Practice CKA Services and Networking questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. Which of the following service types exposes a service on a static port on each node's IP address?
2. You run 'kubectl get svc my-service -o yaml' and see 'type: ClusterIP'. The service has no endpoints. What is the most likely cause?
3. An administrator runs 'kubectl run nginx --image=nginx --port=80' and then 'kubectl expose pod nginx --port=80 --type=NodePort'. Later, they run 'kubectl get svc nginx' and see that the NodePort is set to 0. What is the most likely reason?
4. You have a Service named 'my-service' in namespace 'ns1'. Another pod in namespace 'ns2' needs to resolve 'my-service' using DNS. What FQDN should the pod use?
5. An Ingress resource is created with the following spec:
   ```yaml
   spec:
     rules:
     - host: example.com
       http:
         paths:
         - path: /api
           pathType: Prefix
           backend:
             service:
               name: api-service
               port:
                 number: 80
   ```
   The backend service 'api-service' is in the same namespace as the Ingress. What must be true for the Ingress to route traffic to the service?
6. A cluster has a NetworkPolicy that denies all ingress traffic by default. An administrator wants to allow TCP traffic on port 8080 from pods with label 'app: web' in the same namespace. Which NetworkPolicy egress rule is needed?
7. What is the default DNS name for a service named 'my-svc' in namespace 'default'?
8. A developer runs 'kubectl port-forward service/my-service 8080:80'. What does this command do?
9. A pod cannot resolve a service DNS name. The cluster uses CoreDNS. Which of the following is the most likely cause if the pod's /etc/resolv.conf contains 'nameserver 10.96.0.10' and the CoreDNS pod is running?
10. Which of the following commands can be used to check the endpoints of a service named 'my-service'?
11. What is the default kube-proxy mode in Kubernetes v1.29?
12. You have a headless service named 'my-headless' with clusterIP: None. A pod in the same namespace queries the DNS name 'my-headless'. What will the DNS response contain?
13. Which TWO of the following are valid ways to expose a Deployment named 'web' as a service?
14. Which THREE of the following are requirements for an Ingress resource to work?
15. Which TWO of the following statements about NetworkPolicy are true?
16. Which kubectl command creates a service of type NodePort that exposes a deployment named 'web' on port 80?
17. A developer runs 'kubectl run nginx --image=nginx --expose --port=80'. What Kubernetes resources are created?
18. You have a NetworkPolicy that selects pods with label 'role: db' in the 'default' namespace. The policy has no ingress rules defined. What is the effect on traffic to the selected pods?
19. An ingress resource is defined with the following snippet:
    ```yaml
    spec:
      tls:
      - hosts:
        - app.example.com
        secretName: app-tls
      rules:
      - host: app.example.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80
    ```
    The secret 'app-tls' exists and contains a valid certificate. However, accessing https://app.example.com returns a certificate warning in the browser. What is the most likely cause?
20. Which of the following is a valid ClusterIP service definition that exposes port 80 and targets container port 8080?
21. A pod 'my-pod' in the 'default' namespace cannot resolve the service 'db-service' in the 'production' namespace. Which DNS name should be used to reach the service from 'my-pod'?
22. You apply the following NetworkPolicy:
    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-all
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
      - Egress
    ```
    What is the result?
23. Which kube-proxy mode uses IP Virtual Server (IPVS) for load balancing and supports more algorithms than the default mode?
24. You need to temporarily access a pod's HTTP endpoint on port 8080 from your local machine on port 8080. Which kubectl command should you use?
25. An Ingress resource uses 'networking.k8s.io/v1' API. Which field specifies the hostname and path rules for routing traffic?
26. You have three pods selected by a service. One pod is in 'CrashLoopBackOff' state. How does the service's endpoints behave?
27. Which annotation is commonly used with the ExternalDNS project to manage DNS records for a Kubernetes service?
28. Which TWO statements about Headless services are correct? (Select TWO)
29. Which THREE components are part of the Gateway API resource model? (Select THREE)
30. Which TWO network plugins (CNI) are commonly used in Kubernetes clusters? (Select TWO)
31. Which of the following Service types exposes a Service on a static port on each node's IP address?
32. You want to debug a Service that is not reachable. Which kubectl command can you use to forward a local port to a pod in the Service?
