antony@notes:~/misc$ cat "KCSA-真題.md"
KCSA 真題
KCSA 真題
Question #1
What is Grafana?
A. A cloud-native distributed tracing system for monitoring microservices architectures. B. A container orchestration platform for managing and scaling applications. C. A platform for monitoring and visualizing time-series data. D. A cloud-native security tool for scanning and detecting vulnerabilities in Kubernetes clusters.
:::spoiler Correct Answer:
C
:::
Question #2
Which step would give an attacker a foothold in a cluster but no long term persistence?
A. Modify file on host filesystem. B. Create restarting container on host using Docker. C. Modify Kubernetes objects stored within etcd. D. Starting a process in a running container.
:::spoiler Correct Answer:
D
:::
Question #3
What is the reasoning behind considering the Cloud as the trusted computing base of a Kubernetes cluster?
A. A vulnerability in the Cloud layer has a negligible impact on containers due to Linux isolation mechanisms. B. A Kubernetes cluster can only be trusted if the underlying Cloud provider is certified against international standards. C. A Kubernetes cluster can only be as secure as the security posture of its Cloud hosting. D. The Cloud enforces security controls at the Kubernetes cluster level, so application developers can focus on applications only.
:::spoiler Correct Answer:
C
:::
Question #4
By default, in a Kubeadm cluster, which authentication methods are enabled?
A. OIDC, Bootstrap tokens, and Service Account Tokens
B. X509 Client Certs, Bootstrap Tokens, and Service Account Tokens
C. X509 Client Certs, OIDC, and Service Account Tokens
D. X509 Client Certs, Webhook Authentication, and Service Account Tokens
:::spoiler Correct Answer:
B
:::
Question #5
Which technology can be used to apply security policy for internal cluster traffic at the application layer of the network?
A. Container Runtime B. Network Policy C. Service Mesh D. Ingress Controller
:::spoiler Correct Answer:
C
:::
Question #6
Which of the following statement regarding a container run with privileged: true is correct?
A. A container run with
privileged: truewithin a Namespace can access all Secrets used within that Namespace. B. A container run withprivileged: truewithin a cluster can access all Secrets used within that cluster. C. A container run withprivileged: truehas no additional access to Secrets than if it were run withprivileged: false. D. A container run withprivileged: trueon a node can access all Secrets used on that node.
:::spoiler Correct Answer:
C
:::
Question #7
Which of the following is a measure for data plane isolation in a Kubernetes multi-tenancy scenario?
A. Enforce Object Count Quotas via the ResourceQuota admission controller. B. Assign a dedicated namespace to Pods from each tenant. C. Assign a dedicated set of workers to run Pods from each tenant. D. Enforce Roles and RoleBindings tied to specific namespaces only, forbid cluster-wide roles.
:::spoiler Correct Answer:
C
:::
Question #8
How can a user enforce the Pod Security Standard without third party tools?
A. It is only possible to enforce the Pod Security Standard with additional tools within the cloud native ecosystem. B. Use the PodSecurity admission controller. C. No additional measures have to be taken to enforce the Pod Security Standard. D. Through implementing Kyverno or OPA Policies.
:::spoiler Correct Answer:
B
:::
Question #9
Which of the following statements best describe container image signing and verification in the cloud environment?
A. Container image signatures and their verification ensure their authenticity and integrity against tampering. B. Container image signatures affect the performance of containerized applications, as they increase the size of images with additional metadata. C. Container image signatures are concerned with defining developer ownership of applications within multi-tenant environments. D. Container image signatures are mandatory in cloud environments, as cloud providers would deny the execution of unsigned container images.
:::spoiler Correct Answer:
A
:::
Question #10
Which other controllers are part of the kube controller manager inside the Kubernetes cluster?
A. Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller. B. Namespace controller, ConfigMap controller, and Secret controller. C. Pod, Service, and Ingress controller. D. Job controller, CronJob controller, and DaemonSet controller.
:::spoiler Correct Answer:
A 參考連結: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
:::
Question #11
On a client machine, what directory (by default) contains sensitive credential information?
A.
/opt/kubernetes/secrets/B.$HOME/.kubeC.$HOME/.config/kubernetes/D./etc/kubernetes/
:::spoiler Correct Answer:
B
:::
Question #12
What mechanism can I use to block unsigned images from running in my cluster?
A. Enabling Admission Controllers to validate image signatures. B. Using PodSecurityPolicy (PSP) to enforce image signing and validation. C. Configuring Container Runtime Interface (CRI) to enforce image signing and validation. D. Using Pod Security Standards (PSS) to enforce validation of signatures.
:::spoiler Correct Answer:
A
:::
Question #13
What is the main reason an organization would use a Cloud Workload Protection Platform (CWPP) solution?
A. To manage networking between containerized workloads in the Kubernetes cluster. B. To automate the deployment and management of containerized workloads. C. To protect containerized workloads from known vulnerabilities and malware threats. D. To optimize resource utilization and scalability of containerized workloads.
:::spoiler Correct Answer:
C
:::
Question #14
What is the purpose of an egress NetworkPolicy?
