Certified Kubernetes Administrator CKA (CKA) — Questions 451525

1005 questions total · 14pages · All types, answers revealed

Page 6

Page 7 of 14

Page 8
451
MCQhard

A StatefulSet named 'db' manages 3 pods. The pods are named db-0, db-1, db-2. What is the expected behavior when the StatefulSet's pod management policy is set to OrderedReady and you scale down from 3 to 1 replica?

A.All pods are deleted simultaneously.
B.Pod db-2 is deleted, then db-1, and db-0 remains.
C.Only pod db-2 is deleted; db-1 and db-0 remain.
D.Pod db-0 is deleted first, then db-1, and db-2 remains.
AnswerB

Correct: deletion in reverse order, one at a time.

Why this answer

With OrderedReady pod management, StatefulSet deletion proceeds in reverse ordinal order, waiting for each pod to terminate before moving to the next. So it deletes db-2, then db-1, and stops at 1 replica (db-0 remains).

452
MCQhard

You create a PriorityClass named 'high-priority' with value 1000000 (one million). A pod uses this PriorityClass. The cluster has limited resources. What scheduling behavior is most likely?

A.The pod will never be preempted by other pods
B.The pod will be scheduled only after all lower-priority pods have been scheduled
C.The pod may preempt lower-priority pods to be scheduled
D.The pod will be assigned a higher CPU priority in the kernel
AnswerC

Correct. Pod priority enables preemption; higher priority pods can evict lower priority pods.

Why this answer

PriorityClass with value 1000000 is extremely high (the default max is 1 billion). When a pod with this PriorityClass is submitted and the cluster has limited resources, the Kubernetes scheduler may preempt (evict) lower-priority pods to free resources and schedule this high-priority pod. This is the core behavior of PriorityClass and preemption in Kubernetes.

Exam trap

CNCF often tests the misconception that PriorityClass affects kernel-level CPU priority or that a high-priority pod is scheduled before all lower-priority pods, when in reality it only enables preemption and does not guarantee scheduling order.

How to eliminate wrong answers

Option A is wrong because even a pod with a very high priority can be preempted by a pod with an even higher priority (up to 1 billion), so it is not immune to preemption. Option B is wrong because scheduling order is not strictly based on priority; lower-priority pods can be scheduled first if resources are available, and high-priority pods may preempt them later. Option D is wrong because Kubernetes PriorityClass does not affect the kernel's CPU priority (nice value); it only controls scheduling and preemption within the Kubernetes scheduler.

453
Multi-Selecthard

You have a pod that is 'CrashLoopBackOff'. 'kubectl logs --previous mypod' shows: 'Liveness probe failed: HTTP probe failed with statuscode: 503'. Which THREE actions could potentially fix the issue? (Choose three)

Select 4 answers
A.Change the liveness probe to a readiness probe.
B.Increase the initialDelaySeconds to give the app more time to start.
C.Change the liveness probe path to a valid endpoint that returns 200.
D.Increase the failureThreshold.
E.Remove the liveness probe entirely.
AnswersB, C, D, E

If the app takes longer to start, increasing initialDelaySeconds prevents premature failures.

Why this answer

The liveness probe is failing with 503, meaning the application is not ready or healthy. Fixes include correcting the probe endpoint, adjusting probe parameters, or fixing the application.

454
MCQmedium

A Pod is in CrashLoopBackOff. You run 'kubectl describe pod' and see that the container fails with 'Error: container command not found'. What is the most likely cause?

A.The container is running out of memory
B.The image pull is failing
C.The container image does not contain the specified command
D.The container command is not in the PATH
AnswerC

If the command is not present in the image, the container fails to start.

Why this answer

Option A is correct. The container image may not have the command specified in the Pod spec. Option B would also cause a failure but typically results in 'executable file not found in $PATH' if not using full path.

Option C would cause OOMKilled. Option D would cause ImagePullBackOff.

455
MCQeasy

Which command shows events sorted by timestamp for troubleshooting recent issues?

A.kubectl logs --events
B.kubectl get events --sort-by=.lastTimestamp
C.kubectl describe events
D.kubectl get events
AnswerB

Sorts events by last timestamp, useful for chronological view.

Why this answer

kubectl get events with --watch or sorting by lastTimestamp. The simplest is 'kubectl get events --sort-by=.metadata.creationTimestamp'.

456
MCQmedium

After deploying a new Deployment, you notice that the pods are stuck in ImagePullBackOff. What is the most common cause?

A.The liveness probe is misconfigured
B.The node has insufficient resources
C.The container image name or tag is incorrect
D.The container command fails on startup
AnswerC

An incorrect image name or tag prevents the image from being pulled, resulting in ImagePullBackOff.

Why this answer

Option D is correct. ImagePullBackOff indicates Kubernetes cannot pull the container image. The most common cause is a wrong image name or tag.

Option A would cause CrashLoopBackOff. Option B would cause Pending (Unschedulable). Option C would cause CrashLoopBackOff.

457
Multi-Selecteasy

Which TWO commands are used to manage node schedulability? (Select TWO.)

Select 2 answers
A.kubectl label
B.kubectl drain
C.kubectl uncordon
D.kubectl taint
E.kubectl cordon
AnswersC, E

Marks node schedulable.

Why this answer

Option C (kubectl uncordon) is correct because it marks a node as schedulable, allowing new pods to be placed on it. Option E (kubectl cordon) is correct because it marks a node as unschedulable, preventing new pods from being scheduled while leaving existing pods running. Both commands directly manage the node's schedulability status by toggling the `spec.unschedulable` field.

Exam trap

The trap here is that candidates confuse `kubectl drain` (which includes cordoning and pod eviction) with a command that solely manages schedulability, or they mistakenly think `kubectl taint` directly controls node schedulability rather than influencing pod placement through tolerations.

458
Multi-Selecthard

Which THREE are valid methods to authenticate a user to the Kubernetes API server? (Select 3)

Select 3 answers
A.Bearer tokens (e.g., service account tokens)
B.Username/password via HTTP Basic Auth
C.Client certificates
D.Static password file
E.OpenID Connect (OIDC) tokens
AnswersA, C, E

Bearer tokens are used for service accounts and can also be used for users via static tokens.

Why this answer

Bearer tokens, such as those used by service accounts, are a valid authentication method for the Kubernetes API server. The API server validates the token against the token authentication file or, for service accounts, against the TokenReview API, which verifies the token's validity and associated identity.

Exam trap

The trap here is that candidates often confuse HTTP Basic Auth with bearer token authentication, or mistakenly think a static password file is a valid method, when Kubernetes only supports token-based (including OIDC) and certificate-based authentication.

459
MCQmedium

You have a Deployment with 3 replicas. You run 'kubectl rollout history deployment web-app' and see revision 2 is current. You want to roll back to revision 1. Which command should you use?

A.kubectl set image deployment/web-app web-app=image:v1
B.kubectl rollout history deployment/web-app --revision=1
C.kubectl rollout undo deployment/web-app --to-revision=1
D.kubectl rollout undo deployment/web-app
AnswerC

Correct command to roll back to revision 1.

Why this answer

Option C is correct because `kubectl rollout undo deployment/web-app --to-revision=1` explicitly rolls back the Deployment to revision 1, which is the desired state. The `--to-revision` flag targets a specific revision from the rollout history, ensuring the Deployment's Pod template is reverted to the exact configuration of revision 1.

Exam trap

The trap here is that candidates often confuse `kubectl rollout undo` (which defaults to the previous revision) with the need to specify `--to-revision` to target an arbitrary revision, or they mistakenly use `kubectl set image` to 'revert' the image, which instead creates a new revision rather than rolling back.

How to eliminate wrong answers

Option A is wrong because `kubectl set image deployment/web-app web-app=image:v1` changes the container image to `image:v1` but does not perform a rollback; it creates a new revision (revision 3) rather than reverting to revision 1. Option B is wrong because `kubectl rollout history deployment/web-app --revision=1` only displays the details of revision 1 (e.g., annotations, template) without actually rolling back the Deployment. Option D is wrong because `kubectl rollout undo deployment/web-app` rolls back to the previous revision (revision 1 only if revision 2 is current and revision 1 is the immediate predecessor), but it does not guarantee targeting revision 1 if there are multiple revisions; the `--to-revision` flag is required to specify revision 1 explicitly.

460
MCQmedium

You run 'kubectl get svc my-service -o yaml' and see 'type: ClusterIP'. The service has no endpoints. What is the most likely cause?

A.The service type is ClusterIP, which does not support endpoints.
B.The service's port does not match the container port.
C.The service is misconfigured and needs to be deleted and recreated.
D.No pods with labels matching the service selector are running and ready.
AnswerD

Endpoints are created from pods that match the selector and are in the Ready state.

Why this answer

If a service has no endpoints, it means no pods matching the service's selector are running and ready.

461
MCQmedium

What is the DNS name for a Service named 'api' in the 'default' namespace?

