KCSA — Kubernetes Cluster Component Security

22% of the KCSA exam. Sample questions below; the full library has 26 questions tagged to this domain.

Sample questions on Kubernetes Cluster Component Security

Kubernetes Cluster Component Security

Q1. Which Kubernetes component is responsible for assigning pods to nodes, and what security risk exists if it is compromised?

  A. kube-scheduler; compromise allows assigning pods to specific nodes to facilitate node attacks or resource exhaustion

    Correct. The kube-scheduler determines pod-to-node placement. If compromised, an attacker can place pods on specific nodes for lateral movement, colocate pods to steal data, or overload nodes.

  B. etcd; compromise exposes all Secrets

    Incorrect. While an etcd compromise is serious, etcd does not assign pods to nodes.

  C. API server; compromise disables all authentication

    Incorrect. The API server handles authentication, not scheduling.

  D. kubelet; compromise allows disabling container resource limits

    Incorrect. The kubelet runs on nodes but is not the scheduler.

Q2. Which of the following best describes the security benefit of using gVisor as a container runtime sandbox?

  A. It automatically patches all CVEs in the kernel

    Incorrect. gVisor does not patch CVEs; it provides isolation from the kernel.

  B. It provides an additional layer of isolation by intercepting syscalls and reducing the kernel attack surface exposed to containers

    Correct. gVisor (runsc) intercepts and filters syscalls, providing isolation from the host kernel and reducing the potential impact of kernel exploits.

  C. It enables direct access to host networking for better performance

    Incorrect. gVisor restricts host networking access; it does not enable direct access.

  D. It reduces memory usage by 50% compared to standard containers

    Incorrect. gVisor may have different memory characteristics, but memory reduction is not its primary security benefit.

Q3. What is the security benefit of storing kubeconfig files with restrictive file permissions (e.g., 600)?

  A. It disables kubelet communication with the API server

    Incorrect. File permissions do not affect kubelet-API server communication.

  B. It prevents pods from being scheduled on specific nodes

    Incorrect. File permissions do not affect pod scheduling.

  C. It ensures only the intended user can read the client credentials and access the cluster

    Correct. kubeconfig files contain client certificates and tokens. Restrictive permissions prevent unauthorized users on the system from reading the file and gaining cluster access.

  D. It encrypts API server communication automatically

    Incorrect. File permissions do not encrypt network communication.

Q4. In the context of container runtime security, what does CRI (Container Runtime Interface) abstraction provide?

  A. Direct enforcement of AppArmor and seccomp profiles

    Incorrect. While CRI enables runtime integration, AppArmor and seccomp are enforced by the kubelet, not the CRI interface itself.

  B. A standardized interface that allows Kubernetes to work with different runtimes (containerd, CRI-O) without vendor lock-in

    Correct. CRI provides a standardized API that allows Kubernetes to manage different container runtimes, improving flexibility and reducing vendor dependency.

  C. Network policy enforcement at the container level

    Incorrect. Network policies are enforced by the CNI plugin, not CRI.

  D. Automatic encryption of container layers

    Incorrect. Image layer encryption is handled by image registries and tools, not CRI.

Q5. How does setting proper kubelet authorization rules enhance cluster security?

  A. It prevents container images from being pulled from public registries

    Incorrect. Kubelet authorization does not control image registry access.

  B. It automatically encrypts all Secrets at the container runtime level

    Incorrect. Kubelet authorization does not handle Secret encryption.

  C. It disables all networking between pods

    Incorrect. Kubelet authorization does not control pod networking.

  D. It restricts which operations the kubelet can perform based on incoming requests

    Correct. Kubelet authorization enforces which API operations (like pod creation, log access, exec) are allowed, preventing privilege escalation and lateral movement.

How this domain is tested

Kubernetes Cluster Component Security accounts for 22% of the KCSA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 26-question domain bank will close those gaps.