KCSA Kubernetes and Cloud Native Security Associate (KCSA) Questions and Answers

TheKubernetes Schedulerassigns Pods to nodes based on:

Resource requests & availability (CPU, memory, GPU, etc.)

Constraints (affinity, taints, tolerations, topology, policies)

Exact extract (Kubernetes Docs – Scheduler):

“The scheduler is a control plane process that assigns Pods to Nodes. Scheduling decisions take into account resource requirements, affinity/anti-affinity, constraints, and policies.”

Other options clarified:

A: Monitoring cluster health is theController Manager’s/kubelet’s job.

B: Security is enforced throughRBAC, admission controllers, PSP/PSA, not the scheduler.

C: Deployment scaling is handled by theController Manager(Deployment/ReplicaSet controller).

ConfigMaps are explicitly not for confidential data.

Exact extract (ConfigMap concept):“A ConfigMap is an API object used to store non-confidential data in key-value pairs.”

Exact extract (ConfigMap concept):“ConfigMaps are not intended to hold confidential data. Use a Secret for confidential data.”

Why this is risky:data placed into a ConfigMap is stored as regular (plaintext) string values in the API and etcd (unless you deliberately use binaryData for base64 content you supply). That means if someone has read access to the namespace or to etcd/APIServer storage, they can view the values.

Secrets vs ConfigMaps (to clarify distractor D):

Exact extract (Secret concept):“By default, secret data is stored as unencrypted base64-encoded strings.You canenable encryption at restto protect Secrets stored in etcd.”

This base64 behavior applies toSecrets, not to ConfigMap data. Thus optionDis incorrect for ConfigMaps.

About RBAC (to clarify distractor A):Kubernetesdoessupport fine-grained RBAC forbothConfigMaps and Secrets; the issue isn’t lack of RBAC but that ConfigMaps arenotdesigned for confidential material.

About compatibility (to clarify distractor C):Using ConfigMaps for secrets doesn’t make apps “incompatible”; it’s simplyinsecureand against guidance.

Kubernetes supports workload-specific runtimes viaRuntimeClass.

Amutating admission controllercan enforce this automatically by:

Intercepting workload creation requests.

Modifying the Pod spec to set runtimeClassName based on labels or policies.

Incorrect options:

(A) Manual modification is not scalable or secure.

(B) kube-apiserver cannot enforce per-application runtime policies.

(C) A validating webhook can onlyreject, not modify, the runtime.

gVisor:

Google-developed, implemented as auser-space kernelthat intercepts and emulates syscalls made by containers.

Providesstrong isolationwithout requiring a full VM.

Official docs: “gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface.”

Source: https://gvisor.dev/docs/

Firecracker:

AWS-developed,lightweight virtualization technologybuilt on KVM, used in AWS Lambda and Fargate.

Optimized for running secure, multi-tenant microVMs (MicroVMs) for containers and FaaS.

Official docs: “Firecracker is an open-source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.”

Source: https://firecracker-microvm.github.io/

Key difference:gVisor → syscall interception in userspace kernel (container isolation). Firecracker → lightweight virtualization with microVMs (multi-tenant security).

Therefore, optionAis correct.

Inhigh-availability clusters, multiple API server instances run behind a load balancer.

Thisdistributes client requests across multiple API servers, preventing a single API server from being overwhelmed.

Exact extract (Kubernetes Docs – High Availability Clusters):

“A highly available control plane runs multiple instances of kube-apiserver, typically fronted by a load balancer, so that if one instance fails or is overloaded, others continue serving requests.”

Other options clarified:

A: Network segmentation does not directly mitigate API server DoS.

C: Adding resources helps, but doesn’t solve single-point-of-failure.

D: Rate limiting is a valid mitigation but not provided by HA alone.

kube-controller-managerruns a set of controllers that regulate the cluster’s state.

Exact extract (Kubernetes Docs):“The kube-controller-manager runs controllers that are core to Kubernetes. Examples of controllers are: Node controller, Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller.”

Why D is correct:All listed are actual controllers within kube-controller-manager.

Why others are wrong:

A:Job and CronJob controllers are managed by kube-controller-manager, but DaemonSet controller is managed by the kube-scheduler/deployment logic.

B:Pod, Service, Ingress controllers are not part of kube-controller-manager.

C:ConfigMap and Secret do not have dedicated controllers.

Kubernetes stores Secret data asbase64-encoded stringsin etcd by default.

