Question 1

Which information does a user need to verify a signed container image?

Accepted Answer

D

Explanation: The verification of a signed container image is based on asymmetric (public-key) cryptography. The signing authority uses its secret private key to generate a digital signature for the image. To verify the image's authenticity and integrity, a user needs the digital signature itself and the corresponding public key of the signing authority. The verification process uses the public key to confirm that the signature is valid for the image, proving it was signed by the holder of the private key and has not been tampered with.

Question 2

A container running in a Kubernetes cluster has permission to modify host processes on the
underlying node.
What combination of privileges and capabilities is most likely to have led to this privilege escalation?

Accepted Answer

B

Explanation: This scenario describes a container breakout achieved through process injection. The hostPID: true setting in a Pod's security context breaks the process ID (PID) namespace isolation. This allows processes inside the container to see all other processes running on the host node. However, seeing the processes is not enough to modify them. The SYSPTRACE Linux capability grants the permission to trace and manipulate arbitrary processes using system calls like ptrace(2). The combination of seeing host processes (hostPID) and having the permission to manipulate them (SYSPTRACE) directly enables this privilege escalation.

Question 3

What is a multi-stage build?

Accepted Answer

D

Explanation: A multi-stage build is a feature used in Dockerfiles to create more efficient and smaller container images. It involves using multiple FROM instructions, where each FROM starts a new, temporary build stage. An initial stage might use a larger image containing compilers, SDKs, and build tools to compile the application. A subsequent, final stage then starts from a minimal base image (e.g., alpine or distroless) and copies only the necessary compiled artifacts from the initial stage. This process discards all intermediate build tools and dependencies, resulting in a significantly smaller, optimized, and more secure production image.

Question 4

What is the difference between gVisor and Firecracker?

Accepted Answer

A

Explanation: gVisor is an application kernel, often called a user-space kernel, that intercepts system calls from a containerized application and handles them within a sandboxed environment, isolating the application from the host kernel. This provides a strong security boundary without the overhead of a full virtual machine. In contrast, Firecracker is a Virtual Machine Monitor (VMM) that utilizes the Linux Kernel-based Virtual Machine (KVM) to create and manage minimalist micro-VMs. This approach provides hardware-virtualized isolation, which is ideal for secure, multi-tenant workloads like those in function-as-a-service (FaaS) platforms.

Question 5

Which of the following statements on static Pods is true?

Accepted Answer

C

Explanation: Static Pods are managed directly by the kubelet daemon on a specific node, bypassing the Kubernetes control plane components like the API server and the scheduler for their creation. The kubelet watches a specific path on the node's filesystem (e.g., /etc/kubernetes/manifests) for Pod manifest files. When a manifest appears, the kubelet creates the Pod on that node without any intervention from the kube-scheduler. Because they are not managed by standard API-driven controllers (like Deployments or ReplicaSets), their lifecycle is tied directly to the kubelet on a single node, which makes centralized tracking, scaling, and management more difficult compared to standard Pods.

Question 6

A cluster is failing to pull more recent versions of images from k8s.gcr.io. Why may this be?

Accepted Answer

D

Explanation: The Kubernetes project has officially migrated its container image registry from k8s.gcr.io to registry.k8s.io. As of April 3, 2023, the k8s.gcr.io registry was frozen, meaning no new images or updates are published to it. Consequently, any attempt to pull image versions released after this date from the old k8s.gcr.io address will fail because they do not exist there. The cluster must be updated to pull images from the new registry.k8s.io endpoint to access the latest versions.

Question 7

What mechanism can I use to block unsigned images from running in my cluster?

Accepted Answer

A

Explanation: Admission controllers are the primary Kubernetes mechanism for enforcing policies on objects during their creation, update, and deletion. A validating admission webhook, a type of admission controller, can be configured to intercept Pod creation requests sent to the API server. This webhook can then invoke an external service to verify that the container images specified in the Pod manifest have valid signatures (e.g., using Sigstore/Cosign). If an image is unsigned or the signature is invalid, the admission controller denies the request, preventing the Pod from being scheduled and thus blocking the image from running in the cluster.

Question 8

Which technology can be used to apply security policy for internal cluster traffic at the application layer of the network?

