Question 16
Domain 4: Minimize Microservice Vulnerabilities
Which workload choice most weakens container isolation?
Correct answer: B
Explanation
Using hostPID, hostIPC, and privileged access breaks the normal namespace and privilege boundaries that isolate a Pod from the node and other workloads. These settings let the container share the host’s process and IPC spaces and gain elevated control, so they should only be used when strictly required.
Why each option is right or wrong
A. Using a distinct RuntimeClass for sandboxed workloads
A sandboxed RuntimeClass generally adds stronger runtime isolation rather than weakening it.
B. Running the Pod with hostPID, hostIPC, and privileged access when not strictly required
Kubernetes Pod security settings are governed by the Pod Security Standards and the Linux namespace model: `hostPID: true` joins the host’s PID namespace, `hostIPC: true` joins the host’s IPC namespace, and `privileged: true` grants the container essentially all Linux capabilities plus access to host devices. In a normal Pod, each of these boundaries is separate; removing all three at once most directly collapses process, IPC, and privilege isolation, which is why this workload choice most weakens container isolation.
C. Dropping unused capabilities
Dropping unused capabilities reduces the container’s privilege set and improves isolation.
D. Disabling automatic API token mounts
Disabling automatic API token mounts limits credential exposure, not namespace isolation.