Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCKADDomainsApplication Environment, Configuration and Security
CKADFree — No Signup

Application Environment, Configuration and Security

Practice CKAD Application Environment, Configuration and Security questions with full explanations on every answer.

233questions

Start practicing

Application Environment, Configuration and Security — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

CKAD Domains

Application Design and BuildApplication DeploymentApplication Environment, Configuration and SecurityApplication Observability and MaintenanceServices and Networking

Practice Application Environment, Configuration and Security questions

10Q20Q30Q50Q

All CKAD Application Environment, Configuration and Security questions (233)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A pod named 'web-app' is running but has no environment variables. The developer wants to inject a variable 'DB_URL=postgres://db:5432' from a ConfigMap named 'db-config'. Which pod spec snippet correctly achieves this?

2

A deployment runs a container that needs to read a file from a host path '/var/log/app' on the node. The file must be available to all pods on that node. Which volume type should be used?

3

A pod uses a service account 'my-sa' with a RoleBinding that grants get and list on pods in namespace 'app'. The pod runs a process that calls the Kubernetes API to list pods. However, the API call returns 403. What is the most likely cause?

4

A developer wants to restrict network traffic so that only pods with label 'app: frontend' can communicate with pods labeled 'app: backend' on port 8080. Which Kubernetes resource should be used?

5

A container runs as root (UID 0) but the security policy requires the container to run as non-root user 1000. Which pod security context setting should be added?

6

Which TWO of the following are valid ways to mount a Secret into a pod as environment variables? (Select exactly 2)

7

Which THREE of the following are valid fields in a PodSecurityPolicy (PSP) that control Linux capabilities? (Select exactly 3)

8

You are designing a Pod that runs a legacy application requiring a specific configuration file mounted at /etc/config/app.conf. The configuration is stored in a Kubernetes ConfigMap named 'app-config' with key 'config.yaml'. Which approach ensures the configuration is mounted correctly and the container automatically receives updates when the ConfigMap changes?

9

A developer creates a Secret named 'db-secret' with key 'password'. They want to expose the password as an environment variable DB_PASSWORD in a Pod. Which of the following is the correct way to achieve this?

10

Which TWO of the following are valid ways to inject configuration data into a Kubernetes Pod?

11

Refer to the exhibit. A Pod is defined with security contexts at both the container and Pod level. Which of the following statements accurately describes the effective security configuration?

12

You are a Kubernetes administrator responsible for a production cluster. A development team has deployed a Pod named 'app-pod' that runs a container with a PostgreSQL database. The team reports that the Pod is failing to start with an error: 'Error: container has runAsNonRoot and image will run as root (runtime error)'. The Pod YAML is as follows: ```yaml apiVersion: v1 kind: Pod metadata: name: app-pod spec: containers: - name: db image: postgres:latest securityContext: runAsNonRoot: true ``` The team wants to ensure the container runs securely without running as root. What is the BEST course of action?

13

Arrange the steps to create a ConfigMap from a file and mount it as a volume in a Pod.

14

Sequence the steps to scale a Deployment to 5 replicas and verify.

15

Match each Kubernetes concept to its definition.

16

Match each Kubernetes probe to its check behavior.

17

You need to create a ConfigMap named 'app-config' with key 'APP_COLOR' and value 'blue'. Which command creates this ConfigMap?

18

A pod is running with the following SecurityContext: securityContext: runAsUser: 1000 runAsGroup: 2000 fsGroup: 3000 What UID and GID does the process inside the container use?

19

You need to create a Pod that mounts a Secret named 'mysecret' as an environment variable 'SECRET_DATA'. The secret has a key 'password'. Which YAML snippet correctly achieves this?

20

Which of the following is the correct way to set a CPU request of 250 millicores and a memory limit of 512 Mi in a container?

21

A developer wants to ensure that a pod runs with a non-root user and cannot gain root privileges. Which SecurityContext settings should be used?

22

Which command creates a generic secret named 'db-secret' with key 'password' and value 'p@ss'?

23

A pod named 'test-pod' in namespace 'test' has a service account 'my-sa' attached. The service account has a RoleBinding to a Role that allows get/list pods. However, the pod cannot list pods. What is the most likely issue?

24

You want to enforce that all pods in a namespace have a minimum memory request of 100Mi and a maximum memory limit of 1Gi. Which resource should you create?

25

A cluster administrator wants to enforce that all pods in a namespace run with the 'restricted' Pod Security Standard. Which of the following is the correct way to label the namespace?

26

A pod needs to mount a ConfigMap as a volume so that when the ConfigMap is updated, the pod automatically gets the updates. Which volume type should be used?

27

Which command lists all the secrets in the current namespace?

28

A pod is running with a service account that has been granted a Role to get pods. The pod's code uses the Kubernetes API from within the container. However, the API call fails with a 403 Forbidden error. Which file should the pod read to obtain the authentication token?

29

Which TWO of the following are valid types of Secrets in Kubernetes?

30

Which THREE of the following are valid fields in a PodSecurityContext?

31

Which TWO of the following are valid ways to consume environment variables from a ConfigMap in a pod?

32

You need to create a ConfigMap named 'app-config' from a file 'config.properties'. Which kubectl command should you use?

33

Which of the following YAML fields can be used to mount a Secret as a volume in a Pod?

34

A developer wants to ensure a container runs as a non-root user with user ID 1000 and group ID 2000. Which SecurityContext fields should be set?

35

What is the primary purpose of a Kubernetes ServiceAccount?

36

A pod is stuck in Pending state. You run 'kubectl describe pod my-pod' and see the event: '0/4 nodes are available: 1 Insufficient cpu, 3 Insufficient memory'. What is the most likely cause?

37

You want to restrict a Pod to only run with a seccomp profile of 'RuntimeDefault'. Which SecurityContext field should you set?

38

Which of the following is a valid way to expose a Secret as an environment variable in a Pod?

39

You have a Secret of type 'kubernetes.io/tls' named 'tls-secret'. What keys are required in the Secret data?

40

A Pod in a namespace with a ResourceQuota that sets 'limits.cpu: 4' and 'limits.memory: 8Gi' is being created with the following container resources: requests: cpu: 2, memory: 4Gi; limits: cpu: 4, memory: 8Gi. The namespace also has a LimitRange with default limits of cpu: 500m, memory: 512Mi. Which statement is true about this resource configuration?

41

Which kubectl command creates a Secret named 'db-secret' with key 'password' and value 'mypwd'?

42

You need to grant a ServiceAccount named 'app-sa' in namespace 'default' read-only access to Pods in that namespace. Which RBAC resources should you create?

43

You create a Pod with a securityContext set to 'runAsNonRoot: true' and a container image that runs as root (user 0). What will happen when you create the Pod?

44

Which TWO of the following are valid ways to consume a ConfigMap in a Pod? (Select TWO)

45

Which THREE of the following are benefits of using a ResourceQuota in a namespace? (Select THREE)

46

You want to apply a Pod Security Admission (PSA) policy that enforces the 'restricted' profile in the 'dev' namespace, but only for Pods that are not exempt. Which TWO steps are required? (Select TWO)

47

Which kubectl command creates a ConfigMap named 'app-config' from a file named 'config.properties'?

48

A pod needs to run as a non-root user with UID 1000. Which SecurityContext field should be set?

49

A developer creates a Secret using the command: 'kubectl create secret generic db-secret --from-literal=password=myPass'. Which way to consume this Secret in a pod is CORRECT?

50

A cluster administrator wants to prevent all pods in a namespace from running with privileged escalation. Which Pod Security Admission standard enforces this?

51

A pod has a container with 'readOnlyRootFilesystem: true' in its securityContext. The container writes to /tmp. What is the expected outcome?

52

You create a ServiceAccount 'my-sa' with automountServiceAccountToken: false. A pod that references this ServiceAccount also sets automountServiceAccountToken: true in its spec. Will the service account token be mounted?

53

A user wants to create a Kubernetes Secret for storing Docker registry credentials (username and password). Which type of Secret should they use?

54

What is the purpose of a ResourceQuota in Kubernetes?

55

A developer runs 'kubectl create secret generic tls-secret --cert=cert.crt --key=key.pem'. What type of Secret is created?

56

A pod is configured with 'securityContext.seccompProfile.type: RuntimeDefault' but the container still attempts to use a syscall that is blocked by the default seccomp profile. What happens?

57

Which command correctly creates a Role named 'pod-reader' that allows get, list, and watch on pods?

