Kubernetes and Cloud Native Security Associate Questions and Answers

200 questions organized by topic with detailed explanations

Linux Foundation
KCSA
200 questions
6 topics
Updated May 2026

Overview of Cloud Native Security

28 questions8 easy13 medium7 hard~14% of exam
View All
In a multi-tenant cluster, an image has already been pulled onto a node once. The security team wants every new Pod star...A security instructor explains the 4Cs model for cloud native security. Which layer is the outermost layer in that model...A Pod in namespace payments must pull from a private registry. Where must the referenced imagePullSecret exist for the P...

Kubernetes Cluster Component Security

43 questions12 easy21 medium10 hard~22% of exam
View All
A security administrator must allow API server to kubelet communication across an untrusted network and wants the API se...Traffic sent to a ClusterIP Service must be forwarded to the correct backend Pod on each node. Which component typically...A node is upgraded to Kubernetes v1.26+, but the container runtime on that node still lacks support for CRI v1. What sho...

Kubernetes Security Fundamentals

45 questions12 easy21 medium12 hard~22% of exam
View All
An audit policy contains several rules that could match the same API request. Which rule determines the audit level that...A namespace has a default deny egress NetworkPolicy and applications suddenly cannot resolve DNS names. What is the most...A developer needs to store confidential API credentials for a workload. Which Kubernetes object is designed for that pur...

Kubernetes Threat Model

32 questions7 easy16 medium9 hard~16% of exam
View All
A security reviewer sees that a user has get access on nodes/proxy. Why is this more dangerous than it first appears?Why is granting permission to create Pods or workload resources in a namespace considered a privilege-escalation risk?In normal Kubernetes operation, which control plane component do nodes and Pods talk to remotely when using the cluster ...

Platform Security

32 questions8 easy16 medium8 hard~16% of exam
View All
A platform team wants a serverless layer for stateless HTTP workloads on Kubernetes that can automatically scale down to...Which certificate relationship is used when the API server authenticates to etcd?Which Prometheus ecosystem component handles alert deduplication, grouping, routing, silences, and inhibition?

Compliance and Security Frameworks

20 questions5 easy13 medium2 hard~10% of exam
View All
Which Tekton resource instantiates a Pipeline for execution with specific inputs, outputs, and execution parameters?What is Falco primarily observing when it performs runtime detection on Linux systems?Which CNCF project is designed to provide runtime security detection across hosts, containers, Kubernetes, and cloud env...

All Questions

#QuestionTopicDifficulty
1A platform team wants a serverless layer for stateless HTTP workloads on Kubernetes that can automat...Platform Security
medium
2Which certificate relationship is used when the API server authenticates to etcd?Platform Security
medium
3In a multi-tenant cluster, an image has already been pulled onto a node once. The security team want...Overview of Cloud Native Security
hard
4Which Tekton resource instantiates a Pipeline for execution with specific inputs, outputs, and execu...Compliance and Security Frameworks
easy
5A security reviewer sees that a user has get access on nodes/proxy. Why is this more dangerous than ...Kubernetes Threat Model
hard

Sign in to see all 200 questions

Create a free account to browse all questions — completely free during our launch phase.

Sign Up FreeSign In

Ready to test your knowledge?

Take a full Kubernetes and Cloud Native Security Associate practice test with timed exam simulation.

Start Practice Test