A.api.default.svc.cluster.local
B.default.api.svc.cluster.local
C.api.svc.default.cluster.local
D.api.default.cluster.local
AnswerA

Correct format: <service>.<namespace>.svc.cluster.local

Why this answer

Kubernetes DNS names follow the format <service>.<namespace>.svc.cluster.local.

462
MCQeasy

You have a pod that is in 'Pending' state because it requires a PersistentVolumeClaim that is not bound. Which event would you see in 'kubectl describe pod'?

A.0/1 nodes are available: 1 node(s) didn't match node selector
B.Failed to pull image "myimage:latest"
C.0/1 nodes are available: 1 Insufficient memory
D.0/1 nodes are available: 1 pod has unbound immediate PersistentVolumeClaims
AnswerD

This is the typical event when a PVC is not bound.

Why this answer

Option A is correct. When a pod is pending due to an unbound PVC, the event will mention 'persistentvolumeclaim' not found. Option B is for image pull issues.

Option C is for resource constraints. Option D is for node selector mismatch.

463
MCQmedium

A pod is in Pending state. You see the event: '0/2 nodes are available: 2 node(s) had taint {node-role.kubernetes.io/control-plane: }, that the pod didn't tolerate'. What should you do to schedule the pod on one of the control-plane nodes?

A.Increase the pod's resource requests
B.Remove the taint from the control-plane node
C.Use a different namespace
D.Add a toleration to the pod spec matching the taint
AnswerD

Correct. Tolerations allow scheduling on tainted nodes.

Why this answer

Tolerations allow pods to be scheduled on tainted nodes. Adding a toleration that matches the taint permits scheduling.

464
MCQmedium

You create a Service of type LoadBalancer in a Kubernetes cluster that does not have an external load balancer provider (e.g., bare-metal). What will be the state of the EXTERNAL-IP field when you run 'kubectl get svc'?

A.The ClusterIP
B.The node's IP address
C.<pending>
D.<none>
AnswerC

The external IP stays <pending> until a load balancer provisions one.

Why this answer

When no external load balancer is provisioned, the EXTERNAL-IP remains <pending> indefinitely.

465
MCQeasy

Which kubectl command is used to drain a node before performing maintenance?

A.kubectl cordon node01
B.kubectl drain node01
C.kubectl taint node node01 key=value:NoExecute
D.kubectl delete node node01
AnswerB

Drain evicts pods and marks the node unschedulable.

Why this answer

The `kubectl drain` command is the correct tool for safely evicting all pods from a node before maintenance. It marks the node as unschedulable (similar to `cordon`) and then gracefully terminates pods, respecting PodDisruptionBudgets, ensuring workloads are rescheduled to other nodes without disruption.

Exam trap

CNCF often tests the distinction between `cordon` (only prevents new pods) and `drain` (evicts existing pods), leading candidates to mistakenly choose `cordon` when the question explicitly requires draining for maintenance.

How to eliminate wrong answers

Option A is wrong because `kubectl cordon` only marks the node as unschedulable (SchedulingDisabled) but does not evict existing pods, so maintenance would still leave running workloads on the node. Option C is wrong because `kubectl taint` with `NoExecute` evicts pods that do not tolerate the taint, but it does not gracefully drain all pods or respect PodDisruptionBudgets, and it is not the standard command for node maintenance preparation. Option D is wrong because `kubectl delete node` removes the node object from the cluster entirely, which is destructive and not intended for maintenance; it does not evict pods or cordon the node first, potentially causing workload disruption.

466
MCQeasy

What is the purpose of a PriorityClass in Kubernetes?

A.To define which nodes a pod can be scheduled on based on priority
B.To set the order in which pods are started
C.To ensure that high-priority pods can preempt lower-priority pods
D.To give a pod a higher share of CPU cycles
AnswerC

That is the core function of PriorityClass with preemption.

Why this answer

PriorityClass in Kubernetes is used to assign a priority value to pods, which the scheduler uses to determine scheduling order and, critically, to enable preemption. When the cluster is under resource pressure, the scheduler can preempt (evict) lower-priority pods to make room for higher-priority pods that cannot be scheduled. This ensures that critical workloads can run even when resources are scarce, which is the core purpose of PriorityClass.

Exam trap

CNCF often tests the misconception that PriorityClass controls CPU or memory resource allocation (like QoS classes), whereas it strictly controls scheduling priority and preemption behavior, not runtime resource guarantees.

How to eliminate wrong answers

Option A is wrong because node selection based on priority is handled by node affinity, node selectors, or taints/tolerations, not by PriorityClass. Option B is wrong because the order in which pods are started is influenced by PriorityClass only in the context of scheduling and preemption, but there is no guaranteed startup order; Kubernetes does not provide a sequential startup mechanism. Option D is wrong because CPU cycles are allocated based on resource requests and limits, not priority; priority does not affect CPU shares or scheduling fairness within the node's cgroups.

467
MCQmedium

A user tries to create a pod with the YAML file that requests 2 CPUs as a limit. The cluster has a ResourceQuota named 'compute-quota' with limits.cpu: 2. The user sees the above error. What is the likely issue?

A.The pod is requesting 2 CPUs as a request, but the quota limits requests.
B.The pod is being created in the wrong namespace.
C.The pod is trying to use more CPU than the node capacity.
D.The current total CPU limit usage in the namespace is 1, and adding a pod with limit 2 would exceed the quota of 2.
AnswerD

The quota allows a total of 2, and 1 is already used, leaving only 1 available.

Why this answer

Option D is correct because the ResourceQuota 'compute-quota' sets a hard limit of 2 CPUs for all pods in the namespace. If the current total CPU limit usage is already 1, adding a new pod with a limit of 2 would bring the total to 3, exceeding the quota. Kubernetes enforces ResourceQuota at admission time, rejecting the pod creation to prevent the namespace from exceeding its configured limits.

Exam trap

The trap here is that candidates confuse ResourceQuota enforcement with node capacity or scheduling constraints, but the error is specifically an admission-level quota violation, not a resource shortage on any node.

How to eliminate wrong answers

Option A is wrong because the error is about CPU limits, not requests; the quota specifically restricts limits.cpu, and the pod is requesting a limit of 2 CPUs, not a request. Option B is wrong because the error message does not indicate a namespace mismatch; ResourceQuota is namespace-scoped, but the pod is likely being created in the same namespace as the quota, and the error is about exceeding the quota, not a wrong namespace. Option C is wrong because the error is not about node capacity; node capacity is a scheduling concern handled by the kube-scheduler, while ResourceQuota is an admission control mechanism that rejects the pod before scheduling even considers node resources.

468
MCQmedium

A pod named 'web-app' is crashing repeatedly. You run 'kubectl describe pod web-app' and see that the container exited with code 137. What does this indicate?

A.The container's entrypoint command failed
B.The container's readiness probe failed
C.The container image was not found
D.The container was killed because it exceeded its memory limit
AnswerD

Exit code 137 (128+9) indicates SIGKILL, commonly from OOM kill.

Why this answer

Exit code 137 means the container was killed by SIGKILL (128 + 9). This is often due to being OOM-killed when it exceeds its memory limit.

469
MCQmedium

A company wants to install Kubernetes on a set of bare-metal servers with no existing orchestration tools. They need a solution that supports high availability for the control plane and uses etcd operators for cluster management. Which tool should they use?

A.kube-spray
B.kubeadm
C.minikube
D.kops
AnswerB

kubeadm can bootstrap HA clusters and integrates with etcd operators.

Why this answer

kubeadm is the correct choice because it is the official Kubernetes tool for bootstrapping production-grade clusters on bare-metal servers, supporting high availability (HA) for the control plane via stacked or external etcd topologies. It integrates with etcd operators (e.g., etcdadm or the etcd-operator project) for cluster management, allowing automated etcd cluster lifecycle operations. Other tools either lack HA control plane support, are not designed for bare-metal, or do not use etcd operators.

Exam trap

The trap here is that candidates often confuse kubeadm as only a 'simple bootstrapper' and overlook its HA and operator integration capabilities, or they assume kops is suitable for bare-metal because it supports multiple cloud providers, but kops requires cloud-specific infrastructure APIs and does not manage etcd via operators.

How to eliminate wrong answers

Option A (kube-spray) is wrong because it is a deployment tool that uses Ansible to install Kubernetes, but it does not natively integrate etcd operators for cluster management; it manages etcd as a static pod or systemd service, not via operators. Option C (minikube) is wrong because it is designed for local development and testing on a single node, not for production bare-metal servers with HA control plane or etcd operator support. Option D (kops) is wrong because it is primarily for cloud-based Kubernetes deployments (e.g., AWS, GCP) and relies on cloud provider APIs for infrastructure, not for bare-metal servers; it also does not use etcd operators for cluster management.

470
Multi-Selecthard

Which THREE of the following are valid steps in a Kubernetes cluster upgrade procedure using kubeadm?

Select 3 answers
A.Drain the control plane node before upgrading it
B.Downgrade the kubelet on worker nodes to match the control plane version
C.Upgrade the kubeadm binary on the node before upgrading the cluster
D.Run 'kubeadm upgrade plan' to check versions and available upgrades
E.Uncordon the node before draining it
AnswersA, C, D

Draining evicts workloads so the node can be upgraded safely.

