Kubernetes security, threat modeling, and compliance. Free practice questions sampled from our full 120-question bank, with detailed explanations for every option.
Format: multi-choice
Duration: 90 min
Pass mark: 75%
Study time: 2–8 wks
Mocks here: 2
What the KCSA exam tests
The Kubernetes and Cloud Native Security Associate exam is structured around 6 weighted domains. Each domain link below opens a focused practice page with sample questions from that area.
One representative question per domain, drawn from the 120-question pool. The correct option and an explanation for every distractor follow each question.
Overview of Cloud Native Security
Q1. Which of the following best describes the primary goal of implementing defense-in-depth in cloud native environments?
A. To prioritize network security above all other security concerns
Incorrect. Network security is one layer among several; defense-in-depth layers controls across identity, workload, network, and data rather than elevating one domain above the rest.
B. To reduce the number of security tools required in a system
Incorrect. Defense-in-depth typically adds overlapping controls; it does not reduce their number.
C. To eliminate the need for multiple security layers by using a single comprehensive solution
Incorrect. Defense-in-depth is the opposite: it assumes any single control can fail and therefore requires multiple independent layers.
D. To ensure that if one security layer is compromised, the attack is still contained by subsequent layers
Correct. Defense-in-depth stacks overlapping, independent controls so that compromising one layer (for example, a container escape) does not by itself give the attacker the whole system; the next layer (pod security, network policy, RBAC) still has to be defeated.
Kubernetes Cluster Component Security
Q2. What does enabling TLS on the Kubernetes API server primarily protect against?
A. Unauthorized access by clients and interception of credentials in transit
Correct. TLS encrypts traffic between clients and the API server, so bearer tokens and other credentials cannot be read or replayed by an on-path attacker, and the server certificate lets clients verify they are talking to the genuine API server rather than an impostor. With client certificates (mutual TLS) the API server also authenticates the client.
B. Denial of service attacks from external networks
Incorrect. TLS provides no protection against denial of service; the handshake itself costs the server CPU.
C. Malicious code execution inside running pods
Incorrect. TLS on the API server does not affect what code runs inside pods.
D. Privilege escalation within the kubelet
Incorrect. TLS on the API server does not, by itself, prevent privilege escalation on a node; that depends on kubelet authentication and authorization and on the Node authorizer.
Kubernetes Security Fundamentals
Q3. What is the primary purpose of Pod Security Standards (PSS)?
A. To manage networking between pods in different namespaces
Incorrect. Pod Security Standards do not manage pod networking; that is the job of NetworkPolicy.
B. To encrypt Kubernetes Secrets automatically
Incorrect. Secret encryption at rest is configured on the API server, separately from Pod Security Standards.
C. To authenticate users accessing pods via kubectl
Incorrect. User authentication is handled by the API server, not PSS.
D. To define baseline levels of pod security configuration (Privileged, Baseline, Restricted)
Correct. Pod Security Standards define three policy profiles: Privileged (unrestricted), Baseline (blocks known privilege escalations such as privileged containers, host namespaces, and hostPath volumes), and Restricted (hardened: non-root, no privilege escalation, all capabilities dropped, seccomp required). The built-in Pod Security Admission controller enforces a profile per namespace via namespace labels.
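The profiles are applied per namespace by the Pod Security Admission controller, which reads labels on the Namespace object. The manifest below is an added example, not part of the original page or of any project: it enforces Restricted in a namespace and shows a pod that satisfies it. The namespace name, pod name, and image are assumed.

```yaml
# Added example (not from the original page). Namespace, pod and image names are assumed.
# Pod Security Admission is built into the API server (GA since Kubernetes 1.25), so these
# labels are all that is needed to enforce a profile.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Reject at admission any pod that violates the Restricted profile.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Also return a warning to the submitting client and record an audit annotation.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# A pod that passes Restricted. Without the four marked fields it would still pass
# Baseline (nothing privileged, no host namespaces, no hostPath) but be rejected here.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true                 # Restricted: the kubelet refuses to start a UID 0 container
    seccompProfile:
      type: RuntimeDefault             # Restricted: seccomp must be RuntimeDefault or Localhost
  containers:
  - name: api
    image: registry.example.internal/payments/api:1.4.2   # assumed image; must declare a non-root USER
    securityContext:
      allowPrivilegeEscalation: false  # Restricted: no setuid binaries gaining privileges
      capabilities:
        drop: ["ALL"]                  # Restricted: drop everything; only NET_BIND_SERVICE may be added back
      # privileged: true, hostPID/hostNetwork/hostIPC, or a hostPath volume would already fail Baseline.
    ports:
    - containerPort: 8080
```

Apply both objects with `kubectl apply -f`, then try removing `drop: ["ALL"]` and re-applying the pod: the API server rejects it with a message naming the violated Restricted control, which is exactly the feedback the warn and audit modes give without blocking when you are migrating an existing namespace.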
Kubernetes Threat Model
Q4. Which trust boundary must be most carefully protected in Kubernetes?
A. The boundary between pods and ConfigMaps
Incorrect. ConfigMaps hold non-sensitive configuration and are far less critical than the API server-etcd link.
B. The boundary between the pod and its PersistentVolume
Incorrect. Volume boundaries matter, but a compromised volume exposes one workload's data; the API server-etcd link exposes the whole cluster.
C. The boundary between the API server and etcd, since compromise of this link could expose all cluster state
Correct. etcd holds every object in the cluster, including every Secret. If the API server-etcd connection is unencrypted, not mutually authenticated, or etcd accepts unauthenticated clients, an attacker who reaches that link can read or rewrite all cluster state.
D. The boundary between users and the kubectl CLI
Incorrect. kubectl is a client running outside the cluster; the boundary it crosses is the authenticated TLS connection to the API server, not a line between the user and their own tool.
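Both Q2 (TLS between clients and the API server) and Q4 (the API server-etcd link) come down to a handful of kube-apiserver flags. The static pod excerpt below is an added example, not taken from the original page or from any distribution: it shows the flags that terminate TLS on the client side, that make the etcd connection mutually authenticated, and that verify the kubelet. The certificate paths follow the kubeadm layout and the image tag is assumed.

```yaml
# Added example (not from the original page). Paths follow kubeadm's /etc/kubernetes/pki
# layout and the image version is assumed; only the security-relevant flags are shown.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.30.0          # version assumed
    command:
    - kube-apiserver
    # --- Clients <-> API server (Q2) ---
    - --secure-port=6443
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt    # serving cert that clients verify
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --client-ca-file=/etc/kubernetes/pki/ca.crt          # CA used to authenticate client certificates (mTLS)
    - --authorization-mode=Node,RBAC                       # authentication alone is not authorization
    # --- API server <-> etcd (Q4) ---
    - --etcd-servers=https://127.0.0.1:2379                # https, never http
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt        # verifies etcd's server certificate
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt   # presented to etcd; etcd must run with --client-cert-auth=true to require it
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    # Secrets are still stored in clear inside etcd unless encryption at rest is configured.
    - --encryption-provider-config=/etc/kubernetes/enc/encryption-config.yaml
    # --- API server <-> kubelet ---
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt   # without this the kubelet's serving cert is not verified (exec/logs/port-forward can be spoofed)
    volumeMounts:
    - name: k8s-certs
      mountPath: /etc/kubernetes/pki
      readOnly: true
    - name: enc-config
      mountPath: /etc/kubernetes/enc
      readOnly: true
  volumes:
  - name: k8s-certs
    hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
  - name: enc-config
    hostPath:
      path: /etc/kubernetes/enc
      type: DirectoryOrCreate
```

A quick check that the etcd side of the boundary is actually closed: `etcdctl --endpoints=https://127.0.0.1:2379 get /registry/secrets --prefix --keys-only` must fail without `--cacert`, `--cert` and `--key`, and with them the Secret values returned must be ciphertext (prefixed `k8s:enc:`) rather than base64 once the encryption provider is in place.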
Platform Security
Q5. How does a properly configured ingress controller protect the cluster?
A. It authenticates and authorizes external traffic before it reaches internal services, enforcing TLS and rate limiting
Correct. A secure ingress controller terminates TLS with a valid certificate, can enforce authentication (for example through an external auth service) before forwarding a request, applies rate limiting, and is the single gateway through which external traffic enters the cluster.
B. It prevents all external traffic
Incorrect. An ingress controller exists to admit legitimate external traffic, not to block all of it.
C. It manages pod-to-pod communication only to support canary and blue-green deployments
Incorrect. Ingress handles external-to-internal (north-south) traffic; pod-to-pod (east-west) traffic is governed by NetworkPolicy or a service mesh.
D. It encrypts etcd at rest
Incorrect. Ingress configuration has nothing to do with etcd encryption at rest, which is configured on the API server.
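The controls in the correct answer map to concrete fields and annotations. The manifests below are an added example, not part of the original page or of any project: an Ingress with TLS termination, forced HTTPS, per-client rate limiting and an external authentication check, paired with a NetworkPolicy so the backend cannot be reached by any path that bypasses the controller. It assumes the ingress-nginx controller (the annotations are specific to it) deployed in the `ingress-nginx` namespace with its standard labels; the hostname, service names and the auth endpoint are assumed.

```yaml
# Added example (not from the original page). Assumes the ingress-nginx controller; the
# nginx.ingress.kubernetes.io/* annotations are specific to it. Names and hosts are assumed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: shop
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"   # plaintext HTTP is redirected to https
    nginx.ingress.kubernetes.io/limit-rps: "20"              # requests per second per client IP
    # The controller sends a subrequest here before proxying; any non-2xx reply blocks the request.
    # Assumed in-cluster auth service; the external leg was already TLS-terminated above.
    nginx.ingress.kubernetes.io/auth-url: "http://auth.shop.svc.cluster.local/verify"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - shop.example.com
    secretName: shop-tls        # kubernetes.io/tls Secret holding the serving certificate and key
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop
            port:
              number: 8080
---
# The ingress is a choke point only if traffic cannot go around it: allow the backend pods
# to accept connections solely from the ingress controller's pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: shop-from-ingress-only
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: shop                 # assumed label on the backend pods
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # label set automatically on every namespace
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    ports:
    - port: 8080
```

Note that the namespaceSelector and podSelector sit in the same `from` entry, so both must match (controller pods in the controller namespace); splitting them into two entries would OR them and admit every pod in the cluster carrying that label. The NetworkPolicy only takes effect if the cluster's CNI enforces policies.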
Compliance and Security Frameworks
Q6. How do NIST frameworks apply to container and Kubernetes security?
Incorrect. NIST guidance is platform-agnostic and can inform controls for Linux, cloud, and containerized systems.
C. NIST frameworks only apply to physical data centers
Incorrect. NIST guidance extends to cloud and containerized environments.
D. NIST provides guidance on security controls and risk management applicable to cloud and container environments
Correct. The NIST Cybersecurity Framework and NIST SP 800-190 (Application Container Security Guide) provide controls and guidance covering image security, registries, orchestrators, the supply chain, and risk management, all of which apply directly to Kubernetes.
How long to study
Roughly 2–8 weeks of focused study, though it depends heavily on what you already know. Engineers with hands-on production Kubernetes experience (or Cilium / Argo / OTel / etc. for the project-specific certs) can compress this to a week or two of mocks; people coming in cold should expect the upper end. The exam is multiple choice and recall-heavy, so practice exams matter more than reading the documentation cover to cover. Aim for 85%+ on full timed mocks before booking the real exam.
Why this practice library
This library was built by a Platform Engineer chasing Golden Kubestronaut who got frustrated by the lack of decent practice material for the associate-tier CNCF exams. The question banks track curriculum updates from the CNCF and the Linux Foundation.