CCNA Devnet App Deployment Questions

75 of 99 questions · Page 1/2 · Devnet App Deployment topic · Answers revealed

1
Multi-Select · medium

Which TWO practices help prevent hardcoded credentials in application code? (Choose TWO.)

Select 2 answers
A. Use a secrets management tool like HashiCorp Vault to retrieve credentials at runtime
B. Share secrets via email and paste them into the code during deployment
C. Store secrets in environment variables from a .env file that is not committed to version control
D. Commit a .env file with placeholder values to the repository
E. Embed secrets directly in the source code with comments
Answers: A, C

Vault dynamically provides secrets without hardcoding.

Why this answer

Using environment variables (from .env or secret managers) and using a dedicated secrets management tool like Vault are best practices. Committing .env files exposes secrets.

2
MCQ · medium

A CI/CD pipeline has a stage that runs security vulnerability scans on dependencies. Which tool is specifically designed to scan Python packages for known vulnerabilities?

A. pip audit
B. Snyk
C. Dependabot
D. npm audit
Answer: A

pip audit scans Python packages for vulnerabilities.

Why this answer

pip audit checks Python packages for vulnerabilities. npm audit is for Node.js, Snyk is a third-party tool, Dependabot automates dependency updates.

3
Multi-Select · medium

Which TWO Docker network drivers allow a container to communicate with the host's network stack directly?

Select 1 answer
A. bridge
B. none
C. overlay
D. host
E. macvlan
Answers: D

Host network shares host's networking.

Why this answer

Host mode shares the host's network stack. Overlay is for multi-host communication. Bridge is the default isolated network. None provides no networking. Macvlan assigns MAC addresses.

4
MCQ · hard

A Kubernetes pod has two containers: a main application and a sidecar proxy. They need to communicate via localhost. Which pod networking model allows this?

A. Host network
B. Bridge network
C. Overlay network
D. Pod network (containers share the same IP)
Answer: D

All containers in a pod share the same network namespace, allowing localhost communication.

Why this answer

Containers in the same pod share the same network namespace, so they can communicate via localhost.

5
MCQ · easy

You are writing a Dockerfile for a Python application. Which instruction should you use to install the dependencies from a requirements.txt file?

A. ENTRYPOINT pip install -r requirements.txt
B. CMD pip install -r requirements.txt
C. RUN pip install -r requirements.txt
Answer: C

This command installs all dependencies listed in requirements.txt.

Why this answer

The RUN instruction executes commands in a new layer on top of the current image and commits the results. Using RUN pip install -r requirements.txt ensures that the Python dependencies are installed during the image build process, making them part of the final image. This is the correct approach because dependencies should be installed at build time, not at container runtime.

Exam trap

Cisco often tests the distinction between build-time instructions (RUN) and runtime instructions (CMD, ENTRYPOINT), and the trap here is that candidates confuse CMD or ENTRYPOINT with RUN, thinking they can install dependencies at container startup instead of during the image build.

How to eliminate wrong answers

Option A is wrong because ENTRYPOINT configures a container to run as an executable, not to execute commands during the build; using ENTRYPOINT for pip install would cause the installation to run every time the container starts, which is inefficient and may fail if the filesystem is read-only. Option B is wrong because CMD provides defaults for an executing container, but it can be overridden; using CMD for pip install would also run the installation at container runtime rather than during the build, leading to unnecessary delays and potential permission issues.

6
MCQ · easy

A developer needs to share a Docker image with a colleague. They decide to push the image to a registry. Which Docker command pushes an image to a registry?

A. docker export my-image:latest
B. docker commit my-image:latest
C. docker push my-image:latest
D. docker pull my-image:latest
Answer: C

Correct command to push.

Why this answer

docker push uploads a local image to a registry. docker pull downloads. docker push requires the image to be tagged with the registry URL.

7
MCQ · easy

Which Docker network driver allows a container to share the host's network stack, giving it direct access to host interfaces?

A. none
B. overlay
C. bridge
D. host
Answer: D

Host mode shares the host's network stack.

Why this answer

The 'host' network driver in Docker removes network isolation between the container and the host, allowing the container to use the host's network stack directly. This means the container binds to host interfaces and ports without NAT or port mapping, giving it direct access to the host's IP address and network configuration.

Exam trap

Cisco often tests the misconception that 'bridge' is the default and most common driver, leading candidates to choose it when the question specifically asks for sharing the host's network stack, which only the 'host' driver provides.

How to eliminate wrong answers

Option A is wrong because the 'none' driver disables all networking for the container, leaving it with only a loopback interface and no external connectivity. Option B is wrong because the 'overlay' driver creates a distributed network across multiple Docker hosts, enabling multi-host communication but not sharing the host's own network stack. Option C is wrong because the 'bridge' driver creates an isolated, private network on the host using NAT and port forwarding, preventing direct access to host interfaces.

8
Multi-Select · hard

Which THREE steps are essential in a typical CI/CD pipeline for a containerized application? (Choose THREE.)

Select 3 answers
A. Perform code review
B. Build the Docker image
C. Push the image to a container registry
D. Run unit and integration tests
E. Deploy directly to production without testing
Answers: B, C, D

Building is the first step to create the artifact.

Why this answer

Building the Docker image is essential because it packages the application code, dependencies, and runtime into a portable container. Without this step, there is no deployable artifact for the CI/CD pipeline to promote through stages.

Exam trap

Cisco often tests the distinction between development practices (like code review) and automated pipeline steps, so candidates mistakenly include code review as a CI/CD step when it is actually a prerequisite.

9
MCQ · hard

A CI/CD pipeline uses GitHub Actions. The workflow should trigger only when a pull request is opened against the 'main' branch. Which 'on' trigger configuration is correct?

A. on: pull_request: branches: [main]
B. on: [pull_request, push]
C. on: push: branches: [main]
D. on: pull_request_target: branches: [main]
Answer: A

This triggers when a pull request targets the main branch.

Why this answer

The correct syntax uses pull_request with a branches filter.

10
MCQ · medium

A Docker container running a web application needs to be accessible on the host's port 8080. The application inside the container listens on port 80. Which docker run command achieves this?

A. docker run -d --expose 80 -p 8080 myapp
B. docker run -d -p 80:8080 myapp
C. docker run -d -P 8080:80 myapp
D. docker run -d -p 8080:80 myapp
Answer: D

This maps host port 8080 to container port 80, as required.

Why this answer

The -p flag maps host ports to container ports. The correct syntax is -p <host-port>:<container-port>.

11
MCQ · medium

A developer wants to run a Docker container in detached mode, mapping host port 8080 to container port 80, and mounting a host directory for persistent data. Which command accomplishes this?

A. docker run -it -p 8080:80 -v /host/data:/container/data myapp
B. docker run -d -p 8080:80 -v /host/data:/container/data myapp
C. docker start -d -p 8080:80 -v /host/data:/container/data myapp
D. docker compose up -d -p 8080:80 -v /host/data:/container/data myapp
Answer: B

This command runs the container detached with port mapping and volume mount.

