DumpsFree provides high-quality dumps PDF & dumps VCE for candidates who are willing to pass exams and get certifications soon. We provide dumps free download before purchasing dumps VCE. 100% pass exam!

[Sep 22, 2025] Latest Questions KCSA Guide to Prepare Free Practice Tests [Q33-Q53]

Share

[Sep 22, 2025] Latest Questions KCSA Guide to Prepare Free Practice Tests

Reliable KCSA Dumps Questions Available as Web-Based Practice Test Engine

NEW QUESTION # 33
A container image istrojanizedby an attacker by compromising the build server. Based on the STRIDE threat modeling framework, which threat category best defines this threat?

  • A. Denial of Service
  • B. Repudiation
  • C. Spoofing
  • D. Tampering

Answer: D

Explanation:
* In STRIDE,Tamperingis the threat category forunauthorized modification of data or code/artifacts. A trojanized container image is, by definition, an attacker'smodificationof the build output (the image) after compromising the CI/build system-i.e., tampering with the artifact in the software supply chain.
* Why not the others?
* Spoofingis about identity/authentication (e.g., pretending to be someone/something).
* Repudiationis about denying having performed an action without sufficient audit evidence.
* Denial of Servicetargets availability (exhausting resources or making a service unavailable).The scenario explicitly focuses on analtered imageresulting from a compromised build server-this squarely maps toTampering.
Authoritative references (for verification and deeper reading):
* Kubernetes (official docs)- Supply Chain Security (discusses risks such as compromised CI/CD pipelines leading to modified/poisoned images and emphasizes verifying image integrity/signatures).
* Kubernetes Docs#Security#Supply chain securityandSecuring a cluster(sections on image provenance, signing, and verifying artifacts).
* CNCF TAG Security - Cloud Native Security Whitepaper (v2)- Threat modeling in cloud-native and software supply chain risks; describes attackers modifying build outputs (images/artifacts) via CI
/CD compromise as a form oftamperingand prescribes controls (signing, provenance, policy).
* CNCF TAG Security - Software Supply Chain Security Best Practices- Explicitly covers CI/CD compromise leading tomaliciously modified imagesand recommends SLSA, provenance attestation, and signature verification (policy enforcement via admission controls).
* Microsoft STRIDE (canonical reference)- DefinesTamperingasmodifying data or code, which directly fits a trojanized image produced by a compromised build system.


NEW QUESTION # 34
Which information does a user need to verify a signed container image?

  • A. The image's digital signature and the private key of the signing authority.
  • B. The image's SHA-256 hash and the public key of the signing authority.
  • C. The image's SHA-256 hash and the private key of the signing authority.
  • D. The image's digital signature and the public key of the signing authority.

Answer: D

Explanation:
* Container image signing (e.g., withcosign, Notary v2) uses asymmetric cryptography.
* Verification process:
* Retrieve theimage's digital signature.
* Validate the signature with thepublic keyof the signer.
* Exact extract (Sigstore Cosign Docs):
* "Verification of an image requires the signature and the signer's public key. The signature proves authenticity and integrity."
* Why others are wrong:
* A & B: The private key is only used by the signer, never shared.
* C: The hash alone cannot prove authenticity without the digital signature.
References:
Sigstore Cosign Docs: https://docs.sigstore.dev/cosign/overview


NEW QUESTION # 35
Which of the following is a control for Supply Chain Risk Management according to NIST 800-53 Rev. 5?

  • A. Access Control
  • B. Supply Chain Risk Management Plan
  • C. Incident Response
  • D. System and Communications Protection

Answer: B

Explanation:
* NIST SP 800-53 Rev. 5 introduces a dedicated family of controls calledSupply Chain Risk Management (SR).
* Within SR,SR-2 (Supply Chain Risk Management Plan)is a specific control.
* Exact extract from NIST 800-53 Rev. 5:
* "The organization develops and implements a supply chain risk management plan for the system, system component, or system service."
* While Access Control, System and Communications Protection, and Incident Response are control families, the correctsupply chain-specific controlis theSupply Chain Risk Management Plan (SR-2).
References:
NIST SP 800-53 Rev. 5 -Security and Privacy Controls for Information Systems and Organizations:
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final


NEW QUESTION # 36
In order to reduce the attack surface of the Scheduler, which default parameter should be set to false?

