Explore key principles of container and Kubernetes security with this quiz designed to assess your understanding of best practices, common threats, and critical concepts in secure orchestration environments. Ideal for IT professionals and learners aiming to enhance their knowledge in containerized application security.
Which of the following poses the greatest security risk when building container images from public sources in a deployment pipeline?
Explanation: Using unknown or untrusted base images from public sources increases the risk of including vulnerabilities or malicious code in your containers. Setting the CMD instruction to a shell is often a deployment choice but does not inherently introduce risk. Exposing only port 80 is merely a configuration for networking and does not directly relate to image integrity. Labeling a container with metadata is a standard practice for organization and does not pose a security threat.
What is the primary objective of implementing Role-Based Access Control (RBAC) within a Kubernetes cluster?
Explanation: RBAC is designed to ensure that users and services possess only the minimum permissions needed to perform their functions, thus reducing the risk of accidental or malicious actions. Limiting resource consumption by pods is managed through resource quotas, not RBAC. Preventing pods from accessing host storage is achieved via security contexts or policies, not RBAC. Encrypting node traffic relates to network security settings rather than access control.
How does using namespaces enhance security in a containerized environment?
Explanation: Namespaces ensure that containers only see and interact with their own processes, network interfaces, and other resources, increasing isolation and reducing the impact of breaches. Sharing filesystems is usually restricted, not done by default, as it would weaken isolation. Automatic patching must be implemented separately and is not a function of namespaces. Namespaces do not enforce password requirements; that relates to authentication mechanisms.
When storing sensitive data such as database credentials in Kubernetes, what is the recommended resource type to use?
Explanation: Kubernetes Secrets are specifically intended for storing sensitive information like passwords and tokens and provide an additional layer of protection compared to ConfigMaps. ConfigMaps are designed for non-sensitive configuration data and do not offer the same security controls. Deployments are used for managing application replicas and do not store data. PersistentVolumes are for storage, not credentials or secrets.
What is the main security concern associated with running containers in privileged mode?
Explanation: Privileged mode grants the container elevated permissions, allowing it to interact with host resources and potentially compromise the host system. Automatic scaling is unaffected by privilege and is a matter of deployment configuration. Network policies still apply to privileged containers unless otherwise specified. Kubernetes scheduling rules are not bypassed by privileged containers, as privilege only affects the container's capabilities within its environment.