KCSA Linux Foundation Kubernetes and Cloud Native Security Associate (KCSA) Free Practice Exam Questions (2025 Updated)

MITRE ATT&CKis a globally recognizedknowledge base of adversary tactics, techniques, and procedures (TTPs). It is focused on describingoffensive behaviorsattackers use.

Incorrect options:

(B)OWASP Top 10highlights common application vulnerabilities, not attacker techniques.

(C)CIS Controlsare defensive best practices, not offensive tools.

(D)NIST Cybersecurity Frameworkprovides a risk-based defensive framework, not adversary TTPs.

Access control (RBAC, least privilege, user restrictions)is abaseline container security best practice.

Exact extract (Kubernetes Pod Security Standards – Baseline):

“The baseline profile is designed to prevent known privilege escalations. It prohibits running privileged containers or containers as root.”

Other options clarified:

B: Static IPs not a security measure.

C: Persistent storage is functionality, not security.

D: Running as root is explicitlyinsecure.

Multi-stage buildsare a Docker/Kaniko feature that allows building images in multiple stages → final image contains only runtime artifacts, not build tools.

This reducesimage size, attack surface, and security risks.

Exact extract (Docker Docs):

“Multi-stage builds allow you to use multiple FROM statements in a Dockerfile. You can copy artifacts from one stage to another, resulting in smaller, optimized images.”

Clarifications:

A: Collaboration is not the definition.

B: Multiple repositories ≠ multi-stage builds.

C: Build concurrency ≠ multi-stage builds.

gVisor:

Google-developed, implemented as auser-space kernelthat intercepts and emulates syscalls made by containers.

Providesstrong isolationwithout requiring a full VM.

Official docs: “gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface.”

Source: https://gvisor.dev/docs/

Firecracker:

AWS-developed,lightweight virtualization technologybuilt on KVM, used in AWS Lambda and Fargate.

Optimized for running secure, multi-tenant microVMs (MicroVMs) for containers and FaaS.

Official docs: “Firecracker is an open-source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.”

Source: https://firecracker-microvm.github.io/

Key difference:gVisor → syscall interception in userspace kernel (container isolation). Firecracker → lightweight virtualization with microVMs (multi-tenant security).

Therefore, optionAis correct.

ConfigMaps are explicitly not for confidential data.

Exact extract (ConfigMap concept):“A ConfigMap is an API object used to store non-confidential data in key-value pairs.”

Exact extract (ConfigMap concept):“ConfigMaps are not intended to hold confidential data. Use a Secret for confidential data.”

Why this is risky:data placed into a ConfigMap is stored as regular (plaintext) string values in the API and etcd (unless you deliberately use binaryData for base64 content you supply). That means if someone has read access to the namespace or to etcd/APIServer storage, they can view the values.

Secrets vs ConfigMaps (to clarify distractor D):

Exact extract (Secret concept):“By default, secret data is stored as unencrypted base64-encoded strings.You canenable encryption at restto protect Secrets stored in etcd.”

This base64 behavior applies toSecrets, not to ConfigMap data. Thus optionDis incorrect for ConfigMaps.

About RBAC (to clarify distractor A):Kubernetesdoessupport fine-grained RBAC forbothConfigMaps and Secrets; the issue isn’t lack of RBAC but that ConfigMaps arenotdesigned for confidential material.

About compatibility (to clarify distractor C):Using ConfigMaps for secrets doesn’t make apps “incompatible”; it’s simplyinsecureand against guidance.

Pod Security Standards (PSS):

Kubernetes providesPod Security Admission (PSA)to enforce security controls based on policies.

Official extract: “Pod Security Standards define different isolation levels for Pods. The standards focus on restricting what Pods can do and what they can access.”

The three standard profiles are:

Privileged: unrestricted (not recommended).

Baseline: minimal restrictions.

Restricted: highly restricted, enforcing least privilege.

Why option C is correct:

Applying Pod Security Standards in YAML ensures Pods adhere tobest practiceslike:

No root user.

Restricted host access.

No privilege escalation.

Seccomp/AppArmor profiles.

This directly minimizes security risks.

Why others are wrong:

A:Sharing sensitive data increases risk of exposure.

B:Running with elevated privileges contradicts least privilege principle.

D:Random Pod names donotcontribute to security.

TheKubernetes Schedulerassigns Pods to nodes based on:

Resource requests & availability (CPU, memory, GPU, etc.)

Constraints (affinity, taints, tolerations, topology, policies)

Exact extract (Kubernetes Docs – Scheduler):

“The scheduler is a control plane process that assigns Pods to Nodes. Scheduling decisions take into account resource requirements, affinity/anti-affinity, constraints, and policies.”

Other options clarified:

A: Monitoring cluster health is theController Manager’s/kubelet’s job.

B: Security is enforced throughRBAC, admission controllers, PSP/PSA, not the scheduler.

C: Deployment scaling is handled by theController Manager(Deployment/ReplicaSet controller).

