KCSA Kubernetes and Cloud Native Security Associate (KCSA) Questions and Answers

ConfigMaps are explicitly not for confidential data.

Exact extract (ConfigMap concept):“A ConfigMap is an API object used to store non-confidential data in key-value pairs.”

Exact extract (ConfigMap concept):“ConfigMaps are not intended to hold confidential data. Use a Secret for confidential data.”

Why this is risky:data placed into a ConfigMap is stored as regular (plaintext) string values in the API and etcd (unless you deliberately use binaryData for base64 content you supply). That means if someone has read access to the namespace or to etcd/APIServer storage, they can view the values.

Secrets vs ConfigMaps (to clarify distractor D):

Exact extract (Secret concept):“By default, secret data is stored as unencrypted base64-encoded strings.You canenable encryption at restto protect Secrets stored in etcd.”

This base64 behavior applies toSecrets, not to ConfigMap data. Thus optionDis incorrect for ConfigMaps.

About RBAC (to clarify distractor A):Kubernetesdoessupport fine-grained RBAC forbothConfigMaps and Secrets; the issue isn’t lack of RBAC but that ConfigMaps arenotdesigned for confidential material.

About compatibility (to clarify distractor C):Using ConfigMaps for secrets doesn’t make apps “incompatible”; it’s simplyinsecureand against guidance.

Audit loggingrecords API server requests and responses for security monitoring.

TheRequestResponse levellogs the full request and response bodies, which can:

Significantly increasestorage and performance overhead.

Potentially log sensitive data (including Secrets).

Therefore, while comprehensive, it introduces risks of performance degradation and excessive log volume.

Kubernetes originally had a feature calledPodSecurityPolicy (PSP), which provided controls to restrict pod behavior.

Official docs:

“PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25.”

“Pod Security Standards (PSS) replace PodSecurityPolicy (PSP) with a simpler, policy-driven approach.”

PSP was often complex and hard to manage, so it was replaced by Pod Security Admission (PSA) which enforcesPod Security Standards.

TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.

It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.

Incorrect options:

(B)AlwaysAllowallows unrestricted access (insecure).

(C) No kubelet authorization mode exists.

(D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.

CWPP (Cloud Workload Protection Platform):As defined by Gartner and adopted across cloud security practices, CWPPs are designed tosecure workloads(VMs, containers, serverless functions) in hybrid and cloud environments.

They providevulnerability scanning, runtime protection, compliance checks, and malware detection.

Exact extract (Gartner CWPP definition):“Cloud workload protection platforms protect workloads regardless of location, including physical machines, VMs, containers, and serverless workloads. They provide vulnerability management, system integrity protection, intrusion detection and prevention, and malware protection.”

TheKubernetes Schedulerassigns Pods to nodes based on:

Resource requests & availability (CPU, memory, GPU, etc.)

Constraints (affinity, taints, tolerations, topology, policies)

Exact extract (Kubernetes Docs – Scheduler):

“The scheduler is a control plane process that assigns Pods to Nodes. Scheduling decisions take into account resource requirements, affinity/anti-affinity, constraints, and policies.”

Other options clarified:

A: Monitoring cluster health is theController Manager’s/kubelet’s job.

B: Security is enforced throughRBAC, admission controllers, PSP/PSA, not the scheduler.

C: Deployment scaling is handled by theController Manager(Deployment/ReplicaSet controller).

Access control (RBAC, least privilege, user restrictions)is abaseline container security best practice.

Exact extract (Kubernetes Pod Security Standards – Baseline):

“The baseline profile is designed to prevent known privilege escalations. It prohibits running privileged containers or containers as root.”

Other options clarified:

B: Static IPs not a security measure.

C: Persistent storage is functionality, not security.

D: Running as root is explicitlyinsecure.

Trust boundariesexist where data flows between different security domains.

In Kubernetes:

Communication between thekubelet (node agent)and theAPI Server (control plane)crosses thenode-to-control-plane trust boundary.

