Free Kubernetes and Cloud Native Security Associate practice questions with full explanations on every option. Kubernetes security, threat modeling, and compliance.
Q1. Which of the following best describes the primary goal of implementing defense-in-depth in cloud native environments?
A. To prioritize network security above all other security concerns
Incorrect. While network security is important, defense-in-depth balances all security domains equally.
B. To reduce the number of security tools required in a system
Incorrect. Defense-in-depth typically increases the number of security controls, not reduces it.
C. To eliminate the need for multiple security layers by using a single comprehensive solution
Incorrect. Defense-in-depth specifically requires multiple layers rather than eliminating them.
D. To ensure that if one layer fails, others contain the attack
Correct. Defense-in-depth implements multiple overlapping security controls so that compromise of one layer does not grant an attacker full system access.
Kubernetes Cluster Component Security
Q2. What does enabling TLS on the Kubernetes API server primarily protect against?
A. Unauthorized access and credential interception
Correct. TLS encrypts API server communications, preventing client credentials and sensitive data from being intercepted over the network and ensuring clients connect only to the legitimate API server.
B. Denial of service attacks from external networks
Incorrect. TLS does not provide DDoS protection.
C. Malicious code execution inside running pods
Incorrect. TLS on the API server does not prevent pod code execution.
D. Privilege escalation within the kubelet
Incorrect. TLS does not directly prevent kubelet privilege escalation.
Kubernetes Security Fundamentals
Q3. What is the primary purpose of Pod Security Standards (PSS)?
A. To manage networking, traffic shaping, and routing between pods across different cluster namespaces
Incorrect. Pod Security Standards do not manage pod networking.
B. To encrypt Kubernetes Secrets automatically
Incorrect. Secret encryption is managed separately from Pod Security Standards.
C. To authenticate users accessing pods via kubectl
Incorrect. User authentication is handled by the API server, not PSS.
D. To define baseline levels of pod security configuration (Privileged, Baseline, Restricted)
Correct. Pod Security Standards define three security policy profiles: Privileged (unrestricted), Baseline (minimal restrictions), and Restricted (hardened), allowing clusters to enforce security baselines.
Kubernetes Threat Model
Q4. What trust boundary must be carefully protected in Kubernetes?
A. The boundary between pods and ConfigMaps
Incorrect. ConfigMaps are less sensitive than the API server-etcd link.
B. The boundary between the pod and its PersistentVolume, since misconfigured StorageClasses can leak data across tenants
Incorrect. While volumes are important, the API server-etcd link is more critical.
C. The boundary between the API server and etcd, since compromise of this link could expose all cluster state
Correct. The API server-etcd communication is a critical trust boundary. If this link is compromised (via TLS stripping, unencrypted traffic, or unauthenticated access), all cluster Secrets and state are exposed.
D. The boundary between users and the kubectl CLI
Incorrect. Users and kubectl are outside the cluster boundary.
Platform Security
Q5. How does properly configured ingress controller security protect the cluster?
A. It authenticates and authorizes external traffic before it reaches internal services, enforcing TLS and rate limiting
Correct. A secure ingress controller validates TLS certificates, enforces authentication policies, applies rate limiting, and acts as the gateway for external traffic to the cluster.
B. It prevents all external traffic
Incorrect. An ingress controller's purpose is to terminate, route, and secure legitimate inbound traffic to Services; blocking all traffic would defeat the purpose of exposing the workload externally. What controllers actually do is enforce TLS, request authentication, rate limiting, and WAF policies on permitted traffic.
C. It manages pod-to-pod communication exclusively to support advanced canary, blue-green, and shadow deployment workflows
Incorrect. Ingress handles external-to-internal traffic, not pod-to-pod.
D. It encrypts etcd at rest
Incorrect. Ingress security does not manage etcd encryption.
Compliance and Security Frameworks
Q6. How do NIST frameworks apply to container and Kubernetes security?
Incorrect. NIST guidance is platform-agnostic and can inform controls for Linux, cloud, and containerized systems.
C. NIST frameworks only apply to physical data centers and on-premises hardware controlled by the federal government
Incorrect. NIST guidance extends to cloud and containerized environments.
D. NIST provides guidance on security controls and risk management applicable to cloud and container environments
Correct. The NIST Cybersecurity Framework and NIST SP 800-190 provide controls and guidance for container image security, supply chain, and risk management that apply to Kubernetes.
90 minutes, multi-choice format. See the official CNCF page for the current question count.
How difficult is the KCSA exam?
Rated intermediate. Plan 2–8 weeks depending on your background.
How much does the KCSA exam cost?
Pricing changes periodically — check the official CNCF KCSA page at https://www.cncf.io/training/certification/kcsa/.
Are these KCSA mock exams free?
Sample questions on this page are free with no account. Full timed KCSA mocks require a paid plan.
How is this mock exam different from the real KCSA exam?
Original questions written against the official CNCF curriculum — not scraped dumps. Format mirrors the real exam; the real one is proctored, these are self-paced.
What is the best way to study for KCSA?
Work through the official curriculum in order of domain weight (heaviest first), then run full timed mocks until you hit 85%+ consistently.