Certified Kubernetes Application Developer CKAD (CKAD) — Questions 826900

991 questions total · 14pages · All types, answers revealed

Page 11

Page 12 of 14

Page 13
826
MCQeasy

You need to view metrics from a Pod running a web server. Which approach follows Kubernetes best practices?

A.Configure a Prometheus server to scrape the Pod's /metrics endpoint.
B.Use kubectl top pod to view CPU and memory metrics.
C.Exec into the container and run curl to check health.
D.Create a ServiceMonitor resource to expose metrics.
AnswerA

Prometheus is the de facto monitoring solution for Kubernetes.

Why this answer

Option A is correct because Prometheus is the de facto standard for monitoring in Kubernetes, and scraping a Pod's /metrics endpoint is the recommended approach for collecting application-level metrics. This follows the Kubernetes best practice of exposing metrics via an HTTP endpoint that a monitoring system can scrape, rather than relying on ephemeral commands or resource-level metrics.

Exam trap

The trap here is that candidates confuse resource-level metrics (CPU/memory) with application-level metrics, or assume that kubectl top pod or exec commands are sufficient for observability, when Kubernetes best practices emphasize using a dedicated monitoring system like Prometheus for application metrics.

How to eliminate wrong answers

Option B is wrong because kubectl top pod only shows CPU and memory usage from the resource metrics pipeline, not application-level metrics like request latency or error rates. Option C is wrong because execing into a container and running curl is an ad-hoc debugging method, not a scalable or best-practice approach for ongoing observability. Option D is wrong because a ServiceMonitor is a Prometheus Operator custom resource that requires the Operator to be installed and is not a native Kubernetes resource; it is not a general best practice for all clusters.

827
Multi-Selectmedium

Which TWO of the following are valid ways to expose a Service externally in a Kubernetes cluster?

Select 2 answers
A.Service type ClusterIP
B.Service type ExternalName
C.Service type LoadBalancer
D.Service type NodePort
E.Ingress resource with ClusterIP Service
AnswersC, D

LoadBalancer provisions external LB.

Why this answer

Service type LoadBalancer (C) exposes the Service externally by provisioning a cloud load balancer (e.g., AWS ELB, GCP L7) that routes external traffic to the Service's ClusterIP. Service type NodePort (D) exposes the Service on a static port (30000-32767) on every node's IP, allowing external access via <NodeIP>:<NodePort>. Both are valid methods for external exposure in Kubernetes.

Exam trap

The trap here is that candidates often think Ingress alone can expose a Service externally, but Ingress is only a routing layer that requires an underlying Service of type NodePort or LoadBalancer to actually receive external traffic.

828
MCQmedium

You want to perform a blue-green deployment using Deployments and Services. You have two Deployments: 'app-blue' (current) and 'app-green' (new). The Service 'app-service' currently selects pods with label 'version: blue'. What kubectl command should you run to switch traffic to the green deployment?

A.kubectl patch service app-service -p '{"spec":{"selector":{"version":"green"}}}'
B.kubectl delete service app-service --ignore-not-found && kubectl create service app-service --selector version=green
C.kubectl set selector service/app-service version=green
D.kubectl apply -f service.yaml where service.yaml has the new selector
AnswerA

This patches the Service to select green pods.

Why this answer

To switch traffic, update the Service's selector to point to the green deployment's pods, which have label 'version: green'. kubectl patch is a direct way to update the selector.

829
Multi-Selectmedium

Which TWO of the following commands create a ConfigMap named 'my-config' from a file named 'app.properties'? (Choose two.)

Select 3 answers
A.kubectl create configmap my-config --from-file=app.properties --from-literal=extra=value
B.kubectl create configmap my-config --from-file=app.properties=app.properties
C.kubectl create configmap my-config --from-env-file=app.properties
D.kubectl create configmap my-config --from-literal=app.properties
E.kubectl create configmap my-config --from-file=app.properties
AnswersB, C, E

Correct: explicitly sets the key to 'app.properties'.

Why this answer

Option B is correct because `--from-file` can take a key-value pair in the form `--from-file=<key>=<source>`, which creates a ConfigMap entry with the key `app.properties` and the value from the file `app.properties`. Option C is correct because `--from-env-file` reads a file containing key=value lines and creates a ConfigMap with each line as a separate entry. Option E is also correct because `--from-file=app.properties` creates a ConfigMap with a single entry whose key is the filename and value is the file content.

Exam trap

The trap here is that candidates often confuse `--from-file` with `--from-env-file` and think `--from-literal` can read a file, or they miss that `--from-file=app.properties=app.properties` is a valid key=source syntax that overrides the default key.

830
MCQeasy

A Secret named 'db-secret' of type Opaque contains a key 'password'. How do you reference this key as an environment variable named 'DB_PASSWORD' in a pod spec?

A.env: - name: DB_PASSWORD valueFrom: configMapKeyRef: name: db-secret key: password
B.env: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password
C.envFrom: - secretRef: name: db-secret key: password
D.env: - name: DB_PASSWORD value: "db-secret.password"
AnswerB

Correct. secretKeyRef references the key from the named Secret.

Why this answer

Option B is correct because it uses the `secretKeyRef` field under `valueFrom` to reference a specific key from a Kubernetes Secret of type Opaque. The `secretKeyRef` is the proper mechanism to inject a single key from a Secret as an environment variable, mapping the key 'password' to the environment variable name 'DB_PASSWORD'.

Exam trap

The trap here is confusing `configMapKeyRef` with `secretKeyRef` — CNCF often tests whether candidates know that Secrets require `secretKeyRef` while ConfigMaps use `configMapKeyRef`, and that `envFrom` with `secretRef` injects all keys, not a single key.

How to eliminate wrong answers

Option A is wrong because it uses `configMapKeyRef`, which is used to reference keys from a ConfigMap, not a Secret; Secrets require `secretKeyRef`. Option C is wrong because `envFrom` with `secretRef` injects all keys from the Secret as environment variables, not a single key, and the syntax shown incorrectly includes a `key` field which is not valid under `secretRef`. Option D is wrong because it uses a static `value` string, which does not dynamically reference the Secret's key; Kubernetes will treat the string literally as 'db-secret.password' rather than fetching the actual password value.

831
MCQmedium

Which command correctly creates a Role named 'pod-reader' that allows get, list, and watch on pods?

A.kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
B.kubectl create role pod-reader --verb=get,list,watch --resource=Pod
C.kubectl create role pod-reader --verb=get,list,watch --resource=pods
D.kubectl create role pod-reader --verbs=get,list,watch --resources=pods
AnswerC

This correctly uses comma-separated verbs and specifies the resource.

Why this answer

Option C is correct because the `kubectl create role` command uses the `--verb` flag (singular) with comma-separated values and the `--resource` flag (singular) with the lowercase plural resource name 'pods'. This matches the Kubernetes API convention where resources are specified as lowercase plurals (e.g., 'pods', 'deployments') and verbs are comma-separated.

Exam trap

The trap here is that candidates often confuse the singular `--verb`/`--resource` flags with the plural `--verbs`/`--resources` or incorrectly use repeated `--verb` flags, leading to syntax errors or incorrect RBAC rule generation.

How to eliminate wrong answers

Option A is wrong because it uses multiple `--verb` flags, which is not the correct syntax; `kubectl create role` expects a single `--verb` flag with comma-separated values, not repeated flags. Option B is wrong because it uses 'Pod' with a capital P, but Kubernetes resource names must be lowercase plural (e.g., 'pods'). Option D is wrong because it uses `--verbs` (plural) and `--resources` (plural), but the correct flags are the singular forms `--verb` and `--resource`.

832
MCQmedium

You have a Dockerfile that uses a multi-stage build. Which of the following statements about multi-stage builds is correct?

A.Multi-stage builds require a single FROM statement
B.Multi-stage builds increase the final image size
C.Each stage must have a unique name
D.Artifacts from earlier stages can be copied to later stages using COPY --from
AnswerD

Correct: COPY --from copies files from a previous stage.

Why this answer

Multi-stage builds allow you to copy artifacts from one stage to another using COPY --from. This reduces the final image size by discarding build dependencies.

833
MCQhard

You want to restrict ingress traffic to pods with label 'app: web' in namespace 'frontend' to only come from pods in namespace 'backend'. Which NetworkPolicy YAML is correct?

A.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-backend namespace: frontend spec: podSelector: matchLabels: app: web policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: backend
B.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-backend namespace: backend spec: podSelector: matchLabels: app: web ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: frontend
C.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-backend namespace: frontend spec: podSelector: matchLabels: app: web ingress: - from: - ipBlock: cidr: 0.0.0.0/0
D.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-backend namespace: frontend spec: podSelector: matchLabels: app: web policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: backend
AnswerA

This selects pods with label 'app: web' in 'frontend' and allows ingress from any pod in namespace 'backend'.

