Certified Kubernetes Application Developer CKAD (CKAD) — Questions 76150

991 questions total · 14pages · All types, answers revealed

Page 1

Page 2 of 14

Page 3
76
MCQeasy

A pod needs to run as a non-root user with UID 1000. Which SecurityContext field should be set?

A.runAsUser: 1000
B.runAsGroup: 1000
C.runAsNonRoot: true
D.fsGroup: 1000
AnswerA

This sets the user ID to 1000 for all processes in the container.

Why this answer

The `runAsUser` field in the PodSecurityContext or container SecurityContext sets the user ID (UID) under which the container's main process runs. Setting `runAsUser: 1000` ensures the container runs as a non-root user with UID 1000, meeting the requirement. This field directly controls the effective UID of the process, overriding the default root (UID 0).

Exam trap

The trap here is that candidates often confuse `runAsUser` with `runAsGroup` or `fsGroup`, thinking group or filesystem settings control the process user identity, when only `runAsUser` directly sets the UID of the running process.

How to eliminate wrong answers

Option B is wrong because `runAsGroup: 1000` sets the primary group ID (GID) for the container process, not the user ID; it does not change the user from root. Option C is wrong because `runAsNonRoot: true` only enforces that the container cannot run as root (UID 0), but it does not specify which non-root UID to use; the container would fail if no explicit UID is set or if the image's default user is root. Option D is wrong because `fsGroup: 1000` applies to the group ownership of mounted volumes, not the user identity of the running process; it is used for volume access control, not for running as a non-root user.

77
MCQeasy

Which kubectl command creates a ConfigMap named 'app-config' from a file called 'config.properties'?

A.kubectl create configmap app-config --from-env-file=config.properties
B.kubectl create configmap app-config --from-literal=config.properties
C.kubectl create configmap app-config --from-file=config.properties
D.kubectl apply -f config.properties
AnswerC

Correct. The --from-file flag creates a ConfigMap from the file content.

Why this answer

Option C is correct because the `kubectl create configmap` command with the `--from-file` flag directly creates a ConfigMap from the contents of a specified file, using the filename as the key and the file content as the value. This is the standard method for creating a ConfigMap from a single file like 'config.properties'.

Exam trap

The trap here is that candidates often confuse `--from-file` (which imports a file as a single data entry) with `--from-env-file` (which parses a file as multiple key-value pairs), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because `--from-env-file` is used to create a ConfigMap from a file that contains key=value pairs (one per line), treating each line as a separate environment variable, not as a single file with arbitrary content. Option B is wrong because `--from-literal` is used to specify key-value pairs directly on the command line (e.g., `--from-literal=key=value`), not to reference a file. Option D is wrong because `kubectl apply -f` is used to apply a YAML or JSON manifest to create or update resources, and 'config.properties' is not a valid Kubernetes manifest file.

78
MCQeasy

A pod is running with the default service account. An administrator wants to prevent the pod from automatically mounting the service account token. Which field in the pod spec accomplishes this?

A.serviceAccountName: ""
B.automountServiceAccountToken: false
C.serviceAccountToken: none
D.securityContext.readOnlyRootFilesystem: true
AnswerB

This field in the pod spec prevents automatic mounting of the service account token.

Why this answer

Option B is correct because setting `automountServiceAccountToken: false` in the pod spec explicitly prevents the automatic mounting of the service account token into the pod. By default, Kubernetes mounts a projected service account token into every pod at `/var/run/secrets/kubernetes.io/serviceaccount`; this field overrides that default behavior at the pod level.

Exam trap

The trap here is that candidates often confuse `automountServiceAccountToken` with `serviceAccountName` or assume that setting an empty service account name removes the token, but only the explicit boolean field controls the mounting behavior.

How to eliminate wrong answers

Option A is wrong because setting `serviceAccountName: ""` does not prevent token mounting; it simply assigns the pod to the default service account in the namespace, which still results in automatic token mounting. Option C is wrong because `serviceAccountToken: none` is not a valid field in the pod spec; Kubernetes does not recognize this field. Option D is wrong because `securityContext.readOnlyRootFilesystem: true` only makes the container's root filesystem read-only, which does not prevent the service account token from being mounted (the token is still mounted and accessible, just on a read-only filesystem).

79
MCQmedium

A developer wants to use a ConfigMap named 'app-config' to set environment variables for a pod. The ConfigMap has keys 'DEBUG' and 'DATABASE_URL'. Which annotation should be added to the pod spec to inject all keys from the ConfigMap as environment variables?

A.env: - name: DEBUG valueFrom: configMapKeyRef: name: app-config key: DEBUG
B.envFrom: - configMapRef: name: app-config
C.envFrom: - secretRef: name: app-config
D.env: - configMapRef: name: app-config
AnswerB

This injects all keys from the ConfigMap as environment variables.

Why this answer

Option B is correct because the `envFrom` field in a Pod spec allows injecting all key-value pairs from a ConfigMap as environment variables into the container. By specifying `configMapRef` with the ConfigMap name, every key in the ConfigMap becomes an environment variable, which matches the requirement to inject all keys without listing them individually.

Exam trap

CNCF often tests the distinction between `env` (for individual key injection) and `envFrom` (for bulk injection), and the trap here is that candidates confuse `envFrom` with `env` syntax or mistakenly use `secretRef` for ConfigMaps, overlooking the specific resource type required.

How to eliminate wrong answers

Option A is wrong because it uses `env` with individual `configMapKeyRef` entries, which requires manually listing each key (DEBUG and DATABASE_URL) rather than injecting all keys automatically. Option C is wrong because it uses `secretRef` instead of `configMapRef`, which is designed for Secrets, not ConfigMaps, and would fail to reference the ConfigMap 'app-config'. Option D is wrong because `env` does not support a `configMapRef` field; `configMapRef` is only valid under `envFrom`, and using it under `env` is syntactically invalid in Kubernetes.

