Introduction
These 25 sample KCSA practice questions are designed to replicate the style, difficulty, and content coverage of the actual KCSA exam. Use these questions to assess your knowledge and identify areas needing further study.
Each question includes detailed explanations to help you understand not just the correct answer, but the underlying concepts. Work through these questions without looking at answers first for the most accurate assessment.
Domain 1: Cloud Native Security Overview (3 questions)
Question 1
Which of the following best describes the “least privilege” principle in cloud-native security?
A) Systems should have multiple layers of security controls B) Applications and users should have only the minimum permissions necessary to perform their functions C) All systems should block traffic by default D) Administrative access should be limited to a single person
Correct Answer: B
Explanation: The least privilege principle requires that every user, application, and system component receives only the minimum permissions necessary to perform their role. This reduces the impact of compromise or misconfiguration. While options A and C are security best practices, they address different concepts (defense in depth and zero trust). Option D is an example of least privilege but not its definition.
Domain: Cloud Native Security Overview Difficulty: Easy
Question 2
In the cloud computing shared responsibility model, which component’s security is the cloud provider’s responsibility when using managed Kubernetes (e.g., AWS EKS)?
A) The security of containerized applications deployed in the cluster B) The encryption of application data at rest C) The security of the Kubernetes control plane components D) Network policies for the organization’s applications
Correct Answer: C
Explanation: In managed Kubernetes services, the provider (AWS, GCP, Azure) is responsible for securing the control plane—API server, etcd, scheduler, controller manager, kubelet on control plane nodes, and related infrastructure. Organizations remain responsible for securing worker nodes, applications, data, and configuration. Options A, B, and D are customer responsibilities.
Domain: Cloud Native Security Overview Difficulty: Easy
Question 3
What is the primary advantage of immutable infrastructure in cloud-native security?
A) It prevents users from making mistakes B) It ensures that applications can’t be modified after deployment, reducing drift and limiting attack surface C) It eliminates the need for RBAC D) It prevents all security vulnerabilities
Correct Answer: B
Explanation: Immutable infrastructure means infrastructure is never modified after deployment; instead, new versions replace old ones. This prevents configuration drift, makes changes auditable, and limits the attack surface (no malicious modification of running systems). Options A, C, and D overstate the benefits—immutable infrastructure is one security control among many.
Domain: Cloud Native Security Overview Difficulty: Easy
Domain 2: Kubernetes Cluster Component Security (6 questions)
Question 4
What is the security risk if a Kubernetes API server is started with --insecure-port=8080?
A) The API server will only accept encrypted connections B) The API server will accept unencrypted HTTP requests without authentication C) The API server will require client certificates D) All connections to the API server will be blocked
Correct Answer: B
Explanation: The --insecure-port flag (deprecated in newer versions) causes the API server to listen on unencrypted HTTP without any authentication. This allows anyone with network access to issue commands to the API server. Modern Kubernetes uses only the secure port (6443) with TLS. Options A, C, and D are incorrect; insecure port does the opposite—it enables unencrypted, unauthenticated access.
Domain: Kubernetes Cluster Component Security Difficulty: Easy
Question 5
You need to verify that the kubelet on a worker node requires authorization for API requests. Which setting should be enabled?
A) --authentication-mode=X509
B) --authorization-mode=Webhook or --authorization-mode=RBAC
C) --read-only-port=0
D) --anonymous-auth=true
Correct Answer: B
Explanation: The --authorization-mode flag determines how the kubelet authorizes requests to its API. Setting it to Webhook or RBAC ensures that API requests are authorized according to policy. Option A is about authentication (verifying who), not authorization (allowing what). Option C disables the read-only port but doesn’t enforce authorization. Option D enables anonymous access, which weakens security.
Domain: Kubernetes Cluster Component Security Difficulty: Medium
Question 6
What is the primary reason that etcd should be encrypted at rest in production Kubernetes clusters?
A) To improve cluster performance B) To prevent unauthorized access to cluster state data through disk access C) To ensure TLS encryption for API server communication D) To satisfy Kubernetes API version requirements
Correct Answer: B
Explanation: Encryption at rest protects etcd data on disk. If someone gains access to the physical disk or backups, they can’t read the sensitive data (secrets, credentials) stored in etcd without decryption keys. Option A is incorrect (encryption typically reduces performance). Options C and D are about other security controls or requirements.
