Question 33
Domain 1: Cluster Setup
Which egress posture is usually safer for sensitive namespaces?
Correct answer: C
Explanation
NetworkPolicy guidance emphasizes “default-deny policies” and “namespace isolation,” so the safer egress posture is to block all outbound traffic from the namespace by default and then explicitly allow only the destinations and ports the workloads actually need. Starting from deny follows least privilege and shrinks the paths an attacker could use for data exfiltration or command-and-control from a compromised Pod in a sensitive namespace.
Why each option is right or wrong
A. Allow all outbound traffic by default forever
Allowing all outbound traffic permanently is the opposite of default-deny: a default-deny policy blocks outbound traffic until explicit egress allow rules are added, and that is the posture the guidance expects for sensitive namespaces.
B. Start with broad allow rules and tighten later if time permits
Least privilege starts restrictive; broad allow rules increase exposure before tightening.
C. Deny unnecessary outbound traffic and explicitly allow required destinations
Kubernetes NetworkPolicy is the relevant control here. NetworkPolicy objects are namespaced and select Pods in their own namespace; once a policy with `policyTypes: [Egress]` and no `egress` rules selects a Pod, all of that Pod's outbound traffic is dropped unless another policy explicitly allows it (policies are additive, so allow rules can be layered on top of the deny). In practice, sensitive namespaces should start from deny-all egress and then add only the required CIDR, namespace and port exceptions, which is the least-privilege posture expected under CKS Task Statement 1.1 on default-deny policies and namespace isolation. Note that enforcement depends on the cluster's CNI plugin supporting NetworkPolicy; a cluster whose network plugin does not implement it will accept the object but not enforce it.
D. Disable DNS resolution so Pods cannot connect anywhere
NetworkPolicy controls traffic, not DNS availability. Disabling DNS is not an egress control at all: Pods can still connect to any destination by IP address, so it breaks legitimate workloads without restricting outbound traffic. The practical caveat runs the other way: a default-deny egress policy also blocks the Pod's DNS queries, so a working deny-all posture must explicitly allow UDP/TCP port 53 to the cluster DNS service.