Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CKAD Application Environment, Configuration and Security • Complete Question Bank

CKAD Application Environment, Configuration and Security — All Questions With Answers

Complete CKAD Application Environment, Configuration and Security question bank — all 0 questions with answers and detailed explanations.

233 Questions • Free • No signup
Question 1 • easy • multiple choice

A pod named 'web-app' is running but has no environment variables. The developer wants to inject a variable 'DB_URL=postgres://db:5432' from a ConfigMap named 'db-config'. Which pod spec snippet correctly achieves this?

Question 2 • medium • multiple choice

A deployment runs a container that needs to read a file from a host path '/var/log/app' on the node. The file must be available to all pods on that node. Which volume type should be used?

Question 3 • hard • multiple choice

A pod uses a service account 'my-sa' with a RoleBinding that grants get and list on pods in namespace 'app'. The pod runs a process that calls the Kubernetes API to list pods. However, the API call returns 403. What is the most likely cause?

Question 4 • medium • multiple choice

A developer wants to restrict network traffic so that only pods with label 'app: frontend' can communicate with pods labeled 'app: backend' on port 8080. Which Kubernetes resource should be used?

Question 5 • easy • multiple choice

A container runs as root (UID 0) but the security policy requires the container to run as non-root user 1000. Which pod security context setting should be added?

Question 6 • hard • multi select

Which TWO of the following are valid ways to mount a Secret into a pod as environment variables? (Select exactly 2)

Question 7 • medium • multi select

Which THREE of the following are valid fields in a PodSecurityPolicy (PSP) that control Linux capabilities? (Select exactly 3)

Question 8 • medium • multiple choice

You are designing a Pod that runs a legacy application requiring a specific configuration file mounted at /etc/config/app.conf. The configuration is stored in a Kubernetes ConfigMap named 'app-config' with key 'config.yaml'. Which approach ensures the configuration is mounted correctly and the container automatically receives updates when the ConfigMap changes?

Question 9 • easy • multiple choice

A developer creates a Secret named 'db-secret' with key 'password'. They want to expose the password as an environment variable DB_PASSWORD in a Pod. Which of the following is the correct way to achieve this?

Question 10 • medium • multi select

Which TWO of the following are valid ways to inject configuration data into a Kubernetes Pod?

Question 11 • hard • multiple choice

Refer to the exhibit. A Pod is defined with security contexts at both the container and Pod level. Which of the following statements accurately describes the effective security configuration?

Exhibit

```
apiVersion: v1
kind: Pod
metadata:
  name: secured-pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      runAsUser: 1000
      runAsGroup: 2000
      capabilities:
        add: ["NET_ADMIN"]
        drop: ["ALL"]
  securityContext:
    runAsNonRoot: true
```
Question 12 • easy • multiple choice

You are a Kubernetes administrator responsible for a production cluster. A development team has deployed a Pod named 'app-pod' that runs a container with a PostgreSQL database. The team reports that the Pod is failing to start with an error: 'Error: container has runAsNonRoot and image will run as root (runtime error)'. The Pod YAML is as follows:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: db
    image: postgres:latest
    securityContext:
      runAsNonRoot: true
```

The team wants to ensure the container runs securely without running as root. What is the BEST course of action?

Question 13 • medium • drag order

Arrange the steps to create a ConfigMap from a file and mount it as a volume in a Pod.

Question 14 • medium • drag order

Sequence the steps to scale a Deployment to 5 replicas and verify.

Question 15 • medium • matching

Match each Kubernetes concept to its definition.

Virtual cluster for resource isolation

Runs one pod per node for system services

Runs a pod to completion; for batch processing

Automatically scales pods based on CPU/memory

Controls traffic flow between pods

Question 16 • medium • matching

Match each Kubernetes probe to its check behavior.

Runs a command inside the container; success if exit 0

Performs an HTTP GET request; success if 2xx-3xx

Attempts to open a TCP socket; success if connection established

Performs a gRPC health check (alpha)

Indicates whether the application has started successfully

Question 17 • easy • multiple choice

You need to create a ConfigMap named 'app-config' with key 'APP_COLOR' and value 'blue'. Which command creates this ConfigMap?

Question 18 • medium • multiple choice

A pod is running with the following SecurityContext:

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 2000
  fsGroup: 3000
```

What UID and GID does the process inside the container use?

Question 19 • hard • multiple choice

You need to create a Pod that mounts a Secret named 'mysecret' as an environment variable 'SECRET_DATA'. The secret has a key 'password'. Which YAML snippet correctly achieves this?

Question 20 • easy • multiple choice

Which of the following is the correct way to set a CPU request of 250 millicores and a memory limit of 512 Mi in a container?

Question 21 • medium • multiple choice

A developer wants to ensure that a pod runs with a non-root user and cannot gain root privileges. Which SecurityContext settings should be used?

Question 22 • easy • multiple choice

Which command creates a generic secret named 'db-secret' with key 'password' and value 'p@ss'?

Question 23 • medium • multiple choice

A pod named 'test-pod' in namespace 'test' has a service account 'my-sa' attached. The service account has a RoleBinding to a Role that allows get/list pods. However, the pod cannot list pods. What is the most likely issue?