Why this answer

Option A is correct because draining the control plane node before upgrading it ensures that all workloads are evicted and rescheduled to other nodes, preventing service disruption. This is a standard Kubernetes procedure where 'kubectl drain' marks the node as unschedulable and evicts pods, respecting PodDisruptionBudgets.

Exam trap

The trap here is that candidates may confuse the upgrade order (e.g., thinking you can upgrade kubelet before kubeadm) or incorrectly assume that downgrading the kubelet is acceptable, when in fact the kubelet must be at the same or newer version as the control plane, not older.

471
MCQhard

You are tasked with troubleshooting a web application that is deployed in a Kubernetes cluster. The application consists of a Deployment named 'web-app' with 3 replicas, each running a container that listens on port 3000. A Service named 'web-service' of type ClusterIP with selector 'app: web' and port 80 targeting port 3000 has been created. Additionally, an Ingress resource named 'web-ingress' is configured with a host rule for 'example.com' and backend service 'web-service' on port 80. Users report that accessing http://example.com results in a 503 Service Unavailable error. You verify that all pods are running and ready (kubectl get pods shows 3/3 ready). The Ingress controller logs show 'upstream connect error or disconnect/reset before headers'. You check the endpoints: 'kubectl get endpoints web-service' shows no endpoints. The pods have the label 'app: web'. What should you do to resolve the issue?

A.Change the Service type to NodePort to bypass the Ingress.
B.Update the Ingress to use a different backend service.
C.Check the container port and readiness probe configuration; the pods may not be listening on the expected port or the readiness probe is failing.
D.Modify the Service selector to match the pod labels exactly.
AnswerC

Empty endpoints indicate no ready pods matching the selector; despite 'Ready' status, the readiness probe might be failing if not configured, or the container might not be listening on 3000.

Why this answer

Option C is correct because the absence of endpoints for the Service indicates that the Service's selector is not matching any pods, or the pods are not listening on the correct port. Since the pods have the label 'app: web' and the Service uses 'app: web', the issue is likely that the container port (3000) is misconfigured or the readiness probe is failing, causing the pods to be removed from the Service's endpoints. The Ingress controller's 'upstream connect error' confirms that traffic cannot reach the pods, which aligns with the missing endpoints.

Exam trap

The trap here is that candidates assume the Service selector is wrong when endpoints are missing, but the real issue is often a readiness probe failure or a port mismatch, which the question subtly hints at by stating pods are 'running and ready' but not necessarily passing readiness checks.

How to eliminate wrong answers

Option A is wrong because changing the Service type to NodePort does not fix the underlying issue of missing endpoints; it only exposes the Service on a node port, but the Ingress still relies on the Service's endpoints to route traffic. Option B is wrong because updating the Ingress to use a different backend service does not address the root cause—the current Service has no endpoints, and any backend service would face the same problem if its selector doesn't match pods. Option D is wrong because the Service selector 'app: web' already matches the pod labels 'app: web', so modifying the selector is unnecessary and would not resolve the missing endpoints if the pods are not listening on port 3000 or readiness probes are failing.

472
Multi-Selecthard

Which THREE of the following are true about Network Policies in Kubernetes?

Select 3 answers
A.They can block traffic at the node level.
B.They are namespaced resources.
C.They are enforced by the network plugin (CNI).
D.They can allow ingress traffic from pods with specific labels.
E.They can modify packet contents.
AnswersB, C, D

Network Policies are defined within a namespace and apply to pods in that namespace.

Why this answer

Network Policies are namespaced resources in Kubernetes, meaning they are defined within a specific namespace and only apply to pods in that namespace. This is confirmed by the Kubernetes API, where NetworkPolicy is a namespaced resource under the networking.k8s.io/v1 API group, and it cannot be applied cluster-wide without additional tooling like a cluster-scoped policy engine.

Exam trap

The trap here is that candidates often confuse node-level firewalls (like hostNetwork policies or iptables rules on the node) with Kubernetes Network Policies, which are purely pod-level and enforced by the CNI plugin, not by kubelet or the node's OS.

473
MCQhard

A Deployment is configured with replicas: 3, but only 2 pods are running. 'kubectl describe deployment' shows 'Replicas: 3 desired | 2 current | 2 available'. What could be the reason for the missing pod?

A.The ReplicaSet is not created
B.The Deployment's selector does not match the pod template labels
C.A PersistentVolumeClaim used by the pod is not bound
D.The node has a disk pressure condition
AnswerC

Correct. If a PVC is not bound, the pod stays Pending.

Why this answer

A persistent volume claim in Pending state can prevent a pod from starting if the pod uses a PVC that is not bound.

474
MCQeasy

Which of the following is a valid way to mount a Secret as a volume in a Pod?

A.volumes: - name: secret-volume secret: secretName: my-secret
B.volumes: - name: secret-volume secretName: my-secret
C.volumes: - name: secret-volume configMap: name: my-secret
D.volumes: - name: secret-volume hostPath: path: /etc/secret
AnswerA

Correct format for mounting a Secret as a volume.

Why this answer

Option A is correct because it uses the `secret` volume type with the `secretName` field to reference a Kubernetes Secret object. This is the standard syntax for mounting a Secret as a volume in a Pod, allowing the Secret's data to be exposed as files in the container's filesystem.

Exam trap

The trap here is that candidates confuse the syntax for mounting a Secret with that of a ConfigMap, or incorrectly assume that `secretName` can be used as a top-level field without the `secret` key, leading them to pick option B.

How to eliminate wrong answers

Option B is wrong because it omits the `secret` key under the volume source; the `secretName` field must be nested under a `secret` key, not placed directly under the volume name. Option C is wrong because it uses the `configMap` volume type with a `name` field, which is for ConfigMaps, not Secrets; Secrets require the `secret` volume type. Option D is wrong because it uses `hostPath` to mount a directory from the node's filesystem, which does not mount a Kubernetes Secret object and bypasses Secret management and encryption.

475
MCQhard

During a cluster upgrade from v1.28 to v1.29, which component should be upgraded first on the control plane node?

A.kube-apiserver
B.kube-scheduler
C.kube-controller-manager
D.etcd
AnswerD

etcd should be upgraded first to ensure data store compatibility.

Why this answer

During a Kubernetes cluster upgrade, the control plane components must be upgraded in a specific order to maintain cluster stability and API availability. etcd, as the cluster's backing store, should be upgraded first because all other control plane components (kube-apiserver, kube-scheduler, kube-controller-manager) depend on it for reading and writing cluster state. Upgrading etcd first ensures that the data store is compatible with the new version before the API server and other controllers are updated.

Exam trap

CNCF often tests the misconception that the kube-apiserver should be upgraded first because it is the central component, but the correct order requires etcd to be upgraded first due to its role as the underlying data store.

How to eliminate wrong answers

Option A is wrong because kube-apiserver is the next component to upgrade after etcd, but it cannot be upgraded first as it relies on etcd for storing and retrieving cluster state; upgrading it before etcd could lead to API version mismatches or data corruption. Option B is wrong because kube-scheduler depends on the kube-apiserver to watch for unscheduled pods and bind them to nodes; upgrading it before the API server would break its communication with the cluster. Option C is wrong because kube-controller-manager also depends on the kube-apiserver to watch and reconcile controller loops; upgrading it before the API server would cause it to fail to interact with the cluster state.

476
MCQmedium

A company deploys a web application with multiple replicas in a Kubernetes cluster. Users report intermittent connectivity issues. The application pods are exposed via a ClusterIP Service. To ensure stable connectivity, which action should be taken?

A.Change the Service type to NodePort
B.Set service.spec.sessionAffinity to ClientIP
C.Remove the ClusterIP Service and use headless service
D.Add a readiness probe to the pods
AnswerB

ClientIP session affinity ensures requests from the same client are routed to the same pod, resolving intermittent connectivity due to session state.

Why this answer

Intermittent connectivity issues with multiple replicas often stem from requests being distributed across different pods, which can break session state if the application is not stateless. Setting `service.spec.sessionAffinity` to `ClientIP` ensures that all requests from a given client IP are routed to the same pod, providing stable connectivity for stateful sessions without changing the service type or removing the ClusterIP.

Exam trap

The trap here is that candidates often confuse readiness probes (which ensure pods are healthy) with session affinity (which ensures client requests stick to the same pod), leading them to select the readiness probe option despite it not solving the session persistence problem.

How to eliminate wrong answers

Option A is wrong because changing the Service type to NodePort exposes the service on a static port on each node's IP, which does not address session persistence and may introduce additional network complexity without solving the intermittent connectivity issue. Option C is wrong because removing the ClusterIP Service and using a headless service disables load balancing and DNS-based round-robin, which would break the stable connectivity goal by requiring clients to manage pod IPs directly. Option D is wrong because adding a readiness probe only controls whether a pod receives traffic based on its health, but does not ensure that requests from the same client are consistently routed to the same pod, which is the root cause of intermittent connectivity for stateful applications.

