CCNA Cka Cluster Arch Questions

75 of 211 questions · Page 1/3 · Cka Cluster Arch topic · Answers revealed

1
MCQhard

A ClusterRoleBinding grants permissions to a user, but the user is unable to perform the action. What is a possible cause?

A.The subject in the ClusterRoleBinding is misspelled or missing the kind.
B.The ClusterRole does not have the required rules.
C.The user's kubeconfig does not include the correct context.
D.A RoleBinding in the namespace overrides the ClusterRoleBinding.
AnswerA

If the subject (user) is incorrectly specified, the binding will not apply to the intended user.

Why this answer

A ClusterRoleBinding grants permissions to a user by specifying a subject (user, group, or ServiceAccount) and a ClusterRole. If the subject's name is misspelled or the `kind` field is missing (e.g., omitted `kind: User`), Kubernetes cannot match the binding to the actual user attempting the action. This results in the user having no effective permissions, even though the ClusterRole itself may be correctly defined.

Exam trap

The trap here is that candidates assume the ClusterRole itself is the problem (Option B) or that namespace-scoped bindings can override cluster-scoped ones (Option D), when the real issue is a mismatch between the subject in the binding and the actual user identity.

How to eliminate wrong answers

Option B is wrong because if the ClusterRole lacks the required rules, the user would correctly be denied, but the question states the ClusterRoleBinding grants permissions — implying the binding exists but fails to apply. Option C is wrong because an incorrect kubeconfig context would prevent the user from authenticating or targeting the correct cluster, not specifically cause a ClusterRoleBinding to fail; the binding itself is still valid. Option D is wrong because a RoleBinding in a namespace cannot override a ClusterRoleBinding; RoleBindings and ClusterRoleBindings are additive, and if a ClusterRoleBinding grants a permission, a RoleBinding cannot revoke it — the user would still have the permission from the ClusterRoleBinding.

2
MCQhard

During a cluster upgrade using kubeadm, after upgrading kubeadm on the node, which command upgrades the kubelet configuration?

A.kubeadm upgrade node config --kubelet-version v1.29.0
B.kubectl upgrade node kubelet
C.kubeadm upgrade apply --kubelet-version v1.29.0
D.systemctl restart kubelet
AnswerA

Correct command.

Why this answer

After upgrading kubeadm on the node, the correct command to upgrade the kubelet configuration is `kubeadm upgrade node config --kubelet-version v1.29.0`. This command updates the kubelet configuration file (typically `/var/lib/kubelet/config.yaml`) to match the target Kubernetes version, ensuring the kubelet can join the upgraded control plane. It is a specific subcommand of `kubeadm upgrade node` that handles only the kubelet configuration, not the kubelet binary itself.

Exam trap

The trap here is that candidates confuse `kubeadm upgrade apply` (which upgrades the control plane) with the node-specific configuration upgrade, or they assume restarting the kubelet service is sufficient to apply version-specific configuration changes.

How to eliminate wrong answers

Option B is wrong because `kubectl upgrade node kubelet` is not a valid kubectl command; kubectl does not have an `upgrade` subcommand for nodes. Option C is wrong because `kubeadm upgrade apply` is used to upgrade the control plane components on the first control plane node, not to upgrade kubelet configuration on a worker node. Option D is wrong because `systemctl restart kubelet` only restarts the kubelet service with its existing configuration; it does not update the kubelet configuration to match the new Kubernetes version.

3
MCQeasy

What is the purpose of the kube-proxy component?

A.It proxies API requests to the kube-apiserver
B.It manages network rules for Services and endpoints
C.It stores cluster state
D.It schedules pods to nodes
AnswerB

Correct.

Why this answer

B is correct because kube-proxy is the component responsible for implementing the network rules that enable Kubernetes Services to function. It runs on each node and maintains iptables or IPVS rules to route traffic to the correct backend Pods based on the Service's endpoints, handling load balancing and service discovery at the network layer.

Exam trap

The trap here is that candidates confuse kube-proxy with an API proxy or ingress controller, but kube-proxy specifically handles Service-level network rules at the node level, not application-layer routing or API request proxying.

How to eliminate wrong answers

Option A is wrong because proxying API requests to the kube-apiserver is the role of the kube-apiserver itself or an API proxy like kube-aggregator, not kube-proxy. Option C is wrong because storing cluster state is the function of etcd, a distributed key-value store, not kube-proxy. Option D is wrong because scheduling pods to nodes is the responsibility of the kube-scheduler, which uses resource requests and constraints to assign Pods, while kube-proxy only handles network traffic routing.

4
MCQmedium

A node named 'worker-1' is unhealthy. You want to mark it as unschedulable and move workloads to other nodes. Which command sequence is correct?

A.kubectl uncordon worker-1; kubectl drain worker-1
B.kubectl cordon worker-1; kubectl drain worker-1
C.kubectl delete node worker-1; kubectl cordon worker-1
D.kubectl drain worker-1; kubectl cordon worker-1
AnswerB

Cordoning first prevents new Pods, then draining evicts existing Pods.

Why this answer

Option B is correct because `kubectl cordon worker-1` marks the node as unschedulable, preventing new pods from being scheduled onto it, and `kubectl drain worker-1` safely evicts all existing pods from the node, respecting PodDisruptionBudgets and terminating pods gracefully. This sequence ensures workloads are moved to other nodes without disrupting running services.

Exam trap

The trap here is that candidates often confuse the order of `cordon` and `drain`, mistakenly thinking draining first is safe, but Cisco tests the understanding that cordoning must precede draining to prevent new pods from being scheduled onto the node during the eviction process.

How to eliminate wrong answers

Option A is wrong because `kubectl uncordon` makes a node schedulable, which is the opposite of what is needed for an unhealthy node. Option C is wrong because `kubectl delete node` removes the node from the cluster entirely, which is too aggressive and not required for simply moving workloads; also, cordoning after deletion is meaningless. Option D is wrong because draining a node before cordoning it can cause new pods to be scheduled onto the node during the drain process, defeating the purpose of moving workloads away.

5
MCQmedium

A cluster is running etcd without TLS. The admin wants to take a snapshot backup. Which command is correct?

A.etcdctl backup --data-dir /var/lib/etcd
B.ETCDCTL_API=3 etcdctl snapshot save /backup/snapshot.db
C.etcdctl export --data-dir /var/lib/etcd
D.etcdctl snapshot save --endpoints=http://127.0.0.1:2379 /backup/snapshot.db
AnswerB

etcdctl snapshot save with API version 3 is the correct command for backup.

Why this answer

Option B is correct because `ETCDCTL_API=3 etcdctl snapshot save` is the proper command to take a snapshot backup of an etcd cluster using the v3 API. Since the cluster is running without TLS, the command does not require additional flags like `--cacert` or `--cert`, but the default endpoint is `http://127.0.0.1:2379`, which is used implicitly. The v3 API is required because etcd v3 stores data in a different format than v2, and `snapshot save` captures the full key-value store for disaster recovery.

Exam trap

The trap here is that candidates often forget to set `ETCDCTL_API=3` and assume the v3 command works without it, or they over-specify the endpoint flag when it is not needed, leading them to choose Option D instead of B.

How to eliminate wrong answers

Option A is wrong because `etcdctl backup` is a v2 API command that works with the `--data-dir` flag but does not produce a consistent snapshot for v3 data; it is deprecated and not suitable for v3 clusters. Option C is wrong because `etcdctl export` is a v2 command that dumps keys in JSON format, not a snapshot backup, and it does not capture the full database state for restoration. Option D is wrong because although it uses the correct v3 `snapshot save` command, it explicitly specifies `--endpoints=http://127.0.0.1:2379`, which is unnecessary (the default endpoint is already `http://127.0.0.1:2379`) and, more critically, the command is missing the required `ETCDCTL_API=3` environment variable, so it would default to v2 behavior and fail or produce incorrect output.

6
MCQmedium

During a cluster upgrade, what is the correct order of operations for upgrading a node?

A.Upgrade kubelet, drain the node, then uncordon
B.Drain the node, uncordon, then upgrade kubelet
C.Drain the node, upgrade kubelet and kube-proxy, then uncordon
D.Uncordon the node, drain, then upgrade
AnswerC

This is the standard procedure to minimize disruption.

Why this answer

Option C is correct because during a node upgrade, the node must first be drained to safely evict all pods and ensure workloads are rescheduled. Then, the kubelet and kube-proxy (which run as system services) are upgraded to match the control plane version. Finally, the node is uncordoned to make it schedulable again, allowing new pods to be placed on it.

Exam trap

The trap here is that candidates may think uncordoning can be done before upgrading (options B and D) or that upgrading can precede draining (option A), but the CKA requires strict adherence to the drain-upgrade-uncordon sequence to maintain workload availability and version compatibility.

How to eliminate wrong answers

Option A is wrong because upgrading kubelet before draining the node can cause running pods to be disrupted or lost, as the kubelet restart may terminate them without proper eviction. Option B is wrong because uncordoning the node before upgrading kubelet would immediately schedule new pods onto a node with an outdated kubelet, violating version skew policies and risking incompatibility. Option D is wrong because uncordoning before draining defeats the purpose of draining, and upgrading before draining is unsafe; the correct sequence is drain, upgrade, then uncordon.

7
MCQeasy

Which component is responsible for running containers on a node?

A.kube-scheduler
B.container runtime (e.g., containerd)
C.kubelet
D.kube-proxy
AnswerB

The container runtime actually runs the containers.

Why this answer

The container runtime (e.g., containerd, CRI-O) is the component that actually pulls container images, creates container namespaces, and runs the container processes on a node. It implements the Container Runtime Interface (CRI) to manage the full lifecycle of containers, including starting, stopping, and monitoring them. Without a container runtime, no containers can be executed on the node.

Exam trap

The trap here is that candidates often confuse the kubelet's role as the node agent with actually running containers, but the kubelet only orchestrates the runtime via CRI and does not execute containers itself.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is a control plane component that assigns pods to nodes based on resource availability and constraints, but it does not run containers. Option C is wrong because kubelet is the node agent that registers the node with the cluster and communicates with the API server to ensure pods are running, but it delegates the actual container execution to the container runtime via CRI. Option D is wrong because kube-proxy is a network proxy that manages iptables or IPVS rules for service networking and load balancing, not container execution.

8
MCQmedium

A new Kubernetes administrator runs 'kubeadm join --token <token> <control-plane-ip>:6443 --discovery-token-ca-cert-hash sha256:<hash>' on a worker node. The join fails with 'error execution phase preflight: couldn't validate the identity of the API Server'. What is the most likely cause?

A.The --discovery-token-ca-cert-hash value is incorrect
B.The token has expired
C.The kubelet is not running on the worker node
D.The API server is not reachable on port 6443
AnswerA

The error message explicitly mentions 'couldn't validate the identity', which is a CA hash mismatch.

Why this answer

The error 'couldn't validate the identity of the API Server' indicates that the CA certificate hash provided with --discovery-token-ca-cert-hash does not match the actual hash of the API server's CA certificate. This hash is used to verify the API server's identity during the TLS bootstrap process. An incorrect hash value will cause the preflight check to fail, as the worker node cannot confirm it is connecting to the legitimate control plane.

Exam trap

CNCF often tests the distinction between token expiration and CA hash mismatch, where candidates confuse a token-related error with a TLS validation error, but the specific phrase 'couldn't validate the identity of the API Server' directly points to the CA certificate hash being incorrect.

How to eliminate wrong answers

Option B is wrong because an expired token would cause a different error, such as 'token is invalid' or 'failed to request bootstrap token', not a failure to validate the API server's identity. Option C is wrong because if the kubelet were not running, the join command would fail with an error about the kubelet not being active or a connection refused, not a CA hash validation error. Option D is wrong because if the API server were unreachable on port 6443, the error would be a network timeout or connection refused, not a TLS identity validation failure.

9
MCQeasy

Which command correctly backs up etcd data using etcdctl with API version 3?

A.ETCDCTL_API=3 etcdctl snapshot save /backup/snapshot.db
B.etcdctl backup /backup/snapshot.db
C.etcdctl snapshot-backup /backup/snapshot.db
D.ETCDCTL_API=3 etcdctl --snapshot /backup/snapshot.db
AnswerA

This is the correct command for etcd backup using API v3.

Why this answer

Option A is correct because etcdctl requires the environment variable `ETCDCTL_API=3` to use the v3 API, which supports the `snapshot save` command for creating a consistent point-in-time backup of etcd data. The command `ETCDCTL_API=3 etcdctl snapshot save /backup/snapshot.db` correctly specifies the API version and the subcommand to save a snapshot to the given file path.