80
MCQmedium

A company wants to deploy a stateful database on Kubernetes. The database requires stable network identities and persistent storage per pod. Which resource should be used?

A.Job
B.StatefulSet
C.Deployment
D.DaemonSet
AnswerB

StatefulSet provides stable network identities and persistent storage.

Why this answer

StatefulSet is the correct resource because it provides stable, unique network identities (via headless Services and ordinal pod names like `db-0`, `db-1`) and persistent storage per pod (via PersistentVolumeClaims that are retained across rescheduling). This matches the requirement for a stateful database where each pod must maintain its identity and data independently.

Exam trap

The trap here is that candidates often choose Deployment because they associate it with scaling and rolling updates, but they overlook the critical need for stable network identities and per-pod persistent storage, which only StatefulSet provides.

How to eliminate wrong answers

Option A is wrong because a Job is designed for batch processing or one-off tasks, not for long-running stateful workloads that require stable identities and persistent storage. Option C is wrong because a Deployment creates pods with random, ephemeral names and does not guarantee stable network identities or per-pod persistent storage; it is suited for stateless applications. Option D is wrong because a DaemonSet ensures one pod per node, typically for node-level services like logging or monitoring, and does not provide ordered deployment, stable identities, or per-pod persistent storage for a database.

81
MCQmedium

You need to debug a pod that is crashing immediately upon start. You cannot exec into the container because it exits before you can run commands. Which approach should you use to inspect the container's file system?

A.kubectl debug -it pod-name --image=busybox --target=container-name
B.kubectl exec -it pod-name -- /bin/sh
C.kubectl logs pod-name --previous
D.kubectl describe pod pod-name
AnswerA

The debug command creates an ephemeral container that can share the same process namespace or volumes as the crashed container, allowing inspection.

Why this answer

The 'kubectl debug' command with an ephemeral container allows you to attach a debug container to a running pod, even if the original container is not running. You can share the process namespace or mount volumes to inspect files. Option A is not possible if the container crashes.

Option C shows configuration, not runtime state. Option D is for logs, not filesystem.

82
MCQmedium

You have a Deployment with replicas: 5 and update strategy type: RollingUpdate with maxSurge: 25% and maxUnavailable: 25%. During a rolling update, what is the maximum number of pods that can be unavailable at any given time?

A.2
B.5
C.1
D.0
AnswerC

25% of 5 is 1.25, which rounds up to 1 (Kubernetes rounds up).

Why this answer

With replicas=5 and maxUnavailable=25% (which rounds up to 1), at most 1 pod can be unavailable during the update.

83
Multi-Selectmedium

Which THREE of the following are valid parameters for configuring probes? (Select 3)

Select 3 answers
A.retryIntervalSeconds
B.timeoutSeconds
C.cooldownSeconds
D.initialDelaySeconds
E.periodSeconds
AnswersB, D, E

Valid probe parameter.

Why this answer

initialDelaySeconds, periodSeconds, timeoutSeconds, failureThreshold, and successThreshold are all valid. The correct three are A, B, C.

84
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the memory limit in the pod's container resource specification
B.Delete and recreate the pod to clear the crash loop
C.Delete the namespace and redeploy all workloads
D.Increase the CPU request for the container
AnswerA

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

The 'OOMKilled' status indicates the pod's container was terminated because it exceeded its memory limit. Since the pod ran successfully for days, a gradual memory leak or increased workload likely caused the usage to spike past the configured limit. Increasing the memory limit in the container's resource specification allows the pod to handle the higher memory demand without being killed, resolving the CrashLoopBackOff.

Exam trap

The trap here is that candidates confuse OOMKilled with a general crash and choose to delete/recreate the pod, not realizing the underlying memory limit is the cause and must be adjusted.

How to eliminate wrong answers

Option B is wrong because deleting and recreating the pod does not address the root cause — the new pod will still have the same memory limit and will be OOMKilled again. Option C is wrong because deleting the entire namespace and redeploying all workloads is an extreme, unnecessary action that disrupts other workloads and does not fix the memory limit issue. Option D is wrong because increasing the CPU request does not affect memory constraints; OOMKilled is a memory-related termination, not CPU-related.

85
Multi-Selecthard

Which THREE of the following are best practices for configuring readiness probes?

Select 3 answers
A.Use the same endpoint as the liveness probe
B.Configure the probe to restart the container if it fails
C.Set initialDelaySeconds to avoid startup race conditions
D.Use a separate endpoint from the liveness probe
E.Use an HTTP GET request to a lightweight endpoint
AnswersC, D, E

Gives the app time to start before probing.

Why this answer

Option C is correct because setting `initialDelaySeconds` in a readiness probe prevents the probe from starting before the container's application has had time to initialize. Without this delay, the probe might fail immediately during startup, causing the container to be prematurely marked as not ready and removed from service, even though the application would have become ready given a few more seconds. This avoids race conditions between container startup and probe evaluation.

Exam trap

The trap here is that candidates confuse readiness probes with liveness probes, mistakenly thinking readiness probes can restart containers or that sharing the same endpoint is acceptable, when in fact readiness probes only control traffic routing and should use a separate, dependency-aware endpoint.

86
MCQhard

Which of the following is a correct Kustomize kustomization.yaml configuration for setting an image tag to 'v2'?

A.images: - name: my-app newName: v2
B.images: - name: my-app newTag: v2
C.patches: - target: kind: Deployment patch: |- - op: replace path: /spec/template/spec/containers/0/image value: my-app:v2
D.imageTag: - name: my-app tag: v2
AnswerB

This correctly sets the image tag to v2.

Why this answer

Option A is correct: in Kustomize, images are patched using the 'images' field with 'newTag'. Option B uses 'newName' which changes the image name, not tag. Option C is incorrect syntax.

Option D is not a valid field.

87
MCQhard

You need to create a TLS secret for an ingress with certificate and key. Which command correctly creates the secret?

