KubeDojo

Least-Privilege Identity and Access Management

by Alexis Kinsella · 19 min read
A container running as root with a mounted ServiceAccount token and unrestricted capabilities is not a workload. It is an invitation. The attacker who compromises that container inherits every permission the token grants, every syscall the kernel allows, and every file the host exposes.

CKS Domain 4, System Hardening, tests whether you can lock down the layers between a container process and the host kernel. The exam scenarios hand you over-provisioned nodes and over-privileged workloads, then ask you to harden them: restrict Linux user contexts, lock down SSH, scope RBAC to the minimum, and enforce Pod Security Standards across namespaces.
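The following manifest is an added example and is not taken from the KubeDojo lesson. It shows, in one place, the layers the paragraphs above describe: a namespace that enforces the `restricted` Pod Security Standard, a ServiceAccount whose token is not mounted into Pods, a Role scoped to a single read-only verb set in one namespace, and a Pod whose user context and capabilities satisfy the restricted profile. All names (`hardened-demo`, `app-sa`, `configmap-reader`, `app`) and the image reference are hypothetical placeholders; the label keys, API groups and field names are the standard Kubernetes ones.

```yaml
# Added example, not the lesson's own manifest. Names are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: hardened-demo
  labels:
    # Reject any Pod that violates the restricted profile at admission time...
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # ...and also warn on apply and record violations in the audit log.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: hardened-demo
# Token is not projected into Pods unless a Pod explicitly asks for it.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: hardened-demo
rules:
  # If the workload ever needs API access, this is the whole grant:
  # read ConfigMaps in this namespace, nothing else, nothing cluster-wide.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-configmap-reader
  namespace: hardened-demo
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: hardened-demo
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: hardened-demo
spec:
  serviceAccountName: app-sa
  # Opt out of the token at the Pod level too, so a compromised process
  # has no credential to replay against the API server.
  automountServiceAccountToken: false
  securityContext:
    # Non-root user context; the kubelet refuses to start the container
    # if the image would run as UID 0.
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          # Drop every capability; restricted allows adding back only NET_BIND_SERVICE.
          drop: ["ALL"]
```

After `kubectl apply -f` on this file, a Pod submitted to `hardened-demo` without `runAsNonRoot`, `allowPrivilegeEscalation: false`, the `ALL` capability drop, or a seccomp profile is rejected by the built-in Pod Security admission controller, and the `warn` label makes the same violations visible on apply before enforcement is turned on. The RBAC scope can be checked from the command line with `kubectl auth can-i get secrets -n hardened-demo --as=system:serviceaccount:hardened-demo:app-sa`, which should answer `no`, while the same query for `configmaps` answers `yes`.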

Part of the CKS — Certified Kubernetes Security Specialist course (25 lessons).