KCSA Linux-Foundation Exam Questions and Free Practice Test

Question 13

Which of the following statements is true concerning the use ofmicroVMsover user-space kernel implementations for advanced container sandboxing?

A. MicroVMs allow for easier container management and orchestration than user-space kernel implementation.

B. MicroVMs offer higher isolation than user-space kernel implementations at the cost of a higher per-instance memory footprint.

C. MicroVMs provide reduced application compatibility and higher per-system call overhead than user-space kernel implementations.

D. MicroVMs offer lower isolation and security compared to user-space kernel implementations.

Correct Answer:B
MicroVM-based runtimes(e.g., Firecracker, Kata Containers) use lightweight VMs to provide strong isolation between workloads.
Compared touser-space kernel implementations(e.g., gVisor), microVMs generally:
Offerhigher isolation and security(due to VM-level separation).
Come with ahigher memory and resource overhead per instancethan user-space approaches.
Incorrect options:
(A) Orchestration is handled by Kubernetes, not inherently easier with microVMs.
(C) Compatibility is typically better with microVMs, not worse.
(D) Isolation is stronger, not weaker.
[References:, CNCF Security Whitepaper – Workload isolation: microVMs vs. user-space kernel sandboxes., Kata Containers Project – isolation trade-offs., ]

Question 14

In a Kubernetes cluster, what are the security risks associated with using ConfigMaps for storing secrets?

A. Storing secrets in ConfigMaps does not allow for fine-grained access control via RBAC.

B. Storing secrets in ConfigMaps can expose sensitive information as they are stored in plaintext and can be accessed by unauthorized users.

C. Using ConfigMaps for storing secrets might make applications incompatible with the Kubernetes cluster.

D. ConfigMaps store sensitive information in etcd encoded in base64 format automatically, which does not ensure confidentiality of data.

Correct Answer:B
KCSA dumps exhibit ConfigMaps are explicitly not for confidential data.
Exact extract (ConfigMap concept):"A ConfigMap is an API object used to store non-confidential data in key-value pairs."
Exact extract (ConfigMap concept):"ConfigMaps are not intended to hold confidential data. Use a Secret for confidential data."
KCSA dumps exhibit Why this is risky:data placed into a ConfigMap is stored as regular (plaintext) string values in the API and etcd (unless you deliberately use binaryData for base64 content you supply). That means if someone has read access to the namespace or to etcd/APIServer storage, they can view the values.
KCSA dumps exhibit Secrets vs ConfigMaps (to clarify distractor D):
Exact extract (Secret concept):"By default, secret data is stored as unencrypted base64-encoded strings.You canenable encryption at restto protect Secrets stored in etcd."
This base64 behavior applies toSecrets, not to ConfigMap data. Thus optionDis incorrect for ConfigMaps.
KCSA dumps exhibit About RBAC (to clarify distractor A):Kubernetesdoessupport fine-grained RBAC forbothConfigMaps and Secrets; the issue isn't lack of RBAC but that ConfigMaps arenotdesigned for confidential material.
About compatibility (to clarify distractor C):Using ConfigMaps for secrets doesn't make apps "incompatible"; it's simplyinsecureand against guidance.
[References:, Kubernetes Docs —ConfigMaps: https://kubernetes.io/docs/concepts/configuration/configmap/, Kubernetes Docs —Secrets: https://kubernetes.io/docs/concepts/configuration/secret/, Kubernetes Docs —Encrypting Secret Data at Rest: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/, Note: The citations above are from the official Kubernetes documentation and reflect the stated guidance that ConfigMaps are fornon-confidentialdata, while Secrets (with encryption at rest enabled) are forconfidentialdata, and that the 4C's map todefense in depth., ]

Question 15

A Kubernetes cluster tenant can launch privileged Pods in contravention of therestricted Pod Security Standardmandated for cluster tenants and enforced by the built-inPodSecurity admission controller.
The tenant has full CRUD permissions on the namespace object and the namespaced resources. How did the tenant achieve this?

A. The scope of the tenant role means privilege escalation is impossible.

B. By tampering with the namespace labels.

C. By deleting the PodSecurity admission controller deployment running in their namespace.

D. By using higher-level access credentials obtained reading secrets from another namespace.

Correct Answer:B
ThePodSecurity admission controllerenforces Pod Security Standards (Baseline, Restricted, Privileged)based on namespace labels.
If a tenant has full CRUD on the namespace object, they canmodify the namespace labelsto remove or weaken the restriction (e.g., setting pod-security.kubernetes.io/enforce=privileged).
This allows privileged Pods to be admitted despite the security policy.
KCSA dumps exhibit Incorrect options:
(A) is false — namespace-level access allows tampering.
(C) is invalid — PodSecurity admission is not namespace-deployed, it??s a cluster-wide admission controller.
(D) is unrelated — Secrets from other namespaces wouldn??t directly bypass PodSecurity enforcement.
References:
Kubernetes Documentation – Pod Security Admission
CNCF Security Whitepaper – Admission control and namespace-level policy enforcement weaknesses.

Question 16

Which other controllers are part of the kube-controller-manager inside the Kubernetes cluster?

A. Job controller, CronJob controller, and DaemonSet controller

B. Pod, Service, and Ingress controller

C. Namespace controller, ConfigMap controller, and Secret controller

D. Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller

Correct Answer:D
KCSA dumps exhibit kube-controller-managerruns a set of controllers that regulate the cluster??s state.
Exact extract (Kubernetes Docs): "The kube-controller-manager runs controllers that are core to Kubernetes. Examples of controllers are: Node controller, Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller."
KCSA dumps exhibit Why D is correct:All listed are actual controllers within kube-controller-manager.
Why others are wrong:
A:Job and CronJob controllers are managed by kube-controller-manager, but DaemonSet controller is managed by the kube-scheduler/deployment logic.
B:Pod, Service, Ingress controllers are not part of kube-controller-manager.
KCSA dumps exhibit C:ConfigMap and Secret do not have dedicated controllers.
[References:, Kubernetes Docs — kube-controller-manager: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/, ]

START KCSA EXAM