Certified Kubernetes Administrator CKA (CKA) — Questions 976–1005

1005 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
MCQ · easy

Which command creates a kubeconfig file that can be used to authenticate as a specific user?

A. kubectl config set-context
B. kubectl config set-credentials
C. kubectl config create-user
D. kubectl config set-cluster
Answer: B

set-credentials adds a user with authentication details.

Why this answer

The `kubectl config set-credentials` command creates or updates a user entry in a kubeconfig file, allowing you to specify authentication credentials such as a client certificate, token, or username/password for a specific user. This is the correct way to define a user identity that can later be associated with a context via `kubectl config set-context`.

Exam trap

The trap here is that candidates confuse `set-credentials` with `set-context`, thinking that creating a context automatically includes user credentials, when in fact the user must be defined separately before being referenced in a context.

How to eliminate wrong answers

Option A is wrong because `kubectl config set-context` only defines a context (cluster, namespace, and user association) but does not create or store user credentials. Option C is wrong because `kubectl config create-user` is not a valid kubectl command; kubectl does not have a `create-user` subcommand. Option D is wrong because `kubectl config set-cluster` only configures cluster details (e.g., server URL, CA certificate) and has nothing to do with user authentication.

977
MCQ · easy

Which component is responsible for running containers on a node?

A. kubelet
B. kube-scheduler
C. container runtime
D. kube-proxy
Answer: C

The container runtime actually runs the containers.

Why this answer

The container runtime is the software responsible for actually running containers on a node. It pulls container images, creates container namespaces, and manages the container lifecycle (start, stop, delete). In Kubernetes, the kubelet delegates container execution to the container runtime via the CRI (Container Runtime Interface), but the runtime itself performs the low-level operations using technologies like runc or containerd.

Exam trap

The trap here is that candidates often confuse the kubelet's role as the node agent with the actual execution of containers, but the kubelet only orchestrates the runtime — it does not run containers itself.

How to eliminate wrong answers

Option A is wrong because the kubelet is the node agent that communicates with the control plane and manages pod lifecycle, but it does not directly run containers — it instructs the container runtime to do so. Option B is wrong because the kube-scheduler is a control plane component that assigns pods to nodes based on resource availability and constraints, not a component that runs containers on a node. Option D is wrong because kube-proxy is a network proxy that maintains network rules and handles service-to-pod traffic routing on each node, not container execution.

978
Multi-Select · hard

Which THREE are valid methods to restore an etcd cluster from a snapshot? (Select 3)

Select 3 answers
A. Restore snapshot on a new node and add it as a member, then remove old
B. kubeadm reset and re-init
C. etcdctl snapshot restore snapshot.db --data-dir=/var/lib/etcd-restore
D. Stop etcd, replace data directory with restored snapshot, start etcd
E. kubectl apply -f snapshot.yaml
Answers: A, C, D

Common procedure.

Why this answer

Option A is correct because it describes the standard procedure for replacing a failed etcd member using a snapshot: you restore the snapshot on a new node (using `etcdctl snapshot restore`), start the new etcd instance, add it as a member to the existing cluster, and then remove the old, failed member. This ensures the new node joins with the correct data and the cluster quorum is maintained.

Exam trap

The trap here is that candidates often think `kubeadm reset` followed by `kubeadm init` can restore an etcd snapshot, but this actually creates a brand-new cluster with no prior data, while the correct method involves restoring the snapshot into a separate directory and then adding the node as a new member.

979
Multi-Select · medium

Which THREE of the following are requirements for an Ingress resource to work?

Select 3 answers
A. The Ingress resource must specify a host.
B. An Ingress controller must be deployed in the cluster.
C. The Ingress resource must have a TLS section.
D. The backend services must be running and have endpoints.
E. The Ingress must have at least one path rule.
Answers: B, D, E

Without a controller, Ingress resources have no effect.

Why this answer

An Ingress controller must be running, the Ingress must have rules, and the backend services must exist.

980
Multi-Select · hard

Which THREE of the following are true about pod lifecycle phases?

Select 3 answers
A. Running phase means all containers are running.
B. CrashLoopBackOff is a pod phase.
C. Terminating is a pod phase during graceful shutdown.
D. Failed phase indicates all containers have terminated with a non-zero exit code.
E. A pod in Pending phase may have init containers still running.
Answers: A, D, E

Running phase requires at least one container running, but all containers are expected to be running.

