ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization is moving a set of microservices from virtual machines to a provider-hosted Kubernetes service. As part of updating the cloud reference architecture, you must ensure that the new container platform aligns with secure-by-design principles adopted in the DevSecOps pipeline. Which design choice BEST addresses container security risks while maintaining the agility benefits that motivated the migration?
Run each microservice in a separate VM inside the cluster so that a hypervisor provides isolation in addition to the container engine.
Require all images to be digitally signed and enforce an admission controller that rejects unsigned or out-of-date images before they are scheduled.
Deploy application containers directly on bare-metal worker nodes using a user-space sandbox such as gVisor to avoid kernel overhead.
Replace the container approach with provider serverless functions, shifting all security responsibility to the cloud service provider.
A secure cloud reference architecture for containers must mitigate two high-impact risks highlighted in widely cited guidance: supply-chain compromise of images and weak runtime isolation. Enforcing mandatory image signing and using a Kubernetes admission controller that blocks unsigned or un-vetted images tackles the supply-chain threat at the earliest point of deployment, aligning with DevSecOps shift-left principles while still leveraging the lightweight isolation already provided by Linux namespaces and cgroups. Deploying every microservice in its own virtual machine adds substantial operational overhead and does nothing to assure image provenance. Relying solely on a user-space sandbox like gVisor reduces kernel-escape risk but still allows untrusted or vulnerable images to reach production. Migrating to serverless functions changes the execution model and transfers only a subset of security duties to the provider, leaving responsibilities such as code security, IAM, and data protection with the customer. Consequently, mandatory image signing enforced by an admission controller is the most balanced and effective design choice.
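The explanation above describes the control in one sentence; the following added example (not part of the original question or of any Kubernetes project code) shows what the admission decision actually looks like. It models a validating webhook that receives an AdmissionReview for a Pod, requires every image to be pinned by digest, looks the digest up in a signature store, checks the signature against a trusted-signer set, and rejects images whose signature is older than a maximum age (the "out-of-date" case). The signature store, signer keys, digests and dates are all constructed; HMAC-SHA256 stands in for the public-key signature check a real verifier such as cosign or Notation would perform.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed trust store: signer name -> key. A real policy holds public keys
# and verifies a digital signature; HMAC is a stand-in so the example runs offline.
TRUSTED_SIGNER_KEYS = {"ci-pipeline": b"constructed-ci-pipeline-key"}
MAX_IMAGE_AGE = timedelta(days=30)           # policy: reject signatures older than this
DIGEST_REF = re.compile(r"^(?P<name>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def _mac(key: bytes, digest: str) -> str:
    """Stand-in for signature creation/verification over the image digest."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def make_signature_record(digest, signer_key, signer, signed_at):
    return {"signer": signer, "signed_at": signed_at, "sig": _mac(signer_key, digest)}


# Constructed signature store: what a registry or transparency log would serve.
GOOD_DIGEST = "sha256:" + "a" * 64
STALE_DIGEST = "sha256:" + "b" * 64
FORGED_DIGEST = "sha256:" + "c" * 64
SIGNATURE_STORE = {
    GOOD_DIGEST: make_signature_record(
        GOOD_DIGEST, TRUSTED_SIGNER_KEYS["ci-pipeline"], "ci-pipeline", "2024-06-01T00:00:00+00:00"),
    STALE_DIGEST: make_signature_record(
        STALE_DIGEST, TRUSTED_SIGNER_KEYS["ci-pipeline"], "ci-pipeline", "2024-01-01T00:00:00+00:00"),
    # Claims to be ci-pipeline but was produced with a key the cluster does not trust.
    FORGED_DIGEST: make_signature_record(
        FORGED_DIGEST, b"unknown-key", "ci-pipeline", "2024-06-01T00:00:00+00:00"),
}


def evaluate_image(image_ref, now):
    """Return (allowed, reason) for one container image reference."""
    m = DIGEST_REF.match(image_ref)
    if not m:
        return False, f"{image_ref}: image must be pinned by digest (tags are mutable)"
    digest = m.group("digest")
    rec = SIGNATURE_STORE.get(digest)
    if rec is None:
        return False, f"{image_ref}: no signature found for digest"
    key = TRUSTED_SIGNER_KEYS.get(rec["signer"])
    if key is None or not hmac.compare_digest(rec["sig"], _mac(key, digest)):
        return False, f"{image_ref}: signature does not verify against a trusted signer"
    age = now - datetime.fromisoformat(rec["signed_at"])
    if age > MAX_IMAGE_AGE:
        return False, f"{image_ref}: signed {age.days} days ago, exceeds {MAX_IMAGE_AGE.days}-day max"
    return True, f"{image_ref}: verified"


def review_admission(review, now):
    """Validating-webhook decision in AdmissionReview v1 response shape."""
    req = review["request"]
    spec = req["object"].get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    failures = [reason for c in containers
                for ok, reason in [evaluate_image(c["image"], now)] if not ok]
    response = {"uid": req["uid"], "allowed": not failures}
    if failures:
        response["status"] = {"code": 403, "message": "; ".join(failures)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(uid, images):
    """Build a minimal AdmissionReview request for a Pod with the given images."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "object": {"kind": "Pod", "spec": {"containers": containers}}}}


NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)   # constructed "current time"

if __name__ == "__main__":
    for images in (["registry.example/app@" + GOOD_DIGEST],
                   ["registry.example/app:latest"],
                   ["registry.example/app@" + STALE_DIGEST],
                   ["registry.example/app@" + FORGED_DIGEST]):
        resp = review_admission(make_review("req-1", images), NOW)["response"]
        print(resp["allowed"], resp.get("status", {}).get("message", "admitted"))
```

Only the first Pod is admitted; the tagged, stale and forged images are each denied with a 403 status carrying the reason, which is what a scheduler-facing admission controller returns to kubectl or the CI pipeline. The digest-pinning check comes first because a signature bound to a mutable tag proves nothing about the bytes that will run.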
Cloud Concepts, Architecture and Design