58

A namespace 'dev' has a ResourceQuota that sets 'requests.cpu: 4' and 'limits.cpu: 8'. A pod is created with a container that has 'resources.requests.cpu: 1' and 'resources.limits.cpu: 3'. However, the pod remains in Pending state. The output of 'kubectl describe quota -n dev' shows 'used requests.cpu: 3.5' and 'used limits.cpu: 7'. What is the most likely reason the pod is pending?

59

Which TWO of the following are valid ways to consume a ConfigMap in a pod?

60

Which THREE of the following are capabilities that can be added to a container's securityContext?

61

Which TWO of the following are valid sources for creating a ConfigMap?

62

A developer wants to use a ConfigMap named 'app-config' to set environment variables for a pod. The ConfigMap has keys 'DEBUG' and 'DATABASE_URL'. Which annotation should be added to the pod spec to inject all keys from the ConfigMap as environment variables?

63

Which kubectl command correctly creates a ConfigMap from a file named 'app.properties'?

64

A pod is using a Secret to authenticate to a private registry. The Secret type must be 'kubernetes.io/dockerconfigjson'. Which of the following is the correct way to create such a Secret using kubectl?

65

A security requirement states that a container must run with a read-only root filesystem. Which field must be set in the container's securityContext?

66

A pod needs to run as a non-root user. Which securityContext field should be set to enforce this?

67

A developer creates a ServiceAccount 'my-sa' in namespace 'default'. They want to prevent pods from automatically mounting the ServiceAccount token. Which field should be set to false in the pod spec?

68

An administrator wants to grant a ServiceAccount 'app-sa' in namespace 'dev' read-only access to pods in the same namespace. Which YAML snippet correctly defines the required RBAC resources?

69

A pod is stuck in Pending state. You run 'kubectl describe pod mypod' and see the event: '0/3 nodes are available: 1 Insufficient memory, 2 Insufficient cpu'. The pod has resource requests defined. Which action would allow the pod to be scheduled?

70

Which of the following is a valid Pod Security Admission standard?

71

A namespace 'test' has a LimitRange that sets default memory request to 256Mi and default memory limit to 512Mi. A pod in that namespace does not specify any resources. What memory request and limit will the pod get?

72

A cluster administrator wants to enforce that no pod in namespace 'prod' uses more than 4Gi of memory. Which Kubernetes resource should be created?

73

A container needs to run with the NET_ADMIN capability. Which securityContext field should be used?

74

Which TWO of the following are valid ways to expose a Secret as an environment variable in a pod? (Select two.)

75

Which THREE of the following are valid fields in a SecurityContext at the container level? (Select three.)

76

Which TWO of the following are valid Kubernetes Secret types? (Select two.)

77

You have a ConfigMap named 'app-config' with key 'database.url'. Which environment variable definition correctly injects this value into a pod using a configMapKeyRef?

78

Which kubectl command creates a Secret from literal username and password values?

79

A pod's container needs to run as non-root user with UID 1000 and ensure its filesystem is read-only. Which SecurityContext settings achieve this?

80

You have a service account 'my-sa' in the default namespace. You want a pod to use this service account and also prevent the pod from mounting the service account token. Which pod spec configuration is correct?

81

A developer creates a Role and RoleBinding in the namespace 'development' to grant list pods permission to a service account. Which manifest snippet correctly defines the Role?

82

You apply a ResourceQuota to a namespace that limits memory requests to 2Gi. You then try to create a pod that requests 3Gi memory. What happens?

83

A pod must run with a seccomp profile that only allows specific syscalls. Which SecurityContext field is used to specify the seccomp profile type?

84

You need to create a TLS secret for an ingress with certificate and key. Which command correctly creates the secret?

85

A pod in the 'staging' namespace is in a CrashLoopBackOff state. You run 'kubectl logs pod -n staging' and see: 'Error: container has been OOMKilled'. The pod YAML has resources: requests: memory: 256Mi, limits: memory: 256Mi. Which change should you make first?

86

You have a pod that needs to mount a Secret as a volume. The Secret has keys 'username' and 'password'. How should the volumes and volumeMounts be configured to mount the secret at /etc/secret with each key as a file?

87

A PodSecurityPolicy (PSP) has been replaced by Pod Security Admission. Which of the following commands applies a baseline pod security standard to the namespace 'dev'?

88

You have a ConfigMap created from an env file. Which command creates the ConfigMap from the file 'app.env' containing key=value pairs?

