Certified Kubernetes Administrator CKA (CKA) — Questions 826900

1005 questions total · 14pages · All types, answers revealed

Page 11

Page 12 of 14

Page 13
826
MCQmedium

You are troubleshooting DNS resolution from within a pod. You exec into the pod and run 'nslookup kubernetes.default.svc.cluster.local'. The command fails with 'connection timed out; no servers could be reached'. However, 'kubectl get svc -n kube-system' shows the kube-dns service with a ClusterIP. What is the MOST likely cause?

A.The CoreDNS pods are not running or are crashing
B.The pod's /etc/resolv.conf has incorrect search domains
C.A network policy is blocking traffic to the kube-dns service
D.The DNS name does not exist
AnswerA

If CoreDNS pods are down, the DNS service has no endpoints, causing connection timeouts. Check with 'kubectl get pods -n kube-system'.

Why this answer

Option A is correct. The failure to reach any DNS server suggests that the CoreDNS pod(s) may not be running or are not accessible. Option B would cause a different error (NXDOMAIN).

Option C would not cause a timeout; the pod would still be able to reach the DNS server but get no answer. Option D is a connectivity issue to the ClusterIP, but the timeout suggests the DNS server is not reachable, which points to the pods not running.

827
MCQeasy

During a 'kubeadm init', the administrator sees the message 'Your Kubernetes control-plane has been initialized successfully!' but the 'kubectl get nodes' shows the control plane node as 'NotReady'. What is the most likely missing step?

A.Generate a join token for worker nodes.
B.Install a CNI plugin such as Calico or Flannel.
C.Copy the kubeconfig to the user's home directory.
D.Check that the kubelet is running on the control plane node.
AnswerB

Without a CNI plugin, node condition stays NotReady.

Why this answer

The 'NotReady' status indicates that the kubelet on the control plane node is running but cannot report readiness because the node's network is not configured. A CNI plugin (e.g., Calico, Flannel, Weave) must be installed to set up the pod network, which is required for the kubelet to register the node as 'Ready'. Without a CNI plugin, the node's network conditions remain unmet, and the control plane cannot function properly.

Exam trap

The trap here is that candidates often assume 'kubeadm init' success means the cluster is fully functional, but they overlook the mandatory post-init step of installing a CNI plugin to make the node 'Ready'.

How to eliminate wrong answers

Option A is wrong because generating a join token for worker nodes is only needed after the control plane is fully operational and ready to accept worker nodes; it does not affect the control plane node's own readiness. Option C is wrong because copying the kubeconfig to the user's home directory enables 'kubectl' access but does not resolve the underlying network issue causing the node to be 'NotReady'. Option D is wrong because the 'kubeadm init' success message implies the kubelet is running; if it were not, the initialization would have failed or the node would show a different status (e.g., 'Unknown').

828
MCQmedium

You initialize a cluster with 'kubeadm init' and want to join a worker node. What is the correct command to generate the join command?

A.kubeadm token create --print-join-command
B.kubeadm join --token <token> <control-plane>:6443
C.kubeadm init phase upload-config kubelet
D.kubeadm token list
AnswerA

This generates and prints the full join command with token and CA hash.

Why this answer

Option A is correct because `kubeadm token create --print-join-command` generates a new bootstrap token and immediately outputs the full `kubeadm join` command, including the token, control-plane endpoint, and discovery token CA cert hash. This is the recommended way to obtain a ready-to-use join command after initializing the cluster with `kubeadm init`.

Exam trap

The trap here is that candidates often assume `kubeadm token list` (Option D) is sufficient to get the join command, but it only shows existing tokens without the required CA cert hash, leading to an incomplete or insecure join attempt.

How to eliminate wrong answers

Option B is wrong because it is an incomplete join command — it lacks the `--discovery-token-ca-cert-hash` flag, which is required for secure discovery of the control plane's CA certificate. Option C is wrong because `kubeadm init phase upload-config kubelet` only uploads the kubelet configuration to a ConfigMap; it does not generate or print a join command. Option D is wrong because `kubeadm token list` only displays existing tokens without printing the full join command, and it does not create a new token if none exist.

829
MCQmedium

Which kubeconfig context is currently active?

A.kubectl config view
B.kubectl cluster-info
C.kubectl config get-contexts
D.kubectl config current-context
AnswerD

Directly shows current context.

Why this answer

Option D is correct because `kubectl config current-context` is the dedicated kubectl command that displays the name of the currently active context from the kubeconfig file. The active context determines which cluster, user, and namespace are used by default for kubectl commands, making this the precise way to identify the active context.

Exam trap

The trap here is that candidates often confuse `kubectl config get-contexts` (which shows all contexts with an asterisk on the active one) with a command that directly outputs only the active context, leading them to choose option C instead of the more precise D.

How to eliminate wrong answers

Option A is wrong because `kubectl config view` displays the entire kubeconfig file contents (clusters, users, contexts) but does not explicitly indicate which context is currently active; it requires manual inspection to find the `current-context` field. Option B is wrong because `kubectl cluster-info` shows information about the cluster the current context points to (e.g., control plane endpoints), not the name of the active context itself. Option C is wrong because `kubectl config get-contexts` lists all available contexts and marks the active one with an asterisk (*) in the output, but it does not directly output just the active context name; it requires parsing the list.

830
Multi-Selecthard

Which THREE are correct ways to configure a default deny all ingress traffic NetworkPolicy? (Choose 3)

Select 3 answers
A.A NetworkPolicy with podSelector: {} and an ingress rule with from: []
B.A NetworkPolicy with podSelector: {} and an ingress rule with from: [{}]
C.A NetworkPolicy with podSelector: {} and ingress: []
D.A NetworkPolicy with podSelector: {} and no rules at all (only metadata and spec)
E.A NetworkPolicy with podSelector: {} and no ingress rules
AnswersC, D, E

Setting ingress to an empty list is equivalent to having no ingress rules.

Why this answer

A policy with an empty podSelector that allows no ingress. Options with rules allow some traffic. Correct ways are those with no ingress rules.

831
MCQeasy

Which command shows the logs of a pod that has crashed and restarted?

A.kubectl logs pod-name --previous
B.kubectl logs pod-name
C.kubectl logs pod-name -c container-name
D.kubectl describe pod pod-name
AnswerA

Displays logs from the previous terminated container.

Why this answer

kubectl logs --previous shows logs from the previous container instance.

832
MCQmedium

A cluster uses Flannel as the CNI plugin. Which of the following best describes Flannel's networking model?

A.It requires an external etcd to store network state.
B.It uses BGP to distribute routes across the cluster.
C.It provides network policies with full support for ingress and egress rules.
D.It assigns a /24 subnet to each node and uses VXLAN encapsulation.
AnswerD

Flannel typically assigns a subnet per node and uses VXLAN or host-gw for overlay.

833
Multi-Selectmedium

Which TWO of the following are components of the Ingress API? (Select TWO.)

Select 2 answers
A.rules
B.IngressClass
C.Service
D.Endpoints
E.tls
AnswersA, E

Ingress rules define how to route traffic based on host and path.

Why this answer

Ingress has rules (host, paths, backend) and optionally TLS configuration. IngressClass defines which controller serves the Ingress. Service and Endpoints are separate resources.

834
MCQmedium

A Kubernetes cluster has a Service of type ClusterIP named 'my-svc' in the 'default' namespace. You deploy a pod and want it to resolve the service's cluster IP using DNS. What FQDN should the pod use?

A.my-svc.default.pods.cluster.local
B.my-svc.cluster.local
C.my-svc.default.svc.cluster.local
D.my-svc.default.svc.cluster.com
AnswerC

This is the standard FQDN for a service in Kubernetes.

Why this answer

The correct FQDN for a service in Kubernetes is <service>.<namespace>.svc.cluster.local. Option A is correct. Option B uses the wrong namespace suffix.

Option C uses svc.cluster.com, which is incorrect. Option D uses pods.cluster.local, which is for pod DNS, not services.

835
MCQmedium

You need to back up etcd data for a cluster running Kubernetes v1.29. Which command correctly creates a snapshot?

A.kubectl etcd snapshot save /backup/snapshot.db
B.etcdctl backup /backup/snapshot.db
C.ETCDCTL_API=2 etcdctl snapshot save /backup/snapshot.db
D.ETCDCTL_API=3 etcdctl snapshot save /backup/snapshot.db
AnswerD

Correct API version and command.