Why this answer

The -d flag runs detached, -p maps ports, and -v mounts a volume from host to container.

12
MCQ · medium

In a Kubernetes deployment, a developer needs to expose a set of pods internally within the cluster on a stable IP address. The pods are stateless and serve HTTP traffic. Which Service type should be used?

A. LoadBalancer
B. ExternalName
C. NodePort
D. ClusterIP
Answer: D

ClusterIP provides an internal stable IP.

Why this answer

ClusterIP exposes the service on a cluster-internal IP, making it reachable only within the cluster. NodePort and LoadBalancer expose externally. ExternalName maps to an external DNS name.

13
MCQ · medium

A company deploys a microservice using Kubernetes. The service must be accessible externally via a stable IP address and load-balanced across pods. Which Service type should be used?

A. NodePort
B. ClusterIP
C. LoadBalancer
D. ExternalName
Answer: C

LoadBalancer provides an external IP and load balancing.

Why this answer

LoadBalancer exposes the service externally using a cloud provider's load balancer. ClusterIP is internal only, NodePort exposes on each node's IP, ExternalName maps to external DNS.

14
MCQ · hard

A Kubernetes deployment is configured with replicas: 3. During a rolling update, the deployment strategy is set to RollingUpdate with maxSurge: 1 and maxUnavailable: 0. What is the maximum number of pods that will be running during the update?

A. 4
B. 6
C. 5
D. 3
Answer: A

Correct. Desired 3 + maxSurge 1 = 4 maximum pods.

Why this answer

With maxSurge=1, one extra pod can be created above the desired 3, and maxUnavailable=0 ensures no pods are taken down before new ones are ready. So the maximum is 4 pods.

15
MCQ · medium

A team is deploying a microservice that must scale independently. The service uses environment variables for configuration. Which Kubernetes resource should be used to store non-sensitive configuration data separate from the container image?

A. Secret
B. Service
C. ConfigMap
D. Deployment
Answer: C

ConfigMap stores non-sensitive key-value pairs for configuration.

Why this answer

ConfigMap is the correct Kubernetes resource for storing non-sensitive configuration data (like environment variables) separately from the container image. This allows the microservice to scale independently because configuration changes can be applied without rebuilding or redeploying the image, enabling stateless, horizontally scalable pods.

Exam trap

Cisco often tests the distinction between ConfigMap and Secret, trapping candidates who confuse 'configuration data' with 'sensitive data' or who think a Deployment itself stores configuration.

How to eliminate wrong answers

Option A is wrong because Secret is designed for sensitive data (e.g., passwords, tokens) and stores values base64-encoded, not for general non-sensitive configuration. Option B is wrong because Service is a network abstraction that exposes a set of pods as a stable endpoint, not a storage mechanism for configuration data. Option D is wrong because Deployment manages the desired state of replica sets and rolling updates, but it does not store configuration data; it references ConfigMaps or Secrets for that purpose.

16
MCQ · hard

In a Kubernetes cluster, you need to store non-sensitive configuration data (e.g., database hostname) that can be consumed by pods as environment variables. Which resource should you use?

A. ConfigMap
B. PersistentVolume
C. Secret
Answer: A

ConfigMap is the correct resource for non-sensitive configuration data.

Why this answer

A ConfigMap is the correct Kubernetes resource for storing non-sensitive configuration data like a database hostname. It is designed to decouple configuration artifacts from image content, allowing pods to consume this data as environment variables or mounted files without hardcoding values into container images.

Exam trap

Cisco often tests the distinction between ConfigMaps and Secrets, where the trap is that candidates confuse 'non-sensitive' with 'sensitive' and incorrectly choose Secrets for all configuration data, or they pick PersistentVolume because they think any data storage requires persistent volumes.

How to eliminate wrong answers

Option B (PersistentVolume) is wrong because PersistentVolumes are used for persistent storage of data (e.g., files, databases) across pod restarts, not for storing small configuration key-value pairs as environment variables. Option C (Secret) is wrong because Secrets are intended for sensitive data (e.g., passwords, tokens, SSH keys) and are base64-encoded; using a Secret for non-sensitive data like a hostname is unnecessary and violates the principle of least privilege.

17
MCQ · medium

A CI/CD pipeline for a Python project should run unit tests and check for known vulnerabilities in dependencies. Which tool can be integrated into the pipeline to perform dependency scanning?

A. Docker
B. Kubernetes
C. Jenkins
D. Snyk
Answer: D

Snyk scans dependencies for vulnerabilities.

Why this answer

Snyk is a popular dependency scanning tool that integrates with CI/CD pipelines. pip audit and npm audit are similar but for specific ecosystems. Snyk supports multiple languages.

18
MCQ · easy

A developer creates a Dockerfile for a Python web application. Which instruction should be used to define the working directory inside the container for subsequent commands?

A. ENV
B. RUN
C. COPY
D. WORKDIR
Answer: D

WORKDIR sets the working directory for all subsequent Dockerfile instructions.

Why this answer

The WORKDIR instruction in a Dockerfile sets the working directory for any RUN, CMD, ENTRYPOINT, COPY, and ADD instructions that follow it in the Dockerfile. For a Python web application, using WORKDIR /app ensures that subsequent commands like COPY and RUN operate inside the /app directory, keeping the container filesystem organized and avoiding path errors.

Exam trap

Cisco often tests the distinction between WORKDIR and RUN cd, where candidates mistakenly think RUN cd sets a persistent working directory, but in Docker each RUN command runs in a new shell with the working directory reset unless WORKDIR is used.

How to eliminate wrong answers

Option A is wrong because ENV sets environment variables, not the working directory. Option B is wrong because RUN executes commands in a new layer on top of the current image but does not persist a working directory for subsequent instructions. Option C is wrong because COPY copies files from the host into the container at a specified path, but it does not define or change the working directory for later commands.

19
MCQ · hard

In a Kubernetes cluster, you need to expose a set of pods running a web application to external traffic on a specific port. Which Service type should you use to provide a stable external IP address?

A. ClusterIP
B. LoadBalancer
C. NodePort
Answer: B

LoadBalancer provides a stable external IP and is the correct choice for external exposure in cloud environments.

Why this answer

LoadBalancer provisions a cloud load balancer and assigns a stable external IP, making the service accessible from outside the cluster.

20
Multi-Select · hard

A Kubernetes administrator wants to use kubectl to troubleshoot a pod named 'my-pod' that is not starting. Which TWO commands are useful? (Choose two.)

Select 2 answers
A. kubectl get deployment my-deployment
B. kubectl rollout status deployment my-deployment
C. kubectl describe pod my-pod
D. kubectl delete pod my-pod
E. kubectl logs my-pod
Answers: C, E

Correct. Shows events and status details.

