Test yourself
Kubernetes attack & defense
Final exam · 60 questions · answers explained as you pick
Threat model & ATT&CK
12 questions
01The MITRE ATT&CK for Containers matrix organizes…
Correct — A shared language for the attacker’s playbook against clusters.
Incorrect — That is CVSS, not ATT&CK.
Incorrect — Unrelated to ATT&CK.
Incorrect — Not what ATT&CK describes.
02The most exposed control-plane component to protect is…
Incorrect — DNS matters but is not the primary attack target.
Correct — It is the front door; exposure or weak auth is critical.
Incorrect — A minor component, not the crown jewel.
Incorrect — There is no such exposed UI by default.
03An exposed, unauthenticated kubelet API (port 10250) lets an attacker…
Correct — anonymous-auth must be off; an open kubelet is a direct foothold.
Incorrect — It exposes far more, including exec.
Incorrect — Misconfigured kubelets allow anonymous access.
Incorrect — Not a kubelet capability for an attacker.
04etcd is a top-priority target because it…
Incorrect — etcd is the datastore, not the scheduler.
Correct — Read access to etcd is read access to every secret.
Incorrect — Unrelated to etcd.
Incorrect — Not etcd’s role.
05From a compromised pod, a classic initial pivot is to…
Correct — Reaching 169.254.169.254 can yield cloud IAM credentials.
Incorrect — Not a typical pivot.
Incorrect — Not an attack technique.
Incorrect — Not accessible from a normal pod.
06The Kubernetes Dashboard has historically been a risk when…
Incorrect — It is fine if properly locked down.
Correct — The Tesla cryptojacking incident exploited exactly this.
Incorrect — Metrics display is not the risk.
Incorrect — HTTPS is good, not a risk.
07Threat-modeling a cluster means asking, for each component…
Correct — You trace pivots: pod → SA token → API → other namespaces → node → cloud.
Incorrect — Performance is not threat modeling.
Incorrect — Irrelevant.
Incorrect — Cost is not the security question.
08The blast radius of a single compromised node includes…
Incorrect — A node hosts many pods; all are reachable from the node.
Correct — Node compromise exposes all co-located workloads’ identities.
Incorrect — Node access is far broader than one container.
Incorrect — Not directly reachable from a node.
09A multi-tenant cluster’s core risk is that…
Correct — A namespace alone is not a strong security boundary.
Incorrect — They do not; additional controls are required.
Incorrect — It is possible with deliberate controls.
Incorrect — That would be a misconfiguration, not the inherent risk.
10ATT&CK’s "Credential Access" tactic in K8s maps to techniques like…
Incorrect — Not a credential technique.
Correct — Harvesting identities to move laterally.
Incorrect — Not credential access.
Incorrect — Unrelated.
11Reducing the cluster attack surface starts with…
Correct — Close the front doors before hardening the interior.
Incorrect — More exposed UIs increase surface.
Incorrect — That expands, not reduces, risk.
Incorrect — That removes visibility.
12Mapping your detections to ATT&CK techniques helps you…
Incorrect — Not the point.
Correct — A structured way to measure and improve detection.
Incorrect — Unrelated to cost.
Incorrect — Irrelevant to performance.
12 questions · explanations appear as you answer
RBAC & privilege escalation
12 questions
01A Kubernetes RBAC rule grants…
Correct — Role/ClusterRole + RoleBinding/ClusterRoleBinding define who-can-do-what.
Incorrect — RBAC is authorization, not networking.
Incorrect — Unrelated to RBAC.
Incorrect — Not what RBAC grants.
02The RBAC verb "escalate" on roles is dangerous because it…
Incorrect — It permits granting permissions the user lacks.
Correct — It bypasses the normal privilege-escalation prevention.
Incorrect — Not what escalate does.
Incorrect — Unrelated.
03The verb "bind" (granted on the referenced Role/ClusterRole, not the binding object) enables escalation by…
Correct — Even without escalate, bind can attach cluster-admin.