Why this answer

Option D is correct because etcd v3 is the default and supported version in Kubernetes v1.29, and the `ETCDCTL_API=3` environment variable ensures the etcdctl client uses the v3 API, which provides the `snapshot save` command for creating consistent backups. The command `ETCDCTL_API=3 etcdctl snapshot save /backup/snapshot.db` correctly captures a point-in-time snapshot of the etcd data store, which is essential for disaster recovery.

Exam trap

The trap here is that candidates confuse the deprecated etcd v2 API (which uses `etcdctl backup`) with the v3 API (which uses `etcdctl snapshot save`), and they may forget to set `ETCDCTL_API=3` or incorrectly assume `kubectl` can manage etcd snapshots.

How to eliminate wrong answers

Option A is wrong because `kubectl etcd snapshot save` is not a valid kubectl command; kubectl does not have an `etcd` subcommand—etcd operations must be performed using the etcdctl binary directly. Option B is wrong because `etcdctl backup` is not a valid command in either etcd v2 or v3; the correct command for creating a snapshot is `etcdctl snapshot save`, and the `backup` subcommand does not exist. Option C is wrong because `ETCDCTL_API=2` forces the use of the deprecated etcd v2 API, which does not support the `snapshot save` command—the v2 API only offers `etcdctl backup` (which is a different, less reliable mechanism) and is not compatible with Kubernetes v1.29 clusters that use etcd v3.

836
MCQhard

Which of the following CNI plugins typically uses BGP to distribute routing information across nodes?

A.Calico
B.Flannel
C.Weave
D.Cilium
AnswerA

Calico uses BGP for routing pod IPs across the network.

Why this answer

Calico uses BGP to announce pod IP routes to the network, enabling direct routing between pods across nodes without overlays.

837
Multi-Selectmedium

Which TWO statements about Kubernetes pod lifecycle and scheduling are correct? (Select two.)

Select 2 answers
A.Init containers always run before app containers and must complete successfully for the pod to start.
B.A pod with a nodeSelector that does not match any node will be evicted from the cluster.
C.If a pod with higher priority is pending and there are no resources, it will preempt pods with equal or lower priority.
D.Static pods are created by the API server based on a manifest file in the kubelet's manifest directory.
E.DaemonSet pods are scheduled on all nodes, including nodes that are tainted, as long as the pod tolerates the taint.
AnswersA, E

Init containers run sequentially and must finish before app containers start.

Why this answer

Init containers are specialized containers that run before any app containers in a pod. They must complete successfully (exit with code 0) before the pod's app containers are started. If an init container fails, Kubernetes restarts it until it succeeds, and the pod will not enter the Running phase until all init containers have succeeded.

This is defined in the pod spec under `initContainers` and is a core mechanism for setup tasks like waiting for a service or database to be ready.

Exam trap

CNCF often tests the distinction between static pods (kubelet-created) and regular pods (API server-created), and the trap here is that candidates confuse the kubelet's manifest directory with the API server's pod creation mechanism.

838
MCQmedium

To check the expiration date of all certificates managed by kubeadm, which command should you run?

A.kubectl get certificates
B.kubeadm certs check-expiration
C.kubeadm certs renew
D.kubeadm alpha certs check-expiration
AnswerB

Correct: displays expiration dates of kubeadm-managed certificates.

Why this answer

Option B is correct because `kubeadm certs check-expiration` is the dedicated kubeadm command to display expiration dates for all certificates managed by kubeadm in the cluster. This command reads the certificate files from the default kubeadm certificate directory (typically `/etc/kubernetes/pki`) and parses their `NotAfter` field to show remaining validity.

Exam trap

The trap here is that candidates confuse `kubeadm certs check-expiration` with `kubeadm alpha certs check-expiration` (option D) from older kubeadm versions, or mistakenly think `kubectl` can inspect filesystem certificates (option A), when in fact only the `kubeadm` CLI with the correct subcommand can perform this check.

How to eliminate wrong answers

Option A is wrong because `kubectl get certificates` does not exist; `kubectl` manages Kubernetes API resources, not filesystem certificates, and there is no built-in resource named 'certificates' for this purpose. Option C is wrong because `kubeadm certs renew` is used to renew certificates, not to check their expiration dates; it performs the renewal action but does not display current expiration information. Option D is wrong because `kubeadm alpha certs check-expiration` was a legacy command from older kubeadm versions (pre-1.15) that used the `alpha` subcommand, but the `alpha` prefix was removed in later releases; the correct command is `kubeadm certs check-expiration` without `alpha`.

839
MCQeasy

Which command shows resource usage (CPU/memory) of all pods in the default namespace?

A.kubectl describe pods
B.kubectl logs pods
C.kubectl top pods
D.kubectl get pods -o wide
AnswerC

Correct. kubectl top pods shows pod resource usage.

Why this answer

kubectl top pod shows CPU and memory metrics for pods.

840
MCQhard

A team is configuring etcd for a multi-node Kubernetes cluster. They want to ensure that etcd data is encrypted at rest. Which approach should they use?

A.Use LUKS to encrypt the disk partition where etcd data is stored.
B.Create an EncryptionConfiguration resource specifying a provider like 'aescbc' and configure the kube-apiserver with --encryption-provider-config.
C.Use TLS certificates to encrypt communication between etcd and the API server.
D.Configure etcd to use encryption at rest by setting --experimental-encryption-provider.
AnswerB

This is the standard Kubernetes method for encrypting secrets at rest.

Why this answer

Option B is correct because Kubernetes supports encrypting secrets and other resources at rest via an EncryptionConfiguration object, which is passed to the kube-apiserver using the --encryption-provider-config flag. This mechanism encrypts data before it is written to etcd, ensuring that even if the etcd storage is compromised, the data remains unreadable without the encryption key.

Exam trap

The trap here is confusing encryption at rest (data on disk) with encryption in transit (TLS), leading candidates to select TLS-based options, or assuming that etcd itself handles encryption at rest when it is actually the kube-apiserver that performs the encryption before writing to etcd.

How to eliminate wrong answers

Option A is wrong because LUKS encrypts the entire disk partition at the filesystem level, which is a valid approach for encrypting etcd data at rest, but the question asks which approach the team should use in the context of a Kubernetes cluster; the recommended and Kubernetes-native method is to use the EncryptionConfiguration resource, not an OS-level disk encryption tool. Option C is wrong because TLS certificates encrypt data in transit between etcd and the API server, not at rest; encryption at rest protects data when it is stored on disk, not during network communication. Option D is wrong because etcd does not have an --experimental-encryption-provider flag; encryption at rest is configured on the kube-apiserver side, not on etcd itself.

841
Multi-Selecthard

An administrator wants to configure a StatefulSet with persistent storage using volumeClaimTemplates. Which THREE statements are correct?

Select 3 answers
A.The PVC names are generated as '<volumeClaimTemplate-name>-<statefulset-name>-<ordinal>'.
B.All replicas share the same PVC if volumeClaimTemplates is used.
C.When the StatefulSet is scaled down, the PVCs are not automatically deleted.
D.Each replica of the StatefulSet gets its own PVC created from the template.
E.The reclaim policy for the volumes is defined in the volumeClaimTemplates.
AnswersA, C, D

Kubernetes uses this naming convention for StatefulSet PVCs.

Why this answer

volumeClaimTemplates generate unique PVCs for each replica (A). The PVs are retained when scaling down (B). StatefulSet uses ordinal naming, and PVC names include the pod name (C). volumeClaimTemplates does not create a single shared PVC (D), and the reclaim policy is specified in the StorageClass or PV, not in the StatefulSet (E).

842
MCQeasy

Which of the following is a valid use case for a Headless Service?

A.To provide a stable IP address for a deployment
B.To enable DNS-based service discovery for stateful applications like StatefulSets
C.To load balance traffic across pods using iptables
D.To allow external traffic to reach pods without a load balancer
AnswerB

Headless Services allow each pod to have a DNS name, useful for StatefulSets.

Why this answer

Headless Services are used for stateful applications like databases where each pod needs a unique network identity, often used with StatefulSets.

843
MCQmedium

A node in your cluster is marked as NotReady. You SSH into the node and run 'systemctl status kubelet'. The output shows the kubelet is inactive (dead). What should you do FIRST to restore the node?

A.Reboot the node
B.Delete the node object from the cluster
C.Run 'systemctl start kubelet'
D.Reinstall the kubelet package
AnswerC

Starting the kubelet service will bring the node back to Ready.