Why this answer

To allow ingress only from pods in namespace 'backend', you need to use namespaceSelector under from, and also select the pod (optional if any pod). The correct YAML has a namespaceSelector matching the namespace label for 'backend'.

834
MCQmedium

A pod in namespace 'default' cannot resolve the service name 'db' in namespace 'data'. Which DNS name should the pod use to reach the service?

A.db.default.svc.cluster.local
B.data.db.svc.cluster.local
C.db.data.svc.cluster.local
D.db.svc.data.cluster.local
AnswerC

Correct. The format is <service>.<namespace>.svc.cluster.local.

Why this answer

Cross-namespace DNS requires the full service name: 'service.namespace.svc.cluster.local'.

835
MCQmedium

You apply the following Ingress manifest: ``` apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress spec: ingressClassName: nginx rules: - host: app.example.com http: paths: - pathType: Prefix path: / backend: service: name: app-svc port: number: 80 ``` What is missing to enable TLS termination for this Ingress?

A.Create a ConfigMap with the TLS certificate
B.Set `service.beta.kubernetes.io/load-balancer-source-ranges` annotation on the Service
C.Change the Ingress API version to extensions/v1beta1
D.Add `tls` section under spec with hosts and secretName
AnswerD

The tls section is required to configure TLS termination.

Why this answer

To enable TLS, you must specify a `tls` block with hosts and a secret name containing the certificate.

836
Multi-Selecthard

You are tasked with improving the observability of a microservices application running in Kubernetes. The application is deployed with multiple replicas and experiences occasional high latency. Which TWO actions should you take to gain better insight into the application's performance?

Select 2 answers
A.Increase the replica count for each deployment to reduce latency.
B.Enable Prometheus metrics endpoints on each pod and configure a Prometheus server to scrape them.
C.Configure readiness probes to ensure only healthy pods receive traffic.
D.Add liveness probes to all containers to detect when they are unresponsive.
E.Implement distributed tracing using Jaeger to trace requests across services.
AnswersB, E

Prometheus metrics provide detailed performance data.

Why this answer

Option B is correct because Prometheus is the standard open-source monitoring and alerting toolkit in the Kubernetes ecosystem. By exposing metrics endpoints on each pod (typically at /metrics) and configuring a Prometheus server to scrape them, you can collect detailed performance data such as request latency, error rates, and resource utilization, which directly helps diagnose high-latency issues.

Exam trap

CNCF often tests the distinction between observability (monitoring, metrics, tracing) and reliability mechanisms (probes, scaling), so candidates mistakenly choose readiness or liveness probes as tools for performance insight instead of recognizing they only ensure basic health and traffic routing.

837
MCQeasy

Which of the following is true about headless services?

A.It performs round-robin load balancing across pods
B.It has no cluster IP; DNS returns the IPs of the pods
C.It provides a single DNS record for the service
D.It must not have a selector
AnswerB

Correct. The clusterIP is set to None, and DNS returns pod IPs.

Why this answer

A headless service is created by setting clusterIP: None. It does not have a cluster IP; instead, DNS returns the IP addresses of the pods matching the selector. This is useful for StatefulSets.

Option C is correct. Option A is false because it does have a DNS record. Option B is false because it does not perform load balancing.

Option D is false because it can have a selector.

838
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the memory limit in the pod's container resource specification
B.Increase the CPU request for the container
C.Delete and recreate the pod to clear the crash loop
D.Delete the namespace and redeploy all workloads
AnswerA

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The pod is in CrashLoopBackOff with an OOMKilled message, which indicates the container is being terminated by the Linux kernel's Out-Of-Memory (OOM) killer because it has exceeded its memory limit. Increasing the memory limit in the pod's container resource specification allows the container to use more memory without being killed, directly addressing the root cause.

Exam trap

The trap here is that candidates may confuse CPU and memory resource management or think that restarting the pod will fix the issue, but OOMKilled is a persistent resource constraint problem that requires adjusting the memory limit.

How to eliminate wrong answers

Option B is wrong because increasing the CPU request does not affect memory usage or prevent OOM kills; CPU and memory are independent resources in Kubernetes. Option C is wrong because deleting and recreating the pod will not resolve the underlying memory limit issue; the pod will crash again with the same OOMKilled error. Option D is wrong because deleting the entire namespace and redeploying all workloads is an extreme, unnecessary action that does not fix the memory limit configuration and would disrupt all other workloads in the namespace.

839
MCQmedium

A developer creates a Dockerfile with the following content: FROM alpine:3.18 COPY app.sh /app.sh RUN chmod +x /app.sh CMD ["/app.sh"] They want to override the command to run '/app.sh --debug' when deploying the container in Kubernetes. Which of the following pod spec fields should they use?

A.spec.containers[].entrypoint
B.spec.containers[].command
C.spec.containers[].args
D.spec.command
AnswerC

args overrides the CMD instruction in the Dockerfile. Setting args to ['--debug'] will append to the entrypoint, resulting in '/app.sh --debug'.

Why this answer

Option B is correct. The command field in the pod spec overrides the ENTRYPOINT in the Dockerfile, while args overrides CMD. To override CMD, you set args.

If they wanted to override both, they'd use command.

840
MCQmedium

You run 'kubectl get pods' and see that a pod is in 'Pending' state. What is the most likely cause?

A.The readiness probe is failing
B.The container command exited with an error
C.The pod's imagePullPolicy is set to Never
D.The node has insufficient resources to run the pod
AnswerD

If no node can satisfy the pod's resource requests, the pod remains unschedulable and shows Pending.

Why this answer

A Pending state typically means the pod cannot be scheduled, often due to insufficient resources or node selector issues. Other options like container crash or readiness failure would result in different states.

841
Multi-Selecthard

You are troubleshooting a Pod that cannot start because it fails with 'Error: container has runAsNonRoot and image will run as root'. The Pod's SecurityContext has 'runAsNonRoot: true' and no explicit 'runAsUser'. Which three actions could resolve this? (Choose three.)

Select 3 answers
A.Remove 'runAsNonRoot: true' from the SecurityContext.
B.Set 'readOnlyRootFilesystem: true' in the SecurityContext.
C.Use a container image that runs as a non-root user by default.
D.Set 'runAsGroup: 3000' in the SecurityContext.
E.Set 'runAsUser: 1000' in the SecurityContext.
AnswersA, C, E

Disables the requirement; the container can run as root.

Why this answer

Option A is correct because removing 'runAsNonRoot: true' eliminates the constraint that the container image must run as a non-root user. Since the image runs as root by default and no 'runAsUser' is set, the Pod fails. Removing the flag allows the container to start with its default root user.

Exam trap

The trap here is that candidates may think setting 'runAsGroup' or 'readOnlyRootFilesystem' can indirectly fix the user mismatch, but neither changes the effective UID, so they do not resolve the runAsNonRoot violation.

842
MCQmedium

A pod named 'webapp' is stuck in 'Pending' state. 'kubectl describe pod webapp' shows '0/1 nodes are available: 1 Insufficient memory'. What is the most likely cause?

A.The node has insufficient CPU
B.The container was killed due to out-of-memory
C.The pod's memory request exceeds available node memory
D.The container image does not exist
AnswerC

The pod is pending because no node can satisfy the memory request.

Why this answer

Option D is correct. The error indicates no node has enough memory to schedule the pod. Option A (image pull) would show ImagePullBackOff.

Option B (CPU) would show CPU insufficiency. Option C (OOMKilled) would only occur after the pod runs.

843
MCQmedium

You have a pod with two containers: one runs a web server, and the other is a sidecar that logs the web server's output to a central logging system. Which pattern does this represent?

A.Sidecar pattern
B.Decorator pattern
C.Ambassador pattern
D.Adapter pattern
AnswerA

A sidecar container enhances or extends the functionality of the main container, such as logging, monitoring, or proxying.

Why this answer

Option A is correct. The sidecar pattern adds a helper container alongside the main container to extend its functionality (e.g., logging). Option B (adapter) normalizes output.

Option C (ambassador) proxies connections to external services. Option D (decorator) is not a standard Kubernetes pattern.

844
MCQmedium

A Pod is stuck in CrashLoopBackOff. You run 'kubectl logs mypod' and get no output. What is the most likely cause?

A.The Pod is not ready yet.
B.The application crashes before writing any logs.
C.The liveness probe is failing.
D.The container never started due to a missing image.
AnswerB

If the application crashes immediately, it may not output any logs before exiting.

Why this answer

When a Pod is in CrashLoopBackOff and `kubectl logs mypod` returns no output, the most likely cause is that the application crashes before it can write any logs to stdout/stderr. The container starts, runs briefly, and exits before the logging framework initializes, so no log data is captured by the container runtime.

Exam trap

CNCF often tests the distinction between a container that never starts (image pull failure) and one that starts but crashes immediately, with the key clue being the Pod status (CrashLoopBackOff vs ImagePullBackOff) and the absence of log output indicating a pre-log crash.

How to eliminate wrong answers

Option A is wrong because a Pod not being ready yet would typically show a status like 'ContainerCreating' or 'Init:0/1', not CrashLoopBackOff, and logs would still be available if the container had run. Option C is wrong because a failing liveness probe would cause the container to be restarted, but logs would still contain output from the application before the probe failure, unless the crash happens before any log output. Option D is wrong because if the container never started due to a missing image, the Pod would be in 'ImagePullBackOff' or 'ErrImagePull' status, not CrashLoopBackOff, and `kubectl logs` would return an error like 'container is waiting to start'.

845
MCQeasy

Which kubectl command shows detailed information about a pod, including events, labels, and container state?

A.kubectl logs my-pod
B.kubectl describe pod my-pod
C.kubectl get pod my-pod -o yaml
D.kubectl top pod my-pod
AnswerB

Correct. Shows detailed info including events.

Why this answer

kubectl describe pod provides detailed information about a pod.

846
MCQhard

A ConfigMap named 'env-config' has keys 'DB_HOST' and 'DB_PORT'. A pod needs to set the environment variable 'DATABASE_HOST' to the value of 'DB_HOST' from the ConfigMap, and 'DB_PORT' directly as 'DB_PORT'. Which YAML snippet correctly achieves this?

A.env: - name: DB_PORT valueFrom: configMapKeyRef: name: env-config key: DB_PORT envFrom: - configMapRef: name: env-config
B.env: - name: DATABASE_HOST valueFrom: configMapKeyRef: name: env-config key: DB_HOST envFrom: - configMapRef: name: env-config
C.envFrom: - configMapRef: name: env-config env: - name: DATABASE_HOST value: DB_HOST
D.envFrom: - configMapRef: name: env-config prefix: DATABASE_
AnswerB

This sets DATABASE_HOST from the ConfigMap key DB_HOST, and then loads all keys (DB_HOST and DB_PORT) as env vars, but note that envFrom might overwrite DATABASE_HOST if the key DB_HOST is also loaded. Actually, the order: env is processed first, then envFrom. So DATABASE_HOST will be set, then envFrom will set DB_HOST as an env var, but since DATABASE_HOST is already set, it remains. However, there would be both DATABASE_HOST and DB_HOST env vars. That's acceptable.

Why this answer

Option B is correct: for 'DATABASE_HOST', it uses valueFrom with configMapKeyRef mapping key 'DB_HOST' to the env var. For 'DB_PORT', it uses envFrom with configMapRef to load all keys. Option A uses envFrom for both, but that would not rename 'DB_HOST'.

Option C uses envFrom for DATABASE_HOST, which won't rename. Option D uses env with configMapKeyRef for DB_PORT, but then envFrom overrides it? Actually, order matters: envFrom is processed after env, so env would be overwritten. But the correct approach is to use env for the renamed variable and envFrom for the rest.

847
MCQhard

You have a Deployment that must run a legacy application that takes up to 5 minutes to start. You need to ensure the liveness probe does not kill the container prematurely. Which probe configuration should you use?

A.Use a HTTP GET liveness probe with path /healthz and port 8080
B.Set livenessProbe.initialDelaySeconds to 300
C.Configure a startup probe with a high failureThreshold and appropriate initialDelaySeconds
D.Set livenessProbe.periodSeconds to a high value, like 300
AnswerC

A startup probe delays liveness and readiness checks until the container has started successfully, preventing premature restarts.

Why this answer

Option C is correct because a startup probe is specifically designed for slow-starting containers. It runs before the liveness probe and allows the container extra time to initialize without being killed. By setting a high failureThreshold (e.g., 30) and an appropriate initialDelaySeconds, the probe can wait up to 5 minutes for the application to start, after which the liveness probe takes over.

Exam trap

The trap here is that candidates often confuse initialDelaySeconds with a solution for slow starts, but it only delays the first probe and does not prevent the liveness probe from killing the container if the app takes longer than the sum of initialDelaySeconds and the failure threshold interval.

How to eliminate wrong answers

Option A is wrong because a simple HTTP GET liveness probe without any delay or threshold adjustments would start immediately and kill the container after the default failure threshold (3 failures) within seconds, not allowing the 5-minute startup time. Option B is wrong because setting livenessProbe.initialDelaySeconds to 300 only delays the first liveness check but does not prevent the probe from failing quickly after that; the container could still be killed if the application takes the full 5 minutes to respond, as the probe would fail after the initial delay and hit the failure threshold. Option D is wrong because setting livenessProbe.periodSeconds to a high value like 300 reduces the frequency of checks but does not prevent the probe from failing on its first check after the initial delay; the container could still be killed before the application starts if the probe fails immediately.

848
MCQmedium

A pod uses a ServiceAccount 'my-sa' but the pod's container needs to list pods in the namespace. Which RBAC resources are necessary?

A.Role and RoleBinding
B.Role and ClusterRoleBinding
C.ServiceAccount and RoleBinding only
D.ClusterRole and ClusterRoleBinding
AnswerA

A Role defines permissions within a namespace, and a RoleBinding binds it to a user, group, or ServiceAccount.

Why this answer

A Role and RoleBinding are necessary because the pod's ServiceAccount 'my-sa' needs permissions to list pods within a specific namespace. A Role defines the allowed API operations (e.g., 'list pods') scoped to a namespace, and a RoleBinding binds that Role to the ServiceAccount, granting those permissions within that namespace. This is the standard RBAC pattern for namespace-scoped access in Kubernetes.

Exam trap

CNCF often tests the distinction between namespace-scoped and cluster-scoped RBAC resources, trapping candidates who assume that any 'list pods' operation requires a ClusterRole, when in fact a Role and RoleBinding are sufficient for a single namespace.

How to eliminate wrong answers

Option B is wrong because a ClusterRoleBinding would grant cluster-wide permissions, which is excessive and unnecessary for listing pods in a single namespace; a RoleBinding is sufficient. Option C is wrong because a ServiceAccount alone does not grant permissions; it requires a Role (or ClusterRole) to define the allowed actions, and a RoleBinding to associate them. Option D is wrong because a ClusterRole and ClusterRoleBinding grant permissions across all namespaces, which is overkill and violates the principle of least privilege for a namespace-scoped operation.

849
MCQeasy

Which of the following commands creates a LoadBalancer Service named `web-svc` for a Deployment named `web` on port 80?

A.kubectl create service web-svc --port=80 --type=LoadBalancer
B.kubectl expose deployment web --name=web-svc --port=80 --type=LoadBalancer
C.kubectl create deployment web --expose --port=80 --type=LoadBalancer
D.kubectl expose pod web --port=80 --type=LoadBalancer
AnswerB

Correct syntax.

Why this answer

The `kubectl expose` command with `--type=LoadBalancer` creates a LoadBalancer Service.

850
MCQhard

A Service of type LoadBalancer is created but the external IP remains <pending>. What is the most likely reason?

A.The Service port is already in use
B.The Service selector does not match any Pods
C.The cluster does not have a cloud provider configured
D.The Pods are not listening on the container port
AnswerC

Without a cloud controller, no LB is provisioned.

Why this answer

A LoadBalancer Service in Kubernetes relies on an external cloud provider (e.g., AWS, GCP, Azure) to provision a real load balancer and assign its external IP. If no cloud provider is configured (e.g., in a bare-metal or Minikube cluster), the external IP will remain <pending> indefinitely because there is no controller to allocate the IP.

Exam trap

The trap here is that candidates often confuse a LoadBalancer's external IP assignment with Pod readiness or port availability, but the core requirement is a functioning cloud provider integration to allocate the external IP.

How to eliminate wrong answers

Option A is wrong because a port conflict would cause the Service creation to fail or the NodePort assignment to error, not leave the external IP as <pending>. Option B is wrong because mismatched selectors would result in no endpoints for the Service, but the external IP would still be assigned by the cloud provider if one were configured. Option D is wrong because Pods not listening on the container port would cause connection failures, but the LoadBalancer external IP assignment is independent of Pod readiness.

851
Multi-Selecthard

You need to perform a canary deployment using a Service and two Deployments (stable and canary). Which TWO resources or configurations are typically used to route a percentage of traffic to the canary? (Select TWO)

Select 2 answers
A.Service Mesh (e.g., Istio VirtualService)
B.A single Service with multiple label selectors
C.NetworkPolicy
D.Ingress with canary annotation
E.HorizontalPodAutoscaler
AnswersA, D

Service Mesh provides fine-grained traffic splitting.

