Security Quiz
Quiz
Question 1 of 24
(0 answered)
Question 1
In the Kubernetes security layers model, which layer answers the question ‘What can you do?’
✓
Correct!
Authorization (RBAC) determines what actions a user can perform after their identity is verified through authentication.
✗
Incorrect
Authorization (RBAC) determines what actions a user can perform after their identity is verified through authentication.
Think about which layer defines permissions and roles.
Question 2
Which of the following are considered ‘Admin-Level Verbs’ that pose security risks in RBAC?
✓
Correct!
impersonate (act as another user), bind (assign roles), and escalate (modify roles with more permissions) are admin-level verbs that can lead to privilege escalation.
✗
Incorrect
impersonate (act as another user), bind (assign roles), and escalate (modify roles with more permissions) are admin-level verbs that can lead to privilege escalation.
These verbs allow gaining additional privileges beyond normal operations.
Question 3
By default, Kubernetes network policies deny all traffic between pods.
✓
Correct!
Kubernetes default is ALLOW ALL (no isolation). NetworkPolicy must be explicitly created to enable isolation. Once a NetworkPolicy’s podSelector matches a pod, that pod becomes isolated.
✗
Incorrect
Kubernetes default is ALLOW ALL (no isolation). NetworkPolicy must be explicitly created to enable isolation. Once a NetworkPolicy’s podSelector matches a pod, that pod becomes isolated.
Consider what happens when no NetworkPolicy exists in a namespace.
Question 4
What field is used to disable automatic mounting of service account tokens in a ServiceAccount spec?
✓
Correct!
Setting
automountServiceAccountToken: false in a ServiceAccount or Pod spec prevents automatic token mounting, reducing credential exposure risk.✗
Incorrect
Setting
automountServiceAccountToken: false in a ServiceAccount or Pod spec prevents automatic token mounting, reducing credential exposure risk.It’s a boolean field that controls automatic mounting behavior.
Question 5
What does this kubectl command check?
kubectl auth can-i create pods --as=system:serviceaccount:default:my-saWhat will this code output?
✓
Correct!
The
kubectl auth can-i command with --as flag simulates permission checking for a specific user or service account without actually performing the action.✗
Incorrect
The
kubectl auth can-i command with --as flag simulates permission checking for a specific user or service account without actually performing the action.The ‘can-i’ subcommand is for permission checking, and ‘–as’ is for impersonation.
Question 6
What is the difference between a Role and a ClusterRole in Kubernetes RBAC?
What is the difference between a Role and a ClusterRole in Kubernetes RBAC?
Role: Namespace-scoped - permissions apply only within a single namespace.
ClusterRole: Cluster-scoped - permissions apply across the entire cluster.
Hybrid use: A ClusterRole can be bound with a RoleBinding to reuse cluster-defined roles in specific namespaces.
Did you get it right?
✓
Correct!
✗
Incorrect
Question 7
Arrange the Kubernetes API request flow in correct order:
Drag to arrange in the correct order
⋮⋮
Authentication Module
⋮⋮
Mutating Admission
⋮⋮
Authorization (RBAC)
⋮⋮
Validating Admission
⋮⋮
Persist to etcd
✓
Correct!
Requests flow: Authentication → Authorization (RBAC) → Mutating Admission → Schema Validation → Validating Admission → Persist to etcd.
✗
Incorrect
Requests flow: Authentication → Authorization (RBAC) → Mutating Admission → Schema Validation → Validating Admission → Persist to etcd.
Question 8
Complete the security context to drop all Linux capabilities:
Fill in the missing keyword
capabilities:
drop:
- _____✓
Correct!
Using
drop: [ALL] removes all Linux capabilities from the container. You can then selectively add back only the capabilities needed using the add field.✗
Incorrect
Using
drop: [ALL] removes all Linux capabilities from the container. You can then selectively add back only the capabilities needed using the add field.Question 9
What is the purpose of the
seccompProfile field in a Pod’s security context?✓
Correct!