Exam trap

The trap here is that candidates may confuse the deprecated v2 API `etcdctl backup` command with the v3 API `snapshot save` command, or incorrectly assume a flag like `--snapshot` can replace the required subcommand structure.

How to eliminate wrong answers

Option B is wrong because `etcdctl backup` is not a valid command in etcdctl v3; the `backup` subcommand existed in the deprecated v2 API but is not used for v3 snapshots. Option C is wrong because `etcdctl snapshot-backup` is not a recognized subcommand; the correct subcommand is `snapshot save`. Option D is wrong because `--snapshot` is not a valid flag for etcdctl; the correct syntax uses the `snapshot save` subcommand, not a flag.

10
MCQeasy

Which component runs on every node in a Kubernetes cluster and ensures containers are running in a pod?

A.kubelet
B.kube-scheduler
C.container runtime
D.kube-proxy
AnswerA

kubelet is the primary node agent that manages pods.

Why this answer

The kubelet is the primary node agent that runs on every node in a Kubernetes cluster. It is responsible for ensuring that containers described in PodSpecs are running and healthy by communicating with the container runtime via the CRI (Container Runtime Interface). Without the kubelet, no pod or container lifecycle management can occur on that node.

Exam trap

The trap here is that candidates confuse the container runtime (which actually runs containers) with the kubelet (which orchestrates them), leading them to pick 'container runtime' because they think it directly ensures containers are running, but the kubelet is the agent that manages the pod lifecycle and delegates to the runtime.

How to eliminate wrong answers

Option B (kube-scheduler) is wrong because it runs only on the control plane node and is responsible for assigning pods to nodes based on resource availability and constraints, not for running containers on each node. Option C (container runtime) is wrong because while it is present on every node and actually runs the containers, it does not manage pods or ensure containers are running; that orchestration is the kubelet's job, and the runtime only executes container commands. Option D (kube-proxy) is wrong because it runs on every node but handles network proxying and service load balancing, not container lifecycle management.

11
MCQhard

You are setting up a new Kubernetes cluster using kubeadm. You run 'kubeadm init --pod-network-cidr=10.244.0.0/16' on the control plane node. The command fails with: '[preflight] Some fatal errors occurred: [ERROR CRI]: container runtime is not running: output: time="..." level=fatal msg="validate service connection: CRI v1 runtime API is not implemented for endpoint 'unix:///var/run/containerd/containerd.sock': rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService'"'. What is the most likely cause?

A.The --pod-network-cidr flag is incorrect
B.The kubelet version is incompatible with containerd
C.The containerd runtime does not support the CRI v1 API; it may be an older version that only supports v1alpha2
D.The containerd service is not running
AnswerC

Containerd versions prior to 1.6.0 use v1alpha2; later versions use v1. The kubelet in newer Kubernetes expects v1.

Why this answer

The error message indicates that the containerd socket is reachable but the CRI v1 API (runtime.v1.RuntimeService) is not implemented. This typically occurs when containerd is an older version that only supports the CRI v1alpha2 API. Kubernetes 1.24+ defaults to the CRI v1 API, so an older containerd without v1 support will fail during kubeadm init.

Exam trap

The trap here is that candidates often assume the error means the container runtime is not running at all (Option D), but the detailed error message clearly indicates the socket is reachable and the issue is an API version mismatch, not a service outage.

How to eliminate wrong answers

Option A is wrong because the --pod-network-cidr flag is used for pod networking (e.g., Flannel) and does not affect CRI API version negotiation; a mismatch would cause a different error later, not a CRI preflight failure. Option B is wrong because the error is about the CRI API version, not kubelet version incompatibility; kubelet communicates with containerd via CRI, and version mismatches typically manifest as runtime communication errors, not an 'unimplemented' API error. Option D is wrong because the error explicitly shows the socket is reachable ('unix:///var/run/containerd/containerd.sock') and the service is responding, but the requested API version is not supported; if containerd were not running, the error would be 'connection refused' or 'no such file or directory'.

12
MCQmedium

Which of the following YAML snippets correctly defines a Kubernetes Deployment with 3 replicas and a rolling update strategy?

A.apiVersion: extensions/v1beta1 kind: Deployment metadata: name: my-deploy spec: replicas: 3 strategy: type: RollingUpdate
B.apiVersion: apps/v1 kind: Deployment metadata: name: my-deploy spec: replicas: 3 strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 maxSurge: 1
C.apiVersion: apps/v1 kind: Deployment metadata: name: my-deploy spec: replicas: 3 strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 maxSurge: 1
D.apiVersion: apps/v1 kind: Deployment metadata: name: my-deploy spec: replicas: 3 strategy: type: OnDelete
AnswerB

This is the correct definition using apps/v1 and proper rolling update parameters.

Why this answer

Option B is correct because it uses the stable `apps/v1` API version, specifies 3 replicas, and defines a `RollingUpdate` strategy with both `maxUnavailable` and `maxSurge` set to 1. This ensures that during an update, at most one Pod is unavailable and at most one extra Pod is created, maintaining application availability.

Exam trap

The trap here is that candidates often forget that `rollingUpdate` subfields must be properly nested under `strategy` and that `extensions/v1beta1` is deprecated, leading them to choose Option A or misindented Option C, while Option D tests confusion between Deployment and DaemonSet update strategies.

How to eliminate wrong answers

Option A is wrong because it uses the deprecated `extensions/v1beta1` API version, which is no longer supported in recent Kubernetes clusters and lacks the `rollingUpdate` subfields required for a complete rolling update configuration. Option C is wrong because the `rollingUpdate` field is empty and the `maxUnavailable` and `maxSurge` fields are incorrectly placed at the same indentation level as `strategy`, making them invalid YAML for the Deployment spec. Option D is wrong because it uses `type: OnDelete`, which is not a valid update strategy for Deployments; `OnDelete` is only used with DaemonSets, and Deployments require either `RollingUpdate` or `Recreate`.

13
MCQmedium

A ClusterRole named 'pod-reader' exists that grants get, list, and watch permissions on pods. You want to bind this ClusterRole to a user 'john' in the 'development' namespace only. Which resource should you create?

A.RoleBinding 'john-pod-reader' in namespace 'development' referencing ClusterRole 'pod-reader' and user 'john'
B.Add user 'john' to the 'pod-reader' ClusterRole definition
C.Role 'pod-reader' in namespace 'development'
D.ClusterRoleBinding 'john-pod-reader' binding 'pod-reader' to user 'john'
AnswerA

A RoleBinding in a namespace grants the ClusterRole's permissions only within that namespace.

Why this answer

A RoleBinding in a specific namespace can reference a ClusterRole to grant its permissions only within that namespace. Since the requirement is to bind the existing 'pod-reader' ClusterRole to user 'john' exclusively in the 'development' namespace, a RoleBinding named 'john-pod-reader' in the 'development' namespace is the correct resource. This allows the ClusterRole's pod read permissions to be scoped down to a single namespace.

Exam trap

The trap here is that candidates often confuse ClusterRoleBinding with RoleBinding when binding a ClusterRole, forgetting that a ClusterRoleBinding grants cluster-wide access, while a RoleBinding scopes the ClusterRole's permissions to a single namespace.

How to eliminate wrong answers

Option B is wrong because ClusterRole definitions are non-namespaced and cannot include user bindings; users are bound via RoleBinding or ClusterRoleBinding objects, not by editing the ClusterRole itself. Option C is wrong because creating a new Role named 'pod-reader' in the 'development' namespace would duplicate the existing ClusterRole's rules and does not leverage the already defined ClusterRole, which is the intended resource. Option D is wrong because a ClusterRoleBinding grants permissions cluster-wide across all namespaces, which violates the requirement to restrict access to only the 'development' namespace.

14
Multi-Selecteasy

Which TWO commands are used to set the current context in kubeconfig? (Choose TWO.)

Select 2 answers
A.kubectl config current-context
B.kubectl config use-context <context-name>
C.Edit the 'current-context' field in the kubeconfig file manually
D.kubectl set-context <context-name>
E.kubectl config get-contexts
AnswersB, C

This sets the current context in the kubeconfig file.

Why this answer

Option B is correct because `kubectl config use-context <context-name>` is the explicit command to switch the current context in your kubeconfig file. Option C is correct because the kubeconfig file is a YAML file that contains a `current-context` field; manually editing this field to the desired context name achieves the same result as the command.

Exam trap

The trap here is that candidates often confuse `kubectl config current-context` (which only displays) with `kubectl config use-context` (which sets), or they think `kubectl set-context` is a valid command when it does not exist.

15
MCQmedium

A ClusterRoleBinding grants cluster-admin access to a user. Which field in the ClusterRoleBinding specifies the user?

A.users
B.subjects
C.roleRef
D.bindings
AnswerB

subjects contains the user/group/SA details.

Why this answer

In Kubernetes RBAC, the `subjects` field in a ClusterRoleBinding (or RoleBinding) specifies the users, groups, or service accounts that the binding applies to. The `subjects` array contains objects with `kind`, `name`, and optionally `apiGroup` or `namespace`, allowing you to reference a specific user by name. Option B is correct because `subjects` is the only field that defines the identity of the principal receiving the permissions.

Exam trap

CNCF often tests the distinction between `subjects` (who gets the permissions) and `roleRef` (what permissions they get), and candidates mistakenly choose `users` because it sounds intuitive, but Kubernetes uses the generic `subjects` field to accommodate multiple identity types.

How to eliminate wrong answers

Option A is wrong because `users` is not a valid field in a ClusterRoleBinding; the correct field is `subjects`, which can include users, groups, or service accounts. Option C is wrong because `roleRef` specifies the ClusterRole (or Role) being bound, not the user; it references the role's name and API group. Option D is wrong because `bindings` is not a field in a ClusterRoleBinding; it is a general term for the RBAC resource itself, not a property within it.

16
MCQeasy

Which of the following is NOT a control plane component in Kubernetes?

A.kube-scheduler
B.etcd
C.kube-proxy
D.kube-apiserver
AnswerC

kube-proxy runs on each worker node, not on the control plane.

Why this answer

kube-proxy is not a control plane component; it is a node-level (worker) component responsible for implementing network rules and handling service-to-pod traffic via iptables or IPVS. The control plane consists of kube-apiserver, etcd, kube-scheduler, and kube-controller-manager.

Exam trap

The trap here is that candidates often confuse kube-proxy as a control plane component because it interacts with the API server and is essential for networking, but it operates at the node level and is not part of the control plane's core management functions.

How to eliminate wrong answers

Option A is wrong because kube-scheduler is a core control plane component that assigns pods to nodes based on resource availability and constraints. Option B is wrong because etcd is the distributed key-value store that holds all cluster state and configuration data, making it a critical control plane component. Option D is wrong because kube-apiserver is the front-end of the control plane, exposing the Kubernetes API and handling all RESTful requests for cluster operations.

17
MCQeasy

Which command is used to prevent a node from being scheduled with new pods?

A.kubectl cordon <node>
B.kubectl taint <node> key=value:NoSchedule
C.kubectl patch node <node> -p '{"spec":{"unschedulable":true}}'
D.kubectl drain <node>
AnswerA

Correct command.

Why this answer

The `kubectl cordon <node>` command marks a node as unschedulable, preventing new pods from being scheduled onto it while leaving existing pods running. This is the standard Kubernetes command for this purpose, directly setting the `spec.unschedulable` field to `true` on the node object.

Exam trap

The trap here is that candidates confuse `kubectl taint` with `kubectl cordon`, thinking a NoSchedule taint universally blocks all pods, when in fact it only blocks pods without matching tolerations, whereas cordon blocks all new pods unconditionally.

How to eliminate wrong answers

Option B is wrong because `kubectl taint <node> key=value:NoSchedule` applies a taint that prevents pod scheduling only for pods that do not tolerate that specific taint, not for all pods universally; it is a pod-level scheduling constraint, not a node-level cordon. Option C is wrong because while `kubectl patch node <node> -p '{"spec":{"unschedulable":true}}'` technically achieves the same effect as cordon, it is not the standard or recommended command for this task—`kubectl cordon` is the explicit, user-friendly command designed for this purpose. Option D is wrong because `kubectl drain <node>` evicts all existing pods from the node (with proper PodDisruptionBudgets) and then cordons it, which is a more disruptive operation than simply preventing new pods from being scheduled.

