Who is Muhammad Usman Akbar?

Muhammad Usman Akbar is a world-class AI Transformation Consultant and Agentic Architect focused on achieving 30x industrial efficiency through autonomous ecosystems.

What results can an AI Transformation Consultant provide?

By replacing manual work with autonomous AI workflows, a consultant like Muhammad Usman can deliver up to 30x growth in output while reducing operational overhead by 40%.

What is Agentic AI Orchestration?

It is the engineering of multi-agent systems where autonomous AI entities collaborate to manage complex industrial operations in production environments.

Assessment: Production Security & Compliance

Proficiency Level	Bloom's Levels	Time Limit	Total Points	Passing Score
B1 (Intermediate)	Apply (40%), Analyze (60%)	45 minutes	100	70%

Learning Objectives Assessed

ID	Objective	Success Criterion
LO-001	Apply the 4C security model to classify controls	SC-002
LO-002	Implement ServiceAccount RBAC with least privilege	SC-003
LO-003	Configure NetworkPolicy default-deny with explicit allows	SC-004
LO-004	Write PSS Restricted-compliant pod specifications	SC-005
LO-005	Interpret Trivy vulnerability scan results	SC-006
LO-006	Execute and interpret 10-point security audit	SC-007
LO-007	Map Kubernetes controls to compliance frameworks	SC-008
LO-008	Apply skill-first learning pattern for security	SC-001

Cognitive Distribution

Bloom's Level	Question Count	Percentage
Apply	4	40%
Analyze	6	60%

Section A: Multiple Choice (20 points)

Question 1 (5 points) [Type: MCQ] [Bloom: Analyze] [SC-002]

Your Task API needs to access ConfigMaps for configuration, communicate with a PostgreSQL database in another namespace, and write logs to a persistent volume. You are classifying security controls by 4C layer. Which classification is CORRECT?

A) ConfigMap access control: Code layer; Database NetworkPolicy: Container layer; Volume encryption: Cluster layer

B) ConfigMap access control: Cluster layer; Database NetworkPolicy: Cluster layer; Volume encryption: Cloud layer

C) ConfigMap access control: Container layer; Database NetworkPolicy: Code layer; Volume encryption: Cluster layer

D) ConfigMap access control: Cloud layer; Database NetworkPolicy: Container layer; Volume encryption: Code layer

Question 2 (5 points) [Type: MCQ] [Bloom: Analyze] [SC-003]

You run kubectl auth can-i get secrets --as=system:serviceaccount:task-api:task-api-sa -n task-api and receive "yes". Your Role definition is:

yaml

rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]

What is the MOST LIKELY cause of this security violation?

A) The ServiceAccount has a ClusterRoleBinding granting additional permissions beyond the Role

B) The Role should use apiGroups: ["v1"] instead of apiGroups: [""] to properly restrict access

C) The verbs array needs ["get"] only because "list" implicitly includes secret access

D) The namespace label is missing pod-security.kubernetes.io/enforce: restricted

Question 3 (5 points) [Type: MCQ] [Bloom: Apply] [SC-004]

After applying a default-deny NetworkPolicy, your Task API pods cannot resolve service names. The nslookup command times out. Which NetworkPolicy egress rule CORRECTLY fixes DNS resolution?

yaml

egress:
- to:
  - podSelector:
      matchLabels:
        k8s-app: kube-dns
  ports:
  - protocol: UDP
    port: 53

yaml

egress:
- to:
  - namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: kube-system
  ports:
  - protocol: UDP
    port: 53
  - protocol: TCP
    port: 53

yaml

egress:
- to:
  - ipBlock:
      cidr: 10.96.0.0/16
  ports:
  - protocol: UDP
    port: 53

yaml

egress:
- to:
  - namespaceSelector: {}
  ports:
  - protocol: UDP
    port: 53

Question 4 (5 points) [Type: MCQ] [Bloom: Analyze] [SC-001]

In the skill-first learning pattern used in this chapter, you created your cloud-security skill BEFORE learning the detailed security concepts. What is the PRIMARY pedagogical reason for this approach?

