Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Services and Networking practice sets

CKAD Services and Networking • Complete Question Bank

CKAD Services and Networking — All Questions With Answers

Complete CKAD Services and Networking question bank — all 0 questions with answers and detailed explanations.

204
Questions
Free
No signup
Certifications/CKAD/Practice Test/Services and Networking/All Questions
Question 1mediummultiple choice
Read the full Services and Networking explanation →

A developer deploys a set of Pods labeled app=frontend and wants to expose them internally within the cluster on a stable IP. Which resource should be used?

Question 2hardmultiple choice
Read the full Services and Networking explanation →

A team uses a Service named 'backend' in namespace 'prod' to reach Pods in namespace 'staging'. The Service in 'prod' has no endpoints. What is the most likely cause?

Question 3easymultiple choice
Read the full DNS explanation →

An application requires Pods to communicate using hostNetwork: true. Which Kubernetes resource is still necessary for stable DNS names?

Question 4mediummultiple choice
Read the full Services and Networking explanation →

A Pod needs to access an external database at db.example.com:3306. Which Service type allows Pods to resolve a cluster-local name to this external address?

Question 5hardmultiple choice
Read the full Services and Networking explanation →

A Service of type LoadBalancer is created but the external IP remains <pending>. What is the most likely reason?

Question 6easymultiple choice
Read the full Services and Networking explanation →

A developer wants to expose a set of Pods on a specific port on each node's IP. Which Service type should be used?

Question 7hardmultiple choice
Review the full routing breakdown →

An Ingress resource routes traffic to a Service 'web' on port 80. The Service has multiple endpoints but all return 503. What should be checked first?

Question 8mediummultiple choice
Read the full DNS explanation →

A Pod needs to communicate with another Pod in the same cluster but in a different namespace. What is the correct DNS name to use?

Question 9easymultiple choice
Read the full Services and Networking explanation →

A Service uses a selector to target Pods. After updating the Pod labels, you notice the endpoints list is empty. What is the most likely reason?

Question 10mediummulti select
Read the full Services and Networking explanation →

Which TWO of the following are valid ways to expose a Service externally in a Kubernetes cluster?

Question 11hardmulti select
Read the full Services and Networking explanation →

Which THREE of the following are valid use cases for a Headless Service (clusterIP: None)?

Question 12easymulti select
Review the full routing breakdown →

Which TWO of the following are required for Ingress to route HTTP traffic to a backend Service?

Question 13hardmultiple choice
Read the full Services and Networking explanation →

You are responsible for a multi-tier application running in a Kubernetes cluster. The frontend Pods communicate with backend Pods via a Service named 'backend' in the same namespace. Recently, the frontend team reported that the backend Service is intermittently unreachable. You inspect the backend Pods and notice that they are all running and ready, but the Endpoints object for the 'backend' Service shows only a subset of the Pod IPs. You also notice that the backend Pods have a readiness probe configured that checks an HTTP endpoint '/healthz'. The readiness probe has a periodSeconds of 5 and failureThreshold of 3. The application logs show occasional spikes in response time on the /healthz endpoint, sometimes exceeding 15 seconds. You need to resolve the intermittent unavailability without removing the readiness probe. Which action should you take?

Question 14mediummultiple choice
Read the full DNS explanation →

You have deployed a microservices application in a Kubernetes cluster. One of the services, 'payment-service', needs to be accessed by other services within the cluster via a stable DNS name. You create a Service of type ClusterIP named 'payment' with selector app=payment. However, when you try to curl http://payment from another Pod, the connection times out. You verify that the Pods backing 'payment-service' are running and ready, and the Endpoints object lists the correct Pod IPs. You also confirm that the Pods are listening on port 8080, and the Service defines targetPort: 8080. The cluster uses a standard CNI plugin (Calico) and DNS is provided by CoreDNS. What is the most likely cause of the timeout?

Question 15mediummultiple choice
Read the full DNS explanation →

A company runs a web application in a Kubernetes cluster. The application consists of a frontend service and a backend service. The frontend needs to communicate with the backend using a DNS name that does not change even if the backend pods are recreated. Which Kubernetes resource should the frontend use to reach the backend?

Question 16hardmultiple choice
Read the full Services and Networking explanation →

A DevOps engineer notices that traffic to a Service named 'api' is not being forwarded to newly created pods. The Service selects pods with label 'app: api'. The pods are running and have the correct label. However, the Service's endpoints list does not include the new pods. What is the most likely cause?

Question 17easymultiple choice
Read the full Services and Networking explanation →

A user creates a Deployment with 3 replicas and a Service of type ClusterIP. The Service selects pods with label 'app: web'. The user wants external clients to access the application via a stable IP address. Which additional resource is required?

Question 18hardmultiple choice
Read the full Services and Networking explanation →

During a security audit, it is discovered that a pod running a database is accessible from any other pod in the cluster. The database should only be accessible by pods with label 'role: backend'. Which resource should be applied to enforce this restriction?

Question 19mediummultiple choice
Read the full DNS explanation →

A developer creates a headless Service named 'db' to discover all database pod IPs. The Service selects pods with label 'app: db'. The pods are assigned IPs 10.0.0.1, 10.0.0.2, and 10.0.0.3. When a client performs a DNS lookup for 'db', what will it receive?

