20:00Min. left

PDF|

Guide for KCSA: Kubernetes and Cloud Native Security Associate (KCSA)

Quiz KCSA: Kubernetes and Cloud Native Security Associate (KCSA)

Updated on 2026/06/06

PDF|

Guide for KCSA: Kubernetes and Cloud Native Security Associate (KCSA)

Updated on 2026/06/06

Randomized | 10 Questions per Test | 20 Minutes | 70% to pass

Learning Mode

Free Test

Question: / 10

20:00Min. left

Question: / 10

5.0

Quiz

Question 1/101/10

Which standard approach to security is augmented by the 4C's of Cloud Native security?

Select the answer:Select the answer

1 correct answer

Zero Trust

Least Privilege

Defense-in-Depth

Secure-by-Design

Quiz

Question 2/102/10

In a Kubernetes cluster, what are the security risks associated with using ConfigMaps for storing
secrets?

Select multiple answer: (Choose 2)Select the answer

2 correct answers

Storing secrets in ConfigMaps does not allow for fine-grained access control via RBAC.

Storing secrets in ConfigMaps can expose sensitive information as they are stored in plaintext and can be accessed by unauthorized users.

Using ConfigMaps for storing secrets might make applications incompatible with the Kubernetes cluster.

ConfigMaps store sensitive information in etcd encoded in base64 format automatically, which does not ensure confidentiality of data.

The correct answers are B and D.
ConfigMaps are intended for non-sensitive configuration data, not secrets. When they are misused to store secrets, they introduce security risks.
B. Storing secrets in ConfigMaps can expose sensitive information as they are stored in plaintext and can be accessed by unauthorized users.
This is correct. ConfigMaps are not encrypted by default and are designed to be readable configuration objects. Anyone with sufficient access to the cluster, or to the ConfigMap resource itself, may be able to view the data. If sensitive information such as passwords, API keys, or tokens is stored there, it may be exposed in plaintext.
D. ConfigMaps store sensitive information in etcd encoded in base64 format automatically, which does not ensure confidentiality of data.
This is also correct in spirit. In Kubernetes, data is typically stored in etcd and may be represented in base64 when viewed in certain resources, but base64 is not encryption. It is only an encoding mechanism and provides no security. So even if the data looks obscured, it can be easily decoded, meaning confidentiality is not guaranteed.
Why the other options are incorrect:
A. Storing secrets in ConfigMaps does not allow for fine-grained access control via RBAC.
This is not the main security risk described. RBAC can still control access to ConfigMaps, but the issue is that ConfigMaps are not meant for secrets and do not provide secret-specific protections. The statement is misleading because the problem is not absence of RBAC, but improper use of a non-secure storage mechanism.
C. Using ConfigMaps for storing secrets might make applications incompatible with the Kubernetes cluster.
This is not a security risk and is generally false. Applications will usually still function if they read from ConfigMaps, but that does not make the practice secure.
Summary:
The key risks are that ConfigMaps store data in a form that is not meant to be secret and that base64 encoding does not protect sensitive information. Therefore, B and D are correct.

Right Answer: B, D

Quiz

Question 3/103/10

What is the difference between gVisor and Firecracker?

Select the answer:Select the answer

1 correct answer

gVisor is a user-space kernel that provides isolation and security for containers. At the same time, Firecracker is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads.

gVisor is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads. At the same time, Firecracker is a user-space kernel that provides isolation and security for containers.

gVisor and Firecracker are both container runtimes that can be used interchangeably.

gVisor and Firecracker are two names for the same technology, which provides isolation and security for containers.

Quiz

Question 4/104/10

You want to minimize security issues in running Kubernetes Pods. Which of the following actions can
help achieve this goal?

Select the answer:Select the answer

1 correct answer

Sharing sensitive data among Pods in the same cluster to improve collaboration.

Running Pods with elevated privileges to maximize their capabilities.

Implement Pod Security standards in the Pod's YAML configuration.

Deploying Pods with randomly generated names to obfuscate their identities.

Quiz

Question 5/105/10

What was the name of the precursor to Pod Security Standards?

Select the answer:Select the answer

1 correct answer

Container Runtime Security

Kubernetes Security Context

Container Security Standards

Pod Security Policy

Quiz

Question 6/106/10

Which of the following is a control for Supply Chain Risk Management according to NIST 800-53 Rev.
5?

Select the answer:Select the answer

1 correct answer

Access Control

System and Communications Protection

Supply Chain Risk Management Plan

Incident Response

Quiz

Question 7/107/10

In a Kubernetes environment, what kind of Admission Controller can modify resource manifests
when applied to the Kubernetes API to fix misconfigurations automatically?

Select the answer:Select the answer

1 correct answer

ValidatingAdmissionController

PodSecurityPolicy

MutatingAdmissionController

ResourceQuota

Quiz

Question 8/108/10

By default, in a Kubeadm cluster, which authentication methods are enabled?

Select the answer:Select the answer

1 correct answer

OIDC, Bootstrap tokens, and Service Account Tokens

X509 Client Certs, OIDC, and Service Account Tokens

X509 Client Certs, Bootstrap Tokens, and Service Account Tokens

X509 Client Certs, Webhook Authentication, and Service Account Tokens

Quiz

Question 9/109/10

A container running in a Kubernetes cluster has permission to modify host processes on the
underlying node.
What combination of privileges and capabilities is most likely to have led to this privilege escalation?

