Kubescape Quiz
Test your understanding of Kubescape security posture management with the following questions.
Questions
1. What is Kubescape's project status in the CNCF?
- A) Graduated project
- B) Incubating project
- C) Sandbox project
- D) Not a CNCF project
Show Answer
Answer: C) Sandbox project
Explanation: Kubescape was accepted as a CNCF Sandbox project in 2022. It was originally developed by ARMO and donated to the CNCF. As a Sandbox project, it is an early-stage project that the CNCF believes has potential for growth.
2. Which security frameworks does Kubescape support for compliance scanning?
- A) NSA-CISA only
- B) CIS Benchmarks only
- C) NSA-CISA, CIS Benchmarks, and MITRE ATT&CK
- D) OWASP and PCI-DSS only
Show Answer
Answer: C) NSA-CISA, CIS Benchmarks, and MITRE ATT&CK
Explanation: Kubescape supports multiple security frameworks:
# Scan with NSA-CISA framework
kubescape scan framework nsa
# Scan with CIS Kubernetes Benchmark
kubescape scan framework cis-v1.23-t1.0.1
# Scan with MITRE ATT&CK
kubescape scan framework mitre- NSA-CISA: Kubernetes Hardening Guide from US government agencies
- CIS: Center for Internet Security Kubernetes Benchmarks
- MITRE ATT&CK: Threat-based security framework mapping attack techniques
3. What is the correct CLI syntax to scan a Kubernetes cluster with Kubescape?
- A) kubescape check cluster
- B) kubescape scan
- C) kubescape audit cluster
- D) kubescape analyze
Show Answer
Answer: B) kubescape scan
Explanation: Kubescape CLI scan commands:
# Scan current cluster
kubescape scan
# Scan specific namespace
kubescape scan --include-namespaces production
# Scan YAML files before deployment
kubescape scan *.yaml
# Scan with specific framework
kubescape scan framework nsa
# Scan specific control
kubescape scan control C-0034The scan subcommand is the primary interface for all scanning operations.
4. What is the key difference between Kubescape Operator and CLI modes?
- A) Operator mode only scans nodes
- B) CLI mode provides continuous monitoring, Operator is one-time
- C) Operator provides continuous monitoring with in-cluster components, CLI is one-time scans
- D) There is no difference
Show Answer
Answer: C) Operator provides continuous monitoring with in-cluster components, CLI is one-time scans
Explanation: Kubescape deployment modes:
CLI Mode:
# One-time scan from local machine
kubescape scan- Ad-hoc scanning
- CI/CD integration
- Local development
Operator Mode:
# Install in-cluster operator
helm repo add kubescape https://kubescape.github.io/helm-charts
helm install kubescape kubescape/kubescape-operator- Continuous monitoring
- Scheduled scans
- In-cluster vulnerability scanning
- Integration with ARMO platform for visualization
5. How does Kubescape calculate risk scores for controls?
- A) Binary pass/fail only
- B) Based on severity multiplied by affected resources count
- C) Random assignment
- D) Based on namespace priority
Show Answer
Answer: B) Based on severity multiplied by affected resources count
Explanation: Kubescape risk scoring:
Risk Score = Severity Score x (Failed Resources / Total Resources)Example output:
┌──────────────────────────────────────────────────┬────────────────┬───────┐
│ Control Name │ Failed Resources│ Score │
├──────────────────────────────────────────────────┼────────────────┼───────┤
│ Privileged container │ 3/50 │ 18% │
│ Resource limits │ 25/50 │ 35% │
│ Non-root containers │ 10/50 │ 42% │
└──────────────────────────────────────────────────┴────────────────┴───────┘Higher scores indicate greater risk requiring immediate attention.
6. Which flag enforces a compliance threshold in CI/CD pipelines?
- A) --min-score
- B) --compliance-threshold
- C) --fail-threshold
- D) --severity-threshold
Show Answer
Answer: B) --compliance-threshold
Explanation: Using Kubescape in CI/CD pipelines:
# Fail pipeline if compliance drops below 80%
kubescape scan --compliance-threshold 80
# Example GitLab CI
kubescape-scan:
script:
- kubescape scan framework nsa --compliance-threshold 75
- kubescape scan framework cis --compliance-threshold 80The threshold is a percentage (0-100). The scan fails (non-zero exit) if the overall compliance score falls below the threshold.
