An administrator runs several critical workloads on vSphere Kubernetes Service (VKS).

Harbor reduces the risk of running vulnerable or tampered images primarily throughvulnerability scanningandimage signing.Vulnerability scanning (E)detects known CVEs in image layers (OS packages and application dependencies, depending on the scanner configuration). This allows teams to identify—and gate the use of—images that contain high/critical vulnerabilities before those images are deployed to Kubernetes clusters. Enforcing scanning as part of the image promotion process helps prevent outdated images with known CVEs from being pulled into production.Image signing (A)provides integrity and provenance controls by enabling consumers to verify that an image was produced and approved by a trusted publisher and has not been altered. When combined with admission controls/policies (for example, only allowing signed images from specific projects), signing helps block unauthorized or unapproved images from being deployed, which is critical when the incident involves exposed internal APIs and supply-chain risk.

The other choices do not directly prevent recurrence:automatic image update (B)is not a core Harbor registry control,deploy both container and VM images (C)is a content capability rather than a security control, andautomatic image validation (D)is not a standard Harbor registry capability distinct from signing/scanning.