2026年02月 Linux Foundation KCSA実際の問題とブレーン問題集 [Q14-Q31]

Share

2026年02月 Linux Foundation KCSA実際の問題とブレーン問題集

KCSA合格させる問題集でLinux Foundation24時間で試験合格できます

質問 # 14
Which of the following statements best describe container image signing and verification in the cloud environment?

  • A. Container image signatures are mandatory in cloud environments, as cloud providers would deny the execution of unsigned container images.
  • B. Container image signatures are concerned with defining developer ownership of applications within multi-tenant environments.
  • C. Container image signatures and their verification ensure their authenticity and integrity against tampering.
  • D. Container image signatures affect the performance of containerized applications, as they increase the size of images with additional metadata.

正解:C

解説:
* Image signing (withNotary, cosign, or similar tools) ensures that images are from a trusted source and have not been modified.
* Exact extract (Sigstore cosign docs):"Cosign allows you to sign and verify container images to ensure authenticity and integrity."
* Why others are wrong:
* B:Ownership can be inferred but it's aboutauthenticity & integritynot tenancy.
* C:Not mandatory; enforcement requiresadmission controllers.
* D:Metadata size is negligible and has no runtime performance impact.
References:
Sigstore Project: https://docs.sigstore.dev/cosign/overview
CNCF Security Whitepaper


質問 # 15
Which of the following statements best describes the role of the Scheduler in Kubernetes?

  • A. The Scheduler is responsible for managing the deployment and scaling of applications in the Kubernetes cluster.
  • B. The Scheduler is responsible for ensuring the security of the Kubernetes cluster and its components.
  • C. The Scheduler is responsible for assigning Pods to nodes based on resource availability and other constraints.
  • D. The Scheduler is responsible for monitoring and managing the health of the Kubernetes cluster.

正解:C

解説:
* TheKubernetes Schedulerassigns Pods to nodes based on:
* Resource requests & availability (CPU, memory, GPU, etc.)
* Constraints (affinity, taints, tolerations, topology, policies)
* Exact extract (Kubernetes Docs - Scheduler):
* "The scheduler is a control plane process that assigns Pods to Nodes. Scheduling decisions take into account resource requirements, affinity/anti-affinity, constraints, and policies."
* Other options clarified:
* A: Monitoring cluster health is theController Manager's/kubelet's job.
* B: Security is enforced throughRBAC, admission controllers, PSP/PSA, not the scheduler.
* C: Deployment scaling is handled by theController Manager(Deployment/ReplicaSet controller).
References:
Kubernetes Docs - Scheduler: https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/


質問 # 16
A container image istrojanizedby an attacker by compromising the build server. Based on the STRIDE threat modeling framework, which threat category best defines this threat?

  • A. Tampering
  • B. Spoofing
  • C. Repudiation
  • D. Denial of Service

正解:A

解説:
* In STRIDE,Tamperingis the threat category forunauthorized modification of data or code/artifacts. A trojanized container image is, by definition, an attacker'smodificationof the build output (the image) after compromising the CI/build system-i.e., tampering with the artifact in the software supply chain.
* Why not the others?
* Spoofingis about identity/authentication (e.g., pretending to be someone/something).
* Repudiationis about denying having performed an action without sufficient audit evidence.
* Denial of Servicetargets availability (exhausting resources or making a service unavailable).The scenario explicitly focuses on analtered imageresulting from a compromised build server-this squarely maps toTampering.
Authoritative references (for verification and deeper reading):
* Kubernetes (official docs)- Supply Chain Security (discusses risks such as compromised CI/CD pipelines leading to modified/poisoned images and emphasizes verifying image integrity/signatures).
* Kubernetes Docs#Security#Supply chain securityandSecuring a cluster(sections on image provenance, signing, and verifying artifacts).
* CNCF TAG Security - Cloud Native Security Whitepaper (v2)- Threat modeling in cloud-native and software supply chain risks; describes attackers modifying build outputs (images/artifacts) via CI
/CD compromise as a form oftamperingand prescribes controls (signing, provenance, policy).
* CNCF TAG Security - Software Supply Chain Security Best Practices- Explicitly covers CI/CD compromise leading tomaliciously modified imagesand recommends SLSA, provenance attestation, and signature verification (policy enforcement via admission controls).
* Microsoft STRIDE (canonical reference)- DefinesTamperingasmodifying data or code, which directly fits a trojanized image produced by a compromised build system.


質問 # 17
In the event that kube-proxy is in a CrashLoopBackOff state, what impact does it have on the Pods running on the same worker node?

  • A. The Pod's security context restrictions cannot be enforced.
  • B. The Pods cannot communicate with other Pods in the cluster.
  • C. The Pod's resource utilization increases significantly.
  • D. The Pod cannot mount persistent volumes through CSI drivers.