Why this answer

Option A is correct because the Running phase in Kubernetes indicates that all containers in the pod are running and at least one container is in the running state. This phase is part of the pod lifecycle as defined in the Kubernetes API, where the pod has been bound to a node and all containers have been started successfully.

Exam trap

The trap here is that candidates confuse container states (like CrashLoopBackOff or Terminating) with pod phases, leading them to select options that describe container behavior rather than the official pod lifecycle phases defined in the Kubernetes API.

981
MCQ · easy

Which of the following is a valid way to mount a Secret as a volume in a Pod?

A. spec.volumes[].secret.secretName
B. spec.containers[].volumeMounts[].secretName
C. spec.volumes[].configMap.name
D. spec.containers[].envFrom[].secretRef
Answer: A

This defines a volume backed by a Secret. The correct field is 'secretName' under 'secret'.

Why this answer

Option D is correct. Secrets can be mounted as volumes by referencing the secret name under volumes and then mounting the volume in containers. Option A is for environment variables, not volumes.

Option B uses incorrect syntax: secretName should be secretName inside a secret volume source. Option C is missing the volume definition.

982
MCQ · medium

You are debugging a DNS issue in the cluster. Which of the following tools is commonly used to test DNS resolution from within a Pod?

A. ping
B. tcpdump
C. curl
D. nslookup
Answer: D

nslookup queries DNS servers and is commonly used for DNS troubleshooting.

Why this answer

Option B is correct. nslookup and dig are DNS troubleshooting tools. Option A is for network debugging but not DNS-specific. Option C is for HTTP requests.

Option D is for network connectivity.

983
MCQ · medium

You deploy a pod with the following YAML:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
    spec:
      containers:
      - name: test
        image: nginx
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"

The pod starts, but after a few minutes it is killed with OOMKilled. What is the MOST likely reason?

A. The memory limit is lower than the memory request
B. The node has swap enabled
C. The container's memory usage exceeds the configured limit
D. The container is using too much CPU
Answer: C

The container is using more than 128Mi of memory, causing the OOM killer to terminate it.

Why this answer

Option D is correct. OOMKilled occurs when the container exceeds its memory limit. The limit is 128Mi, so if the nginx container uses more than 128Mi of memory, it will be killed.

Option A is incorrect because CPU limits cause throttling, not OOM. Option B is incorrect because swap is typically disabled in Kubernetes. Option C is incorrect because the request is lower than the limit, which is allowed.

984
Multi-Select · medium

Which TWO statements are true about Ingress in Kubernetes?

Select 2 answers
A. Ingress can terminate TLS connections
B. Ingress can expose multiple Services under the same IP address
C. IngressClass is a mandatory field in Ingress spec
D. Ingress is the only way to expose Services externally
E. Ingress works without an Ingress controller
Answers: A, B

True: Ingress supports TLS termination via secrets.

Why this answer

Ingress can expose multiple services under the same IP (A) and can terminate TLS (B). Ingress is not the only way to expose services (NodePort and LoadBalancer exist) (C). Ingress requires an Ingress controller (D).

IngressClass is a separate resource (E).

985
MCQ · medium

You run 'kubectl get pods' and see a pod in 'CrashLoopBackOff'. What command would you run to see the reason for the crash?

A. kubectl top pod <pod-name>
B. kubectl describe pod <pod-name>
C. kubectl rollout status deployment <deployment-name>
D. kubectl get events --field-selector involvedObject.name=<pod-name>
Answer: B

Describe shows the last container state and exit code, plus events.

Why this answer

kubectl describe pod shows the last state and exit code, and kubectl logs shows application output; but for a crash loop, describe gives the last state details.

986
MCQ · easy

Which of the following is a core control plane component responsible for persisting cluster state?

A. kube-apiserver
B. kube-scheduler
C. kube-controller-manager
D. etcd
Answer: D

etcd is the consistent and highly-available key-value store for cluster data.

Why this answer

etcd is the core control plane component responsible for persisting cluster state. It is a distributed, consistent key-value store that stores all cluster data, including configuration, state, and metadata. The kube-apiserver is the only component that interacts directly with etcd, ensuring that all state changes are recorded durably.

