Questions for the KCSA were updated on: Nov 21, 2025
Page 1 out of 4. Viewing questions 1-15 out of 59
Question 1
How can a user enforce the Pod Security Standard without third-party tools?
A. Through implementing Kyverno or OPA Policies.
B. Use the PodSecurity admission controller.
C. It is only possible to enforce the Pod Security Standard with additional tools within the cloud native ecosystem.
D. No additional measures have to be taken to enforce the Pod Security Standard.
Answer:
B
Question 2
A cluster administrator wants to enforce the use of a different container runtime depending on the application a workload belongs to.
A. By manually modifying the container runtime for each workload after it has been created.
B. By modifying the kube-apiserver configuration file to specify the desired container runtime for each application.
C. By configuring a validating admission controller webhook that verifies the container runtime based on the application label and rejects requests that do not comply.
D. By configuring a mutating admission controller webhook that intercepts new workload creation requests and modifies the container runtime based on the application label.
Answer:
C
Question 3
In which order are the validating and mutating admission controllers run while the Kubernetes API server processes a request?
A. The order of execution varies and is determined by the cluster configuration.
B. Validating admission controllers run before mutating admission controllers.
C. Validating and mutating admission controllers run simultaneously.
D. Mutating admission controllers run before validating admission controllers.
Answer:
D
Question 4
Which of the following statements is true concerning the use of microVMs over user-space kernel implementations for advanced container sandboxing?
A. MicroVMs allow for easier container management and orchestration than user-space kernel implementation.
B. MicroVMs offer higher isolation than user-space kernel implementations at the cost of a higher per-instance memory footprint.
C. MicroVMs provide reduced application compatibility and higher per-system call overhead than user-space kernel implementations.
D. MicroVMs offer lower isolation and security compared to user-space kernel implementations.
Answer:
B
Question 5
To restrict the kubelet's rights to the Kubernetes API, what authorization mode should be set on the Kubernetes API server?
A. Node
B. AlwaysAllow
C. kubelet
D. Webhook
Answer:
A
Question 6
Given a standard Kubernetes cluster architecture comprising a single control plane node (hosting both etcd and the control plane as Pods) and three worker nodes, which of the following data flows crosses a trust boundary?
A. From kubelet to Container Runtime
B. From kubelet to API Server
C. From kubelet to Controller Manager
D. From API Server to Container Runtime
Answer:
B
Question 7
As a Kubernetes and Cloud Native Security Associate, a user can set up audit logging in a cluster. What is the risk of logging every event at the full RequestResponse level?
A. No risk, as it provides the most comprehensive audit trail.
B. Increased storage requirements and potential impact on performance.
C. Improved security and easier incident investigation.
D. Reduced storage requirements and faster performance.
Answer:
B
Question 8
In Kubernetes, what is Public Key Infrastructure used for?
A. To manage certificates and ensure secure communication in a Kubernetes cluster.
B. To automate the scaling of containers in a Kubernetes cluster.
C. To manage networking in a Kubernetes cluster.
D. To monitor and analyze performance metrics of a Kubernetes cluster.
Answer:
A
Question 9
A Kubernetes cluster tenant can launch privileged pods in contravention of the restricted Pod Security Standard mandated for cluster tenants and enforced by the built-in PodSecurity admission controller. The tenant has full CRUD permissions on the namespace object and the namespaced resources. How did the tenant achieve this?
A. The scope of the tenant role means privilege escalation is impossible.
B. By tampering with the namespace labels.
C. By deleting the PodSecurity admission controller deployment running in their namespace.
D. By using higher-level access credentials obtained reading secrets from another namespace.
Answer:
B
Question 10
Which of the following statements regarding a container run with privileged: true is correct?
A. A container run with privileged: true within a cluster can access all Secrets used within that cluster.
B. A container run with privileged: true within a Namespace can access all Secrets used within that Namespace.
C. A container run with privileged: true on a node can access all Secrets used on that node.
D. A container run with privileged: true has no additional access to Secrets than if it were run with privileged: false.
Answer:
D
Question 11
What does the 'cluster-admin' ClusterRole enable when used in a RoleBinding?
A. It gives full control over every resource in the role binding's namespace, not including the namespace object for isolation purposes.
B. It gives full control over every resource in the cluster and in all namespaces.
C. It gives full control over every resource in the role binding's namespace, including the namespace itself.
D. It allows read/write access to most resources in the role binding's namespace. This role does not allow write access to resource quota, to the namespace itself, and to EndpointSlices (or Endpoints).
Answer:
B
Question 12
Which security knowledge-base focuses specifically on offensive tools, techniques, and procedures?
A. MITRE ATT&CK
B. OWASP Top 10
C. CIS Controls
D. NIST Cybersecurity Framework
Answer:
A
Question 13
Why might NetworkPolicy resources have no effect in a Kubernetes cluster?
A. NetworkPolicy resources are only enforced if the Kubernetes scheduler supports them.
B. NetworkPolicy resources are only enforced if the networking plugin supports them.
C. NetworkPolicy resources are only enforced for unprivileged Pods.
D. NetworkPolicy resources are only enforced if the user has the right RBAC permissions.
Answer:
B
Question 14
Why does the default base64 encoding that Kubernetes applies to the contents of Secret resources provide inadequate protection?
A. Base64 encoding is vulnerable to brute-force attacks.
B. Base64 encoding relies on a shared key which can be easily compromised.
C. Base64 encoding does not encrypt the contents of the Secret, only obfuscates it.
D. Base64 encoding is not supported by all Secret Stores.
Answer:
C
Question 15
In a cluster that contains Nodes with multiple container runtimes installed, how can a Pod be configured to be created on a specific runtime?
A. By using a command-line flag when creating the Pod.
B. By modifying the Docker daemon configuration.
C. By setting the container runtime as an environment variable in the Pod.
D. By specifying the container runtime in the Pod's YAML file.