Blog · June 3, 2026 · 6 min read

KCSA Exam: a Free Study Guide with 326 Practice Questions and Flashcards

The Kubernetes and Cloud Native Security Associate (KCSA) is the Linux Foundation's entry-level certification for cloud native security. While preparing for it I could not find a single free resource that combined readable study notes with a realistic, scored mock exam — so I built one and put it online at kcsa.webforged.nl. This post explains what the KCSA exam tests, how the site is structured, and a practical way to study for it.

What the KCSA exam actually tests

The KCSA is a multiple-choice, conceptual exam (no hands-on labs, unlike the CKS). It has 60 questions, a 90-minute time limit, a pass mark around 75%, one free retake, and the certification is valid for three years. The questions are spread across six domains, each with a fixed weight:

  • Overview of Cloud Native Security — 14%
  • Kubernetes Cluster Component Security — 22%
  • Kubernetes Security Fundamentals — 22%
  • Kubernetes Threat Model — 16%
  • Platform Security — 16%
  • Compliance and Security Frameworks — 10%

Why a separate study site

The official curriculum tells you the topics, but not the nuance the exam tests. Many questions hinge on named frameworks — the OWASP Top 10 for Kubernetes, STRIDE, the NSA/CISA Kubernetes Hardening Guidance — and on subtle distinctions like the difference between control-plane and data-plane isolation. I wanted notes that follow one consistent template per topic, plus enough practice questions to actually measure readiness against the 75% bar.

What is on kcsa.webforged.nl

The site is free, needs no account, and has three parts:

  • Study docs — one page per topic, each following the same structure: the essence in one paragraph, what you must know, how it works, hardening measures, and exam-focus pitfalls.
  • Practice exams — a bank of 326 questions with three modes: fixed exam sets, a randomised scored mock, and a practice mode with instant feedback and per-domain filtering. Everything is scored against the 75% pass mark with a per-domain breakdown and an explanation for every question.
  • Flashcards — 310 cards you flip to reveal the answer, filterable by domain, with keyboard shortcuts for fast review.

A practical study plan

The three heaviest domains — Cluster Component Security, Security Fundamentals and the Threat Model — together make up 60% of the exam, so weight your time accordingly. A plan that works:

  • Read each topic page once and mark it as read (the site tracks your progress).
  • Run the flashcards per domain until recall is automatic.
  • Take a fixed mock exam, then use the per-domain score to find your weak spots.
  • Re-read only the weak domains, then take a fresh randomised mock to confirm you are above 75%.

Topics candidates underestimate

From comparing real exam-style questions against my notes, these themes come up more than people expect:

  • The OWASP Top 10 for Kubernetes — recognising a risk category from a pod manifest, especially Insecure Workload Configurations (privileged, hostPath, running as root).
  • Specific NSA/CISA Hardening Guidance recommendations — default-deny network policies, non-root and read-only containers, keeping user pods out of kube-system.
  • STRIDE letter-to-category mapping and which control counters each threat.
  • Kubernetes audit policy levels (None, Metadata, Request, RequestResponse) and when to use each.
  • Multi-tenancy isolation — the difference between soft (namespace/RBAC) and data-plane (dedicated nodes) isolation.
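The first two items above (OWASP Insecure Workload Configurations and the NSA/CISA pod-hardening points) are exactly the kind of thing the exam asks you to spot in a manifest. The checker below is an added example, not code from kcsa.webforged.nl or the study notes: it walks a pod spec (a plain dict, as `yaml.safe_load` would return it) and reports privileged containers, hostPath volumes, containers that may run as root, writable root filesystems and user workloads placed in kube-system, and it checks a namespace for the default-deny NetworkPolicy baseline. The two sample pods and the policy list are constructed for illustration.

```python
"""Flag the OWASP Kubernetes 'Insecure Workload Configurations' and the
NSA/CISA pod-hardening points named in the study notes.

Added example (not the study site's code). Manifests are plain dicts;
the sample objects at the bottom are constructed, not real workloads.
"""
from typing import Dict, List


def pod_findings(pod: Dict) -> List[str]:
    """Return one human-readable finding per insecure setting in a Pod."""
    findings: List[str] = []
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # NSA/CISA: keep user workloads out of kube-system.
    if meta.get("namespace") == "kube-system":
        findings.append("user workload scheduled in kube-system")

    # OWASP: hostPath exposes the node filesystem to the pod.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"volume {vol.get('name')!r} mounts hostPath {path!r}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {name!r} is privileged")
        # Container-level fields override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        # Root if UID 0 is set explicitly, or if nothing stops the image
        # default (often root) from being used.
        if run_as_user == 0 or (run_as_user is None and run_as_non_root is not True):
            findings.append(f"container {name!r} may run as root "
                            "(set runAsNonRoot: true or a non-zero runAsUser)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"container {name!r} has a writable root filesystem")
    return findings


def has_default_deny(policies: List[Dict], namespace: str) -> bool:
    """True if `namespace` holds a NetworkPolicy that selects every pod
    (empty podSelector), covers both Ingress and Egress, and allows
    nothing: the NSA/CISA default-deny baseline."""
    for p in policies:
        if p.get("metadata", {}).get("namespace") != namespace:
            continue
        spec = p.get("spec", {})
        if spec.get("podSelector", {}) != {}:
            continue
        types = set(spec.get("policyTypes", []))
        if {"Ingress", "Egress"} <= types and not spec.get("ingress") and not spec.get("egress"):
            return True
    return False


# Constructed samples: one pod that hits every check, one that passes.
INSECURE_POD = {
    "metadata": {"name": "debug", "namespace": "kube-system"},
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{"name": "app", "image": "example/app",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "metadata": {"name": "web", "namespace": "team-a"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{"name": "app", "image": "example/app",
                        "securityContext": {"privileged": False,
                                            "readOnlyRootFilesystem": True}}],
    },
}
NETWORK_POLICIES = [{
    "metadata": {"name": "default-deny", "namespace": "team-a"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}]

if __name__ == "__main__":
    for pod in (INSECURE_POD, HARDENED_POD):
        print(pod["metadata"]["name"], pod_findings(pod) or ["ok"])
    for ns in ("team-a", "kube-system"):
        print(ns, "default-deny:", has_default_deny(NETWORK_POLICIES, ns))
```

Running it lists five findings for the constructed `debug` pod and none for `web`; only `team-a` has the default-deny policy. The root check treats a missing `runAsNonRoot` as a finding on purpose, since an image's default user is unknown from the manifest alone.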

Start studying for free

All of it is open and free. Browse the notes, run a scored mock exam, and drill the flashcards — no sign-up required.

Open the KCSA study site

Angelo Sleebos

Webforged · Den Haag