477
MCQmedium

A pod is in ImagePullBackOff state. Which command can you run to get more details about the underlying error?

A.kubectl logs pod
B.kubectl get events --field-selector involvedObject.name=pod
C.kubectl describe pod
D.kubectl top pod
AnswerC

Events in the pod description include the reason for ImagePullBackOff.

Why this answer

kubectl describe pod shows events including the exact error message from the kubelet when pulling the image.

478
Multi-Selectmedium

A pod is in 'Pending' state. Which TWO of the following are possible causes? (Select 2)

Select 2 answers
A.Node has insufficient CPU or memory resources
B.Container exited with non-zero exit code
C.PersistentVolumeClaim is not bound
D.Container was killed due to OOM
E.Image name is misspelled
AnswersA, C

If nodes lack resources, pods stay pending until resources become available.

Why this answer

Options A and D are correct. Insufficient CPU/memory resources and an unbound PVC are common reasons for a pod to remain pending. Option B (container exited) would cause CrashLoopBackOff or error state, not Pending.

Option C (image pull) would cause ImagePullBackOff. Option E (OOMKilled) would cause crash loop, not Pending.

479
MCQeasy

Which command initializes a new Kubernetes cluster using kubeadm?

A.kubeadm create cluster
B.kubeadm setup
C.kubeadm init
D.kubeadm start
AnswerC

Correct.

Why this answer

Option C is correct because `kubeadm init` is the official Kubernetes command to bootstrap a control-plane node and initialize a new cluster. It performs preflight checks, generates certificates, creates the static Pod manifests for core components (etcd, API server, controller manager, scheduler), and configures the admin kubeconfig file.

Exam trap

The trap here is that candidates confuse `kubeadm init` with generic system commands like `create` or `start`, or assume a `setup` subcommand exists, when in fact `kubeadm init` is the only correct command for initializing a cluster.

How to eliminate wrong answers

Option A is wrong because `kubeadm create cluster` is not a valid kubeadm subcommand; kubeadm uses `init` for control-plane initialization and `join` for worker nodes. Option B is wrong because `kubeadm setup` does not exist in the kubeadm CLI; the correct command for initializing a cluster is `kubeadm init`. Option D is wrong because `kubeadm start` is not a valid kubeadm subcommand; kubeadm does not manage the lifecycle of running processes—it only bootstraps the cluster, after which kubelet and container runtime handle the Pods.

480
MCQeasy

Which command retrieves the rollout history of a Deployment named 'web'?

A.kubectl describe deployment web
B.kubectl get events --field-selector involvedObject.name=web
C.kubectl rollout history deployment web
D.kubectl rollout status deployment web
AnswerC

Correct command to view rollout history.

Why this answer

kubectl rollout history deployment web shows the revision history of the deployment.

481
MCQmedium

You apply the following NetworkPolicy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress What effect does this policy have?

A.Ingress traffic from pods with label 'app: allowed' is allowed.
B.All ingress and egress traffic to/from pods in the namespace is denied.
C.The policy has no effect because no rules are specified.
D.All ingress traffic to any pod in the namespace is denied.
AnswerD

Correct. The policy selects all pods and denies ingress by default.

Why this answer

Option A is correct. A podSelector with '{}' selects all pods in the namespace. With only Ingress in policyTypes, it denies all incoming traffic to all pods in the namespace.

Egress is not affected.

482
MCQmedium

A pod has been in Pending state for a long time. 'kubectl describe pod' shows the event: '0/3 nodes are available: 1 node(s) had taint {node.kubernetes.io/not-ready: }, that the pod didn't tolerate, 2 node(s) had taint {node.kubernetes.io/unreachable: }, that the pod didn't tolerate.' What is the most likely cause?

A.The pod's image is incorrect
B.The kubelet on each node is not running
C.The pod has resource requests that exceed node capacity
D.The nodes are all cordoned
AnswerB

When kubelet is down, nodes become NotReady and taint themselves, causing scheduling failures.

Why this answer

The event indicates that all nodes have taints that the pod does not tolerate. This can happen if the nodes are NotReady or unreachable, often due to a network plugin issue or kubelet failure.

483
MCQeasy

Which control plane component is responsible for storing the cluster state and configuration?

A.etcd
B.kube-controller-manager
C.kube-apiserver
D.kube-scheduler
AnswerA

etcd is the store for all cluster state and configuration.

Why this answer

etcd is the distributed key-value store that serves as the single source of truth for the entire cluster, storing all cluster state data such as configurations, secrets, service endpoints, and resource specifications. The kube-apiserver reads from and writes to etcd exclusively, making it the only component that directly persists the cluster's desired and current state.

Exam trap

The trap here is that candidates often confuse the kube-apiserver as the storage component because it is the primary interface for all cluster operations, but it is actually a stateless API gateway that relies entirely on etcd for persistence.

How to eliminate wrong answers

Option B (kube-controller-manager) is wrong because it runs controller loops that reconcile the current state with the desired state stored in etcd, but it does not store any data itself. Option C (kube-apiserver) is wrong because it is the front-end API gateway that validates and processes requests, but it delegates all persistent storage to etcd and does not maintain its own database. Option D (kube-scheduler) is wrong because it only assigns pods to nodes based on resource availability and policies, and it reads cluster state from the API server without storing any state or configuration.

484
MCQhard

You apply a LimitRange that sets default CPU request to 0.5 and default CPU limit to 1. You create a pod without specifying any CPU resources. What are the effective CPU request and limit for the pod?

A.request: 0.5, limit: 1
B.request: 0.5, limit: 0 (no limit)
C.request: 0, limit: 0 (no defaults applied)
D.request: 1, limit: 0.5
AnswerA

The LimitRange default values are applied.

Why this answer

LimitRange applies default resource requests and limits to pods that do not specify them. The pod gets request=0.5, limit=1.

485
MCQmedium

A pod has an init container that downloads a large file. The init container uses the 'busybox' image and runs the command 'wget http://example.com/data.zip'. The pod's status shows 'Init:0/1' and then 'PodInitializing'. After a few minutes, the pod enters 'Init:Error'. What is the most likely cause?

A.The init container image was not found
B.The init container's command failed
C.The pod's main container failed to start
D.The init container exceeded a resource limit
AnswerB

Init:Error indicates the init container exited with an error. Probably wget failed or is not available.

Why this answer

The init container runs a `wget` command to download a file. The pod transitions from `Init:0/1` to `PodInitializing` (indicating the init container started) and then to `Init:Error`, which means the init container exited with a non-zero exit code. Since the image is `busybox` (which includes `wget`), the most likely cause is that the `wget` command itself failed — e.g., due to a network issue, a bad URL, or a timeout — not an image pull failure or resource limit.

Exam trap

The trap here is that candidates see `Init:Error` and immediately assume a resource limit or image pull issue, but the progression from `Init:0/1` to `PodInitializing` proves the container started and ran, so the error must be from the command itself failing.

How to eliminate wrong answers

Option A is wrong because if the init container image were not found, the pod would show `ErrImagePull` or `ImagePullBackOff`, not `Init:Error` after having started. Option C is wrong because the pod never reached the main container stage; the error is specifically in the init container phase, as indicated by `Init:Error`. Option D is wrong because exceeding a resource limit (e.g., CPU or memory) would typically result in an `OOMKilled` or `CrashLoopBackOff` status, not a generic `Init:Error` from a command failure.

486
MCQhard

You have an Ingress resource with the following spec: spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 A client sends a request to http://example.com/api/v1/users. Which path is matched?

A./api/v1/users
B.ImplementationSpecific: depends on the Ingress controller
C./api
D.No match, returns 404
AnswerC

Prefix matching: /api matches /api/v1/users.

Why this answer

PathType Prefix matches URLs that have the path as a prefix. /api matches /api, /api/v1, /api/v1/users, etc. ImplementationSpecific is not standard; Exact would require exact match.

487
MCQhard

You want to test network connectivity from pod A to pod B in the same namespace. Which command would you run from within pod A?

A.kubectl logs pod-a | curl pod-b
B.kubectl port-forward pod-a 8080:8080 & curl localhost:8080
C.kubectl exec pod-a -- curl http://pod-b:8080
D.kubectl attach pod-a -- curl pod-b
AnswerC

Exec into pod A and use curl to reach pod B's IP or service.

Why this answer

kubectl exec allows running commands inside a container; curl is a common tool to test HTTP connectivity.

488
MCQhard

A cluster has multiple namespaces: 'frontend', 'backend', and 'monitoring'. A pod in the 'frontend' namespace needs to reach a Service named 'db-service' in the 'backend' namespace. The 'db-service' Service is of type ClusterIP. Which DNS name should the pod use?

A.db-service.svc.cluster.local
B.db-service
C.db-service.backend.cluster.local
D.db-service.backend.svc.cluster.local
AnswerD

This is the correct FQDN for cross-namespace access.

