Kubernetes and Cloud Native Security Associate Certification Review Guide [KCNSA], Exams of Technology

A detailed security-focused review covering Kubernetes hardening, container runtime protection, RBAC, secrets management, policy enforcement, and vulnerability mitigation. The guide emphasizes best practices for securing cloud-native infrastructure with practical review questions and exam simulations.

Typology: Exams

2025/2026

Available from 03/01/2026

shilpi-jain-3
Kubernetes and Cloud Native Security Associate
Certification Review Guide [KCNSA]
**Question 1**
Which of the following best describes the “4Cs” model in cloud-native security?
A) Compute, Containers, Credentials, Compliance
B) Cloud, Cluster, Container, Code
C) Cloud, Compute, Configuration, Cryptography
D) Cluster, Cache, Container, Credential
Answer: B
Explanation: The 4Cs model organizes security concerns into Cloud, Cluster, Container, and Code
layers, providing a holistic view of the stack.
**Question 2**
In the shared responsibility model, which security task is typically the cloud provider’s responsibility?
A) Patching the guest operating system inside a VM
B) Securing the physical data center facilities
C) Managing application-level secrets in code repositories
D) Configuring network policies for pods
Answer: B
Explanation: Cloud providers secure the physical infrastructure (hardware, power, cooling).
Customers are responsible for OS, applications, and Kubernetes configurations.
**Question 3**
Which IAM principle helps limit the blast radius when a credential is compromised in a cloud
environment?
A) Least privilege
B) Role escalation
C) Single sign-on
D) Credential rotation
Answer: A
Explanation: Least privilege ensures a credential only has the permissions necessary for its purpose,
reducing the impact of a compromise.
**Question 4**

What Kubernetes object provides logical isolation of resources within a single cluster?
A) Node
B) Namespace
C) ServiceAccount
D) PersistentVolumeClaim
Answer: B
Explanation: Namespaces partition a cluster into virtual clusters, isolating resources, RBAC, and network policies.
**Question 5**
Which runtime sandboxing technology runs each pod in a lightweight virtual machine rather than a Linux namespace?
A) gVisor
B) Docker
C) Kata Containers
D) cri-o
Answer: C
Explanation: Kata Containers use lightweight VMs to provide stronger isolation than standard namespace-based containers.
**Question 6**
When scanning container images for vulnerabilities, which layer should be inspected first for known CVEs?
A) Application code layer
B) Base operating-system layer
C) Runtime layer (e.g., Dockerfile CMD)
D) Metadata labels
Answer: B
Explanation: The base OS layer contains many system libraries and packages that are common sources of CVEs.
**Question 7**

B) By storing etcd on an NFS share
C) By encrypting the etcd datastore with a secret key
D) By running etcd in privileged mode
Answer: C
Explanation: etcd supports encryption of its data files using a secret key, protecting data at rest.
**Question 11**
Which Kubernetes feature can restrict anonymous access to the kubelet API?
A) Admission Controllers
B) kubelet authentication with client certificates
C) Pod Security Policies
D) ServiceAccounts
Answer: B
Explanation: Configuring the kubelet to require client certificates prevents unauthenticated access.
**Question 12**
In a typical CNI plugin, which component enforces network isolation between pods?
A) kube-proxy
B) iptables / eBPF rules applied by the CNI plugin
C) kubelet
D) etcd
Answer: B
Explanation: CNI plugins program iptables/eBPF rules to implement pod-to-pod isolation.
**Question 13**
Which Kubernetes object is used to define persistent storage that survives pod restarts?
A) ConfigMap
B) PersistentVolume (PV)
C) Service
D) DaemonSet