Question 24 • medium • multiple choice

You want to enforce that all pods in a namespace have a minimum memory request of 100Mi and a maximum memory limit of 1Gi. Which resource should you create?

Question 25 • hard • multiple choice

A cluster administrator wants to enforce that all pods in a namespace run with the 'restricted' Pod Security Standard. Which of the following is the correct way to label the namespace?

Question 26 • medium • multiple choice

A pod needs to mount a ConfigMap as a volume so that when the ConfigMap is updated, the pod automatically gets the updates. Which volume type should be used?

Question 27 • easy • multiple choice

Which command lists all the secrets in the current namespace?

Question 28 • hard • multiple choice

A pod is running with a service account that has been granted a Role to get pods. The pod's code uses the Kubernetes API from within the container. However, the API call fails with a 403 Forbidden error. Which file should the pod read to obtain the authentication token?

Question 29 • medium • multi select

Which TWO of the following are valid types of Secrets in Kubernetes?

Question 30 • hard • multi select

Which THREE of the following are valid fields in a PodSecurityContext?

Question 31 • medium • multi select

Which TWO of the following are valid ways to consume environment variables from a ConfigMap in a pod?

Question 32 • easy • multiple choice

You need to create a ConfigMap named 'app-config' from a file 'config.properties'. Which kubectl command should you use?

Question 33 • easy • multiple choice

Which of the following YAML fields can be used to mount a Secret as a volume in a Pod?

Question 34 • medium • multiple choice

A developer wants to ensure a container runs as a non-root user with user ID 1000 and group ID 2000. Which SecurityContext fields should be set?

Question 35 • easy • multiple choice

What is the primary purpose of a Kubernetes ServiceAccount?

Question 36 • medium • multiple choice

A pod is stuck in Pending state. You run 'kubectl describe pod my-pod' and see the event: '0/4 nodes are available: 1 Insufficient cpu, 3 Insufficient memory'. What is the most likely cause?

Question 37 • hard • multiple choice

You want to restrict a Pod to only run with a seccomp profile of 'RuntimeDefault'. Which SecurityContext field should you set?

Question 38 • easy • multiple choice

Which of the following is a valid way to expose a Secret as an environment variable in a Pod?

Question 39 • medium • multiple choice

You have a Secret of type 'kubernetes.io/tls' named 'tls-secret'. What keys are required in the Secret data?

Question 40 • hard • multiple choice

A Pod in a namespace with a ResourceQuota that sets 'limits.cpu: 4' and 'limits.memory: 8Gi' is being created with the following container resources: requests: cpu: 2, memory: 4Gi; limits: cpu: 4, memory: 8Gi. The namespace also has a LimitRange with default limits of cpu: 500m, memory: 512Mi. Which statement is true about this resource configuration?

Question 41 • easy • multiple choice

Which kubectl command creates a Secret named 'db-secret' with key 'password' and value 'mypwd'?

Question 42 • medium • multiple choice

You need to grant a ServiceAccount named 'app-sa' in namespace 'default' read-only access to Pods in that namespace. Which RBAC resources should you create?

Question 43 • hard • multiple choice

You create a Pod with a securityContext set to 'runAsNonRoot: true' and a container image that runs as root (user 0). What will happen when you create the Pod?

Question 44 • medium • multi select

Which TWO of the following are valid ways to consume a ConfigMap in a Pod? (Select TWO)

Question 45 • medium • multi select

Which THREE of the following are benefits of using a ResourceQuota in a namespace? (Select THREE)

Question 46 • hard • multi select

You want to apply a Pod Security Admission (PSA) policy that enforces the 'restricted' profile in the 'dev' namespace, but only for Pods that are not exempt. Which TWO steps are required? (Select TWO)

Question 47 • easy • multiple choice

Which kubectl command creates a ConfigMap named 'app-config' from a file named 'config.properties'?

Question 48 • easy • multiple choice

A pod needs to run as a non-root user with UID 1000. Which SecurityContext field should be set?

Question 49 • medium • multiple choice

A developer creates a Secret using the command: 'kubectl create secret generic db-secret --from-literal=password=myPass'. Which way to consume this Secret in a pod is CORRECT?

Question 50 • medium • multiple choice

A cluster administrator wants to prevent all pods in a namespace from running with privilege escalation. Which Pod Security Admission standard enforces this?

Question 51 • medium • multiple choice

A pod has a container with 'readOnlyRootFilesystem: true' in its securityContext. The container writes to /tmp. What is the expected outcome?

Question 52 • hard • multiple choice

You create a ServiceAccount 'my-sa' with automountServiceAccountToken: false. A pod that references this ServiceAccount also sets automountServiceAccountToken: true in its spec. Will the service account token be mounted?

Question 53 • medium • multiple choice

A user wants to create a Kubernetes Secret for storing Docker registry credentials (username and password). Which type of Secret should they use?

Question 54 • easy • multiple choice

What is the purpose of a ResourceQuota in Kubernetes?

Question 55 • medium • multiple choice

A developer runs 'kubectl create secret generic tls-secret --cert=cert.crt --key=key.pem'. What type of Secret is created?

Question 56 • hard • multiple choice

A pod is configured with 'securityContext.seccompProfile.type: RuntimeDefault' but the container still attempts to use a syscall that is blocked by the default seccomp profile. What happens?