89

Which TWO are valid ways to expose a Secret's data as environment variables in a pod?

90

Which THREE capabilities are commonly dropped in a pod's securityContext to adhere to restricted pod security standards?

91

Which TWO are true about LimitRange objects?

92

Which kubectl command creates a ConfigMap named 'app-config' with key 'color' and value 'blue'?

93

A pod uses a ServiceAccount 'my-sa' but the pod's container needs to list pods in the namespace. Which RBAC resources are necessary?

94

Given the following partial pod spec: ```yaml securityContext: runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 ``` Which combination correctly describes the resulting permissions on a mounted volume?

95

To prevent a container from running as root, which field should be set in the securityContext?

96

A pod uses a Secret 'db-secret' with keys 'username' and 'password'. Which environment variable definition correctly exposes the 'password' as an env var named 'DB_PASSWORD'?

97

A namespace 'team-a' has a ResourceQuota with 'pods: 10' and a LimitRange with default memory request '256Mi'. A user creates a pod with no resource requests. What happens?

98

Which command creates a TLS secret named 'tls-secret' using certificate file 'tls.crt' and key file 'tls.key'?

99

A pod's securityContext has 'allowPrivilegeEscalation: false' and 'capabilities: { drop: ["ALL"] }'. Which statement is true?

100

To mount a ConfigMap as a volume, which field type must be used in the pod spec's volumes and volumeMounts?

101

A Pod Security Admission policy is set to 'restricted' for a namespace. Which of the following pod specs is ALLOWED?

102

You need to set environment variables in a pod from a ConfigMap 'app-config' that has keys 'APP_ENV' and 'APP_DEBUG'. Which approach exposes all keys as environment variables?

103

A pod is in Pending state. 'kubectl describe pod' shows '0/1 nodes are available: 1 Insufficient cpu'. Which action would resolve this?

104

Which TWO statements about Kubernetes Secrets are correct? (Select 2)

105

Which THREE of the following are valid fields in a PodSecurityContext that affect container security? (Select 3)

106

Which TWO methods can be used to expose a Secret's data as environment variables inside a container? (Select 2)

107

A developer wants to inject database credentials into a pod as environment variables. The credentials are stored in a Kubernetes Secret named 'db-creds' with keys 'username' and 'password'. Which pod spec snippet correctly injects both values as environment variables?

108

An administrator needs to create a ConfigMap named 'app-config' from a file called 'config.properties'. Which kubectl command accomplishes this?

109

A pod fails to start with a 'CreateContainerConfigError'. Running 'kubectl describe pod my-pod' reveals: 'Error: container has runAsNonRoot and image will run as root'. The pod definition includes 'securityContext.runAsNonRoot: true'. What is the most likely cause?

110

A security requirement states: 'The container must drop all capabilities and add only NET_BIND_SERVICE'. Which YAML snippet correctly implements this in the securityContext?

111

A pod is running with the default service account. An administrator wants to prevent the pod from automatically mounting the service account token. Which field in the pod spec accomplishes this?

112

A ClusterRole named 'pod-reader' allows get, list, and watch on pods. A RoleBinding 'read-pods' in namespace 'default' binds this ClusterRole to user 'jane'. Which statement is true?

113

A namespace 'team-a' has a ResourceQuota that sets 'requests.cpu: 4' and 'limits.cpu: 8'. A developer tries to create a pod with 'resources.requests.cpu: 2' and 'resources.limits.cpu: 10'. What happens?

114

An administrator wants to enforce that all pods in namespace 'secured' must run with a seccomp profile set to 'RuntimeDefault' at the container level. Which Pod Security Admission policy standard achieves this?

115

Which kubectl command creates a Secret named 'tls-secret' from a TLS certificate file 'cert.pem' and private key file 'key.pem'?

116

A pod is in 'CrashLoopBackOff' state. 'kubectl logs pod' shows: 'Error: listen tcp :8080: bind: permission denied'. The container runs as user '1000'. Which securityContext setting is missing?

117

A ConfigMap named 'env-config' has keys 'DB_HOST' and 'DB_PORT'. A pod needs to set the environment variable 'DATABASE_HOST' to the value of 'DB_HOST' from the ConfigMap, and 'DB_PORT' directly as 'DB_PORT'. Which YAML snippet correctly achieves this?

