Certified Kubernetes Application Developer CKAD (CKAD) — Questions 901975

991 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
Multi-Selecteasy

Which TWO are valid port names in a Service definition?

Select 2 answers
A.my_port
B.Port-1
C.123
D.grpc
E.http
AnswersD, E

Valid lowercase name.

Why this answer

Port names must follow IANA service names; they can contain lowercase letters, numbers, and hyphens. 'http' and 'grpc' are valid. 'my_port' is invalid due to underscore. '123' is invalid (must start with letter). 'Port-1' contains uppercase P.

902
MCQeasy

A developer wants to view the resource usage of all containers in a specific pod. Which command should they use?

A.kubectl top pods --all-namespaces
B.kubectl top pods
C.kubectl top pod <pod>
D.kubectl top pod <pod> --containers
AnswerD

Shows per-container CPU and memory.

Why this answer

Option D is correct because `kubectl top pod <pod> --containers` displays per-container CPU and memory metrics for a specific pod, which is exactly what the developer needs to view resource usage of all containers within that pod. The `--containers` flag is essential to break down the pod-level metrics into individual container-level metrics.

Exam trap

The trap here is that candidates often assume `kubectl top pod <pod>` alone shows container-level details, but without the `--containers` flag it only shows pod-level aggregates, leading them to choose option C instead of D.

How to eliminate wrong answers

Option A is wrong because `kubectl top pods --all-namespaces` shows pod-level resource usage across all namespaces, not per-container metrics for a specific pod. Option B is wrong because `kubectl top pods` shows pod-level resource usage in the current namespace, but does not break down usage by individual containers. Option C is wrong because `kubectl top pod <pod>` shows aggregate resource usage for the entire pod, not per-container details, which fails to meet the requirement of viewing all containers' usage.

903
MCQmedium

You need to mount a Secret 'db-secret' as a volume in a pod, making its keys appear as individual files. Which volume definition is correct?

A.volumes: - name: secret-vol emptyDir: medium: Secret
B.volumes: - name: secret-vol secret: secretName: db-secret items: - key: password path: credentials.txt
C.volumes: - name: secret-vol configMap: name: db-secret
D.volumes: - name: secret-vol secret: secretName: db-secret
AnswerD

Correct. This creates a Secret volume from db-secret.

Why this answer

Option D is correct because it defines a volume of type `secret` with the `secretName` field set to `db-secret`, which mounts the entire Secret as a volume. By default, each key in the Secret becomes a file named after the key, satisfying the requirement that keys appear as individual files.

Exam trap

The trap here is that candidates often confuse the `items` field (which projects specific keys into custom filenames) with the default behavior (which mounts all keys as individual files), leading them to pick Option B even though it does not meet the requirement of making all keys appear as individual files.

How to eliminate wrong answers

Option A is wrong because `emptyDir` volumes are ephemeral storage directories, not Secret mounts; the `medium` field accepts values like `Memory`, not `Secret`. Option B is wrong because it uses the `items` field to project only a single key (`password`) into a file named `credentials.txt`, which does not make all keys appear as individual files. Option C is wrong because `configMap` references a ConfigMap, not a Secret; Secrets and ConfigMaps are separate resource types with different handling (e.g., Secrets are base64-encoded).

904
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete the namespace and redeploy all workloads
B.Delete and recreate the pod to clear the crash loop
C.Increase the CPU request for the container
D.Increase the memory limit in the pod's container resource specification
AnswerD

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The OOMKilled status indicates the container exceeded its memory limit and was terminated by the Linux kernel's Out-Of-Memory (OOM) killer. Since the pod ran successfully for days, the issue is likely a memory leak or increased workload demand, not a configuration error. Increasing the memory limit in the container's resource specification allows the pod to handle the higher memory usage without being killed.

Exam trap

The trap here is that candidates confuse CPU and memory resource constraints, thinking increasing CPU requests will solve an OOM issue, or they assume a simple pod restart is sufficient without addressing the underlying resource limit.

How to eliminate wrong answers

Option A is wrong because deleting the namespace and redeploying all workloads is an extreme, disruptive action that does not address the root cause (memory exhaustion) and would cause unnecessary downtime. Option B is wrong because deleting and recreating the pod will only restart it with the same memory limit, leading to the same OOMKilled crash loop. Option C is wrong because increasing the CPU request does not affect memory allocation; the OOM killer is triggered by memory usage exceeding the limit, not CPU.

905
Multi-Selecthard

Which THREE of the following are valid ways to view the rollout history of a Deployment named 'myapp'? (Select three.)

Select 3 answers
A.kubectl get replicasets -l app=myapp
B.kubectl rollout history deployment myapp
C.kubectl describe deployment myapp
D.kubectl rollout status deployment myapp
E.kubectl get deployment myapp -o yaml
AnswersA, B, C

Each revision of a Deployment creates a new ReplicaSet. Listing ReplicaSets with the app label shows all previous revisions.

Why this answer

Options A, C, and D are correct. A: 'kubectl rollout history deployment myapp' shows all revisions. C: 'kubectl describe deployment myapp' includes annotations like 'deployment.kubernetes.io/revision' showing the current revision.

D: 'kubectl get replicasets -l app=myapp' shows all ReplicaSets, which correspond to revisions. Option B is not a valid command; Option E shows only the current status, not the history.

906
Multi-Selectmedium

Which THREE of the following are valid patterns for multi-container pods?

Select 3 answers
A.Init
B.Ambassador
C.Adapter
D.Sidecar
E.Daemon
AnswersB, C, D

Ambassador proxies network traffic to external services.

Why this answer

Sidecar, ambassador, and adapter are well-known multi-container patterns.

907
MCQeasy

Which Dockerfile instruction sets a default command that can be overridden by arguments passed to 'docker run'?

A.ENTRYPOINT
B.EXPOSE
C.CMD
D.RUN
AnswerC

CMD provides defaults that can be overridden.

Why this answer

Option B is correct: CMD sets a default command that can be overridden. ENTRYPOINT sets a command that cannot be easily overridden without --entrypoint flag. RUN executes during build.

EXPOSE documents ports.

908
MCQeasy

Which kubectl command streams logs from a pod named 'web-pod' in real-time?

A.kubectl logs --since=5m web-pod
B.kubectl logs --tail=100 web-pod
C.kubectl logs -f web-pod
D.kubectl logs web-pod
AnswerC

The -f flag streams logs in real-time.

Why this answer

Option C is correct because the `-f` flag (short for `--follow`) tells kubectl to stream logs from the pod in real-time, similar to `tail -f` on a file. This is essential for live monitoring of application output as it is generated.

Exam trap

The trap here is that candidates may confuse flags like `--tail` or `--since` with real-time streaming, not realizing that only `-f` (or `--follow`) provides continuous log output.

How to eliminate wrong answers

Option A is wrong because `--since=5m` retrieves logs from the last 5 minutes but does not stream them; it prints the logs and exits. Option B is wrong because `--tail=100` shows only the last 100 lines of logs and then exits, without following new output. Option D is wrong because `kubectl logs web-pod` prints all available logs from the pod and exits, providing no real-time streaming capability.

909
Multi-Selectmedium

You need to check the resource usage of nodes and pods in your cluster. Which TWO commands should you use? (Choose two)

Select 2 answers
A.kubectl top nodes
B.kubectl logs
C.kubectl cluster-info
D.kubectl describe pod
E.kubectl top pods
AnswersA, E

Displays resource (CPU/memory) usage of nodes.

Why this answer

Options A and B are correct. 'kubectl top nodes' shows CPU and memory usage for nodes, and 'kubectl top pods' shows usage for pods. Option C shows pod logs, not resource usage. Option D shows pod details but not resource usage.

Option E shows cluster info.

910
MCQhard

A NetworkPolicy with the following spec is applied to a namespace. What is the effect? spec: podSelector: {} policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 10.0.0.0/8 except: - 10.0.1.0/24 egress: - to: - ipBlock: cidr: 0.0.0.0/0

A.Deny all ingress and egress traffic
B.Allow all ingress and egress traffic
C.Deny all ingress traffic except from 10.0.0.0/8 excluding 10.0.1.0/24; allow all egress
D.Allow ingress from 10.0.1.0/24 only
AnswerC

This matches the policy rules.

Why this answer

The empty podSelector applies to all pods in the namespace. Ingress allows traffic from 10.0.0.0/8 except 10.0.1.0/24. Egress allows all traffic.

No default deny because ingress and egress rules are present.

911
MCQeasy

You need to forward a local port to port 8080 on a pod named 'my-pod' in the 'default' namespace. Which kubectl command should you use?

A.kubectl port-forward pod/my-pod 8080:80
B.kubectl port-forward pod/my-pod 8080:8080
C.kubectl forward pod/my-pod 8080:8080
D.kubectl port-forward my-pod 8080
AnswerB

Forwards local port 8080 to pod port 8080.

Why this answer

The kubectl port-forward command is used to forward local ports to a pod.

912
MCQmedium

You want to debug a pod that has no shell or debugging tools installed. Which feature allows you to temporarily add a sidecar container with debugging tools to a running pod?