Answer: B
Explanation: PVs represent storage resources that remain independent of pod lifecycles.
**Question 14**
When configuring RBAC, which resource grants permissions to a set of users or groups?
A) RoleBinding
B) ServiceAccount
C) NetworkPolicy
D) PodSecurityPolicy
Answer: A
Explanation: RoleBinding (or ClusterRoleBinding) attaches a Role/ClusterRole to subjects (users, groups, ServiceAccounts).
**Question 15**
Which admission controller validates that incoming pod specifications conform to a predefined policy?
A) NamespaceLifecycle
B) NodeRestriction
C) ValidatingAdmissionWebhook
D) ServiceAccount
Answer: C
Explanation: ValidatingAdmissionWebhook can reject or accept requests based on custom validation logic.
**Question 16**
Pod Security Standards (PSS) define three levels of security. Which level permits the use of privileged containers?
A) Restricted
B) Baseline
C) Privileged
D) Standard
Answer: C

**Question 20**
ResourceQuotas in a namespace help mitigate which type of attack?
A) Man-in-the-middle (MITM)
B) Credential stuffing
C) Denial-of-Service (DoS) via resource exhaustion
D) Supply-chain tampering
Answer: C
Explanation: Quotas limit CPU, memory, and other resources, preventing a single tenant from exhausting cluster capacity.
**Question 21**
Which tool can be used to sign and verify container images as part of a supply-chain security strategy?
A) Helm
B) Cosign
C) Kustomize
D) Prometheus
Answer: B
Explanation: Cosign provides cryptographic signing and verification of OCI images.
**Question 22**
A Software Bill of Materials (SBOM) primarily helps with:
A) Runtime performance tuning
B) Tracking all components and dependencies inside an artifact
C) Automating pod scaling
D) Managing TLS certificates
Answer: B
Explanation: An SBOM lists every library, binary, and dependency, aiding vulnerability tracking.
**Question 23**

Falco is an example of a runtime security tool that works by:
A) Scanning container images before they are deployed
B) Detecting anomalous system calls on the host and containers
C) Encrypting traffic between services automatically
D) Managing Kubernetes secrets lifecycle
Answer: B
Explanation: Falco monitors syscalls to identify suspicious activity in real time.
**Question 24**
Mutual TLS (mTLS) in a service mesh primarily provides which security benefit?
A) Automatic secret rotation for Pods
B) End-to-end encryption and strong identity verification between services
C) NetworkPolicy enforcement at the node level
D) Prevention of container image reuse
Answer: B
Explanation: mTLS ensures both client and server authenticate each other and encrypt traffic.
**Question 25**
Which component of the Kubernetes control plane issues TLS certificates for internal communication?
A) kube-apiserver
B) kube-controller-manager
C) kube-scheduler
D) kubeadm (or the built-in Certificate Authority)
Answer: D
Explanation: kubeadm or the embedded CA creates and signs certificates for cluster components.
**Question 26**
The CIS Benchmark for Kubernetes recommends which of the following for the kube-apiserver?
A) Run it as a privileged container
B) Disable anonymous authentication

D) PersistentVolumeClaim
Answer: B
Explanation: Kyverno registers a MutatingAdmissionWebhook to modify pod specs, such as adding sidecars.
**Question 30**
When configuring a ServiceAccount for a pod, which file inside the container holds the token used for API authentication?
A) /var/run/secrets/kubernetes.io/serviceaccount/token
B) /etc/kubernetes/pki/ca.crt
C) /opt/app/config.yaml
D) /var/log/kubelet.log
Answer: A
Explanation: The token is mounted at that path by default for the pod’s ServiceAccount.
**Question 31**
Which of the following is NOT a recommended practice for securing the kube-proxy component?
A) Running it in IPVS mode for better performance
B) Enabling strict firewall rules to limit its host-network access
C) Running kube-proxy with elevated privileges (CAP_SYS_ADMIN)
D) Using TLS for health-check endpoints
Answer: C
Explanation: Granting excessive capabilities increases the attack surface; kube-proxy should run with minimal privileges.
**Question 32**
What does the “NodeRestriction” admission controller protect?
A) Prevents pods from being scheduled on unschedulable nodes
B) Restricts kubelet’s ability to modify node objects that it does not own
C) Enforces network policies at node level
D) Limits the number of nodes a user can create

