KCSA Kubernetes and Cloud Native Security Associate Practice Exam: 60 Questions

A) Code B) Container C) Cluster D) Cloud

Answer: D

Explanation: The 4C security model layers are Cloud (outermost) → Cluster → Container → Code (innermost). The Cloud layer covers IaaS infrastructure, network, and storage security. Each layer protects the inner layers; if an outer layer is compromised, inner layer security loses much of its value.

A) Focus on a single powerful security layer B) Implement multiple independent security layers so that if one fails, others still provide protection C) Focus all security at the external perimeter D) Meet all security requirements through encryption alone

Answer: B

Explanation: Defense in Depth implements multiple independent security controls (layers) so that if one control fails, others can still stop the attack. In Kubernetes, this means applying network policies, RBAC, Pod Security Standards, image scanning, and runtime security together.

A) Trust the internal network and only verify external requests B) "Never Trust, Always Verify" — authenticate all requests regardless of origin, grant minimum necessary permissions C) Trust all users connected via VPN D) Allow all traffic freely within the firewall

Answer: B

Explanation: Zero Trust operates on "Never Trust, Always Verify." Every request is authenticated and authorized regardless of network location (internal or external). Key components are least privilege, micro-segmentation, and continuous monitoring. In Kubernetes, RBAC, mTLS, and NetworkPolicy implement Zero Trust principles.

A) A unique identifier and public database for known software vulnerabilities B) A container image signing standard C) A Kubernetes security configuration framework D) A network vulnerability scanner tool

Answer: A

Explanation: CVE is a unique identifier assigned to publicly known software vulnerabilities (e.g., CVE-2024-XXXX). CVSS (Common Vulnerability Scoring System) measures severity on a 0.0–10.0 scale (Critical: 9.0–10.0, High: 7.0–8.9, Medium: 4.0–6.9, Low: 0.1–3.9). Container image scanning tools (Trivy, Grype) detect vulnerabilities based on CVE databases.

A) X.509 client certificates B) ServiceAccount tokens C) OIDC (OpenID Connect) D) MD5 password hash

Answer: D

Explanation: Supported Kubernetes API Server authentication mechanisms include X.509 certificates, Bearer Tokens (ServiceAccount), OIDC (Google, Dex, etc.), Webhook, and basic HTTP auth (deprecated). MD5 password hashes are not a Kubernetes authentication mechanism.

A) To improve etcd processing speed B) To prevent sensitive data like Secrets from being stored as plaintext in etcd C) To protect data during network transit D) To encrypt container images

Answer: B

Explanation: Kubernetes Secrets are by default stored in etcd with base64 encoding (not encryption). An attacker with direct access to etcd can read all Secret data. Enabling Encryption at Rest encrypts data written to etcd (especially Secrets) with AES-CBC or AES-GCM.

A) Anonymous auth makes the kubelet API accessible without authentication, creating a security risk B) Anonymous auth degrades performance C) Anonymous auth interferes with Pod scheduling D) Anonymous auth blocks communication with the Control Plane

Answer: A

Explanation: Kubelet serves an API on port 10250. With --anonymous-auth=true (default), unauthenticated requests are processed as the system:anonymous user. This can be exploited to list Pods, access logs, and execute commands on the node without authentication. Setting --anonymous-auth=false with Webhook authorization is recommended.

A) ClusterRole grants more powerful permissions B) Role applies only to resources within a specific Namespace; ClusterRole applies cluster-wide or to cluster-scoped resources C) ClusterRole can only be bound to ServiceAccounts D) Role can be used in all Namespaces

Answer: B

Explanation: A Role defines permissions for resources within a specific Namespace and is applied via RoleBinding. A ClusterRole defines permissions for cluster-wide or cluster-scoped resources (Nodes, PersistentVolumes) and is applied via ClusterRoleBinding. A ClusterRole can also be scoped to a specific Namespace using a RoleBinding.

A) Adding users to the cluster B) A plugin that validates or modifies API requests before they are stored in etcd C) Managing container runtimes D) Monitoring network traffic

Answer: B

Explanation: Admission Controllers are plugins that run in kube-apiserver after authentication/authorization but before etcd persistence. Validating Admission Webhooks validate requests (can reject them), and Mutating Admission Webhooks modify requests (inject defaults, sidecar injection, etc.). OPA Gatekeeper and Kyverno leverage this mechanism.