Question 20mediummulti select
Read the full Services and Networking explanation →

Which TWO statements about Kubernetes Services are correct? (Choose two.)

Question 21hardmulti select
Review the full routing breakdown →

Which THREE components are required for a basic Ingress to route HTTP traffic to a Service? (Choose three.)

Question 22easymultiple choice
Read the full Services and Networking explanation →

Refer to the exhibit. A user has created the Service shown. The application pods listen on port 8080. Which port should an external client use to access the application from outside the cluster?

Exhibit

Refer to the exhibit.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: NodePort
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 30007
```
Question 23hardmultiple choice
Read the full DNS explanation →

You are a platform engineer managing a Kubernetes cluster version 1.28. A development team has deployed a microservice application called 'order-processor' in the 'prod' namespace. The application consists of a frontend Pod 'frontend' and a backend Pod 'backend', each with a single container. The frontend needs to communicate with the backend using a headless Service named 'backend-svc' that selects Pods with label 'app:backend'. The backend Pods are expected to scale horizontally, and the frontend uses a DNS lookup to discover all backend Pod IPs for client-side load balancing. However, after deploying, the frontend is unable to resolve 'backend-svc' to any IP addresses. The backend Pod is running and has the correct label 'app:backend'. The Service 'backend-svc' is defined as a ClusterIP with clusterIP: None. The frontend container has the 'default' DNS policy. What is the most likely cause of the failure?

Question 24easymultiple choice
Read the full Services and Networking explanation →

A developer deploys a web application as a Deployment named 'web-app' with 3 replicas. The application listens on port 8080 and should be accessible from within the cluster via the service name 'web-svc' on port 80. Which Service YAML correctly exposes the application?

Question 25mediummulti select
Read the full Services and Networking explanation →

A DevOps engineer is setting up network policies in a Kubernetes cluster. The goal is to allow traffic from pods with label 'role=frontend' to pods with label 'role=backend' on TCP port 8080, and deny all other ingress to backend pods. Which two components are necessary to implement this? (Choose two.)

Question 26mediumdrag order
Read the full Services and Networking explanation →

Order the steps to perform a rolling rollback of a Deployment to a previous revision.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 27mediumdrag order
Read the full Services and Networking explanation →

Arrange the steps to create a multi-container Pod with a shared volume.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 28mediummatching
Read the full Services and Networking explanation →

Match each YAML key in a Deployment manifest to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

API version of the resource (e.g., apps/v1)

Desired number of pod instances

Labels used to identify pods managed by the deployment

Labels assigned to pods created by the template

Container image to run

Question 29mediummatching
Read the full Services and Networking explanation →

Match each Kubernetes term to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Runs before app containers; for setup tasks

Helper container that runs alongside the main container

Pod managed directly by the kubelet without API server

Temporary container for debugging running pods

Pod with multiple containers sharing the same network and storage

Question 30easymultiple choice
Read the full Services and Networking explanation →

Which of the following Service types exposes a pod on a static port on each node's IP address?

Question 31mediummultiple choice
Read the full DNS explanation →

You have a Service named 'web' in namespace 'default'. Which DNS name resolves to the Service's ClusterIP?

Question 32mediummultiple choice
Read the full Services and Networking explanation →

You need to create a NetworkPolicy that denies all ingress traffic to pods with label 'app: db' in namespace 'prod'. Which YAML snippet correctly implements this?

Question 33hardmultiple choice
Read the full DNS explanation →

A StatefulSet named 'mysql' is deployed with 3 replicas. The administrator wants to create a headless Service so that each pod gets a unique DNS entry. Which Service specification should be used?

Question 34easymultiple choice
Read the full Services and Networking explanation →

Which command creates a Service named 'my-svc' that exposes a deployment named 'my-deploy' on port 80?

Question 35mediummultiple choice
Review the full routing breakdown →

You have an Ingress resource that routes traffic to two services: 'app1' and 'app2'. The requirement is that traffic for 'app.example.com' goes to app1, and traffic for any other host goes to app2. Which Ingress specification correctly achieves this?

Question 36mediummultiple choice
Read the full DNS explanation →

A pod is unable to resolve the DNS name of a Service in the same namespace. The pod's /etc/resolv.conf shows 'nameserver 10.96.0.10'. What is the most likely cause?

Question 37mediummulti select
Read the full Services and Networking explanation →

Which TWO statements about Services are true? (Choose two.)

Question 38hardmultiple choice
Read the full Services and Networking explanation →

You want to restrict ingress traffic to pods with label 'app: web' in namespace 'frontend' to only come from pods in namespace 'backend'. Which NetworkPolicy YAML is correct?

Question 39mediummultiple choice
Review the full routing breakdown →

You need to debug a Service that is not routing traffic to its endpoints. Which command shows the current endpoints of a Service?

Question 40hardmultiple choice
Read the full NAT/PAT explanation →

An Ingress resource has the following spec. What is the effect?

spec: tls: - hosts: - myapp.example.com secretName: myapp-tls rules: - host: myapp.example.com http: paths: - path: / pathType: Prefix backend: service: name: myapp port: number: 80

Question 41easymultiple choice
Read the full Services and Networking explanation →

Which command forwards port 8080 on the local machine to port 80 on a pod named 'web-pod'?

Question 42mediummulti select
Read the full Services and Networking explanation →

Which THREE statements about Ingress are correct? (Choose three.)

Question 43hardmultiple choice
Read the full Services and Networking explanation →

A Service named 'api' has no endpoints. 'kubectl describe svc api' shows the selector 'app: api', but no pods have that label. What is the most likely reason for missing endpoints?

Question 44hardmulti select
Read the full Services and Networking explanation →

Which TWO are valid ways to create a Service from a deployment named 'frontend'? (Choose two.)

Question 45easymultiple choice
Read the full Services and Networking explanation →

Which command exposes a deployment named 'web' as a ClusterIP service on port 80?

Question 46mediummultiple choice
Read the full DNS explanation →

A developer creates a Service named 'backend' in namespace 'default'. The service targets pods with label 'app: backend'. From within a pod in the same namespace, which DNS name resolves to the service's ClusterIP?

Question 47hardmultiple choice
Read the full NAT/PAT explanation →

An ingress resource is created with the following spec. Which request will be routed to the 'green' service?

