Pass the Linux Foundation Kubernetes and Cloud Native KCSA Questions and answers with ExamsMirror

KubernetesPod Security Admission (PSA)enforcesPod Security Standardsby applying labels on Namespaces.

Exact extract (Kubernetes Docs – Pod Security Admission):

“You can label a namespace with pod-security.kubernetes.io/enforce: baseline to enforce the Baseline policy.”

Thebaselineprofile explicitly disallowsprivileged podsand other unsafe features.

Why others are wrong:

A & D: These labels do not exist in Kubernetes.

B: Setting privileged: true would allow privileged pods, not block them.

Access control (RBAC, least privilege, user restrictions)is abaseline container security best practice.

Exact extract (Kubernetes Pod Security Standards – Baseline):

“The baseline profile is designed to prevent known privilege escalations. It prohibits running privileged containers or containers as root.”

Other options clarified:

B: Static IPs not a security measure.

C: Persistent storage is functionality, not security.

D: Running as root is explicitlyinsecure.

Kubernetes usesPKI certificatesextensively to secure communication between control plane components (API server, etcd, kube-scheduler, kube-controller-manager) and with kubelets.

Certificates enablemutual TLS authentication and encryptionacross components.

PKI does not handle scaling, networking, or monitoring.

Static Podsare managed directly by thekubeleton each node.

They arenot scheduled by the kube-schedulerand always remain bound to the node where they are defined.

Exact extract (Kubernetes Docs – Static Pods):

“Static Pods are managed directly by the kubelet daemon on a specific node, without the API server. They do not go through the Kubernetes scheduler.”

Clarifications:

A: Static Pods do not span multiple nodes.

B: No hard limit of 5 Pods per node.

D: They are not a fallback mechanism; kubelet always manages them regardless of scheduler state.

Allkubectl requestsgo to theKubernetes API Server.

The API server is thefront-end of the control planeand validates/authenticates requests before other components act.

Exact extract (Kubernetes Docs – Components):

“The API server is a component of the Kubernetes control plane that exposes the Kubernetes API. It is the front end for the Kubernetes control plane.”

Other options clarified:

Controller Manager: reconciles state after API Server processes the request.

Scheduler: assigns Pods to nodes after API Server accepts workload objects.

kubelet: node agent, only communicates after API Server updates desired state.

MicroVM-based runtimes(e.g., Firecracker, Kata Containers) use lightweight VMs to provide strong isolation between workloads.

Compared touser-space kernel implementations(e.g., gVisor), microVMs generally:

Offerhigher isolation and security(due to VM-level separation).

Come with ahigher memory and resource overhead per instancethan user-space approaches.

Incorrect options:

(A) Orchestration is handled by Kubernetes, not inherently easier with microVMs.

(C) Compatibility is typically better with microVMs, not worse.

(D) Isolation is stronger, not weaker.

PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.

Exact extract (PCI DSS official summary):

“PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”

Therefore,merchants who process credit card paymentsmust comply.

Why others are wrong:

A: No card payments, so no PCI scope.

B: This falls underFISMA / NIST 800-53, not PCI DSS.

C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.

In NIST SP 800-53 Rev. 5,SR-6: Supplier Assessments and Reviewsrequires evaluating and monitoring suppliers’ security and risk practices.

Exact extract (NIST SP 800-53 Rev. 5, SR-6):

“The organization assesses and monitors suppliers to ensure they are meeting the security requirements specified in contracts and agreements.”

This is aboutongoing monitoringof supplier adherence, not financial audits, not contract creation, and not supplier discovery.

Pod Security Admission (PSA)enforces policies by applyinglabels on namespaces, not globally across the cluster.

Exact extract (Kubernetes Docs – Pod Security Admission):

“You can apply Pod Security Standards to namespaces by adding labels such as pod-security.kubernetes.io/enforce. Different namespaces can enforce different policies.”

Clarifications:

A: Incorrect, namespaces are the unit of enforcement.

C: Misleading — a namespace can have multiple enforcement modes (enforce, audit, warn).

D: Default namespace doesnotenforce strict policies unless labeled.

Defining policiesas code (declarative)is a best practice in Kubernetes and cloud-native security.

This is aligned withGitOpsandPolicy-as-Codeprinciples (OPA Gatekeeper, Kyverno, etc.).

Exact extract (CNCF Security Whitepaper):

“Policy-as-Code enables declarative definition and enforcement of security policies, bringing consistency, automation, and reducing misconfiguration risk.”

Manual audits, ad-hoc scripting, or individual configurations are error-prone and inconsistent.