Question 23
Domain 4: Minimize Microservice Vulnerabilities
A Kubernetes security team is updating cluster policy after a control used to enforce pod-level restrictions was deprecated. Which mechanism should they adopt to replace PodSecurityPolicy for this purpose?
Correct answer: B
Explanation
Because PodSecurityPolicy (PSP) is deprecated, pod-level security enforcement should be migrated to Pod Security Admission (PSA). The key distinction is that PSP is the deprecated mechanism, while PSA is the replacement admission approach. — cks_syllabus.txt
Why each option is right or wrong
A. Continue using PodSecurityPolicy as the preferred long-term control
PodSecurityPolicy is deprecated and is not the replacement mechanism.
B. Adopt Pod Security Admission to enforce pod security requirements
The source material explicitly identifies migration from PodSecurityPolicy (deprecated) to PSA. In this scenario, the deprecated pod-level restriction mechanism is PodSecurityPolicy, so the replacement to adopt is Pod Security Admission (PSA).
C. Replace PodSecurityPolicy with a general Kubernetes deprecation policy
PSA is the named migration target; a deprecation policy does not enforce pod security rules.
D. Use PodSecurityPolicy only for system pods and PSA for application pods
The source material states migration from PodSecurityPolicy to PSA, not a split-use model.