CCNA CKA Services Networking Questions

19 of 169 questions · Page 3/3 · CKA Services Networking topic · Answers revealed

151
Multi-Select · medium

Which of the following can be used to expose a set of pods externally to the internet in a Kubernetes cluster? (Select THREE.)

Select 3 answers
A. Ingress resource
B. Service of type NodePort
C. Service of type LoadBalancer
D. Service of type Headless
E. Service of type ClusterIP
Answers: A, B, C

Ingress provides external access to services based on rules.

Why this answer

Option A: Ingress provides HTTP/HTTPS routing to services. Option B: NodePort exposes a service on each node's IP at a static port. Option C: LoadBalancer provisions a cloud load balancer to expose the service.

Option D: Headless service is for discovering individual pods, not external exposure. Option E: ClusterIP is only reachable within the cluster.

152
MCQ · easy

What is the purpose of a headless Service (clusterIP: None)?

A. To expose the Service externally via a cloud load balancer
B. To provide load balancing across pods
C. To map the Service to an external DNS name
D. To allow direct DNS resolution to pod IPs
Answer: D

Headless Services return pod IPs for DNS A/AAAA records.

Why this answer

A headless Service does not have a cluster IP; instead, DNS returns the IPs of the backing pods directly. This is used for stateful applications like databases where each pod needs a unique identity.

153
MCQ · medium

Which Ingress resource field is used to specify the hostname for which traffic should be routed?

A. spec.tls[].hosts
B. spec.defaultBackend
C. spec.host
D. spec.rules[].host
Answer: D

The host field is part of each rule.

Why this answer

The 'host' field under spec.rules specifies the hostname.

154
Multi-Select · medium

Which TWO statements about Ingress in Kubernetes are correct?

Select 2 answers
A. Setting spec.ingressClassName to 'nginx' disables the default Ingress controller.
B. Ingress can terminate TLS connections for backend Services.
C. Ingress natively supports gRPC services without any additional configuration.
D. Ingress can provide Layer 4 (TCP/UDP) load balancing.
E. Ingress can route traffic to different Services based on the hostname in the HTTP Host header.
Answers: B, E

Correct. Ingress can terminate TLS if a Secret with a certificate is provided.

Why this answer

Options B and E are correct. Ingress can provide name-based virtual hosting and TLS termination. Option D is false: Ingress does not provide Layer 4 load balancing; it operates at Layer 7.

Option C is false: Ingress does not support gRPC directly without additional configuration. Option A is false: IngressClass is used to specify which controller to use, not to enable or disable.

155
MCQ · easy

You need to expose a Deployment named 'web' on port 80 inside the cluster. Which kubectl command creates a ClusterIP service?

A. kubectl expose deployment web --type=NodePort --port=80
B. kubectl expose deployment web --port=80
C. kubectl create service clusterip web --tcp=80
D. kubectl port-forward deployment/web 80:80
Answer: B

Correct. 'kubectl expose' with a deployment and --port creates a ClusterIP service by default.

Why this answer

Option B is correct. 'kubectl expose deployment web --port=80' creates a ClusterIP service by default. Option A would create a NodePort service. Option D is for port forwarding.

156
Multi-Select · hard

Which three of the following are features of EndpointSlices compared to Endpoints? (Select THREE.)

Select 3 answers
A. Direct support for NetworkPolicy
B. Smaller slices with up to 100 endpoints per slice
C. Automatic scaling based on the number of endpoints
D. Support for dual-stack addresses (IPv4 and IPv6)
E. Topology-aware routing hints
Answers: B, D, E

Each EndpointSlice can contain up to 100 endpoints, improving scalability.

157
Multi-Select · easy

Which two of the following are valid service discovery methods in Kubernetes? (Choose two.)

Select 2 answers
A. Environment variables injected into pods
B. DNS resolution via CoreDNS
C. Manual /etc/hosts entries
D. Consul agent running as a sidecar
E. Using kubectl get endpoints
Answers: A, B

Each pod gets environment variables for Services that exist before the pod is created.

