A set of questions and answers designed to help individuals prepare for the Kubernetes and Cloud Native Security Associate exam. It covers key concepts and best practices related to Kubernetes security, including Pod Security Standards, network policies, RBAC, and more. The questions are structured to test understanding of core components and security measures within Kubernetes environments, making it a valuable resource for exam preparation and knowledge reinforcement. This resource is useful for students and professionals seeking to validate their expertise in cloud native security.
Typology: Exams
Question 1. Which of the following is NOT one of the 4Cs of Cloud Native Security?
A) Code
B) Cluster
C) Compliance
D) Cloud
Answer: C
Explanation: The 4Cs are Code, Container, Cluster, and Cloud. Compliance is not one of the 4Cs.

Question 2. What is the main purpose of Pod Security Standards in Kubernetes?
A) To provide logging for pods
B) To define levels of isolation and restrictions for pods
C) To enforce network policies
D) To manage persistent storage
Answer: B
Explanation: Pod Security Standards define levels of security controls for pods, such as Privileged, Baseline, and Restricted.

Question 3. Which Kubernetes component stores all cluster data and state?
A) Kubelet
B) Etcd
C) Controller Manager
D) Scheduler
Answer: B
Explanation: Etcd is the distributed key-value store used to store all cluster data and state in Kubernetes.

Question 4. Which of the following frameworks provides security benchmarks specifically for Kubernetes?
A) ISO 27001
B) CIS
Answer: B
Explanation: The Center for Internet Security (CIS) provides security benchmarks specifically for Kubernetes.

Question 5. What is the primary function of Kubernetes namespaces?
A) To enforce pod security policies
B) To isolate resources within the same cluster
C) To provide persistent storage
D) To control ingress traffic
Answer: B
Explanation: Namespaces are used to logically separate and isolate resources within a Kubernetes cluster.

Question 6. Which cloud provider service is responsible for managing Kubernetes clusters in GCP?
A) EKS
B) AKS
C) GKE
D) OpenShift
Answer: C
Explanation: Google Kubernetes Engine (GKE) is the managed Kubernetes service in Google Cloud Platform.

Question 7. What is the recommended way to store sensitive information like passwords in Kubernetes?
A) ConfigMap
B) Pod annotations
C) Kubernetes Secret
D) Environment variables
Answer: C

B) A set of permissions within a namespace
C) The node type
D) The cluster version
Answer: B
Explanation: Roles define sets of permissions to resources within a namespace.

Question 12. What does the Kubernetes API Server do?
A) Schedules pods
B) Stores cluster state
C) Serves as the main entry point for all REST commands
D) Manages container runtimes
Answer: C
Explanation: The API Server is the central management entity that handles REST requests.

Question 13. Which of the following is a best practice for securing container images?
A) Use the latest tag for all images
B) Scan images for vulnerabilities before deployment
C) Allow root access in all images
D) Disable image caching
Answer: B
Explanation: Scanning images for vulnerabilities before deployment is a key security best practice.

Question 14. What is the default behavior of Kubernetes regarding pod-to-pod communication?
A) All traffic is blocked
B) Only same namespace traffic is allowed
C) All traffic is allowed
D) Only ingress traffic is allowed
Answer: C
Explanation: By default, all pods can communicate with each other unless restricted by Network Policies.

Question 15. Which resource is used to enforce limits on CPU and memory usage in a namespace?
A) ResourceQuota
B) LimitRange
C) PodSecurityPolicy
D) NetworkPolicy
Answer: A
Explanation: ResourceQuota enforces limits on resource consumption within a namespace.

Question 16. What is the primary role of the kubelet?
A) Schedule pods on nodes
B) Manage container runtime on each node
C) Act as a cluster DNS
D) Store secrets
Answer: B
Explanation: The kubelet runs on each node and is responsible for managing containers.

Question 17. What should be avoided in application code to reduce security risks in cloud native environments?
A) Using open-source libraries
B) Hardcoding secrets
C) Logging errors
D) Using environment variables
Answer: B
Explanation: Hardcoding secrets in code is a security risk and should be avoided.

Question 18. Which Kubernetes object is designed for storing non-sensitive configuration data?
A) Service
B) ConfigMap

Question 22. Which command is used to access a Kubernetes cluster using a kubeconfig file?
A) kubectl connect
B) kubectl run
C) kubectl get
D) kubectl
Answer: D
Explanation: The kubectl command uses the kubeconfig file to access the cluster.