Incorrect — Not what bind does.
Incorrect — It is about creating bindings.
Incorrect — Unrelated.
04Granting "create pods" is effectively powerful because a pod can…
Incorrect — A pod can mount tokens, hostPath, and run privileged.
Correct — Pod creation is a well-known escalation primitive.
Incorrect — It can mount secrets and SA tokens.
Incorrect — With hostPath/privileged it can.
05The "impersonate" verb allows a subject to…
Correct — A direct escalation if you can impersonate a privileged identity.
Incorrect — Not what impersonate does.
Incorrect — Far more powerful than that.
Incorrect — Unrelated.
06pods/exec as a subresource grants the ability to…
Incorrect — exec runs commands inside a running pod.
Correct — A powerful, often-overlooked permission.
Incorrect — Different resource/verb.
Incorrect — Not what exec does.
07get/list on Secrets across the cluster is dangerous because…
Correct — Secrets are base64, readable by anyone with get/list.
Incorrect — get returns the full data.
Incorrect — RBAC read returns plaintext data.
Incorrect — It is a top credential-access technique.
08A service-account token mounted in a pod is risky when the SA…
Incorrect — A powerless token is low risk.
Correct — Scope SAs tightly; a leaked token is API access.
Incorrect — The name is not the risk; the bound permissions are.
Incorrect — Short-lived projected tokens are safer, not riskier.
09automountServiceAccountToken: false helps because…
Correct — Remove the credential where it is not needed.
Incorrect — It prevents mounting, not encrypts.
Incorrect — Not a performance measure.
Incorrect — RBAC still applies where tokens exist.
10Bound (projected) service-account tokens improve on legacy tokens by…
Incorrect — That describes the legacy tokens they replace.
Correct — A leaked bound token expires and is narrower in scope.
Incorrect — RBAC still governs what the token can do.
Incorrect — They are not long-lived secrets.
11Auditing RBAC for escalation means hunting for subjects with…
Correct — These verbs/resources are the escalation surface to review.
Incorrect — Low-risk, not an escalation path.
Incorrect — Read-only events are low risk.
Incorrect — Namespace listing alone is not escalation.
12The principle for RBAC is…
Incorrect — That is broad-by-default — the opposite of safe.
Correct — Grant only the verbs/resources a subject truly needs.
Incorrect — Maximal blast radius.
Incorrect — RBAC is the authorization control; use it well.
12 questions · explanations appear as you answer
Admission control internals
12 questions
01In the API request flow, admission control runs…
Incorrect — Authn and authz come first.
Correct — Admission is the last gate before etcd.
Incorrect — It runs before persistence, to allow rejection.
Incorrect — It runs on create/update/delete as configured.
02Mutating admission webhooks run before validating ones so that…
Correct — Mutation → schema validation → validation is the order.
Incorrect — Validation still runs after mutation.
Incorrect — Webhooks do not encrypt.
Incorrect — The ordering is defined and deliberate.
03A ValidatingWebhookConfiguration lets you…
Incorrect — That is a MutatingWebhookConfiguration.
Correct — e.g. reject privileged pods or unsigned images.
Incorrect — That is the scheduler.
Incorrect — Unrelated.
04Pod Security Admission (PSA) replaced PodSecurityPolicy and enforces…
Correct — A built-in admission plugin with enforce/audit/warn modes.
Incorrect — That is a CNI concern, not PSA.
Incorrect — That needs a policy engine/verifier, not PSA.
Incorrect — PSA governs pod security context, not RBAC.
05The PSA "restricted" profile enforces things like…
Incorrect — Restricted forbids those.
Correct — The hardened baseline that blocks most escape enablers.
Incorrect — In enforce mode it blocks non-compliant pods.
Incorrect — PSA governs security context, not resource limits.
06A webhook with failurePolicy: Ignore can be bypassed when…
Correct — An attacker who can disrupt the webhook evades the policy.
