KCSA Sample Questions Answers

Inhigh-availability clusters, multiple API server instances run behind a load balancer.

Thisdistributes client requests across multiple API servers, preventing a single API server from being overwhelmed.

Exact extract (Kubernetes Docs – High Availability Clusters):

“A highly available control plane runs multiple instances of kube-apiserver, typically fronted by a load balancer, so that if one instance fails or is overloaded, others continue serving requests.”

Other options clarified:

A: Network segmentation does not directly mitigate API server DoS.

C: Adding resources helps, but doesn’t solve single-point-of-failure.

D: Rate limiting is a valid mitigation but not provided by HA alone.

Kubernetes supports workload-specific runtimes viaRuntimeClass.

Amutating admission controllercan enforce this automatically by:

Intercepting workload creation requests.

Modifying the Pod spec to set runtimeClassName based on labels or policies.

Incorrect options:

(A) Manual modification is not scalable or secure.

(B) kube-apiserver cannot enforce per-application runtime policies.

(C) A validating webhook can onlyreject, not modify, the runtime.

Egress NetworkPoliciesrestrict outbound traffic from Pods.

Without egress restrictions, a compromised Pod could exfiltrate sensitive data (secrets, logs, customer data) to an attacker-controlled server.

Exact extract (Kubernetes Docs – Network Policies):

“Egress rules control outbound connections from Pods. Without such restrictions, compromised workloads can connect freely to external endpoints.”

Other options clarified:

A: DoS is more about flooding, not egress absence.

C: “Increased attack surface” is vague but not the main risk.

D: True in a sense, but the precise and most common risk isdata exfiltration.

NetworkPolicycontrols network trafficat the Pod level.

Ingress rules:controlincomingconnections to Pods.

Egress rules:controloutgoingconnectionsfrom Pods.

Exact extract (Kubernetes Docs – Network Policies):

“An egress rule controls outgoing connections from Pods that match the policy.”

Clarifying wrong answers:

A/B: Too broad (cluster-level); policies apply per Pod/Namespace.

C: Security against unauthorized access is broader than egress policies.

MicroVM-based runtimes(e.g., Firecracker, Kata Containers) use lightweight VMs to provide strong isolation between workloads.

Compared touser-space kernel implementations(e.g., gVisor), microVMs generally:

Offerhigher isolation and security(due to VM-level separation).

Come with ahigher memory and resource overhead per instancethan user-space approaches.

Incorrect options:

(A) Orchestration is handled by Kubernetes, not inherently easier with microVMs.

(C) Compatibility is typically better with microVMs, not worse.

(D) Isolation is stronger, not weaker.

Setting privileged: true grants a containerelevated access to the host node, including access to host devices, kernel capabilities, and the ability to modify the host.

However, Secrets in Kubernetes are not automatically exposedto privileged containers. Secrets are mounted into Pods only if explicitly referenced.

Thus, being privilegeddoes not grant additional access to Kubernetes Secretscompared to a non-privileged Pod.

The risk lies in node compromise: if a privileged container can take over the node, it could then indirectly gain access to Secrets (e.g., by reading kubelet credentials).

TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.

It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.

Incorrect options:

(B)AlwaysAllowallows unrestricted access (insecure).

(C) No kubelet authorization mode exists.

(D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.

Thekubeletis the primary agent that runs on each node in a Kubernetes cluster and communicates with the control plane.

Kubeletsupports TLS (Transport Layer Security)for both authentication and encryption when interacting with the API server. This is a core security feature that ensures secure node-to-control-plane communication.

Incorrect options:

(A) Kubelet does not run as a privileged container by default; it runs as a system process (typically systemd-managed) on the host.

(B) Kubelet does include built-in security features such asTLS authentication, authorization modes, and read-only vs secured ports.

(D) While kubelet interacts with the host system (e.g., cgroups, container runtimes), it does not inherently require root access for communication security; RBAC and TLS handle authentication.