```yaml spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: blue port: number: 80 - path: /api/v1 pathType: Exact backend: service: name: green port: number: 80 ```

Question 48mediummultiple choice
Read the full Services and Networking explanation →

A NetworkPolicy named 'default-deny-ingress' is applied to a namespace but contains no rules. What is the effect on pods in that namespace?

Question 49easymultiple choice
Read the full Services and Networking explanation →

To create a service that will be accessible from outside the cluster using a cloud provider's load balancer, what type should be used?

Question 50mediummultiple choice
Read the full DNS explanation →

A pod in namespace 'default' cannot resolve the service name 'db' in namespace 'data'. Which DNS name should the pod use to reach the service?

Question 51hardmultiple choice
Read the full Services and Networking explanation →

A NetworkPolicy allows ingress traffic from pods with label 'role: frontend' in the same namespace. Which podSelector is correct?

Question 52mediummultiple choice
Read the full Services and Networking explanation →

A developer wants to test a service locally using kubectl. Which command forwards local port 8080 to the service's port 80?

Question 53easymultiple choice
Read the full DNS explanation →

Which service type is used to expose a service using an external DNS name, such as a database hosted outside Kubernetes?

Question 54mediummultiple choice
Read the full Services and Networking explanation →

A headless service is created with 'clusterIP: None'. What is the primary use case for such a service?

Question 55hardmultiple choice
Review the full routing breakdown →

An Ingress resource uses the annotation 'kubernetes.io/ingress.class: nginx'. However, traffic is not being routed. The cluster has multiple ingress controllers. What is the most likely cause?

Question 56mediummultiple choice
Read the full Services and Networking explanation →

A NetworkPolicy allows egress traffic to pods with label 'db: mysql' in the same namespace. Which egress rule is correct?

Question 57mediummulti select
Read the full Services and Networking explanation →

Which TWO statements about Kubernetes Services are correct?

Question 58hardmulti select
Read the full Services and Networking explanation →

Which THREE components are typically involved when using Ingress to expose a service?

Question 59easymulti select
Read the full Services and Networking explanation →

Which TWO are valid ways to create a Service in Kubernetes?

Question 60easymultiple choice
Read the full Services and Networking explanation →

Which kubectl command creates a Service of type ClusterIP named 'my-service' that exposes port 80 on a set of pods selected by label 'app: web'?

Question 61mediummultiple choice
Read the full Services and Networking explanation →

A developer creates a headless Service with 'clusterIP: None' for a StatefulSet. What is the primary purpose of using a headless Service?

Question 62mediummultiple choice
Read the full DNS explanation →

You create a Service named 'backend' in namespace 'prod'. A pod in namespace 'dev' tries to reach the service using the DNS name 'backend.prod.svc.cluster.local'. The pod cannot resolve the name. What is the most likely cause?

Question 63hardmultiple choice
Read the full NAT/PAT explanation →

You apply the following Ingress manifest:

apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: app-ingress spec: ingressClassName: nginx rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80

The Ingress controller logs show a 404 error when accessing 'http://example.com/api'. The service 'api-service' exists and is reachable via ClusterIP. What is the most likely cause?

Question 64mediummultiple choice
Read the full Services and Networking explanation →

You are tasked with creating a NetworkPolicy that denies all ingress traffic to pods in the 'db' namespace by default. Which YAML snippet correctly implements this?

Question 65easymultiple choice
Read the full Services and Networking explanation →

Which Service type is used to expose a service externally on a static port on each worker node?

Question 66mediummultiple choice
Read the full Services and Networking explanation →

You run 'kubectl port-forward pod/my-pod 8080:80' and try to access 'http://localhost:8080', but the connection is refused. The pod is running and port 80 is open. What is the most likely issue?

