Pass the Linux Foundation Kubernetes and Cloud Native KCSA Questions and answers with ValidTests

Defining policiesas code (declarative)is a best practice in Kubernetes and cloud-native security.

This is aligned withGitOpsandPolicy-as-Codeprinciples (OPA Gatekeeper, Kyverno, etc.).

Exact extract (CNCF Security Whitepaper):

“Policy-as-Code enables declarative definition and enforcement of security policies, bringing consistency, automation, and reducing misconfiguration risk.”

Manual audits, ad-hoc scripting, or individual configurations are error-prone and inconsistent.

RBAC in Kubernetesis coarse-grained: it controlsverbs(get, update, patch, delete) onresources(e.g., deployments), butnot individual fieldswithin a resource.

There isno /image subresource for deployments(there is one for pods but only for ephemeral containers).

Therefore,RBAC cannot restrict changes only to the image field.

Admission Webhooks(mutating/validating)canenforce fine-grained policies (e.g., deny updates that change anything other than spec.containers[*].image).

Exact extract (Kubernetes Docs – Admission Webhooks):

“Admission webhooks can be used to enforce custom policies on objects being admitted.”

KubernetesPod Security Admission (PSA)enforcesPod Security Standardsby applying labels on Namespaces.

Exact extract (Kubernetes Docs – Pod Security Admission):

“You can label a namespace with pod-security.kubernetes.io/enforce: baseline to enforce the Baseline policy.”

Thebaselineprofile explicitly disallowsprivileged podsand other unsafe features.

Why others are wrong:

A & D: These labels do not exist in Kubernetes.

B: Setting privileged: true would allow privileged pods, not block them.

Container image signing (e.g., withcosign, Notary v2) uses asymmetric cryptography.

Verification process:

Retrieve theimage’s digital signature.

Validate the signature with thepublic keyof the signer.

Exact extract (Sigstore Cosign Docs):

“Verification of an image requires the signature and the signer’s public key. The signature proves authenticity and integrity.”

Why others are wrong:

A & B: The private key is only used by the signer, never shared.

C: The hash alone cannot prove authenticity without the digital signature.

Thekubectlclient uses configuration from$HOME/.kube/configby default.

This file contains: cluster API server endpoint, user certificates, tokens, or kubeconfigs →sensitive credentials.

Exact extract (Kubernetes Docs – Configure Access to Clusters):

“By default, kubectl looks for a file named config in the $HOME/.kube directory. This file contains configuration information including user credentials.”

Other options clarified:

A: /etc/kubernetes/ exists on nodes (control plane) not client machines.

C: /opt/kubernetes/secrets/ is not a standard path.

D: $HOME/.config/kubernetes/ is not where kubeconfig is stored by default.

hostPID:When enabled, the container shares the host’s process namespace → container can see and potentially interact with host processes.

SYS_PTRACE capability:Grants the container the ability to trace, inspect, and modify other processes (e.g., via ptrace).

Combination of hostPID + SYS_PTRACE allows a container toattach to and modify host processes, which is a direct privilege escalation.

Other options explained:

hostPath + AUDIT_WRITE:hostPath exposes filesystem paths but does not inherently allow process modification.

hostNetwork + NET_RAW:grants raw socket access but only for networking, not host process modification.

A:Incorrect — such combinationsdo exist(like B).

Pod Security Admission (PSA)enforces policies by applyinglabels on namespaces, not globally across the cluster.

Exact extract (Kubernetes Docs – Pod Security Admission):

“You can apply Pod Security Standards to namespaces by adding labels such as pod-security.kubernetes.io/enforce. Different namespaces can enforce different policies.”

Clarifications:

A: Incorrect, namespaces are the unit of enforcement.

C: Misleading — a namespace can have multiple enforcement modes (enforce, audit, warn).

D: Default namespace doesnotenforce strict policies unless labeled.

Static Podsare managed directly by thekubeleton each node.

They arenot scheduled by the kube-schedulerand always remain bound to the node where they are defined.

Exact extract (Kubernetes Docs – Static Pods):

“Static Pods are managed directly by the kubelet daemon on a specific node, without the API server. They do not go through the Kubernetes scheduler.”

Clarifications:

A: Static Pods do not span multiple nodes.

B: No hard limit of 5 Pods per node.

D: They are not a fallback mechanism; kubelet always manages them regardless of scheduler state.

Soft multitenancy(Namespaces, RBAC, Network Policies) → assumes some level of trust between tenants, focuses onresource sharing and efficiency.

Hard multitenancy(separate clusters or strong virtualization) → strict isolation, used when tenants are untrusted.

Exact extract (CNCF TAG Security Multi-Tenancy Whitepaper):

“Soft multi-tenancy refers to multiple workloads running in the same cluster with some trust assumptions. It provides resource sharing and operational efficiency. Hard multi-tenancy requires stronger isolation guarantees, typically separate clusters.”

MITRE ATT&CKis a globally recognizedknowledge base of adversary tactics, techniques, and procedures (TTPs). It is focused on describingoffensive behaviorsattackers use.

Incorrect options:

(B)OWASP Top 10highlights common application vulnerabilities, not attacker techniques.

(C)CIS Controlsare defensive best practices, not offensive tools.

(D)NIST Cybersecurity Frameworkprovides a risk-based defensive framework, not adversary TTPs.