Why this answer

kubectl describe pod my-pod shows detailed information including events and container statuses. kubectl logs my-pod shows container logs. The other commands target different resources or perform unrelated actions.

21
MCQ · medium

A Kubernetes pod runs two containers that need to share a filesystem. Which volume type should be used to enable file sharing between the containers within the same pod?

A. configMap
B. hostPath
C. persistentVolumeClaim
D. emptyDir
Answer: D

Correct. emptyDir provides a shared volume for containers in the same pod.

Why this answer

An emptyDir volume is created empty when a pod is scheduled and can be mounted by multiple containers in the same pod, allowing them to share files.

22
MCQ · medium

A developer is writing a web application and needs to prevent SQL injection attacks. Which coding practice is most effective?

A. Validate input with regex to allow only alphanumeric characters
B. Use parameterized queries with prepared statements
C. Use stored procedures exclusively
D. Escape all user input with htmlspecialchars
Answer: B

Correct. Parameterized queries prevent SQL injection by treating input as data, not code.

Why this answer

Parameterized queries separate SQL logic from data, preventing attackers from injecting malicious SQL. Input validation is also important but not a direct prevention of SQL injection.

23
MCQ · hard

A company uses GitHub Actions for CI/CD. They want to automatically scan dependencies for known vulnerabilities on every push. Which action should be added to the workflow?

A. CodeQL
B. ESLint
C. GitHub Secret Scanning
D. Dependabot
Answer: D

Dependabot checks for vulnerable dependencies and can create pull requests to update them.

Why this answer

Dependabot is the correct GitHub-native tool for automatically scanning dependencies for known vulnerabilities on every push. It monitors the dependency manifest files (e.g., package.json, requirements.txt) against the GitHub Advisory Database and opens pull requests to update vulnerable packages. This directly meets the requirement of scanning dependencies for known vulnerabilities in a CI/CD workflow.

Exam trap

Cisco often tests the distinction between tools that scan custom code (CodeQL) versus tools that scan dependencies (Dependabot), leading candidates to confuse CodeQL's security scanning capability with dependency vulnerability scanning.

How to eliminate wrong answers

Option A is wrong because CodeQL is a semantic code analysis engine used for custom code security vulnerabilities (e.g., SQL injection, XSS), not for scanning third-party dependencies for known CVEs. Option B is wrong because ESLint is a static analysis tool for JavaScript/TypeScript code style and quality issues, not a dependency vulnerability scanner. Option C is wrong because GitHub Secret Scanning detects hardcoded secrets (e.g., API keys, tokens) in repositories, not vulnerabilities in dependencies.

24
MCQ · hard

A CI/CD pipeline is configured to build a Docker image, run unit tests, and push the image to a registry. To ensure that only successfully tested images are pushed, which stage order is correct?

A. Run tests -> Build image -> Push image
B. Build image -> Push image -> Run tests
C. Push image -> Build image -> Run tests
D. Build image -> Run tests -> Push image
Answer: D

Build first, then test, then push only if tests pass.

Why this answer

The correct order is: build the image, run tests, then push only if tests pass. Pushing before tests could push a broken image.

25
MCQ · medium

A web application is vulnerable to SQL injection. Which secure coding practice should the developer implement in the code to prevent this?

A. Use parameterised queries for database access.
B. Escape all user input with htmlspecialchars.
C. Use a CAPTCHA on the login form.
Answer: A

Parameterised queries separate SQL logic from data, preventing injection.

Why this answer

Using parameterised queries (prepared statements) ensures that user input is treated as data, not executable SQL code, preventing SQL injection.

26
MCQ · easy

Which Docker networking mode provides the most isolation by not connecting the container to any network?

A. overlay
B. bridge
C. none
D. host
Answer: C

Correct. none disables all networking.

Why this answer

The `none` networking mode in Docker creates a container with no network interfaces except the loopback device, providing the highest level of network isolation. This means the container cannot send or receive any external traffic, making it ideal for security-sensitive workloads that require complete network disconnection.

Exam trap

Cisco often tests the misconception that 'none' means no network at all (including loopback), but the container still has a loopback interface; the trap is that candidates confuse 'none' with 'host' or assume bridge provides stronger isolation than it actually does.

How to eliminate wrong answers

Option A is wrong because the overlay network mode creates a distributed network across multiple Docker hosts, enabling container-to-container communication across nodes, which does not provide isolation from external networks. Option B is wrong because the bridge network mode (default) connects containers to a private internal network and provides NAT-based outbound connectivity, allowing external traffic through port mapping. Option D is wrong because the host network mode removes network isolation entirely by sharing the host's network stack, giving the container direct access to all host network interfaces.

27
MCQ · hard

A Kubernetes cluster runs a microservice that needs to read configuration values from a ConfigMap and sensitive database credentials from a Secret. The pod manifest references both resources. How should the Secret be mounted to avoid exposing sensitive data in logs or environment variables?

A. Hardcoding the credentials in the ConfigMap
B. Using a sidecar container to fetch secrets via API
C. Using envFrom with secretRef
D. Using a volume mount with a secret volume
Answer: D

Correct. Mounting as files avoids exposing values in environment.

Why this answer

Option D is correct because mounting a Secret as a volume stores the data in the tmpfs (RAM-backed filesystem) of the pod, which is not written to disk and is not exposed via environment variables that could be logged or printed by the application. This approach prevents accidental leakage of sensitive data through log outputs or environment variable dumps, as the application must explicitly read the file from the mount point.

Exam trap

Cisco often tests the distinction between environment variable injection and volume mounts for Secrets, trapping candidates who assume envFrom is secure because it avoids file I/O, when in fact it exposes secrets to logging and debugging tools.

How to eliminate wrong answers

Option A is wrong because hardcoding credentials in a ConfigMap defeats the purpose of using Secrets, as ConfigMap data is stored in plaintext and can be easily exposed through logs or API access. Option B is wrong because using a sidecar container to fetch secrets via the Kubernetes API introduces unnecessary complexity and still requires the sidecar to handle the secret data, potentially exposing it in logs or environment variables if not carefully managed. Option C is wrong because using envFrom with secretRef injects secret values as environment variables, which are often logged by applications or debugging tools (e.g., 'env' command) and can be exposed in error messages or process listings.

28
MCQ · hard

A developer has a Docker container running a database. They need to inspect the database logs to debug a connection issue. Which command will show the logs in real-time?

A. docker exec my-db tail -f /var/log/mysql
B. docker logs --tail 100 my-db
C. docker logs my-db
D. docker logs -f my-db
Answer: D

Follow mode shows logs in real-time.

Why this answer

The `docker logs -f` command attaches to the container's stdout/stderr streams and follows new output in real-time, which is exactly what is needed to debug a live connection issue. The `-f` flag (short for `--follow`) continuously prints log lines as they are written, allowing the developer to observe database connection attempts and errors as they occur.

