ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization is refactoring a monolithic web shop into several microservices that will be deployed as containers on a managed Kubernetes cluster. Security wants the strongest possible runtime isolation so that, even if an attacker obtains root inside one container, they cannot escape to the node's kernel or gain access to other namespaces-without forcing developers to rewrite code. Which approach best meets this requirement?
Apply custom AppArmor profiles to every node to limit the system calls available to containers.
Enable Kubernetes PodSecurityPolicies to drop all privileged capabilities and enforce non-root containers.
Create default-deny Kubernetes network policies between namespaces and only whitelist required service ports.
Run each microservice with a hypervisor-isolated container runtime (e.g., Kata Containers) so every pod executes inside a lightweight VM.
Lightweight hypervisor-based runtimes such as Kata Containers launch each pod inside its own micro-VM. Because the guest kernel is separated from the host kernel by hardware virtualization boundaries, a compromise inside the container does not give the attacker direct access to the host or to containers in other namespaces.
PodSecurityPolicies and AppArmor profiles can remove Linux capabilities and restrict system calls, but the workload still shares the host kernel, so a kernel-level escape remains possible. Kubernetes network policies control East-West traffic but provide no protection against host breakout. Therefore, using a hypervisor-isolated container runtime offers the strongest containment with minimal application changes.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Kata Containers and how do they provide isolation?
Open an interactive chat with Bash
How does hardware virtualization protect the kernel in the context of Kubernetes?
Open an interactive chat with Bash
What are the limitations of PodSecurityPolicies and AppArmor profiles compared to hypervisor isolation?
Open an interactive chat with Bash
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Application Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .