[2026年最新] 高合格率な最新KCSAテストノートとKCSA高合格率な試験ガイドを試そう [Q19-Q43]

Share

[2026年最新] 高合格率な最新KCSAテストノートとKCSA高合格率な試験ガイドを試そう

KCSA実際の問題アンサーPDFには100%カバーリアル試験問題

質問 # 19
Why mightNetworkPolicyresources have no effect in a Kubernetes cluster?

  • A. NetworkPolicy resources are only enforced if the user has the right RBAC permissions.
  • B. NetworkPolicy resources are only enforced for unprivileged Pods.
  • C. NetworkPolicy resources are only enforced if the Kubernetes scheduler supports them.
  • D. NetworkPolicy resources are only enforced if the networking plugin supports them.

正解:D

解説:
* NetworkPolicies define how Pods can communicate with each other and external endpoints.
* However, Kubernetes itselfdoes not enforce NetworkPolicy. Enforcement depends on theCNI plugin used (e.g., Calico, Cilium, Kube-Router, Weave Net).
* If a cluster is using a network plugin that does not support NetworkPolicies, then creating NetworkPolicy objects hasno effect.
References:
Kubernetes Documentation - Network Policies
CNCF Security Whitepaper - Platform security section: notes that security enforcement relies on CNI capabilities.


質問 # 20
What is a multi-stage build?

  • A. A build process that involves multiple stages of image creation, allowing for smaller, optimized images.
  • B. A build process that involves multiple repositories for storing container images.
  • C. A build process that involves multiple developers collaborating on building an image.
  • D. A build process that involves multiple containers running simultaneously to speed up the image creation.

正解:A

解説:
* Multi-stage buildsare a Docker/Kaniko feature that allows building images in multiple stages # final image contains only runtime artifacts, not build tools.
* This reducesimage size, attack surface, and security risks.
* Exact extract (Docker Docs):
* "Multi-stage builds allow you to use multiple FROM statements in a Dockerfile. You can copy artifacts from one stage to another, resulting in smaller, optimized images."
* Clarifications:
* A: Collaboration is not the definition.
* B: Multiple repositories # multi-stage builds.
* C: Build concurrency # multi-stage builds.
References:
Docker Docs - Multi-Stage Builds: https://docs.docker.com/develop/develop-images/multistage-build/


質問 # 21
A cluster is failing to pull more recent versions of images from k8s.gcr.io. Why may this be?

  • A. There is a bug in the container runtime or the image pull process.
  • B. The authentication credentials for accessing k8s.gcr.io are incorrectly scoped.
  • C. There is a network connectivity issue between the cluster and k8s.gcr.io.
  • D. The container image registry k8s.gcr.io has been deprecated.

正解:D

解説:
* k8s.gcr.iowas the historic Kubernetes image registry.
* It has beendeprecatedand replaced withregistry.k8s.io.
* Exact extract (Kubernetes Blog):
* "The k8s.gcr.io image registry will be frozen from April 3, 2023 and fully deprecated. All Kubernetes project images are now served from registry.k8s.io."
* Pulling newer versions from k8s.gcr.io fails because the registry no longer receives updates.
References:
Kubernetes Blog - Image Registry Update: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze- announcement/


質問 # 22
Which of the following statements on static Pods is true?

  • A. The kubelet schedules static Pods local to its node without going through the kube-scheduler, making tracking and managing them difficult.
  • B. The kubelet can run a maximum of 5 static Pods on each node.
  • C. The kubelet only deploys static Pods when the kube-scheduler is unresponsive.
  • D. The kubelet can run static Pods that span multiple nodes, provided that it has the necessary privileges from the API server.

正解:A

解説:
* Static Podsare managed directly by thekubeleton each node.
* They arenot scheduled by the kube-schedulerand always remain bound to the node where they are defined.
* Exact extract (Kubernetes Docs - Static Pods):
* "Static Pods are managed directly by the kubelet daemon on a specific node, without the API server. They do not go through the Kubernetes scheduler."
* Clarifications:
* A: Static Pods do not span multiple nodes.
* B: No hard limit of 5 Pods per node.
* D: They are not a fallback mechanism; kubelet always manages them regardless of scheduler state.
References:
Kubernetes Docs - Static Pods: https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/


質問 # 23
What kind of organization would need to be compliant with PCI DSS?

  • A. Non-profit organizations that handle sensitive customer data.
  • B. Government agencies that collect personally identifiable information.
  • C. Retail stores that only accept cash payments.
  • D. Merchants that process credit card payments.

正解:D

解説:
* PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.
* Exact extract (PCI DSS official summary):
* "PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and
/or sensitive authentication data (SAD)."
* Therefore,merchants who process credit card paymentsmust comply.
* Why others are wrong:
* A: No card payments, so no PCI scope.
* B: This falls underFISMA / NIST 800-53, not PCI DSS.
* C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.
References:
PCI Security Standards Council - PCI DSS Summary: https://www.pcisecuritystandards.org/pci_security/


質問 # 24
Which of the following statements is true concerning the use ofmicroVMsover user-space kernel implementations for advanced container sandboxing?

  • A. MicroVMs offer higher isolation than user-space kernel implementations at the cost of a higher per- instance memory footprint.
  • B. MicroVMs allow for easier container management and orchestration than user-space kernel implementation.
  • C. MicroVMs offer lower isolation and security compared to user-space kernel implementations.
  • D. MicroVMs provide reduced application compatibility and higher per-system call overhead than user- space kernel implementations.

正解:A

解説:
* MicroVM-based runtimes(e.g., Firecracker, Kata Containers) use lightweight VMs to provide strong isolation between workloads.
* Compared touser-space kernel implementations(e.g., gVisor), microVMs generally:
* Offerhigher isolation and security(due to VM-level separation).
* Come with ahigher memory and resource overhead per instancethan user-space approaches.
* Incorrect options:
* (A) Orchestration is handled by Kubernetes, not inherently easier with microVMs.
* (C) Compatibility is typically better with microVMs, not worse.
* (D) Isolation is stronger, not weaker.
References:
CNCF Security Whitepaper - Workload isolation: microVMs vs. user-space kernel sandboxes.
Kata Containers Project - isolation trade-offs.


質問 # 25
How can a user enforce thePod Security Standardwithout third-party tools?

  • A. Use the PodSecurity admission controller.
  • B. No additional measures have to be taken to enforce the Pod Security Standard.
  • C. It is only possible to enforce the Pod Security Standard with additional tools within the cloud native ecosystem.
  • D. Through implementing Kyverno or OPA Policies.

正解:A

解説:
* ThePodSecurity admission controller(built-in as of Kubernetes v1.23+) enforces the Pod Security Standards (Privileged, Baseline, Restricted).
* Enforcement is namespace-scoped and configured throughnamespace labels.
* Incorrect options:
* (A) Kyverno/OPA are external policy tools (useful but not required).
* (C) Not true, PodSecurity admission provides native enforcement.
* (D) Enforcement requires explicit configuration, not automatic.
References:
Kubernetes Documentation - Pod Security Admission
CNCF Security Whitepaper - Policy enforcement and admission control.


質問 # 26
When should soft multitenancy be used over hard multitenancy?

  • A. When the priority is enabling resource sharing and efficiency between tenants.
  • B. When the priority is enabling fine-grained control over tenant resources.
  • C. When the priority is enabling strict security boundaries between tenants.
  • D. When the priority is enabling complete isolation between tenants.

正解:A

解説:
* Soft multitenancy(Namespaces, RBAC, Network Policies) # assumes some level of trust between tenants, focuses onresource sharing and efficiency.
* Hard multitenancy(separate clusters or strong virtualization) # strict isolation, used when tenants are untrusted.
* Exact extract (CNCF TAG Security Multi-Tenancy Whitepaper):
* "Soft multi-tenancy refers to multiple workloads running in the same cluster with some trust assumptions. It provides resource sharing and operational efficiency. Hard multi- tenancy requires stronger isolation guarantees, typically separate clusters." References:
CNCF Security TAG - Multi-Tenancy Whitepaper:https://github.com/cncf/tag-security/tree/main/multi- tenancy


質問 # 27
Which way of defining security policy brings consistency, minimizes toil, and reduces the probability of misconfiguration?