Why this answer

An Ingress with canary annotations or a Service Mesh such as Istio are commonly used. A single Service with multiple selectors does not split traffic. NetworkPolicy controls access, not routing.

852
MCQhard

You have a Helm chart for an application. After running 'helm install my-release ./mychart', you realize you forgot to set a required value. Which command can you use to update the release with the correct value while keeping the same chart version?

A.kubectl edit deployment my-release
B.helm install my-release ./mychart --set key=value
C.helm upgrade my-release ./mychart --set key=value
D.helm rollback my-release 1
AnswerC

This updates the release with the new value.

Why this answer

Helm upgrade modifies a release with new values or chart changes. The --set flag overrides values inline.

853
MCQmedium

You have a Deployment named 'web-app' with 3 replicas. You want to expose the pods on port 80 internally within the cluster using a ClusterIP service. Which kubectl command should you use?

A.kubectl expose deployment web-app --port=80 --target-port=8080
B.kubectl create service clusterip web-app --tcp=80:8080
C.kubectl create service nodeport web-app --tcp=80:8080
D.kubectl expose pod web-app --port=80 --target-port=8080
AnswerA

This creates a ClusterIP service targeting the Deployment's pods on port 80.

Why this answer

The 'kubectl expose' command with appropriate flags creates a ClusterIP service by default. Option B is the correct command.

854
MCQmedium

A Deployment named 'app' has the following strategy: type: RollingUpdate with maxSurge=1 and maxUnavailable=0. You have 5 replicas. During a rolling update, how many pods will be running at any given time?

A.Between 5 and 6
B.Between 4 and 5
C.Between 5 and 10
D.Exactly 5
AnswerA

With maxUnavailable=0 and maxSurge=1, the deployment ensures at least 5 pods are available, but can have up to 6 while the update is in progress.

Why this answer

With maxUnavailable=0, no pods can be unavailable during the update. With maxSurge=1, one extra pod can be created above the desired 5, so total running pods can be 6. The new pod is created first, then the old pod is terminated, ensuring 5 pods are always available.

855
MCQeasy

A pod is scheduled but remains in 'Pending' state. Running 'kubectl describe pod mypod' shows: '0/1 nodes are available: 1 Insufficient memory'. What is the most likely cause?

A.The pod's memory request exceeds the available memory on any node
B.The pod is using too many CPU resources
C.The pod's memory limit is too low
D.The pod's container is crashing due to a bug
AnswerA

Insufficient memory means the pod's request cannot be met by any node.

Why this answer

The '0/1 nodes are available: 1 Insufficient memory' message indicates that the Kubernetes scheduler attempted to place the pod on a node but found that the node's allocatable memory is less than the pod's memory request. The pod's memory request must be satisfied by at least one node for scheduling to succeed; if no node has enough unallocated memory, the pod remains Pending. This is a resource request, not a limit, that gates scheduling.

Exam trap

The trap here is that candidates confuse memory requests with memory limits, assuming that setting a low limit (or no limit) would fix scheduling, when in fact the scheduler only evaluates requests, not limits.

How to eliminate wrong answers

Option B is wrong because the error message explicitly mentions 'Insufficient memory', not CPU; insufficient CPU would produce a different message like 'Insufficient cpu'. Option C is wrong because a low memory limit does not prevent scheduling—limits are enforced at runtime by the kubelet, not by the scheduler; the scheduler only considers requests. Option D is wrong because a crashing container would result in a CrashLoopBackOff or Error state, not a Pending state; Pending means the pod has not been scheduled to a node yet.

856
MCQmedium

You have a service account 'my-sa' in the default namespace. You want a pod to use this service account and also prevent the pod from mounting the service account token. Which pod spec configuration is correct?

A.spec: serviceAccountName: my-sa automountServiceAccountToken: true
B.spec: serviceAccount: my-sa automountServiceAccountToken: true
C.spec: serviceAccountName: my-sa automountServiceAccountToken: false
D.spec: serviceAccountName: default automountServiceAccountToken: false
AnswerC

Correctly sets SA and disables token mount.

Why this answer

Option C is correct because setting `automountServiceAccountToken: false` in the pod spec prevents the automatic mounting of the service account token, while `serviceAccountName: my-sa` specifies the desired service account. This satisfies both requirements: using the custom service account and disabling token mounting.

Exam trap

CNCF often tests the distinction between the deprecated `serviceAccount` field and the current `serviceAccountName` field, as well as the default `true` value of `automountServiceAccountToken`, leading candidates to overlook the need to explicitly set it to `false` when token mounting must be prevented.

How to eliminate wrong answers

Option A is wrong because `automountServiceAccountToken: true` explicitly mounts the token, which contradicts the requirement to prevent token mounting. Option B is wrong because it uses the deprecated `serviceAccount` field (instead of `serviceAccountName`) and sets `automountServiceAccountToken: true`, which again mounts the token. Option D is wrong because it specifies the `default` service account instead of `my-sa`, failing to use the required service account.

857
MCQeasy

Which command creates a Service named 'my-svc' that exposes a deployment named 'my-deploy' on port 80?

A.kubectl create service my-svc --port=80 --target-port=80
B.kubectl run my-svc --expose --port=80 --image=my-image
C.kubectl create svc clusterip my-svc --tcp=80:80
D.kubectl expose deployment my-deploy --name=my-svc --port=80
AnswerD

Correct command to create a Service from a deployment.

Why this answer

The 'kubectl expose' command is used to create a Service from a resource. The correct syntax is 'kubectl expose deployment my-deploy --name=my-svc --port=80'.

858
MCQeasy

What is the purpose of an init container in a pod?

A.To check the health of the main container and restart it if necessary
B.To run alongside the main container and provide additional services
C.To run to completion before the main containers start, often for initialization tasks
D.To run a command after the main container starts
AnswerC

Init containers run sequentially and must complete successfully before main containers start.

Why this answer

Option B is correct. Init containers run before the main application containers and typically perform setup tasks (e.g., waiting for a service, initializing data). Option A describes a sidecar.

Option C describes a liveness probe. Option D describes a postStart lifecycle hook.

859
MCQeasy

Which field in a CronJob spec specifies the maximum number of successful jobs that should be retained?

A..spec.jobTemplate.spec.backoffLimit
B..spec.successfulJobsHistoryLimit
C..spec.jobHistory.succeeded
D..spec.history.successfulJobsLimit
AnswerB

Correct field: 'successfulJobsHistoryLimit' in the CronJob spec.

Why this answer

Option C is correct. 'successfulJobsHistoryLimit' controls how many successful job runs are retained. Option A is for failed jobs. Option B and D are not valid fields.

860
Multi-Selecthard

Which THREE options are valid fields in a CronJob spec? (Select 3)

Select 3 answers
A..spec.jobTemplate.spec.template.spec.restartPolicy
B..spec.successfulJobsHistoryLimit
C..spec.schedule
D..spec.concurrencyPolicy
E..spec.jobTemplate.spec.parallelism
AnswersB, C, D

Valid CronJob field to limit history.

Why this answer

Option B is correct because `.spec.successfulJobsHistoryLimit` is a valid field in a CronJob spec that controls how many completed jobs are retained for inspection. This field defaults to 3 and helps manage cluster resource usage by limiting the number of successful job records kept in the history.

Exam trap

The trap here is that candidates confuse fields that belong to the CronJob spec with fields that belong to the underlying Job spec, such as `parallelism` or `restartPolicy`, which are valid in a Job but not directly in the CronJob spec's top-level fields.

861
Multi-Selectmedium

Which TWO statements about Kubernetes Services are correct? (Choose two.)

Select 2 answers
A.Services can only route traffic based on named ports.
B.A Service provides a stable endpoint for a set of pods.
C.A Service uses label selectors to identify the target pods.
D.Services can only route traffic to pods in the same namespace.
E.Every Service must have a cluster IP assigned.
AnswersB, C

Services provide a stable IP and DNS name.

Why this answer

Option B is correct because a Kubernetes Service provides a stable virtual IP and DNS name that remains constant even as the underlying pods are created, destroyed, or rescheduled. This decouples clients from the ephemeral nature of pod IPs, ensuring reliable connectivity to the pod group.

Exam trap

The trap here is that candidates often assume Services require a cluster IP or can only use named ports, but the CKAD exam tests knowledge of headless Services and the flexibility of port definitions.

862
MCQhard

You are deploying a Pod that contains two containers: a web server and a file sync agent. The file sync agent needs to run as long as the web server is running and should share the same network namespace. Which design pattern does this represent?

A.Adapter pattern
B.Ambassador pattern
C.Init container pattern
D.Sidecar pattern
AnswerD

The sidecar pattern adds auxiliary functionality to a main container within the same Pod.

Why this answer

Option A is correct. A sidecar container runs alongside the main container, sharing the same Pod lifecycle and network namespace. Option B is an adapter pattern for normalizing output.

