Question 7

In order to reduce the attack surface of the Scheduler, which default parameter should be set to false?

Correct Answer: B
The kube-scheduler exposes a profiling/debugging endpoint when --profiling=true (default).
This can unnecessarily increase the attack surface.
Best practice: set --profiling=false in production.
Exact extract (Kubernetes Docs – kube-scheduler flags):
"--profiling (default true): Enable profiling via web interface host:port/debug/pprof/."
Why others are wrong:
--scheduler-name: just identifies the scheduler, not a security risk.
--secure-kubeconfig: not a valid flag.
--bind-address: changing it limits exposure but is not the default risk parameter for profiling.
References:
Kubernetes Docs — kube-scheduler options: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/

Question 8

An attacker has access to the network segment that the cluster is on.
What happens when a compromised Pod attempts to connect to the API server?

Correct Answer: C
By default, Pods can connect to the API server (since ServiceAccount tokens are mounted).
However, whether they succeed in acting depends on:
Network Policies (may block egress).
RBAC (controls permissions).
Exact extract (Kubernetes Docs – API Access):
"Pods authenticate to the API server using the service account token mounted into the Pod.
Authorization is then enforced by RBAC. NetworkPolicies may further restrict access."
Clarifications:
A: No default automatic isolation.
B: Not always unrestricted; policies may apply.
D: Pods get minimal default privileges, not automatic elevation.
References:
Kubernetes Docs — API Access to Pods: https://kubernetes.io/docs/concepts/security/service-accounts/
Kubernetes Docs — Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/

Question 9

A container image is trojanized by an attacker by compromising the build server. Based on the STRIDE threat modeling framework, which threat category best defines this threat?

Correct Answer: D
In STRIDE, Tampering is the threat category for unauthorized modification of data or code/artifacts. A trojanized container image is, by definition, an attacker's modification of the build output (the image) after compromising the CI/build system—i.e., tampering with the artifact in the software supply chain.
Why not the others?
Spoofing is about identity/authentication (e.g., pretending to be someone/something).
Repudiation is about denying having performed an action without sufficient audit evidence.
Denial of Service targets availability (exhausting resources or making a service unavailable).
The scenario explicitly focuses on an altered image resulting from a compromised build server—this squarely maps to Tampering.
Authoritative references (for verification and deeper reading):
Kubernetes (official docs) – Supply Chain Security (discusses risks such as compromised CI/CD pipelines leading to modified/poisoned images and emphasizes verifying image integrity/signatures).
Kubernetes Docs → Security → Supply chain security and Securing a cluster (sections on image provenance, signing, and verifying artifacts).
CNCF TAG Security – Cloud Native Security Whitepaper (v2) – Threat modeling in cloud-native and software supply chain risks; describes attackers modifying build outputs (images/artifacts) via CI/CD compromise as a form of tampering and prescribes controls (signing, provenance, policy).
CNCF TAG Security – Software Supply Chain Security Best Practices – Explicitly covers CI/CD compromise leading to maliciously modified images and recommends SLSA, provenance attestation, and signature verification (policy enforcement via admission controls).
Microsoft STRIDE (canonical reference) – Defines Tampering as modifying data or code, which directly fits a trojanized image produced by a compromised build system.

Question 10

In a Kubernetes environment, what kind of Admission Controller can modify resource manifests when applied to the Kubernetes API to fix misconfigurations automatically?

Correct Answer: C
Kubernetes Admission Controllers can either validate or mutate incoming requests.
MutatingAdmissionWebhook (Mutating Admission Controller):
Can modify or mutate resource manifests before they are persisted in etcd.
Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.
ValidatingAdmissionWebhook (Validating Admission Controller): only allows/denies but does not change requests.
PodSecurityPolicy: deprecated; cannot mutate requests.
ResourceQuota: enforces resource usage, but does not mutate manifests.
Exact Extract:
"Mutating admission webhooks are invoked first, and can modify objects to enforce defaults.
Validating admission webhooks are invoked second, and can reject requests to enforce invariants."
References:
Kubernetes Docs — Admission Controllers: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
Kubernetes Docs — Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/

Question 11

Is it possible to restrict permissions so that a controller can only change the image of a deployment (without changing anything else about it, e.g., environment variables, commands, replicas, secrets)?

Correct Answer: B
RBAC in Kubernetes is coarse-grained: it controls verbs (get, update, patch, delete) on resources (e.g., deployments), but not individual fields within a resource.
There is no /image subresource for deployments (there is one for pods but only for ephemeral containers).
Therefore, RBAC cannot restrict changes only to the image field.
Admission Webhooks (mutating/validating) can enforce fine-grained policies (e.g., deny updates that change anything other than spec.containers[*].image).
Exact extract (Kubernetes Docs – Admission Webhooks):
"Admission webhooks can be used to enforce custom policies on objects being admitted."
References:
Kubernetes Docs — RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Kubernetes Docs — Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
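The fine-grained check described in this answer, written as the decision logic of a validating admission webhook (an added example, not code from the original page or from Kubernetes). The service account name and the sample requests are constructed assumptions; for a Deployment the container images sit under spec.template.spec.containers[*].image, and the HTTPS serving layer is omitted.

```python
import copy

# Hypothetical identity of the controller being restricted (assumption).
RESTRICTED_USER = "system:serviceaccount:ci:image-updater"


def _mask_images(spec):
    """Return a copy of a Deployment spec with every container image blanked."""
    masked = copy.deepcopy(spec)
    pod_spec = masked.get("template", {}).get("spec", {})
    for key in ("containers", "initContainers"):
        for container in pod_spec.get(key, []):
            container["image"] = "<masked>"
    return masked


def review(admission_review):
    """Build the AdmissionReview response for one request.

    Only spec is compared; metadata (labels, annotations) is not covered here.
    """
    req = admission_review["request"]
    allowed, message = True, ""
    if req["userInfo"]["username"] == RESTRICTED_USER:
        if req["operation"] != "UPDATE":
            allowed, message = False, "only UPDATE is permitted for this identity"
        elif _mask_images(req["oldObject"]["spec"]) != _mask_images(req["object"]["spec"]):
            # Added, removed or renamed containers also land here: masking
            # hides only the image value, so any other difference survives.
            allowed, message = False, "only container image fields may change"
    response = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def _request(old_spec, new_spec, user=RESTRICTED_USER, operation="UPDATE"):
    """Constructed sample AdmissionReview request (not captured from a cluster)."""
    return {"request": {"uid": "constructed-uid-1", "operation": operation,
                        "userInfo": {"username": user},
                        "oldObject": {"spec": old_spec}, "object": {"spec": new_spec}}}


def _spec(image="registry.example/app:1.0", replicas=2, env=None):
    """Constructed minimal Deployment spec."""
    return {"replicas": replicas, "template": {"spec": {"containers": [
        {"name": "app", "image": image, "env": env or []}]}}}
```

RBAC still has to grant this identity update/patch on deployments; the webhook narrows what that grant can be used for.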

Question 12

When using a cloud provider's managed Kubernetes service, who is responsible for maintaining the etcd cluster?

Correct Answer: C
In managed Kubernetes services (EKS, GKE, AKS), the control plane is operated by the cloud provider.
This includes etcd, API server, controller manager, scheduler.
Users manage worker nodes (in some models) and workloads, but not the control plane.
Exact extract (GKE Docs):
"The control plane, including the API server and etcd database, is managed and maintained by Google."
Similarly for EKS and AKS, etcd is fully managed by the provider.
References:
GKE Architecture: https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture
EKS Architecture: https://docs.aws.amazon.com/eks/latest/userguide/eks-architecture.html
AKS Docs: https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads
