What is a ConfigMap?
An API object used to store non-confidential data in key-value pairs for pods to consume.
What is a Secret?
An object used to store sensitive data (passwords / tokens) encoded in base64.
How do you inject a ConfigMap into a Pod as an environment variable?
Use the ‘envFrom’ or ‘valueFrom’ field in the Pod spec.
What is a ServiceAccount?
An identity used by processes in a Pod to communicate with the Kubernetes API.
What is a SecurityContext?
A set of constraints that define the privilege and access control settings for a Pod/Container.
How do you run a container as a specific User ID?
Set ‘runAsUser: <ID>' inside the securityContext.</ID>
What are Resource Quotas?
Constraints that limit the total amount of CPU/Memory a Namespace can consume.
How do you prevent a ConfigMap from being updated once created to reduce Kubelet load?
Set ‘immutable: true’ in the ConfigMap metadata.
What is the ‘subPath’ field used for when mounting a ConfigMap?
To mount a single file from a ConfigMap into a directory without overwriting existing files in that directory.
How do you ensure a container cannot gain more privileges than its parent process?
Set ‘allowPrivilegeEscalation: false’ in the securityContext.
What happens to a Pod if a Secret it references as an environment variable is missing?
The Pod will remain in ‘CreateContainerConfigError’ and will not start.
How do you set the default file permissions (e.g. 0400) for all files in a mounted Secret volume?
Use ‘defaultMode: 0400’ under the ‘volumes’ -> ‘secret’ section.
How do you force a Pod to run as a non-root user even if the Docker image defaults to root?
Set ‘runAsNonRoot: true’ in the Pod or Container securityContext.
What are the three main parts of a Kubeconfig file?
Clusters, Contexts, and Users.
Where are the client certificates usually stored in a Kubeconfig for a user?
Under the ‘user’ section, either as file paths or ‘client-certificate-data’ (base64).
How do you view the ‘Common Name’ (CN) of a K8s certificate file using openssl?
openssl x509 -in <file> -text -noout | grep Subject</file>
What is the ‘system:masters’ group in Kubernetes?
A hard-coded RBAC group that bypasses all permission checks (full cluster-admin).