Exam trap

Cisco often tests the distinction between `docker exec` (for running commands inside a container) and `docker logs` (for retrieving container output streams), and the trap here is that candidates may mistakenly think they need to exec into the container and use a Linux command like `tail -f` instead of using the native Docker log-following feature.

How to eliminate wrong answers

Option A is wrong because `docker exec` runs a command inside the container, but it does not access the container's log stream; it would require the database to be configured to write logs to a file at that path, and it does not provide the real-time follow behavior of `docker logs -f`. Option B is wrong because `docker logs --tail 100 my-db` shows only the last 100 lines of the log and then exits; it does not follow new log entries in real-time. Option C is wrong because `docker logs my-db` dumps the entire current log buffer to stdout and exits, providing no real-time monitoring capability.

29
MCQ · easy

A developer is creating a Dockerfile for a Python Flask application. The application runs on port 5000. Which directive should be used to document that the container listens on this port?

A. EXPOSE 5000
B. PORT 5000
C. PUBLISH 5000
D. LISTEN 5000
Answer: A

Correct. EXPOSE documents the port the container listens on.

Why this answer

The EXPOSE directive informs Docker that the container listens on specified ports at runtime. It does not actually publish the port but serves as documentation.

30
MCQ · easy

A Docker container needs to be started in detached mode with port mapping from host port 8080 to container port 80. Which command accomplishes this?

A. docker start -d -p 8080:80 myapp
B. docker run -d -p 8080:80 myapp
C. docker run -it -p 8080:80 myapp
D. docker run -d -p 80:8080 myapp
Answer: B

Correct detached mode and port mapping.

Why this answer

The -d flag runs the container in detached mode, and -p maps a host port to a container port.

31
Multi-Select · hard

Which THREE options are valid methods to expose a Kubernetes service to external traffic?

Select 3 answers
A. ExternalName
B. NodePort
C. ClusterIP
D. Ingress
E. LoadBalancer
Answers: B, D, E

NodePort exposes on node port.

Why this answer

NodePort exposes the service on each node's IP, LoadBalancer creates an external load balancer, and Ingress provides HTTP routing. ClusterIP is internal only, and ExternalName maps to a DNS record.

32
Multi-Select · medium

A developer is writing a Dockerfile for a Node.js application. Which TWO instructions are commonly used to define the command that runs when the container starts?

Select 2 answers
A. CMD
B. RUN
C. START
D. ENTRYPOINT
E. EXPOSE
Answers: A, D

CMD specifies the command to run when the container starts.

Why this answer

The CMD instruction in a Dockerfile provides default arguments for the container's entrypoint or defines the command to execute when the container starts. For a Node.js application, CMD is commonly used to specify the startup command, such as `CMD ["node", "app.js"]`, which runs the Node.js process. This instruction can be overridden at runtime by providing a command after `docker run`.

Exam trap

Cisco often tests the distinction between build-time instructions (RUN) and runtime instructions (CMD/ENTRYPOINT), and the trap here is that candidates confuse RUN (which executes during `docker build`) with CMD (which executes during `docker run`).

33
MCQ · easy

Which Docker command is used to view the logs of a running container in real-time?

A. docker inspect
B. docker ps -a
C. docker logs -f
D. docker exec -it
Answer: C

The -f flag follows log output in real-time.

Why this answer

docker logs -f follows the log output of a container, similar to tail -f.

34
Multi-Select · easy

Which TWO practices help prevent sensitive data exposure in a CI/CD pipeline? (Select two.)

Select 2 answers
A. Run dependency scanning tools (e.g., Snyk) in the pipeline.
B. Use environment variables to inject secrets at runtime.
C. Hardcode credentials in the source code for simplicity.
D. Commit .env files to the repository with dummy values.
E. Disable HTTPS to avoid certificate management overhead.
Answers: A, B

Dependency scanning identifies known vulnerabilities in libraries.

Why this answer

Using environment variables for secrets (not hardcoding) and scanning dependencies for vulnerabilities help prevent exposure.

35
MCQ · hard

A Kubernetes Service must expose a pod running a database to other pods in the same cluster, but not externally. Which Service type should be used?

A. ClusterIP
B. LoadBalancer
C. ExternalName
D. NodePort
Answer: A

ClusterIP is the default and only accessible from within the cluster.

Why this answer

ClusterIP exposes the service on a cluster-internal IP, making it accessible only within the cluster.

36
MCQ · easy

A developer runs the command: docker run -d -p 8080:80 --name web nginx. Which of the following best describes what happens?

A. The container runs in interactive mode, and port 8080 is exposed but not published.
B. The container is removed after stopping, and port mapping is automatic.
C. The container runs in the foreground, and port 80 on the host is mapped to port 8080 in the container.
D. The container runs in detached mode, and host port 8080 is mapped to container port 80.
Answer: D

Correct interpretation of flags.

Why this answer

-d runs the container detached, -p maps host port 8080 to container port 80, --name assigns the name 'web', and nginx is the image.

37
MCQ · medium

A CI/CD pipeline for a microservice application includes stages: code commit, build Docker image, push to registry, deploy to staging, run integration tests, and deploy to production. The team wants to ensure that if integration tests fail, the pipeline stops and does not proceed to production. Which CI/CD concept is used to enforce this behavior?

A. Stage gates
B. Rolling update
C. Container orchestration
D. Artifact management
Answer: A

Stage gates control progression based on conditions.

Why this answer

Stage gates are conditional checkpoints in a CI/CD pipeline that evaluate predefined criteria before allowing the pipeline to proceed to the next stage. In this scenario, the integration test stage acts as a gate: if the tests fail, the gate blocks the pipeline from advancing to the production deployment stage, ensuring only validated code reaches production.

Exam trap

Cisco often tests the distinction between pipeline control mechanisms (stage gates) and deployment strategies (rolling updates), so candidates mistakenly choose a deployment method when the question is about conditional pipeline flow.

How to eliminate wrong answers

Option B (Rolling update) is wrong because it is a deployment strategy that gradually replaces instances of an application with a new version, not a mechanism to halt a pipeline based on test results. Option C (Container orchestration) is wrong because it refers to managing container lifecycles (e.g., scaling, scheduling) using tools like Kubernetes, not to pipeline conditional logic. Option D (Artifact management) is wrong because it involves storing and versioning build outputs (e.g., Docker images) in a registry like Docker Hub or Nexus, not enforcing pipeline flow control.

38
MCQ · medium

A Kubernetes pod needs to read configuration data such as database hostname, which is non-sensitive and may change across environments. Which resource should be used to store this data and inject it into the pod?

A. Deployment
B. Secret
C. Service
D. ConfigMap
Answer: D

ConfigMap is designed for non-sensitive configuration.

Why this answer

ConfigMap stores non-sensitive configuration data. Secret stores sensitive data. Deployment and Service are for workload and networking.