33. A NetworkPolicy named 'deny-all' has only a podSelector matching all pods and no rules. What is the effect?
34. You create a Deployment with 3 replicas and a ClusterIP Service. You notice that some pods are not receiving traffic. What is the most likely cause?
35. You want to expose an application running in the cluster on a public IP address. Which Service type should you use?
36. You run `kubectl get endpoints my-service` and see no endpoints listed. The Service's selector matches labels on pods that are running. What is the most likely cause?
37. You have an Ingress resource with the following spec:
    ```yaml
    spec:
      rules:
      - host: example.com
        http:
          paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80
    ```
    A client sends a request to http://example.com/api/v1/users. Which path is matched?
38. You want to configure NetworkPolicy to allow ingress traffic only from pods with label 'role: frontend' in the same namespace. Which podSelector should be in the ingress rule?
39. What is the default DNS name for a Service named 'my-svc' in namespace 'my-ns'?
40. You update a NetworkPolicy to add an egress rule. After applying, pods affected by the policy can no longer reach external IPs. What is the most likely reason?
41. A developer asks you to create a Service that resolves to an external database at 'db.example.com'. Which Service type should you use?
42. You have a Service with endpoints for pods in different zones. You want kube-proxy to use a mode that provides better performance for large clusters and supports scheduling algorithms like least-connection. Which mode should you use?
43. Which TWO of the following are valid ways to expose a Service externally? (Select TWO.)
44. Which THREE of the following are true about NetworkPolicy? (Select THREE.)
45. Which TWO of the following are components of the Ingress API? (Select TWO.)
46. Which of the following Service types exposes a Service on a static port on each node's IP?
47. A developer runs `kubectl run nginx --image=nginx --port=80` and then `kubectl expose pod nginx --port=80 --target-port=80 --type=NodePort`. What is the name of the created Service?
48. A NetworkPolicy named 'deny-all' is created with an empty podSelector and no rules. What does this policy accomplish?
49. Which of the following is the default DNS name for a Service named 'my-svc' in namespace 'my-ns'?
50. What is the purpose of a headless Service (clusterIP: None)?
51. An administrator runs `kubectl port-forward service/my-svc 8080:80`. What does this command do?
52. Which of the following CNI plugins typically uses BGP to distribute routing information across nodes?
53. What is the default kube-proxy mode in modern Kubernetes clusters?
54. Which resource type is used to configure HTTP/HTTPS routing to Services?
55. A pod cannot resolve a Service name 'my-svc' in the same namespace. The DNS pod is running. What is a likely cause?
56. Which of the following is true about IngressClass resources?
57. A NetworkPolicy allows ingress from pods with label 'role: frontend'. Which field is used to select those pods?
58. Which two statements are true about EndpointSlices? (Choose two.)
59. Which three components are part of the Gateway API? (Choose three.)
60. Which two of the following are valid service discovery methods in Kubernetes? (Choose two.)
61. Which of the following Service types does NOT assign a ClusterIP to the Service?
62. You run `kubectl expose deployment web --port=80 --target-port=8080 --type=NodePort` and the Service is created. What is the effect of this command?
63. A NetworkPolicy named 'deny-all' is applied to a namespace with podSelector: {}. The policy has no ingress rules. What is the effect?
64. What is the DNS name for a Service named 'api' in the 'default' namespace?
65. You want to temporarily access a pod's HTTP endpoint on port 8080 from your local machine on port 9090. Which command should you use?
66. Which Ingress resource field is used to specify the hostname for which traffic should be routed?
67. You have a kube-proxy running in ipvs mode. Which of the following is true about IPVS?
68. You deploy a pod named 'app' that listens on port 3000. You create a Service named 'app-svc' with selector 'app: app'. From another pod in the same namespace, which command will successfully reach the service?
69. Which DNS record type does Kubernetes use to resolve a Service's ClusterIP?
70. After creating a NetworkPolicy that selects pods with label 'role: db' and allows ingress on TCP port 3306 from pods with label 'role: api', you notice that pods with label 'role: db' are still reachable on port 3306 from pods without 'role: api' label. What is the most likely cause?
