KCSA Curriculum

Kubernetes and Cloud Native Security Associate - Entry-level certification for cloud native security fundamentals

About KCSA

The KCSA is a multiple-choice exam (not hands-on) that validates foundational knowledge of Kubernetes security and cloud native security concepts. It bridges the gap between general Kubernetes knowledge (KCNA/CKA) and specialist security skills (CKS).

Aspect	Details
Format	Multiple choice
Duration	90 minutes
Questions	~60 questions
Passing Score	75%
Validity	3 years
Prerequisites	None (CKA knowledge helpful)

Curriculum Structure

Part	Topic	Weight	Modules
Part 0	Introduction	-	2
Part 1	Overview of Cloud Native Security	14%	3
Part 2	Kubernetes Cluster Component Security	22%	4
Part 3	Kubernetes Security Fundamentals	22%	5
Part 4	Kubernetes Threat Model	16%	4
Part 5	Platform Security	16%	4
Part 6	Compliance and Security Frameworks	10%	3
Total		100%	25

Module Overview

Part 0: Introduction (2 modules)

0.1 KCSA Overview - Exam format and domains
0.2 Security Mindset - Thinking like a security professional

Part 1: Overview of Cloud Native Security - 14% (3 modules)

1.1 The 4 Cs of Cloud Native Security - Cloud, Cluster, Container, Code
1.2 Cloud Provider Security - Shared responsibility model
1.3 Security Principles - Defense in depth, least privilege

Part 2: Kubernetes Cluster Component Security - 22% (4 modules)

2.1 Control Plane Security - API server, etcd, scheduler
2.2 Node Security - kubelet, container runtime
2.3 Network Security - CNI, service mesh basics
2.4 PKI and Certificates - Certificate management

Part 3: Kubernetes Security Fundamentals - 22% (5 modules)

3.1 Pod Security - SecurityContext, Pod Security Standards
3.2 RBAC Fundamentals - Roles, bindings, best practices
3.3 Secrets Management - Secret types and handling
3.4 ServiceAccount Security - Identity and tokens
3.5 Network Policies - Traffic control

Part 4: Kubernetes Threat Model - 16% (4 modules)

4.1 Attack Surfaces - Where vulnerabilities exist
4.2 Common Vulnerabilities - CVEs and misconfigurations
4.3 Container Escape - Breakout scenarios
4.4 Supply Chain Threats - Image and dependency risks

Part 5: Platform Security - 16% (4 modules)

5.1 Image Security - Scanning and signing
5.2 Observability - Security monitoring
5.3 Runtime Security - Detection and response
5.4 Security Tooling - Tools ecosystem

Part 6: Compliance and Security Frameworks - 10% (3 modules)

6.1 Compliance Frameworks - PCI-DSS, HIPAA, SOC 2
6.2 CIS Benchmarks - Kubernetes CIS benchmark
6.3 Security Assessments - Audits and testing

How to Use This Curriculum

Follow the order - Modules build on security concepts progressively
Think “defense in depth” - Layer security at every level
Understand threats first - Know what you’re defending against
Take quizzes - Each module has quiz questions
Connect to CKS - This prepares you for hands-on security skills

KCSA vs Other Certifications

Aspect	KCSA	KCNA	CKS
Focus	Security concepts	General K8s concepts	Security implementation
Format	Multiple choice	Multiple choice	Hands-on
Difficulty	Associate	Associate	Specialist
Prerequisites	None	None	Active CKA

Key Study Tips

Master the 4 Cs - Cloud, Cluster, Container, Code frame everything
Think like an attacker - Understand threats to defend against them
Know security principles - Defense in depth, least privilege, zero trust
Understand components - Know what each K8s component does and its risks
Focus on Part 2 & 3 - They’re 44% of the exam combined

Relationship to CKS

KCSA is the conceptual foundation for CKS:

KCSA (Concepts)          CKS (Implementation)
──────────────           ────────────────────
"What is RBAC?"     →    "Configure RBAC for service X"
"Why use PSS?"      →    "Apply restricted PSS to namespace"
"What is Falco?"    →    "Write Falco rules for detection"

If you pass KCSA and CKA, you’re well-prepared to tackle CKS.

Start Learning

Begin with Part 0: Introduction to understand the exam format and security mindset, then proceed through each part in order.

Good luck on your KCSA journey!