Free KCSA Mock Exam Sample Questions

10 KCSA practice questions with full explanations on every option. Original questions written against the current CNCF curriculum.

Kubernetes Cluster Component Security

Q1. What is the security risk of running the kubelet with `--read-only-port` enabled?

  A. Anon clients read pod info via read-only port

    Correct. The kubelet read-only port (default 10255) serves metrics and pod information without authentication, allowing any network-accessible client to gather intelligence about running pods and nodes.

  B. etcd encryption is automatically disabled

    Incorrect. The read-only port does not affect etcd encryption settings.

  C. Pod specification files cannot be read by authorized users

    Incorrect. The read-only port allows authorized reading, but the security issue is the lack of authentication.

  D. Container logs are not encrypted in transit

    Incorrect. The read-only port does not directly relate to log encryption.

Kubernetes Cluster Component Security

Q2. Which of the following is a key advantage of RBAC over ABAC in Kubernetes?

  A. RBAC does not require authentication

    Incorrect. Both RBAC and ABAC operate after authentication.

  B. ABAC is the default authorization mode in modern Kubernetes versions

    Incorrect. RBAC is the standard; ABAC is rarely used in production due to complexity.

  C. RBAC groups permissions into predefined roles

    Correct. RBAC abstracts permissions into reusable roles (ClusterRole, Role) and bindings, making policies easier to understand and maintain at scale compared to ABAC's attribute-based matching.

  D. ABAC provides better performance than RBAC

    Incorrect. Performance differences between RBAC and ABAC are negligible; RBAC is favored for manageability.

Kubernetes Cluster Component Security

Q3. What is the purpose of certificate-based authentication for requests from the API server to the kubelet?

  A. To sign container images that the kubelet pulls from the registry

    Incorrect. Image signing is handled by supply-chain tooling such as Cosign at build/registry time; certificate-based authentication between the API server and kubelet never signs the images the kubelet pulls.

  B. To encrypt data stored in etcd

    Incorrect. Encrypting data at rest in etcd is configured via an EncryptionConfiguration on the API server, not by certificate authentication on the kubelet endpoint.

  C. To authenticate end users connecting to the API server

    Incorrect. End-user authentication to the API server relies on mechanisms like OIDC, bearer tokens, or user client certificates, which are unrelated to the API-server-to-kubelet trust relationship.

  D. To verify that requests from the API server to the kubelet are legitimate

    Correct. The API server presents a client certificate (configured via `--kubelet-client-certificate`) so the kubelet, using its authentication settings (the client CA given by `--client-ca-file`), can verify that incoming requests originate from the legitimate API server and reject spoofed callers.

Kubernetes Cluster Component Security

Q4. You discover that etcd peers are communicating without mutual TLS authentication. What is the immediate security concern?

  A. All Secrets are automatically deleted

    Incorrect. Secrets are not automatically deleted due to communication encryption issues.

  B. Cluster data exposed to MITM and unauthorized etcd access

    Correct. Without mutual TLS between etcd peers, attackers on the network can intercept cluster state data, potentially leading to compromise of all cluster resources.

  C. The API server becomes read-only

    Incorrect. While etcd unavailability would stop the cluster, unencrypted communication doesn't make the API server read-only.

  D. Pods cannot schedule on the affected nodes

    Incorrect. etcd peer communication issues would affect the entire cluster, not pod scheduling on individual nodes.

Kubernetes Cluster Component Security

Q5. Which of the following best describes kube-proxy's role in cluster security?

  A. It encrypts all pod-to-pod communication

    Incorrect. kube-proxy does not encrypt pod-to-pod communication; that requires a service mesh or NetworkPolicies.

  B. It maintains rules to route Service traffic

    Correct. kube-proxy creates and maintains network rules (via iptables, IPVS, or other mechanisms) to route traffic to Services, making it critical for proper network isolation and traffic control.

  C. It authenticates users and authorizes API requests

    Incorrect. Authentication and authorization are the API server's responsibility.

