Practice CKAD Services and Networking questions with full explanations on every answer.
Start practicing
Services and Networking — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A developer deploys a set of Pods labeled app=frontend and wants to expose them internally within the cluster on a stable IP. Which resource should be used?
2A team uses a Service named 'backend' in namespace 'prod' to reach Pods in namespace 'staging'. The Service in 'prod' has no endpoints. What is the most likely cause?
3An application requires Pods to communicate using hostNetwork: true. Which Kubernetes resource is still necessary for stable DNS names?
4A Pod needs to access an external database at db.example.com:3306. Which Service type allows Pods to resolve a cluster-local name to this external address?
5A Service of type LoadBalancer is created but the external IP remains <pending>. What is the most likely reason?
6A developer wants to expose a set of Pods on a specific port on each node's IP. Which Service type should be used?
7An Ingress resource routes traffic to a Service 'web' on port 80. The Service has multiple endpoints but all return 503. What should be checked first?
8A Pod needs to communicate with another Pod in the same cluster but in a different namespace. What is the correct DNS name to use?
9A Service uses a selector to target Pods. After updating the Pod labels, you notice the endpoints list is empty. What is the most likely reason?
10Which TWO of the following are valid ways to expose a Service externally in a Kubernetes cluster?
11Which THREE of the following are valid use cases for a Headless Service (clusterIP: None)?
12Which TWO of the following are required for Ingress to route HTTP traffic to a backend Service?
13You are responsible for a multi-tier application running in a Kubernetes cluster. The frontend Pods communicate with backend Pods via a Service named 'backend' in the same namespace. Recently, the frontend team reported that the backend Service is intermittently unreachable. You inspect the backend Pods and notice that they are all running and ready, but the Endpoints object for the 'backend' Service shows only a subset of the Pod IPs. You also notice that the backend Pods have a readiness probe configured that checks an HTTP endpoint '/healthz'. The readiness probe has a periodSeconds of 5 and failureThreshold of 3. The application logs show occasional spikes in response time on the /healthz endpoint, sometimes exceeding 15 seconds. You need to resolve the intermittent unavailability without removing the readiness probe. Which action should you take?
14You have deployed a microservices application in a Kubernetes cluster. One of the services, 'payment-service', needs to be accessed by other services within the cluster via a stable DNS name. You create a Service of type ClusterIP named 'payment' with selector app=payment. However, when you try to curl http://payment from another Pod, the connection times out. You verify that the Pods backing 'payment-service' are running and ready, and the Endpoints object lists the correct Pod IPs. You also confirm that the Pods are listening on port 8080, and the Service defines targetPort: 8080. The cluster uses a standard CNI plugin (Calico) and DNS is provided by CoreDNS. What is the most likely cause of the timeout?
15A company runs a web application in a Kubernetes cluster. The application consists of a frontend service and a backend service. The frontend needs to communicate with the backend using a DNS name that does not change even if the backend pods are recreated. Which Kubernetes resource should the frontend use to reach the backend?
16A DevOps engineer notices that traffic to a Service named 'api' is not being forwarded to newly created pods. The Service selects pods with label 'app: api'. The pods are running and have the correct label. However, the Service's endpoints list does not include the new pods. What is the most likely cause?
17A user creates a Deployment with 3 replicas and a Service of type ClusterIP. The Service selects pods with label 'app: web'. The user wants external clients to access the application via a stable IP address. Which additional resource is required?
18During a security audit, it is discovered that a pod running a database is accessible from any other pod in the cluster. The database should only be accessible by pods with label 'role: backend'. Which resource should be applied to enforce this restriction?
19A developer creates a headless Service named 'db' to discover all database pod IPs. The Service selects pods with label 'app: db'. The pods are assigned IPs 10.0.0.1, 10.0.0.2, and 10.0.0.3. When a client performs a DNS lookup for 'db', what will it receive?
20Which TWO statements about Kubernetes Services are correct? (Choose two.)
21Which THREE components are required for a basic Ingress to route HTTP traffic to a Service? (Choose three.)
22Refer to the exhibit. A user has created the Service shown. The application pods listen on port 8080. Which port should an external client use to access the application from outside the cluster?