39
MCQ · medium

In a Docker Compose file, you want to ensure that the 'web' service starts only after the 'db' service is healthy. Which key should you use under the 'web' service?

A. networks
B. links
C. depends_on
Answer: C

depends_on with condition: service_healthy ensures the dependent service is healthy before starting.

Why this answer

In Docker Compose, the `depends_on` key with the `condition: service_healthy` option ensures that the `web` service starts only after the `db` service has passed its health check. This is defined in the `db` service using a `healthcheck` directive, and Compose waits for the healthy state before starting dependent services.

Exam trap

The trap here is that candidates often assume `depends_on` alone (without `condition: service_healthy`) guarantees the dependent service is ready, but it only waits for the container to start, not for it to be healthy.

How to eliminate wrong answers

Option A is wrong because `networks` defines which Docker networks a service connects to, not startup ordering or dependency health. Option B is wrong because `links` is a legacy feature for network connectivity between containers (like an alias) and does not control startup order or health status; it has been superseded by user-defined networks.

40
Multi-Selectmedium

Which TWO commands are used to view information about Docker containers? (Select two.)

Select 2 answers
A.docker build
B.docker logs -f
C.docker images
D.docker volume ls
E.docker ps -a
AnswersB, E

Streams container logs for monitoring.

Why this answer

docker ps -a lists all containers (including stopped), and docker logs -f shows logs of a container.

41
MCQeasy

In a docker-compose.yaml file, which key is used to define the container image to be built from a Dockerfile in the current directory?

A.dockerfile
B.image
C.context
D.build
AnswerD

'build' specifies the build context for creating an image.

Why this answer

The 'build' key specifies the path to the Dockerfile context; 'image' specifies a pre-built image from a registry.

42
MCQeasy

In a Dockerfile, which instruction is used to set an environment variable that will be available at runtime?

A.RUN export VAR=value
B.ENV
C.LABEL
D.ARG
AnswerB

ENV sets environment variables for the container runtime.

Why this answer

ENV sets environment variables in the image that persist when the container runs.

43
MCQhard

A Kubernetes Deployment manages a set of identical pods. You update the container image to a new version. The rollout gets stuck. Which kubectl command should you use to view the rollout status and determine the cause?

A.kubectl rollout status deployment/my-deployment
B.kubectl get pods
C.kubectl describe deployment my-deployment
AnswerA

This command specifically reports the rollout status.

Why this answer

The `kubectl rollout status deployment/my-deployment` command is specifically designed to track the progress of a rollout and report its current state, including whether it is stuck or progressing. It provides real-time status updates and can surface underlying issues like image pull errors or resource constraints that cause the rollout to hang, making it the correct tool for diagnosing a stuck rollout.

Exam trap

Cisco often tests the distinction between commands that show static state (like `describe` or `get pods`) versus commands that monitor dynamic processes (like `rollout status`), trapping candidates who confuse a snapshot of resources with a live status check.

How to eliminate wrong answers

Option B is wrong because `kubectl get pods` only lists pods and their basic status (e.g., Running, Pending), but it does not show the rollout-specific progress, history, or the reason why the rollout is stuck; it lacks the context of the Deployment's rollout strategy. Option C is wrong because `kubectl describe deployment my-deployment` provides detailed configuration and event information about the Deployment, but it does not actively track or report the rollout status in real-time; it shows a snapshot of the current state rather than the progression or blockage of the rollout process.

44
MCQmedium

A developer writes a web application that accepts user input and displays it on a page. To prevent cross-site scripting (XSS), what is the most effective defense?

A.Implement output encoding when rendering user input in HTML.
B.Use parameterized queries for all database access.
C.Store user input in a secure cookie.
D.Disable JavaScript in the browser.
AnswerA

Output encoding neutralizes script injection.

Why this answer

Output encoding converts special characters (e.g., < >) to HTML entities, so the browser does not interpret them as code. Input validation alone is insufficient for XSS.

45
MCQeasy

A developer needs to enforce HTTPS for a web application. Which security measure should be implemented in the application or reverse proxy?

A.SSL/TLS termination and HTTP redirect
B.Parameterized queries
C.CORS configuration
D.Input validation
AnswerA

This ensures all HTTP traffic is redirected to HTTPS and encrypted.

Why this answer

Option A is correct because enforcing HTTPS requires the reverse proxy or application to terminate incoming SSL/TLS connections (decrypting traffic at the proxy) and then redirect any HTTP requests to HTTPS using a 301 or 302 redirect. This ensures all client traffic is encrypted in transit, meeting security best practices and compliance requirements like PCI DSS.

Exam trap

Cisco often tests the distinction between security measures that protect data in transit (HTTPS/SSL termination) versus those that protect data at rest or during processing (input validation, parameterized queries), leading candidates to confuse application-layer defenses with transport-layer encryption.

How to eliminate wrong answers

Option B is wrong because parameterized queries prevent SQL injection attacks, not enforce HTTPS encryption. Option C is wrong because CORS (Cross-Origin Resource Sharing) configuration controls which domains can access resources via browser cross-origin requests, not transport-layer encryption. Option D is wrong because input validation sanitizes user-supplied data to prevent injection or malformed input, but does not enforce encrypted communication between client and server.

46
Multi-Selectmedium

A CI/CD pipeline includes stages for security scanning. Which TWO tools or services are specifically designed for dependency vulnerability scanning?

Select 2 answers
A.Snyk
B.Kubernetes
C.Jenkins
D.Dependabot
E.Docker
AnswersA, D

Snyk is a popular dependency scanning tool.

Why this answer

Snyk is a dedicated security tool that integrates into CI/CD pipelines to scan dependencies for known vulnerabilities using databases like the National Vulnerability Database (NVD) and its own proprietary intelligence. It continuously monitors open-source libraries and container images, providing automated fix pull requests and blocking builds when critical vulnerabilities are found.

Exam trap

Cisco often tests the distinction between tools that perform a specific security function (like dependency scanning) versus general-purpose CI/CD or container tools that can only facilitate security scanning through external integrations.

47
MCQmedium

A Kubernetes environment has multiple teams sharing the same cluster. One team wants to deploy applications without interfering with other teams' resources. Which Kubernetes resource should be used to isolate the team's resources?

A.ServiceAccount
B.NodePort
C.ConfigMap
D.Namespace
AnswerD

Namespaces isolate resources.

Why this answer

Namespaces provide logical isolation within a cluster. Each team can have its own namespace with separate policies and resource quotas.

48
MCQhard

In a Docker Compose file with multiple services, one service depends on another to be healthy before starting. Which key should be used to express this dependency and ensure the dependent service is started first?

A.depends_on
B.volumes
C.networks
D.links
AnswerA

depends_on ensures services start in order.

Why this answer

depends_on in Docker Compose controls startup order. 'links' is legacy, 'networks' defines networks, 'volumes' mounts volumes.

49
MCQhard

A developer uses Kubernetes and wants to expose a deployment named 'web-app' externally via a cloud load balancer. Which Service type should be used?

