CNCF · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A developer deploys a pod that continuously restarts. 'kubectl describe pod' shows the container exits with code 137. What is the most likely cause?
The container is exceeding its memory limit and being OOM-killed.
Exit code 137 indicates SIGKILL, often from OOM.
The liveness probe is failing and restarting the container.
The init container is failing and blocking the main container.
The pod is hitting a resource quota limit at the namespace level.
An application requires a unique identifier per replica, stored in an environment variable. Which Kubernetes resource should be used to inject this identifier into each pod without manual updates?
Deployment with pod anti-affinity to schedule each pod on a different node.
StatefulSet with an environment variable derived from the pod name.
StatefulSet pods have stable, unique names (e.g., myapp-0).
DaemonSet with a node name environment variable.
Job with a completion index environment variable.
A pod is stuck in 'Pending' state. 'kubectl describe pod' shows '0/4 nodes are available: 4 node(s) had taint {node.kubernetes.io/unreachable: }, that the pod didn't tolerate.' What is the most likely cause?
All nodes have disk pressure.
All nodes are unreachable or have been cordoned.
The taint indicates nodes are unreachable.
The pod has a toleration that matches the taint.
The nodes do not have enough CPU or memory.
A team wants to minimize downtime during a Deployment rollout. Which strategy ensures that new pods are created before old pods are terminated?
Set strategy type to 'Recreate'.
Set strategy type to 'RollingUpdate' with maxSurge=0, maxUnavailable=1.
Set strategy type to 'RollingUpdate' with maxSurge=1, maxUnavailable=0.
New pods are created first, ensuring zero downtime.
Set strategy type to 'RollingUpdate' with maxSurge=1, maxUnavailable=1.
A pod in a ReplicaSet is failing with 'CrashLoopBackOff'. 'kubectl logs pod' shows 'Error: listen tcp :8080: bind: address already in use'. What is the most likely cause?
The readiness probe is misconfigured.
The container image is missing the application binary.
The container's process is not terminating quickly enough on SIGTERM, causing a port conflict on restart.
Old process still holds the port.
The pod is using hostPort and two pods on the same node conflict.
Which TWO of the following are valid ways to expose a set of pods as a network service within a Kubernetes cluster?
Create a StatefulSet with pod hostnames.
Create a Service of type ExternalName.
Create a ConfigMap with pod IPs.
Create a Service of type ClusterIP.
ClusterIP exposes pods internally.
Create an Ingress resource that routes to a Service.
Ingress exposes HTTP/HTTPS to Services.
A team deploys a microservice that requires sticky sessions. The service runs on Kubernetes with multiple replicas. Which Kubernetes resource should be used to ensure requests from a client are consistently routed to the same pod?
Headless Service
Service with sessionAffinity: ClientIP
This configuration ensures requests from the same client IP go to the same pod.
Ingress with default settings
Deployment with hostNetwork: true
A Kubernetes cluster is experiencing network latency. The team suspects that the number of services and endpoints is causing iptables performance degradation. Which CNI plugin or network policy approach is most likely to improve performance?
Switch to Flannel with host-gw backend
Use Calico with iptables mode
Use an eBPF-based CNI plugin like Cilium
eBPF bypasses iptables, reducing latency and improving scalability.
Apply a default-deny NetworkPolicy
A developer wants to ensure that a pod runs only on nodes with SSDs. Which mechanism should be used?
Apply a taint to nodes without SSDs and add tolerations to the pod
Use pod anti-affinity
Add a nodeSelector with disktype: ssd
nodeSelector ensures pods are scheduled on nodes with the specified label.
Define a ResourceQuota
An application running in a Kubernetes pod needs to access a database that is deployed on a VM outside the cluster. The database IP is stable. Which is the best way to expose the database to the pod?
Expose the database via Ingress
Create a Service of type ExternalName pointing to the database hostname
ExternalName service provides a DNS alias to an external resource.
Use a Headless Service
Create an EndpointSlice manually with the pod IP
A team notices that a ReplicaSet is not creating the desired number of pods. The ReplicaSet YAML is correctly configured with replicas: 3. The cluster has sufficient resources. What is the most likely cause?