  • A. Implementing security policies through manual scripting on an ad-hoc basis.
  • B. Relying on manual audits and inspections for security policy enforcement.
  • C. Manually configuring security controls for each individual resource, regularly.
  • D. Using a declarative approach to define security policies as code.

正解:D

解説:
* Defining policiesas code (declarative)is a best practice in Kubernetes and cloud-native security.
* This is aligned withGitOpsandPolicy-as-Codeprinciples (OPA Gatekeeper, Kyverno, etc.).
* Exact extract (CNCF Security Whitepaper):
* "Policy-as-Code enables declarative definition and enforcement of security policies, bringing consistency, automation, and reducing misconfiguration risk."
* Manual audits, ad-hoc scripting, or individual configurations are error-prone and inconsistent.
References:
CNCF Security Whitepaper:https://github.com/cncf/tag-security
Kubernetes Docs - Policy as Code (OPA, Kyverno): https://kubernetes.io/docs/concepts/security/


質問 # 28
Which of the following snippets from a RoleBinding correctly associates user bob with Role pod-reader ?

  • A. subjects:
    - kind: User
    name: bob
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: ClusterRole
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
  • B. subjects:
    - kind: User
    name: bob
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: Role
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
  • C. subjects:
    - kind: User
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: Role
    name: bob
    apiGroup: rbac.authorization.k8s.io
  • D. subjects:
    - kind: Group
    name: bob
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: Role
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io

正解:B

解説:
Kubernetes RBAC usesRoleBindingto grant permissions defined in aRoleto asubject(user, group, or service account) within a namespace. The official example shows binding user jane to Role pod-reader:
"A RoleBinding grants the permissions defined in a Role to a user or set of users...." Example:
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
- Kubernetes docs, RBAC: RoleBinding and ClusterRoleBinding
OptionBmatches this pattern exactly, with name: bob as theUsersubject and roleRef pointing to theRole named pod-reader.
* Aswaps the names (subject is pod-reader, role is bob) # incorrect.
* Creferences aClusterRole, not aRole(the question asks for Role).
* Duses kind: Group even though we need theUserbob.
References:
Kubernetes Docs - Using RBAC Authorization #RoleBinding and ClusterRoleBinding: https://kubernetes.io
/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding


質問 # 29
What does thecluster-adminClusterRole enable when used in a RoleBinding?

  • A. It gives full control over every resource in the cluster and in all namespaces.
  • B. It gives full control over every resource in the role binding's namespace, including the namespace itself.
  • C. It allows read/write access to most resources in the role binding's namespace. This role does not allow write access to resource quota, to the namespace itself, and to EndpointSlices (or Endpoints).
  • D. It gives full control over every resource in the role binding's namespace, not including the namespace object for isolation purposes.

正解:A

解説:
* Thecluster-adminClusterRole is asuperuser rolein Kubernetes.
* Binding it (via RoleBinding or ClusterRoleBinding) grantsunrestricted control over all resources in the cluster, across all namespaces.
* This includes management of cluster-scoped resources (nodes, CRDs, RBAC rules) and namespace- scoped resources.
* Therefore, cluster-admin is equivalent toroot-level accessin Kubernetes and must be used with extreme caution.
References:
Kubernetes Documentation - Default Roles and Role Bindings
CNCF Security Whitepaper - Identity and Access Management: cautions against assigningcluster-admin broadly due to its unrestricted nature.


質問 # 30
Given a standard Kubernetes cluster architecture comprising a single control plane node (hosting bothetcdand the control plane as Pods) and three worker nodes, which of the following data flows crosses atrust boundary
?

  • A. From kubelet to API Server
  • B. From kubelet to Container Runtime
  • C. From kubelet to Controller Manager
  • D. From API Server to Container Runtime

正解:A

解説:
* Trust boundariesexist where data flows between different security domains.
* In Kubernetes:
* Communication between thekubelet (node agent)and theAPI Server (control plane)crosses the node-to-control-plane trust boundary.
* (A) Kubelet to container runtime is local, no boundary crossing.
* (C) Kubelet does not communicate directly with the controller manager.
* (D) API server does not talk directly to the container runtime; it delegates to kubelet.
* Therefore, (B) is the correct trust boundary crossing flow.
References:
CNCF Security Whitepaper - Kubernetes Threat Model: identifies node-to-control-plane communications (kubelet # API Server) as crossing trust boundaries.
Kubernetes Documentation - Cluster Architecture


質問 # 31
You are responsible for securing thekubeletcomponent in a Kubernetes cluster.
Which of the following statements about kubelet security is correct?

  • A. Kubelet supports TLS authentication and encryption for secure communication with the API server.
  • B. Kubelet does not have any built-in security features.
  • C. Kubelet requires root access to interact with the host system.
  • D. Kubelet runs as a privileged container by default.

正解:A

解説:
* Thekubeletis the primary agent that runs on each node in a Kubernetes cluster and communicates with the control plane.
* Kubeletsupports TLS (Transport Layer Security)for both authentication and encryption when interacting with the API server. This is a core security feature that ensures secure node-to-control-plane communication.
* Incorrect options:
* (A) Kubelet does not run as a privileged container by default; it runs as a system process (typically systemd-managed) on the host.
* (B) Kubelet does include built-in security features such asTLS authentication, authorization modes, and read-only vs secured ports.
* (D) While kubelet interacts with the host system (e.g., cgroups, container runtimes), it does not inherently require root access for communication security; RBAC and TLS handle authentication.
References:
Kubernetes Documentation - Kubelet authentication/authorization
CNCF Security Whitepaper - Cluster Component Security (discusses TLS and mutual authentication between kubelet and API server).


質問 # 32
Which of the following is a valid security risk caused by having no egress controls in a Kubernetes cluster?

  • A. Denial of Service
  • B. Data exfiltration
  • C. Increased attack surface
  • D. Unauthorized access to external resources

正解:B

解説:
* Egress NetworkPoliciesrestrict outbound traffic from Pods.
* Without egress restrictions, a compromised Pod could exfiltrate sensitive data (secrets, logs, customer data) to an attacker-controlled server.
* Exact extract (Kubernetes Docs - Network Policies):
* "Egress rules control outbound connections from Pods. Without such restrictions, compromised workloads can connect freely to external endpoints."
* Other options clarified:
* A: DoS is more about flooding, not egress absence.
* C: "Increased attack surface" is vague but not the main risk.
* D: True in a sense, but the precise and most common risk isdata exfiltration.
References:
Kubernetes Docs - Network Policies: https://kubernetes.io/docs/concepts/services-networking/network- policies/


質問 # 33
On a client machine, what directory (by default) contains sensitive credential information?

  • A. /opt/kubernetes/secrets/
  • B. /etc/kubernetes/
  • C. $HOME/.config/kubernetes/
  • D. $HOME/.kube

正解:D

解説:
* Thekubectlclient uses configuration from$HOME/.kube/configby default.
* This file contains: cluster API server endpoint, user certificates, tokens, or kubeconfigs #sensitive credentials.
* Exact extract (Kubernetes Docs - Configure Access to Clusters):
* "By default, kubectl looks for a file named config in the $HOME/.kube directory. This file contains configuration information including user credentials."
* Other options clarified:
* A: /etc/kubernetes/ exists on nodes (control plane) not client machines.
* C: /opt/kubernetes/secrets/ is not a standard path.
* D: $HOME/.config/kubernetes/ is not where kubeconfig is stored by default.
References:
Kubernetes Docs - Configure Access to Clusters: https://kubernetes.io/docs/concepts/configuration/organize- cluster-access-kubeconfig/


質問 # 34
A container running in a Kubernetes cluster has permission to modify host processes on the underlying node.
What combination of privileges and capabilities is most likely to have led to this privilege escalation?

  • A. hostPath and AUDIT_WRITE
  • B. There is no combination of privileges and capabilities that permits this.
  • C. hostNetwork and NET_RAW
  • D. hostPID and SYS_PTRACE

正解:D

解説:
* hostPID:When enabled, the container shares the host's process namespace # container can see and potentially interact with host processes.
* SYS_PTRACE capability:Grants the container the ability to trace, inspect, and modify other processes (e.g., via ptrace).
* Combination of hostPID + SYS_PTRACE allows a container toattach to and modify host processes, which is a direct privilege escalation.
* Other options explained:
* hostPath + AUDIT_WRITE:hostPath exposes filesystem paths but does not inherently allow process modification.
* hostNetwork + NET_RAW:grants raw socket access but only for networking, not host process modification.
* A:Incorrect - such combinationsdo exist(like B).
References:
Kubernetes Docs - Configure a Pod to use hostPID: https://kubernetes.io/docs/tasks/configure-pod-container
/share-process-namespace/
Linux Capabilities man page: https://man7.org/linux/man-pages/man7/capabilities.7.html


質問 # 35
To restrict the kubelet's rights to the Kubernetes API, whatauthorization modeshould be set on the Kubernetes API server?

  • A. AlwaysAllow
  • B. kubelet
  • C. Node
  • D. Webhook

正解:C

解説:
* TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.
* It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.
* Incorrect options:
* (B)AlwaysAllowallows unrestricted access (insecure).
* (C) No kubelet authorization mode exists.
* (D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.
References:
Kubernetes Documentation - Node Authorization
CNCF Security Whitepaper - Access control: kubelet authorization and Node authorizer.


質問 # 36
In the event that kube-proxy is in a CrashLoopBackOff state, what impact does it have on the Pods running on the same worker node?

  • A. The Pod's security context restrictions cannot be enforced.
  • B. The Pod's resource utilization increases significantly.
  • C. The Pods cannot communicate with other Pods in the cluster.
  • D. The Pod cannot mount persistent volumes through CSI drivers.

正解:C

解説:
* kube-proxy:manages cluster network routing rules (via iptables or IPVS). It enables Pods to communicate with Services and Pods across nodes.
* If kube-proxy fails (CrashLoopBackOff), service IP routing and cluster-wide pod-to-pod networking breaks. Local Pod-to-Pod communication within the same node may still work, butcross-node communication fails.
* Exact extract (Kubernetes Docs - kube-proxy):
* "kube-proxy maintains network rules on nodes. These rules allow network communication to Pods from network sessions inside or outside of the cluster." References:
Kubernetes Docs - kube-proxy: https://kubernetes.io/docs/reference/command-line-tools-reference/kube- proxy/


質問 # 37
A Kubernetes cluster tenant can launch privileged Pods in contravention of therestricted Pod Security Standardmandated for cluster tenants and enforced by the built-inPodSecurity admission controller.
The tenant has full CRUD permissions on the namespace object and the namespaced resources. How did the tenant achieve this?

  • A. By using higher-level access credentials obtained reading secrets from another namespace.
  • B. By deleting the PodSecurity admission controller deployment running in their namespace.
  • C. The scope of the tenant role means privilege escalation is impossible.
  • D. By tampering with the namespace labels.

正解:D

解説:
* ThePodSecurity admission controllerenforces Pod Security Standards (Baseline, Restricted, Privileged)based on namespace labels.
* If a tenant has full CRUD on the namespace object, they canmodify the namespace labelsto remove or weaken the restriction (e.g., setting pod-security.kubernetes.io/enforce=privileged).
* This allows privileged Pods to be admitted despite the security policy.
* Incorrect options:
* (A) is false - namespace-level access allows tampering.
* (C) is invalid - PodSecurity admission is not namespace-deployed, it's a cluster-wide admission controller.
* (D) is unrelated - Secrets from other namespaces wouldn't directly bypass PodSecurity enforcement.
References:
Kubernetes Documentation - Pod Security Admission
CNCF Security Whitepaper - Admission control and namespace-level policy enforcement weaknesses.