A.kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key
B.kubectl create secret docker-registry tls-secret --docker-cert=tls.crt --docker-key=tls.key
C.kubectl create secret generic tls-secret --from-file=tls.crt --from-file=tls.key
D.kubectl create secret certificate tls-secret --cert= --key=
AnswerA

This creates a TLS secret of type kubernetes.io/tls.

Why this answer

Option A is correct because `kubectl create secret tls` is the dedicated subcommand for creating a TLS secret, which automatically encodes the certificate and key files and stores them under the expected keys (`tls.crt` and `tls.key`). This is the only command that produces a secret of type `kubernetes.io/tls`, which is required by Ingress controllers to serve HTTPS traffic.

Exam trap

The trap here is that candidates may think `kubectl create secret generic` with `--from-file` can create a TLS secret, but they overlook that the secret type must be `kubernetes.io/tls` for the Ingress controller to use it, and the generic command does not set that type.

How to eliminate wrong answers

Option B is wrong because `kubectl create secret docker-registry` creates a secret of type `kubernetes.io/dockerconfigjson` for container registry authentication, not TLS; it expects `--docker-username`, `--docker-password`, etc., not certificate flags. Option C is wrong because `kubectl create secret generic` creates a secret of type `Opaque`, not `kubernetes.io/tls`, and while it can store the files, the Ingress controller will not recognize the keys unless they are named exactly `tls.crt` and `tls.key` and the secret type is correct; this command does not set the type automatically. Option D is wrong because `kubectl create secret certificate` is not a valid kubectl subcommand; the correct subcommand is `tls`, and the flags `--cert=` and `--key=` are incomplete (they require file paths).

88
Multi-Selecthard

Which TWO of the following are correct methods to implement a canary deployment using Kubernetes resources?

Select 2 answers
A.Use a Deployment with 'strategy.type: Canary' in the spec.
B.Create two Services and use a header-based routing to send specific users to canary.
C.Create two Deployments (stable and canary) with a shared Service that selects both based on a common label. Initially, canary has 1 replica while stable has many. Gradually increase canary replicas.
D.Create two separate Services, one for stable and one for canary, and use DNS to route a percentage of traffic.
E.Use an Ingress controller that supports traffic splitting (like Nginx Ingress with canary annotation) to route a percentage of requests to the canary Deployment.
AnswersC, E

This is a standard canary pattern using a single Service.

Why this answer

Option A is correct: run two versions with a Service that distributes traffic, initially 1 green pod. Option C is correct: use an ingress with traffic splitting based on weight (if supported). Option B is incorrect because canary typically uses a single Service.

Option D is incorrect because canary does not involve a separate service for each user. Option E is incorrect because canary is not based on annotations.

89
Multi-Selecthard

Which TWO of the following conditions must be met for a RollingUpdate to proceed?

Select 2 answers
A.The new pod must pass its readiness probe
B.The number of unavailable pods must not exceed maxUnavailable
C.The new ReplicaSet must have the desired number of pods
D.The old ReplicaSet must be scaled to zero
E.The old ReplicaSet must be deleted
AnswersA, B

A pod must be Ready before the rollout updates more pods.

Why this answer

A is correct because during a RollingUpdate, the new pod must pass its readiness probe before the old pod is terminated. This ensures the new pod is capable of serving traffic, preventing service disruption. The readiness probe is checked by the kubelet, and only when it succeeds does the ReplicaSet controller proceed with the update.

Exam trap

The trap here is that candidates often confuse the conditions for a RollingUpdate to proceed with the final state of the update, mistakenly thinking the old ReplicaSet must be scaled to zero or deleted, when in fact the update proceeds incrementally and the old ReplicaSet is only scaled down as new pods become ready.

90
Multi-Selectmedium

A team is deploying a multi-container pod with a main application container and a sidecar container for logging. Which THREE statements about pod design are correct?

Select 3 answers
A.Containers in a pod share the same filesystem root.
B.Containers in a pod share the same network namespace.
C.Containers in a pod can share the same volume mounts.
D.The sidecar container must use the same image as the main container.
E.The sidecar container should be designed to not block the main container from starting.
AnswersB, C, E

They share IP and port space.

Why this answer

Option B is correct because containers within the same Kubernetes pod share the same network namespace, including the same IP address and port space. This allows them to communicate via localhost and share network resources, which is essential for sidecar patterns like logging agents that need to intercept or monitor the main container's traffic.

Exam trap

CNCF often tests the misconception that containers in a pod share the same filesystem root, but in reality they only share volumes via explicit mounts, not the entire root filesystem.

91
MCQeasy

Which probe type is used to indicate that a container is ready to serve traffic and should be added to Service endpoints?

A.Readiness probe
B.Liveness probe
C.Startup probe
D.Both liveness and readiness probes
AnswerA

Readiness probes indicate whether the container is ready to serve traffic.

Why this answer

Readiness probes determine if a pod is ready to receive traffic. Option A is correct.

92
Multi-Selectmedium

Which THREE of the following are valid fields in a PodSecurityPolicy (PSP) that control Linux capabilities? (Select exactly 3)

Select 3 answers
A.privileged
B.defaultAddCapabilities
C.readOnlyRootFilesystem
D.requiredDropCapabilities
E.allowedCapabilities
AnswersB, D, E

Capabilities added by default to containers.

Why this answer

Option B is correct because `defaultAddCapabilities` is a valid field in a PodSecurityPolicy (PSP) that specifies a list of Linux capabilities to be added to containers by default, even if not explicitly requested in the container's security context. This field is part of the PSP's capabilities control mechanism, as defined in the Kubernetes PodSecurityPolicy spec.

Exam trap

CNCF often tests the distinction between fields that directly control capabilities (like `allowedCapabilities`, `defaultAddCapabilities`, `requiredDropCapabilities`) and other security-related fields (like `privileged` or `readOnlyRootFilesystem`) that serve different purposes, causing candidates to select options that are not capability-specific.

93
MCQhard

You have a pod with two containers: app and sidecar. The sidecar logs are verbose and you want to view only the app container logs. Which command should you use?