  • A. --bind-address
  • B. --profiling
  • C. --scheduler-name
  • D. --secure-kubeconfig

Answer: B

Explanation:
* Thekube-schedulerexposes aprofiling/debugging endpointwhen --profiling=true (default).
* This can unnecessarily increase the attack surface.
* Best practice: set --profiling=false in production.
* Exact extract (Kubernetes Docs - kube-scheduler flags):
* "--profiling (default true): Enable profiling via web interface host:port/debug/pprof/."
* Why others are wrong:
* --scheduler-name: just identifies the scheduler, not a security risk.
* --secure-kubeconfig: not a valid flag.
* --bind-address: changing it limits exposure but is not the default risk parameter for profiling.
References:
Kubernetes Docs - kube-scheduler options: https://kubernetes.io/docs/reference/command-line-tools- reference/kube-scheduler/


NEW QUESTION # 37
To restrict the kubelet's rights to the Kubernetes API, whatauthorization modeshould be set on the Kubernetes API server?

  • A. Webhook
  • B. Node
  • C. AlwaysAllow
  • D. kubelet

Answer: B

Explanation:
* TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.
* It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.
* Incorrect options:
* (B)AlwaysAllowallows unrestricted access (insecure).
* (C) No kubelet authorization mode exists.
* (D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.
References:
Kubernetes Documentation - Node Authorization
CNCF Security Whitepaper - Access control: kubelet authorization and Node authorizer.


NEW QUESTION # 38
In a Kubernetes environment, what kind of Admission Controller can modify resource manifests when applied to the Kubernetes API to fix misconfigurations automatically?

  • A. MutatingAdmissionController
  • B. ResourceQuota
  • C. ValidatingAdmissionController
  • D. PodSecurityPolicy

Answer: A

Explanation:
* Kubernetes Admission Controllers can eithervalidateormutateincoming requests.
* MutatingAdmissionWebhook (Mutating Admission Controller):
* Canmodify or mutate resource manifestsbefore they are persisted in etcd.
* Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.
* ValidatingAdmissionWebhook (Validating Admission Controller):only allows/denies but doesnot change requests.
* PodSecurityPolicy:deprecated; cannot mutate requests.
* ResourceQuota:enforces resource usage, but does not mutate manifests.
Exact Extract:
* "Mutating admission webhooks are invoked first, and can modify objects to enforce defaults.
Validating admission webhooks are invoked second, and can reject requests to enforce invariants.
"
References:
Kubernetes Docs - Admission Controllers: https://kubernetes.io/docs/reference/access-authn-authz
/admission-controllers/
Kubernetes Docs - Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz
/extensible-admission-controllers/


NEW QUESTION # 39
Why does the defaultbase64 encodingthat Kubernetes applies to the contents of Secret resources provide inadequate protection?

  • A. Base64 encoding is vulnerable to brute-force attacks.
  • B. Base64 encoding is not supported by all Secret Stores.
  • C. Base64 encoding does not encrypt the contents of the Secret, only obfuscates it.
  • D. Base64 encoding relies on a shared key which can be easily compromised.

Answer: C

Explanation:
* Kubernetes stores Secret data asbase64-encoded stringsin etcd by default.
* Base64 is not encryption- it is a simple encoding scheme that merelyobfuscatesdata for transport and storage. Anyone with read access to etcd or the Secret manifest can easily decode the value back to plaintext.
* For actual protection, Kubernetes supportsencryption at rest(via encryption providers) and external Secret management (Vault, KMS, etc.).
References:
Kubernetes Documentation - Secrets
CNCF Security Whitepaper - Data protection section: highlights that base64 encoding does not protect data and encryption at rest is recommended.


NEW QUESTION # 40
A container image istrojanizedby an attacker by compromising the build server. Based on the STRIDE threat modeling framework, which threat category best defines this threat?