Seccomp (Secure Computing Mode) restricts system calls a container can make, preventing containers from exploiting kernel vulnerabilities.
✗
Incorrect
Seccomp (Secure Computing Mode) restricts system calls a container can make, preventing containers from exploiting kernel vulnerabilities.
Seccomp uses BPF (Berkeley Packet Filter) for syscall filtering.
Question 10
Which of the following are valid Pod Security Standards (PSS) levels?
✓
Correct!
The three Pod Security Standards levels are: Privileged (no restrictions), Baseline (minimal restrictions), and Restricted (most secure).
✗
Incorrect
The three Pod Security Standards levels are: Privileged (no restrictions), Baseline (minimal restrictions), and Restricted (most secure).
There are exactly three levels, from least to most restrictive.
Question 11
In Kubernetes RBAC, a RoleBinding can reference a ClusterRole to grant permissions within a specific namespace.
✓
Correct!
This is the ‘Hybrid’ pattern: ClusterRole + RoleBinding allows reusing a cluster-defined role within specific namespaces, limiting its scope.
✗
Incorrect
This is the ‘Hybrid’ pattern: ClusterRole + RoleBinding allows reusing a cluster-defined role within specific namespaces, limiting its scope.
Consider how you might reuse common permission sets across namespaces.
Question 12
What happens when a NetworkPolicy’s podSelector matches a pod?
✓
Correct!
Once a NetworkPolicy’s podSelector matches a pod, that pod becomes isolated and ONLY explicitly allowed traffic (defined in ingress/egress rules) is permitted.
✗
Incorrect
Once a NetworkPolicy’s podSelector matches a pod, that pod becomes isolated and ONLY explicitly allowed traffic (defined in ingress/egress rules) is permitted.
NetworkPolicy enables isolation on a per-pod basis.
Question 13
What is IRSA and why is it important for AWS EKS security?
What is IRSA and why is it important for AWS EKS security?
IRSA (IAM Roles for Service Accounts) allows Kubernetes ServiceAccounts to assume AWS IAM roles.
Benefits:
- Separate IAM role per service account
- Fine-grained AWS permissions
- Automatic credential rotation
- No hardcoded AWS secrets in pods
Pods annotated with eks.amazonaws.com/role-arn automatically receive temporary AWS credentials.
Did you get it right?
✓
Correct!
✗
Incorrect
Question 14
What does this namespace label configuration enforce?
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restrictedWhat will this code output?
✓
Correct!
This configures all three PSA modes: enforce (reject non-compliant pods), audit (log violations), and warn (show warning to user) - all at the ‘restricted’ level.
✗
Incorrect
This configures all three PSA modes: enforce (reject non-compliant pods), audit (log violations), and warn (show warning to user) - all at the ‘restricted’ level.
Each label controls a different enforcement mode.
Question 15
What Linux capability allows a container to bind to ports below 1024?
✓
Correct!
CAP_NET_BIND_SERVICE allows binding to privileged ports (< 1024) without requiring full root access.
✗
Incorrect
CAP_NET_BIND_SERVICE allows binding to privileged ports (< 1024) without requiring full root access.
It’s related to network and service binding.
Question 16
Which authentication methods are supported by Kubernetes?
✓
Correct!
Kubernetes supports x509 certificates, service account tokens, OIDC/OAuth, and bearer tokens for authentication. Biometric authentication is not a native Kubernetes feature.
✗
Incorrect
Kubernetes supports x509 certificates, service account tokens, OIDC/OAuth, and bearer tokens for authentication. Biometric authentication is not a native Kubernetes feature.
Think about methods that can be verified by the API server.
Question 17
Arrange Pod Security Standards from LEAST secure to MOST secure:
Drag to arrange from least to most secure
⋮⋮
Baseline
⋮⋮
Restricted
⋮⋮
Privileged
✓
Correct!