Question 67hardmultiple choice
Read the full Services and Networking explanation →

You have a NetworkPolicy that allows ingress from pods with label 'app: frontend' in any namespace, and also allows ingress from the IP range '10.0.0.0/8'. The policy is not working as expected. Which YAML snippet correctly implements both requirements?

Question 68mediummultiple choice
Read the full Services and Networking explanation →

A user runs 'kubectl get endpoints my-service' and sees no endpoints listed. The service has a selector 'app: my-app'. Pods with that label exist and are running. What is the most likely cause?

Question 69hardmultiple choice
Read the full Services and Networking explanation →

You have an Ingress with TLS configured. The Ingress controller returns a certificate error when accessing via HTTPS. The secret 'my-tls' exists in the same namespace. Which of the following is the most likely cause?

Question 70easymultiple choice
Read the full Services and Networking explanation →

Which command creates a Service named 'web' of type ClusterIP that selects pods with label 'tier: frontend' and exposes port 80?

Question 71mediummultiple choice
Read the full Services and Networking explanation →

You need to allow ingress traffic to pods in namespace 'api' only from pods in namespace 'frontend' that have label 'role: proxy'. Which NetworkPolicy ingress rule correctly implements this?

Question 72mediummulti select
Read the full Services and Networking explanation →

Which TWO of the following are valid ways to expose a service externally on a Kubernetes cluster? (Select 2)

Question 73hardmulti select
Read the full Services and Networking explanation →

Which THREE of the following are valid rules for a NetworkPolicy that allows egress traffic from pods with label 'app: worker' to the external IP range '192.168.0.0/16' on port 53 UDP? (Select 3)

Question 74easymulti select
Read the full Services and Networking explanation →

Which TWO of the following are true about headless services? (Select 2)

Question 75easymultiple choice
Read the full Services and Networking explanation →

Which Service type is used to expose a Service on a static port on each node's IP address, allowing external traffic to reach the Service?

Question 76mediummultiple choice
Read the full Services and Networking explanation →

A developer runs `kubectl expose deployment web-deploy --port=80 --target-port=8080 --type=NodePort` and later wants to access the Service from outside the cluster. What is the correct way to find the external port?

Question 77hardmultiple choice
Read the full Services and Networking explanation →

An admin creates a Service without a selector. Which of the following is true about such a Service?

Question 78mediummultiple choice
Read the full Services and Networking explanation →

What is the primary purpose of a headless Service (clusterIP: None) in Kubernetes?

Question 79easymultiple choice
Read the full Services and Networking explanation →

Which of the following Ingress controllers is commonly used in Kubernetes?

Question 80mediummultiple choice
Read the full Services and Networking explanation →

An admin applies the following NetworkPolicy:

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress

What effect does this policy have?

Question 81hardmultiple choice
Read the full DNS explanation →

A pod in namespace 'app' needs to resolve the DNS name 'db-service.data.svc.cluster.local'. What is the likely namespace of the 'db-service' Service?

Question 82mediummultiple choice
Read the full Services and Networking explanation →

An admin wants to expose a Service only for internal cluster communication, without external access. Which Service type should they use?

Question 83easymultiple choice
Read the full Services and Networking explanation →

What is the correct command to forward a local port to a pod for debugging?

Question 84mediummultiple choice
Read the full NAT/PAT explanation →

An Ingress resource has the following spec:

spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80

What will the Ingress controller do for a request to http://example.com/api/v1/users?

Question 85hardmultiple choice
Read the full Services and Networking explanation →

Which of the following is a valid NetworkPolicy that allows ingress traffic only from pods with label 'role: frontend' in any namespace?

Question 86mediummultiple choice
Read the full Services and Networking explanation →

What is the purpose of the `IngressClass` resource in Kubernetes?

Question 87mediummulti select
Read the full Services and Networking explanation →

Which TWO of the following are valid methods to create a Service in Kubernetes? (Select 2)

Question 88hardmulti select
Read the full Services and Networking explanation →

Which THREE of the following are true about Kubernetes Services? (Select 3)

Question 89easymulti select
Read the full NAT/PAT explanation →

Which TWO of the following are valid Ingress path types? (Select 2)

Question 90easymultiple choice
Read the full Services and Networking explanation →

A developer wants to expose a Deployment named 'web-app' (with label 'app: web') as a ClusterIP service on port 80. Which command achieves this?

Question 91mediummultiple choice
Read the full DNS explanation →

You have a headless service 'db' in namespace 'data'. Pods in that namespace can resolve 'db.data.svc.cluster.local'. What is the effect of a headless service on DNS resolution?

Question 92hardmultiple choice
Read the full NAT/PAT explanation →

An Ingress resource is defined as: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: test-ingress spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 tls: - hosts: - example.com secretName: tls-secret What must exist in the cluster for TLS termination to work?

Question 93mediummultiple choice
Read the full Services and Networking explanation →

A NetworkPolicy with the following spec is applied: spec: podSelector: {} policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: role: frontend What does this policy do?

Question 94mediummultiple choice
Read the full Services and Networking explanation →

You need to access a database pod 'db-pod' on port 5432 from your local machine. Which command forwards local port 15432 to the pod's port 5432?

Question 95easymultiple choice
Read the full Services and Networking explanation →

What is the default service type in Kubernetes?