A) runAsNonRoot: true B) allowPrivilegeEscalation: false C) privileged: true D) seccompProfile configuration

Answer: C

Explanation: The Restricted profile is the most stringent Pod Security Standard. It requires runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true (strongly recommended), seccompProfile configuration, and prohibits host namespace usage. privileged: true is only permitted in the Privileged profile and is explicitly forbidden in Restricted.

A) Disable networking options in kube-apiserver B) Create a NetworkPolicy with an empty podSelector that blocks all traffic C) Configure firewall rules on each node D) Disable networking in containerd configuration

Answer: B

Explanation: To implement Default Deny with Kubernetes NetworkPolicy, apply a NetworkPolicy with an empty podSelector: {} (matches all Pods) and empty ingress: [] (blocks all ingress) to a Namespace. A separate Default Deny for Egress can also be created. Then add additional NetworkPolicies to allow only the required traffic.

A) Secrets are completely secure and require no additional measures B) Secrets are only base64-encoded by default; etcd encryption + external secret management (Vault, ESO) is recommended C) Creating more Secrets enhances security D) Secrets are always more secure than ConfigMaps

Answer: B

Explanation: Kubernetes Secret security issues: 1) Stored in etcd with base64 encoding (not encryption), 2) Accessible to all users in the Namespace without RBAC, 3) Risk of exposure via logs or environment variable printing. Mitigations: Enable etcd Encryption at Rest, apply RBAC least privilege, use HashiCorp Vault / External Secrets Operator (ESO) / Sealed Secrets.

A) Restricts the container to read-only operations B) Makes the container's root filesystem read-only, preventing file modification at runtime C) Blocks container image downloads D) Mounts Secret files as read-only

Answer: B

Explanation: readOnlyRootFilesystem: true sets the container's root filesystem to read-only. Even if an attacker compromises the container, they cannot write malware or modify configuration on the filesystem. If write access is needed for specific paths, mount an emptyDir volume at those locations.

A) Grant cluster-admin ClusterRole to all Pods B) Set automountServiceAccountToken: false and explicitly grant only required permissions C) Share a single ServiceAccount across all Pods D) Avoid using ServiceAccounts altogether

Answer: B

Explanation: Applying least privilege: 1) Set automountServiceAccountToken: false for Pods that don't need Kubernetes API access, 2) Create a dedicated ServiceAccount per application, 3) Define granular RBAC Roles permitting only the required resources/verbs, 4) Minimize use of the default ServiceAccount.

A) Security, Threats, Risk, Identity, Defense, Encryption B) Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege C) System, Technology, Runtime, Infrastructure, Development, Environment D) Scanning, Testing, Review, Inspection, Detection, Enforcement

Answer: B

Explanation: STRIDE is Microsoft's threat modeling framework: Spoofing (identity impersonation), Tampering (data modification), Repudiation (denial of actions), Information Disclosure (data leakage), Denial of Service (disrupting availability), Elevation of Privilege (gaining unauthorized access). Kubernetes security designs controls against each threat category.

A) runAsNonRoot: true B) privileged: true C) readOnlyRootFilesystem: true D) allowPrivilegeEscalation: false

Answer: B

Explanation: privileged: true grants the container nearly the same permissions as the host node. Such containers can access all host devices, load kernel modules, and modify network configuration, making it possible to escape the container boundary and take over the host node. This setting is prohibited by Pod Security Standards at Baseline level and above.

A) API server exposure only affects performance B) If authentication is weak, attackers can take full control of the cluster C) The API server should always be publicly exposed D) API server exposure has no security implications

Answer: B

Explanation: kube-apiserver is the central control point for the cluster. A public API server combined with weak authentication allows attackers to deploy malicious Pods, manipulate RBAC, steal Secrets, and take over nodes. Attacks scanning for exposed Kubernetes API servers are common. At minimum, the API server should be protected with IP allowlisting and strong authentication.

A) Container image vulnerability scanning B) Runtime security — detecting anomalous container behavior at the system call level in real time C) Automatically generating Kubernetes network policies D) Automatically configuring RBAC permissions

Answer: B

Explanation: Falco is a CNCF graduated project that monitors system calls in real time via Linux kernel eBPF/kernel modules. It uses rule-based detection to alert on anomalous behavior (unauthorized network connections, sensitive file access, shell execution, etc.). Unlike image scanning (static analysis), Falco monitors actual runtime behavior.