Question 57 • medium • multiple choice

Which command correctly creates a Role named 'pod-reader' that allows get, list, and watch on pods?

Question 58 • hard • multiple choice

A namespace 'dev' has a ResourceQuota that sets 'requests.cpu: 4' and 'limits.cpu: 8'. A pod is created with a container that has 'resources.requests.cpu: 1' and 'resources.limits.cpu: 3'. However, the pod remains in Pending state. The output of 'kubectl describe quota -n dev' shows 'used requests.cpu: 3.5' and 'used limits.cpu: 7'. What is the most likely reason the pod is pending?

Question 59 • medium • multi select

Which TWO of the following are valid ways to consume a ConfigMap in a pod?

Question 60 • hard • multi select

Which THREE of the following are capabilities that can be added to a container's securityContext?

Question 61 • easy • multi select

Which TWO of the following are valid sources for creating a ConfigMap?

Question 62 • medium • multiple choice

A developer wants to use a ConfigMap named 'app-config' to set environment variables for a pod. The ConfigMap has keys 'DEBUG' and 'DATABASE_URL'. Which annotation should be added to the pod spec to inject all keys from the ConfigMap as environment variables?

Question 63 • easy • multiple choice

Which kubectl command correctly creates a ConfigMap from a file named 'app.properties'?

Question 64 • medium • multiple choice

A pod is using a Secret to authenticate to a private registry. The Secret type must be 'kubernetes.io/dockerconfigjson'. Which of the following is the correct way to create such a Secret using kubectl?

Question 65 • hard • multiple choice

A security requirement states that a container must run with a read-only root filesystem. Which field must be set in the container's securityContext?

Question 66 • easy • multiple choice

A pod needs to run as a non-root user. Which securityContext field should be set to enforce this?

Question 67 • medium • multiple choice

A developer creates a ServiceAccount 'my-sa' in namespace 'default'. They want to prevent pods from automatically mounting the ServiceAccount token. Which field should be set to false in the pod spec?

Question 68 • medium • multiple choice

An administrator wants to grant a ServiceAccount 'app-sa' in namespace 'dev' read-only access to pods in the same namespace. Which YAML snippet correctly defines the required RBAC resources?

Question 69 • hard • multiple choice

A pod is stuck in Pending state. You run 'kubectl describe pod mypod' and see the event: '0/3 nodes are available: 1 Insufficient memory, 2 Insufficient cpu'. The pod has resource requests defined. Which action would allow the pod to be scheduled?

Question 70 • easy • multiple choice

Which of the following is a valid Pod Security Admission standard?

Question 71 • medium • multiple choice

A namespace 'test' has a LimitRange that sets default memory request to 256Mi and default memory limit to 512Mi. A pod in that namespace does not specify any resources. What memory request and limit will the pod get?

Question 72 • hard • multiple choice

A cluster administrator wants to enforce that no pod in namespace 'prod' uses more than 4Gi of memory. Which Kubernetes resource should be created?

Question 73 • medium • multiple choice

A container needs to run with the NET_ADMIN capability. Which securityContext field should be used?

Question 74 • medium • multi select

Which TWO of the following are valid ways to expose a Secret as an environment variable in a pod? (Select two.)

Question 75 • hard • multi select

Which THREE of the following are valid fields in a SecurityContext at the container level? (Select three.)

Question 76 • easy • multi select

Which TWO of the following are valid Kubernetes Secret types? (Select two.)

Question 77 • easy • multiple choice

You have a ConfigMap named 'app-config' with key 'database.url'. Which environment variable definition correctly injects this value into a pod using a configMapKeyRef?

Question 78 • easy • multiple choice

Which kubectl command creates a Secret from literal username and password values?

Question 79 • medium • multiple choice

A pod's container needs to run as non-root user with UID 1000 and ensure its filesystem is read-only. Which SecurityContext settings achieve this?

Question 80 • medium • multiple choice

You have a service account 'my-sa' in the default namespace. You want a pod to use this service account and also prevent the pod from mounting the service account token. Which pod spec configuration is correct?

Question 81 • medium • multiple choice

A developer creates a Role and RoleBinding in the namespace 'development' to grant list pods permission to a service account. Which manifest snippet correctly defines the Role?

Question 82 • medium • multiple choice

You apply a ResourceQuota to a namespace that limits memory requests to 2Gi. You then try to create a pod that requests 3Gi memory. What happens?

Question 83 • hard • multiple choice

A pod must run with a seccomp profile that only allows specific syscalls. Which SecurityContext field is used to specify the seccomp profile type?

Question 84 • hard • multiple choice

You need to create a TLS secret for an ingress with certificate and key. Which command correctly creates the secret?

Question 85 • medium • multiple choice

A pod in the 'staging' namespace is in a CrashLoopBackOff state. You run 'kubectl logs pod -n staging' and see: 'Error: container has been OOMKilled'. The pod YAML has resources: requests: memory: 256Mi, limits: memory: 256Mi. Which change should you make first?

Question 86 • hard • multiple choice

You have a pod that needs to mount a Secret as a volume. The Secret has keys 'username' and 'password'. How should the volumes and volumeMounts be configured to mount the secret at /etc/secret with each key as a file?