A. To secure the Kubernetes cluster against unauthorized access. B. To control the incoming network traffic to a Kubernetes cluster. C. To control the outbound network traffic from a Kubernetes cluster. D. To control the outgoing network traffic from one or more Kubernetes Pods.
:::spoiler Correct Answer:
D
:::
Question #16
What information is stored in etcd?
A. Pod data contained in Persistent Volume Claims (e.g., hostPath). B. Application logs and monitoring data for auditing and troubleshooting purposes. C. Etcd manages the configuration data, state data, and metadata for Kubernetes. D. Sensitive user data such as usernames and passwords.
:::spoiler Correct Answer:
C
:::
Question #17
A container image is trojanized by an attacker by compromising the build server. Based on the STRIDE threat modeling framework, which threat category best defines this threat?
A. Denial Of Service B. Repudiation C. Tampering D. Spoofing
:::spoiler Correct Answer:
C
:::
Question #18
Which label should be added to the Namespace to block any privileged Pods from being created in that Namespace?
A.
privileged: trueB.pod.security.kubernetes.io/enforce: baselineC.privileged: falseD.pod.security.kubernetes.io/privileged: false
:::spoiler Correct Answer:
B
:::
Question #19
You are responsible for securing the kubelet component in a Kubernetes cluster. Which of the following statements about kubelet security is correct?
A. Kubelet does not have any built-in security features. B. Kubelet runs as a privileged container by default. C. Kubelet requires root access to interact with the host system. D. Kubelet supports TLS authentication and encryption for secure communication with the API server.
:::spoiler Correct Answer:
D
:::
Question #20
Which of the following statements best describes the role of the Scheduler in Kubernetes?
A. The Scheduler is responsible for monitoring and managing the health of the Kubernetes cluster. B. The Scheduler is responsible for ensuring the security of the Kubernetes cluster and its components. C. The Scheduler is responsible for managing the deployment and scaling of applications in the Kubernetes cluster. D. The Scheduler is responsible for assigning Pods to nodes based on resource availability and other constraints.
:::spoiler Correct Answer:
D
:::
Question #21
How do Kubernetes namespaces impact the application of policies when using Pod Security Admission?
A. Different policies can be applied to specific namespaces. B. Namespaces are ignored; Pod Security Admission policies apply cluster-wide only. C. The default namespace enforces the strictest security policies by default. D. Each namespace can have only one active policy.
:::spoiler Correct Answer:
A
:::
Question #22
Which of the following statements correctly describes a container breakout?
A. A container breakout is the process of escaping the container and gaining access to the cloud provider’s infrastructure. B. A container breakout is the process of escaping the container and gaining access to the host operating system. C. A container breakout is the process of escaping a container when it reaches its resource limits. D. A container breakout is the process of escaping the container and gaining access to the Pod’s network traffic.
:::spoiler Correct Answer:
B
:::
Question #23
What was the name of the precursor to Pod Security Standards?
A. Kubernetes Security Context B. Container Security Standards C. Pod Security Policy D. Container Runtime Security
:::spoiler Correct Answer:
C
:::
Question #24
Given a standard Kubernetes cluster architecture comprising a single control plane node (hosting both etcd and the control plane as Pods) and three worker nodes, which of the following data flows crosses a trust boundary?
A. From API Server to Container Runtime B. From kubelet to Controller Manager C. From kubelet to API Server D. From kubelet to Container Runtime
:::spoiler Correct Answer:
C
:::
Question #25
In Kubernetes, what is Public Key Infrastructure used for?
A. To monitor and analyze performance metrics of a Kubernetes cluster. B. To manage certificates and ensure secure communication in a Kubernetes cluster. C. To automate the scaling of containers in a Kubernetes cluster. D. To manage networking in a Kubernetes cluster.
:::spoiler Correct Answer:
B
:::
Question #26
When should soft multitenancy be used over hard multitenancy?
A. When the priority is enabling complete isolation between tenants. B. When the priority is enabling fine-grained control over tenant resources. C. When the priority is enabling resource sharing and efficiency between tenants. D. When the priority is enabling strict security boundaries between tenants.
:::spoiler Correct Answer:
C
:::
Question #27
You want to minimize security issues in running Kubernetes Pods. Which of the following actions can help achieve this goal?
A. Sharing sensitive data among Pods in the same cluster to improve collaboration. B. Implement Pod Security standards in the Pod’s YAML configuration. C. Deploying Pods with randomly generated names to obfuscate their identities. D. Running Pods with elevated privileges to maximize their capabilities.
:::spoiler Correct Answer:
B
:::
Question #28
Which of the following is a control for Supply Chain Risk Management according to NIST 800-53 Rev. 5?
A. Incident Response B. Supply Chain Risk Management Plan C. Access Control D. System and Communications Protection
:::spoiler Correct Answer:
B
:::
Question #29
Which standard approach to security is augmented by the 4C’s of Cloud Native security?
A. Secure-by-Design B. Least Privilege C. Zero Trust D. Defense-in-Depth
:::spoiler Correct Answer:
D
:::
Question #30
In a Kubernetes environment, what kind of Admission Controller can modify resource manifests when applied to the Kubernetes API to fix misconfigurations automatically?
