KCSA Questions and Answers

Starting a process in a running containerprovides an attacker withtemporary execution (foothold)inside the cluster, but once the container is stopped or restarted, that malicious process is lost. This means the attacker has nolong-term persistence.

Incorrect options:

(A) Modifying objects inetcdgrants persistent access since cluster state is stored in etcd.

(B) Modifying files on thehost filesystemcan create persistence across reboots or container restarts.

(D) Creating a restarting container directly on the host via Docker bypasses Kubernetes but persists across pod restarts if Docker restarts it.

kube-controller-managerruns a set of controllers that regulate the cluster’s state.

Exact extract (Kubernetes Docs):“The kube-controller-manager runs controllers that are core to Kubernetes. Examples of controllers are: Node controller, Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller.”

Why D is correct:All listed are actual controllers within kube-controller-manager.

Why others are wrong:

A:Job and CronJob controllers are managed by kube-controller-manager, but DaemonSet controller is managed by the kube-scheduler/deployment logic.

B:Pod, Service, Ingress controllers are not part of kube-controller-manager.

C:ConfigMap and Secret do not have dedicated controllers.

Egress NetworkPoliciesrestrict outbound traffic from Pods.

Without egress restrictions, a compromised Pod could exfiltrate sensitive data (secrets, logs, customer data) to an attacker-controlled server.

Exact extract (Kubernetes Docs – Network Policies):

“Egress rules control outbound connections from Pods. Without such restrictions, compromised workloads can connect freely to external endpoints.”

Other options clarified:

A: DoS is more about flooding, not egress absence.

C: “Increased attack surface” is vague but not the main risk.

D: True in a sense, but the precise and most common risk isdata exfiltration.

Kubernetes Admission Controllers can eithervalidateormutateincoming requests.

MutatingAdmissionWebhook (Mutating Admission Controller):

Canmodify or mutate resource manifestsbefore they are persisted in etcd.

Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.

ValidatingAdmissionWebhook (Validating Admission Controller):only allows/denies but doesnotchange requests.

PodSecurityPolicy:deprecated; cannot mutate requests.

ResourceQuota:enforces resource usage, but does not mutate manifests.

Exact Extract:

“Mutating admission webhooks are invoked first, and can modify objects to enforce defaults. Validating admission webhooks are invoked second, and can reject requests to enforce invariants.”

TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.

It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.

Incorrect options:

(B)AlwaysAllowallows unrestricted access (insecure).

(C) No kubelet authorization mode exists.

(D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.

Kubernetes stores Secret data asbase64-encoded stringsin etcd by default.

Base64 is not encryption— it is a simple encoding scheme that merelyobfuscatesdata for transport and storage. Anyone with read access to etcd or the Secret manifest can easily decode the value back to plaintext.

For actual protection, Kubernetes supportsencryption at rest(via encryption providers) and external Secret management (Vault, KMS, etc.).

ThePodSecurity admission controller(built-in as of Kubernetes v1.23+) enforces the Pod Security Standards (Privileged, Baseline, Restricted).

Enforcement is namespace-scoped and configured throughnamespace labels.

Incorrect options:

(A) Kyverno/OPA are external policy tools (useful but not required).

(C) Not true, PodSecurity admission provides native enforcement.

(D) Enforcement requires explicit configuration, not automatic.

Kubernetes supports workload-specific runtimes viaRuntimeClass.

Amutating admission controllercan enforce this automatically by:

Intercepting workload creation requests.

Modifying the Pod spec to set runtimeClassName based on labels or policies.

Incorrect options:

(A) Manual modification is not scalable or secure.

(B) kube-apiserver cannot enforce per-application runtime policies.

(C) A validating webhook can onlyreject, not modify, the runtime.

The4C’s of Cloud Native Security(Cloud, Cluster, Container, Code) model starts withCloudas the base layer.

If the Cloud (infrastructure layer) is compromised, every higher layer (Cluster, Container, Code) inherits that compromise.

Exact extract (Kubernetes Security Overview):

“The 4C’s of Cloud Native security are Cloud, Clusters, Containers, and Code. You can think of the 4C’s as a layered approach. A Kubernetes cluster can only be as secure as the cloud infrastructure it is deployed on.”

This means the cloud is part of thetrusted computing baseof a Kubernetes cluster.

Thekube-schedulerexposes aprofiling/debugging endpointwhen --profiling=true (default).

This can unnecessarily increase the attack surface.

Best practice: set --profiling=false in production.

Exact extract (Kubernetes Docs – kube-scheduler flags):

“--profiling (default true): Enable profiling via web interface host:port/debug/pprof/.”

Why others are wrong:

--scheduler-name: just identifies the scheduler, not a security risk.

--secure-kubeconfig: not a valid flag.

--bind-address: changing it limits exposure but is not the default risk parameter for profiling.

k8s.gcr.iowas the historic Kubernetes image registry.

It has beendeprecatedand replaced withregistry.k8s.io.

Exact extract (Kubernetes Blog):

“The k8s.gcr.io image registry will be frozen from April 3, 2023 and fully deprecated. All Kubernetes project images are now served from registry.k8s.io.”

Pulling newer versions from k8s.gcr.io fails because the registry no longer receives updates.

Kubernetes usesPKI certificatesextensively to secure communication between control plane components (API server, etcd, kube-scheduler, kube-controller-manager) and with kubelets.

Certificates enablemutual TLS authentication and encryptionacross components.

PKI does not handle scaling, networking, or monitoring.

PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.

Exact extract (PCI DSS official summary):

“PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”

Therefore,merchants who process credit card paymentsmust comply.

Why others are wrong:

A: No card payments, so no PCI scope.

B: This falls underFISMA / NIST 800-53, not PCI DSS.

C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.