='hidden' name='question_id[]' id='qID_16' value='451357' \/><input type='hidden' id='answerType451357' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451357[]' id='answer-id-1745424' class='answer   answerof-451357 ' value='1745424'   \/><label for='answer-id-1745424' id='answer-label-1745424' class=' answer'><span>ssh-add ~\/.ssh\/tempprivate \r\n<br>eval &quot;$(ssh-agent -s)&quot; \r\n<br>cd contrib\/terraform\/aws \r\n<br>vi terraform.tfvars \r\n<br>terraform init \r\n<br>terraform apply -var-file=credentials.tfvars \r\n<br>ansible-playbook -i .\/inventory\/hosts .\/cluster.yml -e ansible_ssh_user=core -e bootstrap_os=coreos -b --become-user=root --flush-cache -e ansible_user=core \r\n<br><br><img decoding=\"async\" width=649 height=295 id=\"\u56fe\u7247 133\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image020-7.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-451358'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. 
<\/span>SIMULATION<br \/>\r\n<br \/>\r\n<br \/>\r\n<img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 140\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image013-11.jpg\" width=\"388\" height=\"675\" \/>Task<br \/>\r\n<br \/>\r\nCreate a NetworkPolicy named pod-access to restrict access to Pod users-service running in namespace dev-team.<br \/>\r\n<br \/>\r\nOnly allow the following Pods to connect to Pod users-service:<br \/>\r\n<br \/>\r\n\u2711 Pods in the namespace qa<br \/>\r\n<br \/>\r\n\u2711 Pods with label environment: testing, in any namespace<br \/>\r\n<br \/>\r\n<br \/>\r\n<img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 139\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image014-9.jpg\" width=\"392\" height=\"111\" \/><img loading=\"lazy\" decoding=\"async\" id=\"\u56fe\u7247 138\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image015-8.jpg\" width=\"387\" height=\"223\" \/><\/div><input type='hidden' name='question_id[]' id='qID_17' value='451358' \/><input type='hidden' id='answerType451358' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451358[]' id='answer-id-1745425' class='answer   answerof-451358 ' value='1745425'   \/><label for='answer-id-1745425' id='answer-label-1745425' class=' answer'><span><br><img decoding=\"async\" width=649 height=234 id=\"\u56fe\u7247 137\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image016-10.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=454 height=454 id=\"\u56fe\u7247 136\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image017-10.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=507 height=930 id=\"\u56fe\u7247 135\" 
src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image018-8.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=587 height=494 id=\"\u56fe\u7247 134\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image019-7.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-451359'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nCreate a new NetworkPolicy named deny-all in the namespace testing which denies all traffic of type ingress and egress traffic<\/div><input type='hidden' name='question_id[]' id='qID_18' value='451359' \/><input type='hidden' id='answerType451359' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451359[]' id='answer-id-1745426' class='answer   answerof-451359 ' value='1745426'   \/><label for='answer-id-1745426' id='answer-label-1745426' class=' answer'><span>You can create a &quot;default&quot; isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any ingress traffic to those pods. \r\n<br>apiVersion: networking.k8s.io\/v1 \r\n<br>kind: NetworkPolicy \r\n<br>metadata: \r\n<br>name: default-deny-ingress \r\n<br>spec: \r\n<br>podSelector: {} \r\n<br>policyTypes: \r\n<br>- Ingress \r\n<br>You can create a &quot;default&quot; egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any egress traffic from those pods. 
