Skip to content

Linkerd Security Quiz

This quiz tests your understanding of Linkerd security features.

Quiz Questions

1. How is mTLS enabled in Linkerd?

A. Manual configuration required for each service B. Automatically applied to all mesh traffic C. Configuration via Kubernetes Secrets required D. Must be enabled per namespace

Show Answer

Answer: B. Automatically applied to all mesh traffic

Explanation: One of Linkerd's core values is "security by default." All traffic between services in the mesh automatically has mTLS applied without any configuration.

2. What is the role of the Server resource?

A. Define external server connections B. Define inbound traffic port and protocol C. Store server certificates D. Configure load balancers

Show Answer

Answer: B. Define inbound traffic port and protocol

Explanation: The Server resource defines inbound traffic for specific Pods. It specifies target Pods with podSelector, port with port, and protocol (HTTP/1, HTTP/2, gRPC, opaque) with proxyProtocol.

3. What does meshTLS.serviceAccounts specify in ServerAuthorization?

A. ServiceAccount for the server to use B. Client ServiceAccounts allowed to access C. ServiceAccount with certificate issuance permission D. ServiceAccount with metrics collection permission

Show Answer

Answer: B. Client ServiceAccounts allowed to access

Explanation: ServerAuthorization's meshTLS.serviceAccounts specifies which client ServiceAccounts can access the Server. Only workloads with the specified ServiceAccounts are allowed access.

4. How is traffic allowed in default-deny policy mode?

A. All traffic is automatically allowed B. Explicit ServerAuthorization definition required C. Allow via namespace labels D. Configure whitelist in ConfigMap

Show Answer

Answer: B. Explicit ServerAuthorization definition required

Explanation: In default-deny mode, all traffic is denied by default. To allow traffic, Server and ServerAuthorization must be explicitly defined. This is a zero-trust security model.

A. 24 hours B. 1 year C. 1-10 years D. Unlimited

Show Answer

Answer: C. 1-10 years

Explanation: Trust Anchor (Root CA) should be valid for a long period. 1-10 years is generally recommended. Since Trust Anchor replacement is complex, set a sufficiently long validity period, adjusting for security requirements.

6. What ServerAuthorization setting allows unauthenticated clients (outside mesh)?

A. meshTLS.identities: ["*"] B. unauthenticated: true C. external: allowed D. client: any

Show Answer

Answer: B. unauthenticated: true

Explanation: Setting client.unauthenticated: true allows access from clients without mTLS authentication (outside mesh). This is used for traffic from health checks or ingress.

7. What is required when renewing the Identity Issuer certificate?

A. All proxies must be restarted B. Trust Anchor must also be replaced C. Update Kubernetes Secret and restart Identity Controller D. Full cluster restart required

Show Answer

Answer: C. Update Kubernetes Secret and restart Identity Controller

Explanation: When renewing Identity Issuer: 1) Update Secret with new certificate, 2) Restart Identity Controller. Proxies automatically renew with the new certificate. No Trust Anchor replacement needed if it remains the same.

8. Which policy mode allows only mTLS traffic from within the mesh?

A. deny B. all-unauthenticated C. all-authenticated D. cluster-unauthenticated

Show Answer

Answer: C. all-authenticated

Explanation:all-authenticated mode allows only mTLS-authenticated traffic from within the mesh. Unauthenticated traffic from outside the mesh is denied.

9. What setting is required in cert-manager Certificate resource for Linkerd integration?

A. isCA: false B. isCA: true C. usages: [digital signature] D. algorithm: RSA

Show Answer

Answer: B. isCA: true

Explanation: The Linkerd Identity Issuer acts as an intermediate CA, so cert-manager Certificate must have isCA: true. This certificate signs workload certificates.

10. What can be verified with the linkerd viz edges command?

A. Network edge router status B. Service-to-service mTLS connection status C. Cluster boundary policies D. DNS edge cache status

Show Answer

Answer: B. Service-to-service mTLS connection status

Explanation:linkerd viz edges shows connections (edges) between services, with the SECURED column indicating mTLS status. Traffic from outside the mesh shows X in SECURED.

11. What is the correct relationship between Linkerd security and application security?

A. Linkerd handles all security so application security is unnecessary B. Linkerd handles transport layer, applications handle business logic security C. Application security alone is sufficient, Linkerd security is optional D. Both securities are completely independent with no interaction

Show Answer

Answer: B. Linkerd handles transport layer, applications handle business logic security

Explanation: Following defense-in-depth principles, Linkerd handles transport encryption (mTLS) and service authorization, while applications handle business logic security like user authentication (JWT), RBAC, and input validation.

12. Which is NOT a Linkerd security metric to monitor with Prometheus alerts?

A. Certificate expiration time B. Non-mTLS traffic ratio C. Application login failure count D. Authorization denied request count

Show Answer

Answer: C. Application login failure count

Explanation: Linkerd security metrics include: certificate expiration time, non-mTLS traffic ratio, authorization denied request count. Application login failures are application-level metrics outside Linkerd's scope.