
[2026年最新] 高合格率な最新KCSAテストノートとKCSA高合格率な試験ガイドを試そう
KCSA実際の問題アンサーPDFには100%カバーリアル試験問題
質問 # 19
Why mightNetworkPolicyresources have no effect in a Kubernetes cluster?
- A. NetworkPolicy resources are only enforced if the user has the right RBAC permissions.
- B. NetworkPolicy resources are only enforced for unprivileged Pods.
- C. NetworkPolicy resources are only enforced if the Kubernetes scheduler supports them.
- D. NetworkPolicy resources are only enforced if the networking plugin supports them.
正解:D
解説:
* NetworkPolicies define how Pods can communicate with each other and external endpoints.
* However, Kubernetes itselfdoes not enforce NetworkPolicy. Enforcement depends on theCNI plugin used (e.g., Calico, Cilium, Kube-Router, Weave Net).
* If a cluster is using a network plugin that does not support NetworkPolicies, then creating NetworkPolicy objects hasno effect.
References:
Kubernetes Documentation - Network Policies
CNCF Security Whitepaper - Platform security section: notes that security enforcement relies on CNI capabilities.
質問 # 20
What is a multi-stage build?
- A. A build process that involves multiple stages of image creation, allowing for smaller, optimized images.
- B. A build process that involves multiple repositories for storing container images.
- C. A build process that involves multiple developers collaborating on building an image.
- D. A build process that involves multiple containers running simultaneously to speed up the image creation.
正解:A
解説:
* Multi-stage buildsare a Docker/Kaniko feature that allows building images in multiple stages # final image contains only runtime artifacts, not build tools.
* This reducesimage size, attack surface, and security risks.
* Exact extract (Docker Docs):
* "Multi-stage builds allow you to use multiple FROM statements in a Dockerfile. You can copy artifacts from one stage to another, resulting in smaller, optimized images."
* Clarifications:
* A: Collaboration is not the definition.
* B: Multiple repositories # multi-stage builds.
* C: Build concurrency # multi-stage builds.
References:
Docker Docs - Multi-Stage Builds: https://docs.docker.com/develop/develop-images/multistage-build/
質問 # 21
A cluster is failing to pull more recent versions of images from k8s.gcr.io. Why may this be?
- A. There is a bug in the container runtime or the image pull process.
- B. The authentication credentials for accessing k8s.gcr.io are incorrectly scoped.
- C. There is a network connectivity issue between the cluster and k8s.gcr.io.
- D. The container image registry k8s.gcr.io has been deprecated.
正解:D
解説:
* k8s.gcr.iowas the historic Kubernetes image registry.
* It has beendeprecatedand replaced withregistry.k8s.io.
* Exact extract (Kubernetes Blog):
* "The k8s.gcr.io image registry will be frozen from April 3, 2023 and fully deprecated. All Kubernetes project images are now served from registry.k8s.io."
* Pulling newer versions from k8s.gcr.io fails because the registry no longer receives updates.
References:
Kubernetes Blog - Image Registry Update: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze- announcement/
質問 # 22
Which of the following statements on static Pods is true?
- A. The kubelet schedules static Pods local to its node without going through the kube-scheduler, making tracking and managing them difficult.
- B. The kubelet can run a maximum of 5 static Pods on each node.
- C. The kubelet only deploys static Pods when the kube-scheduler is unresponsive.
- D. The kubelet can run static Pods that span multiple nodes, provided that it has the necessary privileges from the API server.
正解:A
解説:
* Static Podsare managed directly by thekubeleton each node.
* They arenot scheduled by the kube-schedulerand always remain bound to the node where they are defined.
* Exact extract (Kubernetes Docs - Static Pods):
* "Static Pods are managed directly by the kubelet daemon on a specific node, without the API server. They do not go through the Kubernetes scheduler."
* Clarifications:
* A: Static Pods do not span multiple nodes.
* B: No hard limit of 5 Pods per node.
* D: They are not a fallback mechanism; kubelet always manages them regardless of scheduler state.
References:
Kubernetes Docs - Static Pods: https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/
質問 # 23
What kind of organization would need to be compliant with PCI DSS?
- A. Non-profit organizations that handle sensitive customer data.
- B. Government agencies that collect personally identifiable information.
