Kubernetes usesPKI certificatesextensively to secure communication between control plane components (API server, etcd, kube-scheduler, kube-controller-manager) and with kubelets.

Certificates enablemutual TLS authentication and encryptionacross components.

PKI does not handle scaling, networking, or monitoring.

Pod Security Admission (PSA)enforces policies by applyinglabels on namespaces, not globally across the cluster.

Exact extract (Kubernetes Docs – Pod Security Admission):

“You can apply Pod Security Standards to namespaces by adding labels such as pod-security.kubernetes.io/enforce. Different namespaces can enforce different policies.”

Clarifications:

A: Incorrect, namespaces are the unit of enforcement.

C: Misleading — a namespace can have multiple enforcement modes (enforce, audit, warn).

D: Default namespace doesnotenforce strict policies unless labeled.

Thekubectlclient uses configuration from$HOME/.kube/configby default.

This file contains: cluster API server endpoint, user certificates, tokens, or kubeconfigs →sensitive credentials.

Exact extract (Kubernetes Docs – Configure Access to Clusters):

“By default, kubectl looks for a file named config in the $HOME/.kube directory. This file contains configuration information including user credentials.”

Other options clarified:

A: /etc/kubernetes/ exists on nodes (control plane) not client machines.

C: /opt/kubernetes/secrets/ is not a standard path.

D: $HOME/.config/kubernetes/ is not where kubeconfig is stored by default.

ConfigMaps are explicitly not for confidential data.

Exact extract (ConfigMap concept):“A ConfigMap is an API object used to store non-confidential data in key-value pairs.”

Exact extract (ConfigMap concept):“ConfigMaps are not intended to hold confidential data. Use a Secret for confidential data.”

Why this is risky:data placed into a ConfigMap is stored as regular (plaintext) string values in the API and etcd (unless you deliberately use binaryData for base64 content you supply). That means if someone has read access to the namespace or to etcd/APIServer storage, they can view the values.

Secrets vs ConfigMaps (to clarify distractor D):

Exact extract (Secret concept):“By default, secret data is stored as unencrypted base64-encoded strings.You canenable encryption at restto protect Secrets stored in etcd.”

This base64 behavior applies toSecrets, not to ConfigMap data. Thus optionDis incorrect for ConfigMaps.

About RBAC (to clarify distractor A):Kubernetesdoessupport fine-grained RBAC forbothConfigMaps and Secrets; the issue isn’t lack of RBAC but that ConfigMaps arenotdesigned for confidential material.

About compatibility (to clarify distractor C):Using ConfigMaps for secrets doesn’t make apps “incompatible”; it’s simplyinsecureand against guidance.

TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.

It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.

Incorrect options:

(B)AlwaysAllowallows unrestricted access (insecure).

(C) No kubelet authorization mode exists.

(D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.

ThePodSecurity admission controller(built-in as of Kubernetes v1.23+) enforces the Pod Security Standards (Privileged, Baseline, Restricted).

Enforcement is namespace-scoped and configured throughnamespace labels.

Incorrect options:

(A) Kyverno/OPA are external policy tools (useful but not required).

(C) Not true, PodSecurity admission provides native enforcement.

(D) Enforcement requires explicit configuration, not automatic.

gVisor:

Google-developed, implemented as auser-space kernelthat intercepts and emulates syscalls made by containers.

Providesstrong isolationwithout requiring a full VM.

Official docs: “gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface.”

Source: https://gvisor.dev/docs/

Firecracker:

AWS-developed,lightweight virtualization technologybuilt on KVM, used in AWS Lambda and Fargate.

Optimized for running secure, multi-tenant microVMs (MicroVMs) for containers and FaaS.

Official docs: “Firecracker is an open-source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.”

Source: https://firecracker-microvm.github.io/

Key difference:gVisor → syscall interception in userspace kernel (container isolation). Firecracker → lightweight virtualization with microVMs (multi-tenant security).

Therefore, optionAis correct.