A) A tool for calculating software licensing costs B) A list of all components, libraries, and dependencies that make up a piece of software — used for vulnerability identification and compliance C) A container image build automation tool D) A policy engine for controlling code deployment

Answer: B

Explanation: An SBOM (Software Bill of Materials) lists all components, libraries, dependencies, and their versions in a software package. When a CVE vulnerability is discovered, the SBOM quickly identifies which software is affected and verifies open-source license compliance. SPDX and CycloneDX are the major SBOM formats.

A) Container runtime security monitoring B) Signing and verifying container images and software artifacts — supply chain security C) Kubernetes cluster vulnerability scanning D) Network traffic encryption

Answer: B

Explanation: Sigstore is a Linux Foundation project consisting of Cosign (image signing/verification), Fulcio (code signing certificate issuance), and Rekor (transparent signature log). Developers sign container images and software artifacts; signatures are verified at deploy time to prevent supply chain attacks (image tampering). Admission Controllers can be configured to allow only signed images.

A) Kubernetes cluster configuration monitoring B) Scanning container images, filesystems, and Git repositories for CVE vulnerabilities, secrets, and IaC misconfigurations C) Monitoring system calls at runtime D) Managing service mesh mTLS

Answer: B

Explanation: Trivy is an open-source vulnerability scanner developed by Aqua Security. It detects CVE vulnerabilities, exposed secrets, and Dockerfile/IaC misconfigurations in container images, filesystems, Git repositories, and Kubernetes clusters. Integrating Trivy into CI/CD pipelines enables blocking vulnerable image deployments at build time.

A) Container image signature verification B) Mutual authentication and encryption between services — both sides prove identity with certificates C) Load balancing traffic between Pods D) Encrypting database connections

Answer: B

Explanation: mTLS (mutual TLS) differs from standard TLS in that both client and server prove their identity with certificates. Service meshes (Istio, Linkerd) automatically apply mTLS to all inter-service communication, preventing eavesdropping and Man-in-the-Middle (MITM) attacks on the internal network. It is a key component of Zero Trust networking.

A) To manage Kubernetes cluster deployments B) Centralized secret management — dynamic secret generation, automatic expiration, and audit logging C) To use as a container image registry D) To manage Kubernetes network policies

Answer: B

Explanation: HashiCorp Vault is an enterprise-grade secret management solution. When integrated with Kubernetes: dynamically generated database credentials (temporary credentials issued per request), automatic expiration/renewal, access logging, and strong encryption. Vault Agent or External Secrets Operator (ESO) synchronizes Vault secrets into Kubernetes Secrets.

A) Permanently deletes Secrets from the filesystem B) Encrypts Secrets with a public key into a SealedSecret object safe for Git storage; only the cluster controller can decrypt it C) Backs up Secrets to an external server D) Replicates Secrets across multiple Namespaces

Answer: B

Explanation: Sealed Secrets is a Bitnami tool. The kubeseal CLI uses the cluster's public key to encrypt a Secret into a SealedSecret object, which can be safely stored in Git. Only the Sealed Secrets controller in the cluster can decrypt it using the private key. This works well with GitOps workflows.

A) A study guide for Kubernetes certification exams B) Providing security configuration best practices and hardening guidelines for Kubernetes clusters C) Kubernetes cost optimization per cloud provider D) Kubernetes performance benchmarking

Answer: B

Explanation: The CIS Kubernetes Benchmark provides security configuration guidelines developed by the Center for Internet Security. It covers hundreds of security recommendations for API server settings, etcd security, kubelet configuration, RBAC, and logging. The kube-bench tool can automatically assess whether a cluster meets CIS standards.

A) Automating Kubernetes cluster deployments B) Policy as Code — enforcing policies on Kubernetes resource creation/modification via Admission Controller C) Detecting container runtime vulnerabilities D) Managing service mesh configuration

Answer: B

Explanation: OPA (Open Policy Agent) Gatekeeper is a CNCF graduated project that enforces policies via Kubernetes Admission Webhooks. Policies written in Rego language (as ConstraintTemplate + Constraint) can declaratively define and automatically enforce rules like "prohibit privileged containers," "allow only latest images," or "require specific labels."