  D. It proxies external HTTP traffic to Services

    Incorrect. While kube-proxy is involved in routing, it is not specifically an HTTP proxy.

Kubernetes Cluster Component Security

Q6. A new worker node is joining your cluster without pre-provisioned kubelet client certificates. What does kubelet TLS bootstrapping provide?

  A. To encrypt the container runtime communication protocol

    Incorrect. Container runtime communication is configured separately from TLS bootstrapping.

  B. To let kubelets request client certs without pre-provisioned creds

    Correct. TLS bootstrapping allows new nodes to join the cluster securely by using a bootstrap token to request a client certificate from the CA, eliminating the need to pre-distribute credentials.

  C. To enable automatic cluster scaling based on resource utilization

    Incorrect. Cluster autoscaling uses different mechanisms than TLS bootstrapping.

  D. To authenticate users logging into worker nodes via SSH

    Incorrect. SSH authentication is a separate concern from kubelet certificate provisioning.

Kubernetes Cluster Component Security

Q7. What is a security implication of running the container runtime without proper access controls?

  A. The API server cannot authenticate Service accounts

    Incorrect. Container runtime access does not prevent API server authentication.

  B. Kubernetes Secrets become automatically visible in plaintext pod logs

    Incorrect. Secrets exposure in logs is a separate concern from container runtime access.

  C. Direct runtime access enables privileged containers or host

    Correct. The container runtime is a critical security boundary. Unrestricted access allows bypassing Kubernetes security controls to run arbitrary containers with escalated privileges.

  D. etcd communication becomes unencrypted

    Incorrect. Container runtime access does not affect etcd encryption.

Kubernetes Cluster Component Security

Q8. A misconfigured kubelet is listening on port 10250 with client certificate authentication disabled. Which of the following is a realistic attack scenario?

  A. Read pod logs and exec via kubelet API

    Correct. An unauthenticated kubelet API (port 10250) exposes /exec, /run, /attach, and /logs, enabling remote command execution inside running pods, log access, and data exfiltration; this escalates to host compromise (container escape) only if a targeted pod is already privileged or mounts host paths.

  B. Attackers can revoke user API server access tokens

    Incorrect. Token issuance and revocation are handled by the API server and its authentication layer, not by the kubelet on port 10250.

  C. Attackers can change the admission webhook URL

    Incorrect. ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects live in the API server's configuration, so they cannot be altered through the kubelet API.

  D. Attackers can modify the control plane configuration

    Incorrect. Control plane configuration is owned by the API server and etcd, which are not reachable through the kubelet endpoint on port 10250.

Kubernetes Cluster Component Security

Q9. How does setting proper kubelet authorization rules enhance cluster security?

  A. It prevents container images from being pulled from public registries

    Incorrect. Kubelet authorization does not control image registry access.

  B. It automatically encrypts all Secrets at the container runtime level

    Incorrect. Kubelet authorization does not handle Secret encryption.

  C. It disables all networking between pods

    Incorrect. Kubelet authorization does not control pod networking.

  D. It restricts which operations incoming requests may perform on the kubelet

    Correct. Kubelet authorization enforces which API operations (like pod creation, log access, exec) are allowed, preventing privilege escalation and lateral movement.

Kubernetes Cluster Component Security

Q10. A security audit finds the read-only kubelet port (10255) exposed on worker nodes in a production cluster. What risk does this present?

  A. Disables all network policies on the node

    Incorrect. The read-only port does not affect network policy enforcement.

  B. Allows anyone to make changes to the kubelet configuration

    Incorrect. The read-only port does not permit modifications; it is read-only.

  C. Directly enables privilege escalation to root

    Incorrect. While reconnaissance can lead to privilege escalation, the port itself does not directly enable it.

  D. Read-only pod/node info without auth, enabling recon

    Correct. The unauthenticated read-only port exposes sensitive information like running pods, their configuration, and node details, which attackers can use for reconnaissance.