正解:B

解説:
* kube-proxy:manages cluster network routing rules (via iptables or IPVS). It enables Pods to communicate with Services and Pods across nodes.
* If kube-proxy fails (CrashLoopBackOff), service IP routing and cluster-wide pod-to-pod networking breaks. Local Pod-to-Pod communication within the same node may still work, butcross-node communication fails.
* Exact extract (Kubernetes Docs - kube-proxy):
* "kube-proxy maintains network rules on nodes. These rules allow network communication to Pods from network sessions inside or outside of the cluster." References:
Kubernetes Docs - kube-proxy: https://kubernetes.io/docs/reference/command-line-tools-reference/kube- proxy/


質問 # 18
What is the purpose of an egress NetworkPolicy?

  • A. To control the outbound network traffic from a Kubernetes cluster.
  • B. To control the incoming network traffic to a Kubernetes cluster.
  • C. To secure the Kubernetes cluster against unauthorized access.
  • D. To control the outgoing network traffic from one or more Kubernetes Pods.

正解:D

解説:
* NetworkPolicycontrols network trafficat the Pod level.
* Ingress rules:controlincomingconnections to Pods.
* Egress rules:controloutgoingconnectionsfrom Pods.
* Exact extract (Kubernetes Docs - Network Policies):
* "An egress rule controls outgoing connections from Pods that match the policy."
* Clarifying wrong answers:
* A/B: Too broad (cluster-level); policies apply per Pod/Namespace.
* C: Security against unauthorized access is broader than egress policies.
References:
Kubernetes Docs - Network Policies: https://kubernetes.io/docs/concepts/services-networking/network- policies/


質問 # 19
Which of the following is a valid security risk caused by having no egress controls in a Kubernetes cluster?

  • A. Unauthorized access to external resources
  • B. Data exfiltration
  • C. Increased attack surface
  • D. Denial of Service

正解:B

解説:
* Egress NetworkPoliciesrestrict outbound traffic from Pods.
* Without egress restrictions, a compromised Pod could exfiltrate sensitive data (secrets, logs, customer data) to an attacker-controlled server.
* Exact extract (Kubernetes Docs - Network Policies):
* "Egress rules control outbound connections from Pods. Without such restrictions, compromised workloads can connect freely to external endpoints."
* Other options clarified:
* A: DoS is more about flooding, not egress absence.
* C: "Increased attack surface" is vague but not the main risk.
* D: True in a sense, but the precise and most common risk isdata exfiltration.
References:
Kubernetes Docs - Network Policies: https://kubernetes.io/docs/concepts/services-networking/network- policies/


質問 # 20
A Kubernetes cluster tenant can launch privileged Pods in contravention of therestricted Pod Security Standardmandated for cluster tenants and enforced by the built-inPodSecurity admission controller.
The tenant has full CRUD permissions on the namespace object and the namespaced resources. How did the tenant achieve this?

  • A. By deleting the PodSecurity admission controller deployment running in their namespace.
  • B. By tampering with the namespace labels.
  • C. The scope of the tenant role means privilege escalation is impossible.
  • D. By using higher-level access credentials obtained reading secrets from another namespace.

正解:B

解説:
* ThePodSecurity admission controllerenforces Pod Security Standards (Baseline, Restricted, Privileged)based on namespace labels.
* If a tenant has full CRUD on the namespace object, they canmodify the namespace labelsto remove or weaken the restriction (e.g., setting pod-security.kubernetes.io/enforce=privileged).
* This allows privileged Pods to be admitted despite the security policy.
* Incorrect options:
* (A) is false - namespace-level access allows tampering.
* (C) is invalid - PodSecurity admission is not namespace-deployed, it's a cluster-wide admission controller.
* (D) is unrelated - Secrets from other namespaces wouldn't directly bypass PodSecurity enforcement.
References:
Kubernetes Documentation - Pod Security Admission
CNCF Security Whitepaper - Admission control and namespace-level policy enforcement weaknesses.


質問 # 21
Is it possible to restrict permissions so that a controller can only change the image of a deployment (without changing anything else about it, e.g., environment variables, commands, replicas, secrets)?

  • A. Yes, by granting permission to the /image subresource.
  • B. No, because granting access to the spec.containers.image field always grants access to the rest of the spec object.
  • C. Yes, with a 'managed fields' annotation.
  • D. Not with RBAC, but it is possible with an admission webhook.

