Which of the following is a measure for data plane isolation in a Kubernetes multi-tenancy scenario?
A. Assign a dedicated set of workers to run Pods from each tenant.
B. Assign a dedicated namespace to Pods from each tenant.
C. Enforce Roles and RoleBindings tied to specific namespaces only, forbid cluster-wide roles.
D. Enforce Object Count Quotas via the ResourceQuota admission controller.
A malicious user is targeting the etcd key-value store of a Kubernetes cluster for data exfiltration.
Which option describes how an adversary can access sensitive data from etcd?
A. By spoofing the IP address of a legitimate client to gain access to the etcd cluster.
B. By exploiting a vulnerability in the kubelet to gain direct access to the etcd cluster.
C. By gaining physical access to the server hosting the etcd cluster and extracting the sensitive data.
D. By intercepting network traffic between the Kubernetes API server and the etcd cluster to capture sensitive data.
A user needs to maintain the audit policy of a Kubernetes cluster and wants to make sure that they log the most information in regard to Pod changes.
Which level do they select for the Pod resource?
A. Request
B. RequestResponse
C. RequestResponseMetadata
D. Metadata
Which of the following is a recommendation in the NSA and CISA Kubernetes Hardening Guidance on namespaces?
A. Assign a single and unique namespace to each tenant.
B. Use the default namespace for all workloads.
C. User Pods should not be placed in kube-system or kube-public.
D. Share the same namespace for all workloads to improve resource utilization.
Review the following pod manifest and answer the question that follows.
Which OWASP Top 10 for Kubernetes risks does the following pod manifest introduce?
A. Insecure Design
B. Outdated and Vulnerable Kubernetes Components
C. Insecure Workload Configurations
D. Broken Authentication Mechanisms
A user is tasked with securing the Kubernetes API Server. Which mechanism cannot be used to secure the Kubernetes API?
A. Enabling and configuring API server audit logging.
B. Implementing Role Based Access Control (RBAC).
C. Disabling TLS encryption for faster API communication.
D. Enabling and configuring authentication plugins.
A malicious actor with root access on a node wants to run a container without it being visible in the Kubernetes API.
How can the attacker achieve this?
A. By creating a static Pod using a filesystem-hosted static Pod manifest.
B. By exploiting a vulnerability in the Kubernetes control plane components.
C. By leveraging a Kubernetes admission controller to hide the container.
D. By running the container using the underlying container runtime.
AppArmor profiles preventing access to sensitive resources have been loaded onto a Node, but the Pods running on the Node can still access those resources.
How can the Pods be configured so that they are correctly constrained by the AppArmor profiles?
A. Enable AppArmor for the Pods running on the Node.
B. Edit the Pod YAML files to include the correct AppArmor profile annotations.
C. Restart the Pods to apply the profiles to the Pods running on the Node.
D. Reload the AppArmor profiles on the Node.
Which of the following statements correctly describes a container breakout?
A. A container breakout is the process of escaping the container and gaining access to the Pod's network traffic.
B. A container breakout is the process of escaping the container and gaining access to the cloud provider's infrastructure.
C. A container breakout is the process of escaping a container when it reaches its resource limits.
D. A container breakout is the process of escaping the container and gaining access to the host operating system.
Which of the following statements best describes the role of the Scheduler in Kubernetes?
A. The Scheduler is responsible for ensuring the security of the Kubernetes cluster and its components.
B. The Scheduler is responsible for assigning Pods to nodes based on resource availability and other constraints.
C. The Scheduler is responsible for monitoring and managing the health of the Kubernetes cluster.
D. The Scheduler is responsible for managing the deployment and scaling of applications in the Kubernetes cluster.
A Kubernetes cluster runs on a cloud platform. The platform's metadata API provides information about the cluster (e.g., cloud credentials for that node).
What should be done to mitigate the risk associated with cloud metadata API access?
