CKS Mock exam 1 Q1 - restricted

Can someone please help me understand how the solution arrived at the YAML below?
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: frontend-site
  namespace: omni
spec:
  securityContext:
    appArmorProfile:
      type: Localhost
      localhostProfile: restricted-frontend
  serviceAccountName: frontend-default # Use the service account with least privileges
  containers:
  - image: nginx:alpine
    name: nginx
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data/pages
      type: Directory
```

Below are the steps I followed:

Step 1: Since the pod YAML is not given, I exported the existing pod to YAML using the command below:

```shell
k get pod -n omni frontend-site -oyaml > q1pod.yaml
```

Step 2: I set the service account name to frontend-default, as it has the least amount of privileges.

Step 3: Applied AppArmor: first loaded the AppArmor file with `apparmor_parser -q /etc/apparmor.d/frontend`.

Step 4: Deleted the service account volumeMounts.

Step 5: Below is the resulting YAML of the pod as it now exists. But the site is still not restricted.

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2025-05-22T12:18:10Z"
  labels:
    run: nginx
  name: frontend-site
  namespace: omni
  resourceVersion: "12398"
  uid: 8859ac31-8681-4b80-97a4-fbfbe7c8355e
spec:
  containers:
  - image: nginx:alpine
    imagePullPolicy: IfNotPresent
    name: nginx
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: test-volume
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-tbghm
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: controlplane
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: frontend-default
  serviceAccountName: frontend-default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
```

First of all, you’ll need to input your YAML so we can actually use it; the Discourse software corrupts your YAML when you just paste it in, as you’ve done. Please read this guide to learn how to do a code block – that’s what you need to prevent this problem. Once the YAML is readable, we’ll help you with your issue.
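An offline pre-flight check for the three restrictions the steps above aim for (AppArmor profile, non-default service account, no token mount), added here as an example and not code from the original post or the course. It takes the manifest as a Python dict (what `yaml.safe_load` returns; constructed inline so it runs without PyYAML) and assumes `automountServiceAccountToken: false` as the way to keep the token volume out, since the projected `kube-api-access-*` volume seen in the pod output is added by the ServiceAccount admission controller on every create, so deleting it from the spec by hand (Step 4) does not persist.

```python
"""Offline pre-flight check for the frontend-site Pod manifest (added example)."""
# Constructed input: the target manifest from the post as a dict, plus
# automountServiceAccountToken: false, which is this example's assumption
# about how to keep the service account token volume out of the pod.
POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "frontend-site", "namespace": "omni", "labels": {"run": "nginx"}},
    "spec": {
        "securityContext": {"appArmorProfile": {"type": "Localhost",
                                                "localhostProfile": "restricted-frontend"}},
        "serviceAccountName": "frontend-default",
        "automountServiceAccountToken": False,
        "containers": [{"image": "nginx:alpine", "name": "nginx",
                        "volumeMounts": [{"mountPath": "/usr/share/nginx/html",
                                          "name": "test-volume"}]}],
        "volumes": [{"name": "test-volume",
                     "hostPath": {"path": "/data/pages", "type": "Directory"}}],
    },
}

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def check_pod(pod: dict) -> list[str]:
    """Return findings for the three restrictions; an empty list means the pod passes."""
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations", {})
    pod_profile = spec.get("securityContext", {}).get("appArmorProfile")
    findings = []

    for c in spec.get("containers", []):
        # AppArmor: container-level field wins, then the pod-level field (K8s >= 1.30),
        # then the legacy per-container annotation used on older clusters.
        profile = c.get("securityContext", {}).get("appArmorProfile") or pod_profile
        legacy = annotations.get(f"container.apparmor.security.beta.kubernetes.io/{c['name']}", "")
        if profile:
            if profile.get("type") != "Localhost" or not profile.get("localhostProfile"):
                findings.append(f"{c['name']}: appArmorProfile needs type Localhost and a localhostProfile")
        elif not legacy.startswith("localhost/"):
            findings.append(f"{c['name']}: no AppArmor profile applied")
        # Token mount: the projected volume is re-added by the admission controller on
        # the next create unless automount is disabled, so flag it if still present.
        if any(m.get("mountPath", "").startswith(SA_TOKEN_PATH) for m in c.get("volumeMounts", [])):
            findings.append(f"{c['name']}: service account token is still mounted")

    if spec.get("serviceAccountName", "default") == "default":
        findings.append("pod runs as the namespace 'default' service account")
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("automountServiceAccountToken is not false; the token volume will be re-injected")
    return findings
```

Run it against the exported `q1pod.yaml` (after `yaml.safe_load`) to see which of the three restrictions the live pod is still missing.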