A.ClusterIP
B.ExternalName
C.NodePort
D.LoadBalancer
AnswerD

Correct. LoadBalancer creates an external load balancer.

Why this answer

The LoadBalancer Service type provisions an external cloud load balancer (e.g., AWS ELB, GCP TCP/UDP Load Balancer) that routes external traffic to the 'web-app' deployment's pods. This is the only Service type that directly integrates with a cloud provider's load balancing infrastructure to expose the service externally.

Exam trap

Cisco often tests the misconception that NodePort alone provides external cloud load balancing, but NodePort only exposes the service on node IPs without cloud integration, requiring additional infrastructure for true load balancing.

How to eliminate wrong answers

Option A (ClusterIP) is wrong because it exposes the Service only on a cluster-internal IP, making it unreachable from outside the cluster. Option B (ExternalName) is wrong because it maps a Service to a DNS name (via CNAME) and does not expose any ports or pods externally. Option C (NodePort) is wrong because it exposes the Service on a static port on each node's IP, but it does not provision a cloud load balancer; it requires manual configuration and does not provide cloud-native load balancing features like health checks or auto-scaling.

50
MCQmedium

In a Kubernetes cluster, a developer needs to ensure that a set of pods can be accessed by other pods using a stable IP address and DNS name, even if pods are recreated. Which resource should be created?

A.ConfigMap
B.Namespace
C.Service
D.Deployment
AnswerC

A Service provides a stable IP and DNS name for a set of pods, abstracting pod IP changes.

Why this answer

A Service in Kubernetes provides a stable virtual IP (ClusterIP) and a DNS name (via CoreDNS) that persists across pod restarts and rescheduling. This allows other pods to reliably discover and communicate with the set of pods behind the Service, regardless of individual pod IP changes.

Exam trap

Cisco often tests the misconception that a Deployment alone provides stable networking, but a Deployment only ensures desired pod count and updates, not a fixed network identity — the Service resource is required for that.

How to eliminate wrong answers

Option A is wrong because a ConfigMap is used to inject configuration data (e.g., environment variables, files) into pods, not to provide a stable network endpoint. Option B is wrong because a Namespace is a logical isolation boundary for resources, not a mechanism for stable pod addressing or DNS. Option D is wrong because a Deployment manages pod replicas and updates but does not assign a stable IP or DNS name; pods created by a Deployment get ephemeral IPs that change on recreation.

51
MCQeasy

A developer wants to run a container in the background with port mapping and a named volume. Which command accomplishes this?

A.docker run -d -p 8080:80 -v myvol:/data --name myapp nginx
B.docker start -d -p 8080:80 -v myvol:/data --name myapp nginx
C.docker run -d -p 8080:80 --mount source=myvol,target=/data --name myapp nginx
AnswerA

All flags are correct: -d for detached, -p for port mapping, -v for volume, --name for container name.

Why this answer

Option A is correct because `docker run` creates and starts a new container, `-d` runs it in detached (background) mode, `-p 8080:80` maps host port 8080 to container port 80, `-v myvol:/data` creates or uses a named volume `myvol` mounted at `/data`, and `--name myapp` assigns a custom name. This combination fulfills all requirements: background execution, port mapping, and a named volume.

Exam trap

Cisco often tests the distinction between `docker run` (creates + starts) and `docker start` (starts existing container), and the correct syntax for `--mount` versus `-v`, tricking candidates who confuse container lifecycle commands or omit the required `type=volume` parameter.

How to eliminate wrong answers

Option B is wrong because `docker start` is used to start an existing stopped container, not to create a new one; it does not accept `-p`, `-v`, or `--name` flags for initial configuration, so it cannot set up port mapping or named volumes. Option C is wrong because while `--mount` can achieve volume mounting, the syntax `source=myvol,target=/data` is incorrect — the correct `--mount` syntax requires `type=volume` (e.g., `--mount type=volume,source=myvol,target=/data`); omitting `type=volume` causes Docker to treat the source as a bind mount path, not a named volume.

52
MCQhard

A Kubernetes pod needs to run a database that requires persistent storage. Which volume type should be used to store data that persists beyond the pod lifecycle?

A.emptyDir
B.PersistentVolumeClaim
C.configMap
D.hostPath
AnswerB

A PVC provides durable storage that persists beyond the pod.

Why this answer

PersistentVolumeClaim requests persistent storage that survives pod restarts. emptyDir is ephemeral, hostPath is tied to a node, and configMap is for configuration.

53
MCQmedium

A developer is writing a Dockerfile for a Node.js application. The application uses environment variables for configuration. Which Dockerfile instruction should be used to set a default value for the NODE_ENV variable?

A.RUN export NODE_ENV=production
B.ARG NODE_ENV=production
C.ENV NODE_ENV=production
D.CMD NODE_ENV=production
AnswerC

Correct. ENV sets environment variables that persist in the container.

Why this answer

Option C is correct because the ENV instruction sets environment variables that persist in the container at runtime, making it the appropriate way to define a default value for NODE_ENV that can be overridden later with `docker run -e`. Unlike shell-level exports or build-time-only ARGs, ENV ensures the variable is available to the Node.js process when the container starts.

Exam trap

Cisco often tests the distinction between build-time (ARG) and runtime (ENV) instructions, and the trap here is that candidates confuse ARG with ENV because both can set default values, but only ENV persists into the running container.

How to eliminate wrong answers

Option A is wrong because `RUN export` sets the variable only during the build step and does not persist into the final container image or runtime environment. Option B is wrong because ARG defines build-time variables that are not available to the running container unless explicitly passed via `--build-arg`, and they are not inherited by the runtime environment. Option D is wrong because CMD is used to provide default command arguments or an executable, not to set environment variables; it would be interpreted as a command string, not a key-value pair.

54
MCQmedium

A developer needs to store a database password securely in a Kubernetes cluster. Which resource should be used?

A.Secret
B.PersistentVolume
C.ConfigMap
D.ServiceAccount
AnswerA

Secret is the appropriate resource for storing sensitive data like passwords.

Why this answer

Secrets are designed to store sensitive information such as passwords. Their values are only base64-encoded, but the resource is intended for secret data. ConfigMaps are for non-sensitive data.

55
MCQmedium

A Kubernetes pod contains two containers that need to share a local filesystem. Which volume type should be used to enable this?

A.hostPath
B.emptyDir
C.configMap
D.persistentVolumeClaim
AnswerB

emptyDir provides a shared volume for containers within the same pod.

Why this answer

An emptyDir volume is created empty when a pod is assigned to a node and exists as long as the pod runs; it can be mounted by multiple containers within the same pod.

56
MCQmedium

A CI/CD pipeline uses GitLab CI. The pipeline must build a Docker image and then run security scans on the image before pushing. Which GitLab CI keyword allows defining a sequence of jobs that must run in order?