- C. Retail stores that only accept cash payments.
- D. Merchants that process credit card payments.
正解:D
解説:
* PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.
* Exact extract (PCI DSS official summary):
* "PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and
/or sensitive authentication data (SAD)."
* Therefore,merchants who process credit card paymentsmust comply.
* Why others are wrong:
* A: No card payments, so no PCI scope.
* B: This falls underFISMA / NIST 800-53, not PCI DSS.
* C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.
References:
PCI Security Standards Council - PCI DSS Summary: https://www.pcisecuritystandards.org/pci_security/
質問 # 24
Which of the following statements is true concerning the use ofmicroVMsover user-space kernel implementations for advanced container sandboxing?
- A. MicroVMs offer higher isolation than user-space kernel implementations at the cost of a higher per- instance memory footprint.
- B. MicroVMs allow for easier container management and orchestration than user-space kernel implementation.
- C. MicroVMs offer lower isolation and security compared to user-space kernel implementations.
- D. MicroVMs provide reduced application compatibility and higher per-system call overhead than user- space kernel implementations.
正解:A
解説:
* MicroVM-based runtimes(e.g., Firecracker, Kata Containers) use lightweight VMs to provide strong isolation between workloads.
* Compared touser-space kernel implementations(e.g., gVisor), microVMs generally:
* Offerhigher isolation and security(due to VM-level separation).
* Come with ahigher memory and resource overhead per instancethan user-space approaches.
* Incorrect options:
* (A) Orchestration is handled by Kubernetes, not inherently easier with microVMs.
* (C) Compatibility is typically better with microVMs, not worse.
* (D) Isolation is stronger, not weaker.
References:
CNCF Security Whitepaper - Workload isolation: microVMs vs. user-space kernel sandboxes.
Kata Containers Project - isolation trade-offs.
質問 # 25
How can a user enforce thePod Security Standardwithout third-party tools?
- A. Use the PodSecurity admission controller.
- B. No additional measures have to be taken to enforce the Pod Security Standard.
- C. It is only possible to enforce the Pod Security Standard with additional tools within the cloud native ecosystem.
- D. Through implementing Kyverno or OPA Policies.
正解:A
解説:
* ThePodSecurity admission controller(built-in as of Kubernetes v1.23+) enforces the Pod Security Standards (Privileged, Baseline, Restricted).
* Enforcement is namespace-scoped and configured throughnamespace labels.
* Incorrect options:
* (A) Kyverno/OPA are external policy tools (useful but not required).
* (C) Not true, PodSecurity admission provides native enforcement.
* (D) Enforcement requires explicit configuration, not automatic.
References:
Kubernetes Documentation - Pod Security Admission
CNCF Security Whitepaper - Policy enforcement and admission control.
質問 # 26
When should soft multitenancy be used over hard multitenancy?
- A. When the priority is enabling resource sharing and efficiency between tenants.
- B. When the priority is enabling fine-grained control over tenant resources.
- C. When the priority is enabling strict security boundaries between tenants.
- D. When the priority is enabling complete isolation between tenants.
正解:A
解説:
* Soft multitenancy(Namespaces, RBAC, Network Policies) # assumes some level of trust between tenants, focuses onresource sharing and efficiency.
* Hard multitenancy(separate clusters or strong virtualization) # strict isolation, used when tenants are untrusted.
* Exact extract (CNCF TAG Security Multi-Tenancy Whitepaper):
* "Soft multi-tenancy refers to multiple workloads running in the same cluster with some trust assumptions. It provides resource sharing and operational efficiency. Hard multi- tenancy requires stronger isolation guarantees, typically separate clusters." References:
CNCF Security TAG - Multi-Tenancy Whitepaper:https://github.com/cncf/tag-security/tree/main/multi- tenancy
質問 # 27
Which way of defining security policy brings consistency, minimizes toil, and reduces the probability of misconfiguration?
- A. Implementing security policies through manual scripting on an ad-hoc basis.
- B. Relying on manual audits and inspections for security policy enforcement.
- C. Manually configuring security controls for each individual resource, regularly.
- D. Using a declarative approach to define security policies as code.
正解:D
解説:
* Defining policiesas code (declarative)is a best practice in Kubernetes and cloud-native security.
* This is aligned withGitOpsandPolicy-as-Codeprinciples (OPA Gatekeeper, Kyverno, etc.).
* Exact extract (CNCF Security Whitepaper):
* "Policy-as-Code enables declarative definition and enforcement of security policies, bringing consistency, automation, and reducing misconfiguration risk."
* Manual audits, ad-hoc scripting, or individual configurations are error-prone and inconsistent.
References:
CNCF Security Whitepaper:https://github.com/cncf/tag-security
Kubernetes Docs - Policy as Code (OPA, Kyverno): https://kubernetes.io/docs/concepts/security/
質問 # 28
Which of the following snippets from a RoleBinding correctly associates user bob with Role pod-reader ?
- A. subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io - B. subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io - C. subjects:
- kind: User
name: pod-reader
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: bob
apiGroup: rbac.authorization.k8s.io - D. subjects:
- kind: Group
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
正解:B
解説:
Kubernetes RBAC usesRoleBindingto grant permissions defined in aRoleto asubject(user, group, or service account) within a namespace. The official example shows binding user jane to Role pod-reader:
"A RoleBinding grants the permissions defined in a Role to a user or set of users...." Example:
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
- Kubernetes docs, RBAC: RoleBinding and ClusterRoleBinding
OptionBmatches this pattern exactly, with name: bob as theUsersubject and roleRef pointing to theRole named pod-reader.
* Aswaps the names (subject is pod-reader, role is bob) # incorrect.
* Creferences aClusterRole, not aRole(the question asks for Role).
* Duses kind: Group even though we need theUserbob.
References:
Kubernetes Docs - Using RBAC Authorization #RoleBinding and ClusterRoleBinding: https://kubernetes.io
/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding
質問 # 29
What does thecluster-adminClusterRole enable when used in a RoleBinding?
- A. It gives full control over every resource in the cluster and in all namespaces.
- B. It gives full control over every resource in the role binding's namespace, including the namespace itself.
- C. It allows read/write access to most resources in the role binding's namespace. This role does not allow write access to resource quota, to the namespace itself, and to EndpointSlices (or Endpoints).
- D. It gives full control over every resource in the role binding's namespace, not including the namespace object for isolation purposes.
正解:A
解説:
* Thecluster-adminClusterRole is asuperuser rolein Kubernetes.
* Binding it (via RoleBinding or ClusterRoleBinding) grantsunrestricted control over all resources in the cluster, across all namespaces.
* This includes management of cluster-scoped resources (nodes, CRDs, RBAC rules) and namespace- scoped resources.
* Therefore, cluster-admin is equivalent toroot-level accessin Kubernetes and must be used with extreme caution.
References:
Kubernetes Documentation - Default Roles and Role Bindings
CNCF Security Whitepaper - Identity and Access Management: cautions against assigningcluster-admin broadly due to its unrestricted nature.
質問 # 30
Given a standard Kubernetes cluster architecture comprising a single control plane node (hosting bothetcdand the control plane as Pods) and three worker nodes, which of the following data flows crosses atrust boundary
?
- A. From kubelet to API Server
- B. From kubelet to Container Runtime
- C. From kubelet to Controller Manager
- D. From API Server to Container Runtime
正解:A
解説:
* Trust boundariesexist where data flows between different security domains.
* In Kubernetes:
* Communication between thekubelet (node agent)and theAPI Server (control plane)crosses the node-to-control-plane trust boundary.
* (A) Kubelet to container runtime is local, no boundary crossing.
* (C) Kubelet does not communicate directly with the controller manager.
* (D) API server does not talk directly to the container runtime; it delegates to kubelet.
* Therefore, (B) is the correct trust boundary crossing flow.
References:
CNCF Security Whitepaper - Kubernetes Threat Model: identifies node-to-control-plane communications (kubelet # API Server) as crossing trust boundaries.
Kubernetes Documentation - Cluster Architecture
質問 # 31
You are responsible for securing thekubeletcomponent in a Kubernetes cluster.
Which of the following statements about kubelet security is correct?
- A. Kubelet supports TLS authentication and encryption for secure communication with the API server.
- B. Kubelet does not have any built-in security features.
- C. Kubelet requires root access to interact with the host system.