A. Restrict Pod access to the cloud metadata API via network policies.
B. Ensure that all sensitive data in the cloud metadata API is encrypted.
C. Regularly audit the access logs of the cloud metadata API.
D. Turn off the cloud metadata API.
A user is responsible for securing their Kubernetes pipeline and ensuring that the components are signed, and their signatures are validated.
What is the purpose of pipeline attestation?
A. Pipeline attestation is a process of automatically deploying and testing new versions of components in the pipeline.
B. Pipeline attestation is a security feature that encrypts the communication between the pipeline components.
C. Pipeline attestation ensures that all components in the pipeline are up to date and have the latest security patches.
D. Pipeline attestation verifies the integrity of the software supply chain and ensures that the components have not been tampered with.
When working with container images, how can users prevent misconfiguration?
A. Misconfiguration will always exist and cannot be prevented.
B. Container images are concerned with the packages and building the code base, not with the configuration of the application.
C. Copy and paste Dockerfile configurations from trusted sources.
D. Follow industry best practices, only use container images from trusted sources, and use a misconfiguration scanner to scan the Dockerfile configuration before building container images.
Which of the following are valid RBAC verbs in a Kubernetes Role?
A. get, head, post, put, delete, connect, options, trace, patch
In Kubernetes, what type of certificate does the API server use to prove its identity to clients?
A. Root certificate
B. Client certificate
C. Server certificate
D. Intermediate certificate
What is a trust boundary in the context of Kubernetes?
A. The boundary between two Nodes in different subnets.
B. The boundary between two Pods from different applications.
C. The boundary between two components where trust levels change.
D. The boundary between two Services defined by different teams.
What is the best definition of the Provenance control from NIST 800-53 Rev. 5?
A. Provenance control ensures compliance with legal and regulatory requirements throughout the supply chain.
B. Provenance control ensures software and firmware components' integrity, authenticity, and confidentiality throughout the supply chain.
C. Provenance control focuses on the physical security of hardware components during the supply chain process.
D. Provenance control ensures the availability and reliability of software and firmware components throughout the supply chain.
Which organisation provides Kubernetes Security Benchmarks for both self-hosted and managed platforms?
A. The Open Web Application Security Project (OWASP)
B. The Center for Internet Security (CIS)
C. The National Institute of Standards and Technology (NIST)
D. The Cloud Native Computing Foundation (CNCF)
How can containers in the same Pod communicate over the network?
A. Containers in the same Pod cannot communicate over the network.
B. Containers in the same Pod can communicate over the network using a shared network namespace.
C. Containers in the same Pod can communicate over the network using a separate network namespace.
D. Containers in the same Pod can communicate over the network using the host network namespace.
An attacker has disabled the log forwarding for a Kubernetes cluster with the aim of hiding evidence of their malicious activity from incident response.
Which attack type in STRIDE would this fall under?
A. Repudiation
B. Denial of Service
C. Tampering
D. Spoofing
What is the difference between gVisor and Firecracker?
A. gVisor and Firecracker are both container runtimes that can be used interchangeably.
B. gVisor is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads. At the same time, Firecracker is a user-space kernel that provides isolation and security for containers.
C. gVisor is a user-space kernel that provides isolation and security for containers. At the same time, Firecracker is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads.
D. gVisor and Firecracker are two names for the same technology, which provides isolation and security for containers.
A user runs a command with kubectl to apply a change to a deployment. What is the first Kubernetes component that the request reaches?
A. Kubernetes Scheduler
B. Kubernetes Controller Manager
C. kubelet
D. Kubernetes API Server
How does the kube-proxy forward traffic to a Pod based on its Service configuration?
A. The kube-proxy configures eBPF on the node to forward traffic from the Service to the Pod.
B. The kube-proxy implements a virtual IP mechanism for Services (e.g., via iptables).
C. The kube-proxy injects multiple A records in the CoreDNS Pod for each Service.
D. The kube-proxy injects reverse proxy configuration in the Ingress Controller (e.g., nginx).
Which components should be able to access etcd at the network level directly?