Linux Foundation Kubernetes and Cloud Native Security Associate (KCSA) Free Practice Test

Question 1

Given a standard Kubernetes cluster architecture comprising a single control plane node (hosting bothetcdand the control plane as Pods) and three worker nodes, which of the following data flows crosses atrust boundary
?

A. From kubelet to Container Runtime

B. From kubelet to API Server

C. From API Server to Container Runtime

D. From kubelet to Controller Manager

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

Which of the following represents a baseline security measure for containers?

A. Configuring a static IP for each container.

B. Configuring persistent storage for containers.

C. Run containers as the root user.

D. Implementing access control to restrict container access.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

What is the difference between gVisor and Firecracker?

A. gVisor is a user-space kernel that provides isolation and security for containers. At the same time, Firecracker is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads.

B. gVisor is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads. At the same time, Firecracker is a user-space kernel that provides isolation and security for containers.

C. gVisor and Firecracker are two names for the same technology, which provides isolation and security for containers.

D. gVisor and Firecracker are both container runtimes that can be used interchangeably.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

An attacker compromises a Pod and attempts to use its service account token to escalate privileges within the cluster. Which Kubernetes security feature is designed tolimit what this service account can do?

A. PodSecurity admission

B. NetworkPolicy

C. RuntimeClass

D. Role-Based Access Control (RBAC)

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

As a Kubernetes and Cloud Native Security Associate, a user can set upaudit loggingin a cluster. What is the risk of logging every event at the fullRequestResponselevel?

A. Improved security and easier incident investigation.

B. No risk, as it provides the most comprehensive audit trail.

C. Reduced storage requirements and faster performance.

D. Increased storage requirements and potential impact on performance.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

Why does the defaultbase64 encodingthat Kubernetes applies to the contents of Secret resources provide inadequate protection?

A. Base64 encoding relies on a shared key which can be easily compromised.

B. Base64 encoding is not supported by all Secret Stores.

C. Base64 encoding is vulnerable to brute-force attacks.

D. Base64 encoding does not encrypt the contents of the Secret, only obfuscates it.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

Which information does a user need to verify a signed container image?

A. The image's SHA-256 hash and the private key of the signing authority.

B. The image's SHA-256 hash and the public key of the signing authority.

C. The image's digital signature and the private key of the signing authority.

D. The image's digital signature and the public key of the signing authority.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Linux Foundation Kubernetes and Cloud Native Security Associate (KCSA) Free Practice Test