Why this answer

The kubelet service is stopped. The first step is to start it with 'systemctl start kubelet'. If it fails to start, further investigation with journalctl is needed.

844
MCQmedium

In a Kubernetes cluster using CoreDNS, what is the DNS name for a Service named 'api' in namespace 'backend'?

A.backend.api.svc.cluster.local
B.api.backend.svc.cluster.local
C.api.backend.cluster.local
D.api.svc.backend.cluster.local
AnswerB

Correct format: <service>.<namespace>.svc.cluster.local.

Why this answer

The FQDN format is <service>.<namespace>.svc.cluster.local.

845
MCQmedium

You need to view the logs of the previous instance of a container in a pod. Which command is correct?

A.kubectl describe pod <pod-name>
B.kubectl exec <pod-name> -- cat /var/log/previous.log
C.kubectl logs <pod-name> -c <container-name> --previous
D.kubectl logs <pod-name> --all-containers --previous
AnswerC

The --previous flag combined with -c shows logs of the previous instance of a specific container.

Why this answer

Option A is correct. kubectl logs with --previous retrieves logs from the previous container instance. Option B is also plausible but the question expects the most direct command with container name.

846
MCQeasy

Which command lists all events in the cluster sorted by timestamp?

A.kubectl get events --watch
B.kubectl logs --events
C.kubectl describe events
D.kubectl get events --sort-by=.metadata.creationTimestamp
AnswerD

This sorts events by creation timestamp.

Why this answer

'kubectl get events --sort-by=.metadata.creationTimestamp' shows events sorted by creation time. Alternatively, 'kubectl get events -w' watches events but does not sort.

847
Multi-Selectmedium

Which TWO of the following are valid fields in a PodSpec for defining init containers?

Select 1 answer
A.initContainers
B.volumes
C.imagePullSecrets
D.restartPolicy
E.containers
AnswersA

This field defines init containers.

Why this answer

Init containers are defined under spec.initContainers (not spec.containers which is for regular containers). The field spec.initContainers is a list of container objects. Option B is correct (initContainers).

Option A (containers) is for regular containers. Option C (volumes) is for volumes. Option D (imagePullSecrets) is for pulling images.

Option E (restartPolicy) is a pod-level field.

848
MCQeasy

Which of the following is NOT a control plane component?

A.kube-apiserver
B.kube-controller-manager
C.kube-scheduler
D.kubelet
AnswerD

kubelet runs on each node, not the control plane.

Why this answer

The kubelet is the primary node agent that runs on each worker node, not on the control plane. It is responsible for ensuring that containers are running in a Pod as expected by interacting with the container runtime (e.g., containerd or CRI-O). Control plane components are those that manage the cluster's state and scheduling decisions, which run on the control plane nodes.

Exam trap

The trap here is that candidates confuse the kubelet's presence on control plane nodes (since it runs there too) with being a control plane component, but the kubelet is a node agent, not a control plane service.

How to eliminate wrong answers

Option A is wrong because kube-apiserver is the front-end for the Kubernetes control plane, exposing the Kubernetes API and handling all RESTful requests to validate and configure cluster objects. Option B is wrong because kube-controller-manager runs controller processes (e.g., Node Controller, Replication Controller) that regulate cluster state by watching the API server for changes. Option C is wrong because kube-scheduler is responsible for assigning newly created Pods to nodes based on resource availability, policies, and constraints, making it a core control plane component.

849
MCQeasy

You want to temporarily access a pod's HTTP endpoint on port 8080 from your local machine on port 9090. Which command should you use?

A.kubectl exec -it my-pod -- /bin/bash
B.kubectl proxy --port=9090
C.kubectl expose pod my-pod --port=9090 --target-port=8080
D.kubectl port-forward pod/my-pod 9090:8080
AnswerD

This forwards local port 9090 to pod port 8080.

Why this answer

kubectl port-forward forwards a local port to a pod port.

850
Multi-Selectmedium

Which TWO of the following will cause a pod to be rescheduled to a different node? (Select TWO.)

Select 2 answers
A.Node has a taint with effect NoExecute
B.The pod's resource requests are increased
C.The pod's node affinity is updated
D.Node has a taint with effect NoSchedule
E.A higher-priority pod preempts the current pod
AnswersA, E

NoExecute evicts pods that do not tolerate the taint, causing rescheduling.

Why this answer

Option A is correct because a taint with effect NoExecute evicts existing pods that do not tolerate the taint, causing them to be rescheduled to a different node. This is a core Kubernetes scheduling behavior where the kubelet on the tainted node terminates the pod, and the scheduler then places it on a suitable node.

Exam trap

The trap here is confusing NoExecute (which evicts existing pods) with NoSchedule (which only blocks new pods), leading candidates to incorrectly select NoSchedule as a cause for rescheduling.

851
MCQhard

A Job named 'pi' runs a container that computes pi to 2000 digits. The Job's spec has completions=3 and parallelism=2. After some time, you observe that two pods completed successfully, and the third pod is still running. What is the expected behavior when the third pod completes?

A.The Job will be marked as Complete
B.The Job will restart the completed pods
C.The Job will continue to run new pods indefinitely
D.The Job will be marked as Failed because parallelism is not fully utilized
AnswerA

Correct. Once the required number of completions is reached, the Job completes.

Why this answer

Option A is correct because a Job with `completions=3` and `parallelism=2` is considered complete when the required number of successful pod completions (3) is reached. Since two pods have already completed and the third is still running, once it finishes successfully, the total successful completions will equal the `completions` value, and the Job controller will mark the Job as Complete. The Job does not require all pods to run concurrently or finish simultaneously.

Exam trap

The trap here is that candidates often confuse `parallelism` with a requirement for all parallel pods to finish, or think that a Job must have all pods running concurrently to succeed, leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B is wrong because completed pods in a Job are not restarted; the Job controller only creates new pods to meet the `completions` count, and once the count is met, no further pods are created or restarted. Option C is wrong because a Job does not run new pods indefinitely; it stops creating pods once the `completions` threshold is reached, unless the `backoffLimit` is exhausted or the Job is configured with `spec.ttlSecondsAfterFinished`. Option D is wrong because the Job is not marked as Failed due to partial parallelism utilization; parallelism only controls the maximum number of pods running concurrently, and the Job can succeed even if parallelism is not fully used at all times.

852
MCQmedium

You run 'kubectl get nodes' and one node shows 'NotReady'. Which command should you run first to check the kubelet status on that node?

A.journalctl -u kubelet
B.kubectl describe node <node-name>
C.cat /var/log/syslog | grep kubelet
D.systemctl status kube-apiserver
AnswerA

Correct. This shows kubelet logs.

Why this answer

The kubelet is responsible for node status. On the node, you can check its logs with journalctl.

853
MCQhard

A pod is not able to communicate with another pod in the same namespace. Both pods are running and have IP addresses. Which command can you use to test connectivity from the first pod to the second pod's IP?

A.kubectl exec first-pod -- ping <second-pod-ip>
B.kubectl logs first-pod
C.kubectl top pod first-pod
D.kubectl exec second-pod -- ping <first-pod-ip>
AnswerA

This runs ping from inside the first pod to the IP of the second pod, testing layer 3 connectivity.

Why this answer

'kubectl exec' allows running commands inside a container, such as ping or curl to test connectivity.

854
MCQhard

A user reports that they can't authenticate to the cluster using a kubeconfig file. Running 'kubectl config view' shows the current context points to a user with client certificate and key. Which command checks the expiration date of the client certificate?

A.kubeadm upgrade plan --certificate-expiration
B.kubectl config view --raw | grep client-certificate
C.openssl x509 -in /etc/kubernetes/admin.conf -text -noout
D.kubeadm certs check-expiration
AnswerD

This command displays expiration dates for all certificates managed by kubeadm.

Why this answer

Option D is correct because `kubeadm certs check-expiration` is the dedicated kubeadm command to display expiration dates for all PKI certificates in the cluster, including the client certificate used by the user's kubeconfig. This command parses the certificates directly from the `/etc/kubernetes/pki` directory and shows remaining validity, making it the precise tool for this scenario.

Exam trap

The trap here is that candidates confuse the kubeconfig file (a YAML configuration) with a certificate file, leading them to incorrectly use `openssl` directly on the kubeconfig or grep for the certificate data without parsing its expiration.