Question 87 • medium • multiple choice

PodSecurityPolicy (PSP) has been replaced by Pod Security Admission. Which of the following commands applies a baseline pod security standard to the namespace 'dev'?

Question 88 • easy • multiple choice

You have a ConfigMap created from an env file. Which command creates the ConfigMap from the file 'app.env' containing key=value pairs?

Question 89 • medium • multi select

Which TWO are valid ways to expose a Secret's data as environment variables in a pod?

Question 90 • hard • multi select

Which THREE capabilities are commonly dropped in a pod's securityContext to adhere to restricted pod security standards?

Question 91 • medium • multi select

Which TWO are true about LimitRange objects?

Question 92 • easy • multiple choice

Which kubectl command creates a ConfigMap named 'app-config' with key 'color' and value 'blue'?

Question 93 • medium • multiple choice

A pod uses a ServiceAccount 'my-sa' but the pod's container needs to list pods in the namespace. Which RBAC resources are necessary?

Question 94 • hard • multiple choice

Given the following partial pod spec:

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```

Which combination correctly describes the resulting permissions on a mounted volume?

Question 95 • easy • multiple choice

To prevent a container from running as root, which field should be set in the securityContext?

Question 96 • medium • multiple choice

A pod uses a Secret 'db-secret' with keys 'username' and 'password'. Which environment variable definition correctly exposes the 'password' as an env var named 'DB_PASSWORD'?

Question 97 • hard • multiple choice

A namespace 'team-a' has a ResourceQuota with 'pods: 10' and a LimitRange with default memory request '256Mi'. A user creates a pod with no resource requests. What happens?

Question 98 • medium • multiple choice

Which command creates a TLS secret named 'tls-secret' using certificate file 'tls.crt' and key file 'tls.key'?

Question 99 • medium • multiple choice

A pod's securityContext has 'allowPrivilegeEscalation: false' and 'capabilities: { drop: ["ALL"] }'. Which statement is true?

Question 100 • easy • multiple choice

To mount a ConfigMap as a volume, which field type must be used in the pod spec's volumes and volumeMounts?

Question 101 • hard • multiple choice

A Pod Security Admission policy is set to 'restricted' for a namespace. Which of the following pod specs is ALLOWED?

Question 102 • medium • multiple choice

You need to set environment variables in a pod from a ConfigMap 'app-config' that has keys 'APP_ENV' and 'APP_DEBUG'. Which approach exposes all keys as environment variables?

Question 103 • medium • multiple choice

A pod is in Pending state. 'kubectl describe pod' shows '0/1 nodes are available: 1 Insufficient cpu'. Which action would resolve this?

Question 104 • medium • multi select

Which TWO statements about Kubernetes Secrets are correct? (Select 2)

Question 105 • hard • multi select

Which THREE of the following are valid fields in a PodSecurityContext that affect container security? (Select 3)

Question 106 • medium • multi select

Which TWO methods can be used to expose a Secret's data as environment variables inside a container? (Select 2)

Question 107 • easy • multiple choice

A developer wants to inject database credentials into a pod as environment variables. The credentials are stored in a Kubernetes Secret named 'db-creds' with keys 'username' and 'password'. Which pod spec snippet correctly injects both values as environment variables?

Question 108 • medium • multiple choice

An administrator needs to create a ConfigMap named 'app-config' from a file called 'config.properties'. Which kubectl command accomplishes this?

Question 109 • medium • multiple choice

A pod fails to start with a 'CreateContainerConfigError'. Running 'kubectl describe pod my-pod' reveals: 'Error: container has runAsNonRoot and image will run as root'. The pod definition includes 'securityContext.runAsNonRoot: true'. What is the most likely cause?

Question 110 (hard, multiple choice)

A security requirement states: 'The container must drop all capabilities and add only NET_BIND_SERVICE'. Which YAML snippet correctly implements this in the securityContext?

Question 111 (easy, multiple choice)

A pod is running with the default service account. An administrator wants to prevent the pod from automatically mounting the service account token. Which field in the pod spec accomplishes this?

Question 112 (medium, multiple choice)

A ClusterRole named 'pod-reader' allows get, list, and watch on pods. A RoleBinding 'read-pods' in namespace 'default' binds this ClusterRole to user 'jane'. Which statement is true?

Question 113 (medium, multiple choice)

A namespace 'team-a' has a ResourceQuota that sets 'requests.cpu: 4' and 'limits.cpu: 8'. A developer tries to create a pod with 'resources.requests.cpu: 2' and 'resources.limits.cpu: 10'. What happens?

Question 114 (hard, multiple choice)

An administrator wants to enforce that all pods in namespace 'secured' must run with a seccomp profile set to 'RuntimeDefault' at the container level. Which Pod Security Admission policy standard achieves this?

Question 115 (easy, multiple choice)

Which kubectl command creates a Secret named 'tls-secret' from a TLS certificate file 'cert.pem' and private key file 'key.pem'?

Question 116 (medium, multiple choice)

A pod is in 'CrashLoopBackOff' state. 'kubectl logs pod' shows: 'Error: listen tcp :8080: bind: permission denied'. The container runs as user '1000'. Which securityContext setting is missing?

