Question 22
Domain 3: System Hardening
An organization wants administrators to reach a Kubernetes cluster without exposing the cluster endpoint to the public internet. Which approach best aligns with minimizing external network access for cluster administration?
Correct answer: B
Explanation
To minimize external exposure, use a private cluster endpoint and provide network-level connectivity from trusted environments rather than publishing the control plane publicly. — cks_syllabus.txt
Why each option is right or wrong
A. Expose the cluster endpoint publicly and restrict access only with administrator credentials
Private cluster endpoints avoid exposing the cluster endpoint to the public internet.
B. Use a private cluster endpoint and connect the administrator network through VPC peering
The stated goal is to avoid exposing the cluster endpoint publicly while still allowing administrator access. The source material explicitly identifies private cluster endpoints and VPC peering for cluster access as the relevant approach for minimizing external network access in this context.
C. Place the cluster endpoint on the public internet and rely on network monitoring to detect misuse
VPC peering is used for cluster access without requiring public endpoint exposure.
D. Keep the cluster endpoint public but limit access to specific administrator IP addresses
Minimizing external access favors private endpoints over publicly reachable endpoints with filters.