A security team is hardening a Kubernetes cluster. They need to ensure that all control plane components run with the least privilege. Which approach should they take?
- A. Use seccomp profiles to block privilege escalation syscalls
  Why wrong: Seccomp restricts system calls but does not change the user the container runs as.
- B. Apply AppArmor profiles to all control plane pods
  Why wrong: AppArmor profiles restrict specific programs, but not the user context of the container.
- C. Configure control plane containers to run as a non-root user and with a read-only root filesystem
  Why correct: This directly reduces privileges by avoiding root execution and preventing writes to the filesystem.
- D. Enable PodSecurityPolicy with 'MustRunAsNonRoot' for control plane namespaces
  Why wrong: PodSecurityPolicy is deprecated in Kubernetes 1.21+ and removed in 1.25. Also, it does not enforce a read-only filesystem.