18
MCQmedium

You want to upgrade the control plane from v1.28.0 to v1.29.0 using kubeadm. After upgrading kubeadm on the control plane node, which command should you run first?

A.kubeadm upgrade plan
B.kubeadm upgrade apply v1.29.0
C.kubeadm upgrade node
D.kubeadm upgrade diff
AnswerA

kubeadm upgrade plan checks the feasibility and shows the steps.

Why this answer

After upgrading kubeadm on the control plane node, the first command to run is `kubeadm upgrade plan`. This command checks the current cluster version, validates that the upgrade path is supported (e.g., from v1.28.0 to v1.29.0), and displays the available versions to upgrade to, along with any manual steps required. It is a prerequisite to ensure the upgrade is safe before proceeding with `kubeadm upgrade apply`.

Exam trap

The trap here is that candidates often confuse the sequence and jump directly to `kubeadm upgrade apply`, thinking it is the first step, but the CKA exam tests the prerequisite validation step (`kubeadm upgrade plan`) to ensure a safe upgrade process.

How to eliminate wrong answers

Option B is wrong because `kubeadm upgrade apply v1.29.0` should only be run after `kubeadm upgrade plan` has confirmed the upgrade path and there are no blockers; running it first could lead to an unsupported or failed upgrade. Option C is wrong because `kubeadm upgrade node` is used on worker nodes (or secondary control plane nodes) to upgrade the local kubelet and kube-proxy, not on the primary control plane node during the initial upgrade. Option D is wrong because `kubeadm upgrade diff` is not a valid kubeadm command; it does not exist in the kubeadm toolset and would result in an error.

19
Multi-Selecthard

Your kubeadm cluster was initialized with default certificates. You need to check the expiration of the API server certificate and renew it if necessary. Which TWO commands are appropriate? (Choose TWO.)

Select 2 answers
A.kubeadm certs renew all
B.kubeadm certs check-expiration
C.kubectl config view
D.kubeadm upgrade plan
E.kubectl cluster-info
AnswersA, B

Renews all certificates managed by kubeadm.

Why this answer

Option A is correct because `kubeadm certs renew all` renews all PKI certificates in the cluster, including the API server certificate, without requiring a full cluster reinitialization. Option B is correct because `kubeadm certs check-expiration` displays the expiration dates of all certificates managed by kubeadm, allowing you to verify the API server certificate's expiry before deciding to renew.

Exam trap

The trap here is that candidates confuse `kubeadm certs` subcommands with `kubectl` commands, mistakenly thinking `kubectl config view` or `kubectl cluster-info` can reveal certificate expiration, when in fact only `kubeadm` has direct access to the PKI files on the control plane node.

20
MCQmedium

To make a node unschedulable without evicting existing pods, which command should be used?

A.kubectl cordon node01
B.kubectl taint node01 key=value:NoSchedule
C.kubectl drain node01
D.kubectl uncordon node01
AnswerA

Cordon marks the node as unschedulable but does not evict pods.

Why this answer

Option A is correct because `kubectl cordon` marks a node as unschedulable, preventing new pods from being scheduled onto it while leaving existing pods running. This is the precise command for the task described, as it modifies the node's `spec.unschedulable` field to `true` without affecting running workloads.

Exam trap

The trap here is that candidates confuse taints (which control pod placement based on tolerations) with cordoning (which globally blocks all scheduling), or they mistakenly choose `drain` which evicts pods, missing the explicit 'without evicting existing pods' constraint.

How to eliminate wrong answers

Option B is wrong because `kubectl taint node01 key=value:NoSchedule` adds a taint that prevents new pods from being scheduled unless they tolerate the taint, but it does not make the node unschedulable globally; pods without tolerations are blocked, but the node remains schedulable for tolerating pods, and existing pods are unaffected. Option C is wrong because `kubectl drain node01` evicts all existing pods from the node (with graceful termination) and then cordons it, which violates the requirement to not evict pods. Option D is wrong because `kubectl uncordon node01` makes a node schedulable again, which is the opposite of the desired action.

21
MCQmedium

An admin runs 'kubectl get pods' and sees a pod in the 'Pending' state. Which is the most likely cause?

A.The pod has been deleted
B.The pod is waiting for a container to start
C.The pod cannot be scheduled due to insufficient resources
D.The container image is invalid
AnswerC

Pending often indicates the scheduler cannot find a node with enough resources.

Why this answer

A pod in 'Pending' state indicates that the pod has been accepted by the Kubernetes API server but is not yet running. The most common cause is that the scheduler cannot find a node that satisfies the pod's resource requests (CPU, memory) or other scheduling constraints (taints, node selector, affinity rules). This results in the pod remaining unscheduled, hence 'Pending'.

Exam trap

CNCF often tests the distinction between pod states: candidates confuse 'Pending' with image-related issues, but 'Pending' specifically means the pod has not been scheduled yet, whereas image errors occur after scheduling.

How to eliminate wrong answers

Option A is wrong because a deleted pod would not appear in 'kubectl get pods' output at all, or would show as 'Terminating' briefly before removal. Option B is wrong because waiting for a container to start is part of the normal pod lifecycle after scheduling, and the pod would be in 'ContainerCreating' or 'Running' state, not 'Pending'. Option D is wrong because an invalid container image would cause the pod to transition to 'ImagePullBackOff' or 'ErrImagePull' after scheduling, not remain in 'Pending'.

22
MCQhard

You have a cluster with multiple worker nodes. You need to upgrade the cluster from v1.28.0 to v1.29.0 using kubeadm. What is the correct sequence of steps?

A.Upgrade kubeadm on the control plane node, upgrade control plane components, then drain and upgrade each worker node by upgrading kubelet and kubectl.
B.Upgrade kubeadm on the control plane node, then upgrade kubelet and kubectl on worker nodes, then upgrade kubelet and kubectl on control plane node.
C.Drain all nodes, upgrade kubelet and kubectl on all nodes, then upgrade kubeadm on the control plane node.
D.Upgrade kubelet and kubectl on all nodes first, then upgrade kubeadm on the control plane node.
AnswerA

This follows the official upgrade sequence: upgrade kubeadm, then control plane, then worker nodes one by one after draining.

Why this answer

Option A is correct because the official kubeadm upgrade workflow requires upgrading kubeadm first on the control plane node, then using `kubeadm upgrade apply` to upgrade control plane components, and finally draining and upgrading each worker node by updating kubelet and kubectl. This sequence ensures the cluster's management plane is updated before worker nodes, maintaining control plane stability and API compatibility during the rolling upgrade.

Exam trap

The trap here is that candidates often think upgrading kubelet and kubectl first is safe, but the CKA tests the understanding that kubeadm and control plane components must be upgraded before worker node binaries to maintain version compatibility and cluster stability.

How to eliminate wrong answers

Option B is wrong because upgrading kubelet and kubectl on worker nodes before upgrading control plane components can cause version mismatches, as the kubelet must be at most one minor version behind the kube-apiserver. Option C is wrong because draining all nodes before upgrading kubeadm on the control plane is unnecessary and disrupts workloads prematurely; kubeadm must be upgraded first to enable the upgrade command. Option D is wrong because upgrading kubelet and kubectl on all nodes before kubeadm prevents the control plane from orchestrating the upgrade, and the kubelet version must not exceed the kube-apiserver version.

23
Multi-Selectmedium

Which TWO of the following are valid ways to create a Role in the 'default' namespace that grants get and list on pods?

Select 2 answers
A.kubectl create role pod-reader --verb=get,list --resource=pods -n default
B.kubectl create role pod-reader --verb=discover --resource=pods -n default
C.kubectl create role pod-reader --verb=delete --resource=pods -n default
D.Apply a YAML with apiVersion: rbac.authorization.k8s.io/v1, kind: Role, rules: [apiGroups: [""], resources: ["pods"], verbs: ["get", "list"]]
E.kubectl create clusterrole pod-reader --verb=get,list --resource=pods
AnswersA, D

Imperative creation of Role with get and list on pods.

Why this answer

Option A is correct because `kubectl create role pod-reader --verb=get,list --resource=pods -n default` directly creates a Role in the default namespace with the specified verbs and resource. This command is a standard Kubernetes RBAC command that generates a Role with the correct apiGroups ("" for core resources) and the requested permissions.

Exam trap

The trap here is that candidates may confuse Role with ClusterRole, or assume that any verb like 'discover' is valid, or overlook that the question requires both 'get' and 'list' verbs specifically.

24
MCQmedium

An administrator needs to allow a service account 'monitor-sa' in namespace 'monitoring' to read pods across all namespaces. Which RBAC resources should be created?

A.Create a ClusterRole with pod read permissions and a ClusterRoleBinding to monitor-sa
B.Create a ClusterRole with pod read permissions and a RoleBinding in each namespace
C.Create a Role in the monitoring namespace and a RoleBinding to monitor-sa
D.Create a Role with pod read permissions and a ClusterRoleBinding to monitor-sa
AnswerA

ClusterRole is cluster-scoped, and ClusterRoleBinding grants the permissions to the service account across all namespaces.

Why this answer

A ClusterRole is required because the service account needs to read pods across all namespaces, which is a cluster-scoped permission. A ClusterRoleBinding binds that ClusterRole to the service account 'monitor-sa', granting the permissions cluster-wide. This is the correct approach for cross-namespace access.

Exam trap

The trap here is that candidates often confuse Role vs ClusterRole scope, thinking a Role can be used with a ClusterRoleBinding or that multiple RoleBindings are the only way to achieve cross-namespace access.

How to eliminate wrong answers

Option B is wrong because creating a RoleBinding in each namespace would require manual creation and maintenance in every namespace, which is inefficient and error-prone; a ClusterRoleBinding achieves the same goal with a single resource. Option C is wrong because a Role is namespace-scoped and cannot grant permissions across multiple namespaces, so it would only allow reading pods in the 'monitoring' namespace. Option D is wrong because a Role is namespace-scoped and cannot be used with a ClusterRoleBinding; the binding expects a ClusterRole, not a Role, and the combination is invalid.

25
MCQmedium

You need to create a ServiceAccount named 'my-sa' and a ClusterRoleBinding that binds the built-in 'view' ClusterRole to that ServiceAccount. Which set of commands achieves this?

A.kubectl create sa my-sa && kubectl create clusterrolebinding my-binding --clusterrole=view --sa=my-sa
B.kubectl create sa my-sa -n default && kubectl create clusterrolebinding my-binding --clusterrole=view --serviceaccount=default:my-sa
C.kubectl create sa my-sa && kubectl create rolebinding my-binding --clusterrole=view --serviceaccount=my-sa
D.kubectl create serviceaccount my-sa && kubectl create clusterrolebinding my-binding --clusterrole=view --user=my-sa
AnswerB

Correct syntax: sa creation and clusterrolebinding with --serviceaccount=namespace:name.

Why this answer

Option B is correct because it creates the ServiceAccount 'my-sa' in the 'default' namespace (as required for a ServiceAccount) and then uses the correct `--serviceaccount=namespace:name` syntax to bind the built-in 'view' ClusterRole to that ServiceAccount via a ClusterRoleBinding. The `--serviceaccount` flag must include the namespace to uniquely identify the ServiceAccount in a cluster-scoped binding.

Exam trap

The trap here is that candidates often forget to include the namespace in the `--serviceaccount` flag or mistakenly use `--sa` or `--user` instead, leading to an incorrect or incomplete binding.

How to eliminate wrong answers

Option A is wrong because it uses the `--sa` flag, which is not a valid flag for `kubectl create clusterrolebinding`; the correct flag is `--serviceaccount`. Option C is wrong because it creates a RoleBinding instead of a ClusterRoleBinding, which would only grant permissions within a single namespace, not cluster-wide. Option D is wrong because it uses `--user=my-sa` instead of `--serviceaccount=default:my-sa`, and `kubectl create serviceaccount` is not a valid command (the correct command is `kubectl create sa`).

26
MCQmedium

You are preparing to upgrade a Kubernetes cluster from v1.27 to v1.28 using kubeadm. What is the correct order of operations for upgrading the control plane nodes?

A.Upgrade all worker nodes first, then upgrade the control plane nodes.
B.Upgrade the first control plane node, then upgrade the remaining control plane nodes, then upgrade worker nodes.
C.Upgrade all nodes simultaneously by running kubeadm upgrade apply on all nodes at once.
D.Upgrade worker nodes, then upgrade the control plane nodes, then drain the worker nodes.
AnswerB

This is the standard kubeadm upgrade procedure: control plane first, then workers.

