Question 3
Domain 1: Cluster Setup
A managed Kubernetes service controls the control-plane nodes. Which kube-bench result should you interpret most carefully?
Correct answer: B
Explanation
Managed Kubernetes services control the control plane, so kube-bench findings about host-level control-plane flags may be outside your direct administration. CIS/kube-bench audits cover “hardening etcd, kubelet, kube-apiserver, kube-controller-manager, kube-scheduler,” but on managed platforms you should weigh only the settings you can actually change.
Why each option is right or wrong
A. A finding about a Pod label typo
Pod labels are workload metadata, not control-plane host settings.
B. A finding about control-plane host flags you cannot directly administer
CIS Kubernetes Benchmark sections for the control plane cover host-level settings on kube-apiserver, kube-controller-manager, and kube-scheduler, and kube-bench reports those as node checks. On a managed control plane, those flags are administered by the provider, so a failure there is not necessarily actionable for you; by contrast, findings on worker-node components or namespace/pod settings are usually within your scope.
C. A finding about a namespaced RoleBinding you created
RoleBindings are namespaced RBAC objects you can directly manage.
D. A finding about a container image digest mismatch
Image digest checks belong to supply-chain verification, not kube-bench control-plane auditing.