During a security audit, you discover that a container running as root inside a pod has been compromised. The pod uses the default service account. Which two measures should you implement to harden the cluster? (Select TWO)
Trap 1: Apply a PodSecurityPolicy that restricts containers from running as…
PSP is deprecated and replaced by Pod Security Admission; also it does not prevent token mounting.
Trap 2: Create a new service account with no roles bound and assign it to…
The pod would still use the default SA if not explicitly set, and the new SA without roles still has no access but does not prevent mounting of the default SA token.
Trap 3: Set automountServiceAccountToken: false in the pod spec.
This only affects that pod, not the default SA, and the question asks for measures to harden the cluster globally.
- A
Apply a PodSecurityPolicy that restricts containers from running as root.
Why wrong: PSP is deprecated and replaced by Pod Security Admission; also it does not prevent token mounting.
- B
Create a new service account with no roles bound and assign it to the pod.
Why wrong: The pod would still use the default SA if not explicitly set, and the new SA without roles still has no access but does not prevent mounting of the default SA token.
- C
Edit the default service account to set automountServiceAccountToken: false.
Prevents automatic mounting of the default SA token in pods that do not specify a service account.
- D
Set automountServiceAccountToken: false in the pod spec.
Why wrong: This only affects that pod, not the default SA, and the question asks for measures to harden the cluster globally.
- E
Add securityContext: runAsNonRoot: true to the pod spec.
Ensures the container runs as a non-root user, reducing impact of compromise.