A. ValidatingAdmissionController B. PodSecurityPolicy C. MutatingAdmissionController D. ResourceQuota
:::spoiler Correct Answer:
C
:::
Question #31
A container running in a Kubernetes cluster has permission to modify host processes on the underlying node. What combination of privileges and capabilities is most likely to have led to this privilege escalation?
A.
hostNetworkandNET_RAWB. There is no combination of privileges and capabilities that permits this. C.hostPathandAUDIT_WRITED.hostPIDandSYS_PTRACE
:::spoiler Correct Answer:
D
:::
Question #32
What kind of organization would need to be compliant with PCI DSS?
A. Merchants that process credit card payments. B. Retail stores that only accept cash payments. C. Government agencies that collect personally identifiable information. D. Non-profit organizations that handle sensitive customer data.
:::spoiler Correct Answer:
A
:::
Question #33
As a Kubernetes and Cloud Native Security Associate, a user can set up audit logging in a cluster. What is the risk of logging every event at the full RequestResponse level?
A. Reduced storage requirements and faster performance. B. Increased storage requirements and potential impact on performance. C. Improved security and easier incident investigation. D. No risk, as it provides the most comprehensive audit trail.
:::spoiler Correct Answer:
B
:::
Question #34
In a Kubernetes cluster, what are the security risks associated with using ConfigMaps for storing secrets?
A. Storing secrets in ConfigMaps does not allow for fine-grained access control via RBAC. B. ConfigMaps store sensitive information in etcd encoded in base64 format automatically, which does not ensure confidentiality of data. C. Storing secrets in ConfigMaps can expose sensitive information as they are stored in plaintext and can be accessed by unauthorized users. D. Using ConfigMaps for storing secrets might make applications incompatible with the Kubernetes cluster.
:::spoiler Correct Answer:
C
:::
Question #35
In the event that kube-proxy is in a CrashLoopBackOff state, what impact does it have on the Pods running on the same worker node?
A. The Pod cannot mount persistent volumes through CSI drivers. B. The Pod’s resource utilization increases significantly. C. The Pods cannot communicate with other Pods in the cluster. D. The Pod’s security context restrictions cannot be enforced.
:::spoiler Correct Answer:
C
:::
Question #36
Which of the following statements on static Pods is true?
A. The kubelet schedules static Pods local to its node without going through the kube-scheduler, making tracking and managing them difficult. B. The kubelet can run a maximum of 5 static Pods on each node. C. The kubelet only deploys static Pods when the kube-scheduler is unresponsive. D. The kubelet can run static Pods that span multiple nodes, provided that it has the necessary privileges from the API server.
:::spoiler Correct Answer:
A
:::
Question #37
A user runs a command with kubectl to apply a change to a deployment. What is the first Kubernetes component that the request reaches?
A. kubelet B. Kubernetes Scheduler C. Kubernetes Controller Manager D. Kubernetes API Server
:::spoiler Correct Answer:
D
:::
Question #38
Which of the following represents a baseline security measure for containers?
A. Configuring a static IP for each container. B. Run containers as the root user. C. Configuring persistent storage for containers. D. Implementing access control to restrict container access.
:::spoiler Correct Answer:
D
:::
Question #39
Which way of defining security policy brings consistency, minimizes toil, and reduces the probability of misconfiguration?
A. Manually configuring security controls for each individual resource, regularly. B. Using a declarative approach to define security policies as code. C. Implementing security policies through manual scripting on an ad-hoc basis. D. Relying on manual audits and inspections for security policy enforcement.
:::spoiler Correct Answer:
B
:::
Question #40
Why might NetworkPolicy resources have no effect in a Kubernetes cluster?
A. NetworkPolicy resources are only enforced for unprivileged Pods. B. NetworkPolicy resources are only enforced if the user has the right RBAC permissions. C. NetworkPolicy resources are only enforced if the networking plugin supports them. D. NetworkPolicy resources are only enforced if the Kubernetes scheduler supports them.
:::spoiler Correct Answer:
C
:::
Question #41
What is the difference between gVisor and Firecracker?
A. gVisor is a user-space kernel that provides isolation and security for containers. At the same time, Firecracker is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads. B. gVisor is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads. At the same time, Firecracker is a user-space kernel that provides isolation and security for containers. C. gVisor and Firecracker are two names for the same technology, which provides isolation and security for containers. D. gVisor and Firecracker are both container runtimes that can be used interchangeably.
:::spoiler Correct Answer:
A
:::
Question #42
An attacker has access to the network segment that the cluster is on. What happens when a compromised Pod attempts to connect to the API server?
A. The compromised Pod is automatically isolated from the network to prevent any connections to the API server. B. The compromised Pod is allowed to connect to the API server without any restrictions. C. The compromised Pod connects to the API server and is granted elevated privileges by default. D. The compromised Pod attempts to connect to the API server, but its requests may be blocked due to network policies.
:::spoiler Correct Answer:
D
:::
Question #43
Why does the default base64 encoding that Kubernetes applies to the contents of Secret resources provide inadequate protection?
A. Base64 encoding does not encrypt the contents of the Secret, only obfuscates it. B. Base64 encoding is not supported by all Secret Stores. C. Base64 encoding relies on a shared key which can be easily compromised. D. Base64 encoding is vulnerable to brute-force attacks.
