50 Certified Kubernetes Security Specialist (CKS) Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Certified Kubernetes Security Specialist (CKS) certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions: a comprehensive set of practice questions covering key exam topics
All Domains Covered: questions distributed across all exam objectives and domains
Mixed Difficulty: easy, medium, and hard questions to test all skill levels
Detailed Explanations: learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Certified Kubernetes Security Specialist (CKS)
A developer deploys a Pod that must write temporary files. Security policy requires avoiding writable container layers and limiting where writes can occur. Which configuration best meets this requirement?
A team wants to restrict Pods in the "payments" namespace so they can only communicate with the "payments-db" Pods on TCP port 5432, and deny all other ingress to "payments-db". What is the most appropriate Kubernetes-native control?
A container image used in production is discovered to contain a known vulnerable library. The security team wants to prevent future deployments of images that fail vulnerability policy checks. Which approach best enforces this at admission time?
You need to reduce the blast radius if a Pod is compromised and tries to access the Kubernetes API. What is the simplest effective step you can take at the Pod level when API access is not required?
A Pod in the "dev" namespace is unexpectedly able to create Pods in the "prod" namespace. Review shows a RoleBinding in "prod" that binds a Role to a subject. Which misconfiguration most likely caused this cross-namespace privilege escalation?
A security standard requires that containers cannot gain additional privileges and must drop all Linux capabilities unless explicitly needed. Which Pod security configuration best matches this requirement?
Your organization wants to ensure only signed images from an approved registry can be deployed, and to cryptographically verify provenance during admission. Which solution best meets this requirement?
A team wants to reduce data exposure in logs. An application currently logs full HTTP headers including Authorization tokens. What is the best remediation strategy from a Kubernetes security perspective?
You suspect a container is executing unexpected binaries at runtime. You have Falco installed as a DaemonSet. Which Falco rule intent would best detect this behavior with minimal false positives for typical microservices?
A cluster uses containerd and the default kubelet configuration. A compromised Pod attempts to access the node's container runtime socket to gain control over other containers. Which mitigation is most effective and aligns with least privilege?
A platform team wants to reduce the attack surface of the kubelet on worker nodes. They need pods to be able to pull images and run workloads, but they want to prevent the kubelet API from being reachable from outside the node. Which change best achieves this?
You are asked to ensure all containers run without privilege escalation by default, while still allowing teams to opt out on a per-namespace basis only after approval. Which Kubernetes mechanism best enforces this at admission time?
A team wants to prevent sensitive values from appearing in process listings and common crash dumps. They currently pass database passwords as container environment variables. What is the recommended alternative in Kubernetes?
You detect that a compromised Pod is using its ServiceAccount token to list Secrets across the namespace. The Pod should only read one specific Secret named 'app-cert'. What is the best RBAC design to apply?
A security review finds that developers can create Pods that use the node network namespace (hostNetwork: true), bypassing NetworkPolicies. You must prevent this across the cluster while still allowing kube-system components that require it. Which control is most appropriate?
Your organization requires that only signed container images from your CI system can be deployed. Developers sometimes reference public images directly. Which approach best enforces this policy at deploy time?
A Pod is running with a read-only root filesystem. The application fails because it tries to write temporary files to /tmp. You want to keep the root filesystem read-only while allowing safe temporary writes. What is the best fix?
Security wants auditability of all kubectl exec sessions into production Pods, including who executed commands and what was run. Which solution best meets this requirement in Kubernetes?
You suspect a container escape attempt. Runtime telemetry shows a container tried to load kernel modules and interact with /proc/kcore. You need a control that detects and blocks these actions at runtime with minimal changes to workloads. What is the most appropriate approach?
A GitOps pipeline applies Kubernetes manifests from a repo. An attacker gains commit access and adds a mutating webhook configuration that silently injects privileged sidecars into Pods. You need a defense-in-depth control that prevents such cluster-wide backdoors even if GitOps applies them. What is the best mitigation?
You want to minimize the blast radius if a container is compromised. A Deployment runs as root and does not require privilege escalation. Which change is the BEST immediate hardening step at the Pod level?
A Pod in namespace "payments" should never be able to reach the Kubernetes API server. Which is the MOST appropriate control to enforce this, assuming your CNI supports it?
You are investigating suspicious behavior in a container and need to get a consistent set of process, file, and network runtime events for future detections. Which approach is MOST aligned with CKS runtime security practices?
A team wants to prevent Pods from using the default service account tokens unless explicitly required. What is the BEST cluster-wide approach?
Your organization mandates that only images built by the CI system can run in the cluster. You already sign images during CI. Which control BEST enforces this at admission time?
A cluster uses containerd. You find that kubelet allows Pods to run with unsafe sysctls and swap enabled on nodes, leading to unpredictable behavior and potential abuse. Which combination is the BEST remediation path?