Option C is an ambassador pattern for proxying. Option D is not a standard pattern.

863
MCQhard

You are using Helm to manage an application. After running 'helm install myapp ./mychart', you notice that the application is running but you need to change a configuration value. Which command should you use to update the release?

A.helm update myapp ./mychart
B.helm install myapp ./mychart --replace
C.kubectl edit deployment myapp
D.helm upgrade myapp ./mychart --set key=value
AnswerD

This upgrades the release 'myapp' with the new value.

Why this answer

In Helm, to upgrade an existing release with new values, you use 'helm upgrade' with the release name and chart. You can pass new values via --set or --values.

864
Multi-Selectmedium

Which TWO of the following are valid ways to consume environment variables from a ConfigMap in a pod?

Select 2 answers
A.envFrom: - configMapRef: name: myconfig
B.env: - name: VAR configMapRef: name: myconfig key: mykey
C.volumeMounts: - name: config-volume mountPath: /etc/config volumes: - name: config-volume configMap: name: myconfig
D.env: - name: VAR valueFrom: configMapKeyRef: name: myconfig key: mykey
E.env: - name: VAR valueFrom: configMapRef: name: myconfig key: mykey
AnswersA, D

envFrom loads all keys from the ConfigMap as environment variables.

Why this answer

Option A is correct because `envFrom` with a `configMapRef` injects all key-value pairs from the named ConfigMap as environment variables into the container. This is a concise way to consume multiple variables without specifying each key individually, as defined in the Kubernetes API for Pods.

Exam trap

The trap here is confusing `envFrom` with `env` syntax: candidates often misremember that `configMapRef` can be used directly under `env` (like in Option B), or they confuse `configMapKeyRef` with `configMapRef` (Option E), which is only valid under `envFrom`.

865
MCQmedium

You need to run a batch job that processes 100 items. The job should be considered complete when all items are processed successfully. You want to run up to 10 pods concurrently. Which job configuration is correct?

A..spec.completions: 10, .spec.parallelism: 100
B..spec.backoffLimit: 100, .spec.parallelism: 10
C..spec.completions: 100, .spec.parallelism: 1
D..spec.completions: 100, .spec.parallelism: 10
AnswerD

completions defines the desired number of successfully finished pods; parallelism controls concurrency. This configuration runs 100 pods with up to 10 at a time.

Why this answer

Option A is correct. With .spec.completions=100, the job is complete when 100 successful pods finish. .spec.parallelism=10 allows up to 10 pods running concurrently. Option B would run 10 pods total, not 100 completions.

Option C would run 10 pods sequentially (parallelism=1). Option D is not valid for batch/v1.

866
MCQeasy

Which of the following commands creates a ClusterIP service named 'my-service' that exposes port 80 on the pod with label 'app=web'?

A.kubectl expose deployment my-deployment --port=80 --name=my-service
B.kubectl expose pod my-pod --port=80 --target-port=8080 --name=my-service
C.kubectl create service clusterip my-service --tcp=80:8080 --cluster-ip=10.0.0.1
D.kubectl expose deployment my-deployment --type=NodePort --port=80 --name=my-service
AnswerA

Assumes 'my-deployment' has label 'app=web' and creates a ClusterIP service by default.

Why this answer

Option B is correct. 'kubectl expose pod my-pod --port=80 --name=my-service' creates a service. However, to use a label selector, the correct command is 'kubectl expose deployment my-deployment --port=80 --name=my-service'. Option A uses '--target-port' which is incorrect for initial exposure; Option C incorrectly specifies '--cluster-ip' without value; Option D creates a NodePort service.

So B is the best match.

867
MCQeasy

You need to scale a Deployment named 'api' to 10 replicas instantly. Which command should you use?

A.kubectl autoscale deployment api --min=10 --max=10
B.kubectl patch deployment api -p '{"spec":{"replicas":10}}'
C.kubectl resize deployment api --replicas=10
D.kubectl scale deployment api --replicas=10
AnswerD

Correct command to scale a Deployment.

Why this answer

The 'kubectl scale' command is used to set the desired number of replicas for a Deployment.

868
MCQeasy

Which kubectl command creates a Secret named 'db-secret' with key 'password' and value 'mypwd'?

A.kubectl create secret generic db-secret password=mypwd
B.kubectl create secret generic db-secret --from-file=password=mypwd
C.kubectl create secret generic db-secret --from-literal=password=mypwd
D.kubectl create secret generic db-secret --from-env-file=password=mypwd
AnswerC

Correct syntax for creating a secret from a literal key-value pair.

Why this answer

Option C is correct because `kubectl create secret generic` with `--from-literal` allows you to specify key-value pairs directly on the command line. The syntax `--from-literal=password=mypwd` creates a secret with key 'password' and value 'mypwd', which is the exact requirement.

Exam trap

The trap here is that candidates confuse `--from-literal` with `--from-file` or the bare `key=value` syntax, mistakenly thinking any `key=value` format works without the correct flag.

How to eliminate wrong answers

Option A is wrong because `kubectl create secret generic` does not accept a bare `key=value` syntax; it requires a flag like `--from-literal` to specify literal key-value pairs. Option B is wrong because `--from-file` expects a file path, not a literal key-value pair; using `--from-file=password=mypwd` would try to read a file named 'password=mypwd', which does not exist. Option D is wrong because `--from-env-file` expects a file containing environment variables in key=value format, not a single literal key-value pair on the command line.

869
MCQhard

A Pod with an init container and a main container is created. The init container runs a script that takes 10 seconds. The main container's startupProbe has initialDelaySeconds: 5. When does the startupProbe begin?

A.5 seconds after the pod is created
B.10 seconds after the pod is created
C.Immediately after the pod is created
D.After the init container completes, then plus 5 seconds
AnswerD

Init containers must finish before main containers start. Then startupProbe waits initialDelaySeconds.

Why this answer

Option C is correct: Init containers run to completion before any main container starts. The startupProbe begins after the main container starts, which is after the init container completes. So the startupProbe begins after 10 seconds (init) plus the initialDelaySeconds (5) = 15 seconds.

870
MCQhard

A pod is running with 'securityContext: { runAsUser: 1000, fsGroup: 2000, runAsNonRoot: true }'. The container image has USER root set in Dockerfile. What happens when the pod is created?

A.The pod runs as user 1000 but group remains root
B.The pod runs successfully as user 1000 with group 2000
C.The pod runs as root because the image's USER directive takes precedence
D.The pod fails with 'container has runAsNonRoot and image will run as root'
AnswerB

The securityContext sets runAsUser: 1000, which overrides the image's USER, and fsGroup sets the group. runAsNonRoot is satisfied.

Why this answer

Option B is correct because the pod's securityContext settings override the USER directive in the container image. The runAsUser: 1000 sets the container process to run as user 1000, and fsGroup: 2000 sets the group ownership of any mounted volumes to group 2000. The runAsNonRoot: true ensures the container does not run as root, but since the securityContext explicitly sets a non-root user, the check passes and the pod runs successfully.

Exam trap

The trap here is that candidates assume the image's USER directive is immutable or that runAsNonRoot checks the image's USER before securityContext is applied, when in fact Kubernetes applies the securityContext first and then validates runAsNonRoot against the resulting effective user.

How to eliminate wrong answers

Option A is wrong because the fsGroup: 2000 in the securityContext sets the group for the container process and any volume mounts, not just the image's default group; the group is changed to 2000, not left as root. Option C is wrong because the pod's securityContext takes precedence over the image's USER directive; Kubernetes applies the securityContext at runtime, overriding the Dockerfile's USER instruction. Option D is wrong because the runAsNonRoot: true check evaluates the effective user after securityContext is applied, not the image's USER; since runAsUser: 1000 is set, the container runs as a non-root user, so the check passes and the pod does not fail.

871
MCQhard

Consider the following partial Dockerfile: FROM alpine:3.18 AS builder RUN apk add --no-cache curl COPY src /app/src RUN make /app/bin FROM alpine:3.18 COPY --from=builder /app/bin /app/bin CMD ["/app/bin"] What is the primary benefit of this multi-stage build?

A.Faster builds because the builder stage runs in parallel
B.Reduced final image size by excluding build dependencies
C.Automatic caching of the builder stage
D.Improved security by running the builder as a non-root user
AnswerB

Only the final stage is used; build tools from builder are not included.

Why this answer

Multi-stage builds allow copying only the compiled binary from the builder stage, leaving behind build tools and intermediate files, resulting in a smaller final image.

872
MCQmedium

Which field in a Deployment's rolling update strategy controls the maximum number of pods that can be created above the desired replicas during a rolling update?

A.maxUnavailable
B.maxSurge
C.revisionHistoryLimit
D.minReadySeconds
AnswerB

Correct.