A.kubectl exec -it my-pod -- /bin/bash
B.kubectl cp /tmp/debug-tool my-pod:/tmp/
C.kubectl debug -it my-pod --image=busybox --target=my-container
D.kubectl port-forward my-pod 8080:80
AnswerC

Correct. This adds an ephemeral container to the pod.

Why this answer

Ephemeral containers are designed for debugging running pods without restarting them.

913
MCQhard

During a security audit, it is discovered that a pod running a database is accessible from any other pod in the cluster. The database should only be accessible by pods with label 'role: backend'. Which resource should be applied to enforce this restriction?

A.An Ingress resource with TLS
B.A Service of type ClusterIP with a firewall rule
C.A NetworkPolicy with an ingress rule selecting pods with label 'role: backend'
D.A PodSecurityPolicy
AnswerC

NetworkPolicy controls pod-to-pod traffic based on labels.

Why this answer

Option C is correct because a NetworkPolicy with an ingress rule that selects pods with label 'role: backend' explicitly restricts inbound traffic to the database pod to only those pods that match that label. NetworkPolicies are Kubernetes-native resources that enforce firewall rules at the IP address or port level (OSI layer 3 or 4) using the pod's labels as selectors, and they are the standard mechanism for controlling pod-to-pod traffic within a cluster.

Exam trap

The trap here is that candidates often confuse NetworkPolicies with Services or Ingress, assuming that a Service's ClusterIP or an Ingress rule can control internal pod access, but NetworkPolicies are the only native Kubernetes resource that enforces pod-level network segmentation within the cluster.

How to eliminate wrong answers

Option A is wrong because an Ingress resource operates at layer 7 (HTTP/HTTPS) and is designed to manage external traffic into the cluster, not internal pod-to-pod communication; it cannot restrict access between pods inside the cluster. Option B is wrong because a Service of type ClusterIP provides a stable virtual IP for load balancing but does not enforce traffic filtering; firewall rules are not a native Kubernetes resource and would require external tools (e.g., cloud provider firewalls) that operate at the cluster boundary, not between pods. Option D is wrong because a PodSecurityPolicy (deprecated in Kubernetes 1.21 and removed in 1.25) controls security-sensitive aspects of pod specs (e.g., privileged containers, host namespaces), not network traffic between pods.

914
Matchingmedium

Match each kubectl command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Create or update resources from a file

Rollback a deployment to a previous revision

Execute a command inside a container

Forward local port to a pod port

Show detailed state of a resource

Why these pairings

These are commonly used kubectl commands for managing applications.

915
MCQmedium

A pod is stuck in Pending state. You run 'kubectl describe pod my-pod' and see the event: '0/4 nodes are available: 1 Insufficient cpu, 3 Insufficient memory'. What is the most likely cause?

A.The pod's resource requests exceed the available node resources
B.The pod uses too many secrets
C.The pod's resource limits are too low
D.The pod's container is failing health checks
AnswerA

The scheduler cannot place the pod because no node has enough free resources to satisfy the requests.

Why this answer

The event '0/4 nodes are available: 1 Insufficient cpu, 3 Insufficient memory' indicates that the Kubernetes scheduler could not find any node that satisfies the pod's resource requests. The pod's resource requests (spec.containers[].resources.requests) define the minimum CPU and memory the pod requires to run. If the sum of requests across all pods on a node exceeds the node's allocatable resources, the scheduler marks the node as unschedulable for that pod, leaving it in Pending state.

Exam trap

The trap here is that candidates often confuse resource requests with resource limits, thinking that low limits cause scheduling failures, but Kubernetes only uses requests for scheduling decisions, not limits.

How to eliminate wrong answers

Option B is wrong because using too many secrets does not affect pod scheduling; secrets are mounted as files or environment variables and do not consume node resources like CPU or memory. Option C is wrong because resource limits (spec.containers[].resources.limits) are not used for scheduling decisions; limits only control how much a container can use after it starts, and low limits would not cause a Pending state. Option D is wrong because failing health checks (liveness/readiness probes) cause the pod to be restarted or marked as Unhealthy after it is already running, not while it is still in Pending state before any container starts.

916
MCQhard

The Pod 'myapp' is in CrashLoopBackOff. Based on the exhibit, what is the most likely cause?

A.The init container failed to complete.
B.The readiness probe is misconfigured.
C.The container is trying to bind to a port already used by a sidecar or previous instance.
D.The liveness probe is failing and restarting the container.
AnswerC

The error indicates port conflict.

Why this answer

The Pod is in CrashLoopBackOff, which indicates the container repeatedly crashes. The most likely cause is that the container is trying to bind to a port already in use by a sidecar or a previous instance of the same container that hasn't fully terminated. This is a common scenario when a sidecar container (e.g., a logging proxy) binds to the same port, or when the container's port is not released quickly enough after a restart, leading to an immediate crash on startup.

Exam trap

The trap here is that candidates often assume CrashLoopBackOff is always caused by a failing liveness probe (Option D), but they overlook that the container must actually start and run for the liveness probe to be checked; if the container crashes immediately on startup (e.g., due to port conflict), the liveness probe never even runs, and the root cause is a startup failure, not a probe failure.

How to eliminate wrong answers

Option A is wrong because if the init container had failed to complete, the Pod would remain in Init:CrashLoopBackOff or Init:Error, not in CrashLoopBackOff for the main container. Option B is wrong because a misconfigured readiness probe would cause the container to be marked as not ready (removed from service endpoints), but it would not cause the container to crash or enter CrashLoopBackOff; the container would continue running. Option D is wrong because a failing liveness probe would cause the container to be restarted, but the Pod would show a restart count and potentially a CrashLoopBackOff only if the container crashes immediately after restart; however, the question asks for the 'most likely cause' given the exhibit (not provided here), and port binding conflicts are a classic cause of immediate crash on startup, whereas liveness probe failures typically occur after the container has started and run for a short time.

917
MCQeasy

The exhibit shows a Deployment manifest. When applied, the pods are created but show 'CrashLoopBackOff'. What is the most likely cause?

A.The selector does not match the pod labels
B.The liveness probe targets port 8080, but the container only listens on port 80
C.The initialDelaySeconds is too short, starting probes before the app is ready
D.The container image nginx:1.21 does not exist
AnswerB

The probe will fail because there is no service on port 8080.

Why this answer

The liveness probe is configured to check port 8080, but the container (nginx) only listens on port 80 by default. Since the probe never receives a successful HTTP response, Kubernetes restarts the container repeatedly, causing the CrashLoopBackOff state. The probe must target the same port the application is serving on.

Exam trap

CNCF often tests the distinction between probe misconfiguration (wrong port/path) and other failure modes like image errors or selector mismatches, tempting candidates to overthink with options like initialDelaySeconds.

How to eliminate wrong answers

Option A is wrong because if the selector did not match pod labels, the Deployment would not manage the pods at all; pods would be created but not controlled, and they would not enter CrashLoopBackOff. Option C is wrong because a short initialDelaySeconds might cause temporary failures, but the pod would eventually succeed once the app is ready; CrashLoopBackOff indicates persistent failure, not just early probes. Option D is wrong because if the image nginx:1.21 did not exist, the pods would fail with ImagePullBackOff, not CrashLoopBackOff.

918
MCQmedium

You have a Kustomize overlay that sets 'replicas: 5' in a patch, but the base Deployment has 'replicas: 3'. What is the final number of replicas after applying 'kubectl apply -k overlay/'?

A.3
B.8
C.It depends on the strategy
D.5
AnswerD

Correct; overlays take precedence.

Why this answer

In Kustomize, overlays override base values. The patch will set replicas to 5, so the final Deployment will have 5 replicas.

919
MCQeasy

You want to expose a Deployment named 'nginx' on port 80 using a LoadBalancer service. Which YAML snippet is correct?

A.apiVersion: v1 kind: Service metadata: name: nginx-svc spec: type: NodePort ports: - port: 80 selector: app: nginx
B.apiVersion: v1 kind: Service metadata: name: nginx-svc spec: type: LoadBalancer ports: - port: 80 targetPort: 80 selector: app: nginx
C.apiVersion: v1 kind: Service metadata: name: nginx-svc spec: type: LoadBalancer ports: - port: 80 selector: app: nginx
D.apiVersion: apps/v1 kind: Service metadata: name: nginx-svc spec: type: LoadBalancer ports: - port: 80 selector: app: nginx
AnswerC

Correct syntax for a LoadBalancer service.

Why this answer

LoadBalancer services have type: LoadBalancer and a selector pointing to the Deployment's pods.

920
MCQeasy

Which of the following Service types exposes a pod on a static port on each node's IP address?

A.LoadBalancer
B.ExternalName
C.ClusterIP
D.NodePort
AnswerD

NodePort exposes the Service on each Node's IP at a static port.

Why this answer

NodePort Service exposes the Service on each Node's IP at a static port (the NodePort). A NodePort Service is accessible from outside the cluster by requesting <NodeIP>:<NodePort>.

921
MCQmedium

A pod named 'db-backup' is in CrashLoopBackOff. The team needs to understand why it keeps crashing. Which approach should be taken first to diagnose the issue?

