Script Valley
Kubernetes: From Containers to Clusters
Security, RBAC, and Production Readiness/Assessment

Practice & Assessment

Test your understanding of Security, RBAC, and Production Readiness

Multiple Choice Questions

1. A Role is created in the 'staging' namespace granting 'list' on pods. A RoleBinding binds this Role to a ServiceAccount in the 'production' namespace. What is the effect?

2. A ResourceQuota is set in a namespace with `requests.cpu: 10`. A developer tries to create a Pod with no CPU request. What happens?

3. What type of disruption does a PodDisruptionBudget NOT protect against?

4. You set `automountServiceAccountToken: false` on a ServiceAccount. A Pod explicitly sets `automountServiceAccountToken: true` in its spec and uses this ServiceAccount. What happens?

5. Which security context setting prevents a process inside a container from gaining more privileges than its parent process?

Coding Challenges

1. Least-Privilege RBAC for a Monitoring Agent (Difficulty: Medium)

Create a namespace called 'app-ns'. Create a ServiceAccount named 'metrics-reader' in namespace 'monitoring'. Write a Role in 'app-ns' that allows the metrics-reader ServiceAccount to get, list, and watch pods and their logs only — no other resources or verbs. Create a RoleBinding in 'app-ns' binding the role to the ServiceAccount. Deploy a debug Pod using the metrics-reader ServiceAccount and verify with `kubectl auth can-i` that it can list pods in app-ns but cannot list Secrets or create Deployments. Expected output: `can-i list pods` returns yes; `can-i list secrets` returns no. Time estimate: 25 minutes.
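The challenge above asks you to reason about which namespace a RoleBinding grants access in when the subject ServiceAccount lives elsewhere. The following is an added example (not part of the course material) that models the Kubernetes RBAC decision for namespaced Role/RoleBinding objects over constructed manifests matching the challenge; the object names `pod-reader` and `metrics-reader-pods` are assumptions, and ClusterRoles, aggregation and `*/log`-style resource patterns are deliberately out of scope.

```python
# Constructed manifests mirroring the challenge (names pod-reader and
# metrics-reader-pods are assumed): Role in app-ns, bound to the
# metrics-reader ServiceAccount that lives in the monitoring namespace.
ROLE = {
    "metadata": {"name": "pod-reader", "namespace": "app-ns"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
               "verbs": ["get", "list", "watch"]}],
}
ROLE_BINDING = {
    "metadata": {"name": "metrics-reader-pods", "namespace": "app-ns"},
    "subjects": [{"kind": "ServiceAccount", "name": "metrics-reader",
                  "namespace": "monitoring"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}

def rule_allows(rule, verb, api_group, resource):
    """Verb, apiGroup and resource must all match; '*' is a wildcard.
    A subresource such as pods/log has to be listed explicitly."""
    hit = lambda values, want: "*" in values or want in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))

def can_i(roles, bindings, sa_ns, sa_name, verb, resource, namespace, api_group=""):
    """Model of `kubectl auth can-i --as=system:serviceaccount:<ns>:<name>`
    for namespaced Role/RoleBinding only (no ClusterRole). A RoleBinding
    grants only inside its own namespace and may only reference a Role
    there; the subject's own namespace does not decide where access applies."""
    role_index = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for rb in bindings:
        rb_ns = rb["metadata"]["namespace"]
        if rb_ns != namespace or rb["roleRef"]["kind"] != "Role":
            continue
        if not any(s["kind"] == "ServiceAccount" and s["namespace"] == sa_ns
                   and s["name"] == sa_name for s in rb["subjects"]):
            continue
        role = role_index.get((rb_ns, rb["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access

def challenge_checks():
    """The checks the challenge asks for, plus a cross-namespace one."""
    sa = ([ROLE], [ROLE_BINDING], "monitoring", "metrics-reader")
    return {
        "list pods app-ns": can_i(*sa, "list", "pods", "app-ns"),
        "get pods/log app-ns": can_i(*sa, "get", "pods/log", "app-ns"),
        "list secrets app-ns": can_i(*sa, "list", "secrets", "app-ns"),
        "create deployments app-ns": can_i(*sa, "create", "deployments", "app-ns", "apps"),
        "list pods production": can_i(*sa, "list", "pods", "production"),
    }
```

The last check shows why the binding's namespace, not the ServiceAccount's, is what scopes the grant: the same identity has no access to pods in 'production' because no RoleBinding exists there.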

Mini Project

1. Production-Ready Kubernetes Application (Difficulty: Hard)

Deploy a complete production-ready application stack in namespace 'production'. Requirements: (1) A 3-replica nginx Deployment with resource requests/limits, liveness and readiness probes, a hardened security context (nonRoot, readOnly filesystem, drop ALL capabilities), and a PodDisruptionBudget ensuring minAvailable=2. (2) A custom ServiceAccount with automountServiceAccountToken disabled, bound to a Role allowing only 'get' on ConfigMaps in the namespace. (3) A ResourceQuota capping the namespace at 4 CPUs and 8Gi memory with a LimitRange providing defaults. (4) A ConfigMap for non-sensitive config and a Secret for a mock API key, both injected into the Deployment. (5) ClusterIP Service and Ingress to expose the app. Test that: a Pod respects the security context (runs as nonRoot), the ResourceQuota is visible in namespace describe, and the ServiceAccount cannot list Secrets.