Linux Foundation KCSA Dumps

In NIST SP 800-53 Rev. 5,SR-6: Supplier Assessments and Reviewsrequires evaluating and monitoring suppliers’ security and risk practices.

Exact extract (NIST SP 800-53 Rev. 5, SR-6):

“The organization assesses and monitors suppliers to ensure they are meeting the security requirements specified in contracts and agreements.”

This is aboutongoing monitoringof supplier adherence, not financial audits, not contract creation, and not supplier discovery.

Image signing (withNotary, cosign, or similar tools) ensures that images are from a trusted source and have not been modified.

Exact extract (Sigstore cosign docs):“Cosign allows you to sign and verify container images to ensure authenticity and integrity.”

Why others are wrong:

B:Ownership can be inferred but it’s aboutauthenticity & integritynot tenancy.

C:Not mandatory; enforcement requiresadmission controllers.

D:Metadata size is negligible and has no runtime performance impact.

Kubernetes stores Secret data asbase64-encoded stringsin etcd by default.

Base64 is not encryption— it is a simple encoding scheme that merelyobfuscatesdata for transport and storage. Anyone with read access to etcd or the Secret manifest can easily decode the value back to plaintext.

For actual protection, Kubernetes supportsencryption at rest(via encryption providers) and external Secret management (Vault, KMS, etc.).

Kubernetes supportsmultiple container runtimeson a node via theRuntimeClassresource.

To select a runtime, you specify the runtimeClassName field in thePod’s YAML manifest. Example:

apiVersion: v1

kind: Pod

metadata:

name: example

spec:

runtimeClassName: gvisor

containers:

- name: app

image: nginx

Incorrect options:

(A) You cannot specify container runtime through a kubectl command-line flag.

(B) Modifying the Docker daemon config does not direct Kubernetes Pods to a runtime.

(C) Environment variables inside a Pod spec do not control container runtimes.

Thekube-schedulerexposes aprofiling/debugging endpointwhen --profiling=true (default).

This can unnecessarily increase the attack surface.

Best practice: set --profiling=false in production.

Exact extract (Kubernetes Docs – kube-scheduler flags):

“--profiling (default true): Enable profiling via web interface host:port/debug/pprof/.”

Why others are wrong:

--scheduler-name: just identifies the scheduler, not a security risk.

--secure-kubeconfig: not a valid flag.

--bind-address: changing it limits exposure but is not the default risk parameter for profiling.

ConfigMaps are explicitly not for confidential data.

Exact extract (ConfigMap concept):“A ConfigMap is an API object used to store non-confidential data in key-value pairs.”

Exact extract (ConfigMap concept):“ConfigMaps are not intended to hold confidential data. Use a Secret for confidential data.”

Why this is risky:data placed into a ConfigMap is stored as regular (plaintext) string values in the API and etcd (unless you deliberately use binaryData for base64 content you supply). That means if someone has read access to the namespace or to etcd/APIServer storage, they can view the values.

Secrets vs ConfigMaps (to clarify distractor D):

Exact extract (Secret concept):“By default, secret data is stored as unencrypted base64-encoded strings.You canenable encryption at restto protect Secrets stored in etcd.”

This base64 behavior applies toSecrets, not to ConfigMap data. Thus optionDis incorrect for ConfigMaps.

About RBAC (to clarify distractor A):Kubernetesdoessupport fine-grained RBAC forbothConfigMaps and Secrets; the issue isn’t lack of RBAC but that ConfigMaps arenotdesigned for confidential material.

About compatibility (to clarify distractor C):Using ConfigMaps for secrets doesn’t make apps “incompatible”; it’s simplyinsecureand against guidance.

The4C’s of Cloud Native Security(Cloud, Cluster, Container, Code) model starts withCloudas the base layer.

If the Cloud (infrastructure layer) is compromised, every higher layer (Cluster, Container, Code) inherits that compromise.

Exact extract (Kubernetes Security Overview):

“The 4C’s of Cloud Native security are Cloud, Clusters, Containers, and Code. You can think of the 4C’s as a layered approach. A Kubernetes cluster can only be as secure as the cloud infrastructure it is deployed on.”

This means the cloud is part of thetrusted computing baseof a Kubernetes cluster.

Thekubectlclient uses configuration from$HOME/.kube/configby default.

This file contains: cluster API server endpoint, user certificates, tokens, or kubeconfigs →sensitive credentials.

Exact extract (Kubernetes Docs – Configure Access to Clusters):

“By default, kubectl looks for a file named config in the $HOME/.kube directory. This file contains configuration information including user credentials.”

Other options clarified:

A: /etc/kubernetes/ exists on nodes (control plane) not client machines.

C: /opt/kubernetes/secrets/ is not a standard path.

D: $HOME/.config/kubernetes/ is not where kubeconfig is stored by default.

NetworkPolicies define how Pods can communicate with each other and external endpoints.

