[Golden Kubestronaut] KCSA Extra 30 Practice Questions - Advanced Cloud Native Security

Answer: B) Defines security levels to ensure the integrity of the software supply chain

SLSA is a security framework designed to prevent software supply chain attacks, defining security levels from Build Level 0 to Level 3. It requires provenance tracking of build processes, tamper prevention, and isolated build environments.

Answer: D) Falco - runtime threat detection

Sigstore consists of Cosign (image/artifact signing), Fulcio (short-lived certificate issuance for keyless signing), and Rekor (signature transparency log). Falco is a runtime security tool and a separate CNCF project.

Answer: B) The entire software supply chain process through layouts and links for step-by-step verification

in-toto protects the entire software supply chain process. Layouts define the expected steps of the supply chain, and link metadata records the actual execution of each step to detect tampering.

Answer: B) Real-time monitoring of system calls through eBPF or kernel modules

Falco uses eBPF probes or kernel modules to monitor system calls in real-time and detects abnormal behavior (e.g., unexpected shell execution, sensitive file access) based on YAML-based rules.

Answer: B) Applies security policies at the kernel level using eBPF and can immediately terminate processes

Tetragon is an eBPF-based security observability and runtime enforcement tool from the Cilium project. Unlike Falco, which focuses on detection, Tetragon can directly kill processes at the kernel level, providing runtime enforcement capabilities.

Answer: B) Verify every request regardless of network location and grant least privilege

The Zero Trust model follows the principle of "Never Trust, Always Verify." It requires authentication, authorization, and encryption for all requests even within the network perimeter, applying the principle of least privilege.

Answer: B) Assigns unified IDs (SPIFFE IDs) to workloads and authenticates through SVIDs

SPIFFE is a standard that assigns platform-independent IDs (in spiffe://trust-domain/path format) to workloads. SPIRE is the reference implementation that issues X.509 SVIDs or JWT SVIDs, enabling mTLS authentication between workloads.

Answer: B) Kubernetes Auth Method (ServiceAccount token-based)

Vault's Kubernetes Auth Method uses the Pod's ServiceAccount token to authenticate with Vault. Secrets can be injected into Pods via the Vault Agent Injector or CSI Provider, enabling dynamic secret management.

Answer: B) Using OIDC-based identity to sign with short-lived certificates without long-term key management

Keyless Signing obtains a short-lived signing certificate from Fulcio CA through OIDC authentication (e.g., Google, GitHub), signs the artifact, and records it in the Rekor transparency log. This eliminates the need for long-term private key management.

Answer: B) A standard tool for signing and verifying OCI artifacts

Notation is a CLI tool and library for signing and verifying OCI images and artifacts. It supports a plugin extension model and can integrate with KMS services like Azure Key Vault and AWS Signer.

Answer: B) Provides a list of all components (libraries, dependencies) included in software to support vulnerability management

SBOM is a "bill of materials" for software that documents all included components and their versions. When new CVEs are discovered, SBOMs enable rapid identification of affected software.

Answer: B) Both are SBOM format standards

CycloneDX (OWASP) and SPDX (Linux Foundation) are both standard formats for creating SBOMs. SPDX focuses on license compliance, while CycloneDX is optimized for security and vulnerability analysis.

Answer: A) Mutating -> Validating -> Object Persistence

After authentication and authorization, Kubernetes API requests first pass through MutatingAdmissionWebhooks to modify resources, then ValidatingAdmissionWebhooks for validation, and finally are persisted to etcd.

Answer: B) Defines policies in YAML, providing mutation and generation capabilities in addition to validation

Kyverno is a Kubernetes-native policy engine that defines policies in YAML and CEL. It supports validate, mutate, generate, and verifyImages rule types.

Answer: C) Rego

OPA is a general-purpose policy engine that uses Rego, a declarative query language, to define policies. Gatekeeper integrates OPA with Kubernetes, with policy logic written in Rego within ConstraintTemplates.