23You are a platform engineer managing a Kubernetes cluster version 1.28. A development team has deployed a microservice application called 'order-processor' in the 'prod' namespace. The application consists of a frontend Pod 'frontend' and a backend Pod 'backend', each with a single container. The frontend needs to communicate with the backend using a headless Service named 'backend-svc' that selects Pods with label 'app:backend'. The backend Pods are expected to scale horizontally, and the frontend uses a DNS lookup to discover all backend Pod IPs for client-side load balancing. However, after deploying, the frontend is unable to resolve 'backend-svc' to any IP addresses. The backend Pod is running and has the correct label 'app:backend'. The Service 'backend-svc' is defined as a ClusterIP with clusterIP: None. The frontend container has the 'default' DNS policy. What is the most likely cause of the failure?
24A developer deploys a web application as a Deployment named 'web-app' with 3 replicas. The application listens on port 8080 and should be accessible from within the cluster via the service name 'web-svc' on port 80. Which Service YAML correctly exposes the application?
25A DevOps engineer is setting up network policies in a Kubernetes cluster. The goal is to allow traffic from pods with label 'role=frontend' to pods with label 'role=backend' on TCP port 8080, and deny all other ingress to backend pods. Which two components are necessary to implement this? (Choose two.)
26Order the steps to perform a rolling rollback of a Deployment to a previous revision.
27Arrange the steps to create a multi-container Pod with a shared volume.
28Match each YAML key in a Deployment manifest to its purpose.
29Match each Kubernetes term to its description.
30Which of the following Service types exposes a pod on a static port on each node's IP address?
31You have a Service named 'web' in namespace 'default'. Which DNS name resolves to the Service's ClusterIP?
32You need to create a NetworkPolicy that denies all ingress traffic to pods with label 'app: db' in namespace 'prod'. Which YAML snippet correctly implements this?
33A StatefulSet named 'mysql' is deployed with 3 replicas. The administrator wants to create a headless Service so that each pod gets a unique DNS entry. Which Service specification should be used?
34Which command creates a Service named 'my-svc' that exposes a deployment named 'my-deploy' on port 80?
35You have an Ingress resource that routes traffic to two services: 'app1' and 'app2'. The requirement is that traffic for 'app.example.com' goes to app1, and traffic for any other host goes to app2. Which Ingress specification correctly achieves this?
36A pod is unable to resolve the DNS name of a Service in the same namespace. The pod's /etc/resolv.conf shows 'nameserver 10.96.0.10'. What is the most likely cause?
37Which TWO statements about Services are true? (Choose two.)
38You want to restrict ingress traffic to pods with label 'app: web' in namespace 'frontend' to only come from pods in namespace 'backend'. Which NetworkPolicy YAML is correct?
39You need to debug a Service that is not routing traffic to its endpoints. Which command shows the current endpoints of a Service?
40An Ingress resource has the following spec. What is the effect? spec: tls: - hosts: - myapp.example.com secretName: myapp-tls rules: - host: myapp.example.com http: paths: - path: / pathType: Prefix backend: service: name: myapp port: number: 80
41Which command forwards port 8080 on the local machine to port 80 on a pod named 'web-pod'?
42Which THREE statements about Ingress are correct? (Choose three.)
43A Service named 'api' has no endpoints. 'kubectl describe svc api' shows the selector 'app: api', but no pods have that label. What is the most likely reason for missing endpoints?
44Which TWO are valid ways to create a Service from a deployment named 'frontend'? (Choose two.)
45Which command exposes a deployment named 'web' as a ClusterIP service on port 80?
46A developer creates a Service named 'backend' in namespace 'default'. The service targets pods with label 'app: backend'. From within a pod in the same namespace, which DNS name resolves to the service's ClusterIP?
47An ingress resource is created with the following spec. Which request will be routed to the 'green' service? ```yaml spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: blue port: number: 80 - path: /api/v1 pathType: Exact backend: service: name: green port: number: 80 ```
48A NetworkPolicy named 'default-deny-ingress' is applied to a namespace but contains no rules. What is the effect on pods in that namespace?
49To create a service that will be accessible from outside the cluster using a cloud provider's load balancer, what type should be used?
50A pod in namespace 'default' cannot resolve the service name 'db' in namespace 'data'. Which DNS name should the pod use to reach the service?
51A NetworkPolicy allows ingress traffic from pods with label 'role: frontend' in the same namespace. Which podSelector is correct?
52A developer wants to test a service locally using kubectl. Which command forwards local port 8080 to the service's port 80?
53Which service type is used to expose a service using an external DNS name, such as a database hosted outside Kubernetes?
54A headless service is created with 'clusterIP: None'. What is the primary use case for such a service?