- D. Kubelet runs as a privileged container by default.
正解:A
解説:
* Thekubeletis the primary agent that runs on each node in a Kubernetes cluster and communicates with the control plane.
* Kubeletsupports TLS (Transport Layer Security)for both authentication and encryption when interacting with the API server. This is a core security feature that ensures secure node-to-control-plane communication.
* Incorrect options:
* (A) Kubelet does not run as a privileged container by default; it runs as a system process (typically systemd-managed) on the host.
* (B) Kubelet does include built-in security features such asTLS authentication, authorization modes, and read-only vs secured ports.
* (D) While kubelet interacts with the host system (e.g., cgroups, container runtimes), it does not inherently require root access for communication security; RBAC and TLS handle authentication.
References:
Kubernetes Documentation - Kubelet authentication/authorization
CNCF Security Whitepaper - Cluster Component Security (discusses TLS and mutual authentication between kubelet and API server).
質問 # 32
Which of the following is a valid security risk caused by having no egress controls in a Kubernetes cluster?
- A. Denial of Service
- B. Data exfiltration
- C. Increased attack surface
- D. Unauthorized access to external resources
正解:B
解説:
* Egress NetworkPoliciesrestrict outbound traffic from Pods.
* Without egress restrictions, a compromised Pod could exfiltrate sensitive data (secrets, logs, customer data) to an attacker-controlled server.
* Exact extract (Kubernetes Docs - Network Policies):
* "Egress rules control outbound connections from Pods. Without such restrictions, compromised workloads can connect freely to external endpoints."
* Other options clarified:
* A: DoS is more about flooding, not egress absence.
* C: "Increased attack surface" is vague but not the main risk.
* D: True in a sense, but the precise and most common risk isdata exfiltration.
References:
Kubernetes Docs - Network Policies: https://kubernetes.io/docs/concepts/services-networking/network- policies/
質問 # 33
On a client machine, what directory (by default) contains sensitive credential information?
- A. /opt/kubernetes/secrets/
- B. /etc/kubernetes/
- C. $HOME/.config/kubernetes/
- D. $HOME/.kube
正解:D
解説:
* Thekubectlclient uses configuration from$HOME/.kube/configby default.
* This file contains: cluster API server endpoint, user certificates, tokens, or kubeconfigs #sensitive credentials.
* Exact extract (Kubernetes Docs - Configure Access to Clusters):
* "By default, kubectl looks for a file named config in the $HOME/.kube directory. This file contains configuration information including user credentials."
* Other options clarified:
* A: /etc/kubernetes/ exists on nodes (control plane) not client machines.
* C: /opt/kubernetes/secrets/ is not a standard path.
* D: $HOME/.config/kubernetes/ is not where kubeconfig is stored by default.
References:
Kubernetes Docs - Configure Access to Clusters: https://kubernetes.io/docs/concepts/configuration/organize- cluster-access-kubeconfig/
質問 # 34
A container running in a Kubernetes cluster has permission to modify host processes on the underlying node.
What combination of privileges and capabilities is most likely to have led to this privilege escalation?
- A. hostPath and AUDIT_WRITE
- B. There is no combination of privileges and capabilities that permits this.
- C. hostNetwork and NET_RAW
- D. hostPID and SYS_PTRACE
正解:D
解説:
* hostPID:When enabled, the container shares the host's process namespace # container can see and potentially interact with host processes.
* SYS_PTRACE capability:Grants the container the ability to trace, inspect, and modify other processes (e.g., via ptrace).
* Combination of hostPID + SYS_PTRACE allows a container toattach to and modify host processes, which is a direct privilege escalation.
* Other options explained:
* hostPath + AUDIT_WRITE:hostPath exposes filesystem paths but does not inherently allow process modification.
* hostNetwork + NET_RAW:grants raw socket access but only for networking, not host process modification.
* A:Incorrect - such combinationsdo exist(like B).
References:
Kubernetes Docs - Configure a Pod to use hostPID: https://kubernetes.io/docs/tasks/configure-pod-container
/share-process-namespace/
Linux Capabilities man page: https://man7.org/linux/man-pages/man7/capabilities.7.html
質問 # 35
To restrict the kubelet's rights to the Kubernetes API, whatauthorization modeshould be set on the Kubernetes API server?
