Free Practice Questions for Linux Foundation KCSA Exam

MITRE ATT&CKis a globally recognizedknowledge base of adversary tactics, techniques, and procedures (TTPs). It is focused on describingoffensive behaviorsattackers use.

Incorrect options:

(B)OWASP Top 10highlights common application vulnerabilities, not attacker techniques.

(C)CIS Controlsare defensive best practices, not offensive tools.

(D)NIST Cybersecurity Frameworkprovides a risk-based defensive framework, not adversary TTPs.

PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.

Exact extract (PCI DSS official summary):

“PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”

Therefore,merchants who process credit card paymentsmust comply.

Why others are wrong:

A: No card payments, so no PCI scope.

B: This falls underFISMA / NIST 800-53, not PCI DSS.

C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.

Kubernetes originally had a feature calledPodSecurityPolicy (PSP), which provided controls to restrict pod behavior.

Official docs:

“PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25.”

“Pod Security Standards (PSS) replace PodSecurityPolicy (PSP) with a simpler, policy-driven approach.”

PSP was often complex and hard to manage, so it was replaced by Pod Security Admission (PSA) which enforcesPod Security Standards.

Container breakoutrefers to an attacker escaping container isolation and reaching thehost OS.

Once the host is compromised, the attacker can accessother containers, Kubernetes nodes, or escalate further.

Exact extract (Kubernetes Security Docs):

“If an attacker gains access to a container, they may attempt a container breakout to gain access to the host system.”

Other options clarified:

A: Network access inside a Pod ≠ breakout.

B: Resource exhaustion is aDoS, not a breakout.

C: Cloud infrastructure compromise is possibleafterhost compromise, but not the definition of breakout.

When a Pod is created, Kubernetes automatically mounts aservice account tokenthat can authenticate to the API server.

TheRole-Based Access Control (RBAC)system defines what actions a service account can perform.

By carefully restricting Roles and RoleBindings, administrators limit the blast radius of a compromised Pod.

Incorrect options:

(A)PodSecurity admissionenforces workload-level security settings but does not control API access.

(B)NetworkPolicycontrols network communication, not API privileges.

(D)RuntimeClassselects container runtimes, unrelated to privilege escalation through API tokens.

Starting a process in a running containerprovides an attacker withtemporary execution (foothold)inside the cluster, but once the container is stopped or restarted, that malicious process is lost. This means the attacker has nolong-term persistence.

Incorrect options:

(A) Modifying objects inetcdgrants persistent access since cluster state is stored in etcd.

(B) Modifying files on thehost filesystemcan create persistence across reboots or container restarts.

(D) Creating a restarting container directly on the host via Docker bypasses Kubernetes but persists across pod restarts if Docker restarts it.

Kubernetes Admission Controllers can eithervalidateormutateincoming requests.

MutatingAdmissionWebhook (Mutating Admission Controller):

Canmodify or mutate resource manifestsbefore they are persisted in etcd.

Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.

ValidatingAdmissionWebhook (Validating Admission Controller):only allows/denies but doesnotchange requests.

PodSecurityPolicy:deprecated; cannot mutate requests.

ResourceQuota:enforces resource usage, but does not mutate manifests.

Exact Extract:

“Mutating admission webhooks are invoked first, and can modify objects to enforce defaults. Validating admission webhooks are invoked second, and can reject requests to enforce invariants.”

kube-proxy:manages cluster network routing rules (via iptables or IPVS). It enables Pods to communicate with Services and Pods across nodes.

If kube-proxy fails (CrashLoopBackOff), service IP routing and cluster-wide pod-to-pod networking breaks. Local Pod-to-Pod communication within the same node may still work, butcross-node communication fails.

Exact extract (Kubernetes Docs – kube-proxy):

“kube-proxy maintains network rules on nodes. These rules allow network communication to Pods from network sessions inside or outside of the cluster.”

In akubeadm cluster, by default the API server enables several authentication mechanisms:

X509 Client Certs: Used for authenticating kubelets, admins, and control-plane components.

Bootstrap Tokens: Temporary credentials used for node bootstrap/joining clusters.

Service Account Tokens: Used by workloads in pods to authenticate with the API server.

Exact extract (Kubernetes Docs – Authentication):

“Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to authenticate API requests.”

“Bootstrap tokens are a simple bearer token that is meant to be used when creating new clusters or joining new nodes to an existing cluster.”

“Service accounts are special accounts that provide an identity for processes that run in a Pod.”