A.Increase the restart policy to Always
B.Run kubectl describe pod
C.View the logs of the pod using kubectl logs
D.Check the pod's events with kubectl get events
AnswerC

Logs show the error that causes the crash.

Why this answer

C is correct because `kubectl logs` directly shows the stdout/stderr output from the container's main process, which typically contains the error message or stack trace explaining why the application crashed. Since the pod is in CrashLoopBackOff, the container is repeatedly starting and failing, so viewing the logs from the last (or previous) attempt is the fastest way to identify the root cause, such as a missing configuration file, a failed dependency, or an unhandled exception.

Exam trap

The trap here is that candidates often choose `kubectl describe pod` (Option B) because it shows events and exit codes, but they overlook that `kubectl logs` directly reveals the application's error message, which is the most efficient first step for debugging a crash.

How to eliminate wrong answers

Option A is wrong because changing the restart policy to Always does not diagnose the crash; it only changes the behavior after a crash, and the pod already has a restart policy (default Always) that is causing the CrashLoopBackOff. Option B is wrong because `kubectl describe pod` provides metadata, events, and status but does not show the application's stdout/stderr logs; it can show why the container exited (e.g., exit code) but not the specific error message from the application. Option D is wrong because `kubectl get events` shows cluster-level events (e.g., pulling images, scheduling) but not the application's internal error output; it may show the container restart count but not the crash reason.

922
MCQmedium

A user runs 'kubectl get endpoints my-service' and sees no endpoints listed. The service has a selector 'app: my-app'. Pods with that label exist and are running. What is the most likely cause?

A.The service selector does not match the pod labels
B.The pods are not assigned an IP address
C.The service name is incorrect
D.The pods are not ready (readiness probe failing)
AnswerA

The endpoints controller watches for pods matching the service's selector. If labels don't match, no endpoints are added.

Why this answer

If the service selector does not match the pod labels, the endpoints controller will not populate endpoints. Option B is correct. Option A is incorrect because pod IPs are assigned.

Option C is incorrect because the service exists. Option D is incorrect because readiness probes affect whether a pod is included in endpoints, but if no pods match the selector, that's the primary issue.

923
MCQmedium

You have a Deployment with 3 replicas. You create a Service with 'clusterIP: None'. What is the effect on pod DNS?

A.Each pod gets its own DNS record in the form <pod-ip>.<service>.<namespace>.svc.cluster.local
B.DNS returns the IPs of all matching pods.
C.The Service name does not resolve to any IP; DNS fails.
D.The Service name resolves to a single virtual IP that load balances across pods.
AnswerB

Headless Service returns pod IPs directly.

Why this answer

Option B is correct. A headless Service (clusterIP: None) causes DNS to return the IP addresses of all pods that match the selector, enabling DNS-based pod discovery.

924
MCQhard

You are asked to implement a blue-green deployment using Kubernetes Deployments and Services. You have a blue Deployment with label 'version: blue' and a green Deployment with label 'version: green'. Both have selector 'app: myapp'. You need a Service that initially points to blue. How should you configure the Service to switch to green without downtime?

A.Change the blue Deployment's pod label to 'version: green' and delete green Deployment
B.Update the Service's label selector to 'app: myapp, version: green'
C.Delete the Service and recreate it with the new selector
D.Update the Service's cluster IP to point to green pods
AnswerB

Changing the selector to match green pods will route traffic to green, causing a switch with minimal delay.

Why this answer

The correct approach is to use a Service with a selector that matches only one version at a time. By including a label like 'release: stable' in the pod template of the blue Deployment and setting the Service's selector to match that label, you can switch by updating the green Deployment's pods to have the same label and removing it from blue, or by updating the Service's selector. Option A describes updating the Service's selector to match green pods, which is a common method.

However, it requires that green pods have a unique label that you can switch to. Option B is similar but uses a different approach. Option C is risky.

Option D is wrong because cluster IP doesn't change.

925
MCQmedium

You have a Deployment running three replicas of a web application. You need to expose the application on port 80 of all cluster nodes. Which Service type should you use?

A.LoadBalancer
B.NodePort
C.ExternalName
D.ClusterIP
AnswerB

NodePort exposes the service on each node's IP at a static port.

Why this answer

NodePort exposes a service on a static port on each node's IP address, making the service accessible from outside the cluster via nodeIP:nodePort.

926
MCQmedium

A developer wants to enforce that containers in a namespace cannot run as privileged. Which Pod Security Standard profile should they apply to the namespace?

A.privileged
B.restricted
C.baseline
D.custom
AnswerC

baseline prevents privileged containers among other things.

Why this answer

Option C (baseline) is correct because the baseline Pod Security Standard (PSS) profile enforces the minimum restrictions necessary to prevent known privilege escalations, including the prohibition of privileged containers (i.e., `privileged: true` in the security context). This profile is designed to be applied to namespaces where most workloads run, blocking the most common security issues without breaking typical applications. The restricted profile would also block privileged containers but imposes additional constraints (e.g., dropping all capabilities, read-only root filesystem) that are not required by the question's specific goal.

Exam trap

The trap here is that candidates often confuse the 'restricted' profile as the only option to block privileged containers, not realizing that 'baseline' also blocks them and is the appropriate choice when the goal is simply to prevent privileged escalation without imposing the full set of restricted constraints.

How to eliminate wrong answers

Option A is wrong because the privileged profile allows all known privilege escalations, including running containers as privileged, which is the opposite of what the developer wants to enforce. Option B is wrong because the restricted profile, while also blocking privileged containers, goes beyond the requirement by enforcing additional restrictions like dropping all capabilities, setting `runAsNonRoot: true`, and requiring a read-only root filesystem, which may break workloads that do not need such strictness. Option D is wrong because 'custom' is not a valid Pod Security Standard profile; the three standard profiles defined by Kubernetes are privileged, baseline, and restricted.

927
MCQeasy

Which command scales a Deployment named 'frontend' to 5 replicas?

A.kubectl scale deployment frontend --replicas 5
B.kubectl scale deployment frontend --replicas=5
C.kubectl scale deploy frontend --replicas=5
D.kubectl scale deployment/frontend --replicas=5
AnswerB, C

Correct command.

Why this answer

Option A is correct: 'kubectl scale deployment frontend --replicas=5'. Option B has incorrect flag syntax. Options C and D use incorrect resource type or flag.

928
Multi-Selectmedium

Which TWO commands can be used to create a resource from a YAML file?

Select 2 answers
A.kubectl create -f pod.yaml
B.kubectl delete -f pod.yaml
C.kubectl get -f pod.yaml
D.kubectl run -f pod.yaml
E.kubectl apply -f pod.yaml
AnswersA, E

kubectl create -f creates resources from a YAML file.

Why this answer

Options B and C are correct. kubectl create -f and kubectl apply -f both create resources from YAML files. kubectl run creates a pod from command-line arguments. kubectl get retrieves resources. kubectl delete deletes resources.

929
Matchingmedium

Match each Kubernetes term to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Runs before app containers; for setup tasks

Helper container that runs alongside the main container

Pod managed directly by the kubelet without API server

Temporary container for debugging running pods

Pod with multiple containers sharing the same network and storage

Why these pairings

These are special container patterns in Kubernetes.

930
MCQmedium

A developer runs 'kubectl create secret generic tls-secret --cert=cert.crt --key=key.pem'. What type of Secret is created?

A.kubernetes.io/tls
B.Opaque
C.kubernetes.io/dockerconfigjson
D.kubernetes.io/ssh-auth
AnswerA

The --cert and --key flags are specifically for creating TLS secrets.

Why this answer

The command `kubectl create secret generic tls-secret --cert=cert.crt --key=key.pem` creates a Secret of type `kubernetes.io/tls`. This is because the `--cert` and `--key` flags automatically set the type to TLS, which is used to store TLS certificates and private keys for ingress or other TLS termination. The `generic` subcommand is a misnomer here; it does not create an Opaque secret when these specific flags are provided.

Exam trap

The trap here is that candidates assume `kubectl create secret generic` always creates an Opaque secret, but the `--cert` and `--key` flags automatically change the type to `kubernetes.io/tls`, which is a common point of confusion in CKAD exams.

How to eliminate wrong answers

Option B is wrong because Opaque secrets are created with `kubectl create secret generic` without the `--cert` and `--key` flags, or with `--from-literal`/`--from-file`; the presence of `--cert` and `--key` overrides the default type to `kubernetes.io/tls`. Option C is wrong because `kubernetes.io/dockerconfigjson` is created using `kubectl create secret docker-registry` or by manually specifying the type with a `.dockerconfigjson` data field, not via `--cert` and `--key`. Option D is wrong because `kubernetes.io/ssh-auth` is created using `kubectl create secret generic --from-file=ssh-privatekey=...` with the type explicitly set, or via `kubectl create secret ssh-auth`, and does not involve TLS certificate and key files.

931
MCQeasy

You want to see all events in the default namespace sorted by timestamp. Which command should you use?