How to eliminate wrong answers

Option A is wrong because `kubeadm upgrade plan --certificate-expiration` is not a valid flag; `kubeadm upgrade plan` shows upgrade options, not certificate expiration. Option B is wrong because `kubectl config view --raw | grep client-certificate` only outputs the path or base64-encoded certificate data, not the expiration date; it does not decode or parse the certificate. Option C is wrong because `openssl x509 -in /etc/kubernetes/admin.conf -text -noout` attempts to read a kubeconfig file as a certificate, but `admin.conf` is a YAML file, not a PEM-encoded certificate; the command would fail or produce garbage.

855
Multi-Selectmedium

Your cluster has three control plane nodes. You suspect the etcd cluster has a leader election issue. Which TWO commands can help diagnose the etcd cluster health and membership? (Choose TWO.)

Select 2 answers
A.etcdctl cluster-status
B.etcdctl version
C.etcdctl endpoint health --cluster
D.etcdctl snapshot save snapshot.db
E.etcdctl member list
AnswersC, E

Checks health of all endpoints in the cluster.

Why this answer

Option C is correct because `etcdctl endpoint health --cluster` queries the health status of all etcd endpoints in the cluster, which directly reveals if any node is unreachable or unhealthy—a common symptom of leader election issues. Option E is correct because `etcdctl member list` displays the current cluster membership, including each member's ID, name, peer URLs, and client URLs, allowing you to verify that all expected control plane nodes are properly joined and that no split-brain or quorum loss has occurred.

Exam trap

The trap here is that candidates may confuse `etcdctl cluster-status` (which does not exist) with the valid `etcdctl endpoint status` command, or they may think snapshot commands are diagnostic tools rather than backup utilities.

856
MCQhard

You cannot reach a service by its DNS name from within a pod. Running 'kubectl exec -it dnsutils -- nslookup myservice' returns 'server can't find myservice: NXDOMAIN'. Which of the following is the MOST probable cause?

A.The service is in a different namespace and you are not using the fully qualified name
B.The pod's resolv.conf is missing the cluster domain
C.CoreDNS is configured with a custom upstream DNS server
D.The kube-dns pod is not running
AnswerA

DNS names are namespace-scoped. Use 'myservice.namespace.svc.cluster.local'.

Why this answer

The service exists but DNS resolution fails, often because the service is in a different namespace and the DNS query uses only the bare name.

857
MCQmedium

You have two Pods in different namespaces. Pod A (namespace: frontend) cannot reach Pod B (namespace: backend) via the ClusterIP service 'backend-svc' in the backend namespace. Which command should you use from within Pod A to test connectivity?

A.kubectl exec pod-a -n frontend -- curl http://backend-svc.backend.svc.cluster.local:80
B.kubectl exec pod-a -n frontend -- ping backend-svc.backend.svc.cluster.local
C.kubectl exec pod-a -n frontend -- curl http://backend-svc:80
D.kubectl exec pod-a -n frontend -- curl http://backend-svc.backend:80
AnswerA

This uses the full DNS name to access the service via HTTP.

Why this answer

Option C is correct. To test connectivity to a service, use the full DNS name including namespace: <service>.<namespace>.svc.cluster.local. Option A uses incorrect format.

Option B uses ping which tests ICMP, not TCP/UDP. Option D uses the service name without namespace, which may not resolve across namespaces.

858
MCQmedium

Which kubectl command correctly retrieves the list of EndpointSlices for a Service named 'my-svc' in the 'default' namespace?

A.kubectl get endpoints my-svc -n default
B.kubectl describe svc my-svc -n default
C.kubectl get endpointslice -n default --selector=kubernetes.io/service-name=my-svc
D.kubectl get endpointslices my-svc -n default
AnswerC

Correct: use label selector to filter EndpointSlices by Service name.

Why this answer

The command 'kubectl get endpointslices -l kubernetes.io/service-name=my-svc -n default' lists EndpointSlices for that Service. EndpointSlices are labeled with the Service name.

859
Multi-Selecteasy

Which TWO of the following are valid methods to troubleshoot a pod that is stuck in 'Pending' state?

Select 2 answers
A.Run 'kubectl describe pod <pod-name>' and check the Events section.
B.Run 'kubectl logs <pod-name>' to view application logs.
C.Run 'kubectl exec -it <pod-name> -- /bin/sh' to inspect the container.
D.Run 'kubectl top pod <pod-name>' to check resource usage.
E.Run 'kubectl get events --sort-by=.metadata.creationTimestamp' to see recent cluster events.
AnswersA, E

Events show scheduling failures.

Why this answer

A is correct because 'kubectl describe pod <pod-name>' displays the Events section, which includes detailed reasons for a pod being stuck in Pending state, such as insufficient CPU/memory, persistent volume claims not binding, or node selector mismatches. This is the primary diagnostic command for understanding scheduling failures.

Exam trap

CNCF often tests the misconception that 'kubectl logs' or 'kubectl exec' can be used on any pod regardless of its lifecycle phase, but these commands require a running container, which does not exist in a Pending pod.

860
MCQmedium

You run 'kubectl get pods' and see a pod in 'CrashLoopBackOff'. You want to see the logs of the last crashed instance. Which command should you run?

A.kubectl logs pod-name --previous
B.kubectl logs pod-name --all-containers
C.kubectl logs pod-name -p
D.kubectl logs pod-name
AnswerA

Correct. The --previous flag retrieves logs from the previous instance.

Why this answer

Correct answer is A. 'kubectl logs pod-name --previous' shows logs of the previous container instance. Option B shows current logs. Option C is incorrect flag.

Option D shows logs of all containers, not previous.

861
MCQmedium

Refer to the exhibit. A pod named nginx-pod is stuck in Pending state. Based on the describe output, what is the most likely cause?

A.The pod's resource requests exceed available capacity.
B.All nodes have taints that the pod does not tolerate.
C.The pod has a node selector that doesn't match any node.
D.The scheduler is not running properly.
AnswerB

Correct. The event message explicitly states that all nodes have untolerated taints, preventing scheduling.

Why this answer

The pod cannot be scheduled because all nodes have taints that the pod does not tolerate. The events show both 'not-ready' and 'unreachable' taints. However, 'kubectl get nodes' shows all nodes as Ready.

This suggests a mismatch: the node conditions may have changed after the pod was created, or the scheduler's cache is stale. But the immediate reason is the taints.

862
MCQhard

You have a Deployment with three replicas. After a rolling update, all pods are in 'CrashLoopBackOff'. You want to revert to the previous revision. Which command accomplishes this?

A.kubectl rollout undo deployment/myapp --to-revision=1
B.kubectl delete deployment/myapp --cascade=foreground
C.kubectl rollout undo deployment/myapp
D.kubectl rollout status deployment/myapp --revision=2
AnswerC

This rolls back to the previous revision by default.

Why this answer

Option C is correct. 'kubectl rollout undo deployment myapp' reverts to the previous revision. Option A is incorrect because --to-revision=1 would roll back to the first revision, not the previous one.

863
MCQeasy

What is the default DNS name for a Service named 'my-svc' in namespace 'my-ns'?

A.my-svc.my-ns.svc.cluster.local
B.my-svc.svc.cluster.local
C.my-svc.my-ns.cluster.local
D.my-svc.cluster.local
AnswerA

Standard Kubernetes Service DNS naming.

Why this answer

The DNS name for a Service is <service>.<namespace>.svc.cluster.local. So my-svc.my-ns.svc.cluster.local.

864
Multi-Selectmedium

Which two of the following are valid Ingress path types in networking.k8s.io/v1? (Select TWO.)

Select 2 answers
A.Exact
B.Glob
C.Prefix
D.Regex
E.Wildcard
AnswersA, C

Matches the exact URL path.

865
MCQhard

You are asked to backup the etcd database on a control plane node. The etcd is running as a static pod. Which command sequence will create a consistent snapshot?

A.kubectl exec -n kube-system etcd-controlplane -- etcdctl snapshot save /backup/etcd-snapshot.db
B.ETCDCTL_API=3 etcdctl snapshot save /backup/etcd-snapshot.db
C.ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key snapshot save /backup/etcd-snapshot.db
D.etcdctl --endpoints=http://localhost:2379 snapshot save /backup/etcd-snapshot.db
AnswerC

This uses the correct API version, endpoint, and certificates to create a snapshot.

