Question 36
Domain 5: Supply Chain SecurityWhat is the primary role of KubeLinter or a similar manifest-focused static analysis tool?
Correct answer: A
Explanation
KubeLinter is a manifest-focused static analysis tool, so its job is to inspect Kubernetes YAML before it is applied. Its primary role is to "detect risky Kubernetes configuration patterns before deployment," helping catch misconfigurations early.
Why each option is right or wrong
A. Detect risky Kubernetes configuration patterns before deployment
KubeLinter operates on Kubernetes manifests at the static-analysis stage, so it inspects YAML definitions before any `kubectl apply` or controller reconciliation occurs. Its purpose is to flag insecure or risky configuration patterns in the manifest itself—such as privileged containers, missing resource limits, or unsafe host access—rather than monitoring a live cluster or enforcing policy at runtime.
B. Encrypt Service traffic in transit
Encrypting Service traffic is typically handled by TLS, service meshes, or network components, not manifest linting.
C. Rotate ServiceAccount tokens
Token rotation is an identity and credential lifecycle function, not static YAML analysis.
D. Benchmark the host OS against CIS
CIS host OS benchmarking assesses node operating systems, whereas KubeLinter reviews Kubernetes manifests.