A.kubectl get events
B.kubectl logs --all-containers
C.kubectl top events
D.kubectl describe pods
AnswerA

This command lists events in the current namespace, sorted by last timestamp.

Why this answer

kubectl get events shows events sorted by last timestamp by default.

932
Multi-Selecthard

Which THREE of the following are valid fields in a NetworkPolicy spec?

Select 3 answers
A.podSelector
B.ingress
C.policyTypes
D.namespaceSelector
E.ipBlock
AnswersA, B, C

Required field to select pods.

Why this answer

Options B, C, and E are correct. A NetworkPolicy spec includes 'podSelector', 'policyTypes', 'ingress', and 'egress'. Option A 'namespaceSelector' is a field within ingress/egress rules, not directly in spec.

Option D 'ipBlock' is within ingress/egress rules. So B, C, E are top-level fields.

933
Multi-Selecthard

Which THREE conditions must be met for a NetworkPolicy to effectively isolate a set of pods?

Select 3 answers
A.The NetworkPolicy must have a non-empty podSelector that matches the target pods
B.The namespace must have a default deny-all NetworkPolicy
C.The pods must have the label 'networking/allow-external'
D.The policy must include 'policyTypes: - Ingress' to deny by default
E.The NetworkPolicy must be in the same namespace as the pods
AnswersA, D, E

Otherwise it may apply to all pods or none.

Why this answer

NetworkPolicy must have a podSelector that selects the target pods, the policyTypes must include Ingress and/or Egress, and the rules must define allowed traffic. By default, if no NetworkPolicy applies, all traffic is allowed.

934
MCQmedium

A container in a pod is crashing repeatedly. You want to see the logs from the previous (crashed) instance of the container. Which command should you use?

A.kubectl logs --tail=10 <pod>
B.kubectl logs <pod> --previous
C.kubectl logs -c <container> <pod>
D.kubectl logs -f <pod>
AnswerB

Shows logs from the previous crashed container.

Why this answer

Option B is correct because the `--previous` flag in `kubectl logs` retrieves logs from the previous instance of a container that has crashed and restarted. This allows you to inspect the logs of the terminated container to diagnose the crash, even though the current container instance is running or has restarted.

Exam trap

The trap here is that candidates often confuse `--previous` with `--tail` or `-f`, thinking they need to limit output or follow logs, when the key requirement is accessing logs from a terminated container instance.

How to eliminate wrong answers

Option A is wrong because `--tail=10` only limits the output to the last 10 lines of the current container's logs, not the logs from the previous (crashed) instance. Option C is wrong because `-c <container>` specifies a container name within a multi-container pod, but does not retrieve logs from a previous crashed instance. Option D is wrong because `-f` follows (streams) the current container's logs in real time, which is irrelevant for viewing logs from a previous crash.

935
MCQmedium

Which command forwards local port 8080 to port 80 of a pod named 'web-pod'?

A.kubectl port-forward service/web-service 8080:80
B.kubectl port-forward pod/web-pod 8080:80
C.kubectl port-forward deployment/web-deployment 8080:80
D.kubectl port-forward pod/web-pod 80:8080
AnswerB

Correct syntax: local_port:pod_port.

Why this answer

Option C is correct. 'kubectl port-forward pod/web-pod 8080:80' forwards local port 8080 to pod port 80. Option A incorrectly places local port after colon. Option B uses deployment.

Option D uses service, not pod.

936
MCQeasy

You need to view resource usage (CPU and memory) for all pods in the 'default' namespace. Which command should you use?

A.kubectl top pods
B.kubectl logs pods
C.kubectl describe pods
D.kubectl top nodes
AnswerA

This command shows CPU and memory usage for pods in the current namespace.

Why this answer

Option A is correct because `kubectl top pods` is the command specifically designed to display real-time CPU and memory usage metrics for pods in a Kubernetes cluster. It relies on the metrics server to collect resource usage data and presents it in a concise table format, making it the appropriate tool for viewing resource consumption in the 'default' namespace.

Exam trap

The trap here is that candidates often confuse `kubectl top pods` with `kubectl describe pods` or `kubectl logs`, mistakenly thinking that descriptive or log commands provide resource usage data, but only `kubectl top` accesses the metrics server for real-time utilization.

How to eliminate wrong answers

Option B is wrong because `kubectl logs pods` is used to retrieve log output from containers in a pod, not to view CPU or memory usage metrics. Option C is wrong because `kubectl describe pods` provides detailed metadata and status information about pods, including resource requests and limits, but does not show real-time CPU and memory usage. Option D is wrong because `kubectl top nodes` displays resource usage at the node level (aggregate CPU and memory for all pods on a node), not per-pod metrics in the 'default' namespace.

937
MCQhard

Based on the exhibit, why is the container being killed and restarted?

A.The readiness probe is failing, causing the pod to be considered not ready and restarted.
B.The liveness probe is failing, causing the container to be restarted.
C.The container is running out of memory (OOM).
D.The container image is being pulled repeatedly.
AnswerA

Readiness probe failure leads to killing the container.

Why this answer

Option A is correct because the exhibit shows the container being killed and restarted, which is the default behavior when a readiness probe fails. In Kubernetes, a failing readiness probe removes the pod from service endpoints but does not trigger a restart; however, the question's context implies that the pod is being restarted due to a readiness probe failure combined with a restart policy (e.g., `Always`), which can cause the container to be recreated if the pod is considered unhealthy and the kubelet decides to restart it. The readiness probe failure leads to the pod being marked as not ready, and with a restart policy of `Always`, the container is killed and restarted to attempt recovery.

Exam trap

CNCF often tests the misconception that a failing readiness probe directly restarts the container, when in fact it only removes the pod from service, and the restart is triggered by the restart policy combined with the probe failure.

How to eliminate wrong answers

Option B is wrong because a failing liveness probe directly causes the container to be restarted by the kubelet, but the exhibit indicates the container is being killed and restarted due to a readiness probe failure, not a liveness probe failure. Option C is wrong because an OOM kill would result in a `CrashLoopBackOff` state with an `OOMKilled` reason in the pod status, not a readiness probe failure. Option D is wrong because repeated image pulls would cause `ErrImagePull` or `ImagePullBackOff` errors, not a readiness probe failure leading to container restarts.

938
MCQhard

You are a platform engineer at a company that runs a microservices architecture on Kubernetes. The application consists of a frontend service (Node.js), a backend API (Go), and a PostgreSQL database. All components are deployed in the same namespace 'production'. Recently, the backend API has been experiencing intermittent 503 errors from the frontend. The backend API Pods have CPU limits set to 500m and memory limits to 256Mi. The backend API exposes metrics at /metrics and has a liveness probe (HTTP GET /healthz) and a readiness probe (HTTP GET /ready). You notice that during traffic spikes, the backend API Pods are restarted frequently. You examine the metrics and see that memory usage spikes to 250Mi during high load. What is the most likely cause of the restarts and 503 errors?

A.The liveness probe is misconfigured and should use a TCP check instead.
B.The memory limit is set too low; the container is being OOMKilled during traffic spikes.
C.The readiness probe is failing because the application is not ready, but the liveness probe keeps it alive.
D.The CPU limit is too low, causing the container to be throttled and timeout.
AnswerB

Memory spikes to 250Mi exceed the 256Mi limit, leading to OOM kills.

Why this answer

The backend API Pods are being restarted frequently because the memory limit of 256Mi is too close to the observed memory usage of 250Mi during traffic spikes. When memory usage hits the limit, the Linux kernel's OOM killer terminates the container (OOMKilled), causing the Pod to restart. This restart leads to temporary unavailability, which the frontend sees as 503 errors.

Exam trap

The trap here is that candidates often confuse CPU throttling (which causes slowness and timeouts) with OOM kills (which cause restarts), and they may overlook that memory limits are a hard cap enforced by the kernel, while CPU limits are a soft cap enforced by the scheduler.

How to eliminate wrong answers

Option A is wrong because the liveness probe is already an HTTP GET check, which is appropriate for an application that exposes an HTTP endpoint; switching to a TCP check would not prevent OOM kills and would only verify the port is open, not application health. Option C is wrong because the readiness probe failing would prevent traffic from being sent to the Pod, but the Pod would not be restarted; restarts are caused by liveness probe failures or OOM kills, not readiness probe failures. Option D is wrong because CPU throttling (due to low CPU limits) causes performance degradation and timeouts, not container restarts; the kernel does not kill containers for exceeding CPU limits—it only throttles them.

939
MCQhard

A Deployment has replicas: 5. During a rolling update, the developer sets maxSurge: 2 and maxUnavailable: 1. What is the maximum number of pods that can be running during the update?

A.7
B.5
C.8
D.6
AnswerA

With maxSurge=2 up to 7 pods can be running simultaneously.

Why this answer

Option A is correct because during a rolling update, the total number of pods running is the sum of the desired replicas (5) plus the maxSurge (2), which equals 7. The maxUnavailable setting (1) controls how many pods can be down, not the upper limit of running pods. Kubernetes ensures that the number of pods above the desired count does not exceed maxSurge, so the maximum running pods is 5 + 2 = 7.

