1. What is the primary security risk associated with running privileged containers?
A) Increased container startup time
B) Limited network access
C) Full host access, leading to potential host compromise
D) Reduced CPU utilization
Answer: C) Full host access, leading to potential host compromise
Explanation: Privileged containers run with root-like privileges and can interact with the host system, potentially allowing an attacker to escape the container and take control of the host machine.
2. What Kubernetes feature is used to control communication between pods?
A) PodSecurityPolicies
B) Network Policies
C) Role-Based Access Control (RBAC)
D) API Server
Answer: B) Network Policies
Explanation: Network Policies define how pods can communicate with each other and with external services. This restricts unauthorized access and mitigates lateral movement in case of a breach.
3. How can you prevent container images from running as root in Kubernetes?
A) Use an admission controller to enforce non-root users
B) Assign root privileges to all containers
C) Allow SSH access to containers
D) Disable RBAC
Answer: A) Use an admission controller to enforce non-root users
Explanation: Running containers as root is a security risk. Admission controllers like Pod Security Admission or Gatekeeper (OPA) can enforce that containers use non-root users.
4. Which tool can scan container images for vulnerabilities?
A) kube-bench
B) Trivy
C) iptables
D) tcpdump
Answer: B) Trivy
Explanation: Trivy is a security scanner for container images that detects vulnerabilities in installed packages and dependencies.
5. What is the best way to prevent an attacker from modifying Kubernetes API server configurations?
A) Enable Kubernetes Dashboard
B) Use Role-Based Access Control (RBAC)
C) Allow anonymous access to the API server
D) Store secrets in environment variables
Answer: B) Use Role-Based Access Control (RBAC)
Explanation: RBAC controls user access to Kubernetes resources, preventing unauthorized users from modifying API configurations.
6. Which of the following is NOT a recommended security practice for Kubernetes?
A) Enabling audit logging
B) Running containers as root
C) Applying network policies
D) Using read-only root file systems
Answer: B) Running containers as root
Explanation: Running containers as root increases security risks, such as privilege escalation and container escapes.
7. What is the purpose of Kubernetes Pod Security Admission (PSA)?
A) Encrypts pod logs
B) Controls which security settings a pod must follow
C) Provides a web-based interface for managing pods
D) Disables network policies
Answer: B) Controls which security settings a pod must follow
Explanation: Pod Security Admission (PSA) enforces security standards by controlling pod permissions, ensuring they meet security best practices.
8. How can you protect Kubernetes secrets from unauthorized access?
A) Store secrets in container images
B) Use Kubernetes Secrets with RBAC restrictions
C) Save secrets in plaintext ConfigMaps
D) Hardcode secrets in application code
Answer: B) Use Kubernetes Secrets with RBAC restrictions
Explanation: Kubernetes Secrets provide a secure way to store sensitive data, but they should be protected with RBAC policies to restrict access.
9. What does the kube-bench tool do?
A) Scans Kubernetes clusters for compliance with security benchmarks
B) Measures cluster CPU and memory usage
C) Analyzes Kubernetes network traffic
D) Automates Kubernetes cluster scaling
Answer: A) Scans Kubernetes clusters for compliance with security benchmarks
Explanation: kube-bench checks whether a Kubernetes cluster complies with the CIS (Center for Internet Security) benchmarks.
10. Which component is responsible for enforcing policies in Kubernetes?
A) kube-scheduler
B) kube-controller-manager
C) Gatekeeper (OPA)
D) etcd
Answer: C) Gatekeeper (OPA)
Explanation: Gatekeeper (Open Policy Agent – OPA) helps enforce security policies by validating requests before they reach the Kubernetes API server.
11. What is a common security risk when using default Kubernetes ServiceAccount tokens?
A) Unauthorized cluster-wide access
B) Increased network latency
C) Excessive CPU consumption
D) Faster pod scheduling
Answer: A) Unauthorized cluster-wide access
Explanation: Default ServiceAccount tokens often have broad permissions, leading to potential privilege escalation if compromised.
12. What is the recommended way to restrict access to the Kubernetes API server?
A) Disable RBAC
B) Use IP whitelisting and RBAC
C) Expose the API server to the public internet
D) Allow anonymous API access
Answer: B) Use IP whitelisting and RBAC
Explanation: Limiting access to trusted IPs and enforcing RBAC policies enhances Kubernetes API security.
13. What is a benefit of using a read-only root file system for containers?
A) Prevents unauthorized modifications to the container filesystem
B) Reduces memory usage
C) Increases network bandwidth
D) Improves application logging
Answer: A) Prevents unauthorized modifications to the container filesystem
Explanation: A read-only root filesystem helps prevent attackers from modifying files inside a container.
14. Which Kubernetes security feature allows encryption of secret data at rest?
A) Network policies
B) etcd Encryption
C) RBAC
D) Pod disruption budgets
Answer: B) etcd Encryption
Explanation: Kubernetes supports encryption at rest for etcd, ensuring that stored secrets and sensitive data remain encrypted.
15. How can you prevent unauthorized container image usage in Kubernetes?
A) Use Image Policy Webhook
B) Remove RBAC restrictions
C) Use an insecure container registry
D) Allow all users to deploy images
Answer: A) Use Image Policy Webhook
Explanation: Image Policy Webhook allows enforcing image signing and trust policies to prevent unauthorized images from running.
16. What is the main risk of exposed Kubernetes dashboards?
A) Increased storage usage
B) Unauthorized access and cluster takeover
C) Slower network traffic
D) High CPU load
Answer: B) Unauthorized access and cluster takeover
Explanation: Exposing Kubernetes Dashboard without proper authentication can lead to privilege escalation and cluster compromise.
17. What does “Runtime Security Monitoring” mean in Kubernetes?
A) Scanning containers at rest
B) Monitoring and detecting security threats in running workloads
C) Stopping all pods for security reasons
D) Disabling kubelet logs
Answer: B) Monitoring and detecting security threats in running workloads
Explanation: Runtime security monitoring tools like Falco detect suspicious activity in running containers.
18. What is a common attack against misconfigured Kubernetes Role-Based Access Control (RBAC)?
A) Privilege escalation
B) Faster pod scheduling
C) Increased disk usage
D) Reduced API latency
Answer: A) Privilege escalation
Explanation: Weak RBAC configurations can allow attackers to gain admin privileges and take control of the cluster.
19. What security tool can monitor Kubernetes system calls?
A) Falco
B) Helm
C) Docker Compose
D) Prometheus
Answer: A) Falco
Explanation: Falco is an open-source security tool that monitors system calls in Kubernetes for suspicious behavior.
20. How can you prevent unwanted pods from being scheduled on critical nodes?
A) Use node taints and tolerations
B) Disable kubelet
C) Increase node CPU allocation
D) Remove network policies
Answer: A) Use node taints and tolerations
Explanation: Taints and tolerations help ensure only specific workloads run on critical nodes, reducing security risks.
21. What is the main purpose of Kubernetes Security Context?
A) It defines networking rules for pods
B) It controls security settings for individual containers
C) It configures monitoring dashboards
D) It sets up load balancing for services
Answer: B) It controls security settings for individual containers
Explanation: A Security Context in Kubernetes specifies security-related configurations such as user ID, group ID, privilege escalation, and filesystem access for containers.
22. Which security feature prevents an attacker from executing arbitrary commands inside a container?
A) RBAC
B) seccomp (Secure Computing Mode)
C) Network Policies
D) kube-proxy
Answer: B) seccomp (Secure Computing Mode)
Explanation: seccomp restricts system calls that containers can execute, reducing the risk of container breakout and privilege escalation.
23. Which of the following is a Kubernetes control plane security best practice?
A) Disable audit logging
B) Use static kubeconfig files
C) Restrict API server access with authentication and RBAC
D) Expose the API server to all networks
Answer: C) Restrict API server access with authentication and RBAC
Explanation: The Kubernetes API server should be secured using authentication, RBAC policies, and access controls to prevent unauthorized actions.
24. How can you ensure that only signed container images are used in Kubernetes?
A) Enable imagePullSecrets
B) Use containerd instead of Docker
C) Implement Image Admission Policy with Notary or Cosign
D) Store images in a public registry
Answer: C) Implement Image Admission Policy with Notary or Cosign
Explanation: Notary (Docker Content Trust) and Cosign allow organizations to enforce signed image policies, ensuring only trusted images are deployed.
25. What is the impact of running containers with the CAP_SYS_ADMIN capability?
A) It allows the container to manage Kubernetes RBAC
B) It grants excessive privileges, increasing the risk of container escape
C) It prevents the container from executing commands
D) It disables the container runtime
Answer: B) It grants excessive privileges, increasing the risk of container escape
Explanation: The CAP_SYS_ADMIN capability gives containers near-root permissions, allowing them to bypass security restrictions and compromise the host.