Why this answer

Option D is correct because Kubernetes DNS resolves services using the format `<service>.<namespace>.svc.cluster.local`. Since the pod is in the 'frontend' namespace and needs to reach 'db-service' in the 'backend' namespace, the fully qualified domain name (FQDN) must include the namespace and the 'svc' subdomain to be resolved by the cluster DNS (CoreDNS).

Exam trap

The trap here is that candidates often forget the 'svc' subdomain or assume that omitting the namespace works across namespaces, leading them to pick Option A or C, while the correct FQDN must include both namespace and 'svc' for reliable resolution.

How to eliminate wrong answers

Option A is wrong because it omits the namespace, so it would only resolve if the pod and service were in the same namespace; cross-namespace access requires the namespace. Option B is wrong because a bare service name without a domain suffix is only valid within the same namespace and relies on search domains, which are not guaranteed to resolve across namespaces. Option C is wrong because it uses 'backend.cluster.local' instead of 'backend.svc.cluster.local', missing the mandatory 'svc' subdomain that Kubernetes DNS expects for service records.

489
Multi-Selectmedium

Which TWO of the following commands are useful for debugging network connectivity between pods?

Select 2 answers
A.kubectl top pod <pod-name>
B.kubectl run test-pod --image=busybox --rm -it -- wget -O- http://service:port
C.kubectl edit deployment <deployment-name>
D.kubectl logs <pod-name>
E.kubectl exec <pod-name> -- ping <target-ip>
AnswersB, E

Run a temporary pod to test connectivity.

Why this answer

kubectl exec lets you run commands inside a pod (e.g., ping, curl). kubectl run creates a temporary pod for testing. kubectl logs and edit are not network debugging tools.

490
MCQmedium

You are using kubeadm to initialize a Kubernetes cluster. After running 'kubeadm init', the control-plane node is not ready. You run 'kubectl get nodes' and see the node status as 'NotReady'. Which component is most likely not functioning correctly?

A.kube-scheduler
B.etcd
C.kube-apiserver
D.kubelet
AnswerD

The kubelet is responsible for node status. If it is not running or cannot communicate with the API server, the node will be NotReady.

Why this answer

The kubelet is the primary node agent that runs on every node and is responsible for registering the node with the cluster and maintaining pod lifecycle. After 'kubeadm init', if the control-plane node shows 'NotReady', it almost always indicates that the kubelet is not running or is failing to communicate with the control plane, often due to missing or misconfigured container runtime (e.g., containerd, CRI-O) or network plugin (CNI).

Exam trap

The trap here is that candidates often confuse control-plane component failures (like scheduler or API server) with node-level agent failures, but the 'NotReady' status is specifically a kubelet-driven condition, not a control-plane component status.

How to eliminate wrong answers

Option A is wrong because the kube-scheduler is responsible for assigning pods to nodes, not for node readiness; a non-functional scheduler would cause pods to remain Pending, not a node to be NotReady. Option B is wrong because etcd is the cluster's key-value store; while etcd failure would cause widespread issues, node readiness is determined by the kubelet's heartbeat to the API server, not directly by etcd. Option C is wrong because the kube-apiserver is the front-end for the control plane; if it were down, 'kubectl get nodes' would fail entirely, rather than showing a node as NotReady.

491
MCQmedium

To back up etcd, which command should be used with etcdctl?

A.etcdctl export
B.etcdctl backup
C.etcdctl dump
D.etcdctl snapshot save
AnswerD

This command saves a snapshot of etcd data to a file.

Why this answer

The correct command to back up etcd is `etcdctl snapshot save`, which creates a point-in-time snapshot of the etcd key-value store. This is the officially recommended method for backing up etcd data in Kubernetes clusters, as it captures the entire database state consistently.

Exam trap

The trap here is that candidates may confuse `etcdctl` subcommands with similar-sounding Linux backup commands (like `dump` or `export`) or assume a generic `backup` subcommand exists, when the CKA exam specifically tests knowledge of the exact `snapshot save` syntax.

How to eliminate wrong answers

Option A is wrong because `etcdctl export` is not a valid command; the correct command for exporting data is `etcdctl snapshot save`. Option B is wrong because `etcdctl backup` is not a valid subcommand; etcdctl uses `snapshot save` for backups. Option C is wrong because `etcdctl dump` is not a valid command; the closest valid command is `etcdctl snapshot save` for backups or `etcdctl get` for retrieving specific keys.

492
MCQmedium

You suspect a DNS issue inside a pod. Which command can you run to test DNS resolution from within a pod?

A.kubectl logs coredns -n kube-system
B.kubectl describe svc kubernetes
C.kubectl run test --image=busybox -- nslookup kubernetes.default
D.kubectl exec <pod-name> -- nslookup kubernetes.default
AnswerD

nslookup from within a pod tests DNS resolution against the cluster's DNS service.

Why this answer

Option A is correct. Using kubectl exec to run nslookup inside an existing pod tests DNS resolution. Option B is for logs.

Option C shows service info. Option D creates a new pod, not using the existing one.

493
Multi-Selecthard

Which THREE of the following are steps required when restoring an etcd cluster from a snapshot?

Select 3 answers
A.Run 'etcdctl snapshot restore' specifying a new data directory
B.Update the etcd configuration to point to the new data directory
C.Restore the snapshot on every etcd member in the cluster
D.Stop the etcd service on the node
E.Run 'kubeadm init' to reinitialize the control plane
AnswersA, B, D

Restore command creates a new data directory from snapshot.

Why this answer

Option A is correct because 'etcdctl snapshot restore' is the command used to restore an etcd cluster from a snapshot. You must specify a new data directory (e.g., --data-dir=/var/lib/etcd-restored) to avoid overwriting existing data and to allow the restored snapshot to be used as a fresh data source for the etcd member.

Exam trap

The trap here is that candidates assume the snapshot must be restored on every member, but in practice you restore on one member and let the cluster rebuild itself, or you restore individually with unique data directories and cluster tokens.

494
MCQeasy

You need to create a ConfigMap named 'app-config' from a file named 'config.properties' located in the current directory. Which command should you use?

A.kubectl create configmap app-config --from-file config.properties
B.kubectl create configmap app-config --from-literal=config.properties
C.kubectl apply configmap app-config --from-file=config.properties
D.kubectl create configmap app-config --from-file=config.properties
AnswerD

Correct syntax.

Why this answer

Option C is correct. The command 'kubectl create configmap app-config --from-file=config.properties' creates a ConfigMap from the file. Option A is incorrect because the syntax uses --from-literal for key-value pairs.

Option B uses 'create configmap' but with wrong flag syntax. Option D is incorrect because 'apply' requires a manifest file.

495
MCQhard

A pod is running but cannot be accessed via its ClusterIP service from another pod in the same namespace. The service endpoints list shows the pod's IP. What is the most likely cause?

A.The kube-proxy is not running on the node
B.A NetworkPolicy is blocking the traffic
C.The service's targetPort is incorrect
D.The pod is running on a different node without proper routing
AnswerB

Why this answer

Option B is correct because a NetworkPolicy can explicitly deny ingress traffic to a pod even when the service endpoints are correctly populated. Since the endpoints list shows the pod's IP, the service and pod are communicating at the network layer, but a NetworkPolicy with an ingress rule that does not allow traffic from the source pod's labels or CIDR will cause the packet to be dropped by the node's iptables or eBPF rules, resulting in a connection timeout or reset from the client pod.

Exam trap

The trap here is that candidates assume a populated endpoints list guarantees connectivity, but they overlook that NetworkPolicies operate at a lower layer (L3/L4) and can block traffic even when the service and pod are correctly configured.

Why the other options are wrong

A

kube-proxy issues would affect all services cluster-wide, not just one service with correct endpoints.

C

If targetPort were wrong, endpoints might still show but traffic would not reach the container; but endpoints are based on the container port, so if endpoints exist, targetPort matches.

D

ClusterIP services work across nodes; no extra routing needed.

496
Multi-Selecthard

You need to test network connectivity between two pods in different namespaces. Which TWO approaches are valid?

Select 2 answers
A.Run 'kubectl logs pod-a -n ns1' to see if it received packets
B.Run 'kubectl port-forward pod-a 8080:80' and test locally
C.Run 'kubectl run test-pod --image=busybox --rm -it --restart=Never -- nslookup pod-b'
D.Run 'kubectl exec pod-a -n ns1 -- curl <service-b-name.ns2.svc.cluster.local>'
E.Run 'kubectl exec pod-a -n ns1 -- curl <pod-b-IP>'
AnswersD, E

Tests connectivity to the service in another namespace.

Why this answer

Using kubectl exec to curl the other pod's IP (B) or service name (D) are direct methods. 'kubectl logs' (A) shows logs but does not test connectivity. 'kubectl port-forward' (C) is for local access. 'kubectl run' (E) can be used to create a temporary pod for testing, but the question asks for approaches to test connectivity between existing pods, so exec is more direct.