  • A. Denial of Service
  • B. Repudiation
  • C. Spoofing
  • D. Tampering

Answer: D

Explanation:
* In STRIDE,Tamperingis the threat category forunauthorized modification of data or code/artifacts. A trojanized container image is, by definition, an attacker'smodificationof the build output (the image) after compromising the CI/build system-i.e., tampering with the artifact in the software supply chain.
* Why not the others?
* Spoofingis about identity/authentication (e.g., pretending to be someone/something).
* Repudiationis about denying having performed an action without sufficient audit evidence.
* Denial of Servicetargets availability (exhausting resources or making a service unavailable).The scenario explicitly focuses on analtered imageresulting from a compromised build server-this squarely maps toTampering.
Authoritative references (for verification and deeper reading):
* Kubernetes (official docs)- Supply Chain Security (discusses risks such as compromised CI/CD pipelines leading to modified/poisoned images and emphasizes verifying image integrity/signatures).
* Kubernetes Docs#Security#Supply chain securityandSecuring a cluster(sections on image provenance, signing, and verifying artifacts).
* CNCF TAG Security - Cloud Native Security Whitepaper (v2)- Threat modeling in cloud-native and software supply chain risks; describes attackers modifying build outputs (images/artifacts) via CI
/CD compromise as a form oftamperingand prescribes controls (signing, provenance, policy).
* CNCF TAG Security - Software Supply Chain Security Best Practices- Explicitly covers CI/CD compromise leading tomaliciously modified imagesand recommends SLSA, provenance attestation, and signature verification (policy enforcement via admission controls).
* Microsoft STRIDE (canonical reference)- DefinesTamperingasmodifying data or code, which directly fits a trojanized image produced by a compromised build system.


NEW QUESTION # 41
Which way of defining security policy brings consistency, minimizes toil, and reduces the probability of misconfiguration?

  • A. Relying on manual audits and inspections for security policy enforcement.
  • B. Using a declarative approach to define security policies as code.
  • C. Implementing security policies through manual scripting on an ad-hoc basis.
  • D. Manually configuring security controls for each individual resource, regularly.

Answer: B

Explanation:
* Defining policiesas code (declarative)is a best practice in Kubernetes and cloud-native security.
* This is aligned withGitOpsandPolicy-as-Codeprinciples (OPA Gatekeeper, Kyverno, etc.).
* Exact extract (CNCF Security Whitepaper):
* "Policy-as-Code enables declarative definition and enforcement of security policies, bringing consistency, automation, and reducing misconfiguration risk."
* Manual audits, ad-hoc scripting, or individual configurations are error-prone and inconsistent.
References:
CNCF Security Whitepaper:https://github.com/cncf/tag-security
Kubernetes Docs - Policy as Code (OPA, Kyverno): https://kubernetes.io/docs/concepts/security/


NEW QUESTION # 42
Which other controllers are part of the kube-controller-manager inside the Kubernetes cluster?

  • A. Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller
  • B. Namespace controller, ConfigMap controller, and Secret controller
  • C. Job controller, CronJob controller, and DaemonSet controller
  • D. Pod, Service, and Ingress controller

Answer: A

Explanation:
* kube-controller-managerruns a set of controllers that regulate the cluster's state.
* Exact extract (Kubernetes Docs):"The kube-controller-manager runs controllers that are core to Kubernetes. Examples of controllers are: Node controller, Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller."
* Why D is correct:All listed are actual controllers within kube-controller-manager.
* Why others are wrong:
* A:Job and CronJob controllers are managed by kube-controller-manager, but DaemonSet controller is managed by the kube-scheduler/deployment logic.
* B:Pod, Service, Ingress controllers are not part of kube-controller-manager.
* C:ConfigMap and Secret do not have dedicated controllers.
References:
Kubernetes Docs - kube-controller-manager: https://kubernetes.io/docs/reference/command-line-tools- reference/kube-controller-manager/


NEW QUESTION # 43
What mechanism can I use to block unsigned images from running in my cluster?

  • A. Configuring Container Runtime Interface (CRI) to enforce image signing and validation.
  • B. Using Pod Security Standards (PSS) to enforce validation of signatures.
  • C. Using PodSecurityPolicy (PSP) to enforce image signing and validation.
  • D. Enabling Admission Controllers to validate image signatures.