26. What is the best way to store sensitive environment variables securely in Kubernetes?
A) Hardcode them in the container image
B) Store them in ConfigMaps
C) Use Kubernetes Secrets with RBAC restrictions
D) Pass them as command-line arguments
Answer: C) Use Kubernetes Secrets with RBAC restrictions
Explanation: Kubernetes Secrets provide a secure way to store sensitive data. RBAC ensures only authorized components can access them.
27. Which attack exploits weak role-based access control (RBAC) settings in Kubernetes?
A) API Server Denial of Service
B) Privilege Escalation
C) Man-in-the-Middle Attack
D) Data Exfiltration
Answer: B) Privilege Escalation
Explanation: Weak RBAC settings can allow attackers to gain higher privileges, enabling them to modify configurations or take over the cluster.
28. What is a benefit of using read-only filesystem mode for containers?
A) Prevents unauthorized writes and malware persistence
B) Improves logging performance
C) Enables faster image pull times
D) Reduces memory usage
Answer: A) Prevents unauthorized writes and malware persistence
Explanation: Running containers with a read-only root filesystem prevents attackers from modifying files or planting malware inside the container.
29. How can you limit pod-to-pod communication in Kubernetes?
A) Use Kubernetes Ingress rules
B) Apply Network Policies
C) Enable Node Affinity
D) Use Persistent Volumes
Answer: B) Apply Network Policies
Explanation: Network Policies restrict communication between pods and namespaces, preventing unauthorized lateral movement inside the cluster.
30. Which Kubernetes tool helps prevent configuration drifts in security policies?
A) kube-hunter
B) Kyverno
C) Calico
D) Prometheus
Answer: B) Kyverno
Explanation: Kyverno is a Kubernetes-native policy engine that enforces security policies and prevents configuration drifts.
31. What is a risk of using an outdated container base image?
A) Reduced performance
B) Increased attack surface due to known vulnerabilities
C) Limited container portability
D) Increased storage usage
Answer: B) Increased attack surface due to known vulnerabilities
Explanation: Older base images may contain unpatched vulnerabilities that attackers can exploit.
32. What Kubernetes security feature prevents the execution of unsigned or malicious workloads?
A) Admission Controllers
B) kube-proxy
C) API Gateway
D) Pod Disruption Budget
Answer: A) Admission Controllers
Explanation: Admission Controllers enforce security policies, ensuring only trusted workloads are deployed.
33. Which attack can occur if Kubernetes API server logging is disabled?
A) Denial of Service
B) Privilege Escalation
C) Undetected malicious activities
D) Service Load Balancing Issues
Answer: C) Undetected malicious activities
Explanation: Audit logging helps track API actions. Disabling logs makes it harder to detect unauthorized access or attacks.
34. How can you restrict egress traffic from a Kubernetes pod?
A) Enable Network Policies
B) Use Kubernetes Ingress rules
C) Disable kubelet logs
D) Assign the pod to a privileged namespace
Answer: A) Enable Network Policies
Explanation: Network Policies can limit outgoing (egress) traffic, reducing exposure to data exfiltration risks.
35. Which Kubernetes security tool scans clusters for misconfigurations?
A) kube-bench
B) Falco
C) tcpdump
D) kubectl
Answer: A) kube-bench
Explanation: kube-bench checks Kubernetes clusters for security misconfigurations against CIS benchmarks.
36. What is a common security risk of using publicly available container images?
A) Unpatched vulnerabilities and malware
B) Faster deployment times
C) Higher CPU efficiency
D) Improved load balancing
Answer: A) Unpatched vulnerabilities and malware
Explanation: Public images may contain vulnerabilities or embedded malware, posing a security risk if not scanned and verified.
37. What is the main risk of running containers with unrestricted hostPath volumes?
A) Slower pod scheduling
B) Unauthorized access to the host filesystem
C) Increased network latency
D) Higher memory consumption
Answer: B) Unauthorized access to the host filesystem
Explanation: Unrestricted hostPath volumes allow containers direct access to the host's filesystem, which can lead to privilege escalation.
38. Which Kubernetes security feature ensures encryption of data at rest?
A) etcd Encryption
B) Network Policies
C) Pod Affinity
D) Taints and Tolerations
Answer: A) etcd Encryption
Explanation: etcd Encryption ensures sensitive Kubernetes data is stored securely.
39. What is a primary goal of Kubernetes Runtime Security?
A) Detecting and responding to suspicious activity in running containers
B) Improving cluster performance
C) Automating deployment pipelines
D) Enhancing database replication
Answer: A) Detecting and responding to suspicious activity in running containers
Explanation: Runtime security tools like Falco detect real-time threats inside running containers.
40. What is a key risk of exposing Kubernetes API server to the internet?
A) Unauthorized access and cluster takeover
B) Increased pod restart times
C) Higher API response times
D) Increased storage usage
Answer: A) Unauthorized access and cluster takeover
Explanation: Exposing Kubernetes API publicly allows attackers to brute force credentials and exploit API vulnerabilities.
41. Which Kubernetes feature restricts the scheduling of specific pods on a node?
A) Taints and Tolerations
B) Network Policies
C) ConfigMaps
D) Role-Based Access Control (RBAC)
Answer: A) Taints and Tolerations
Explanation: Taints and Tolerations prevent specific pods from being scheduled on a node unless explicitly allowed, which helps in security isolation and resource protection.
42. What is a potential risk of allowing containers to mount /var/run/docker.sock?
A) Increases CPU load
B) Allows containers to control Docker and escape to the host
C) Slows down Kubernetes cluster communication
D) Causes excessive logging
Answer: B) Allows containers to control Docker and escape to the host
Explanation: Mounting /var/run/docker.sock allows containers direct access to the Docker daemon, which can lead to container escape attacks and full host compromise.
43. How can you protect a Kubernetes cluster against credential theft?
A) Store credentials in container images
B) Use Kubernetes Secrets with RBAC restrictions
C) Share credentials between all pods
D) Disable authentication on the API server
Answer: B) Use Kubernetes Secrets with RBAC restrictions
Explanation: Kubernetes Secrets store sensitive data securely, and RBAC ensures that only authorized pods or users can access them.
44. What is a major risk of exposing etcd without proper authentication?
A) Slower Kubernetes API performance
B) Attackers can read and modify Kubernetes cluster data
C) Increased network latency
D) Unstable pod deployments
Answer: B) Attackers can read and modify Kubernetes cluster data
Explanation: etcd is the data store for Kubernetes. Unsecured etcd access allows attackers to steal secrets, modify configurations, or delete resources.
45. Which of the following best describes a Kubernetes Admission Controller?
A) A component that schedules pods onto nodes
B) A security mechanism that validates API requests before they are persisted
C) A network firewall for pods
D) A Kubernetes logging system
Answer: B) A security mechanism that validates API requests before they are persisted
Explanation: Admission Controllers enforce security policies by validating requests before they reach the API server.
46. What is a major risk of using the default ServiceAccount in Kubernetes?
A) It allows excessive permissions, which may lead to privilege escalation
B) It improves security by restricting API access
C) It slows down pod deployments
D) It increases resource utilization
Answer: A) It allows excessive permissions, which may lead to privilege escalation
Explanation: The default ServiceAccount is often granted broad permissions, which attackers can exploit for privilege escalation.
47. What is the purpose of Kubernetes Pod Disruption Budgets (PDBs)?
A) Ensures high availability by limiting the number of pod disruptions
B) Encrypts pod data
C) Secures pod-to-pod communication
D) Prevents pod deletion
Answer: A) Ensures high availability by limiting the number of pod disruptions
Explanation: Pod Disruption Budgets (PDBs) prevent too many pods from being evicted at once, maintaining service availability.
48. Which Kubernetes tool helps detect container runtime security threats?
A) kube-bench
B) Falco
C) Helm
D) cAdvisor
Answer: B) Falco
Explanation: Falco monitors container runtime activity and detects suspicious events in real-time.
49. What security risk does a Kubernetes cluster face if RBAC is misconfigured?
A) Network congestion
B) Unauthorized users can perform privileged actions
C) Increased CPU usage
D) Slower pod scheduling
Answer: B) Unauthorized users can perform privileged actions
Explanation: Misconfigured RBAC can allow attackers or unauthorized users to escalate privileges and gain control over the cluster.
50. Which Kubernetes security best practice prevents unauthorized access to API requests?
A) Implementing RBAC with least privilege
B) Using public container images
C) Disabling audit logs
D) Allowing anonymous API access
Answer: A) Implementing RBAC with least privilege
Explanation: RBAC with least privilege ensures that only necessary permissions are granted, reducing security risks.
