CNCF 🇺🇸 · 6 min read

How to Pass KCSA (Kubernetes and Cloud Native Security Associate) in 2026: Complete Study Guide

KCSA is CNCF's security-focused entry-level Kubernetes certification — 6 domains covering Pod Security Standards, RBAC, supply chain security, compliance frameworks, and the Kubernetes threat model. This guide covers everything you need to pass on the first attempt.

The KCSA (Kubernetes and Cloud Native Security Associate) is CNCF's entry-level security certification for professionals who work with Kubernetes and cloud native environments. It sits between the KCNA (foundational Kubernetes knowledge) and the CKS (Certified Kubernetes Security Specialist) — and it is the fastest way to prove you understand cloud native security principles without needing to spin up a live cluster for an exam. If you are a DevSecOps engineer, a developer moving into security, or a cloud security practitioner entering the Kubernetes world, this certification signals that you understand the security model from the ground up.

Exam Facts and Format

Full Name: Kubernetes and Cloud Native Security Associate (KCSA)
Vendor: CNCF (Cloud Native Computing Foundation) / Linux Foundation
Format: Multiple choice, online proctored
Questions: 60
Duration: 90 minutes
Passing Score: 75%
Cost: $250 USD (includes one free retake)
Prerequisites: None formally required; KCNA or basic Kubernetes knowledge strongly recommended
Validity: 2 years

All 6 Domains Explained

Domain 1: Overview of Cloud Native Security (14%)

This domain introduces the security mindset for cloud native environments. Key topics include the 4Cs of Cloud Native Security (Cloud, Cluster, Container, Code), shared responsibility model in cloud environments, and how security is layered across infrastructure and application stacks. You need to understand that each "C" builds on the one below it — a vulnerability at the Cloud layer undermines every other control above it.

Domain 2: Kubernetes Cluster Component Security (22%)

The heaviest domain by weight. Covers how each Kubernetes component exposes an attack surface: the API server (authentication, authorization, admission control), etcd (encryption at rest, access restrictions), kubelet (anonymous auth disabled, read-only port), kube-scheduler and kube-controller-manager (hardened flags), and the container runtime. You need to know what each component does, where its configuration lives, and what a misconfiguration looks like.
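To make "what a misconfiguration looks like" concrete, here is an added example (not part of the original guide): a small Python audit of control-plane process command lines for the kubelet and API server hardening points named above. The command lines and file paths are constructed samples, and only command-line flags are inspected, so settings supplied through a KubeletConfiguration file are out of scope.

```python
import shlex

# Constructed sample command lines (what `ps -o args` might show); not from a real cluster.
WEAK_APISERVER = ("kube-apiserver --anonymous-auth=true --authorization-mode=AlwaysAllow "
                  "--enable-admission-plugins=NamespaceLifecycle")
WEAK_KUBELET = "kubelet --anonymous-auth=true --read-only-port=10255 --authorization-mode=AlwaysAllow"
HARDENED_APISERVER = ("kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC "
                      "--enable-admission-plugins=NodeRestriction,PodSecurity "
                      "--encryption-provider-config=/etc/kubernetes/enc.yaml "   # placeholder path
                      "--audit-log-path=/var/log/kubernetes/audit.log")          # placeholder path

def parse_flags(cmdline):
    """Split a command line into (binary, {flag: value}); flags without '=' get value ''."""
    argv = shlex.split(cmdline)
    flags = {}
    for arg in argv[1:]:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value
    return argv[0], flags

def is_set(v):
    return v != ""

# Per component: (flag, predicate the value must satisfy, weakness reported when it does not).
# A flag that is absent is treated as "" and therefore fails every predicate below.
CHECKS = {
    "kube-apiserver": [
        ("anonymous-auth", lambda v: v == "false", "anonymous requests are accepted by the API server"),
        ("authorization-mode", lambda v: is_set(v) and "AlwaysAllow" not in v.split(","),
         "authorization is not enforced (expect Node,RBAC)"),
        ("encryption-provider-config", is_set, "Secrets in etcd are not encrypted at rest"),
        ("audit-log-path", is_set, "no audit log is written"),
    ],
    "kubelet": [
        ("anonymous-auth", lambda v: v == "false", "unauthenticated requests reach the kubelet API"),
        ("read-only-port", lambda v: v == "0", "unauthenticated read-only kubelet port is open"),
        ("authorization-mode", lambda v: v == "Webhook", "kubelet does not delegate authorization to the API server"),
    ],
}

def audit(cmdline):
    """Return [(flag, weakness), ...] for one process command line; an empty list means hardened."""
    binary, flags = parse_flags(cmdline)
    return [(flag, why) for flag, ok, why in CHECKS.get(binary, [])
            if not ok(flags.get(flag, ""))]
```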

Domain 3: Kubernetes Security Fundamentals (22%)

Tied for heaviest domain. Covers Pod Security Standards (privileged, baseline, restricted profiles), RBAC (Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccounts), Secrets management, NetworkPolicy, and security contexts (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation). These are the day-to-day controls every Kubernetes operator uses. Expect scenario questions: "which PSS profile allows X?" and "which RBAC object grants access across all namespaces?"
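To make the second scenario question concrete, an added example (not from the original guide) that models RBAC scope resolution in Python: the roles, bindings and subjects are constructed, and matching is exact (wildcard apiGroups and resources are not modelled). It shows why a ClusterRoleBinding answers "across all namespaces" while a RoleBinding that references the same ClusterRole grants it in one namespace only.

```python
# Constructed roles and bindings (plain dicts, not a real cluster). Keys for Roles include
# the namespace because a Role only exists inside one namespace; ClusterRoles are global.
ROLES = {
    ("ClusterRole", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
    ("Role", "dev", "deploy-editor"): [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}],
}

BINDINGS = [
    # ClusterRoleBinding: grants pod-reader in every namespace (the "across all namespaces" case).
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "pod-reader"),
     "subjects": [("User", "alice")]},
    # RoleBinding that references a ClusterRole: same rules, but only inside namespace "dev".
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("ClusterRole", "pod-reader"),
     "subjects": [("User", "bob")]},
    # RoleBinding to a namespaced Role for a ServiceAccount (written as namespace:name here).
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("Role", "deploy-editor"),
     "subjects": [("ServiceAccount", "dev:ci")]},
]

def rule_matches(rule, api_group, resource, verb):
    """True when one PolicyRule covers the request; '*' in verbs means any verb (exact match otherwise)."""
    return (api_group in rule["apiGroups"] and resource in rule["resources"]
            and ("*" in rule["verbs"] or verb in rule["verbs"]))

def resolve_rules(binding):
    """Look up the rules behind a binding's roleRef (a Role ref resolves in the binding's namespace)."""
    kind, name = binding["roleRef"]
    key = (kind, name) if kind == "ClusterRole" else (kind, binding["namespace"], name)
    return ROLES.get(key, [])

def granting_bindings(subject, verb, api_group, resource, namespace):
    """Return the kinds of bindings that allow subject to perform verb on resource in namespace."""
    result = []
    for b in BINDINGS:
        if subject not in b["subjects"]:
            continue
        # Scope rule: a RoleBinding applies only in its own namespace, whichever kind of role
        # it references; a ClusterRoleBinding applies in every namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if any(rule_matches(r, api_group, resource, verb) for r in resolve_rules(b)):
            result.append(b["kind"])
    return result
```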

Domain 4: Kubernetes Threat Model (16%)

Covers the main attack vectors: compromised containers, lateral movement, privilege escalation to node, etcd compromise, API server attacks, and supply chain injection. You also need to know the STRIDE model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) applied to Kubernetes components, and what controls mitigate each threat.

Domain 5: Platform Security (16%)

Focuses on runtime security, supply chain security, and observability. Key tools: Falco (runtime threat detection), OPA Gatekeeper and Kyverno (admission controllers / policy engines), Cosign (image signing), SLSA framework (supply chain security levels), audit logging, and service mesh mTLS. Understand the difference between admission control (before workload creation) and runtime detection (during execution).

Domain 6: Compliance and Security Frameworks (10%)

Lightest domain but not ignorable. Covers CIS Kubernetes Benchmark (configuration hardening checklist), NIST SP 800-190 (application container security guide), SOC 2, PCI-DSS relevance to containerized applications, and SBOM (Software Bill of Materials) as a compliance artifact. You do not need to memorize specific CIS Benchmark rule numbers — focus on what categories of controls each framework addresses.

💡 Exam Tip: Domains 2 and 3 together make up 44% of the exam. Spend at least half your study time mastering Kubernetes component hardening and the RBAC + PSS control plane. Everything else builds on this foundation.
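For the PSS half of that tip, an added example that is not part of the original guide: a Python check of a Pod spec against the securityContext controls of the restricted profile (the profile's other rules, such as allowed volume types and a non-zero runAsUser, are not modelled). Both Pod specs are constructed; the weak one fails even the baseline profile, the hardened one passes.

```python
# Constructed Pod specs as plain dicts (what yaml.safe_load of a manifest returns); not real workloads.
WEAK_POD = {"spec": {"containers": [
    {"name": "app", "image": "registry.example/app:1.0", "securityContext": {"privileged": True}}]}}

RESTRICTED_POD = {"spec": {
    # Pod-level fields are inherited by containers that do not override them.
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "registry.example/app:1.0", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        "readOnlyRootFilesystem": True,   # hardening from the text; not itself a restricted-profile rule
    }}]}}

def effective(pod, container, field):
    """Container-level securityContext overrides the pod-level value for the same field."""
    c_ctx = container.get("securityContext", {})
    return c_ctx[field] if field in c_ctx else pod["spec"].get("securityContext", {}).get(field)

def restricted_violations(pod):
    """Return (container name, reason) for each restricted-profile control that is not satisfied."""
    out = []
    spec = pod["spec"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = c.get("securityContext", {})
        if ctx.get("privileged"):
            out.append((c["name"], "privileged: true (fails baseline, not only restricted)"))
        if ctx.get("allowPrivilegeEscalation") is not False:
            out.append((c["name"], "allowPrivilegeEscalation must be explicitly false"))
        if effective(pod, c, "runAsNonRoot") is not True:
            out.append((c["name"], "runAsNonRoot must be true at pod or container level"))
        caps = ctx.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append((c["name"], "capabilities.drop must include ALL"))
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append((c["name"], "only NET_BIND_SERVICE may be added back"))
        seccomp = effective(pod, c, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            out.append((c["name"], "seccompProfile.type must be RuntimeDefault or Localhost"))
    return out
```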

KCSA vs CKS — What is the Difference?

A common question for candidates entering the CNCF security track: should you take KCSA or go straight to CKS?

Format
  KCSA: Multiple choice
  CKS: Hands-on, performance-based (live cluster)
Prerequisite
  KCSA: None (KCNA recommended)
  CKS: Active CKA certification required
Depth
  KCSA: Breadth (knows what controls exist and why)
  CKS: Depth (can implement and troubleshoot live)
Cost
  KCSA: $250
  CKS: $395
Audience
  KCSA: Developers, DevOps, security analysts new to Kubernetes security
  CKS: Experienced Kubernetes administrators
Study time
  KCSA: 4–6 weeks
  CKS: 2–3 months of hands-on practice

KCSA is the right choice if you want to validate your understanding of the cloud native security landscape before committing to the hands-on work required for CKS. Many practitioners use KCSA as a structured way to build the conceptual foundation, then pursue CKS once they have CKA experience.

Best Study Resources

  • Kubernetes Official Documentation — Security Section: The primary source. Read the Pod Security Standards page, RBAC page, Secrets encryption at rest guide, and Network Policies page. CNCF exam questions stay close to the official docs.
  • CNCF Cloud Native Security Whitepaper: The official CNCF document that defines the 4Cs model and outlines security recommendations for cloud native workloads. Available free at cncf.io. Essential for Domain 1 and Domain 4.
  • CIS Kubernetes Benchmark: Free download from the Center for Internet Security. Read the section headings and rationale statements — you do not need every configuration value, but you need to know what categories it covers.
  • NIST SP 800-190: "Application Container Security Guide" — free from nist.gov. Skim the threat table and control recommendations for Domain 6.
  • Killer.sh KCSA practice simulator: Included with exam purchase. Harder than the real exam intentionally — use it in the final week.
  • CertLand KCSA Practice Exam: 340 scenario-based multiple choice questions covering all 6 domains with detailed explanations for every answer.

5-Week Study Plan

Week 1 (Foundations): Read the CNCF Cloud Native Security Whitepaper; study the 4Cs model; review Kubernetes architecture and component roles (Domain 1, start Domain 2)
Week 2 (Cluster Component Security): Study API server flags, etcd encryption, kubelet hardening, and container runtime security (Domain 2); read the NSA/CISA Kubernetes Hardening Guide
Week 3 (Security Fundamentals): Master RBAC objects, Pod Security Standards profiles, NetworkPolicy, Secrets management, and security contexts (Domain 3); create your own RBAC reference table
Week 4 (Threat Model + Platform Security): Study attack vectors and the STRIDE model (Domain 4); learn Falco, OPA Gatekeeper, Cosign, SLSA, audit logging, and mTLS (Domain 5)
Week 5 (Compliance + Full Review): Study the CIS Benchmark, NIST SP 800-190, and SBOM (Domain 6); take a full practice exam; review every wrong answer; focus on weak domains

Exam Day Strategy

Time management: 90 minutes for 60 questions gives you 90 seconds per question. The questions are scenario-based but multiple choice, so they read faster than CKS tasks. Flag and skip any question that requires more than 60 seconds on the first pass — return to them after answering everything else.

Elimination strategy: KCSA questions frequently include one clearly wrong distractor (a tool that solves a completely different problem) and one plausible-but-inferior option. Eliminate the obviously wrong answers first, then focus your reasoning on the two remaining options.

Know the tool-to-function mapping: A large share of Domain 4 and 5 questions ask you to match a security requirement to the right tool. Memorize: Falco = runtime threat detection (behavioral anomaly detection while workloads execute), OPA Gatekeeper / Kyverno = admission control (policy enforced before the object is created), Cosign = image signing, Trivy = vulnerability scanning.

Read domain percentages as a triage guide: If you run short on study time, prioritize Domains 2 and 3 (22% each) and Domain 4 (16%). Domain 6 at 10% should be studied last and skimmed if time is extremely tight.

Ready to Practice?

Test your knowledge with our full KCSA practice exam on CertLand — 340 scenario-based questions covering all 6 domains with detailed explanations.