Domain: Kubernetes Cluster Component Security Difficulty: Medium
Question 7
Which Kubernetes component should have exclusive network access to etcd in a production cluster?
A) Worker node kubelets B) The Kubernetes API server C) All pods running in the cluster D) The scheduler and controller manager
Correct Answer: B
Explanation: Only the API server should communicate with etcd. The API server acts as the gatekeeper for cluster state. Direct etcd access from other components bypasses API server authorization and audit logging. Options A, C, and D represent security risks if they communicated directly with etcd.
Domain: Kubernetes Cluster Component Security Difficulty: Medium
Question 8
You’re auditing your Kubernetes cluster and find that the kubelet read-only port is enabled on port 10255. What should you do?
A) This is acceptable; read-only operations are safe
B) Disable the read-only port by setting --read-only-port=0 on all kubelets
C) Encrypt the read-only port with TLS
D) Restrict the read-only port to localhost only
Correct Answer: B
Explanation: The read-only port (default 10255) provides unauthenticated, unencrypted access to kubelet APIs. Even though it’s read-only, it exposes sensitive cluster information. The recommended practice is to disable it entirely by setting --read-only-port=0. Options A is incorrect (unauthenticated access is a risk). Options C and D attempt to secure it but don’t address the root issue.
Domain: Kubernetes Cluster Component Security Difficulty: Medium
Question 9
In a production Kubernetes cluster, which certificate authority (CA) should sign the kubelet’s certificate?
A) A self-signed certificate created by the kubelet itself B) The Kubernetes cluster CA C) A publicly-trusted CA (like Let’s Encrypt) D) No certificate is needed if kubelet runs on localhost
Correct Answer: B
Explanation: The kubelet’s certificate should be signed by the cluster CA, enabling mutual TLS between kubelet and API server. This ensures that the API server can verify it’s communicating with a legitimate kubelet, and the kubelet can verify the API server. Option A doesn’t enable verification. Option C is unnecessary and complicates rotation. Option D is incorrect; localhost communication is not appropriate for cluster communication.
Domain: Kubernetes Cluster Component Security Difficulty: Medium
Domain 3: Kubernetes Security Fundamentals (6 questions)
Question 10
You want to ensure that a service account named app-viewer in the production namespace can only list and watch pods, but not create, delete, or update them. Which Kubernetes resource should you create?
A) A ClusterRole with verbs: [“list”, “watch”] on resources: [“pods”] B) A ClusterRoleBinding binding the app-viewer service account to a cluster-admin role C) A Role with verbs: [“list”, “watch”] on resources: [“pods”] and a RoleBinding binding it to app-viewer D) A Role with verbs: [”*”] on resources: [“pods”]
Correct Answer: C
Explanation: A Role defines permissions within a single namespace, and a RoleBinding grants those permissions to a specific subject (service account). The verbs [“list”, “watch”] provide read-only access. Option A uses ClusterRole (cluster-wide, unnecessary). Option B grants cluster-admin, far exceeding the requirement. Option D grants all verbs, violating least privilege.
Domain: Kubernetes Security Fundamentals Difficulty: Easy
Question 11
Consider this network policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
spec:
podSelector: {}
policyTypes:
- IngressWhat is the effect of this policy?
A) All traffic is blocked (ingress and egress) B) All ingress traffic is blocked; egress traffic is allowed C) The policy has no effect D) All pods must use TLS for communication
Correct Answer: B
Explanation: This policy creates a default-deny ingress policy (blocks all incoming traffic). The podSelector: {} applies to all pods in the namespace. Since policyTypes only specifies “Ingress”, egress traffic remains unaffected. Option A is incorrect (egress isn’t blocked). Options C and D are incorrect interpretations.
Domain: Kubernetes Security Fundamentals Difficulty: Easy
Question 12
You have a Pod Security Standard enforced on a namespace with the “restricted” profile. Which of the following containers would be rejected when deployed to this namespace?