Why this answer

Option B is correct because the recommended upgrade order for a kubeadm-managed cluster is to upgrade the first control plane node (using `kubeadm upgrade apply`), then the remaining control plane nodes (using `kubeadm upgrade node`), and finally the worker nodes. This ensures the cluster's control plane components (etcd, kube-apiserver, kube-controller-manager, kube-scheduler) are updated first, maintaining cluster stability and API server availability during the process.

Exam trap

The trap here is that candidates may think upgrading all nodes simultaneously is faster or that worker nodes should be upgraded first to avoid downtime, but the CKA expects strict adherence to the kubeadm upgrade workflow where control plane nodes must be upgraded before worker nodes.

How to eliminate wrong answers

Option A is wrong because upgrading worker nodes before control plane nodes can cause incompatibility between the newer kubelet versions and the older kube-apiserver, leading to node registration or API communication failures. Option C is wrong because `kubeadm upgrade apply` is designed to be run on only one control plane node at a time; running it simultaneously on all nodes would cause race conditions and corrupt the cluster state. Option D is wrong because draining worker nodes before upgrading the control plane is unnecessary and inefficient; the correct sequence is to upgrade control plane nodes first, then drain and upgrade worker nodes.

27
MCQeasy

What is the default port for the Kubernetes API server?

A.10250
B.8080
C.2379
D.6443
AnswerD

The API server listens on port 6443 by default for secure HTTPS connections.

Why this answer

The Kubernetes API server defaults to port 6443 for secure HTTPS traffic. This is the standard port used by kubectl and other clients to communicate with the control plane over TLS-encrypted connections, as defined in the Kubernetes documentation and default kube-apiserver configuration.

Exam trap

The trap here is that candidates often confuse the deprecated insecure port 8080 with the default secure port 6443, especially if they have experience with older Kubernetes versions or minikube setups that might expose port 8080 locally.

How to eliminate wrong answers

Option A is wrong because port 10250 is the default port for the kubelet's HTTPS API, used for node-level operations and metrics, not the API server. Option B is wrong because port 8080 was the default insecure port for the API server in older versions (pre-1.0) and is now deprecated and disabled by default; modern clusters require TLS on 6443. Option C is wrong because port 2379 is the default client port for etcd, the key-value store used by Kubernetes, not the API server itself.

28
MCQeasy

Which command initializes a Kubernetes control plane node using kubeadm?

A.kubeadm create
B.kubeadm setup
C.kubeadm start
D.kubeadm init
AnswerD

kubeadm init initializes the control plane.

Why this answer

Option D is correct because `kubeadm init` is the specific command used to bootstrap and initialize a Kubernetes control plane node. It performs pre-flight checks, generates certificates, creates the static Pod manifests for core control plane components (API server, controller manager, scheduler, etcd), and configures the admin kubeconfig file. This is the standard kubeadm workflow for setting up a new cluster.

Exam trap

The trap here is that candidates may confuse the generic 'init' verb with other common system administration commands like 'start' or 'setup', or they may mistakenly think 'create' is a valid kubeadm subcommand because other tools (e.g., `kubectl create`) use that verb.

How to eliminate wrong answers

Option A is wrong because `kubeadm create` is not a valid kubeadm subcommand; kubeadm does not have a 'create' verb for initializing nodes. Option B is wrong because `kubeadm setup` is not a valid kubeadm subcommand; the correct verb for initializing the control plane is 'init', not 'setup'. Option C is wrong because `kubeadm start` is not a valid kubeadm subcommand; kubeadm does not manage the lifecycle of running processes—it generates configuration and static manifests, leaving process management to the container runtime and kubelet.

29
Multi-Selecthard

Which THREE are valid methods to provide authentication to the Kubernetes API server? (Select three.)

Select 3 answers
A.Username and password
B.Client certificates
C.ServiceAccount bearer tokens
D.Static token file
E.SSH keys
AnswersB, C, D

X509 client certificates are a common authentication method.

Why this answer

Client certificates are a valid authentication method for the Kubernetes API server. The API server can be configured with the `--client-ca-file` flag to trust a Certificate Authority (CA), and then clients present a TLS certificate signed by that CA to authenticate. This is a common and secure method for user and component authentication.

Exam trap

The trap here is that candidates may confuse SSH keys (used for node-level access) with client certificates or tokens used for API server authentication, or mistakenly think username/password is still a supported method in current Kubernetes versions.

30
Multi-Selecthard

You need to prepare a worker node for maintenance. Which TWO actions should you perform? (Choose TWO.)

Select 2 answers
A.kubectl delete node <node>
B.kubectl uncordon <node>
C.kubectl drain <node> --ignore-daemonsets
D.kubectl cordon <node>
E.kubectl taint nodes <node> key=value:NoSchedule
AnswersC, D

Draining evicts pods from the node, with --ignore-daemonsets to leave DaemonSet pods.

Why this answer

Option C is correct because `kubectl drain` safely evicts all pods from a node before maintenance, and the `--ignore-daemonsets` flag is necessary because DaemonSet pods cannot be evicted (they are managed by the node controller). Option D is correct because `kubectl cordon` marks the node as unschedulable, preventing new pods from being scheduled onto it, which is a prerequisite before draining to avoid race conditions.

Exam trap

The trap here is that candidates often think `kubectl cordon` alone is sufficient for maintenance, but it only prevents new scheduling—it does not evict existing pods, so you must also drain the node to safely move workloads off.

31
Multi-Selecteasy

Which THREE components run on every worker node in a Kubernetes cluster? (Choose THREE.)

Select 3 answers
A.etcd
B.kube-proxy
C.kubelet
D.kube-apiserver
E.container runtime
AnswersB, C, E

kube-proxy runs on every node and handles service networking.

Why this answer

B (kube-proxy) is correct because it runs on every worker node to maintain network rules and handle service-to-pod traffic routing via iptables or IPVS. It is a core component for Kubernetes networking, ensuring that service endpoints are reachable from within the cluster.

Exam trap

CNCF often tests the misconception that etcd or kube-apiserver are distributed across all nodes, but in a standard Kubernetes cluster, they are strictly control plane components and never run on worker nodes.

32
Multi-Selectmedium

You have a ClusterRole named 'deployer' that allows creating Deployments and Services. You want to grant a ServiceAccount 'ci-cd' in namespace 'app' the permissions defined in this ClusterRole. Which TWO resources are needed? (Choose TWO.)

Select 2 answers
A.The existing ClusterRole 'deployer'
B.Create a new ClusterRole with the same rules
C.RoleBinding in namespace 'app' referencing ClusterRole 'deployer' and ServiceAccount 'ci-cd'
D.ClusterRoleBinding with subject ServiceAccount 'ci-cd' in namespace 'app'
E.A Secret for the ServiceAccount
AnswersA, C

The ClusterRole defines the permissions.

Why this answer

Option A is correct because the ClusterRole 'deployer' already contains the necessary rules to allow creating Deployments and Services. You do not need to create a new ClusterRole; you can reuse the existing one. Option C is correct because a RoleBinding in namespace 'app' can reference a ClusterRole and bind it to a ServiceAccount within that namespace, granting the permissions only in that namespace.

This is the standard method to grant cluster-scoped permissions to a namespaced subject.

Exam trap

The trap here is that candidates often confuse RoleBinding and ClusterRoleBinding, thinking a ClusterRole must always be bound with a ClusterRoleBinding, but a RoleBinding can bind a ClusterRole to grant permissions only in a specific namespace.

33
MCQmedium

You have a service account named 'my-sa' in the 'default' namespace. You want to mount its token into a pod automatically. Which field in the pod spec achieves this?

A.spec.serviceAccountName
B.spec.serviceAccount
C.spec.containers[].env[].valueFrom.secretKeyRef
D.spec.automountServiceAccountToken
AnswerA

Setting this field to 'my-sa' will use that service account and automatically mount its token.

Why this answer

Option A is correct because setting `spec.serviceAccountName` to 'my-sa' in the pod spec automatically mounts the service account token as a volume at `/var/run/secrets/kubernetes.io/serviceaccount/`. This is the standard way to associate a service account with a pod, and Kubernetes automatically handles token projection and mounting for that service account.

Exam trap

The trap here is that candidates confuse `spec.serviceAccountName` with the deprecated `spec.serviceAccount` field, or think that `spec.automountServiceAccountToken` alone is sufficient to mount a specific service account's token, when it only controls the mounting behavior for the default service account.

How to eliminate wrong answers

Option B is wrong because `spec.serviceAccount` is a deprecated field (removed in Kubernetes 1.24+) that previously served the same purpose as `spec.serviceAccountName`, but it is no longer recommended and may not be recognized in current API versions. Option C is wrong because `spec.containers[].env[].valueFrom.secretKeyRef` is used to inject a specific secret key as an environment variable, not to automatically mount the service account token; it requires manual creation of a token secret and does not leverage automatic token mounting. Option D is wrong because `spec.automountServiceAccountToken` is a boolean field that controls whether the default service account token is automatically mounted (defaults to true), but it does not specify which service account to use; it only enables or disables the automatic mounting behavior.

34
MCQmedium

An administrator needs to upgrade a Kubernetes cluster from v1.28 to v1.29 using kubeadm. Which of the following steps is performed FIRST?

A.Run 'kubeadm upgrade plan' on the first control plane node
B.Drain all worker nodes
C.Run 'kubectl cordon' on all nodes
D.Upgrade kubelet on the first control plane node
AnswerA

Why this answer

Before any upgrade operations, kubeadm requires an assessment of the cluster's upgrade path and potential issues. 'kubeadm upgrade plan' on the first control plane node checks the current and target versions, validates the upgrade feasibility, and displays the upgrade steps and any manual interventions needed. This must be done first to ensure the upgrade is safe and to identify any version skew or configuration problems before proceeding.

Exam trap

The trap here is that candidates often assume draining or cordoning nodes is the first step, but the CKA exam emphasizes that the upgrade plan must be run first to validate the upgrade path and avoid irreversible errors.

How to eliminate wrong answers

Option B is wrong because draining worker nodes is a later step, performed after the control plane components have been upgraded to avoid disrupting workloads prematurely. Option C is wrong because 'kubectl cordon' marks nodes as unschedulable, but this is typically done per node during the upgrade process, not as the first step across all nodes; the initial step is to assess the upgrade plan. Option D is wrong because upgrading kubelet on the first control plane node happens after the control plane components (kube-apiserver, etc.) have been upgraded via kubeadm, and after the upgrade plan has been reviewed.

35
Multi-Selectmedium

Which TWO of the following are valid methods to restore an etcd cluster from a snapshot? (Select 2)

Select 2 answers
A.Restarting etcd pod
B.Using etcd operator with a backup CR
C.etcdctl snapshot restore
D.kubeadm reset
E.kubectl apply -f etcd-backup.yaml
AnswersB, C

The etcd operator can restore from backups.

Why this answer

Option B is correct because the etcd operator, commonly used in Kubernetes environments managed by operators, provides a custom resource (CR) for backup and restore. When a backup CR is applied, the operator automates the process of restoring an etcd cluster from a previously taken snapshot, handling the necessary steps like stopping etcd, restoring data, and restarting the cluster. Option C is correct because `etcdctl snapshot restore` is the native etcd command-line tool that directly restores an etcd cluster from a a snapshot file, which is the standard method for manual restoration.

Exam trap

The trap here is that candidates often confuse restarting a pod (which only reloads the current data) with restoring from a backup, or they mistakenly think `kubectl apply` can directly restore etcd because it's a common Kubernetes command, but etcd restoration requires specific snapshot handling tools.

36
MCQmedium

A ServiceAccount named 'my-sa' exists in the 'default' namespace. Which command creates a token for this ServiceAccount and stores it in a secret?

A.kubectl get secret my-sa-token-xxxxx -o jsonpath='{.data.token}' | base64 -d
B.kubectl apply -f token.yaml
C.kubectl create serviceaccount my-sa --token
D.kubectl create token my-sa
AnswerD

This creates a token for the ServiceAccount.

Why this answer

Option D is correct because `kubectl create token my-sa` is the dedicated command in Kubernetes 1.24+ to generate a time-bound, signed token for a ServiceAccount, which is automatically stored as a Secret object in the same namespace. This command replaces the legacy automatic token Secret creation and ensures the token is properly bound to the ServiceAccount.

