The Restricted policy in Kubernetes is designed to enforce strict security constraints on containers, but it does allow certain capabilities that are considered safe and necessary for common container operations. Among the capabilities listed, NET_BIND_SERVICE is typically allowed under the Restricted policy because it is often needed for binding to network ports below 1024, which is a common requirement for many applications.
The Restricted policy in Kubernetes is designed to be very secure, so it only allows a minimal set of capabilities. SYS_CHROOT is considered safe enough because:
- It doesn't give elevated privileges
- It's often needed for container operations
- It can't be easily exploited
In Kubernetes, the Restricted policy is a security context that enforces tight constraints on what a container can do. When using the Restricted policy, the capabilities granted to containers are minimal and restricted to those necessary for basic functionality.
The CHOWN capability is typically allowed in restricted environments because it is essential for many applications to modify file ownership within the container.
D. NET_BIND_SERVICE
The Restricted policy in Kubernetes is designed to limit the capabilities that can be added to containers to enhance security. Among the options provided, NET_BIND_SERVICE is the capability allowed under the Restricted policy.
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
Reference: https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=add%20back%20the-,NET_BIND_SERVICE,-capability.%20This
https://kubernetes.io/docs/concepts/security/pod-security-standards/
Capabilities (v1.22+)
Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability. This is Linux only policy in v1.25+ (.spec.os.name != "windows")
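The rule quoted above (drop ALL, add back only NET_BIND_SERVICE, Linux-only from v1.25+) as an added example that is not part of the thread or the Kubernetes project's own code: a small checker that walks a pod spec, loaded as a plain dict, and reports each container that would fail the Restricted capabilities control. The sample pods are constructed.

```python
# Added example: check the "Capabilities (v1.22+)" control of the Kubernetes
# Restricted Pod Security Standard against a pod given as a plain dict
# (the shape yaml.safe_load or `kubectl get pod -o json` produces).

ALLOWED_ADD = {"NET_BIND_SERVICE"}          # the only capability Restricted lets you add back
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")

def restricted_capability_violations(pod: dict) -> list[str]:
    """Return one message per container violating the Restricted capabilities rule.

    Every container must list ALL under securityContext.capabilities.drop and may
    add nothing beyond NET_BIND_SERVICE. In v1.25+ the control is Linux-only, so a
    pod with spec.os.name == "windows" is exempt. Names are compared exactly, as
    the API treats capability names as literal strings.
    """
    spec = pod.get("spec", {})
    if (spec.get("os") or {}).get("name") == "windows":
        return []
    violations = []
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            name = c.get("name", "<unnamed>")
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            dropped = set(caps.get("drop") or [])
            added = set(caps.get("add") or [])
            if "ALL" not in dropped:
                violations.append(f"{field}/{name}: must drop ALL capabilities")
            extra = sorted(added - ALLOWED_ADD)
            if extra:
                violations.append(f"{field}/{name}: adds disallowed capabilities {extra}")
    return violations

# Constructed sample pods (not from any real cluster).
COMPLIANT_POD = {"spec": {"containers": [
    {"name": "web", "securityContext": {"capabilities": {
        "drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}

NONCOMPLIANT_POD = {"spec": {
    "containers": [{"name": "app", "securityContext": {"capabilities": {
        "drop": ["ALL"], "add": ["NET_BIND_SERVICE", "SYS_CHROOT"]}}}],
    "initContainers": [{"name": "setup"}]}}   # no securityContext: nothing dropped

WINDOWS_POD = {"spec": {"os": {"name": "windows"},
               "containers": [{"name": "svc"}]}}

if __name__ == "__main__":
    for label, pod in [("compliant", COMPLIANT_POD), ("noncompliant", NONCOMPLIANT_POD)]:
        print(label, restricted_capability_violations(pod) or "OK")
```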