A Pod within a Kubernetes cluster can discover and attempt to connect to the API server using the automatically mounted ServiceAccount credentials and internal service discovery. However, this connection is subject to network-level controls. Kubernetes Network Policies are the standard mechanism for enforcing network segmentation. A properly configured egress Network Policy can explicitly deny traffic from a Pod (or a group of Pods) to the API server's endpoint, thereby blocking the connection attempt. This is a critical security practice to limit the potential impact of a compromised workload by preventing it from interacting with the cluster's control plane.

A. Kubernetes does not have a built-in feature to automatically detect a "compromise" and then isolate the Pod. This functionality requires external security monitoring and response tools.

B. This is incorrect because Network Policies can, and in a secure environment often do, place restrictions on which Pods are allowed to communicate with the API server.

D. This is fundamentally incorrect. Kubernetes operates on a principle of least privilege. A Pod's ServiceAccount is granted minimal (often no) permissions by default via RBAC.

1. Kubernetes Official Documentation

"Network Policies": This document explains how Network Policies control traffic flow. The section on "Egress rules" details how to specify destinations that Pods are allowed to connect to. A policy could be written to deny egress traffic to the API server's IP range for most Pods. (See: kubernetes.io/docs/concepts/services-networking/network-policies/#egress-rules)

2. Kubernetes Official Documentation

"Accessing the Cluster": This page describes how a Pod can communicate with the API server. The section "Accessing the API from a Pod" states

"When accessing the API from a pod

the location of the API server is injected into the pod...". This confirms the Pod can attempt the connection

which Network Policies can then block. (See: kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)

3. The Linux Foundation

"Kubernetes and Cloud Native Security" (LFS260 Courseware): University-level courseware developed by the Linux Foundation often covers these principles. For instance

modules on cluster security emphasize using Network Policies for micro-segmentation to limit the "blast radius" of a compromise

including restricting access to the control plane (API server) as a primary defense strategy. The KCSA exam curriculum explicitly lists "Understand Network Policy" under the "Cluster Security" domain.