Prisma Certified Cloud Security Engineer (PCCSE) — Question 30
Review this admission control policy:
```
match[{"msg": msg}] {
    input.request.operation == "CREATE"
    input.request.kind.kind == "Pod"
    input.request.resource.resource == "pods"
    input.request.object.spec.containers[_].securityContext.privileged
    msg := "Privileged"
}
```
Which response to this policy will be achieved when the effect is set to `block`?
Answer options
- A. The policy will block all pods on a Privileged host.
- B. The policy will replace Defender with a privileged Defender.
- C. The policy will alert only the administrator when a privileged pod is created.
- D. The policy will block the creation of a privileged pod.
Correct answer: D
Explanation
The rule matches only `CREATE` requests for `Pod` objects in which at least one container sets `securityContext.privileged` to true. When the effect is set to `block`, the policy therefore targets privileged pods specifically and prevents their creation. Option A is incorrect because it generalizes the blocking to all pods, not just privileged ones. Options B and C do not reflect what the policy does: they describe replacement and notification rather than blocking.