Why this answer

Option C is correct because it uses the etcdctl v3 API with the required authentication flags (--cacert, --cert, --key) and the correct endpoint (https://127.0.0.1:2379) to connect to the etcd server running as a static pod. This ensures a consistent snapshot is taken over the secure gRPC connection, which is mandatory when etcd is configured with TLS.

Exam trap

The trap here is that candidates assume 'kubectl exec' into the etcd pod (Option A) is sufficient, but they forget that etcdctl inside the pod still needs explicit TLS flags and endpoint specification, or they mistakenly use an insecure HTTP endpoint (Option D) without realizing that production etcd requires HTTPS.

How to eliminate wrong answers

Option A is wrong because 'kubectl exec' into the etcd container runs etcdctl inside the pod, but it does not automatically provide the necessary TLS certificates or endpoint, and the command lacks the required --cacert, --cert, --key flags, so it will fail to authenticate. Option B is wrong because it runs etcdctl on the host without specifying an endpoint or TLS credentials, so it defaults to the local unix socket or insecure connection, which will not reach the etcd server running as a static pod with TLS enabled. Option D is wrong because it uses an HTTP endpoint (http://localhost:2379) instead of HTTPS, and etcd in a production cluster (including static pods) requires TLS encryption; the connection will be refused or fail authentication.

866
MCQmedium

You run 'kubectl get pods' and see a pod in 'ImagePullBackOff' state. Which of the following is NOT a common cause?

A.The image tag does not exist
B.The image registry requires authentication
C.The image name is misspelled
D.The node has a taint that tolerates the pod
AnswerD

Taints affect scheduling, not image pulling. This would cause a Pending state, not ImagePullBackOff.

Why this answer

Node taints affect scheduling, not image pulling. ImagePullBackOff is related to the container image.

867
MCQmedium

You have a kubeconfig file with multiple contexts. How do you switch to the context named 'prod-cluster'?

A.kubectl config set-cluster prod-cluster
B.kubectl config set-context prod-cluster
C.kubectl config view prod-cluster
D.kubectl config use-context prod-cluster
AnswerD

This command sets the current context to prod-cluster.

Why this answer

Option D is correct because `kubectl config use-context` is the command specifically designed to switch the current context in a kubeconfig file. It updates the `current-context` field in the kubeconfig to point to the specified context, which then determines which cluster, user, and namespace are used by default for subsequent `kubectl` commands.

Exam trap

The trap here is that candidates confuse `set-context` (which defines a context) with `use-context` (which activates it), leading them to pick option B instead of D.

How to eliminate wrong answers

Option A is wrong because `kubectl config set-cluster` only modifies or adds a cluster definition (e.g., server URL, certificate authority) in the kubeconfig, it does not change the active context. Option B is wrong because `kubectl config set-context` creates or modifies a context entry (associating a cluster, user, and namespace) but does not switch to it; it only defines the context. Option C is wrong because `kubectl config view` displays the contents of the kubeconfig file (or a merged view) and does not alter the current context.

868
MCQhard

You are troubleshooting a pod that is in 'CrashLoopBackOff' state. You run 'kubectl logs mypod' and get no output. You then run 'kubectl logs mypod --previous' and see an error: 'Error: failed to start container: context deadline exceeded'. What is the MOST likely cause?

A.The container image is missing the entrypoint
B.The application inside the container is crashing immediately
C.The container command is incorrectly specified
D.The container runtime is unable to start the container due to a timeout
AnswerD

The error 'context deadline exceeded' indicates a timeout in the container runtime when trying to start the container. This could be due to a slow image pull or container runtime issue.

Why this answer

Option B is correct. 'context deadline exceeded' indicates that the container runtime timed out while trying to start the container. This is often due to the container image being large and the pull taking too long, or the container runtime being slow. Option A would show a different error.

Option C would show an application error in the logs. Option D would show a different error like 'executable file not found'.

869
MCQmedium

A pod is unable to resolve DNS names. You exec into the pod and run 'nslookup kubernetes.default.svc.cluster.local'. The command hangs. What is the MOST likely cause?

A.The CoreDNS service is not running or is misconfigured
B.The pod's /etc/resolv.conf is missing
C.The kubelet is not running on the node
D.The pod's network policy blocks DNS traffic
AnswerA

Why this answer

If nslookup hangs, it suggests the DNS server is not responding, typically a CoreDNS issue.

870
Multi-Selectmedium

A CKA candidate is troubleshooting a control plane node that was upgraded using kubeadm from v1.28 to v1.29. After the upgrade, the kube-apiserver pod fails to start. Which TWO actions should the candidate take to diagnose and resolve the issue? (Select TWO.)

Select 2 answers
A.Run 'kubeadm upgrade apply v1.29.0' again after resetting the node with 'kubeadm reset'
B.Downgrade etcd to a version compatible with Kubernetes 1.28
C.Immediately upgrade the worker nodes to match the control plane version
D.Check the kubelet logs on the control plane node using 'journalctl -u kubelet'
E.Run 'kubeadm upgrade plan' to verify the target version
AnswersA, D

Resetting the node cleans up previous state and allows a fresh upgrade application.

Why this answer

Option A is correct because if the kube-apiserver pod fails to start after a kubeadm upgrade, a clean re-application of the upgrade using 'kubeadm upgrade apply v1.29.0' after resetting the node with 'kubeadm reset' can resolve corrupted or mismatched configuration files, certificates, or static pod manifests. This process reinitializes the control plane components from scratch while preserving the target version, ensuring all manifests and certificates are regenerated correctly.

Exam trap

The trap here is that candidates may think 'kubeadm upgrade plan' (Option E) is a diagnostic step for a failed upgrade, but it only validates the upgrade path before execution and does not troubleshoot a post-upgrade failure.

871
MCQmedium

You have a Deployment with spec.replicas=3. You update the container image. The rollout gets stuck because the new ReplicaSet cannot create pods due to an image pull error. Which command would you use to roll back to the previous revision?

A.kubectl rollout undo deployment/<name>
B.kubectl rollout undo deployment/<name> --to-revision=1
C.kubectl rollout revert deployment/<name>
D.kubectl rollout rollback deployment/<name>
AnswerA

Correct. Undoes the last rollout.

Why this answer

Option A is correct because `kubectl rollout undo deployment/<name>` reverts the Deployment to the previous revision by default. This command uses the rollout history stored in the Deployment's annotations (specifically `deployment.kubernetes.io/revision`) to restore the prior ReplicaSet's pod template, effectively undoing the failed image update.

Exam trap

The trap here is that candidates confuse the `undo` command with non-existent verbs like `revert` or `rollback`, or incorrectly assume `--to-revision=1` is required to go back one step, when the default behavior already targets the previous revision.

How to eliminate wrong answers

Option B is wrong because `--to-revision=1` would roll back to revision 1, not the immediately previous revision; the question asks to roll back to the previous revision, which is the default behavior of `undo` without `--to-revision`. Option C is wrong because `kubectl rollout revert` is not a valid kubectl command; the correct verb is `undo`. Option D is wrong because `kubectl rollout rollback` is not a valid kubectl command; the correct verb is `undo`.

872
MCQmedium

A pod is in Pending state. You run 'kubectl describe pod' and see the event: '0/4 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate, 3 node(s) had taint {node.kubernetes.io/not-ready: }.'. What is the most likely reason?

A.The pod's container image pull failed
B.The cluster is out of CPU capacity
C.The pod's resource requests are too high for any node
D.The pod does not have tolerations for the taints on the available nodes
AnswerD

The events show that nodes have taints and the pod does not tolerate them. Adding appropriate tolerations would allow scheduling.

Why this answer

Option A is correct. The error indicates that no nodes are available due to taints. The master node taint is typical for control-plane nodes, and the not-ready taint indicates nodes are not ready.

The pod does not have tolerations for these taints. Option B is possible but less likely because the error explicitly mentions taints. Option C is incorrect because the error does not mention insufficient CPU.

Option D is incorrect because the pod was created (it is pending, not failed).

873
MCQmedium

An Ingress resource uses 'networking.k8s.io/v1' API. Which field specifies the hostname and path rules for routing traffic?

A.spec.ingress
B.spec.tls
C.spec.rules
D.spec.backend
AnswerC

rules contains host and path definitions for routing.

Why this answer

The 'rules' field in an Ingress spec contains host and path definitions. Option B is correct. Option A is for TLS.

Option C is a top-level field but not for host/path. Option D is not a field.