51. What is a Kubernetes Secret used for?
A) Storing sensitive data like passwords and API keys securely
B) Defining network rules
C) Logging API server requests
D) Managing storage volumes
Answer: A) Storing sensitive data like passwords and API keys securely
Explanation: Kubernetes Secrets store and manage confidential data in a secure way.
52. Which of the following helps secure Kubernetes network traffic?
A) Helm
B) Network Policies
C) Service Accounts
D) Prometheus
Answer: B) Network Policies
Explanation: Network Policies define rules for pod-to-pod communication, preventing unauthorized access.
53. What is the best way to mitigate privilege escalation in Kubernetes?
A) Assigning minimal permissions using RBAC
B) Running all workloads as root
C) Disabling authentication
D) Allowing unrestricted pod access
Answer: A) Assigning minimal permissions using RBAC
Explanation: RBAC should follow least privilege principles to prevent unauthorized users from gaining elevated access.
54. How can you detect misconfigurations in Kubernetes cluster security settings?
A) Using kube-hunter or kube-bench
B) Checking pod logs manually
C) Increasing pod replicas
D) Disabling API authentication
Answer: A) Using kube-hunter or kube-bench
Explanation: kube-hunter and kube-bench scan clusters for security vulnerabilities and misconfigurations.
55. What is the role of Kubernetes RoleBindings?
A) Assigns permissions to users or ServiceAccounts
B) Controls container CPU usage
C) Secures container image storage
D) Manages Kubernetes DNS settings
Answer: A) Assigns permissions to users or ServiceAccounts
Explanation: RoleBindings associate RBAC roles with users, groups, or ServiceAccounts.
56. What is the security risk of allowing Kubernetes workloads to use the hostNetwork setting?
A) Increased pod startup time
B) Allows containers to bypass network policies and access the host network
C) Reduces memory usage
D) Enables pod-to-pod encryption
Answer: B) Allows containers to bypass network policies and access the host network
Explanation: hostNetwork allows direct access to the host's network, which can be exploited by attackers.
57. How can you prevent unauthorized access to Kubernetes web dashboards?
A) Use RBAC and authentication controls
B) Allow all users to access the dashboard
C) Disable API logging
D) Store credentials in environment variables
Answer: A) Use RBAC and authentication controls
Explanation: RBAC and authentication should be enforced to restrict access to the Kubernetes dashboard.
58. What is a common risk of misconfigured Ingress controllers?
A) Unauthorized external access to internal services
B) Slower pod scaling
C) Increased CPU load
D) Lower API response time
Answer: A) Unauthorized external access to internal services
Explanation: Misconfigured Ingress controllers can expose internal services to external threats.
59. Which tool helps secure Kubernetes supply chain security?
A) Sigstore
B) kubelet
C) cAdvisor
D) Helm
Answer: A) Sigstore
Explanation: Sigstore helps ensure container images are properly signed and verified before deployment.
60. What Kubernetes feature allows isolating workloads for multi-tenancy?
A) Namespaces
B) ConfigMaps
C) Service Accounts
D) Pod Affinity
Answer: A) Namespaces
Explanation: Namespaces create logical separation of workloads, helping secure multi-tenant Kubernetes clusters.
61. What is the purpose of Kubernetes AppArmor profiles?
A) Define pod-to-pod communication rules
B) Restrict the actions that processes inside containers can perform
C) Manage container storage limits
D) Optimize CPU allocation for workloads
Answer: B) Restrict the actions that processes inside containers can perform
Explanation: AppArmor is a Linux security module that restricts container actions to prevent unauthorized execution and limit potential attack surfaces.
62. What Kubernetes feature helps prevent untrusted container images from running in a cluster?
A) Image Admission Policies
B) kube-proxy
C) Persistent Volumes
D) kubelet
Answer: A) Image Admission Policies
Explanation: Image Admission Policies ensure that only trusted and signed container images are deployed.
63. Which of the following security risks can arise from an exposed Kubernetes API server?
A) Brute force attacks and unauthorized cluster control
B) Increased pod start-up time
C) Network congestion
D) Faster API response times
Answer: A) Brute force attacks and unauthorized cluster control
Explanation: Exposing the Kubernetes API server without proper security controls can allow brute force attacks, privilege escalation, and full cluster compromise.
64. What is a common security risk of using wildcard (*) permissions in Kubernetes RBAC?
A) Reduced cluster performance
B) Unrestricted access to cluster resources
C) Slower pod deployment times
D) Increased logging overhead
Answer: B) Unrestricted access to cluster resources
Explanation: Wildcard (*) permissions in RBAC grant broad access, which can lead to privilege escalation and unauthorized actions.
65. How can you prevent Kubernetes workloads from running on specific nodes?
A) Apply Node Taints
B) Enable Host Network Mode
C) Increase pod priority
D) Use Persistent Volume Claims
Answer: A) Apply Node Taints
Explanation: Node Taints prevent specific workloads from being scheduled on a node unless they have matching tolerations.
66. What is the primary function of Kubernetes PodSecurityPolicy (PSP)?
A) Define allowed security settings for pods
B) Enforce pod-to-pod network rules
C) Schedule pods efficiently
D) Manage persistent storage
Answer: A) Define allowed security settings for pods
Explanation: PodSecurityPolicy (PSP) restricts privileged containers, root user access, and other security-sensitive settings.
67. How can you protect against Kubernetes secret theft?
A) Use RBAC to restrict secret access
B) Store secrets in environment variables
C) Hardcode secrets into application code
D) Allow all pods to access secrets
Answer: A) Use RBAC to restrict secret access
Explanation: RBAC restrictions prevent unauthorized access to Kubernetes secrets, reducing the risk of data leaks.
68. What is the primary role of Kubernetes kubelet?
A) Schedules workloads across nodes
B) Manages individual node communication with the API server
C) Manages role-based access control
D) Encrypts API traffic
Answer: B) Manages individual node communication with the API server
Explanation: kubelet is responsible for ensuring containers are running on a node, communicating with the API server.
69. What is the security benefit of disabling Kubernetes Dashboard?
A) Prevents unauthorized users from accessing cluster resources
B) Improves pod start-up times
C) Enhances CPU performance
D) Reduces network bandwidth usage
Answer: A) Prevents unauthorized users from accessing cluster resources
Explanation: The Kubernetes Dashboard can be a security risk if exposed publicly, allowing attackers to gain access to cluster configurations.
70. How can you prevent a container escape attack in Kubernetes?
A) Enforce seccomp and AppArmor profiles
B) Grant pods root access
C) Use public container images without verification
D) Run all workloads on the host network
Answer: A) Enforce seccomp and AppArmor profiles
Explanation: seccomp and AppArmor restrict system calls and process privileges, preventing container breakout attacks.
71. What Kubernetes feature can be used to limit the CPU and memory usage of a pod?
A) Resource Quotas and Limits
B) Pod Affinity
C) Taints and Tolerations
D) RBAC
Answer: A) Resource Quotas and Limits
Explanation: Resource Quotas restrict CPU and memory usage, preventing one pod from consuming excessive cluster resources.
72. What is the best practice for handling failed container security scans?
A) Automatically block deployment
B) Ignore scan results
C) Deploy the container immediately
D) Grant more privileges to the container
Answer: A) Automatically block deployment
Explanation: Blocking deployments of vulnerable images prevents known security risks from being introduced into the cluster.
73. How can you secure ingress traffic in Kubernetes?
A) Use TLS and HTTPS encryption
B) Enable anonymous access
C) Use hostNetwork: true
D) Allow unrestricted external access
Answer: A) Use TLS and HTTPS encryption
Explanation: TLS encryption secures ingress traffic, preventing man-in-the-middle attacks and data interception.
74. What is the primary security risk of persistent volumes in Kubernetes?
A) Data persistence across pod restarts
B) Data exposure if storage is shared between tenants
C) Increased API latency
D) Higher storage costs
Answer: B) Data exposure if storage is shared between tenants
Explanation: Persistent volumes must be properly secured to prevent unauthorized access to sensitive data.
75. How can secrets be protected in Kubernetes at rest?
A) Enable etcd encryption
B) Store secrets in ConfigMaps
C) Use environment variables
D) Disable RBAC
Answer: A) Enable etcd encryption
Explanation: Encrypting secrets in etcd prevents data exposure in case of unauthorized access.
76. What is a potential risk of enabling hostPID and hostIPC in Kubernetes pods?
A) Allows containers to interact with host-level processes
B) Improves pod startup times
C) Reduces memory consumption
D) Enhances inter-pod communication
Answer: A) Allows containers to interact with host-level processes
Explanation: Enabling hostPID or hostIPC can lead to privilege escalation and container breakout attacks.