Exam trap

The trap here is that candidates often confuse the kube-apiserver as the storage component because it is the only component that talks to etcd, but the actual persistence layer is etcd itself.

How to eliminate wrong answers

Option A is wrong because kube-apiserver is the front-end for the Kubernetes control plane that exposes the API and validates requests, but it does not persist data itself; it reads from and writes to etcd. Option B is wrong because kube-scheduler is responsible for assigning pods to nodes based on resource availability and constraints, not for storing cluster state. Option C is wrong because kube-controller-manager runs controller processes that regulate cluster state (e.g., ensuring desired replicas), but it relies on the API server to read/write state from etcd and does not persist data directly.

987
MCQ · medium

A developer runs 'kubectl run nginx --image=nginx --expose --port=80'. What Kubernetes resources are created?

A. Only a pod named 'nginx'
B. A pod named 'nginx' and a ClusterIP service named 'nginx'
C. A pod named 'nginx' and a LoadBalancer service named 'nginx'
D. A deployment named 'nginx' and a NodePort service named 'nginx'
Answer: B

kubectl run with --expose creates a pod and a ClusterIP service with the same name.

Why this answer

The --expose flag creates a ClusterIP service in addition to the pod. Option A correctly states both a pod and a ClusterIP service are created. Options B-D misstate the service type or omit resources.

988
MCQ · easy

Which DNS record type does Kubernetes use to resolve a Service's ClusterIP?

A. PTR record
B. SRV record
C. CNAME record
D. A record
Answer: D

A records map hostnames to IP addresses.

Why this answer

Services resolve to A (IPv4) or AAAA (IPv6) records.

989
Multi-Select · medium

Which TWO of the following are valid methods to add a worker node to an existing Kubernetes cluster that was initialized with kubeadm?

Select 2 answers
A. Use kubeadm token create and then kubeadm join with the token
B. Use kubectl create node command from the control plane
C. Copy the kubeconfig file and manually configure kubelet with the cluster CA and bootstrap token
D. Install kubelet on the worker node and it will automatically join the cluster
E. Run kubeadm init on the worker node and then join
Answers: A, C

This is the standard method to join a worker node.

Why this answer

Option A is correct because `kubeadm token create` generates a bootstrap token that is used by `kubeadm join` to authenticate the new node with the control plane. This is the standard, documented method for adding worker nodes to a cluster initialized with kubeadm, leveraging TLS bootstrap and the Bootstrap Token Authentication protocol.

Exam trap

The trap here is that candidates often confuse `kubeadm init` (for control plane nodes) with `kubeadm join` (for worker nodes), and assume that simply installing kubelet is sufficient for automatic cluster discovery without any authentication configuration.

990
MCQ · easy

You need to verify if the kube-apiserver is running on the control plane node. Which command should you use?

A. kubectl describe node controlplane
B. kubectl get services -n default
C. systemctl status kube-apiserver
D. kubectl get pods -n kube-system
Answer: D

The kube-apiserver typically runs as a pod in the kube-system namespace (e.g., in kubeadm clusters). Checking this namespace shows its status.

Why this answer

'kubectl get pods -n kube-system' lists system pods including the kube-apiserver, if it runs as a static pod or deployed by kubeadm.

991
Multi-Select · medium

A worker node is marked NotReady. Which two checks are most relevant to diagnose the node's kubelet health? (Choose two.)

Select 2 answers
A. systemctl status kubelet
B. kubectl get nodes
C. journalctl -u kubelet -n 50
D. Check API server logs
Answers: A, C

Why this answer

A is correct because `systemctl status kubelet` directly queries the systemd service manager to report whether the kubelet process is running, its current state (active/inactive/failed), and recent log entries. Since the kubelet is the primary node agent responsible for registering the node and reporting status to the control plane, checking its service status is the most immediate step when a node is NotReady.

Exam trap

CNCF often tests the misconception that `kubectl get nodes` is a diagnostic tool for node-level issues, when in fact it only reflects the symptom, not the cause; candidates must remember that local service inspection (systemctl/journalctl) is required for kubelet troubleshooting.

Why the other options are wrong

B: Shows status but not kubelet health directly.

D: Not specific to node kubelet.

992
MCQ · medium

You have a Deployment that is failing to update. You run 'kubectl rollout status deployment/myapp' and it hangs. Which command should you run to see the status of individual ReplicaSets and pods?