Incorrect — It only bypasses on webhook failure.
Incorrect — Unrelated to RBAC.
Incorrect — Ignore trades availability for a security gap on failure.
07failurePolicy: Fail is more secure but…
Incorrect — That is Ignore; Fail blocks on failure.
Correct — Secure-by-default, but you must keep the webhook highly available.
Incorrect — It changes failure behavior, not enables/disables.
Incorrect — Unrelated.
08Excluding kube-system (or using a namespaceSelector) on a policy webhook can…
Correct — Overbroad exclusions are a common admission-policy weakness.
Incorrect — Exclusions widen the gap, not close it.
Incorrect — Unrelated.
Incorrect — Not the effect.
09Kyverno and Gatekeeper (OPA) are used at admission to…
Incorrect — They enforce policy, not routing.
Correct — Policy-as-code as an admission gate.
Incorrect — Not their function.
Incorrect — Unrelated.
10The admission webhook itself is an attack target because…
Correct — It sees and gates all matching API writes — protect it like the control plane.
Incorrect — It is a privileged, high-value component.
Incorrect — It receives the full object under review.
Incorrect — It runs on the operations it is configured for.
11Rolling out an admission policy safely means…
Incorrect — A bad policy then blocks every deploy at once.
Correct — Mirrors every policy rollout in the course.
Incorrect — That is the outage you are avoiding.
Incorrect — Policy is code; version and review it.
12Defense in depth for admission combines PSA with…
Correct — PSA covers pod security context; the engine covers the rest.
Incorrect — Never; RBAC is a separate essential control.
Incorrect — Exclusions weaken enforcement.
Incorrect — Not viable.
12 questions · explanations appear as you answer
Control plane & operators
12 questions
01Encrypting Secrets at rest in etcd matters because…
Correct — Enable an EncryptionConfiguration (ideally KMS-backed).
Incorrect — At-rest encryption is off unless configured.
Incorrect — All cluster state, including Secrets, lives in etcd.
Incorrect — Not a performance feature.
02Access to etcd (or its backups) is equivalent to…
Incorrect — Far more — it is the whole cluster state.
Correct — Restrict etcd to the API server and protect its backups.
Incorrect — It is the most sensitive datastore in the cluster.
Incorrect — It holds far more than logs.
03A hardened kubelet configuration disables…
Correct — Otherwise the kubelet API can be hit unauthenticated.
Incorrect — You keep logging.
Incorrect — The kubelet runs pods; that is its job.
Incorrect — You keep TLS on.
04The API server should be protected by…
Incorrect — Public exposure is a major risk.
Correct — Lock the front door and record everything.
Incorrect — Anonymous auth should be disabled.
Incorrect — That removes forensic visibility.
05A Kubernetes operator/controller is a security concern because it…
Correct — A malicious/vulnerable operator can act across the cluster.
Incorrect — Operators typically hold significant write permissions.
Incorrect — It uses (often broad) RBAC.
Incorrect — It talks to the API with its service account.
06Installing a third-party operator should be treated as…
Incorrect — It runs privileged code in your cluster.
Correct — Its ClusterRole often requests broad permissions; scrutinize them.
Incorrect — A compromised operator can own the cluster.
Incorrect — It is not; it holds real permissions.
07A CRD-driven operator expands the attack surface via…
Correct — Crafting a malicious CR can drive the controller to do harm.
Incorrect — Not a security effect.
Incorrect — It typically needs more RBAC, not less.
Incorrect — Unrelated.
08Least privilege for an operator means…
Incorrect — That maximizes blast radius on compromise.
Correct — Tighten what a compromised operator could touch.
Incorrect — Unnecessary and dangerous.
Incorrect — You want its actions logged.
09The API server audit log is the control-plane equivalent of…
Correct — The primary source for detection and forensics.
Incorrect — It records actions, not performance.
Incorrect — It logs API activity, not packets.
Incorrect — Unrelated to storage.