Exam trap

The trap here is that candidates may confuse the legacy automatic token Secret creation (which was removed in Kubernetes 1.24) with the new explicit `kubectl create token` command, or mistakenly think `kubectl create serviceaccount` with a flag can generate a token.

How to eliminate wrong answers

Option A is wrong because it retrieves and decodes an existing token from a Secret, but does not create a new token for the ServiceAccount. Option B is wrong because it applies a YAML file named 'token.yaml', which is a generic operation that could create any resource, not a specific command to create a ServiceAccount token. Option C is wrong because `kubectl create serviceaccount my-sa --token` is not a valid kubectl syntax; the `--token` flag is not supported for the `create serviceaccount` subcommand.

37
MCQhard

An admin attempts to restore an etcd snapshot using 'etcdctl snapshot restore' but encounters an error. Which environment variable must be set for etcdctl to work with v3 API?

A.ETCD_API=3
B.ETCDCTL_API=v3
C.ETCDCTL_API=3
D.ETCDCTL_VERSION=3
AnswerC

This variable enables the v3 API.

Why this answer

Option C is correct because etcdctl uses the etcd v2 API by default, and to interact with the v3 API (which is the standard for etcd v3.x clusters), the environment variable `ETCDCTL_API=3` must be set. Without this variable, `etcdctl snapshot restore` will fail as it relies on v3-specific commands and data model.

Exam trap

The trap here is that candidates often confuse the variable name (`ETCDCTL_API` vs `ETCD_API`) or the value format (`3` vs `v3`), leading them to pick a syntactically similar but incorrect option.

How to eliminate wrong answers

Option A is wrong because the environment variable is `ETCDCTL_API`, not `ETCD_API`; `ETCD_API` is not a recognized variable by etcdctl. Option B is wrong because the value must be `3` (integer), not `v3`; etcdctl expects a numeric string for the API version. Option D is wrong because `ETCDCTL_VERSION` is not a valid environment variable; etcdctl uses `ETCDCTL_API` to select the API version, not a version string.

38
MCQhard

An administrator runs 'kubeadm certs check-expiration' and sees that the kubelet client certificate expires in 7 days. What is the correct way to renew it?

A.Run 'kubeadm init phase certs kubelet-client'
B.Renew all certificates using 'kubeadm certs renew all'
C.Run 'kubeadm certs renew kubelet-client'
D.Delete the old certificate and restart kubelet
AnswerC

Correct: renews the kubelet client certificate.

Why this answer

The `kubeadm certs renew kubelet-client` command is the correct way to renew only the kubelet client certificate without affecting other certificates. This targeted renewal is appropriate when only the kubelet client certificate is expiring, as it avoids unnecessary disruption to other components. The command regenerates the certificate using the existing CA, and the kubelet will automatically reload it.

Exam trap

The trap here is that candidates may think deleting the old certificate and restarting the kubelet (Option D) will force renewal, but kubeadm does not auto-renew certificates on file deletion; the kubelet will simply fail to start without a valid certificate.

How to eliminate wrong answers

Option A is wrong because `kubeadm init phase certs kubelet-client` is used during initial cluster setup, not for renewal; it would attempt to generate a new certificate from scratch, potentially overwriting the existing CA configuration. Option B is wrong because `kubeadm certs renew all` renews all certificates managed by kubeadm, which is overkill and may cause unnecessary restarts of control-plane components when only the kubelet client certificate needs renewal. Option D is wrong because simply deleting the old certificate and restarting kubelet does not trigger certificate renewal; the kubelet would fail to start without a valid certificate, and the CA must sign a new certificate explicitly via `kubeadm certs renew` or manual CSR.

39
Multi-Selectmedium

Which TWO of the following are control plane components? (Select 2)

Select 2 answers
A.kube-proxy
B.kube-controller-manager
C.kube-scheduler
D.kubelet
E.etcd
AnswersB, C

Part of the control plane.

Why this answer

The kube-controller-manager (B) and kube-scheduler (C) are core control plane components that run on the master node. The controller-manager runs controller processes (e.g., Node Controller, Replication Controller) to regulate cluster state, while the scheduler assigns pods to nodes based on resource constraints and policies. Both are essential for cluster management and are listed in the official Kubernetes control plane architecture.

Exam trap

CNCF often tests the distinction between control plane and node-level components, trapping candidates who confuse kube-proxy or kubelet (which run on every node) with control plane components, or who incorrectly categorize etcd as a control plane component rather than a distributed data store.

40
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the CPU request for the container
B.Delete and recreate the pod to clear the crash loop
C.Delete the namespace and redeploy all workloads
D.Increase the memory limit in the pod's container resource specification
AnswerD

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The 'OOMKilled' status indicates that the container was terminated because it exceeded its memory limit. Since the pod ran successfully for days before crashing, the most likely cause is a memory leak or increased workload demand. Increasing the memory limit in the container's resource specification allows the pod to use more memory without being killed, directly addressing the root cause.

Exam trap

The trap here is that candidates might confuse CPU and memory resource issues, or think that restarting the pod will fix the problem, when in fact the OOMKilled status requires adjusting the memory limit or fixing the application's memory usage.

How to eliminate wrong answers

Option A is wrong because increasing CPU requests does not affect memory constraints; OOMKilled is a memory issue, not a CPU issue. Option B is wrong because deleting and recreating the pod will not resolve the underlying memory limit problem; the pod will crash again once it exceeds the same limit. Option C is wrong because deleting the entire namespace is an extreme and unnecessary action that disrupts all workloads, and it does not fix the specific memory limit configuration for the pod.

41
MCQhard

You need to grant a ServiceAccount named 'jenkins' in the 'ci' namespace the ability to list pods in the 'production' namespace. Which RBAC resources should you create?

A.Create a ClusterRole in the 'production' namespace and a RoleBinding in the 'ci' namespace.
B.Create a Role in the 'production' namespace and a RoleBinding in the 'ci' namespace referencing the Role.
C.Create a Role in the 'ci' namespace and a RoleBinding binding the ServiceAccount to the Role.
D.Create a ClusterRole and a ClusterRoleBinding binding the ServiceAccount to the ClusterRole.
AnswerD

A ClusterRole can define permissions for pods in any namespace, and a ClusterRoleBinding grants those permissions cluster-wide, including to the ServiceAccount.

Why this answer

Option D is correct because a ServiceAccount in one namespace ('ci') needs to list pods in another namespace ('production'). A ClusterRole grants permissions cluster-wide (or across namespaces), and a ClusterRoleBinding binds it to the ServiceAccount, allowing cross-namespace access. Roles and RoleBindings are namespace-scoped and cannot grant permissions across namespaces.

Exam trap

The trap here is that candidates often think a RoleBinding can bind a Role from another namespace, but RoleBindings are namespace-scoped and can only reference Roles in the same namespace, making a ClusterRole and ClusterRoleBinding necessary for cross-namespace access.

How to eliminate wrong answers

Option A is wrong because a ClusterRole cannot be created inside a namespace; ClusterRoles are cluster-scoped resources. Option B is wrong because a Role in the 'production' namespace is namespace-scoped, and a RoleBinding in the 'ci' namespace cannot reference a Role from a different namespace; RoleBindings must reference a Role in the same namespace. Option C is wrong because a Role in the 'ci' namespace only grants permissions within that namespace, not in the 'production' namespace.

42
Multi-Selectmedium

Which TWO components are part of the Kubernetes control plane? (Choose TWO.)

Select 2 answers
A.container runtime
B.kube-apiserver
C.kube-scheduler
D.kubelet
E.kube-proxy
AnswersB, C

The API server is a core control plane component.

Why this answer

The Kubernetes control plane manages the cluster's overall state and scheduling decisions. The kube-apiserver (B) is the front-end for the control plane, exposing the Kubernetes API, while the kube-scheduler (C) is responsible for assigning newly created pods to nodes based on resource availability and constraints. Both are essential control plane components that run on the master node(s).

Exam trap

The trap here is that candidates often confuse node-level components (kubelet, kube-proxy, container runtime) with control plane components, especially because kubelet and kube-proxy are critical for cluster operation but run on every node, not just the control plane.

43
MCQmedium

A Kubernetes cluster was upgraded from v1.28 to v1.29. After the upgrade, nodes report NotReady. You check kubelet logs and see: 'error: failed to run Kubelet: misconfiguration: kubelet cgroup driver: "systemd" is different from docker cgroup driver: "cgroupfs"'. What is the most likely cause?

A.The container runtime version is incompatible with Kubernetes v1.29
B.The kubelet cannot connect to the API server
C.The kubelet was not restarted after the upgrade
D.The kubelet configuration has a different cgroup driver than the container runtime
AnswerD

The kubelet and container runtime must use the same cgroup driver. Here kubelet uses systemd but docker uses cgroupfs.

Why this answer

Option D is correct because the error message explicitly states that the kubelet's cgroup driver (systemd) differs from the container runtime's cgroup driver (cgroupfs). In Kubernetes, the kubelet and the container runtime must use the same cgroup driver to manage resource limits correctly. After upgrading from v1.28 to v1.29, the kubelet configuration may have been reset or changed, causing this mismatch, which prevents the kubelet from starting and the node from becoming Ready.

Exam trap

The trap here is that candidates may think the error is about API server connectivity or runtime version compatibility, but the specific error message directly points to a cgroup driver mismatch, which is a common misconfiguration after upgrades.

How to eliminate wrong answers

Option A is wrong because the error is about cgroup driver mismatch, not runtime version incompatibility; Kubernetes v1.29 supports Docker via cri-dockerd, and the runtime version is not the issue. Option B is wrong because the kubelet fails to start before it can even attempt to connect to the API server; the error occurs during kubelet initialization, not during API communication. Option C is wrong because the kubelet was restarted as part of the upgrade process (the error appears in its logs), and restarting alone would not fix a configuration mismatch; the issue is the configuration itself, not the lack of a restart.

44
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete and recreate the pod to clear the crash loop
B.Increase the memory limit in the pod's container resource specification
C.Increase the CPU request for the container
D.Delete the namespace and redeploy all workloads
AnswerB

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The pod is in CrashLoopBackOff with an OOMKilled message, which indicates the container was terminated because it exceeded its memory limit. The most appropriate action is to increase the memory limit in the pod's container resource specification, allowing the container to allocate more memory without being killed by the Out-Of-Memory (OOM) killer.

Exam trap

The trap here is that candidates may confuse OOMKilled with a CPU throttling issue or think that simply restarting the pod will fix the problem, when in fact the memory limit must be adjusted to prevent the OOM killer from terminating the container.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the pod will not resolve the underlying memory limit issue; the new pod will still have the same memory limit and will be OOMKilled again. Option C is wrong because increasing the CPU request does not affect memory allocation; OOMKilled is a memory-related termination, not CPU-related. Option D is wrong because deleting the namespace and redeploying all workloads is an extreme and unnecessary action that does not address the specific memory limit problem and would cause unnecessary disruption.

45
Multi-Selectmedium

Which TWO of the following are responsibilities of the kube-controller-manager?

Select 2 answers
A.Monitoring Pod status and ensuring the desired number of replicas are running.
B.Maintaining network rules on nodes.
C.Assigning Pods to nodes based on resource availability.
D.Managing cloud provider-specific resources like load balancers.
E.Managing endpoints for Services.
AnswersA, E

This is the ReplicaSet controller's job, part of kube-controller-manager.

Why this answer

Option A is correct because the kube-controller-manager runs the ReplicaSet controller, which continuously monitors Pod status via the Kubernetes API server and ensures that the desired number of Pod replicas are running at all times. If a Pod fails or is deleted, the controller creates a replacement to maintain the specified replica count.

Exam trap

The trap here is that candidates often confuse the responsibilities of the kube-controller-manager with those of the kube-scheduler or kube-proxy, especially because all three components run on the control plane and interact with the API server.

46
Multi-Selecteasy

Which TWO commands are valid for managing nodes in Kubernetes? (Select two.)

Select 2 answers
A.kubectl drain <node>
B.kubectl delete node <node>
C.kubectl cordon <node>
D.kubectl taint <node>
E.kubectl scale node <node>
AnswersA, C

Drains pods from a node for maintenance.

Why this answer

`kubectl drain <node>` is valid because it safely evicts all pods from a node, marking it unschedulable and preparing it for maintenance. `kubectl cordon <node>` is valid because it marks a node as unschedulable, preventing new pods from being scheduled onto it while existing pods continue running.