A. kubectl describe deployment myapp
B. kubectl rollout history deployment/myapp
C. kubectl logs deployment/myapp
D. kubectl get replicasets -l app=myapp
Answer: B

This command lists revisions and the ReplicaSets associated with each revision.

Why this answer

'kubectl rollout history' shows revision history and details of each ReplicaSet, which helps in troubleshooting rollout issues.

993
MCQ · hard

A NetworkPolicy with podSelector: {} and policyTypes: [Ingress] is applied to a namespace. What is the effect on pods in that namespace?

A. All ingress traffic is denied unless explicitly allowed by another policy.
B. The policy has no effect because no rules are defined.
C. All ingress traffic is allowed.
D. All egress traffic is denied.
Answer: A

When a NetworkPolicy selects pods, any traffic not explicitly allowed is denied. This policy selects all pods and has no ingress rules, so all ingress is denied.

994
MCQ · hard

A Pod is stuck in Pending state. Running 'kubectl describe pod' shows '0/3 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/control-plane: }, 2 node(s) had taint {node-role.kubernetes.io/master: }'. The Pod does not have tolerations. What is the most likely cause?

A. The scheduler is not running.
B. The Pod requests more CPU than any node can provide.
C. The Pod has a node selector that doesn't match any node.
D. The Pod does not have tolerations for the control-plane or master taints.
Answer: D

The nodes have taints that repel Pods without matching tolerations.

Why this answer

The Pod is stuck in Pending state because it does not have tolerations for the taints present on the nodes. The error message explicitly states that 1 node has the control-plane taint and 2 nodes have the master taint. By default, Pods without matching tolerations cannot be scheduled onto tainted nodes.

Since all available nodes are tainted, the scheduler has no eligible node to place the Pod, leaving it in Pending.

Exam trap

The trap here is that candidates may confuse taints/tolerations with node selectors or resource constraints, but the error message explicitly lists taints as the reason, making it a direct match to the toleration requirement.

How to eliminate wrong answers

Option A is wrong because if the scheduler were not running, the Pod would remain in Pending with a different error message (e.g., 'no matching node' or 'scheduler error'), not the specific taint-based message shown. Option B is wrong because the error message does not mention insufficient CPU or memory; it explicitly lists taints as the reason for node unavailability. Option C is wrong because the error message does not mention a node selector mismatch; if a node selector were the issue, the message would indicate '0/3 nodes are available: 3 node(s) didn't match node selector', not taint-related messages.

995
Matching · medium

Match each storage concept to its definition.

Concepts
Matches

Request for storage by a user

Describes storage provisioner and parameters

Mounts a file or directory from the host Node

Temporary storage that shares a Pod's lifecycle

Standard interface for storage plugins

Why these pairings

Storage in Kubernetes is managed through volumes, claims, and classes.

996
MCQ · medium

You deploy a pod named 'app' that listens on port 3000. You create a Service named 'app-svc' with selector 'app: app'. From another pod in the same namespace, which command will successfully reach the service?

A. curl app-svc:80
B. curl app-svc.default.svc.cluster.local:3000
C. curl app-svc:3000
D. curl app:3000
Answer: C

Service name resolves to ClusterIP, and the port is the service port (default same as target).

Why this answer

Within the same namespace, the service can be reached by its name.

997
MCQ · easy

A developer deployed a Pod that is stuck in Pending state. The cluster has one worker node with taint 'node.kubernetes.io/disk-pressure:NoSchedule'. The Pod does not specify any tolerations. What is the most likely cause?

A. The Pod was evicted due to resource pressure.
B. The Pod requests more CPU than available on the node.
C. The scheduler failed to communicate with the API server.
D. The node has a taint that the Pod does not tolerate.
Answer: D

The Pod lacks toleration for the disk-pressure taint.

Why this answer

A Pod stuck in Pending state indicates the scheduler cannot find a suitable node. The cluster has a worker node with the taint 'node.kubernetes.io/disk-pressure:NoSchedule', and the Pod has no tolerations. Since taints with effect NoSchedule prevent scheduling of Pods that do not tolerate them, the Pod cannot be placed on that node, leaving it in Pending.

Exam trap

CNCF often tests the distinction between taints/tolerations and resource constraints, so the trap here is that candidates may confuse a taint-based scheduling block with a resource shortage, especially when the taint name includes 'disk-pressure' which sounds like a resource issue.