:::spoiler Correct Answer:
A
:::
Question #44
A cluster is failing to pull more recent versions of images from k8s.gcr.io. Why may this be?
A. The authentication credentials for accessing k8s.gcr.io are incorrectly scoped. B. There is a network connectivity issue between the cluster and k8s.gcr.io. C. The container image registry k8s.gcr.io has been deprecated. D. There is a bug in the container runtime or the image pull process.
:::spoiler Correct Answer:
C
:::
Question #45
A Kubernetes cluster tenant can launch privileged pods in contravention of the restricted Pod Security Standard mandated for cluster tenants and enforced by the built-in PodSecurity admission controller. The tenant has full CRUD permissions on the namespace object and the namespaced resources. How did the tenant achieve this?
A. By deleting the PodSecurity admission controller deployment running in their namespace. B. The scope of the tenant role means privilege escalation is impossible. C. By using higher-level access credentials obtained from another namespace. D. By tampering with the namespace labels.
:::spoiler Correct Answer:
D
:::
Question #46
Is it possible to restrict permissions so that a controller can only change the image of a deployment (without changing anything else about it, e.g., environment variables, commands, replicas, secrets)?
A. No, because granting access to the
spec.containers.imagefield always grants access to the rest of the spec object. B. Yes, with a ‘managed fields’ annotation. C. Not with RBAC, but it is possible with an admission webhook. D. Yes, by granting permission to the/imagesubresource.
:::spoiler Correct Answer:
C
:::
Question #47
Which of the following statements is true concerning the use of microVMs over user-space kernel implementations for advanced container sandboxing?
A. MicroVMs offer higher isolation than user-space kernel implementations at the cost of a higher per-instance memory footprint. B. MicroVMs provide reduced application compatibility and higher per-system call overhead than user-space kernel implementations. C. MicroVMs allow for easier container management and orchestration than user-space kernel implementation. D. MicroVMs offer lower isolation and security compared to user-space kernel implementations.
:::spoiler Correct Answer:
A
:::
Question #48
In a cluster that contains Nodes with multiple container runtimes installed, how can a Pod be configured to be created on a specific runtime?
A. By setting the container runtime as an environment variable in the Pod. B. By specifying the container runtime in the Pod’s YAML file. C. By using a command-line flag when creating the Pod. D. By modifying the Docker daemon configuration.
:::spoiler Correct Answer:
B
:::
Question #49
Which of the following is a valid security risk caused by having no egress controls in a Kubernetes cluster?
A. Data exfiltration. B. Increased attack surface. C. Unauthorized access to external resources. D. Denial of Service.
:::spoiler Correct Answer:
A
:::
Question #50
What is the purpose of the Supplier Assessments and Reviews control in the NIST 800-53 Rev. 5 set of controls for Supply Chain Risk Management?
A. To establish contractual agreements with suppliers. B. To identify potential suppliers for the organization. C. To evaluate and monitor existing suppliers for adherence to security requirements. D. To conduct regular audits of suppliers’ financial performance.
:::spoiler Correct Answer:
C
:::
Question #51
When using a cloud provider’s managed Kubernetes service, who is responsible for maintaining the etcd cluster?
A. Kubernetes administrator B. Application developer C. Namespace administrator D. Cloud provider
:::spoiler Correct Answer:
D
:::
Question #52
In order to reduce the attack surface of the Scheduler, which default parameter should be set to false?
A. –secure-kubeconfig B. –scheduler-name C. –bind-address D. –profiling
:::spoiler Correct Answer:
D
:::
Question #53
A cluster administrator wants to enforce the use of a different container runtime depending on the application a workload belongs to. How could a mutating admission controller be configured to achieve this?
A. By manually modifying the container runtime for each workload after it has been created. B. By modifying the kube-apiserver configuration file to specify the desired container runtime for each application. C. By configuring a mutating admission controller webhook that intercepts new workload creation requests and modifies the container runtime based on the application label. D. By configuring a validating admission controller webhook that verifies the container runtime based on the application label and rejects requests that do not comply.
:::spoiler Correct Answer:
C
:::
Question #54
An attacker has successfully overwhelmed the Kubernetes API server in a cluster with a single control plane node by flooding it with requests. How would implementing a high-availability mode with multiple control plane nodes mitigate this attack?
A. By implementing rate limiting and throttling mechanisms on the API server to restrict the number of requests allowed. B. By implementing network segmentation to isolate the API server from the rest of the cluster, preventing the attack from spreading. C. By increasing the resources allocated to the API server, allowing it to handle a higher volume of requests. D. By distributing the workload across multiple API servers, reducing the load on each server.
:::spoiler Correct Answer:
D
:::
Question #55
In which order are the validating and mutating admission controllers run while the Kubernetes API server processes a request?
A. Validating admission controllers run before mutating admission controllers. B. Mutating admission controllers run before validating admission controllers. C. The order of execution varies and is determined by the cluster configuration. D. Validating and mutating admission controllers run simultaneously.
:::spoiler Correct Answer:
B
:::
Question #56
Question: Which security knowledge-base focuses specifically on offensive tools, techniques, and procedures?
