Question 35
Domain 4: Minimize Microservice Vulnerabilities
Which statement about Pod Security Standards is most accurate?
Correct answer: A
Explanation
Pod Security Standards define “Privileged, Baseline, Restricted” levels and are used to “setup appropriate OS level security domains,” so they reduce risky workload settings. They are only one control in the broader hardening model, alongside RBAC, NetworkPolicy, secrets management, and runtime security.
Why each option is right or wrong
A. They are a framework for reducing risky workload settings, not a substitute for every other security control
Pod Security Standards are defined in the Kubernetes documentation as three namespace-level policy profiles—Privileged, Baseline, and Restricted—intended to constrain pod fields such as privilege escalation, host namespaces, and Linux capabilities, which is why they reduce risky workload settings rather than replace broader controls. The standards are enforced through Pod Security Admission labels on namespaces, and Kubernetes explicitly treats them as one layer in the hardening model; they do not provide RBAC, NetworkPolicy, secret encryption, or runtime isolation, so they cannot substitute for those controls.
B. They replace TLS, RBAC, and image signing with one feature
Pod Security Standards govern pod security domains, not TLS, RBAC, or image signing.
C. They only matter on Windows clusters
Pod Security Standards apply to Kubernetes Pods and namespaces, not only Windows clusters.
D. They affect Service resources but not Pods
Pod Security Standards target Pod security settings at the namespace level, not Service resources.