55An Ingress resource uses the annotation 'kubernetes.io/ingress.class: nginx'. However, traffic is not being routed. The cluster has multiple ingress controllers. What is the most likely cause?
56A NetworkPolicy allows egress traffic to pods with label 'db: mysql' in the same namespace. Which egress rule is correct?
57Which TWO statements about Kubernetes Services are correct?
58Which THREE components are typically involved when using Ingress to expose a service?
59Which TWO are valid ways to create a Service in Kubernetes?
60Which kubectl command creates a Service of type ClusterIP named 'my-service' that exposes port 80 on a set of pods selected by label 'app: web'?
61A developer creates a headless Service with 'clusterIP: None' for a StatefulSet. What is the primary purpose of using a headless Service?
62You create a Service named 'backend' in namespace 'prod'. A pod in namespace 'dev' tries to reach the service using the DNS name 'backend.prod.svc.cluster.local'. The pod cannot resolve the name. What is the most likely cause?
63You apply the following Ingress manifest: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: app-ingress spec: ingressClassName: nginx rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 The Ingress controller logs show a 404 error when accessing 'http://example.com/api'. The service 'api-service' exists and is reachable via ClusterIP. What is the most likely cause?
64You are tasked with creating a NetworkPolicy that denies all ingress traffic to pods in the 'db' namespace by default. Which YAML snippet correctly implements this?
65Which Service type is used to expose a service externally on a static port on each worker node?
66You run 'kubectl port-forward pod/my-pod 8080:80' and try to access 'http://localhost:8080', but the connection is refused. The pod is running and port 80 is open. What is the most likely issue?
67You have a NetworkPolicy that allows ingress from pods with label 'app: frontend' in any namespace, and also allows ingress from the IP range '10.0.0.0/8'. The policy is not working as expected. Which YAML snippet correctly implements both requirements?
68A user runs 'kubectl get endpoints my-service' and sees no endpoints listed. The service has a selector 'app: my-app'. Pods with that label exist and are running. What is the most likely cause?
69You have an Ingress with TLS configured. The Ingress controller returns a certificate error when accessing via HTTPS. The secret 'my-tls' exists in the same namespace. Which of the following is the most likely cause?
70Which command creates a Service named 'web' of type ClusterIP that selects pods with label 'tier: frontend' and exposes port 80?
71You need to allow ingress traffic to pods in namespace 'api' only from pods in namespace 'frontend' that have label 'role: proxy'. Which NetworkPolicy ingress rule correctly implements this?
72Which TWO of the following are valid ways to expose a service externally on a Kubernetes cluster? (Select 2)
73Which THREE of the following are valid rules for a NetworkPolicy that allows egress traffic from pods with label 'app: worker' to the external IP range '192.168.0.0/16' on port 53 UDP? (Select 3)
74Which TWO of the following are true about headless services? (Select 2)
75Which Service type is used to expose a Service on a static port on each node's IP address, allowing external traffic to reach the Service?
76A developer runs `kubectl expose deployment web-deploy --port=80 --target-port=8080 --type=NodePort` and later wants to access the Service from outside the cluster. What is the correct way to find the external port?
77An admin creates a Service without a selector. Which of the following is true about such a Service?
78What is the primary purpose of a headless Service (clusterIP: None) in Kubernetes?
79Which of the following Ingress controllers is commonly used in Kubernetes?
80An admin applies the following NetworkPolicy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress What effect does this policy have?
81A pod in namespace 'app' needs to resolve the DNS name 'db-service.data.svc.cluster.local'. What is the likely namespace of the 'db-service' Service?
82An admin wants to expose a Service only for internal cluster communication, without external access. Which Service type should they use?
83What is the correct command to forward a local port to a pod for debugging?
84An Ingress resource has the following spec: spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 What will the Ingress controller do for a request to http://example.com/api/v1/users?
85Which of the following is a valid NetworkPolicy that allows ingress traffic only from pods with label 'role: frontend' in any namespace?
86What is the purpose of the `IngressClass` resource in Kubernetes?
87Which TWO of the following are valid methods to create a Service in Kubernetes? (Select 2)
88Which THREE of the following are true about Kubernetes Services? (Select 3)
89Which TWO of the following are valid Ingress path types? (Select 2)
90A developer wants to expose a Deployment named 'web-app' (with label 'app: web') as a ClusterIP service on port 80. Which command achieves this?
