Platform Security Questions
Practice questions for the Platform Security topic in Kubernetes and Cloud Native Security Associate. 32 questions covering this domain.
A platform team wants a serverless layer for stateless HTTP workloads on Kubernetes that can automatically scale down to zero when idle. Which project...
Which certificate relationship is used when the API server authenticates to etcd?
Which Prometheus ecosystem component handles alert deduplication, grouping, routing, silences, and inhibition?
A cluster administrator is reviewing admission behavior for deployment safety. Which statement is correct?
Which tool does the Kubernetes project document for verifying signed Kubernetes binaries and images?
Which mechanism replaces deprecated SSH tunnels for control plane to node communication?
A RuntimeClass is configured with a scheduling.nodeSelector that targets only hardened nodes. A Pod using that RuntimeClass also sets its own nodeSele...
How does Prometheus primarily collect metrics from targets?
Which CNCF policy engine uses Kubernetes-native YAML policies (no Rego) to validate, mutate, and generate resources via a dynamic admission webhook?
Which Linux kernel feature filters and audits the system calls that a container process is allowed to invoke, and is referenced by the Pod Security St...
Within Sigstore, which component is the public, append-only transparency log that records signing events for artifacts and attestations?
An Istio mesh administrator must allow only Pods with ServiceAccount `frontend` in namespace `web` to call the `payments` Service on path `/charge`. W...
Which CNCF supply-chain framework defines progressively stronger levels (L1 through L3+) for software build integrity and provenance?
A platform team wants build-time provenance attestations that are signed and verifiable, including who built what from which source. Which CNCF specif...
An organization wants to enforce mTLS between every workload-to-workload connection without modifying application code. Which cloud native pattern mos...
Which two Linux subsystems are examples of Mandatory Access Control (MAC) used to confine container processes beyond standard DAC permissions?
Which statement correctly contrasts AppArmor and SELinux?
A node must pull private images for static Pods before the API server is reachable. Which approach is most robust?
Which statement about privileged containers is correct from a platform hardening perspective?
Which control set is most appropriate as a baseline for namespace-based multi-tenancy?