
KCSA

Stanislav Cherkasov
{DevOps,DevSecOps,Platform} Engineer
certification - This article is part of a series.

I’ve passed the Kubernetes and Cloud Native Security Associate (KCSA) exam.

KCSA 2026 Certificate

The exam is online, proctored, multiple-choice (60 questions / 90 minutes). The certification is valid for 2 years.

Domains

The KCSA blueprint is split into six domains. Here is the weight distribution:

%%{init: {"theme":"base","themeVariables":{"pie1":"#ff6b6b","pie2":"#feca57","pie3":"#48dbfb","pie4":"#1dd1a1","pie5":"#5f27cd","pie6":"#576574"}}}%%
pie showData
  title KCSA domains (weights)
  "Overview of Cloud Native Security" : 14
  "Kubernetes Cluster Component Security" : 22
  "Kubernetes Security Fundamentals" : 22
  "Kubernetes Threat Model" : 16
  "Platform Security" : 16
  "Compliance and Security Frameworks" : 10

A quick breakdown of what typically sits inside each bucket:

  • Overview of Cloud Native Security (14%)

    • The “4Cs” model (Cloud, Cluster, Container, Code)
    • Shared responsibility and common controls
  • Kubernetes Cluster Component Security (22%)

    • Control plane + etcd basics (what to protect and why)
    • Node components (kubelet, runtime) and cluster networking
  • Kubernetes Security Fundamentals (22%)

    • AuthN/AuthZ and RBAC fundamentals
    • Pod Security Standards / Pod Security Admission, NetworkPolicy, Secrets, audit logs
  • Kubernetes Threat Model (16%)

    • Trust boundaries and common attack paths (privilege escalation, sensitive data access, DoS)
  • Platform Security (16%)

    • Supply-chain basics (images, registries, signatures) and platform controls (admission, observability)
  • Compliance and Security Frameworks (10%)

    • What compliance frameworks look like in practice (controls, evidence, automation)

Preparation

My prep was intentionally boring:
