Questions
- True or false – containers are "lightweight VMs."
- True
- False
- Can a container access resources from its host?
- No, it's isolated.
- If marked as privileged, yes.
- Only if explicitly granted by a policy.
- Sometimes.
- How could an attacker gain access to a cluster through a container?
- A bug in the container's application can lead to a remote code execution, which can be used in a breakout of a vulnerable container, and is then used to get the kubelet's credentials.
- Compromised credentials with the ability to create a container in one namespace can be used to create a container that mounts the node's filesystem to get the kubelet's credentials.
- Both of the above.
- How does the
PodSecurityPolicy
admission controller determine which policy to apply to a Pod?- By reading an...