質問 # 38
Is it possible to restrict permissions so that a controller can only change the image of a deployment (without changing anything else about it, e.g., environment variables, commands, replicas, secrets)?

  • A. Yes, by granting permission to the /image subresource.
  • B. Not with RBAC, but it is possible with an admission webhook.
  • C. Yes, with a 'managed fields' annotation.
  • D. No, because granting access to the spec.containers.image field always grants access to the rest of the spec object.

正解:B

解説:
* RBAC in Kubernetesis coarse-grained: it controlsverbs(get, update, patch, delete) onresources(e.g., deployments), butnot individual fieldswithin a resource.
* There isno /image subresource for deployments(there is one for pods but only for ephemeral containers).
* Therefore,RBAC cannot restrict changes only to the image field.
* Admission Webhooks(mutating/validating)canenforce fine-grained policies (e.g., deny updates that change anything other than spec.containers[*].image).
* Exact extract (Kubernetes Docs - Admission Webhooks):
* "Admission webhooks can be used to enforce custom policies on objects being admitted." References:
Kubernetes Docs - RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ Kubernetes Docs - Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz
/extensible-admission-controllers/


質問 # 39
In a Kubernetes environment, what kind of Admission Controller can modify resource manifests when applied to the Kubernetes API to fix misconfigurations automatically?

  • A. PodSecurityPolicy
  • B. ResourceQuota
  • C. ValidatingAdmissionController
  • D. MutatingAdmissionController

正解:D

解説:
* Kubernetes Admission Controllers can eithervalidateormutateincoming requests.
* MutatingAdmissionWebhook (Mutating Admission Controller):
* Canmodify or mutate resource manifestsbefore they are persisted in etcd.
* Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.
* ValidatingAdmissionWebhook (Validating Admission Controller):only allows/denies but doesnot change requests.
* PodSecurityPolicy:deprecated; cannot mutate requests.
* ResourceQuota:enforces resource usage, but does not mutate manifests.
Exact Extract:
* "Mutating admission webhooks are invoked first, and can modify objects to enforce defaults.
Validating admission webhooks are invoked second, and can reject requests to enforce invariants.
"
References:
Kubernetes Docs - Admission Controllers: https://kubernetes.io/docs/reference/access-authn-authz
/admission-controllers/
Kubernetes Docs - Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz
/extensible-admission-controllers/


質問 # 40
Which security knowledge-base focuses specifically onoffensive tools, techniques, and procedures?

  • A. CIS Controls
  • B. MITRE ATT&CK
  • C. OWASP Top 10
  • D. NIST Cybersecurity Framework

正解:B

解説:
* MITRE ATT&CKis a globally recognizedknowledge base of adversary tactics, techniques, and procedures (TTPs). It is focused on describingoffensive behaviorsattackers use.
* Incorrect options:
* (B)OWASP Top 10highlights common application vulnerabilities, not attacker techniques.
* (C)CIS Controlsare defensive best practices, not offensive tools.
* (D)NIST Cybersecurity Frameworkprovides a risk-based defensive framework, not adversary TTPs.
References:
MITRE ATT&CK Framework
CNCF Security Whitepaper - Threat intelligence section: references MITRE ATT&CK for describing attacker behavior.


質問 # 41
What is the reasoning behind considering the Cloud as the trusted computing base of a Kubernetes cluster?

  • A. The Cloud enforces security controls at the Kubernetes cluster level, so application developers can focus on applications only.
  • B. A vulnerability in the Cloud layer has a negligible impact on containers due to Linux isolation mechanisms.
  • C. A Kubernetes cluster can only be as secure as the security posture of its Cloud hosting.
  • D. A Kubernetes cluster can only be trusted if the underlying Cloud provider is certified against international standards.

