Question 37
Domain 5: Supply Chain Security

Why is image signing less valuable if the cluster never verifies signatures before running workloads?
Correct answer: A
Explanation
Image signing only helps when the cluster enforces verification at admission or before execution. If the cluster never verifies signatures, “signed and unsigned images are treated the same at enforcement time,” so signing adds no control over what actually runs.
Why each option is right or wrong
A. Because unsigned and signed images are treated the same at enforcement time
Kubernetes image-signing controls only have an effect if an admission controller or policy engine actually checks the signature before the Pod is admitted; otherwise the API server still accepts the Pod spec and the kubelet pulls and starts the image regardless. Under the CKS supply-chain controls (e.g., ImagePolicyWebhook, Connaisseur, or Cosign-backed verification), the enforcement point is admission, so if the cluster never performs that verification step, a signed image and an unsigned image are operationally identical at run time.
B. Because signatures disappear after upload
Image signatures are stored separately from the image contents (typically alongside the image in the registry) and do not disappear after upload.
C. Because Kubernetes cannot store image metadata
Kubernetes can store and use image references and metadata; the issue is verification, not storage.
D. Because signing only works for Windows containers
Image signing applies to container images generally, not only Windows containers.