Select the answer:Select the answer

1 correct answer

There is no combination of privileges and capabilities that permits this.

hostPID and SYS_PTRACE

hostPath and AUDIT_WRITE

hostNetwork and NET_RAW

The correct answer is A.
A container normally runs in its own isolated namespaces and is restricted from interacting with processes on the underlying host node. To modify host processes, a container would need some form of direct access to the host’s process namespace or extremely powerful privileges.
Looking at the options:
A. There is no combination of privileges and capabilities that permits this.
This is the correct choice in the context of the question. The listed combinations do not grant the ability to modify host processes on their own.
B. hostPID and SYS_PTRACE
hostPID allows a container to share the host’s process namespace, which can expose host processes. SYS_PTRACE can allow tracing and potentially interacting with processes. However, this does not automatically mean the container can modify host processes, and in typical Kubernetes security models this combination alone is not sufficient to claim direct modification capability.
C. hostPath and AUDIT_WRITE
hostPath gives access to host files, not direct control over host processes. AUDIT_WRITE is related to writing audit logs, not process manipulation. This combination is unrelated to modifying host processes.
D. hostNetwork and NET_RAW
hostNetwork allows the container to share the host network namespace, and NET_RAW allows raw packet manipulation. These affect networking, not process control. They do not provide the ability to modify host processes.
Why A is the best answer:
The question asks which combination of privileges and capabilities is most likely to have led to privilege escalation allowing modification of host processes. None of the listed combinations directly grants that capability in a standard Kubernetes context. Therefore, the correct answer is that no such combination among the options would permit it.
In practice, modifying host processes would usually require much stronger access, such as running privileged containers, access to the host PID namespace with additional dangerous capabilities, or other major misconfigurations.

Right Answer: A

Quiz

Question 10/1010/10

What is the purpose of the Supplier Assessments and Reviews control in the NIST 800-53 Rev. 5 set of
controls for Supply Chain Risk Management?

Select the answer:Select the answer

1 correct answer

To evaluate and monitor existing suppliers for adherence to security requirements.

To conduct regular audits of suppliers' financial performance.

To establish contractual agreements with suppliers.

To identify potential suppliers for the organization.

Looking for more questions?Buy now

KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Practice test unlocks all online simulator questions

Thank you for choosing the free version of the KCSA: Kubernetes and Cloud Native Security Associate (KCSA) practice test! Further deepen your knowledge on Linux Foundation Simulator; by unlocking the full version of our KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Simulator you will be able to take tests with over 59 constantly updated questions and easily pass your exam. 98% of people pass the exam in the first attempt after preparing with our 59 questions.

BUY NOW

What to expect from our KCSA: Kubernetes and Cloud Native Security Associate (KCSA) practice tests and how to prepare for any exam?

The KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Simulator Practice Tests are part of the Linux Foundation Database and are the best way to prepare for any KCSA: Kubernetes and Cloud Native Security Associate (KCSA) exam. The KCSA: Kubernetes and Cloud Native Security Associate (KCSA) practice tests consist of 59 questions and are written by experts to help you and prepare you to pass the exam on the first attempt. The KCSA: Kubernetes and Cloud Native Security Associate (KCSA) database includes questions from previous and other exams, which means you will be able to practice simulating past and future questions. Preparation with KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Simulator will also give you an idea of the time it will take to complete each section of the KCSA: Kubernetes and Cloud Native Security Associate (KCSA) practice test . It is important to note that the KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Simulator does not replace the classic KCSA: Kubernetes and Cloud Native Security Associate (KCSA) study guides; however, the Simulator provides valuable insights into what to expect and how much work needs to be done to prepare for the KCSA: Kubernetes and Cloud Native Security Associate (KCSA) exam.

BUY NOW

KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Practice test therefore represents an excellent tool to prepare for the actual exam together with our Linux Foundation practice test . Our KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Simulator will help you assess your level of preparation and understand your strengths and weaknesses. Below you can read all the quizzes you will find in our KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Simulator and how our unique KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Database made up of real questions:

Info quiz:

Quiz name:KCSA: Kubernetes and Cloud Native Security Associate (KCSA)
Total number of questions:59
Number of questions for the test:50
Pass score:80%

You can prepare for the KCSA: Kubernetes and Cloud Native Security Associate (KCSA) exams with our mobile app. It is very easy to use and even works offline in case of network failure, with all the functions you need to study and practice with our KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Simulator.

Use our Mobile App, available for both Android and iOS devices, with our KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Simulator . You can use it anywhere and always remember that our mobile app is free and available on all stores.

Our Mobile App contains all KCSA: Kubernetes and Cloud Native Security Associate (KCSA) practice tests which consist of 59 questions and also provide study material to pass the final KCSA: Kubernetes and Cloud Native Security Associate (KCSA) exam with guaranteed success. Our KCSA: Kubernetes and Cloud Native Security Associate (KCSA) database contain hundreds of questions and Linux Foundation Tests related to KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Exam. This way you can practice anywhere you want, even offline without the internet.

BUY NOW

Quiz KCSA: Kubernetes and Cloud Native Security Associate (KCSA)

Free Test - Simulator KCSA: Kubernetes and Cloud Native Security Associate (KCSA)

KCSA: Kubernetes and Cloud Native Security Associate (KCSA) Practice test unlocks all online simulator questions

What to expect from our KCSA: Kubernetes and Cloud Native Security Associate (KCSA) practice tests and how to prepare for any exam?