Privileged (no restrictions) → Baseline (minimal restrictions) → Restricted (most secure with non-root, no host access, limited capabilities).
✗
Incorrect
Privileged (no restrictions) → Baseline (minimal restrictions) → Restricted (most secure with non-root, no host access, limited capabilities).
Question 18
What is the key difference between Built-in Admission Controllers and Admission Webhooks?
✓
Correct!
Built-in admission controllers are compiled into the API server binary and cannot be modified without recompiling. Admission webhooks are custom logic in external HTTP services that you write and deploy.
✗
Incorrect
Built-in admission controllers are compiled into the API server binary and cannot be modified without recompiling. Admission webhooks are custom logic in external HTTP services that you write and deploy.
Consider where each type of controller runs and how it’s modified.
Question 19
Setting
readOnlyRootFilesystem: true means the container cannot write to any filesystem location.✓
Correct!
With readOnlyRootFilesystem: true, the root filesystem is immutable, but you can still mount writable volumes (like emptyDir) at specific paths for temporary files or caches.
✗
Incorrect
With readOnlyRootFilesystem: true, the root filesystem is immutable, but you can still mount writable volumes (like emptyDir) at specific paths for temporary files or caches.
Consider how applications that need to write temporary files would work.
Question 20
Explain the RBAC mental model: WHO can do WHAT on WHICH resources WHERE?
Explain the RBAC mental model: WHO can do WHAT on WHICH resources WHERE?
WHO: Subjects - User, Group, or ServiceAccount
WHAT: Verbs - get, list, create, delete, update, patch, watch, etc.
WHICH: Resources - pods, services, deployments, secrets, etc.
WHERE: Scope - Namespace-scoped (Role) or Cluster-wide (ClusterRole)
RoleBindings connect WHO to WHAT+WHICH+WHERE by linking subjects to roles.
Did you get it right?
✓
Correct!
✗
Incorrect
Question 21
Complete the Pod spec to run as non-root user with UID 1000:
Fill in the missing field name
securityContext:
_____: 1000
runAsNonRoot: true✓
Correct!
The
runAsUser field specifies the UID to run the container process. Combined with runAsNonRoot: true, it ensures the container runs as a non-root user.✗
Incorrect
The
runAsUser field specifies the UID to run the container process. Combined with runAsNonRoot: true, it ensures the container runs as a non-root user.Question 22
Why is granting the ‘bind’ verb in RBAC considered a security risk?
✓
Correct!
The ‘bind’ verb allows assigning roles to users, which can be used for privilege escalation - a user could grant themselves higher permissions than intended.
✗
Incorrect
The ‘bind’ verb allows assigning roles to users, which can be used for privilege escalation - a user could grant themselves higher permissions than intended.
Think about what happens when someone can assign any role to themselves.
Question 23
Which securityContext fields are available ONLY at the container level (not pod level)?
✓
Correct!
capabilities, readOnlyRootFilesystem, and allowPrivilegeEscalation are container-level only. runAsUser works at both levels, and fsGroup is pod-level only.
✗
Incorrect
capabilities, readOnlyRootFilesystem, and allowPrivilegeEscalation are container-level only. runAsUser works at both levels, and fsGroup is pod-level only.
Container-level fields typically control container-specific runtime behavior.
Question 24
Every Kubernetes namespace automatically gets a ‘default’ ServiceAccount created.
✓
Correct!
The ServiceAccount admission controller automatically creates a ‘default’ ServiceAccount in every namespace. Pods use this by default unless a different ServiceAccount is specified.
✗
Incorrect
The ServiceAccount admission controller automatically creates a ‘default’ ServiceAccount in every namespace. Pods use this by default unless a different ServiceAccount is specified.
Consider what happens when you create a new namespace.
Quiz Results
Score
0/0
Accuracy
0%
Right
0
Wrong
Skipped
0
Last updated on