Stage 7 · Master
KCSA — Kubernetes & Cloud Native Security Associate
Overview of Cloud Native Security (14%)
The 4Cs security model, isolation strategies, and defense in depth for Kubernetes.
The 4Cs of Cloud Native Security
The 4Cs model is a layered security framework for cloud native systems. Each layer builds on the one below it, creating a defense-in-depth strategy. Security must be addressed at every layer — a vulnerability in any layer compromises the layers above.
- Cloud — Physical infrastructure, data centers, network, hardware.
- Cluster — Kubernetes components, RBAC, network policies, etcd encryption.
- Container — Image scanning, runtime security, minimal base images.
- Code — Application security, dependency scanning, secrets management.
You do not need perfect security at every layer. The goal is to reduce attack surface progressively. Securing the cloud layer lets you focus on the cluster layer, and so on. Each layer buys you time and limits blast radius.
Defense in Depth
Defense in depth means using multiple security controls so that if one fails, another catches the threat. No single control is sufficient. The layers work together to protect the system.
- Network policies — Restrict Pod-to-Pod communication.
- RBAC — Limit who can do what in the cluster.
- Pod Security Standards — Restrict what containers can do.
- Image scanning — Catch known vulnerabilities before deployment.
- Runtime security — Detect and respond to anomalous behavior at runtime.
Shared Responsibility Model
In cloud environments, security is shared between the cloud provider and the customer. The provider secures the infrastructure. The customer secures what they put on the infrastructure.
| Model | Provider Handles | Customer Handles |
|---|---|---|
| IaaS | Physical security, network, hypervisor | OS, runtime, application, data |
| PaaS | Physical through runtime | Application, data, access management |
| SaaS | Everything | Data, user access, configuration |
Isolation Strategies
Isolation limits the blast radius of a security breach. Kubernetes provides multiple isolation mechanisms at the namespace, node, and container level.
- Namespaces — Logical isolation for RBAC and network policies.
- Network Policies — Firewall rules between Pods.
- Pod Security Standards — Restrict privileged operations.
- Node isolation — Dedicated node pools for sensitive workloads.
- Sandbox runtimes — gVisor or Kata for workload-level isolation.
CNCF Security Projects
The CNCF hosts a growing ecosystem of security tools. Knowing the major projects and their purpose is essential for the KCSA exam.
| Project | Category | Purpose |
|---|---|---|
| Falco | Runtime security | Detect anomalous behavior in real-time |
| OPA/Gatekeeper | Admission control | Policy enforcement at deployment time |
| Kyverno | Admission control | Kubernetes-native policy engine |
| Trivy | Image scanning | Vulnerability scanning for containers |
| Cert-Manager | PKI | TLS certificate management |
| Vault | Secrets management | Dynamic secrets and encryption |
Security Mindset for KCNA
The KCSA exam tests your understanding of security concepts, not just tool names. You need to understand why security matters and how to think like an attacker. Every misconfiguration is a potential entry point.
The exam asks about principles and concepts more than specific tool commands. Know the 4Cs model, understand shared responsibility, and be able to identify which security layer a control addresses.
Key Commands
kubectl auth can-i --list # Current user permissions
kubectl auth can-i create pods # Specific permission check
kubectl get clusterrolebindings -o wide # Who has cluster-level access
kubectl get networkpolicies -A # All network policies
kubectl get podsecuritypolicies # Pod security policies (legacy)
kubectl get validatingwebhookconfigurations # Admission webhooksThe kubectl auth can-i command is the fastest way to check if a user or service account has a specific permission. Use it during the exam to verify RBAC changes.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.