A.before_script
B.stages
C.only
D.image
AnswerB

Correct. stages define the sequential pipeline order.

Why this answer

The 'stages' keyword defines the order of jobs. Jobs are grouped by stage, and stages run sequentially.

57
MCQeasy

A developer creates a Dockerfile for a Python web application. Which instruction should be used to copy the application source code into the container image?

A.CMD
B.COPY
C.RUN
D.EXPOSE
AnswerB

COPY is the correct instruction to copy files into the image.

Why this answer

The COPY instruction copies files or directories from the build context into the container filesystem. RUN executes commands, EXPOSE documents ports, and CMD sets the default command.

58
Multi-Selectmedium

A Kubernetes cluster has a deployment named 'frontend' that needs to be updated to a new image version. The update should be performed with zero downtime. Which three kubectl commands or approaches can achieve this? (Choose three.)

Select 3 answers
A.kubectl set image deployment/frontend frontend=myimage:v2
B.kubectl delete deployment frontend and then create a new deployment.
C.kubectl edit deployment frontend and change the image.
D.kubectl rollout undo deployment/frontend
E.kubectl apply -f updated-frontend.yaml with the new image.
AnswersA, C, E

Directly updates the image, triggers rolling update.

Why this answer

Rolling updates can be done by editing the deployment, applying a new YAML, or using set image. kubectl edit deployment updates the live config. kubectl apply -f update.yaml applies a new manifest. kubectl set image updates the image directly. kubectl delete and create would cause downtime.

59
MCQmedium

In a Docker Compose file, a service 'web' depends on 'db'. The 'db' service uses a volume to persist data. Which compose key ensures that the database starts before the web service?

A.volumes
B.depends_on
C.links
D.networks
AnswerB

depends_on ensures startup order.

Why this answer

depends_on creates a startup order: Docker Compose starts 'db' before 'web'. It does not wait for 'db' to be ready; that requires healthchecks.

60
MCQmedium

A developer needs to view the logs of a running Docker container with ID 'abc123'. Which command should be used?

A.docker inspect abc123
B.docker exec -it abc123 logs
C.docker logs -f abc123
D.docker attach abc123
AnswerC

logs -f streams logs from the container.

Why this answer

docker logs -f follows the log output. docker exec runs a command inside a container, docker attach attaches to a running container's I/O, and docker inspect shows detailed info.

61
Multi-Selectmedium

A developer is building a web application and wants to implement security best practices. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Use parameterized queries for SQL
B.Use CSRF tokens in forms
C.Store passwords in plaintext
D.Disable HTTPS to improve performance
E.Apply output encoding to prevent XSS
AnswersB, E

Correct. CSRF tokens prevent cross-site request forgery.

Why this answer

B is correct because CSRF tokens are a standard defense against Cross-Site Request Forgery attacks. By embedding a unique, unpredictable token in each form and validating it on the server, the application ensures that requests originate from the legitimate user session, not from a malicious third-party site. This is a fundamental security best practice for web applications handling state-changing requests.

Exam trap

Cisco often tests the distinction between multiple valid security practices and forces you to select the two that are explicitly listed as correct in the answer options; the trap here is that parameterized queries (option A) are a real best practice, but the question's correct pair is B and E, so candidates who pick A instead of one of those will be wrong.

62
MCQhard

In a Jenkins declarative pipeline, a stage named 'Deploy to Production' should only run after manual approval. Which directive should be used to achieve this?

A.input
B.post
C.parallel
D.when
AnswerA

The 'input' directive pauses the pipeline and waits for user input or approval.

Why this answer

The `input` directive in a Jenkins declarative pipeline is specifically designed to pause a stage and wait for human approval before proceeding. When placed inside a stage block, it presents a message and optional parameters (like a 'Proceed' or 'Abort' button) to a user, effectively implementing a manual gate. This is the correct way to enforce manual approval before a 'Deploy to Production' stage runs.

Exam trap

Cisco often tests the distinction between `when` (which only evaluates a condition to skip a stage) and `input` (which actively pauses for human interaction), leading candidates to mistakenly choose `when` because they think 'conditional approval' is the same as 'manual approval'.

How to eliminate wrong answers

Option B is wrong because `post` defines actions to run after a stage or pipeline completes (e.g., always, success, failure), not to pause for manual approval. Option C is wrong because `parallel` is used to run multiple stages or branches concurrently, not to introduce a manual approval step. Option D is wrong because `when` controls conditional execution based on expressions or built-in conditions (like branch name), but it cannot pause the pipeline for human input; it only decides whether to skip or run the stage automatically.

63
MCQmedium

A developer needs to ensure that environment variables containing database credentials are not hardcoded in the application code. Which approach is most secure for managing secrets in a CI/CD pipeline?

A.Encrypt the .env file and commit it.
B.Store the credentials in a .env file committed to the repository.
C.Use a secrets management tool like Vault to inject secrets during deployment.
AnswerC

Vault securely manages secrets and injects them only at runtime.

Why this answer

Option C is correct because secrets management tools like HashiCorp Vault provide a centralized, encrypted store for sensitive data such as database credentials, and they inject secrets into the CI/CD pipeline at deployment time via secure APIs (e.g., Vault's HTTP API with TLS). This approach avoids storing secrets in version control, eliminates hardcoding, and supports dynamic secrets, rotation, and audit logging, which aligns with security best practices for CI/CD.

Exam trap

Cisco often tests the misconception that encrypting and committing secrets is secure, but the trap is that any encryption key stored alongside or in the pipeline can be compromised, and the encrypted file remains in version control history forever.

How to eliminate wrong answers

Option A is wrong because encrypting the .env file and committing it still stores the encrypted file in the repository, which exposes it to anyone with repository access; the encryption key must be managed separately, and if compromised, all secrets are exposed. Option B is wrong because committing a .env file with credentials to the repository directly exposes secrets in version control history, violating the principle of never storing secrets in code repositories, and any developer with access can read them.

64
MCQhard

A CI/CD pipeline using GitHub Actions needs to build a Docker image and push it to Docker Hub. Which event trigger should be used to run the workflow only when code is pushed to the main branch?

A.on: workflow_dispatch
B.on: push: branches: [ main ]
C.on: release: types: [ published ]
D.on: pull_request: branches: [ main ]
AnswerB

Correct syntax to trigger on push to main branch.

Why this answer

The 'push' event with a branch filter triggers on pushes to main. 'pull_request' triggers on PRs, 'release' triggers on releases, and 'workflow_dispatch' is a manual trigger.

65
MCQmedium

A developer needs to share a Docker image built from a Dockerfile with team members. Which command correctly builds the image and tags it as 'myapp:v1'?

A.docker build --tag myapp:v1 .
B.docker build -t myapp:v1 .
C.docker build . --name myapp:v1
AnswerB

The -t flag specifies the tag in name:tag form.