71. You are designing an Ingress to expose multiple services on the same hostname based on path. Which Ingress specification is valid?
72. Which component is responsible for implementing the NetworkPolicy rules?
73. Which TWO of the following are valid ways to expose a Service externally in a Kubernetes cluster running on-premises (no cloud provider)?
74. Which THREE of the following statements about Kubernetes DNS are correct?
75. Which TWO of the following are valid IngressClass annotations or fields?
76. You create a ClusterIP service named 'my-svc' in the 'default' namespace. A pod in the same namespace tries to reach the service using the DNS name 'my-svc'. Which fully qualified domain name (FQDN) should the pod use to resolve the service?
77. Which kubectl command will expose a deployment named 'web-app' as a NodePort service on port 80?
78. A developer runs 'kubectl port-forward service/my-svc 8080:80' and reports that connections to localhost:8080 fail. The service is a ClusterIP service that selects pods with label 'app: my-app'. What is the most likely cause?
79. Which NetworkPolicy rule will allow ingress traffic from pods with label 'role: frontend' in the same namespace?
80. You have a service 'my-svc' of type ClusterIP with no selector defined. You manually create an Endpoints object with the same name. Which statement is true?
81. Which of the following is a correct Ingress resource snippet that routes traffic to service 'web-svc' on port 80 for the host 'example.com'?
82. You apply the following NetworkPolicy to namespace 'ns1':
    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-ingress
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
      ingress: []
    ```
    What effect does this policy have?
83. A pod is unable to resolve DNS names of services in other namespaces. Which DNS configuration is most likely missing?
84. Which kube-proxy mode uses iptables rules to handle service traffic?
85. You need to expose a service named 'my-svc' on a static port 30080 on every node. Which service type should you use?
86. You have a Deployment with 3 replicas. You create a headless service (clusterIP: None) with a label selector. Which of the following is true about DNS resolution for this service?
87. Which of the following is a valid CNI plugin for Kubernetes networking?
88. Which two of the following are valid methods for service discovery in Kubernetes?
89. Which three of the following are true about IngressClass?
90. Which two of the following are correct statements about EndpointSlices?
91. Which Kubernetes Service type exposes the Service on a static port on each Node's IP address, allowing external access without a LoadBalancer?
92. An administrator creates a Service of type ClusterIP named 'my-svc' in the namespace 'default'. A pod in the same namespace tries to resolve the hostname 'my-svc' but fails. The pod's resolv.conf shows 'search default.svc.cluster.local svc.cluster.local cluster.local'. What is the most likely cause?
93. A cluster administrator applies the following NetworkPolicy. What is the effect on pods matching the podSelector?
94. Which command forwards local port 8080 to port 80 of a pod named 'web-pod'?
95. A cluster has kube-proxy running in ipvs mode. An administrator creates a Service of type ClusterIP. Which of the following is true about how traffic is forwarded to the pods?
96. An Ingress resource is defined with the following spec snippet. What is the minimal requirement for this Ingress to work correctly?
97. Which kubectl command correctly retrieves the list of EndpointSlices for a Service named 'my-svc' in the 'default' namespace?
98. Which DNS record does CoreDNS create for a headless Service named 'headless-svc' in the namespace 'default'?
99. A NetworkPolicy allows ingress traffic from pods with label 'app: frontend' in any namespace. Which selector is used?
100. An administrator wants to expose an application running in a pod on port 3000 using a Service of type LoadBalancer. Which command creates the Service?
101. Which of the following is a valid use case for a Headless Service?
102. A pod is unable to communicate with a Service in the same namespace. The administrator checks kube-proxy logs and finds no errors. Which command would help diagnose whether the iptables rules for the Service are correctly programmed?
103. Which TWO statements are true about Ingress in Kubernetes?
104. Which THREE components are required for a pod to resolve a Service DNS name?
105. Which TWO of the following are valid ways to isolate a set of pods from all ingress traffic except from monitoring pods?