Why this answer

The 'maxSurge' field specifies the maximum number of pods that can be created above the desired number during a rolling update.

873
MCQhard

You have a pod that takes 2 minutes to start its application. You want to avoid the liveness probe from killing the pod during startup, but still have it active afterward. Which probe should you add to the pod spec?

A.Add a startup probe with a failureThreshold high enough to cover the startup time
B.Increase the timeoutSeconds on the liveness probe
C.Set periodSeconds on the liveness probe to 120
D.Set initialDelaySeconds on the liveness probe to 120
AnswerA

A startup probe allows the container extra time to start by disabling other probes until it succeeds. This is the recommended approach for slow-starting containers.

Why this answer

A startup probe is designed for slow-starting containers. It runs only during startup and disables liveness and readiness probes until it succeeds.

874
MCQeasy

What is the purpose of a HorizontalPodAutoscaler (HPA)?

A.To update the application version without downtime
B.To restart pods automatically when they fail
C.To distribute incoming traffic across multiple pods
D.To automatically adjust the number of pods based on resource metrics
AnswerD

HPA scales pods horizontally based on metrics like CPU or memory.

Why this answer

A HorizontalPodAutoscaler automatically scales the number of pods in a Deployment, ReplicaSet, or StatefulSet based on observed CPU utilization (or other custom metrics).

875
MCQhard

A developer configures a liveness probe for a container that takes a long time to start (about 120 seconds). The probe uses httpGet on port 8080 with a path '/healthz'. The probe is configured with initialDelaySeconds=10, periodSeconds=10, failureThreshold=3. The pod enters CrashLoopBackOff. What is the MOST likely cause?

A.The failureThreshold should be increased to 10
B.The httpGet path '/healthz' is incorrect and should be '/ready'
C.The readiness probe is misconfigured and should be used instead of a liveness probe
D.The liveness probe is failing too early because initialDelaySeconds is too low for the slow-starting container
AnswerD

The container needs 120 seconds to start, but the liveness probe starts after only 10 seconds. It fails quickly and triggers restarts before the container can fully start.

Why this answer

The liveness probe starts after 10 seconds and will fail repeatedly because the application is not ready. After 3 failures (30 seconds total), the container is restarted, but it still needs ~120 seconds to start, causing a loop. A startup probe should be used to give the container time to start before liveness probes begin.

876
MCQhard

A pod uses a service account 'my-sa' with a RoleBinding that grants get and list on pods in namespace 'app'. The pod runs a process that calls the Kubernetes API to list pods. However, the API call returns 403. What is the most likely cause?

A.The API server is not running.
B.The RoleBinding is in the wrong namespace.
C.The pod does not have the service account token mounted.
D.The Role does not include list permission.
AnswerC

If automountServiceAccountToken is false, no token is available.

Why this answer

Option C is correct because the pod must have the service account token mounted to authenticate to the Kubernetes API server. By default, Kubernetes automatically mounts the service account token into pods via a projected volume at /var/run/secrets/kubernetes.io/serviceaccount/token. If the pod is configured with automountServiceAccountToken: false or the token is not mounted, the API client cannot authenticate, resulting in a 403 Forbidden error even if the RoleBinding grants the correct permissions.

Exam trap

CNCF often tests the distinction between authentication (who you are) and authorization (what you can do); the trap here is that candidates assume a 403 always means a missing RBAC permission, when in fact it can also result from a missing or invalid service account token causing authentication failure.

How to eliminate wrong answers

Option A is wrong because if the API server were not running, the API call would fail with a connection error (e.g., connection refused or timeout), not a 403 HTTP status code. Option B is wrong because RoleBindings are namespace-scoped and must exist in the same namespace as the service account; the question states the RoleBinding is in namespace 'app', which matches the service account's namespace, so this is not the issue. Option D is wrong because the RoleBinding grants 'get' and 'list' on pods, which includes the list permission; the error is not due to missing permissions but due to authentication failure.

877
MCQeasy

You need to create a Job that runs a single task to completion. Which kubectl command correctly creates a Job named 'data-processor' that runs the image 'myapp/processor:1.0'?

A.kubectl create deployment data-processor --image=myapp/processor:1.0
B.kubectl create job data-processor --image=myapp/processor:1.0
C.kubectl run data-processor --image=myapp/processor:1.0 --restart=Never
D.kubectl create cronjob data-processor --image=myapp/processor:1.0
AnswerB

kubectl create job creates a Job resource with the specified image.

Why this answer

Option A is correct. The 'kubectl create job' command creates a Job. Option B is for creating a CronJob.

Option C is for a Deployment. Option D has incorrect syntax.

878
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete and recreate the pod to clear the crash loop
B.Increase the memory limit in the pod's container resource specification
C.Increase the CPU request for the container
D.Delete the namespace and redeploy all workloads
AnswerB

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option A would not help — restarting the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.

879
Multi-Selecthard

Which THREE of the following are true regarding NetworkPolicy in Kubernetes?

Select 3 answers
A.By default, all traffic is allowed unless a NetworkPolicy selects the pod
B.You can allow traffic from pods in another namespace using namespaceSelector and podSelector
C.NetworkPolicy can block traffic to a specific port on the node's IP
D.NetworkPolicy can restrict egress traffic from pods
E.NetworkPolicy resources can be applied to the kube-system namespace to restrict system pods
AnswersA, B, D

Correct. NetworkPolicy is additive; default allow.

Why this answer

Option A is true: NetworkPolicy is an additive rule; if no policy selects a pod, traffic is allowed by default. Option C is true: you can allow traffic from specific pods in other namespaces using namespaceSelector combined with podSelector. Option D is true: egress rules can restrict outbound traffic.

Option B is false: NetworkPolicy cannot block traffic to a specific port on the node; it works at the pod level. Option E is false: NetworkPolicy cannot enforce rules for the kube-system namespace unless explicitly created there.

880
MCQhard

You want to enforce that all pods in a namespace run with the 'restricted' Pod Security Standard (Pod Security Admission). Which label should you set on the namespace?

A.pod-security.kubernetes.io/warn=restricted
B.pod-security.kubernetes.io/enforce=baseline
C.pod-security.kubernetes.io/enforce=restricted
D.pod-security.kubernetes.io/audit=restricted
AnswerC

This enforces the restricted policy, rejecting pods that violate it.

Why this answer

Option C is correct because the `pod-security.kubernetes.io/enforce=restricted` label enforces the 'restricted' Pod Security Standard on the namespace, preventing any pod that violates the restricted policy from being created. This label directly activates Pod Security Admission (PSA) enforcement mode, which blocks non-compliant pods at admission time.

Exam trap

The trap here is that candidates often confuse the three PSA modes (enforce, warn, audit) and select a 'warn' or 'audit' label thinking it blocks non-compliant pods, when only 'enforce' actually prevents pod creation.

How to eliminate wrong answers

Option A is wrong because `pod-security.kubernetes.io/warn=restricted` only generates a warning for non-compliant pods but does not enforce the policy, so pods violating the restricted standard would still be created. Option B is wrong because `pod-security.kubernetes.io/enforce=baseline` enforces the 'baseline' standard, which is less restrictive than 'restricted' and allows some privileged configurations that the restricted standard would block. Option D is wrong because `pod-security.kubernetes.io/audit=restricted` only logs violations to the audit log without blocking or warning, so pods violating the restricted standard would still be admitted.

881
Multi-Selecthard

Which THREE statements about Dockerfile CMD and ENTRYPOINT are correct?

Select 4 answers
A.CMD is always ignored if ENTRYPOINT is defined.
B.CMD can be overridden at container runtime by specifying a command after the image name.
C.ENTRYPOINT can be overridden at container runtime using the --entrypoint flag.
D.If both CMD and ENTRYPOINT are specified, CMD provides default arguments to ENTRYPOINT.
E.If neither CMD nor ENTRYPOINT is specified, the container will run but exit immediately.
AnswersB, C, D, E

For example, docker run image command overrides CMD. However, note that this actually overrides CMD when used in exec form, but the statement is generally true.

Why this answer

Options A, C, and D are correct. If both CMD and ENTRYPOINT are defined, CMD provides default arguments to ENTRYPOINT. CMD can be overridden by providing command-line arguments at container run.

ENTRYPOINT can be overridden using --entrypoint flag. If neither is defined, the container starts but exits immediately because there is no command (unless image has default). CMD is not always ignored when ENTRYPOINT is defined; it provides defaults.

882
MCQmedium

A developer creates a Service named 'backend' in namespace 'default'. The service targets pods with label 'app: backend'. From within a pod in the same namespace, which DNS name resolves to the service's ClusterIP?

A.backend
B.backend.default.svc.cluster.local
C.backend.svc.cluster.local
D.backend.default.cluster.local
AnswerA

Correct. Within the same namespace, the service can be reached by its name only.

