Question 04
Question
You must modify a Deployment named hotfix-deployment in namespace quetzal so that:
- Containers run with user ID 30000
- Privilege escalation is forbidden
The manifest file is located at:
~/broker-deployment/hotfix-deployment.yaml
🧩 Step-by-step reasoning
1️⃣ The wording “containers run with user ID 30000”
You’re spot on. When the question says “containers” (plural) — it implies all containers in the Pod must run as that user.
Now — in Kubernetes, the cleanest and most correct way to make all containers run as a specific user is to set it at the Pod level (spec.template.spec.securityContext).
✅ So:
spec:
template:
spec:
securityContext:
runAsUser: 30000
This applies automatically to all containers unless they override it inside their own container securityContext.
Hence, setting
runAsUserat Pod level (not Container level, even it ONE container only) is the best and intended answer.
2️⃣ The wording “Privilege escalation is forbidden”
This is a container-level field, not a Pod-level one. The key name is allowPrivilegeEscalation, and it must go inside each container’s securityContext.
Example:
spec:
template:
spec:
containers:
- name: app
image: nginx
securityContext:
allowPrivilegeEscalation: false
- name: sidecar
image: busybox
securityContext:
allowPrivilegeEscalation: false
So, yes — if the Deployment has one container → add it there. if multiple → add it under each container.
3️⃣ Difference between
allowPrivilegeEscalation: falseprivileged: false
These are two different security controls — and in the exam, you must know which one they are referring to.
| Field | Meaning | Level | Common Wording |
|---|---|---|---|
allowPrivilegeEscalation | Prevents the container from gaining extra privileges (e.g., via setuid binaries). | Container-level | “Privilege escalation is forbidden” |
privileged | Allows container to run in full root (host-level privileges). | Container-level | “Container must not run in privileged mode” |
✅ Exam tip: If the question uses “Privilege escalation is forbidden” → it’s allowPrivilegeEscalation: false If it says “Container must not be privileged” or “Container should not run in privileged mode” → it’s privileged: false
They’re not interchangeable.
✅ Final Exam-Perfect Answer
apiVersion: apps/v1
kind: Deployment
metadata:
name: hotfix-deployment
namespace: quetzal
spec:
template:
spec:
securityContext:
runAsUser: 30000 # applies to all containers
containers:
- name: app
image: nginx
securityContext:
allowPrivilegeEscalation: false
- name: sidecar
image: busybox
securityContext:
allowPrivilegeEscalation: false
⚡ Quick CKAD logic summary
| Requirement in question | Placement | YAML Key | Notes |
|---|---|---|---|
| “Containers run with user ID XXXX” | Pod-level | runAsUser | Affects all containers |
| “Privilege escalation is forbidden” | Container-level | allowPrivilegeEscalation: false | Must be set per container |
| “Container must not be privileged” | Container-level | privileged: false | Different setting |