A.kubectl logs pod-name --container app
B.kubectl logs pod-name
C.kubectl logs pod-name -c app
D.kubectl logs -l app=pod-name
AnswerC

The -c flag selects the specific container to view logs from.

Why this answer

Use the -c flag to specify the container name when a pod has multiple containers.

94
MCQmedium

A NetworkPolicy named 'default-deny-ingress' is applied to a namespace but contains no rules. What is the effect on pods in that namespace?

A.All ingress traffic is denied.
B.Only traffic from pods with label 'allow: true' is allowed.
C.All ingress traffic is allowed.
D.Only traffic from pods in the same namespace is allowed.
AnswerA

Correct. A NetworkPolicy with no ingress rules denies all incoming traffic.

Why this answer

An empty ingress rules array in a NetworkPolicy denies all ingress traffic by default. This is a common pattern to isolate pods.

95
MCQeasy

Which of the following Dockerfile instructions is used to set a command that runs when the container starts and can be overridden by command-line arguments?

A.EXPOSE
B.CMD
C.COPY
D.RUN
AnswerB

CMD provides defaults for an executing container; it can be overridden by providing command-line arguments to docker run.

Why this answer

Option B is correct. CMD sets the default command that can be overridden. ENTRYPOINT sets the command that cannot be overridden (unless --entrypoint flag is used).

Option A (RUN) runs during image build. Option C (EXPOSE) documents ports. Option D (COPY) copies files.

96
MCQmedium

A DevOps engineer wants to deploy a logging sidecar container that reads log files from the main application container. Which volume type should be used to share files between the two containers?

A.emptyDir
B.persistentVolumeClaim
C.configMap
D.hostPath
AnswerA

emptyDir is created empty and shared across all containers in the Pod, ideal for sidecar log collection.

Why this answer

An emptyDir volume is shared between containers in the same Pod and can be used for ephemeral log sharing.

97
MCQhard

A Pod is configured with securityContext: { runAsUser: 1000, runAsGroup: 2000, fsGroup: 3000 }. The container's image runs a process that must listen on a TCP port below 1024 (e.g., port 80). The process is currently failing to start. What should you modify to allow the process to bind to a privileged port?

A.Set 'allowPrivilegeEscalation: true'
B.Add 'capabilities.drop: [ALL]' to the container's securityContext
C.Add 'capabilities.add: [NET_BIND_SERVICE]' to the container's securityContext
D.Set runAsUser: 0 to run as root
AnswerC

Correct. The NET_BIND_SERVICE capability allows a non-root process to bind to ports below 1024.

Why this answer

Option C is correct. When a container runs as a non-root user (runAsUser: 1000), it cannot bind to ports below 1024. Adding the NET_BIND_SERVICE capability to the container's capabilities allows it to bind to privileged ports without being root.

Dropping all capabilities is not necessary.

98
MCQeasy

Which command is used to rollback a Deployment to the previous revision?

A.kubectl rollout undo deployment my-deployment
B.kubectl rollout redo deployment my-deployment
C.kubectl rollout revert deployment my-deployment
D.kubectl rollout history deployment my-deployment
AnswerA

Correct command.

Why this answer

Option A is correct: 'kubectl rollout undo deployment my-deployment'. Option B rolls forward? Option C is not valid. Option D is for history.

99
MCQhard

You need to debug a pod that is not responding. Which command attaches an ephemeral debug container to a running pod named 'web-pod'?

A.kubectl debug web-pod --copy-to=debug-pod --image=busybox
B.kubectl debug -it web-pod --image=busybox --target=web-container
C.kubectl attach web-pod
D.kubectl run debug --image=busybox -it
AnswerB

Correct command to add an ephemeral debug container.

Why this answer

Option C is correct: kubectl debug -it web-pod --image=busybox --target=web-container attaches an ephemeral container. Option A runs a standalone Pod. Option B attaches to existing container.

Option D creates a copy of the pod, not an ephemeral container.

100
MCQeasy

What is the purpose of a ResourceQuota in Kubernetes?

A.To set default resource limits for containers that do not specify them.
B.To limit the total amount of resources (CPU, memory, etc.) that can be consumed by all pods in a namespace.
C.To limit the number of nodes in a cluster.
D.To limit the number of replicas in a Deployment.
AnswerB

ResourceQuota enforces aggregate limits on resource usage within a namespace.

Why this answer

A ResourceQuota is a Kubernetes object that enforces aggregate resource consumption limits on a per-namespace basis. It constrains the total CPU, memory, and other resource requests and limits across all pods in that namespace, preventing any single namespace from exhausting cluster resources. Option B correctly identifies this namespace-level resource cap.

Exam trap

The trap here is confusing ResourceQuota (namespace-wide resource cap) with LimitRange (per-container default limits), as both deal with resource constraints but at different scopes and with different enforcement mechanisms.

How to eliminate wrong answers

Option A is wrong because setting default resource limits for containers is the purpose of a LimitRange, not a ResourceQuota; a LimitRange applies default requests/limits per container, while a ResourceQuota caps total namespace usage. Option C is wrong because the number of nodes in a cluster is managed by cluster autoscalers or cloud provider configurations, not by a ResourceQuota, which operates only within a namespace. Option D is wrong because limiting replicas in a Deployment is done via the Deployment's spec.replicas field or a HorizontalPodAutoscaler, not by a ResourceQuota, which does not control replica counts directly.

101
MCQeasy

During a rolling update, you want to ensure that at most 2 pods are unavailable at any time. Which field should you set in the Deployment spec?

A.spec.strategy.type: Recreate
B.spec.replicas: 2
C.spec.strategy.rollingUpdate.maxSurge: 2
D.spec.strategy.rollingUpdate.maxUnavailable: 2
AnswerD

maxUnavailable controls the maximum number of pods that can be unavailable during the update.

Why this answer

maxUnavailable defines the maximum number of pods that can be unavailable during a rolling update. Setting it to 2 ensures at most 2 pods are unavailable at any time.