77. Which Kubernetes security feature helps detect compromised workloads in real-time?
A) Runtime Security Monitoring (e.g., Falco)
B) kube-proxy
C) Helm Charts
D) ConfigMaps
Answer: A) Runtime Security Monitoring (e.g., Falco)
Explanation: Falco and similar tools monitor live container activity for malicious behavior.
78. What is a best practice for managing third-party Kubernetes integrations securely?
A) Review security policies before deploying
B) Install third-party components without verification
C) Disable all security settings
D) Allow integrations to run with unrestricted privileges
Answer: A) Review security policies before deploying
Explanation: Third-party integrations should be reviewed and validated to ensure they follow security best practices.
79. How can you restrict elevated permissions for a pod?
A) Use securityContext to drop unnecessary Linux capabilities
B) Allow root access
C) Enable host networking
D) Remove resource quotas
Answer: A) Use securityContext to drop unnecessary Linux capabilities
Explanation: Dropping capabilities like CAP_SYS_ADMIN prevents privilege escalation.
80. What is the primary purpose of Kubernetes NetworkPolicy?
A) Restrict unauthorized pod-to-pod communication
B) Increase storage performance
C) Improve container logging
D) Schedule pods more efficiently
Answer: A) Restrict unauthorized pod-to-pod communication
Explanation: Network Policies enforce fine-grained access control over pod communication, preventing unauthorized access.
81. What is the role of Kubernetes RBAC (Role-Based Access Control)?
A) Controls permissions for users and service accounts
B) Schedules pods on worker nodes
C) Manages network traffic between services
D) Handles persistent storage for containers
Answer: A) Controls permissions for users and service accounts
Explanation: RBAC allows administrators to define and enforce permissions for users, groups, and service accounts, limiting access to Kubernetes resources.
82. What security risk does an exposed kubelet API pose?
A) Unauthorized access to node and pod management actions
B) Increased container startup time
C) Slower network traffic
D) Reduced logging performance
Answer: A) Unauthorized access to node and pod management actions
Explanation: The kubelet API should be secured with authentication and RBAC to prevent attackers from gaining control over nodes and workloads.
83. What is a common risk of using hostPath volumes in Kubernetes?
A) Containers can access and modify host filesystem
B) Increased network latency
C) Higher CPU utilization
D) Reduced API response times
Answer: A) Containers can access and modify host filesystem
Explanation: hostPath volumes allow containers to mount directories from the host, which can lead to unauthorized access and privilege escalation.
84. Which security risk arises from running containers as root?
A) Potential for container escape and host compromise
B) Increased logging overhead
C) Slower pod scheduling
D) Higher memory consumption
Answer: A) Potential for container escape and host compromise
Explanation: Running containers as root increases the risk of attackers breaking out of the container and gaining control over the host system.
85. How can you restrict a Kubernetes service to be accessible only within the cluster?
A) Use a ClusterIP service type
B) Expose the service with LoadBalancer
C) Use an Ingress controller
D) Enable host networking
Answer: A) Use a ClusterIP service type
Explanation: ClusterIP services are only accessible within the Kubernetes cluster, preventing external access.
86. What is a best practice for securing container image registries?
A) Enforce image signing and scanning
B) Use default public registries without verification
C) Allow anonymous access
D) Store credentials in container images
Answer: A) Enforce image signing and scanning
Explanation: Image signing and scanning help ensure that only trusted and vulnerability-free images are deployed.
87. What Kubernetes feature ensures fine-grained control over container permissions?
A) Pod Security Context
B) Helm Charts
C) Persistent Volumes
D) ConfigMaps
Answer: A) Pod Security Context
Explanation: Pod Security Context defines security policies, such as running as non-root, restricting privilege escalation, and controlling filesystem access.
88. What does enabling etcd encryption in Kubernetes do?
A) Encrypts sensitive data such as Secrets stored in etcd
B) Increases pod start-up times
C) Reduces API server response times
D) Disables Kubernetes audit logging
Answer: A) Encrypts sensitive data such as Secrets stored in etcd
Explanation: etcd encryption protects sensitive cluster data (e.g., Secrets, ConfigMaps) from unauthorized access.
89. What is the purpose of Kubernetes SecurityContext?
A) Defines security settings for pods and containers
B) Manages pod replicas
C) Controls network traffic between services
D) Optimizes resource allocation
Answer: A) Defines security settings for pods and containers
Explanation: SecurityContext enforces security constraints like user privileges, capabilities, and privilege escalation restrictions.
90. How can you prevent pod-to-pod communication in Kubernetes?
A) Use Network Policies
B) Enable LoadBalancer services
C) Disable kube-proxy
D) Expose all pods to external networks
Answer: A) Use Network Policies
Explanation: Network Policies restrict communication between pods, preventing unauthorized access.
91. What tool is commonly used to scan Kubernetes configurations for misconfigurations?
A) kube-bench
B) Helm
C) cAdvisor
D) Prometheus
Answer: A) kube-bench
Explanation: kube-bench audits Kubernetes cluster configurations for CIS benchmark compliance.
92. What happens if an attacker gains access to a misconfigured ServiceAccount with high privileges?
A) They can escalate privileges and take over the cluster
B) They get read-only access to logs
C) They can only restart containers
D) They are restricted to their namespace
Answer: A) They can escalate privileges and take over the cluster
Explanation: Overprivileged ServiceAccounts can allow attackers to perform privileged operations and compromise cluster security.
93. What is the role of PodSecurityAdmission in Kubernetes?
A) Enforces security policies for pods
B) Manages storage volumes
C) Assigns pod replicas across nodes
D) Balances network traffic
Answer: A) Enforces security policies for pods
Explanation: PodSecurityAdmission ensures that pods comply with security standards before they are created.
94. What is a risk of exposing a Kubernetes LoadBalancer service to the internet?
A) Unauthorized external access to workloads
B) Reduced storage performance
C) Increased CPU usage
D) Faster API response times
Answer: A) Unauthorized external access to workloads
Explanation: Exposing LoadBalancer services without authentication can lead to unwanted access to Kubernetes workloads.
95. How can you protect Kubernetes ingress traffic?
A) Use TLS and HTTPS encryption
B) Allow all external traffic
C) Disable authentication
D) Deploy all services on public networks
Answer: A) Use TLS and HTTPS encryption
Explanation: TLS and HTTPS encryption protect ingress traffic from eavesdropping and tampering.
96. Which tool can be used to detect runtime security threats in Kubernetes?
A) Falco
B) Helm
C) cAdvisor
D) kube-proxy
Answer: A) Falco
Explanation: Falco monitors container runtime behavior for suspicious activity.
97. What is a recommended way to restrict Kubernetes API access?
A) Use RBAC and authentication controls
B) Allow all IP addresses to access the API
C) Disable authentication
D) Expose the API server publicly
Answer: A) Use RBAC and authentication controls
Explanation: RBAC, authentication, and IP whitelisting prevent unauthorized API access.
98. What security risk arises from using an outdated Kubernetes version?
A) Exposure to known vulnerabilities and exploits
B) Increased pod scheduling times
C) Higher storage costs
D) Increased CPU usage
Answer: A) Exposure to known vulnerabilities and exploits
Explanation: Old Kubernetes versions may contain unpatched security vulnerabilities that attackers can exploit.
99. What is the main benefit of sandboxed containers in Kubernetes?
A) Provides stronger isolation between workloads
B) Reduces logging overhead
C) Increases API response times
D) Improves pod scheduling
Answer: A) Provides stronger isolation between workloads
Explanation: Sandboxed containers provide strong security isolation, reducing the risk of cross-container attacks.
100. What is a best practice for securing container image builds?
A) Use multi-stage builds and scanning tools
B) Store secrets inside images
C) Allow all users to push images
D) Disable security policies
Answer: A) Use multi-stage builds and scanning tools
Explanation: Multi-stage builds reduce the attack surface, and scanning tools ensure images are free from vulnerabilities.
101. What is the primary purpose of Kubernetes Admission Controllers?
A) Enforce policies before Kubernetes objects are created
B) Schedule pods across worker nodes
C) Monitor container CPU and memory usage
D) Handle DNS resolution in the cluster
Answer: A) Enforce policies before Kubernetes objects are created
Explanation: Admission Controllers intercept API requests before they are persisted, allowing enforcement of security policies and best practices.
102. What is a risk of using unrestricted RoleBindings in Kubernetes RBAC?
A) Unauthorized users can escalate privileges across the cluster
B) Increased network congestion
C) Slower pod startup times
D) Higher storage consumption
Answer: A) Unauthorized users can escalate privileges across the cluster
Explanation: Improperly configured RoleBindings can allow attackers to escalate their privileges, leading to full cluster compromise.