Question 96hardmultiple choice
Review the full routing breakdown →

A ClusterIP service named 'svc' has no endpoints. Which command can you use to debug why the service is not routing traffic?

Question 97easymultiple choice
Read the full Services and Networking explanation →

What annotation is required on an Ingress resource to use a specific IngressClass (e.g., 'nginx')?

Question 98mediummultiple choice
Read the full Services and Networking explanation →

A NetworkPolicy denies all ingress traffic to a namespace. Which rule would allow traffic only from pods in the same namespace?

Question 99mediummultiple choice
Read the full Services and Networking explanation →

You want to expose a Deployment 'app' externally on port 30080 on each node. What service type should you use?

Question 100hardmultiple choice
Read the full Services and Networking explanation →

A pod 'app' has an init container that fails. The pod status is Init:Error. What is the first step to diagnose?

Question 101mediummultiple choice
Read the full Services and Networking explanation →

Which of the following is true about Istio as a service mesh?

Question 102mediummulti select
Read the full Services and Networking explanation →

Which TWO of the following are valid ways to create a Service named 'web' that targets pods with label 'app: web' on port 80?

Question 103hardmulti select
Read the full Services and Networking explanation →

Which THREE statements about NetworkPolicy are correct?

Question 104easymulti select
Read the full Services and Networking explanation →

Which TWO of the following are valid service types in Kubernetes?

Question 105easymultiple choice
Read the full Services and Networking explanation →

Which of the following commands creates a Service named 'my-svc' of type ClusterIP that exposes TCP port 80 on a set of pods selected by the label 'app: web'?

Question 106mediummultiple choice
Read the full Services and Networking explanation →

A developer runs 'kubectl run nginx --image=nginx --port=80' and then creates a Service with the following YAML:

apiVersion: v1 kind: Service metadata: name: nginx-svc spec: selector: app: nginx ports: - protocol: TCP port: 80 targetPort: 80

However, the Service has no endpoints. What is the most likely cause?

Question 107hardmultiple choice
Read the full Services and Networking explanation →

Given the following NetworkPolicy YAML:

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress

What is the effect of this policy?

Question 108easymultiple choice
Read the full DNS explanation →

What is the DNS name for a Service named 'backend' in the 'default' namespace?

Question 109mediummultiple choice
Read the full NAT/PAT explanation →

An Ingress resource is created with the following YAML:

apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-svc port: number: 80

Which of the following requests will be routed to the api-svc Service?

Question 110mediummultiple choice
Read the full DNS explanation →

A StatefulSet named 'web' is created with 3 replicas. What is the DNS name for the second pod (index 1)?

Question 111hardmultiple choice
Read the full Services and Networking explanation →

You have a Deployment with multiple replicas. You want to expose it via a Service that has a stable IP address and is accessible from outside the cluster on a static port on each node. Which Service type should you use?

Question 112easymultiple choice
Read the full Services and Networking explanation →

Which of the following is true about headless services?

Question 113mediummultiple choice
Read the full Services and Networking explanation →

An administrator wants to allow ingress traffic to pods with label 'app: database' only from pods with label 'app: api' in the same namespace. Which NetworkPolicy rule is correct?

Question 114mediummultiple choice
Read the full Services and Networking explanation →

You run 'kubectl port-forward pod/my-pod 8080:80'. What does this command do?

Question 115hardmultiple choice
Read the full Services and Networking explanation →

An Ingress resource has the following annotation: 'kubernetes.io/ingress.class: nginx'. What is the purpose of this annotation?

Question 116easymultiple choice
Read the full Services and Networking explanation →

What is the default Service type when creating a Service via 'kubectl create service' or YAML without specifying type?

Question 117mediummulti select
Read the full Services and Networking explanation →

Which TWO of the following are valid ways to expose a Deployment named 'web' as a Service?

Question 118hardmulti select
Read the full Services and Networking explanation →

Which THREE of the following are true regarding NetworkPolicy in Kubernetes?

Question 119mediummulti select
Read the full Services and Networking explanation →

Which TWO of the following are correct about the ExternalName Service type?

Question 120easymultiple choice
Read the full Services and Networking explanation →

You create a Service with `kubectl expose deployment web --port=80 --target-port=8080`. What type of Service is created by default?

Question 121mediummultiple choice
Read the full Services and Networking explanation →

A developer creates a Deployment with 3 replicas and a Service with `clusterIP: None`. What is the primary use case for this headless Service?

Question 122hardmultiple choice
Read the full DNS explanation →

A Pod named `my-pod` in namespace `ns1` tries to resolve `svc-a.ns2.svc.cluster.local`. The DNS query fails. The Service `svc-a` exists in namespace `ns2`. What is the most likely cause?

Question 123mediummultiple choice
Read the full NAT/PAT explanation →

You apply the following Ingress manifest: ``` apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress spec: ingressClassName: nginx rules: - host: app.example.com http: paths: - pathType: Prefix path: / backend: service: name: app-svc port: number: 80 ``` What is missing to enable TLS termination for this Ingress?

Question 124easymultiple choice
Read the full Services and Networking explanation →

Which of the following commands creates a LoadBalancer Service named `web-svc` for a Deployment named `web` on port 80?