Base64 is not encryption— it is a simple encoding scheme that merelyobfuscatesdata for transport and storage. Anyone with read access to etcd or the Secret manifest can easily decode the value back to plaintext.

For actual protection, Kubernetes supportsencryption at rest(via encryption providers) and external Secret management (Vault, KMS, etc.).

Service Mesh (e.g., Istio, Linkerd, Consul):operates atLayer 7 (application layer), enforcing policies like mTLS, authorization, and routing between services.

NetworkPolicy:works atLayer 3/4 (IP/port), not Layer 7.

Ingress Controller:handles external traffic ingress, not internal service-to-service traffic.

Container Runtime:responsible for running containers, not enforcing application-layer security.

Exact extract (Istio docs):

“Istio provides security by enforcing authentication, authorization, and encryption of service-to-service communication.”

RBAC in Kubernetesis coarse-grained: it controlsverbs(get, update, patch, delete) onresources(e.g., deployments), butnot individual fieldswithin a resource.

There isno /image subresource for deployments(there is one for pods but only for ephemeral containers).

Therefore,RBAC cannot restrict changes only to the image field.

Admission Webhooks(mutating/validating)canenforce fine-grained policies (e.g., deny updates that change anything other than spec.containers[*].image).

Exact extract (Kubernetes Docs – Admission Webhooks):

“Admission webhooks can be used to enforce custom policies on objects being admitted.”

Access control (RBAC, least privilege, user restrictions)is abaseline container security best practice.

Exact extract (Kubernetes Pod Security Standards – Baseline):

“The baseline profile is designed to prevent known privilege escalations. It prohibits running privileged containers or containers as root.”

Other options clarified:

B: Static IPs not a security measure.

C: Persistent storage is functionality, not security.

D: Running as root is explicitlyinsecure.

Pod Security Standards (PSS):

Kubernetes providesPod Security Admission (PSA)to enforce security controls based on policies.

Official extract: “Pod Security Standards define different isolation levels for Pods. The standards focus on restricting what Pods can do and what they can access.”

The three standard profiles are:

Privileged: unrestricted (not recommended).

Baseline: minimal restrictions.

Restricted: highly restricted, enforcing least privilege.

Why option C is correct:

Applying Pod Security Standards in YAML ensures Pods adhere tobest practiceslike:

No root user.

Restricted host access.

No privilege escalation.

Seccomp/AppArmor profiles.

This directly minimizes security risks.

Why others are wrong:

A:Sharing sensitive data increases risk of exposure.

B:Running with elevated privileges contradicts least privilege principle.

D:Random Pod names donotcontribute to security.

kube-proxy:manages cluster network routing rules (via iptables or IPVS). It enables Pods to communicate with Services and Pods across nodes.

If kube-proxy fails (CrashLoopBackOff), service IP routing and cluster-wide pod-to-pod networking breaks. Local Pod-to-Pod communication within the same node may still work, butcross-node communication fails.

Exact extract (Kubernetes Docs – kube-proxy):

“kube-proxy maintains network rules on nodes. These rules allow network communication to Pods from network sessions inside or outside of the cluster.”

hostPID:When enabled, the container shares the host’s process namespace → container can see and potentially interact with host processes.

SYS_PTRACE capability:Grants the container the ability to trace, inspect, and modify other processes (e.g., via ptrace).

Combination of hostPID + SYS_PTRACE allows a container toattach to and modify host processes, which is a direct privilege escalation.

Other options explained:

hostPath + AUDIT_WRITE:hostPath exposes filesystem paths but does not inherently allow process modification.

hostNetwork + NET_RAW:grants raw socket access but only for networking, not host process modification.

A:Incorrect — such combinationsdo exist(like B).

Kubernetes originally had a feature calledPodSecurityPolicy (PSP), which provided controls to restrict pod behavior.

Official docs:

“PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25.”

“Pod Security Standards (PSS) replace PodSecurityPolicy (PSP) with a simpler, policy-driven approach.”

PSP was often complex and hard to manage, so it was replaced by Pod Security Admission (PSA) which enforcesPod Security Standards.

Inmanaged Kubernetes services(EKS, GKE, AKS), the control plane is operated by thecloud provider.

This includesetcd, API server, controller manager, scheduler.

Users manageworker nodes(in some models) and workloads, but not the control plane.

Exact extract (GKE Docs):

“The control plane, including the API server and etcd database, is managed and maintained by Google.”

Similarly forEKSandAKS, etcd is fully managed by the provider.