Answer: B
Explanation: NodeRestriction ensures a kubelet can only modify its own Node object and associated Pod objects.
**Question 33**
Which of the following is a key difference between a ClusterRole and a Role?
A) ClusterRoles can be bound only to ServiceAccounts
B) Roles are namespace-scoped, while ClusterRoles are cluster-wide
C) ClusterRoles cannot contain resource names
D) Roles support only read-only verbs
Answer: B
Explanation: Roles apply within a single namespace; ClusterRoles apply across the entire cluster.
**Question 34**
A pod is configured with securityContext.runAsUser: 0. Which security risk does this introduce?
A) The pod will be unable to access any volume mounts
B) The container runs as root, increasing privilege-escalation risk
C) The pod will be scheduled on a node with taints only
D) The pod will be denied network access by default
Answer: B
Explanation: UID 0 is the root user; running containers as root expands the potential impact of a compromise.
**Question 35**
Which Kubernetes feature enables automatic rotation of ServiceAccount tokens?
A) TokenRequest API
B) kubelet certificate rotation flag
C) SecretProviderClass
D) ImagePullSecrets
Answer: A
Explanation: The TokenRequest API issues short-lived tokens, reducing the risk of token reuse.

**Question 39**
What is the main purpose of the kube-scheduler component?
A) Persist cluster state to etcd
B) Assign newly created pods to appropriate nodes based on constraints and resource availability
C) Validate incoming API requests for syntax errors
D) Manage network load balancing for services
Answer: B
Explanation: The scheduler matches pods to nodes, considering affinity, taints, and resource requests.
**Question 40**
Which of the following best describes a “Zero Trust” network model within a Kubernetes cluster?
A) All traffic inside the cluster is allowed by default
B) Every connection is authenticated and authorized, regardless of source
C) Only external traffic is inspected; internal traffic is trusted implicitly
D) Pods can communicate freely if they share the same namespace
Answer: B
Explanation: Zero Trust assumes no implicit trust; each request must be verified.
**Question 41**
If an attacker gains access to a pod’s ServiceAccount token, which Kubernetes resource is most likely to be abused?
A) PersistentVolumeClaims
B) API server resources via kubectl commands
C) Node hardware specifications
D) Container image registries
Answer: B
Explanation: The token authenticates to the API server, allowing the attacker to issue API calls.
**Question 42**
Which of the following is an effective way to limit the impact of a compromised container image?

A) Running the container as the root user
B) Enabling read-only root filesystem in the pod security context
C) Disabling all network policies for the namespace
D) Allowing privileged escalation in the pod spec
Answer: B
Explanation: A read-only root filesystem prevents the container from writing to its base image, limiting tampering.
**Question 43**
What does the etcdctl snapshot save command accomplish?
A) Creates a backup of the etcd key-value store for disaster recovery
B) Generates a new encryption key for etcd data at rest
C) Performs a live migration of etcd to a new node
D) Clears all stored secrets from etcd
Answer: A
Explanation: snapshot save writes a point-in-time backup of the etcd database to a file.
**Question 44**
Which Kubernetes feature can be used to enforce that pods cannot run as privileged?
A) PodSecurityAdmission with restricted level
B) ServiceAccount with no token
C) NodeSelector set to no-privileged
D) Deployment replica count set to zero
Answer: A
Explanation: The restricted PSA level disallows privileged containers, among other security settings.
**Question 45**
When using Istio, which component issues and rotates mTLS certificates for workloads?
A) Pilot
B) Mixer
C) Citadel (or Istiod)

Answer: B
Explanation: ResourceQuota can set a cap on pod count, among other resources.
**Question 49**
In the context of Kubernetes, what does “image provenance” refer to?
A) The geographic location where the image was built
B) The documented origin, creation process, and signatures of a container image
C) The size of the image in megabytes
D) The number of layers in the image
Answer: B
Explanation: Provenance tracks who built the image and how, and includes cryptographic signatures for verification.
**Question 50**
Which of the following is a recommended practice for managing TLS certificates in a Kubernetes cluster?
A) Store private keys directly in ConfigMaps
B) Use the built-in Kubernetes Certificate Authority to issue short-lived certificates for components
C) Disable TLS for intra-cluster communication to reduce overhead
D) Share the same certificate across all namespaces
Answer: B
Explanation: The Kubernetes CA can issue and rotate short-lived certs, reducing the risk of compromised long-term keys.
**Question 51**
Which of the following best describes the purpose of kubectl auth can-i?
A) Checks if the current user can perform a specific verb on a resource, helping verify RBAC permissions
B) Generates a new ServiceAccount token
C) Lists all pods in a namespace
D) Applies a network policy to a namespace
Answer: A