Question 125hardmultiple choice
Read the full Services and Networking explanation →

A NetworkPolicy is applied to a namespace with the following rules: ``` apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress ``` What is the effect on pods in that namespace?

Question 126mediummultiple choice
Read the full Services and Networking explanation →

You need to temporarily access a pod's HTTP endpoint on port 8080 from your local machine. Which command should you use?

Question 127mediummultiple choice
Read the full Services and Networking explanation →

A Service named `api` in namespace `default` has multiple endpoints. You run `kubectl get endpoints api` and see no IPs. What is the most likely cause?

Question 128easymultiple choice
Read the full Services and Networking explanation →

Which Service type is used to expose a Service on a static port on each node in the cluster?

Question 129mediummultiple choice
Read the full Services and Networking explanation →

You create a Service with the following YAML: ``` apiVersion: v1 kind: Service metadata: name: my-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: my-app ``` What is the default Service type?

Question 130hardmultiple choice
Read the full NAT/PAT explanation →

An Ingress has two rules: - host: app.example.com, path: /api -> service-a:80 - host: api.example.com, path: / -> service-b:80 A request to `app.example.com/api/v1` reaches which service?

Question 131easymultiple choice
Read the full DNS explanation →

What is the DNS name for a Service named `svc` in namespace `ns`?

Question 132mediummulti select
Read the full Services and Networking explanation →

Which TWO statements about NetworkPolicy are correct? (Choose two.)

Question 133hardmulti select
Read the full Services and Networking explanation →

Which THREE are valid fields in a NetworkPolicy spec? (Choose three.)

Question 134mediummulti select
Read the full Services and Networking explanation →

Which TWO are valid Service types? (Choose two.)

Question 135easymultiple choice
Read the full Services and Networking explanation →

You have a Deployment named 'web' with label 'app: web'. You want to create a Service that exposes the Deployment on port 80 internally within the cluster. Which kubectl command achieves this?

Question 136mediummultiple choice
Read the full Services and Networking explanation →

A Service of type NodePort is created with 'spec.ports[0].nodePort: 30080'. The cluster nodes have IPs 10.0.0.1, 10.0.0.2. Which command can be used to test connectivity to the Service from outside the cluster?

Question 137mediummultiple choice
Read the full Services and Networking explanation →

A NetworkPolicy named 'deny-all' is applied in a namespace. Which YAML snippet correctly implements a default-deny-all ingress policy?

Question 138hardmultiple choice
Read the full DNS explanation →

You have a Service named 'app-service' in namespace 'default'. You want a pod in namespace 'monitoring' to resolve the service DNS name. What is the correct fully qualified domain name (FQDN)?

Question 139mediummultiple choice
Read the full DNS explanation →

You have a headless Service for a StatefulSet. What is the DNS resolution behavior for the StatefulSet pods?

Question 140easymultiple choice
Read the full Services and Networking explanation →

Which Service type is used to expose a Service externally using a cloud provider's load balancer?

Question 141mediummultiple choice
Read the full Services and Networking explanation →

An Ingress resource is configured with TLS. Which field in the Ingress YAML specifies the secret containing the TLS certificate and key?

Question 142hardmultiple choice
Read the full Services and Networking explanation →

You need to allow ingress traffic to pods with label 'app: web' from pods with label 'role: frontend' in the same namespace, and also from any pod in namespace 'monitoring'. Which NetworkPolicy egress/ingress rule correctly implements this?

Question 143easymultiple choice
Read the full Services and Networking explanation →

Which kubectl command forwards local port 8080 to port 80 of a pod named 'web-pod'?

Question 144mediummultiple choice
Read the full Services and Networking explanation →

You have a Service named 'api' with selectors that match pods. However, curl to the Service cluster IP times out. 'kubectl get endpoints api' shows no endpoints. What is the most likely cause?

Question 145hardmultiple choice
Review the full routing breakdown →

An Ingress resource uses host-based routing. Which field in the Ingress YAML specifies the host header to match?

Question 146mediummultiple choice
Read the full DNS explanation →

You have a Deployment with 3 replicas. You create a Service with 'clusterIP: None'. What is the effect on pod DNS?

Question 147mediummulti select
Read the full Services and Networking explanation →

Which TWO statements about Ingress are correct? (Select 2)

Question 148hardmulti select
Read the full Services and Networking explanation →

Which THREE statements about NetworkPolicy are correct? (Select 3)

Question 149easymulti select
Read the full Services and Networking explanation →

Which TWO Service types allow external access to pods from outside the Kubernetes cluster? (Select 2)

Question 150mediummultiple choice
Read the full Services and Networking explanation →

You have a Deployment named 'web-app' with 3 replicas. You want to expose the pods on port 80 internally within the cluster using a ClusterIP service. Which kubectl command should you use?

Question 151mediummultiple choice
Read the full DNS explanation →

You have a headless Service for a StatefulSet. The DNS query for the service returns no A records. What is the most likely cause?

Question 152hardmultiple choice
Read the full DNS explanation →

You apply the following NetworkPolicy:

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress

After applying, pods in the namespace cannot reach the kube-dns service. What is the most likely reason?

