Stage 7 · Master
KCSA — Kubernetes & Cloud Native Security Associate
KCSA Full Mock Exam
60 questions covering all five security domains — the real thing without the pressure.
Exam Format
The KCSA (Kubernetes and Cloud Native Security Associate) exam is a proctored, multiple-choice exam delivered through PSI. You get 90 minutes to answer 60 questions. It tests security knowledge across the entire cloud native stack.
| Detail | Value |
|---|---|
| Questions | 60 multiple choice |
| Time | 90 minutes |
| Passing score | 67% (40 out of 60) |
| Delivery | Online proctored via PSI |
| Prerequisites | None (but KCNA knowledge helps) |
Domain Weights
| Domain | Weight | Questions (approx) |
|---|---|---|
| Kubernetes Cluster Component Security | 22% | 13 |
| Kubernetes Threat Model | 16% | 10 |
| Platform Security | 16% | 10 |
| Overview of Cloud Native Security | 14% | 8 |
| Compliance & Hardening | 10% | 6 |
| Security Governance | — | Included in above |
Cluster Component Security (22%) is the largest domain. Master RBAC, API server security, and etcd protection. The Threat Model (16%) and Platform Security (16%) are also high-value targets.
Sample Questions
Answer: etcd. Secrets are stored as base64-encoded values in etcd. They are not encrypted by default — you must enable EncryptionConfiguration to encrypt Secrets at rest.
Answer: It limits the kubelet's ability to modify Node and Pod objects. This prevents a compromised kubelet from escalating privileges or accessing Secrets from other Pods.
Answer: Privileged and Baseline. The Restricted level blocks hostNetwork: true. Baseline blocks only the most dangerous host access while allowing some host networking features.
Answer: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. It is a threat classification model used to systematically identify security threats.
Answer: Set --authorization-mode=RBAC,Node on the API server. This enables both RBAC authorization and Node authorizer for kubelet permissions.
Answer: RoleBinding grants a Role within a single namespace. ClusterRoleBinding grants a ClusterRole across the entire cluster. A ClusterRole can be bound at namespace scope using a RoleBinding.
Answer: Trivy. It scans container images, file systems, and Git repositories for CVEs, misconfigurations, and secrets. Other options include Grype, Snyk, and Clair.
Answer: Cloud, Cluster, Container, Code. Each layer builds on the one below it. Security must be addressed at every layer — a vulnerability in any layer compromises the layers above.
Time Strategy
- First pass — Answer all questions you know immediately. Skip uncertain ones.
- Time check — At 45 minutes, you should have answered at least 30 questions.
- Eliminate wrong answers — Even if unsure, eliminating two options improves your odds.
- Never leave blank — There is no penalty for guessing.
Scoring and Passing
The passing score is 67% — 40 out of 60 correct answers. The exam result is immediate. You receive a score report showing your performance in each domain.
Guess if you do not know the answer. An educated guess is always better than leaving a question blank. Use elimination to improve your odds.
Last-Minute Tips
- Read each question carefully — look for NOT, EXCEPT, or FIRST.
- Know the 4Cs model cold — it is the foundation for most security questions.
- Understand RBAC — Roles, ClusterRoles, Bindings, and the principle of least privilege.
- Know Pod Security Standards — Privileged, Baseline, Restricted.
- Review etcd security — encryption, authentication, network isolation.
- Practice with killer.sh if available with your exam voucher.
Before the exam, test your PSI browser, webcam, and internet connection. Have your ID ready. Close all other applications. The proctor may ask you to show your desk and room.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.