A. NIST Cybersecurity Framework B. MITRE ATT&CK C. CIS Controls D. OWASP Top 10
:::spoiler Correct Answer:
B
:::
Question #57
Question: What does the ‘cluster-admin’ ClusterRole enable when used in a RoleBinding?
A. It gives full control over every resource in the cluster and in all namespaces. B. It gives full control over every resource in the role binding’s namespace, including the namespace itself. C. It gives full control over every resource in the role binding’s namespace, not including the namespace object for isolation purposes. D. It allows read/write access to most resources in the role binding’s namespace. This role does not allow write access to resource quota, to the namespace itself, and to EndpointSlices (or Endpoints).
:::spoiler Correct Answer:
B
:::
Question #58
Question: To restrict the kubelet’s rights to the Kubernetes API, what authorization mode should be set on the Kubernetes API server?
A. AlwaysAllow B. Node C. Webhook D. kubelet
:::spoiler Correct Answer:
B
:::
Question #59
Question: What is a multi-stage build?
A. A build process that involves multiple repositories for storing container images. B. A build process that involves multiple developers collaborating on building an image. C. A build process that involves multiple containers running simultaneously to speed up the image creation. D. A build process that involves multiple stages of image creation, allowing for smaller, optimized images.
:::spoiler Correct Answer:
D
:::
Question #60
Question: Which information does a user need to verify a signed container image?
A. The image’s SHA-256 hash and the public key of the signing authority. B. The image’s digital signature and the private key of the signing authority. C. The image’s digital signature and the public key of the signing authority. D. The image’s SHA-256 hash and the private key of the signing authority.
:::spoiler Correct Answer:
C
:::
Question #61
Which of the following snippets from a RoleBinding correctly associates user bob with Role pod-reader?
A.
subjects:
-kind: User
name: pod-reader
apiGroup:rbac.authorization.k8s.io
roleRef:
kind: Role
name: bob
apiGroup:rbac.authorization.k8s.ioB.
subjects:
kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup:rbac.authorization.k8s.ioC.
subjects:
kind: Group
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.ioD.
subjects:
kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup:rbac.authorization.k8s.io:::spoiler Correct Answer:
D
:::
Question #62
Which of the following is a benefit of signing container images?
A. Prevents container images with vulnerabilities from running B. Preserves the confidentiality of code within the container image C. Ensures the authenticity and integrity of the cotnainer image D. Ensure that container images are free of malicious code
:::spoiler Correct Answer:
C
:::
Question #63
Which organisation provides Kubernetes Security Benchmarks for both self-hosted and managed platform
A. The Open Web Application Security Project (OWASP) B. The Cloud Native Computing FOundation (CNCF) C. The Center for Internet Security (CIS) D. The National Institute of Standards and Technology (NIST)
:::spoiler Correct Answer:
C
:::
Question #64
An attacker has disabled the log forward for a Kubernetes cluster with the aim of hiding evidence of their malicious activity from incident. Which attack type in STRIDE would this fall under
A. Repudiation B. Spoofing C. Tampering D. Denial of Service
:::spoiler Correct Answer:
A
:::
Question #65
A Kubernetes cluster runs on a cloud platform. The platform’s metadata API provides information about the cluster (e.g.). What should be done to mitigate the risk associated with cloud metadata API access?
A. Regularly audit the access logs of the cloud metadata API B. Restrict Pod access to the cloud metadata API via network policies C. Turn off the cloud metadata API D. Ensure that all sensitive data in the cloud metadata API is encrypted
:::spoiler Correct Answer:
B
:::
Question #66
Which of the following is a recommendation in the NSA and CISA Kubernetes Hardening Guidance on namespaces?
A. Use the default namespace for all workloads B. Use Pods should not be placed in Kube-system or kube-public C. Share the same namespace for all workloads to improve resource utilization D. Assign a single and unique namespace to each tenant
:::spoiler Correct Answer:
D
:::
Question #67
What is the name for the process of assessing the validity of vulnerabilities detected in the code or dependencies of a piece of software
A. Penetration Testing B. Static Code Analysis C. Vulnerability Triage D. Vulnerability Scanning
:::spoiler Correct Answer:
C
:::
Question #68
The user is configuring user authentication to a Kubernetes cluster. WHich of the following standards can be used to configure user authentication to a Kubernetes cluster without the use of an authentication webhook?
A. SAML B. OAuth 2.0 C. Kerberos D. OpenID Connect :::spoiler Correct Answer:
D
:::
Question #69
A user is responsible for managing a multi-tenant Kubernetes platform’s security. They are worried about data condifentiality across to different tenants, and the impact of a compromise in case of an attacker eavesdropping traffic at the node level. Why would they implement a service mesh for this specific use case?
A. To improve network security by encrypting traffic between services through mutual TLS B. To enhance observability and monitoring of services within the Kubernetes platform C. To improve the performance and scalability of services within the Kubernetes platform D. To simplify the management and configuration of services in a Kubernetes cluster
:::spoiler Correct Answer:
A
:::
Question #70
What is the effect of allowing privilege escalation at the container security context level?