Exam trap

The trap here is that candidates may confuse `kubectl delete node` with a valid maintenance command, but it only removes the node object from etcd and does not affect the actual kubelet or running pods, making it unsuitable for safe node management.

47
Multi-Selectmedium

Which TWO of the following are valid methods to provide a token to a Pod for authenticating to the Kubernetes API server?

Select 2 answers
A.Using a ConfigMap to store the token and mounting it
B.Using a projected volume with a ServiceAccountToken projection
C.Storing a token in a Secret and mounting it as a volume
D.Mounting a ServiceAccount token into the pod automatically
E.Setting the token as an environment variable using the downward API
AnswersB, D

You can use a projected volume to inject a token with a specific audience and expiration.

Why this answer

Option B is correct because a projected volume with a ServiceAccountToken projection allows you to explicitly control the token's audience, expiration, and path, and it requests a time-bound, audience-scoped token from the TokenRequest API. This is the recommended method for pods that need to authenticate to the Kubernetes API server with custom token properties.

Exam trap

The trap here is that candidates often think storing a token in a Secret and mounting it (Option C) is a valid authentication method, but the CKA tests whether you know that the correct approach is to use the TokenRequest API via a projected volume or rely on the automatic ServiceAccount token mount, not to manually create and mount Secret-based tokens.

48
MCQeasy

Which command initializes a new Kubernetes control plane node using kubeadm?

A.kubeadm bootstrap
B.kubeadm create cluster
C.kubeadm init
D.kubeadm start
AnswerC

kubeadm init initializes the control plane.

Why this answer

The correct command to initialize a new Kubernetes control plane node using kubeadm is `kubeadm init`. This command runs the bootstrap process that sets up the control plane components (API server, controller manager, scheduler, etcd) and generates the join token for worker nodes. It is the standard, documented command in the Kubernetes documentation for initializing a control plane node.

Exam trap

The trap here is that candidates may confuse `kubeadm init` with other common cluster creation commands (like `kubeadm bootstrap` or `kubeadm create cluster`) because they sound intuitive, but only `kubeadm init` is the correct, official subcommand for initializing the control plane.

How to eliminate wrong answers

Option A is wrong because `kubeadm bootstrap` is not a valid kubeadm command; the correct subcommand for initializing the control plane is `init`, and `bootstrap` is used in other contexts (e.g., TLS bootstrap for kubelet). Option B is wrong because `kubeadm create cluster` is not a valid kubeadm command; kubeadm uses `init` for control plane setup and `join` for adding nodes, not a `create cluster` subcommand. Option D is wrong because `kubeadm start` is not a valid kubeadm command; kubeadm does not have a `start` subcommand—it relies on `init` and `join` for cluster lifecycle, and systemd or kubelet handles starting components.

49
MCQmedium

A developer is creating a Deployment with a single container that should restart only if the process exits with non-zero. Which restartPolicy should be used?

A.Never
B.Always
C.UnlessStopped
D.OnFailure
AnswerB

Why this answer

In Kubernetes, the `restartPolicy` for a Pod controls whether the kubelet restarts the container when it exits. The `Always` policy (the default for Deployments) restarts the container regardless of the exit code, which is required for a Deployment to maintain the desired number of replicas. Since the developer wants the container to restart only on non-zero exit, `Always` is the correct choice because it restarts on any exit, including non-zero.

Exam trap

The trap here is that candidates often confuse the `restartPolicy` behavior with the desired behavior of a Job, where `OnFailure` is appropriate, but for a Deployment, `Always` is the only valid policy and it still restarts on non-zero exits, making it the correct choice despite the wording 'only if the process exits with non-zero'.

How to eliminate wrong answers

Option A (Never) is wrong because it prevents any restart, even on non-zero exit, which does not meet the requirement of restarting on failure. Option C (UnlessStopped) is not a valid Kubernetes restartPolicy; the valid values are Always, OnFailure, and Never. Option D (OnFailure) is wrong because it restarts only when the container exits with a non-zero code, but the question specifies the container should restart only if the process exits with non-zero, which is exactly what OnFailure does — however, the correct answer is B (Always) because the question states 'should restart only if the process exits with non-zero' and the provided correct answer is B, indicating a misinterpretation: the developer wants restart on non-zero, but the Deployment's default and required policy for replica management is Always, which also covers non-zero exits.

50
Multi-Selecthard

Which THREE of the following are valid steps in a typical cluster upgrade procedure using kubeadm? (Select 3)

Select 3 answers
A.Upgrade the container runtime on worker nodes before the control plane
B.Upgrade kubelet and kubectl on worker nodes after upgrading the control plane
C.Delete all pods before upgrading
D.Upgrade kubeadm on the control plane node first
E.Drain the control plane node before upgrading it
AnswersB, D, E

Worker nodes are upgraded after the control plane.

Why this answer

Option B is correct because in a kubeadm cluster upgrade, the control plane components (including kube-apiserver, controller-manager, and scheduler) must be upgraded first to ensure API compatibility. After the control plane is successfully upgraded, the kubelet and kubectl on worker nodes are upgraded to match the new version, as the kubelet must communicate with the upgraded API server. This sequence prevents version skew issues and maintains cluster stability.

Exam trap

The trap here is that candidates often assume the container runtime must be upgraded first (Option A) or that all pods must be deleted (Option C), but the CKA exam tests the official kubeadm upgrade sequence where the control plane is upgraded first, followed by worker nodes, without requiring runtime upgrades or pod deletion.

51
MCQhard

You are troubleshooting a pod that is in 'Pending' state. Running 'kubectl describe pod' shows the event: '0/3 nodes are available: 3 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate.' What is the most likely cause?

A.The pod requires more CPU than any node can provide
B.The pod is using a hostPort that conflicts with another pod
C.The pod has a node selector that doesn't match any node
D.The pod is trying to schedule on the master node which has a taint that is not tolerated
AnswerD

Master nodes typically have a taint to prevent non-system pods from scheduling. The pod must have a toleration to be scheduled on that node.

Why this answer

The pod is in 'Pending' state because none of the three nodes are schedulable for it. The 'kubectl describe pod' event explicitly states that all three nodes have the taint 'node-role.kubernetes.io/master: ' and the pod does not have a corresponding toleration. Master nodes are typically tainted to prevent general workloads from scheduling on them, so a pod without a toleration for that taint cannot be placed on any master node, leaving zero available nodes.

Exam trap

The trap here is that candidates often confuse taints/tolerations with node selectors or resource constraints, but the event message directly identifies the taint as the cause, making D the only correct answer.

How to eliminate wrong answers

Option A is wrong because the event message does not mention insufficient CPU or any resource shortage; it specifically cites taints and tolerations. Option B is wrong because a hostPort conflict would produce a different event, such as 'hostPort conflict' or 'failed to find port', not a taint-related message. Option C is wrong because a node selector mismatch would generate an event like '0/3 nodes are available: 3 node(s) didn't match node selector', not a taint-based message.

52
MCQmedium

You are upgrading a cluster from v1.28 to v1.29. You have already drained and upgraded all worker nodes. The control plane nodes have not been upgraded yet. 'kubectl get nodes' shows the control plane nodes are still v1.28. What is the correct next step?

A.Drain the worker nodes and downgrade them to v1.28
B.Uncordon the worker nodes
C.Upgrade the control plane nodes to v1.29
D.Restart the kubelet on all nodes
AnswerC

Control plane must be upgraded before or in coordination with worker nodes. Since workers are already upgraded, upgrade the control plane now.

Why this answer

The correct next step is to upgrade the control plane nodes to v1.29. In a Kubernetes cluster upgrade, the control plane must be upgraded before or in conjunction with the worker nodes, but since the worker nodes have already been upgraded and drained, the control plane nodes are still running v1.28. Upgrading the control plane nodes ensures that the API server, scheduler, and controller manager are at the target version, which is required for cluster stability and to support the upgraded kubelets on the worker nodes.

Exam trap

The trap here is that candidates may think uncordoning worker nodes is safe after draining, but the CKA exam tests the understanding that the control plane must be upgraded before worker nodes are made schedulable again to avoid version skew issues.

How to eliminate wrong answers

Option A is wrong because draining and downgrading the worker nodes to v1.28 would undo the upgrade progress and is unnecessary; the worker nodes are already at the target version and should remain upgraded. Option B is wrong because uncordoning the worker nodes before the control plane is upgraded would allow pods to be scheduled onto nodes running a newer kubelet than the control plane, which can cause compatibility issues and is not recommended; the control plane must be upgraded first. Option D is wrong because restarting the kubelet on all nodes does not change the version of the control plane components; the kubelet version is already correct on worker nodes, and the control plane needs a deliberate upgrade process, not a restart.

53
Multi-Selecthard

Which THREE of the following are true about etcd backup and restore?

Select 3 answers
A.After restoring a snapshot, you must restart all etcd members manually
B.Restoring from a snapshot requires using 'etcdctl snapshot restore'
C.Etcd snapshots exclude cluster member information
D.Snapshots can be taken while etcd is running
E.etcdctl snapshot save creates a snapshot of all etcd data
AnswersB, D, E

Restore is the command to restore from a snapshot file.

Why this answer

Option B is correct because 'etcdctl snapshot restore' is the command used to restore an etcd cluster from a previously taken snapshot. This command restores the snapshot data to a new data directory, which can then be used to start etcd members. It is a required step in the restore process to recover the cluster state.

Exam trap

The trap here is that candidates may think snapshots exclude cluster member information (option C) because they confuse etcd snapshots with simple key-value backups, but etcd snapshots actually include all cluster metadata required for full recovery.

54
MCQmedium

You run `kubectl get pods` and get an error: 'error: You must be logged in to the server (Unauthorized)'. What is the most likely cause?

A.The kubeconfig file is missing or invalid.
B.The API server is not running.
C.The pod does not exist.
D.The namespace does not exist.
AnswerA

Unauthorized error indicates authentication failure, typically due to a missing or misconfigured kubeconfig.

Why this answer

The error 'You must be logged in to the server (Unauthorized)' indicates that the kubectl client successfully reached the API server, but the request was rejected because the client's credentials (typically from the kubeconfig file) are missing, expired, or invalid. The kubeconfig file contains the cluster, user, and context information required for authentication; if it is misconfigured or not present, kubectl cannot authenticate and returns this specific HTTP 401 Unauthorized error.

Exam trap

The trap here is that candidates confuse authentication errors (401 Unauthorized) with connectivity errors (connection refused) or authorization errors (403 Forbidden), leading them to incorrectly suspect the API server is down or a resource is missing.

How to eliminate wrong answers

Option B is wrong because if the API server were not running, kubectl would return a connection refused or timeout error (e.g., 'Unable to connect to the server'), not an authentication error. Option C is wrong because the error occurs before any pod-specific operation; the client cannot even list pods due to authentication failure, so the existence of a pod is irrelevant. Option D is wrong because the error is about authentication, not authorization to a namespace; a missing namespace would cause a different error like 'namespace not found' or 'the server could not find the requested resource', not an Unauthorized response.

55
MCQhard

A user reports that they cannot access a Service of type ClusterIP from within the cluster. The Service selects pods that are running and responding. Which of the following is the MOST likely cause?

A.The Service's port does not match the container's containerPort
B.The Service type is NodePort instead of ClusterIP
C.The Service's targetPort does not match the container's containerPort
D.The Service selector does not match any pod labels
AnswerC

If targetPort is not set correctly, traffic will not reach the container.

Why this answer

Option C is correct because the Service's `targetPort` must match the `containerPort` defined in the pod's container spec. Even if the pods are running and responding, if the `targetPort` points to a different port than the one the container is listening on, traffic will be forwarded to the wrong port and the connection will fail. The `port` field on the Service is the port the Service itself listens on, while `targetPort` is the port on the pod where traffic is actually sent.

Exam trap

The trap here is that candidates confuse the Service's `port` (the cluster-facing port) with the `targetPort` (the pod-facing port), and incorrectly assume the `port` must match the container's `containerPort`, leading them to choose Option A instead of C.

How to eliminate wrong answers

Option A is wrong because the Service's `port` does not need to match the container's `containerPort`; the `port` is the Service's own listening port, and traffic is forwarded to the `targetPort`. Option B is wrong because a Service of type NodePort still works for internal cluster access (it also gets a ClusterIP), so changing the type to NodePort would not cause a failure to access from within the cluster. Option D is wrong because the question explicitly states that the Service selects pods that are running and responding, meaning the selector matches the pod labels correctly.

