← KCSA hub

KCSA — Kubernetes Threat Model

16% of the KCSA exam. Sample questions below; the full library has 20 questions tagged to this domain.

Sample questions on Kubernetes Threat Model

Kubernetes Threat Model

Q1. How can persistence be achieved in a Kubernetes cluster after initial compromise?

Reveal answer and explanations
  1. A Using environment variables to store configuration

    Incorrect. Environment variables disappear with the pod.

  2. B Storing data in pod logs

    Incorrect. Pod logs are transient and can be deleted.

  3. C Creating a DaemonSet to run a backdoor on every node, or creating a ServiceAccount with cluster-admin permissions

    Correct. An attacker can establish persistence by deploying a DaemonSet (persistent across node reboots), creating a backdoor ServiceAccount with cluster-admin RBAC, or injecting a webhook to maintain control.

  4. D Writing to the pod's temporary filesystem

    Incorrect. Temporary filesystems are ephemeral.

Kubernetes Threat Model

Q2. An attacker compromises a private container registry and injects malicious code into container images. What is the most critical impact?

Reveal answer and explanations
  1. A All containers pulled from that registry will execute the malicious code, potentially compromising all workloads cluster-wide

    Correct. A compromised registry can distribute backdoored images to all consumers, affecting all workloads across environments.

  2. B Only the registry metadata is affected

    Incorrect. Compromised images execute malicious code, not just metadata.

  3. C The registry becomes slow

    Incorrect. Performance is not the primary security concern.

  4. D The cluster automatically rejects images from the registry

    Incorrect. Clusters do not automatically reject registry images; detection relies on image scanning and verification.

Kubernetes Threat Model

Q3. What trust boundary must be carefully protected in Kubernetes?

Reveal answer and explanations
  1. A The boundary between pods and ConfigMaps

    Incorrect. ConfigMaps are less sensitive than the API-etcd link.

  2. B The boundary between the pod and its PersistentVolume

    Incorrect. While volumes are important, the API-etcd link is more critical.

  3. C The boundary between the API server and etcd, since compromise of this link could expose all cluster state

    Correct. The API server-etcd communication is a critical trust boundary. If this link is compromised (via TLS stripping, unencrypted traffic, or unauth access), all cluster Secrets and state are exposed.

  4. D The boundary between users and the kubectl CLI

    Incorrect. Users and kubectl are outside the cluster boundary.

Kubernetes Threat Model

Q4. A Pod mounts `/var/run/docker.sock` from the host. What critical security risk does this create?

Reveal answer and explanations
  1. A Host Docker socket access gives node-level control

    Correct. Docker socket access allows a container to manage all containers on the host, including launching privileged containers or accessing the host filesystem.

  2. B It only affects log file access

    Incorrect. Docker socket enables container control, not just logging.

  3. C It disables container resource limits

    Incorrect. Docker socket access does not affect resource limits.

  4. D It increases disk I/O latency

    Incorrect. Performance is not the primary concern.

Kubernetes Threat Model

Q5. What is a credential theft attack in Kubernetes and how might it succeed?

Reveal answer and explanations
  1. A Preventing users from changing their passwords

    Incorrect. Password changes are not the attack vector.

  2. B Forcing pods to use plaintext communications

    Incorrect. Plaintext communications are a separate issue.

  3. C Removing authentication from the API server

    Incorrect. Removing authentication is a different attack type.

  4. D ServiceAccount token theft for API impersonation

    Correct. ServiceAccount tokens (mounted in /var/run/secrets/kubernetes.io/serviceaccount/token) can be stolen from a compromised pod. The attacker then uses this token to impersonate the ServiceAccount and access the API.

Drill Kubernetes Threat Model with the full bankDomain Drill mode targets your weak areas — paid feature

How this domain is tested

Kubernetes Threat Model accounts for 16% of the KCSA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 20-question domain bank will close those gaps.