Question 117 (hard, multiple choice)

A ConfigMap named 'env-config' has keys 'DB_HOST' and 'DB_PORT'. A pod needs to set the environment variable 'DATABASE_HOST' to the value of 'DB_HOST' from the ConfigMap, and 'DB_PORT' directly as 'DB_PORT'. Which YAML snippet correctly achieves this?

Question 118 (medium, multiple choice)

A LimitRange in namespace 'limits' sets default memory request to 256Mi and default memory limit to 512Mi. A pod is created without specifying any resources. What are the pod's effective memory request and limit?

Question 119 (easy, multiple choice)

A developer needs to create a Kubernetes Secret for Docker registry authentication. The registry URL is 'myregistry.io', username 'user', password 'pass', email 'user@example.com'. Which command creates this Secret?

Question 120 (medium, multiple choice)

A pod uses a ServiceAccount 'my-sa' with a RoleBinding that grants get and list on pods. The pod makes an API call to list pods in its own namespace. Which RBAC resource is necessary?

Question 121 (hard, multiple choice)

A pod is running with 'securityContext: { runAsUser: 1000, fsGroup: 2000, runAsNonRoot: true }'. The container image has USER root set in Dockerfile. What happens when the pod is created?

Question 122 (medium, multi select)

Which two statements about ConfigMaps and Secrets are correct? (Select TWO.)

Question 123 (hard, multi select)

Which three security contexts can be set at the pod level (as opposed to container level)? (Select THREE.)

Question 124 (easy, multi select)

Which two commands can create a ConfigMap from an environment file? (Select TWO.)

Question 125 (easy, multiple choice)

Which kubectl command creates a ConfigMap named 'app-config' from a file 'config.properties'?

Question 126 (easy, multiple choice)

A pod needs to mount a Secret named 'db-secret' as a volume at /etc/secret. Which volume mount definition is correct?

Question 127 (medium, multiple choice)

A pod runs as user ID 1000. The container image includes a binary that expects to run as root. Which SecurityContext setting can allow the binary to run with root-like privileges while still running the container as non-root?

Question 128 (medium, multiple choice)

You create a Role named 'pod-reader' in the 'default' namespace with rules to get, list, and watch pods. A ServiceAccount 'app-sa' in the same namespace needs to be bound to this role. Which YAML snippet correctly creates the RoleBinding?

Question 129 (medium, multiple choice)

You want to restrict total memory usage in a namespace to 10 Gi. Which resource should you create?

Question 130 (medium, multiple choice)

A pod uses a ServiceAccount with automountServiceAccountToken set to false. The pod still needs to access the Kubernetes API. How can you mount the service account token in this pod?

Question 131 (hard, multiple choice)

You want to enforce that all pods in a namespace run with the 'restricted' Pod Security Standard (Pod Security Admission). Which label should you set on the namespace?

Question 132 (hard, multiple choice)

A pod's container has securityContext with runAsNonRoot: true but no runAsUser set. The container image has a user 'appuser' with UID 1001. Will the pod run successfully?

Question 133 (easy, multiple choice)

Which command creates an Opaque Secret named 'my-secret' with key 'password' and value 'p@ssw0rd'?

Question 134 (medium, multiple choice)

You deploy a pod with resource requests: cpu: 500m, memory: 256Mi and limits: cpu: 1, memory: 512Mi. The container tries to allocate 600Mi of memory. What happens?

Question 135 (hard, multiple choice)

A pod has securityContext with capabilities.add: ['NET_ADMIN'] and capabilities.drop: ['ALL']. What effective capabilities does the container have?

Question 136 (medium, multiple choice)

You want to set environment variable 'DB_URL' in a pod from the key 'url' in ConfigMap 'db-config'. Which YAML snippet is correct?

Question 137 (hard, multiple choice)

A pod is failing to start with error 'container has runAsNonRoot and image will run as root'. The container image runs as root. Which change allows the pod to run?

Question 138 (medium, multi select)

Which TWO of the following are valid ways to consume a ConfigMap in a pod? (Select 2)

Question 139 (hard, multi select)

Which THREE of the following are valid fields in a PodSecurityContext (pod-level securityContext)? (Select 3)

Question 140 (easy, multiple choice)

Which kubectl command creates a ConfigMap named 'app-config' from a file called 'config.properties'?

Question 141 (easy, multiple choice)

A Secret named 'db-secret' of type Opaque contains a key 'password'. How do you reference this key as an environment variable named 'DB_PASSWORD' in a pod spec?

Question 142 (medium, multiple choice)

A Pod spec includes 'securityContext' with 'runAsUser: 1000' and 'runAsGroup: 3000'. The container process inside the pod is expected to write to a mounted volume. Which securityContext field should be set to ensure the volume's group ownership is 3000?

Question 143 (medium, multiple choice)

You have created a ServiceAccount named 'my-sa' in namespace 'default'. You want a Pod to use this ServiceAccount. Which Pod spec field is correct?

Question 144 (medium, multiple choice)

A developer created a Role named 'pod-reader' in namespace 'ns1' that allows 'get', 'list', and 'watch' on pods. They created a RoleBinding binding this Role to a ServiceAccount 'sa1' in the same namespace. However, a pod using 'sa1' cannot list pods in namespace 'ns2'. What is the most likely cause?