A) A container running as a non-root user with a read-only root filesystem
B) A container with securityContext.runAsNonRoot=true and securityContext.allowPrivilegeEscalation=false
C) A container with securityContext.privileged=true
D) A container with securityContext.runAsUser=1000
Correct Answer: C
Explanation: The restricted PSS profile prohibits privileged containers (securityContext.privileged=true). Options A and B comply with restricted requirements. Option D is allowed; non-root numeric UIDs are acceptable in restricted profile.
Domain: Kubernetes Security Fundamentals Difficulty: Medium
Question 13
How would you prevent privilege escalation from a non-root container user to root within the container?
A) Use a network policy to block root processes
B) Set securityContext.allowPrivilegeEscalation=false and drop the CAP_SYS_ADMIN capability
C) Encrypt the container filesystem
D) Remove the container’s service account
Correct Answer: B
Explanation: Setting allowPrivilegeEscalation=false prevents processes from gaining additional privileges. Dropping unnecessary capabilities (like CAP_SYS_ADMIN) limits privilege escalation vectors. Option A is incorrect (network policies operate at network layer, not process privileges). Options C and D don’t prevent privilege escalation.
Domain: Kubernetes Security Fundamentals Difficulty: Medium
Question 14
In Kubernetes RBAC, which combination is required to grant a user permission to delete pods?
A) A ClusterRole and a ServiceAccount B) A Role and a ClusterRoleBinding C) A Role (or ClusterRole) with verb “delete” and a RoleBinding (or ClusterRoleBinding) D) A SecurityPolicy and a NetworkPolicy
Correct Answer: C
Explanation: RBAC requires two components: (1) a Role or ClusterRole defining what can be done (including “delete” verb), and (2) a RoleBinding or ClusterRoleBinding assigning that role to a subject. Options A, B don’t pair correctly. Option D refers to different security controls.
Domain: Kubernetes Security Fundamentals Difficulty: Easy
Question 15
You want to ensure that a Webhook admission controller validates all pods before they’re created. What must be configured?
A) A ValidatingAdmissionWebhook with an appropriate rule set B) A MutatingAdmissionWebhook configured to reject pods C) An RBAC policy that denies pod creation D) A network policy that blocks pod traffic
Correct Answer: A
Explanation: ValidatingAdmissionWebhooks intercept and validate requests based on rules (which operations, resources, etc.). MutatingAdmissionWebhooks modify requests but don’t typically validate them. Options C and D are different security controls.
Domain: Kubernetes Security Fundamentals Difficulty: Medium
Domain 4: Kubernetes Threat Model (4 questions)
Question 16
What is the primary security risk of running a pod with securityContext.privileged=true?
A) The pod uses more CPU and memory B) The pod can directly access and escape the container runtime to the host kernel C) The pod cannot communicate with other pods D) The pod’s environment variables are exposed to other users
Correct Answer: B
Explanation: Privileged pods bypass most security controls and have access to kernel interfaces, allowing container escape to the host. This is a critical security risk. Options A, C, and D are incorrect or unrelated to the privilege escalation risk.
Domain: Kubernetes Threat Model Difficulty: Medium
Question 17
A pod is accidentally deployed with access to the host’s /var/lib/kubelet directory via a hostPath volume. What sensitive data could an attacker access?
A) Only the pod’s own logs B) Service account tokens of all pods running on that node C) Kubernetes secrets stored in etcd D) Only data written by the pod itself
Correct Answer: B
Explanation: The kubelet directory contains mounted service account tokens for all pods on the node. Access to this directory gives an attacker the tokens of all pods, enabling lateral movement and privilege escalation. Options A, C, and D are incorrect about what this directory contains.
Domain: Kubernetes Threat Model Difficulty: Hard
Question 18
How can a compromised pod exfiltrate data from your cluster to an external attacker-controlled server?
A) Through the pod’s standard output (stdout) B) Through outbound network connections (egress traffic) C) Through Kubernetes secrets in etcd D) Through the container image registry
Correct Answer: B
Explanation: Compromised pods can establish outbound (egress) connections to external servers. Network policies with egress restrictions and egress monitoring can prevent or detect this. Options A, C, and D are not typical exfiltration paths.