91You have a headless service 'db' in namespace 'data'. Pods in that namespace can resolve 'db.data.svc.cluster.local'. What is the effect of a headless service on DNS resolution?
92An Ingress resource is defined as: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: test-ingress spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 tls: - hosts: - example.com secretName: tls-secret What must exist in the cluster for TLS termination to work?
93A NetworkPolicy with the following spec is applied: spec: podSelector: {} policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: role: frontend What does this policy do?
94You need to access a database pod 'db-pod' on port 5432 from your local machine. Which command forwards local port 15432 to the pod's port 5432?
95What is the default service type in Kubernetes?
96A ClusterIP service named 'svc' has no endpoints. Which command can you use to debug why the service is not routing traffic?
97What annotation is required on an Ingress resource to use a specific IngressClass (e.g., 'nginx')?
98A NetworkPolicy denies all ingress traffic to a namespace. Which rule would allow traffic only from pods in the same namespace?
99You want to expose a Deployment 'app' externally on port 30080 on each node. What service type should you use?
100A pod 'app' has an init container that fails. The pod status is Init:Error. What is the first step to diagnose?
101Which of the following is true about Istio as a service mesh?
102Which TWO of the following are valid ways to create a Service named 'web' that targets pods with label 'app: web' on port 80?
103Which THREE statements about NetworkPolicy are correct?
104Which TWO of the following are valid service types in Kubernetes?
105Which of the following commands creates a Service named 'my-svc' of type ClusterIP that exposes TCP port 80 on a set of pods selected by the label 'app: web'?
106A developer runs 'kubectl run nginx --image=nginx --port=80' and then creates a Service with the following YAML: apiVersion: v1 kind: Service metadata: name: nginx-svc spec: selector: app: nginx ports: - protocol: TCP port: 80 targetPort: 80 However, the Service has no endpoints. What is the most likely cause?
107Given the following NetworkPolicy YAML: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress What is the effect of this policy?
108What is the DNS name for a Service named 'backend' in the 'default' namespace?
109An Ingress resource is created with the following YAML: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-svc port: number: 80 Which of the following requests will be routed to the api-svc Service?
110A StatefulSet named 'web' is created with 3 replicas. What is the DNS name for the second pod (index 1)?
111You have a Deployment with multiple replicas. You want to expose it via a Service that has a stable IP address and is accessible from outside the cluster on a static port on each node. Which Service type should you use?
112Which of the following is true about headless services?
113An administrator wants to allow ingress traffic to pods with label 'app: database' only from pods with label 'app: api' in the same namespace. Which NetworkPolicy rule is correct?
114You run 'kubectl port-forward pod/my-pod 8080:80'. What does this command do?
115An Ingress resource has the following annotation: 'kubernetes.io/ingress.class: nginx'. What is the purpose of this annotation?
116What is the default Service type when creating a Service via 'kubectl create service' or YAML without specifying type?
117Which TWO of the following are valid ways to expose a Deployment named 'web' as a Service?
118Which THREE of the following are true regarding NetworkPolicy in Kubernetes?
119Which TWO of the following are correct about the ExternalName Service type?
120You create a Service with `kubectl expose deployment web --port=80 --target-port=8080`. What type of Service is created by default?
121A developer creates a Deployment with 3 replicas and a Service with `clusterIP: None`. What is the primary use case for this headless Service?
122A Pod named `my-pod` in namespace `ns1` tries to resolve `svc-a.ns2.svc.cluster.local`. The DNS query fails. The Service `svc-a` exists in namespace `ns2`. What is the most likely cause?
123You apply the following Ingress manifest: ``` apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress spec: ingressClassName: nginx rules: - host: app.example.com http: paths: - pathType: Prefix path: / backend: service: name: app-svc port: number: 80 ``` What is missing to enable TLS termination for this Ingress?
124Which of the following commands creates a LoadBalancer Service named `web-svc` for a Deployment named `web` on port 80?
125A NetworkPolicy is applied to a namespace with the following rules: ``` apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress ``` What is the effect on pods in that namespace?
126You need to temporarily access a pod's HTTP endpoint on port 8080 from your local machine. Which command should you use?
127A Service named `api` in namespace `default` has multiple endpoints. You run `kubectl get endpoints api` and see no IPs. What is the most likely cause?
128Which Service type is used to expose a Service on a static port on each node in the cluster?
129You create a Service with the following YAML: ``` apiVersion: v1 kind: Service metadata: name: my-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: my-app ``` What is the default Service type?
