CDP CDP Container & Kubernetes Security

Question 1

Which Docker best practice reduces the attack surface of a container image?

Accepted Answer

Using minimal base images such as Alpine or distroless

Answer

Minimal base images contain fewer packages and binaries, reducing the number of potential vulnerabilities present in the image.

Question 2

What does a Kubernetes NetworkPolicy resource control?

Accepted Answer

Which pods can communicate with each other and with external endpoints

Answer

NetworkPolicy enforces micro-segmentation by defining ingress and egress rules at the pod level, limiting lateral movement in the cluster.

Question 3

Running containers as a non-root user is important because:

Accepted Answer

It limits the damage an attacker can cause if the container is compromised

Answer

A non-root process cannot modify system files or install packages, containing the impact of a container escape or code execution vulnerability.

Question 4

Image scanning in a container registry is used to:

Accepted Answer

Detect known CVEs in OS packages and application libraries within the image

Answer

Registry-integrated scanners check image layers against vulnerability databases and block or alert on images that exceed policy thresholds.

Question 5

A Kubernetes PodSecurityContext setting `readOnlyRootFilesystem: true` helps security by:

Accepted Answer

Stopping attackers from writing malicious files to the container filesystem

Answer

A read-only root filesystem prevents post-exploitation techniques that rely on dropping or modifying binaries inside the container.

(CDP) Certified DevSecOps Professional Practice Test