Domain: Kubernetes Threat Model Difficulty: Easy
Question 19
Which of the following is the most effective way to prevent a pod from accessing the kubelet API on its node?
A) Disable the kubelet API entirely B) Use network policies to block traffic to the kubelet port (10250) C) Require kubelet API authentication and configure the kubelet’s authorization mode D) Run the kubelet in a separate namespace
Correct Answer: C
Explanation: Requiring kubelet authentication and authorization (option B is a network control, which helps but is not sufficient). The kubelet API can be accessed by legitimate system components; authentication and authorization ensure that only authorized clients (API server) can issue commands. Option B (network policies) should also be used as a defense-in-depth measure. Options A and D are not practical.
Domain: Kubernetes Threat Model Difficulty: Hard
Domain 5: Platform Security (3 questions)
Question 20
You want to ensure that only container images that have been scanned for vulnerabilities and certified as safe are deployed in your cluster. Which mechanism would you use?
A) A network policy that blocks image registry traffic B) Binary authorization or OPA/Gatekeeper policies that verify image signatures C) Encrypting the container image registry D) Storing all images in a private registry
Correct Answer: B
Explanation: Binary authorization and OPA/Gatekeeper can enforce policies that only allow images signed by authorized build pipelines (ensuring they’ve been scanned and verified). Option A blocks registries (impractical). Options C and D don’t ensure vulnerability scanning.
Domain: Platform Security Difficulty: Medium
Question 21
What does a Software Bill of Materials (SBOM) provide in terms of supply chain security?
A) A list of all files in a container image B) A complete inventory of dependencies and components in software, enabling vulnerability tracking C) Encryption keys for the container image D) Network access logs for the image registry
Correct Answer: B
Explanation: An SBOM documents all components, dependencies, and libraries in software, enabling organizations to identify when known vulnerabilities affect their dependencies. Options A, C, and D are incorrect.
Domain: Platform Security Difficulty: Easy
Question 22
In a CI/CD pipeline, at which stage should container image scanning occur to catch vulnerabilities early?
A) After deployment to production B) During the build stage, before pushing to the registry C) Only in the staging environment D) Scanning is only necessary for public images
Correct Answer: B
Explanation: Scanning during the build stage enables catching vulnerabilities before they enter the registry and production. This is the most effective point in the pipeline. Options A (too late), C (limited coverage), and D (incorrect assumption) are less ideal.
Domain: Platform Security Difficulty: Easy
Domain 6: Compliance and Security Frameworks (3 questions)
Question 23
Which of the following is true about Kubernetes audit logs in terms of PCI-DSS compliance?
A) Audit logs are not required by PCI-DSS B) PCI-DSS requires audit logs of all access to systems; Kubernetes audit logs provide this trail C) Only API server logs are needed for compliance D) Audit logs must be stored unencrypted for regulatory inspection
Correct Answer: B
Explanation: PCI-DSS requires audit logging of access to systems handling cardholder data. Kubernetes audit logs document all API requests, providing the required audit trail. Options A, C, and D are incorrect.
Domain: Compliance and Security Frameworks Difficulty: Medium
Question 24
What is the primary purpose of defining a security baseline in your Kubernetes cluster documentation?
A) To improve cluster performance B) To establish a documented standard of required security controls and configuration for audit and compliance purposes C) To prevent users from accessing the cluster D) To eliminate all security risks
Correct Answer: B
Explanation: Security baselines document required security configurations (RBAC policies, network policies, pod security standards, etc.). They enable auditing, compliance verification, and consistent enforcement. Options A, C, and D are incorrect.
Domain: Compliance and Security Frameworks Difficulty: Easy
Question 25
Which event level should be configured in Kubernetes audit logging to capture the full request and response for sensitive operations (e.g., secret creation)?
A) None (no logging) B) Metadata (only log metadata, not request/response body) C) RequestResponse (log full request and response) D) RequestResponse is too verbose; only log the outcome
Correct Answer: C
Explanation: The RequestResponse level logs both the request and response bodies, capturing complete information about sensitive operations. This is necessary for auditing secret access. Option B is lower fidelity (only metadata). Options A and D skip important audit information.
