aba rocks practice test Intermediate Practice Exam: Medium Difficulty 2025

You are reviewing a newly bootstrapped cluster and want to reduce the blast radius if the Kubernetes API server’s serving certificate key is exfiltrated from disk. Which change most directly improves protection of at-rest PKI material on control plane nodes without relying on application-level encryption?

A namespace contains several Pods that should only be reachable through an ingress controller. Today, any Pod in the cluster can connect to them directly. You need to implement network segmentation so only traffic from the ingress controller namespace can reach the app Pods on TCP 8080, and all other inbound traffic is denied. What is the best Kubernetes-native approach?

A team accidentally granted a ServiceAccount in namespace "dev" a ClusterRoleBinding to cluster-admin. They now want the smallest-privilege fix so the workload can only read ConfigMaps in its own namespace and nothing cluster-wide. Which change best meets the requirement?

You’re hardening worker nodes. A security scan shows that kubelet’s HTTPS endpoint is reachable from many subnets and may expose sensitive information if misconfigured. You want to reduce exposure while keeping normal cluster operations working. Which action is the best first step?

A containerized workload was compromised and the attacker attempted to run "mount" and access host files. You want to make this harder across the cluster without changing application code. Which Pod-level configuration best reduces the likelihood of host filesystem access via privileged operations?

A legacy application writes temporary files and sometimes attempts to write into the container image filesystem, which you want to prevent. The app still needs a writable /tmp and to write logs to /var/log/app. What is the most appropriate configuration?

Your organization wants to ensure only images from a trusted registry and only with a specific prefix (e.g., "registry.corp/approved/") can run in the cluster. You want a preventive control at admission time. Which solution best fits?

A CI pipeline builds images and pushes them to an internal registry. You want Kubernetes to verify that images are signed before they can be deployed, and you want the check to occur during admission. What is the best approach?

You are investigating suspicious activity where a container spawned an interactive shell and attempted to install tools at runtime. You want an approach that can both detect this behavior and help you respond quickly with actionable context. Which combination is most appropriate?

A platform team wants to detect and prevent cryptomining workloads that often request high CPU and run with suspicious binaries. They already have audit logs and basic metrics. Which is the best next step to improve runtime detection with Kubernetes context while minimizing false positives?