Question 145 (medium, multiple choice)

A Pod is running in a namespace with a ResourceQuota that sets 'limits.memory: 2Gi'. The pod's container spec has 'resources.limits.memory: 1Gi' and 'resources.requests.memory: 512Mi'. The pod is in 'Running' state but consumes 1.5Gi of memory. What happens?

Question 146 (medium, multiple choice)

You need to create a Secret of type kubernetes.io/tls for use with an Ingress. Which kubectl command should you use?

Question 147 (hard, multiple choice)

A Pod is configured with securityContext: { runAsUser: 1000, runAsGroup: 2000, fsGroup: 3000 }. The container's image runs a process that must listen on a TCP port below 1024 (e.g., port 80). The process is currently failing to start. What should you modify to allow the process to bind to a privileged port?

Question 148 (hard, multiple choice)

A ClusterRole named 'secret-reader' grants get, list, watch on secrets in all namespaces. A RoleBinding in namespace 'app' binds this ClusterRole to a ServiceAccount 'app-sa'. Which of the following is true about the effective permissions of 'app-sa'?

Question 149 (easy, multiple choice)

Which of the following is the correct way to set an environment variable 'APP_COLOR' from a ConfigMap key 'color'?

Question 150 (medium, multiple choice)

You have a LimitRange in namespace 'ns' that sets default limits.cpu to 500m and default requests.cpu to 200m. You create a pod without specifying any CPU resources. What CPU values will be applied to the container?

Question 151 (hard, multiple choice)

A container image requires a seccomp profile that is not the default. The cluster supports the RuntimeDefault seccomp profile. Which Pod securityContext field should be configured to use the RuntimeDefault seccomp profile?

Question 152 (medium, multi select)

Which TWO resources are used to enforce resource quotas at the namespace level? (Select TWO.)

Question 153 (hard, multi select)

Which THREE configurations are part of Pod Security Admission's 'restricted' profile? (Select THREE.)

Question 154 (medium, multi select)

Which TWO commands can be used to create a Secret named 'db-creds' with keys 'username' and 'password'? (Select TWO.)

Question 155 (easy, multiple choice)

You create a ConfigMap named 'app-config' with the command 'kubectl create configmap app-config --from-literal=key1=value1'. Which of the following correctly mounts this ConfigMap as environment variables in a pod?

Question 156 (medium, multiple choice)

A pod is running with a SecurityContext that sets 'runAsUser: 1000' and 'runAsGroup: 3000'. The container process is running as user 1000. However, the container needs to access a file on a mounted volume that is owned by user 1000 and group 2000. Which SecurityContext setting should be added to ensure the container can read the file?

Question 157 (hard, multiple choice)

You need to create a Role and RoleBinding to allow a ServiceAccount 'monitor' in namespace 'app' to list pods in that namespace. Which YAML snippet correctly achieves this?

Question 158 (easy, multiple choice)

Which command creates a Secret named 'db-secret' with two keys, 'username' and 'password', from literal values?

Question 159 (medium, multiple choice)

A developer creates a pod with the following YAML snippet:

securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000

The pod mounts an emptyDir volume. What is the owner and group of the mounted directory inside the container?

Question 160 (hard, multiple choice)

A pod is failing to start. The 'kubectl describe pod' output shows: 'container has runAsNonRoot and image will run as root'. The Dockerfile of the container image does not specify a USER directive. Which action will fix the issue?

Question 161 (medium, multiple choice)

You need to ensure that a pod in namespace 'dev' cannot consume more than 256Mi of memory. Which approach should you take?

Question 162 (medium, multiple choice)

A pod has 'automountServiceAccountToken: false' in its spec. What is the effect?

Question 163 (easy, multiple choice)

Which of the following correctly describes the purpose of a PodSecurityPolicy (PSP) in Kubernetes? (Note: PSP is deprecated in v1.21+ and removed in v1.25; Pod Security Admission is the replacement.)

Question 164 (medium, multiple choice)

A Deployment is configured with 'resources.requests.memory: 256Mi' and 'resources.limits.memory: 512Mi'. The node runs out of memory. Which pods will be the first to be evicted?

Question 165 (easy, multiple choice)

How can you set the environment variable 'DATABASE_URL' in a pod to the value stored in a Kubernetes Secret named 'db-secret' under the key 'url'?

Question 166 (hard, multiple choice)

You need to create a Secret of type 'kubernetes.io/tls' for ingress. Which command is correct?

Question 167 (medium, multi select)

Which TWO of the following are valid ways to create a ConfigMap from a file named 'app.properties'? (Select two.)

Question 168 (hard, multi select)

Which THREE of the following are characteristics of Pod Security Admission (PSA) standards? (Select three.)

Question 169 (medium, multi select)

Which TWO of the following are valid fields in a container's SecurityContext to restrict privilege escalation? (Select two.)

Question 170 (medium, multiple choice)

A developer wants to create a ConfigMap named 'app-config' with two key-value pairs: 'color=blue' and 'size=large'. Which kubectl command should they use?

