# Container and Runtime Security Operations

One-sentence definition: Operate defenses for images, registries, and cluster workloads at runtime.

## Key Facts

- Enforce signed images; scan on push/pull; block critical CVEs.
- Admission controllers enforce policies; least privilege (no root/capabilities).
- Monitor runtime anomalies (syscalls, network egress); isolate pods.
- Rotate secrets; use KMS; audit registry access.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose admission + signed images to prevent risky deployments.

**Mnemonic:** “**Sign** it, **screen** it, **schedule** safely.”

## Mini Scenario

Q: Image from public repo runs as root—ops response?

A: Block at admission; rebuild with least privilege; sign and redeploy.

## Revision Checklist

- Two admission checks.
- Runtime monitor target.
- Secret handling.

## Related

[[Container and Kubernetes Security Testing]] · [[IaC Security Testing and Policy-as-Code]] · [[Cloud SOC Operations (CSPM CWPP CIEM)]] · [[Service-to-Service Auth (API Keys OAuth mTLS DPoP)]] · [[Domain 7 - Index]]