How to eliminate wrong answers

Option A is wrong because eviction occurs when a Pod is already running and the node experiences resource pressure, not when a Pod is stuck in Pending; eviction would move the Pod to a different state (e.g., Failed or Evicted). Option B is wrong because insufficient CPU would cause the scheduler to report a '0/1 nodes are available: insufficient cpu' event, but the question explicitly states the node has a disk-pressure taint, and the Pod has no tolerations, making the taint the primary blocking factor. Option C is wrong because scheduler-to-API-server communication failures typically result in scheduler errors or 'no persistent volumes available' messages, not a simple Pending state; the scheduler communicates via the API server to list nodes and bind Pods, and a failure would produce different symptoms.

998
MCQ · medium

You need to upgrade a Kubernetes cluster from v1.28 to v1.29 using kubeadm. After upgrading the control plane, what should you do on each worker node?

A. kubeadm upgrade node config --kubelet-version v1.29.0
B. kubectl delete node <node>; kubeadm upgrade node
C. kubectl drain <node>; kubeadm upgrade node; kubectl uncordon <node>
D. kubeadm upgrade node; kubectl uncordon <node>
Answer: C

Drain the node, upgrade, then uncordon.

Why this answer

Option C is correct because the standard kubeadm upgrade workflow for worker nodes requires first draining the node to safely evict all pods, then running 'kubeadm upgrade node' to upgrade the kubelet and kube-proxy configuration, and finally uncordoning the node to make it schedulable again. This sequence ensures minimal disruption to workloads and follows the official Kubernetes upgrade documentation.

Exam trap

The trap here is that candidates may assume 'kubeadm upgrade node' alone handles pod eviction, but it only upgrades the node's components and does not automatically drain pods, making the drain step essential to avoid workload disruption.

How to eliminate wrong answers

Option A is wrong because 'kubeadm upgrade node config --kubelet-version v1.29.0' is not a valid command; kubeadm does not support a --kubelet-version flag for the upgrade node subcommand, and the correct approach is to use 'kubeadm upgrade node' which automatically handles the kubelet configuration. Option B is wrong because deleting the node object with 'kubectl delete node' is unnecessary and disruptive; it removes the node from the cluster's control plane, requiring re-registration, whereas the correct process uses drain and uncordon to maintain node membership. Option D is wrong because it omits the critical 'kubectl drain' step before upgrading the node; upgrading without draining can cause running pods to be terminated abruptly, leading to service disruption and potential data loss.

999
Multi-Select · medium

You need to create a Kubernetes ServiceAccount named 'build-bot' and ensure that pods using this ServiceAccount can authenticate to the Kubernetes API using a long-lived token. Which TWO steps are necessary? (Choose TWO.)

Select 2 answers
A. Create a Secret of type 'Opaque' with the token data
B. Run 'kubectl create token build-bot'
C. Use the TokenRequest API to generate a token
D. Create a ServiceAccount object named 'build-bot'
E. Create a Secret with type 'kubernetes.io/service-account-token' and reference the ServiceAccount via annotation
Answers: D, E

The ServiceAccount must exist first.

Why this answer

Option D is correct because creating a ServiceAccount named 'build-bot' is the foundational step; without the ServiceAccount object, no pods can be assigned a service account identity. Option E is correct because a Secret of type 'kubernetes.io/service-account-token' with an annotation referencing the ServiceAccount causes the Kubernetes controller manager to automatically generate and populate a long-lived token, which pods can mount and use to authenticate to the API server.

Exam trap

CNCF often tests the distinction between long-lived tokens (created via the legacy Secret-based mechanism) and short-lived tokens (generated via the TokenRequest API or 'kubectl create token'), leading candidates to incorrectly select options that produce ephemeral credentials.

1000
MCQ · easy

Which kubectl command will expose a deployment named 'web-app' as a NodePort service on port 80?

A. kubectl expose pod web-app --type=NodePort --port=80
B. kubectl create deployment web-app --expose --port=80
C. kubectl create service nodeport web-app --port=80
D. kubectl expose deployment web-app --type=NodePort --port=80
Answer: D

Correct command syntax.

Why this answer

The 'kubectl expose' command with '--type=NodePort' and '--port=80' creates a service. The '--target-port' can specify the container port.

