[Oct-2025] Use Real KCSA Dumps Free Sample Questions and Practice Test Engine [Q23-Q47]

Share

[Oct-2025] Use Real KCSA Dumps Free Sample Questions and Practice Test Engine

Pass Linux Foundation KCSA exam - questions - convert Tets Engine to PDF

NEW QUESTION # 23
A container image istrojanizedby an attacker by compromising the build server. Based on the STRIDE threat modeling framework, which threat category best defines this threat?

  • A. Tampering
  • B. Repudiation
  • C. Spoofing
  • D. Denial of Service

Answer: A

Explanation:
* In STRIDE,Tamperingis the threat category forunauthorized modification of data or code/artifacts. A trojanized container image is, by definition, an attacker'smodificationof the build output (the image) after compromising the CI/build system-i.e., tampering with the artifact in the software supply chain.
* Why not the others?
* Spoofingis about identity/authentication (e.g., pretending to be someone/something).
* Repudiationis about denying having performed an action without sufficient audit evidence.
* Denial of Servicetargets availability (exhausting resources or making a service unavailable).The scenario explicitly focuses on analtered imageresulting from a compromised build server-this squarely maps toTampering.
Authoritative references (for verification and deeper reading):
* Kubernetes (official docs)- Supply Chain Security (discusses risks such as compromised CI/CD pipelines leading to modified/poisoned images and emphasizes verifying image integrity/signatures).
* Kubernetes Docs#Security#Supply chain securityandSecuring a cluster(sections on image provenance, signing, and verifying artifacts).
* CNCF TAG Security - Cloud Native Security Whitepaper (v2)- Threat modeling in cloud-native and software supply chain risks; describes attackers modifying build outputs (images/artifacts) via CI
/CD compromise as a form oftamperingand prescribes controls (signing, provenance, policy).
* CNCF TAG Security - Software Supply Chain Security Best Practices- Explicitly covers CI/CD compromise leading tomaliciously modified imagesand recommends SLSA, provenance attestation, and signature verification (policy enforcement via admission controls).
* Microsoft STRIDE (canonical reference)- DefinesTamperingasmodifying data or code, which directly fits a trojanized image produced by a compromised build system.


NEW QUESTION # 24
What was the name of the precursor to Pod Security Standards?

  • A. Container Security Standards
  • B. Kubernetes Security Context
  • C. Container Runtime Security
  • D. Pod Security Policy

Answer: D

Explanation:
* Kubernetes originally had a feature calledPodSecurityPolicy (PSP), which provided controls to restrict pod behavior.
* Official docs:
* "PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25."
* "Pod Security Standards (PSS) replace PodSecurityPolicy (PSP) with a simpler, policy- driven approach."
* PSP was often complex and hard to manage, so it was replaced by Pod Security Admission (PSA) which enforcesPod Security Standards.
References:
Kubernetes Docs - PodSecurityPolicy (deprecated): https://kubernetes.io/docs/concepts/security/pod- security-policy/ Kubernetes Blog - PodSecurityPolicy Deprecation: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy- deprecation-past-present-and-future/


NEW QUESTION # 25
Which of the following statements regarding a container run with privileged: true is correct?

  • A. A container run with privileged: true has no additional access to Secrets than if it were run with privileged: false.
  • B. A container run with privileged: true within a Namespace can access all Secrets used within that Namespace.
  • C. A container run with privileged: true on a node can access all Secrets used on that node.
  • D. A container run with privileged: true within a cluster can access all Secrets used within that cluster.

Answer: A

Explanation:
* Setting privileged: true grants a containerelevated access to the host node, including access to host devices, kernel capabilities, and the ability to modify the host.
* However, Secrets in Kubernetes are not automatically exposedto privileged containers. Secrets are mounted into Pods only if explicitly referenced.
* Thus, being privilegeddoes not grant additional access to Kubernetes Secretscompared to a non- privileged Pod.
* The risk lies in node compromise: if a privileged container can take over the node, it could then indirectly gain access to Secrets (e.g., by reading kubelet credentials).
References:
Kubernetes Documentation - Security Context
CNCF Security Whitepaper - Pod security context and privileged container risks.


NEW QUESTION # 26
A cluster administrator wants to enforce the use of a different container runtime depending on the application a workload belongs to.

