Free KCSA Sample Questions

10 KCSA questions with full explanations for every option, free to view on this page.

Kubernetes Cluster Component Security

Q1. What is the security risk of running the kubelet with `--read-only-port` enabled?

  A. Unauthenticated clients can read sensitive pod information via the read-only port

    Correct. The kubelet read-only port (default 10255) serves metrics and pod information without authentication, allowing any network-accessible client to gather intelligence about running pods and nodes.

  B. etcd encryption is automatically disabled

    Incorrect. The read-only port does not affect etcd encryption settings.

  C. Pod specification files cannot be read by authorized users

    Incorrect. The read-only port allows authorized reading, but the security issue is lack of authentication.

  D. Container logs are not encrypted in transit

    Incorrect. The read-only port does not directly relate to log encryption.

Kubernetes Cluster Component Security

Q2. Which of the following is a key advantage of RBAC over ABAC in Kubernetes?

  A. RBAC does not require authentication

    Incorrect. Both RBAC and ABAC operate after authentication.

  B. ABAC is the default authorization mode in modern Kubernetes versions

    Incorrect. RBAC is the standard; ABAC is rarely used in production due to complexity.

  C. RBAC is simpler to understand and manage because it groups permissions into predefined roles

    Correct. RBAC abstracts permissions into reusable roles (ClusterRole, Role) and bindings, making policies easier to understand and maintain at scale compared to ABAC's attribute-based matching.

  D. ABAC provides better performance than RBAC

    Incorrect. Performance differences between RBAC and ABAC are negligible; RBAC is favored for manageability.

Kubernetes Cluster Component Security

Q3. What is the purpose of kubelet client certificate authentication?

  A. To sign container images in the registry

    Incorrect. Certificate authentication for kubelets does not sign container images.

  B. To encrypt data stored in etcd

    Incorrect. Kubelet client certificates do not encrypt etcd storage.

  C. To authenticate end users connecting to the Kubernetes cluster

    Incorrect. Kubelet certificates authenticate components to each other, not end users.

  D. To verify that API server requests to the kubelet come from legitimate cluster components

    Correct. Kubelet client certificate authentication ensures that only authorized components (like the API server) can communicate with the kubelet, preventing spoofed requests.

Kubernetes Cluster Component Security

Q4. You discover that etcd peers are communicating without mutual TLS authentication. What is the immediate security concern?

  A. All Secrets are automatically deleted

    Incorrect. Secrets are not automatically deleted due to communication encryption issues.

  B. The cluster data is exposed to man-in-the-middle attacks and unauthorized access to etcd data

    Correct. Without mutual TLS between etcd peers, attackers on the network can intercept cluster state data, potentially leading to compromise of all cluster resources.

  C. The API server becomes read-only

    Incorrect. While etcd unavailability would stop the cluster, unencrypted communication doesn't make the API server read-only.

  D. Pods cannot schedule on the affected nodes

    Incorrect. Etcd peer communication issues would affect the entire cluster, not pod scheduling individually.

Kubernetes Cluster Component Security

Q5. Which of the following best describes kube-proxy's role in cluster security?

  A. It encrypts all pod-to-pod communication

    Incorrect. kube-proxy does not encrypt pod-to-pod communication; that requires a service mesh or NetworkPolicies.

  B. It maintains network rules for routing traffic to Service endpoints

    Correct. kube-proxy creates and maintains network rules (via iptables, IPVS, or other mechanisms) to route traffic to Services, making it critical for proper network isolation and traffic control.

  C. It authenticates users and authorizes API requests

    Incorrect. Authentication and authorization are the API server's responsibility.

  D. It proxies external HTTP traffic to Services

    Incorrect. While kube-proxy is involved in routing, it is not specifically an HTTP proxy.

Kubernetes Cluster Component Security

Q6. A new worker node is joining your cluster without pre-provisioned kubelet client certificates. What does kubelet TLS bootstrapping provide?

  A. To encrypt the container runtime communication protocol

    Incorrect. Container runtime communication is configured separately from TLS bootstrapping.

  B. To allow kubelets to request client certificates from the API server without pre-provisioned credentials

    Correct. TLS bootstrapping allows new nodes to join the cluster securely by using a bootstrap token to request a client certificate from the CA, eliminating the need to pre-distribute credentials.

  C. To enable automatic cluster scaling based on resource utilization

    Incorrect. Cluster autoscaling uses different mechanisms than TLS bootstrapping.

  D. To authenticate users logging into worker nodes via SSH

    Incorrect. SSH authentication is a separate concern from kubelet certificate provisioning.

Kubernetes Cluster Component Security

Q7. What is a security implication of running the container runtime without proper access controls?

  A. The API server cannot authenticate Service accounts

    Incorrect. Container runtime access does not prevent API server authentication.

  B. Kubernetes Secrets are automatically exposed in pod logs

    Incorrect. Secrets exposure in logs is a separate concern from container runtime access.

  C. Unauthorized users can interact directly with the container runtime to run privileged containers or access host resources

    Correct. The container runtime is a critical security boundary. Unrestricted access allows bypassing Kubernetes security controls to run arbitrary containers with escalated privileges.

  D. etcd communication becomes unencrypted

    Incorrect. Container runtime access does not affect etcd encryption.

Kubernetes Cluster Component Security

Q8. A misconfigured kubelet is listening on port 10250 with client certificate authentication disabled. Which of the following is a realistic attack scenario?

  A. Attackers can read pod logs and execute commands inside containers via the kubelet API

    Correct. An unauthenticated kubelet API allows remote code execution, container escape, and data exfiltration from pods.

  B. Attackers can revoke user API server access tokens

    Incorrect. Token management is the responsibility of the API server, not the kubelet.

  C. Attackers can change the admission webhook URL

    Incorrect. Admission webhooks are configured in the API server, not the kubelet.

  D. Attackers can modify the control plane configuration

    Incorrect. The control plane configuration is protected by the API server, not the kubelet.

Kubernetes Cluster Component Security

Q9. How does setting proper kubelet authorization rules enhance cluster security?

  A. It prevents container images from being pulled from public registries

    Incorrect. Kubelet authorization does not control image registry access.

  B. It automatically encrypts all Secrets at the container runtime level

    Incorrect. Kubelet authorization does not handle Secret encryption.

  C. It disables all networking between pods

    Incorrect. Kubelet authorization does not control pod networking.

  D. It restricts which operations the kubelet can perform based on incoming requests

    Correct. Kubelet authorization enforces which API operations (like pod creation, log access, exec) are allowed, preventing privilege escalation and lateral movement.

Kubernetes Cluster Component Security

Q10. A security audit finds the read-only kubelet port (10255) exposed on worker nodes in a production cluster. What risk does this present?

  A. Disables all network policies on the node

    Incorrect. The read-only port does not affect network policy enforcement.

  B. Allows anyone to make changes to the kubelet configuration

    Incorrect. The read-only port does not permit modifications; it is read-only.

  C. Directly enables privilege escalation to root

    Incorrect. While reconnaissance can lead to privilege escalation, the port itself does not directly enable it.

  D. Provides read-only access to pod and node information without authentication, enabling reconnaissance for further attacks

    Correct. The unauthenticated read-only port exposes sensitive information like running pods, their configuration, and node details, which attackers can use for reconnaissance.

About these questions

These questions are written against the current KCSA curriculum — not scraped exam dumps. The full KCSA library here has 120 questions; the broader platform covers the rest of the Golden Kubestronaut path.