Certified Kubernetes Application Developer CKAD (CKAD) — Questions 751825

991 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751
MCQhard

You have a multi-container pod with two containers: container-A and container-B. container-B needs to access the network of container-A. Which configuration is required?

A.Define a ServiceAccount for container-B to access container-A
B.No additional configuration is needed; they share the same network namespace
C.Set hostNetwork: true in the pod spec
D.Expose the port in container-A and map it in container-B
AnswerB

Containers in a pod share the same network namespace, so they can communicate via localhost.

Why this answer

Option B is correct. All containers in a Pod share one network namespace (one Pod IP and one loopback interface), so container-B reaches container-A at localhost:<port> with no Service, port mapping or ServiceAccount involved. Option C (hostNetwork: true) moves the whole Pod onto the node's network namespace, which is unnecessary here and widens the attack surface. Option D is not a real mechanism: a containerPort entry only documents a port, and there is no per-container port mapping inside a Pod. Option A (ServiceAccount) governs authentication to the API server, not connectivity between containers.

One consequence of the shared namespace worth remembering: two containers in the same Pod cannot bind the same port, and anything listening on localhost in one container is reachable from every other container in that Pod.

752
MCQhard

A Pod is running but not responding to requests. The liveness probe is a TCP check on port 8080. What is the most likely issue?

A.The application is listening on port 8080 but not processing requests correctly.
B.The container is being throttled due to CPU limits.
C.The probe's initial delay is too short.
D.The liveness probe is misconfigured and should be an HTTP GET.
AnswerA

A TCP probe only checks if the port is open, not if the application is healthy.

Why this answer

A is correct because a TCP liveness probe only checks if the port is open and accepting connections, not whether the application is actually processing requests. If the application is listening on port 8080 but is stuck or not handling HTTP traffic correctly, the TCP probe will still succeed, and Kubernetes will not restart the container. This is a common scenario where the application is 'alive' at the socket level but not 'healthy' at the application layer.

Exam trap

The trap here is that candidates assume a successful TCP probe means the application is healthy, but Kubernetes only checks port availability, not application responsiveness, leading to a false sense of health.

How to eliminate wrong answers

Option B is wrong because CPU throttling slows the process down but does not close its listening socket, so a TCP probe still succeeds. Option C is wrong because a too-short initial delay would make the TCP probe fail before the application had bound port 8080, and the kubelet would then restart the container; the question describes a Pod that is running, which means the probe is passing. Option D is wrong because a TCP check on port 8080 is a valid liveness probe; an HTTP GET against a real health endpoint would catch this failure mode, but the probe as written is not misconfigured, it is simply checking less than the operator assumed.

753
MCQeasy

You want to update a Deployment's image to a new version, ensuring that at most 2 pods are unavailable during the rollout. Which field in the Deployment spec should you set?

A.spec.replicas
B.spec.strategy.rollingUpdate.maxUnavailable
C.spec.strategy.rollingUpdate.maxSurge
D.spec.minReadySeconds
AnswerB

Correct field to limit unavailable pods during rolling update.

Why this answer

The maxUnavailable field of spec.strategy.rollingUpdate caps how many Pods may be unavailable while the rollout is in progress; it accepts an absolute number (2) or a percentage of spec.replicas (the default is 25%). maxSurge is the companion field that caps how many extra Pods may exist above spec.replicas; setting maxSurge without maxUnavailable does not limit unavailability. spec.replicas sets the desired count and minReadySeconds only delays when a new Pod counts as available.
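A Deployment that pins both rollout fields, as an added example (not from the original page); the name, image and container port are assumptions for illustration, and the resources block is included to show the millicore and Mi units the way a realistic spec carries them:

```yaml
# Added example: rolling update bounded to at most 2 unavailable Pods.
# Image, labels and ports are assumed for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 2     # never more than 2 of the 10 desired Pods down during a rollout
      maxSurge: 1           # at most 1 Pod above replicas while old and new overlap
  minReadySeconds: 5        # a new Pod counts as available only after staying Ready for 5s
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: nginx:1.25          # assumed image
          ports:
            - containerPort: 80
          readinessProbe:            # without a readiness probe a Pod is "available" the
            httpGet:                 # moment it starts, so maxUnavailable is not honoured
              path: /                # in any meaningful way
              port: 80
            periodSeconds: 5
          resources:
            requests:
              cpu: 250m              # 0.25 core
              memory: 256Mi
            limits:
              memory: 512Mi          # binary suffix: 512 * 1024 * 1024 bytes
```

Roll a new image with `kubectl set image deployment/web web=nginx:1.26` and watch it with `kubectl rollout status deployment/web`; with these settings the controller keeps at least 8 Pods available and never runs more than 11 at once. The readiness probe matters for the guarantee: availability is measured on Ready Pods, so a Pod that reports Ready before it can serve traffic counts against nothing.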

754
Multi-Selecthard

Which THREE of the following are correct about init containers? (Select THREE.)

Select 3 answers
A.They run to completion before the main application containers start
B.They cannot have resource limits set
C.If an init container fails, the pod restarts according to the pod's restartPolicy
D.They run after the main application containers have started
E.They are defined in the spec.initContainers field of a Pod
AnswersA, C, E

Init containers run sequentially and must complete successfully before main containers start.

Why this answer

Options A, C, and E are correct. Init containers run sequentially (not in parallel) and must complete successfully before app containers start. They are specified under spec.initContainers.

Option B is wrong: init containers accept resources.requests and resources.limits like any other container (the Pod's effective request is the larger of the highest init-container request and the sum of the app-container requests). Option D is wrong: init containers always run before the app containers, not after.

755
MCQeasy

An init container in a pod runs a database migration script. The init container fails and exits with a non-zero exit code. What will happen to the pod?

A.The main containers will start anyway
B.The pod will enter CrashLoopBackOff
C.The init container will be restarted until it succeeds
D.The pod will be deleted and recreated
AnswerC

Correct: with the default restartPolicy the failed init container is re-run until it succeeds.

Why this answer

Init containers must exit 0 before any app container starts. If one fails and the Pod's restartPolicy is Always or OnFailure, the kubelet re-runs that init container with an increasing back-off; kubectl get pod shows a status of Init:Error and then Init:CrashLoopBackOff until the migration succeeds, and the main containers never start in the meantime. With restartPolicy Never the Pod goes to Failed instead. Read the migration's output with kubectl logs <pod> -c <init-container-name>; kubectl logs without -c shows only the (not yet started) main container.
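The scenario as a manifest, added here as an example and not taken from the page; the image names and the migration command are assumptions:

```yaml
# Added example: a migration in an init container. Images and the
# /migrate tool are assumed for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: api
spec:
  restartPolicy: Always            # failed init container is re-run with back-off until it exits 0
  initContainers:
    - name: db-migrate
      image: registry.example.com/api-migrations:1.4   # assumed image
      command: ["/migrate", "up"]                       # assumed tool; non-zero exit blocks the Pod
      resources:                                        # init containers take limits like any other
        limits:
          memory: 256Mi
  containers:
    - name: api
      image: registry.example.com/api:1.4               # assumed; starts only after db-migrate exits 0
      ports:
        - containerPort: 8080
```

While db-migrate keeps failing, `kubectl get pod api` cycles through Init:Error and Init:CrashLoopBackOff with READY 0/1, and `kubectl logs api -c db-migrate` shows why; `kubectl describe pod api` lists the init container's exit code and restart count under Init Containers.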

756
MCQmedium

A pod is stuck in 'Pending' state. You run 'kubectl describe pod pending-pod' and see the following condition: 'Status: False, Type: PodScheduled, Reason: Unschedulable, Message: 0/4 nodes are available: 1 node(s) had taint {node.kubernetes.io/disk-pressure: }, 1 node(s) had taint {node.kubernetes.io/memory-pressure: }, 2 node(s) didn't match Pod's node affinity/selector.' What is the most specific reason the pod cannot be scheduled?

A.Node taints and/or affinity rules prevent scheduling
B.Container image pull failure
C.Pod is in CrashLoopBackOff
D.Insufficient CPU resources
AnswerA

Correct. The scheduler message names, for each of the 4 nodes, the predicate that excluded it: two carry node-condition taints and two fail the Pod's node affinity/selector.

Why this answer

The message rules out the other options directly: an image pull failure or CrashLoopBackOff can only occur after a Pod has been scheduled, and no node is reported as short of CPU. Two nodes carry taints that the kubelet applies automatically when it detects disk or memory pressure (node.kubernetes.io/disk-pressure and node.kubernetes.io/memory-pressure), and the Pod has no toleration for them. The other two nodes do not satisfy the Pod's nodeSelector or nodeAffinity. Either fix the nodes under pressure or adjust the Pod (relax the affinity, or add tolerations) so that at least one node qualifies; kubectl get pod pending-pod -o jsonpath='{.spec.nodeSelector}{.spec.affinity}{.spec.tolerations}' shows exactly what the Pod is asking for.

757
MCQmedium

You have a Pod with two containers: a main application and a sidecar that handles logging. The sidecar needs access to the same log files as the main application. Which volume type allows both containers to share files?

A.persistentVolumeClaim
B.hostPath
C.configMap
D.emptyDir
AnswerD

emptyDir is created when a pod is assigned to a node and exists as long as the pod runs, allowing containers in the same pod to share files.

Why this answer

Option D is correct. An emptyDir volume is created when the Pod is placed on a node, can be mounted by every container in that Pod (at different paths and with different permissions), and is deleted with the Pod, which is exactly the lifetime a log sidecar needs. hostPath exposes a node directory and would also let the containers share files, but it ties the Pod to that node's filesystem, persists data across Pods, and is forbidden by the baseline and restricted Pod Security Standards.

ConfigMap volumes are read-only projections of configuration data, so the application cannot write logs into one. A PersistentVolumeClaim works but adds a storage backend and persistence that scratch log files do not need.
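One Pod that demonstrates both points from questions 751 and 757, the shared network namespace and the shared emptyDir volume, added here as an example that is not part of the original page; the images, ports and paths are assumptions:

```yaml
# Added example: two containers sharing loopback (Q751) and an emptyDir (Q757).
# Images, ports and paths are assumed for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-sidecar
spec:
  volumes:
    - name: app-logs
      emptyDir: {}                    # lives as long as the Pod; visible to every container that mounts it
  containers:
    - name: container-a               # the application
      image: nginx:1.25               # assumed image; listens on port 80 in the shared network namespace
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/nginx   # nginx writes access.log and error.log here
    - name: container-b               # the log-shipping sidecar
      image: busybox:1.36             # assumed image
      command: ["sh", "-c"]
      args:
        - |
          # "localhost" is the same loopback interface as container-a's: no Service,
          # port mapping or ServiceAccount is needed to reach it.
          while true; do
            wget -qO- http://localhost/ >/dev/null && echo "container-a reachable on localhost:80"
            tail -n 5 /shared-logs/access.log 2>/dev/null
            sleep 10
          done
      volumeMounts:
        - name: app-logs
          mountPath: /shared-logs     # same emptyDir, different mount path
          readOnly: true              # the sidecar only needs to read; keep it that way
```

Note the asymmetry that least privilege buys you here: the sidecar mounts the shared volume read-only, so a compromise of the log shipper cannot tamper with the application's logs. Also remember that because the network namespace is shared, container-b could not itself bind port 80; port conflicts inside a Pod surface as a container failing to start.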

758
MCQeasy

Which of the following is a valid method to perform a blue-green deployment in Kubernetes?

A.Create two Deployments and a Service, then change the Service's selector to point to the new version.
B.Use kubectl rollout undo to switch between revisions.
C.Set spec.strategy.type: BlueGreen in the Deployment.
D.Use a DaemonSet to run both versions.
AnswerA

This is the classic blue-green pattern: two complete versions running side by side, with the Service selector deciding which one receives traffic.

Why this answer

Blue-green deployment runs the old (blue) and new (green) versions as separate Deployments whose Pods carry a distinguishing label, and cuts traffic over by editing the Service's selector to that label; rolling back is the reverse edit. Option B (kubectl rollout undo) moves one Deployment back to an earlier ReplicaSet revision, which is a rollback, not a blue-green switch. Option C is invalid: the only Deployment strategy types are RollingUpdate and Recreate. Option D is wrong because a DaemonSet runs one Pod per node and has no traffic-switching role.

759
MCQmedium

Which of the following is true about Istio as a service mesh?

A.It replaces kube-proxy for service routing
B.It injects a sidecar proxy into each pod
C.It only works with HTTP traffic
D.It requires all services to be of type LoadBalancer
AnswerB

Istio injects an Envoy proxy sidecar to intercept traffic.

Why this answer

Istio uses sidecar proxies (Envoy) injected into pods to manage traffic, enforce policies, and collect telemetry. It does not replace kube-proxy but works alongside it.

760
MCQmedium

A developer needs to expose a deployment named 'web-app' running in the 'default' namespace on port 8080 internally within the cluster. Which kubectl command creates a ClusterIP service that selects pods with label 'app: web'?

A.kubectl expose deployment web-app --port=8080 --target-port=8080 --selector=app=web
B.kubectl expose deployment web-app --port=8080 --target-port=8080 --type=ClusterIP
C.kubectl run web-app --image=nginx --port=8080 --expose
D.kubectl create service clusterip web-app --tcp=8080:8080 --selector=app=web
AnswerA

Correct. kubectl expose creates a ClusterIP Service by default, and --selector overrides the selector that would otherwise be copied from the Deployment.

Why this answer

Option A creates a ClusterIP Service (the default --type) on port 8080 targeting 8080, with the selector explicitly set to app=web. Option B also creates a ClusterIP Service, but its selector is copied from the Deployment's Pod template labels, and nothing in the question says those are app=web. Option C creates a brand-new Pod and a Service for it instead of exposing the existing Deployment. Option D fails outright: kubectl create service clusterip has no --selector flag (it always selects app=<service-name>). Verify the result with kubectl get endpoints web-app; an empty endpoints list means the selector matches no Ready Pod.

761
MCQmedium

You are using Kustomize to manage configurations. Your project structure is: 'base/kustomization.yaml', 'overlays/prod/kustomization.yaml'. The base defines a Deployment with image 'nginx:1.18'. The overlay wants to patch the image to 'nginx:1.19'. Which is the correct way to define the patch in the overlay?

A.Use 'patches: [path: deployment-patch.yaml]'
B.Use 'resources: [../base]' and then define a new Deployment with the same name to override.
C.Use 'patchesStrategicMerge: [deployment-patch.yaml]' where deployment-patch.yaml contains the image override.
D.Use 'patchesJson6902: [target: ..., patch: ...]'
AnswerC

patchesStrategicMerge applies a strategic merge patch to the base resources; the patch file carries only the fields that change, plus the apiVersion, kind and metadata.name that identify the target.

Why this answer

Option C is correct: patchesStrategicMerge is the field the question expects, and a patch file that names the Deployment and sets containers[].image is the idiomatic way to change a single field, because strategic merge matches containers by name rather than by position. Option D (patchesJson6902) also works, but it needs a target block and RFC 6902 operations with a path to the container index, which is more brittle for a simple image change. Option A is not wrong in current Kustomize: the patches field accepts both strategic merge and JSON 6902 patch files, and Kustomize v5 deprecates patchesStrategicMerge and patchesJson6902 in its favour; it is simply not the field this question keys on. Option B is incorrect: a second Deployment with the same name listed under resources is a duplicate-resource error, not an override.
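The base and overlay from the question, written out as an added example (not the page's own files); the Deployment name, labels and the apiVersion/kind headers on the kustomization files are assumptions, and the four files are shown in one block separated by --- with their paths in comments:

```yaml
# Added example: base + prod overlay patching the image. File paths in the
# comments are the ones the question names; names and labels are assumed.
# --- base/kustomization.yaml ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
---
# --- base/deployment.yaml ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: nginx:1.18
---
# --- overlays/prod/kustomization.yaml ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../base
patchesStrategicMerge:          # Kustomize v5 prefers: patches: [{path: deployment-patch.yaml}]
  - deployment-patch.yaml
---
# --- overlays/prod/deployment-patch.yaml ---
# Only the fields that change; apiVersion/kind/name identify the target object.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  template:
    spec:
      containers:
        - name: web             # matched by container name, not by list position
          image: nginx:1.19
```

Render it with `kubectl kustomize overlays/prod` and check that the output carries nginx:1.19 before running `kubectl apply -k overlays/prod`. For a pure tag change there is also the images transformer (images: [{name: nginx, newTag: "1.19"}] in the overlay), which avoids a patch file altogether; a patch is the right tool once you need to change anything beyond the image reference.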

762
MCQeasy

Which command is used to scale a Deployment named 'web' to 5 replicas?

A.kubectl scale deployment web --replicas=5
B.kubectl autoscale deployment web --min=5 --max=5
C.kubectl set replicas deployment/web 5
D.kubectl edit deployment web --replicas=5
AnswerA

This is the correct syntax to scale the deployment to 5 replicas.

Why this answer

The 'kubectl scale' command is used to change the number of replicas of a Deployment, ReplicaSet, or StatefulSet.

763
Multi-Selectmedium

Which TWO of the following are true about .dockerignore files?

Select 2 answers
A.They are optional and have no effect on the build
B.They are placed in the root of the build context
C.They can exclude files from being sent to the Docker daemon during build
D.They can be used to ignore files only for specific build stages
E.They can include files that are in parent directories
AnswersB, C

B and C are correct: a .dockerignore is read from the root of the build context and filters what the client sends to the daemon.

Why this answer

A .dockerignore file excludes matching paths from the build context before it is sent to the daemon. That shortens builds and, more importantly for security, keeps files such as .git, .env, private keys and local build output out of reach of COPY and ADD entirely, so they cannot end up in an image layer. Option A is wrong because the file changes the build whenever it matches something. Option D is wrong because it applies to the whole context, not to individual stages. Option E is wrong because the context is the directory tree passed to docker build; nothing above it is sent, so nothing above it can be included.

764
Multi-Selectmedium

Which TWO are valid ways to expose a Secret's data as environment variables in a pod?

Select 2 answers
A.envFrom: - secretRef: name: my-secret prefix: SECRET_
B.- name: PASSWORD valueFrom: secretKeyRef: name: my-secret key: password
C.envFrom: - fieldRef: fieldPath: metadata.namespace
D.envFrom: - literal: key: value
E.envFrom: - configMapRef: name: my-secret
AnswersA, B

envFrom with secretRef imports all keys as env vars.

Why this answer

Option A is correct because the `envFrom` field in a pod spec can reference a Secret using `secretRef`, and the optional `prefix` field prepends a string to each key from the Secret when exposing them as environment variables. This allows all key-value pairs from the Secret to be injected as environment variables with a common prefix, which is a concise and valid method.

Exam trap

The trap here is that candidates confuse `envFrom` with `env` and assume `fieldRef` or `literal` are valid subfields of `envFrom`, when in fact `envFrom` only supports `configMapRef`, `secretRef`, and `prefix`.

765
MCQeasy

How can you set the environment variable 'DATABASE_URL' in a pod to the value stored in a Kubernetes Secret named 'db-secret' under the key 'url'?

A.env: - name: DATABASE_URL valueFrom: configMapKeyRef: name: db-secret key: url
B.env: - name: DATABASE_URL valueFrom: secretRef: name: db-secret
C.env: - name: DATABASE_URL valueFrom: secretKeyRef: name: db-secret key: url
D.env: - name: DATABASE_URL value: secretKeyRef: name: db-secret key: url
AnswerC

secretKeyRef references a specific key from a Secret.

Why this answer

Option C is correct because the `env.valueFrom.secretKeyRef` field in a Pod spec is the proper mechanism to inject a specific key from a Kubernetes Secret as an environment variable. The `name` field identifies the Secret (`db-secret`), and the `key` field specifies which key within that Secret (`url`) to use. This is defined in the Kubernetes API for exposing Secret data as environment variables.

Exam trap

The trap here is that candidates confuse `secretKeyRef` with `configMapKeyRef`, or reach for `secretRef`, which exists under `envFrom` (where it imports every key of a Secret) but is not a field of `valueFrom`.

How to eliminate wrong answers

Option A is wrong because it uses `configMapKeyRef`, which references a ConfigMap, not a Secret; the syntax for referencing a Secret key is `secretKeyRef`. Option B is wrong because `secretRef` is not a field of `valueFrom`; it belongs under `envFrom`, where it injects all keys of a Secret without selecting one, and a Secret exposed as files is declared with `volumes[].secret.secretName`, not with `secretRef`. Option D is wrong because `value` takes a literal string, so the nested `secretKeyRef` object is a validation error; a reference must go under `valueFrom`.

766
MCQmedium

An administrator wants to allow ingress traffic to pods with label 'app: database' only from pods with label 'app: api' in the same namespace. Which NetworkPolicy rule is correct?

A.podSelector: { matchLabels: { app: database } } ingress: - from: - ipBlock: { cidr: 10.0.0.0/8 }
B.podSelector: { matchLabels: { app: api } } ingress: - from: - podSelector: { matchLabels: { app: database } }
C.podSelector: { matchLabels: { app: database } } ingress: - from: - podSelector: { matchLabels: { app: api } }
D.podSelector: { matchLabels: { app: database } } ingress: - from: - namespaceSelector: { matchLabels: { name: default } }
AnswerC

Correct: the policy selects the database Pods and admits ingress from Pods labelled app: api.

Why this answer

The policy's podSelector picks the Pods being protected (app: database), and each entry under ingress.from describes an allowed source; a podSelector there with no namespaceSelector matches Pods in the policy's own namespace, which is exactly the requirement. Option B has the selectors reversed: it protects the api Pods and admits traffic from the database. Option D uses a namespaceSelector, which admits every Pod in the matching namespace rather than only app: api. Option A uses an ipBlock, which cannot express "Pods with label app: api" and is intended for CIDRs outside the cluster.

Two practical checks: add a ports entry so the rule admits only the database port rather than all of them, and remember that the rule only restricts anything because the selected Pods become isolated for ingress once any policy selects them; Pods selected by no policy accept all traffic.

767
MCQmedium

An admin applies the following NetworkPolicy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress What effect does this policy have?

A.Allows all traffic because no rules are specified.
B.Denies all ingress and egress traffic to all pods in the namespace.
C.Only denies egress traffic; ingress is allowed.
D.Only denies ingress traffic; egress is allowed.
AnswerB

Default deny-all policy for the namespace.

Why this answer

An empty podSelector selects every Pod in the namespace. Listing a direction in policyTypes with no matching rules means nothing is allowed in that direction, so both ingress and egress are denied for all selected Pods. Two caveats a practitioner needs: the egress deny includes DNS, so every workload in the namespace also needs an allow policy for kube-dns before it can resolve anything; and NetworkPolicy is enforced by the CNI plugin, so on a cluster whose network plugin does not implement it the object is stored but has no effect.
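The two policies from questions 766 and 767 combined into a working set, added here as an example rather than taken from the page: a namespace-wide default deny, the database ingress rule narrowed to its port, and the egress rule the api Pods need in order to reach the database and DNS once egress is denied. The namespace name, the database port and the kube-dns labels (the standard k8s-app: kube-dns label and the kubernetes.io/metadata.name namespace label) are assumptions:

```yaml
# Added example: default deny, then explicit allows. Namespace, port and the
# kube-dns labels are assumed for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: prod
spec:
  podSelector: {}            # every Pod in prod
  policyTypes:               # both directions listed, no rules: nothing allowed
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-database
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: database          # Pods being protected
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:       # same namespace because there is no namespaceSelector
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 5432         # only the database port, not everything the Pod listens on
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-egress
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
    - to:                    # DNS: without this the api Pods cannot resolve "database"
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:       # in the same list item as namespaceSelector: both must match
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Policies are additive: the deny-all isolates everything, and each allow policy re-opens exactly one path. Test from inside the namespace with something like `kubectl exec deploy/api -- nc -zv database 5432` and a negative case from a Pod without the app: api label, which should now time out.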

768
MCQeasy

Which of the following is the correct way to set a CPU request of 250 millicores and a memory limit of 512 Mi in a container?

A.resources: requests: cpu: 250 limits: memory: 512M
B.resources: requests: cpu: 250 limits: memory: 512MB
C.resources: requests: cpu: 0.25 limits: memory: 512MB
D.resources: requests: cpu: 250m limits: memory: 512Mi
AnswerD

Correct. '250m' means 250 millicores, and '512Mi' means 512 mebibytes.

Why this answer

Option D is correct because in Kubernetes, CPU requests are specified in millicores (e.g., 250m) and memory limits use binary units like Mi (Mebibytes). The value '250m' equals 0.25 CPU cores, and '512Mi' is 512 Mebibytes (512 * 1024^2 bytes), which is the standard unit for memory limits.

Exam trap

The trap here is that candidates confuse the 'M' (Megabyte, decimal) and 'Mi' (Mebibyte, binary) suffixes, or forget that CPU values without 'm' are interpreted as whole cores, leading to accidentally requesting 250 CPUs instead of 0.25.

How to eliminate wrong answers

Option A is wrong because 'cpu: 250' has no 'm' suffix and therefore requests 250 whole CPUs, which no node can satisfy; 'memory: 512M' is valid but means 512,000,000 bytes (decimal mega), not 512 Mebibytes. Options B and C are wrong because 'MB' is not a Kubernetes quantity suffix at all: the accepted suffixes are the decimal k, M, G, T, P, E and the binary Ki, Mi, Gi, Ti, Pi, Ei (plus 'm' for milli), so the API server rejects the manifest. Option C's 'cpu: 0.25' would otherwise be fine, since it is exactly equivalent to 250m.

769
MCQhard

The exhibit shows a Deployment configuration. The application's /health endpoint returns HTTP 200 only after 30 seconds, while /ready returns 200 immediately. After applying this Deployment, what is the expected behavior?

A.Pods will become ready after 30 seconds when both probes pass.
B.Pods will never become ready because the liveness probe fails initially.
C.Pods will never become ready because the readiness probe fails initially.
D.Pods will become ready quickly but will be restarted repeatedly until the liveness probe starts succeeding after 30 seconds.
AnswerD

Readiness probe passes, but liveness fails and causes restarts.

Why this answer

Option D is correct because the readiness probe passes immediately (since /ready returns 200), so the Pod is marked Ready and added to the Service. However, the liveness probe fails initially (since /health returns non-200 for the first 30 seconds), so once failureThreshold consecutive failures accumulate the kubelet kills and restarts the container, and the cycle repeats because each fresh container again needs 30 seconds. A failing liveness probe triggers container restarts, while a failing readiness probe only removes the Pod from Service endpoints. The fix is to give the slow start room without weakening the liveness check for the rest of the container's life: either initialDelaySeconds on the liveness probe, or, better, a startupProbe, which disables the other probes until it succeeds once.

Exam trap

The trap here is that candidates confuse the roles of liveness and readiness probes: a failing liveness probe causes restarts, not a failure to become ready, while a failing readiness probe prevents the Pod from receiving traffic but does not trigger restarts.

How to eliminate wrong answers

Option A is wrong because the Pod becomes ready immediately when the readiness probe passes, not after 30 seconds; the liveness probe does not affect readiness. Option B is wrong because the liveness probe failing does not prevent the Pod from becoming ready; readiness is determined solely by the readiness probe, which passes immediately. Option C is wrong because the readiness probe passes immediately (HTTP 200 on /ready), so the Pod becomes ready quickly, not never.
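A configuration that reproduces the described behaviour and the corrected one beside it, added here as an example; the page's exhibit is not reproduced, and the image and ports are assumptions:

```yaml
# Added example: the restart loop, then the fix. Image is assumed; its /health
# endpoint is taken to return 200 only ~30s after start, /ready immediately.
apiVersion: v1
kind: Pod
metadata:
  name: slow-start-broken
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0
      ports:
        - containerPort: 8080
      readinessProbe:
        httpGet: { path: /ready, port: 8080 }
        periodSeconds: 5
      livenessProbe:
        httpGet: { path: /health, port: 8080 }
        periodSeconds: 5
        failureThreshold: 3        # 3 failures x 5s: killed ~15s after start, every time
---
apiVersion: v1
kind: Pod
metadata:
  name: slow-start-fixed
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0
      ports:
        - containerPort: 8080
      startupProbe:                # gates readiness AND liveness until it succeeds once
        httpGet: { path: /health, port: 8080 }
        periodSeconds: 5
        failureThreshold: 12       # up to 60s of startup allowed
      readinessProbe:
        httpGet: { path: /ready, port: 8080 }
        periodSeconds: 5
      livenessProbe:               # unchanged: once started, a hung app is still caught within 15s
        httpGet: { path: /health, port: 8080 }
        periodSeconds: 5
        failureThreshold: 3
```

`kubectl get pod slow-start-broken` shows RESTARTS climbing and the Pod flapping through CrashLoopBackOff; the fixed Pod shows 0 restarts. The startup probe is preferable to a large initialDelaySeconds because the latter also delays detection of a genuine hang after every restart, whereas the startup probe only covers the first start.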

770
MCQhard

You apply a Pod Security Admission label 'pod-security.kubernetes.io/enforce: restricted' to a namespace. A pod with the following securityContext is created: securityContext: runAsUser: 1000 runAsNonRoot: true capabilities: drop: ["ALL"] seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false readOnlyRootFilesystem: true Will the pod be admitted?

A.Yes, the pod satisfies all restricted profile requirements
B.No, because runAsUser must not be set
C.No, because seccompProfile type must be 'Localhost'
D.No, because the pod must not set capabilities at all
AnswerA

All required fields are set correctly.

Why this answer

The Pod Security Admission (PSA) restricted profile requires, among other things, that containers drop all capabilities (only NET_BIND_SERVICE may be added back), set `runAsNonRoot: true`, set `seccompProfile.type` to `RuntimeDefault` or `Localhost`, set `allowPrivilegeEscalation: false`, and not run as UID 0 (`runAsUser: 1000` satisfies this; `runAsUser: 0` would be rejected). It also inherits the baseline rules: no privileged containers, no host namespaces or hostPath volumes, and only a short list of volume types. The provided pod meets all of these, so it is admitted. `readOnlyRootFilesystem: true` is not required by the profile, but it is good practice and does not hurt admission.

Exam trap

The trap here is that candidates often think the restricted profile forbids setting `runAsUser` entirely or requires `seccompProfile.type` to be `Localhost`, but the actual requirement is that `runAsUser` must not be root and `seccompProfile.type` can be either `RuntimeDefault` or `Localhost`.

How to eliminate wrong answers

Option B is wrong because the restricted profile does not forbid setting `runAsUser`; it only requires that the user is not root (UID 0), and `runAsUser: 1000` is a non-root user. Option C is wrong because the restricted profile allows `seccompProfile.type` to be either `RuntimeDefault` or `Localhost`, not exclusively `Localhost`. Option D is wrong because the restricted profile requires that all capabilities are dropped (via `capabilities.drop: ["ALL"]`), not that the `capabilities` field is absent entirely.
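The same securityContext placed in a namespace that enforces restricted, as an added example (not from the page); the namespace name, image and the split between Pod-level and container-level fields are choices made here for illustration:

```yaml
# Added example: a namespace enforcing the restricted profile and a Pod that
# passes it. Namespace name and image are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # warnings on kubectl apply for anything that would fail
    pod-security.kubernetes.io/audit: restricted     # audit annotations in the API server audit log
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:                  # Pod level: inherited by every container unless overridden
    runAsNonRoot: true
    runAsUser: 1000                 # any non-zero UID; the image must actually be runnable as it
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault          # RuntimeDefault or Localhost; Unconfined or unset fails restricted
  containers:
    - name: api
      image: registry.example.com/api:1.0
      securityContext:              # container level: these three fields only exist here
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]             # restricted allows adding back only NET_BIND_SERVICE
        readOnlyRootFilesystem: true   # not required by restricted, but cheap hardening
      volumeMounts:
        - name: tmp
          mountPath: /tmp           # give the read-only container somewhere writable
  volumes:
    - name: tmp
      emptyDir: {}                  # one of the volume types restricted permits; hostPath is not
```

`kubectl apply --dry-run=server -f pod.yaml` returns the exact violations before anything is created. To see what an existing namespace would reject before turning enforcement on, run `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted`, which lists every current Pod that would fail.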

771
Multi-Selectmedium

Which THREE of the following are valid ways to consume a ConfigMap in a Pod? (Select THREE)

Select 3 answers
A.Using envFrom with secretRef
B.Using env with valueFrom.configMapKeyRef to inject a specific key
C.Mounting the ConfigMap as a volume using volumes and volumeMounts
D.Using env with value directly set to a key name
E.Using envFrom to inject all keys as environment variables
AnswersB, C, E

A single key via configMapKeyRef, all keys via envFrom, and a volume mount are the three ways to consume a ConfigMap.

Why this answer

Option B is correct because `env[].valueFrom.configMapKeyRef` injects one named key from a ConfigMap as an environment variable, resolved when the container starts. Option E is correct because `envFrom[].configMapRef` injects every key of the ConfigMap as an environment variable in one step (keys that are not valid variable names are skipped and reported as an event). Option C is correct because a ConfigMap declared under `volumes[].configMap` and mounted with `volumeMounts` exposes each key as a file; this is the only form that is updated in place when the ConfigMap changes. Option A is wrong because `secretRef` references a Secret, not a ConfigMap. Option D is wrong because `value` is a literal string; writing a key name there sets the variable to that name, not to the key's contents.

Exam trap

The trap here is that candidates confuse `envFrom` with `configMapRef` (which injects all keys) and `env.valueFrom.configMapKeyRef` (which injects a single key), or assume `secretRef` works with ConfigMaps, leading them to select option A or to miss that option E is also correct.
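Every consumption form from questions 764, 765 and 771 in one Pod, added here as an example that is not part of the original page. The ConfigMap, the Secret (with a constructed placeholder credential), the image and the mount path are assumptions:

```yaml
# Added example: ConfigMap and Secret consumed as single env vars, as bulk env
# vars with a prefix, and as files. Values are constructed placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
  app.properties: |
    feature.flag=true
---
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
stringData:                          # plain text in the manifest; stored base64-encoded under .data
  url: postgres://app:example-password@db:5432/app   # constructed placeholder
  password: example-password                          # constructed placeholder
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0            # assumed image
      env:
        - name: DATABASE_URL                         # one key from a Secret (Q765)
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: url
        - name: LOG_LEVEL                            # one key from a ConfigMap (Q771, option B)
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: LOG_LEVEL
      envFrom:
        - secretRef:                                 # every key in the Secret (Q764, option A)
            name: db-secret
          prefix: SECRET_                            # yields SECRET_url and SECRET_password
        - configMapRef:                              # every key in the ConfigMap (Q771, option E)
            name: app-config                         # "app.properties" is not a valid variable name:
                                                     # it is skipped and an InvalidEnvironmentVariableNames
                                                     # event is recorded on the Pod
      volumeMounts:
        - name: config                               # ConfigMap as files (Q771, option C)
          mountPath: /etc/app
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: app-config
        items:
          - key: app.properties
            path: app.properties                     # only this key becomes a file
```

`kubectl exec app -- env | grep -E '^(DATABASE_URL|LOG_LEVEL|SECRET_)'` and `kubectl exec app -- cat /etc/app/app.properties` confirm the result. Environment variables are the weaker place for a Secret: they are inherited by every child process, routinely dumped by crash reporters and debug endpoints, and never refreshed after the container starts, whereas a Secret mounted as a volume is updated in place when the Secret changes; prefer the volume form for credentials when the application can read files.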

772
MCQmedium

A deployment runs a container that needs to read a file from a host path '/var/log/app' on the node. The file must be available to all pods on that node. Which volume type should be used?

A.emptyDir
B.hostPath
C.persistentVolumeClaim
D.configMap
AnswerB

Correctly mounts host node path.

Why this answer

B is correct because hostPath mounts a file or directory from the host node's filesystem into the pod, making it available to all pods scheduled on that node. This is the only volume type that directly accesses a specific host path like '/var/log/app', ensuring the file is shared across all pods on the same node.

Exam trap

CNCF often tests hostPath vs. emptyDir by emphasizing 'available to all pods on that node' — candidates mistakenly choose emptyDir because it is shared among containers in the same pod, but it is not shared across different pods on the same node.

How to eliminate wrong answers

Option A is wrong because emptyDir creates an empty directory tied to the Pod's lifecycle; it is not backed by a host path and is not shared across Pods on the same node. Option C is wrong because persistentVolumeClaim abstracts storage away from the node's filesystem and is used for persistent, cluster-wide storage, not for reaching a specific host path. Option D is wrong because configMap injects configuration data from an API object, not arbitrary host filesystem paths. Treat hostPath as a privileged feature: it gives the container part of the node's filesystem, which is why the baseline and restricted Pod Security Standards forbid it and a hardened namespace rejects this manifest. Where it is unavoidable, mount it with readOnly: true and set type: Directory (or File) so that a typo in the path cannot silently create a new directory on the node.

773
Multi-Selectmedium

Which THREE of the following are valid reasons to use an annotation in Kubernetes?

Select 3 answers
A.To enable a Service to select Pods based on the annotation value
B.To store the name of the CI/CD tool that deployed the resource
C.To record the build version or commit hash for auditing
D.To set resource limits for a container
E.To attach arbitrary non-identifying metadata to an object
AnswersB, C, E

Annotations can hold deployment tool metadata.

Why this answer

Annotations are key-value metadata for non-identifying information. Option B is correct for recording the deploying tool. Option C is correct for build or release information such as a commit hash.

Option E is correct: attaching arbitrary, non-identifying metadata is exactly what annotations are for. Option A is incorrect because selection (by Services, selectors, kubectl -l) works only on labels; annotations are never used for selection. Option D is incorrect because resource limits are set in spec.containers[].resources, not in annotations.

774
MCQmedium

You want to ensure your application shuts down gracefully when a pod is terminated. The application needs 30 seconds to clean up. Which field should you set in the pod spec?

A.spec.containers[].livenessProbe.initialDelaySeconds: 30
B.spec.containers[].lifecycle.preStop.exec.command: ["sleep", "30"]
C.spec.containers[].readinessProbe.periodSeconds: 30
D.terminationGracePeriodSeconds: 30
AnswerD

This gives the container 30 seconds after SIGTERM before SIGKILL is sent.

Why this answer

Option D is correct because `terminationGracePeriodSeconds` defines the time Kubernetes waits for a pod to shut down gracefully after sending a SIGTERM signal. Setting it to 30 seconds gives the application the required cleanup window before a SIGKILL is forced.

Exam trap

CNCF often tests the misconception that a `preStop` hook alone guarantees graceful shutdown, but without adjusting `terminationGracePeriodSeconds`, the hook's execution time is counted against the default 30-second grace period, potentially causing a SIGKILL before cleanup completes.

How to eliminate wrong answers

Option A is wrong because `livenessProbe.initialDelaySeconds` controls how long to wait before starting the liveness probe, not the shutdown behavior. Option B is wrong because `preStop` hooks run before the SIGTERM is sent, but they do not extend the total grace period; the `terminationGracePeriodSeconds` must be set to accommodate both the hook and the application's cleanup. Option C is wrong because `readinessProbe.periodSeconds` sets the interval for readiness checks, which is unrelated to graceful termination.
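A Pod that budgets the grace period for both the preStop hook and the application's own SIGTERM handling, added here as an example and not taken from the page; the image, the draining marker file and the timings are assumptions:

```yaml
# Added example: preStop + terminationGracePeriodSeconds sized to fit.
# Image, the /tmp/draining marker and the timings are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: worker
spec:
  terminationGracePeriodSeconds: 45   # preStop (10s) + app cleanup (up to 30s) must fit in here;
                                      # the default is 30, after which SIGKILL is sent
  containers:
    - name: worker
      image: registry.example.com/worker:1.0   # assumed; its PID 1 handles SIGTERM by draining
      lifecycle:
        preStop:
          exec:                                # runs BEFORE SIGTERM; its time counts against the grace period
            command: ["sh", "-c", "touch /tmp/draining; sleep 10"]
      readinessProbe:
        exec:
          command: ["sh", "-c", "test ! -f /tmp/draining"]   # fails once draining starts
        periodSeconds: 2
```

On deletion the kubelet runs preStop (about 10 s), sends SIGTERM, and the application has roughly 35 s left to finish before SIGKILL at the 45 s mark; meanwhile the endpoint controller removes the Pod from Service endpoints in parallel, and the failing readiness probe makes sure no new connections arrive during the drain. Two things that break this even with the right numbers: a shell wrapper as PID 1 that does not forward SIGTERM to the real process, and an application that ignores SIGTERM entirely, both of which turn every termination into a SIGKILL.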

775
MCQeasy

In a Deployment YAML, which field defines the number of pods to run?

A.spec.strategy.replicas
B.spec.template.replicas
C.spec.replicas
D.metadata.replicas
AnswerC

Correct field.

Why this answer

The top-level 'spec.replicas' field sets the desired number of Pods. Option C is correct; strategy and template have no replicas field, and metadata holds only identifying information such as name, labels and annotations.

776
MCQmedium

You are performing a blue-green deployment for an application. You have two Deployments: 'app-blue' (current production) and 'app-green' (new version). Both have label 'app: myapp' and are exposed by a Service 'myapp-svc'. How do you switch traffic from blue to green?

A.Delete the Service and recreate it with the selector pointing to app-green.
B.Update the Service's selector to match the labels of the green Deployment's pods (e.g., 'version: green').
C.Delete the blue Deployment after ensuring green is ready.
D.Update the blue Deployment's image to the new version.
AnswerB

Changing the selector immediately routes traffic to the Pods matching the new selector. If the green Pods are Ready, traffic switches without downtime.

Why this answer

Option B is correct: updating the Service's selector to the label that only the green Pods carry (for example version: green) routes all traffic to green, and the reverse edit rolls back. Note the trap in the setup: with both Deployments carrying app: myapp, a Service whose selector is only app: myapp would already be sending traffic to both versions, so the selector must include the distinguishing label from the start. Option A is incorrect because deleting and recreating the Service drops its ClusterIP and endpoints, causing an outage. Option C is incorrect because deleting blue removes the current production Pods without moving traffic anywhere. Option D is incorrect because changing the image in the blue Deployment performs a rolling update of blue, not a blue-green switch.
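The blue-green setup from questions 758 and 776 as manifests, added here as an example (not the page's own code); the images and the version label values are assumptions:

```yaml
# Added example: two Deployments, one Service; the Service selector chooses the
# live colour. Images are assumed for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-blue
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      version: blue
  template:
    metadata:
      labels:
        app: myapp
        version: blue
    spec:
      containers:
        - name: app
          image: registry.example.com/myapp:1.0
          ports:
            - containerPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-green
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      version: green
  template:
    metadata:
      labels:
        app: myapp
        version: green
    spec:
      containers:
        - name: app
          image: registry.example.com/myapp:2.0
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-svc
spec:
  selector:
    app: myapp
    version: blue        # both labels: "app: myapp" alone would load-balance across both colours
  ports:
    - port: 80
      targetPort: 8080
```

Cut over only after `kubectl rollout status deployment/app-green` reports all replicas available, with `kubectl patch service myapp-svc -p '{"spec":{"selector":{"app":"myapp","version":"green"}}}'`; `kubectl get endpoints myapp-svc` should then list only the green Pod IPs. Roll back by patching version back to blue, and keep blue scaled up until you are confident enough to remove it.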

777
MCQmedium

Based on the exhibit, what should you do to determine why the container is failing?

A.Run 'kubectl describe pod backend' to see the pod's status.
B.Run 'kubectl get events' with a different filter to capture more details.
C.Check if the image tag '1.0' exists in the registry.
D.Run 'kubectl logs backend' to view the container's stdout/stderr.
AnswerD

Logs show the application's own error output, which is what explains a crash.

Why this answer

Option D is correct because the container is failing, and the most direct way to find out why is to read its stdout/stderr with 'kubectl logs backend'. That output typically carries the error message, stack trace or exit reason the application printed before it died. When the container has already been restarted, add --previous ('kubectl logs backend --previous') to read the log of the crashed instance rather than the new one that may not have failed yet; for a multi-container Pod, name the container with -c. In CKAD scenarios, a Pod in CrashLoopBackOff or Error state makes logs the first diagnostic step.

Exam trap

CNCF often tests the distinction between pod-level metadata (describe/events) and application-level output (logs), and the trap here is that candidates may choose 'kubectl describe pod' thinking it shows all failure details, but it does not include the container's stdout/stderr logs.

How to eliminate wrong answers

Option A is wrong because 'kubectl describe pod backend' shows the pod's status and events, but it does not show the container's stdout/stderr logs; it only provides metadata and conditions, not the application's error output. Option B is wrong because 'kubectl get events' with a different filter may show cluster-level events but does not capture the container's application logs; events are for infrastructure-level issues, not application errors. Option C is wrong because checking if the image tag '1.0' exists in the registry is a valid step only if the issue is an ImagePullBackOff, but the question states the container is failing (likely running then crashing), not failing to pull the image.

778
MCQmedium

You have a Deployment that uses the 'Recreate' strategy. What happens when you update the pod template (e.g., change the image)?

A.The update is not allowed; you must delete the Deployment first
B.All existing pods are terminated before new pods are created
C.New pods are created gradually while old pods are terminated
D.Pods are updated in-place without restart
AnswerB

Correct.

Why this answer

With the Recreate strategy, all existing pods are killed before new ones are created. This can cause downtime.

779
MCQhard

You are debugging a network issue: a pod 'frontend' cannot reach a service 'backend' in the same namespace. The service endpoints are empty. What is the most likely cause?

A.The pod 'frontend' is not in the same namespace as the service 'backend'.
B.The service selector does not match the labels of any running pod.
C.The pod's container port is different from the service port.
D.The kube-proxy is misconfigured and not updating iptables rules.
AnswerB

Endpoints are populated from Pods that match the selector and are Ready; if none match, the endpoints stay empty.

Why this answer

B is correct because the most common reason for empty endpoints is that the Service's selector matches the labels of no Pod. The endpoints (and EndpointSlice) controllers continuously watch Pods and list only those whose labels match the selector and whose readiness is passing. With an empty list, every connection to the Service's ClusterIP is refused, which is what the frontend sees. Compare the two sides directly: kubectl get svc backend -o jsonpath='{.spec.selector}' against kubectl get pods --show-labels, or simply kubectl get pods -l <key>=<value> using the Service's selector; if Pods do match but are not Ready, kubectl get endpoints backend stays empty until their readiness probe passes, which is the second cause to rule out.

Exam trap

The trap here is that candidates often confuse the cause of empty endpoints with other networking issues like port mismatches or kube-proxy problems, but the CKAD exam specifically tests the understanding that endpoints are directly tied to label selector matching, not to port configuration or proxy behavior.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that both the pod and service are in the same namespace, so namespace mismatch is not the cause. Option C is wrong because a mismatch between the container port and the service port would cause connection failures but would not result in empty endpoints; the endpoints would still be populated with the pod's IP and the container port. Option D is wrong because a misconfigured kube-proxy would affect traffic routing (e.g., iptables rules not being updated) but would not cause the service's endpoints to be empty; endpoints are managed by the endpoint controller, not kube-proxy.

780
MCQmedium

You have a multi-stage Dockerfile. The first stage builds a binary using a large build image. The second stage copies the binary from the first stage into a minimal runtime image. Which Dockerfile instruction is used to copy artifacts from a previous stage?

A.ADD --from=builder /app/artifact /app/
B.ENTRYPOINT --from=builder /app/artifact /app/
C.CMD --from=builder /app/artifact /app/
D.COPY --from=builder /app/artifact /app/
AnswerD

COPY --from copies files from a named stage in a multi-stage build.

Why this answer

Option D is correct. COPY --from=<stage-name> copies files from a named stage in a multi-stage build. ADD can also copy files but is more feature-rich (supports URLs, tar extraction).

However, for copying build artifacts from a previous stage, COPY --from is the standard and recommended approach. CMD and ENTRYPOINT are for runtime commands, not for copying files.

781
Multi-Selectmedium

Which TWO statements about NetworkPolicy are correct? (Choose two.)

Select 2 answers
A.If no NetworkPolicy selects a pod, then that pod is isolated and traffic is denied
B.NetworkPolicy is only applicable to Services
C.NetworkPolicy is a cluster-scoped resource
D.NetworkPolicy uses labels to select pods within a namespace
E.NetworkPolicy can specify both ingress and egress rules
AnswersD, E

Correct.

Why this answer

NetworkPolicy is a namespaced resource, and if no policies select a pod, it allows all traffic by default.

782
MCQhard

An Ingress resource has the following annotation: 'kubernetes.io/ingress.class: nginx'. What is the purpose of this annotation?

A.It sets a default backend for the Ingress
B.It enables session affinity (sticky sessions)
C.It enables TLS for the Ingress
D.It specifies the Ingress controller to use (e.g., nginx)
AnswerD

Correct. It tells the cluster which ingress controller should handle this resource.

Why this answer

The annotation 'kubernetes.io/ingress.class' specifies which Ingress controller should process this Ingress resource. In Kubernetes 1.18+, this is replaced by the 'ingressClassName' field, but the annotation is still supported. Option D is correct.

Option A is wrong because the annotation does not set a default backend. Option B is wrong because it does not enable sticky sessions. Option C is wrong because it does not enable TLS.

783
MCQmedium

An Ingress is configured for host-based routing with two hosts: 'app1.example.com' and 'app2.example.com'. A request to 'app1.example.com' should go to service 'svc1'. Which field in the Ingress spec specifies the host?

A.spec.rules.http.paths.host
B.spec.rules.http.host
C.spec.tls.hosts
D.spec.rules.host
AnswerD

The host field under rules.

Why this answer

In an Ingress rule, the 'host' field specifies the hostname for routing.

784
MCQmedium

A developer runs 'kubectl run nginx --image=nginx --port=80' and then creates a Service with the following YAML: apiVersion: v1 kind: Service metadata: name: nginx-svc spec: selector: app: nginx ports: - protocol: TCP port: 80 targetPort: 80 However, the Service has no endpoints. What is the most likely cause?

A.The Service selector 'app: nginx' does not match the pod's label 'run: nginx'
B.The Service and pod are in different namespaces
C.The Service must have a selector defined in order to have endpoints
D.The pod is not listening on port 80
AnswerA

Correct. The pod created by 'kubectl run' gets label 'run: nginx', not 'app: nginx'.

Why this answer

'kubectl run nginx --image=nginx --port=80' creates a pod with label 'run: nginx', not 'app: nginx'. The Service selects pods with 'app: nginx', so there is no match. The fix is to correct the selector.

Option A is correct. Option B is wrong because the namespace is consistent: both objects were created in the same namespace. Option C is wrong because a Service does not need a selector to have endpoints; an Endpoints object can be created manually. Option D is wrong because the pod was started with --port=80 and is running; a port problem would cause connection failures, not empty endpoints.

785
Multi-Selectmedium

Which TWO parameters can be configured for a probe to control its behavior? (Choose two.)

Select 2 answers
A.maxRetries
B.backoffSeconds
C.retryIntervalSeconds
D.timeoutSeconds
E.initialDelaySeconds
AnswersD, E

This defines the timeout for each probe.

Why this answer

Option D is correct because `timeoutSeconds` defines the maximum time a probe waits for a response before considering the probe failed. Option E is correct because `initialDelaySeconds` configures the delay before the probe starts after the container starts, allowing the application to initialize. Both are standard fields in the Kubernetes probe specification (liveness, readiness, startup).

Exam trap

CNCF often tests the distinction between probe parameters and unrelated concepts like retry logic or backoff strategies, leading candidates to confuse fields from other systems (e.g., Spring Boot retry) with Kubernetes probe configuration.

786
MCQeasy

You have a Helm release named 'myapp' that was installed. You need to see all the releases in the current namespace. Which command do you run?

A.helm list
B.helm repo list
C.helm status myapp
D.helm get all myapp
AnswerA

Lists releases.

Why this answer

helm list lists all releases in the current namespace. Option A is correct.

787
MCQhard

A NetworkPolicy allows ingress traffic from pods with label 'role: frontend' in the same namespace. Which podSelector is correct?

A.ingress: - from: - podSelector: matchExpressions: - key: role operator: In values: - frontend
B.ingress: - from: - namespaceSelector: matchLabels: role: frontend
C.ingress: - from: - podSelector: matchLabels: role: frontend
D.ingress: - from: - ipBlock: cidr: 0.0.0.0/0
AnswerC

Correct. podSelector selects pods with that label.

Why this answer

The ingress 'from' rule uses podSelector to select source pods within the namespace. Option B uses namespaceSelector, which selects namespaces, not pods. Option D uses ipBlock, which selects an IP range rather than labelled pods.

788
MCQhard

A pod has securityContext with capabilities.add: ['NET_ADMIN'] and capabilities.drop: ['ALL']. What effective capabilities does the container have?

A.No capabilities
B.All capabilities
C.Only NET_ADMIN
D.All capabilities except NET_ADMIN
AnswerC

Drop ALL removes all capabilities, then add NET_ADMIN grants only that capability.

Why this answer

Option C is correct because when a container's securityContext specifies both `capabilities.drop: ['ALL']` and `capabilities.add: ['NET_ADMIN']`, the `drop: ['ALL']` first removes all capabilities, and then `add: ['NET_ADMIN']` adds back only the NET_ADMIN capability. The final effective set is exactly `[NET_ADMIN]`. This is the intended Kubernetes behavior: `drop` is processed before `add` within the same container spec.

Exam trap

The trap here is that candidates mistakenly think `drop: ['ALL']` overrides any `add` directives, or that the order of `drop` and `add` in the YAML matters, when in fact Kubernetes always processes `drop` first regardless of the order they are listed.

How to eliminate wrong answers

Option A is wrong because it ignores the `add: ['NET_ADMIN']` directive, which explicitly adds the NET_ADMIN capability after dropping all others. Option B is wrong because dropping all capabilities and then adding only one does not result in 'all capabilities'; it results in only the added one. Option D is wrong because it reverses the logic: NET_ADMIN is added, not dropped, so the container has NET_ADMIN, not 'all except NET_ADMIN'.

789
MCQeasy

Which of the following YAML fields can be used to mount a Secret as a volume in a Pod?

A.volumes
B.imagePullSecrets
C.annotations
D.envFrom
AnswerA

In the pod spec, you define a volume with 'secret' type and then mount it using volumeMounts in the container.

Why this answer

Option A is correct because the `volumes` field in a Pod spec allows you to define a volume of type `secret`, which can then be mounted into a container using the `volumeMounts` field. This is the standard Kubernetes mechanism for exposing Secret data as files in the container's filesystem.

Exam trap

The trap here is that candidates confuse `envFrom` (which injects Secret data as environment variables) with volume mounting, or they mistakenly think `imagePullSecrets` or `annotations` can serve as volume sources, when in fact only the `volumes` field supports the `secret` volume type.

How to eliminate wrong answers

Option B is wrong because `imagePullSecrets` is used to specify credentials for pulling container images from private registries, not for mounting Secrets as volumes. Option C is wrong because `annotations` are metadata key-value pairs attached to objects for non-identifying information, and they cannot be used to mount Secrets as volumes. Option D is wrong because `envFrom` is used to populate environment variables from a ConfigMap or Secret, but it does not mount the Secret as a volume; it injects data as environment variables instead.

790
MCQeasy

You want to deploy an application with zero downtime by using a blue-green deployment pattern. Which Kubernetes resources are essential for implementing this strategy?

A.A single Deployment with a RollingUpdate strategy
B.A StatefulSet and a Headless Service
C.A Deployment with a Recreate strategy and an Ingress
D.Two Deployments (blue and green) and a Service that can switch its selector
AnswerD

Blue-green uses two separate Deployments and a Service to route traffic to the active one.

Why this answer

Blue-green deployments require two Deployments (one for blue, one for green) and a Service that switches selector labels to point to the active deployment. Option D is correct.

791
MCQhard

You have a Service that exposes a Deployment. Some pods are not receiving traffic. 'kubectl get endpoints my-service' shows only 2 out of 3 pod IPs. What is the most likely cause?

A.The Deployment has a wrong targetPort
B.The Service type is NodePort
C.One pod has a different label than the Service selector
D.One pod is not ready (readiness probe failing)
AnswerD

Only ready pods are included as endpoints.

Why this answer

Endpoints only include ready pods. One pod may not be passing readiness probes.
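Questions 779, 784, 787 and 791 all apply the same label-selector rule. The following added Python example (not code from the question bank or from Kubernetes) reimplements that rule and derives the Endpoints addresses and notReadyAddresses from constructed pods, including one that fails its readiness probe. The Pod and Service classes, the sample IPs and the function names are assumptions of this illustration.

```python
"""Derive a Service's Endpoints from pod labels and readiness.

Added illustration for questions 779, 784, 787 and 791; not code from the
question bank or from Kubernetes. It reimplements in plain Python the
label-selector semantics shared by Services (matchLabels only) and
NetworkPolicy podSelectors (matchLabels plus matchExpressions), then builds
the addresses / notReadyAddresses lists of an Endpoints object.
All pods, services and selectors below are constructed sample data.
"""
from dataclasses import dataclass

KNOWN_OPERATORS = ("In", "NotIn", "Exists", "DoesNotExist")


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict
    ip: str
    ready: bool = True  # outcome of the readiness probe


@dataclass
class Service:
    name: str
    namespace: str
    selector: dict  # spec.selector is a plain map, i.e. matchLabels semantics
    port: int = 80


def selector_matches(selector, labels) -> bool:
    """Evaluate a LabelSelector ({matchLabels, matchExpressions}) against labels.
    Requirements are ANDed; an empty selector matches everything, None nothing."""
    if selector is None:
        return False
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op not in KNOWN_OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def endpoints_for(service, pods) -> dict:
    """Build what 'kubectl get endpoints <svc>' would show for these pods.
    Only pods in the Service's namespace count; matching pods that fail their
    readiness probe land in notReadyAddresses and receive no traffic. A Service
    without a selector has no controller-managed Endpoints at all (q784, C)."""
    if not service.selector:
        return {"managed": False, "addresses": [], "notReadyAddresses": []}
    selector = {"matchLabels": service.selector}
    ready, not_ready = [], []
    for pod in pods:
        if pod.namespace == service.namespace and selector_matches(selector, pod.labels):
            (ready if pod.ready else not_ready).append(pod.ip)
    return {"managed": True, "addresses": sorted(ready),
            "notReadyAddresses": sorted(not_ready), "port": service.port}


def diagnose(service, pods) -> str:
    """One-line reason for empty or partial endpoints, in CKAD terms."""
    ep = endpoints_for(service, pods)
    if not ep["managed"]:
        return "service has no selector; Endpoints must be created manually"
    if not ep["addresses"] and not ep["notReadyAddresses"]:
        return "selector matches no pod labels"
    if ep["notReadyAddresses"]:
        return "matching pods exist but some fail their readiness probe"
    return "ok"


# Constructed sample cluster state.
# q784: 'kubectl run nginx' labels the pod run=nginx, but the Service selects app=nginx.
SVC_NGINX = Service("nginx-svc", "default", {"app": "nginx"})
POD_NGINX = Pod("nginx", "default", {"run": "nginx"}, "10.244.1.10")
# q791: three Deployment replicas, the third failing its readiness probe.
SVC_MY = Service("my-service", "default", {"app": "my-app"})
PODS_MY = [Pod(f"my-app-{i}", "default", {"app": "my-app"}, f"10.244.2.{i}", ready=(i != 3))
           for i in (1, 2, 3)]
# q787: the two equivalent NetworkPolicy podSelector spellings for role=frontend.
NP_MATCH_LABELS = {"matchLabels": {"role": "frontend"}}
NP_MATCH_EXPR = {"matchExpressions": [{"key": "role", "operator": "In", "values": ["frontend"]}]}

if __name__ == "__main__":
    print("nginx-svc:", diagnose(SVC_NGINX, [POD_NGINX]))
    print("my-service:", endpoints_for(SVC_MY, PODS_MY))
```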

792
MCQmedium

You want to view the events related to a specific pod named 'my-pod' in the 'default' namespace. Which command filters events to show only those pertaining to this pod?

A.kubectl get events --field-selector involvedObject.name=my-pod
B.kubectl describe pod my-pod
C.kubectl get events | grep my-pod
D.kubectl logs my-pod
AnswerA

Correct. Field selector filters events by the object name.

Why this answer

kubectl get events --field-selector involvedObject.name=my-pod shows events for that pod.

793
Multi-Selecthard

Which THREE of the following are correct about Kustomize?

Select 3 answers
A.A 'kustomization.yaml' file is required in each Kustomize directory.
B.A 'patches' field in kustomization.yaml can be used to override fields in resources.
C.The command 'kustomize apply' deploys resources to the cluster.
D.Kustomize uses Helm-style templates to generate resources.
E.A base can be a local directory or a remote URL.
AnswersA, B, E

kustomization.yaml defines resources and transformations.

Why this answer

Option A is correct: kustomization.yaml is the required entry point of every Kustomize directory. Option B is correct: the 'patches' field in kustomization.yaml overrides fields in the referenced resources. Option E is correct: a base can be a local directory or a remote URL.

Option C is false: there is no 'kustomize apply'; 'kustomize build' outputs YAML to stdout and does not apply it directly. Option D is false: Kustomize does not use templates; it uses overlays.

794
MCQeasy

Which Service type is used to expose a service externally on a static port on each worker node?

A.NodePort
B.ExternalName
C.ClusterIP
D.LoadBalancer
AnswerA

NodePort exposes the service on a static port on each node's IP.

Why this answer

NodePort services expose a port on each node's IP address, allowing external access. Option A is correct.

795
MCQmedium

You need to debug a Service that is not routing traffic to its endpoints. Which command shows the current endpoints of a Service?

A.kubectl describe service my-service
B.kubectl get svc my-service -o wide
C.kubectl get pods -l app=my-app
D.kubectl get endpoints my-service
AnswerD

Shows the endpoints for the Service.

Why this answer

The 'kubectl get endpoints' command shows the endpoints (pods) that a Service is routing to. The shorthand is 'ep'.

796
MCQmedium

You are troubleshooting a service connectivity issue. You have a pod named 'client' and a service named 'server'. You want to check if the service's endpoints are populated. Which command should you run?

A.kubectl describe pod client
B.kubectl get pods -l app=server
C.kubectl get svc server
D.kubectl get endpoints server
AnswerD

This shows the IP addresses of pods backing the service.

Why this answer

Option D is correct because `kubectl get endpoints server` directly retrieves the Endpoints object associated with the service named 'server'. Endpoints are automatically managed by Kubernetes and list the IP addresses and ports of pods that match the service's selector. If the endpoints list is empty, it indicates that no pods are matching the service's selector, which is a common cause of connectivity issues.

Exam trap

The trap here is that candidates often confuse checking the service itself (which shows the selector) with checking the actual endpoints (which shows the resolved pod IPs), leading them to pick Option C when they need to verify if pods are actually backing the service.

How to eliminate wrong answers

Option A is wrong because `kubectl describe pod client` shows details of the client pod, not the service's endpoints; it does not reveal whether the server service has any backing pods. Option B is wrong because `kubectl get pods -l app=server` lists pods with the label 'app=server', but it does not confirm whether those pods are actually registered as endpoints for the 'server' service; a mismatch in selectors or pod readiness could prevent endpoint population. Option C is wrong because `kubectl get svc server` shows the service's cluster IP, ports, and selector, but does not display the actual endpoint IPs; it only indicates the desired state, not the actual backing pods.

797
MCQmedium

You run 'kubectl apply -f deployment.yaml' and later 'kubectl replace -f deployment.yaml' on the same file. What is the difference?

A.apply merges changes, replace replaces the entire resource
B.apply is used for Deployments only, replace for any resource
C.apply requires --record flag, replace does not
D.apply creates, replace updates
AnswerA

Correct distinction.

Why this answer

kubectl apply creates or updates resources using declarative configuration, preserving changes made by others. kubectl replace replaces the existing resource with the provided spec, which can overwrite fields not managed by the user. Option A correctly describes this.

798
Multi-Selectmedium

You are designing a health check strategy for a web application. Which TWO probe types should you configure to ensure that traffic is only sent to pods that are ready to serve?

Select 2 answers
A.Readiness probe
B.TCP socket probe
C.Startup probe
D.HTTP GET probe
E.Liveness probe
AnswersA, C

Controls whether a pod is included in service endpoints.

Why this answer

A Readiness probe (Option A) is specifically designed to determine whether a pod is ready to serve traffic. If the probe fails, the pod is removed from the Service's endpoints, ensuring traffic is only sent to pods that are ready. This directly fulfills the requirement of controlling traffic routing based on pod readiness.

Exam trap

The trap here is that candidates confuse probe handlers (like HTTP GET or TCP socket) with probe types (like readiness, liveness, startup), leading them to select handlers instead of the correct probe types that control traffic routing.

799
MCQmedium

You need to access a database pod 'db-pod' on port 5432 from your local machine. Which command forwards local port 15432 to the pod's port 5432?

A.kubectl proxy --port=15432 db-pod:5432
B.kubectl port-forward pod/db-pod 15432:5432
C.kubectl expose pod db-pod --port=15432 --target-port=5432
D.kubectl port-forward db-pod 5432:15432
AnswerB

Correct syntax and port mapping.

Why this answer

The correct command is 'kubectl port-forward pod/db-pod 15432:5432'. This forwards local port 15432 to the pod's port 5432.

800
Multi-Selectmedium

You need to create a Secret to store a TLS certificate and private key for use by an Ingress resource. Which two statements are correct? (Choose two.)

Select 2 answers
A.kubectl create secret tls my-tls --cert=cert.pem --key=key.pem
B.The Secret type should be 'kubernetes.io/tls' and the data keys must be 'tls.crt' and 'tls.key'.
C.Use 'kubectl create secret generic tls-secret --from-file=cert.pem --from-file=key.pem' with type Opaque.
D.The keys in the data section must be 'cert' and 'key'.
E.The Ingress resource references the Secret's data keys directly.
AnswersA, B

Correct command to create a TLS secret.

Why this answer

Option A is correct because `kubectl create secret tls my-tls --cert=cert.pem --key=key.pem` is the dedicated command to create a TLS secret, which automatically sets the type to `kubernetes.io/tls` and stores the certificate under the key `tls.crt` and the private key under `tls.key`. This is the standard method for creating secrets intended for use with Ingress resources.

Exam trap

The trap here is that candidates often think any secret containing a certificate and key will work with an Ingress, but the Ingress controller strictly requires the secret type to be `kubernetes.io/tls` and the data keys to be exactly `tls.crt` and `tls.key`, not generic Opaque secrets or custom key names.

801
MCQeasy

A pod named 'debug' is running. Which command forwards local port 4000 to port 80 on the pod?

A.kubectl exec debug -- socat TCP-LISTEN:4000 TCP:localhost:80
B.kubectl port-forward pod debug 4000:80
C.kubectl port-forward pod/debug 4000:80
D.kubectl proxy --port=4000 --target=80
AnswerC

Correct syntax.

Why this answer

'kubectl port-forward' is used to forward a local port to a pod port. The correct syntax is 'kubectl port-forward pod/debug 4000:80'.

802
Multi-Selectmedium

Which TWO of the following commands can be used to view events related to a specific pod? (Select TWO.)

Select 2 answers
A.kubectl get events --field-selector involvedObject.name=<pod>
B.kubectl events --pod=<pod>
C.kubectl describe pod <pod>
D.kubectl logs <pod>
E.kubectl get events
AnswersA, C

Filters events by the pod name.

Why this answer

Correct answers: A and C. kubectl describe pod <pod> shows the events for that pod. kubectl get events --field-selector involvedObject.name=<pod> filters events by pod name. Option E shows all events without filtering. Option D shows container logs, not events.

Option B is not a valid command.

803
MCQhard

A developer reports that a container in a pod is not responding correctly. You need to get an interactive shell in the container to investigate. Which command should you run?

A.kubectl run -it --rm debug --image=busybox
B.kubectl exec -it <pod> -- /bin/bash
C.kubectl exec <pod> -- /bin/bash
D.kubectl debug -it <pod> --image=busybox --target=<container>
AnswerB

-it provides interactive terminal access.

Why this answer

Option B is correct. kubectl exec with the -it flags gives an interactive terminal in the existing container. Option C does not allocate a TTY. Option D starts an ephemeral debug container, which is unnecessary here.

Option A starts a new, separate pod rather than a shell in the container under investigation.

804
MCQhard

An administrator creates a Pod with an ephemeral container using 'kubectl debug my-pod -it --image=busybox --target=my-container'. The ephemeral container shares the same process namespace as the target container. Which flag enables this?

A.--target
B.--container
C.--namespace
D.--share-process-namespace
AnswerA

The --target flag designates the target container for namespace sharing.

Why this answer

The '--target' flag in kubectl debug specifies the target container for sharing namespaces, including process namespace.

805
Multi-Selecthard

Which THREE are valid patterns for multi-container Pods?

Select 3 answers
A.Init
B.Ambassador
C.Replicator
D.Adapter
E.Sidecar
AnswersB, D, E

An ambassador container proxies network connections to external services.

Why this answer

Options B, D, and E are correct: ambassador (proxies external access), adapter (normalizes output), and sidecar (adds a helper container). Option C (replicator) is not a standard pattern. Option A (init) is a special container type, not a pattern for multi-container design.

806
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the CPU request for the container
B.Delete and recreate the pod to clear the crash loop
C.Delete the namespace and redeploy all workloads
D.Increase the memory limit in the pod's container resource specification
AnswerD

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option D is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option A addresses CPU, not memory. Option B would not help: restarting the pod without addressing the root cause will result in the same failure. Option C (deleting the namespace) is destructive and unnecessary.

807
MCQmedium

You have a headless Service for a StatefulSet. What is the DNS resolution behavior for the StatefulSet pods?

A.DNS is disabled for headless Services.
B.The Service name resolves to the IP of the first pod only.
C.All pods share a single cluster IP via the Service.
D.Each pod gets a DNS A record pointing to its individual IP.
AnswerD

Headless Service returns pod IPs, not a single cluster IP.

Why this answer

Option D is correct. Headless Services (clusterIP: None) enable DNS to return pod IPs directly, allowing each pod to be reachable via its own DNS name (pod-name.service-name.namespace.svc.cluster.local).

808
MCQhard

A namespace 'dev' has a ResourceQuota that sets 'requests.cpu: 4' and 'limits.cpu: 8'. A pod is created with a container that has 'resources.requests.cpu: 1' and 'resources.limits.cpu: 3'. However, the pod remains in Pending state. The output of 'kubectl describe quota -n dev' shows 'used requests.cpu: 3.5' and 'used limits.cpu: 7'. What is the most likely reason the pod is pending?

A.The pod's CPU limit exceeds the remaining quota.
B.The pod's CPU request exceeds the remaining quota.
C.The pod's memory request is not set.
D.The namespace does not have a LimitRange set.
AnswerA

Adding 3 to the used 7 would exceed the 8 limit quota.

Why this answer

The ResourceQuota in namespace 'dev' has a limit of 8 CPUs for limits.cpu, with 7 already used, leaving only 1 CPU remaining. The pod's container requests a limit of 3 CPUs, which exceeds the available 1 CPU, causing the scheduler to reject the pod and leave it in Pending state. ResourceQuota enforcement occurs at admission time, and the scheduler will not schedule a pod that would cause the namespace to exceed its quota limits.

Exam trap

The trap here is that candidates often focus on the request (1 CPU) being within the remaining quota (0.5 CPU) and overlook that the limit (3 CPUs) exceeds the remaining limit quota (1 CPU), which is the actual blocking constraint.

How to eliminate wrong answers

Option B is wrong because the pod's CPU request is 1, and the remaining quota for requests.cpu is 0.5 (4 - 3.5), so the request does not exceed the remaining quota. Option C is wrong because memory request is not required for scheduling; the pod can be pending due to CPU quota exhaustion even if memory is not set. Option D is wrong because a LimitRange is not required for ResourceQuota enforcement; the pod's resource limits are explicitly set, so the quota can be evaluated without a LimitRange.
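To make the headroom arithmetic above checkable, here is an added Python example (not from the question bank or from Kubernetes) that replays the quota admission check on the question's figures, reporting every tracked resource separately; it also covers a pod that omits a request or limit the quota tracks, which the quota system rejects outright. The TRACKED table and the function names are assumptions of this illustration.

```python
"""Check a pod's CPU requests and limits against a namespace ResourceQuota.

Added illustration for question 808; not code from the question bank or from
Kubernetes. It reproduces the arithmetic of the quota admission check: for
every resource the quota tracks, used + pod must not exceed hard, and a pod
that omits a tracked request or limit is rejected outright. CPU quantities
are normalised to millicores so '3.5', '500m' and '1' compare correctly.
The quota, usage and pod figures are the ones given in the question.
"""
from fractions import Fraction

# quota resource name -> (container resources section, resource key)
TRACKED = {"requests.cpu": ("requests", "cpu"), "limits.cpu": ("limits", "cpu")}


def parse_cpu_millis(quantity) -> int:
    """'3' -> 3000, '3.5' -> 3500, '250m' -> 250."""
    text = str(quantity).strip()
    if text.endswith("m"):
        return int(text[:-1])
    return int(Fraction(text) * 1000)


def pod_cpu_totals(containers) -> dict:
    """Sum CPU requests and limits over all containers of a pod spec.
    Returns {'requests': millis or None, 'limits': millis or None}; None means
    at least one container left that field unset."""
    totals = {}
    for section, key in TRACKED.values():
        values = [c.get(section, {}).get(key) for c in containers]
        totals[section] = None if any(v is None for v in values) else sum(map(parse_cpu_millis, values))
    return totals


def quota_check(hard, used, containers) -> dict:
    """Per tracked quota resource: remaining millicores, what the pod needs, verdict."""
    totals = pod_cpu_totals(containers)
    report = {}
    for resource, (section, _) in TRACKED.items():
        if resource not in hard:
            continue  # the quota does not track it, so there is nothing to enforce
        remaining = parse_cpu_millis(hard[resource]) - parse_cpu_millis(used.get(resource, "0"))
        needed = totals[section]
        if needed is None:
            verdict = "rejected: pod must set cpu %s when the quota tracks %s" % (section, resource)
        elif needed > remaining:
            verdict = "rejected: exceeds remaining quota"
        else:
            verdict = "ok"
        report[resource] = {"remaining_m": remaining, "needed_m": needed, "verdict": verdict}
    return report


def blocking_resources(report) -> list:
    """Names of the quota resources that stop the pod from being admitted."""
    return [name for name, entry in report.items() if entry["verdict"] != "ok"]


# Figures from question 808 (constructed for the question, not from a real cluster).
HARD = {"requests.cpu": "4", "limits.cpu": "8"}
USED = {"requests.cpu": "3.5", "limits.cpu": "7"}
POD_CONTAINERS = [{"requests": {"cpu": "1"}, "limits": {"cpu": "3"}}]

if __name__ == "__main__":
    rep = quota_check(HARD, USED, POD_CONTAINERS)
    for name, entry in rep.items():
        print(f"{name}: remaining {entry['remaining_m']}m, needed {entry['needed_m']}m -> {entry['verdict']}")
    print("blocking:", blocking_resources(rep))
```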

809
MCQeasy

What is the primary purpose of an init container in a pod?

A.To provide a debugging shell into the pod
B.To handle traffic routing between services
C.To run a long-running process alongside the main container
D.To perform initialization tasks such as waiting for a database to be ready
AnswerD

Init containers run sequentially and complete before app containers start, making them ideal for setup tasks.

Why this answer

Init containers run to completion before the main containers start, typically used for setup tasks like waiting for a service or preparing data.

810
MCQeasy

Which kubectl command streams logs from a pod named 'web-pod' in real-time?

A.kubectl logs -f web-pod
B.kubectl logs --previous web-pod
C.kubectl logs --tail web-pod
D.kubectl logs web-pod --all-containers
AnswerA

The -f flag streams logs in real-time.

Why this answer

Option A is correct because `kubectl logs -f web-pod` uses the `-f` (follow) flag to stream logs from the pod in real-time, similar to `tail -f` in Linux. This flag keeps the connection open and continuously outputs new log lines as they are written by the container.

Exam trap

The trap here is that candidates confuse the `--tail` flag (which limits output to recent lines) with the `-f` flag (which streams logs), or assume `--all-containers` implies real-time streaming without the `-f` flag.

How to eliminate wrong answers

Option B is wrong because `kubectl logs --previous web-pod` retrieves logs from the previous instance of a crashed or restarted container, not real-time streaming. Option C is wrong because `kubectl logs --tail web-pod` is incomplete; `--tail` requires an integer (e.g., `--tail=10`) to specify the number of recent log lines to display, and it does not enable streaming. Option D is wrong because `kubectl logs web-pod --all-containers` shows logs from all containers in the pod but does not include the `-f` flag for real-time streaming.

811
MCQmedium

Which of the following is the correct way to set a memory limit of 512Mi for a container in a pod spec?

A.resources.requests.memory: 512Mi
B.resources.limits.memory: 512Mi
C.resources.requests.limits.memory: 512Mi
D.resources.limits.cpu: 512Mi
AnswerB

Correct: 'resources.limits.memory' sets the maximum memory the container can use.

Why this answer

Option B is correct. 'resources.limits.memory' sets the memory limit. Option A uses requests, which is the minimum guaranteed amount, not the limit. Option C is invalid syntax: limits cannot be nested under requests.

Option D sets a CPU limit, not a memory limit.

812
MCQhard

You run 'kubectl get pods -o wide' and see that a pod 'worker-pod' is in 'Completed' state with 'Restart Count: 5'. The pod's restart policy is 'OnFailure'. What is the most likely reason the pod has restarted 5 times?

A.The liveness probe failed and restarted the container
B.The container exited with non-zero exit code multiple times before succeeding
C.The pod's node was rebooted
D.The pod was evicted due to node pressure
AnswerB

Correct. OnFailure restarts on non-zero exit. After multiple failures, it finally succeeded and pod is Completed.

Why this answer

A pod with restartPolicy: OnFailure will restart the container if it exits with a non-zero exit code. The pod is Completed, meaning the container exited with 0 eventually, but previous runs exited with non-zero.

813
MCQeasy

What is the primary purpose of a Kubernetes ServiceAccount?

A.To provide an identity for processes running in a Pod
B.To grant permissions to users
C.To define network policies for Pods
D.To store Docker registry credentials
AnswerA

ServiceAccount is used to identify the Pod when it interacts with the Kubernetes API or other services.

Why this answer

A ServiceAccount provides an identity for processes running in a Pod. Option B is about RBAC, which grants permissions to that identity; the ServiceAccount itself is the identity, not the rules. Option C is about NetworkPolicy. Option D is about registry credentials, which are stored in Secrets and referenced via imagePullSecrets.

814
MCQeasy

You want to see detailed information about a node's resource usage. Which command should you run?

A.kubectl describe node
B.kubectl logs node
C.kubectl get nodes -o wide
D.kubectl top node
AnswerD

This command displays CPU and memory usage for nodes, provided metrics-server is installed.

Why this answer

kubectl top node shows resource usage (CPU and memory) for nodes.

815
MCQmedium

You run 'kubectl run nginx --image=nginx --restart=Never --dry-run=client -o yaml'. What is the output?

A.A Pod manifest with apiVersion: v1beta1
B.A Pod manifest with apiVersion: v1
C.A Job manifest with apiVersion: batch/v1
D.A Deployment manifest with apiVersion: apps/v1
AnswerB

--restart=Never creates a Pod.

Why this answer

Option B is correct: the command generates a Pod manifest with apiVersion v1, kind Pod. Option C is a Job. Option D is a Deployment.

Option A is a Pod but with the wrong apiVersion.

816
MCQmedium

A pod uses a ServiceAccount with automountServiceAccountToken set to false. The pod still needs to access the Kubernetes API. How can you mount the service account token in this pod?

A.Set automountServiceAccountToken: true in the pod spec
B.Create a secret with the token and mount it manually
C.Use a ConfigMap to store the token
D.Set serviceAccountName: default and automountServiceAccountToken: true in the pod spec
AnswerA

This overrides the ServiceAccount's setting and mounts the token.

Why this answer

Option A is correct because setting `automountServiceAccountToken: true` in the pod spec overrides the ServiceAccount-level setting of `false`. This allows the pod to mount the service account token automatically, enabling it to authenticate to the Kubernetes API without manual intervention.

Exam trap

The trap here is that candidates may think they need to manually create a Secret or ConfigMap to inject the token, when in fact the pod spec override of `automountServiceAccountToken` is the correct and simplest approach.

How to eliminate wrong answers

Option B is wrong because service account tokens are not stored as Secrets; they are automatically mounted via a projected volume, and manually creating a Secret with the token is unnecessary and insecure. Option C is wrong because ConfigMaps are designed for non-sensitive configuration data and cannot securely store service account tokens, which are sensitive credentials. Option D is wrong because setting `serviceAccountName: default` is irrelevant; the pod already uses a ServiceAccount, and the key issue is overriding `automountServiceAccountToken` to true, which is already covered by Option A.

817
Multi-Selecteasy

Which two commands can create a ConfigMap from an environment file? (Select TWO.)

Select 2 answers
A.kubectl create configmap my-config --from-literal=app.env
B.kubectl create configmap my-config --from-env-file=app.env
C.kubectl create configmap my-config --from-file=app.env
D.kubectl create configmap my-config --from-file=key1=app.env
E.kubectl create configmap my-config --from-env=app.env
AnswersB, C

This creates a ConfigMap by parsing the env file as key-value pairs.

Why this answer

Option B is correct because `--from-env-file=app.env` is the dedicated flag for creating a ConfigMap from an environment file, where each line in the file is parsed as a key=value pair. Option C is also correct because `--from-file=app.env` creates a ConfigMap with the file's entire contents stored under the filename as the key, which is a valid method even though it does not parse the file as environment variables.

Exam trap

The trap here is that candidates often confuse `--from-env-file` (which parses key=value pairs) with `--from-file` (which stores the file as a single entry), and may incorrectly assume that `--from-file` also parses environment files, or that `--from-env` is a valid flag.

818
MCQeasy

Which command shows resource usage (CPU and memory) for pods?

A.kubectl top node
B.kubectl resource pod
C.kubectl top pod
D.kubectl metrics pod
AnswerC

Displays CPU and memory usage of pods.

Why this answer

Option C is correct: `kubectl top pod` shows the CPU and memory each pod is currently using (add `--containers` for a per-container breakdown, or `-A` for all namespaces). Option A reports per-node usage, not per-pod. Options B and D are not kubectl subcommands. Both `top` variants read the Metrics API (`metrics.k8s.io`), so they need metrics-server or an equivalent installed in the cluster; without it the command fails with "Metrics API not available".

819
MCQhard

When using Helm, which command installs a chart from a repository into a namespace, overriding a value?

A.helm install myrelease repo/chart --set key=value --namespace ns
B.helm template myrelease repo/chart --set key=value --namespace ns
C.helm create myrelease repo/chart --set key=value --namespace ns
D.helm upgrade --install --set key=value myrelease repo/chart --namespace ns
AnswerA

Correct. `helm install` takes the release name and the `repo/chart` reference, `--set` overrides a single value, and `--namespace` selects the target namespace.

Why this answer

Option A is the plain install command the question asks for (add `--create-namespace` if the namespace does not exist yet, and prefer `-f values.yaml` over a long chain of `--set` flags for anything non-trivial). Option B only renders the manifests locally and installs nothing. Option C scaffolds a new chart directory on disk and does not take a `repo/chart` argument. Option D is also valid syntax: `helm upgrade --install` installs the release when it is absent and upgrades it otherwise, which is the idempotent form normally used in pipelines; it is not the answer here only because the question asks for the install command itself.

820
MCQmedium

You are tasked with building a container image for a Node.js application. The Dockerfile must first install system dependencies, then copy application code, and finally run the app. Which of the following Dockerfiles is correct?

A.FROM node:14\nCMD apt-get update && apt-get install -y build-essential\nCOPY . /app\nCMD ["node","app.js"]
B.FROM node:14\nRUN apt-get update && apt-get install -y build-essential\nCOPY . /app\nRUN ["node","app.js"]
C.FROM node:14\nRUN apt-get update && apt-get install -y build-essential\nCOPY . /app\nCMD ["node","app.js"]
D.FROM node:14\nRUN apt-get update && apt-get install -y build-essential\nCOPY . /app\nENTRYPOINT ["node","app.js"]
AnswerC

Correct: RUN installs dependencies at build time, COPY adds code, CMD runs the app.

Why this answer

Option C is correct. RUN executes `apt-get` while the image is built and bakes the result into a layer, COPY adds the application code, and CMD sets the default command the container runs when started. Option A puts the install in a CMD: a Dockerfile honours only the last CMD, so the first one is discarded, and even if it were kept it would run at container start rather than build time, leaving the image without the packages. Option B uses RUN for `node app.js`, which would start the server during `docker build` and block the build (or fail) instead of producing an image. Option D also builds and runs, but ENTRYPOINT makes `node app.js` the fixed executable: arguments passed to `docker run` are appended to it rather than replacing it, so `docker run image sh` would hand `sh` to node as a script name. Because the question asks for the instruction that runs the app by default, CMD is the expected choice.

Practitioner note: `build-essential` is only needed to compile native modules, so in a multi-stage build it belongs in the builder stage and the runtime image carries no compiler; `node:14` is end-of-life, so pin a supported major and run the process as a non-root user.

821
MCQeasy

Which command creates a Docker registry secret from an existing Docker config file?

A.kubectl create secret tls my-reg --cert=... --key=...
B.kubectl create secret generic my-reg --from-file=.dockerconfigjson=config.json
C.kubectl create secret docker-registry my-reg --docker-server=... --docker-username=...
D.kubectl create secret docker-registry my-reg --from-file=.dockerconfigjson=config.json
AnswerB

This creates a secret whose `.dockerconfigjson` key holds the contents of an existing Docker config file. Note that `kubectl create secret generic` produces type `Opaque` unless `--type=kubernetes.io/dockerconfigjson` is added, and the kubelet only uses correctly typed secrets for image pulls.

Why this answer

Option B is the answer the question intends: `kubectl create secret generic` with `--from-file=.dockerconfigjson=config.json` imports an existing Docker config file (typically `~/.docker/config.json`) under the key `.dockerconfigjson`. As written, however, the command creates a secret of type `Opaque`, and the kubelet only honours `imagePullSecrets` of type `kubernetes.io/dockerconfigjson` (or the legacy `kubernetes.io/dockercfg`). The documented form is `kubectl create secret generic my-reg --from-file=.dockerconfigjson=config.json --type=kubernetes.io/dockerconfigjson`; without `--type` the secret exists but the pull still fails with an authentication error.

Exam trap

The trap is the secret type. `kubectl create secret docker-registry` always produces `kubernetes.io/dockerconfigjson`, whereas `kubectl create secret generic` defaults to `Opaque` and needs `--type` before the kubelet will use it. Be aware also that recent kubectl releases accept `--from-file=.dockerconfigjson=...` on `kubectl create secret docker-registry`, so option D is valid syntax in practice and yields a correctly typed secret; the question treats it as unsupported, so check `kubectl create secret docker-registry --help` for the version you are being examined on and answer the way the question expects.

How to eliminate wrong answers

Option A is wrong because `kubectl create secret tls` creates a `kubernetes.io/tls` secret holding a serving certificate and key, not registry credentials. Option C is wrong for this question because `--docker-server`, `--docker-username`, `--docker-password` and `--docker-email` build a new config from individual values rather than importing an existing file. Option D is treated as wrong by the question on the grounds that `docker-registry` lacks `--from-file`; as noted above, current kubectl does support that flag, so on a real cluster D is the command that produces a pull-ready secret in one step.
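Because the secret type is what actually decides whether a pull works, the following added example (not Kubernetes or kubectl code) builds the two manifests the commands above would emit from a constructed Docker config for a hypothetical `registry.example.com`, then applies the kubelet's rule: only a Secret of type `kubernetes.io/dockerconfigjson` with a `.dockerconfigjson` key yields credentials.

```python
"""Checks an imagePullSecret the way the kubelet evaluates it before an image pull.

Added example, not Kubernetes or kubectl code. Builds two Secret manifests from
a constructed Docker config (hypothetical registry.example.com) and shows which
one the kubelet would actually use: only a Secret of type
kubernetes.io/dockerconfigjson carrying a .dockerconfigjson key.
"""
import base64
import json

PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def docker_config(registry, username, password):
    """Mimic the 'auths' layout of ~/.docker/config.json (constructed data)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {registry: {"auth": auth}}}


def make_secret(name, config, secret_type="Opaque"):
    """Mimic `kubectl create secret generic --from-file=.dockerconfigjson=...`:
    the type is Opaque unless --type=kubernetes.io/dockerconfigjson is given."""
    payload = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": secret_type,
            "metadata": {"name": name}, "data": {".dockerconfigjson": payload}}


def pull_credentials(secret):
    """Return {registry: (username, password)} if the kubelet would honour this
    secret as an imagePullSecret, otherwise raise ValueError with the reason."""
    if secret.get("type") != PULL_SECRET_TYPE:
        raise ValueError(f"type is {secret.get('type')!r}, kubelet requires {PULL_SECRET_TYPE!r}")
    encoded = secret.get("data", {}).get(".dockerconfigjson")
    if encoded is None:
        raise ValueError("missing .dockerconfigjson key")
    config = json.loads(base64.b64decode(encoded))
    creds = {}
    for registry, entry in config.get("auths", {}).items():
        if "auth" in entry:                       # "auth" is base64(user:password)
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        else:                                     # some tools emit explicit fields instead
            user, pw = entry.get("username", ""), entry.get("password", "")
        creds[registry] = (user, pw)
    return creds


if __name__ == "__main__":
    cfg = docker_config("registry.example.com", "ci-bot", "s3cret")
    for secret_type in ("Opaque", PULL_SECRET_TYPE):
        try:
            print(secret_type, "->", pull_credentials(make_secret("my-reg", cfg, secret_type)))
        except ValueError as err:
            print(secret_type, "-> rejected:", err)
```

The same check is useful when debugging `ErrImagePull` on a cluster: `kubectl get secret my-reg -o jsonpath='{.type}'` should print `kubernetes.io/dockerconfigjson`, and decoding `.data.\.dockerconfigjson` should show an `auths` entry whose hostname matches the image reference exactly.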

822
MCQeasy

Which YAML snippet correctly defines a CronJob that runs a task every 5 minutes?

A.schedule: "*/5 * * *"
B.schedule: "*/5 * * * *"
C.schedule: "0 */5 * * *"
D.schedule: "* * * * *"
AnswerB

This is the only five-field expression that fires at every minute divisible by 5.

Why this answer

Option B is correct: `*/5` in the minute field means every fifth minute (0, 5, 10, ...), and the other four fields are wildcards. Option A has only four fields, so the CronJob is rejected at admission (Kubernetes uses the standard five fields: minute, hour, day of month, month, day of week). Option C fires at minute 0 of every fifth hour (00:00, 05:00, 10:00, ...). Option D fires every minute.
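The four options can be compared without creating a CronJob. The following added example (not the CronJob controller's code) is a small five-field cron matcher that validates an expression, expands each field, and lists the next firing times; it ANDs the day-of-month and day-of-week fields, which is a simplification of standard cron's OR rule when both are restricted:

```python
"""Five-field cron matcher, the grammar Kubernetes CronJob.spec.schedule uses.

Added example, not the CronJob controller's code. It validates an expression,
expands each field, and computes the next firing times.
Simplification: standard cron ORs day-of-month and day-of-week when both are
restricted; this matcher ANDs all five fields.
"""
from datetime import datetime, timedelta

# (name, lowest, highest) for each field, in cron order
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
          ("month", 1, 12), ("weekday", 0, 6)]          # weekday: 0 = Sunday


def parse_field(spec, lo, hi):
    """Expand one field ('*', 'a', 'a-b', '*/n', 'a/n', comma lists) into a set."""
    values = set()
    for part in spec.split(","):
        base, _, step_text = part.partition("/")
        step = int(step_text) if step_text else 1
        if step < 1:
            raise ValueError(f"bad step in {spec!r}")
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            a, b = base.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(base)
            end = hi if step_text else start     # 'a/n' runs from a to the top, every n
        if not lo <= start <= end <= hi:
            raise ValueError(f"{spec!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(expr):
    """Validate the field count and expand all five fields."""
    parts = expr.split()
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {expr!r}")
    return [parse_field(p, lo, hi) for p, (_, lo, hi) in zip(parts, FIELDS)]


def _fires(sched, t):
    minute, hour, day, month, weekday = sched
    cron_wd = (t.weekday() + 1) % 7          # Python: Monday=0; cron: Sunday=0
    return (t.minute in minute and t.hour in hour and t.day in day
            and t.month in month and cron_wd in weekday)


def matches(expr, when_iso):
    """True if the schedule fires at the given minute (ISO 8601 timestamp)."""
    return _fires(parse_schedule(expr), datetime.fromisoformat(when_iso))


def next_runs(expr, start_iso, count):
    """The next `count` firing times strictly after start, as ISO strings."""
    sched = parse_schedule(expr)
    t = datetime.fromisoformat(start_iso).replace(second=0, microsecond=0)
    runs = []
    while len(runs) < count:
        t += timedelta(minutes=1)
        if _fires(sched, t):
            runs.append(t.isoformat(timespec="minutes"))
    return runs


if __name__ == "__main__":
    for option, schedule in [("A", "*/5 * * *"), ("B", "*/5 * * * *"),
                             ("C", "0 */5 * * *"), ("D", "* * * * *")]:
        try:
            print(option, schedule, "->", next_runs(schedule, "2024-01-01T00:00", 3))
        except ValueError as err:
            print(option, schedule, "-> invalid:", err)
```

Run as a script it rejects option A for having four fields and prints the first three firings of B (00:05, 00:10, 00:15), C (05:00, 10:00, 15:00) and D (00:01, 00:02, 00:03).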

823
MCQeasy

What is the correct apiVersion for a Kubernetes Job in v1.29?

A.batch/v1beta1
B.apps/v1
C.batch/v1
D.v1
AnswerC

batch/v1 is the stable, and only served, version for Job.

Why this answer

Job has been stable at batch/v1 for many releases. The `batch/v1beta1` version belonged to CronJob, which moved to batch/v1 in 1.21 and had v1beta1 removed in 1.25, so neither resource accepts v1beta1 in 1.29. apps/v1 is the group for Deployments, StatefulSets and DaemonSets, and a bare `v1` is the core group (Pods, Services, ConfigMaps). `kubectl api-resources | grep -i job` confirms the group/version on a live cluster.

824
MCQmedium

You have created a HorizontalPodAutoscaler (HPA) for a Deployment. The HPA is configured with targetCPUUtilizationPercentage: 50. The current CPU utilization is 80%. What will the HPA do?

A.It will restart the pods
B.It will do nothing because HPA only scales based on memory
C.It will increase the number of replicas
D.It will decrease the number of replicas
AnswerC

Correct. Utilization is above target, so the HPA scales out.

Why this answer

The HPA computes desiredReplicas = ceil(currentReplicas * currentUtilization / targetUtilization); with 80% measured against a 50% target the ratio is 1.6, so replicas are added until average utilization drops toward 50%, subject to the default 10% tolerance and the `maxReplicas` bound. Utilization is measured against each container's CPU request, so pods without a CPU request cannot be autoscaled on CPU, and the numbers come from metrics-server via the Metrics API. Option A is wrong because the HPA never restarts pods, and option B is wrong because CPU is the original and most common HPA metric.
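Worked out for this question, as an added example rather than controller-manager code: the function below applies the documented formula with the default 10% tolerance and the min/max clamp, and derives the 80% figure from constructed per-pod metrics (four pods each using 400m against a 500m request, an assumed replica count since the question gives none).

```python
"""HPA replica arithmetic for a CPU utilization target.

Added example, not controller-manager code; it applies the formula from the
HPA documentation, desired = ceil(current * currentMetric / targetMetric),
with the default 10% tolerance and the min/max clamp, to the scenario in the
question (4 replicas assumed, 80% observed against a 50% target).
"""
import math


def cpu_utilization_percent(usage_millicores, request_millicores):
    """Average of usage/request across the Deployment's pods, in percent.
    Utilization is relative to the container's CPU *request*, so a pod
    without a request cannot be autoscaled on CPU."""
    if request_millicores <= 0:
        raise ValueError("CPU request must be set for utilization-based scaling")
    ratios = [u / request_millicores for u in usage_millicores]
    return 100.0 * sum(ratios) / len(ratios)


def hpa_desired_replicas(current_replicas, current_pct, target_pct,
                         min_replicas=1, max_replicas=10, tolerance=0.10):
    """Replica count the HPA moves to for one scaling decision.
    Real controllers also apply stabilization windows and behaviour
    policies; this is the core formula only."""
    ratio = current_pct / target_pct
    if abs(ratio - 1.0) <= tolerance:          # within tolerance: no change
        return current_replicas
    desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired))


if __name__ == "__main__":
    # Constructed metrics: four pods each using 400m against a 500m request = 80%.
    pct = cpu_utilization_percent([400, 400, 400, 400], 500)
    print(f"utilization {pct:.0f}% -> replicas", hpa_desired_replicas(4, pct, 50))
    print("52% is inside tolerance ->", hpa_desired_replicas(4, 52, 50))
    print("20% scales in ->", hpa_desired_replicas(4, 20, 50))
    print("clamped to maxReplicas=6 ->", hpa_desired_replicas(4, 80, 50, max_replicas=6))
```

With 4 replicas at 80% the HPA asks for ceil(4 * 1.6) = 7; at 52% the ratio 1.04 is inside the tolerance band and nothing happens; at 20% it scales in to 2; and a `maxReplicas` of 6 caps the scale-out at 6.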

825
MCQhard

A Deployment has a rolling update strategy with maxSurge: 1 and maxUnavailable: 0. The Deployment has 4 replicas. During a rollout, what is the maximum number of pods that can exist at any point?

A.5
B.6
C.8
D.4
AnswerA

Desired 4 + maxSurge 1 = 5 pods maximum.

Why this answer

With maxSurge: 1, at most one pod above the desired count of 4 can exist, so the ceiling is 5. maxUnavailable: 0 additionally guarantees that at least 4 pods remain available throughout, so the count only ever moves between 4 and 5: a new pod is created, waits until it is Ready, and only then is an old one terminated. Both fields may also be given as percentages of the desired count, in which case maxSurge rounds up and maxUnavailable rounds down.