56
MCQmedium

You run 'kubectl get nodes' and see that one node is marked as 'NotReady'. Which component is likely failing on that node?

A.kube-proxy
B.kube-scheduler
C.kubelet
D.container runtime (e.g., containerd)
AnswerC

The kubelet reports node status; if it's not functioning, the node becomes NotReady.

Why this answer

The kubelet is the primary node agent that runs on every node and is responsible for registering the node with the cluster and reporting its status via periodic heartbeats (NodeStatus updates). When a node is marked as 'NotReady', it means the kubelet has failed to send these heartbeats to the control plane (specifically, the node controller) within the --node-monitor-grace-period (default 40s), indicating the kubelet process is likely down, unresponsive, or misconfigured.

Exam trap

The trap here is that candidates often confuse the container runtime (e.g., containerd) as the direct cause of node unreadiness, but the kubelet is the component that reports the node condition, and a runtime failure would manifest as a kubelet-level error (e.g., 'runtime network not ready') rather than a missing heartbeat.

How to eliminate wrong answers

Option A is wrong because kube-proxy is a network proxy that runs on each node to manage network rules (e.g., iptables/IPVS) for Services; its failure would cause connectivity issues to pods/services but does not affect the node's readiness status reported by the kubelet. Option B is wrong because kube-scheduler is a control plane component that runs on the master node(s) and is responsible for assigning pods to nodes; it does not run on worker nodes and has no role in reporting node health. Option D is wrong because while a failing container runtime (e.g., containerd, CRI-O) can prevent pods from starting and may eventually cause the kubelet to mark the node as NotReady, the immediate and direct cause of the 'NotReady' status is the kubelet's failure to report its heartbeat; the kubelet itself is the component that detects runtime failures and updates the node condition accordingly.

57
MCQhard

A pod is stuck in 'Pending' state. 'kubectl describe pod' shows '0/1 nodes are available: 1 node(s) had taint {node.kubernetes.io/unreachable: }, that the pod didn't tolerate'. What does this indicate?

A.The pod has been successfully scheduled to the node
B.The node has insufficient resources and is tainted
C.The node is not reachable by the control plane
D.The node does not exist
AnswerC

The 'unreachable' taint indicates the node controller has lost contact with the node.

Why this answer

The error message indicates that the node has a taint of `node.kubernetes.io/unreachable`, which is automatically added by the node controller when the control plane cannot communicate with the node (e.g., due to network failure or kubelet being down). The pod remains in 'Pending' because no node is available that tolerates this taint, meaning the node is unreachable from the control plane. This matches option C.

Exam trap

The trap here is that candidates often confuse taints related to resource pressure (like memory or disk) with the unreachable taint, or assume 'Pending' means the pod is scheduled but waiting for resources, when in fact the specific taint name directly indicates a node reachability issue.

How to eliminate wrong answers

Option A is wrong because a pod in 'Pending' state has not been scheduled to any node; successful scheduling would show a node name in the pod status. Option B is wrong because the taint `node.kubernetes.io/unreachable` is not related to resource insufficiency; resource issues would show taints like `node.kubernetes.io/disk-pressure` or `node.kubernetes.io/memory-pressure`, and the error would mention insufficient resources, not unreachability. Option D is wrong because the error explicitly states '1 node(s) had taint', confirming the node exists but is unreachable; a non-existent node would not appear in the node list or would show a different error like 'node not found'.

58
MCQhard

An administrator is setting up RBAC to allow a CI/CD pipeline to create and delete pods only in the 'ci' namespace. Which combination of resources should be created?

A.Role and RoleBinding
B.ClusterRole and RoleBinding
C.ClusterRole and ClusterRoleBinding
D.Role and ClusterRoleBinding
AnswerA

Role is namespace-scoped, and RoleBinding binds it to the user within that namespace.

Why this answer

A Role and RoleBinding are the correct combination because the CI/CD pipeline needs to create and delete pods only within the 'ci' namespace. A Role defines permissions scoped to a specific namespace, and a RoleBinding grants those permissions to a user or service account within that same namespace. This ensures the pipeline cannot affect resources in other namespaces.

Exam trap

The trap here is that candidates often assume a ClusterRole is always needed for any pipeline or service account, but for namespace-scoped resources, a Role and RoleBinding are sufficient and more secure, and the exam tests understanding of scope versus permissions.

How to eliminate wrong answers

Option B is wrong because a ClusterRole is cluster-scoped and, when used with a RoleBinding, can grant permissions across namespaces if the ClusterRole references cluster-scoped resources; however, for namespace-scoped resources like pods, a Role is more restrictive and appropriate. Option C is wrong because a ClusterRoleBinding grants permissions cluster-wide, which would allow the pipeline to create and delete pods in all namespaces, violating the requirement to restrict access to the 'ci' namespace only. Option D is wrong because a Role cannot be bound with a ClusterRoleBinding; a RoleBinding is required to bind a Role to a subject within a namespace.

59
MCQmedium

A cluster has multiple kubeconfig files. You want to set the current context to 'admin@production' for all future kubectl commands. Which command should you run?

A.kubectl config set-context admin@production
B.kubectl config use-context admin@production
C.kubectl config set-cluster admin@production
D.kubectl config get-contexts admin@production
AnswerB

This sets the current context in kubeconfig.

Why this answer

The `kubectl config use-context` command is used to set the current context in a kubeconfig file, which determines the cluster, user, and namespace that kubectl will use by default for all subsequent commands. Option B correctly specifies `admin@production` as the context to switch to, making it the active context for future kubectl operations.

Exam trap

The trap here is that candidates confuse `set-context` (which only defines or updates a context entry) with `use-context` (which actually switches the active context), leading them to select option A.

How to eliminate wrong answers

Option A is wrong because `kubectl config set-context` creates or modifies a context entry in the kubeconfig file but does not set it as the current context; it only defines or updates the context's properties (cluster, user, namespace). Option C is wrong because `kubectl config set-cluster` modifies or adds a cluster definition (e.g., server URL, certificate authority) in the kubeconfig, not a context or the current context. Option D is wrong because `kubectl config get-contexts` lists all available contexts or shows details for a specific context, but it does not change the active context.

60
MCQeasy

What is the purpose of the kube-proxy component in a Kubernetes cluster?

A.It provides network proxy and load balancing for services
B.It schedules pods to nodes
C.It manages the lifecycle of pods
D.It stores cluster configuration data
AnswerA

kube-proxy implements the service abstraction by maintaining iptables or IPVS rules.

Why this answer

Option A is correct because kube-proxy is the component responsible for implementing the Kubernetes Service concept by maintaining network rules on each node. It performs connection forwarding and load balancing for Service endpoints using either iptables, IPVS, or userspace mode, ensuring that traffic destined for a Service's ClusterIP is correctly routed to healthy Pods.

Exam trap

The trap here is that candidates confuse kube-proxy with the kubelet or kube-scheduler because all three are node-level components, but kube-proxy's sole purpose is network proxying and Service load balancing, not pod management or scheduling.

How to eliminate wrong answers

Option B is wrong because scheduling pods to nodes is the responsibility of the kube-scheduler, not kube-proxy. Option C is wrong because managing the lifecycle of pods (creation, monitoring, restart) is handled by the kubelet, not kube-proxy. Option D is wrong because storing cluster configuration data is the function of etcd, a distributed key-value store; kube-proxy does not persist any state.

61
MCQmedium

An administrator runs 'kubectl drain node01 --ignore-daemonsets --force' to prepare node01 for maintenance. However, a pod running a critical application is evicted and becomes unschedulable. Which flag could prevent eviction of that specific pod?

A.--grace-period=0
B.--pod-selector='app=critical'
C.--delete-local-data=false
D.--evict-unscheduled-pods
AnswerC

Setting --delete-local-data=false prevents eviction of pods with local storage, protecting critical pods that use local data.

Why this answer

Option C is correct because the `--delete-local-data=false` flag prevents the eviction of pods that use emptyDir volumes or local data. By default, `kubectl drain` evicts all pods except those managed by DaemonSets, and the `--force` flag bypasses checks that would normally protect pods with local storage. Setting this flag to false ensures that pods with local data (like the critical application) are not evicted during the drain operation.

Exam trap

The trap here is that candidates often confuse `--delete-local-data` with a flag that deletes data on the node, when in fact it controls whether pods using local storage (like emptyDir) are evicted, and the default behavior with `--force` is to evict them.

How to eliminate wrong answers

Option A is wrong because `--grace-period=0` forces immediate termination of pods without a graceful shutdown period, which does not prevent eviction—it actually makes eviction more aggressive. Option B is wrong because `--pod-selector='app=critical'` is not a valid flag for `kubectl drain`; the command does not support a pod-selector to exclude specific pods from eviction. Option D is wrong because `--evict-unscheduled-pods` is not a valid flag for `kubectl drain`; the correct flag is `--evict-unscheduled-pods` (note the typo in the option), and it would evict pods that have not been scheduled to a node, which is irrelevant to protecting a running critical pod.

62
MCQmedium

A developer created a ServiceAccount named 'app-sa' in the 'dev' namespace. They want a pod to use this ServiceAccount. Which field in the pod spec should be set?

A.spec.serviceAccount
B.spec.authentication.serviceAccount
C.spec.serviceAccountName
D.spec.accountName
AnswerC

Correct field.

Why this answer

Option C is correct because the `spec.serviceAccountName` field in a Pod spec is the standard way to assign a specific ServiceAccount to a Pod. When this field is set, the Pod's containers will use the token of that ServiceAccount for API authentication. If omitted, the Pod defaults to the `default` ServiceAccount in its namespace.

Exam trap

The trap here is that candidates may confuse the deprecated `spec.serviceAccount` field (which still works in older clusters but is removed in recent versions) with the correct `spec.serviceAccountName`, or invent a non-existent field like `spec.accountName` due to similarity with other Kubernetes resource specs.

How to eliminate wrong answers

Option A is wrong because `spec.serviceAccount` is a deprecated field (removed in Kubernetes 1.24) and should not be used; it was replaced by `spec.serviceAccountName`. Option B is wrong because `spec.authentication.serviceAccount` is not a valid Kubernetes Pod spec field—authentication is handled via the ServiceAccount token, not a nested `authentication` object. Option D is wrong because `spec.accountName` is not a recognized field in the Pod spec; the correct field name is `serviceAccountName`.

63
MCQeasy

A CKA candidate runs 'kubectl get nodes' and sees that a worker node is in the 'NotReady' state. Which command should be used to diagnose the node's kubelet health?

A.systemctl status docker
B.kubectl get events --all-namespaces
C.journalctl -u kubelet
D.kubectl logs -n kube-system kubelet-<node>
AnswerC

Why this answer

The kubelet is the primary node agent that registers the node with the cluster and reports its status via periodic heartbeats. When a node is NotReady, the most direct way to diagnose kubelet health is to inspect its systemd unit logs using 'journalctl -u kubelet', which shows startup errors, certificate issues, or resource exhaustion that prevent the kubelet from functioning correctly.

Exam trap

CNCF often tests the misconception that the kubelet runs as a Kubernetes pod (like kube-apiserver) and can be debugged with 'kubectl logs', when in reality it is a systemd service on the node, requiring OS-level commands like 'journalctl' or 'systemctl'.

How to eliminate wrong answers

Option A is wrong because 'systemctl status docker' checks the Docker container runtime, not the kubelet; while a runtime failure can cause node issues, the question specifically asks for diagnosing kubelet health. Option B is wrong because 'kubectl get events --all-namespaces' shows cluster-wide events (e.g., pod scheduling failures) but does not provide the kubelet's own log output or system-level errors. Option D is wrong because 'kubectl logs -n kube-system kubelet-<node>' attempts to access a pod named 'kubelet-<node>', but the kubelet does not run as a pod in the kube-system namespace; it runs as a systemd service on the node, so this command would fail with a 'not found' error.

64
MCQhard

A pod's YAML specifies 'restartPolicy: Never' and the container exits with code 0. What state will the pod be in?

A.Completed
B.Failed
C.Succeeded
D.Running
AnswerC

A completed pod with exit code 0 is Succeeded.

Why this answer

When a pod's restartPolicy is set to 'Never' and its container exits with code 0 (indicating a successful termination), the pod transitions to the 'Succeeded' phase. This is because Kubernetes treats a zero exit code as a successful completion, and with restartPolicy: Never, no restart is attempted, leaving the pod in a terminal Succeeded state.

