Question 28
Domain 3: Application Environment, Configuration, and Security
Which Pod spec correctly creates a container with a read-only root filesystem while still allowing writes to /tmp?
Correct answer: A
Explanation
Setting `securityContext.readOnlyRootFilesystem: true` makes the container's root filesystem read-only, which blocks writes everywhere except mounted writable paths. Mounting an `emptyDir` at `/tmp` provides a writable directory for temporary files while preserving the read-only root filesystem.
Why each option is right or wrong
A. Set container securityContext.readOnlyRootFilesystem: true and mount an emptyDir volume at /tmp
Kubernetes container securityContext supports `readOnlyRootFilesystem: true`, which makes the container’s root filesystem immutable at runtime, so any write attempt to paths on `/` fails unless that path is backed by a writable volume. To preserve write access specifically for temporary files, the Pod must mount a writable volume at `/tmp`; `emptyDir` is the standard ephemeral volume for this purpose and is writable for the lifetime of the Pod, while the rest of the root filesystem remains read-only.
B. Set pod securityContext.readOnlyRootFilesystem: true and mount a hostPath volume at /tmp
`readOnlyRootFilesystem` is a field of the container-level `securityContext`, not the Pod-level `securityContext`, so this spec is invalid. A `hostPath` volume also exposes a directory of the node's own filesystem to the container, which is far broader than the ephemeral scratch space the question asks for.
C. Set container securityContext.readOnlyRootFilesystem: true and mount a ConfigMap volume at /tmp
A `ConfigMap` volume is mounted read-only, so the container still cannot write to `/tmp`.
D. Set container securityContext.privileged: true and mount an emptyDir volume at /tmp
`privileged: true` does nothing to make the root filesystem read-only; it grants the container nearly all host capabilities and device access, which fails the requirement and greatly widens the attack surface.
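The following manifest is an added example showing option A as an actual Pod spec; it is not part of the original question, and the Pod name and image are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: readonly-root-demo        # placeholder name
spec:
  containers:
  - name: app
    image: example.com/app:1.0    # placeholder image
    securityContext:
      # Container-level field: the root filesystem becomes immutable,
      # so writes to /, /etc, /usr, etc. fail with "Read-only file system".
      readOnlyRootFilesystem: true
    volumeMounts:
    # Only this path is backed by a writable volume.
    - name: tmp
      mountPath: /tmp
  volumes:
  # Ephemeral scratch space that lives as long as the Pod.
  - name: tmp
    emptyDir: {}
```

To confirm the behaviour after applying it, `kubectl exec readonly-root-demo -- sh -c 'touch /tmp/ok && touch /etc/fail'` creates `/tmp/ok` and then fails on `/etc/fail` with a read-only file system error.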