103. What is the recommended way to secure Kubernetes ConfigMaps that contain sensitive data?
A) Use Kubernetes Secrets instead of ConfigMaps
B) Store them in container images
C) Expose them to all pods
D) Allow unauthenticated access
Answer: A) Use Kubernetes Secrets instead of ConfigMaps
Explanation: ConfigMaps are not encrypted, making them unsuitable for sensitive data. Kubernetes Secrets should be used instead.
104. How can you limit API access based on user roles?
A) Implement Role-Based Access Control (RBAC)
B) Use Kubernetes Ingress Controllers
C) Enable anonymous API access
D) Disable authentication
Answer: A) Implement Role-Based Access Control (RBAC)
Explanation: RBAC enforces fine-grained permissions for users and service accounts, restricting unauthorized access.
105. What is a potential risk of exposing Kubernetes metrics (Prometheus) publicly?
A) Attackers can gather sensitive cluster information for reconnaissance
B) Increased memory usage
C) Faster API responses
D) Reduced logging overhead
Answer: A) Attackers can gather sensitive cluster information for reconnaissance
Explanation: Exposed Prometheus metrics provide insights into workloads, pods, and security configurations, which attackers can exploit.
106. What Kubernetes security risk can occur if anonymous authentication is enabled?
A) Unauthorized users can make API requests without credentials
B) Slower pod scheduling
C) Reduced storage performance
D) Increased cluster logging
Answer: A) Unauthorized users can make API requests without credentials
Explanation: Anonymous authentication allows unauthenticated users to interact with the API, posing a security risk.
107. What security feature helps prevent man-in-the-middle attacks in Kubernetes?
A) Mutual TLS (mTLS) encryption
B) Disabling RBAC
C) Running all workloads as root
D) Using default network policies
Answer: A) Mutual TLS (mTLS) encryption
Explanation: mTLS encrypts communication between services, preventing interception and tampering.
108. How can you protect Kubernetes workloads from container escape attacks?
A) Enforce seccomp, AppArmor, and SELinux policies
B) Run all containers as root
C) Expose the host filesystem to all containers
D) Disable security policies
Answer: A) Enforce seccomp, AppArmor, and SELinux policies
Explanation: These security mechanisms limit container privileges and access to host resources, reducing escape risks.
109. What is a risk of running legacy Kubernetes versions?
A) Exposure to known security vulnerabilities
B) Slower pod networking
C) Higher CPU utilization
D) Reduced storage performance
Answer: A) Exposure to known security vulnerabilities
Explanation: Older Kubernetes versions may lack security patches, making them vulnerable to exploits.
110. How can you restrict SSH access to Kubernetes nodes?
A) Use bastion hosts and private network access
B) Open SSH ports on all nodes
C) Allow root access via SSH
D) Disable firewall rules
Answer: A) Use bastion hosts and private network access
Explanation: Bastion hosts provide controlled access to SSH and prevent direct node exposure.
111. What is a common risk of allowing hostIPC access in a pod?
A) Containers can access host-level inter-process communication (IPC)
B) Higher API response times
C) Increased pod startup times
D) Reduced network performance
Answer: A) Containers can access host-level inter-process communication (IPC)
Explanation: hostIPC allows pods to interact with the host's memory space, leading to privilege escalation risks.
112. How can you prevent containerized workloads from executing arbitrary system commands?
A) Implement seccomp profiles
B) Allow privileged containers
C) Use default configurations
D) Disable Kubernetes audit logs
Answer: A) Implement seccomp profiles
Explanation: seccomp restricts system calls, preventing unauthorized command execution.
113. What is a benefit of enforcing read-only root file systems in containers?
A) Prevents malicious modifications to container files
B) Speeds up pod scheduling
C) Reduces storage costs
D) Improves logging performance
Answer: A) Prevents malicious modifications to container files
Explanation: Read-only root filesystems prevent attacks that modify application files or inject malicious scripts.
114. How can you prevent unauthorized pod deployments in Kubernetes?
A) Use Admission Controllers with policy enforcement
B) Allow all users to create pods
C) Disable authentication
D) Use hostNetwork: true
Answer: A) Use Admission Controllers with policy enforcement
Explanation: Admission Controllers enforce rules and validation for pod deployments, preventing unauthorized workloads.
115. What is a major risk of running privileged containers?
A) They can modify host system files and kernel parameters
B) Reduced memory usage
C) Increased API response times
D) Faster pod startup
Answer: A) They can modify host system files and kernel parameters
Explanation: Privileged containers can access the host system, so a compromised privileged container puts the host itself at risk.
116. How can you ensure that only verified container images are deployed?
A) Use Image Admission Policies with signing enforcement
B) Store images in public registries
C) Allow any user to pull images
D) Hardcode secrets in container images
Answer: A) Use Image Admission Policies with signing enforcement
Explanation: Image signing ensures that only trusted images are approved for deployment.
117. What security risk arises from using default Kubernetes ServiceAccounts?
A) They may have broad permissions, leading to privilege escalation
B) Increased CPU consumption
C) Reduced pod scheduling efficiency
D) Higher memory utilization
Answer: A) They may have broad permissions, leading to privilege escalation
Explanation: Default ServiceAccounts often lack strict permissions, allowing attackers to escalate privileges.
118. What is a primary goal of container runtime security?
A) Detect and prevent malicious activity in running containers
B) Reduce API logging
C) Increase pod networking speed
D) Disable Kubernetes auditing
Answer: A) Detect and prevent malicious activity in running containers
Explanation: Runtime security solutions (e.g., Falco) monitor container activity to detect malicious actions.
119. What is a security benefit of using PodSecurityAdmission?
A) Enforces pod security policies automatically
B) Schedules pods faster
C) Improves pod-to-pod communication
D) Increases CPU allocation
Answer: A) Enforces pod security policies automatically
Explanation: PodSecurityAdmission ensures that pods comply with predefined security constraints.
120. How can you prevent Kubernetes API abuse?
A) Enable audit logging and RBAC policies
B) Allow all users to make API requests
C) Disable authentication
D) Use public load balancers
Answer: A) Enable audit logging and RBAC policies
Explanation: Audit logs and RBAC help track suspicious API activities and restrict unauthorized access.
121. What is the primary security risk of using a LoadBalancer service with an open firewall rule?
A) It exposes internal services to external attackers
B) It slows down network communication
C) It increases CPU consumption
D) It reduces the number of available pods
Answer: A) It exposes internal services to external attackers
Explanation: LoadBalancer services expose applications to the internet, which can lead to unauthorized access if not properly restricted.
122. How can you enforce namespace-based isolation in Kubernetes?
A) Use RBAC and Network Policies to control access
B) Deploy all workloads in the same namespace
C) Allow all pods to communicate freely
D) Disable namespace-based restrictions
Answer: A) Use RBAC and Network Policies to control access
Explanation: Namespaces provide logical isolation, and RBAC/Network Policies ensure proper security enforcement between workloads.
123. What security concern arises from allowing Kubernetes hostPID access?
A) Containers can access host processes and escalate privileges
B) Increased API response times
C) Faster pod scheduling
D) Improved container networking
Answer: A) Containers can access host processes and escalate privileges
Explanation: hostPID: true allows a container to see and interact with the host's processes, which can lead to privilege escalation.
124. How can you prevent container privilege escalation in Kubernetes?
A) Set allowPrivilegeEscalation: false in securityContext
B) Use root user in all containers
C) Deploy all workloads with hostNetwork: true
D) Disable pod logging
Answer: A) Set allowPrivilegeEscalation: false in securityContext
Explanation: This setting ensures that containers cannot gain additional privileges beyond what they started with.
125. What is the best way to enforce compliance policies for Kubernetes workloads?
A) Use OPA Gatekeeper or Kyverno
B) Allow unrestricted pod access
C) Store secrets in ConfigMaps
D) Disable API authentication
Answer: A) Use OPA Gatekeeper or Kyverno
Explanation: OPA Gatekeeper and Kyverno allow enforcing security policies, ensuring compliance with best practices.
126. What does Kubernetes PodSecurityAdmission do?
A) Enforces security constraints on pods at admission time
B) Speeds up pod networking
C) Assigns CPU limits to workloads
D) Optimizes storage utilization
Answer: A) Enforces security constraints on pods at admission time
Explanation: PodSecurityAdmission ensures pods adhere to security guidelines, preventing unsafe configurations.