Question 153hardmultiple choice
Read the full Services and Networking explanation →

You have an Ingress resource with TLS configured. The certificate is stored in a Secret named 'my-tls'. Which field in the Ingress YAML specifies the Secret name?

Question 154easymultiple choice
Read the full Services and Networking explanation →

You need to forward a local port to port 8080 on a pod named 'my-pod' in the 'default' namespace. Which kubectl command should you use?

Question 155mediummultiple choice
Read the full DNS explanation →

You have a Service named 'my-svc' in the 'prod' namespace. What is the fully qualified DNS name for this Service?

Question 156mediummultiple choice
Read the full Services and Networking explanation →

You want to block all ingress traffic to pods labeled 'app=api' except from pods labeled 'app=frontend'. Which NetworkPolicy rule is correct?

Question 157easymultiple choice
Read the full Services and Networking explanation →

Which Service type exposes a Service externally via each Node's IP on a static port?

Question 158hardmultiple choice
Read the full Services and Networking explanation →

You have a Service that exposes a Deployment. Some pods are not receiving traffic. 'kubectl get endpoints my-service' shows only 2 out of 3 pod IPs. What is the most likely cause?

Question 159easymultiple choice
Read the full Services and Networking explanation →

You want to expose a Deployment named 'nginx' on port 80 using a LoadBalancer service. Which YAML snippet is correct?

Question 160mediummultiple choice
Review the full routing breakdown →

You have an Ingress that should route requests to 'api.example.com' to a service named 'api-svc' on port 80, and requests to 'www.example.com' to 'web-svc' on port 80. Which host-based routing rule is correct?

Question 161mediummultiple choice
Read the full DNS explanation →

You have a Service named 'myservice' in namespace 'default'. A pod in the same cluster but different namespace 'other' wants to resolve the service's IP. What DNS name should it use?

Question 162mediummulti select
Read the full Services and Networking explanation →

Which TWO of the following are valid Service types in Kubernetes? (Select 2)

Question 163hardmulti select
Read the full Services and Networking explanation →

Which THREE of the following are true about NetworkPolicy? (Select 3)

Question 164mediummulti select
Read the full Services and Networking explanation →

Which TWO of the following are valid methods to create a Service in Kubernetes? (Select 2)

Question 165easymultiple choice
Read the full Services and Networking explanation →

Which of the following commands creates a ClusterIP service named 'my-service' that exposes port 80 on the pod with label 'app=web'?

Question 166mediummultiple choice
Read the full DNS explanation →

A ClusterIP service named 'db-service' in namespace 'data' is not reachable from a pod in the same namespace. The pod's /etc/resolv.conf shows 'search data.svc.cluster.local svc.cluster.local cluster.local'. Using the pod, which command tests DNS resolution for the service?

Question 167hardmultiple choice
Read the full Services and Networking explanation →

You create a headless service with 'clusterIP: None' for a StatefulSet. How does a client discover the individual pod IPs?

Question 168mediummultiple choice
Read the full Services and Networking explanation →

Which annotation is used to specify the IngressClass for an Ingress resource in Kubernetes v1.18+?

Question 169easymultiple choice
Read the full Services and Networking explanation →

What is the default type of a Kubernetes Service when no type is specified in the YAML manifest?

Question 170mediummultiple choice
Read the full NAT/PAT explanation →

You have an Ingress with the following spec:

spec: rules: - host: app.example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80

How does the Ingress controller route a request to http://app.example.com/api/v1/users?

Question 171hardmultiple choice
Read the full Services and Networking explanation →

A NetworkPolicy named 'default-deny-all' is applied to a namespace. It has no rules. Which statement is true?

Question 172mediummultiple choice
Read the full Services and Networking explanation →

Which command forwards local port 8080 to port 80 of a pod named 'web-pod'?

Question 173easymultiple choice
Read the full Services and Networking explanation →

What is the purpose of the 'spec.externalName' field in a Service of type ExternalName?

Question 174mediummultiple choice
Read the full Services and Networking explanation →

You have a Deployment with pods labeled 'tier: frontend'. You create a Service with selector 'tier: frontend'. However, the Service has no endpoints. What is the MOST likely cause?

Question 175hardmultiple choice
Read the full NAT/PAT explanation →

An Ingress resource specifies TLS termination using a secret. The secret must contain which keys?

Question 176mediummultiple choice
Read the full Services and Networking explanation →

When using 'kubectl expose', which flag creates a NodePort service?

Question 177mediummulti select
Read the full NAT/PAT explanation →

Which TWO of the following are valid Ingress pathTypes in Kubernetes networking.k8s.io/v1?

Question 178hardmulti select
Read the full Services and Networking explanation →

Which THREE of the following are valid fields in a NetworkPolicy spec?

Question 179hardmulti select
Read the full DNS explanation →

Which TWO of the following are correct statements about DNS in Kubernetes?

Question 180mediummultiple choice
Read the full Services and Networking explanation →

You have a Deployment running three replicas of a web application. You need to expose the application on port 80 of all cluster nodes. Which Service type should you use?