Why this answer

The short form 'backend' works for services in the same namespace. The full DNS name is 'backend.default.svc.cluster.local', but within same namespace, just 'backend' is sufficient.

883
Multi-Selectmedium

Which TWO statements about init containers are correct?

Select 3 answers
A.Init containers cannot have resource limits.
B.Init containers always run to completion.
C.Init containers are run sequentially in the order defined.
D.If an init container fails, it is not restarted.
E.Init containers run before the main application containers start.
AnswersB, C, E

Each init container must complete successfully before the next one starts.

Why this answer

Init containers run sequentially before the main containers start. They can have different images and settings than the main containers. They run to completion and then terminate.

Options A, B, and C are correct. D is false: init containers can have their own resource limits. E is false: the pod restarts if an init container fails, not the container itself.

884
MCQhard

You have a Deployment named 'api' with 3 replicas. You need to ensure that new pods are not added to the Service's endpoints until the application is ready to serve traffic. Which probe configuration should you add to the pod spec?

A.Readiness probe
B.No probe is needed; pods are automatically added when running
C.Startup probe
D.Liveness probe
AnswerA

Readiness probes indicate if a pod is ready to serve traffic; if it fails, the pod is removed from Service endpoints.

Why this answer

A Readiness probe is the correct choice because it controls whether a pod is added to a Service's endpoints. Kubernetes will only mark a pod as Ready when the probe succeeds, and only Ready pods receive traffic from the Service. This ensures new pods are not added until the application is ready to serve traffic.

Exam trap

The trap here is that candidates confuse Liveness probes (which restart pods) with Readiness probes (which control traffic routing), or assume that a running pod is automatically considered ready for Service endpoints.

How to eliminate wrong answers

Option B is wrong because Kubernetes does not automatically add pods to Service endpoints when they are running; it only adds pods that pass their Readiness probe. Option C is wrong because a Startup probe is used to determine when an application has started, not when it is ready to serve traffic; it delays the start of Liveness and Readiness probes but does not control Service endpoint membership. Option D is wrong because a Liveness probe is used to determine if a pod should be restarted, not to control traffic routing; it does not affect whether a pod is added to a Service's endpoints.

885
MCQmedium

When performing a rolling update of a Deployment, which field in the Deployment spec controls the maximum number of Pods that can be created above the desired replicas during the update?

A.spec.strategy.type
B.spec.strategy.rollingUpdate.maxSurge
C.spec.strategy.rollingUpdate.maxUnavailable
D.spec.replicas
AnswerB

Correct. maxSurge defines the maximum number of Pods that can be created above the desired replicas.

Why this answer

maxSurge defines how many Pods can be created above the desired replica count during a rolling update.

886
MCQmedium

You run 'kubectl rollout undo deployment/app'. What happens?

A.It rolls back the Deployment to the previous revision
B.It pauses the rollout
C.It shows the rollout history
D.It deletes the Deployment
AnswerA

Correct, 'kubectl rollout undo' reverts to the previous revision.

Why this answer

The 'kubectl rollout undo' command rolls back a Deployment to the previous revision. By default, it reverts to the immediate prior revision (revision 1 less than current).

887
MCQmedium

You need to set environment variables in a pod from a ConfigMap 'app-config' that has keys 'APP_ENV' and 'APP_DEBUG'. Which approach exposes all keys as environment variables?

A.envFrom: - secretRef: name: app-config
B.env: - name: APP_ENV valueFrom: configMapKeyRef: name: app-config key: APP_ENV - name: APP_DEBUG valueFrom: configMapKeyRef: name: app-config key: APP_DEBUG
C.envFrom: - configMapRef: name: app-config
D.volumeMounts: - name: config mountPath: /etc/config volumes: - name: config configMap: name: app-config
AnswerC

Exposes all keys from the ConfigMap as environment variables.

Why this answer

Option C is correct because `envFrom` with `configMapRef` is the Kubernetes-native way to expose all keys from a ConfigMap as environment variables in a pod. This injects each key-value pair from the ConfigMap 'app-config' as an environment variable, matching the requirement to expose all keys without manual enumeration.

Exam trap

CNCF often tests the distinction between `configMapRef` and `secretRef`, and the trap here is that candidates confuse ConfigMaps with Secrets or assume that mounting a ConfigMap as a volume is equivalent to setting environment variables, leading them to pick Option A or D.

How to eliminate wrong answers

Option A is wrong because it uses `secretRef` which references a Secret, not a ConfigMap; Secrets are for sensitive data (e.g., passwords) and cannot read from a ConfigMap. Option B is wrong because it manually enumerates each key using `configMapKeyRef`, which works but does not expose 'all keys' automatically; it requires explicit listing of each key, violating the requirement. Option D is wrong because it mounts the ConfigMap as a volume at `/etc/config`, creating files named after the keys (e.g., `APP_ENV` and `APP_DEBUG`), not environment variables; this is a different mechanism for injecting configuration.

888
MCQhard

You are deploying a multi-tier application consisting of a frontend web service and a backend API. The frontend is deployed as a Deployment with 3 replicas, exposed via a ClusterIP Service named 'frontend-svc'. The backend is a StatefulSet with 3 replicas, each with its own PersistentVolumeClaim, and exposed via a headless Service named 'backend-svc'. The backend pods need to discover each other via DNS for clustering. After deployment, the backend pods cannot resolve the hostnames of other backend pods. The frontend can reach the backend via the Service name. You verify that the StatefulSet and its Service are correctly named. What is the most likely cause of the issue?

A.The StatefulSet's serviceName does not match the backend Service name
B.The backend pods are not using the correct DNS domain
C.The frontend Service is interfering with the backend DNS
D.The backend Service is not headless
AnswerD

A headless Service is needed for StatefulSet pod DNS.

Why this answer

For a StatefulSet to provide DNS-based pod discovery, its associated Service must be headless (clusterIP: None). A headless Service creates DNS A/AAAA records for each pod's hostname (e.g., backend-svc-0.backend-svc.default.svc.cluster.local), enabling direct pod-to-pod resolution. If the Service is not headless, DNS queries for individual pod hostnames will not resolve, breaking clustering discovery.

Exam trap

CNCF often tests the subtle requirement that a StatefulSet's Service must be explicitly headless (clusterIP: None) for pod DNS resolution, and candidates mistakenly think any Service name match is sufficient.

How to eliminate wrong answers

Option A is wrong because the StatefulSet's serviceName field must match the backend Service name; the question states both are correctly named, so this is not the issue. Option B is wrong because the DNS domain is automatically derived from the namespace and cluster domain (default.svc.cluster.local), and pods use it correctly by default; incorrect domain is not the cause. Option C is wrong because the frontend Service (ClusterIP) operates independently and does not interfere with backend DNS resolution; DNS records for backend pods are unaffected by other Services.

889
MCQeasy

Which of the following is the correct way to set an environment variable 'APP_COLOR' from a ConfigMap key 'color'?

A.env: - name: APP_COLOR valueFrom: configMapRef: name: my-config key: color
B.envFrom: - configMapKeyRef: name: my-config key: color
C.env: - name: APP_COLOR valueFrom: configMapKeyRef: name: my-config key: color
D.env: - name: APP_COLOR value: "configMap.color"
AnswerC

Correct. This correctly references the key from the named ConfigMap.

Why this answer

Option C is correct because it uses the `configMapKeyRef` field under `valueFrom` in the `env` array to inject a specific key from a ConfigMap as an environment variable. This is the standard Kubernetes syntax for referencing a single key from a ConfigMap, where `name` specifies the ConfigMap object and `key` specifies the key within that ConfigMap whose value will be assigned to the environment variable `APP_COLOR`.

Exam trap

The trap here is confusing `configMapRef` (used in `envFrom` to import all keys) with `configMapKeyRef` (used in `env` to import a single key), leading candidates to choose Option A or B due to similar naming.

How to eliminate wrong answers

Option A is wrong because `configMapRef` is not a valid field under `valueFrom`; `configMapRef` is used in `envFrom` to load all keys from a ConfigMap, not a single key. Option B is wrong because `envFrom` uses `configMapRef` (not `configMapKeyRef`) and cannot target a specific key; it imports all key-value pairs from the ConfigMap as environment variables, and the syntax shown (`configMapKeyRef`) is invalid. Option D is wrong because it attempts to set a literal string value `"configMap.color"` rather than referencing the ConfigMap key, which would not resolve to the actual value from the ConfigMap.

890
Matchingmedium

Match each Kubernetes Service type to its behavior.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Exposes service on a cluster-internal IP

Exposes service on each node's IP at a static port

Exposes service externally using a cloud load balancer

Maps service to a DNS name

No cluster IP; used for stateful workloads

Why these pairings

Service types define how traffic reaches pods.