497
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete the namespace and redeploy all workloads
B.Increase the CPU request for the container
C.Delete and recreate the pod to clear the crash loop
D.Increase the memory limit in the pod's container resource specification
AnswerD

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

OOMKilled means the container exceeded its memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

498
MCQeasy

You have a Deployment named 'web-app' in the 'default' namespace. You run the following command: kubectl rollout history deployment web-app. The output shows: revision 1, revision 2, revision 3. You want to roll back to revision 1. Which command achieves this?

A.kubectl rollout undo deployment web-app --revision=1
B.kubectl rollout undo deployment web-app --to-revision=1
C.kubectl rollback deployment web-app --to-revision=1
D.kubectl rollout undo deployment web-app
AnswerB

Correct flag to specify target revision.

Why this answer

Option A is correct. 'kubectl rollout undo deployment web-app --to-revision=1' rolls back to revision 1. Option B rolls back to the previous revision (2). Option C is incorrect because --revision flag does not exist.

Option D uses 'rollback' which is not a valid kubectl command.

499
MCQhard

A pod is stuck in Pending state. 'kubectl describe pod' shows the event: '0/3 nodes are available: 3 node(s) didn't match pod anti-affinity rules'. What is the most likely cause?

A.The nodes have insufficient resources
B.The pod has a requiredDuringSchedulingIgnoredDuringExecution anti-affinity rule that is too restrictive
C.The pod has a taint tolerance issue
D.The nodes are all cordoned
AnswerB

Required anti-affinity must be satisfied for scheduling. If no node meets the constraint, the pod stays pending.

Why this answer

Pod anti-affinity rules prevent the pod from being scheduled on nodes that already have pods matching certain labels. The error indicates that all nodes are excluded due to anti-affinity constraints.

500
MCQmedium

A pod is stuck in 'Pending' state. Which command would you run FIRST to diagnose the issue?

A.kubectl logs <pod-name>
B.kubectl describe pod <pod-name>
C.kubectl top pod <pod-name>
D.kubectl exec -it <pod-name> -- sh
AnswerB

Describes the pod with events and conditions.

Why this answer

A pod stuck in 'Pending' state means it has not been scheduled to a node yet. The `kubectl describe pod` command provides detailed event logs, scheduler decisions, and resource constraints (e.g., insufficient CPU/memory, persistent volume claims not bound, node selector mismatches) that reveal why scheduling failed. This is the first diagnostic step because it surfaces the root cause without requiring the pod to be running.

Exam trap

The trap here is that candidates often jump to `kubectl logs` or `kubectl exec` out of habit, forgetting that these commands only work for running pods, while 'Pending' indicates a pre-scheduling failure that requires inspecting events and conditions via `kubectl describe`.

How to eliminate wrong answers

Option A is wrong because `kubectl logs` retrieves container logs, but a pod in 'Pending' has no running containers yet, so there are no logs to fetch. Option C is wrong because `kubectl top pod` shows real-time resource usage metrics, which require the pod to be running on a node; a pending pod has no metrics. Option D is wrong because `kubectl exec` requires a running container to execute commands, which is impossible when the pod is still pending.

501
MCQmedium

A node has been cordoned. Which statement about the node is true?

A.All pods on the node are immediately terminated
B.The kubelet on the node is stopped
C.The node is removed from the cluster
D.The node is marked as unschedulable, but existing pods continue to run
AnswerD

Cordoning sets the node's status to Unschedulable, preventing new pods from being scheduled while existing pods keep running.

Why this answer

When a node is cordoned using `kubectl cordon <node>`, it is marked as unschedulable by setting the `spec.unschedulable` field to `true`. This prevents new pods from being scheduled onto the node, but existing pods continue to run normally. The kubelet remains active, and the node stays in the cluster.

Exam trap

The trap here is confusing `cordon` with `drain` — candidates often think cordoning also evicts pods, but it only prevents new scheduling, leaving existing pods untouched.

How to eliminate wrong answers

Option A is wrong because cordoning does not terminate pods; only `kubectl drain` evicts or deletes pods. Option B is wrong because the kubelet continues to run and manage existing pods; cordoning only affects the scheduler. Option C is wrong because the node remains a member of the cluster and is still visible via `kubectl get nodes`; it is not removed.

502
MCQhard

A cluster was upgraded from version 1.28 to 1.29. After the upgrade, you notice that a custom controller using the 'batch/v2alpha1' API for CronJobs no longer works. What is the most likely reason?

A.The API server was not restarted after the upgrade
B.The CronJob resource has been renamed to ScheduledJob
C.The batch/v2alpha1 API version is deprecated and removed in 1.29
D.The custom controller uses an incorrect kubeconfig
AnswerC

batch/v2alpha1 was removed in 1.29. Must use batch/v1.

Why this answer

The batch/v2alpha1 API version for CronJobs was deprecated in Kubernetes 1.21 and removed entirely in 1.29. Since the cluster was upgraded from 1.28 to 1.29, the custom controller can no longer use this API version because the API server no longer serves it. Controllers must migrate to the stable batch/v1 API version to function correctly.

Exam trap

The trap here is that candidates may assume the API server needs a manual restart (Option A) or confuse the resource name change (Option B), but the real issue is Kubernetes' strict API version lifecycle and removal policy.

How to eliminate wrong answers

Option A is wrong because the API server is automatically restarted as part of the upgrade process (e.g., via kubeadm upgrade), and a missing restart would cause broader failures, not just a single API version. Option B is wrong because the CronJob resource has never been renamed to ScheduledJob; that was a pre-release name in very early Kubernetes versions and is not relevant here. Option D is wrong because an incorrect kubeconfig would cause authentication or connection failures for all API calls, not specifically for the batch/v2alpha1 API version.

503
Multi-Selecthard

Which three components are part of the Gateway API? (Choose three.)

Select 3 answers
A.Ingress
B.GatewayClass
C.Gateway
D.HTTPRoute
E.Service
AnswersB, C, D

GatewayClass defines a class of gateways.

Why this answer

The Gateway API includes GatewayClass, Gateway, HTTPRoute, and other route types. Service and Ingress are not part of the Gateway API; Ingress is a separate API.

504
MCQmedium

A container requests 256Mi memory and has a limit of 512Mi. The container tries to allocate 600Mi. What happens?

A.The container is allowed to use up to 600Mi if the node has free memory
B.The kernel throttles the container's memory usage
C.The container is killed with OOMKilled and restarted
D.The container is evicted from the node
AnswerC

Exceeding memory limit triggers OOM kill. With default restartPolicy, it restarts.

Why this answer

When a container exceeds its memory limit, the kernel OOM killer terminates it. The container will be restarted (depending on restartPolicy).

505
Multi-Selecteasy

Which TWO of the following are valid reasons to use a Headless Service?

Select 2 answers
A.To provide a single stable IP address for the service.
B.To expose a service externally via a cloud load balancer.
C.To enable a client to discover all pod IPs for a StatefulSet.
D.To enable DNS to return individual pod IPs for stateful applications.
E.To provide load-balanced access to a set of pods.
AnswersC, D

Headless Service is used with StatefulSets for pod identity.

Why this answer

Option C is correct because a Headless Service (with `clusterIP: None`) does not provide a single stable IP or load balancing. Instead, it returns DNS A/AAAA records for all pod IPs that match the service's selector. This is essential for StatefulSets, where each pod has a unique identity and clients need to discover and connect to specific pods directly, such as in a database cluster.

Exam trap

The trap here is that candidates confuse a Headless Service's DNS-based pod discovery with load balancing or external exposure, when in fact it is designed to give clients direct access to individual pod IPs for stateful workloads.

506
MCQmedium

What is the purpose of 'kubeadm reset'?

A.To restart the Kubernetes services on a node.
B.To reinitialize the cluster with new configuration.
C.To remove the node from the cluster and clean up.
D.To rollback the last upgrade.
AnswerC

reset cleans up the node so it can be rejoined or used for other purposes.

Why this answer

`kubeadm reset` is designed to revert any changes made by `kubeadm init` or `kubeadm join` on a node, effectively cleaning up the node's local state (e.g., removing CNI configurations, etcd member data, and kubelet certificates) so it can be safely removed from the cluster or reinitialized. Option C correctly identifies this as removing the node from the cluster and cleaning up, which is the primary purpose of the command.

Exam trap

CNCF often tests the misconception that `kubeadm reset` is a general-purpose reset or rollback tool, when in fact it is a destructive cleanup command that only prepares a node for re-joining or re-initialization, not for reverting cluster-wide changes or upgrades.

How to eliminate wrong answers

Option A is wrong because `kubeadm reset` does not restart Kubernetes services; it tears down and cleans up the node, whereas `systemctl restart kubelet` or `kubeadm upgrade` commands handle service restarts. Option B is wrong because `kubeadm reset` does not reinitialize the cluster with new configuration; it only cleans up the current state, and reinitialization would require running `kubeadm init` again with a new config. Option D is wrong because `kubeadm reset` is not a rollback mechanism for upgrades; `kubeadm upgrade` has its own rollback procedures (e.g., `kubeadm upgrade apply --etcd-upgrade=false` or manual etcd snapshot restore), and `reset` simply destroys the node's Kubernetes artifacts without preserving upgrade history.