Exam trap

The trap here is that candidates often confuse maxSurge and maxUnavailable, mistakenly adding both to the desired replicas or thinking maxUnavailable increases the maximum running pods, when in fact maxSurge alone determines the upper limit of running pods during the update.

How to eliminate wrong answers

Option B is wrong because it assumes no surge is allowed, ignoring the maxSurge setting of 2, which permits additional pods beyond the desired replicas. Option C is wrong because it incorrectly adds both maxSurge and maxUnavailable to the desired replicas (5+2+1=8), but maxUnavailable does not increase the running pod count; it limits how many can be unavailable. Option D is wrong because it suggests a total of 6, which might come from adding only maxUnavailable (5+1=6) or misinterpreting maxSurge as 1, but the correct calculation is replicas + maxSurge = 5+2=7.

940
MCQmedium

A developer has a Dockerfile that builds a Go application. The final image size is 800MB. Which improvement would MOST reduce the image size?

A.Combine all RUN commands into a single layer
B.Add a .dockerignore file to exclude unnecessary files
C.Use a smaller base image like alpine:3.19
D.Use multi-stage builds with a scratch final stage
AnswerD

Multi-stage builds allow copying only the compiled binary to a minimal final image, removing all build tools.

Why this answer

Multi-stage builds allow copying only the binary from the build stage to a minimal base image, drastically reducing final image size.

941
MCQmedium

You run the following command: 'kubectl run nginx --image=nginx --restart=Never'. What Kubernetes resource is created?

A.CronJob
B.Deployment
C.Job
D.Pod
AnswerD

When --restart=Never is specified, kubectl run creates a Pod.

Why this answer

The --restart=Never flag creates a Pod. The default behavior of kubectl run without --restart=Never creates a Deployment, but with --restart=Never it creates a Pod.

942
MCQhard

A pod must run with a seccomp profile that only allows specific syscalls. Which SecurityContext field is used to specify the seccomp profile type?

A.appArmorProfile
B.seLinuxOptions
C.seccomp
D.seccompProfile
AnswerD

The seccompProfile field in securityContext specifies the seccomp profile to use.

Why this answer

Option D is correct because `seccompProfile` is the field within the Pod or container `SecurityContext` that specifies the seccomp profile type (e.g., `RuntimeDefault`, `Localhost`, or `Unconfined`). This field was introduced in Kubernetes v1.19 (beta) and replaces the older annotation-based seccomp configuration, allowing you to define the profile type directly in the pod spec.

Exam trap

The trap here is that candidates confuse the older annotation-based approach (`seccomp.security.alpha.kubernetes.io/pod`) with the newer native `seccompProfile` field, or they mistakenly think the field is simply named `seccomp` instead of `seccompProfile`.

How to eliminate wrong answers

Option A is wrong because `appArmorProfile` is not a valid field in the Kubernetes SecurityContext; AppArmor profiles are configured via annotations (e.g., `container.apparmor.security.beta.kubernetes.io`), not a dedicated field. Option B is wrong because `seLinuxOptions` is used to set SELinux labels (e.g., user, role, type, level) for a container, not to specify seccomp profiles. Option C is wrong because `seccomp` is not a field in the SecurityContext; the correct field name is `seccompProfile`, which contains the `type` and optionally `localhostProfile` subfields.

943
MCQhard

An Ingress resource uses host-based routing. Which field in the Ingress YAML specifies the host header to match?

A.metadata.annotations['nginx.ingress.kubernetes.io/rewrite-target']
B.spec.rules[].host
C.spec.tls[].hosts
D.spec.rules[].http.paths[].host
AnswerB

Correct: host field under rules.

Why this answer

Option A is correct. In an Ingress rule, the 'host' field under 'spec.rules[].host' specifies the fully qualified domain name to match.

944
Multi-Selectmedium

Which THREE of the following are valid probe handlers in Kubernetes?

Select 3 answers
A.exec
B.gRPC
C.httpGet
D.tcpSocket
E.udpSocket
AnswersA, C, D

Executes a command inside the container.

Why this answer

The three handler types are httpGet, tcpSocket, and exec. gRPC was added in v1.24 as alpha, but it is not yet stable in v1.29 (beta). According to the domain content, it is listed, but the question asks for valid handlers; gRPC is valid but less common. However, to keep it simple, we include httpGet, tcpSocket, exec. gRPC is also valid, but we need exactly three.

Since the domain includes grpc, we can include it as an option, but for the correct answer we choose the standard three. Let's adjust: The domain includes grpc, so we can make it correct as well. But the question asks for THREE, and there are four valid handlers.

We'll choose the three most common: httpGet, tcpSocket, exec. gRPC is still beta, but the question might consider it valid. I'll go with the three classic ones to avoid ambiguity.

945
MCQeasy

A developer wants to ensure that a critical application always runs on every node in the cluster. Which resource should they use?

A.StatefulSet
B.ReplicaSet
C.Deployment
D.DaemonSet
AnswerD

DaemonSet runs a pod on every node automatically.

Why this answer

A DaemonSet ensures that a pod runs on every node in the cluster, or on a subset of nodes based on a node selector. This is the correct resource for deploying a critical application that must be present on all nodes, such as a logging agent or a monitoring daemon.

Exam trap

The trap here is that candidates often confuse DaemonSet with Deployment or ReplicaSet, thinking that setting a high replica count in a Deployment will achieve the same effect, but only DaemonSet guarantees a pod on every node regardless of scaling or scheduling constraints.

How to eliminate wrong answers

Option A is wrong because a StatefulSet is designed for stateful applications that require stable network identities and persistent storage, not for running a pod on every node. Option B is wrong because a ReplicaSet ensures a specified number of pod replicas are running, but it does not guarantee placement on every node; it uses a scheduler to distribute replicas across available nodes. Option C is wrong because a Deployment manages ReplicaSets to provide declarative updates, but like a ReplicaSet, it does not enforce that a pod runs on every node; it only maintains a desired replica count.

946
MCQmedium

A Job must run exactly 3 Pods in parallel. Which Job manifest field achieves this?

A..spec.activeDeadlineSeconds
B..spec.completions
C..spec.parallelism
D..spec.backoffLimit
AnswerC

Sets the number of Pods that run in parallel.

Why this answer

Option A is correct: spec.parallelism controls the number of Pods running concurrently. completions sets the total number of Pods to run. backoffLimit sets retries. activeDeadlineSeconds sets time limit.

947
Multi-Selectmedium

Which TWO of the following are valid ways to expose a Secret as an environment variable in a pod? (Select two.)

Select 2 answers
A.envFrom: - secretRef: name: db-secret
B.volumes: - name: secret-volume secret: secretName: db-secret
C.env: - secretRef: name: db-secret
D.envFrom: - configMapRef: name: db-secret
E.env: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password
AnswersA, E

Injects all keys from the Secret as environment variables.

Why this answer

Option A is correct because `envFrom` with a `secretRef` allows all key-value pairs from a Secret to be injected as environment variables into a container. This is a concise method to expose multiple secret entries without specifying each one individually.

Exam trap

The trap here is that candidates confuse `envFrom` with `env` syntax, or mistakenly think a volume mount (option B) or a ConfigMap reference (option D) can expose Secrets as environment variables.

948
MCQeasy

Which kubectl command forwards local port 8080 to port 80 of a pod named 'web-pod'?

A.kubectl port-forward pod/web-pod 80:8080
B.kubectl expose pod web-pod --port=8080 --target-port=80
C.kubectl proxy pod/web-pod 8080:80
D.kubectl port-forward pod/web-pod 8080:80
AnswerD

Correct: local 8080 to pod 80.

Why this answer

Option B is correct. The format is 'kubectl port-forward <pod-name> <local-port>:<pod-port>'.

949
MCQmedium

You want to enforce that all pods in a namespace have a minimum memory request of 100Mi and a maximum memory limit of 1Gi. Which resource should you create?

A.PodSecurityPolicy
B.LimitRange with limits: - max: memory: 128Mi min: memory: 100Mi
C.ResourceQuota
D.LimitRange
AnswerD

LimitRange allows setting min/max resource constraints for pods/containers in a namespace.

Why this answer

A LimitRange (option D) is the correct resource because it allows you to set default, minimum, and maximum resource constraints (CPU/memory) at the namespace level, which are enforced per pod or container. In this case, you can define a LimitRange with a `min` of 100Mi and a `max` of 1Gi for memory, ensuring every pod in the namespace adheres to these bounds.

Exam trap

The trap here is that candidates confuse ResourceQuota (which sets namespace-wide totals) with LimitRange (which sets per-pod constraints), or they misconfigure the LimitRange with incorrect `max`/`min` values that don't match the requirement.

How to eliminate wrong answers

Option A is wrong because PodSecurityPolicy (PSP) is a deprecated cluster-level resource that controls security-related pod specifications (e.g., privileged containers, host namespaces), not resource requests or limits. Option B is wrong because the `max` value of 128Mi contradicts the requirement of a maximum memory limit of 1Gi, and the `min` value of 100Mi is correct but the `max` is too restrictive; also, the syntax shown is incomplete (missing `default` and `defaultRequest` fields) and does not match the required LimitRange structure. Option C is wrong because ResourceQuota sets aggregate resource consumption limits for the entire namespace (e.g., total memory across all pods), not per-pod minimum or maximum constraints.