10Protecting the control plane’s trust anchor means guarding…
Incorrect — Cosmetic, not a trust anchor.
Correct — CA compromise lets an attacker forge any client cert.
Incorrect — Not a trust anchor.
Incorrect — Not the trust anchor.
11A managed control plane (EKS/GKE/AKS) shifts responsibility so that you focus on…
Correct — Shared responsibility: they run the API server/etcd; you secure what you deploy.
Incorrect — You still own workloads, RBAC, and network policy.
Incorrect — The provider manages the control plane.
Incorrect — Not your responsibility.
12Restricting who can create/modify webhook configurations matters because…
Correct — Webhook config write is a powerful, cluster-wide capability.
Incorrect — They actively mutate/validate objects.
Incorrect — Not a performance concern.
Incorrect — It is a high-impact security control.
12 questions · explanations appear as you answer
Attack, detect & respond
12 questions
01Lateral movement in a cluster commonly follows the path…
Correct — Each stolen identity opens the next door.
Incorrect — That is not the typical internal pivot chain.
Incorrect — An oversimplification that misses the real chain.
Incorrect — Lateral movement is a core cluster risk.
02A NetworkPolicy default-deny limits lateral movement by…
Incorrect — That is mTLS; NetworkPolicy controls reachability.
Correct — Zero-trust networking boxes in a compromised pod.
Incorrect — It filters traffic, not lifecycle.
Incorrect — Unrelated to NetworkPolicy.
03The primary detection source for cluster attacks is…
Correct — It records exec, secret access, RBAC changes, and more.
Incorrect — Too narrow; the audit log is the control-plane record.
Incorrect — A weak, indirect signal.
Incorrect — Not a runtime attack source.
04High-signal audit events to alert on include…
Incorrect — Too noisy and low value.
Correct — These map to credential access, escalation, and persistence.
Incorrect — Not a security signal.
Incorrect — Usually benign.
05Runtime detection (Falco/Tetragon) complements the audit log by…
Correct — Audit = control plane; runtime = what happens inside pods/nodes.
Incorrect — They are complementary, not redundant.
Incorrect — Unrelated.
Incorrect — Not a detection function.
06A honeytoken in a cluster (e.g. a decoy Secret) is valuable because…
Incorrect — It grants nothing; it only signals.
Correct — Nothing legitimate touches the decoy, so a hit is near-certain intrusion.
Incorrect — It is a decoy, not crypto.
Incorrect — It adds a signal, not throughput.
07On confirmed compromise of a pod’s service account, an early action is…
Correct — Invalidate the identity, then scope the blast radius.
Incorrect — Not measured containment.
Incorrect — Too broad for the immediate threat.
Incorrect — Active compromise is an incident.
08Isolating a compromised pod for forensics means…
Incorrect — Deletion discards process state/memory evidence.
Correct — Contain and preserve, then evict.
Incorrect — A reboot can wipe volatile evidence.
Incorrect — That worsens exposure.
09Hunting persistence after a cluster compromise means checking for…
Correct — Attackers persist in RBAC, admission, and workloads — not just the pod.
Incorrect — A competent attacker plants more footholds.
Incorrect — Not persistence indicators.
Incorrect — Not where K8s persistence hides.
10A tuned audit policy matters because…
Incorrect — It is expensive and drowns signal in noise.
Correct — Tune levels per resource so real events surface.
Incorrect — Audit policy is about logging, not crypto.
Incorrect — Different control.
11Recovering from a control-plane-level compromise may require…
Correct — If the CA or etcd was reachable, assume trust is broken and re-establish it.
Incorrect — Insufficient for a control-plane compromise.
Incorrect — A control-plane compromise is severe.
Incorrect — Does not address the compromise.
12The through-line of cluster defense is…
Incorrect — No one control suffices; layer them.
Correct — Prevent the easy paths, and detect what gets through.
Incorrect — A namespace is a soft boundary.
Incorrect — That blinds detection.
12 questions · explanations appear as you answer