Why this answer

DNS-based discovery via CoreDNS and environment variables (e.g., `MY_SERVICE_SERVICE_HOST` and `MY_SERVICE_SERVICE_PORT`) are the two built-in methods.

158
MCQ · hard

A cluster has kube-proxy running in ipvs mode. An administrator creates a Service of type ClusterIP. Which of the following is true about how traffic is forwarded to the pods?

A. kube-proxy uses userspace mode to proxy traffic
B. kube-proxy uses iptables rules to randomly select a pod
C. kube-proxy does nothing; the cluster DNS does the load balancing
D. kube-proxy creates IPVS virtual servers that use scheduling algorithms like round-robin
Answer: D

IPVS supports multiple scheduling algorithms for load balancing.

Why this answer

In ipvs mode, kube-proxy creates IPVS rules that perform load balancing using various scheduling algorithms (e.g., round-robin). It does not rely on iptables for per-packet load balancing.

159
Multi-Select · hard

Which THREE of the following are true about NetworkPolicy in Kubernetes? (Select 3)

Select 3 answers
A. NetworkPolicy can define rules based on DNS names
B. NetworkPolicy supports both ingress and egress rules
C. NetworkPolicy can select pods from other namespaces using namespaceSelector
D. NetworkPolicy is a cluster-scoped resource
E. By default, if no NetworkPolicy applies to a pod, all traffic to that pod is allowed
Answers: B, C, E

NetworkPolicy can control both inbound and outbound traffic.

Why this answer

NetworkPolicy is a namespaced resource. It can be used to allow traffic from pods in other namespaces using namespaceSelector. By default, if no NetworkPolicy selects a pod, traffic is allowed (all open).

When a NetworkPolicy applies, it only allows the traffic specified in its rules; all other traffic is denied (default deny). It supports both ingress and egress rules. It does not support DNS-based rules.

160
MCQ · medium

An admin runs `kubectl run nginx --image=nginx --restart=Never` and then runs `kubectl expose pod nginx --port=80 --target-port=80`. Another pod in the same namespace tries to curl http://nginx:80 but gets connection refused. What is the most likely cause?

A. The Service port is incorrectly set to 80 but the container listens on 8080.
B. The Service type defaults to ClusterIP, so it cannot be accessed from inside the cluster.
C. The Service selector does not match the pod's labels.
D. The pod is not running because it was created with --restart=Never and may have completed.
Answer: D

Without a controller, the pod may have exited. Check pod status; if not running, the target port is unreachable.

161
MCQ · hard

You have a Deployment with 3 replicas. You create a headless service (clusterIP: None) with a label selector. Which of the following is true about DNS resolution for this service?

A. DNS returns the IP addresses of all pods that match the selector.
B. DNS does not resolve the service name at all.
C. DNS returns the service name as a CNAME to the pod names.
D. DNS resolves the service name to a single ClusterIP.
Answer: A

Correct behavior.

Why this answer

A headless service returns DNS A/AAAA records for the individual pod IPs, not a single ClusterIP. This is used for stateful applications where each pod needs a stable network identity.

162
Multi-Select · medium

Which THREE of the following are requirements for an Ingress resource to work?

Select 3 answers
A. The Ingress resource must specify a host.
B. An Ingress controller must be deployed in the cluster.
C. The Ingress resource must have a TLS section.
D. The backend services must be running and have endpoints.
E. The Ingress must have at least one path rule.
Answers: B, D, E

Without a controller, Ingress resources have no effect.

Why this answer

An Ingress controller must be running, the Ingress must have rules, and the backend services must exist.

163
Multi-Select · medium

Which TWO statements are true about Ingress in Kubernetes?