Answer: D

Explanation:
* KubernetesAdmission Controllers(particularlyValidatingAdmissionWebhooks) can be used to enforce policies that validate image signatures.
* This is commonly implemented withtools like Sigstore/cosign, Kyverno, or OPA Gatekeeper.
* PodSecurityPolicy (PSP):deprecated and never supported image signature validation.
* Pod Security Standards (PSS):only apply to pod security fields (privilege, users, host access), not image signatures.
* CRI:while runtimes (containerd, CRI-O) may integrate with signature verification tools, enforcement in Kubernetes is generally done viaAdmission Controllersat the API layer.
Exact extract (Admission Controllers docs):
* "Admission webhooks can be used to enforce custom policies on the objects being admitted." (e.g., validating signatures).
References:
Kubernetes Docs - Admission Controllers: https://kubernetes.io/docs/reference/access-authn-authz
/admission-controllers/
Sigstore Project (cosign): https://sigstore.dev/
Kyverno ImageVerify Policy: https://kyverno.io/policies/pod-security/require-image-verification/


NEW QUESTION # 44
On a client machine, what directory (by default) contains sensitive credential information?

  • A. $HOME/.config/kubernetes/
  • B. /etc/kubernetes/
  • C. /opt/kubernetes/secrets/
  • D. $HOME/.kube

Answer: D

Explanation:
* Thekubectlclient uses configuration from$HOME/.kube/configby default.
* This file contains: cluster API server endpoint, user certificates, tokens, or kubeconfigs #sensitive credentials.
* Exact extract (Kubernetes Docs - Configure Access to Clusters):
* "By default, kubectl looks for a file named config in the $HOME/.kube directory. This file contains configuration information including user credentials."
* Other options clarified:
* A: /etc/kubernetes/ exists on nodes (control plane) not client machines.
* C: /opt/kubernetes/secrets/ is not a standard path.
* D: $HOME/.config/kubernetes/ is not where kubeconfig is stored by default.
References:
Kubernetes Docs - Configure Access to Clusters: https://kubernetes.io/docs/concepts/configuration/organize- cluster-access-kubeconfig/


NEW QUESTION # 45
A cluster is failing to pull more recent versions of images from k8s.gcr.io. Why may this be?

  • A. There is a bug in the container runtime or the image pull process.
  • B. There is a network connectivity issue between the cluster and k8s.gcr.io.
  • C. The container image registry k8s.gcr.io has been deprecated.
  • D. The authentication credentials for accessing k8s.gcr.io are incorrectly scoped.

Answer: C

Explanation:
* k8s.gcr.iowas the historic Kubernetes image registry.
* It has beendeprecatedand replaced withregistry.k8s.io.
* Exact extract (Kubernetes Blog):
* "The k8s.gcr.io image registry will be frozen from April 3, 2023 and fully deprecated. All Kubernetes project images are now served from registry.k8s.io."
* Pulling newer versions from k8s.gcr.io fails because the registry no longer receives updates.
References:
Kubernetes Blog - Image Registry Update: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze- announcement/


NEW QUESTION # 46
You are responsible for securing thekubeletcomponent in a Kubernetes cluster.
Which of the following statements about kubelet security is correct?

  • A. Kubelet runs as a privileged container by default.
  • B. Kubelet does not have any built-in security features.
  • C. Kubelet supports TLS authentication and encryption for secure communication with the API server.
  • D. Kubelet requires root access to interact with the host system.

Answer: C

Explanation:
* Thekubeletis the primary agent that runs on each node in a Kubernetes cluster and communicates with the control plane.
* Kubeletsupports TLS (Transport Layer Security)for both authentication and encryption when interacting with the API server. This is a core security feature that ensures secure node-to-control-plane communication.
* Incorrect options:
* (A) Kubelet does not run as a privileged container by default; it runs as a system process (typically systemd-managed) on the host.
* (B) Kubelet does include built-in security features such asTLS authentication, authorization modes, and read-only vs secured ports.
* (D) While kubelet interacts with the host system (e.g., cgroups, container runtimes), it does not inherently require root access for communication security; RBAC and TLS handle authentication.
References:
Kubernetes Documentation - Kubelet authentication/authorization
CNCF Security Whitepaper - Cluster Component Security (discusses TLS and mutual authentication between kubelet and API server).


NEW QUESTION # 47
You want to minimize security issues in running Kubernetes Pods. Which of the following actions can help achieve this goal?

  • A. Running Pods with elevated privileges to maximize their capabilities.
  • B. Implement Pod Security standards in the Pod's YAML configuration.
  • C. Deploying Pods with randomly generated names to obfuscate their identities.
  • D. Sharing sensitive data among Pods in the same cluster to improve collaboration.