Explanation: auth can-i evaluates the RBAC rules for the caller.
**Question 52**
What is the effect of setting readOnlyRootFilesystem: true in a pod’s security context?
A) The container’s root filesystem is mounted as read-only, preventing writes to the image layers
B) The container can only read environment variables
C) The container is forced to run as a non-root user
D) The container cannot access any ConfigMaps
Answer: A
Explanation: This flag makes the root file system immutable, limiting tampering.
**Question 53**
Which of the following is a primary advantage of using eBPF-based CNI plugins (e.g., Cilium) over iptables-based plugins?
A) They require no kernel support
B) They provide fine-grained, high-performance network security policies with identity-aware filtering
C) They automatically encrypt all traffic without configuration
D) They eliminate the need for Service objects
Answer: B
Explanation: eBPF enables efficient, identity-based policies and low-latency packet processing.
**Question 54**
Which of the following Kubernetes objects is used to enforce a maximum amount of CPU a pod can consume?
A) HorizontalPodAutoscaler
B) LimitRange
C) PodDisruptionBudget
D) ServiceAccount
Answer: B
Explanation: LimitRange can set default and maximum CPU/memory requests and limits for pods.

In a Kubernetes cluster running on AWS, which IAM role is typically used by the kube-controller-manager to interact with AWS APIs?
A) NodeInstanceRole
B) ClusterAutoscalerRole
C) ControllerManagerRole
D) EKS-Cluster-Role
Answer: D
Explanation: EKS creates a cluster role that grants the controller manager the necessary permissions (e.g., ELB, EBS).
**Question 59**
Which of the following is the most appropriate way to store a TLS private key for an Ingress controller?
A) As a plain-text file inside a ConfigMap
B) In a Kubernetes Secret of type tls and referenced by the Ingress resource
C) Directly in the pod spec’s env section
D) In the node’s /etc/ssl directory without encryption
Answer: B
Explanation: tls Secrets store the key and certificate base64-encoded and are accessed securely by the Ingress controller.
**Question 60**
What is the primary security benefit of using “immutable” container images?
A) They cannot be pulled from a registry
B) They cannot be altered after being built, preventing post-build tampering
C) They automatically delete themselves after use
D) They enforce read-only networking rules
Answer: B
Explanation: Immutable images ensure the same binary is run everywhere, reducing the risk of hidden changes.
**Question 61**

Which of the following best describes a “Sidecar” pattern in Kubernetes?
A) Running a second container in the same pod to provide auxiliary functionality (e.g., logging, proxy)
B) Deploying a pod on a separate node for high availability
C) Using a DaemonSet to expose host ports
D) Creating a Service that routes traffic to multiple backends
Answer: A
Explanation: The sidecar container shares the pod’s network and storage, augmenting the main container.
**Question 62**
Which of the following options is a common way to rotate etcd encryption keys without downtime?
A) Delete the etcd pod and restart it
B) Use etcdctl rotate-encryption-key and then restart the API server to pick up the new key
C) Change the --etcd-cafile flag on the kubelet
D) Disable encryption entirely and re-enable it later
Answer: B
Explanation: The rotate command generates a new key and re-encrypts data; the API server must be restarted to use the new key.
**Question 63**
What does the PodDisruptionBudget (PDB) object protect against?
A) Unauthorized pod creation
B) Excessive CPU usage by pods
C) Voluntary disruptions (e.g., node drain) that could reduce the number of available pods below a defined threshold
D) Network packet loss
Answer: C
Explanation: PDB ensures a minimum number of pods remain available during maintenance.
**Question 64**
Which of the following is a recommended practice for limiting the attack surface of the kubelet’s HTTP endpoint?