Accepted Answer

D

Explanation: A service mesh is a dedicated infrastructure layer designed to manage service-to-service communication within a microservices architecture. It operates at the application layer (Layer 7) by injecting sidecar proxies (e.g., Envoy) into each application pod. These proxies intercept all network traffic, enabling the enforcement of fine-grained security policies for internal (east-west) cluster traffic. This includes features like mutual TLS (mTLS) for identity and encryption, and authorization policies based on application-level attributes such as HTTP methods, headers, or gRPC service names, which is not possible with standard Kubernetes resources.

Question 9

A container image is trojanised by an attacker by compromising the build server. Based on the STRIDE threat modeling framework, which threat category best defines this threat?

Accepted Answer

D

Explanation: The act of "trojanising" a container image is a direct manipulation and unauthorized modification of its contents. The STRIDE threat modeling framework categorizes threats based on the type of security property violated. In this scenario, the integrity of the container image is compromised. The Tampering category specifically addresses the unauthorized modification of data or code. By injecting malicious code into the image on the build server, the attacker has tampered with the asset, violating its integrity.

Question 10

What is Grafana?

Accepted Answer

C

Explanation: Grafana is an open-source analytics and interactive visualization web application. It enables users to query, visualize, alert on, and understand metrics from various data sources. Its primary function is to create dashboards for time-series data, which is crucial for monitoring the performance of applications and infrastructure. Grafana connects to popular time-series databases like Prometheus, InfluxDB, and Elasticsearch, allowing operators to build comprehensive monitoring solutions by visualizing complex data in graphs, charts, and alerts.

Question 11

Why does the default base64 encoding that Kubernetes applies to the contents of Secret resources provide inadequate protection?

Accepted Answer

C

Explanation: Base64 is an encoding scheme, not an encryption algorithm. Its purpose within Kubernetes is to ensure that binary data (like certificates or tokens) can be safely represented as text within YAML or JSON manifests. This process is easily reversible by anyone with access to the encoded data, offering no confidentiality. The Kubernetes documentation explicitly states that base64 encoding is used and that this is not a method of encryption. Therefore, it only obfuscates the data, making it unreadable at a glance, but provides no actual security protection against unauthorized viewing.

Question 12

Which of the following statements best describes the role of the Scheduler in Kubernetes?

Accepted Answer

D

Explanation: The Kubernetes Scheduler is a core control plane component whose exclusive responsibility is to assign newly created Pods to nodes. It watches the API Server for Pods that do not have a .spec.nodeName field set. For each such Pod, the Scheduler executes a decision-making process to find the best possible node. This process involves two steps: filtering, which finds the set of feasible nodes that can satisfy the Pod's requirements (e.g., CPU/memory requests, affinity rules), and scoring, which ranks the feasible nodes to select the most suitable one. The Scheduler then binds the Pod to the chosen node.

Question 13

Which standard approach to security is augmented by the 4C's of Cloud Native security?

Accepted Answer

C

Explanation: The 4C's of Cloud Native security (Cloud, Cluster, Container, Code) model is a direct application and augmentation of the Defense-in-Depth strategy. This strategy involves creating multiple, independent, and redundant layers of security controls to protect assets. The 4C's framework provides a structured way to apply this layered approach to a cloud-native stack. Each 'C' represents a distinct layer, and security controls are implemented at each one. The security of an inner layer (e.g., Code) is dependent on the security of the outer layers (e.g., Container, Cluster, Cloud), creating a comprehensive, multi-layered defense posture.

Question 14

How do Kubernetes namespaces impact the application of policies when using Pod Security Admission?

Accepted Answer

B

Explanation: Pod Security Admission (PSA) is a built-in Kubernetes admission controller that enforces Pod Security Standards. Its configuration is managed at the namespace level through the use of labels. By applying specific labels to a namespace, administrators can define which policy level (privileged, baseline, or restricted) should be enforced, audited, or warned against for pods created within that namespace. This mechanism allows for granular control, enabling different security postures for different workloads across the cluster. For example, a namespace for system components might allow privileged pods, while an application namespace enforces the restricted standard.

Question 15

Which label should be added to the Namespace to block any privileged Pods from being created in that Namespace?

Accepted Answer

C

Explanation: The Kubernetes Pod Security Standards (PSS) use namespace labels to define the security level for pods running within that namespace. The baseline policy is designed to prevent known privilege escalations. A key control in the baseline profile is the disallowance of privileged containers (i.e., pods with securityContext.privileged: true). By applying the label pod-security.kubernetes.io/enforce: baseline to a namespace, the Pod Security admission controller will reject any new pods that violate this policy, effectively blocking privileged pods from being created.

Free Linux Foundation KCSA Actual Exam Questions s