KCSA — Compliance and Security Frameworks

10% of the KCSA exam. Sample questions below; the full library has 12 questions tagged to this domain.

Sample questions on Compliance and Security Frameworks

Q1. What is the primary goal of implementing security policies and governance in a Kubernetes environment?

A. To eliminate the need for monitoring
   Incorrect. Governance enables better monitoring and control.

B. To grant all users administrator access for flexibility
   Incorrect. Governance is the opposite of granting unrestricted access.

C. Consistent security and compliance guardrails
   Correct. Security policies and governance frameworks define what is allowed, enforce compliance requirements, and provide a baseline standard for secure cluster operations.

D. To prevent all pod creation
   Incorrect. Governance should enable secure operation, not prevent legitimate workloads.

Q2. Your platform hosts several tenants in one Kubernetes cluster, including teams with different regulatory obligations and access levels. Which security boundary design is most appropriate to prevent data leakage and privilege escalation between tenants?

A. Kubernetes handles multi-tenancy automatically
   Incorrect. Kubernetes requires intentional multi-tenancy configuration.

B. Tenant isolation with RBAC, NetworkPolicy, quotas, and separate credentials
   Correct. Multi-tenant clusters require layered isolation: RBAC, NetworkPolicies, ResourceQuotas, and separate secret storage to maintain tenant boundaries.

C. Multi-tenancy only affects networking
   Incorrect. Multi-tenancy affects all layers: authentication, authorization, storage, and networking.

D. Tenants always have separate clusters
   Incorrect. Shared clusters require strong isolation controls.

Q3. What is the purpose of the kube-bench compliance tool?

A. To measure pod performance
   Incorrect. kube-bench does not measure performance.

B. To deploy patches automatically
   Incorrect. kube-bench does not deploy patches.

C. To optimize container image size
   Incorrect. kube-bench does not optimize images.

D. To audit Kubernetes clusters against the CIS Kubernetes Benchmark and report security configuration gaps
   Correct. kube-bench runs CIS Benchmark checks against a cluster and reports which security controls are passing or failing, helping identify configuration issues.

Q4. What should be included in a security incident response plan for containerized environments?

A. Password reset procedures only
   Incorrect. Incident response extends beyond password management.

B. Only network isolation procedures
   Incorrect. Incident response is broader than network controls.

C. Container-specific forensics and remediation runbooks
   Correct. Container incident response must address container-specific concerns: image validation, log shipping, the ephemeral nature of containers, and rapid remediation.

D. Manual security audits quarterly
   Incorrect. Incident response requires rapid action, not just quarterly reviews.

Q5. How might PCI-DSS requirements affect Kubernetes deployments handling payment card data?

A. PCI-DSS only applies to physical card readers
   Incorrect. PCI-DSS applies to all systems handling card data, including digital systems.

B. PCI-DSS permits storing plaintext card data in Secrets
   Incorrect. PCI-DSS forbids storing plaintext card data.

C. PCI-DSS does not apply to Kubernetes
   Incorrect. PCI-DSS applies to all systems handling card data.

D. PCI controls: encryption, access control, audit logs, and segmentation
   Correct. PCI-DSS mandates encryption (at rest and in transit), access controls, audit trails, and segmentation. Kubernetes deployments must enforce these through RBAC, encryption, NetworkPolicies, and audit logging.

How this domain is tested

Compliance and Security Frameworks accounts for 10% of the KCSA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 12-question domain bank will close those gaps.