A. Privilege escalation facilitates smoother cluster scaling by allowing Pods to adapt to increased workloads B. Privilege escalation can allow a container to gain more privileges than its parent process, which may be used for exploitation C. Privilege escalation optimizes resource utilization within the cluster by enabling Pods to share resources via namespaces D. Privilege escalation ensures better isolation between containers in a Pod, limiting the impact of security breaches
:::spoiler Correct Answer:
B
:::
Question #71
What is a trust boundary in the context of Kubernetes
A. The boundary between two components where trust levels change B. The boundary between two Services defined by different teams C. The boundary between two Nodes in different subnets D. The boundary between two Pods from different applications
:::spoiler Correct Answer:
A
:::
Question #72
Which explicitly describes the respective security and operations obligations of both the cloud provider and the cloud user?
A. Segregation of Duties Model B. Least Privilege Model C. Shared Responsibility Model D. Zero Trust Model
:::spoiler Correct Answer:
C
:::
Question #73
A malicious actor with root access on a node wants to run a container without it being visible in the Kubernetes API. How can attacker achieve this?
A. By Exploiting a vulnberability in the Kubernetes control plane components B. By running the container using the underlying container runtime C. By creating a static Pod using a filesystem-hosted static Pod manifest D. By leveraging a Kubernetes admission controller to hide the controller
:::spoiler Correct Answer:
B
:::
Question #74
A user has a client X.509 certificate with Subject including O=system:masters that lets them authenticate to the Kubernetes API server. What consequence of this?
A. The user will have no access to the Kubernetes cluster B. The user will have read-only access to the Kubernetes cluster C. The user will have limited access to specific namespaces in the Kubernetes cluster D. The user will have full administrator access to the Kubernetes cluster
:::spoiler Correct Answer:
D
:::
Question #75
AppArmor profiles preventing access to sensitive resources have been loaded onto a Node, but the Pods running on the Node can still acr resources. How can the Pods be configured correctly constrained by the AppArmor profiles?
A. Edit the Pod YAML files to include the correct AppArmor profile annotations. B. Restart the Pods to apply the profiles to the Pods running on the Node. C. Reload the AppArmor profiles on the Node. D. Enable AppArmor for the Pods running on the Node.
:::spoiler Correct Answer:
A
:::
Question #76
In a multi-tenant Kubernetes environment where each team has distinct access requirements and workloads, which combination of s enhance client security and maintain workload isolation?
A. Enable anonymous authentication, enforce mutual TLS (mTLS), and segregate workloads using pod affinities. B. Rely solely on basic authentication with a shared password across all teams, utilize node taints and tolerations, and tur optimize performance. C. Use service account tokens for all external and internal clients, store client credentials in ConfigMaps, and rely on na workload isolation. D. Utilize bearer tokens with a third-party identity service, employ network policies for Pod-level isolation, and leverag interactions.
:::spoiler Correct Answer:
D
:::
Question #77
What is the operational impact of a failing kube-controller-manager Pod in the Kubernetes control plane?
A. Pods can no longer be scheduled on the worker node running the failing kube-controller-manager Pod. Other worker nodes are not impacted. B. Due to the lack of egress network policies, Pods can no longer communicate with external networks. C. The container runtime on the worker node running the failing kube-controller-manager Pod evicts all existing containers from the same node. Other worker nodes are not impacted. D. The cluster does not correctly manage the life-cycle of cluster resources, which makes it subject to a Denial of Service.
:::spoiler Correct Answer:
D
:::
Question #78
In a Kubernetes environment, how do Linux namespaces ensure the isolation of containers?
A. Linux namespaces ensure that processes within containers are only granted specific privileges without granting all the B. Linux namespaces provide a mechanism for isolating groups of Kubernetes resources within a single cluster, includir Services. C. Linux namespaces provide process isolation of filesystems, network resources, process IDs, and other Operating System separate namespaces for processes within containers. D. Linux namespaces constrain resources that are allocated to processes within containers, such as CPU/memory
:::spoiler Correct Answer:
C
:::
Question #79
In Kubernetes, which of the following conditions must be met for a user to be able to create or update a Role?
A. The user is granted a role to create/update RoleBinding or ClusterRoleBinding objects. B. The user is granted explicit permission to perform the ‘bind’ verb on the roles or ClusterRoles resource in the rbac.authenticate.kubernetes.io API group. C. The user is granted explicit permission to perform the ’escalate’ verb on its own User resource in the authenticate.kubernetes.io D. The user already has all the permissions contained in the role at the same scope as the object being modified.
:::spoiler Correct Answer:
D
:::
Question #80
In the STRIDE threat modelling framework, what does the letter D stand for?
A. Denial of Service B. Data Tampering C. Disclosure D. Deception
:::spoiler Correct Answer:
A
:::
Question #81
A user is responsible for securing their Kubernetes pipeline and ensuring that the components are signed, and their signatures are validated. What is the purpose of pipeline attestation?
A. Pipeline attestation verifies the integrity of the software supply chain and ensures that the components have not been breaked B. Pipeline attestation is a process of automatically deploying and testing new versions of components in the pipeline C. Pipeline attestation is a security feature that encrypts the communication between the pipeline components. D. Pipeline attestation ensures that all components in the pipeline are up to date and have the latest security patches
:::spoiler Correct Answer:
A
:::
Question #82
Which components should be able to access etcd at the network level directly?