950
MCQhard

You need to allow ingress traffic to pods with label 'app: web' from pods with label 'role: frontend' in the same namespace, and also from any pod in namespace 'monitoring'. Which NetworkPolicy egress/ingress rule correctly implements this?

A.spec: podSelector: matchLabels: app: web ingress: - from: - namespaceSelector: matchLabels: name: monitoring - podSelector: matchLabels: role: frontend
B.spec: podSelector: matchLabels: app: web ingress: - from: - podSelector: matchLabels: role: frontend namespaceSelector: matchLabels: name: monitoring
C.spec: podSelector: matchLabels: app: web ingress: - from: - podSelector: matchLabels: role: frontend - namespaceSelector: matchLabels: name: monitoring
D.spec: podSelector: matchLabels: app: web ingress: - from: - podSelector: matchLabels: role: frontend - from: - namespaceSelector: matchLabels: name: monitoring
AnswerC

Correct: two separate from entries for each source.

Why this answer

Option A is correct. The ingress rule has two from entries: one for pods with label 'role: frontend' (namespaceSelector with empty namespaceSelector means current namespace) and another for all pods in namespace 'monitoring' (namespaceSelector with matchLabels).

951
MCQhard

You have a Deployment with a liveness probe that fails intermittently, causing the pod to restart. You want to reduce the sensitivity of the probe so that it only restarts after 3 consecutive failures. Which probe parameter should you adjust?

A.initialDelaySeconds
B.periodSeconds
C.failureThreshold
D.successThreshold
AnswerC

Increasing failureThreshold to 3 means the container will only be restarted after 3 consecutive probe failures, reducing sensitivity.

Why this answer

The `failureThreshold` parameter defines the number of consecutive probe failures required before Kubernetes considers the probe to have failed and triggers the configured action (e.g., restarting the container). By default, this value is 3, but if it is set lower (e.g., 1), a single failure causes a restart. Increasing `failureThreshold` to 3 (or higher) ensures that the liveness probe only restarts the pod after three consecutive failures, thereby reducing sensitivity to transient issues.

Exam trap

The trap here is that candidates often confuse `failureThreshold` with `periodSeconds`, thinking that reducing the probe frequency (period) will reduce sensitivity, but the correct way to require multiple consecutive failures is to increase the `failureThreshold` value.

How to eliminate wrong answers

Option A is wrong because `initialDelaySeconds` controls how long to wait after the container starts before initiating the first probe; it does not affect the number of consecutive failures required to trigger a restart. Option B is wrong because `periodSeconds` sets the frequency (in seconds) at which the probe is executed; adjusting it changes how often checks occur, not how many failures are needed. Option D is wrong because `successThreshold` defines the number of consecutive successes required for the probe to be considered successful after a failure; it is relevant for startup and readiness probes but not for liveness probes (where it is always 1 and cannot be changed).

952
Multi-Selecthard

Which THREE of the following are correct about the .dockerignore file? (Select 3)

Select 3 answers
A.It supports wildcard patterns to exclude files
B.It is a replacement for .gitignore
C.It can be used to exclude .git directory from the build context
D.It allows comments starting with #
E.It affects the files available in the running container
AnswersA, C, D

Correct: .dockerignore supports glob patterns.

Why this answer

.dockerignore excludes files from the build context, reducing build time and image size. It can use wildcards (A), excludes .git (B), and can have comments (C). It does not affect container runtime (D) and is not a replacement for .gitignore (E).

953
MCQeasy

Which instruction in a Dockerfile sets the default command to run when the container starts, but allows overriding?

A.START
B.RUN
C.CMD
D.ENTRYPOINT
AnswerC

CMD provides defaults that can be overridden.

Why this answer

Option C is correct. CMD can be overridden by passing arguments to 'docker run'. ENTRYPOINT (option B) is not easily overridden unless combined with CMD.

Option A (RUN) is for build-time commands. Option D (START) is invalid.

954
MCQhard

An Ingress resource has the following spec. What is the effect? spec: tls: - hosts: - myapp.example.com secretName: myapp-tls rules: - host: myapp.example.com http: paths: - path: / pathType: Prefix backend: service: name: myapp port: number: 80

A.Ingress terminates TLS using the secret and routes to the service.
B.Ingress uses the secret for client authentication.
C.Ingress redirects HTTP to HTTPS automatically.
D.Ingress passes the TLS connection through to the service.
AnswerA

Correct interpretation.

Why this answer

The Ingress terminates TLS for the host myapp.example.com using the secret 'myapp-tls' and then routes HTTP traffic to the service 'myapp' on port 80. This is a typical TLS termination configuration.

955
MCQmedium

You need to create a NetworkPolicy that denies all ingress traffic to pods with label 'app: db' in namespace 'prod'. Which YAML snippet correctly implements this?

A.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-db namespace: prod spec: podSelector: matchLabels: app: db policyTypes: - Ingress ingress: - from: - ipBlock: cidr: 0.0.0.0/0
B.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all namespace: prod spec: podSelector: {} policyTypes: - Ingress ingress: - from: []
C.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress ingress: []
D.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-db namespace: prod spec: podSelector: matchLabels: app: db policyTypes: - Ingress ingress: []
AnswerD

This selects pods with label 'app: db' in namespace 'prod' and has no ingress rules, thus denying all ingress traffic.

Why this answer

To deny all ingress traffic, you create a NetworkPolicy that selects the pods and has an empty ingress rule (or no ingress rules, which denies all). The correct way is to specify podSelector with the label and have no ingress rules (or an empty ingress array).

956
MCQhard

A NetworkPolicy is applied to a namespace with the following rules: ``` apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress ``` What is the effect on pods in that namespace?

A.All inbound traffic is denied, outbound traffic is allowed
B.All traffic is allowed
C.Only traffic from specific namespaces is allowed
D.All inbound and outbound traffic is denied
AnswerA

Correct.

Why this answer

This policy selects all pods and only specifies Ingress, so all incoming traffic to pods is denied unless other policies allow it. Egress is unaffected.

957
MCQmedium

A developer wants to ensure a container runs as a non-root user with user ID 1000 and group ID 2000. Which SecurityContext fields should be set?

A.runAsUser: 1000, runAsGroup: 2000, runAsNonRoot: false
B.runAsUser: 1000, runAsGroup: 2000, runAsNonRoot: true
C.runAsUser: 1000, runAsGroup: 2000, allowPrivilegeEscalation: false
D.runAsUser: 1000, fsGroup: 2000, runAsNonRoot: true
AnswerB

Correct fields to set the user and group and enforce non-root.

Why this answer

Option B is correct because setting `runAsUser: 1000` and `runAsGroup: 2000` ensures the container's processes run with user ID 1000 and group ID 2000, while `runAsNonRoot: true` enforces that the container cannot run as root (UID 0), providing a security best practice for non-root execution.

Exam trap

The trap here is confusing `fsGroup` (which controls group ownership of mounted volumes) with `runAsGroup` (which sets the container process's primary group ID), leading candidates to pick option D instead of B.

How to eliminate wrong answers

Option A is wrong because `runAsNonRoot: false` explicitly allows root execution, contradicting the requirement to run as a non-root user. Option C is wrong because `allowPrivilegeEscalation: false` only prevents privilege escalation (e.g., via setuid binaries) but does not enforce a specific non-root user or group; the container could still run as root. Option D is wrong because `fsGroup: 2000` sets the group ID for volume ownership, not the container's primary group ID; the correct field for the container's group is `runAsGroup`, not `fsGroup`.

958
Multi-Selecthard

Which TWO statements about Kubernetes DNS are correct?

Select 2 answers
A.The kube-dns service is responsible for DNS resolution
B.A service named 'api' in namespace 'prod' has DNS name 'api.prod.svc.cluster.local'
C.Pods with hostNetwork: true automatically get DNS entries
D.Headless services also have DNS A records for each pod
E.A pod's DNS name is always 'pod-ip.namespace.pod.cluster.local'
AnswersB, D

Standard service DNS format.

Why this answer

Pod DNS uses the pod's IP with dots replaced by dashes. Service DNS format is 'service.namespace.svc.cluster.local'. Pods with hostNetwork do not get DNS by default.

DNS can be customized via CoreDNS.

959
MCQhard

You need to create a Secret of type 'kubernetes.io/tls' for ingress. Which command is correct?

A.kubectl create secret generic my-tls --from-file=cert.pem --from-file=key.pem
B.kubectl create secret tls my-tls --certificate=cert.pem --private-key=key.pem
C.kubectl create secret tls my-tls --from-file=tls.crt=cert.pem --from-file=tls.key=key.pem
D.kubectl create secret tls my-tls --cert=cert.pem --key=key.pem
AnswerD

This command creates a tls secret with the provided certificate and key files.

