A container running in a Kubernetes cluster has permission to modify host processes on the underlying node. What combination of privileges and capabilities is most likely to have led to this privilege escalation?
Correct Answer: B
* hostPID:When enabled, the container shares the host's process namespace # container can see and potentially interact with host processes. * SYS_PTRACE capability:Grants the container the ability to trace, inspect, and modify other processes (e.g., via ptrace). * Combination of hostPID + SYS_PTRACE allows a container toattach to and modify host processes, which is a direct privilege escalation. * Other options explained: * hostPath + AUDIT_WRITE:hostPath exposes filesystem paths but does not inherently allow process modification. * hostNetwork + NET_RAW:grants raw socket access but only for networking, not host process modification. * A:Incorrect - such combinationsdo exist(like B). References: Kubernetes Docs - Configure a Pod to use hostPID: https://kubernetes.io/docs/tasks/configure-pod-container /share-process-namespace/ Linux Capabilities man page: https://man7.org/linux/man-pages/man7/capabilities.7.html
Question 12
Which of the following is a control for Supply Chain Risk Management according to NIST 800-53 Rev. 5?
Correct Answer: C
* NIST SP 800-53 Rev. 5 introduces a dedicated family of controls calledSupply Chain Risk Management (SR). * Within SR,SR-2 (Supply Chain Risk Management Plan)is a specific control. * Exact extract from NIST 800-53 Rev. 5: * "The organization develops and implements a supply chain risk management plan for the system, system component, or system service." * While Access Control, System and Communications Protection, and Incident Response are control families, the correctsupply chain-specific controlis theSupply Chain Risk Management Plan (SR-2). References: NIST SP 800-53 Rev. 5 -Security and Privacy Controls for Information Systems and Organizations: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Question 13
In Kubernetes, what isPublic Key Infrastructure (PKI)used for?
Correct Answer: A
* Kubernetes usesPKI certificatesextensively to secure communication between control plane components (API server, etcd, kube-scheduler, kube-controller-manager) and with kubelets. * Certificates enablemutual TLS authentication and encryptionacross components. * PKI does not handle scaling, networking, or monitoring. References: Kubernetes Documentation - Certificates CNCF Security Whitepaper - Cluster communication security and the role of PKI.
Question 14
A container image istrojanizedby an attacker by compromising the build server. Based on the STRIDE threat modeling framework, which threat category best defines this threat?
Correct Answer: D
* In STRIDE,Tamperingis the threat category forunauthorized modification of data or code/artifacts. A trojanized container image is, by definition, an attacker'smodificationof the build output (the image) after compromising the CI/build system-i.e., tampering with the artifact in the software supply chain. * Why not the others? * Spoofingis about identity/authentication (e.g., pretending to be someone/something). * Repudiationis about denying having performed an action without sufficient audit evidence. * Denial of Servicetargets availability (exhausting resources or making a service unavailable).The scenario explicitly focuses on analtered imageresulting from a compromised build server-this squarely maps toTampering. Authoritative references (for verification and deeper reading): * Kubernetes (official docs)- Supply Chain Security (discusses risks such as compromised CI/CD pipelines leading to modified/poisoned images and emphasizes verifying image integrity/signatures). * Kubernetes Docs#Security#Supply chain securityandSecuring a cluster(sections on image provenance, signing, and verifying artifacts). * CNCF TAG Security - Cloud Native Security Whitepaper (v2)- Threat modeling in cloud-native and software supply chain risks; describes attackers modifying build outputs (images/artifacts) via CI /CD compromise as a form oftamperingand prescribes controls (signing, provenance, policy). * CNCF TAG Security - Software Supply Chain Security Best Practices- Explicitly covers CI/CD compromise leading tomaliciously modified imagesand recommends SLSA, provenance attestation, and signature verification (policy enforcement via admission controls). * Microsoft STRIDE (canonical reference)- DefinesTamperingasmodifying data or code, which directly fits a trojanized image produced by a compromised build system.
Question 15
Which of the following statements on static Pods is true?
Correct Answer: C
* Static Podsare managed directly by thekubeleton each node. * They arenot scheduled by the kube-schedulerand always remain bound to the node where they are defined. * Exact extract (Kubernetes Docs - Static Pods): * "Static Pods are managed directly by the kubelet daemon on a specific node, without the API server. They do not go through the Kubernetes scheduler." * Clarifications: * A: Static Pods do not span multiple nodes. * B: No hard limit of 5 Pods per node. * D: They are not a fallback mechanism; kubelet always manages them regardless of scheduler state. References: Kubernetes Docs - Static Pods: https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/