
Security Solution on Container Service (Exam) Answers

Find answers to the Security Solution on Container Service (Exam) for comprehensive and reliable preparation.


Notice!
Always refer to the official Alibaba Documentation for the most accurate and up-to-date information.

Attention!
If you have any questions that are not covered in this post, please feel free to leave them in the comments section below. Thank you for your engagement.

Exam Question

True/False
1. In a Kubernetes cluster, pods on different nodes can communicate with each other by default.
True
False

True/False
2. In Kubernetes clusters provided by Container Service, when kubelet on a worker node actively connects to apiserver on the master node, the communication link is verified with TLS certificates.
True
False

True/False
3. Alibaba Cloud Container Registry (ACR)'s delivery chain includes image building, image security scanning, image synchronization and image distribution. If any one of these steps fails, the deployment process cannot continue, and customers will not be able to continue their deployment.
True
False

True/False
4. By default, each new cluster is assigned to a new security group with the minimum security risks. This security group only allows ICMP for the inbound Internet traffic.
True
False

True/False
5. Alibaba Cloud Container Service for Kubernetes (ACK) provides images signed by using your own encryption key during the development process. It also enforces signature validation during deployment.
True
False

True/False
6. Role-based access control (RBAC) works at the Alibaba Cloud Container Service for Kubernetes (ACK) cluster layer, controlling access to resources such as ConfigMaps, Pods, Services, Namespaces, and Deployments.
True
False

True/False
7. You can use KMS to encrypt not only your data at rest but also the data in transmission.
True
False

True/False
8. Kubernetes clusters can use Container Registry to manage images and perform image security scans.
True
False

True/False
9. Only Alibaba Cloud Container Service for Kubernetes (ACK) Dedicated Clusters support "Encrypting Secret Data at Rest with KMS".
True
False

True/False
10. Resource Access Management (RAM) controls Alibaba Cloud's resource layer access, such as creating clusters, adding nodes and auto-scaling.
True
False

Multiple answers
11. Which of the following statements are correct regarding Alibaba Cloud Container Service for Kubernetes (ACK)'s audit functionality? (Number of correct answers: 4)
A. Alibaba Cloud provides different types of audit functionality, such as API server auditing, ingress traffic auditing and Kubernetes resource event auditing.
B. Log Service collects service logs, where they can be viewed and searched, using Log Service's powerful built-in capabilities.
C. Using audit logs can help administrators track operations performed by different users. This is an essential part of security maintenance operations.
D. Event center can provide key event details for cluster DevOps, including failed image pull and pod eviction events.
E. Ingress traffic can provide the inbound and outbound traffic information and PV/UV statistics, but these metrics must be defined manually by customers.

Multiple answers
12. Which of the following steps are included in Alibaba Cloud Container Service for Kubernetes (ACK)'s cluster control plane for daily scanning? (Number of correct answers: 3)
A. Harden cluster control-plane security based on CIS Kubernetes Benchmark
B. Ensure system pods and controllers are configured using best practices
C. Ensure there is no critical CVE vulnerability in system pods' images
D. Ensure each cluster does not have known vulnerabilities in its images

Multiple answers
13. Which of the following statements are correct about Alibaba Cloud Container Service for Kubernetes (ACK)'s Sandboxed Pods? (Number of correct answers: 3)
A. Sandboxed Pod is a type of Docker runtime container. It can run any docker image.
B. Sandboxed Pods provide an independent kernel to enable enhanced security isolation.
C. Sandboxed Pods can be run on both ECS and ECS Bare Metal (EBM) instances.
D. Sandboxed Pods can support multiple running containers per Pod.

Multiple answers
14. Which of the following options are correct, regarding Alibaba Cloud cloud-native security? (Number of correct answers: 5)
A. Alibaba Cloud provides 3 levels of security: Infrastructure, Software supply chain, and Runtime Security
B. At the Infrastructure layer, Alibaba Cloud Container Service for Kubernetes (ACK) integrates RAM to achieve authN (Authentication) and RBAC authZ (Authorization)
C. For Software Supply Chain, Alibaba Cloud provides Image Signing and Image Scanning to secure docker images
D. For Runtime Security, ACK provides network policy based on Flannel and Terway networks
E. Security Center can defend application runtimes on ACK, and it also can detect attacks within ACK
F. ACK supports Sandboxed containers which provide an independent kernel to enable enhanced security isolation


Multiple answers
15. Which of the following options are security features supported by Alibaba Cloud Container Service for Kubernetes (ACK)? (Number of correct answers: 3)
A. AuthN, AuthZ
B. Role-based Access Control
C. DevSecOps includes scanning container images and signing container images in ACR Default Instance Edition and Enterprise Edition
D. Data encryption of volumes
