HomeCKS practice tasks › Detect and Stop a Pod Accessing /dev/mem
CKS · Monitoring, Logging and Runtime Security

Detect and Stop a Pod Accessing /dev/mem

A Pod in the cluster is accessing /dev/mem.

Solve this on a real cluster — free → All CKS tasks
🗓️ Free Task of the Week: one CKS task is unlocked free for everyone every week — no card, real cluster, auto-graded (2 tries/week). Create a free account and check whether this one is live now.

The task

Task

A Pod in the cluster is accessing /dev/mem.

Requirements

  1. Create a custom Falco rule to detect access to /dev/mem
  2. Use Falco alerts to identify the bad Pod
  3. Once identified, scale the Deployment that owns the bad Pod to 0

Verify that no Pods from that Deployment are running anymore.

Exam
CKS
Domain
Monitoring, Logging and Runtime Security
Grading
Programmatic · partial credit
Reference
Kubernetes docs ↗

What this tests

Detect threats at runtime with Falco, behavioral analytics, and audit logging. On the CKS exam, Monitoring, Logging and Runtime Security tasks are graded purely on what you build in the cluster — not multiple choice — so the only way to get faster is to do them on a real cluster against a clock.

Practice it for real

prepium.sh drops you into your own isolated Kubernetes cluster in the browser — no install, no credit card. You solve the task in a real terminal, hit validate, and a programmatic checker scores exactly what you got right and wrong (with partial credit). The canonical solution unlocks after you attempt it, so you learn the fast, exam-ready way to do it.

Start free → CKS overview

Related CKS tasks

Configure API Server Audit Logging