Why this answer

Option D is correct because `kubectl create secret tls` is the dedicated command for creating a TLS secret, and it uses the `--cert` and `--key` flags to specify the certificate and private key files respectively. This creates a Secret of type `kubernetes.io/tls`, which is required for Ingress resources to terminate HTTPS traffic.

Exam trap

The trap here is that candidates confuse the `--from-file` syntax from `kubectl create secret generic` with the dedicated TLS command, or misremember the flag names as `--certificate`/`--private-key` instead of the correct `--cert`/`--key`.

How to eliminate wrong answers

Option A is wrong because `kubectl create secret generic` creates a generic (Opaque) Secret, not a `kubernetes.io/tls` type, and Ingress requires the TLS-specific type to correctly interpret the certificate and key data. Option B is wrong because the flags `--certificate` and `--private-key` are not valid for `kubectl create secret tls`; the correct flags are `--cert` and `--key`. Option C is wrong because `--from-file` is used with `kubectl create secret generic`, not with `kubectl create secret tls`, and the `tls.crt`/`tls.key` key names are automatically set by the `tls` subcommand when using the correct flags.

960
MCQeasy

Which command streams logs from a pod in real-time?

A.kubectl logs --stream pod-name
B.kubectl logs -f pod-name
C.kubectl logs --previous pod-name
D.kubectl logs pod-name
AnswerB

The -f flag follows log output in real-time.

Why this answer

Option B is correct because `kubectl logs -f` (the `-f` flag stands for 'follow') streams log output from a pod in real-time, similar to `tail -f` on a file. This is the standard Kubernetes command for continuous log monitoring, allowing you to see new log lines as they are written by the container.

Exam trap

CNCF often tests the `-f` flag against the non-existent `--stream` flag, exploiting the candidate's assumption that a verbose flag name exists when the actual flag is a short form.

How to eliminate wrong answers

Option A is wrong because `kubectl logs` does not have a `--stream` flag; the correct flag for real-time streaming is `-f` (or `--follow`). Option C is wrong because `--previous` shows logs from the previous instance of a container (e.g., after a restart), not real-time streaming. Option D is wrong because `kubectl logs pod-name` without any flag only displays the current log snapshot and exits, it does not stream new log entries.

961
MCQmedium

A Pod spec includes 'securityContext' with 'runAsUser: 1000' and 'runAsGroup: 3000'. The container process inside the pod is expected to write to a mounted volume. Which securityContext field should be set to ensure the volume's group ownership is 3000?

A.supplementalGroups: [3000]
B.fsGroup: 1000
C.fsGroup: 3000
D.runAsGroup: 3000
AnswerC

Correct. fsGroup changes the group ownership of the volume to the specified GID and makes the container's processes part of that supplementary group.

Why this answer

Option C is correct because the `fsGroup` field in the Pod's `securityContext` specifies the group ID (GID) that Kubernetes should assign to any volume mounted into the Pod. When `fsGroup: 3000` is set, Kubernetes recursively changes the ownership of the volume's files and directories to group ID 3000, and any new files created by the container process will inherit that group ownership. This ensures the container process, which runs with `runAsGroup: 3000`, can write to the volume without permission errors.

Exam trap

The trap here is that candidates often confuse `fsGroup` with `supplementalGroups` or `runAsGroup`, mistakenly thinking that setting the container's group ID alone will automatically adjust the volume's permissions, when in fact `fsGroup` is the only field that modifies the volume's ownership.

How to eliminate wrong answers

Option A is wrong because `supplementalGroups` adds additional group IDs to the container process's supplementary group list, but it does not change the ownership of the mounted volume; the volume's group ownership remains unchanged unless `fsGroup` is set. Option B is wrong because `fsGroup: 1000` would set the volume's group ownership to GID 1000, not 3000, which would not match the container's `runAsGroup: 3000` and could cause write permission issues. Option D is wrong because `runAsGroup: 3000` already sets the primary group ID for the container process, but it does not affect the ownership of the mounted volume; the volume's group ownership must be explicitly set via `fsGroup`.

962
MCQmedium

A namespace 'test' has a LimitRange that sets default memory request to 256Mi and default memory limit to 512Mi. A pod in that namespace does not specify any resources. What memory request and limit will the pod get?

A.request: 0, limit: 0 (none)
B.request: 256Mi, limit: 512Mi
C.request: 512Mi, limit: 256Mi
D.request: 256Mi, limit: 256Mi
AnswerB

The LimitRange defaults are applied.

Why this answer

When a LimitRange exists in a namespace with default memory request and limit values, any pod that does not specify resource requests or limits will automatically have those defaults injected by the admission controller. This ensures the pod is subject to resource constraints even without explicit specification.

Exam trap

The trap here is that candidates might assume no resources means zero, or confuse the default request and limit values, but the LimitRange admission controller automatically injects the specified defaults.

How to eliminate wrong answers

Option A is wrong because a LimitRange with defaults means the pod will receive those defaults, not zero values. Option C is wrong because it swaps the request and limit values, which would violate the typical constraint that limit >= request. Option D is wrong because it sets both request and limit to 256Mi, ignoring the default limit of 512Mi specified in the LimitRange.

963
MCQhard

You have an existing Deployment 'web' created with 'kubectl create deployment web --image=nginx --replicas=3'. You need to change the image to 'nginx:1.19' and record the change. Which command should you use?

A.kubectl set image deployment/web web=nginx:1.19 --record
B.kubectl replace -f deployment.yaml --record
C.kubectl edit deployment web --record
D.kubectl patch deployment web -p '{"spec":{"template":{"spec":{"containers":[{"name":"web","image":"nginx:1.19"}]}}}}' --record
AnswerA

This command updates the container image and records the change in the rollout history annotation.

Why this answer

Option B is correct: 'kubectl set image deployment/web web=nginx:1.19 --record' updates the image and records the command in the rollout history. Option A uses 'kubectl edit' which does not record changes by default unless '--record' is added. Option C uses 'kubectl replace' which requires a file.

Option D applies a patch but '--record' is not a valid flag for patch.

964
MCQhard

A developer wants to run a one-time batch job that processes exactly 10 items, with up to 3 pods running concurrently. The job should retry each pod up to 2 times if it fails. Which YAML snippet correctly configures the Job?

A..spec.parallelism=3, .spec.completions=2, .spec.backoffLimit=3
B..spec.parallelism=10, .spec.completions=3, .spec.backoffLimit=2
C..spec.parallelism=3, .spec.completions=10, .spec.backoffLimit=2
D..spec.parallelism=3, .spec.completions=3, .spec.backoffLimit=2
AnswerC

Correct: parallelism=3 (max concurrent), completions=10 (total desired), backoffLimit=2 (retries).

Why this answer

Option B sets parallelism to 3 (max concurrent pods) and completions to 10 (total successful pods needed) and backoffLimit to 2 (retries on failure). Option A sets completions to 3 which would only need 3 successful pods, not 10. Option C sets parallelism to 10 and completions to 3, which is opposite.

Option D sets backoffLimit to 3 but completions to 2, not matching the requirement.

965
Multi-Selecthard

Which THREE components are essential for setting up Horizontal Pod Autoscaling (HPA) based on CPU utilization? (Select three)

Select 3 answers
A.A readiness probe on the pod
B.A Service of type LoadBalancer
C.An HPA resource targeting the Deployment
D.metrics-server installed in the cluster
E.CPU resource requests set on the container
AnswersC, D, E

The HPA defines the scaling policy.

Why this answer

HPA requires metrics-server (or equivalent), resource requests on containers, and the HPA resource itself. Option A, C, and E are correct.

966
MCQhard

You have a Deployment named 'frontend' with 3 replicas. You run 'kubectl rollout history deployment/frontend' and see revision 1 and revision 2. You want to rollback to revision 1. What command should you use?

A.kubectl rollout undo deployment/frontend --to-revision=1
B.kubectl set image deployment/frontend app=nginx:1.19
C.kubectl rollout undo deployment/frontend revision=1
D.kubectl rollout history deployment/frontend --revision=1
AnswerA

This rolls back to revision 1.

Why this answer

The 'kubectl rollout undo' command with the --to-revision flag rolls back to a specific revision. Option A is correct.

967
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete the namespace and redeploy all workloads
B.Delete and recreate the pod to clear the crash loop
C.Increase the CPU request for the container
D.Increase the memory limit in the pod's container resource specification
AnswerD

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The 'OOMKilled' message indicates the container was terminated because it exceeded its memory limit. The most appropriate action is to increase the memory limit in the pod's container resource specification, allowing the container more memory to operate without being killed by the Out-of-Memory (OOM) killer.

Exam trap

The trap here is that candidates may confuse 'OOMKilled' with a general crash and think restarting the pod (Option B) will fix it, but the OOM killer will immediately terminate the new container again because the memory limit remains unchanged.

How to eliminate wrong answers

Option A is wrong because deleting the namespace and redeploying all workloads is an extreme, unnecessary action that does not address the root cause (insufficient memory limit) and would cause unnecessary downtime. Option B is wrong because deleting and recreating the pod will only temporarily restart the container; it will still hit the same memory limit and crash again, resulting in the same CrashLoopBackOff state. Option C is wrong because increasing the CPU request does not affect memory constraints; OOMKilled is a memory-related issue, not CPU-related.

