
KCSA: Kubernetes and Cloud Native Security Associate Practice Exam

Validates foundational knowledge of securing Kubernetes clusters and cloud native workloads — component security, security fundamentals, threat modeling, platform security, and compliance frameworks.

Practice 299 exam-style KCSA questions with full answer explanations, then take timed mock exams that score like the real thing.

299 practice questions
60 questions on the real exam
750 passing score
90 min exam length

What the KCSA exam covers

Free KCSA sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 299.

  1. Question 1: Overview of Cloud Native Security

    The '4Cs of Cloud Native Security' model describes defense in depth across which layers?

    • A. Control, Compute, Cache, Code
    • B. Cloud, CDN, Cache, Cluster
    • C. Container, CNI, CSI, CRI
    • D. Cloud, Cluster, Container, Code (Correct)
    ✓ Correct answer: D

    The 4Cs model provides hierarchical defense-in-depth: Cloud (outermost infrastructure), Cluster (Kubernetes control-plane), Container (image and runtime), and Code (application). Each layer protects the one inside it, ensuring multiple independent security boundaries. No single layer failure compromises the entire system.

    Why the other options are wrong
    • A is incorrect because Control, Compute, Cache, Code is not the established 4Cs framework.
    • B is incorrect because CDN and Cache are not part of cloud-native security defense layers.
    • C is incorrect because CNI, CSI, and CRI are Kubernetes mechanisms, not the four defense tiers.
  2. Question 2: Kubernetes Cluster Component Security

    Which file permission is recommended for the kube-apiserver static pod manifest per the CIS Benchmark?

    • A. chmod 600 /etc/kubernetes/manifests/kube-apiserver.yaml (Correct)
    • B. chmod 755 /etc/kubernetes/manifests/kube-apiserver.yaml
    • C. chmod 666 /etc/kubernetes/manifests/kube-apiserver.yaml
    • D. chmod 777 /etc/kubernetes/manifests/kube-apiserver.yaml
    ✓ Correct answer: A

    The kube-apiserver is the central policy enforcement point in a Kubernetes cluster. All requests pass through it, where authentication verifies identity, RBAC authorization determines permissions, and admission controllers enforce cluster policies. This centralized enforcement ensures uniform policy application across the cluster.

  3. Question 3: Kubernetes Security Fundamentals

    From a security standpoint, images should be pulled from where?

    • A. Email attachments
    • B. Random mirrors found online
    • C. Any public registry without checks
    • D. Trusted, controlled registries (ideally with signature verification and scanning) (Correct)
    ✓ Correct answer: D

    Pod Security Standards (PSS, replacing PodSecurityPolicy) define three policy levels (restricted, baseline, privileged) that enforce security constraints at the pod level. These include disabling privileged containers, enforcing non-root users, and restricting capabilities, providing crucial runtime protection.

  4. Question 4: Kubernetes Security Fundamentals

    A namespace is labeled pod-security.kubernetes.io/enforce: restricted. An existing Deployment already running privileged pods is then created/updated. What is the gotcha regarding already-running pods?

    • A. All running non-compliant pods are immediately terminated
    • B. The namespace label is rejected if any running pod violates it
    • C. PSA mutates the running pods to make them compliant
    • D. Pod Security Admission only evaluates pods at creation/update time; pods already running before the label was applied are not retroactively evicted (Correct)
    ✓ Correct answer: D

    Pod Security Standards (PSS, replacing PodSecurityPolicy) define three policy levels (restricted, baseline, privileged) that enforce security constraints at the pod level. These include disabling privileged containers, enforcing non-root users, and restricting capabilities, providing crucial runtime protection.

  5. Question 5: Kubernetes Threat Model (Select all that apply)

    During a threat-modeling exercise for node compromise, which TWO architectural mitigations most reduce the chance that a compromised pod escapes to the host? (Choose TWO)

    • A. Enforce restricted Pod Security (non-root, drop ALL capabilities, no privilege escalation, RuntimeDefault seccomp) (Correct)
    • B. Run all workloads with privileged: true to standardize behavior
    • C. Block hostPath, host namespaces, and runtime-socket mounts via admission policy (Correct)
    • D. Disable RBAC so troubleshooting is faster
    ✓ Correct answer: A, C

    Threat modeling frameworks like STRIDE help systematically identify security threats in an architecture. STRIDE covers Spoofing (authentication), Tampering (integrity), Repudiation (audit trails), Information Disclosure (confidentiality), Denial of Service (availability), and Elevation of Privilege (authorization). This systematic approach ensures comprehensive threat analysis.

