Exam
CKS
Home › CKS practice tasks › Fix Insecure Kubelet and etcd
CKS · Cluster Setup
Fix Insecure Kubelet and etcd
A cluster node has been configured insecurely.
🗓️ Free Task of the Week: one CKS task is unlocked free for everyone every week — no card, real cluster, auto-graded (2 tries/week). Create a free account and check whether this one is live now.
The task
Task
A cluster node has been configured insecurely.
Requirements
- Ensure the kubelet is configured with:
anonymous-auth=falseauthorization-mode=Webhook
- Review the etcd static Pod manifest and fix any insecure configuration related to anonymous or unauthenticated access if present.
Verify
kubectl get nodesThe node must be Ready after your changes.
> Note: After saving your changes and restarting the kubelet, the node may take up to 60 seconds to return to Ready. If kubectl get nodes shows NotReady at first, wait a moment and re-run it.
What this tests
Lock down network access, the kubelet, API authentication, and ingress TLS, and run CIS benchmark checks. On the CKS exam, Cluster Setup tasks are graded purely on what you build in the cluster — not multiple choice — so the only way to get faster is to do them on a real cluster against a clock.
Practice it for real
prepium.sh drops you into your own isolated Kubernetes cluster in the browser — no install, no credit card. You solve the task in a real terminal, hit validate, and a programmatic checker scores exactly what you got right and wrong (with partial credit). The canonical solution unlocks after you attempt it, so you learn the fast, exam-ready way to do it.