A) Kyverno supports more complex policies B) Kyverno writes policies in YAML (Kubernetes-native); OPA Gatekeeper uses Rego language C) OPA Gatekeeper is only specialized for Kubernetes D) Both tools provide identical functionality

Answer: B

Explanation: Kyverno is a Kubernetes-native policy engine that uses YAML for policies, making it familiar to Kubernetes users. It supports Validate, Mutate, and Generate policy types. OPA Gatekeeper integrates the general-purpose OPA policy engine into Kubernetes using Rego language, which allows more complex logical expressions but has a steeper learning curve.

A) Container image signing and verification (Sigstore/Cosign) B) Using only trusted base images C) Vulnerability scanning in CI/CD pipelines D) Setting higher resource limits on Pods

Answer: D

Explanation: Supply chain security methods: image signing and verification (Cosign), using trusted-source base images, CI/CD vulnerability scanning with Trivy/Grype, generating SBOMs, using private container registries, allowing only signed images via Admission Controllers. Setting resource limits relates to performance/availability, not supply chain security.

A) Ingress: traffic entering the cluster; Egress: traffic leaving the cluster B) Ingress: controls traffic entering a Pod; Egress: controls traffic leaving a Pod C) Ingress: controls HTTP traffic only; Egress: controls TCP traffic only D) Ingress and Egress are identical rules

Answer: B

Explanation: In NetworkPolicy, ingress rules specify allowed sources (Pods, Namespaces, IP blocks) for traffic entering a specific Pod. egress rules specify allowed destinations for traffic leaving a specific Pod. Using both enables fine-grained bidirectional traffic control to implement micro-segmentation.

A) Permission to delete a resource B) Permission to stream resource changes in real time (subscribe to updates) C) Permission to modify a resource D) Permission to list resources

Answer: B

Explanation: Key Kubernetes RBAC verbs: get (retrieve a single resource), list (retrieve a list), watch (stream changes in real time), create, update (full modification), patch (partial modification), delete. watch is used by controllers to detect resource changes in real time. Under least privilege, unnecessary watch permissions should be avoided.

A) enforce, audit, warn — enforce blocks Pod creation on violation; audit and warn only log/warn B) allow, deny, monitor C) strict, normal, permissive D) active, passive, silent

Answer: A

Explanation: PSA (Pod Security Admission) supports 3 modes: enforce (block Pod creation on policy violation), audit (record violations in audit logs, allow creation), warn (return user warnings, allow creation). They are configured via Namespace labels (e.g., pod-security.kubernetes.io/enforce: restricted).

A) Set all Services to ClusterIP type B) Set --anonymous-auth=false on the API server C) Block all external traffic with NetworkPolicy D) Configure PodDisruptionBudgets on Pods

Answer: B

Explanation: Setting --anonymous-auth=false on kube-apiserver prevents unauthenticated requests from being processed as system:anonymous. Removing permissions granted to system:anonymous and system:unauthenticated groups via RBAC should also be done. The CIS Kubernetes Benchmark recommends this setting.

A) Use minimal base images (Alpine, Distroless) B) Avoid running as root in the image C) Include an SSH server in the image D) Use multi-stage builds to exclude build tools

Answer: C

Explanation: Container image security best practices: minimal base images (reduce attack surface), run as non-root, multi-stage builds to exclude build tools, vulnerability scanning, image signing. Including an SSH server in a container image is bad practice. For debugging, use kubectl exec or ephemeral containers instead.

A) SOC2 defines Kubernetes performance standards B) Cloud native applications handling card payment data must meet SOC2 requirements; Kubernetes cluster security contributes to SOC2 compliance C) SOC2 is a Kubernetes-specific security standard D) Kubernetes must be used to comply with SOC2

Answer: B

Explanation: SOC2 is a security standard for service providers developed by the AICPA, based on five Trust Service Criteria (TSC) principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Implementing Kubernetes security controls (RBAC, audit logging, network policies, encryption) contributes to meeting SOC2 requirements.

