16% of the KCSA exam. Sample questions below; the full library has 20 questions tagged to this domain.
Sample questions on Platform Security
Platform Security
Q1. What security capability does Kyverno provide as a Kubernetes-native policy engine?
A. Policy enforcement for image verification and security baselines
Correct. Kyverno is a Kubernetes-native policy engine that can enforce image signature verification, Pod Security Standards, network policies, and other security controls using CRDs.
B. It compiles container images
Incorrect. Kyverno does not compile images.
C. It schedules pods
Incorrect. Kyverno does not schedule pods.
D. It manages etcd backups
Incorrect. Kyverno does not manage backups.
Q2. Your platform team plans certificate rotation across Kubernetes control-plane and workload components. What is the primary security challenge?
A. Rotation only affects development clusters
Incorrect. Production clusters require rotation as much as development clusters.
B. Certificate rotation is not necessary
Incorrect. Regular certificate rotation is a security best practice.
C. Certificates cannot be rotated automatically
Incorrect. Automated rotation tools and approaches exist.
D. Coordinated rotation without service disruption
Correct. Rotating certificates across multiple components requires careful coordination to avoid service outages and ensure graceful transitions.
Q3. How do admission controllers like OPA/Gatekeeper enhance Kubernetes security?
A. They monitor pod logs for errors
Incorrect. Admission controllers do not monitor logs.
B. They can enforce fine-grained policies on resource creation, rejecting non-compliant workloads before they run
Correct. OPA/Gatekeeper policies validate all resources against security rules (e.g., 'no privileged pods', 'require security context') and reject non-compliant requests before they are admitted.
C. They encrypt all pod communication
Incorrect. Admission controllers do not encrypt communication.
D. They manage container registries to enforce policy compliance automatically
Incorrect. They do not manage registries.
Q4. How does mTLS enforcement via a service mesh improve cluster security?
A. It increases CPU usage significantly
Incorrect. Modern service meshes use efficient sidecar injection.
B. It automatically scales pods
Incorrect. Service mesh does not control scaling.
C. Encrypted and authenticated service-to-service communication
Correct. A service mesh (like Istio) enforces mTLS transparently, encrypts inter-service communication, and provides advanced traffic management.
D. It disables network policies
Incorrect. Service mesh policies complement NetworkPolicies.
Q5. What is the security purpose of network segmentation in a Kubernetes cluster?
A. To automatically patch vulnerabilities
Incorrect. Segmentation does not patch vulnerabilities.
B. To improve container image pull speed
Incorrect. Network segmentation does not affect pull speed.
C. To increase pod resource limits
Incorrect. Segmentation does not affect resource limits.
D. To limit the blast radius by restricting traffic between different security zones or environments
Correct. Network segmentation (via namespaces, NetworkPolicies, or separate networks) isolates different workloads or environments, preventing lateral movement if one zone is compromised.
Platform Security accounts for 16% of the KCSA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 20-question domain bank will close those gaps.