Chapter 32 Quiz: Container and Kubernetes Security

Test your understanding of container and Kubernetes security concepts, attack techniques, and defensive strategies.

Question 1: Which Linux kernel feature provides process isolation by giving each container its own view of system resources such as PIDs, network interfaces, and mount points?

A) Cgroups B) Namespaces C) SELinux D) Seccomp

Question 2: A penetration tester discovers that a Docker container was started with the --privileged flag. Which of the following is the most accurate description of the security impact?

A) The container runs with the same user permissions as the Docker daemon B) The container can access host devices, bypass AppArmor/SELinux, and effectively has full host capabilities C) The container can communicate with other containers on the same network D) The container has read-only access to the host filesystem

Question 3: During a container security assessment, you find /var/run/docker.sock mounted inside a container. What is the most significant risk this presents?

A) The container can read Docker daemon log files B) The container can create new containers with arbitrary configurations, including host filesystem mounts C) The container can restart itself if it crashes D) The container can monitor resource usage of other containers

Question 4: A developer removed a secret from a Docker image by adding RUN rm /app/secrets.json in a subsequent Dockerfile layer. Is the secret still accessible? Why or why not?

A) No, the rm command permanently deletes the file from all layers B) Yes, because Docker images are composed of additive layers, and the secret persists in the earlier layer where it was added C) No, Docker automatically squashes layers that contain delete operations D) Yes, but only if the image was built without the --squash flag

Question 5: Which Kubernetes component stores all cluster state, including Secrets in plaintext by default, and represents one of the highest-value targets in a cluster assessment?

A) kube-apiserver B) kube-scheduler C) etcd D) kube-controller-manager

Question 6: You are inside a Kubernetes pod and want to determine what actions your service account can perform. Which command provides this information?

A) kubectl get serviceaccount B) kubectl auth can-i --list C) kubectl describe pod D) kubectl cluster-info

Question 7: A Kubernetes ClusterRole contains the following rule: apiGroups: ["*"], resources: ["*"], verbs: ["*"]. What does this mean from a security perspective?

A) The role has read-only access to all resources B) The role can only manage pods and services C) The role has unrestricted access to all Kubernetes API resources—equivalent to cluster-admin D) The role can manage all resources within a single namespace

Question 8: Kubernetes Secrets are stored using which encoding method by default (NOT encryption)?

A) AES-256 B) SHA-256 hash C) Base64 D) ROT13

Question 9: During a Kubernetes penetration test, you discover that no NetworkPolicies exist in any namespace. What is the security implication?

A) Pods can only communicate with pods in the same namespace B) All pod-to-pod communication is denied by default C) Any pod can communicate with any other pod in the cluster without restriction D) External traffic is blocked but internal communication is allowed

Question 10: Which attack technique involves planting malicious instructions in container images hosted on public registries with names similar to popular legitimate images?

A) Dependency confusion B) Typosquatting C) Tag mutability exploitation D) Layer injection

Question 11: The kubelet API (port 10250) on a Kubernetes worker node is accessible without authentication. What can an attacker do?

A) Only view node resource utilization metrics B) List pods on that node and execute commands in any pod, bypassing Kubernetes RBAC C) Modify the Kubernetes API server configuration D) Access the etcd database directly

Question 12: Which tool automates checking Docker host and container configurations against the CIS Docker Benchmark?

A) Trivy B) kube-hunter C) Docker Bench for Security D) Falco

Question 13: In a cloud-hosted Kubernetes cluster (e.g., AWS EKS), an attacker compromises a pod and accesses http://169.254.169.254/latest/meta-data/iam/security-credentials/. What are they targeting?

A) The Kubernetes API server credentials B) The cloud provider's Instance Metadata Service to obtain temporary IAM credentials C) The Docker registry authentication tokens D) The etcd encryption keys

Question 14: Which container runtime provides additional isolation by implementing an application kernel that intercepts system calls, preventing direct host kernel interaction?

A) runc B) containerd C) gVisor (runsc) D) CRI-O

Question 15: A Kubernetes admission controller rejects a pod deployment because the image uses the latest tag. What security principle does this enforce?