However, Kubernetes itselfdoes not enforce NetworkPolicy. Enforcement depends on theCNI pluginused (e.g., Calico, Cilium, Kube-Router, Weave Net).

If a cluster is using a network plugin that does not support NetworkPolicies, then creating NetworkPolicy objects hasno effect.

ThePodSecurity admission controllerenforces Pod Security Standards (Baseline, Restricted, Privileged)based on namespace labels.

If a tenant has full CRUD on the namespace object, they canmodify the namespace labelsto remove or weaken the restriction (e.g., setting pod-security.kubernetes.io/enforce=privileged).

This allows privileged Pods to be admitted despite the security policy.

Incorrect options:

(A) is false — namespace-level access allows tampering.

(C) is invalid — PodSecurity admission is not namespace-deployed, it’s a cluster-wide admission controller.

(D) is unrelated — Secrets from other namespaces wouldn’t directly bypass PodSecurity enforcement.

KubernetesPod Security Admission (PSA)enforcesPod Security Standardsby applying labels on Namespaces.

Exact extract (Kubernetes Docs – Pod Security Admission):

“You can label a namespace with pod-security.kubernetes.io/enforce: baseline to enforce the Baseline policy.”

Thebaselineprofile explicitly disallowsprivileged podsand other unsafe features.

Why others are wrong:

A & D: These labels do not exist in Kubernetes.

B: Setting privileged: true would allow privileged pods, not block them.

Pod Security Admission (PSA)enforces policies by applyinglabels on namespaces, not globally across the cluster.

Exact extract (Kubernetes Docs – Pod Security Admission):

“You can apply Pod Security Standards to namespaces by adding labels such as pod-security.kubernetes.io/enforce. Different namespaces can enforce different policies.”

Clarifications:

A: Incorrect, namespaces are the unit of enforcement.

C: Misleading — a namespace can have multiple enforcement modes (enforce, audit, warn).

D: Default namespace doesnotenforce strict policies unless labeled.

PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.

Exact extract (PCI DSS official summary):

“PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”

Therefore,merchants who process credit card paymentsmust comply.

Why others are wrong:

A: No card payments, so no PCI scope.

B: This falls underFISMA / NIST 800-53, not PCI DSS.

C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.

Container breakoutrefers to an attacker escaping container isolation and reaching thehost OS.

Once the host is compromised, the attacker can accessother containers, Kubernetes nodes, or escalate further.

Exact extract (Kubernetes Security Docs):

“If an attacker gains access to a container, they may attempt a container breakout to gain access to the host system.”

Other options clarified:

A: Network access inside a Pod ≠ breakout.

B: Resource exhaustion is aDoS, not a breakout.

C: Cloud infrastructure compromise is possibleafterhost compromise, but not the definition of breakout.

In akubeadm cluster, by default the API server enables several authentication mechanisms:

X509 Client Certs: Used for authenticating kubelets, admins, and control-plane components.

Bootstrap Tokens: Temporary credentials used for node bootstrap/joining clusters.

Service Account Tokens: Used by workloads in pods to authenticate with the API server.

Exact extract (Kubernetes Docs – Authentication):

“Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to authenticate API requests.”

“Bootstrap tokens are a simple bearer token that is meant to be used when creating new clusters or joining new nodes to an existing cluster.”

“Service accounts are special accounts that provide an identity for processes that run in a Pod.”

Kubernetes Admission Controllers can eithervalidateormutateincoming requests.

MutatingAdmissionWebhook (Mutating Admission Controller):

Canmodify or mutate resource manifestsbefore they are persisted in etcd.

Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.

ValidatingAdmissionWebhook (Validating Admission Controller):only allows/denies but doesnotchange requests.

PodSecurityPolicy:deprecated; cannot mutate requests.

ResourceQuota:enforces resource usage, but does not mutate manifests.

Exact Extract:

“Mutating admission webhooks are invoked first, and can modify objects to enforce defaults. Validating admission webhooks are invoked second, and can reject requests to enforce invariants.”

Service Mesh (e.g., Istio, Linkerd, Consul):operates atLayer 7 (application layer), enforcing policies like mTLS, authorization, and routing between services.

NetworkPolicy:works atLayer 3/4 (IP/port), not Layer 7.

Ingress Controller:handles external traffic ingress, not internal service-to-service traffic.

Container Runtime:responsible for running containers, not enforcing application-layer security.

Exact extract (Istio docs):

“Istio provides security by enforcing authentication, authorization, and encryption of service-to-service communication.”

Thecluster-adminClusterRole is asuperuser rolein Kubernetes.

Binding it (via RoleBinding or ClusterRoleBinding) grantsunrestricted control over all resources in the cluster, across all namespaces.

This includes management of cluster-scoped resources (nodes, CRDs, RBAC rules) and namespace-scoped resources.

Therefore, cluster-admin is equivalent toroot-level accessin Kubernetes and must be used with extreme caution.