The ReplicaSet is paused
The pod template references an invalid image pull secret
Invalid image pull secret would cause pods to fail with ImagePullBackOff, reducing the ready count.
The nodeSelector does not match any node
A ResourceQuota in the namespace limits the number of pods
Which TWO of the following are valid ways to expose a set of pods as a network service in Kubernetes?
Service of type NodePort
NodePort exposes the service on each node's IP at a static port.
NetworkPolicy
Service of type ClusterIP
ClusterIP exposes the service on a cluster-internal IP.
Ingress resource
Deployment with replicas
A company wants to migrate its monolithic application to a cloud-native architecture on Kubernetes. The application currently uses a shared database and communicates via internal HTTP calls. Which design pattern should be applied first to increase resilience and enable independent scaling of components?
Adopt CQRS pattern to separate reads and writes
Use the strangler fig pattern to gradually replace monolith functionality
Allows incremental migration with minimal risk.
Implement database-per-service pattern
Deploy a sidecar container for each service
A cloud-native application is designed with multiple microservices that need to handle a sudden spike in traffic without manual intervention. Which Kubernetes feature best enables this?
VerticalPodAutoscaler
Cluster Autoscaler
HorizontalPodAutoscaler
Automatically scales pod replicas based on CPU/memory or custom metrics.
PodDisruptionBudget
A team is designing a cloud-native system that must maintain high availability across multiple cloud regions. The application uses Kubernetes clusters in each region. Which approach best ensures that the system can tolerate a full region failure while minimizing complexity?
Deploy a single Kubernetes cluster spanning all regions
Use a global load balancer with active-passive regional failover
Simpler to implement and manage while ensuring failover.
Run active-active in all regions with synchronous data replication
Implement manual failover procedures documented in runbooks
A microservice logs errors when connecting to the database. The logs show 'connection refused'. Which troubleshooting step should be taken first?
Verify the database Service and Endpoints in Kubernetes
Directly checks if the database service is available.
Scale up the microservice deployment
Restart the microservice pod
Check the logs of other microservices
Which practice is a key principle of cloud-native architecture?
Automated CI/CD pipelines
Enables rapid and reliable deployments.
Manual configuration management
Tight coupling of services
Preferring stateful applications over stateless
A cloud-native application uses a service mesh (Istio) for traffic management. The team notices increased latency in inter-service communication. Which likely cause should be investigated first?
Kubernetes Network Policies blocking traffic
Misconfigured sidecar proxy settings
Can cause significant latency.
Application code is not optimized for the mesh
mTLS encryption overhead
A DevOps team notices that a microservice is returning 503 errors intermittently. The service runs in Kubernetes and uses a liveness probe. The team wants to understand the root cause without restarting the pod. Which observability approach should they use first?
Use kubectl describe pod to check recent events
Query Prometheus for kubelet metrics on probe successes and failures
Metrics like 'probe_success' from kubelet can show probe status over time, helping identify intermittent failures.
Increase log verbosity in the application to capture all requests
Enable distributed tracing across the service mesh
A platform team is designing a monitoring strategy for a multi-tenant Kubernetes cluster. Each tenant runs workloads in separate namespaces. The team needs to ensure tenant isolation while providing aggregated cluster-wide dashboards. Which approach best meets these requirements?
Deploy a single Prometheus instance with namespace labels on all metrics
Use a global Prometheus with recording rules to aggregate per-namespace metrics
Have each tenant deploy their own monitoring stack and view separately
Deploy a Prometheus instance per tenant and use Thanos to aggregate metrics globally
Per-tenant Prometheus ensures isolation, and Thanos sidecar allows secure global aggregation with proper RBAC.
A Kubernetes administrator is troubleshooting a pod that is stuck in CrashLoopBackOff. The pod's restart count is increasing. Which initial step should the administrator take to diagnose the issue?
Run 'kubectl describe pod <pod-name>' to check events
Check the Prometheus metrics for the pod's CPU usage
Run 'kubectl exec -it <pod-name> -- /bin/sh' to inspect the container
Run 'kubectl logs <pod-name>' to view the application logs
Logs often contain error messages that explain why the application is crashing.