(A) Kubelet to container runtime is local, no boundary crossing.

(C) Kubelet does not communicate directly with the controller manager.

(D) API server does not talk directly to the container runtime; it delegates to kubelet.

Therefore, (B) is the correct trust boundary crossing flow.

Service Mesh (e.g., Istio, Linkerd, Consul):operates atLayer 7 (application layer), enforcing policies like mTLS, authorization, and routing between services.

NetworkPolicy:works atLayer 3/4 (IP/port), not Layer 7.

Ingress Controller:handles external traffic ingress, not internal service-to-service traffic.

Container Runtime:responsible for running containers, not enforcing application-layer security.

Exact extract (Istio docs):

“Istio provides security by enforcing authentication, authorization, and encryption of service-to-service communication.”

Image signing (withNotary, cosign, or similar tools) ensures that images are from a trusted source and have not been modified.

Exact extract (Sigstore cosign docs):“Cosign allows you to sign and verify container images to ensure authenticity and integrity.”

Why others are wrong:

B:Ownership can be inferred but it’s aboutauthenticity & integritynot tenancy.

C:Not mandatory; enforcement requiresadmission controllers.

D:Metadata size is negligible and has no runtime performance impact.

etcdis Kubernetes’key-value storeforcluster state.

Stores: ConfigMaps, Secrets, Pod definitions, Deployments, RBAC policies, and metadata.

Exact extract (Kubernetes Docs – etcd):

“etcd is a consistent and highly-available key-value store used as Kubernetes’ backing store for all cluster data.”

Clarifications:

B: Logs/metrics are handled by logging/monitoring solutions, not etcd.

C: Secrets may be stored here but encoded in base64, not specifically "usernames/passwords" as primary use.

D: Persistent Volumes are external storage, not stored in etcd.

Soft multitenancy(Namespaces, RBAC, Network Policies) → assumes some level of trust between tenants, focuses onresource sharing and efficiency.

Hard multitenancy(separate clusters or strong virtualization) → strict isolation, used when tenants are untrusted.

Exact extract (CNCF TAG Security Multi-Tenancy Whitepaper):

“Soft multi-tenancy refers to multiple workloads running in the same cluster with some trust assumptions. It provides resource sharing and operational efficiency. Hard multi-tenancy requires stronger isolation guarantees, typically separate clusters.”

kube-controller-managerruns a set of controllers that regulate the cluster’s state.

Exact extract (Kubernetes Docs):“The kube-controller-manager runs controllers that are core to Kubernetes. Examples of controllers are: Node controller, Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller.”

Why D is correct:All listed are actual controllers within kube-controller-manager.

Why others are wrong:

A:Job and CronJob controllers are managed by kube-controller-manager, but DaemonSet controller is managed by the kube-scheduler/deployment logic.

B:Pod, Service, Ingress controllers are not part of kube-controller-manager.

C:ConfigMap and Secret do not have dedicated controllers.

The4C’s of Cloud Native Security(Cloud, Cluster, Container, Code) model starts withCloudas the base layer.

If the Cloud (infrastructure layer) is compromised, every higher layer (Cluster, Container, Code) inherits that compromise.

Exact extract (Kubernetes Security Overview):

“The 4C’s of Cloud Native security are Cloud, Clusters, Containers, and Code. You can think of the 4C’s as a layered approach. A Kubernetes cluster can only be as secure as the cloud infrastructure it is deployed on.”

This means the cloud is part of thetrusted computing baseof a Kubernetes cluster.

NIST SP 800-53 Rev. 5 introduces a dedicated family of controls calledSupply Chain Risk Management (SR).

Within SR,SR-2 (Supply Chain Risk Management Plan)is a specific control.

Exact extract from NIST 800-53 Rev. 5:

“The organization develops and implements a supply chain risk management plan for the system, system component, or system service.”

While Access Control, System and Communications Protection, and Incident Response are control families, the correctsupply chain-specific controlis theSupply Chain Risk Management Plan (SR-2).