Question 28
Domain 3: System HardeningA worker node includes compilers, package repositories, and troubleshooting tools that production workloads never need. Why is that undesirable?
Correct answer: A
Explanation
Including compilers, package repositories, and troubleshooting tools increases the host’s attack surface. If an attacker compromises the node, those tools can be used to build malware, install additional packages, or diagnose defenses, so they "expand post-compromise capabilities for an attacker on the host."
Why each option is right or wrong
A. Those tools can expand post-compromise capabilities for an attacker on the host
Under the least-privilege / attack-surface principle, a production worker node should not retain build and admin utilities that are not required for runtime. In practice, tools like compilers, package managers, and diagnostics give an intruder on the host immediate capability to compile payloads, fetch additional software, and inspect the environment, which materially increases what can be done after initial compromise.
B. Kubernetes cannot schedule Pods on nodes with shell access
Kubernetes can schedule Pods on nodes regardless of ordinary shell access; scheduling is not based on that.
C. Compilers disable seccomp
Compilers do not inherently disable seccomp; seccomp is a separate kernel syscall-filtering control.
D. Package managers are required for RBAC
RBAC governs permissions in Kubernetes or AWS-integrated systems, not package manager availability on nodes.