KCSA Kubernetes and Cloud Native Security Associate (KCSA) Questions and Answers

Setting privileged: true grants a container elevated access to the host node , including access to host devices, kernel capabilities, and the ability to modify the host.

However, Secrets in Kubernetes are not automatically exposed to privileged containers. Secrets are mounted into Pods only if explicitly referenced.

Thus, being privileged does not grant additional access to Kubernetes Secrets compared to a non-privileged Pod.

The risk lies in node compromise: if a privileged container can take over the node, it could then indirectly gain access to Secrets (e.g., by reading kubelet credentials).

The Kubernetes Scheduler assigns Pods to nodes based on:

Resource requests & availability (CPU, memory, GPU, etc.)

Constraints (affinity, taints, tolerations, topology, policies)

Exact extract (Kubernetes Docs – Scheduler):

“ The scheduler is a control plane process that assigns Pods to Nodes. Scheduling decisions take into account resource requirements, affinity/anti-affinity, constraints, and policies. ”

Other options clarified:

A: Monitoring cluster health is the Controller Manager’s /kubelet’s job.

B: Security is enforced through RBAC, admission controllers, PSP/PSA , not the scheduler.

C: Deployment scaling is handled by the Controller Manager (Deployment/ReplicaSet controller).

Kubernetes Pod Security Admission (PSA) enforces Pod Security Standards by applying labels on Namespaces.

Exact extract (Kubernetes Docs – Pod Security Admission):

“ You can label a namespace with pod-security.kubernetes.io/enforce: baseline to enforce the Baseline policy. ”

The baseline profile explicitly disallows privileged pods and other unsafe features.

Why others are wrong:

A & D: These labels do not exist in Kubernetes.

B: Setting privileged: true would allow privileged pods, not block them.

Container breakout refers to an attacker escaping container isolation and reaching the host OS .

Once the host is compromised, the attacker can access other containers, Kubernetes nodes, or escalate further .

Exact extract (Kubernetes Security Docs):

“ If an attacker gains access to a container, they may attempt a container breakout to gain access to the host system. ”

Other options clarified:

A: Network access inside a Pod ≠ breakout.

B: Resource exhaustion is a DoS , not a breakout.

C: Cloud infrastructure compromise is possible after host compromise, but not the definition of breakout.

Container image signing (e.g., with cosign , Notary v2) uses asymmetric cryptography.

Verification process:

Retrieve the image’s digital signature .

Validate the signature with the public key of the signer.

Exact extract (Sigstore Cosign Docs):

“ Verification of an image requires the signature and the signer’s public key. The signature proves authenticity and integrity. ”

Why others are wrong:

A & B: The private key is only used by the signer, never shared.

C: The hash alone cannot prove authenticity without the digital signature.

Grafana: An open-source analytics and visualization platform widely used with Prometheus, Loki, etc.

Exact extract (Grafana Docs): “ Grafana is the open-source analytics and monitoring solution for every database. It allows you to query, visualize, alert on, and understand your metrics no matter where they are stored. ”

A is wrong: That describes Jaeger (distributed tracing).

B is wrong: That’s Kubernetes itself.

D is wrong: That’s Trivy/Aqua/Prisma type tools.

etcd is Kubernetes’ key-value store for cluster state .

Stores: ConfigMaps, Secrets, Pod definitions, Deployments, RBAC policies, and metadata.

Exact extract (Kubernetes Docs – etcd):

“ etcd is a consistent and highly-available key-value store used as Kubernetes’ backing store for all cluster data. ”

Clarifications:

B: Logs/metrics are handled by logging/monitoring solutions, not etcd.

C: Secrets may be stored here but encoded in base64, not specifically "usernames/passwords" as primary use.

D: Persistent Volumes are external storage, not stored in etcd.

The PodSecurity admission controller (built-in as of Kubernetes v1.23+) enforces the Pod Security Standards (Privileged, Baseline, Restricted).

Enforcement is namespace-scoped and configured through namespace labels .

Incorrect options:

(A) Kyverno/OPA are external policy tools (useful but not required).

(C) Not true, PodSecurity admission provides native enforcement.

(D) Enforcement requires explicit configuration, not automatic.

Pod Security Admission (PSA) enforces policies by applying labels on namespaces , not globally across the cluster.

Exact extract (Kubernetes Docs – Pod Security Admission):

“ You can apply Pod Security Standards to namespaces by adding labels such as pod-security.kubernetes.io/enforce. Different namespaces can enforce different policies. ”

Clarifications:

A: Incorrect, namespaces are the unit of enforcement.

C: Misleading — a namespace can have multiple enforcement modes (enforce, audit, warn).

D: Default namespace does not enforce strict policies unless labeled.

Audit logging records API server requests and responses for security monitoring.