106. Which Service type exposes a Service externally via a cloud provider's load balancer?
107. An admin runs `kubectl run nginx --image=nginx --restart=Never` and then runs `kubectl expose pod nginx --port=80 --target-port=80`. Another pod in the same namespace tries to curl http://nginx:80 but gets connection refused. What is the most likely cause?
108. Which annotation is commonly used with ExternalDNS to specify the DNS hostname for a Service?
109. A NetworkPolicy with podSelector: {} and policyTypes: [Ingress] is applied to a namespace. What is the effect on pods in that namespace?
110. Which kube-proxy mode supports connection-based load balancing using Linux IPVS?
111. You create a Service with clusterIP: None. What is this called and what is its purpose?
112. An Ingress resource defines a TLS section with hosts: ["example.com"] and secretName: tls-secret. What must be true for TLS to work correctly?
113. What is the default DNS name for a Service named 'my-service' in namespace 'my-ns'?
114. A cluster uses Flannel as the CNI plugin. Which of the following best describes Flannel's networking model?
115. You run `kubectl port-forward service/my-svc 8080:80`. What does this command do?
116. You want to allow ingress traffic from pods with label 'app: frontend' in namespace 'web' to pods with label 'app: backend' in namespace 'api'. Which NetworkPolicy matches this requirement?
117. Which of the following is a core component of the Gateway API?
118. Which two of the following are valid methods for exposing a Service externally in Kubernetes? (Select TWO.)
119. Which three of the following are features of EndpointSlices compared to Endpoints? (Select THREE.)
120. Which two of the following are valid Ingress path types in networking.k8s.io/v1? (Select TWO.)
121. You create a Service of type LoadBalancer in a Kubernetes cluster that does not have an external load balancer provider (e.g., bare-metal). What will be the state of the EXTERNAL-IP field when you run 'kubectl get svc'?
122. Which command creates a temporary pod and forwards port 8080 from your local machine to port 80 of an existing pod named 'web-pod'?
123. You have a NetworkPolicy that selects pods with label 'app: db'. The policy has an ingress rule allowing traffic from pods with label 'app: frontend'. A pod with label 'app: frontend' is in a different namespace. No namespaceSelector is specified in the ingress rule. Will traffic from that pod be allowed?
124. You run 'kubectl run nginx --image=nginx --expose --port=80'. What resources are created?
125. Which Service type exposes a Service on each Node's IP at a static port in the range 30000-32767?
126. In a Kubernetes cluster using CoreDNS, what is the DNS name for a Service named 'api' in namespace 'backend'?
127. You have an Ingress resource with a TLS section specifying a secret named 'tls-secret'. The certificate in 'tls-secret' is expired. What happens when a client connects via HTTPS to the Ingress host?
128. Which kube-proxy mode uses iptables rules to handle service traffic and is the default in many distributions?
129. What is the purpose of a Headless Service (clusterIP: None)?
130. A NetworkPolicy named 'default-deny-ingress' is applied to all pods in a namespace. The policy has no rules. An administrator then creates a new NetworkPolicy that allows ingress traffic to pods with label 'app: web' from any source using a podSelector with '{}'. Will traffic be allowed to pods labeled 'app: web'?
131. You want to expose a Deployment named 'web' on port 80 internally within the cluster. Which command creates a ClusterIP Service?
132. Which resource is used to configure TLS termination and path-based routing for HTTP(S) traffic into a cluster?
133. Which TWO statements about EndpointSlices are true? (Choose 2)
134. Which THREE are correct ways to configure a default deny all ingress traffic NetworkPolicy? (Choose 3)
135. Which TWO commands can be used to test DNS resolution for a Service named 'my-svc' in namespace 'default' from within a temporary pod? (Choose 2)
136. You need to create a Service that exposes port 80 on each node's IP at a static port (30080). Which Service type should you use?
137. A developer reports that a pod can resolve 'my-service.my-namespace.svc.cluster.local' but not 'my-service'. Both the pod and the Service are in the same namespace. What is the most likely cause?
138. You run: kubectl expose deployment web --port=80 --target-port=8080 --type=LoadBalancer --name=web-svc. What is the effect of this command?