891
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the CPU request for the container
B.Delete the namespace and redeploy all workloads
C.Delete and recreate the pod to clear the crash loop
D.Increase the memory limit in the pod's container resource specification
AnswerD

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option A would not help — restarting the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.

892
Multi-Selecthard

You are given a pod YAML that uses an init container to wait for a database. The init container exits with code 0, but the main container crashes. Which TWO fields in the pod spec directly affect the behavior of the main container after it crashes?

Select 2 answers
A.spec.containers[0].readinessProbe
B.spec.restartPolicy
C.spec.initContainers[0].restartPolicy
D.spec.containers[0].command
E.spec.containers[0].livenessProbe
AnswersB, E

restartPolicy determines if the container is restarted on failure.

Why this answer

restartPolicy controls whether the main container is restarted; livenessProbe checks health and can restart the container; readinessProbe does not restart.

893
MCQhard

You have installed a Helm chart for an application named 'myapp' in the namespace 'prod'. You need to upgrade the release to a new chart version, but you want to be able to revert to the current version quickly if the upgrade fails. Which command should you run?

A.helm upgrade myapp ./chart --namespace prod --atomic
B.helm upgrade myapp ./chart --namespace prod --recreate-pods
C.helm upgrade myapp ./chart --namespace prod
D.helm upgrade myapp ./chart --namespace prod --history-max 10
AnswerD

Sets a history max of 10 revisions, allowing rollback to any of the last 10.

Why this answer

The --history-max flag limits the number of revisions kept. Option D keeps 10 revisions, allowing rollback if needed. Option C also keeps history but is less explicit about the number.

However, the question expects a command that preserves history for rollback; the default is 10, but explicitly setting it is good practice.

894
MCQhard

You have a Job that runs a batch process. The Job YAML is as follows: apiVersion: batch/v1 kind: Job metadata: name: batch-job spec: parallelism: 4 completions: 12 backoffLimit: 2 template: spec: containers: - name: worker image: myapp:latest restartPolicy: Never If one pod fails after 3 successful completions, and the Job has already completed 7 successes, how many pods will be running at that point? Assume no other failures.

A.4
B.3
C.7
D.5
AnswerA

The controller maintains up to 4 pods running (parallelism) even after a failure, as long as backoffLimit is not exceeded.

Why this answer

Option B is correct. The Job has parallelism 4, meaning up to 4 pods run concurrently. At the moment, 7 successes have been completed, so the Job still needs 5 more completions.

The Job controller will keep running pods up to parallelism to achieve the remaining completions. When one pod fails, a new pod will be created to replace it because backoffLimit is 2 (meaning up to 2 retries allowed). So there will still be 4 pods running (some may be new).

The answer depends on assuming the Job controller maintains parallelism. With 12 completions needed and 7 already done, 5 remain. The controller will run up to 4 pods concurrently, so 4 pods will be running.

895
MCQmedium

A pod has two containers: a web server and a sidecar that scrapes logs. The sidecar container needs to read log files written by the web server. How should the logs be shared between the containers?

A.Use a ConfigMap to store logs
B.Use a hostPath volume mounted in both containers
C.Use a shared emptyDir volume mounted into both containers at the same path
D.Use a PersistentVolumeClaim
AnswerC

emptyDir volumes are shared across containers in the same pod and are ideal for temporary data sharing.

Why this answer

A shared volume, such as an emptyDir volume mounted into both containers, allows the sidecar to access the web server's log files.

896
MCQeasy

To mount a ConfigMap as a volume, which field type must be used in the pod spec's volumes and volumeMounts?

A.configMap
B.emptyDir
C.secret
D.hostPath
AnswerA

Correct volume type for ConfigMap.

Why this answer

To mount a ConfigMap as a volume in a Pod, the `configMap` field type must be specified in the `volumes` array of the Pod spec, and the corresponding `volumeMounts` entry references that volume by name. This tells Kubernetes to populate the volume with the key-value pairs from the ConfigMap, making them available as files in the container's filesystem.

Exam trap

The trap here is that candidates often confuse `configMap` with `secret` because both are used to inject configuration data, but the question specifically asks for the field type to mount a ConfigMap, not a Secret.

How to eliminate wrong answers

Option B (emptyDir) is wrong because it creates an empty, ephemeral directory that is not backed by any ConfigMap or Secret; it is used for scratch space or sharing data between containers. Option C (secret) is wrong because it mounts a Secret, not a ConfigMap; while both are volume types, they are distinct resources with different data sources and use cases. Option D (hostPath) is wrong because it mounts a file or directory from the host node's filesystem, not from a Kubernetes ConfigMap object.

897
MCQmedium

A pod manifest includes the following securityContext: securityContext: { runAsUser: 1000, runAsGroup: 3000, fsGroup: 2000 }. What UID will be used for processes in the container?

A.0 (root)
B.3000
C.2000
D.1000
AnswerD

runAsUser defines the UID for the container's main process.

Why this answer

Option D is correct because the `runAsUser` field in the pod's securityContext explicitly sets the user ID (UID) for all processes in the container. In this manifest, `runAsUser: 1000` overrides the default UID (usually 0, root) and ensures that the container's main process runs with UID 1000. The `runAsGroup` and `fsGroup` fields affect group IDs and file ownership, not the process UID.

Exam trap

CNCF often tests the distinction between `runAsUser` (process UID), `runAsGroup` (process GID), and `fsGroup` (volume ownership GID), and the trap here is that candidates confuse `fsGroup` or `runAsGroup` with the process UID, leading them to select 2000 or 3000 instead of 1000.

How to eliminate wrong answers

Option A is wrong because `runAsUser: 1000` explicitly overrides the default root UID (0), so processes do not run as root. Option B is wrong because `runAsGroup: 3000` sets the primary group ID (GID) for the process, not the UID. Option C is wrong because `fsGroup: 2000` is used to set the group ownership of mounted volumes and any files created in them, but it does not affect the UID of the container's processes.

898
MCQeasy

Which of the following Ingress controllers is commonly used in Kubernetes?

A.IIS
B.Apache
C.NGINX
D.Tomcat
AnswerC

NGINX Ingress controller is widely used.

Why this answer

NGINX is one of the most common Ingress controllers, along with others like Traefik, HAProxy, and Contour.

899
MCQhard

You are implementing a canary deployment for a microservice named 'api'. The stable version is deployed as 'api-stable' with label 'version: stable'. You create a canary Deployment 'api-canary' with label 'version: canary'. Both Deployments have the same label 'app: api'. You want a Service 'api-svc' to route 90% of traffic to stable and 10% to canary. Which Service configuration achieves this?

A.Add annotation 'traffic-weight: 90' to stable and 'traffic-weight: 10' to canary
B.selector: {app: api} and adjust the number of replicas in each Deployment to achieve the desired ratio (e.g., 9 stable, 1 canary)
C.selector: {app: api, version: stable}
D.Create two separate Services, each targeting one version, and rely on DNS weighting
AnswerB

A common selector includes both sets of pods; the traffic proportion is determined by the ratio of pod counts under the selector.

Why this answer

Option C is correct: use a common label 'app: api' in the selector, then manage traffic proportion by adjusting replica counts (e.g., 9 replicas stable, 1 replica canary). Option A uses a single label selector targeting a specific version, which would not select both. Option B uses separate services, not a single service.

Option D uses an annotation that does not affect traffic routing.

900
MCQeasy

Which kubectl command creates a Secret from literal username and password values?

A.kubectl create secret generic my-secret --literal username=admin password=secret123
B.kubectl create secret generic my-secret --from-literal=username=admin --from-literal=password=secret123
C.kubectl create secret generic my-secret --from-file=username --from-file=password
D.kubectl create secret generic my-secret --from-env-file=creds.txt
AnswerB

This creates a Secret from literal key=value pairs.

Why this answer

Option B is correct because `kubectl create secret generic` with `--from-literal` is the proper syntax for specifying literal key-value pairs directly in the command. Each literal must be prefixed with `--from-literal=key=value`, and multiple literals can be provided to create a Secret containing both the username and password keys.

Exam trap

The trap here is that candidates confuse `--from-literal` with the non-existent `--literal` flag, or assume that multiple key-value pairs can be passed in a single `--from-literal` argument, leading them to choose Option A.

How to eliminate wrong answers

Option A is wrong because it uses `--literal` instead of the correct `--from-literal` flag, and the syntax `--literal username=admin password=secret123` is invalid — kubectl requires each literal to be specified with its own `--from-literal=key=value` flag. Option C is wrong because `--from-file` creates a Secret from file contents, not literal values; it would read the files named 'username' and 'password' from the filesystem, not use inline strings. Option D is wrong because `--from-env-file` imports key-value pairs from a file in the format `KEY=VALUE`, but it does not accept literal values directly on the command line.

Page 11

Page 12 of 14

Page 13