
100+ Free KCSA Practice Questions

Pass your Kubernetes and Cloud Native Security Associate (KCSA) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

  • Pass rate: not published
  • 100+ questions
  • 100% free

Key Facts: KCSA Exam (2026 Statistics)

  • Exam questions: 60 (source: CNCF)
  • Passing score: 75% (source: CNCF)
  • Exam duration: 90 min (source: CNCF)
  • Exam fee: $250 (includes retake)
  • Content domains: 5 (source: KCSA Curriculum)
  • Certification validity: 3 years (source: CNCF)

The KCSA exam has 60 multiple-choice questions in 90 minutes with a 75% passing score. It covers cluster setup and hardening (20%), supply chain security (20%), platform security (25%), runtime security (15%), and compliance/observability (20%). KCSA is the associate-level entry point for Kubernetes security certifications.

Sample KCSA Practice Questions

Try these sample questions to test your KCSA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In Kubernetes, what is the primary purpose of Role-Based Access Control (RBAC)?
A. To encrypt data stored in etcd
B. To regulate access to Kubernetes API resources based on the roles assigned to users and service accounts
C. To manage container image registries
D. To schedule pods across nodes
Explanation: Kubernetes RBAC controls who can perform what actions on which resources within a cluster. It uses Roles and ClusterRoles to define permissions, and RoleBindings and ClusterRoleBindings to assign those permissions to users, groups, or service accounts. RBAC is the primary authorization mechanism in production Kubernetes clusters and follows the principle of least privilege.

2. What is a Kubernetes NetworkPolicy used for?
A. Managing DNS resolution within the cluster
B. Controlling traffic flow between pods and network endpoints at the IP address or port level
C. Configuring load balancer settings
D. Defining storage classes for persistent volumes
Explanation: NetworkPolicies are Kubernetes resources that control the flow of network traffic to and from pods. By default, all pods in a Kubernetes cluster can communicate with each other. NetworkPolicies allow you to restrict traffic based on pod selectors, namespace selectors, and IP blocks for both ingress and egress. A CNI plugin that supports NetworkPolicies (like Calico or Cilium) is required for enforcement.

3. What is the purpose of Pod Security Admission in Kubernetes?
A. To manage pod scheduling across nodes
B. To enforce security standards on pods by restricting privileged containers, host namespaces, and dangerous capabilities
C. To configure pod resource limits
D. To manage pod DNS settings
Explanation: Pod Security Admission (PSA) is the built-in Kubernetes mechanism that enforces Pod Security Standards (Privileged, Baseline, Restricted) at the namespace level. It can operate in enforce, audit, or warn modes. PSA replaced PodSecurityPolicy (removed in v1.25) and prevents pods from running with dangerous configurations like privileged mode, host networking, or root user access.

4. What type of information is stored in Kubernetes Secrets, and how are they stored by default in etcd?
A. Container images; encrypted with AES-256
B. Sensitive data like passwords and tokens; base64-encoded but not encrypted by default
C. Network policies; stored in plaintext
D. Pod specifications; compressed with gzip
Explanation: Kubernetes Secrets store sensitive information such as passwords, OAuth tokens, TLS certificates, and SSH keys. By default, Secrets are stored as base64-encoded data in etcd without encryption, which is not a security measure since base64 is trivially reversible. To protect Secrets at rest, administrators should enable etcd encryption at rest using EncryptionConfiguration with providers like AES-CBC or KMS.

5. What is a container image vulnerability scanner designed to detect?
A. Runtime container performance issues
B. Known CVEs in OS packages and application dependencies within container images
C. Network connectivity problems between containers
D. Storage capacity limitations
Explanation: Container image scanners (like Trivy, Grype, Snyk, and Clair) analyze the software packages, libraries, and dependencies within a container image and compare them against vulnerability databases (NVD, vendor advisories) to identify known CVEs. Scanning should occur in the CI/CD pipeline before images are pushed to registries and as part of admission control before pods are deployed to clusters.

6. What is the principle of least privilege as applied to Kubernetes service accounts?
A. All service accounts should have cluster-admin access
B. Service accounts should be granted only the minimum permissions needed to perform their intended function
C. Service accounts should be shared across all namespaces
D. Service accounts should always have write access to all secrets
Explanation: The principle of least privilege requires that service accounts receive only the permissions necessary for their workloads. In Kubernetes, this means creating specific Roles with minimal verb permissions (get, list, watch vs. create, update, delete) on only the required resources, and binding them to dedicated service accounts per application rather than using the default service account with broad permissions.

7. What does 'container runtime security' refer to in Kubernetes?
A. Securing the Kubernetes API server
B. Monitoring and protecting container behavior during execution, including system calls, file access, and network activity
C. Encrypting container images in the registry
D. Managing container resource quotas
Explanation: Container runtime security involves monitoring containers during execution to detect and prevent malicious behavior. This includes tracking system calls (using tools like Falco or Sysdig), monitoring file system modifications, network connections, process execution, and capability usage. Runtime security detects threats that evade static analysis, such as compromised applications, container escape attempts, and cryptomining.

8. What is the purpose of Kubernetes audit logging?
A. To log container application output
B. To record all requests to the Kubernetes API server for security auditing, compliance, and forensic investigation
C. To monitor node CPU and memory usage
D. To track container image pull statistics
Explanation: Kubernetes audit logging captures a chronological record of all requests made to the API server, including who made the request, what action was performed, on which resource, and the result. Audit policies define which events to record at what detail level (None, Metadata, Request, RequestResponse). These logs are essential for security monitoring, compliance requirements, and investigating suspicious cluster activity.

9. What is the primary function of an admission controller in Kubernetes?
A. To authenticate users connecting to the API server
B. To intercept and validate or mutate API requests before objects are persisted in etcd
C. To schedule pods to appropriate nodes
D. To manage cluster networking
Explanation: Admission controllers are plugins that intercept requests to the Kubernetes API server after authentication and authorization but before the object is persisted in etcd. They can validate requests (rejecting those that violate policies) or mutate requests (automatically adding labels, resource limits, or sidecar containers). Important security-related admission controllers include PodSecurity, LimitRanger, ResourceQuota, and webhook-based controllers like OPA Gatekeeper.

10. What is a Software Bill of Materials (SBOM) in the context of container supply chain security?
A. A list of all Kubernetes nodes in the cluster
B. A comprehensive inventory of all components, libraries, and dependencies included in a software artifact
C. A pricing document for software licenses
D. A deployment manifest for Kubernetes workloads
Explanation: A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all components, packages, libraries, and their versions contained in a software product or container image. SBOMs are critical for supply chain security because they enable organizations to quickly identify whether they are affected by newly discovered vulnerabilities (like Log4Shell) without rescanning all images. Standard formats include SPDX and CycloneDX.
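The RBAC, NetworkPolicy and least-privilege points from questions 1, 2 and 6 above, as one worked manifest. This is an added example, not material from the page or from CNCF; the workload name "inventory-api" and the namespace "shop" are hypothetical.

```yaml
# Added example (not from the page): a dedicated least-privilege ServiceAccount
# for a hypothetical "inventory-api" workload in the "shop" namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inventory-api
  namespace: shop
automountServiceAccountToken: false   # mount a token only if the app really calls the API
---
# Namespace-scoped Role: read-only on ConfigMaps and nothing else.
# No create/update/delete verbs, and no access to Secrets or Pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: inventory-api-config-reader
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role to the dedicated ServiceAccount, not to "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: inventory-api-config-reader
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: inventory-api
    namespace: shop
roleRef:
  kind: Role
  name: inventory-api-config-reader
  apiGroup: rbac.authorization.k8s.io
---
# Default-deny NetworkPolicy: an empty podSelector matches every pod in the
# namespace, and listing both policyTypes with no ingress/egress rules blocks
# all traffic. Enforcement needs a CNI that implements NetworkPolicy (Calico,
# Cilium). Note: egress deny also blocks DNS, so real workloads need an
# explicit egress rule to kube-dns on top of this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
```

After applying it, `kubectl auth can-i get secrets -n shop --as=system:serviceaccount:shop:inventory-api` should answer "no", while the same check for `configmaps` answers "yes".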
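The etcd encryption-at-rest fix from question 4 above, as an added example that is not part of the page: an EncryptionConfiguration file passed to kube-apiserver via `--encryption-provider-config`. The key value is a placeholder, and the provider ordering is the caveat practitioners most often get wrong.

```yaml
# Added example (not from the page): encrypt Secrets at rest in etcd.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The FIRST provider is used to encrypt every new write; all listed
      # providers are tried, in order, when reading.
      - aescbc:
          keys:
            - name: key1
              # placeholder: generate with  head -c 32 /dev/urandom | base64
              secret: <base64-encoded-32-byte-key>
      # identity (plaintext) stays LAST so Secrets written before encryption was
      # enabled can still be read until they are rewritten. Listing identity
      # first would silently keep writing plaintext.
      - identity: {}
```

Once the API server restarts with this file, existing Secrets remain plaintext until rewritten, e.g. `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; the Kubernetes docs also favour KMS or aesgcm over aescbc for new setups, but aescbc is shown because the explanation names it.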

About the KCSA Exam

The Kubernetes and Cloud Native Security Associate (KCSA) validates foundational knowledge of Kubernetes and cloud-native security concepts including cluster hardening, supply chain security, RBAC, network policies, pod security, runtime monitoring, compliance scanning, and security observability. KCSA is an entry-level certification from CNCF.

  • Questions: 100 scored questions
  • Time limit: 90 minutes
  • Passing score: 75%
  • Exam fee: $250 (includes one free retake) (Cloud Native Computing Foundation / Linux Foundation)

KCSA Exam Content Outline

  • 20% Cluster Setup & Hardening: API server security, etcd encryption, kubelet authentication, certificate rotation, CIS Benchmark, and dashboard security
  • 20% Supply Chain Security: image scanning, Sigstore/Cosign, SBOM, SLSA framework, private registries, distroless images, and image provenance
  • 25% Platform Security: RBAC, network policies, Pod Security Admission, SecurityContext, service accounts, capabilities, and service mesh mTLS
  • 15% Runtime Security: Falco, seccomp profiles, AppArmor, container escape prevention, runtime class, and eBPF-based monitoring
  • 20% Compliance & Observability: audit logging, OPA Gatekeeper, Kyverno, kubescape, kube-bench, network observability, and regulatory compliance

How to Pass the KCSA Exam

What You Need to Know

  • Passing score: 75%
  • Exam length: 100 questions
  • Time limit: 90 minutes
  • Exam fee: $250 (includes one free retake)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

KCSA Study Tips from Top Performers

1. Master Kubernetes RBAC concepts — Roles vs ClusterRoles, RoleBindings vs ClusterRoleBindings, and the least privilege principle
2. Understand all three Pod Security Standards (Privileged, Baseline, and Restricted) and what each enforces
3. Know the SecurityContext fields: runAsNonRoot, allowPrivilegeEscalation, readOnlyRootFilesystem, and capabilities
4. Study the CNCF Cloud Native Security Whitepaper's four lifecycle phases: Develop, Distribute, Deploy, Runtime
5. Learn Sigstore components: Cosign (signing), Fulcio (certificate authority), and Rekor (transparency log)
6. Understand NetworkPolicies including default deny, ingress/egress rules, and namespace selectors
7. Practice with kube-bench and kubescape to understand CIS Benchmark and NSA/CISA recommendations
8. Study SBOM formats (SPDX, CycloneDX) and understand the SLSA framework's four levels

Frequently Asked Questions

What is the KCSA exam format?

The KCSA exam has 60 multiple-choice questions to be completed in 90 minutes with a 75% passing score. It is an online proctored exam that tests foundational Kubernetes and cloud-native security knowledge. One free retake is included with the exam purchase.

What is the difference between KCSA and CKS?

KCSA is an associate-level multiple-choice exam testing security knowledge. CKS (Certified Kubernetes Security Specialist) is an advanced hands-on exam requiring practical demonstration of Kubernetes security skills in a live cluster. KCSA is the recommended starting point before pursuing CKS.

How much does the KCSA exam cost?

The KCSA exam costs $250 and includes one free retake if needed. No additional training purchase is required. The Linux Foundation also offers bundle deals combining the exam with training courses at discounted prices.

What Kubernetes knowledge do I need for KCSA?

KCSA requires foundational Kubernetes knowledge including understanding of pods, deployments, services, namespaces, RBAC, and basic cluster architecture. Prior hands-on experience with kubectl and Kubernetes resource definitions is recommended but not required.

Does KCSA cover supply chain security?

Yes, supply chain security is a significant portion (20%) of the KCSA exam. Topics include container image scanning, image signing with Sigstore/Cosign, SBOM (Software Bill of Materials), SLSA framework, private registries, and Dockerfile best practices.