118

A LimitRange in namespace 'limits' sets default memory request to 256Mi and default memory limit to 512Mi. A pod is created without specifying any resources. What are the pod's effective memory request and limit?

119

A developer needs to create a Kubernetes Secret for Docker registry authentication. The registry URL is 'myregistry.io', username 'user', password 'pass', email 'user@example.com'. Which command creates this Secret?

120

A pod uses a ServiceAccount 'my-sa' with a RoleBinding that grants get and list on pods. The pod makes an API call to list pods in its own namespace. Which RBAC resource is necessary?

121

A pod is running with 'securityContext: { runAsUser: 1000, fsGroup: 2000, runAsNonRoot: true }'. The container image has USER root set in Dockerfile. What happens when the pod is created?

122

Which two statements about ConfigMaps and Secrets are correct? (Select TWO.)

123

Which three security contexts can be set at the pod level (as opposed to container level)? (Select THREE.)

124

Which two commands can create a ConfigMap from an environment file? (Select TWO.)

125

Which kubectl command creates a ConfigMap named 'app-config' from a file 'config.properties'?

126

A pod needs to mount a Secret named 'db-secret' as a volume at /etc/secret. Which volume mount definition is correct?

127

A pod runs as user ID 1000. The container image includes a binary that expects to run as root. Which SecurityContext setting can allow the binary to run with root-like privileges while still running the container as non-root?

128

You create a Role named 'pod-reader' in the 'default' namespace with rules to get, list, and watch pods. A ServiceAccount 'app-sa' in the same namespace needs to be bound to this role. Which YAML snippet correctly creates the RoleBinding?

129

You want to restrict total memory usage in a namespace to 10 Gi. Which resource should you create?

130

A pod uses a ServiceAccount with automountServiceAccountToken set to false. The pod still needs to access the Kubernetes API. How can you mount the service account token in this pod?

131

You want to enforce that all pods in a namespace run with the 'restricted' Pod Security Standard (Pod Security Admission). Which label should you set on the namespace?

132

A pod's container has securityContext with runAsNonRoot: true but no runAsUser set. The container image has a user 'appuser' with UID 1001. Will the pod run successfully?

133

Which command creates an Opaque Secret named 'my-secret' with key 'password' and value 'p@ssw0rd'?

134

You deploy a pod with resource requests: cpu: 500m, memory: 256Mi and limits: cpu: 1, memory: 512Mi. The container tries to allocate 600Mi of memory. What happens?

135

A pod has securityContext with capabilities.add: ['NET_ADMIN'] and capabilities.drop: ['ALL']. What effective capabilities does the container have?

136

You want to set environment variable 'DB_URL' in a pod from the key 'url' in ConfigMap 'db-config'. Which YAML snippet is correct?

137

A pod is failing to start with error 'container has runAsNonRoot and image will run as root'. The container image runs as root. Which change allows the pod to run?

138

Which TWO of the following are valid ways to consume a ConfigMap in a pod? (Select 2)

139

Which THREE of the following are valid fields in a PodSecurityContext (pod-level securityContext)? (Select 3)

140

Which kubectl command creates a ConfigMap named 'app-config' from a file called 'config.properties'?

141

A Secret named 'db-secret' of type Opaque contains a key 'password'. How do you reference this key as an environment variable named 'DB_PASSWORD' in a pod spec?

142

A Pod spec includes 'securityContext' with 'runAsUser: 1000' and 'runAsGroup: 3000'. The container process inside the pod is expected to write to a mounted volume. Which securityContext field should be set to ensure the volume's group ownership is 3000?

143

You have created a ServiceAccount named 'my-sa' in namespace 'default'. You want a Pod to use this ServiceAccount. Which Pod spec field is correct?

144

A developer created a Role named 'pod-reader' in namespace 'ns1' that allows 'get', 'list', and 'watch' on pods. They created a RoleBinding binding this Role to a ServiceAccount 'sa1' in the same namespace. However, a pod using 'sa1' cannot list pods in namespace 'ns2'. What is the most likely cause?

145

A Pod is running in a namespace with a ResourceQuota that sets 'limits.memory: 2Gi'. The pod's container spec has 'resources.limits.memory: 1Gi' and 'resources.requests.memory: 512Mi'. The pod is in 'Running' state but consumes 1.5Gi of memory. What happens?

146

You need to create a Secret of type kubernetes.io/tls for use with an Ingress. Which kubectl command should you use?