  • A. By configuring avalidating admission controllerwebhook that verifies the container runtime based on the application label and rejects requests that do not comply.
  • B. By modifying the kube-apiserver configuration file to specify the desired container runtime for each application.
  • C. By manually modifying the container runtime for each workload after it has been created.
  • D. By configuring amutating admission controllerwebhook that intercepts new workload creation requests and modifies the container runtime based on the application label.

Answer: D

Explanation:
* Kubernetes supports workload-specific runtimes viaRuntimeClass.
* Amutating admission controllercan enforce this automatically by:
* Intercepting workload creation requests.
* Modifying the Pod spec to set runtimeClassName based on labels or policies.
* Incorrect options:
* (A) Manual modification is not scalable or secure.
* (B) kube-apiserver cannot enforce per-application runtime policies.
* (C) A validating webhook can onlyreject, not modify, the runtime.
References:
Kubernetes Documentation - RuntimeClass
CNCF Security Whitepaper - Admission controllers for enforcing runtime policies.


NEW QUESTION # 27
What kind of organization would need to be compliant with PCI DSS?

  • A. Non-profit organizations that handle sensitive customer data.
  • B. Merchants that process credit card payments.
  • C. Retail stores that only accept cash payments.
  • D. Government agencies that collect personally identifiable information.

Answer: B

Explanation:
* PCI DSS (Payment Card Industry Data Security Standard):applies to any entity thatstores, processes, or transmits cardholder data.
* Exact extract (PCI DSS official summary):
* "PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and
/or sensitive authentication data (SAD)."
* Therefore,merchants who process credit card paymentsmust comply.
* Why others are wrong:
* A: No card payments, so no PCI scope.
* B: This falls underFISMA / NIST 800-53, not PCI DSS.
* C: Non-profits may handle sensitive data, but PCI only applies if they processcredit cards.
References:
PCI Security Standards Council - PCI DSS Summary: https://www.pcisecuritystandards.org/pci_security/


NEW QUESTION # 28
Which information does a user need to verify a signed container image?

  • A. The image's digital signature and the public key of the signing authority.
  • B. The image's SHA-256 hash and the private key of the signing authority.
  • C. The image's digital signature and the private key of the signing authority.
  • D. The image's SHA-256 hash and the public key of the signing authority.

Answer: A

Explanation:
* Container image signing (e.g., withcosign, Notary v2) uses asymmetric cryptography.
* Verification process:
* Retrieve theimage's digital signature.
* Validate the signature with thepublic keyof the signer.
* Exact extract (Sigstore Cosign Docs):
* "Verification of an image requires the signature and the signer's public key. The signature proves authenticity and integrity."
* Why others are wrong:
* A & B: The private key is only used by the signer, never shared.
* C: The hash alone cannot prove authenticity without the digital signature.
References:
Sigstore Cosign Docs: https://docs.sigstore.dev/cosign/overview


NEW QUESTION # 29
Which of the following represents a baseline security measure for containers?

  • A. Run containers as the root user.
  • B. Configuring persistent storage for containers.
  • C. Implementing access control to restrict container access.
  • D. Configuring a static IP for each container.

Answer: C

Explanation:
* Access control (RBAC, least privilege, user restrictions)is abaseline container security best practice.
* Exact extract (Kubernetes Pod Security Standards - Baseline):
* "The baseline profile is designed to prevent known privilege escalations. It prohibits running privileged containers or containers as root."
* Other options clarified:
* B: Static IPs not a security measure.
* C: Persistent storage is functionality, not security.
* D: Running as root is explicitlyinsecure.
References:
Kubernetes Docs - Pod Security Standards (Baseline): https://kubernetes.io/docs/concepts/security/pod- security-standards/


NEW QUESTION # 30
In a Kubernetes environment, what kind of Admission Controller can modify resource manifests when applied to the Kubernetes API to fix misconfigurations automatically?