# Exit codes
# 0: Passed threshold
# 1: Failed threshold
# 2: Error during scan7. How does Kubescape differ from kube-bench?
- A) kube-bench only scans applications, Kubescape scans infrastructure
- B) Kubescape scans workload configurations, kube-bench focuses on node-level CIS benchmarks
- C) They are identical tools
- D) kube-bench is for cloud providers only
Show Answer
Answer: B) Kubescape scans workload configurations, kube-bench focuses on node-level CIS benchmarks
Explanation: Kubescape vs kube-bench comparison:
| Feature | Kubescape | kube-bench |
|---|---|---|
| Focus | Workload/config security | Node/control plane security |
| Scope | Deployments, Pods, RBAC | kubelet, API server, etcd |
| Frameworks | NSA, CIS, MITRE | CIS Benchmarks only |
| Run Location | Outside cluster (CLI) or in-cluster | Must run on each node |
| Image Scanning | Yes (with Grype) | No |
| RBAC Analysis | Yes | No |
Use both together for comprehensive security:
- kube-bench: Cluster infrastructure hardening
- Kubescape: Workload and configuration security
8. What feature does Kubescape provide for RBAC security analysis?
- A) RBAC policy generation
- B) RBAC visualization showing permissions and risks
- C) Automatic RBAC remediation
- D) RBAC migration tools
Show Answer
Answer: B) RBAC visualization showing permissions and risks
Explanation: Kubescape RBAC analysis capabilities:
# Scan RBAC configurations
kubescape scan control C-0035 # Cluster-admin binding
kubescape scan control C-0036 # Wildcard permissions
kubescape scan control C-0039 # Risky service accountsRBAC visualization features:
- Maps ServiceAccounts to Roles/ClusterRoles
- Identifies overly permissive bindings
- Highlights dangerous permissions (secrets access, pod exec)
- Shows attack paths through RBAC
Example finding:
ServiceAccount 'default' in namespace 'production' has:
- Cluster-admin binding (CRITICAL)
- Secrets list/get permissions (HIGH)
- Pod exec permissions (HIGH)9. Which vulnerability scanner does Kubescape integrate with for image scanning?
- A) Trivy
- B) Clair
- C) Grype
- D) Anchore
Show Answer
Answer: C) Grype
Explanation: Kubescape integrates with Grype (by Anchore) for container image vulnerability scanning:
# Enable image scanning
kubescape scan --enable-host-scan
# Operator mode includes automatic image scanning
helm install kubescape kubescape/kubescape-operator \
--set capabilities.vulnerabilityScan=enableGrype integration provides:
- CVE detection in container images
- SBOM (Software Bill of Materials) generation
- Severity-based prioritization
- Integration with security findings
The results combine configuration issues with vulnerability data for comprehensive risk assessment.
10. How does Kubescape handle control exceptions?
- A) Exceptions are not supported
- B) Using exception YAML files that specify controls and resources to exclude
- C) Through command-line flags only
- D) By modifying source code
Show Answer
Answer: B) Using exception YAML files that specify controls and resources to exclude
Explanation: Kubescape supports exceptions via configuration files:
# exceptions.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: kubescape-exceptions
data:
exceptions: |
- name: "Allow privileged kube-system pods"
policyType: postureExceptionPolicy
actions:
- alertOnly
resources:
- designatorType: Attributes
attributes:
namespace: kube-system
posturePolicies:
- controlID: C-0057 # Privileged containerApply exceptions:
kubescape scan --exceptions exceptions.yamlThis allows:
- Suppressing known false positives
- Accepting risk for specific resources
- Maintaining clean scan reports
Score Calculation
- 9-10 correct: Excellent - You have a deep understanding of Kubescape.
- 7-8 correct: Good - You have a solid grasp of the key concepts.
- 5-6 correct: Fair - There are areas that need additional study.
- 4 or fewer: Please review the documentation again.