127. What is a risk of using a shared volume between multiple pods?
A) One compromised pod can modify shared data and impact others
B) Faster pod startup times
C) Reduced storage costs
D) Improved networking performance
Answer: A) One compromised pod can modify shared data and impact others
Explanation: Shared volumes introduce security risks if one pod is compromised and can modify shared files.
128. How can you prevent secrets from being exposed in Kubernetes logs?
A) Avoid passing secrets as environment variables
B) Store secrets in ConfigMaps
C) Disable Kubernetes logging
D) Use the latest tag for container images
Answer: A) Avoid passing secrets as environment variables
Explanation: Environment variables are often logged, so secrets should be accessed using Kubernetes Secrets with proper security measures.
129. Why is it a security risk to allow privileged containers in Kubernetes?
A) They can modify the host system and kernel settings
B) They improve pod startup times
C) They reduce storage consumption
D) They optimize network bandwidth
Answer: A) They can modify the host system and kernel settings
Explanation: Privileged containers have elevated privileges, which can lead to host takeovers if compromised.
130. How can you enforce least privilege access for Kubernetes workloads?
A) Use RBAC to restrict permissions
B) Grant cluster-admin to all service accounts
C) Allow unrestricted API access
D) Disable network security policies
Answer: A) Use RBAC to restrict permissions
Explanation: RBAC should follow the principle of least privilege, ensuring only necessary permissions are granted.
131. What is the benefit of using read-only file systems for Kubernetes workloads?
A) Prevents modification of system files by attackers
B) Improves pod startup times
C) Enhances logging efficiency
D) Reduces memory consumption
Answer: A) Prevents modification of system files by attackers
Explanation: Read-only file systems prevent tampering with critical files, reducing the risk of container-based attacks.
132. What is a best practice for securing Kubernetes container runtime?
A) Use containerd or CRI-O instead of Docker
B) Run all containers as root
C) Disable runtime security monitoring
D) Allow unrestricted system calls
Answer: A) Use containerd or CRI-O instead of Docker
Explanation: containerd and CRI-O offer better security models, reducing the attack surface compared to traditional Docker setups.
133. How can you prevent Kubernetes API server abuse?
A) Enable audit logging and RBAC policies
B) Allow all API requests
C) Use publicly exposed etcd instances
D) Store authentication credentials in ConfigMaps
Answer: A) Enable audit logging and RBAC policies
Explanation: Audit logging helps track malicious actions, and RBAC ensures only authorized users can perform operations.
134. What Kubernetes security risk arises if anonymous authentication is enabled?
A) Attackers can access cluster resources without authentication
B) Faster API response times
C) Lower memory utilization
D) Increased pod scheduling efficiency
Answer: A) Attackers can access cluster resources without authentication
Explanation: Anonymous authentication allows unauthorized users to interact with the cluster, creating security risks.
135. What is a security risk of using the latest container image tag in production?
A) It can introduce unexpected and untested changes
B) It increases pod networking latency
C) It reduces container startup times
D) It improves API response times
Answer: A) It can introduce unexpected and untested changes
Explanation: The latest tag does not guarantee a stable version, leading to security vulnerabilities and unpredictable behavior.
136. What is the best way to encrypt network traffic between Kubernetes pods?
A) Use mutual TLS (mTLS) encryption
B) Allow all pods to communicate freely
C) Disable encryption for performance reasons
D) Use default network policies
Answer: A) Use mutual TLS (mTLS) encryption
Explanation: mTLS encrypts traffic between services, ensuring secure communication and preventing interception.
137. How can you protect Kubernetes workloads from DoS attacks?
A) Implement rate limiting and network policies
B) Expose all workloads to public networks
C) Use unrestricted API access
D) Allow unlimited ingress connections
Answer: A) Implement rate limiting and network policies
Explanation: Rate limiting and network policies help mitigate DoS attacks by controlling incoming requests.
138. What is a primary risk of storing secrets in Kubernetes ConfigMaps?
A) ConfigMaps are stored in plain text and can be accessed easily
B) They reduce API response times
C) They optimize CPU consumption
D) They improve network efficiency
Answer: A) ConfigMaps are stored in plain text and can be accessed easily
Explanation: ConfigMaps are not encrypted, making them unsuitable for storing sensitive data like passwords or API keys.
139. How can you prevent container escape attacks?
A) Use seccomp, AppArmor, and SELinux policies
B) Allow all pods to run as root
C) Disable security logging
D) Use privileged containers
Answer: A) Use seccomp, AppArmor, and SELinux policies
Explanation: These tools restrict system access, preventing attackers from escaping containers.
140. What is the primary security risk of running a multi-tenant Kubernetes cluster?
A) One tenant could gain unauthorized access to another's resources
B) Slower pod scheduling
C) Higher storage utilization
D) Increased API response times
Answer: A) One tenant could gain unauthorized access to another's resources
Explanation: Multi-tenancy requires strict RBAC and network policies to isolate workloads between different tenants.
141. What is a recommended way to enforce container runtime security in Kubernetes?
A) Use Falco for real-time threat detection
B) Run all containers with root privileges
C) Disable Kubernetes network policies
D) Store security credentials in container images
Answer: A) Use Falco for real-time threat detection
Explanation: Falco is a runtime security tool that detects suspicious activity inside running Kubernetes workloads.
142. What Kubernetes feature ensures that only signed images are deployed?
A) Image Admission Policies
B) Role-Based Access Control (RBAC)
C) PodSecurityAdmission
D) Network Policies
Answer: A) Image Admission Policies
Explanation: Image Admission Policies enforce the use of signed and verified container images, preventing unauthorized deployments.
143. How can you prevent insider threats in a Kubernetes environment?
A) Enforce least privilege access with RBAC
B) Grant cluster-admin to all users
C) Store secrets in environment variables
D) Expose all workloads to the public internet
Answer: A) Enforce least privilege access with RBAC
Explanation: RBAC should follow the principle of least privilege, ensuring that users only have necessary permissions.
144. What is a primary security concern when using hostNetwork: true in Kubernetes pods?
A) It allows the pod to access the host network, increasing attack surface
B) It speeds up pod deployment
C) It improves API response times
D) It reduces storage usage
Answer: A) It allows the pod to access the host network, increasing attack surface
Explanation: hostNetwork: true allows direct access to the host's network, which increases the risk of security breaches.
145. How can you mitigate risks associated with third-party Kubernetes plugins?
A) Review and verify plugin security policies before deployment
B) Deploy all plugins without verification
C) Store plugin configurations in public Git repositories
D) Disable logging for third-party components
Answer: A) Review and verify plugin security policies before deployment
Explanation: Third-party plugins should be verified, reviewed, and monitored to avoid introducing security vulnerabilities.
146. How can you ensure that only authorized services communicate with each other in Kubernetes?
A) Use Network Policies to restrict pod communication
B) Deploy all workloads in the same namespace
C) Disable Kubernetes security controls
D) Expose all services externally
Answer: A) Use Network Policies to restrict pod communication
Explanation: Network Policies define rules that restrict communication between pods, ensuring only authorized interactions.
147. What security risk arises from running outdated Kubernetes cluster versions?
A) Exposure to known vulnerabilities
B) Increased pod scheduling speed
C) Faster API request processing
D) Lower storage usage
Answer: A) Exposure to known vulnerabilities
Explanation: Older Kubernetes versions often contain unpatched security flaws, making clusters susceptible to attacks.
148. How can you prevent unauthorized changes to Kubernetes resources?
A) Use Audit Logging and Role-Based Access Control (RBAC)
B) Store Kubernetes configurations in a public Git repository
C) Allow all users to edit cluster resources
D) Disable authentication
Answer: A) Use Audit Logging and Role-Based Access Control (RBAC)
Explanation: RBAC prevents unauthorized access, while Audit Logging tracks all changes made to cluster resources.
149. What Kubernetes feature allows you to define security constraints for a pod's execution environment?
A) SecurityContext
B) Ingress Controller
C) Node Affinity
D) kube-proxy
Answer: A) SecurityContext
Explanation: SecurityContext controls security settings like privilege escalation, filesystem access, and user privileges for pods.
150. What is the purpose of Kubernetes PodSecurityAdmission?
A) Enforces security policies when pods are created
B) Increases CPU and memory efficiency
C) Improves Kubernetes network performance
D) Manages persistent storage for containers
Answer: A) Enforces security policies when pods are created
Explanation: PodSecurityAdmission ensures that pods comply with predefined security policies, preventing unsafe configurations.
151. What is the primary risk of using a public container image repository?
A) Images may contain vulnerabilities, malware, or misconfigurations
B) Faster deployment times
C) Reduced storage usage
D) Improved API response times
Answer: A) Images may contain vulnerabilities, malware, or misconfigurations
Explanation: Public repositories often include unverified images, which can introduce security threats.
