hostPID: When enabled, the container shares the host’s process namespace → container can see and potentially interact with host processes.

SYS_PTRACE capability: Grants the container the ability to trace, inspect, and modify other processes (e.g., via ptrace).

Combination of hostPID + SYS_PTRACE allows a container to attach to and modify host processes , which is a direct privilege escalation.

Other options explained:

hostPath + AUDIT_WRITE: hostPath exposes filesystem paths but does not inherently allow process modification.

hostNetwork + NET_RAW: grants raw socket access but only for networking, not host process modification.

A: Incorrect — such combinations do exist (like B).

Kubernetes Admission Controllers can either validate or mutate incoming requests.

MutatingAdmissionWebhook (Mutating Admission Controller):

Can modify or mutate resource manifests before they are persisted in etcd.

Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.

ValidatingAdmissionWebhook (Validating Admission Controller): only allows/denies but does not change requests.

PodSecurityPolicy: deprecated; cannot mutate requests.

ResourceQuota: enforces resource usage, but does not mutate manifests.

Exact Extract:

“ Mutating admission webhooks are invoked first, and can modify objects to enforce defaults. Validating admission webhooks are invoked second, and can reject requests to enforce invariants. ”

The kubelet is the primary agent that runs on each node in a Kubernetes cluster and communicates with the control plane.

Kubelet supports TLS (Transport Layer Security) for both authentication and encryption when interacting with the API server. This is a core security feature that ensures secure node-to-control-plane communication.

Incorrect options:

(A) Kubelet does not run as a privileged container by default; it runs as a system process (typically systemd-managed) on the host.

(B) Kubelet does include built-in security features such as TLS authentication, authorization modes, and read-only vs secured ports .

(D) While kubelet interacts with the host system (e.g., cgroups, container runtimes), it does not inherently require root access for communication security; RBAC and TLS handle authentication.

Soft multitenancy (Namespaces, RBAC, Network Policies) → assumes some level of trust between tenants, focuses on resource sharing and efficiency .

Hard multitenancy (separate clusters or strong virtualization) → strict isolation, used when tenants are untrusted.

Exact extract (CNCF TAG Security Multi-Tenancy Whitepaper):

“ Soft multi-tenancy refers to multiple workloads running in the same cluster with some trust assumptions. It provides resource sharing and operational efficiency. Hard multi-tenancy requires stronger isolation guarantees, typically separate clusters. ”

Kubernetes uses PKI certificates extensively to secure communication between control plane components (API server, etcd, kube-scheduler, kube-controller-manager) and with kubelets.

Certificates enable mutual TLS authentication and encryption across components.

PKI does not handle scaling, networking, or monitoring.

Kubernetes supports multiple container runtimes on a node via the RuntimeClass resource.

To select a runtime, you specify the runtimeClassName field in the Pod’s YAML manifest . Example:

apiVersion: v1

kind: Pod

metadata:

name: example

spec:

runtimeClassName: gvisor

containers:

- name: app

image: nginx

Incorrect options:

(A) You cannot specify container runtime through a kubectl command-line flag.

(B) Modifying the Docker daemon config does not direct Kubernetes Pods to a runtime.

(C) Environment variables inside a Pod spec do not control container runtimes.

Audit logging records API server requests and responses for security monitoring.

The RequestResponse level logs the full request and response bodies, which can:

Significantly increase storage and performance overhead .

Potentially log sensitive data (including Secrets).

Therefore, while comprehensive, it introduces risks of performance degradation and excessive log volume.

Kubernetes Pod Security Admission (PSA) enforces Pod Security Standards by applying labels on Namespaces.

Exact extract (Kubernetes Docs – Pod Security Admission):

“ You can label a namespace with pod-security.kubernetes.io/enforce: baseline to enforce the Baseline policy. ”

The baseline profile explicitly disallows privileged pods and other unsafe features.

Why others are wrong:

A & D: These labels do not exist in Kubernetes.

B: Setting privileged: true would allow privileged pods, not block them.