CAS-004 Scripting, Containers and Automation • Complete Question Bank
Complete CAS-004 Scripting, Containers and Automation question bank — all 0 questions with answers and detailed explanations.
- Cloud Access Security Broker
- Data Loss Prevention
- Identity and Access Management
- Security Information and Event Management
- Security Orchestration, Automation, and Response
- Protects web applications from attacks
- Detects intrusions and alerts
- Detects and blocks intrusions in real-time
- Host-based intrusion detection system
- Network-based intrusion detection system
```console
$ docker inspect myservice | jq '.[].Mounts'
[
  {
    "Type": "bind",
    "Source": "/data/config",
    "Destination": "/app/config",
    "Mode": "ro",
    "RW": false,
    "Propagation": "rprivate"
  }
]
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-pod
spec:
  containers:
  - name: app
    image: nginx:latest
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_ADMIN"]
      readOnlyRootFilesystem: true
```

```python
input_user = request.args.get('user')
playbook = """
- hosts: all
  tasks:
  - name: Greet {{ user }}
    debug:
      msg: "Hello {{ user }}"
""".replace('{{ user }}', input_user)
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-example
spec:
  containers:
  - name: my-container
    image: nginx:latest
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_ADMIN"]
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
```

```ini
[Unit]
Description=Auto-patch service
After=network.target

[Service]
ExecStart=/usr/local/bin/patch.sh
Restart=on-failure
User=root
```
Refer to the exhibit.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-server
spec:
  containers:
  - name: nginx
    image: nginx:latest
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
    volumeMounts:
    - name: host-volume
      mountPath: /data
  volumes:
  - name: host-volume
    hostPath:
      path: /var/data
      type: Directory
```

```console
# kubectl describe pod my-app-pod
Name:         my-app-pod
Namespace:    default
Node:         worker-node-1/192.168.1.10
Start Time:   Tue, 15 Aug 2023 14:30:00 UTC
Labels:       app=my-app
Annotations:  none
Status:       Running
Containers:
  my-app-container:
    Container ID:   docker://abc123
    Image:          myregistry.com/my-app:v1.0
    Image ID:       docker-pullable://myregistry.com/my-app@sha256:xyz
    Port:           8080/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Tue, 15 Aug 2023 14:30:05 UTC
    Ready:          True
    Restart Count:  0
    Environment:
      DB_PASSWORD:  <set to the key 'db-password' in secret 'db-secret'>  Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-abc (ro)
```

An organization is migrating its on-premises monolithic application to a containerized microservices architecture on a Kubernetes cluster. The development team has created a set of Docker images that are stored in a private registry. The security team requires that all container images be scanned for vulnerabilities before deployment. The current CI/CD pipeline uses Jenkins to build images, push them to the registry, and then deploy to Kubernetes via kubectl. The scanning is performed by a tool that generates a report, but developers have been ignoring critical vulnerabilities and deploying anyway. The security team wants to enforce a policy that blocks deployment if the image has any critical or high-severity vulnerabilities. Additionally, the cluster must ensure that containers run with the least privilege and that secrets are not exposed in environment variables. The operations team is concerned about performance overhead from runtime security monitoring.
Which of the following approaches best addresses these requirements while minimizing operational overhead?
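As an added example (not part of the question bank and not one of its answer options), the following Python gate shows the two pre-deployment checks the scenario asks for: it blocks on any critical or high-severity finding in a scan report, and it rejects a Pod manifest that does not run as non-root, allows privilege escalation, adds capabilities, or delivers secrets through environment variables. The report shape, the `SECRET_NAME_RE` heuristic, the function names, the sample manifests and the `CVE-0000-000x` identifiers are all constructed for this example and do not correspond to any real scanner or CVE.

```python
import json
import re

# Policy from the scenario: any critical or high finding blocks the deploy.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
# Constructed heuristic: env var names that suggest a secret value.
SECRET_NAME_RE = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)


def blocking_findings(report_json):
    """Return IDs of findings whose severity is critical or high.

    The report shape is constructed for this example, not a real scanner's:
    {"vulnerabilities": [{"id": ..., "severity": ...}, ...]}.
    Severity is compared case-insensitively because tools differ.
    """
    report = json.loads(report_json)
    return [
        v["id"]
        for v in report.get("vulnerabilities", [])
        if str(v.get("severity", "")).upper() in BLOCKING_SEVERITIES
    ]


def pod_spec_violations(pod):
    """Return least-privilege and secret-handling violations for a parsed Pod dict."""
    violations = []
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation is not false")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            violations.append(f"{name}: adds capabilities {sorted(added)}")
        for env in c.get("env") or []:
            env_name = env.get("name", "")
            if "value" in env and SECRET_NAME_RE.search(env_name):
                violations.append(f"{name}: env {env_name} holds a literal secret")
            if "secretKeyRef" in (env.get("valueFrom") or {}):
                # Env-sourced Secrets are visible in `kubectl describe`, crash
                # dumps and child processes; the scenario wants them kept out
                # of the environment (e.g. mounted as files instead).
                violations.append(f"{name}: env {env_name} exposes a Secret via the environment")
    return violations


def deployment_gate(report_json, pod):
    """Combine both checks; the pipeline stage fails when 'allowed' is False."""
    cves = blocking_findings(report_json)
    violations = pod_spec_violations(pod)
    return {"allowed": not cves and not violations,
            "blocking_cves": cves, "violations": violations}


# Constructed sample inputs (placeholder CVE IDs, not real vulnerabilities).
SAMPLE_SCAN_REPORT = json.dumps({"vulnerabilities": [
    {"id": "CVE-0000-0001", "severity": "CRITICAL"},
    {"id": "CVE-0000-0002", "severity": "medium"},
    {"id": "CVE-0000-0003", "severity": "High"},
]})
CLEAN_SCAN_REPORT = json.dumps({"vulnerabilities": []})

# Parsed-YAML form of a manifest shaped like the exhibits above.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "my-app-pod"},
              "spec": {"containers": [{
                  "name": "my-app-container", "image": "myregistry.com/my-app:v1.0",
                  "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
                  "env": [
                      {"name": "DB_PASSWORD",
                       "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "db-password"}}},
                      {"name": "API_TOKEN", "value": "constructed-literal"},
                  ]}]}}

HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "my-app-pod"},
                "spec": {"containers": [{
                    "name": "my-app-container", "image": "myregistry.com/my-app:v1.0",
                    "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True},
                    "env": [{"name": "LOG_LEVEL", "value": "info"}],
                    "volumeMounts": [{"name": "db-creds", "mountPath": "/run/secrets/db", "readOnly": True}]}],
                         "volumes": [{"name": "db-creds", "secret": {"secretName": "db-secret"}}]}}

if __name__ == "__main__":
    print(json.dumps(deployment_gate(SAMPLE_SCAN_REPORT, SAMPLE_POD), indent=2))
    print(json.dumps(deployment_gate(CLEAN_SCAN_REPORT, HARDENED_POD), indent=2))
```

Run as a pipeline stage between the scan and `kubectl apply`, a non-zero exit on `allowed == False` makes the gate unskippable; the same manifest rules can later be mirrored in an admission policy so that a direct `kubectl` outside the pipeline is held to the same standard.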