152. How can you secure Kubernetes secrets at rest?
A) Enable etcd encryption
B) Store secrets in container images
C) Use ConfigMaps instead of Secrets
D) Allow all users to access Secrets
Answer: A) Enable etcd encryption
Explanation: Encrypting etcd storage ensures that sensitive secrets remain protected from unauthorized access.
153. How can you prevent Denial-of-Service (DoS) attacks in Kubernetes?
A) Implement rate limiting and request quotas
B) Disable Kubernetes authentication
C) Allow unrestricted traffic
D) Expose all services with LoadBalancer
Answer: A) Implement rate limiting and request quotas
Explanation: Rate limiting and quotas restrict the number of requests per service, mitigating DoS attacks.
154. How can you enforce network isolation in a multi-tenant Kubernetes cluster?
A) Use Network Policies and Namespaces
B) Run all workloads in a single namespace
C) Allow unrestricted communication between pods
D) Use ConfigMaps for authentication
Answer: A) Use Network Policies and Namespaces
Explanation: Namespaces provide logical separation, while Network Policies prevent unauthorized pod communication.
155. What is the benefit of enabling audit logging in Kubernetes?
A) Helps detect and track unauthorized access
B) Improves cluster load balancing
C) Reduces API request processing times
D) Increases pod restart speed
Answer: A) Helps detect and track unauthorized access
Explanation: Audit logs provide visibility into API requests and security events, helping detect potential attacks.
156. What is a common risk of using unrestricted RoleBindings in RBAC?
A) Unauthorized users can gain admin privileges
B) Reduced cluster network speed
C) Increased API response times
D) Higher CPU consumption
Answer: A) Unauthorized users can gain admin privileges
Explanation: Unrestricted RoleBindings can allow attackers to escalate privileges and compromise the cluster.
157. What Kubernetes tool can detect misconfigured security settings in clusters?
A) kube-hunter
B) Helm
C) kube-proxy
D) cAdvisor
Answer: A) kube-hunter
Explanation: kube-hunter scans Kubernetes clusters for security misconfigurations and vulnerabilities.
158. How can you restrict container system calls in Kubernetes?
A) Use seccomp profiles
B) Enable unrestricted host networking
C) Store security policies in ConfigMaps
D) Disable Kubernetes audit logs
Answer: A) Use seccomp profiles
Explanation: seccomp restricts system calls, preventing containers from executing dangerous actions.
159. What is a best practice for securing API traffic within Kubernetes?
A) Use mutual TLS (mTLS) encryption
B) Disable authentication
C) Expose all services publicly
D) Allow unrestricted API access
Answer: A) Use mutual TLS (mTLS) encryption
Explanation: mTLS encrypts API communications, preventing eavesdropping and data tampering.
160. How can you secure container-to-container communication inside Kubernetes?
A) Implement Network Policies
B) Store credentials in environment variables
C) Allow unrestricted pod networking
D) Use hostNetwork: true
Answer: A) Implement Network Policies
Explanation: Network Policies enforce rules for inter-container communication, reducing attack vectors.
161. What is the primary risk of running a Kubernetes cluster without enforcing role-based access control (RBAC)?
A) Unauthorized users can gain access to cluster resources
B) Faster pod scheduling
C) Lower API request latency
D) Improved logging performance
Answer: A) Unauthorized users can gain access to cluster resources
Explanation: Without RBAC, any user or service can perform privileged operations, leading to data breaches or service disruptions.
162. How can you secure sensitive environment variables in Kubernetes?
A) Use Kubernetes Secrets instead of environment variables
B) Store them in container images
C) Hardcode credentials in ConfigMaps
D) Allow unrestricted access to pod logs
Answer: A) Use Kubernetes Secrets instead of environment variables
Explanation: Kubernetes Secrets encrypt sensitive data and prevent accidental exposure in logs or environment variables.
163. How can you prevent cross-namespace network access in Kubernetes?
A) Apply Network Policies to restrict pod communication
B) Allow unrestricted communication between namespaces
C) Run all services in the default namespace
D) Disable RBAC
Answer: A) Apply Network Policies to restrict pod communication
Explanation: Network Policies define rules that limit traffic between namespaces, enhancing security.
164. What Kubernetes component is responsible for scheduling pods to worker nodes?
A) kube-scheduler
B) kube-proxy
C) API Server
D) etcd
Answer: A) kube-scheduler
Explanation: kube-scheduler determines which node a pod should run on based on resource availability and constraints.
165. How can you prevent brute-force attacks against Kubernetes API authentication?
A) Enable strong authentication and rate limiting
B) Use anonymous authentication
C) Expose the API to the internet without restrictions
D) Store authentication tokens in ConfigMaps
Answer: A) Enable strong authentication and rate limiting
Explanation: Enforcing authentication mechanisms and rate limiting helps protect the API from brute-force attacks.
166. What is a security risk of allowing unrestricted exec commands in running Kubernetes containers?
A) Attackers can execute arbitrary commands inside containers
B) Slower pod startup times
C) Increased network congestion
D) Higher storage utilization
Answer: A) Attackers can execute arbitrary commands inside containers
Explanation: Allowing unrestricted kubectl exec access can enable attackers to compromise containers and escalate privileges.
167. How can you enforce secure Kubernetes cluster upgrades?
A) Use rolling updates and test patches in a staging environment
B) Upgrade all nodes at once without testing
C) Disable Kubernetes auto-updates
D) Store old Kubernetes versions for rollback
Answer: A) Use rolling updates and test patches in a staging environment
Explanation: Rolling upgrades and testing patches help prevent downtime and ensure security patches do not break workloads.
168. What is the purpose of Pod Disruption Budgets (PDBs) in Kubernetes?
A) Prevent excessive pod disruptions during maintenance
B) Increase pod start-up times
C) Improve storage efficiency
D) Reduce network traffic
Answer: A) Prevent excessive pod disruptions during maintenance
Explanation: Pod Disruption Budgets (PDBs) ensure that critical services maintain minimum availability during node maintenance.
169. How can you protect Kubernetes worker nodes from direct SSH attacks?
A) Use bastion hosts and disable direct SSH access
B) Open SSH access to all IP addresses
C) Allow all users to log in as root
D) Disable firewall rules
Answer: A) Use bastion hosts and disable direct SSH access
Explanation: Bastion hosts act as a controlled access point, preventing direct SSH access to Kubernetes nodes.
170. How can you ensure only trusted container images are used in Kubernetes?
A) Use an Image Policy Admission Controller
B) Allow all users to deploy any image
C) Use only public container registries
D) Store images inside pod configurations
Answer: A) Use an Image Policy Admission Controller
Explanation: Image Policy Admission Controllers enforce signed and verified image usage, reducing security risks.
171. What is a security risk of not limiting pod resource usage in Kubernetes?
A) A compromised pod can consume all resources, causing Denial-of-Service (DoS)
B) Increased pod deployment speed
C) Improved storage performance
D) Faster API response times
Answer: A) A compromised pod can consume all resources, causing Denial-of-Service (DoS)
Explanation: Resource limits prevent one pod from monopolizing resources, ensuring cluster stability.
172. How can you restrict pod egress traffic in Kubernetes?
A) Use Network Policies to define allowed destinations
B) Enable unrestricted networking
C) Disable API authentication
D) Allow all workloads to connect to the internet
Answer: A) Use Network Policies to define allowed destinations
Explanation: Network Policies control which pods can send outbound traffic, preventing data exfiltration.
173. What is the benefit of using a read-only root filesystem for containers?
A) Prevents attackers from modifying container files
B) Improves API response times
C) Speeds up pod networking
D) Lowers Kubernetes resource consumption
Answer: A) Prevents attackers from modifying container files
Explanation: Read-only root filesystems prevent file tampering, reducing the risk of persistent malware.
174. How can you prevent secrets from being exposed to unauthorized users?
A) Use RBAC to restrict access to Kubernetes Secrets
B) Store secrets in plaintext files inside pods
C) Allow all users to access secrets
D) Use ConfigMaps instead of Secrets
Answer: A) Use RBAC to restrict access to Kubernetes Secrets
Explanation: RBAC ensures only authorized services and users can access sensitive secrets.
175. What is the security risk of using an insecure container runtime?
A) Containers may be vulnerable to escape attacks
B) Faster pod scheduling
C) Reduced API request latency
D) Lower memory consumption
Answer: A) Containers may be vulnerable to escape attacks
Explanation: Insecure container runtimes may allow containers to break out of isolation and access the host system.
176. How can you enforce encrypted communication between Kubernetes services?
A) Use mutual TLS (mTLS)
B) Disable Kubernetes authentication
C) Allow all pods to communicate without restrictions
D) Store encryption keys in ConfigMaps
Answer: A) Use mutual TLS (mTLS)
Explanation: mTLS encrypts communication between services, preventing eavesdropping and tampering.
