How do you prevent privilege escalation in a Kubernetes cluster? [Advanced]
Answer
I prevent privilege escalation in Kubernetes with least-privilege RBAC, Pod Security Admission restricted mode, no privileged containers, no hostPath/hostNetwork unless approved, dropped capabilities, allowPrivilegeEscalation=false, image/admission policies, secret access controls, and network segmentation.
Technical explanation
Cluster-admin should be tightly controlled and regularly audited.
Service accounts should not carry broad default permissions, and automountServiceAccountToken should be disabled when the token is unnecessary.
Admission policies should prevent dangerous pod specs from reaching the cluster.
Hands-on example
Checklist:
- enforce restricted Pod Security for app namespaces
- use Role, not ClusterRole, where possible
- block privileged=true
- block hostPath
- require runAsNonRoot
- restrict exec access in production
- rotate service-account tokens
- monitor audit logs for escalation attempts
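The pod-spec items of the checklist can be checked before a manifest ever reaches the cluster. The following is an added example, not code from the original page: `audit_pod`, `WEAK_POD` and `HARDENED_POD` are hypothetical names, both sample specs are constructed, and the token check assumes the workload never calls the API server.

```python
# Added example: audit a Pod spec (dict parsed from a manifest) against the checklist.
# WEAK_POD and HARDENED_POD are constructed samples, not taken from a real cluster.

def audit_pod(spec):
    """Return sorted findings; an empty list means every check passed."""
    findings = set()
    pod_sc = spec.get("securityContext") or {}
    if spec.get("hostNetwork"):
        findings.add("pod: hostNetwork=true")
    if any("hostPath" in v for v in spec.get("volumes") or []):
        findings.add("pod: hostPath volume")
    # Assumption: the workload never calls the API server, so it needs no token.
    if spec.get("automountServiceAccountToken") is not False:
        findings.add("pod: service-account token automounted")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            findings.add(f"{name}: privileged=true")
        # Leaving the field unset is not enough: only an explicit false passes.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.add(f"{name}: allowPrivilegeEscalation not false")
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.add(f"{name}: runAsNonRoot not true")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.add(f"{name}: capabilities.drop lacks ALL")
    return sorted(findings)

WEAK_POD = {
    "hostNetwork": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "securityContext": {"privileged": True}}],
}

HARDENED_POD = {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True},
    "containers": [{
        "name": "app",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod))
```

Init containers are audited alongside regular containers, and a container that sets runAsNonRoot to false is flagged even when the pod-level securityContext sets it to true.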