正解:D

解説:
* RBAC in Kubernetesis coarse-grained: it controlsverbs(get, update, patch, delete) onresources(e.g., deployments), butnot individual fieldswithin a resource.
* There isno /image subresource for deployments(there is one for pods but only for ephemeral containers).
* Therefore,RBAC cannot restrict changes only to the image field.
* Admission Webhooks(mutating/validating)canenforce fine-grained policies (e.g., deny updates that change anything other than spec.containers[*].image).
* Exact extract (Kubernetes Docs - Admission Webhooks):
* "Admission webhooks can be used to enforce custom policies on objects being admitted." References:
Kubernetes Docs - RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ Kubernetes Docs - Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz
/extensible-admission-controllers/


質問 # 22
As a Kubernetes and Cloud Native Security Associate, a user can set upaudit loggingin a cluster. What is the risk of logging every event at the fullRequestResponselevel?

  • A. No risk, as it provides the most comprehensive audit trail.
  • B. Increased storage requirements and potential impact on performance.
  • C. Improved security and easier incident investigation.
  • D. Reduced storage requirements and faster performance.

正解:B

解説:
* Audit loggingrecords API server requests and responses for security monitoring.
* TheRequestResponse levellogs the full request and response bodies, which can:
* Significantly increasestorage and performance overhead.
* Potentially log sensitive data (including Secrets).
* Therefore, while comprehensive, it introduces risks of performance degradation and excessive log volume.
References:
Kubernetes Documentation - Auditing
CNCF Security Whitepaper - Logging and monitoring: trade-offs between verbosity, storage, and security.


質問 # 23
Which way of defining security policy brings consistency, minimizes toil, and reduces the probability of misconfiguration?

  • A. Manually configuring security controls for each individual resource, regularly.
  • B. Using a declarative approach to define security policies as code.
  • C. Relying on manual audits and inspections for security policy enforcement.
  • D. Implementing security policies through manual scripting on an ad-hoc basis.

正解:B

解説:
* Defining policiesas code (declarative)is a best practice in Kubernetes and cloud-native security.
* This is aligned withGitOpsandPolicy-as-Codeprinciples (OPA Gatekeeper, Kyverno, etc.).
* Exact extract (CNCF Security Whitepaper):
* "Policy-as-Code enables declarative definition and enforcement of security policies, bringing consistency, automation, and reducing misconfiguration risk."
* Manual audits, ad-hoc scripting, or individual configurations are error-prone and inconsistent.
References:
CNCF Security Whitepaper:https://github.com/cncf/tag-security
Kubernetes Docs - Policy as Code (OPA, Kyverno): https://kubernetes.io/docs/concepts/security/


質問 # 24
Why does the defaultbase64 encodingthat Kubernetes applies to the contents of Secret resources provide inadequate protection?

  • A. Base64 encoding is vulnerable to brute-force attacks.
  • B. Base64 encoding is not supported by all Secret Stores.
  • C. Base64 encoding relies on a shared key which can be easily compromised.
  • D. Base64 encoding does not encrypt the contents of the Secret, only obfuscates it.

正解:D

解説:
* Kubernetes stores Secret data asbase64-encoded stringsin etcd by default.
* Base64 is not encryption- it is a simple encoding scheme that merelyobfuscatesdata for transport and storage. Anyone with read access to etcd or the Secret manifest can easily decode the value back to plaintext.
* For actual protection, Kubernetes supportsencryption at rest(via encryption providers) and external Secret management (Vault, KMS, etc.).
References:
Kubernetes Documentation - Secrets
CNCF Security Whitepaper - Data protection section: highlights that base64 encoding does not protect data and encryption at rest is recommended.


質問 # 25
Why mightNetworkPolicyresources have no effect in a Kubernetes cluster?

  • A. NetworkPolicy resources are only enforced if the networking plugin supports them.
  • B. NetworkPolicy resources are only enforced for unprivileged Pods.
  • C. NetworkPolicy resources are only enforced if the user has the right RBAC permissions.
  • D. NetworkPolicy resources are only enforced if the Kubernetes scheduler supports them.

正解:A

解説:
* NetworkPolicies define how Pods can communicate with each other and external endpoints.
* However, Kubernetes itselfdoes not enforce NetworkPolicy. Enforcement depends on theCNI plugin used (e.g., Calico, Cilium, Kube-Router, Weave Net).
* If a cluster is using a network plugin that does not support NetworkPolicies, then creating NetworkPolicy objects hasno effect.
References:
Kubernetes Documentation - Network Policies
CNCF Security Whitepaper - Platform security section: notes that security enforcement relies on CNI capabilities.


質問 # 26
Which of the following statements on static Pods is true?

  • A. The kubelet schedules static Pods local to its node without going through the kube-scheduler, making tracking and managing them difficult.
  • B. The kubelet can run a maximum of 5 static Pods on each node.
  • C. The kubelet can run static Pods that span multiple nodes, provided that it has the necessary privileges from the API server.
  • D. The kubelet only deploys static Pods when the kube-scheduler is unresponsive.