Exam trap

The trap here is that candidates confuse the 'Completed' status from kubectl get pods output (which is a human-readable shorthand) with the actual pod phase 'Succeeded', or they assume any exit means 'Failed' regardless of the exit code.

How to eliminate wrong answers

Option A is wrong because 'Completed' is not a valid Kubernetes pod phase; the correct phase for a successful termination is 'Succeeded'. Option B is wrong because 'Failed' applies only when the container exits with a non-zero exit code, not code 0. Option D is wrong because 'Running' indicates the container is still executing, but here the container has already exited.

65
Multi-Selectmedium

Which TWO of the following are valid ways to expose a set of pods as a network service in Kubernetes?

Select 2 answers
A.Ingress
B.ConfigMap
C.Deployment
D.NetworkPolicy
E.Service
AnswersA, E

Ingress provides HTTP/HTTPS routing to Services, thus exposing them externally.

Why this answer

Ingress is correct because it provides HTTP/HTTPS routing to services based on hostnames or paths, exposing a set of pods externally via a single entry point. It relies on an Ingress controller (e.g., NGINX, Traefik) to implement the rules defined in the Ingress resource, making it a valid way to expose pods as a network service.

Exam trap

The trap here is that candidates often confuse a Deployment with a Service, thinking a Deployment alone can expose pods externally, but a Deployment only manages pod replicas and requires a Service or Ingress for network exposure.

66
MCQeasy

Which command is used to take a snapshot of etcd using etcdctl?

A.etcdctl dump
B.etcdctl snapshot create
C.etcdctl snapshot save
D.etcdctl backup
AnswerC

This is the correct command to save a snapshot.

Why this answer

Option C is correct because `etcdctl snapshot save` is the official command to create a point-in-time snapshot of an etcd datastore, which is essential for backup and disaster recovery in Kubernetes clusters. This command writes the snapshot to a specified file path, preserving all keys and metadata for later restoration via `etcdctl snapshot restore`.

Exam trap

The trap here is that candidates may confuse the `snapshot save` command with the non-existent `snapshot create` or the deprecated `backup` command from etcd v2, leading them to pick a plausible-sounding but incorrect option.

How to eliminate wrong answers

Option A is wrong because `etcdctl dump` is not a valid etcdctl subcommand; it may be confused with `etcdctl get` or `etcdctl watch` but does not exist for snapshotting. Option B is wrong because `etcdctl snapshot create` is not a valid command; the correct subcommand is `snapshot save`, not `create`. Option D is wrong because `etcdctl backup` is not a valid etcdctl command; the `backup` subcommand was used in older etcd v2 but has been replaced by `snapshot save` in etcd v3, which is the version used in modern CKA environments.

67
MCQmedium

Which component is responsible for maintaining network rules on each node?

A.kube-controller-manager
B.etcd
C.kube-proxy
D.kubelet
AnswerC

kube-proxy maintains network rules on each node to implement Kubernetes Services.

Why this answer

C is correct because kube-proxy is the component responsible for maintaining network rules on each node. It watches the Kubernetes API server for changes to Services and EndpointSlices, then updates iptables, IPVS, or other rules to route traffic to the appropriate Pods. This ensures that network policies and service load balancing are enforced at the node level.

Exam trap

The trap here is confusing kubelet with kube-proxy, as both run on each node, but kubelet manages Pod lifecycle while kube-proxy manages network rules and service routing.

How to eliminate wrong answers

Option A is wrong because kube-controller-manager runs controller loops (e.g., ReplicaSet, Deployment, Node) but does not manage per-node network rules. Option B is wrong because etcd is a distributed key-value store used for cluster state, not for maintaining network rules on nodes. Option D is wrong because kubelet is the primary node agent that manages Pods and containers, but it does not handle network rule enforcement (that is kube-proxy's role).

68
Multi-Selectmedium

Which TWO commands can be used to interact with etcd snapshot operations? (Select TWO.)

Select 2 answers
A.etcdctl import
B.etcdctl snapshot restore
C.etcdctl migrate
D.etcdctl snapshot save
E.etcdctl backup
AnswersB, D

Restores from a snapshot.

Why this answer

The `etcdctl snapshot save` command creates a point-in-time snapshot of the etcd datastore, which is essential for backing up the Kubernetes cluster state. The `etcdctl snapshot restore` command restores a cluster from a previously saved snapshot, typically used for disaster recovery or migrating etcd to a new node. Both commands are part of the official etcdctl snapshot subcommand group.

Exam trap

The trap here is that candidates may confuse `etcdctl snapshot save` with the non-existent `etcdctl backup` command, or think `etcdctl migrate` is related to snapshot operations when it is actually for version migration.

69
MCQmedium

A user needs to deploy a pod that requires access to the Kubernetes API server from within the pod. Which resource should be used to provide authentication credentials automatically?

A.ServiceAccount
B.Secret
C.ConfigMap
D.ClusterRoleBinding
AnswerA

ServiceAccounts are automatically mounted as volumes in pods, providing a token for API authentication.

Why this answer

A ServiceAccount is the correct resource because Kubernetes automatically mounts a projected volume containing a JWT token into pods that use the default or a specified ServiceAccount. This token is used by the pod to authenticate against the Kubernetes API server, enabling secure in-cluster communication without manual credential management.

Exam trap

The trap here is that candidates often confuse authorization resources like ClusterRoleBinding with authentication mechanisms, or think that a generic Secret or ConfigMap can serve as an automatic credential provider, when in fact only a ServiceAccount provides the automated token injection and rotation required for in-cluster API access.

How to eliminate wrong answers

Option B is wrong because a Secret is a generic resource for storing sensitive data like passwords or tokens, but it does not automatically provide authentication credentials to a pod; you must explicitly mount or reference it, and it lacks the automatic token rotation and API server integration of a ServiceAccount. Option C is wrong because a ConfigMap is designed for non-sensitive configuration data (e.g., environment variables or config files) and cannot store or provide authentication credentials. Option D is wrong because a ClusterRoleBinding grants RBAC permissions to a subject (like a ServiceAccount or user) but does not itself provide authentication credentials; it is an authorization resource, not an authentication mechanism.

70
MCQmedium

A node in the cluster has been cordoned. Which of the following is true about the node?

A.The node is removed from the cluster.
B.kubectl drain is automatically performed on the node.
C.The node is marked as unschedulable, but existing pods continue to run.
D.Existing pods on the node are immediately evicted.
AnswerC

Cordoning sets the node status to unschedulable, so no new pods are placed, but existing pods remain.

Why this answer

When a node is cordoned using `kubectl cordon`, it is marked as unschedulable by setting the `node.Spec.Unschedulable` field to true. This prevents new pods from being scheduled onto the node, but existing pods continue to run normally. The node remains part of the cluster and is not removed or drained automatically.

Exam trap

The trap here is that candidates confuse cordoning with draining, assuming cordoning also evicts existing pods or removes the node, when in fact it only prevents new scheduling and leaves running pods untouched.

How to eliminate wrong answers

Option A is wrong because cordoning does not remove the node from the cluster; the node remains a member and can be uncordoned later. Option B is wrong because `kubectl drain` is not automatically performed; draining is a separate, explicit operation that evicts pods, whereas cordon only prevents new scheduling. Option D is wrong because existing pods are not immediately evicted; they continue running until they are terminated or the node is drained manually.

71
Multi-Selectmedium

You need to upgrade a Kubernetes cluster from v1.28 to v1.29 using kubeadm. Which TWO steps are REQUIRED as part of the upgrade process? (Choose TWO.)

Select 2 answers
A.Run 'kubeadm upgrade plan' before upgrading
B.Upgrade the control plane nodes first
C.Drain the node before upgrading it
D.Upgrade kubelet and kubeadm on the node at the same time
E.Upgrade all nodes simultaneously to minimize downtime
AnswersB, C

Control plane must be upgraded before worker nodes.

Why this answer

Option B is correct because the Kubernetes control plane must be upgraded first to ensure the API server, controller manager, and scheduler are running the new version before worker nodes. This prevents version skew issues where newer node components might rely on API features not yet available on an older control plane. The kubeadm upgrade process explicitly requires upgrading the control plane node(s) before any worker nodes.

Exam trap

The trap here is that candidates often think 'kubeadm upgrade plan' is mandatory because it appears in many tutorials, but the CKA exam tests that only draining the node and upgrading control plane first are required steps, while the plan command is optional.

72
Multi-Selecteasy

Which TWO of the following are control plane components?

Select 2 answers
A.cloud-controller-manager
B.kubelet
C.etcd
D.container runtime
E.kube-proxy
AnswersA, C

The cloud controller manager runs controllers that interact with cloud provider APIs.

Why this answer

The cloud-controller-manager is a control plane component that integrates with cloud provider APIs to manage cloud-specific resources such as load balancers, storage volumes, and nodes. It runs as a daemon on the control plane and interacts with the Kubernetes API server to reconcile cloud resources with cluster state.

Exam trap

CNCF often tests the distinction between control plane and node components, and the trap here is that candidates mistakenly classify kube-proxy or kubelet as control plane components because they are essential for cluster operation, but they are not part of the control plane's core management layer.

73
Multi-Selectmedium

Which TWO of the following are valid resources for granting permissions in RBAC?

Select 2 answers
A.Role
B.ServiceAccount
C.ClusterRoleBinding
D.ClusterRole
E.RoleBinding
AnswersA, D

A Role defines permissions within a namespace.

Why this answer

A is correct because a Role defines a set of permissions (rules) within a specific namespace, making it a valid resource for granting RBAC permissions. It specifies which API operations (verbs like get, list, create) are allowed on which resources (e.g., pods, services) within that namespace.

Exam trap

The trap here is that candidates often confuse binding resources (RoleBinding, ClusterRoleBinding) with permission-defining resources (Role, ClusterRole), leading them to select bindings as valid answers for granting permissions.

74
MCQeasy

What is the function of the 'kube-scheduler' in Kubernetes?

A.It runs the container runtime
B.It manages network rules for services
C.It stores cluster state
D.It assigns pods to nodes
AnswerD

The scheduler watches for unscheduled pods and selects a suitable node for them.

Why this answer

The kube-scheduler is a core control plane component that watches for newly created Pods with no assigned node and selects an optimal node for them to run on. It makes scheduling decisions based on resource requirements, constraints like affinity/anti-affinity rules, data locality, and other policies. Option D is correct because the scheduler's primary function is to assign pods to nodes.

Exam trap

The trap here is that candidates often confuse the kube-scheduler with kubelet or kube-proxy, but the scheduler's sole role is node selection for pods, not running containers or managing network rules.

How to eliminate wrong answers

Option A is wrong because the container runtime (e.g., containerd, CRI-O) runs containers, not the kube-scheduler. Option B is wrong because managing network rules for services is the job of the kube-proxy component, which implements Service networking via iptables/IPVS. Option C is wrong because storing cluster state is the responsibility of etcd, a distributed key-value store; the kube-scheduler does not persist any state.

75
MCQhard

You are upgrading a Kubernetes cluster from version 1.28 to 1.29. What is the correct order of steps?

A.Upgrade all worker nodes first, then upgrade control plane nodes.
B.Upgrade control plane nodes first, then upgrade worker nodes without draining them.
C.Upgrade control plane nodes first, then drain each worker node before upgrading it.
D.Upgrade all nodes simultaneously.
AnswerC

This follows the recommended upgrade procedure: control plane first, then drain and upgrade worker nodes.

Why this answer

Option C is correct because the Kubernetes upgrade process requires upgrading the control plane nodes first to ensure the cluster's management layer is running the new version before worker nodes are upgraded. Draining each worker node before upgrading it is essential to safely evict pods and maintain application availability, as the kubelet on the node must be stopped during the upgrade and the node must be cordoned to prevent new pods from being scheduled.

Exam trap

The trap here is that candidates may think upgrading worker nodes without draining is acceptable if they use a rolling update strategy, but the CKA exam specifically tests the requirement to drain nodes before upgrading to avoid pod disruption.

How to eliminate wrong answers

Option A is wrong because upgrading worker nodes before control plane nodes violates the Kubernetes upgrade order; the control plane must be upgraded first to avoid version skew incompatibilities. Option B is wrong because upgrading worker nodes without draining them first can cause pod disruptions and data loss, as the kubelet is stopped during the upgrade and pods are not gracefully terminated. Option D is wrong because upgrading all nodes simultaneously is not supported; Kubernetes requires a sequential upgrade to maintain cluster stability and prevent version mismatch between components.

Page 1 of 3 · 211 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Cka Cluster Arch questions.