A security review finds that many containers run with a writable root filesystem, and attackers previously modified binaries inside running containers. Which is the BEST Kubernetes-native mitigation for most stateless workloads?
You suspect a compromised Pod is attempting to exfiltrate credentials by reading service account tokens and contacting the API server. The Pod runs in a namespace with many legitimate workloads, and you need a targeted runtime containment action immediately. What is the BEST response?
Your cluster enforces that only approved registries can be used. An attacker submits a Pod that references an image via a short name (e.g., "nginx") and it pulls from an unexpected registry due to default resolution rules. What is the BEST preventative control?
A platform team wants to ensure that kube-apiserver audit logs capture security-relevant events while limiting sensitive data exposure. Which audit policy choice is MOST appropriate?
A security audit finds that kubelet authentication is configured to allow anonymous requests on worker nodes. Which change most directly prevents unauthenticated access to kubelet endpoints?
You must ensure that all containers run without root privileges by default, but you still want the ability to grant exceptions in a controlled way. Which Kubernetes mechanism best enforces this cluster-wide with possible namespace-level exemptions?
A node compromise is suspected. You want to reduce the blast radius by preventing containers from gaining new privileges via setuid binaries or file capabilities. Which container security setting is the most direct mitigation?
You are asked to tighten supply chain security so that workloads only run images verified by the organization. What is the best Kubernetes-native approach to enforce image signature verification at admission time?
A container repeatedly crashes because it cannot write to /tmp after you enabled readOnlyRootFilesystem: true. You want to keep a read-only root filesystem while allowing temporary writes. What is the best fix?
Security wants a process-level runtime detection capability for suspicious syscalls (e.g., spawning shells in app containers) across all nodes, with alerts forwarded to a SIEM. Which solution best fits this requirement?
A team wants to prevent pods from accessing the instance metadata service (IMDS) on cloud nodes to reduce credential theft risk. What is the most effective Kubernetes-level control to apply in clusters that use a CNI supporting NetworkPolicy?
A workstation used by cluster admins is suspected compromised. You need to reduce the chance that stolen kubeconfigs can be used to access the cluster. Which control most directly limits the impact of stolen long-lived client credentials?
You suspect a compromised pod is using the Kubernetes API with an over-privileged ServiceAccount. You want to quickly confirm what API calls were made and by which identity, without relying on application logs. What is the best primary data source?
You are designing a secure build-to-deploy pipeline. Requirement: prevent deployment of images unless there is cryptographic evidence they were built by your trusted CI and passed vulnerability scanning. Which approach best satisfies this end-to-end requirement?
You need to ensure no Pod can use the host network namespace in the "payments" namespace, while allowing normal Pod networking. Which control is the most direct and namespace-scoped way to enforce this?
A developer wants to run a one-off debug container in an existing Pod to inspect the filesystem after an incident, but you must prevent the debug container from gaining extra privileges compared to the original workload. Which approach is most appropriate?
Your organization wants to reduce the chance of command injection in a container image used by multiple teams. Which image change is the most effective baseline hardening step?
A production cluster must ensure images are only pulled from an internal registry and must deny any Pod that references external registries. Where should this enforcement be implemented for the strongest control?
You suspect a compromised container is making unexpected syscalls. You have runtime security tooling deployed that can generate alerts based on syscall rules. What is the best immediate action to both confirm the behavior and preserve evidence?
A Pod in namespace "dev" needs to call the Kubernetes API to read ConfigMaps only in its own namespace. The Pod currently uses the default ServiceAccount and can list Secrets cluster-wide due to an overly permissive binding. What should you do to apply least privilege?
A team uses a CI pipeline to build images. You need to ensure that only signed images are deployed and that signature verification happens at deploy time inside the cluster. Which solution best fits this requirement?
A cluster must allow workloads to write to /tmp but prevent them from writing anywhere else in the container filesystem. Which configuration best achieves this while keeping the image unchanged?
During a security review, you discover the kubelet on several nodes is configured to allow anonymous access to its HTTPS endpoint, and metrics endpoints are reachable from other namespaces. What is the best remediation strategy?
You must ensure that even if an attacker gains access to a node, they cannot easily read Kubernetes Secrets stored on disk. Which design change best addresses this at the cluster level?
Certified Kubernetes Security Specialist (CKS) 50 Practice Questions FAQs
The Certified Kubernetes Security Specialist (CKS) is a professional certification from the Cloud Native Computing Foundation (CNCF) that validates expertise in Kubernetes security technologies and concepts. The official exam code is CKS.
Our 50 CKS practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes a detailed explanation to help you learn.
Fifty questions is a good starting point for CKS preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 CKS questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.