147

A Pod is configured with securityContext: { runAsUser: 1000, runAsGroup: 2000, fsGroup: 3000 }. The container's image runs a process that must listen on a TCP port below 1024 (e.g., port 80). The process is currently failing to start. What should you modify to allow the process to bind to a privileged port?

148

A ClusterRole named 'secret-reader' grants get, list, watch on secrets in all namespaces. A RoleBinding in namespace 'app' binds this ClusterRole to a ServiceAccount 'app-sa'. Which of the following is true about the effective permissions of 'app-sa'?

149

Which of the following is the correct way to set an environment variable 'APP_COLOR' from a ConfigMap key 'color'?

150

You have a LimitRange in namespace 'ns' that sets default limits.cpu to 500m and default requests.cpu to 200m. You create a pod without specifying any CPU resources. What CPU values will be applied to the container?

151

A container image requires a seccomp profile that is not the default. The cluster supports the RuntimeDefault seccomp profile. Which Pod securityContext field should be configured to use the RuntimeDefault seccomp profile?

152

Which TWO resources are used to enforce resource quotas at the namespace level? (Select TWO.)

153

Which THREE configurations are part of Pod Security Admission's 'restricted' profile? (Select THREE.)

154

Which TWO commands can be used to create a Secret named 'db-creds' with keys 'username' and 'password'? (Select TWO.)

155

You create a ConfigMap named 'app-config' with the command 'kubectl create configmap app-config --from-literal=key1=value1'. Which of the following correctly mounts this ConfigMap as environment variables in a pod?

156

A pod is running with a SecurityContext that sets 'runAsUser: 1000' and 'runAsGroup: 3000'. The container process is running as user 1000. However, the container needs to access a file on a mounted volume that is owned by user 1000 and group 2000. Which SecurityContext setting should be added to ensure the container can read the file?

157

You need to create a Role and RoleBinding to allow a ServiceAccount 'monitor' in namespace 'app' to list pods in that namespace. Which YAML snippet correctly achieves this?

158

Which command creates a Secret named 'db-secret' with two keys, 'username' and 'password', from literal values?

159

A developer creates a pod with the following YAML snippet: securityContext: runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 The pod mounts an emptyDir volume. What is the owner and group of the mounted directory inside the container?

160

A pod is failing to start. The 'kubectl describe pod' output shows: 'container has runAsNonRoot and image will run as root'. The Dockerfile of the container image does not specify a USER directive. Which action will fix the issue?

161

You need to ensure that a pod in namespace 'dev' cannot consume more than 256Mi of memory. Which approach should you take?

162

A pod has 'automountServiceAccountToken: false' in its spec. What is the effect?

163

Which of the following correctly describes the purpose of a PodSecurityPolicy (PSP) in Kubernetes? (Note: PSP is deprecated in v1.21+ and removed in v1.25; Pod Security Admission is the replacement.)

164

A Deployment is configured with 'resources.requests.memory: 256Mi' and 'resources.limits.memory: 512Mi'. The node runs out of memory. Which pods will be the first to be evicted?

165

How can you set the environment variable 'DATABASE_URL' in a pod to the value stored in a Kubernetes Secret named 'db-secret' under the key 'url'?

166

You need to create a Secret of type 'kubernetes.io/tls' for ingress. Which command is correct?

167

Which TWO of the following are valid ways to create a ConfigMap from a file named 'app.properties'? (Select two.)

168

Which THREE of the following are characteristics of Pod Security Admission (PSA) standards? (Select three.)

169

Which TWO of the following are valid fields in a container's SecurityContext to restrict privilege escalation? (Select two.)

170

A developer wants to create a ConfigMap named 'app-config' with two key-value pairs: 'color=blue' and 'size=large'. Which kubectl command should they use?

171

A pod is scheduled but remains in 'Pending' state. Running 'kubectl describe pod mypod' shows: '0/1 nodes are available: 1 Insufficient memory'. What is the most likely cause?

172

A Pod specification includes: securityContext: { runAsNonRoot: true }. The container image runs as root by default. What will happen when the Pod is created?

173

An administrator creates a Role and RoleBinding in the 'dev' namespace to allow a ServiceAccount 'sa-dev' to list Pods. Which YAML snippet correctly defines the Role?

174

A developer needs to expose a database password to a Pod as an environment variable, securely. What should they do?

