NetworkPolicies define how Pods can communicate with each other and external endpoints.

However, Kubernetes itself does not enforce NetworkPolicy . Enforcement depends on the CNI plugin used (e.g., Calico, Cilium, Kube-Router, Weave Net).

If a cluster is using a network plugin that does not support NetworkPolicies, then creating NetworkPolicy objects has no effect .

NetworkPolicy controls network traffic at the Pod level .

Ingress rules: control incoming connections to Pods.

Egress rules: control outgoing connections from Pods .

Exact extract (Kubernetes Docs – Network Policies):

“ An egress rule controls outgoing connections from Pods that match the policy. ”

Clarifying wrong answers:

A/B: Too broad (cluster-level); policies apply per Pod/Namespace.

C: Security against unauthorized access is broader than egress policies.

Kubernetes originally had a feature called PodSecurityPolicy (PSP) , which provided controls to restrict pod behavior.

Official docs:

“ PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25. ”

“ Pod Security Standards (PSS) replace PodSecurityPolicy (PSP) with a simpler, policy-driven approach. ”

PSP was often complex and hard to manage, so it was replaced by Pod Security Admission (PSA) which enforces Pod Security Standards .

The 4C’s model (Cloud, Cluster, Container, Code) is presented in the official Kubernetes documentation as a layered model that explicitly maps to defense-in-depth .

Exact extracts from Kubernetes docs (security overview):

“ The 4C’s of Cloud Native Security are Cloud, Clusters, Containers, and Code. ”

“You can think of the 4C’s as a layered approach to security ; applying security measures at each layer reduces risk.”

“This layered approach is commonly known as defense in depth .”

All kubectl requests go to the Kubernetes API Server .

The API server is the front-end of the control plane and validates/authenticates requests before other components act.

Exact extract (Kubernetes Docs – Components):

“ The API server is a component of the Kubernetes control plane that exposes the Kubernetes API. It is the front end for the Kubernetes control plane. ”

Other options clarified:

Controller Manager: reconciles state after API Server processes the request.

Scheduler: assigns Pods to nodes after API Server accepts workload objects.

kubelet: node agent, only communicates after API Server updates desired state.

Access control (RBAC, least privilege, user restrictions) is a baseline container security best practice .

Exact extract (Kubernetes Pod Security Standards – Baseline):

“ The baseline profile is designed to prevent known privilege escalations. It prohibits running privileged containers or containers as root. ”

Other options clarified:

B: Static IPs not a security measure.

C: Persistent storage is functionality, not security.

D: Running as root is explicitly insecure .

By default, Pods can connect to the API server (since ServiceAccount tokens are mounted).

However, whether they succeed in acting depends on:

Network Policies (may block egress).

RBAC (controls permissions).

Exact extract (Kubernetes Docs – API Access):

“ Pods authenticate to the API server using the service account token mounted into the Pod. Authorization is then enforced by RBAC. NetworkPolicies may further restrict access. ”

Clarifications:

A: No default automatic isolation.

B: Not always unrestricted; policies may apply.

D: Pods get minimal default privileges, not automatic elevation.

Defining policies as code (declarative) is a best practice in Kubernetes and cloud-native security.

This is aligned with GitOps and Policy-as-Code principles (OPA Gatekeeper, Kyverno, etc.).

Exact extract (CNCF Security Whitepaper):

“ Policy-as-Code enables declarative definition and enforcement of security policies, bringing consistency, automation, and reducing misconfiguration risk. ”

Manual audits, ad-hoc scripting, or individual configurations are error-prone and inconsistent.

k8s.gcr.io was the historic Kubernetes image registry.

It has been deprecated and replaced with registry.k8s.io .

Exact extract (Kubernetes Blog):

“ The k8s.gcr.io image registry will be frozen from April 3, 2023 and fully deprecated. All Kubernetes project images are now served from registry.k8s.io. ”

Pulling newer versions from k8s.gcr.io fails because the registry no longer receives updates.

Static Pods are managed directly by the kubelet on each node.

They are not scheduled by the kube-scheduler and always remain bound to the node where they are defined.

Exact extract (Kubernetes Docs – Static Pods):

“ Static Pods are managed directly by the kubelet daemon on a specific node, without the API server. They do not go through the Kubernetes scheduler. ”

Clarifications:

A: Static Pods do not span multiple nodes.

B: No hard limit of 5 Pods per node.

D: They are not a fallback mechanism; kubelet always manages them regardless of scheduler state.