874
MCQhard

You are managing a production Kubernetes cluster with 10 worker nodes. A critical application runs as a Deployment with 5 replicas. The application requires low latency inter-Pod communication, so you want to ensure that all replicas are scheduled on the same node to avoid network overhead. You have created a podAntiAffinity rule with requiredDuringSchedulingIgnoredDuringExecution for the app label, but the scheduler only places 1 replica per node, resulting in Pods being distributed across multiple nodes. You need to modify the configuration so that all replicas are placed on a single node, if possible. Which action should you take?

A.Replace podAntiAffinity with podAffinity using requiredDuringSchedulingIgnoredDuringExecution for the app label.
B.Create a ResourceQuota to limit the number of Pods per namespace.
C.Add a toleration for a taint that is present on only one node.
D.Add a nodeSelector to the Pod spec to select a specific node.
AnswerA

PodAffinity attracts Pods to nodes that already have Pods with matching labels, ensuring all replicas on the same node.

Why this answer

Option A is correct because podAffinity with requiredDuringSchedulingIgnoredDuringExecution forces the scheduler to co-locate all Pods with the same app label on the same node. This directly overrides the default anti-affinity behavior that spreads Pods across nodes, ensuring low-latency inter-Pod communication by placing all replicas on a single node if possible.

Exam trap

The trap here is that candidates confuse podAntiAffinity (which spreads Pods) with podAffinity (which co-locates Pods), and mistakenly think modifying the anti-affinity rule or using nodeSelector will achieve co-location, when only podAffinity with requiredDuringSchedulingIgnoredDuringExecution enforces the desired behavior.

How to eliminate wrong answers

Option B is wrong because a ResourceQuota limits the total number of Pods in a namespace but does not influence scheduling placement or co-location of Pods on a single node. Option C is wrong because adding a toleration for a taint on only one node would allow Pods to be scheduled there, but it does not prevent the scheduler from placing Pods on other nodes; it also does not enforce co-location of all replicas on that single node. Option D is wrong because a nodeSelector pins Pods to a specific node, but it does not ensure all replicas are scheduled on the same node if the selected node cannot accommodate all replicas; it also lacks the flexibility of affinity rules to handle node failures or resource constraints.

875
Multi-Selectmedium

Which TWO network plugins (CNI) are commonly used in Kubernetes clusters? (Select TWO)

Select 2 answers
A.Calico
B.Flannel
C.CoreDNS
D.kube-proxy
E.Docker
AnswersA, B

Calico is a widely used CNI plugin that provides networking and network policy.

Why this answer

Calico and Flannel are popular CNI plugins. Option A and C are correct. Option B is not a CNI; it's a container runtime.

Option D is not a CNI. Option E is not a CNI.

876
MCQhard

You want to allow ingress traffic from pods with label 'app: frontend' in namespace 'web' to pods with label 'app: backend' in namespace 'api'. Which NetworkPolicy matches this requirement?

A.PodSelector: app: backend, Ingress rule with from: - namespaceSelector: matchLabels: name: web - podSelector: matchLabels: app: frontend
B.PodSelector: app: frontend, Egress rule with to: - namespaceSelector: matchLabels: name: api - podSelector: matchLabels: app: backend
C.PodSelector: {}, Ingress rule with from: - podSelector: matchLabels: app: frontend
D.PodSelector: app: backend, Ingress rule with from: - namespaceSelector: matchLabels: name: api - podSelector: matchLabels: app: frontend
AnswerA

Correctly selects backend pods and allows ingress from frontend pods in web namespace.

877
MCQhard

A NetworkPolicy allows ingress traffic from pods with label 'app: frontend' in any namespace. Which selector is used?

A.spec.ingress[0].from[0].podSelector: { matchLabels: { app: frontend } }
B.spec.ingress[0].from[0].namespaceSelector: {} and spec.ingress[0].from[0].podSelector: { matchLabels: { app: frontend } }
C.spec.ingress[0].from[0].ipBlock: { cidr: 0.0.0.0/0 }
D.spec.ingress[0].from[0].namespaceSelector: { matchLabels: { app: frontend } }
AnswerB

Empty namespaceSelector matches all namespaces; podSelector selects pods.

Why this answer

To allow ingress from pods in any namespace, use a namespaceSelector: {} (empty) to select all namespaces, and a podSelector to select pods with label 'app: frontend'.

878
MCQmedium

A company wants to expose a web application running as a Deployment with 3 replicas to external users. They need a stable IP address that does not change and the ability to terminate TLS. Which resource should they use?

A.LoadBalancer Service
B.ClusterIP Service
C.Ingress resource with a TLS certificate
D.NodePort Service
AnswerC

Ingress provides a stable IP and can terminate TLS.

Why this answer

An Ingress resource with a TLS certificate is the correct choice because it provides a stable IP address (via the underlying LoadBalancer or NodePort Service) and terminates TLS at the ingress controller, allowing the web application to serve HTTPS traffic without modifying the Deployment. This meets the requirements of exposing the application externally with a fixed IP and TLS termination.

Exam trap

CNCF often tests the misconception that a LoadBalancer Service alone can terminate TLS, but in Kubernetes, TLS termination is not a built-in feature of Services; it requires an Ingress or a custom proxy, making the Ingress resource the correct choice for this requirement.

How to eliminate wrong answers

Option A is wrong because a LoadBalancer Service exposes the application directly via a cloud load balancer, but it does not terminate TLS natively; TLS termination would require additional configuration (e.g., an external load balancer with TLS support) and the IP may change if the Service is recreated. Option B is wrong because a ClusterIP Service is only accessible within the cluster and cannot expose the application to external users. Option D is wrong because a NodePort Service exposes the application on a static port on each node's IP, but it does not provide a stable IP address (node IPs can change) and does not terminate TLS; TLS termination would require additional components like an Ingress or a reverse proxy.

879
Multi-Selecthard

Which THREE of the following are valid considerations when using resource requests and limits? (Select 3)

Select 3 answers
A.Limits must be equal to requests for a Pod to be scheduled.
B.Requests are used by the scheduler to decide which node can accommodate the Pod.
C.CPU limits guarantee the Pod will get that amount of CPU.
D.The QoS class is determined based on requests and limits.
E.Memory limits can cause the Pod to be OOMKilled if exceeded.
AnswersB, D, E

Scheduler uses requests to calculate node capacity.

Why this answer

Option B is correct because the Kubernetes scheduler uses resource requests (CPU and memory) to determine node suitability for a Pod. The scheduler checks if the sum of requests for all Pods on a node, plus the new Pod's requests, is less than or equal to the node's allocatable capacity. Limits are not used for scheduling decisions.

Exam trap

The trap here is that candidates often confuse CPU limits as a guarantee of CPU allocation, when in fact CPU is compressible and limits only throttle usage, while memory limits are hard and can cause OOM kills.

880
MCQeasy

Which command creates a temporary pod and forwards port 8080 from your local machine to port 80 of an existing pod named 'web-pod'?

A.kubectl port-forward pod/web-pod 8080:80
B.kubectl exec -it web-pod -- nc -l -p 8080
C.kubectl proxy --port=8080
D.kubectl expose pod web-pod --port=8080 --target-port=80
AnswerA

This is the correct syntax for port-forwarding to a pod.

Why this answer

kubectl port-forward pod/web-pod 8080:80 forwards local port 8080 to pod port 80.

881
MCQmedium

You run 'kubectl get nodes' and see that a node is 'NotReady'. You SSH into the node and run 'systemctl status kubelet'. The output shows 'Active: inactive (dead)'. What is the most likely cause?

A.The network plugin is misconfigured
B.The node has been cordoned
C.The kubelet service is stopped
D.The container runtime is not installed
AnswerC

The status 'inactive (dead)' means the kubelet service is not running. Starting the service may resolve the issue.

Why this answer

The kubelet service is stopped or dead, which would cause the node to be NotReady.

882
MCQhard

A ServiceAccount 'monitor-sa' needs to be able to list Pods in namespace 'monitoring'. Which RBAC configuration is appropriate?

A.Create a ClusterRole with 'get' and 'list' verbs on pods, then a ClusterRoleBinding to monitor-sa
B.Add the ServiceAccount to the cluster-admin group
C.Create a Role in default namespace with 'get' and 'list' verbs on pods, then a RoleBinding in 'monitoring' to monitor-sa
D.Create a Role in namespace 'monitoring' with 'get' and 'list' verbs on pods, then a RoleBinding in 'monitoring' to monitor-sa
AnswerD

Why this answer

Option D is correct because a Role in the 'monitoring' namespace with 'get' and 'list' verbs on pods, combined with a RoleBinding in the same namespace to the 'monitor-sa' ServiceAccount, grants the exact permissions required within the scope of that namespace. This follows the principle of least privilege by scoping permissions to the specific namespace where the pods reside.