- A. AlwaysAllow
- B. kubelet
- C. Node
- D. Webhook
正解:C
解説:
* TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.
* It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.
* Incorrect options:
* (B)AlwaysAllowallows unrestricted access (insecure).
* (C) No kubelet authorization mode exists.
* (D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.
References:
Kubernetes Documentation - Node Authorization
CNCF Security Whitepaper - Access control: kubelet authorization and Node authorizer.
質問 # 36
In the event that kube-proxy is in a CrashLoopBackOff state, what impact does it have on the Pods running on the same worker node?
- A. The Pod's security context restrictions cannot be enforced.
- B. The Pod's resource utilization increases significantly.
- C. The Pods cannot communicate with other Pods in the cluster.
- D. The Pod cannot mount persistent volumes through CSI drivers.
正解:C
解説:
* kube-proxy:manages cluster network routing rules (via iptables or IPVS). It enables Pods to communicate with Services and Pods across nodes.
* If kube-proxy fails (CrashLoopBackOff), service IP routing and cluster-wide pod-to-pod networking breaks. Local Pod-to-Pod communication within the same node may still work, butcross-node communication fails.
* Exact extract (Kubernetes Docs - kube-proxy):
* "kube-proxy maintains network rules on nodes. These rules allow network communication to Pods from network sessions inside or outside of the cluster." References:
Kubernetes Docs - kube-proxy: https://kubernetes.io/docs/reference/command-line-tools-reference/kube- proxy/
質問 # 37
A Kubernetes cluster tenant can launch privileged Pods in contravention of therestricted Pod Security Standardmandated for cluster tenants and enforced by the built-inPodSecurity admission controller.
The tenant has full CRUD permissions on the namespace object and the namespaced resources. How did the tenant achieve this?
- A. By using higher-level access credentials obtained reading secrets from another namespace.
- B. By deleting the PodSecurity admission controller deployment running in their namespace.
- C. The scope of the tenant role means privilege escalation is impossible.
- D. By tampering with the namespace labels.
正解:D
解説:
* ThePodSecurity admission controllerenforces Pod Security Standards (Baseline, Restricted, Privileged)based on namespace labels.
* If a tenant has full CRUD on the namespace object, they canmodify the namespace labelsto remove or weaken the restriction (e.g., setting pod-security.kubernetes.io/enforce=privileged).
* This allows privileged Pods to be admitted despite the security policy.
* Incorrect options:
* (A) is false - namespace-level access allows tampering.
* (C) is invalid - PodSecurity admission is not namespace-deployed, it's a cluster-wide admission controller.
* (D) is unrelated - Secrets from other namespaces wouldn't directly bypass PodSecurity enforcement.
References:
Kubernetes Documentation - Pod Security Admission
CNCF Security Whitepaper - Admission control and namespace-level policy enforcement weaknesses.
質問 # 38
Is it possible to restrict permissions so that a controller can only change the image of a deployment (without changing anything else about it, e.g., environment variables, commands, replicas, secrets)?
- A. Yes, by granting permission to the /image subresource.
- B. Not with RBAC, but it is possible with an admission webhook.
- C. Yes, with a 'managed fields' annotation.
- D. No, because granting access to the spec.containers.image field always grants access to the rest of the spec object.
正解:B
解説:
* RBAC in Kubernetesis coarse-grained: it controlsverbs(get, update, patch, delete) onresources(e.g., deployments), butnot individual fieldswithin a resource.
* There isno /image subresource for deployments(there is one for pods but only for ephemeral containers).
* Therefore,RBAC cannot restrict changes only to the image field.
* Admission Webhooks(mutating/validating)canenforce fine-grained policies (e.g., deny updates that change anything other than spec.containers[*].image).
* Exact extract (Kubernetes Docs - Admission Webhooks):
* "Admission webhooks can be used to enforce custom policies on objects being admitted." References:
Kubernetes Docs - RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ Kubernetes Docs - Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz
/extensible-admission-controllers/
質問 # 39
In a Kubernetes environment, what kind of Admission Controller can modify resource manifests when applied to the Kubernetes API to fix misconfigurations automatically?