A) Collecting container stdout/stderr logs B) Recording who requested what on the API server, when, and with what result C) Recording node system resource usage D) Recording network traffic between containers

Answer: B

Explanation: Kubernetes Audit Logging records all requests made to kube-apiserver. A policy file sets the recording level (None, Metadata, Request, RequestResponse). It is essential for security incident investigation, detecting abnormal API activity, and proving compliance. Logs include requester (user), timestamp, target resource, HTTP method, and response code.

A) The container cannot run as root B) Container processes cannot gain more privileges than their parent (prevents setuid/setgid) C) The container cannot use host networking D) The container cannot communicate with other containers

Answer: B

Explanation: allowPrivilegeEscalation: false prevents container processes from gaining more privileges than their parent process (blocking setuid/setgid binary execution). For example, it blocks privilege escalation via setuid binaries like sudo and passwd. This setting is required in the Restricted Pod Security Standard.

A) Plaintext HTTP communication B) TLS certificate-based communication — TLS encryption between each component (kube-apiserver, kubelet, etc.) C) SSH tunneling only D) Direct internet communication without VPN

Answer: B

Explanation: Communication between Kubernetes components is encrypted with TLS: kube-apiserver ↔ etcd, kube-apiserver ↔ kubelet, Control Plane ↔ Worker Nodes. Each component uses certificates signed by the cluster CA (Certificate Authority). Setting up a cluster with kubeadm automatically configures this PKI infrastructure.

A) PCI-DSS does not apply to cloud environments B) Cloud native applications that process card payment data must comply with PCI-DSS requirements C) PCI-DSS is a Kubernetes-specific standard D) PCI-DSS only applies to internet traffic

Answer: B

Explanation: PCI-DSS (Payment Card Industry Data Security Standard) applies to all organizations that process, store, or transmit credit card data. Cloud native environments handling card data must also comply with PCI-DSS. Kubernetes security controls (encryption, access control, audit logging, network segmentation) contribute to meeting PCI-DSS requirements.

A) Use private registries B) Automate image vulnerability scanning C) Use any public internet image without validation D) Sign and verify images

Answer: C

Explanation: Container Registry security best practices: use private registries (minimize external dependencies), automated vulnerability scanning, image signing and verification (Cosign), registry access control (RBAC), old image cleanup policies. Using unverified public internet images risks supply chain attacks and running malicious images.

A) Degrades Pod performance B) Allows direct access to the node's filesystem, enabling manipulation of the host or access to sensitive files (kubelet config, secrets) C) HostPath is a completely safe volume type D) Pods using HostPath cannot be restarted

Answer: B

Explanation: HostPath volumes directly mount a path on the node's filesystem into a container. A malicious or compromised container can access or modify sensitive paths like /etc, /var/lib/kubelet, and /proc via HostPath, enabling container escape and host takeover. The Restricted Pod Security Standard prohibits HostPath volumes.

A) Synchronizes Kubernetes Secrets to an external database B) Synchronizes secrets from external secret management systems (Vault, AWS Secrets Manager, etc.) into Kubernetes Secrets C) Connects Kubernetes clusters to external clusters D) Manages external user access to the Kubernetes API

Answer: B

Explanation: External Secrets Operator (ESO) integrates Kubernetes with various external secret management systems: AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Azure Key Vault, and more. ExternalSecret objects reference external secrets, and ESO automatically synchronizes and renews them as Kubernetes Secrets.

A) Flannel B) Cilium (eBPF-based, L7 NetworkPolicy, encryption support) C) Bridge D) Host networking

Answer: B

Explanation: Cilium is an eBPF-based high-performance network plugin that provides not only standard NetworkPolicy but also L7 (HTTP path, method) policies, inter-node encryption (WireGuard/IPSec), and network traffic visibility (Hubble). Calico also supports NetworkPolicy and encryption. Flannel only provides basic L3 networking.

A) Token expiration limits are for performance improvements B) Even if a token is stolen, a short validity period limits the time an attacker can use it C) Kubernetes does not support token expiration D) Token expiration time has no relation to security

Answer: B

Explanation: If a ServiceAccount token is stolen, an attacker can use it to access the API server. Short expiration times minimize the usefulness of stolen tokens. Kubernetes 1.22+ automatically uses bound tokens with expiration via Projected ServiceAccount Tokens. Using the TokenRequest API for short-lived tokens is best practice.