102
MCQmedium

You need to grant a ServiceAccount 'my-sa' read-only access to pods in the 'test' namespace. Which RBAC YAML should you create?

A.kind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: pod-reader\nrules:\n- apiGroups: [""]\n resources: ["pods"]\n verbs: ["get", "list", "watch"]\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: read-pods\nsubjects:\n- kind: ServiceAccount\n name: my-sa\n namespace: test\nroleRef:\n kind: ClusterRole\n name: pod-reader\n apiGroup: rbac.authorization.k8s.io
B.kind: Role\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n namespace: test\n name: pod-reader\nrules:\n- apiGroups: [""]\n resources: ["pods"]\n verbs: ["get", "list", "watch"]\n---\nkind: RoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n namespace: test\n name: read-pods\nsubjects:\n- kind: ServiceAccount\n name: my-sa\n namespace: test\nroleRef:\n kind: Role\n name: pod-reader\n apiGroup: rbac.authorization.k8s.io
C.kind: Role\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n namespace: test\n name: pod-reader\nrules:\n- apiGroups: [""]\n resources: ["pods"]\n verbs: ["create", "delete"]
D.kind: Role\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: pod-reader\n namespace: default\nrules: ...\n---\nkind: RoleBinding ...
AnswerB

Correct Role and RoleBinding in the same namespace.

Why this answer

Option B is correct because it creates a Role in the 'test' namespace with read-only verbs ('get', 'list', 'watch') on pods, and binds that Role to the ServiceAccount 'my-sa' in the same namespace via a RoleBinding. This grants the ServiceAccount scoped, namespace-level read-only access to pods, which matches the requirement precisely.

Exam trap

CNCF often tests the distinction between Role and ClusterRole, and between RoleBinding and ClusterRoleBinding, to see if candidates understand that namespace-scoped access requires a Role and RoleBinding, not a ClusterRole and ClusterRoleBinding, even when the permissions are identical.

How to eliminate wrong answers

Option A is wrong because it uses a ClusterRole and ClusterRoleBinding, which grant cluster-wide access; the requirement is for read-only access only in the 'test' namespace, so a namespace-scoped Role and RoleBinding are appropriate. Option C is wrong because it defines a Role with 'create' and 'delete' verbs, which are write operations, not read-only; it also lacks a RoleBinding to actually bind the Role to the ServiceAccount. Option D is wrong because the Role is created in the 'default' namespace, not the 'test' namespace, so it would not grant access to pods in the 'test' namespace.

103
MCQmedium

A pod named 'test-pod' in namespace 'test' has a service account 'my-sa' attached. The service account has a RoleBinding to a Role that allows get/list pods. However, the pod cannot list pods. What is the most likely issue?

A.The pod is using the default service account instead of 'my-sa'
B.The RoleBinding is in a different namespace than the pod
C.RoleBindings cannot grant access to list pods
D.The pod has automountServiceAccountToken set to false
AnswerB

RoleBindings are namespace-scoped. The RoleBinding must be in the same namespace as the pod and service account.

Why this answer

RoleBindings in Kubernetes are namespace-scoped and can only grant permissions within the namespace where they are created. If the RoleBinding is in a different namespace than the pod, the service account 'my-sa' will not have the get/list pods permissions in the pod's namespace, causing the pod to fail when trying to list pods.

Exam trap

CNCF often tests the namespace-scoping of RoleBindings versus ClusterRoleBindings, tricking candidates into thinking a RoleBinding in any namespace can grant permissions to a pod in another namespace.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the pod has service account 'my-sa' attached, so it is not using the default service account. Option C is wrong because RoleBindings can grant access to list pods via a Role that includes the 'list' verb on 'pods' resources; this is a standard RBAC capability. Option D is wrong because automountServiceAccountToken set to false would prevent the pod from mounting the service account token, but the pod would then have no credentials at all, not just fail to list pods; the question states the pod cannot list pods specifically, implying it has some token but lacks the correct permissions.

104
MCQeasy

A developer wants to deploy a stateless application as a set of identical pods. They need the pods to be distributed across nodes and have stable network identities. Which resource should they use?

A.Job
B.Deployment
C.DaemonSet
D.StatefulSet
AnswerB

Deployments manage stateless pods with rolling updates and scale.

Why this answer

A Deployment is the correct choice for a stateless application that needs identical pods distributed across nodes. It manages a ReplicaSet to ensure the desired number of replicas, supports rolling updates, and provides stable network identities via a headless Service or a regular Service, but the pods themselves do not require stable identities—only the Service provides a stable endpoint. For stateless workloads, Deployments are the standard resource.

Exam trap

The trap here is that candidates confuse 'stable network identities' with the need for a StatefulSet, but for stateless applications, a Deployment combined with a regular Service provides stable endpoints via the Service, not per-pod identities, making Deployment the correct choice.

How to eliminate wrong answers

Option A is wrong because a Job is designed for batch processing or one-time tasks, not for running a continuously serving stateless application with multiple identical pods. Option C is wrong because a DaemonSet ensures exactly one pod per node, which is used for node-level services (e.g., logging, monitoring) and does not distribute pods arbitrarily across nodes for scaling. Option D is wrong because a StatefulSet is intended for stateful applications requiring stable, unique network identities and persistent storage, which is unnecessary for a stateless application.

105
MCQeasy

A developer needs to view the logs of a pod named 'web-app-84b7f6f5b6-abcde' that crashed and has been restarted. Which kubectl command should they use to see the logs from the previous (crashed) instance?

A.kubectl logs web-app-84b7f6f5b6-abcde
B.kubectl logs --all-containers web-app-84b7f6f5b6-abcde
C.kubectl logs --previous web-app-84b7f6f5b6-abcde
D.kubectl logs -f web-app-84b7f6f5b6-abcde
AnswerC

The --previous flag retrieves logs from the previous instance of the container.

