Linux Foundation Kubernetes and Cloud Native Security Associate (KCSA) KCSA Exam Dumps: Updated Questions & Answers (September 2025)

Image signing (withNotary, cosign, or similar tools) ensures that images are from a trusted source and have not been modified.

Exact extract (Sigstore cosign docs):“Cosign allows you to sign and verify container images to ensure authenticity and integrity.”

Why others are wrong:

B:Ownership can be inferred but it’s aboutauthenticity & integritynot tenancy.

C:Not mandatory; enforcement requiresadmission controllers.

D:Metadata size is negligible and has no runtime performance impact.

TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.

It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.

Incorrect options:

(B)AlwaysAllowallows unrestricted access (insecure).

(C) No kubelet authorization mode exists.

(D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.

Kubernetes stores Secret data asbase64-encoded stringsin etcd by default.

Base64 is not encryption— it is a simple encoding scheme that merelyobfuscatesdata for transport and storage. Anyone with read access to etcd or the Secret manifest can easily decode the value back to plaintext.

For actual protection, Kubernetes supportsencryption at rest(via encryption providers) and external Secret management (Vault, KMS, etc.).

NIST SP 800-53 Rev. 5 introduces a dedicated family of controls calledSupply Chain Risk Management (SR).

Within SR,SR-2 (Supply Chain Risk Management Plan)is a specific control.

Exact extract from NIST 800-53 Rev. 5:

“The organization develops and implements a supply chain risk management plan for the system, system component, or system service.”

While Access Control, System and Communications Protection, and Incident Response are control families, the correctsupply chain-specific controlis theSupply Chain Risk Management Plan (SR-2).

Inhigh-availability clusters, multiple API server instances run behind a load balancer.

Thisdistributes client requests across multiple API servers, preventing a single API server from being overwhelmed.

Exact extract (Kubernetes Docs – High Availability Clusters):

“A highly available control plane runs multiple instances of kube-apiserver, typically fronted by a load balancer, so that if one instance fails or is overloaded, others continue serving requests.”

Other options clarified:

A: Network segmentation does not directly mitigate API server DoS.

C: Adding resources helps, but doesn’t solve single-point-of-failure.

D: Rate limiting is a valid mitigation but not provided by HA alone.

Trust boundariesexist where data flows between different security domains.

In Kubernetes:

Communication between thekubelet (node agent)and theAPI Server (control plane)crosses thenode-to-control-plane trust boundary.

(A) Kubelet to container runtime is local, no boundary crossing.

(C) Kubelet does not communicate directly with the controller manager.

(D) API server does not talk directly to the container runtime; it delegates to kubelet.

Therefore, (B) is the correct trust boundary crossing flow.

gVisor:

Google-developed, implemented as auser-space kernelthat intercepts and emulates syscalls made by containers.

Providesstrong isolationwithout requiring a full VM.

Official docs: “gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface.”

Source: https://gvisor.dev/docs/

Firecracker:

AWS-developed,lightweight virtualization technologybuilt on KVM, used in AWS Lambda and Fargate.

Optimized for running secure, multi-tenant microVMs (MicroVMs) for containers and FaaS.

Official docs: “Firecracker is an open-source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.”

Source: https://firecracker-microvm.github.io/

Key difference:gVisor → syscall interception in userspace kernel (container isolation). Firecracker → lightweight virtualization with microVMs (multi-tenant security).

Therefore, optionAis correct.

In NIST SP 800-53 Rev. 5,SR-6: Supplier Assessments and Reviewsrequires evaluating and monitoring suppliers’ security and risk practices.

Exact extract (NIST SP 800-53 Rev. 5, SR-6):

“The organization assesses and monitors suppliers to ensure they are meeting the security requirements specified in contracts and agreements.”

This is aboutongoing monitoringof supplier adherence, not financial audits, not contract creation, and not supplier discovery.

MicroVM-based runtimes(e.g., Firecracker, Kata Containers) use lightweight VMs to provide strong isolation between workloads.

Compared touser-space kernel implementations(e.g., gVisor), microVMs generally:

Offerhigher isolation and security(due to VM-level separation).

Come with ahigher memory and resource overhead per instancethan user-space approaches.

Incorrect options:

(A) Orchestration is handled by Kubernetes, not inherently easier with microVMs.

(C) Compatibility is typically better with microVMs, not worse.

(D) Isolation is stronger, not weaker.

Thekube-schedulerexposes aprofiling/debugging endpointwhen --profiling=true (default).

This can unnecessarily increase the attack surface.

Best practice: set --profiling=false in production.

Exact extract (Kubernetes Docs – kube-scheduler flags):

“--profiling (default true): Enable profiling via web interface host:port/debug/pprof/.”

Why others are wrong:

--scheduler-name: just identifies the scheduler, not a security risk.

--secure-kubeconfig: not a valid flag.

--bind-address: changing it limits exposure but is not the default risk parameter for profiling.