968
MCQhard

A pod is failing to start. The 'kubectl describe pod' output shows: 'container has runAsNonRoot and image will run as root'. The Dockerfile of the container image does not specify a USER directive. Which action will fix the issue?

A.Set 'runAsGroup: 1000' in the securityContext
B.Add capability 'CAP_SYS_ADMIN' to the container
C.Remove the 'runAsNonRoot: true' line from the pod spec
D.Add 'runAsUser: 1000' to the container's securityContext
AnswerD

Setting runAsUser to a non-zero UID ensures the container runs as a non-root user, satisfying the runAsNonRoot constraint.

Why this answer

Option D is correct because the error 'container has runAsNonRoot and image will run as root' indicates the pod's securityContext enforces runAsNonRoot: true, but the container image runs as root (default user). Adding runAsUser: 1000 explicitly sets the container's user to a non-root UID, satisfying the runAsNonRoot constraint and allowing the pod to start.

Exam trap

CNCF often tests the misconception that runAsGroup or capabilities can override the user identity, but only runAsUser (or a USER directive in the Dockerfile) changes the effective UID to satisfy runAsNonRoot.

How to eliminate wrong answers

Option A is wrong because setting runAsGroup: 1000 only changes the group ID, not the user ID; the container still runs as root (UID 0), which violates runAsNonRoot. Option B is wrong because adding CAP_SYS_ADMIN grants elevated Linux capabilities but does not change the user the container runs as; the container remains root, so runAsNonRoot still fails. Option C is wrong because removing runAsNonRoot: true would bypass the security check, but this is a security downgrade and not the intended fix; the question implies the constraint should be satisfied, not removed.

969
MCQhard

An administrator creates a Role and RoleBinding in the 'dev' namespace to allow a ServiceAccount 'sa-dev' to list Pods. Which YAML snippet correctly defines the Role?

A.apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: {name: pod-reader, namespace: dev} rules: - apiGroups: [""] resources: ["pods"] verbs: ["create"]
B.apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: {name: pod-reader, namespace: dev} rules: - apiGroups: ["v1"] resources: ["pods"] verbs: ["list"]
C.apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: {name: pod-reader, namespace: dev} rules: - apiGroups: ["apps/v1"] resources: ["pods"] verbs: ["get"]
D.apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: {name: pod-reader, namespace: dev} rules: - apiGroups: [""] resources: ["pods"] verbs: ["list"]
AnswerD

Correct apiGroups and verbs for listing pods.

Why this answer

Option D is correct because it uses the empty string `""` for `apiGroups`, which represents the core API group where Pods reside, and specifies the `list` verb to allow listing Pods. This matches the requirement to allow the ServiceAccount 'sa-dev' to list Pods in the 'dev' namespace.

Exam trap

The trap here is that candidates often confuse the core API group with the version string `v1` or mistakenly use `apps/v1` for Pods, and they may also confuse `list` with `get` or `create`, leading to incorrect verb selection.

How to eliminate wrong answers

Option A is wrong because it uses the verb `create` instead of `list`, which would allow creating Pods but not listing them. Option B is wrong because it incorrectly specifies `apiGroups: ["v1"]`; the core API group is represented by an empty string `""`, not `"v1"`. Option C is wrong because it uses `apiGroups: ["apps/v1"]`, which is for resources like Deployments, not Pods (Pods are in the core API group), and the verb `get` does not allow listing.

970
Multi-Selecteasy

Which TWO are valid ways to create a Service in Kubernetes?

Select 2 answers
A.Using kubectl apply -f service.yaml
B.Using kubectl create service clusterip myservice --tcp=80:80
C.Using kubectl create deployment mydeploy --image=nginx --expose
D.Using kubectl run mypod --image=nginx --expose
E.Using kubectl expose deployment mydeploy --port=80
AnswersA, E

Applies a YAML manifest.

Why this answer

A and B are correct. kubectl expose creates a service from a resource. YAML manifest can be applied. C is incorrect because 'create service' doesn't automatically select pods.

D creates a pod, not a service. E is not a command.

971
MCQmedium

A Pod is running in a namespace with a ResourceQuota that sets 'limits.memory: 2Gi'. The pod's container spec has 'resources.limits.memory: 1Gi' and 'resources.requests.memory: 512Mi'. The pod is in 'Running' state but consumes 1.5Gi of memory. What happens?

A.The pod will be evicted by the kubelet due to namespace quota violation
B.The container will continue running because the namespace quota allows up to 2Gi
C.The container will be OOMKilled because it exceeds its own memory limit of 1Gi
D.The pod will be throttled by the kernel to stay within 1Gi
AnswerC

Correct. The container's limit is 1Gi. Exceeding that triggers OOMKill.

Why this answer

The container has a hard memory limit of 1Gi set in its resources.limits.memory. When the container's memory usage exceeds this limit (1.5Gi > 1Gi), the Linux kernel's OOM killer terminates the container process. The namespace ResourceQuota of 2Gi is not violated because the pod's limit (1Gi) is within the quota, so the kubelet does not evict the pod.

Exam trap

The trap here is that candidates confuse namespace-level ResourceQuota enforcement with container-level memory limit enforcement, assuming the quota's higher value allows the container to exceed its own limit.

How to eliminate wrong answers

Option A is wrong because the namespace quota sets a limit of 2Gi, and the pod's configured limit of 1Gi is within that quota; the kubelet only evicts pods when the total usage exceeds the quota, not when a single container exceeds its own limit. Option B is wrong because the container cannot continue running when it exceeds its own hard memory limit of 1Gi; the kernel enforces the container's limit independently of the namespace quota. Option D is wrong because memory is not throttled like CPU; exceeding a memory limit triggers an OOM kill, not throttling.

972
MCQmedium

You have a Deployment with strategy type: Recreate. You update the container image. What behavior will occur during the update?

A.The update is performed in-place without pod termination.
B.New pods are created before old ones are terminated.
C.The deployment is paused automatically.
D.Old pods are terminated, then new pods are created.
AnswerD

Recreate terminates all old pods before creating new ones.

Why this answer

Recreate strategy first scales down all existing pods, then scales up new ones. This causes a brief downtime.

973
MCQeasy

A Secret of type kubernetes.io/tls requires two data keys. What are they?

A.ca.crt and tls.key
B.certificate and key
C.cert.crt and cert.key
D.tls.crt and tls.key
AnswerD

Correct according to Kubernetes documentation.

Why this answer

Kubernetes requires that a Secret of type `kubernetes.io/tls` contain exactly two data keys: `tls.crt` for the TLS certificate and `tls.key` for the private key. This is mandated by the Kubernetes API specification for TLS secrets, which are used to secure ingress and other TLS-terminated endpoints.

Exam trap

The trap here is that candidates often confuse the required key names with common file extensions or generic terms like `certificate` and `key`, but Kubernetes enforces the exact keys `tls.crt` and `tls.key` for TLS secrets.

How to eliminate wrong answers

Option A is wrong because `ca.crt` is an optional key for a CA certificate, not a required key for a TLS secret; the required keys are `tls.crt` and `tls.key`. Option B is wrong because `certificate` and `key` are generic names that do not match the exact key names (`tls.crt` and `tls.key`) required by the Kubernetes API for TLS secrets. Option C is wrong because `cert.crt` and `cert.key` are not the standard key names; Kubernetes specifically expects `tls.crt` and `tls.key` as defined in the Secret type `kubernetes.io/tls`.

974
MCQhard

An Ingress resource is defined as: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: test-ingress spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 tls: - hosts: - example.com secretName: tls-secret What must exist in the cluster for TLS termination to work?

A.An IngressClass annotation specifying the ingress controller
B.A ServiceAccount named tls-secret
C.A Secret named tls-secret of type kubernetes.io/tls in the same namespace
D.A ConfigMap named tls-secret with certificate data
AnswerC

The Ingress controller reads the TLS certificate from this secret.

Why this answer

For TLS termination, a Kubernetes Secret of type kubernetes.io/tls named 'tls-secret' must exist in the same namespace as the Ingress, containing the TLS certificate and key.

975
Multi-Selectmedium

Which TWO of the following are valid ways to consume a Secret named 'db-secret' in a Pod? (Choose two.)

Select 2 answers
A.As environment variables using env with valueFrom.configMapKeyRef
B.As environment variables using envFrom with secretRef
C.As a command-line argument using $(DB_PASSWORD)
D.As files mounted via a volume with secret.secretName
E.As an imagePullSecrets entry
AnswersB, D

Correct.

Why this answer

Option B is correct because `envFrom` with `secretRef` allows a Pod to consume all key-value pairs from a Secret named 'db-secret' as environment variables. This is a standard Kubernetes feature for injecting Secret data into containers without needing to specify each key individually.

Exam trap

CNCF often tests the distinction between `configMapKeyRef` and `secretKeyRef` — candidates mistakenly use `configMapKeyRef` for Secrets because both are key-value stores, but Secrets require `secretKeyRef` for individual key injection.

Page 12

Page 13 of 14

Page 14