正解:C

解説:
* The4C's of Cloud Native Security(Cloud, Cluster, Container, Code) model starts withCloudas the base layer.
* If the Cloud (infrastructure layer) is compromised, every higher layer (Cluster, Container, Code) inherits that compromise.
* Exact extract (Kubernetes Security Overview):
* "The 4C's of Cloud Native security are Cloud, Clusters, Containers, and Code. You can think of the 4C's as a layered approach. A Kubernetes cluster can only be as secure as the cloud infrastructure it is deployed on."
* This means the cloud is part of thetrusted computing baseof a Kubernetes cluster.
References:
Kubernetes Docs - Security Overview (4C's): https://kubernetes.io/docs/concepts/security/overview/#the-
4cs-of-cloud-native-security


質問 # 42
As a Kubernetes and Cloud Native Security Associate, a user can set upaudit loggingin a cluster. What is the risk of logging every event at the fullRequestResponselevel?

  • A. Increased storage requirements and potential impact on performance.
  • B. Improved security and easier incident investigation.
  • C. No risk, as it provides the most comprehensive audit trail.
  • D. Reduced storage requirements and faster performance.

正解:A

解説:
* Audit loggingrecords API server requests and responses for security monitoring.
* TheRequestResponse levellogs the full request and response bodies, which can:
* Significantly increasestorage and performance overhead.
* Potentially log sensitive data (including Secrets).
* Therefore, while comprehensive, it introduces risks of performance degradation and excessive log volume.
References:
Kubernetes Documentation - Auditing
CNCF Security Whitepaper - Logging and monitoring: trade-offs between verbosity, storage, and security.


質問 # 43
......


Linux Foundation KCSA 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Kubernetes クラスタコンポーネントのセキュリティ:この試験セクションでは、Kubernetes 管理者のスキルを評価し、Kubernetes クラスタを構成するコアコンポーネントのセキュリティ保護に焦点を当てます。API サーバー、etcd、kubelet、コンテナランタイム、ネットワーク要素といった主要コンポーネントのセキュリティ構成と潜在的な脆弱性を網羅し、各コンポーネントが攻撃に対して強化されていることを確認します。
トピック 2
  • クラウドネイティブセキュリティの概要:このセクションでは、クラウドセキュリティアーキテクトのスキルを評価し、クラウドネイティブ環境のセキュリティの基本原則を網羅します。4Cセキュリティモデル、クラウドインフラストラクチャの共有責任モデル、共通セキュリティコントロールとコンプライアンスフレームワーク、リソースの分離とコンテナイメージやアプリケーションコードなどのアーティファクトのセキュリティ保護手法に関する理解が含まれます。
トピック 3
  • コンプライアンスとセキュリティフレームワーク:このセクションでは、コンプライアンス担当者のスキルを評価し、セキュリティを確保し、規制要件を満たすための正式な構造の適用に焦点を当てます。業界標準のコンプライアンスおよび脅威モデリングフレームワークの活用、サプライチェーンのセキュリティ要件の理解、組織のセキュリティ体制の維持と証明のための自動化ツールの活用などが網羅されます。
トピック 4
  • Kubernetes脅威モデル:このセクションでは、クラウドセキュリティアーキテクトのスキルを評価し、Kubernetesクラスターに対する潜在的な脅威を特定し、軽減する能力が問われます。権限昇格、サービス拒否攻撃、悪意のあるコード実行、ネットワークベースの攻撃といった一般的な攻撃ベクトルに加え、機密データを保護し、攻撃者が環境内で永続性を獲得するのを防ぐための戦略を理解することが求められます。
トピック 5
  • Kubernetes セキュリティの基礎:このセクションでは、Kubernetes 管理者のスキルを評価し、Kubernetes における主要なセキュリティメカニズムを網羅します。これには、ポッドセキュリティ標準とアドミッションの実装、RBAC などの堅牢な認証・認可システムの設定、シークレットの適切な管理、ネットワークポリシーと監査ログを使用した分離の実施とクラスターアクティビティの監視が含まれます。

 

KCSA試験問題とアンサー:https://jp.fast2test.com/KCSA-premium-file.html

合格できるKCSA試験情報と無料練習テスト:https://drive.google.com/open?id=1j2W05ALc8hPUyUmmo8iPL18D-RIwR0W3


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어