\r\n<br>apiVersion: networking.k8s.io\/v1 \r\n<br>kind: NetworkPolicy \r\n<br>metadata: \r\n<br>name: allow-all-egress \r\n<br>spec: \r\n<br>podSelector: {} \r\n<br>egress: \r\n<br>- {} \r\n<br>policyTypes: \r\n<br>- Egress \r\n<br>Default deny all ingress and all egress traffic \r\n<br>You can create a &quot;default&quot; policy for a namespace which prevents all ingress AND egress traffic by creating the following NetworkPolicy in that namespace. \r\n<br>apiVersion: networking.k8s.io\/v1 \r\n<br>kind: NetworkPolicy \r\n<br>metadata: \r\n<br>name: default-deny-all \r\n<br>spec: \r\n<br>podSelector: {} \r\n<br>policyTypes: \r\n<br>- Ingress \r\n<br>- Egress \r\n<br>This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   watupro-question-id-451360'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>SIMULATION<br \/>\r\n<br \/>\r\nEnable audit logs in the cluster, To Do so, enable the log backend, and ensure that<br \/>\r\n<br \/>\r\n1. logs are stored at \/var\/log\/kubernetes\/kubernetes-logs.txt.<br \/>\r\n<br \/>\r\n2. Log files are retained for 5 days.<br \/>\r\n<br \/>\r\n3. at maximum, a number of 10 old audit logs files are retained.<br \/>\r\n<br \/>\r\nEdit and extend the basic policy to log:<br \/>\r\n<br \/>\r\n1. Cronjobs changes at RequestResponse<br \/>\r\n<br \/>\r\n2. Log the request body of deployments changes in the namespace kube-system.<br \/>\r\n<br \/>\r\n3. Log all other resources in core and extensions at the Request level.<br \/>\r\n<br \/>\r\n4. 
Don't log watch requests by the \"system:kube-proxy\" on endpoints or<\/div><input type='hidden' name='question_id[]' id='qID_19' value='451360' \/><input type='hidden' id='answerType451360' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451360[]' id='answer-id-1745427' class='answer   answerof-451360 ' value='1745427'   \/><label for='answer-id-1745427' id='answer-label-1745427' class=' answer'><span><br><img decoding=\"async\" width=649 height=596 id=\"\u56fe\u7247 115\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image038-4.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=405 id=\"\u56fe\u7247 114\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image039-5.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=413 id=\"\u56fe\u7247 113\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image040-6.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=356 id=\"\u56fe\u7247 112\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image041-5.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=264 id=\"\u56fe\u7247 111\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image042-7.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   watupro-question-id-451361'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. 
<\/span>SIMULATION<br \/>\r\n<br \/>\r\nGiven an existing Pod named nginx-pod running in the namespace test-system, fetch the service-account-name used and put the content in \/candidate\/KSC00124.txt<br \/>\r\n<br \/>\r\nCreate a new Role named dev-test-role in the namespace test-system, which can perform update operations, on resources of type namespaces.<br \/>\r\n<br \/>\r\nCreate a new RoleBinding named dev-test-role-binding, which binds the newly created Role to the Pod's ServiceAccount (found in the Nginx pod running in namespace test-system).<\/div><input type='hidden' name='question_id[]' id='qID_20' value='451361' \/><input type='hidden' id='answerType451361' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-451361[]' id='answer-id-1745428' class='answer   answerof-451361 ' value='1745428'   \/><label for='answer-id-1745428' id='answer-label-1745428' class=' answer'><span><br><img decoding=\"async\" width=649 height=439 id=\"\u56fe\u7247 118\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image035-5.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=509 height=187 id=\"\u56fe\u7247 117\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image036-5.jpg\"><br>\r\n<br><br><img decoding=\"async\" width=649 height=485 id=\"\u56fe\u7247 116\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/uploads\/2026\/01\/image037-5.jpg\"><br><\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div style='display:none' id='question-21'>\n\t<div class='question-content'>\n\t\t<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\" alt=\"Loading...\" title=\"Loading...\" \/>&nbsp;Loading...\t<\/div>\n<\/div>\n\n<br 
\/>\n<\/form>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Achieving the Certified Kubernetes Security Specialist (CKS) certification will prove that you have security &amp; Kubernetes skills to open a career door. To ensure you are fully prepared for the CKS exam 2026, DumpsBase has updated the CKS exam dumps to V10.02. Our latest collection of CKS exam dumps (V10.02) provides a comprehensive and reliable [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12877,10387],"tags":[21021],"class_list":["post-122407","post","type-post","status-publish","format-standard","hentry","category-kubernetes-security-specialist","category-the-linux-foundation","tag-certified-kubernetes-security-specialist-cks"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/122407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=122407"}],"version-history":[{"count":1,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/122407\/revisions"}],"predecessor-version":[{"id":122408,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/122407\/revisions\/122408"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.
com\/freedumps\/wp-json\/wp\/v2\/media?parent=122407"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=122407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=122407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}