Explore fundamental container security concepts with this quiz focused on best practices and common vulnerabilities in Docker and Kubernetes environments. Strengthen your understanding of risks and mitigation strategies relevant to container orchestration and deployment.
Which approach best reduces security risks when obtaining container images for your deployments?
Explanation: Downloading images from official and verified repositories significantly minimizes the chance of including malicious code or outdated software, thus improving security. Using any public image (option B) may expose your systems to risks if the image isn't maintained or verified. Receiving images via email or messaging (option C) is insecure and could introduce tampered files. Opting for images with the lowest download count (option D) doesn't guarantee security and may mean those images are untested or outdated.
What is the primary benefit of implementing role-based access control (RBAC) within a Kubernetes cluster?
Explanation: RBAC enables administrators to finely control which users and services can perform specific actions, reducing the risk of unauthorized changes or privilege escalation. Blocking pods from untrusted namespaces (option A) is not the main function of RBAC, nor does RBAC automatically encrypt communication between pods (option C). Scanning images (option D) is handled by other tools, not RBAC.
Why is it important to run containers with the least required privileges, for example by avoiding running as the root user?
Explanation: Running containers with minimal privileges reduces the impact if an attacker gains access, as they have limited capabilities inside and outside the container. Option A is incorrect since privileges do not directly affect resource usage. Faster starts (option C) and central logging (option D) are unrelated to privilege levels.
What is a recommended method for restricting traffic between pods in a Kubernetes environment?
Explanation: Network policies offer granular control over which pods can communicate with each other, enabling strong security boundaries. Setting resource limits (option A) focuses on CPU and memory, not networking. Environment variables (option C) do not enforce network rules, and disabling storage mounts (option D) is unrelated to traffic control.
When a critical vulnerability is discovered in a running container image, what is the most secure remediation step?
Explanation: Patching the image and redeploying ensures the vulnerability is addressed while maintaining service continuity. Simply stopping and removing containers (option A) stops the service but doesn't fix the vulnerability for future deployments. Raising resource limits (option C) doesn't mitigate security flaws. Altering the entrypoint command (option D) is unlikely to eliminate the underlying issue unless the vulnerability is never triggered, and relying on that isn't a reliable method.