CNCF Kubernetes and Cloud Native Security Associate
265 practice questions
Last checked: April 2026
Personal notes and resource links for your study path
The Kubernetes and Cloud Native Security Associate (KCSA) is a foundational-level credential from CNCF and the Linux Foundation that validates conceptual understanding of cloud-native security. It is a 60-question multiple-choice exam, not a hands-on lab exam like CKS, and it targets engineers, security analysts, and SREs who need to talk credibly about Kubernetes threat models, RBAC, network policies, supply-chain security, and the 4Cs (Cloud, Cluster, Container, Code) without yet operating hardened production clusters. KCSA is the natural second step on the Kubestronaut path after KCNA, and it lays the conceptual groundwork that makes the hands-on CKS exam noticeably more approachable.
Overview of Cloud Native Security (14%): the 4Cs of cloud-native security (Cloud, Cluster, Container, Code), shared-responsibility models, and how cloud-native security differs from traditional perimeter security. Conceptual scene-setting for the rest of the exam.
Kubernetes Cluster Component Security (22%): API server, etcd, kubelet, controller-manager, scheduler, kube-proxy and the container runtime; what each component exposes (ports, credentials, data at rest) and how it should be hardened. Tied for the largest domain.
Kubernetes Security Fundamentals (22%): RBAC, service accounts, secrets management, Pod Security Standards enforced through Pod Security Admission (the replacement for the removed PodSecurityPolicy), and network policies. Tied for largest; expect heavy coverage.
Kubernetes Threat Model (16%): STRIDE-style threat modeling applied to Kubernetes trust boundaries and data flow, plus the curriculum's own threat catalog (persistence, denial of service, malicious code execution in containers, an attacker on the network, access to sensitive data, privilege escalation). The vocabulary overlaps heavily with MITRE ATT&CK for Containers, so read that matrix alongside.
Platform Security (16%): supply-chain security (SBOMs, image signing with Sigstore / cosign), image repositories, admission control (OPA Gatekeeper, Kyverno), service mesh and PKI basics, observability, and runtime defense (Falco). Increasingly emphasized in 2024–2026 refreshes.
Compliance and Security Frameworks (10%): CIS Benchmarks for Kubernetes, NIST SP 800-190, PCI-DSS in containerized environments, and the CNCF security TAG. Smallest domain but high-density questions.
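As an added illustration of what this domain expects you to recognize, the manifests below are example YAML written for this page, not taken from CNCF or the exam; the namespace, ServiceAccount, ConfigMap and image names (team-a, app-reader, app-config, registry.example.com) are hypothetical. Together they show the four controls named above: a namespace that enforces the restricted Pod Security Standard via Pod Security Admission labels, a ServiceAccount with a least-privilege Role scoped to a single object, a Pod that actually satisfies the restricted profile, and a default-deny NetworkPolicy.

```yaml
# Added example manifests (not from the page or CNCF). All names are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # Pod Security Admission: reject pods that violate "restricted",
    # and also warn/audit so violations show up in kubectl output and audit logs.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: team-a
automountServiceAccountToken: false   # pods must opt in explicitly to get an API token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["app-config"]   # scope to one object, not every ConfigMap in the namespace
  verbs: ["get"]                  # no list/watch: resourceNames only works with get/update/delete-style verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-configmap
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: app-reader
  namespace: team-a
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: team-a
spec:
  serviceAccountName: app-reader
  automountServiceAccountToken: true   # this pod does talk to the API, so it opts in
  securityContext:
    runAsNonRoot: true                 # required by "restricted"
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault             # required by "restricted" (RuntimeDefault or Localhost)
  containers:
  - name: app
    image: registry.example.com/team-a/app:1.2.3   # hypothetical image
    securityContext:
      allowPrivilegeEscalation: false  # required by "restricted"
      capabilities:
        drop: ["ALL"]                  # required; only NET_BIND_SERVICE may be added back
      readOnlyRootFilesystem: true     # not required by "restricted", but cheap hardening
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}                      # empty selector = every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
  # No ingress or egress rules are listed, so all traffic is denied
  # until a more specific policy in this namespace allows it.
```

After `kubectl apply -f` on this file, `kubectl auth can-i get configmaps/app-config -n team-a --as=system:serviceaccount:team-a:app-reader` should answer yes while `kubectl auth can-i list configmaps -n team-a --as=system:serviceaccount:team-a:app-reader` answers no; that pair of checks is exactly the kind of reasoning the RBAC questions probe. Two caveats a practitioner would want: NetworkPolicy is only enforced when the CNI plugin implements it (Calico and Cilium do; a bare flannel install silently ignores the object), and a default-deny egress policy also blocks DNS, so real namespaces add an explicit egress rule to kube-dns on port 53. Pod Security Admission rejects a non-compliant pod at admission time; it never mutates the pod into compliance.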
$105k / $145k / $200k USD per year (low / typical / high)
Range reflects US-based mid-to-senior cloud-security roles where Kubernetes literacy is expected. Senior DevSecOps and cloud-security architect roles at FAANG and unicorns trend significantly higher (often $250k+ TC). KCSA alone does not unlock these salaries — it complements a security or platform background.
Source: levels.fyi 2025–2026 (security / cloud security roles), U.S. BLS OEWS May 2024 (15-1212 information security analysts), (ISC)² Cybersecurity Workforce Study 2024. Figures are approximate; actual compensation depends on role, region, and experience.
Cloud-native security is one of the persistent talent gaps highlighted in the (ISC)² Cybersecurity Workforce Study, and Kubernetes-specific security skills are scarcer still. KCSA functions as a screening signal for DevSecOps and cloud-security pipelines — it tells recruiters that a candidate can talk credibly about RBAC, network policies, image signing, and the CNCF threat model without yet operating hardened clusters. The credential carries less weight than CKS in senior pipelines, but it is increasingly used as a baseline filter for security-adjacent platform roles. For candidates pursuing the Kubestronaut bundle, KCSA is a meaningful intermediate step that materially de-risks the CKS attempt.
There are no formal prerequisites for KCSA, but CNCF strongly recommends prior KCNA-level Kubernetes literacy. Candidates without any Kubernetes background should sit KCNA first — KCSA assumes you already know what a pod, service, and namespace are, and it builds security context on top of that scaffolding.
The sensible CNCF security progression is KCNA → KCSA → CKA → CKS. KCSA does not satisfy any formal prerequisite for CKS (CKS requires an active CKA), but it is the cleanest way to absorb the conceptual material — threat modeling, the 4Cs, supply-chain security — that CKS then tests under hands-on time pressure. Candidates with strong general security backgrounds (CISSP, OSCP) and Kubernetes operational experience can reasonably skip KCSA and go straight to CKS, but most engineers benefit from the intermediate step.
KCSA is rated foundational and sits squarely between KCNA and the hands-on CKS in difficulty. Expect 30–60 hours of study over 4–6 weeks if you have KCNA-level Kubernetes literacy but limited security background; 15–30 hours if you have both. The exam is 60 multiple-choice questions in 90 minutes, online-only via PSI Bridge, with one free retake bundled. Pass mark is 750 / 1000.
The most common stumbling block is breadth across security frameworks — candidates who know Kubernetes but not CIS Benchmarks, NIST SP 800-190, or MITRE ATT&CK for Containers can lose points on the threat-model and compliance domains. Sigstore / cosign and admission controllers (OPA Gatekeeper, Kyverno) are also frequent gaps. Time management is rarely an issue at 90 seconds per question.
General availability. Current version as of April 2026; 2024 curriculum refresh expanded supply-chain security (Sigstore, SBOMs) and added MITRE ATT&CK for Containers coverage. Validity is 2 years.
KCSA (CNCF Kubernetes and Cloud Native Security Associate) is considered an entry-level, foundational exam that tests breadth of conceptual understanding rather than hands-on depth. Most candidates need 30 to 60 hours of study spread over 4 to 6 weeks, in line with the estimate above. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.