How do you prevent vulnerable images from being deployed (admission control, registry policy)? [Intermediate]
Answer
I prevent vulnerable images from being deployed by combining CI scan gates, registry policies, image signing, and Kubernetes admission control. The cluster should admit only trusted images that meet vulnerability and policy thresholds.
Technical explanation
CI should fail high-risk images before they reach the registry.
The registry should prevent promotion of images that fail policy or lack required metadata/signatures.
Admission controllers such as Kyverno, OPA Gatekeeper, or Sigstore policy-controller can enforce allowed registries, signatures, and vulnerability attestations at deploy time.
Hands-on example
Example Kyverno-style policy outcome: deny a Pod if the image registry is not on the approved list, the image tag is latest, signature verification fails, or the attached scan attestation contains Critical findings that are on the KEV list. Allow an emergency override only through an audited break-glass path.
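Here is an added Kyverno ClusterPolicy (example code, not from the original page) that expresses the outcome above. It assumes Kyverno 1.10+ verifyImages syntax, an approved registry at registry.example.com, a cosign public key stored in a Secret named cosign-pubkey in the kyverno namespace, a namespace called break-glass for the audited override, and a constructed attestation predicate type whose body exposes summary.critical_kev, the count of Critical findings that are on the KEV list.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: trusted-images-only
spec:
  validationFailureAction: Enforce   # Enforce blocks the Pod; Audit would only log
  rules:
    # Rule 1: approved registry only, and never a floating :latest tag.
    - name: approved-registry-pinned-tag
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:                       # audited break-glass namespace (assumed name);
        any:                         # add the same exclude to rule 2 if needed
          - resources:
              namespaces: [break-glass]
      validate:
        message: "Image must come from registry.example.com and must not use :latest."
        pattern:
          spec:
            containers:
              - image: "registry.example.com/* & !*:latest"
    # Rule 2: cosign signature plus a scan attestation with zero critical KEV hits.
    - name: signed-and-scanned
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          attestors:                 # image signature check
            - count: 1
              entries:
                - keys:
                    publicKeys: k8s://kyverno/cosign-pubkey   # Secret holds cosign.pub
          attestations:              # scan attestation check
            - type: https://example.com/attestation/kev-scan/v1   # constructed predicate type
              attestors:
                - entries:
                    - keys:
                        publicKeys: k8s://kyverno/cosign-pubkey
              conditions:
                - all:
                    - key: "{{ summary.critical_kev }}"   # field in the constructed predicate
                      operator: Equals
                      value: "0"
```

The pattern rule fails closed on any container image outside the approved registry or tagged latest, and the verifyImages rule rejects Pods whose image lacks a valid signature or a signed attestation reporting zero critical KEV findings.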