Answer: B

Explanation:
* Pod Security Standards (PSS):
* Kubernetes providesPod Security Admission (PSA)to enforce security controls based on policies.
* Official extract: "Pod Security Standards define different isolation levels for Pods. The standards focus on restricting what Pods can do and what they can access."
* The three standard profiles are:
* Privileged: unrestricted (not recommended).
* Baseline: minimal restrictions.
* Restricted: highly restricted, enforcing least privilege.
* Why option C is correct:
* Applying Pod Security Standards in YAML ensures Pods adhere tobest practiceslike:
* No root user.
* Restricted host access.
* No privilege escalation.
* Seccomp/AppArmor profiles.
* This directly minimizes security risks.
* Why others are wrong:
* A:Sharing sensitive data increases risk of exposure.
* B:Running with elevated privileges contradicts least privilege principle.
* D:Random Pod names donotcontribute to security.
References:
Kubernetes Docs - Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security- standards/ Kubernetes Docs - Pod Security Admission: https://kubernetes.io/docs/concepts/security/pod-security- admission/


NEW QUESTION # 48
In a Kubernetes cluster, what are the security risks associated with using ConfigMaps for storing secrets?

  • A. ConfigMaps store sensitive information in etcd encoded in base64 format automatically, which does not ensure confidentiality of data.
  • B. Storing secrets in ConfigMaps can expose sensitive information as they are stored in plaintext and can be accessed by unauthorized users.
  • C. Storing secrets in ConfigMaps does not allow for fine-grained access control via RBAC.
  • D. Using ConfigMaps for storing secrets might make applications incompatible with the Kubernetes cluster.

Answer: B

Explanation:
* ConfigMaps are explicitly not for confidential data.
* Exact extract (ConfigMap concept):"A ConfigMap is an API object used to store non- confidential data in key-value pairs."
* Exact extract (ConfigMap concept):"ConfigMaps are not intended to hold confidential data. Use a Secret for confidential data."
* Why this is risky:data placed into a ConfigMap is stored as regular (plaintext) string values in the API and etcd (unless you deliberately use binaryData for base64 content you supply). That means if someone has read access to the namespace or to etcd/APIServer storage, they can view the values.
* Secrets vs ConfigMaps (to clarify distractor D):
* Exact extract (Secret concept):"By default, secret data is stored as unencrypted base64- encoded strings.You canenable encryption at restto protect Secrets stored in etcd."
* This base64 behavior applies toSecrets, not to ConfigMap data. Thus optionDis incorrect for ConfigMaps.
* About RBAC (to clarify distractor A):Kubernetesdoessupport fine-grained RBAC forboth ConfigMaps and Secrets; the issue isn't lack of RBAC but that ConfigMaps arenotdesigned for confidential material.
* About compatibility (to clarify distractor C):Using ConfigMaps for secrets doesn't make apps
"incompatible"; it's simplyinsecureand against guidance.
References:
Kubernetes Docs -ConfigMaps: https://kubernetes.io/docs/concepts/configuration/configmap/ Kubernetes Docs -Secrets: https://kubernetes.io/docs/concepts/configuration/secret/ Kubernetes Docs -Encrypting Secret Data at Rest: https://kubernetes.io/docs/tasks/administer-cluster
/encrypt-data/
Note: The citations above are from the official Kubernetes documentation and reflect the stated guidance that ConfigMaps are fornon-confidentialdata, while Secrets (with encryption at rest enabled) are forconfidential data, and that the 4C's map todefense in depth.


NEW QUESTION # 49
What kind of organization would need to be compliant with PCI DSS?

  • A. Non-profit organizations that handle sensitive customer data.
  • B. Retail stores that only accept cash payments.
  • C. Merchants that process credit card payments.
  • D. Government agencies that collect personally identifiable information.

Answer: C

Explanation:
* PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.
* Exact extract (PCI DSS official summary):
* "PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and
/or sensitive authentication data (SAD)."
* Therefore,merchants who process credit card paymentsmust comply.
* Why others are wrong:
* A: No card payments, so no PCI scope.
* B: This falls underFISMA / NIST 800-53, not PCI DSS.
* C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.
References:
PCI Security Standards Council - PCI DSS Summary: https://www.pcisecuritystandards.org/pci_security/


NEW QUESTION # 50
What is the difference between gVisor and Firecracker?