A) Skills created before learning are automatically more accurate because they use official documentation

B) Creating the skill first establishes ownership and provides a concrete artifact to test and improve as concepts are learned

C) AI skills should always be created at the beginning of each chapter to ensure consistent formatting

D) The skill creation process is faster when the student has less domain knowledge to interfere with AI suggestions

Section B: Code Completion (30 points)

Question 5 (15 points) [Type: Code-Completion] [Bloom: Apply] [SC-005]

Complete the missing securityContext fields in this Deployment to make it PSS Restricted-compliant. The Task API writes temporary files to /tmp and runs the application as user 1000.

yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: task-api
  namespace: production
spec:
  template:
    spec:
      # Pod-level security context
      securityContext:
        runAsNonRoot: ___(A)___
        runAsUser: ___(B)___
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: ___(C)___
      containers:
      - name: task-api
        image: task-api:v1.0.0
        # Container-level security context
        securityContext:
          allowPrivilegeEscalation: ___(D)___
          readOnlyRootFilesystem: ___(E)___
          capabilities:
            drop:
              - ___(F)___
        volumeMounts:
        - name: tmp
          mountPath: /tmp
      volumes:
      - name: tmp
        emptyDir: {}

Fill in the blanks:

Blank	Your Answer	Explanation (required)
(A)
(B)
(C)
(D)
(E)
(F)

Question 6 (15 points) [Type: Code-Completion] [Bloom: Apply] [SC-003, SC-004]

Complete this RBAC configuration for a monitoring service that needs to read Pod metrics across the production and staging namespaces, but NOT other namespaces. The service should NOT have cluster-wide access.

yaml

# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-collector-sa
  namespace: monitoring
automountServiceAccountToken: ___(A)___
---
# Reusable permission definition (not namespace-scoped)
apiVersion: rbac.authorization.k8s.io/v1
kind: ___(B)___
metadata:
  name: pod-metrics-reader
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods"]
  verbs: ["get", "list"]
---
# Binding for production namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: ___(C)___
metadata:
  name: metrics-production
  namespace: production
subjects:
- kind: ServiceAccount
  name: metrics-collector-sa
  namespace: ___(D)___
roleRef:
  kind: ___(E)___
  name: pod-metrics-reader
  apiGroup: rbac.authorization.k8s.io

Fill in the blanks:

Blank	Your Answer	Why this choice? (required)
(A)
(B)
(C)
(D)
(E)

Section C: Scenario Analysis (30 points)

Question 7 (10 points) [Type: Scenario-Analysis] [Bloom: Analyze] [SC-006]

You run a Trivy scan on your Task API image and receive this output:

text

task-api:v1.2.0 (debian 12.5)
=============================
Total: 47 (UNKNOWN: 0, LOW: 32, MEDIUM: 11, HIGH: 3, CRITICAL: 1)

Library          Vulnerability   Severity   Installed      Fixed Version
libssl3          CVE-2024-0727   CRITICAL   3.0.11-1       3.0.13-1
libcurl4         CVE-2024-2398   HIGH       7.88.1-10      7.88.1-10+deb12u5
python3.11       CVE-2024-0450   HIGH       3.11.2-6       3.11.2-6+deb12u2
zlib1g           CVE-2023-45853  HIGH       1.2.13         (not yet fixed)

Part A (4 points): Your CI/CD pipeline uses trivy image --exit-code 1 --severity CRITICAL. Will this build PASS or FAIL? Explain why.

Your answer:

Part B (3 points): For the HIGH vulnerability in zlib1g with no fixed version, what is the MOST appropriate immediate action?

A) Wait for upstream fix and do nothing B) Remove zlib1g from the image since it's optional C) Document the risk, monitor for exploits, consider alternative base images D) Downgrade to an older version of zlib1g

Your answer and justification:

Part C (3 points): After fixing the CRITICAL vulnerability and the two fixable HIGH vulnerabilities, you rebuild. The scan now shows Total: 44 (LOW: 32, MEDIUM: 11, HIGH: 1). Is this image ready for production deployment according to the 10-point audit? Why or why not?