An organization uses Prometheus and Grafana for monitoring. They want to alert when the 99th percentile of request latency exceeds 500ms for more than 5 minutes. Which PromQL query should they use in the alert rule?
histogram_quantile(0.99, rate(http_request_duration_seconds_bucket[1m])) > 0.5
histogram_quantile(0.99, rate(http_request_duration_seconds_bucket[5m])) > 0.5
Correctly calculates 99th percentile over 5 minutes, then compares to 0.5 seconds.
avg(rate(http_request_duration_seconds_bucket[5m])) > 0.5
max(rate(http_request_duration_seconds_bucket[5m])) > 0.5
Which TWO of the following are best practices for structuring log output in cloud-native applications to maximize observability?
Include verbose debug-level information in every log line
Use multi-line log entries for detailed error information
Output logs in structured format such as JSON
Structured logs are machine-parseable and easily ingested by log aggregators.
Include a unique request or correlation ID in each log entry
Correlation IDs help trace requests across microservices.
Avoid timestamps to reduce log size
Which THREE of the following are valid use cases for distributed tracing in a microservices architecture?
Monitoring CPU and memory usage of each service instance
Understanding the dependency graph between microservices
Traces reveal service call relationships.
Pinpointing the root cause of an error in a distributed transaction
Tracing shows where errors occur in the flow.
Identifying which service contributes the most latency to an end-user request
Tracing shows time spent in each span.
Capturing detailed error messages and stack traces
A startup wants to minimize downtime during application updates in Kubernetes. Which deployment strategy should they use?
RollingUpdate
Replaces pods incrementally, maintaining availability.
Canary
Blue/Green
Recreate
A DevOps engineer notices that after a Helm upgrade, the new pods are crash looping with 'ImagePullBackOff'. What is the most likely cause?
The pod's liveness probe is misconfigured
The Helm chart has a wrong image tag
A mistyped or non-existent tag leads to pull failures.
The service account lacks permissions
The deployment's resource requests exceed node capacity
A team wants to implement GitOps for their Kubernetes workloads using Argo CD. They have multiple environments (dev, staging, prod) in separate clusters. What is the best practice for structuring the Git repository?
A single branch with all environment manifests in the same folder
Separate repositories per environment
Store all manifests in a single file with environment labels
A monorepo with a directory per environment and overlays for differences
Standard GitOps pattern; clear separation with shared base and overlays.
A user reports that a ConfigMap update is not reflected in running pods. Which action should be taken to ensure pods receive the updated configuration?
Perform a rollout restart of the deployment
Triggers new pods with updated ConfigMap values.
Delete and recreate the ConfigMap
Edit the deployment and change a label
Restart the kubelet on the nodes
Which TWO of the following are benefits of using Helm for application delivery?
Automatic scaling based on CPU usage
Ability to roll back to previous releases
Helm tracks releases and supports rollback with helm rollback.
Automatic canary deployments
Simplified packaging and templating of Kubernetes resources
Helm charts use Go templates to parameterize manifests.
Built-in monitoring and alerting
Which THREE of the following practices are essential for a secure cloud native CI/CD pipeline?
Sign container images and verify signatures during deployment
Ensures image integrity and authenticity.
Store secrets in plain text in the pipeline configuration
Use a single long-lived service account for all pipeline steps
Scan container images for vulnerabilities before deployment
Identifies known CVEs in images.
Apply least-privilege IAM roles to pipeline components
Minimizes blast radius in case of compromise.
The KCNA exam is performance-based — there are no multiple-choice questions. It is a hands-on lab exam completed within 90 minutes. You complete practical tasks in a live or simulated environment. Courseiva practice questions cover the underlying concepts.
Hands-on labs and command-line tasks in a live Kubernetes cluster.
The exam covers 5 domains: Kubernetes Fundamentals, Container Orchestration, Cloud Native Architecture, Cloud Native Observability, Cloud Native Application Delivery. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official CNCF KCNA exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.