Question:
1 - Imagine that you are responsible for managing security for a multi-tenant service, which exposes a REST API. A new client has requested that we restrict all communication to TLS 1.2+, whereas we currently support secure, earlier TLS versions. How would you explain the security implications of enforcing this restriction?
2 - The engineering team has built a new microservice that will be interacting with other existing applications. The service is a small Flask application, which will be used by a known subset of current production traffic. In your view, what are the three most important steps to take before deploying the application to ensure it will be stable and run as intended in production? Why those three?
3 - Imagine you're running a system that consists of a single database server and a single web application server. What sort of anomalies would you look for to identify that one of these servers has been compromised?
4 - You are given the deployment and service specifications below for a containerized application. The app needs to communicate with one of our databases as well as an external API, which requires authentication using PEM formatted certificates.
The application needs to be available at all times, but will be updated regularly. It is built using an existing pipeline that tags the resulting image with both a unique hash and 'latest'. How would you change the yaml definitions to follow best practices and ensure a stable deployment? Include a brief explanation of why you would make these changes.
If you would like to rewrite the manifest itself as part of your answer, please enclose it Markdown-style with three backticks above and below your code blocks. If we can't easily read your code, we will ignore it in our evaluation.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dbapp
  name: dbapp
  namespace: test
spec:
  replicas: 4
  selector:
    matchLabels:
      app: dbapp
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 75%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: dbapp
    spec:
      containers:
      - command: ["python"]
        args: ["main.py"]
        env:
        - name: ENVIRONMENT
          value: test
        - name: DATABASE_HOST
          value: psql.internal:5432
        - name: DATABASE_PASSWORD
          value: "12345"
        image: registry.hub.docker.com/applibrary/dbapp:latest
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 25
          initialDelaySeconds: 60
          periodSeconds: 30
          successThreshold: 1
          tcpSocket:
            port: 80
          timeoutSeconds: 1
        name: dbapp
        ports:
        - containerPort: 80
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: 80
          timeoutSeconds: 1
        resources:
          limits:
            cpu: "1"
            memory: 200Mi
          requests:
            cpu: "1"
            memory: 100Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /api-keys/
          name: api-keys
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      volumes:
      - name: api-keys
        configMap:
          defaultMode: 420
          items:
          - key: private.pem
            path: private.pem
          - key: public.pem
            path: public.pem
          name: api-keys
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: dbapp
  name: dbapp
  namespace: test
spec:
  externalTrafficPolicy: Cluster
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 80
  selector:
    app: dbapp
  sessionAffinity: None
  type: LoadBalancer
```
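As a starting point for question 4, the following added example (not part of the original question or any official answer) audits the Deployment for four settings in the manifest that work against its stated requirements: the mutable `latest` tag, the database password as a literal env value, the private key stored in a ConfigMap, and the 75% `maxUnavailable`. The `MANIFEST` dict is a constructed subset of the manifest, and the finding names, the `SENSITIVE` name heuristic and the "keep at least half the replicas up" threshold are assumptions.

```python
# Added example: audit a Deployment dict for risky settings in the manifest above.
# MANIFEST is a constructed subset of that manifest; finding names are illustrative.
import math

MANIFEST = {"spec": {
    "replicas": 4,
    "strategy": {"rollingUpdate": {"maxSurge": "25%", "maxUnavailable": "75%"}},
    "template": {"spec": {
        "containers": [{
            "name": "dbapp",
            "image": "registry.hub.docker.com/applibrary/dbapp:latest",
            "imagePullPolicy": "IfNotPresent",
            "env": [{"name": "DATABASE_HOST", "value": "psql.internal:5432"},
                    {"name": "DATABASE_PASSWORD", "value": "12345"}]}],
        "volumes": [{"name": "api-keys", "configMap": {
            "name": "api-keys",
            "items": [{"key": "private.pem", "path": "private.pem"},
                      {"key": "public.pem", "path": "public.pem"}]}}]}}}}

SENSITIVE = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # assumed naming heuristic

def audit(deploy):
    """Return sorted finding codes for one parsed Deployment."""
    findings, spec = set(), deploy["spec"]
    pod = spec["template"]["spec"]
    for c in pod.get("containers", []):
        image = c["image"]
        last = image.rsplit("/", 1)[-1]           # strip registry host[:port]/path
        tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
        if "@sha256:" not in image and tag == "latest":
            findings.add("mutable-image-tag")     # rollouts/rollbacks not reproducible
        for e in c.get("env", []):
            if "value" in e and any(s in e["name"].upper() for s in SENSITIVE):
                findings.add("plaintext-secret-in-env")  # should be a secretKeyRef
    for v in pod.get("volumes", []):
        items = v.get("configMap", {}).get("items", [])
        if any("private" in i["key"].lower() for i in items):
            findings.add("private-key-in-configmap")     # ConfigMaps are not for secrets
    ru = spec.get("strategy", {}).get("rollingUpdate", {})
    mu, replicas = str(ru.get("maxUnavailable", "25%")), spec.get("replicas", 1)
    # Kubernetes rounds a percentage maxUnavailable down
    down = math.floor(replicas * int(mu[:-1]) / 100) if mu.endswith("%") else int(mu)
    if replicas - down < math.ceil(replicas / 2):   # assumed threshold: keep half up
        findings.add("rollout-can-drop-most-replicas")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(MANIFEST)))
```

A manifest that pins the image by digest, reads the password through `valueFrom.secretKeyRef`, mounts the PEM files from a Secret volume and lowers `maxUnavailable` returns no findings from this check.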
