aba rocks practice test Practice Exam 2025: Latest Questions

A cluster has multiple namespaces. Developers report they can read Secrets from other namespaces when they use their service account. Which change most directly prevents cross-namespace Secret reads while following least privilege?

Security wants to prevent workloads from running with a writable root filesystem unless explicitly required. Which Pod-level setting best enforces this behavior?

You need to reduce the blast radius if a Pod is compromised by restricting its access to the Kubernetes API. What is the most effective first step for typical application Pods that do not need API access?

A node was recently added to the cluster. You want to ensure the kubelet cannot modify arbitrary node objects and is limited to its own node. Which mechanism provides this protection?

You are implementing an admission control policy to block Pods that request privileged mode or add dangerous Linux capabilities. Which approach best aligns with CKS expectations for enforceable, auditable controls?

A security incident indicates a container exploited a kernel vulnerability to escape. You need a control that reduces impact by isolating workloads at the kernel boundary without changing application code. Which is the best option?

Your organization wants to ensure only images built by the internal pipeline can run in the cluster, and that images are verified at admission time. Which solution best meets this requirement?

A team wants to reduce the risk of credential leakage from application containers. They currently inject cloud credentials via environment variables from a Secret. What is the best improvement within Kubernetes to reduce accidental exposure in logs and process listings?

You suspect a compromised Pod is executing unexpected binaries. You want to detect this in near real time across nodes and capture process execution events for investigation. Which approach is most appropriate?

A highly regulated environment requires that etcd contents (including Secrets) remain confidential even if disk snapshots are stolen, and that compromise of one key does not expose all historical data. Which design best satisfies this?

You need to ensure all Kubernetes API server traffic from kubelets is encrypted and authenticated. Which configuration best achieves this goal?

A developer asks for permission to create pods cluster-wide for debugging. You want the least-privilege RBAC approach. Which is the best solution?

You want to reduce the blast radius if a pod is compromised by ensuring it cannot access the Kubernetes API unless explicitly required. What is the most effective default setting in pod specs?

A multi-tenant cluster must prevent workloads in namespace team-a from directly reaching workloads in namespace team-b unless explicitly allowed. What is the best Kubernetes-native control to implement this?

A pod is failing to start with an error indicating it cannot write to the root filesystem. Your security baseline requires containers to run with readOnlyRootFilesystem: true. The application needs a writable directory for temporary files at /tmp. What is the best fix?

Your organization wants to ensure only images built by the CI pipeline and signed by the security team can run in the cluster. Which approach best enforces this at admission time?

A cluster node has been suspected of compromise. You need to preserve evidence while preventing further damage. Which sequence is the best immediate response?

You want to reduce attack surface on worker nodes by limiting what the kubelet exposes. Which kubelet hardening action is most appropriate?

You are investigating suspicious outbound connections from a pod. You want to detect and alert on unexpected network connections initiated by containers at runtime, with minimal changes to application code. Which solution best fits?

A legacy workload requires a Linux capability (NET_ADMIN) to configure an in-container VPN interface. Security policy forbids privileged containers and requires minimizing granted privileges. What is the best Kubernetes configuration approach?

A developer can exec into a running pod and curl the Kubernetes API successfully, even though the pod's ServiceAccount should not have any Kubernetes permissions. You want to reduce the blast radius quickly without changing RBAC. What is the MOST effective change to prevent the pod from automatically receiving API credentials?

You suspect a compromised container is making suspicious outbound connections. You need to capture and preserve evidence of which processes are creating network connections in real time, with minimal changes to workloads. Which approach BEST fits Kubernetes runtime security practices?

Your team wants to ensure every container image admitted to the cluster is signed by your CI system, and any unsigned or tampered image is rejected. Where should this control be enforced for the strongest supply chain security posture?

A namespace contains a legacy app that requires a writable root filesystem. Security policy requires a read-only root filesystem for all other apps, but you cannot break this one workload. What is the MOST secure Kubernetes-native compromise?

Your security team wants to detect and block containers from executing unexpected binaries at runtime (e.g., a web server container spawning a shell). You want policy enforcement that is resistant to container escape attempts and applies even if the attacker has Kubernetes API access within a namespace. Which control is MOST appropriate on Linux nodes?