A) Network segmentation B) Immutability and reproducibility of deployments through explicit image versioning C) Encryption at rest D) Least privilege access

Question 16: During a container assessment, you use nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash from inside a privileged container. What does this command accomplish?

A) Creates a new namespace for the container B) Enters the host's namespaces by targeting PID 1, effectively escaping the container C) Restarts the container with new isolation parameters D) Lists all namespaces available to the container

Question 17: Which of the following is the MOST effective defense against Docker image supply chain attacks?

A) Running containers as root for better compatibility B) Using the latest tag to always get the newest version C) Referencing images by SHA256 digest and enforcing image signing with cosign or Notary D) Pulling images only from Docker Hub's official library

Question 18: An organization uses Kubernetes Secrets for database credentials but has not enabled encryption at rest for etcd. What additional risk does this introduce beyond base64 encoding?

A) No additional risk—base64 is sufficient encryption B) Anyone with filesystem access to the etcd data directory can read all Secrets in plaintext C) The Secrets are encrypted by Kubernetes automatically regardless of etcd settings D) Only cluster-admin users can access etcd data files

Answer Key

1: B — Namespaces provide isolation of system resources (PIDs, network, mounts, etc.). Cgroups limit resource usage. SELinux and seccomp provide access control and system call filtering, respectively.

2: B — The --privileged flag disables almost all containment mechanisms, granting the container full access to host devices, the ability to bypass MAC systems like AppArmor and SELinux, and effectively all Linux capabilities.

3: B — The Docker socket provides full control over the Docker daemon. An attacker can create new containers with host filesystem mounts, privileged mode, or any other configuration, enabling complete host compromise.

4: B — Docker images use a union filesystem with additive layers. Deleting a file in a later layer only adds a "whiteout" marker; the original file remains in its layer and can be extracted using docker save and tar.

5: C — etcd stores all cluster state, including Secrets. Directly accessing etcd bypasses all RBAC controls. By default, Secrets in etcd are not encrypted at rest.

6: B — kubectl auth can-i --list shows all permissions for the current user or service account. This is the primary tool for RBAC enumeration during a penetration test.

7: C — Wildcards in apiGroups, resources, and verbs grant unrestricted access to all Kubernetes API operations, which is functionally equivalent to the built-in cluster-admin ClusterRole.

8: C — Kubernetes Secrets are base64-encoded, not encrypted. This is a common misconception; base64 is an encoding scheme that provides no confidentiality. Encryption at rest must be explicitly configured.

9: C — Without NetworkPolicies, Kubernetes allows all pod-to-pod communication by default. There is no network segmentation between namespaces or pods unless explicitly implemented.

10: B — Typosquatting involves publishing malicious packages or images with names similar to popular legitimate ones, exploiting typographical errors by users.

11: B — An unauthenticated kubelet API allows listing all pods on the node and executing commands in any pod. This bypasses Kubernetes RBAC because the kubelet API operates independently of the API server's authorization.

12: C — Docker Bench for Security is the official automated CIS Docker Benchmark checking tool. Trivy scans for vulnerabilities, kube-hunter tests Kubernetes, and Falco provides runtime monitoring.

13: B — The IP 169.254.169.254 is the cloud provider's Instance Metadata Service (IMDS). On AWS, this path returns temporary IAM credentials associated with the instance's IAM role.

14: C — gVisor (runsc) implements an application kernel in user space that intercepts and handles system calls, preventing containers from directly interacting with the host kernel. This mitigates kernel exploitation escape techniques.

15: B — Rejecting the latest tag enforces explicit image versioning. The latest tag is mutable and can be overwritten, making deployments non-reproducible and vulnerable to tag manipulation attacks.

16: B — nsenter enters existing namespaces. By targeting PID 1 (the host's init process) with all namespace flags, the command enters the host's mount, UTS, IPC, network, and PID namespaces—effectively providing a host shell from within the container.

17: C — SHA256 digest references are immutable and cannot be overwritten. Combined with image signing (cosign/Notary) and verification at deployment, this provides the strongest supply chain integrity guarantee.

18: B — Without encryption at rest, etcd stores Secrets in plaintext on disk. Anyone with access to the etcd data directory or etcd backup files can read all Secrets without needing Kubernetes authentication or RBAC permissions.