175

A Pod is in 'CrashLoopBackOff' state. 'kubectl logs mypod' shows: 'Error: listen tcp :8080: bind: address already in use'. What is the most likely cause?

176

An administrator wants to enforce that all Pods in a namespace run with a read-only root filesystem. Which admission controller should be configured?

177

A Pod specification includes: securityContext: { seccompProfile: { type: RuntimeDefault } }. What does this configuration do?

178

Which command creates a generic Secret with username=admin and password=secret123?

179

A Pod has the following environment variable definition: - name: DB_HOST valueFrom: configMapKeyRef: name: db-config key: host The ConfigMap 'db-config' exists in the same namespace but does not have a key 'host'. What will happen when the Pod starts?

180

A Pod is configured with automountServiceAccountToken: false. The application inside the pod needs to access the Kubernetes API. What should be done?

181

A developer wants to enforce that containers in a namespace cannot run as privileged. Which Pod Security Standard profile should they apply to the namespace?

182

Which TWO actions can help prevent a container from being compromised if an attacker gains access? (Select 2)

183

Which THREE statements about ResourceQuota are correct? (Select 3)

184

Which TWO commands can be used to create a Secret from a file? (Select 2)

185

Which kubectl command creates a ConfigMap named 'app-config' from a file 'app.properties'?

186

A pod manifest includes the following securityContext: securityContext: { runAsUser: 1000, runAsGroup: 3000, fsGroup: 2000 }. What UID will be used for processes in the container?

187

A pod in a namespace with a ResourceQuota that sets 'requests.cpu: 2' is failing to schedule. The pod manifest specifies 'resources: { requests: { cpu: "500m" } }'. What is the likely cause?

188

Which annotation is used to enforce Pod Security Admission at the 'restricted' level on a namespace?

189

A Secret of type kubernetes.io/tls requires two data keys. What are they?

190

You need to mount a Secret 'db-secret' as a volume in a pod, making its keys appear as individual files. Which volume definition is correct?

191

A container image requires running as UID 0 but you need to comply with a 'restricted' Pod Security Admission policy. Which SecurityContext setting allows this while still passing the policy?

192

A Role named 'pod-reader' in namespace 'ns1' grants get, list, and watch on pods. Which RoleBinding correctly binds this role to a ServiceAccount 'sa1' in the same namespace?

193

Which flag in a kubectl run command sets environment variables from a ConfigMap?

194

A pod has 'automountServiceAccountToken: false' in its spec. What is the effect?

195

Which of the following is a valid YAML snippet for a container that sets the seccomp profile to 'RuntimeDefault' in a PodSecurityContext?

196

What is the effect of setting 'readOnlyRootFilesystem: true' in a container's securityContext?

197

Which command creates a ConfigMap named 'app-config' from a file named 'config.properties'?

198

A pod with the following security context is in CrashLoopBackOff. The container image runs as user 1000. securityContext: runAsUser: 2000 runAsGroup: 3000 fsGroup: 4000 What is the most likely cause?

199

You need to grant a ServiceAccount 'my-sa' read-only access to pods in the 'test' namespace. Which RBAC YAML should you create?

200

You create a Secret with 'kubectl create secret generic db-secret --from-literal=password=myPass'. Later, you mount it as a volume in a pod. When you exec into the container and cat the file, what will you see?

201

Which API version is correct for a Deployment in Kubernetes v1.29?

202

You create a ResourceQuota in a namespace that sets requests.cpu: '1' and limits.cpu: '2'. A pod spec has no resource limits or requests. What happens when you try to create this pod?

203

A developer wants to ensure that a container runs as a non-root user and the filesystem is read-only except for a tmpfs volume. Which fields should be set in the container's securityContext?

204

You have a Secret of type kubernetes.io/tls. The pod mounting it as a volume expects the files 'tls.crt' and 'tls.key'. What keys must the Secret data contain?

205

Which command creates a Docker registry secret from an existing Docker config file?

206

A pod has a container with envFrom referencing a ConfigMap. The ConfigMap has keys 'APP_DEBUG=true' and 'APP_NAME=myapp'. The pod also has an env entry with name 'APP_DEBUG' set to 'false'. What is the value of APP_DEBUG in the container?

