CNCF · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A team is deploying a microservice that requires initialization of a database schema before the main application starts. The init container must run a script that writes to a shared volume. Which configuration correctly ensures the init container completes before the main container runs?
Run the script as a sidecar container that shares the volume with the main container.
Use a postStart lifecycle hook on the main container to run the script.
Define an init container with the script and mount the shared volume to both init and main containers.
Init containers run to completion before app containers start, and shared volumes persist data.
Add a readiness probe to the main container that checks the shared volume.
A developer needs to expose a deployment named 'web-app' running on port 8080 to external traffic. The cluster is on-premises with no cloud load balancer. Which service type should be used?
ExternalName
ClusterIP
LoadBalancer
NodePort
NodePort exposes a port on each node's IP address for external access.
A developer is creating a ConfigMap from a file named 'app.properties'. The file contains key-value pairs. Which command correctly creates the ConfigMap with keys matching the file content?
kubectl create configmap my-config --from-file=app.properties
--from-file creates a configmap with a key named 'app.properties' containing file content.
kubectl create configmap my-config --from-literal=app.properties
cat app.properties | kubectl create configmap my-config --from-file=-
kubectl create configmap my-config --from-env-file=app.properties
Which TWO statements are true about Kubernetes Secrets?
Secret data is base64 encoded in YAML manifests.
Secret values are base64 encoded, not plaintext.
Secrets cannot be used as environment variables.
Secrets are always encrypted at rest by default.
Secrets can be mounted as volumes in a Pod.
Secrets can be mounted as files using volumes.
Secrets are limited to 1KB in size.
Which THREE are valid reasons to use a StatefulSet instead of a Deployment?
The application requires rolling updates.
Each pod requires a stable, unique network identity.
StatefulSets assign stable hostnames based on ordinal index.
Each pod needs its own persistent volume that persists across rescheduling.
StatefulSets can use volumeClaimTemplates to give each pod a unique PVC.
The application cannot be scaled down.
Pods must be terminated in reverse order during shutdown.
StatefulSets terminate pods from highest to lowest ordinal.
A developer is designing a Job that should run exactly once and then stop. The Job runs a batch process that is expected to complete within one hour. Which restartPolicy and backoffLimit are appropriate?
restartPolicy: Always, backoffLimit: 6
restartPolicy: OnFailure, backoffLimit: 4
OnFailure retries within the backoff limit; Job completes when pod succeeds.
restartPolicy: Never, backoffLimit: 0
restartPolicy: Always, backoffLimit: 0
A developer wants to deploy a stateless application as a set of identical pods. They need the pods to be distributed across nodes and have stable network identities. Which resource should they use?
Job
Deployment
Deployments manage stateless pods with rolling updates and scale.
DaemonSet
StatefulSet
A team is deploying a microservice that must be reachable within the cluster via a stable DNS name. They also need to distribute traffic among pods. Which Kubernetes resource provides both service discovery and load balancing?
Service
Service assigns a stable IP and DNS name, and load balances across pods.
ConfigMap
Secret
Ingress
During a deployment update, the rollout is stuck and new pods are not becoming ready. The developer checks the events and sees 'Back-off restarting failed container'. What is the most likely cause?
The liveness probe is failing
The container's entrypoint command fails immediately after start
If the command exits, the container crashes, leading to restart back-off.
The image pull secret is missing
The pod exceeds its memory limit and is OOMKilled
A developer needs to run a one-time batch job to process data. After completion, the pod should be retained for logs inspection. Which Job configuration parameter should be set?
backoffLimit: 0
Leave ttlSecondsAfterFinished unset
If not set, the job and pods are retained until manually deleted.
ttlSecondsAfterFinished: -1
activeDeadlineSeconds: 3600
A company wants to deploy a stateful database cluster where each pod has its own persistent storage. They need stable network identities and ordered pod creation. Which resource should they use?
Deployment
StatefulSet
StatefulSet is designed for stateful apps with stable identities and persistent storage.
CronJob
DaemonSet
A Deployment has replicas: 5. During a rolling update, the developer sets maxSurge: 2 and maxUnavailable: 1. What is the maximum number of pods that can be running during the update?
7
With maxSurge=2 up to 7 pods can be running simultaneously.
5
8
6
A pod named 'web-app' is running but has no environment variables. The developer wants to inject a variable 'DB_URL=postgres://db:5432' from a ConfigMap named 'db-config'. Which pod spec snippet correctly achieves this?
env: - name: DB_URL value: "postgres://db:5432"
envFrom: - configMapRef: name: db-config key: DB_URL
env: - name: DB_URL valueFrom: secretKeyRef: name: db-config key: DB_URL
env: - name: DB_URL valueFrom: configMapKeyRef: name: db-config key: DB_URL
Correctly references ConfigMap key.
A deployment runs a container that needs to read a file from a host path '/var/log/app' on the node. The file must be available to all pods on that node. Which volume type should be used?
emptyDir
hostPath
Correctly mounts host node path.
persistentVolumeClaim
configMap
A pod uses a service account 'my-sa' with a RoleBinding that grants get and list on pods in namespace 'app'. The pod runs a process that calls the Kubernetes API to list pods. However, the API call returns 403. What is the most likely cause?
The API server is not running.
The RoleBinding is in the wrong namespace.
The pod does not have the service account token mounted.
If automountServiceAccountToken is false, no token is available.
The Role does not include list permission.
A developer wants to restrict network traffic so that only pods with label 'app: frontend' can communicate with pods labeled 'app: backend' on port 8080. Which Kubernetes resource should be used?