Domain: Compliance and Security Frameworks Difficulty: Easy
Answer Summary
| Question | Domain | Difficulty | Correct Answer |
|---|---|---|---|
| 1 | Cloud Native Security Overview | Easy | B |
| 2 | Cloud Native Security Overview | Easy | C |
| 3 | Cloud Native Security Overview | Easy | B |
| 4 | Cluster Component Security | Easy | B |
| 5 | Cluster Component Security | Medium | B |
| 6 | Cluster Component Security | Medium | B |
| 7 | Cluster Component Security | Medium | B |
| 8 | Cluster Component Security | Medium | B |
| 9 | Cluster Component Security | Medium | B |
| 10 | Security Fundamentals | Easy | C |
| 11 | Security Fundamentals | Easy | B |
| 12 | Security Fundamentals | Medium | C |
| 13 | Security Fundamentals | Medium | B |
| 14 | Security Fundamentals | Easy | C |
| 15 | Security Fundamentals | Medium | A |
| 16 | Threat Model | Medium | B |
| 17 | Threat Model | Hard | B |
| 18 | Threat Model | Easy | B |
| 19 | Threat Model | Hard | C |
| 20 | Platform Security | Medium | B |
| 21 | Platform Security | Easy | B |
| 22 | Platform Security | Easy | B |
| 23 | Compliance & Frameworks | Medium | B |
| 24 | Compliance & Frameworks | Easy | B |
| 25 | Compliance & Frameworks | Easy | C |
Scoring Your Practice Exam
25 questions = approximately 25% of actual KCSA exam
- Passing score: 75% = approximately 19 out of 25 correct on this sample
- Advanced score: 85%+ = approximately 21+ out of 25 correct
If you scored below 75%, identify which domains (shown in the answer summary) were challenging and review that domain material.
Domain Coverage
This sample includes:
- 3 questions on Cloud Native Security Overview (14% domain weight)
- 6 questions on Cluster Component Security (22% domain weight)
- 6 questions on Security Fundamentals (22% domain weight)
- 4 questions on Threat Model (16% domain weight)
- 3 questions on Platform Security (16% domain weight)
- 3 questions on Compliance & Frameworks (10% domain weight)
Next Steps
Now that you’ve practiced these sample questions:
- Review your incorrect answers: Understand not just the correct answer, but why you chose incorrectly
- Identify weak domains: Focus additional study on domains where you scored below 75%
- Take full practice exams: Move from sample questions to complete KCSA practice exam bundles
- Build hands-on experience: Complement these questions with practical lab work using real Kubernetes clusters
- Review relevant material: For each missed question, review the corresponding domain section in our KCSA exam topics guide
Get Comprehensive Practice Materials
These 25 questions provide a good introduction to KCSA content. However, the actual exam has 60 questions across all domains with varying difficulty levels. For thorough preparation:
- Take Sailor.sh’s full-length KCSA practice exams
- Use Sailor.sh’s comprehensive practice exam bundle with detailed explanations
- Track your progress across all domains
- Identify and strengthen weak areas
Frequently Asked Questions
Q: How accurate are these sample questions compared to the real KCSA exam? A: These questions are modeled after official KCSA exam patterns and domains. However, actual exam questions may vary in specific wording and context. Use these for concept validation, then practice with official resources.
Q: I scored below 75% on this sample. Am I ready for the real exam? A: Not yet. Use this as a diagnostic to identify weak areas. Study those domains thoroughly, then retake practice exams. Most people need to score 75%+ on multiple full-length practice exams before taking the real exam.
Q: Should I memorize these questions? A: No. Focus on understanding the concepts and reasoning. Actual exam questions will test the same concepts but with different wording. Understanding beats memorization.
Q: Where can I find more practice questions? A: Sailor.sh’s KCSA practice platform offers hundreds of practice questions with detailed explanations, organized by domain.
Ready for Full-Length Practice?
Start your KCSA certification journey with comprehensive preparation:
- Take another diagnostic with Sailor.sh’s free practice exam
- Get detailed feedback on your domain performance
- Access our complete KCSA practice exam bundle for full-length exams
- Follow a structured study plan with domain-by-domain guidance
Your KCSA certification is within reach. Keep practicing with Sailor.sh and you’ll be exam-ready soon.