Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
Linux Foundation
Kubernetes and Cloud Native
KCSA
Kubernetes and Cloud Native Security Associate (KCSA) Questions and Answers

Pass the Linux Foundation Kubernetes and Cloud Native KCSA Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam KCSA Premium Access

View all detail and faqs for the KCSA exam

Go to Exam

716 Students Passed

94% Average Score

90% Same Questions

Viewing page 2 out of 2 pages

Viewing questions 11-20 out of questions

Questions # 11:

A cluster is failing to pull more recent versions of images from k8s.gcr.io. Why may this be?

Options:

There is a network connectivity issue between the cluster and k8s.gcr.io.

There is a bug in the container runtime or the image pull process.

The authentication credentials for accessing k8s.gcr.io are incorrectly scoped.

The container image registry k8s.gcr.io has been deprecated.

Answer

Explanation

k8s.gcr.iowas the historic Kubernetes image registry.

It has beendeprecatedand replaced withregistry.k8s.io.

Exact extract (Kubernetes Blog):

“The k8s.gcr.io image registry will be frozen from April 3, 2023 and fully deprecated. All Kubernetes project images are now served from registry.k8s.io.”

Pulling newer versions from k8s.gcr.io fails because the registry no longer receives updates.

[References:, Kubernetes Blog — Image Registry Update: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/, ]

Questions # 12:

In a cluster that contains Nodes withmultiple container runtimesinstalled, how can a Pod be configured to be created on a specific runtime?

Options:

By using a command-line flag when creating the Pod.

By modifying the Docker daemon configuration.

By setting the container runtime as an environment variable in the Pod.

By specifying the container runtime in the Pod's YAML file.

Answer

Explanation

Kubernetes supportsmultiple container runtimeson a node via theRuntimeClassresource.

To select a runtime, you specify the runtimeClassName field in thePod’s YAML manifest. Example:

apiVersion: v1

kind: Pod

metadata:

name: example

spec:

runtimeClassName: gvisor

containers:

- name: app

image: nginx

Incorrect options:

(A) You cannot specify container runtime through a kubectl command-line flag.

(B) Modifying the Docker daemon config does not direct Kubernetes Pods to a runtime.

[References:, Kubernetes Documentation – RuntimeClass, CNCF Security Whitepaper – Workload isolation via different runtimes (e.g., gVisor, Kata) for enhanced security., , ]

Questions # 13:

Which step would give an attacker a foothold in a cluster butno long-term persistence?

Options:

Modify Kubernetes objects stored within etcd.

Modify file on host filesystem.

Starting a process in a running container.

Create restarting container on host using Docker.

Answer

Explanation

Starting a process in a running containerprovides an attacker withtemporary execution (foothold)inside the cluster, but once the container is stopped or restarted, that malicious process is lost. This means the attacker has nolong-term persistence.

Incorrect options:

(A) Modifying objects inetcdgrants persistent access since cluster state is stored in etcd.

(B) Modifying files on thehost filesystemcan create persistence across reboots or container restarts.

(D) Creating a restarting container directly on the host via Docker bypasses Kubernetes but persists across pod restarts if Docker restarts it.

[References:, CNCF Security Whitepaper – Threat Modeling section: Describes howephemeral processes inside containersprovide attackers short-term control but not durable persistence., Kubernetes Documentation – Cluster Threat Model emphasizes ephemeral vs. persistent attacker footholds., ]

Questions # 14:

When should soft multitenancy be used over hard multitenancy?

Options:

When the priority is enabling resource sharing and efficiency between tenants.

When the priority is enabling complete isolation between tenants.

When the priority is enabling fine-grained control over tenant resources.

When the priority is enabling strict security boundaries between tenants.

Answer

Explanation

Soft multitenancy(Namespaces, RBAC, Network Policies) → assumes some level of trust between tenants, focuses onresource sharing and efficiency.

Hard multitenancy(separate clusters or strong virtualization) → strict isolation, used when tenants are untrusted.

