☁️ Free practice test question from: Container Orchestration (KCNA)

Container Runtimes Types K8s: Namespaced, Virtualized, Sandboxed

A) containerd with Linux cgroups and namespaces: This is the standard container runtime setup in Kubernetes. While cgroups and namespaces provide resource isolation and process separation, they still share the same kernel. This means a vulnerability in the kernel could potentially affect all containers. This offers a good level of isolation but not the maximum requested.

B) Kata containers with a hypervisor-based runtime: Kata Containers uses lightweight virtual machines (VMs) to run each container. This provides strong isolation as each container runs in its own isolated kernel and hardware environment. This is the closest to maximum isolation among the choices.

C) gVisor with sandboxed system call interception: gVisor provides a user-space kernel that intercepts system calls. This creates a strong security boundary, preventing containers from directly accessing the host kernel. While it offers better isolation than standard containers, it doesn't provide the same level of hardware-level isolation as VMs.

D) CRI-O with standard namespace isolation: CRI-O is another container runtime, but it relies on the same Linux cgroups and namespaces as containerd. Therefore, it offers the same level of isolation as option A, which is not the maximum we are looking for.