正解:A

解説:
* Static Podsare managed directly by thekubeleton each node.
* They arenot scheduled by the kube-schedulerand always remain bound to the node where they are defined.
* Exact extract (Kubernetes Docs - Static Pods):
* "Static Pods are managed directly by the kubelet daemon on a specific node, without the API server. They do not go through the Kubernetes scheduler."
* Clarifications:
* A: Static Pods do not span multiple nodes.
* B: No hard limit of 5 Pods per node.
* D: They are not a fallback mechanism; kubelet always manages them regardless of scheduler state.
References:
Kubernetes Docs - Static Pods: https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/


質問 # 27
What is Grafana?

  • A. A container orchestration platform for managing and scaling applications.
  • B. A cloud-native distributed tracing system for monitoring microservices architectures.
  • C. A platform for monitoring and visualizing time-series data.
  • D. A cloud-native security tool for scanning and detecting vulnerabilities in Kubernetes clusters.

正解:C

解説:
* Grafana:An open-source analytics and visualization platform widely used with Prometheus, Loki, etc.
* Exact extract (Grafana Docs):"Grafana is the open-source analytics and monitoring solution for every database. It allows you to query, visualize, alert on, and understand your metrics no matter where they are stored."
* A is wrong:That describesJaeger(distributed tracing).
* B is wrong:That'sKubernetesitself.
* D is wrong:That'sTrivy/Aqua/Prismatype tools.
References:
Grafana Docs: https://grafana.com/docs/grafana/latest/


質問 # 28
What was the name of the precursor to Pod Security Standards?

  • A. Kubernetes Security Context
  • B. Pod Security Policy
  • C. Container Runtime Security
  • D. Container Security Standards

正解:B

解説:
* Kubernetes originally had a feature calledPodSecurityPolicy (PSP), which provided controls to restrict pod behavior.
* Official docs:
* "PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25."
* "Pod Security Standards (PSS) replace PodSecurityPolicy (PSP) with a simpler, policy- driven approach."
* PSP was often complex and hard to manage, so it was replaced by Pod Security Admission (PSA) which enforcesPod Security Standards.
References:
Kubernetes Docs - PodSecurityPolicy (deprecated): https://kubernetes.io/docs/concepts/security/pod- security-policy/ Kubernetes Blog - PodSecurityPolicy Deprecation: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy- deprecation-past-present-and-future/


質問 # 29
What does thecluster-adminClusterRole enable when used in a RoleBinding?

  • A. It allows read/write access to most resources in the role binding's namespace. This role does not allow write access to resource quota, to the namespace itself, and to EndpointSlices (or Endpoints).
  • B. It gives full control over every resource in the role binding's namespace, including the namespace itself.
  • C. It gives full control over every resource in the cluster and in all namespaces.
  • D. It gives full control over every resource in the role binding's namespace, not including the namespace object for isolation purposes.

正解:C

解説:
* Thecluster-adminClusterRole is asuperuser rolein Kubernetes.
* Binding it (via RoleBinding or ClusterRoleBinding) grantsunrestricted control over all resources in the cluster, across all namespaces.
* This includes management of cluster-scoped resources (nodes, CRDs, RBAC rules) and namespace- scoped resources.
* Therefore, cluster-admin is equivalent toroot-level accessin Kubernetes and must be used with extreme caution.
References:
Kubernetes Documentation - Default Roles and Role Bindings
CNCF Security Whitepaper - Identity and Access Management: cautions against assigningcluster-admin broadly due to its unrestricted nature.


質問 # 30
What is the purpose of the Supplier Assessments and Reviews control in the NIST 800-53 Rev. 5 set of controls for Supply Chain Risk Management?

  • A. To establish contractual agreements with suppliers.
  • B. To identify potential suppliers for the organization.
  • C. To evaluate and monitor existing suppliers for adherence to security requirements.
  • D. To conduct regular audits of suppliers' financial performance.

正解:C

解説:
* In NIST SP 800-53 Rev. 5,SR-6: Supplier Assessments and Reviewsrequires evaluating and monitoring suppliers' security and risk practices.
* Exact extract (NIST SP 800-53 Rev. 5, SR-6):
* "The organization assesses and monitors suppliers to ensure they are meeting the security requirements specified in contracts and agreements."
* This is aboutongoing monitoringof supplier adherence, not financial audits, not contract creation, and not supplier discovery.
References:
NIST SP 800-53 Rev. 5, Control SR-6 (Supplier Assessments and Reviews): https://csrc.nist.gov/publications
/detail/sp/800-53/rev-5/final


質問 # 31
......

最新問題をダウンロードKCSA問題集で2026年最新のKCSA試験問題集:https://jp.fast2test.com/KCSA-premium-file.html

最新問題を使おうKCSA試験問題と解答PDFで一年間無料更新:https://drive.google.com/open?id=16KiJhM-eKEQVJPTz37e_guGV_FH1X5Yd


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어