A. Only worker nodes in the cluster. B. All Pods running in the cluster. C. Only the Kubernetes API server. D. All Kubernetes control plane components.
:::spoiler Correct Answer:
C
:::
Question #83
A user needs to maintain the audit policy of a Kubernetes cluster and wants to make sure that they log the most information in regard to. Which level do they select for the Pod resource?
A. RequestResponse B. RequestResponseMetadata C. Request D. Metadata
:::spoiler Correct Answer:
A
:::
Question #84
Why is setting resource limits and requests for Kubernetes pods important to prevent internal Denial of Service scenarios?
A. To optimize the network performance of the cluster B. To ensure even distribution of storage resources among pods C. To prevent a single pod from consuming excessive resources, impacting overall cluster stability D. To facilitate rapid scaling of applications in response to demand
:::spoiler Correct Answer:
C
:::
Question #85
What is the primary security advantage of using client certificate authentication for Kubernetes API server access?
A. To enable rapid deployment of Kubernetes resources B. To provide a secure method of authentication that minimizes the risk of credential theft C. To optimize the network traffic flow within the Kubernetes cluster D. To facilitate the integration of Kubernetes with cloud-based storage services
:::spoiler Correct Answer:
B
:::
Question #86
Which of the following is a key benefit of implementing a Service Mesh in a cloud-native application architecture from a security perspective?
A. Automatic scaling of application resources B. Simplified service discovery and load balancing C. Enhanced traffic encryption and fine-grained access control D. Reduced need for application-level logging
:::spoiler Correct Answer:
C
:::
Question #87
What is a key security measure for the Kubernetes Controller Manager to prevent unauthorized control of cluster components?
A. Configuring Horizontal Pod Autoscaling for the Controller Manager B. Enabling Role-Based Access Control (RBAC) for the Controller Manager’s operations C. Implementing network policies specific to the Controller Manager D. Regularly updating container runtime environments in the cluster
:::spoiler Correct Answer:
B
:::
Question #88
Why is it important to enable and configure Kubelet client certificate rotation in a Kubernetes cluster?
A. To improve the performance efficiency of the Kubelet B. To ensure efficient resource allocation by the Kubelet C. To facilitate smoother upgrades of Kubelet software D. To enhance security through regular updating of authentication credentials
:::spoiler Correct Answer:
D
:::
Question #89
What is the role of a Certificate Authority (CA) in the PKI setup of a Kubernetes cluster?
A. To provide load balancing between different Kubernetes services B. To manage the distribution of secrets within the Kubernetes cluster C. To issue and manage digital certificates for secure communication within the cluster D. To optimize network traffic routing within the Kubernetes environment
:::spoiler Correct Answer:
C
:::
Question #90
In Kubernetes, why is it important to configure Pod Security Admissions to audit mode?
A. To automatically scale pods based on the detected security risk B. To evaluate the impact of proposed security policies without enforcing them C. To enhance the data throughput performance of pods D. To manage the allocation of persistent storage resources to pods
:::spoiler Correct Answer:
B
:::
Question #91
Why is pod isolation crucial in a multi-tenant Kubernetes environment?
A. To optimize the load balancing of network traffic among different tenants B. To manage the allocation of storage resources to different tenant namespaces C. To prevent a compromised or malicious pod in one tenant environment from affecting others D. To ensure uniform resource utilization across different tenant environments
:::spoiler Correct Answer:
C
:::
Question #92
Why is the secure management of secrets in persistent storage important in Kubernetes threat modeling?
A. To facilitate seamless scaling of applications based on storage demands B. To prevent unauthorized access to sensitive information like credentials and keys stored as secrets C. To optimize the load balancing across different storage resources D. To improve the network communication efficiency between storage volumes and pods
:::spoiler Correct Answer:
B
:::
Question #93
Which practice is most effective in securing workload and application code in a cloud-native environment against unauthorized access and data breaches?
A. Implementing auto-scaling for workloads B. Performing regular network penetration testing C. Enforcing role-based access control (RBAC) at the application level D. Using container orchestration tools for deployment automation
:::spoiler Correct Answer:
C
:::
Question #94
What is a crucial measure in Kubernetes to secure communication and data transfer, thereby mitigating the risk posed by an attacker on the network?
A. Increasing the number of pod replicas to distribute network traffic B. Implementing network policies to control and restrict pod-to-pod communication C. Automating pod deployments to reduce configuration errors D. Using load balancers to evenly distribute incoming network traffic
:::spoiler Correct Answer:
B
:::
Question #95
Why is restricting access to Kubernetes’ cluster-level resources critical in mitigating the risk of privilege escalation?
A. To enhance the performance of cluster components B. To optimize resource distribution among different cluster services C. To prevent unauthorized users or compromised applications from gaining extensive control over the cluster D. To facilitate seamless communication between cluster services
:::spoiler Correct Answer:
C
:::
Question #96
Which security practice is most effective in preventing unauthorized or compromised container images from being deployed in a Kubernetes environment?
A. Regularly updating Kubernetes and its dependencies B. Implementing continuous integration/continuous deployment (CI/CD) pipelines C. Enforcing image scanning and vulnerability assessment D. Using network policies to control pod-to-pod communication
:::spoiler Correct Answer:
C
:::
Question #97
What is the primary security benefit of isolating Kubernetes service traffic using a Service Mesh like Istio or Linkerd?