139. You are implementing NetworkPolicies. You have a namespace 'db' with a pod running PostgreSQL. You want to allow only pods with label 'role: frontend' in namespace 'app' to connect to PostgreSQL on TCP port 5432. What is the correct Ingress rule?
140. You need to expose multiple HTTP services on a single IP address with path-based routing. Which resource should you use?
141. Which of the following is the default DNS name for a Service named 'api' in namespace 'production'?
142. You create a Deployment with replicas=3 and a Service of type ClusterIP. You notice that traffic to the Service is not evenly distributed. What is the most likely cause?
143. You want to forward local port 8080 to port 80 of a pod named 'nginx-pod'. Which command should you use?
144. You have a NetworkPolicy that denies all ingress traffic by default, and you want to allow traffic only from pods with label 'app: monitoring' in the same namespace. What should the policy spec look like?
145. Which of the following is NOT a valid Service type in Kubernetes?
146. You need to expose a Service externally using an Ingress. The Ingress controller requires a specific IngressClass. How do you specify the IngressClass in the Ingress resource?
147. You have a Service 'my-svc' with ClusterIP None (headless). You create a StatefulSet with 3 replicas and a headless Service. How do you reach individual pods?
148. Which TWO of the following are valid CNI plugins used in Kubernetes? (Select 2)
149. Which THREE of the following are true about NetworkPolicy in Kubernetes? (Select 3)
150. Which TWO of the following are valid modes for kube-proxy? (Select 2)
151. You need to expose a Deployment named 'web' on port 80 inside the cluster. Which kubectl command creates a ClusterIP service?
152. A ClusterIP service named 'svc' in namespace 'default' is not reachable from a pod in the same namespace. The service selector matches the pod's labels. Which command should you run first to verify the endpoint list?
153. You apply the following NetworkPolicy:
     ```yaml
     apiVersion: networking.k8s.io/v1
     kind: NetworkPolicy
     metadata:
       name: deny-all
     spec:
       podSelector: {}
       policyTypes:
       - Ingress
     ```
     What effect does this policy have?
154. You have an Ingress resource with TLS configured. You verify that the TLS secret exists in the same namespace. However, accessing the service via HTTPS returns a certificate error. What is the most likely cause?
155. Which Service type is used to expose a service externally with a cloud provider's load balancer?
156. A pod in namespace 'ns1' cannot resolve the DNS name 'svc.ns2.svc.cluster.local'. What is the most likely cause?
157. You have a NodePort service. Which kube-proxy mode allows for better performance and more sophisticated load balancing algorithms like 'least connection'?
158. Which TWO statements about Ingress in Kubernetes are correct?
159. Which TWO statements about Headless Services are correct?
160. Which TWO statements about NetworkPolicy are correct?
161. Which THREE of the following are valid methods for service discovery in Kubernetes?
162. Which THREE components are part of the Gateway API?
163. Which TWO statements about EndpointSlices are correct?
164. Which THREE of the following are CNI plugins?
165. Which TWO of the following are valid kube-proxy modes?
166. A Kubernetes cluster has a Service of type ClusterIP named 'my-svc' in the 'default' namespace. You deploy a pod and want it to resolve the service's cluster IP using DNS. What FQDN should the pod use?
167. An administrator creates a NetworkPolicy in namespace 'app' with the following YAML. Which statement is true about the policy?
     ```yaml
     apiVersion: networking.k8s.io/v1
     kind: NetworkPolicy
     metadata:
       name: deny-all
     spec:
       podSelector: {}
       policyTypes:
       - Ingress
     ```
168. You are troubleshooting a Service connectivity issue. A pod in namespace 'frontend' cannot reach a Service in namespace 'backend' by its DNS name. CoreDNS is running. Which statements are true? (Select TWO.)
169. Which of the following can be used to expose a set of pods externally to the internet in a Kubernetes cluster? (Select THREE.)
The Services and Networking domain covers the key concepts tested in this area of the CKA exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKA domains — no account required.
The Courseiva CKA question bank contains 169 questions in the Services and Networking domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Services and Networking domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.