Kubernetes and Cloud Native Security Associate v1.0

Page:    1 / 4   
Exam contains 60 questions

What mechanism can I use to block unsigned images from running in my cluster?

  • A. Using PodSecurityPolicy (PSP) to enforce image signing and validation
  • B. Using Pod Security Standards (PSS) to enforce validation of signatures.
  • C. Configuring Container Runtime Interface (CRI) to enforce image signing and validation.
  • D. Enabling Admission Controllers to validate image signatures.


Answer : D

In the context of Kubernetes, what is privilege escalation?

  • A. It is the process of transferring controls to another user within the same namespace
  • B. It is the process of enhancing security measures to prevent unauthorized access.
  • C. It is the process of granting excessive privileges to users in a cluster.
  • D. It is the process of elevating the privileges of a container or Pod beyond the initial level of grants.


Answer : D

Which of the following best defines the shared responsibility model in the Cloud?

  • A. Cloud providers ensure end-to-end security, allowing customers to focus solely on business operations.
  • B. Cloud customers are responsible for all security aspects, from infrastructure management to application protection.
  • C. Cloud providers handle only hardware infrastructure security, leaving firmware, software, and application protection entirely to customers.
  • D. Cloud providers are responsible for securing the foundational infrastructure, while customers are accountable for safeguarding their applications and data.


Answer : D

In a multi-tenant Kubernetes environment where each team has distinct access requirements and workloads, which combination of strategies would enhance client security and maintain workload isolation?

  • A. Rely solely on basic authentication with a shared password across all teams, utilize node taints and tolerations, and turn off logging to optimize performance
  • B. Utilize bearer tokens with a third party identity service, employ network policies for Pod-level isolation, and leverage Audit Logs to track client interactions.
  • C. Use service account tokens for all external and internal clients, store client credentials in ConfigMaps, and rely on namespace quotas for workload isolation.
  • D. Enable anonymous authentication, enforce mutual TLS (mTLS), and segregate workloads using pod affinities.


Answer : B

A company is using Kubernetes to manage its cloud-native applications. They want to ensure that the security controls are consistently configured and reduce the probability of misconfiguration.
Which option is the best approach to achieve this?

  • A. Implementing infrastructure as code (IaC) and performing security testing on the code
  • B. Relying on manual security testing during penetration testing.
  • C. Ignoring manual or automatic security testing and relying on cloud provider's default security settings.
  • D. Manually reviewing the security controls after each deployment to ensure consistency.


Answer : A

What security risks are introduced by Pod misconfiguration?

  • A. Automatically scaling Pods can introduce vulnerabilities due to inadequate security measures on new instances.
  • B. Pods might have improper DNS configurations, leading to potential data leaks or unauthorized communication.
  • C. Pods may inadvertently bypass Pod Security Standards enforced on them by administrators.
  • D. Pods may inadvertently expose ports, leading to unauthorized access by adversaries.


Answer : D

A user has a client X.509 certificate with a Subject including O=system:masters that lets them authenticate to the Kubernetes API server. What is the consequence of this?

  • A. The user will have no access to the Kubernetes cluster
  • B. The user will have full administrator access to the Kubernetes cluster
  • C. The user will have limited access to specific namespaces in the Kubernetes cluster
  • D. The user will have read-only access to the Kubernetes cluster.


Answer : B

Which value of the runAsUser field in the security context for a Pod denotes that the Pod is running as root?

  • A. 5000
  • B. 1001
  • C. 1000
  • D. 0


Answer : D

What was the name of the precursor to Pod Security Standards?

  • A. Container Runtime Security
  • B. Pod Security Policy
  • C. Kubernetes Security Context
  • D. Container Security Standards


Answer : B

What is the recommended way to pass Secrets into a container running in a Pod?

  • A. Pass the Secrets as environment variables to the container
  • B. Store the Secrets in a ConfigMap and mount the ConfigMap as a volume in the Pod.
  • C. Include the Secrets directly in the container image.
  • D. Mount the Secrets as a volume in the Pod.


Answer : D

Which components should be able to access etcd at the network level directly?

  • A. All Kubernetes control plane components
  • B. All Pods running in the cluster.
  • C. Only worker nodes in the cluster.
  • D. Only the Kubernetes API server.


Answer : D

How does the kube-proxy forward traffic to a Pod based on its Service configuration?

  • A. The kube-proxy configures eBPF on the node to forward traffic from the Service to the Pod.
  • B. The kube-proxy implements a virtual IP mechanism for Services (e.g., via iptables).
  • C. The kube-proxy injects multiple A records in the CoreDNS Pod for each Service.
  • D. The kube-proxy injects reverse proxy configuration in the Ingress Controller (e.g., nginx).


Answer : B

A user runs a command with kubectl to apply a change to a deployment. What is the first Kubernetes component that the request reaches?

  • A. Kubernetes Scheduler
  • B. Kubernetes Controller Manager
  • C. kubelet
  • D. Kubernetes API Server


Answer : D

What is the difference between gVisor and Firecracker?

  • A. gVisor and Firecracker are both container runtimes that can be used interchangeably.
  • B. gVisor is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads. At the same time, Firecracker is a user-space kernel that provides isolation and security for containers.
  • C. gVisor is a user-space kernel that provides isolation and security for containers. At the same time, Firecracker is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads.
  • D. gVisor and Firecracker are two names for the same technology, which provides isolation and security for containers.


Answer : C

What is the name for the process of assessing the validity of vulnerabilities detected in the code or dependencies of a piece of software?

  • A. Static Code Analysis
  • B. Vulnerability Triage
  • C. Vulnerability Scanning
  • D. Penetration Testing


Answer : B