A. To enhance the auto-scaling capabilities of services based on traffic B. To enable automatic routing and load balancing of service requests C. To provide encrypted communication and fine-grained access control between services D. To improve the efficiency of resource utilization among services
:::spoiler Correct Answer:
C
:::
Question #98
Why is setting Pod Security Admissions (PSA) to ‘audit’ mode beneficial during the initial implementation phase?
A. To improve the data processing efficiency within the cluster B. To manage the allocation of resources based on security policy evaluation C. To record policy violations for assessment, allowing administrators to fine-tune security policies before enforcement D. To optimize the distribution of network traffic among microservices
:::spoiler Correct Answer:
C
:::
Question #99
Why is configuring access controls on a Kubernetes image repository crucial for platform security?
A. To optimize the distribution of images across multiple clusters B. To ensure only authorized personnel and systems can push or pull images C. To enhance the speed of image deployment to production environments D. To facilitate the integration of the repository with external monitoring tools
:::spoiler Correct Answer:
B
:::
Question #100
When assessing the security of a cloud-native infrastructure, which of the following would not typically be the direct responsibility of the cloud service provider?
A. Physical security of data center facilities B. Patching the host operating system of virtual machines C. Encrypting data at rest within the customer’s application D. Ensuring the availability of network infrastructure
:::spoiler Correct Answer:
C
:::
Question #101
In Kubernetes, why is it important to restrict the use of host network and host PID namespaces in pods?
A. To improve the load balancing of network traffic among pods B. To enhance the isolation of pods from the underlying host system C. To facilitate better resource allocation to pods D. To streamline the deployment process of pods
:::spoiler Correct Answer:
B
:::
Question #102
What is an effective security measure in Kubernetes to mitigate risks from an attacker present on the network?
A. Implementing resource quotas to limit the use of cluster resources by pods B. Encrypting data in transit between pods and services within the cluster C. Automating the deployment process of pods and services D. Utilizing load balancers to distribute network traffic evenly across pods
:::spoiler Correct Answer:
B
:::
Question #103
What is the primary purpose of enabling mutual TLS (mTLS) authentication on the Kubernetes API Server?
A. To increase the processing speed of API requests B. To ensure load balancing of API requests across multiple servers C. To provide encrypted and authenticated communication between clients and the API server D. To facilitate automatic scaling of the API server based on traffic
:::spoiler Correct Answer:
C
:::
Question #104
Which component of the 4Cs of Cloud Native Security is directly responsible for implementing security policies and controls within the application code to prevent vulnerabilities?
A. Code Security B. Container Security C. Cloud Infrastructure Security D. Cluster Security
:::spoiler Correct Answer:
A
:::
Question #105
Why is the ‘Restricted’ policy in Kubernetes Pod Security Standards important for handling sensitive workloads?
A. To optimize resource allocation for sensitive applications B. To implement strict security constraints that minimize the risk of security breaches in sensitive applications C. To increase the computational speed of applications handling sensitive data D. To ensure high availability of sensitive applications in the cluster
:::spoiler Correct Answer:
B
:::
Question #106
In the context of Kubernetes cluster security, how can the Scheduler component be secured to prevent unauthorized scheduling of pods?
A. By implementing Horizontal Pod Autoscaling for the Scheduler B. By applying Network Policies specific to the Scheduler C. By enforcing Role-Based Access Control (RBAC) for scheduling decisions D. By using a Service Mesh to manage traffic to the Scheduler
:::spoiler Correct Answer:
C
:::
Question #107
Pod Root access is uing what PID
A. 0 B. 1000 C. 1001 D. 5000
:::spoiler Correct Answer:
A
:::
Question #108
Use images scanning is setting in?
A. CRI B. PodSecurityPolicy (PSP) C. PodSecurityContext (PSC) D. Pod Security Admission (PSA)
:::spoiler Correct Answer:
D
:::
Question #109
Signed container images pull from private registry is what permission for security.
A. Read only B. Read Write C. No Need set any permission D. Write only
:::spoiler Correct Answer:
A
:::
Question #110
POD Admission controller take action in what stage?
A. Before authentication Before Authorization B. Before authentication After Authorization C. After authentication Before Authorization D. After authentication After Authorization
:::spoiler Correct Answer:
D
:::
Question #111
API server send request to kubelet use what certificate
A. Use root certificates B. Use CA certificates C. Use server certificates D. Use client certificates
:::spoiler Correct Answer:
D
:::
2025 考試實戰心得
多的考題
- STRIDE 的 D 是什麼
- trust boundary 的描述定義(題目給好幾個定義描述去挑),原本題庫也有,但換了個問法,關鍵在於跨兩個安全信任等級不同的區域
- 考 Networkpolicy egress 的 yaml 寫法, 要讓兩個 pod 能夠通
- NIST 800-53 的定義要多了解一下,它會換個方式問
- cloud vender 跟客戶對於 K8S 的安全性,怎麼分責的定義(題目給好幾個定義描述去挑)
- 有一個人叫 Bob,他的 role 的 yaml 內容會長什麼樣?考 role yaml 的格式,四個選項,選格式是正確的。