1001
Multi-Select · easy

Which TWO of the following are valid ways to view the status of the kube-apiserver? (Select 2)

Select 2 answers
A. kubectl describe node
B. journalctl -u kubelet
C. systemctl status kube-apiserver
D. kubectl get pods -n kube-system -l component=kube-apiserver
E. kubectl logs kube-apiserver
Answers: C, D

If kube-apiserver runs as a systemd service.

Why this answer

On static-pod clusters, kubectl get pods -n kube-system shows apiserver status. On systemd systems, systemctl status kube-apiserver works.

1002
MCQ · hard

You have a Deployment with 3 replicas. Two pods are Running, one is CrashLoopBackOff. You run 'kubectl logs pod-crash -c app' and see: 'Error: failed to connect to database at 10.0.0.5:5432'. The database is a separate Pod with a ClusterIP service. How should you verify network connectivity from the crashing pod to the database service?

A. kubectl exec -it running-pod -- sh -c 'curl http://db-service:5432'
B. kubectl port-forward svc/db-service 5432:5432
C. kubectl exec -it pod-crash -- sh -c 'curl http://db-service:5432'
D. kubectl logs db-pod
Answer: A

Exec into a healthy pod and test connectivity to the db-service.

Why this answer

Using kubectl exec to run a command like curl or telnet from a running pod in the same namespace can test connectivity to the database service.

1003
Multi-Select · easy

Which TWO commands can be used to check the expiration of certificates managed by kubeadm?

Select 2 answers
A. kubeadm upgrade plan
B. kubectl get certificates
C. openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -A2 Validity
D. kubeadm certs renew --all
E. kubeadm certs check-expiration
Answers: C, E

Directly inspects certificate file validity period.

Why this answer

Option C is correct because `openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -A2 Validity` directly reads the X.509 certificate file on disk and displays its validity period (Not Before and Not After dates). This is a manual, low-level method to check certificate expiration without relying on kubeadm utilities. Option E is correct because `kubeadm certs check-expiration` is the dedicated kubeadm command that lists all certificates managed by kubeadm along with their remaining validity, providing a comprehensive and automated check.

Exam trap

The trap here is that candidates confuse `kubeadm certs renew --all` (which performs renewal) with `kubeadm certs check-expiration` (which only checks expiration), or they mistakenly think `kubectl get certificates` is a valid command for checking kubeadm-managed certificates, when in fact Kubernetes has a `CertificateSigningRequest` resource but not a generic `certificates` resource for PKI files.

1004
Multi-Select · hard

Which THREE of the following are true about the interaction between PersistentVolumeClaims and pods?

Select 3 answers
A. A PVC is namespace-scoped and can only be used by pods in the same namespace
B. A PVC can only be used by a single pod at a time
C. When a pod is deleted, its attached PVC is automatically deleted
D. A PVC must be created before a pod that references it can be scheduled
E. Multiple pods can use the same PVC if the access mode allows
Answers: A, D, E

PVCs are namespaced resources.

Why this answer

Options A, B, D are correct. A: Multiple pods can share a PVC if the access mode supports it (e.g., RWX). B: The PVC must exist before the pod that uses it.

D: The PVC and pod must be in the same namespace. C is false because a PVC can be used by multiple pods. E is false because the PVC is not deleted when the pod is deleted.

1005
Multi-Select · hard

Which TWO statements about NetworkPolicy are correct?

Select 2 answers
A. To allow traffic from a specific namespace, you can use a namespaceSelector in the ingress rule.
B. If no NetworkPolicy exists, all traffic is denied by default.
C. A NetworkPolicy with podSelector: {} selects all pods in the namespace.
D. The field 'podSelector.matchLabels' is used to select pods based on labels.
E. NetworkPolicy is a cluster-scoped resource.
Answers: A, C

Correct. namespaceSelector selects namespaces by labels.

Why this answer

Options B and D are correct. A podSelector with '{}' selects all pods in the namespace. To allow traffic from another namespace, you use namespaceSelector combined with podSelector.

Option A is false: NetworkPolicy is cluster-scoped? No, it's namespaced. Option C is false: NetworkPolicy defaults to deny if a policy with that policyType is present. Option E is false: The field is 'podSelector', not 'podSelector.matchLabels'.