Question 171 (easy, multiple choice)

A pod is scheduled but remains in 'Pending' state. Running 'kubectl describe pod mypod' shows: '0/1 nodes are available: 1 Insufficient memory'. What is the most likely cause?

Question 172 (medium, multiple choice)

A Pod specification includes: securityContext: { runAsNonRoot: true }. The container image runs as root by default. What will happen when the Pod is created?

Question 173 (hard, multiple choice)

An administrator creates a Role and RoleBinding in the 'dev' namespace to allow a ServiceAccount 'sa-dev' to list Pods. Which YAML snippet correctly defines the Role?

Question 174 (easy, multiple choice)

A developer needs to expose a database password to a Pod as an environment variable, securely. What should they do?

Question 175 (medium, multiple choice)

A Pod is in 'CrashLoopBackOff' state. 'kubectl logs mypod' shows: 'Error: listen tcp :8080: bind: address already in use'. What is the most likely cause?

Question 176 (medium, multiple choice)

An administrator wants to enforce that all Pods in a namespace run with a read-only root filesystem. Which admission controller should be configured?

Question 177 (hard, multiple choice)

A Pod specification includes: securityContext: { seccompProfile: { type: RuntimeDefault } }. What does this configuration do?

Question 178 (easy, multiple choice)

Which command creates a generic Secret with username=admin and password=secret123?

Question 179 (medium, multiple choice)

A Pod has the following environment variable definition:

- name: DB_HOST
  valueFrom:
    configMapKeyRef:
      name: db-config
      key: host

The ConfigMap 'db-config' exists in the same namespace but does not have a key 'host'. What will happen when the Pod starts?

Question 180 (hard, multiple choice)

A Pod is configured with automountServiceAccountToken: false. The application inside the pod needs to access the Kubernetes API. What should be done?

Question 181 (medium, multiple choice)

A developer wants to enforce that containers in a namespace cannot run as privileged. Which Pod Security Standard profile should they apply to the namespace?

Question 182 (medium, multi select)

Which TWO actions can help prevent a container from being compromised if an attacker gains access? (Select 2)

Question 183 (hard, multi select)

Which THREE statements about ResourceQuota are correct? (Select 3)

Question 184 (easy, multi select)

Which TWO commands can be used to create a Secret from a file? (Select 2)

Question 185 (easy, multiple choice)

Which kubectl command creates a ConfigMap named 'app-config' from a file 'app.properties'?

Question 186 (medium, multiple choice)

A pod manifest includes the following securityContext: securityContext: { runAsUser: 1000, runAsGroup: 3000, fsGroup: 2000 }. What UID will be used for processes in the container?

Question 187 (hard, multiple choice)

A pod in a namespace with a ResourceQuota that sets 'requests.cpu: 2' is failing to schedule. The pod manifest specifies 'resources: { requests: { cpu: "500m" } }'. What is the likely cause?

Question 188 (medium, multiple choice)

Which annotation is used to enforce Pod Security Admission at the 'restricted' level on a namespace?

Question 189 (easy, multiple choice)

A Secret of type kubernetes.io/tls requires two data keys. What are they?

Question 190 (medium, multiple choice)

You need to mount a Secret 'db-secret' as a volume in a pod, making its keys appear as individual files. Which volume definition is correct?

Question 191 (hard, multiple choice)

A container image requires running as UID 0 but you need to comply with a 'restricted' Pod Security Admission policy. Which SecurityContext setting allows this while still passing the policy?

Question 192 (medium, multiple choice)

A Role named 'pod-reader' in namespace 'ns1' grants get, list, and watch on pods. Which RoleBinding correctly binds this role to a ServiceAccount 'sa1' in the same namespace?

Question 193 (easy, multiple choice)

Which flag in a kubectl run command sets environment variables from a ConfigMap?

Question 194 (medium, multiple choice)

A pod has 'automountServiceAccountToken: false' in its spec. What is the effect?

Question 195 (hard, multiple choice)

Which of the following is a valid YAML snippet for a container that sets the seccomp profile to 'RuntimeDefault' in a PodSecurityContext?

Question 196 (easy, multiple choice)

What is the effect of setting 'readOnlyRootFilesystem: true' in a container's securityContext?

Question 197 (easy, multiple choice)

Which command creates a ConfigMap named 'app-config' from a file named 'config.properties'?

Question 198 (medium, multiple choice)

A pod with the following security context is in CrashLoopBackOff. The container image runs as user 1000.

securityContext:
  runAsUser: 2000
  runAsGroup: 3000
  fsGroup: 4000

What is the most likely cause?

Question 199 (medium, multiple choice)

You need to grant a ServiceAccount 'my-sa' read-only access to pods in the 'test' namespace. Which RBAC YAML should you create?

Question 200 (hard, multiple choice)

You create a Secret with 'kubectl create secret generic db-secret --from-literal=password=myPass'. Later, you mount it as a volume in a pod. When you exec into the container and cat the file, what will you see?

Question 201 (easy, multiple choice)

Which API version is correct for a Deployment in Kubernetes v1.29?

Question 202 (medium, multiple choice)

You create a ResourceQuota in a namespace that sets requests.cpu: '1' and limits.cpu: '2'. A pod spec has no resource limits or requests. What happens when you try to create this pod?