Your answer:

Question 8 (10 points) [Type: Scenario-Analysis] [Bloom: Analyze] [SC-006]

You are executing the 10-point security audit on your Task API deployment. Here are the results for three checks:

Check 2 (Minimal RBAC):

bash

$ kubectl auth can-i get secrets --as=system:serviceaccount:task-api:task-api-sa -n task-api
no
$ kubectl auth can-i get configmaps --as=system:serviceaccount:task-api:task-api-sa -n task-api
yes
$ kubectl auth can-i get configmaps --as=system:serviceaccount:task-api:task-api-sa -n kube-system
no

Check 3 (Default-deny NetworkPolicy):

bash

$ kubectl get networkpolicy -n task-api default-deny-all -o jsonpath='{.spec.policy
Types}'
["Ingress"]

Check 6 (PSS Restricted):

bash

$ kubectl apply -f deployment.yaml --dry-run=server
deployment.apps/task-api created (server dry run)

Part A (4 points): Which checks PASS and which FAIL? Complete the table:

Check	Status (PASS/FAIL)	Evidence
Check 2
Check 3
Check 6

Part B (3 points): For any FAILED check, what is the specific fix needed?

Your answer:

Part C (3 points): If Check 3 fails, what security vulnerability does this create for your Task API pods?

Your answer:

Question 9 (10 points) [Type: Scenario-Analysis] [Bloom: Analyze] [SC-007]

An auditor asks: "How do you demonstrate SOC2 CC6.1 (logical access restriction) and HIPAA 164.312(e)(1) (transmission security) for your Task API?"

Part A (5 points): Map TWO Kubernetes controls to SOC2 CC6.1. For each, provide the evidence collection command.

Control	How It Satisfies CC6.1	Evidence Command

Part B (5 points): Explain how Dapr mTLS satisfies HIPAA 164.312(e)(1) transmission security. Include the verification command that demonstrates mTLS is active.

Your answer:

Section D: Practical Exercise (20 points)

Question 10 (20 points) [Type: Practical-Exercise] [Bloom: Apply/Analyze] [SC-002, SC-003, SC-004, SC-005]

Scenario: You are deploying a new payment-processor service that:

Processes credit card transactions (PCI-DSS relevant)
Needs to read Secrets (not ConfigMaps) in its own namespace
Must communicate ONLY with a payment-gateway service in the same namespace
Should NOT reach the internet or other namespaces
Must run with maximum container security restrictions

Task: Design the complete security configuration by answering each part.

Part A (5 points): Write the RBAC Role that grants ONLY the necessary permissions for reading Secrets.

yaml

# Your Role YAML here:

Part B (5 points): Write a default-deny NetworkPolicy AND an ingress allow rule that permits traffic ONLY from pods with label app: payment-gateway within the same namespace.

yaml

# Your Network
Policy YAML here (can be multiple policies):

Part C (5 points): List the 6 securityContext fields required for PSS Restricted compliance and their correct values for this payment service running as UID 2000.

Level	Field	Value
Pod
Pod
Pod
Container
Container
Container

Part D (5 points): A penetration tester deploys this pod in the payment namespace:

yaml

apiVersion: v1
kind: Pod
metadata:
  name: attacker
  namespace: payment
spec:
  containers:
  - name: attacker
    image: curlimages/curl
    command: ["sleep", "3600"]

The tester then runs: kubectl exec -n payment attacker -- curl -s payment-processor:8080/health

Question: Will this request succeed or be blocked? Explain which control prevents or allows it, and what the attacker would need to change to bypass that control.

Your answer:

Answer Key

Section A: Multiple Choice

Question 1: B

ConfigMap RBAC is Cluster layer (Kubernetes authorization)
Database NetworkPolicy is Cluster layer (pod-to-pod traffic rules)
Volume encryption at rest is Cloud layer (cloud provider infrastructure)

Question 2: A

A ClusterRoleBinding can grant additional permissions beyond namespace-scoped Roles. This is a common RBAC misconfiguration.

Question 3: B

Must use namespaceSelector with kubernetes.io/metadata.name: kube-system to target CoreDNS.
Must include BOTH UDP and TCP port 53.