The RequestResponse level logs the full request and response bodies, which can:

Significantly increase storage and performance overhead .

Potentially log sensitive data (including Secrets).

Therefore, while comprehensive, it introduces risks of performance degradation and excessive log volume.

ConfigMaps are explicitly not for confidential data.

Exact extract (ConfigMap concept): “ A ConfigMap is an API object used to store non-confidential data in key-value pairs. ”

Exact extract (ConfigMap concept): “ ConfigMaps are not intended to hold confidential data. Use a Secret for confidential data. ”

Why this is risky: data placed into a ConfigMap is stored as regular (plaintext) string values in the API and etcd (unless you deliberately use binaryData for base64 content you supply). That means if someone has read access to the namespace or to etcd/APIServer storage, they can view the values.

Secrets vs ConfigMaps (to clarify distractor D):

Exact extract (Secret concept): “ By default, secret data is stored as unencrypted base64-encoded strings. You can enable encryption at rest to protect Secrets stored in etcd.”

This base64 behavior applies to Secrets , not to ConfigMap data. Thus option D is incorrect for ConfigMaps.

About RBAC (to clarify distractor A): Kubernetes does support fine-grained RBAC for both ConfigMaps and Secrets; the issue isn’t lack of RBAC but that ConfigMaps are not designed for confidential material.

About compatibility (to clarify distractor C): Using ConfigMaps for secrets doesn’t make apps “incompatible”; it’s simply insecure and against guidance.

In STRIDE, Tampering is the threat category for unauthorized modification of data or code/artifacts . A trojanized container image is, by definition, an attacker’s modification of the build output (the image) after compromising the CI/build system—i.e., tampering with the artifact in the software supply chain.

Why not the others?

Spoofing is about identity/authentication (e.g., pretending to be someone/something).

Repudiation is about denying having performed an action without sufficient audit evidence.

Denial of Service targets availability (exhausting resources or making a service unavailable). The scenario explicitly focuses on an altered image resulting from a compromised build server—this squarely maps to Tampering .

Authoritative references (for verification and deeper reading):

Kubernetes (official docs) – Supply Chain Security (discusses risks such as compromised CI/CD pipelines leading to modified/poisoned images and emphasizes verifying image integrity/signatures).

Kubernetes Docs ➜ Security ➜ Supply chain security and Securing a cluster (sections on image provenance, signing, and verifying artifacts).

CNCF TAG Security – Cloud Native Security Whitepaper (v2) – Threat modeling in cloud-native and software supply chain risks; describes attackers modifying build outputs (images/artifacts) via CI/CD compromise as a form of tampering and prescribes controls (signing, provenance, policy).

CNCF TAG Security – Software Supply Chain Security Best Practices – Explicitly covers CI/CD compromise leading to maliciously modified images and recommends SLSA, provenance attestation, and signature verification (policy enforcement via admission controls).

Microsoft STRIDE (canonical reference) – Defines Tampering as modifying data or code , which directly fits a trojanized image produced by a compromised build system.

The kubelet is the primary agent that runs on each node in a Kubernetes cluster and communicates with the control plane.

Kubelet supports TLS (Transport Layer Security) for both authentication and encryption when interacting with the API server. This is a core security feature that ensures secure node-to-control-plane communication.

Incorrect options:

(A) Kubelet does not run as a privileged container by default; it runs as a system process (typically systemd-managed) on the host.

(B) Kubelet does include built-in security features such as TLS authentication, authorization modes, and read-only vs secured ports .

(D) While kubelet interacts with the host system (e.g., cgroups, container runtimes), it does not inherently require root access for communication security; RBAC and TLS handle authentication.

The kubectl client uses configuration from $HOME/.kube/config by default.

This file contains: cluster API server endpoint, user certificates, tokens, or kubeconfigs → sensitive credentials .

Exact extract (Kubernetes Docs – Configure Access to Clusters):

“ By default, kubectl looks for a file named config in the $HOME/.kube directory. This file contains configuration information including user credentials. ”

Other options clarified:

A: /etc/kubernetes/ exists on nodes (control plane) not client machines.

C: /opt/kubernetes/secrets/ is not a standard path.

D: $HOME/.config/kubernetes/ is not where kubeconfig is stored by default.

Kubernetes supports multiple container runtimes on a node via the RuntimeClass resource.

To select a runtime, you specify the runtimeClassName field in the Pod’s YAML manifest . Example:

apiVersion: v1

kind: Pod

metadata:

name: example

spec:

runtimeClassName: gvisor

containers:

- name: app

image: nginx

Incorrect options:

(A) You cannot specify container runtime through a kubectl command-line flag.

(B) Modifying the Docker daemon config does not direct Kubernetes Pods to a runtime.

(C) Environment variables inside a Pod spec do not control container runtimes.