Select 2 answers
A. Ingress can terminate TLS connections
B. Ingress can expose multiple Services under the same IP address
C. IngressClass is a mandatory field in Ingress spec
D. Ingress is the only way to expose Services externally
E. Ingress works without an Ingress controller
Answers: A, B

True: Ingress supports TLS termination via secrets.

Why this answer

Ingress can terminate TLS (A) and can expose multiple services under the same IP (B). Ingress is not the only way to expose services (NodePort and LoadBalancer exist) (D). Ingress requires an Ingress controller (E).

IngressClass is a separate resource (C).

164
MCQ · medium

A developer runs 'kubectl run nginx --image=nginx --expose --port=80'. What Kubernetes resources are created?

A. Only a pod named 'nginx'
B. A pod named 'nginx' and a ClusterIP service named 'nginx'
C. A pod named 'nginx' and a LoadBalancer service named 'nginx'
D. A deployment named 'nginx' and a NodePort service named 'nginx'
Answer: B

kubectl run with --expose creates a pod and a ClusterIP service with the same name.

Why this answer

The --expose flag creates a ClusterIP service in addition to the pod. Option B correctly states both a pod and a ClusterIP service are created. Options A, C and D misstate the service type or omit resources.

165
MCQ · easy

Which DNS record type does Kubernetes use to resolve a Service's ClusterIP?

A. PTR record
B. SRV record
C. CNAME record
D. A record
Answer: D

A records map hostnames to IP addresses.

Why this answer

Services resolve to A (IPv4) or AAAA (IPv6) records.

166
MCQ · hard

A NetworkPolicy with podSelector: {} and policyTypes: [Ingress] is applied to a namespace. What is the effect on pods in that namespace?

A. All ingress traffic is denied unless explicitly allowed by another policy.
B. The policy has no effect because no rules are defined.
C. All ingress traffic is allowed.
D. All egress traffic is denied.
Answer: A

When a NetworkPolicy selects pods, any traffic not explicitly allowed is denied. This policy selects all pods and has no ingress rules, so all ingress is denied.

167
MCQ · medium

You deploy a pod named 'app' that listens on port 3000. You create a Service named 'app-svc' with selector 'app: app'. From another pod in the same namespace, which command will successfully reach the service?

A. curl app-svc:80
B. curl app-svc.default.svc.cluster.local:3000
C. curl app-svc:3000
D. curl app:3000
Answer: C

Service name resolves to ClusterIP, and the port is the service port (default same as target).

Why this answer

Within the same namespace, the service can be reached by its name.

168
MCQ · easy

Which kubectl command will expose a deployment named 'web-app' as a NodePort service on port 80?

A. kubectl expose pod web-app --type=NodePort --port=80
B. kubectl create deployment web-app --expose --port=80
C. kubectl create service nodeport web-app --port=80
D. kubectl expose deployment web-app --type=NodePort --port=80
Answer: D

Correct command syntax.

Why this answer

The 'kubectl expose' command with '--type=NodePort' and '--port=80' creates a service. The '--target-port' can specify the container port.

169
Multi-Select · hard

Which TWO statements about NetworkPolicy are correct?

Select 2 answers
A. To allow traffic from a specific namespace, you can use a namespaceSelector in the ingress rule.
B. If no NetworkPolicy exists, all traffic is denied by default.
C. A NetworkPolicy with podSelector: {} selects all pods in the namespace.
D. The field 'podSelector.matchLabels' is used to select pods based on labels.
E. NetworkPolicy is a cluster-scoped resource.
Answers: A, C

Correct. namespaceSelector selects namespaces by labels.

Why this answer

Options A and C are correct. A podSelector with '{}' selects all pods in the namespace. To allow traffic from another namespace, you use namespaceSelector combined with podSelector.

Option E is false: NetworkPolicy is namespaced, not cluster-scoped. Option B is false: NetworkPolicy defaults to deny if a policy with that policyType is present. Option D is false: The field is 'podSelector', not 'podSelector.matchLabels'.