  • A. ResourceQuota
  • B. ValidatingAdmissionController
  • C. PodSecurityPolicy
  • D. MutatingAdmissionController

Answer: D

Explanation:
* Kubernetes Admission Controllers can eithervalidateormutateincoming requests.
* MutatingAdmissionWebhook (Mutating Admission Controller):
* Canmodify or mutate resource manifestsbefore they are persisted in etcd.
* Used for automatic injection of sidecars (e.g., Istio Envoy proxy), setting default values, or fixing misconfigurations.
* ValidatingAdmissionWebhook (Validating Admission Controller):only allows/denies but doesnot change requests.
* PodSecurityPolicy:deprecated; cannot mutate requests.
* ResourceQuota:enforces resource usage, but does not mutate manifests.
Exact Extract:
* "Mutating admission webhooks are invoked first, and can modify objects to enforce defaults.
Validating admission webhooks are invoked second, and can reject requests to enforce invariants.
"
References:
Kubernetes Docs - Admission Controllers: https://kubernetes.io/docs/reference/access-authn-authz
/admission-controllers/
Kubernetes Docs - Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz
/extensible-admission-controllers/


NEW QUESTION # 31
Which of the following statements correctly describes a container breakout?

  • A. A container breakout is the process of escaping a container when it reaches its resource limits.
  • B. A container breakout is the process of escaping the container and gaining access to the Pod's network traffic.
  • C. A container breakout is the process of escaping the container and gaining access to the cloud provider's infrastructure.
  • D. A container breakout is the process of escaping the container and gaining access to the host operating system.

Answer: D

Explanation:
* Container breakoutrefers to an attacker escaping container isolation and reaching thehost OS.
* Once the host is compromised, the attacker can accessother containers, Kubernetes nodes, or escalate further.
* Exact extract (Kubernetes Security Docs):
* "If an attacker gains access to a container, they may attempt a container breakout to gain access to the host system."
* Other options clarified:
* A: Network access inside a Pod # breakout.
* B: Resource exhaustion is aDoS, not a breakout.
* C: Cloud infrastructure compromise is possibleafterhost compromise, but not the definition of breakout.
References:
Kubernetes Security Concepts: https://kubernetes.io/docs/concepts/security/ CNCF Security Whitepaper (Threats section):https://github.com/cncf/tag-security


NEW QUESTION # 32
When using a cloud provider's managed Kubernetes service, who is responsible for maintaining the etcd cluster?

  • A. Application developer
  • B. Kubernetes administrator
  • C. Namespace administrator
  • D. Cloud provider

Answer: D

Explanation:
* Inmanaged Kubernetes services(EKS, GKE, AKS), the control plane is operated by thecloud provider
.
* This includesetcd, API server, controller manager, scheduler.
* Users manageworker nodes(in some models) and workloads, but not the control plane.
* Exact extract (GKE Docs):
* "The control plane, including the API server and etcd database, is managed and maintained by Google."
* Similarly forEKSandAKS, etcd is fully managed by the provider.
References:
GKE Architecture: https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture EKS Architecture: https://docs.aws.amazon.com/eks/latest/userguide/eks-architecture.html AKS Docs: https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads


NEW QUESTION # 33
What information is stored in etcd?

  • A. Application logs and monitoring data for auditing and troubleshooting purposes.
  • B. Etcd manages the configuration data, state data, and metadata for Kubernetes.
  • C. Sensitive user data such as usernames and passwords.
  • D. Pod data contained in Persistent Volume Claims (e.g. hostPath).

Answer: B

Explanation:
* etcdis Kubernetes'key-value storeforcluster state.
* Stores: ConfigMaps, Secrets, Pod definitions, Deployments, RBAC policies, and metadata.
* Exact extract (Kubernetes Docs - etcd):
* "etcd is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data."
* Clarifications:
* B: Logs/metrics are handled by logging/monitoring solutions, not etcd.
* C: Secrets may be stored here but encoded in base64, not specifically "usernames/passwords" as primary use.
* D: Persistent Volumes are external storage, not stored in etcd.
References:
Kubernetes Docs - etcd: https://kubernetes.io/docs/concepts/overview/components/#etcd


NEW QUESTION # 34
To restrict the kubelet's rights to the Kubernetes API, whatauthorization modeshould be set on the Kubernetes API server?

