Which kubectl command is used to check whether AppArmor is enabled and which profiles are loaded on a node?
Correct. aa-status shows AppArmor status and loaded profiles.
Why this answer
The `aa-status` command is a standard Linux utility that displays the status of AppArmor, including whether it is enabled and which profiles are loaded. Since AppArmor is a Linux Security Module (LSM) enforced at the node level, not a Kubernetes resource, you must use a node-level command like `aa-status` to check its status. This command directly queries the AppArmor module in the kernel and lists all loaded profiles.
Exam trap
The trap here is that candidates assume AppArmor can be managed like a Kubernetes resource using kubectl, but it is a node-level security module that must be checked with Linux-native commands, not Kubernetes API objects.
How to eliminate wrong answers
Option A is wrong because `kubectl get seccomp` is not a valid kubectl command; seccomp profiles are managed via pod security contexts or runtime classes, not through a dedicated kubectl subcommand. Option B is wrong because `kubectl get apparmor` is also invalid; AppArmor profiles are not Kubernetes API resources and cannot be retrieved with kubectl. Option D is wrong because `systemctl status apparmor` only checks the systemd service status, not whether AppArmor is enabled in the kernel or which profiles are loaded; the service may be running but AppArmor could be in complain mode or have no profiles loaded.