- A. PodSecurityPolicy
- B. ResourceQuota
- C. ValidatingAdmissionController
- D. MutatingAdmissionController
正解:D
解説:
* Kubernetes Admission Controllers can eithervalidateormutateincoming requests.
* MutatingAdmissionWebhook (Mutating Admission Controller):
* Canmodify or mutate resource manifestsbefore they are persisted in etcd.
* Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.
* ValidatingAdmissionWebhook (Validating Admission Controller):only allows/denies but doesnot change requests.
* PodSecurityPolicy:deprecated; cannot mutate requests.
* ResourceQuota:enforces resource usage, but does not mutate manifests.
Exact Extract:
* "Mutating admission webhooks are invoked first, and can modify objects to enforce defaults.
Validating admission webhooks are invoked second, and can reject requests to enforce invariants.
"
References:
Kubernetes Docs - Admission Controllers: https://kubernetes.io/docs/reference/access-authn-authz
/admission-controllers/
Kubernetes Docs - Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz
/extensible-admission-controllers/
質問 # 40
Which security knowledge-base focuses specifically onoffensive tools, techniques, and procedures?
- A. CIS Controls
- B. MITRE ATT&CK
- C. OWASP Top 10
- D. NIST Cybersecurity Framework
正解:B
解説:
* MITRE ATT&CKis a globally recognizedknowledge base of adversary tactics, techniques, and procedures (TTPs). It is focused on describingoffensive behaviorsattackers use.
* Incorrect options:
* (B)OWASP Top 10highlights common application vulnerabilities, not attacker techniques.
* (C)CIS Controlsare defensive best practices, not offensive tools.
* (D)NIST Cybersecurity Frameworkprovides a risk-based defensive framework, not adversary TTPs.
References:
MITRE ATT&CK Framework
CNCF Security Whitepaper - Threat intelligence section: references MITRE ATT&CK for describing attacker behavior.
質問 # 41
What is the reasoning behind considering the Cloud as the trusted computing base of a Kubernetes cluster?
- A. The Cloud enforces security controls at the Kubernetes cluster level, so application developers can focus on applications only.
- B. A vulnerability in the Cloud layer has a negligible impact on containers due to Linux isolation mechanisms.
- C. A Kubernetes cluster can only be as secure as the security posture of its Cloud hosting.
- D. A Kubernetes cluster can only be trusted if the underlying Cloud provider is certified against international standards.
正解:C
解説:
* The4C's of Cloud Native Security(Cloud, Cluster, Container, Code) model starts withCloudas the base layer.
* If the Cloud (infrastructure layer) is compromised, every higher layer (Cluster, Container, Code) inherits that compromise.
* Exact extract (Kubernetes Security Overview):
* "The 4C's of Cloud Native security are Cloud, Clusters, Containers, and Code. You can think of the 4C's as a layered approach. A Kubernetes cluster can only be as secure as the cloud infrastructure it is deployed on."
* This means the cloud is part of thetrusted computing baseof a Kubernetes cluster.
References:
Kubernetes Docs - Security Overview (4C's): https://kubernetes.io/docs/concepts/security/overview/#the-
4cs-of-cloud-native-security
質問 # 42
As a Kubernetes and Cloud Native Security Associate, a user can set upaudit loggingin a cluster. What is the risk of logging every event at the fullRequestResponselevel?
- A. Increased storage requirements and potential impact on performance.
- B. Improved security and easier incident investigation.
- C. No risk, as it provides the most comprehensive audit trail.
- D. Reduced storage requirements and faster performance.
正解:A
解説:
* Audit loggingrecords API server requests and responses for security monitoring.
* TheRequestResponse levellogs the full request and response bodies, which can:
* Significantly increasestorage and performance overhead.
* Potentially log sensitive data (including Secrets).
* Therefore, while comprehensive, it introduces risks of performance degradation and excessive log volume.
References:
Kubernetes Documentation - Auditing
CNCF Security Whitepaper - Logging and monitoring: trade-offs between verbosity, storage, and security.
質問 # 43
......
Linux Foundation KCSA 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
KCSA試験問題とアンサー:https://jp.fast2test.com/KCSA-premium-file.html
合格できるKCSA試験情報と無料練習テスト:https://drive.google.com/open?id=1j2W05ALc8hPUyUmmo8iPL18D-RIwR0W3