A) Install different CNI plugins per Namespace B) Use NetworkPolicy to block traffic from Pods in other Namespaces C) Deleting a Namespace automatically blocks its traffic D) Isolate Namespaces via kube-apiserver settings

Answer: B

Explanation: By default, Kubernetes allows cross-Namespace traffic. NetworkPolicy can use namespaceSelector to allow traffic only from specific Namespaces or block all cross-Namespace traffic. Implement a Default Deny with podSelector: {} (all Pods) and empty ingress rules, then add policies to allow only required traffic.

A) Plan, Design, Build, Test, Deploy B) Identify, Protect, Detect, Respond, Recover C) Scan, Patch, Monitor, Alert, Fix D) Authenticate, Authorize, Encrypt, Log, Review

Answer: B

Explanation: NIST CSF five functions: Identify (asset and risk identification), Protect (implement protective controls), Detect (detect security events), Respond (incident response), Recover (recovery). In Kubernetes security, this framework guides systematic security strategy development.

A) Secrets injected as environment variables are automatically encrypted B) Environment variables risk exposure via process dumps, log output, or kubectl describe C) Injecting as environment variables automatically deletes the Secret D) Environment variable injection is always more secure than volume mounts

Answer: B

Explanation: Risks of environment variable Secret injection: 1) Exposed in kubectl describe pod output, 2) May be included in application error logs, 3) Exposed in process memory dumps. Volume mount (file) approach is more secure. Mounting on tmpfs prevents writing to disk. Also, Secret changes auto-update with volume mounts but require Pod restart for environment variables.

A) Grant root permissions to all containers B) Grant only the minimum required Linux capabilities and remove unnecessary ones C) Run all containers in privileged mode D) Grant ClusterAdmin role to all ServiceAccounts

Answer: B

Explanation: Least privilege for containers means using Linux capabilities to grant only what's needed. For example, a web server only needs NET_BIND_SERVICE (binding ports below 1024). The best practice is to securityContext.capabilities.drop: ["ALL"] (drop all) and then add only what's needed. The Restricted PSS requires all capabilities to be dropped by default.

A) Never update the image B) Pull the latest image from the registry each time, preventing use of a tampered local cache C) Disables image downloads D) Shares images between nodes

Answer: B

Explanation: ImagePullPolicy: Always downloads the image from the registry every time a Pod starts. From a security perspective, it prevents the use of tampered locally cached images. Using a specific digest (SHA256) instead of the latest tag provides even stronger image integrity guarantees. However, if the registry fails, Pod startup will fail.

A) Controls network traffic between Pods B) Guarantees minimum Pod availability during voluntary disruptions (node drain, upgrades) C) Defines Pod security policies D) Limits resource usage

Answer: B

Explanation: PodDisruptionBudget (PDB) limits how many Pods can be simultaneously disrupted during voluntary disruptions. Configured with minAvailable (minimum available Pods) or maxUnavailable (maximum unavailable Pods). Ensures service availability during node drains, cluster upgrades, and automated Pod restarts.

A) etcd storage → Authentication → Authorization → Admission Control B) Authentication → Authorization → Mutating Admission → Validating Admission → etcd storage C) Admission Control → Authentication → Authorization → etcd storage D) Authorization → Authentication → etcd storage → Admission Control

Answer: B

Explanation: API request processing order: 1) Authentication (who are you?), 2) Authorization (what can you do? RBAC), 3) Mutating Admission Webhooks (modify request), 4) Object Schema Validation, 5) Validating Admission Webhooks (validate request), 6) etcd storage. Mutating runs before Validating to validate the final state after modifications.

A) They are automatically issued by kubectl B) Via the CertificateSigningRequest (CSR) API, issuing certificates signed by the cluster CA C) Only obtainable from an external Certificate Authority D) ServiceAccount tokens make certificates unnecessary

Answer: B

Explanation: Kubernetes supports user X.509 certificate issuance via CertificateSigningRequest (CSR) objects. The user generates a private key and CSR; the cluster admin approves it with kubectl certificate approve; and the cluster CA issues the signed certificate. This certificate is added to kubeconfig for use.

