How do you secure container runtime (seccomp, AppArmor, capabilities, read-only root)? [Advanced]
Answer
I secure the container runtime by reducing privileges and attack surface: run as non-root, drop Linux capabilities, use seccomp/AppArmor/SELinux profiles, set read-only root filesystems, avoid privileged mode, restrict host namespaces and hostPath mounts, and keep images minimal and patched.
Technical explanation
Runtime security starts in the Dockerfile and Kubernetes securityContext.
seccomp limits syscalls, AppArmor/SELinux enforce mandatory access controls, and capabilities control fine-grained root privileges.
Read-only filesystems and non-root execution make post-exploitation harder.
Hands-on example
Kubernetes securityContext:
    securityContext:
      runAsNonRoot: true
      runAsUser: 10001
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
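To check manifests against the controls listed in the answer, the following added example (not part of the original page) audits a pod spec for each of them. The function name audit_pod and the sample pod are constructed for illustration; the audit honors the Kubernetes rule that runAsNonRoot and seccompProfile inherit from the pod-level securityContext while the other fields exist only per container.

```python
# Constructed sample pod (dict form of a Kubernetes Pod manifest), not from the page.
SAMPLE_POD = {"spec": {
    "hostNetwork": True,
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "sock", "hostPath": {"path": "/var/run"}}],
    "containers": [
        {"name": "hardened", "securityContext": {
            "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]}}},
        {"name": "legacy", "securityContext": {
            "privileged": True, "runAsNonRoot": False,
            "capabilities": {"drop": ["NET_RAW"]}}},
    ],
}}

def audit_pod(pod):
    """Return sorted (scope, finding) tuples for runtime-hardening gaps."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(("pod", f"{field} shares a host namespace"))
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(("pod", f"hostPath volume '{vol['name']}'"))
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        name = c["name"]
        # runAsNonRoot and seccompProfile fall back to the pod level unless overridden.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append((name, "runAsNonRoot is not true"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append((name, "seccomp is unset or Unconfined"))
        # The remaining fields exist only at container level; unset means permissive.
        if sc.get("privileged"):
            findings.append((name, "privileged mode"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation is not false"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        drops = [d.upper() for d in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append((name, "capabilities do not drop ALL"))
    return sorted(findings)
```

On the sample, the hardened container passes by inheriting the pod-level settings, while legacy is flagged because its own runAsNonRoot: false overrides the pod default.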