CKS Question #77: Real Exam Question with Answer & Explanation
This question tests your ability to identify and remediate a Kubernetes Deployment that violates the 'restricted' Pod Security Standard, which enforces strict container hardening rules at the namespace level.
Question
For compliance, all user namespaces enforce the restricted Pod Security Standard. The confidential namespace contains a Deployment that is not compliant with the restricted Pod Security Standard, and its Pods cannot be scheduled. Modify the Deployment at `/home/candidate/nginx-unprivileged.yaml` to be compliant and verify that the Pods are running.
Explanation
Approach. The 'restricted' Pod Security Standard requires four key changes to the Deployment's `securityContext` fields. At the Pod level, set `runAsNonRoot: true` and `seccompProfile.type: RuntimeDefault`. At the container level, set `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`. After editing `/home/candidate/nginx-unprivileged.yaml` with these fields, apply it with `kubectl apply -f /home/candidate/nginx-unprivileged.yaml -n confidential` and confirm that the Pods reach the `Running` state with `kubectl get pods -n confidential`. The nginx-unprivileged image is pre-configured to run as UID 101, so it is compatible with `runAsNonRoot: true` without further changes.
Concept tested. Kubernetes Pod Security Standards (PSS), specifically remediating a Deployment to satisfy the 'restricted' policy by configuring `securityContext` at both the Pod and container level (`runAsNonRoot`, `seccompProfile`, `allowPrivilegeEscalation`, capability drops).
Reference. https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
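The manifest below is an added example of what the corrected Deployment looks like once the four fields are in place. It is constructed for illustration and is not the exam's actual `/home/candidate/nginx-unprivileged.yaml`; the image name `nginxinc/nginx-unprivileged`, its tag, the replica count and the labels are assumptions, and it assumes the original file has no other 'restricted' violations (no `privileged`, host namespaces or `hostPath` volumes).

```yaml
# Added example: a Deployment that passes the 'restricted' Pod Security Standard.
# Constructed for illustration; image name, tag, replicas and labels are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-unprivileged
  namespace: confidential
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-unprivileged
  template:
    metadata:
      labels:
        app: nginx-unprivileged
    spec:
      # Pod-level fields required by 'restricted'; they apply to every
      # container in the Pod, including initContainers.
      securityContext:
        runAsNonRoot: true          # the image declares UID 101, so the kubelet can verify this
        seccompProfile:
          type: RuntimeDefault      # 'Localhost' is the only other value 'restricted' accepts
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:stable   # assumed image tag
          ports:
            - containerPort: 8080   # the unprivileged image listens on 8080, not 80
          # Container-level fields required by 'restricted'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]         # under 'restricted', only NET_BIND_SERVICE may be added back
```

The two Pod-level fields may instead be set per container, but placing them on the Pod is the safer default because a later-added sidecar or initContainer inherits them. If Pods still do not appear after `kubectl apply`, the Deployment itself was accepted and the ReplicaSet is being refused: `kubectl get events -n confidential` shows a `FailedCreate` event whose message lists exactly which 'restricted' controls the template still violates, which is faster than re-reading the manifest. `kubectl get ns confidential --show-labels` confirms the `pod-security.kubernetes.io/enforce=restricted` label that triggers the check.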