A) Limits container CPU usage B) Restricts the Linux system calls a container process can make, reducing the attack surface C) Encrypts communication between containers D) Verifies container image signatures

Answer: B

Explanation: seccomp (Secure Computing Mode) controls which Linux system calls a process can use via whitelist/blacklist. Setting seccompProfile: RuntimeDefault on a container allows only safe system calls and blocks dangerous ones. The Restricted PSS requires a seccomp profile. Along with AppArmor, it is a key container runtime security mechanism.

A) Creating a NetworkPolicy object automatically applies it B) A CNI plugin (Calico, Cilium, etc.) that enforces NetworkPolicy must be installed C) kube-proxy automatically handles NetworkPolicy D) An Ingress Controller installation is required

Answer: B

Explanation: A Kubernetes NetworkPolicy object defines the policy as an API resource. However, the actual network rules are enforced by the CNI (Container Network Interface) plugin. NetworkPolicy-supporting CNIs: Calico, Cilium, Antrea, WeaveNet. Non-supporting CNIs: Flannel (by default). Without a supporting CNI, NetworkPolicy objects have no effect.

A) Runs the container as UID 0 (root), increasing container escape risk B) Runs the container as the minimum privilege user C) Blocks the container from starting D) Has no impact on security

Answer: A

Explanation: runAsUser: 0 runs the container as UID 0 (root). If a container escape vulnerability is present, a root-running container has a much higher risk of gaining root access to the host node. Always use runAsNonRoot: true and runAsUser: 1000 or higher. The Restricted PSS prohibits running as root.

A) None B) Metadata C) Request D) RequestResponse

Answer: D

Explanation: Kubernetes Audit Log levels: None (no recording), Metadata (only records requester, timestamp, resource, verb), Request (metadata + request body), RequestResponse (metadata + request body + response body). RequestResponse is the most detailed but significantly increases log volume. Secret-related APIs should be logged at least at the Metadata level.

A) Degrades Pod network performance B) Allows the Pod to directly access the node's network interface, enabling eavesdropping or modification of all node network traffic C) Automatically strengthens network policies D) Has no security risk

Answer: B

Explanation: hostNetwork: true runs the Pod in the node's network namespace. The Pod can directly access all network interfaces on the node, enabling node network traffic eavesdropping, port conflicts, and network configuration changes. Should only be used for system-level Pods (CNI, etc.). Prohibited in the Restricted PSS.

A) Grant secrets: ["*"] permission to all users B) Explicitly name the specific Secrets the application needs and grant only get permission C) Grant a ClusterRole allowing list of Secrets in all Namespaces D) Grant cluster-admin permission to ServiceAccounts

Answer: B

Explanation: Least privilege for Secret RBAC: use resourceNames to specify specific Secret names and grant only get or watch on those Secrets. The list and watch verbs on all Secrets are risky. Use Namespace-level Roles to restrict cluster-wide access.

A) To increase build speed B) To detect and block vulnerable images early before they are deployed to production C) To reduce container image size D) To automate Kubernetes cluster configuration

Answer: B

Explanation: Integrating image vulnerability scanning (Trivy, Grype, Snyk, etc.) into CI/CD pipelines realizes "Shift Left Security." Detecting vulnerabilities early in the development cycle means lower fix costs and significantly reduces the risk of production breaches. CVSS score thresholds can automatically block builds with High/Critical vulnerabilities.

A) New versions only improve performance B) New versions include patches for known CVE security vulnerabilities C) Upgrades are unrelated to security D) Upgrades always weaken security

Answer: B

Explanation: Kubernetes regularly releases new versions that include security patches. Outdated Kubernetes clusters are exposed to known CVE vulnerabilities. Kubernetes's support policy only provides maintenance patches for the latest three minor versions. Keeping the cluster on a supported version is a security fundamental.

A) Commit the kubeconfig file to a Git repository B) Restrict file permissions (chmod 600), use encrypted storage, use least-privilege kubeconfigs C) Share the same admin kubeconfig across all team members D) kubeconfig files pose no security risk

Answer: B

Explanation: kubeconfig contains cluster access credentials; especially cluster-admin kubeconfig is highly sensitive. Security best practices: chmod 600 ~/.kube/config (owner read/write only), never commit to Git (add to .gitignore), issue each team member a least-privilege kubeconfig, regularly audit credential expiration. Individual service accounts are preferred over shared team accounts.