Exact extract (CNCF TAG Security Multi-Tenancy Whitepaper):

“Soft multi-tenancy refers to multiple workloads running in the same cluster with some trust assumptions. It provides resource sharing and operational efficiency. Hard multi-tenancy requires stronger isolation guarantees, typically separate clusters.”

[References:, CNCF Security TAG — Multi-Tenancy Whitepaper:https://github.com/cncf/tag-security/tree/main/multi-tenancy, ]

Questions # 15:

In which order are thevalidating and mutating admission controllersrun while the Kubernetes API server processes a request?

Options:

The order of execution varies and is determined by the cluster configuration.

Validating admission controllers run before mutating admission controllers.

Validating and mutating admission controllers run simultaneously.

Mutating admission controllers run before validating admission controllers.

Answer

Explanation

Theadmission control flowin Kubernetes:

Mutating admission controllersrun first and can modify incoming requests.

Validating admission controllersrun after mutations to ensure the final object complies with policies.

This ensures policies validate thefinal, mutated object.

[References:, Kubernetes Documentation – Admission Controllers, CNCF Security Whitepaper – Admission control workflow., ]

Questions # 16:

As a Kubernetes and Cloud Native Security Associate, a user can set upaudit loggingin a cluster. What is the risk of logging every event at the fullRequestResponselevel?

Options:

No risk, as it provides the most comprehensive audit trail.

Increased storage requirements and potential impact on performance.

Improved security and easier incident investigation.

Reduced storage requirements and faster performance.

Answer

Explanation

Audit loggingrecords API server requests and responses for security monitoring.

TheRequestResponse levellogs the full request and response bodies, which can:

Significantly increasestorage and performance overhead.

Potentially log sensitive data (including Secrets).

Therefore, while comprehensive, it introduces risks of performance degradation and excessive log volume.

[References:, Kubernetes Documentation – Auditing, CNCF Security Whitepaper – Logging and monitoring: trade-offs between verbosity, storage, and security., ]

Questions # 17:

Which other controllers are part of the kube-controller-manager inside the Kubernetes cluster?

Options:

Job controller, CronJob controller, and DaemonSet controller

Pod, Service, and Ingress controller

Namespace controller, ConfigMap controller, and Secret controller

Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller

Answer

Explanation

kube-controller-managerruns a set of controllers that regulate the cluster’s state.

Exact extract (Kubernetes Docs):“The kube-controller-manager runs controllers that are core to Kubernetes. Examples of controllers are: Node controller, Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller.”

Why D is correct:All listed are actual controllers within kube-controller-manager.

Why others are wrong:

A:Job and CronJob controllers are managed by kube-controller-manager, but DaemonSet controller is managed by the kube-scheduler/deployment logic.

B:Pod, Service, Ingress controllers are not part of kube-controller-manager.

C:ConfigMap and Secret do not have dedicated controllers.

[References:, Kubernetes Docs — kube-controller-manager: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/, ]

Questions # 18:

Why does the defaultbase64 encodingthat Kubernetes applies to the contents of Secret resources provide inadequate protection?

Options:

Base64 encoding is vulnerable to brute-force attacks.

Base64 encoding relies on a shared key which can be easily compromised.

Base64 encoding does not encrypt the contents of the Secret, only obfuscates it.

Base64 encoding is not supported by all Secret Stores.

Answer

Explanation

Kubernetes stores Secret data asbase64-encoded stringsin etcd by default.

Base64 is not encryption— it is a simple encoding scheme that merelyobfuscatesdata for transport and storage. Anyone with read access to etcd or the Secret manifest can easily decode the value back to plaintext.

For actual protection, Kubernetes supportsencryption at rest(via encryption providers) and external Secret management (Vault, KMS, etc.).

[References:, Kubernetes Documentation – Secrets, CNCF Security Whitepaper – Data protection section: highlights that base64 encoding does not protect data and encryption at rest is recommended., ]

Viewing page 2 out of 2 pages

Viewing questions 11-20 out of questions