22% of the KCSA exam. Sample questions below; the full library has 26 questions tagged to this domain.
Sample questions on Kubernetes Security Fundamentals
Kubernetes Security Fundamentals
Q1. What is the purpose of Linux capability restrictions in SecurityContext?
A. To limit which Kubernetes API operations a pod can perform
Incorrect. Capability restrictions operate at the OS level, not the Kubernetes API.
B. To prevent pods from writing to PersistentVolumes
Incorrect. Capability restrictions do not control volume access.
C. To control pod resource limits like CPU and memory
Incorrect. Resource limits are managed separately.
D. To drop unnecessary Linux capabilities from the container, reducing the kernel surface a compromised container can exploit
Correct. Linux capabilities control what system calls a process can make. Dropping unnecessary capabilities (like CAP_SYS_ADMIN) reduces attack surface.
Q2. Which of the following is an effective practice for reducing the risk of privilege escalation in Kubernetes?
A. Removing all capability restrictions
Incorrect. Capability restrictions reduce attack surface; removing them increases risk.
B. Setting allowPrivilegeEscalation: false and runAsNonRoot: true in the PodSecurityContext
Incorrect. Running as root increases the impact of container escapes.
D. Disabling seccomp profiles
Incorrect. Seccomp profiles are essential defensive controls.
Q3. What is the relationship between AppArmor, SELinux, and seccomp in container security?
A. AppArmor is for pods, SELinux for nodes, and seccomp is not used
Incorrect. While SELinux is typically host-based, all three can protect containers.
B. Only AppArmor is supported in Kubernetes; SELinux and seccomp are for other container platforms
Incorrect. All three are supported in Kubernetes through SecurityContext profiles.
C. All three are Linux mandatory access control or syscall filtering mechanisms that can restrict container behavior at the kernel level
Correct. AppArmor and SELinux are mandatory access control systems that restrict what operations are allowed, while seccomp restricts which system calls a process can invoke. All three can enhance container security.
D. They are three different names for the same security mechanism
Incorrect. They are distinct mechanisms with different approaches.
Q4. You need to audit which users and service accounts access sensitive resources in your cluster. Which audit log level provides the best visibility?
A. None
Incorrect. 'None' provides no audit information.
B. RequestResponse
Correct. 'RequestResponse' logs both request and response details, enabling comprehensive auditing of resource access.
C. Request
Incorrect. 'Request' provides request details but not responses.
D. Metadata
Incorrect. 'Metadata' shows who accessed what, but not the details of requests.
Q5. What does this SecurityContext field enforce?
```yaml
runAsNonRoot: true
```
A. The pod cannot read Kubernetes Secrets
Incorrect. Secret access is controlled by RBAC, not this field.
B. The pod cannot mount volumes from the host
Incorrect. Volume mounting is controlled by separate fields.
C. The pod cannot access network resources
Incorrect. This setting does not control network access.
D. The container must run as a non-root user, preventing privilege escalation attacks that rely on root access
Correct. Setting runAsNonRoot: true ensures the container process runs as an unprivileged user, limiting damage if the application is compromised.
Kubernetes Security Fundamentals accounts for 22% of the KCSA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 26-question domain bank will close those gaps.