Question 2
Domain 6: Monitoring, Logging and Runtime Security
A security engineer wants a containerized workload to consume data from a mounted volume while preventing the application from modifying files in that mount at runtime. Which configuration best supports this goal?
Correct answer: B
Explanation
Use a read-only volume mount when a container must access mounted data without being able to change it at runtime. This helps preserve immutability by allowing reads while blocking writes through that mount. — cks_syllabus.txt
Why each option is right or wrong
A. Mount the volume with standard read-write access so the application can manage the files directly.
Standard read-write mounts allow file modification through the mount.
B. Mount the volume as read-only so the application can access the data without changing it.
The stated goal is to let the workload consume mounted data while preventing modification at runtime. A read-only volume mount directly matches that requirement by permitting access to the files in the mount without allowing writes through that mount.
C. Avoid mounting the volume and copy the data into the container so the files remain available.
The requirement is specifically about controlling access on a mounted volume.
D. Mount the volume normally and rely on the application to avoid writing to the files.
Immutability is enforced by mount configuration, not by application restraint alone.