A cloud security architect is designing a secure CI/CD pipeline for a containerized application deployed on a Kubernetes cluster. The pipeline must ensure that only approved images are deployed. Which TWO of the following controls should be implemented? (Choose two.)
An admission controller enforces policy at admission time, before a Pod is persisted and scheduled, rejecting Pod specs that fail checks such as image signature verification.
Why this answer
Option B is correct because a Kubernetes admission controller (typically a validating admission webhook backed by a policy engine) evaluates every Pod spec before it is persisted, so a pod whose image lacks a valid signature from the trusted signing key is rejected and never runs. Combined with signing images in the pipeline, this meets the requirement that only approved images are deployed, because approval is verified at admission time rather than assumed from where the image came from.
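To make the admission-time check concrete, here is the decision logic of a validating admission webhook, written as an added example for this page (it is not code from the original question or from any product). The registry name, the stand-in signature store and all function names are assumptions; in production the signature check itself is performed by cosign, Sigstore policy-controller or Kyverno, while here it is a set lookup so the module runs offline. The example also covers two details the question text does not mention: images must be pinned by digest (a tag can be repointed after it was signed), and init and ephemeral containers must be checked as well as `spec.containers`.

```python
"""Decision logic for a Kubernetes validating admission webhook that admits a
Pod only if every image is from the approved registry, pinned by digest, and
that digest has a verified signature.

Added example for this page, not code from the original or from any product.
Assumptions (not in the source): the registry name, the stand-in signature
store, and all function names. In production the signature check is done by
cosign / Sigstore policy-controller / Kyverno; here it is a set lookup so the
module runs offline.
"""
import json

APPROVED_REGISTRY = "registry.example.com"   # assumption: the approved registry

# Constructed stand-in for "this digest carries a valid signature from the
# release key". A real webhook verifies the signature instead of a lookup.
GOOD_DIGEST = "sha256:" + "a" * 64
SIGNED_DIGESTS = {GOOD_DIGEST}


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).
    Docker's rule: the first path component is a registry only if it contains
    '.' or ':' or is 'localhost'; otherwise the image lives on docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:      # a ':' in the last component is a tag
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def check_image(ref):
    """Return None when the image is approved, otherwise the rejection reason."""
    registry, _repo, _tag, digest = parse_image(ref)
    if registry != APPROVED_REGISTRY:
        return f"{ref}: registry {registry!r} is not approved"
    if digest is None:
        return f"{ref}: not pinned by digest (tags are mutable)"
    if digest not in SIGNED_DIGESTS:
        return f"{ref}: no verified signature for {digest}"
    return None


def pod_images(pod):
    """Yield every image in the Pod spec. Checking only spec.containers is a
    classic bypass: init and ephemeral containers run unsigned code just as well."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            yield c.get("image", "")


def review(admission_review):
    """Evaluate an AdmissionReview and return the response document the API
    server expects: same apiVersion/kind, the request uid echoed back, and
    allowed plus a status message on denial."""
    req = admission_review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    is_pod = req.get("kind", {}).get("kind") == "Pod"
    if is_pod and req.get("operation") in ("CREATE", "UPDATE"):
        reasons = []
        for image in pod_images(req["object"]):
            reason = check_image(image)
            if reason:
                reasons.append(reason)
        if reasons:
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": admission_review["apiVersion"],
            "kind": "AdmissionReview", "response": resp}


def make_review(images, init_images=(), kind="Pod"):
    """Build a constructed AdmissionReview for a CREATE request (sample input)."""
    spec = {"containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]}
    if init_images:
        spec["initContainers"] = [{"name": f"i{i}", "image": img} for i, img in enumerate(init_images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "example-uid-0001",
                        "kind": {"group": "", "version": "v1", "kind": kind},
                        "operation": "CREATE", "object": {"kind": kind, "spec": spec}}}


if __name__ == "__main__":
    signed = f"{APPROVED_REGISTRY}/app/api@{GOOD_DIGEST}"
    for images, init in (([signed], ()),
                         ([f"{APPROVED_REGISTRY}/app/api:1.2.3"], ()),
                         ([signed], ["busybox:latest"])):
        print(json.dumps(review(make_review(images, init))["response"], indent=2))
```

Two deployment details matter as much as the logic: the ValidatingWebhookConfiguration that routes Pod CREATE/UPDATE requests to this handler must set `failurePolicy: Fail`, otherwise an unreachable webhook silently admits everything, and the policy should apply to workload controllers as well as bare Pods so that a denied Pod does not just leave a Deployment stuck in a retry loop with an unclear error.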
Exam trap
ISC2 often tests the distinction between controls that prevent unapproved images from ever running (image signing in the pipeline plus signature verification by an admission controller) and controls that manage access to the cluster or detect vulnerabilities in images but do not enforce approval at deployment time. A scanner can report that an image is bad, and access control can limit who may deploy, but neither stops an unsigned image that reaches the API server; only the admission-time check does.