Exam trap

The trap here is that candidates often confuse the scope of Roles versus ClusterRoles, mistakenly using a ClusterRole when a namespace-scoped Role is sufficient, or creating a Role in the wrong namespace and assuming a RoleBinding can bridge namespaces.

How to eliminate wrong answers

Option A is wrong because a ClusterRole with 'get' and 'list' verbs on pods, bound via a ClusterRoleBinding, would grant these permissions cluster-wide (across all namespaces), which is excessive for a requirement limited to the 'monitoring' namespace. Option B is wrong because adding the ServiceAccount to the 'cluster-admin' group grants full cluster-wide administrative privileges, violating the principle of least privilege and far exceeding the need to only list pods. Option C is wrong because a Role created in the 'default' namespace cannot grant permissions in the 'monitoring' namespace; RoleBindings only apply within the namespace of the Role, so the binding in 'monitoring' would have no effect.

883
MCQmedium

A cluster administrator runs the following command to create a PersistentVolumeClaim: kubectl create pvc mypvc --storage-class=fast --access-modes=ReadWriteOnce --storage=1Gi However, the PVC is created but remains in Pending state. The StorageClass 'fast' uses provisioner 'kubernetes.io/no-provisioner' (a static provisioner). What is the most likely reason?

A.The StorageClass 'fast' is not annotated as the default storage class.
B.No PersistentVolume with storage class 'fast' exists in the cluster.
C.The access mode must be ReadWriteMany to bind.
D.The PVC must specify volumeMode: Block to bind.
AnswerB

The 'no-provisioner' provisioner does not create volumes automatically. A matching PV must be manually created for the PVC to bind.

Why this answer

The provisioner 'kubernetes.io/no-provisioner' is used for static provisioning, meaning no dynamic provisioning occurs. The StorageClass is used only to match PVs with the same storage class name. Since no PV with storage class 'fast' exists, the PVC will remain Pending until a matching PV is created manually.

884
MCQeasy

Which of the following is a valid ClusterIP service definition that exposes port 80 and targets container port 8080?

A.kind: Service\napiVersion: v1\nmetadata:\n name: my-service\nspec:\n selector:\n app: my-app\n ports:\n - protocol: TCP\n port: 80\n targetPort: 8080\ntype: ClusterIP
B.kind: Service\napiVersion: v1\nmetadata:\n name: my-service\nspec:\n selector:\n app: my-app\n ports:\n - protocol: TCP\n port: 80\n targetPort: 8080
C.kind: Service\napiVersion: v1\nmetadata:\n name: my-service\nspec:\n selector:\n app: my-app\n type: NodePort\n ports:\n - protocol: TCP\n port: 80\n targetPort: 8080
D.kind: Service\napiVersion: v1\nmetadata:\n name: my-service\nspec:\n selector:\n app: my-app\n ports:\n - protocol: TCP\n port: 80\n targetPort: 8080\n type: LoadBalancer
E.kind: Service\napiVersion: v1\nmetadata:\n name: my-service\nspec:\n ports:\n - protocol: TCP\n port: 80\n targetPort: 8080
AnswerB

This is a valid ClusterIP service definition.

Why this answer

Option A is correct. Option B has wrong selector. Option C has wrong syntax (targetPort should be integer or string, but the mapping is off).

Option D uses targetPort as string incorrectly.

885
MCQeasy

Which command would you use to check the status of the kube-apiserver on a control plane node managed by systemd?

A.kubectl get apiservice
B.service kube-apiserver status
C.journalctl -u kubelet
D.systemctl status kube-apiserver
AnswerD

Standard way to check the service status.

Why this answer

systemctl status shows the current state of a systemd service.

886
MCQmedium

You have a Deployment that should have a rolling update with no downtime. You set maxSurge to 25% and maxUnavailable to 0%. With 4 replicas, how many pods will be created above the desired count during the update?

A.2
B.1
C.4
D.0
AnswerB

25% of 4 replicas results in 1 extra pod (ceiling).

Why this answer

Option C is correct. maxSurge of 25% on 4 replicas means 1 extra pod (25% of 4 = 1). The ceiling is used, so 1 extra pod can be created. Option A is incorrect because 25% of 4 is 1.

Option B is incorrect because 2 would be 50%. Option D is incorrect because 0 would mean no surge.

887
MCQmedium

You run 'kubectl run nginx --image=nginx --expose --port=80'. What resources are created?

A.A Pod named nginx and a Service named nginx
B.A Deployment named nginx and a Service named nginx
C.A Pod named nginx and an Endpoints resource named nginx
D.A ReplicaSet named nginx and a Service named nginx
AnswerB

The command creates a Deployment and a Service both named nginx.

Why this answer

kubectl run with --expose creates a Deployment (or Pod depending on version) and a Service.

888
MCQmedium

A DaemonSet named 'fluentd' is configured to run on all nodes. After adding a new node to the cluster, you notice that the DaemonSet pod is not running on the new node. What could be the cause?

A.The new node has a taint that the DaemonSet pod does not tolerate
B.The new node does not have enough resources to run the DaemonSet pod
C.The DaemonSet has a nodeSelector that does not match the new node's labels
D.The DaemonSet's update strategy is set to OnDelete
AnswerA

DaemonSet pods are created on all nodes unless the node has a taint that the pod does not tolerate. Adding a toleration to the DaemonSet pod template would fix this.

Why this answer

A DaemonSet ensures that a copy of a pod runs on all (or a subset of) nodes. When a new node is added, the DaemonSet controller automatically schedules a pod on it unless the node has a taint that the pod does not tolerate. By default, the new node may have a taint (e.g., `node.kubernetes.io/unschedulable` or a custom taint) that prevents the DaemonSet pod from being scheduled unless the pod's spec includes a matching toleration.

Exam trap

The trap here is that candidates often confuse taints/tolerations with nodeSelector or resource constraints, assuming a new node would automatically accept all DaemonSet pods, when in fact taints are a common reason for scheduling failures on new nodes.

How to eliminate wrong answers

Option B is wrong because insufficient resources would cause the pod to remain in a Pending state (not fail to be scheduled entirely), and the DaemonSet controller would still attempt to schedule it; the question states the pod is 'not running,' which could be due to scheduling failure, but resource insufficiency is a less common cause for a new node unless it's explicitly resource-starved. Option C is wrong because a nodeSelector mismatch would prevent scheduling on any node that doesn't match the labels, but the question specifies the DaemonSet is 'configured to run on all nodes,' implying no nodeSelector is set, or if it were, it would affect all nodes equally, not just the new one. Option D is wrong because the update strategy (OnDelete) controls how pods are updated when the DaemonSet template changes, not whether pods are scheduled on new nodes; scheduling is independent of the update strategy.

889
Multi-Selectmedium

Which TWO of the following are valid modes for kube-proxy? (Select 2)

Select 2 answers
A.iptables
B.nftables
C.ipvs
D.userspace
E.ebpf
AnswersA, C

iptables mode is the default and widely used.

Why this answer

kube-proxy supports userspace (deprecated), iptables, and ipvs modes. userspace is deprecated, but still a mode. The question asks for TWO valid modes. iptables and ipvs are both currently supported. userspace is deprecated but still valid? Typically in exam context, they consider iptables and ipvs as the main modes. I'll go with iptables and ipvs.

890
MCQeasy

A node in your cluster is reporting a DiskPressure condition. Which kubectl command would you use to get details about the node's condition?

A.kubectl get nodes
B.kubectl describe node <node-name>
C.kubectl logs <node-name>
D.kubectl get events --field-selector involvedObject.kind=Node
AnswerB

Why this answer

The `kubectl describe node <node-name>` command provides detailed information about a node, including its status, capacity, allocatable resources, and a list of conditions (e.g., DiskPressure, MemoryPressure, PIDPressure, Ready). This is the standard way to inspect the exact reason and timestamps for a DiskPressure condition, as well as related metrics like disk usage and inode consumption.