Egress NetworkPoliciesrestrict outbound traffic from Pods.

Without egress restrictions, a compromised Pod could exfiltrate sensitive data (secrets, logs, customer data) to an attacker-controlled server.

Exact extract (Kubernetes Docs – Network Policies):

“Egress rules control outbound connections from Pods. Without such restrictions, compromised workloads can connect freely to external endpoints.”

Other options clarified:

A: DoS is more about flooding, not egress absence.

C: “Increased attack surface” is vague but not the main risk.

D: True in a sense, but the precise and most common risk isdata exfiltration.

PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.

Exact extract (PCI DSS official summary):

“PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”

Therefore,merchants who process credit card paymentsmust comply.

Why others are wrong:

A: No card payments, so no PCI scope.

B: This falls underFISMA / NIST 800-53, not PCI DSS.

C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.

Kubernetes supportsmultiple container runtimeson a node via theRuntimeClassresource.

To select a runtime, you specify the runtimeClassName field in thePod’s YAML manifest. Example:

apiVersion: v1

kind: Pod

metadata:

name: example

spec:

runtimeClassName: gvisor

containers:

- name: app

image: nginx

Incorrect options:

(A) You cannot specify container runtime through a kubectl command-line flag.

(B) Modifying the Docker daemon config does not direct Kubernetes Pods to a runtime.

(C) Environment variables inside a Pod spec do not control container runtimes.

KubernetesAdmission Controllers(particularlyValidatingAdmissionWebhooks) can be used to enforce policies that validate image signatures.

This is commonly implemented withtools like Sigstore/cosign, Kyverno, or OPA Gatekeeper.

PodSecurityPolicy (PSP):deprecated and never supported image signature validation.

Pod Security Standards (PSS):only apply to pod security fields (privilege, users, host access), not image signatures.

CRI:while runtimes (containerd, CRI-O) may integrate with signature verification tools, enforcement in Kubernetes is generally done viaAdmission Controllersat the API layer.

Exact extract (Admission Controllers docs):

“Admission webhooks can be used to enforce custom policies on the objects being admitted.” (e.g., validating signatures).

Kubernetes originally had a feature calledPodSecurityPolicy (PSP), which provided controls to restrict pod behavior.

Official docs:

“PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25.”

“Pod Security Standards (PSS) replace PodSecurityPolicy (PSP) with a simpler, policy-driven approach.”

PSP was often complex and hard to manage, so it was replaced by Pod Security Admission (PSA) which enforcesPod Security Standards.

NetworkPolicycontrols network trafficat the Pod level.

Ingress rules:controlincomingconnections to Pods.

Egress rules:controloutgoingconnectionsfrom Pods.

Exact extract (Kubernetes Docs – Network Policies):

“An egress rule controls outgoing connections from Pods that match the policy.”

Clarifying wrong answers:

A/B: Too broad (cluster-level); policies apply per Pod/Namespace.

C: Security against unauthorized access is broader than egress policies.

ThePodSecurity admission controller(built-in as of Kubernetes v1.23+) enforces the Pod Security Standards (Privileged, Baseline, Restricted).

Enforcement is namespace-scoped and configured throughnamespace labels.

Incorrect options:

(A) Kyverno/OPA are external policy tools (useful but not required).

(C) Not true, PodSecurity admission provides native enforcement.

(D) Enforcement requires explicit configuration, not automatic.

Thekubeletis the primary agent that runs on each node in a Kubernetes cluster and communicates with the control plane.

Kubeletsupports TLS (Transport Layer Security)for both authentication and encryption when interacting with the API server. This is a core security feature that ensures secure node-to-control-plane communication.

Incorrect options:

(A) Kubelet does not run as a privileged container by default; it runs as a system process (typically systemd-managed) on the host.

(B) Kubelet does include built-in security features such asTLS authentication, authorization modes, and read-only vs secured ports.

(D) While kubelet interacts with the host system (e.g., cgroups, container runtimes), it does not inherently require root access for communication security; RBAC and TLS handle authentication.

When a Pod is created, Kubernetes automatically mounts aservice account tokenthat can authenticate to the API server.

TheRole-Based Access Control (RBAC)system defines what actions a service account can perform.

By carefully restricting Roles and RoleBindings, administrators limit the blast radius of a compromised Pod.

Incorrect options:

(A)PodSecurity admissionenforces workload-level security settings but does not control API access.

(B)NetworkPolicycontrols network communication, not API privileges.

(D)RuntimeClassselects container runtimes, unrelated to privilege escalation through API tokens.

Trust boundariesexist where data flows between different security domains.

In Kubernetes:

Communication between thekubelet (node agent)and theAPI Server (control plane)crosses thenode-to-control-plane trust boundary.

(A) Kubelet to container runtime is local, no boundary crossing.

(C) Kubelet does not communicate directly with the controller manager.

(D) API server does not talk directly to the container runtime; it delegates to kubelet.

Therefore, (B) is the correct trust boundary crossing flow.