  6. Question 6: Platform Security

    What is an SBOM useful for?

    • A. Encrypting the image
    • B. Listing an image's components so you can match them against new CVEs quickly (Correct)
    • C. Routing traffic
    • D. Assigning IPs
    ✓ Correct answer: B

    This answer addresses a fundamental platform-level security mechanism for isolating and constraining containers at the kernel level.

  7. Question 7: Platform Security

    To migrate sensitive multi-tenant workloads onto shared nodes with stronger isolation, which integration provides kernel-level sandboxing?

    • A. Adding a LivenessProbe
    • B. Increasing the replica count
    • C. Setting privileged: true on the pods
    • D. A RuntimeClass pointing to a sandboxed runtime such as gVisor (runsc) or Kata Containers (Correct)
    ✓ Correct answer: D

    Container isolation on Linux uses namespaces (process, network, mount, IPC) to provide process-level isolation, and cgroups to enforce resource limits. Additional security features include seccomp profiles to restrict system calls, AppArmor/SELinux for mandatory access control, and capabilities to drop unnecessary privileged operations.

  8. Question 8: Kubernetes Security Fundamentals

    To optimize cluster cost while keeping security intact, a team sets CPU/memory requests on every pod. How do accurate requests help cost control?

    • A. They sign container images automatically
    • B. They let the scheduler bin-pack pods efficiently and let the cluster autoscaler right-size node count to actual demand (Correct)
    • C. They disable anonymous authentication on the API server
    • D. They encrypt etcd at rest
    ✓ Correct answer: B

    Pod Security Standards (PSS, replacing PodSecurityPolicy) define three policy levels (restricted, baseline, privileged) that enforce security constraints at the pod level. These include disabling privileged containers, enforcing non-root users, and restricting capabilities, providing crucial runtime protection.

  9. Question 9: Kubernetes Threat Model

    On-call engineers notice a pod running a known web app suddenly spawned /bin/sh and ran 'curl' to an unknown external IP, then started a crypto-miner. Which capability would have detected this behavior at runtime?

    • A. Falco rules alerting on an unexpected shell and outbound connection inside a container (Correct)
    • B. A readinessProbe checking the HTTP endpoint
    • C. A HorizontalPodAutoscaler scaling on CPU
    • D. An Ingress TLS certificate
    ✓ Correct answer: A

    This answer identifies a critical threat vector or attack path in a cloud-native Kubernetes environment.

  10. Question 10: Kubernetes Security Fundamentals

    A workload's pod authenticates to the API server using a projected ServiceAccount token. What property of these bound tokens improves security over legacy auto-mounted Secret tokens?

    • A. They disable RBAC for the pod
    • B. They are time-limited and audience-bound, and expire/rotate rather than living forever in a Secret (Correct)
    • C. They grant cluster-admin automatically
    • D. They are stored unencrypted in a public ConfigMap
    ✓ Correct answer: B

    Kubernetes Secrets store sensitive data like credentials, tokens, and certificates. Protection requires encryption at rest in etcd, RBAC policies restricting access, and projection of Secrets via volumes or environment variables. Mounting as files rather than environment variables reduces accidental exposure in process listings.

KCSA practice exam FAQ

How many questions are in the KCSA practice exam on CertGrid?

CertGrid has 299 practice questions for KCSA: Kubernetes and Cloud Native Security Associate, covering 6 exam domains. The real KCSA exam has about 60 questions.

What is the passing score for KCSA?

The KCSA exam passing score is 750, and you have about 90 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official KCSA exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of KCSA: Kubernetes and Cloud Native Security Associate, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice KCSA for free?

Yes. You can start practicing KCSA: Kubernetes and Cloud Native Security Associate for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.