Why this answer

Option C is correct. The --previous flag in 'kubectl logs' shows logs from the previous instance of a container, which is useful for debugging crashes. Option A shows current logs only.

Option B tails logs but only current. Option D shows logs for all containers, but not the previous instance.

106
MCQmedium

Which command outputs the pod's full YAML specification including status?

A.kubectl describe pod <pod-name>
B.kubectl get pod <pod-name> --export
C.kubectl get pod <pod-name> -o json
D.kubectl get pod <pod-name> -o yaml
AnswerD

This outputs the pod's full YAML manifest including status.

Why this answer

kubectl get pod <pod-name> -o yaml outputs the complete YAML. Option A is correct.

107
MCQmedium

A developer needs to expose a deployment named 'web-app' running on port 8080 to external traffic. The cluster is on-premises with no cloud load balancer. Which service type should be used?

A.ExternalName
B.ClusterIP
C.LoadBalancer
D.NodePort
AnswerD

NodePort exposes a port on each node's IP address for external access.

Why this answer

Option D (NodePort) is correct because it exposes a service on a static port on each node's IP address, allowing external traffic to reach the 'web-app' deployment on port 8080 without requiring a cloud load balancer. In on-premises clusters, NodePort is the standard service type for external access when no cloud LB is available, as it opens a high-port (30000-32767) on every node that forwards traffic to the ClusterIP service.

Exam trap

The trap here is that candidates may choose LoadBalancer (C) by default when they see 'expose to external traffic,' forgetting that LoadBalancer requires a cloud provider's external LB, which is not available in on-premises clusters.

How to eliminate wrong answers

Option A is wrong because ExternalName maps a service to an external DNS name (e.g., an external database) via CNAME records, not to expose internal pods to external traffic. Option B is wrong because ClusterIP exposes the service only on a cluster-internal IP, making it unreachable from outside the cluster without additional components like an ingress or proxy. Option C is wrong because LoadBalancer provisions an external load balancer (e.g., AWS ELB, GCP LB), which is unavailable in on-premises environments without a cloud provider integration.

108
MCQmedium

You have an Ingress that should route requests to 'api.example.com' to a service named 'api-svc' on port 80, and requests to 'www.example.com' to 'web-svc' on port 80. Which host-based routing rule is correct?

A.spec: rules: - http: paths: - host: api.example.com backend: service: name: api-svc port: number: 80 - host: www.example.com backend: service: name: web-svc port: number: 80
B.spec: rules: - host: api.example.com http: paths: - backend: service: name: api-svc port: number: 80 - host: www.example.com http: paths: - backend: service: name: web-svc port: number: 80
C.spec: rules: - host: api.example.com - backend: service: name: api-svc port: number: 80 - host: www.example.com - backend: service: name: web-svc port: number: 80
D.spec: rules: - host: api.example.com http: paths: - backend: serviceName: api-svc servicePort: 80 - host: www.example.com http: paths: - backend: serviceName: web-svc servicePort: 80
AnswerB

Correct host-based routing with multiple rules.

Why this answer

The Ingress spec uses the 'host' field under rules to specify host-based routing.

109
MCQmedium

A StatefulSet named 'web' is created with 3 replicas. What is the DNS name for the second pod (index 1)?

A.web-1.web.default.svc.cluster.local
B.web-2.web.default.svc.cluster.local
C.web.default.svc.cluster.local
D.web-1.default.svc.cluster.local
AnswerA

Correct. Pod name web-1, service web, namespace default.

Why this answer

For StatefulSets, pod DNS names follow the format <pod-name>.<service-name>.<namespace>.svc.cluster.local, where pod names are <statefulset-name>-<ordinal>. Here, the second pod is web-1. The headless service (assuming a service named 'web') provides DNS.

Option C is correct. Option A is incorrect because the pod name is missing. Option B has wrong ordinal.

Option D has wrong format (no pod name prefix).

110
MCQhard

You want to enforce a Pod Security Standard of 'restricted' in a namespace. Which command applies the correct label?

A.kubectl label namespace my-ns psp=restricted
B.kubectl label namespace my-ns pod-security.kubernetes.io/enforce=restricted
C.kubectl annotate namespace my-ns pod-security.kubernetes.io/enforce=restricted
D.kubectl label namespace my-ns pod-security.kubernetes.io/audit=restricted
AnswerB

Correct.

Why this answer

Option B is correct because Pod Security Standards are enforced by applying a label with the key `pod-security.kubernetes.io/enforce` to a namespace. The value `restricted` sets the most restrictive Pod Security Standard, which prevents pods from running with privileged access or insecure capabilities. This label is part of the built-in Pod Security Admission (PSA) controller, which replaced PodSecurityPolicy in Kubernetes v1.23+.

Exam trap

The trap here is that candidates confuse the deprecated PodSecurityPolicy (PSP) label key `psp` with the correct Pod Security Admission label key `pod-security.kubernetes.io/enforce`, or they mistakenly use `annotate` instead of `label` because both commands can attach metadata to resources.

How to eliminate wrong answers

Option A is wrong because the label key `psp` is not a valid Pod Security Standard label; it references the deprecated PodSecurityPolicy (PSP) feature, which is removed in Kubernetes v1.25. Option C is wrong because `kubectl annotate` adds an annotation, not a label, and Pod Security Standards are enforced via labels, not annotations. Option D is wrong because the label key `pod-security.kubernetes.io/audit` sets the audit level, which only logs violations without blocking them; the enforce level requires the key `pod-security.kubernetes.io/enforce`.

111
MCQhard

A CronJob is configured with 'concurrencyPolicy: Forbid'. If a job from the previous schedule is still running when the next scheduled time arrives, what happens?

A.The CronJob is suspended
B.The new job starts immediately, and the old job is terminated
C.The new job is skipped until the old job completes
D.Both jobs run concurrently
AnswerC

Forbid skips the new run if a job is still running.

Why this answer

Forbid prevents concurrent runs; the next job is skipped if the previous one is still running.