NetworkPolicy
NetworkPolicy defines ingress/egress rules based on pod labels.
ResourceQuota
PodSecurityPolicy
RoleBinding
A container runs as root (UID 0) but the security policy requires the container to run as non-root user 1000. Which pod security context setting should be added?
runAsNonRoot: true
runAsUser: 1000
Directly sets the container's user ID to 1000.
fsGroup: 1000
privileged: false
Which TWO of the following are valid ways to mount a Secret into a pod as environment variables? (Select exactly 2)
env: - name: SECRET_KEY valueFrom: configMapKeyRef: name: my-secret key: key
env: - name: SECRET_KEY valueFrom: secretEnvRef: name: my-secret key: key
envFrom: - configMapRef: name: my-secret
env: - name: SECRET_KEY valueFrom: secretKeyRef: name: my-secret key: key
Correct: references a specific key from a Secret.
envFrom: - secretRef: name: my-secret
Correct: imports all keys as env vars.
A pod named 'web-app' is experiencing high CPU usage. You want to investigate which process inside the container is consuming the most CPU. Which command should you run?
kubectl logs -f web-app
kubectl exec web-app -- top
Executes 'top' inside the container, showing per-process CPU usage.
kubectl describe node
kubectl top pod web-app
A deployment 'api-deploy' has resource limits set but is frequently being OOMKilled. The team suspects the memory limit is too low. Which approach should be taken to confirm this without causing downtime?
Create a new pod with a higher memory limit and delete the old pods manually.
Set the memory limit to unlimited by removing the limit section and restart the pod.
Use 'kubectl set resources' to increase the limit on the running pod dynamically.
Increase the memory limit in the deployment spec and apply the change; the rollout will automatically restart pods.
Rolling update applies changes without downtime.
A pod is in CrashLoopBackOff state. You need to view the last few lines of its logs to understand why it is crashing. Which command is most appropriate?
kubectl logs -f my-pod
kubectl logs my-pod
kubectl logs my-pod --tail=20
Shows only the last 20 lines, ideal for recent errors.
kubectl get events --field-selector involvedObject.name=my-pod
You are debugging a network issue: a pod 'frontend' cannot reach a service 'backend' in the same namespace. The service endpoints are empty. What is the most likely cause?
The pod 'frontend' is not in the same namespace as the service 'backend'.
The service selector does not match the labels of any running pod.
Endpoints are populated by pods matching the selector; if none match, endpoints remain empty.
The pod's container port is different from the service port.
The kube-proxy is misconfigured and not updating iptables rules.
A deployment is configured with a liveness probe that checks an HTTP endpoint. The probe fails intermittently, causing pod restarts. What is the best first step to diagnose the issue?
Check the liveness probe events via 'kubectl describe pod' to see the exact probe responses.
Run 'kubectl exec' to curl the endpoint from another pod to test network connectivity.
Review the liveness probe parameters in the deployment YAML and increase the failureThreshold.
Examine the container logs via 'kubectl logs' for error messages around the time of the failures.
Logs provide insight into application behavior during probe failures.
A pod is stuck in 'Pending' state. You run 'kubectl describe pod my-pod' and see the event: '0/3 nodes are available: 3 Insufficient cpu.' Which action should you take?
Increase the CPU limits on the pod to give it more resources.
Reduce the CPU request of the pod and reapply the manifest.
Lowering CPU request may allow the pod to fit on a node with available CPU.
Add another node to the cluster to increase overall CPU capacity.
Add a nodeSelector to the pod to target a specific node.
A developer deploys a set of Pods labeled app=frontend and wants to expose them internally within the cluster on a stable IP. Which resource should be used?
Service of type NodePort
Service of type LoadBalancer
Service of type ClusterIP
Correct: ClusterIP provides a stable internal IP.
Ingress resource
A team uses a Service named 'backend' in namespace 'prod' to reach Pods in namespace 'staging'. The Service in 'prod' has no endpoints. What is the most likely cause?
The Service port name does not match the container port
The Service selector does not match any Pods in the same namespace
Service selects Pods only within its own namespace; no matching Pods in prod means no endpoints.
The Service type is ClusterIP but should be NodePort
DNS resolution is broken in the staging namespace
An application requires Pods to communicate using hostNetwork: true. Which Kubernetes resource is still necessary for stable DNS names?
Headless Service
Endpoints resource
Regular Service (ClusterIP)
Regular Service provides stable DNS and IP; works with hostNetwork.
Ingress
A Pod needs to access an external database at db.example.com:3306. Which Service type allows Pods to resolve a cluster-local name to this external address?
ExternalName
ExternalName returns CNAME to external DNS name.
LoadBalancer
NodePort
ClusterIP
A Service of type LoadBalancer is created but the external IP remains <pending>. What is the most likely reason?
The Service port is already in use
The Service selector does not match any Pods
The cluster does not have a cloud provider configured
Without a cloud controller, no LB is provisioned.
The Pods are not listening on the container port
A developer wants to expose a set of Pods on a specific port on each node's IP. Which Service type should be used?
LoadBalancer
ClusterIP
NodePort
NodePort exposes on each node's IP at a static port.
ExternalName
The CKAD exam is performance-based — there are no multiple-choice questions. It is a hands-on lab exam completed within 120 minutes. You complete practical tasks in a live or simulated environment. Courseiva practice questions cover the underlying concepts.
Hands-on application deployment and management tasks in a live Kubernetes cluster.
The exam covers 5 domains: Application Design and Build, Application Deployment, Application Environment, Configuration and Security, Application Observability and Maintenance, Services and Networking. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official CNCF CKAD exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.