  • A. Webhook
  • B. kubelet
  • C. AlwaysAllow
  • D. Node

Answer: D

Explanation:
* TheNode authorization modeis designed to specifically limit what kubelets can do when they connect to the Kubernetes API server.
* It authorizes requests from kubelets based on the Pods scheduled to run on their nodes, ensuring kubelets cannot interact with resources beyond their scope.
* Incorrect options:
* (B)AlwaysAllowallows unrestricted access (insecure).
* (C) No kubelet authorization mode exists.
* (D)Webhookmode delegates authorization decisions to an external service, not specifically for kubelets.
References:
Kubernetes Documentation - Node Authorization
CNCF Security Whitepaper - Access control: kubelet authorization and Node authorizer.


NEW QUESTION # 35
Is it possible to restrict permissions so that a controller can only change the image of a deployment (without changing anything else about it, e.g., environment variables, commands, replicas, secrets)?

  • A. No, because granting access to the spec.containers.image field always grants access to the rest of the spec object.
  • B. Yes, with a 'managed fields' annotation.
  • C. Yes, by granting permission to the /image subresource.
  • D. Not with RBAC, but it is possible with an admission webhook.

Answer: D

Explanation:
* RBAC in Kubernetesis coarse-grained: it controlsverbs(get, update, patch, delete) onresources(e.g., deployments), butnot individual fieldswithin a resource.
* There isno /image subresource for deployments(there is one for pods but only for ephemeral containers).
* Therefore,RBAC cannot restrict changes only to the image field.
* Admission Webhooks(mutating/validating)canenforce fine-grained policies (e.g., deny updates that change anything other than spec.containers[*].image).
* Exact extract (Kubernetes Docs - Admission Webhooks):
* "Admission webhooks can be used to enforce custom policies on objects being admitted." References:
Kubernetes Docs - RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ Kubernetes Docs - Admission Webhooks: https://kubernetes.io/docs/reference/access-authn-authz
/extensible-admission-controllers/


NEW QUESTION # 36
On a client machine, what directory (by default) contains sensitive credential information?

  • A. $HOME/.config/kubernetes/
  • B. /opt/kubernetes/secrets/
  • C. /etc/kubernetes/
  • D. $HOME/.kube

Answer: D

Explanation:
* Thekubectlclient uses configuration from$HOME/.kube/configby default.
* This file contains: cluster API server endpoint, user certificates, tokens, or kubeconfigs #sensitive credentials.
* Exact extract (Kubernetes Docs - Configure Access to Clusters):
* "By default, kubectl looks for a file named config in the $HOME/.kube directory. This file contains configuration information including user credentials."
* Other options clarified:
* A: /etc/kubernetes/ exists on nodes (control plane) not client machines.
* C: /opt/kubernetes/secrets/ is not a standard path.
* D: $HOME/.config/kubernetes/ is not where kubeconfig is stored by default.
References:
Kubernetes Docs - Configure Access to Clusters: https://kubernetes.io/docs/concepts/configuration/organize- cluster-access-kubeconfig/


NEW QUESTION # 37
Given a standard Kubernetes cluster architecture comprising a single control plane node (hosting bothetcdand the control plane as Pods) and three worker nodes, which of the following data flows crosses atrust boundary
?

  • A. From kubelet to Container Runtime
  • B. From kubelet to API Server
  • C. From API Server to Container Runtime
  • D. From kubelet to Controller Manager

Answer: B

Explanation:
* Trust boundariesexist where data flows between different security domains.
* In Kubernetes:
* Communication between thekubelet (node agent)and theAPI Server (control plane)crosses the node-to-control-plane trust boundary.
* (A) Kubelet to container runtime is local, no boundary crossing.
* (C) Kubelet does not communicate directly with the controller manager.
* (D) API server does not talk directly to the container runtime; it delegates to kubelet.
* Therefore, (B) is the correct trust boundary crossing flow.
References:
CNCF Security Whitepaper - Kubernetes Threat Model: identifies node-to-control-plane communications (kubelet # API Server) as crossing trust boundaries.
Kubernetes Documentation - Cluster Architecture


NEW QUESTION # 38
What is Grafana?

  • A. A cloud-native distributed tracing system for monitoring microservices architectures.
  • B. A platform for monitoring and visualizing time-series data.
  • C. A container orchestration platform for managing and scaling applications.
  • D. A cloud-native security tool for scanning and detecting vulnerabilities in Kubernetes clusters.