Question 181easymultiple choice
Read the full Services and Networking explanation →

A developer wants to access a specific pod's port 8080 from their local machine using a temporary connection. Which command should they use?

Question 182hardmultiple choice
Read the full NAT/PAT explanation →

An Ingress resource is configured with TLS termination. The secret referenced in the Ingress is present, but the Ingress controller returns 404. What is the most likely cause?

Question 183mediummultiple choice
Read the full DNS explanation →

A ClusterIP Service named 'db' in namespace 'data' is not reachable from a pod in namespace 'app'. Which DNS name should the pod use to resolve the service?

Question 184easymultiple choice
Read the full Services and Networking explanation →

You want to deny all incoming traffic to a set of pods except from pods with label 'role: frontend'. Which NetworkPolicy spec should you use?

Question 185hardmultiple choice
Read the full DNS explanation →

A StatefulSet is deployed with a headless service (clusterIP: None). The pods are named 'web-0', 'web-1', 'web-2'. What DNS name resolves to the specific IP of 'web-1'?

Question 186mediummultiple choice
Read the full Services and Networking explanation →

You create a Service with the following manifest. What is the effect? service.yaml: apiVersion: v1 kind: Service metadata: name: ext-svc spec: type: ExternalName externalName: db.example.com

Question 187hardmultiple choice
Review the full subnetting walkthrough →

A NetworkPolicy with the following spec is applied to a namespace. What is the effect? spec: podSelector: {} policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 10.0.0.0/8 except: - 10.0.1.0/24 egress: - to: - ipBlock: cidr: 0.0.0.0/0

Question 188mediummultiple choice
Read the full Services and Networking explanation →

You need to expose a Deployment named 'web' on port 80 internally within the cluster. Which command creates the appropriate Service?

Question 189easymultiple choice
Read the full Services and Networking explanation →

A Service of type LoadBalancer is created but the external IP remains pending. What is the most likely reason?

Question 190mediummultiple choice
Review the full routing breakdown →

An Ingress is configured for host-based routing with two hosts: 'app1.example.com' and 'app2.example.com'. A request to 'app1.example.com' should go to service 'svc1'. Which field in the Ingress spec specifies the host?

Question 191mediummulti select
Read the full Services and Networking explanation →

Which TWO statements about headless services are correct?

Question 192hardmulti select
Read the full Services and Networking explanation →

Which THREE conditions must be met for a NetworkPolicy to effectively isolate a set of pods?

Question 193mediummulti select
Read the full Services and Networking explanation →

Which TWO commands can be used to list the endpoints of a Service named 'my-svc'?

Question 194easymulti select
Read the full Services and Networking explanation →

Which TWO are valid port names in a Service definition?

Question 195mediummultiple choice
Read the full Services and Networking explanation →

A developer needs to expose a deployment named 'web-app' running in the 'default' namespace on port 8080 internally within the cluster. Which kubectl command creates a ClusterIP service that selects pods with label 'app: web'?

Question 196hardmultiple choice
Read the full Services and Networking explanation →

An administrator applies the following NetworkPolicy:

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress

After applying this policy, which traffic flows are affected?

Question 197easymulti select
Read the full Services and Networking explanation →

Which TWO statements about Kubernetes Services are correct?

Question 198mediummulti select
Read the full Services and Networking explanation →

Which THREE items are required for Ingress to work correctly in a Kubernetes cluster?

Question 199hardmulti select
Read the full DNS explanation →

Which TWO statements about Kubernetes DNS are correct?

Question 200mediummulti select
Read the full Services and Networking explanation →

Which THREE statements about NetworkPolicy are correct?

Question 201easymultiple choice
Read the full Services and Networking explanation →

A pod named 'debug' is running. Which command forwards local port 4000 to port 80 on the pod?

Question 202mediummultiple choice
Read the full Services and Networking explanation →

A StatefulSet named 'mysql' is deployed with 3 replicas. The administrator wants each pod to have a stable network identity. Which service configuration is required?

Question 203mediummulti select
Read the full Services and Networking explanation →

Which TWO statements about Ingress are correct?

Question 204hardmulti select
Read the full Services and Networking explanation →

Which THREE are valid ways to expose a Service externally in Kubernetes?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

CKAD Practice Test 1 — 10 Questions→CKAD Practice Test 2 — 10 Questions→CKAD Practice Test 3 — 10 Questions→CKAD Practice Test 4 — 10 Questions→CKAD Practice Test 5 — 10 Questions→CKAD Practice Exam 1 — 20 Questions→CKAD Practice Exam 2 — 20 Questions→CKAD Practice Exam 3 — 20 Questions→CKAD Practice Exam 4 — 20 Questions→Free CKAD Practice Test 1 — 30 Questions→Free CKAD Practice Test 2 — 30 Questions→Free CKAD Practice Test 3 — 30 Questions→CKAD Practice Questions 1 — 50 Questions→CKAD Practice Questions 2 — 50 Questions→CKAD Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Application Design and BuildApplication DeploymentApplication Environment, Configuration and SecurityApplication Observability and MaintenanceServices and Networking

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Services and Networking setsAll Services and Networking questionsCKAD Practice Hub