Why this answer

docker build -t myapp:v1 . builds the Docker image from the current directory and tags it as myapp:v1.

66
MCQhard

A developer wants to ensure that a containerized application restarts automatically if it exits with a non-zero code. The application is run using Docker. Which flag should be used?

A.--restart on-failure
B.--restart always
C.--restart unless-stopped
D.--restart no
AnswerA

Correct. Restarts only on non-zero exit codes.

Why this answer

The --restart flag with 'on-failure' restarts the container only if it exits with a non-zero code, which indicates an error.

67
MCQhard

A Kubernetes Deployment is configured with rolling update strategy. A new version of the image is pushed, and the deployment is updated. During the rollout, the new pods are failing health checks. Which command can be used to pause the rollout and prevent further updates?

A.kubectl rollout undo deployment/myapp
B.kubectl rollout pause deployment/myapp
C.kubectl delete deployment/myapp
D.kubectl rollout status deployment/myapp
AnswerB

Pauses the rollout, preventing further pod updates.

Why this answer

kubectl rollout pause suspends the rollout. kubectl rollout undo rolls back to the previous revision. kubectl rollout status shows status, and kubectl delete does not pause the rollout.

68
MCQmedium

A Kubernetes Deployment is updated with a new image tag, but the rollout fails. Which kubectl command should be used to view the rollout status and troubleshoot?

A.kubectl rollout status deployment/myapp
B.kubectl get events
C.kubectl describe deployment
D.kubectl logs deployment
AnswerA

This command shows the status of the rollout, including any failures.

Why this answer

kubectl rollout status shows the progress of a rollout, and kubectl rollout history shows revisions.

69
MCQmedium

A developer is writing a Dockerfile for a Node.js application. They want to set a build-time variable for the application version that can be changed without modifying the Dockerfile. Which instruction should be used?

A.RUN
B.ARG
C.ENV
D.CMD
AnswerB

ARG defines build-time variables that can be overridden.

Why this answer

ARG allows passing build-time variables. ENV sets environment variables that persist in the container. CMD and RUN are not for variable definition.

70
MCQhard

A developer notices that after a new deployment, the application is not receiving traffic. The Service selector does not match the pod labels. Which kubectl command can be used to inspect the Service's selector?

A.kubectl describe service my-service
B.kubectl exec service/my-service -- cat /etc/hosts
C.kubectl get service my-service -o yaml
D.kubectl logs service/my-service
AnswerA

kubectl describe provides detailed information including selector.

Why this answer

The `kubectl describe service my-service` command displays detailed information about the Service, including its selector field, which defines the label key-value pairs used to match pods. This allows the developer to directly compare the selector against the pod labels to identify the mismatch. It is the most straightforward way to inspect the selector without needing to parse raw YAML or execute commands inside the service.

Exam trap

Cisco often tests the distinction between commands that operate on resources (like Services) versus those that operate on pods or containers, leading candidates to mistakenly choose `kubectl exec` or `kubectl logs` for a Service.

How to eliminate wrong answers

Option B is wrong because `kubectl exec` runs a command inside a container, but a Service is not a pod or container; it is an abstract resource, so `kubectl exec service/my-service` is invalid and will fail. Option C is wrong because while `kubectl get service my-service -o yaml` does show the selector in the output, it is not the most direct or recommended command for inspecting the selector alone; `kubectl describe` provides a more human-readable summary. Option D is wrong because `kubectl logs` retrieves logs from a pod or container, not from a Service, and a Service does not generate logs; this command would result in an error.

71
MCQmedium

A team uses a Jenkins declarative pipeline to deploy a microservice. The pipeline includes stages: Checkout, Build Docker Image, Run Unit Tests, Push to Registry, Deploy to Staging, and Deploy to Production. Which stage should run immediately after 'Build Docker Image' to ensure code quality before the image is pushed?

A.Deploy to Staging
B.Run Unit Tests
C.Deploy to Production
D.Push to Registry
AnswerB

Correct. Unit tests should run after the build to validate the code before pushing.

Why this answer

After building the Docker image, the next logical step is to run unit tests to verify code quality before pushing the image to a registry.

72
MCQeasy

You are writing a Dockerfile. Which instruction should you use to set the working directory for subsequent RUN, CMD, ENTRYPOINT, COPY, and ADD instructions?

A.WORKDIR /app
B.RUN cd /app
C.ENV WORKDIR=/app
AnswerA

WORKDIR sets the working directory for all subsequent Dockerfile instructions.

Why this answer

The WORKDIR instruction in a Dockerfile sets the working directory for any subsequent RUN, CMD, ENTRYPOINT, COPY, and ADD instructions. This ensures that commands execute from that directory and that COPY/ADD paths are resolved relative to it. Option A is correct because WORKDIR is the only Dockerfile instruction designed specifically for this purpose.

Exam trap

Cisco often tests the distinction between RUN cd (which is ephemeral) and WORKDIR (which is persistent), leading candidates to mistakenly think a shell cd command can set the working directory for all subsequent instructions.

How to eliminate wrong answers

Option B is wrong because RUN cd /app only changes the directory for that single RUN command; it does not persist for subsequent instructions like COPY, CMD, or ENTRYPOINT. Option C is wrong because ENV sets an environment variable named WORKDIR with the value /app, but it does not change the working directory for Dockerfile instructions; the WORKDIR instruction must be used explicitly.

73
Multi-Selectmedium

Which TWO actions are best practices for managing secrets in a CI/CD pipeline?

Select 2 answers
A.Use long-lived static passwords for service accounts
B.Store secrets as environment variables from a .env file not committed to version control
C.Hardcode secrets directly in application code for ease of access
D.Store secrets in a configuration file stored in the git repository
E.Use a dedicated secrets management tool such as HashiCorp Vault
AnswersB, E

Keeps secrets out of git.

Why this answer

Loading environment variables from .env files that are not committed to version control and using a secrets vault (like HashiCorp Vault) are recommended. Hardcoding secrets in code, storing them in config files in git, and using long-lived passwords are insecure.

74
Multi-Selectmedium

A developer is using Docker Compose to run a multi-service application. Which THREE keys are valid top-level keys in a docker-compose.yml file? (Choose three.)

Select 3 answers
A.volumes
B.environment
C.ports
D.services
E.networks
AnswersA, D, E

Correct. volumes is a top-level key for defining named volumes.

Why this answer

Services, networks, and volumes are top-level keys in Docker Compose. Ports is a key within a service definition, not top-level.

75
MCQmedium

A developer needs to apply a Kubernetes deployment manifest from a file named 'deployment.yaml'. Which kubectl command should be used?

A.kubectl apply -f deployment.yaml
B.kubectl create deployment.yaml
C.kubectl describe -f deployment.yaml
D.kubectl get -f deployment.yaml
AnswerA

apply creates or updates resources from file.

Why this answer

kubectl apply -f creates or updates resources from a file. get, describe, and create are not used for applying manifests.