112
MCQmedium

You want to restrict total memory usage in a namespace to 10 Gi. Which resource should you create?

A.ResourceQuota
B.PodDisruptionBudget
C.LimitRange
D.NetworkPolicy
AnswerA

ResourceQuota can limit total memory across all pods in a namespace.

Why this answer

A ResourceQuota is the correct Kubernetes object to enforce aggregate resource consumption limits at the namespace level. By defining a ResourceQuota with `spec.hard.memory: 10Gi`, you restrict the total memory requested and used by all pods in that namespace to 10 GiB. This directly meets the requirement to limit total memory usage.

Exam trap

CNCF often tests the distinction between per-container limits (LimitRange) and aggregate namespace limits (ResourceQuota), leading candidates to mistakenly choose LimitRange when the question explicitly asks for total namespace-wide restrictions.

How to eliminate wrong answers

Option B is wrong because a PodDisruptionBudget (PDB) controls the minimum number of available pods during voluntary disruptions (e.g., node drains), not resource usage limits. Option C is wrong because a LimitRange sets per-container default and minimum/maximum resource constraints, not an aggregate namespace-wide limit. Option D is wrong because a NetworkPolicy governs ingress/egress traffic rules using labels and CIDR blocks, not memory or CPU restrictions.

113
MCQhard

An Ingress has two rules: - host: app.example.com, path: /api -> service-a:80 - host: api.example.com, path: / -> service-b:80 A request to `app.example.com/api/v1` reaches which service?

A.Both services
B.Neither service
C.service-a
D.service-b
AnswerC

The path /api matches /api/v1.

Why this answer

The path prefix `/api` matches the start of `/api/v1`, so the request goes to service-a.

114
Multi-Selecthard

Which THREE of the following are valid fields in a CronJob specification?

Select 3 answers
A.completions
B.successfulJobsHistoryLimit
C.concurrencyPolicy
D.schedule
E.parallelism
AnswersB, C, D

successfulJobsHistoryLimit limits how many successful finished jobs are retained.

Why this answer

schedule, concurrencyPolicy, and successfulJobsHistoryLimit are fields in a CronJob spec. completions is a field in Job spec, not directly in CronJob.

115
Multi-Selectmedium

Which TWO statements about init containers are true?

Select 2 answers
A.Init containers run to completion before any regular containers start.
B.Init containers run in parallel with regular containers.
C.Init containers run sequentially, one after another.
D.Init containers must use the same image as the main container.
E.Init containers cannot access volumes shared with regular containers.
AnswersA, C

All init containers must complete successfully before regular containers are started.

Why this answer

Options A and D are correct. Init containers run sequentially (each must complete before the next starts). They run before any regular containers in the pod.

Init containers can have different restart policies than regular containers (they always restart until completion). They share the same volumes as regular containers. Init containers are not separate pods.

116
MCQhard

You are asked to ensure that a pod with a slow-starting container (requires 60 seconds to initialize) is not prematurely restarted by the liveness probe. The liveness probe should start only after the container is fully initialized. Which probe type should you add to the pod spec?

A.startupProbe
B.readinessProbe
C.livenessProbe with initialDelaySeconds=60
D.lifecycle preStop hook
AnswerA

Startup probes are specifically for slow-starting containers. They delay liveness probes until the startup probe succeeds.

Why this answer

A startupProbe is specifically designed for slow-starting containers. It runs at pod startup and only after it succeeds does the liveness probe begin. This prevents the liveness probe from restarting the container during its 60-second initialization period, as the startupProbe will keep failing until the container is fully ready.

Exam trap

CNCF often tests the misconception that initialDelaySeconds on a liveness probe is sufficient for slow-starting containers, but the trap is that initialDelaySeconds is a fixed delay that does not account for variable startup times, whereas a startupProbe dynamically waits until the container is actually ready.

How to eliminate wrong answers

Option B is wrong because a readinessProbe controls whether the pod receives traffic, not whether the container is restarted; it does not prevent the liveness probe from killing the container during initialization. Option C is wrong because initialDelaySeconds only delays the first liveness probe check by 60 seconds, but if the container takes exactly 60 seconds to initialize and the probe fires immediately after, a single slow response could still trigger a restart; moreover, initialDelaySeconds is a static delay and does not adapt to variable startup times. Option D is wrong because a lifecycle preStop hook runs before a container is terminated, not at startup, and has no effect on preventing premature restarts during initialization.

117
MCQmedium

A developer runs 'kubectl run mypod --image=nginx --restart=Never' and the pod is created. However, when the container exits, the pod terminates. Which restart policy ensures the pod does NOT restart after completion?

A.Always
B.OnFailure
C.AlwaysFail
D.Never
AnswerD

Never ensures the pod is not restarted, and the pod remains in Succeeded/Failed state.

Why this answer

The '--restart=Never' flag sets the restart policy to 'Never', meaning the pod will not be restarted after the container exits.

118
MCQmedium

You create a Service with the following YAML: ``` apiVersion: v1 kind: Service metadata: name: my-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: my-app ``` What is the default Service type?

A.NodePort
B.ClusterIP
C.LoadBalancer
D.ExternalName
AnswerB

Default type.

Why this answer

If no type is specified, the default is ClusterIP.

119
MCQeasy

Which command is used to create a CronJob in Kubernetes that runs a job every 5 minutes?

A.kubectl apply -f cronjob.yaml
B.kubectl run cronjob --image=busybox --schedule="*/5 * * * *" -- /bin/sh -c 'date'
C.kubectl create cronjob hello --image=busybox --schedule="*/5 * * * *" -- /bin/sh -c 'date'
D.kubectl create job hello --image=busybox --schedule="*/5 * * * *" -- /bin/sh -c 'date'
AnswerC

Correct: kubectl create cronjob creates a CronJob resource with the specified schedule.

Why this answer

The correct command is 'kubectl create cronjob' because CronJob is a standard Kubernetes resource. The --schedule flag defines the schedule.

