Question 194 of 1,152
Security Architecture · Hard · Multiple Select · Objective-mapped

Quick Answer

The answer is to run containers with minimum Linux capabilities and a read-only root filesystem, enforce signed images from an approved registry, and implement namespace isolation. These three actions directly address the core threats in a shared cluster: a compromised container with excessive privileges can escape its namespace to access another team’s data, while an unsigned image could be an altered, malicious deployment. On the Security+ SY0-701 exam, this scenario tests your understanding of Kubernetes container isolation and image integrity, specifically how defense-in-depth layers like image signing (via Docker Content Trust or Notary) and vulnerability scanning prevent tampered images from reaching runtime. A common trap is focusing only on network policies or secrets management, but the question explicitly targets image integrity and container escape risks. Remember the mnemonic “S.I.M.” (Signed images, Isolation by namespace, and Minimal capabilities) to recall the three pillars of container security tested here.

SY0-701 Security Architecture Practice Question

This SY0-701 practice question tests your understanding of security architecture. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A development team runs multiple customer workloads in a shared Kubernetes cluster. Security wants to reduce the risk that one compromised container can read another team's data or deploy an altered image. Which three actions best improve the design? Select three.

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Correct answer & explanation

Require signed, scanned images from an approved registry before deployment.

Requiring signed, scanned images from an approved registry ensures that only trusted images that have been checked for known vulnerabilities are deployed. Image signing (e.g., using Docker Content Trust or Notary) verifies the image's integrity and origin, preventing tampered images from being deployed. Scanning catches known vulnerabilities before runtime, reducing the attack surface. This directly addresses the risk of deploying an altered image.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Require signed, scanned images from an approved registry before deployment.

    Why this is correct

    Image signing and scanning help ensure the cluster only deploys trusted builds that have been checked for known vulnerabilities. Using an approved registry adds supply-chain control and reduces the chance of pulling tampered or unreviewed images. This directly addresses the risk of altered or unsafe container content entering production.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Run each container as root so file permissions inside the container do not block apps.

    Why it's wrong here

    Running containers as root increases the impact of a compromise and weakens isolation. It is easier for attackers to abuse privileged processes or escape into host resources when applications run with unnecessary rights. The goal is to reduce privilege, not expand it for convenience.

  • Use namespaces and network policies to separate the workloads by trust zone.

    Why this is correct

    Namespaces and network policies provide logical separation inside a shared cluster, which is essential when multiple teams or customers coexist. They help prevent one workload from freely reaching another workload's services or data. This is the container equivalent of segmentation and supports tenant isolation.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Mount the host filesystem into every pod so support staff can troubleshoot more quickly.

    Why it's wrong here

    Mounting the host filesystem into pods greatly expands the damage a compromised container can do. It also creates unnecessary access to host resources and sensitive paths. Troubleshooting convenience is not worth the security tradeoff in a shared environment.

  • Run containers with the minimum Linux capabilities and a read-only root filesystem where possible.

    Why this is correct

    Dropping capabilities and using a read-only root filesystem reduce what an attacker can do even if a container is compromised. These settings limit privilege escalation paths and make persistent tampering harder. They are practical hardening controls that align with least privilege and stronger containment.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often think running containers as root is necessary for app functionality, but Kubernetes security best practices (and the CIS Benchmark for Kubernetes) explicitly require running containers with non-root users and read-only root filesystems to limit damage from a compromise.

Detailed technical explanation

How to think about this question

Kubernetes namespaces provide logical isolation, but network policies (using CNI plugins like Calico or Cilium) enforce micro-segmentation at the IP/port level, preventing lateral movement between pods in different trust zones. Image signing uses cryptographic signatures (e.g., with Sigstore Cosign) to ensure the image was produced by a trusted entity; scanning tools like Trivy or Grype check for CVEs in OS packages and application libraries. Together, these controls enforce supply chain security and network segmentation, which are critical in multi-tenant clusters.
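The pod-level controls from the option breakdown (non-root user, dropped capabilities, read-only root filesystem, no host filesystem mount, approved registry) can be checked statically before deployment. The following is an added example, not part of the original question bank; the registry name and both sample manifests are constructed, and namespace and network policy checks are not covered.

```python
# Added example: static audit of a parsed Pod manifest (a dict) for the
# pod-level controls discussed above. Signature verification itself needs an
# admission controller and is out of scope here.
APPROVED_REGISTRY = "registry.example.internal/"  # assumption: placeholder name


def audit_pod(pod, approved_registry=APPROVED_REGISTRY):
    """Return a list of findings; an empty list means every check passed."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath mount of {vol['hostPath']['path']}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        if not c.get("image", "").startswith(approved_registry):
            findings.append(f"{name}: image is not from the approved registry")
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and non_root is not True):
            findings.append(f"{name}: may run as root")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        dropped = [d.upper() for d in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append(f"{name}: default capabilities not dropped")
    return findings


# Constructed sample manifests (not from the page).
WEAK_POD = {"spec": {
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "docker.io/library/nginx:latest",
                    "securityContext": {"runAsUser": 0}}],
}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "app",
                    "image": "registry.example.internal/team-a/app:1.4.2",
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod))
```

In a cluster the same checks are normally enforced at admission time rather than by an offline script, so a non-compliant pod is rejected instead of reported.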

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026