Answer: B

Explanation:
* Grafana:An open-source analytics and visualization platform widely used with Prometheus, Loki, etc.
* Exact extract (Grafana Docs):"Grafana is the open-source analytics and monitoring solution for every database. It allows you to query, visualize, alert on, and understand your metrics no matter where they are stored."
* A is wrong:That describesJaeger(distributed tracing).
* B is wrong:That'sKubernetesitself.
* D is wrong:That'sTrivy/Aqua/Prismatype tools.
References:
Grafana Docs: https://grafana.com/docs/grafana/latest/


NEW QUESTION # 39
In which order are thevalidating and mutating admission controllersrun while the Kubernetes API server processes a request?

  • A. Validating and mutating admission controllers run simultaneously.
  • B. Validating admission controllers run before mutating admission controllers.
  • C. The order of execution varies and is determined by the cluster configuration.
  • D. Mutating admission controllers run before validating admission controllers.

Answer: D

Explanation:
* Theadmission control flowin Kubernetes:
* Mutating admission controllersrun first and can modify incoming requests.
* Validating admission controllersrun after mutations to ensure the final object complies with policies.
* This ensures policies validate thefinal, mutated object.
References:
Kubernetes Documentation - Admission Controllers
CNCF Security Whitepaper - Admission control workflow.


NEW QUESTION # 40
Which of the following statements best describe container image signing and verification in the cloud environment?

  • A. Container image signatures are concerned with defining developer ownership of applications within multi-tenant environments.
  • B. Container image signatures are mandatory in cloud environments, as cloud providers would deny the execution of unsigned container images.
  • C. Container image signatures and their verification ensure their authenticity and integrity against tampering.
  • D. Container image signatures affect the performance of containerized applications, as they increase the size of images with additional metadata.

Answer: C

Explanation:
* Image signing (withNotary, cosign, or similar tools) ensures that images are from a trusted source and have not been modified.
* Exact extract (Sigstore cosign docs):"Cosign allows you to sign and verify container images to ensure authenticity and integrity."
* Why others are wrong:
* B:Ownership can be inferred but it's aboutauthenticity & integritynot tenancy.
* C:Not mandatory; enforcement requiresadmission controllers.
* D:Metadata size is negligible and has no runtime performance impact.
References:
Sigstore Project: https://docs.sigstore.dev/cosign/overview
CNCF Security Whitepaper


NEW QUESTION # 41
A cluster is failing to pull more recent versions of images from k8s.gcr.io. Why may this be?

  • A. There is a bug in the container runtime or the image pull process.
  • B. There is a network connectivity issue between the cluster and k8s.gcr.io.
  • C. The authentication credentials for accessing k8s.gcr.io are incorrectly scoped.
  • D. The container image registry k8s.gcr.io has been deprecated.

Answer: D

Explanation:
* k8s.gcr.iowas the historic Kubernetes image registry.
* It has beendeprecatedand replaced withregistry.k8s.io.
* Exact extract (Kubernetes Blog):
* "The k8s.gcr.io image registry will be frozen from April 3, 2023 and fully deprecated. All Kubernetes project images are now served from registry.k8s.io."
* Pulling newer versions from k8s.gcr.io fails because the registry no longer receives updates.
References:
Kubernetes Blog - Image Registry Update: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze- announcement/


NEW QUESTION # 42
How can a user enforce thePod Security Standardwithout third-party tools?

  • A. Use the PodSecurity admission controller.
  • B. It is only possible to enforce the Pod Security Standard with additional tools within the cloud native ecosystem.
  • C. Through implementing Kyverno or OPA Policies.
  • D. No additional measures have to be taken to enforce the Pod Security Standard.

Answer: A

Explanation:
* ThePodSecurity admission controller(built-in as of Kubernetes v1.23+) enforces the Pod Security Standards (Privileged, Baseline, Restricted).
* Enforcement is namespace-scoped and configured throughnamespace labels.
* Incorrect options:
* (A) Kyverno/OPA are external policy tools (useful but not required).
* (C) Not true, PodSecurity admission provides native enforcement.
* (D) Enforcement requires explicit configuration, not automatic.
References:
Kubernetes Documentation - Pod Security Admission
CNCF Security Whitepaper - Policy enforcement and admission control.


NEW QUESTION # 43
Which step would give an attacker a foothold in a cluster butno long-term persistence?

