- A. Require signed, scanned images from an approved registry before deployment.
  Why correct: Image signing and scanning help ensure the cluster only deploys trusted builds that have been checked for known vulnerabilities. Using an approved registry adds supply-chain control and reduces the chance of pulling tampered or unreviewed images. This directly addresses the risk of altered or unsafe container content entering production.
- B. Run each container as root so file permissions inside the container do not block apps.
  Why wrong: Running containers as root increases the impact of a compromise and weakens isolation. It is easier for attackers to abuse privileged processes or escape into host resources when applications run with unnecessary rights. The goal is to reduce privilege, not expand it for convenience.
- C. Use namespaces and network policies to separate the workloads by trust zone.
  Why correct: Namespaces and network policies provide logical separation inside a shared cluster, which is essential when multiple teams or customers coexist. They help prevent one workload from freely reaching another workload's services or data. This is the container equivalent of segmentation and supports tenant isolation.
- D. Mount the host filesystem into every pod so support staff can troubleshoot more quickly.
  Why wrong: Mounting the host filesystem into pods greatly expands the damage a compromised container can do. It also creates unnecessary access to host resources and sensitive paths. Troubleshooting convenience is not worth the security tradeoff in a shared environment.
- E. Run containers with the minimum Linux capabilities and a read-only root filesystem where possible.
  Why correct: Dropping capabilities and using a read-only root filesystem reduce what an attacker can do even if a container is compromised. These settings limit privilege escalation paths and make persistent tampering harder. They are practical hardening controls that align with least privilege and stronger containment.
Quick Answer
The answer is to run containers with minimum Linux capabilities and a read-only root filesystem, enforce signed images from an approved registry, and implement namespace isolation. These three actions directly address the core threats in a shared cluster: a compromised container with excessive privileges can escape its namespace to access another team’s data, while an unsigned image could be an altered, malicious deployment. On the Security+ SY0-701 exam, this scenario tests your understanding of secure Kubernetes container isolation and image integrity—specifically how defense-in-depth layers like image signing (via Docker Content Trust or Notary) and vulnerability scanning prevent tampered images from reaching runtime. A common trap is focusing only on network policies or secrets management, but the question explicitly targets image integrity and container escape risks. Remember the mnemonic “S.I.M.”—Signed images, Isolation (namespace), and Minimal capabilities—to recall the three pillars of container security tested here.
SY0-701 Security Architecture Practice Question
This SY0-701 practice question tests your understanding of security architecture. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, compare your reasoning against the full explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A development team runs multiple customer workloads in a shared Kubernetes cluster. Security wants to reduce the risk that one compromised container can read another team's data or deploy an altered image. Which three actions best improve the design? Select three.
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Answer choices
Correct answer & explanation
Require signed, scanned images from an approved registry before deployment.
Requiring signed, scanned images from an approved registry ensures that only trusted images that have passed vulnerability scanning are deployed. Image signing (e.g., using Docker Content Trust or Notary) verifies the image's integrity and origin, preventing tampered images from being deployed. Scanning catches known vulnerabilities before runtime, reducing the attack surface. This directly addresses the risk of deploying an altered image.
Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓ Require signed, scanned images from an approved registry before deployment.
  Why this is correct: Image signing and scanning help ensure the cluster only deploys trusted builds that have been checked for known vulnerabilities. Using an approved registry adds supply-chain control and reduces the chance of pulling tampered or unreviewed images. This directly addresses the risk of altered or unsafe container content entering production.
  Clue confirmation: The clue word "best" in the question points toward this answer.
  Related concept: Read the scenario before looking for a memorised answer.
- ✗ Run each container as root so file permissions inside the container do not block apps.
  Why it's wrong here: Running containers as root increases the impact of a compromise and weakens isolation. It is easier for attackers to abuse privileged processes or escape into host resources when applications run with unnecessary rights. The goal is to reduce privilege, not expand it for convenience.
- ✓ Use namespaces and network policies to separate the workloads by trust zone.
  Why this is correct: Namespaces and network policies provide logical separation inside a shared cluster, which is essential when multiple teams or customers coexist. They help prevent one workload from freely reaching another workload's services or data. This is the container equivalent of segmentation and supports tenant isolation.
  Clue confirmation: The clue word "best" in the question points toward this answer.
  Related concept: Read the scenario before looking for a memorised answer.
- ✗ Mount the host filesystem into every pod so support staff can troubleshoot more quickly.
  Why it's wrong here: Mounting the host filesystem into pods greatly expands the damage a compromised container can do. It also creates unnecessary access to host resources and sensitive paths. Troubleshooting convenience is not worth the security tradeoff in a shared environment.
- ✓ Run containers with the minimum Linux capabilities and a read-only root filesystem where possible.
  Why this is correct: Dropping capabilities and using a read-only root filesystem reduce what an attacker can do even if a container is compromised. These settings limit privilege escalation paths and make persistent tampering harder. They are practical hardening controls that align with least privilege and stronger containment.
  Clue confirmation: The clue word "best" in the question points toward this answer.
  Related concept: Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often think running containers as root is necessary for app functionality, but Kubernetes security best practices (and the CIS Benchmark for Kubernetes) explicitly require running containers with non-root users and read-only root filesystems to limit damage from a compromise.
Detailed technical explanation
How to think about this question
Kubernetes namespaces provide logical isolation, but network policies (using CNI plugins like Calico or Cilium) enforce micro-segmentation at the IP/port level, preventing lateral movement between pods in different trust zones. Image signing uses cryptographic signatures (e.g., with Sigstore Cosign) to ensure the image was produced by a trusted entity; scanning tools like Trivy or Grype check for CVEs in OS packages and application libraries. Together, these controls enforce supply chain security and network segmentation, which are critical in multi-tenant clusters.
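To make the controls in the explanation above (and in the option on minimum capabilities and a read-only root filesystem) concrete, here is an added example that is not part of the original question page: a small Python audit that checks a Pod spec for the hardening settings discussed, run against a constructed weak spec and a constructed hardened spec. The registry name `registry.example.internal`, the all-zero digest and both Pod specs are assumptions made for illustration. The image check only enforces an approved registry and digest pinning; actual signature verification is done by the signing tool's policy enforcement (for example an admission controller), not by this script.

```python
"""Audit a Kubernetes Pod spec (as a Python dict) for the hardening controls
covered in the question: approved-registry images pinned by digest, non-root and
unprivileged containers, all Linux capabilities dropped, a read-only root
filesystem, and no host filesystem mounted into the pod.
Added example; the specs and registry name below are constructed, not real."""
from __future__ import annotations

APPROVED_REGISTRY = "registry.example.internal"  # assumption: the org's approved registry

# Constructed weak Pod: runs as root, privileged, mutable image tag, host filesystem mounted.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "billing-weak", "namespace": "tenant-a"},
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app",
            "image": "docker.io/library/nginx:latest",
            "securityContext": {"runAsUser": 0, "privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
    },
}

# Constructed hardened Pod: same workload with the corrected settings.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "billing", "namespace": "tenant-a"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "volumes": [{"name": "tmp", "emptyDir": {}}],  # writable scratch space, not the root fs
        "containers": [{
            "name": "app",
            "image": f"{APPROVED_REGISTRY}/billing/app@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "privileged": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}


def audit_pod(pod: dict, approved_registry: str = APPROVED_REGISTRY) -> list[str]:
    """Return one finding per missing control; an empty list means all checks passed."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})  # pod-level defaults, overridable per container

    # Host filesystem must never be mounted into a tenant pod.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']!r} mounts host path {vol['hostPath'].get('path')!r}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")

        # Image provenance: approved registry and an immutable digest reference.
        if not image.startswith(approved_registry + "/"):
            findings.append(f"{name}: image {image!r} is not from approved registry {approved_registry}")
        if "@sha256:" not in image:
            findings.append(f"{name}: image {image!r} is not pinned by digest")

        # Identity: non-root, not privileged, no privilege escalation.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not run_as_non_root or run_as_user == 0:
            findings.append(f"{name}: may run as root (set runAsNonRoot: true and a non-zero runAsUser)")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")

        # Containment: minimal capabilities and a read-only root filesystem.
        drops = {d.upper() for d in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in drops:
            findings.append(f"{name}: does not drop ALL capabilities")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Running the script reports eight findings for the weak Pod and none for the hardened one. The same checks are what a policy engine or admission controller would enforce cluster-wide; network policies, the other correct option, operate at the namespace level and are not visible in a Pod spec, so they are outside this checker's scope.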
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
FAQ
Questions learners often ask
What does this SY0-701 question test?
Security Architecture. This question tests Security Architecture: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Require signed, scanned images from an approved registry before deployment. Requiring signed, scanned images from an approved registry ensures that only trusted images that have passed vulnerability scanning are deployed. Image signing (e.g., using Docker Content Trust or Notary) verifies the image's integrity and origin, preventing tampered images from being deployed. Scanning catches known vulnerabilities before runtime, reducing the attack surface. This directly addresses the risk of deploying an altered image.
What should I do if I get this SY0-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 11, 2026
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.