Question 23. Which of the following is a recommended practice for managing Kubernetes Secrets?
A) Store as plain text files
B) Use encryption at rest
C) Share secrets openly across namespaces
D) Use ConfigMaps instead
Answer: B
Explanation: Encrypting secrets at rest enhances their security.

Question 24. What is the function of the Kubernetes Controller Manager?
A) Manages container runtimes
B) Watches cluster state and makes changes to match desired state
C) Handles user authentication
D) Controls ingress network traffic
Answer: B
Explanation: The Controller Manager ensures the actual state matches the desired state.

Question 25. Which security control restricts which users or service accounts can perform actions on specific resources?
A) NetworkPolicy
B) RBAC
C) PodSecurityStandard
D) ResourceQuota
Answer: B
Explanation: RBAC (Role-Based Access Control) defines permissions for users and service accounts.

Question 26. Which Kubernetes resource manages access to external storage?
A) PersistentVolume
B) ConfigMap
C) ServiceAccount
D) Ingress
Answer: A
Explanation: PersistentVolume provides access to external storage resources.

Question 27. What is a common use of Kubernetes audit logs?
A) Auto-scaling
B) Intrusion detection and compliance
C) Upgrading clusters
D) Creating namespaces
Answer: B
Explanation: Audit logs are used to detect suspicious activity and meet compliance requirements.

Question 28. How can you restrict a service account’s access to Kubernetes resources?
A) NetworkPolicy
B) RBAC
C) PersistentVolumeClaim
D) StorageClass
Answer: B
Explanation: RBAC controls which actions service accounts can perform.

Question 29. Which of the following is NOT a best practice for securing Kubernetes workloads?

Explanation: NetworkPolicy objects control allowed network traffic to/from pods.

Question 33. What is a secure method to distribute secrets to applications running in Kubernetes?
A) Environment variables in deployment YAML
B) Mounting secrets as volumes
C) Storing secrets in application code
D) Using node labels
Answer: B
Explanation: Mounting secrets as volumes is a secure method for applications to access sensitive data.

Question 34. What is the primary function of the kube-proxy component?
A) Managing pod security
B) Enabling network communication to services
C) Scheduling pods
D) Managing persistent storage
Answer: B
Explanation: kube-proxy maintains network rules for service communication.

Question 35. Which of the following is a core principle of the “least privilege” security model?
A) Grant all users admin access
B) Give users only the permissions they need
C) Disable authentication
D) Share secrets across all users
Answer: B
Explanation: Least privilege means granting only necessary access to users or services.

Question 36. What is a potential risk of not regularly updating container images?
A) Increased storage usage
B) Exposure to known vulnerabilities
C) Faster deployments
D) Improved performance
Answer: B
Explanation: Outdated images may contain unpatched vulnerabilities.

Question 37. Which Kubernetes resource would you use to limit the number of resources a user can create?
A) LimitRange
B) ResourceQuota
C) PodDisruptionBudget
D) Secret
Answer: B
Explanation: ResourceQuota limits resource consumption and object creation within a namespace.

Question 38. Which of the following best describes the “defense in depth” approach?
A) Using a single security layer
B) Multiple overlapping security measures
C) Open access for all users
D) Relying solely on application security
Answer: B
Explanation: Defense in depth uses multiple security layers for comprehensive protection.

Question 39. What is the purpose of a ServiceAccount in Kubernetes?
A) Store configuration
B) Identify and authenticate pods
C) Define network policies
D) Manage storage classes
Answer: B
Explanation: ServiceAccounts provide identities for pods to interact with the API server.

B) Enforcing authentication and authorization
C) Scheduling pods
D) Managing persistent volumes
Answer: B
Explanation: The API Server is responsible for authenticating and authorizing all requests.

Question 44. Which of the following is a standard for securing communication over the network in Kubernetes?
A) SSH
B) TLS
C) Telnet
D) HTTP
Answer: B
Explanation: TLS (Transport Layer Security) ensures secure communication.

Question 45. What is the best way to limit a user’s ability to view Kubernetes Secrets?
A) Assign ClusterAdmin role
B) Use RBAC to limit access
C) Add user to all namespaces
D) Share secrets using ConfigMaps
Answer: B
Explanation: RBAC can be used to restrict users’ access to Secrets.

Question 46. Which Kubernetes resource enables you to automatically scan container images for vulnerabilities before deployment?
A) Admission Controller
B) ServiceAccount
C) LimitRange
D) PersistentVolume
Answer: A
Explanation: Admission Controllers can enforce policies like image scanning before accepting deployments.