507
Multi-Selectmedium

Which TWO commands can be used to view the configuration of a kubeconfig file?

Select 2 answers
A.kubectl describe configmap kubeconfig
B.kubectl config set-context
C.kubectl config current-context
D.kubectl config get-contexts
E.kubectl config view
AnswersD, E

This lists all contexts defined in the kubeconfig.

Why this answer

Option D is correct because `kubectl config get-contexts` lists all contexts defined in the kubeconfig file, showing their names, clusters, and users. Option E is correct because `kubectl config view` displays the entire merged kubeconfig file content, including clusters, users, and contexts, in YAML or JSON format.

Exam trap

The trap here is that candidates may confuse commands that modify the kubeconfig (like `set-context`) with commands that display it, or mistakenly think `current-context` shows the full configuration when it only shows the active context name.

508
MCQmedium

An Ingress resource is created with the following spec: spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 The backend service 'api-service' is in the same namespace as the Ingress. What must be true for the Ingress to route traffic to the service?

A.The Ingress controller must be configured to use the NodePort of the service.
B.The service 'api-service' must be of type NodePort.
C.The service 'api-service' must have a valid ClusterIP and at least one endpoint.
D.The Ingress must have an IngressClass annotation.
AnswerC

The Ingress controller forwards traffic to the service's ClusterIP, and endpoints must exist for the service to forward to pods.

Why this answer

The Ingress controller must be running and the IngressClass must be defined, but the most direct requirement is that the backend service exists and has endpoints.

509
MCQmedium

You deploy a pod with image 'nginx:1.21'. It stays in ImagePullBackOff. You run 'kubectl describe pod nginx-pod' and see the event: 'Failed to pull image "nginx:1.21": rpc error: code = Unknown desc = Error response from daemon: manifest for nginx:1.21 not found'. What is the most likely fix?

A.Use a different container runtime
B.Add imagePullSecrets to the pod
C.Restart the kubelet on the node
D.Change the image tag to a valid one, e.g., nginx:1.21.6
AnswerD

The tag does not exist; using a valid tag resolves the issue.

Why this answer

The tag '1.21' does not exist in the registry. Use a valid tag like '1.21.6' or 'latest'.

510
MCQmedium

You want to forward local port 8080 to port 80 of a pod named 'nginx-pod'. Which command should you use?

A.kubectl proxy pod/nginx-pod 8080:80
B.kubectl port-forward pod/nginx-pod 8080:80
C.kubectl forward pod/nginx-pod 8080 80
D.kubectl port-forward service/nginx-pod 8080:80
AnswerB

Correct syntax: resource type/pod-name local-port:remote-port.

Why this answer

kubectl port-forward allows forwarding local ports to pods.

511
Multi-Selectmedium

Which TWO statements about Headless services are correct? (Select TWO)

Select 2 answers
A.A headless service assigns a ClusterIP to the service
B.Headless services provide round-robin load balancing across pods
C.Headless services require a selector that matches at least one pod
D.DNS queries for a headless service return the IP addresses of the backing pods
E.A headless service is created by setting clusterIP to None
AnswersD, E

Instead of a single cluster IP, DNS returns pod IPs.

Why this answer

Headless services (clusterIP: None) do not provide load balancing; instead they return the IP addresses of the pods directly via DNS. Option A is correct. Option C is correct.

Option B is false because headless services do not have a stable cluster IP. Option D is false because headless services do not perform load balancing. Option E is false because headless services can be used with any selector.

512
MCQeasy

Which kubectl command lists all events in the cluster, sorted by timestamp (newest first)?

A.kubectl get events --sort-by='.metadata.creationTimestamp'
B.kubectl get events --watch
C.kubectl get events --all-namespaces --sort-by='.lastTimestamp'
D.kubectl get events --all-namespaces --sort-by='.firstTimestamp'
AnswerC

Correct. This shows all events sorted by lastTimestamp in ascending order; reverse for newest first.

Why this answer

Option C is correct because `kubectl get events --all-namespaces --sort-by='.lastTimestamp'` retrieves events from all namespaces and sorts them by the `lastTimestamp` field in ascending order, which effectively displays the newest events last. To show newest first, you would typically add `--sort-by='.lastTimestamp'` and reverse the output, but among the given options, this is the only one that uses the correct field for sorting by time and includes all namespaces, which is necessary for cluster-wide events.

Exam trap

The trap here is that candidates often confuse `firstTimestamp` with `lastTimestamp`, or forget that `--all-namespaces` is required to see cluster-wide events, leading them to pick Option A or D without considering the correct field for newest-first ordering.

How to eliminate wrong answers

Option A is wrong because `--sort-by='.metadata.creationTimestamp'` sorts by the event object's creation timestamp, which is not the same as the event occurrence time; events can be created after the fact, so this does not reflect the actual event order. Option B is wrong because `--watch` continuously streams new events but does not sort existing events by timestamp; it shows events as they occur, not sorted historically. Option D is wrong because `--sort-by='.firstTimestamp'` sorts by the first occurrence of a recurring event, which may not reflect the most recent event time; for a list of all events sorted by newest first, `lastTimestamp` is the correct field.

513
MCQmedium

A pod uses a PVC with access mode RWO. The pod is scheduled on node A. You want to schedule another pod on node B that uses the same PVC. What will happen?

A.The second pod will be stuck in ContainerCreating state until the first pod releases the volume
B.Both pods will mount the volume and share it without issues
C.The second pod will successfully mount the volume as read-only
D.The first pod will be evicted to allow the second pod to use the volume
AnswerA

The volume cannot be attached to two nodes simultaneously with RWO. The second pod will wait indefinitely or fail.

Why this answer

RWO allows only one node to mount the volume as read-write. If a second pod on a different node tries to use the same PVC, it will fail because the volume is already attached to node A.

514
MCQeasy

Which component is responsible for managing the network rules and forwarding on each node?

A.container runtime
B.kubelet
C.kube-proxy
D.kube-scheduler
AnswerC

kube-proxy maintains network rules and performs connection forwarding.

Why this answer

kube-proxy is the component responsible for managing network rules and forwarding traffic on each node. It implements the Kubernetes Service concept by maintaining iptables or IPVS rules that route packets to the correct backend pods, handling load balancing and service discovery at the network layer.

Exam trap

CNCF often tests the misconception that kubelet handles networking, but kubelet only manages pod lifecycle and container runtime interactions, not network rule management.

How to eliminate wrong answers

Option A is wrong because the container runtime (e.g., containerd, CRI-O) is only responsible for pulling images and running containers, not for managing network rules or packet forwarding. Option B is wrong because the kubelet is the primary node agent that registers the node with the API server and manages pod lifecycle, but it does not handle network rule management or forwarding. Option D is wrong because kube-scheduler is a control plane component that assigns pods to nodes based on resource availability and constraints, and it has no role in network traffic forwarding.

515
MCQhard

You need to allow a specific pod running in namespace 'app' to communicate with a database pod in namespace 'db' only. Which NetworkPolicy configuration achieves this?

A.NetworkPolicy in namespace 'db' with podSelector: {} and ingress from namespace 'app' and podSelector: {}
B.NetworkPolicy in namespace 'db' with podSelector: {} and ingress from namespace 'app'
C.NetworkPolicy in namespace 'app' with egress to namespace 'db' and podSelector: {}
D.NetworkPolicy in namespace 'app' allowing ingress from namespace 'db'
AnswerB

This policy allows ingress to all pods in 'db' from any pod in 'app'.

Why this answer

Option B is correct because a NetworkPolicy in the 'db' namespace with an empty podSelector: {} selects all pods in that namespace, and the ingress rule from namespace 'app' with an empty podSelector: {} allows traffic from any pod in the 'app' namespace. This configuration restricts inbound traffic to the database pods exclusively to pods from the 'app' namespace, meeting the requirement.

Exam trap

The trap here is that candidates often think a NetworkPolicy must be placed in the source namespace (e.g., 'app') to control egress, but the correct approach is to place the policy in the destination namespace ('db') to restrict ingress, and they may also overlook that an empty podSelector: {} selects all pods, not a specific one.

How to eliminate wrong answers

Option A is wrong because it includes an ingress rule with podSelector: {} inside the from block, which would allow traffic from all pods in the 'app' namespace (which is fine), but the extra podSelector: {} is redundant and does not break the policy, but the option is not the minimal correct answer; however, the key issue is that the question asks for a configuration that allows communication only from the specific pod in 'app' to the database pod in 'db', and Option A's podSelector: {} in the from block actually selects all pods in the 'app' namespace, not a specific pod, so it is too permissive. Option C is wrong because placing the NetworkPolicy in the 'app' namespace with egress to namespace 'db' and podSelector: {} would control outbound traffic from all pods in 'app' to all pods in 'db', but it does not restrict inbound traffic to the database pod, and it allows all pods in 'app' to egress, not just the specific pod. Option D is wrong because a NetworkPolicy in the 'app' namespace allowing ingress from namespace 'db' would control inbound traffic to pods in 'app', not outbound traffic from 'app' to 'db', and it does not address the requirement of allowing a specific pod in 'app' to communicate with a database pod in 'db'.