  • A. gVisor and Firecracker are two names for the same technology, which provides isolation and security for containers.
  • B. gVisor is a user-space kernel that provides isolation and security for containers. At the same time, Firecracker is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads.
  • C. gVisor is a lightweight virtualization technology for creating and managing secure, multi-tenant container and function-as-a-service (FaaS) workloads. At the same time, Firecracker is a user-space kernel that provides isolation and security for containers.
  • D. gVisor and Firecracker are both container runtimes that can be used interchangeably.

Answer: B

Explanation:
* gVisor:
* Google-developed, implemented as auser-space kernelthat intercepts and emulates syscalls made by containers.
* Providesstrong isolationwithout requiring a full VM.
* Official docs: "gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system call interface."
* Source: https://gvisor.dev/docs/
* Firecracker:
* AWS-developed,lightweight virtualization technologybuilt on KVM, used in AWS Lambda and Fargate.
* Optimized for running secure, multi-tenant microVMs (MicroVMs) for containers and FaaS.
* Official docs: "Firecracker is an open-source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services."
* Source: https://firecracker-microvm.github.io/
* Key difference:gVisor # syscall interception in userspace kernel (container isolation). Firecracker # lightweight virtualization with microVMs (multi-tenant security).
* Therefore, optionAis correct.
References:
gVisor Docs: https://gvisor.dev/docs/
Firecracker Docs: https://firecracker-microvm.github.io/


NEW QUESTION # 51
Which of the following snippets from a RoleBinding correctly associates user bob with Role pod-reader ?

  • A. subjects:
    - kind: User
    name: bob
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: Role
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
  • B. subjects:
    - kind: User
    name: bob
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: ClusterRole
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
  • C. subjects:
    - kind: Group
    name: bob
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: Role
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
  • D. subjects:
    - kind: User
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
    roleRef:
    kind: Role
    name: bob
    apiGroup: rbac.authorization.k8s.io

Answer: A

Explanation:
Kubernetes RBAC usesRoleBindingto grant permissions defined in aRoleto asubject(user, group, or service account) within a namespace. The official example shows binding user jane to Role pod-reader:
"A RoleBinding grants the permissions defined in a Role to a user or set of users...." Example:
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
- Kubernetes docs, RBAC: RoleBinding and ClusterRoleBinding
OptionBmatches this pattern exactly, with name: bob as theUsersubject and roleRef pointing to theRole named pod-reader.
* Aswaps the names (subject is pod-reader, role is bob) # incorrect.
* Creferences aClusterRole, not aRole(the question asks for Role).
* Duses kind: Group even though we need theUserbob.
References:
Kubernetes Docs - Using RBAC Authorization #RoleBinding and ClusterRoleBinding: https://kubernetes.io
/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding


NEW QUESTION # 52
In a cluster that contains Nodes withmultiple container runtimesinstalled, how can a Pod be configured to be created on a specific runtime?

  • A. By setting the container runtime as an environment variable in the Pod.
  • B. By using a command-line flag when creating the Pod.
  • C. By modifying the Docker daemon configuration.
  • D. By specifying the container runtime in the Pod's YAML file.

Answer: D

Explanation:
* Kubernetes supportsmultiple container runtimeson a node via theRuntimeClassresource.
* To select a runtime, you specify the runtimeClassName field in thePod's YAML manifest. Example:
* apiVersion: v1
* kind: Pod
* metadata:
* name: example
* spec:
* runtimeClassName: gvisor
* containers:
* - name: app
* image: nginx
* Incorrect options:
* (A) You cannot specify container runtime through a kubectl command-line flag.
* (B) Modifying the Docker daemon config does not direct Kubernetes Pods to a runtime.
* (C) Environment variables inside a Pod spec do not control container runtimes.
References:
Kubernetes Documentation - RuntimeClass
CNCF Security Whitepaper - Workload isolation via different runtimes (e.g., gVisor, Kata) for enhanced security.


NEW QUESTION # 53
......

Correct and Up-to-date Linux Foundation KCSA BrainDumps: https://www.dumpsfree.com/KCSA-valid-exam.html

Current KCSA dumps Preparation through Our Practice Test: https://drive.google.com/open?id=1tYz0kYiZq32ILwrgGFz6TGNBDX4P83zJ