Exam trap

CNCF often tests the distinction between high-level status commands (`kubectl get nodes`) and detailed diagnostic commands (`kubectl describe node`), trapping candidates who think a simple status list is sufficient to investigate a specific condition like DiskPressure.

Why the other options are wrong

A

This only lists nodes and high-level status, not detailed conditions.

C

Logs are for pods, not nodes.

D

Events may show node issues but the describe command is more comprehensive for conditions.

891
MCQmedium

You have a DaemonSet that should run on all nodes with a label 'disk=ssd'. Which node selector field should you use in the DaemonSet spec?

A.spec.tolerations
B.spec.nodeSelector
C.spec.nodeName
D.spec.affinity.nodeAffinity
AnswerB

nodeSelector directly specifies a label selector to match node labels.

Why this answer

Option B is correct. nodeSelector is the simplest way to constrain pods to nodes with specific labels. Option A (affinity) can also achieve this but is more complex for a simple equality match. Option C (nodeName) is for scheduling to a specific node by name, not by label.

Option D (tolerations) is for taints, not labels.

892
Multi-Selecthard

Which two scheduling constraints can be used to ensure a pod runs on a node that has a specific label?

Select 2 answers
A.topologySpreadConstraints
B.requiredDuringSchedulingIgnoredDuringExecution in nodeAffinity
C.tolerations
D.nodeSelector
E.preferredDuringSchedulingIgnoredDuringExecution
AnswersB, D

Hard requirement for node affinity.

Why this answer

nodeSelector and requiredDuringSchedulingIgnoredDuringExecution node affinity both enforce scheduling on nodes matching label criteria.

893
MCQhard

You have a Deployment with livenessProbe configured. The pod restarts every few minutes. 'kubectl describe pod' shows the liveness probe is failing with 'HTTP probe failed with statuscode: 503'. The application's /healthz endpoint returns 200 from within the pod using 'kubectl exec'. What could be the issue?

A.The readinessProbe is interfering with the livenessProbe
B.The application has a memory leak
C.The kubelet on the node is misconfigured
D.The livenessProbe is configured with the wrong port
AnswerD

If the probe uses a port that the application is not listening on, it will get a non-200 response.

Why this answer

The liveness probe is failing externally but the endpoint works internally. This suggests the probe is hitting the wrong port or the network path is different. The most likely cause is that the livenessProbe is configured with a wrong port number.

894
MCQmedium

You run: kubectl expose deployment web --port=80 --target-port=8080 --type=LoadBalancer --name=web-svc. What is the effect of this command?

A.Creates a Service of type ClusterIP which is later changed to LoadBalancer
B.Creates a Service that selects pods with label 'app=web' and maps port 80 to 8080
C.Creates a Service that selects all pods in the namespace regardless of labels
D.Creates a Service that exposes port 8080 on the node
AnswerB

The 'expose' command uses the deployment's label selector (app=web) and creates the Service accordingly.

Why this answer

The command creates a Service named web-svc of type LoadBalancer that forwards traffic from port 80 on the Service to port 8080 on the selected pods. The Service selects pods based on the labels from the deployment 'web'.

895
MCQhard

You are implementing NetworkPolicies. You have a namespace 'db' with a pod running PostgreSQL. You want to allow only pods with label 'role: frontend' in namespace 'app' to connect to PostgreSQL on TCP port 5432. What is the correct Ingress rule?

A.podSelector: {}; from: - namespaceSelector: matchLabels: role: frontend
B.podSelector: matchLabels: app: postgres; from: - namespaceSelector: matchLabels: name: app
C.podSelector: {}; from: - namespaceSelector: matchLabels: name: app - podSelector: matchLabels: role: frontend
D.podSelector: {}; from: - podSelector: matchLabels: role: frontend
AnswerC

This combination selects pods from namespace 'app' that have label 'role: frontend'.

Why this answer

The Ingress rule must specify the podSelector (or empty to select all pods in the namespace) with a namespaceSelector to match 'app' and a podSelector to match 'role: frontend'.

896
MCQhard

Refer to the exhibit. A pod is defined with an emptyDir volume using memory medium. The pod is scheduled on a node with 4 GB of RAM. The container writes 3 GB of data to /cache. What will happen?

A.The container will be throttled by the kernel's memory management.
B.The pod will be evicted because emptyDir with memory is not allowed to use more than 1 GB.
C.The pod will be OOMKilled because the emptyDir memory usage exceeds the default limit.
D.The pod will run normally because there is no memory limit and the node has sufficient RAM.
AnswerD

EmptyDir with memory uses tmpfs; 3 GB is within 4 GB, so it works.

Why this answer

Option D is correct because an emptyDir volume with `medium: Memory` creates a tmpfs filesystem that uses the node's RAM, but it does not impose any inherent limit on how much memory the container can consume via that volume. Since the pod has no memory limit set (no `resources.limits.memory`), the container can write up to the node's available memory (4 GB) without being throttled or killed, as long as the node has sufficient free RAM.

Exam trap

The trap here is that candidates assume emptyDir with `medium: Memory` has a default limit or triggers OOMKill, when in fact it only uses node memory and is constrained only by explicit `sizeLimit` or node capacity.

How to eliminate wrong answers

Option A is wrong because kernel memory throttling only applies when a cgroup memory limit is configured; without a limit, the container can use memory freely until the node runs out. Option B is wrong because there is no default 1 GB limit for emptyDir with memory; the size is bounded only by the node's memory capacity unless explicitly restricted via `sizeLimit`. Option C is wrong because OOMKilling occurs when a container exceeds its memory limit (set via `resources.limits.memory`) or when the node is under memory pressure; here, no limit is set and the node has sufficient RAM, so no OOMKill will occur.

897
Multi-Selectmedium

Which TWO statements about EndpointSlices are true? (Choose 2)

Select 2 answers
A.EndpointSlices are only used for Services of type ClusterIP
B.EndpointSlices are automatically created and managed by the EndpointSlice controller
C.EndpointSlices replace Endpoints in all Kubernetes versions
D.EndpointSlices support dual-stack networking
E.EndpointSlices can contain up to 100 endpoints each
AnswersB, D

The controller manages EndpointSlice objects based on Services.

Why this answer

EndpointSlices are more scalable and support dual-stack, and are the default since v1.21.

898
MCQmedium

A developer creates a PVC with storageClassName: "" (empty string). What does this mean?

A.The PVC will remain pending indefinitely
B.The PVC will use the default StorageClass
C.The PVC will be dynamically provisioned using the cluster's default StorageClass
D.The PVC will only bind to PVs that also have storageClassName: ""
AnswerD

That is correct: it matches PVs with the same empty string storageClassName.

Why this answer

An empty string for storageClassName means that the PVC will only bind to pre-existing PVs that also have storageClassName: "" (i.e., no StorageClass). It disables dynamic provisioning.

899
Matchingmedium

Match each kubectl command to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Create or update resources from a file

Create a Service for a resource

Manage deployment rollouts

Safely evict Pods from a Node

Display resource usage metrics

Why these pairings

These commands are essential for daily cluster management.

900
MCQmedium

A pod with a resource request of 500m CPU and a limit of 1 CPU is scheduled. The node has a CPU capacity of 2 cores. What does the '500m' represent?

A.500 millicores (0.5 CPU core)
B.500 megabytes of memory
C.50% of the node's CPU capacity
D.A limit of 500,000 CPU seconds per day
AnswerA

CPU requests and limits are defined in millicores; 1000m = 1 core.

Why this answer

In Kubernetes, CPU resources are measured in millicores, where 1000m equals 1 full CPU core (vCPU or hyperthread). The '500m' in a resource request means the pod is guaranteed at least 500 millicores, or 0.5 CPU core, from the node's 2-core capacity. This is a standard unit used by the kubelet for CPU scheduling and the Completely Fair Scheduler (CFS) quota enforcement.

Exam trap

The trap here is that candidates confuse the 'm' suffix with megabytes or a percentage, when in Kubernetes it specifically denotes millicores (1/1000th of a CPU core).

How to eliminate wrong answers

Option B is wrong because '500m' is a CPU unit, not a memory unit; memory is expressed in bytes (e.g., Mi, Gi). Option C is wrong because 500m represents 0.5 cores, not 50% of the node's total capacity (which would be 1 core on a 2-core node). Option D is wrong because CPU limits in Kubernetes are not measured in seconds per day; they are enforced as a maximum usage rate (e.g., via CFS quota) over short intervals, not a daily cap.

Page 11

Page 12 of 14

Page 13