516
MCQeasy

Which command is used to create a backup of etcd data using etcdctl?

A.etcdctl endpoint status
B.etcdctl snapshot restore /backup/snapshot.db
C.etcdctl snapshot save /backup/snapshot.db
D.etcdctl member list
AnswerC

This command creates a snapshot backup of etcd data.

Why this answer

Option C is correct because `etcdctl snapshot save` is the command used to create a point-in-time backup of etcd data. This command captures the entire key-value store and writes it to a specified file path, which is essential for disaster recovery in Kubernetes clusters that use etcd as their backing store.

Exam trap

The trap here is that candidates confuse the `save` and `restore` subcommands, often selecting `snapshot restore` (Option B) because they think 'backup' implies 'restore', but `save` is the correct verb for creating a backup.

How to eliminate wrong answers

Option A is wrong because `etcdctl endpoint status` only returns health and version information about the etcd endpoints, not a backup of the data. Option B is wrong because `etcdctl snapshot restore` is used to restore a previously saved snapshot, not to create a new backup. Option D is wrong because `etcdctl member list` lists the members of the etcd cluster and their status, which is unrelated to creating a data backup.

517
MCQmedium

A Node is in NotReady state. Which action should be taken first to diagnose the issue?

A.kubectl describe node <node>
B.Check kubelet logs on the node
C.Restart kubelet
D.Check API server logs
AnswerA

Why this answer

When a node is in NotReady state, the first diagnostic step is to gather information about the node's current status, conditions, and recent events using `kubectl describe node <node>`. This command reveals the node's conditions (e.g., Ready, DiskPressure, MemoryPressure), the last heartbeat timestamp, and any relevant events that may indicate the root cause, such as network issues or kubelet failures. It provides a high-level overview without requiring direct node access, making it the most efficient initial action.

Exam trap

The trap here is that candidates often jump to checking kubelet logs or restarting the kubelet, forgetting that `kubectl describe node` provides immediate visibility into node conditions and events from the control plane, which is the standard first step in the Kubernetes troubleshooting workflow.

Why the other options are wrong

B

Useful but not the first step; describe node gives overview.

C

Recovery action, not diagnosis.

D

Unlikely to show node conditions.

518
Multi-Selectmedium

Which TWO of the following are valid ways to restrict a Pod to run only on nodes with a specific label? (Select 2)

Select 2 answers
A.Adding a toleration for a taint on the node.
B.Specifying spec.nodeSelector in the Pod spec.
C.Using spec.affinity.nodeAffinity with requiredDuringSchedulingIgnoredDuringExecution.
D.Setting spec.nodeName to a node's name.
E.Using spec.affinity.podAffinity with requiredDuringScheduling.
AnswersB, C

NodeSelector constrains Pods to nodes with matching labels.

Why this answer

Option B is correct because `spec.nodeSelector` is a simple, direct field in the Pod spec that constrains which nodes a Pod can be scheduled on based on node labels. When you specify a key-value pair in `nodeSelector`, the scheduler will only place the Pod on nodes that have that exact label, making it a valid method for restricting Pod placement.

Exam trap

The trap here is that candidates often confuse tolerations (which allow scheduling on tainted nodes) with node selectors or node affinity (which restrict scheduling to labeled nodes), leading them to incorrectly select option A as a valid restriction method.

519
MCQmedium

You have a NetworkPolicy that selects pods with label 'role: db' in the 'default' namespace. The policy has no ingress rules defined. What is the effect on traffic to the selected pods?

A.Only traffic from pods with label 'role: frontend' is allowed
B.Both ingress and egress traffic are denied
C.All ingress traffic is denied
D.All ingress traffic is allowed
AnswerC

The policy isolates the pod and without ingress rules, all ingress traffic is denied.

Why this answer

A NetworkPolicy with only podSelector and no ingress rules denies all ingress traffic by default. Option B is correct. Option A is the behavior for pods not selected by any policy.

Option C would require an explicit allow rule. Option D is false because egress is not affected by missing ingress rules.

520
Multi-Selectmedium

Which THREE of the following are valid steps to troubleshoot DNS issues in a Kubernetes cluster?

Select 3 answers
A.Run 'kubectl exec <pod> -- nslookup kubernetes.default'
B.Check the /etc/resolv.conf on the host
C.Restart all nodes in the cluster
D.Verify the kube-dns Service has endpoints
E.Check the logs of the CoreDNS pods
AnswersA, D, E

This tests DNS resolution from within a pod.

Why this answer

To troubleshoot DNS, you can check the DNS pod logs, test resolution from a pod, and verify the DNS service endpoints.

521
MCQmedium

Which of the following is a correct Ingress resource snippet that routes traffic to service 'web-svc' on port 80 for the host 'example.com'?

A.spec: rules: - host: example.com http: paths: - path: / pathType: Prefix backend: service: name: web-svc port: number: 80
B.spec: rules: - http: paths: - backend: service: name: web-svc port: number: 80
C.spec: rules: - host: example.com http: paths: - backend: serviceName: web-svc servicePort: 80
D.spec: rules: - host: example.com backend: serviceName: web-svc servicePort: 80
AnswerA

Correct Ingress rule structure (networking.k8s.io/v1).

Why this answer

An Ingress rule has a 'host' field and a 'http' path with a backend service. The backend specifies the service name and port.

522
MCQhard

You have a Service with endpoints for pods in different zones. You want kube-proxy to use a mode that provides better performance for large clusters and supports scheduling algorithms like least-connection. Which mode should you use?

A.userspace mode
B.ipvs mode
C.iptables mode
D.kernelspace mode
AnswerB

ipvs mode supports multiple scheduling algorithms and better performance.

Why this answer

ipvs mode supports more scheduling algorithms (e.g., rr, lc, dh) and scales better than iptables. iptables is linear, while ipvs uses efficient hash tables.

523
Multi-Selectmedium

Which THREE components are required for a pod to resolve a Service DNS name?

Select 3 answers
A.The Service exists in the cluster
B.CoreDNS is running and has a Service entry for the cluster domain
C.kubelet configures the pod's /etc/resolv.conf
D.kube-proxy is running in iptables mode
E.A CNI plugin is installed
AnswersA, B, C

The Service must exist for a DNS A record to be created.

Why this answer

DNS resolution requires kubelet to configure the pod's DNS (A), CoreDNS to serve DNS records (B), and the Service to exist (C). kube-proxy handles traffic, not DNS (D). CNI plugin handles networking but not DNS resolution (E).

524
MCQeasy

Which resource type is used to configure HTTP/HTTPS routing to Services?

A.EndpointSlice
B.NetworkPolicy
C.Ingress
D.Service
AnswerC

Ingress provides HTTP/HTTPS routing based on rules.

Why this answer

Ingress is the Kubernetes resource that provides HTTP/HTTPS routing, TLS termination, and name-based virtual hosting.

525
MCQhard

You have configured a ServiceAccount with an associated image pull secret. The Pod referencing this ServiceAccount still fails with ImagePullBackOff due to authentication errors. What is the most likely misconfiguration?

A.The secret is not in the same namespace as the Pod.
B.The secret type is wrong; it should be kubernetes.io/dockercfg.
C.The ServiceAccount does not have the imagePullSecrets field configured.
D.The Pod spec must set the secret in imagePullSecrets directly.
AnswerC

To use image pull secrets via a ServiceAccount, the secret must be added to the ServiceAccount's imagePullSecrets field.

Why this answer

Option C is correct because simply associating a ServiceAccount with a Pod does not automatically inject its imagePullSecrets into the Pod's spec. The ServiceAccount must explicitly have the imagePullSecrets field configured (e.g., `imagePullSecrets: - name: my-secret`) for the secret to be used when pulling images. Without this field, the Pod will not inherit the secret, leading to authentication failures and ImagePullBackOff.

Exam trap

The trap here is that candidates assume simply creating a ServiceAccount and associating it with a Pod (via `serviceAccountName`) is enough to inherit image pull secrets, but they forget that the ServiceAccount must explicitly list the secret in its `imagePullSecrets` field for the injection to occur.

How to eliminate wrong answers

Option A is wrong because the secret must be in the same namespace as the Pod and ServiceAccount for the reference to work; if it were in a different namespace, the Pod would fail to mount it entirely, not just with an authentication error. Option B is wrong because the correct secret type for image pull secrets is `kubernetes.io/dockerconfigjson` (not `kubernetes.io/dockercfg`, which is legacy and less common), and using the wrong type would cause a different error (e.g., invalid format) rather than a pure authentication failure. Option D is wrong because while a Pod can directly specify imagePullSecrets in its spec, the question states the Pod references a ServiceAccount, so the expected behavior is that the ServiceAccount's imagePullSecrets are automatically injected; requiring direct Pod spec configuration would defeat the purpose of using a ServiceAccount.

Page 6

Page 7 of 14

Page 8