177. What Kubernetes tool helps detect network security threats in real-time?
A) Cilium
B) Helm
C) cAdvisor
D) kubelet
Answer: A) Cilium
Explanation: Cilium provides network observability and security policies, helping detect malicious network activity.
178. How can you protect Kubernetes from supply chain attacks?
A) Use image signing and verification
B) Allow unrestricted image pulls
C) Disable container scanning
D) Use public, unverified images
Answer: A) Use image signing and verification
Explanation: Image signing ensures that only trusted images are deployed, reducing supply chain risks.
179. What is the purpose of Kubernetes Service Accounts?
A) Provide identity and permissions for workloads
B) Manage persistent storage
C) Control network routing
D) Encrypt API server requests
Answer: A) Provide identity and permissions for workloads
Explanation: Service Accounts define identity and access rights for Kubernetes workloads.
180. How can you mitigate insider threats in a Kubernetes cluster?
A) Implement least privilege access control with RBAC
B) Allow all users cluster-admin permissions
C) Disable Kubernetes security policies
D) Store authentication credentials in environment variables
Answer: A) Implement least privilege access control with RBAC
Explanation: RBAC limits what users and workloads can do, reducing insider threats.
181. What is the primary security benefit of enabling etcd encryption in Kubernetes?
A) Protects sensitive data like Secrets from unauthorized access
B) Increases pod scheduling efficiency
C) Reduces API server latency
D) Improves network performance
Answer: A) Protects sensitive data like Secrets from unauthorized access
Explanation: etcd encryption ensures that sensitive data stored in Kubernetes (like Secrets) remains encrypted at rest, reducing exposure to attackers.
182. How can you protect a Kubernetes cluster against container breakout attacks?
A) Implement seccomp, AppArmor, and SELinux policies
B) Allow all pods to run as root
C) Store authentication credentials in ConfigMaps
D) Disable security policies
Answer: A) Implement seccomp, AppArmor, and SELinux policies
Explanation: Security mechanisms like seccomp, AppArmor, and SELinux restrict container privileges, reducing the risk of container escape attacks.
183. What Kubernetes feature can prevent an attacker from exploiting an insecure pod configuration?
A) PodSecurityAdmission
B) ServiceAccount Tokens
C) kube-proxy
D) Ingress Controllers
Answer: A) PodSecurityAdmission
Explanation: PodSecurityAdmission enforces security policies on pods, preventing unsafe configurations.
184. How can you ensure that only trusted workloads run in your Kubernetes cluster?
A) Use Admission Controllers with image validation policies
B) Deploy workloads without authentication
C) Allow users to push images without restrictions
D) Use public, unverified container images
Answer: A) Use Admission Controllers with image validation policies
Explanation: Admission Controllers ensure that only approved images and configurations are allowed in the cluster.
185. What is a potential risk of over-permissive RBAC roles in Kubernetes?
A) Unauthorized users may gain access to sensitive resources
B) Increased pod deployment speed
C) Reduced CPU consumption
D) Lower network latency
Answer: A) Unauthorized users may gain access to sensitive resources
Explanation: Overly permissive RBAC roles allow attackers or insiders to perform unauthorized actions, leading to security breaches.
186. What is the purpose of a Kubernetes audit log?
A) Tracks API requests and detects unauthorized access attempts
B) Improves pod start-up times
C) Reduces cluster CPU utilization
D) Enhances service load balancing
Answer: A) Tracks API requests and detects unauthorized access attempts
Explanation: Audit logs help administrators track API actions, making it easier to detect security incidents and unauthorized activity.
187. How can you prevent lateral movement of an attacker within a Kubernetes cluster?
A) Apply Network Policies to restrict pod-to-pod communication
B) Use unrestricted ServiceAccounts
C) Disable authentication
D) Allow all API requests
Answer: A) Apply Network Policies to restrict pod-to-pod communication
Explanation: Network Policies prevent compromised pods from communicating freely, limiting lateral movement in case of an attack.
188. What security risk arises if default ServiceAccounts are used without restrictions?
A) They might have excessive permissions, leading to privilege escalation
B) Reduced cluster storage capacity
C) Higher pod deployment speed
D) Lower network bandwidth consumption
Answer: A) They might have excessive permissions, leading to privilege escalation
Explanation: Default ServiceAccounts may grant unnecessary permissions, allowing attackers to escalate privileges.
189. What is the risk of allowing privileged containers in Kubernetes?
A) They can modify the host system and escalate privileges
B) Faster pod networking
C) Improved API server latency
D) Reduced memory utilization
Answer: A) They can modify the host system and escalate privileges
Explanation: Privileged containers can access host resources, making them vulnerable to host takeovers.
190. How can you enforce strong authentication for Kubernetes API access?
A) Use OIDC, certificates, or service account tokens
B) Allow anonymous API access
C) Use static API keys stored in pods
D) Disable authentication
Answer: A) Use OIDC, certificates, or service account tokens
Explanation: OpenID Connect (OIDC), client certificates, and service account tokens provide strong authentication mechanisms.
191. How can you prevent Kubernetes API server abuse?
A) Enable RBAC and rate-limiting policies
B) Allow unrestricted access to the API server
C) Store API credentials in public repositories
D) Use anonymous API authentication
Answer: A) Enable RBAC and rate-limiting policies
Explanation: RBAC restricts access, while rate-limiting prevents brute-force attacks on the API.
192. How can you ensure that only signed container images are deployed?
A) Use Cosign or Notary for image signing and verification
B) Deploy images from untrusted sources
C) Store images in public registries
D) Disable image scanning tools
Answer: A) Use Cosign or Notary for image signing and verification
Explanation: Cosign and Notary enforce image signing, ensuring only trusted images are deployed.
193. What is a best practice to secure multi-tenant Kubernetes clusters?
A) Use RBAC, Namespaces, and Network Policies for isolation
B) Allow tenants to modify cluster-wide configurations
C) Deploy all workloads in a single namespace
D) Disable authentication
Answer: A) Use RBAC, Namespaces, and Network Policies for isolation
Explanation: Multi-tenancy requires proper isolation using RBAC, namespaces, and network policies.
194. What is the purpose of Kubernetes Secrets?
A) Securely store sensitive data like passwords and API keys
B) Manage persistent storage volumes
C) Improve network latency
D) Reduce container start-up times
Answer: A) Securely store sensitive data like passwords and API keys
Explanation: Secrets store sensitive information securely, ensuring that credentials are not exposed.
195. What is the risk of exposing etcd without authentication?
A) Attackers can modify Kubernetes cluster data
B) Reduced pod scheduling efficiency
C) Increased CPU load
D) Lower network throughput
Answer: A) Attackers can modify Kubernetes cluster data
Explanation: etcd stores all cluster data; if exposed, attackers can steal secrets, modify workloads, or delete resources.
196. How can you prevent unrestricted root access in Kubernetes pods?
A) Set runAsNonRoot: true in SecurityContext
B) Allow all pods to run as root
C) Disable Kubernetes authentication
D) Expose all pods to external networks
Answer: A) Set runAsNonRoot: true in SecurityContext
Explanation: Enforcing runAsNonRoot prevents containers from running with root privileges, reducing security risks.
197. What tool can detect Kubernetes misconfigurations in real-time?
A) kube-bench
B) Helm
C) cAdvisor
D) kubelet
Answer: A) kube-bench
Explanation: kube-bench checks Kubernetes clusters for misconfigurations based on CIS benchmarks.
198. How can you prevent external access to internal Kubernetes services?
A) Use ClusterIP service type instead of LoadBalancer
B) Expose all services to the public internet
C) Store API tokens in plaintext
D) Disable Kubernetes network policies
Answer: A) Use ClusterIP service type instead of LoadBalancer
Explanation: ClusterIP services are only accessible inside the cluster, preventing external exposure.
199. What is the risk of using wildcard (*) permissions in Kubernetes RBAC?
A) It grants broad access, increasing the attack surface
B) Improved network bandwidth
C) Reduced API response times
D) Faster pod scheduling
Answer: A) It grants broad access, increasing the attack surface
Explanation: Wildcard permissions allow excessive access, leading to security vulnerabilities.
200. What is the best way to prevent unauthorized Kubernetes API access?
A) Implement RBAC, authentication, and network restrictions
B) Use public API keys without authentication
C) Disable Kubernetes logging
D) Allow anonymous users to make requests
Answer: A) Implement RBAC, authentication, and network restrictions
Explanation: RBAC, authentication, and network policies help prevent unauthorized access to the API.