Answer: B) Privileged, Baseline, Restricted

Pod Security Standards define three levels: Privileged (unrestricted), Baseline (minimal restrictions to prevent known privilege escalation), and Restricted (maximum security applying Pod hardening best practices).

Answer: B) enforce, audit, warn

Pod Security Admission supports three modes: enforce (reject violations), audit (record violations in audit logs), and warn (display warning messages for violations). They are applied via namespace labels.

Answer: B) Complex usage, confusing RBAC bindings, and unpredictable scope of application

PSP had unintuitive binding mechanisms through RBAC, and it was difficult to predict which PSP applied to which Pod. It was removed in Kubernetes 1.25, replaced by Pod Security Admission, Kyverno, and OPA/Gatekeeper.

Answer: B) Without NetworkPolicy, all traffic is allowed; once applied, only explicitly allowed traffic passes

By default, Kubernetes allows all Pod-to-Pod communication. When NetworkPolicy is applied, only explicitly allowed ingress/egress traffic passes for selected Pods. Note that the CNI plugin must support NetworkPolicy.

Answer: B) Only Base64-encoded in etcd by default; EncryptionConfiguration must be configured separately for encryption

Kubernetes Secrets are stored Base64-encoded in etcd by default. This is not encryption, so anyone with etcd access can read the secrets. For encryption at rest, configure EncryptionConfiguration or use a KMS provider.

Answer: D) Helm

Trivy (Aqua Security), Grype (Anchore), and Clair (Quay) are all container image vulnerability scanning tools. Helm is a Kubernetes package manager unrelated to security scanning.

Answer: B) Create Roles containing only necessary resources and verbs, and use minimum-scope RoleBindings

The principle of least privilege means granting only the minimum necessary permissions. Create Roles that allow only specific verbs on specific resources and apply them with namespace-scoped RoleBindings. Avoid wildcard usage and cluster-admin abuse.

Answer: B) Both server and client authenticate each other with certificates and encrypt communication

mTLS (mutual TLS) performs bidirectional authentication where both server and client present certificates. Service meshes like Istio and Linkerd automatically apply mTLS between services through sidecar proxies.

Answer: D) RequestResponse

Kubernetes audit logging supports four levels: None (no logging), Metadata (request metadata only), Request (metadata + request body), and RequestResponse (metadata + request + response body). RequestResponse is the most detailed.

Answer: C) networkPolicy

Pod SecurityContext can configure runAsUser, runAsNonRoot, runAsGroup, fsGroup, supplementalGroups, sysctls, and seccompProfile. NetworkPolicy is a separate Kubernetes resource unrelated to SecurityContext.

Answer: B) Filters system calls that a container can use

Seccomp (Secure Computing Mode) filters the system calls a process can make using allow lists or block lists. In Kubernetes, you can apply RuntimeDefault or custom profiles through seccompProfile.

Answer: B) Apply policies through Admission Controllers (Kyverno, OPA) to only allow signed images

Kyverno's verifyImages rules or OPA/Gatekeeper's ConstraintTemplates can enforce that only images with verified cosign or Notation signatures are deployed. This is a key element of supply chain security.

Answer: B) Auto-mounted permanent tokens are no longer created; short-lived tokens via TokenRequest API are recommended

Since Kubernetes 1.24, Secrets are no longer automatically created with ServiceAccounts. Instead, time-limited short-lived tokens issued through the TokenRequest API are recommended, enhancing security.

Answer: B) Reduce container escape risk by not sharing the kernel or adding extra isolation layers

gVisor provides a user-space kernel (application kernel) that intercepts direct system calls to the host kernel. Kata Containers run containers inside lightweight VMs for hardware-level isolation. Both are selected through RuntimeClass.

Answer: D) Running all workloads as root with privileged mode

Defense in Depth layers multiple security controls so that if one layer fails, others provide protection. It combines image security, network security, access control, and runtime security. Running as root with privileged mode contradicts security best practices.