130An Ingress has two rules: - host: app.example.com, path: /api -> service-a:80 - host: api.example.com, path: / -> service-b:80 A request to `app.example.com/api/v1` reaches which service?
131What is the DNS name for a Service named `svc` in namespace `ns`?
132Which TWO statements about NetworkPolicy are correct? (Choose two.)
133Which THREE are valid fields in a NetworkPolicy spec? (Choose three.)
134Which TWO are valid Service types? (Choose two.)
135You have a Deployment named 'web' with label 'app: web'. You want to create a Service that exposes the Deployment on port 80 internally within the cluster. Which kubectl command achieves this?
136A Service of type NodePort is created with 'spec.ports[0].nodePort: 30080'. The cluster nodes have IPs 10.0.0.1, 10.0.0.2. Which command can be used to test connectivity to the Service from outside the cluster?
137A NetworkPolicy named 'deny-all' is applied in a namespace. Which YAML snippet correctly implements a default-deny-all ingress policy?
138You have a Service named 'app-service' in namespace 'default'. You want a pod in namespace 'monitoring' to resolve the service DNS name. What is the correct fully qualified domain name (FQDN)?
139You have a headless Service for a StatefulSet. What is the DNS resolution behavior for the StatefulSet pods?
140Which Service type is used to expose a Service externally using a cloud provider's load balancer?
141An Ingress resource is configured with TLS. Which field in the Ingress YAML specifies the secret containing the TLS certificate and key?
142You need to allow ingress traffic to pods with label 'app: web' from pods with label 'role: frontend' in the same namespace, and also from any pod in namespace 'monitoring'. Which NetworkPolicy egress/ingress rule correctly implements this?
143Which kubectl command forwards local port 8080 to port 80 of a pod named 'web-pod'?
144You have a Service named 'api' with selectors that match pods. However, curl to the Service cluster IP times out. 'kubectl get endpoints api' shows no endpoints. What is the most likely cause?
145An Ingress resource uses host-based routing. Which field in the Ingress YAML specifies the host header to match?
146You have a Deployment with 3 replicas. You create a Service with 'clusterIP: None'. What is the effect on pod DNS?
147Which TWO statements about Ingress are correct? (Select 2)
148Which THREE statements about NetworkPolicy are correct? (Select 3)
149Which TWO Service types allow external access to pods from outside the Kubernetes cluster? (Select 2)
150You have a Deployment named 'web-app' with 3 replicas. You want to expose the pods on port 80 internally within the cluster using a ClusterIP service. Which kubectl command should you use?
151You have a headless Service for a StatefulSet. The DNS query for the service returns no A records. What is the most likely cause?
152You apply the following NetworkPolicy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress After applying, pods in the namespace cannot reach the kube-dns service. What is the most likely reason?
153You have an Ingress resource with TLS configured. The certificate is stored in a Secret named 'my-tls'. Which field in the Ingress YAML specifies the Secret name?
154You need to forward a local port to port 8080 on a pod named 'my-pod' in the 'default' namespace. Which kubectl command should you use?
155You have a Service named 'my-svc' in the 'prod' namespace. What is the fully qualified DNS name for this Service?
156You want to block all ingress traffic to pods labeled 'app=api' except from pods labeled 'app=frontend'. Which NetworkPolicy rule is correct?
157Which Service type exposes a Service externally via each Node's IP on a static port?
158You have a Service that exposes a Deployment. Some pods are not receiving traffic. 'kubectl get endpoints my-service' shows only 2 out of 3 pod IPs. What is the most likely cause?
159You want to expose a Deployment named 'nginx' on port 80 using a LoadBalancer service. Which YAML snippet is correct?
160You have an Ingress that should route requests to 'api.example.com' to a service named 'api-svc' on port 80, and requests to 'www.example.com' to 'web-svc' on port 80. Which host-based routing rule is correct?
161You have a Service named 'myservice' in namespace 'default'. A pod in the same cluster but different namespace 'other' wants to resolve the service's IP. What DNS name should it use?
162Which TWO of the following are valid Service types in Kubernetes? (Select 2)
163Which THREE of the following are true about NetworkPolicy? (Select 3)
164Which TWO of the following are valid methods to create a Service in Kubernetes? (Select 2)
165Which of the following commands creates a ClusterIP service named 'my-service' that exposes port 80 on the pod with label 'app=web'?