MITRE ATT&CKis a globally recognizedknowledge base of adversary tactics, techniques, and procedures (TTPs). It is focused on describingoffensive behaviorsattackers use.

Incorrect options:

(B)OWASP Top 10highlights common application vulnerabilities, not attacker techniques.

(C)CIS Controlsare defensive best practices, not offensive tools.

(D)NIST Cybersecurity Frameworkprovides a risk-based defensive framework, not adversary TTPs.

The 4C’s model (Cloud, Cluster, Container, Code) is presented in the official Kubernetes documentation as alayeredmodel that explicitly maps todefense-in-depth.

Exact extracts from Kubernetes docs(security overview):

“The 4C’s of Cloud Native Security are Cloud, Clusters, Containers, and Code.”

“You can think of the 4C’s asa layered approach to security; applying security measures at each layer reduces risk.”

“This layered approach is commonly known asdefense in depth.”

Kubernetes RBAC usesRoleBindingto grant permissions defined in aRoleto asubject(user, group, or service account) within a namespace. The official example shows binding user jane to Role pod-reader:

“A RoleBinding grants the permissions defined in a Role to a user or set of users….”

Example:

subjects:

- kind: User

name: jane

apiGroup: rbac.authorization.k8s.io

roleRef:

kind: Role

name: pod-reader

apiGroup: rbac.authorization.k8s.io

— Kubernetes docs, RBAC: RoleBinding and ClusterRoleBinding

OptionBmatches this pattern exactly, with name: bob as theUsersubject and roleRef pointing to theRolenamed pod-reader.

Aswaps the names (subject is pod-reader, role is bob) → incorrect.

Creferences aClusterRole, not aRole(the question asks for Role).

Duses kind: Group even though we need theUserbob.

gVisor:

Google-developed, implemented as auser-space kernelthat intercepts and emulates syscalls made by containers.

Providesstrong isolationwithout requiring a full VM.

Official docs: “gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface.”

Source: https://gvisor.dev/docs/

Firecracker:

AWS-developed,lightweight virtualization technologybuilt on KVM, used in AWS Lambda and Fargate.

Optimized for running secure, multi-tenant microVMs (MicroVMs) for containers and FaaS.

Official docs: “Firecracker is an open-source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.”

Source: https://firecracker-microvm.github.io/

Key difference:gVisor → syscall interception in userspace kernel (container isolation). Firecracker → lightweight virtualization with microVMs (multi-tenant security).

Therefore, optionAis correct.

Defining policiesas code (declarative)is a best practice in Kubernetes and cloud-native security.

This is aligned withGitOpsandPolicy-as-Codeprinciples (OPA Gatekeeper, Kyverno, etc.).

Exact extract (CNCF Security Whitepaper):

“Policy-as-Code enables declarative definition and enforcement of security policies, bringing consistency, automation, and reducing misconfiguration risk.”

Manual audits, ad-hoc scripting, or individual configurations are error-prone and inconsistent.

Pod Security Admission (PSA)enforces policies by applyinglabels on namespaces, not globally across the cluster.

Exact extract (Kubernetes Docs – Pod Security Admission):

“You can apply Pod Security Standards to namespaces by adding labels such as pod-security.kubernetes.io/enforce. Different namespaces can enforce different policies.”

Clarifications:

A: Incorrect, namespaces are the unit of enforcement.

C: Misleading — a namespace can have multiple enforcement modes (enforce, audit, warn).

D: Default namespace doesnotenforce strict policies unless labeled.

kube-controller-managerruns a set of controllers that regulate the cluster’s state.

Exact extract (Kubernetes Docs):“The kube-controller-manager runs controllers that are core to Kubernetes. Examples of controllers are: Node controller, Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller.”

Why D is correct:All listed are actual controllers within kube-controller-manager.

Why others are wrong:

A:Job and CronJob controllers are managed by kube-controller-manager, but DaemonSet controller is managed by the kube-scheduler/deployment logic.

B:Pod, Service, Ingress controllers are not part of kube-controller-manager.

C:ConfigMap and Secret do not have dedicated controllers.