An attacker compromises a Pod and attempts to use its service account token to escalate privileges within the cluster. Which Kubernetes security feature is designed tolimit what this service account can do?
Correct Answer: C
* When a Pod is created, Kubernetes automatically mounts aservice account tokenthat can authenticate to the API server. * TheRole-Based Access Control (RBAC)system defines what actions a service account can perform. * By carefully restricting Roles and RoleBindings, administrators limit the blast radius of a compromised Pod. * Incorrect options: * (A)PodSecurity admissionenforces workload-level security settings but does not control API access. * (B)NetworkPolicycontrols network communication, not API privileges. * (D)RuntimeClassselects container runtimes, unrelated to privilege escalation through API tokens. References: Kubernetes Documentation - Using RBAC Authorization CNCF Security Whitepaper - Identity & Access Management: limiting lateral movement by constraining service account permissions.