166A ClusterIP service named 'db-service' in namespace 'data' is not reachable from a pod in the same namespace. The pod's /etc/resolv.conf shows 'search data.svc.cluster.local svc.cluster.local cluster.local'. Using the pod, which command tests DNS resolution for the service?
167You create a headless service with 'clusterIP: None' for a StatefulSet. How does a client discover the individual pod IPs?
168Which annotation is used to specify the IngressClass for an Ingress resource in Kubernetes v1.18+?
169What is the default type of a Kubernetes Service when no type is specified in the YAML manifest?
170You have an Ingress with the following spec: spec: rules: - host: app.example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 How does the Ingress controller route a request to http://app.example.com/api/v1/users?
171A NetworkPolicy named 'default-deny-all' is applied to a namespace. It has no rules. Which statement is true?
172Which command forwards local port 8080 to port 80 of a pod named 'web-pod'?
173What is the purpose of the 'spec.externalName' field in a Service of type ExternalName?
174You have a Deployment with pods labeled 'tier: frontend'. You create a Service with selector 'tier: frontend'. However, the Service has no endpoints. What is the MOST likely cause?
175An Ingress resource specifies TLS termination using a secret. The secret must contain which keys?
176When using 'kubectl expose', which flag creates a NodePort service?
177Which TWO of the following are valid Ingress pathTypes in Kubernetes networking.k8s.io/v1?
178Which THREE of the following are valid fields in a NetworkPolicy spec?
179Which TWO of the following are correct statements about DNS in Kubernetes?
180You have a Deployment running three replicas of a web application. You need to expose the application on port 80 of all cluster nodes. Which Service type should you use?
181A developer wants to access a specific pod's port 8080 from their local machine using a temporary connection. Which command should they use?
182An Ingress resource is configured with TLS termination. The secret referenced in the Ingress is present, but the Ingress controller returns 404. What is the most likely cause?
183A ClusterIP Service named 'db' in namespace 'data' is not reachable from a pod in namespace 'app'. Which DNS name should the pod use to resolve the service?
184You want to deny all incoming traffic to a set of pods except from pods with label 'role: frontend'. Which NetworkPolicy spec should you use?
185A StatefulSet is deployed with a headless service (clusterIP: None). The pods are named 'web-0', 'web-1', 'web-2'. What DNS name resolves to the specific IP of 'web-1'?
186You create a Service with the following manifest. What is the effect? service.yaml: apiVersion: v1 kind: Service metadata: name: ext-svc spec: type: ExternalName externalName: db.example.com
187A NetworkPolicy with the following spec is applied to a namespace. What is the effect? spec: podSelector: {} policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 10.0.0.0/8 except: - 10.0.1.0/24 egress: - to: - ipBlock: cidr: 0.0.0.0/0
188You need to expose a Deployment named 'web' on port 80 internally within the cluster. Which command creates the appropriate Service?
189A Service of type LoadBalancer is created but the external IP remains pending. What is the most likely reason?
190An Ingress is configured for host-based routing with two hosts: 'app1.example.com' and 'app2.example.com'. A request to 'app1.example.com' should go to service 'svc1'. Which field in the Ingress spec specifies the host?
191Which TWO statements about headless services are correct?
192Which THREE conditions must be met for a NetworkPolicy to effectively isolate a set of pods?
193Which TWO commands can be used to list the endpoints of a Service named 'my-svc'?
194Which TWO are valid port names in a Service definition?
195A developer needs to expose a deployment named 'web-app' running in the 'default' namespace on port 8080 internally within the cluster. Which kubectl command creates a ClusterIP service that selects pods with label 'app: web'?
196An administrator applies the following NetworkPolicy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress After applying this policy, which traffic flows are affected?
197Which TWO statements about Kubernetes Services are correct?
198Which THREE items are required for Ingress to work correctly in a Kubernetes cluster?
199Which TWO statements about Kubernetes DNS are correct?
200Which THREE statements about NetworkPolicy are correct?
201A pod named 'debug' is running. Which command forwards local port 4000 to port 80 on the pod?
202A StatefulSet named 'mysql' is deployed with 3 replicas. The administrator wants each pod to have a stable network identity. Which service configuration is required?
203Which TWO statements about Ingress are correct?
204Which THREE are valid ways to expose a Service externally in Kubernetes?
The Services and Networking domain covers the key concepts tested in this area of the CKAD exam blueprint published by CNCF. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CKAD domains — no account required.
The Courseiva CKAD question bank contains 204 questions in the Services and Networking domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Services and Networking domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included