  • A. Create restarting container on host using Docker.
  • B. Modify Kubernetes objects stored within etcd.
  • C. Starting a process in a running container.
  • D. Modify file on host filesystem.

Answer: C

Explanation:
* Starting a process in a running containerprovides an attacker withtemporary execution (foothold) inside the cluster, but once the container is stopped or restarted, that malicious process is lost. This means the attacker has nolong-term persistence.
* Incorrect options:
* (A) Modifying objects inetcdgrants persistent access since cluster state is stored in etcd.
* (B) Modifying files on thehost filesystemcan create persistence across reboots or container restarts.
* (D) Creating a restarting container directly on the host via Docker bypasses Kubernetes but persists across pod restarts if Docker restarts it.
References:
CNCF Security Whitepaper - Threat Modeling section: Describes howephemeral processes inside containersprovide attackers short-term control but not durable persistence.
Kubernetes Documentation - Cluster Threat Model emphasizes ephemeral vs. persistent attacker footholds.


NEW QUESTION # 44
What is a multi-stage build?

  • A. A build process that involves multiple stages of image creation, allowing for smaller, optimized images.
  • B. A build process that involves multiple developers collaborating on building an image.
  • C. A build process that involves multiple repositories for storing container images.
  • D. A build process that involves multiple containers running simultaneously to speed up the image creation.

Answer: A

Explanation:
* Multi-stage buildsare a Docker/Kaniko feature that allows building images in multiple stages # final image contains only runtime artifacts, not build tools.
* This reducesimage size, attack surface, and security risks.
* Exact extract (Docker Docs):
* "Multi-stage builds allow you to use multiple FROM statements in a Dockerfile. You can copy artifacts from one stage to another, resulting in smaller, optimized images."
* Clarifications:
* A: Collaboration is not the definition.
* B: Multiple repositories # multi-stage builds.
* C: Build concurrency # multi-stage builds.
References:
Docker Docs - Multi-Stage Builds: https://docs.docker.com/develop/develop-images/multistage-build/


NEW QUESTION # 45
Which other controllers are part of the kube-controller-manager inside the Kubernetes cluster?

  • A. Job controller, CronJob controller, and DaemonSet controller
  • B. Namespace controller, ConfigMap controller, and Secret controller
  • C. Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller
  • D. Pod, Service, and Ingress controller

Answer: C

Explanation:
* kube-controller-managerruns a set of controllers that regulate the cluster's state.
* Exact extract (Kubernetes Docs):"The kube-controller-manager runs controllers that are core to Kubernetes. Examples of controllers are: Node controller, Replication controller, Endpoints controller, Namespace controller, and ServiceAccounts controller."
* Why D is correct:All listed are actual controllers within kube-controller-manager.
* Why others are wrong:
* A:Job and CronJob controllers are managed by kube-controller-manager, but DaemonSet controller is managed by the kube-scheduler/deployment logic.
* B:Pod, Service, Ingress controllers are not part of kube-controller-manager.
* C:ConfigMap and Secret do not have dedicated controllers.
References:
Kubernetes Docs - kube-controller-manager: https://kubernetes.io/docs/reference/command-line-tools- reference/kube-controller-manager/


NEW QUESTION # 46
Which technology can be used to apply security policy for internal cluster traffic at the application layer of the network?

  • A. Container Runtime
  • B. Network Policy
  • C. Ingress Controller
  • D. Service Mesh

Answer: D

Explanation:
* Service Mesh (e.g., Istio, Linkerd, Consul):operates atLayer 7 (application layer), enforcing policies like mTLS, authorization, and routing between services.
* NetworkPolicy:works atLayer 3/4 (IP/port), not Layer 7.
* Ingress Controller:handles external traffic ingress, not internal service-to-service traffic.
* Container Runtime:responsible for running containers, not enforcing application-layer security.
Exact extract (Istio docs):
* "Istio provides security by enforcing authentication, authorization, and encryption of service-to- service communication." References:
Kubernetes Docs - Network Policies: https://kubernetes.io/docs/concepts/services-networking/network- policies/ Istio Security Docs: https://istio.io/latest/docs/concepts/security/


NEW QUESTION # 47
......

Pass Your KCSA Exam Easily - Real KCSA Practice Dump Updated Oct 04, 2025: https://examsboost.pass4training.com/KCSA-test-questions.html