Question 47. What does the term “blast radius” refer to in cloud native security?
A) The speed of deployments
B) The potential impact of a security breach
C) The number of containers running
D) The network bandwidth
Answer: B
Explanation: Blast radius is the scope of damage a security incident can cause.

Question 48. What is a key benefit of using namespaces for isolation in Kubernetes?
A) Ensures high availability
B) Enables logical separation of resources
C) Guarantees encryption
D) Automates updates
Answer: B
Explanation: Namespaces provide logical separation and isolation.

Question 49. Which Kubernetes object allows or denies traffic based on labels?
A) LimitRange
B) NetworkPolicy
C) PersistentVolumeClaim
D) ConfigMap
Answer: B
Explanation: NetworkPolicies use labels to select the pods to which traffic is allowed or denied.

Question 50. What should you do to protect data “in transit” in Kubernetes?

Answer: A
Explanation: Image signing and verification ensure that only trusted images are deployed.

Question 54. What does RBAC stand for?
A) Resource-Based Access Control
B) Role-Based Access Control
C) Resource Block Access Control
D) Role Blocked Access Control
Answer: B
Explanation: RBAC stands for Role-Based Access Control.

Question 55. Which Kubernetes resource can be used to log all requests made to the API server?
A) Pod
B) Deployment
C) Audit Policy
D) ConfigMap
Answer: C
Explanation: Audit Policies configure logging of API Server requests.

Question 56. What is the main security concern with using privileged containers?
A) They use more storage
B) They have unrestricted access to the host system
C) They are slower to start
D) They require more CPU
Answer: B
Explanation: Privileged containers can access host resources, increasing risk.

Question 57. Which standard is commonly used to benchmark Kubernetes security?
A) SOX
B) CIS Kubernetes Benchmark
C) GDPR
D) HIPAA
Answer: B
Explanation: The CIS Kubernetes Benchmark provides recommended security settings.

Question 58. Which Kubernetes feature enables secret rotation without restarting pods?
A) ConfigMap
B) Projected Volumes
C) PodDisruptionBudget
D) StatefulSet
Answer: B
Explanation: Projected volumes allow dynamic updates to Secrets without pod restarts.

Question 59. What is the default behavior for storage of Kubernetes Secrets?
A) Stored in etcd unencrypted
B) Stored in ConfigMaps
C) Encrypted by default
D) Stored on worker nodes
Answer: A
Explanation: By default, Secrets are stored unencrypted in etcd unless encryption is enabled.

Question 60. How can you minimize the attack surface of a container image?
A) Use minimal base images
B) Install all available packages
C) Run as root
D) Disable image scanning
Answer: A
Explanation: Minimal base images reduce unnecessary components and vulnerabilities.

C) Store secrets
D) Serve API requests
Answer: B
Explanation: CNI plugins manage network connectivity for containers.

Question 65. Which of the following is a requirement for encrypting Secrets at rest in Kubernetes?
A) Enable encryption configuration file for API Server
B) Store Secrets in ConfigMaps
C) Use the “latest” image tag
D) Run all containers as privileged
Answer: A
Explanation: An encryption configuration must be set up for the API Server.

Question 66. What is the benefit of using a private container registry?
A) Public access to images
B) Enhanced control and security for image distribution
C) Automatic scaling
D) Shared secrets
Answer: B
Explanation: Private registries restrict access and provide better image control.

Question 67. What is a purpose of Kubernetes Admission Controllers?
A) Provide persistent storage
B) Intercept API requests and enforce policies
C) Manage node networking
D) Schedule pods
Answer: B
Explanation: Admission Controllers enforce custom policies on API requests.

Question 68. What is a drawback of running all workloads in a single Kubernetes namespace?
A) Increased isolation
B) Increased risk of privilege escalation
C) Improved security
D) Faster deployments
Answer: B
Explanation: A single namespace increases the risk of privilege escalation and reduces isolation.

Question 69. Which of the following helps prevent container image tampering in a registry?
A) Image signing
B) Using “latest” tag
C) Disabling authentication
D) Using public registries
Answer: A
Explanation: Image signing verifies image authenticity and integrity.

Question 70. What is the attack surface in a Kubernetes environment?
A) The number of pods running
B) All points where an attacker can attempt access or compromise
C) The available CPU resources
D) The external load balancer
Answer: B
Explanation: The attack surface includes all points where an attacker can attempt entry or compromise.

Question 71. Which Kubernetes resource is commonly used for externalizing application configuration?
A) Secret
B) ConfigMap
C) ServiceAccount
D) PodDisruptionBudget