Question 203 (medium, multiple choice)

A developer wants to ensure that a container runs as a non-root user and the filesystem is read-only except for a tmpfs volume. Which fields should be set in the container's securityContext?

Question 204 (hard, multiple choice)

You have a Secret of type kubernetes.io/tls. The pod mounting it as a volume expects the files 'tls.crt' and 'tls.key'. What keys must the Secret data contain?

Question 205 (easy, multiple choice)

Which command creates a Docker registry secret from an existing Docker config file?

Question 206 (medium, multiple choice)

A pod has a container with envFrom referencing a ConfigMap. The ConfigMap has keys 'APP_DEBUG=true' and 'APP_NAME=myapp'. The pod also has an env entry with name 'APP_DEBUG' set to 'false'. What is the value of APP_DEBUG in the container?

Question 207 (hard, multiple choice)

You apply a Pod Security Admission label 'pod-security.kubernetes.io/enforce: restricted' to a namespace. A pod with the following securityContext is created:

securityContext:
  runAsUser: 1000
  runAsNonRoot: true
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: RuntimeDefault
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true

Will the pod be admitted?

Question 208 (easy, multiple choice)

Which field in a Pod spec specifies which ServiceAccount the pod should use?

Question 209 (medium, multi select)

Which TWO approaches can be used to expose a Secret's value as an environment variable in a pod?

Question 210 (hard, multi select)

Which THREE are valid ways to create a ConfigMap?

Question 211 (medium, multi select)

Which TWO are correct about LimitRange?

Question 212 (easy, multiple choice)

Which command creates a ConfigMap named 'app-config' with two keys: 'key1=value1' and 'key2=value2'?

Question 213 (medium, multiple choice)

A pod is scheduled but stays in Pending state. 'kubectl describe pod' shows: '0/1 nodes are available: 1 Insufficient memory'. What is the most likely cause?

Question 214 (hard, multiple choice)

You need to create a Pod that runs with a specific non-root user (UID 1000), prevents privilege escalation, and mounts the container's filesystem as read-only. Which securityContext field is NOT required to achieve these requirements?

Question 215 (medium, multiple choice)

A developer wants to expose a Secret named 'db-secret' as environment variables in a Pod. The Secret has keys 'username' and 'password'. Which Pod spec snippet correctly achieves this?

Question 216 (easy, multiple choice)

Which command creates a TLS secret from an existing certificate and key file?

Question 217 (medium, multiple choice)

A Pod in a namespace with a ResourceQuota fails to create with the error: 'exceeded quota: compute-quota, requested: pods=1, used: pods=5, limited: pods=5'. What is the issue?

Question 218 (hard, multiple choice)

You want to enforce a Pod Security Standard of 'restricted' in a namespace. Which command applies the correct label?

Question 219 (medium, multi select)

Which TWO of the following are valid ways to consume a Secret named 'db-secret' in a Pod? (Choose two.)

Question 220 (medium, multi select)

Which THREE of the following fields are part of a Pod's securityContext that can restrict container capabilities? (Choose three.)

Question 221 (easy, multi select)

Which TWO of the following are valid types for a Kubernetes Secret? (Choose two.)

Question 222 (hard, multi select)

Which THREE of the following are true about ServiceAccount token automounting? (Choose three.)

Question 223 (medium, multi select)

Which TWO of the following commands create a ConfigMap named 'my-config' from a file named 'app.properties'? (Choose two.)

Question 224 (hard, multi select)

Which THREE of the following are valid fields in a LimitRange resource to enforce resource constraints at the container level? (Choose three.)

Question 225 (easy, multi select)

Which TWO of the following are required to create a Role and RoleBinding that grants read access to Pods in the 'development' namespace? (Choose two.)

Question 226 (medium, multi select)

Which THREE of the following are valid fields in a Pod's container spec for resource management? (Choose three.)

Question 227 (medium, multi select)

A developer wants to mount a ConfigMap as a volume in a Pod so that updates to the ConfigMap are reflected in the Pod without restarting. Which two statements are correct? (Choose two.)

Question 228 (medium, multi select)

You need to create a Secret to store a TLS certificate and private key for use by an Ingress resource. Which two statements are correct? (Choose two.)

Question 229 (hard, multi select)

An administrator wants to implement Pod Security Admission (PSA) to enforce the 'restricted' policy for pods in the 'secure' namespace, but allow certain pods to use privileged containers by applying an exemption label. Which three steps are required? (Choose three.)

Question 230 (medium, multi select)

Which two fields can be used in a SecurityContext to control a container's access to the host filesystem? (Choose two.)

Question 231 (easy, multi select)

A developer wants to restrict a Pod's resource usage. Which two API resources can be used to enforce limits at the namespace level? (Choose two.)

Question 232 (hard, multi select)

You are troubleshooting a Pod that cannot start because it fails with 'Error: container has runAsNonRoot and image will run as root'. The Pod's SecurityContext has 'runAsNonRoot: true' and no explicit 'runAsUser'. Which three actions could resolve this? (Choose three.)

Question 233 (medium, multi select)

A developer needs to expose database credentials to a Pod as environment variables. The credentials are stored in a Kubernetes Secret named 'db-secret' with keys 'username' and 'password'. Which two methods correctly inject these values? (Choose two.)