207

You apply a Pod Security Admission label 'pod-security.kubernetes.io/enforce: restricted' to a namespace. A pod with the following securityContext is created: securityContext: runAsUser: 1000 runAsNonRoot: true capabilities: drop: ["ALL"] seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false readOnlyRootFilesystem: true Will the pod be admitted?

208

Which field in a Pod spec specifies which ServiceAccount the pod should use?

209

Which TWO approaches can be used to expose a Secret's value as an environment variable in a pod?

210

Which THREE are valid ways to create a ConfigMap?

211

Which TWO are correct about LimitRange?

212

Which command creates a ConfigMap named 'app-config' with two keys: 'key1=value1' and 'key2=value2'?

213

A pod is scheduled but stays in Pending state. 'kubectl describe pod' shows: '0/1 nodes are available: 1 Insufficient memory'. What is the most likely cause?

214

You need to create a Pod that runs with a specific non-root user (UID 1000), prevents privilege escalation, and mounts the container's filesystem as read-only. Which securityContext field is NOT required to achieve these requirements?

215

A developer wants to expose a Secret named 'db-secret' as environment variables in a Pod. The Secret has keys 'username' and 'password'. Which Pod spec snippet correctly achieves this?

216

Which command creates a TLS secret from an existing certificate and key file?

217

A Pod in a namespace with a ResourceQuota fails to create with the error: 'exceeded quota: compute-quota, requested: pods=1, used: pods=5, limited: pods=5'. What is the issue?

218

You want to enforce a Pod Security Standard of 'restricted' in a namespace. Which command applies the correct label?

219

Which TWO of the following are valid ways to consume a Secret named 'db-secret' in a Pod? (Choose two.)

220

Which THREE of the following fields are part of a Pod's securityContext that can restrict container capabilities? (Choose three.)

221

Which TWO of the following are valid types for a Kubernetes Secret? (Choose two.)

222

Which THREE of the following are true about ServiceAccount token automounting? (Choose three.)

223

Which TWO of the following commands create a ConfigMap named 'my-config' from a file named 'app.properties'? (Choose two.)

224

Which THREE of the following are valid fields in a LimitRange resource to enforce resource constraints at the container level? (Choose three.)

225

Which TWO of the following are required to create a Role and RoleBinding that grants read access to Pods in the 'development' namespace? (Choose two.)

226

Which THREE of the following are valid fields in a Pod's container spec for resource management? (Choose three.)

227

A developer wants to mount a ConfigMap as a volume in a Pod so that updates to the ConfigMap are reflected in the Pod without restarting. Which two statements are correct? (Choose two.)

228

You need to create a Secret to store a TLS certificate and private key for use by an Ingress resource. Which two statements are correct? (Choose two.)

229

An administrator wants to implement Pod Security Admission (PSA) to enforce the 'restricted' policy for pods in the 'secure' namespace, but allow certain pods to use privileged containers by applying an exemption label. Which three steps are required? (Choose three.)

230

Which two fields can be used in a SecurityContext to control a container's access to the host filesystem? (Choose two.)

231

A developer wants to restrict a Pod's resource usage. Which two API resources can be used to enforce limits at the namespace level? (Choose two.)

232

You are troubleshooting a Pod that cannot start because it fails with 'Error: container has runAsNonRoot and image will run as root'. The Pod's SecurityContext has 'runAsNonRoot: true' and no explicit 'runAsUser'. Which three actions could resolve this? (Choose three.)

233

A developer needs to expose database credentials to a Pod as environment variables. The credentials are stored in a Kubernetes Secret named 'db-secret' with keys 'username' and 'password'. Which two methods correctly inject these values? (Choose two.)

Practice all 233 Application Environment, Configuration and Security questions

Other CKAD exam domains

Application Design and BuildApplication DeploymentApplication Observability and MaintenanceServices and Networking

Frequently asked questions

What does the Application Environment, Configuration and Security domain cover on the CKAD exam?

The Application Environment, Configuration and Security domain covers the key concepts tested in this area of the CKAD exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKAD domains — no account required.

How many Application Environment, Configuration and Security questions are in the CKAD question bank?

The Courseiva CKAD question bank contains 233 questions in the Application Environment, Configuration and Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Application Environment, Configuration and Security for CKAD?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Application Environment, Configuration and Security questions for CKAD?

Yes — the session launcher on this page draws questions exclusively from the Application Environment, Configuration and Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your CKAD domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

CKACKSDVA-C02