You want to ensure that the Kubernetes Dashboard is accessed only by authenticated users with specific permissions. What is the BEST approach?
This ensures secure access with authentication and least privilege.
Why this answer
Option D is correct because the Kubernetes Dashboard should be secured using an Ingress controller with authentication (e.g., OIDC, basic auth, or client certificate) combined with fine-grained RBAC roles to restrict what each authenticated user can do. This ensures that only authorized users with specific permissions can access the Dashboard, following the principle of least privilege and cluster hardening best practices.
Exam trap
The trap here is that candidates often think network-level controls (NodePort + firewall) are sufficient for securing the Dashboard, but the CKS exam emphasizes that Kubernetes security requires authentication and authorization at the API level, not just network segmentation.
How to eliminate wrong answers
Option A is wrong because exposing the Dashboard via NodePort bypasses authentication and authorization, relying solely on network firewalls, which do not provide user-level access control or audit logging.
Option B is wrong because granting cluster-admin to all service accounts would give every service account full administrative privileges, violating the principle of least privilege and creating a massive security risk.
Option C is wrong because setting the Dashboard to use HTTP instead of HTTPS exposes all traffic in plaintext, allowing man-in-the-middle attacks and credential theft, and does not address authentication or authorization.