Question 4: B

Skill-first creates ownership and a testable artifact that improves with each lesson.

Section B: Code Completion

Question 5:

Blank	Answer	Explanation
(A)	true	PSS Restricted requires containers run as non-root
(B)	1000	Explicit non-root UID matching the application user
(C)	RuntimeDefault	PSS Restricted requires a seccomp profile
(D)	false	Prevents privilege escalation via setuid/setgid
(E)	true	Prevents filesystem modification (security + immutability)
(F)	ALL	Drop all Linux capabilities for minimal attack surface

Question 6:

Blank	Answer	Explanation
(A)	false	API access not needed, reduces attack surface
(B)	ClusterRole	Reusable across namespaces without granting cluster-wide access
(C)	RoleBinding	Limits scope to production namespace only
(D)	monitoring	SA exists in monitoring namespace, must specify
(E)	ClusterRole	References the ClusterRole defined above

Section C: Scenario Analysis

Question 7:

Part A: FAIL. The scan found 1 CRITICAL vulnerability (CVE-2024-0727 in libssl3). The --exit-code 1 flag causes Trivy to return exit code 1.
Part B: C. Document the risk, monitor for exploits, consider alternative base images.
Part C: YES, ready for production. The 10-point audit check 7 requires "No CRITICAL vulnerabilities."

Question 8:

Part A:

Check	Status	Evidence
Check 2	PASS	Secrets denied, ConfigMaps allowed in own namespace, denied in others
Check 3	FAIL	Only "Ingress" in policyTypes, missing "Egress"
Check 6	PASS	Dry-run accepted without PSS violations

Part B: Check 3 fix: Add "Egress" to the policyTypes array.
Part C: Without egress default-deny, compromised pods can make outbound connections to any destination (data exfiltration, command & control).

Question 9:

Part A:

Control	How It Satisfies CC6.1	Evidence Command
RBAC	Restricts API access per identity	kubectl get rolebindings -n task-api -o yaml
NetworkPolicy	Restricts network access to services	kubectl get networkpolicies -n task-api -o yaml

Part B: Dapr mTLS encrypts all service-to-service communication between Dapr sidecars. Verification: dapr status -k | grep dapr-sentry showing "Running".

Section D: Practical Exercise

Question 10:

Part A:

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payment-processor-role
  namespace: payment
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]

Part B:

yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payment
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-payment-gateway
  namespace: payment
spec:
  podSelector:
    matchLabels:
      app: payment-processor
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: payment-gateway
    ports:
    - protocol: TCP
      port: 8080

Part C:

Level	Field	Value
Pod	runAsNonRoot	true
Pod	runAsUser	2000
Pod	seccompProfile.type	RuntimeDefault
Container	allowPrivilegeEscalation	false
Container	readOnlyRootFilesystem	true
Container	capabilities.drop	["ALL"]

Part D: The request will be BLOCKED by the NetworkPolicy. The allow-payment-gateway ingress rule only permits traffic from pods with label app: payment-gateway. The attacker pod has no labels.

To bypass, the attacker would need the label app: payment-gateway or compromise an existing pod with that label.

Diagnostic Indicators

Question	Gap Type	Remediation
Q1	Conceptual	Review L01 4C model
Q2, Q5, Q6	Procedural	Review L02 RBAC patterns
Q3, Q8C, Q10B	Procedural	Review L03 default-deny + DNS
Q5, Q10C	Procedural	Review L05 PSS checklist
Q7	Analytical	Review L06 severity levels
Q8	Evaluative	Practice 10-point audit script
Q9	Conceptual	Review L08 compliance matrix
Q4, Q10D	Integrative	Capstone review

Success Criteria Mapping

Success Criterion	Questions Testing It
SC-001: Skill-first pedagogy	Q4
SC-002: 4C layer classification	Q1
SC-003: ServiceAccount RBAC	Q2, Q6, Q10A
SC-004: NetworkPolicy blocking	Q3, Q8, Q10B
SC-005: PSS restricted compliance	Q5, Q10C
SC-006: Trivy vulnerability scanning	Q7
SC-007: 10-point audit checklist	Q8
SC-008: Compliance control mapping	Q9