120
Multi-Selecteasy

A developer is creating a Deployment with 4 replicas. The application requires a rolling update with zero downtime. Which TWO strategies ensure zero downtime during an update?

Select 2 answers
A.Set maxSurge=1
B.Set maxUnavailable=1
C.Use Recreate strategy
D.Set maxUnavailable=0
E.Set maxSurge=0
AnswersA, D

Allows one extra pod to be created first.

Why this answer

Option A is correct because setting maxSurge=1 allows Kubernetes to spin up one new Pod before terminating any old Pod during a rolling update. This ensures that the total number of available Pods never drops below the desired replica count, maintaining service capacity and achieving zero downtime.

Exam trap

The trap here is that candidates often confuse maxSurge and maxUnavailable, thinking that allowing one Pod to be unavailable (maxUnavailable=1) is safe, but in a strict zero-downtime requirement, even a single unavailable Pod can cause capacity loss if the application cannot tolerate reduced replicas.

121
MCQmedium

A Deployment is configured with strategy type 'Recreate'. What happens during an update to the pod template?

A.Old pods are terminated and then new pods are created
B.New pods are created before old ones are terminated
C.Pods are updated in place
D.The update is paused until manual approval
AnswerA

That is the Recreate strategy.

Why this answer

The Recreate strategy first terminates all existing pods, then creates new pods. This ensures that only one version is running at a time, but causes downtime.

122
MCQeasy

You need to perform a rolling update of a Deployment named 'web-app' with a new image version. Which command should you use?

A.kubectl edit deployment web-app
B.kubectl replace -f web-app.yaml
C.kubectl set image deployment/web-app app=nginx:1.21
D.kubectl rollout restart deployment/web-app
AnswerC

This command updates the container image directly.

Why this answer

The 'kubectl set image' command updates the image of a Deployment's containers. Option A is correct.

123
MCQmedium

An admin wants to expose a Service only for internal cluster communication, without external access. Which Service type should they use?

A.ExternalName
B.NodePort
C.LoadBalancer
D.ClusterIP
AnswerD

ClusterIP is internal-only.

Why this answer

ClusterIP is the default Service type, accessible only within the cluster.

124
Multi-Selectmedium

Which two fields can be used in a SecurityContext to control a container's access to the host filesystem? (Choose two.)

Select 2 answers
A.runAsUser
B.capabilities
C.readOnlyRootFilesystem
D.allowPrivilegeEscalation
E.runAsGroup
AnswersC, D

When set to true, the container's root filesystem is read-only, preventing writes.

Why this answer

Option C is correct because setting `readOnlyRootFilesystem: true` in a container's SecurityContext mounts the container's root filesystem as read-only, preventing any writes to the host filesystem through the container's root. This directly controls access to the host filesystem by blocking modifications. Option D is correct because `allowPrivilegeEscalation: false` prevents a process from gaining more privileges than its parent, which restricts the ability to perform privileged operations that could access the host filesystem, such as mounting or modifying host paths.

Exam trap

CNCF often tests the distinction between fields that control user identity (runAsUser, runAsGroup) versus fields that directly restrict filesystem access or privilege escalation, leading candidates to mistakenly select identity fields as filesystem access controls.

125
MCQmedium

You need to run a one-time batch job that processes 10 work items in parallel, with a maximum of 3 pods running at the same time. Which Job YAML fields should you set?

A.spec.template.spec.containers and spec.completions
B.spec.parallelism: 10 and spec.completions: 3
C.spec.parallelism: 3 and spec.completions: 10
D.spec.backoffLimit: 3 and spec.completions: 10
AnswerC

parallelism limits concurrent pods, completions defines total successful runs.

Why this answer

The .spec.parallelism field sets the maximum number of pods running concurrently, and .spec.completions sets the total number of successful completions required.

126
MCQmedium

You want to ensure your containerized application handles SIGTERM gracefully and shuts down within 30 seconds. Which field should you set in the Pod spec?

A.terminationPeriodSeconds
B.terminationGracePeriodSeconds
C.shutdownTimeoutSeconds
D.gracefulShutdownPeriod
AnswerB

Defines the time given for graceful shutdown after SIGTERM.

Why this answer

Option B is correct because `terminationGracePeriodSeconds` is the Pod spec field that controls the duration Kubernetes waits between sending a SIGTERM signal to the container and forcibly killing it with SIGKILL. Setting this to 30 seconds ensures the application has up to 30 seconds to perform cleanup and shut down gracefully after receiving SIGTERM.

Exam trap

The trap here is that candidates confuse the generic concept of a 'grace period' with the exact Kubernetes field name, often picking a plausible-sounding but non-existent field like `shutdownTimeoutSeconds` or `gracefulShutdownPeriod` instead of the precise `terminationGracePeriodSeconds`.

How to eliminate wrong answers

Option A is wrong because `terminationPeriodSeconds` is not a valid Kubernetes field; the correct field name is `terminationGracePeriodSeconds`. Option C is wrong because `shutdownTimeoutSeconds` is not a Kubernetes Pod spec field; it does not exist in the API. Option D is wrong because `gracefulShutdownPeriod` is not a Kubernetes Pod spec field; it is a generic term that might be used in other orchestrators or application configurations, but not in Kubernetes.

127
MCQmedium

You have a Helm release named 'my-app' that you want to revert to revision 3. Which command accomplishes this?

A.helm undo my-app --revision 3
B.helm rollback my-app 3
C.helm revert my-app 3
D.helm upgrade my-app --revision 3
AnswerB

This rolls back the release to revision 3.

Why this answer

The correct command is 'helm rollback my-app 3'.

128
MCQhard

An admin creates a Service without a selector. Which of the following is true about such a Service?

A.The Service will use the default ClusterIP and route to all pods in the cluster.
B.The Service will automatically route traffic to all pods in the namespace.
C.The admin must manually create an Endpoints object with the desired IPs.
D.The Service will not have any endpoints until a selector is added.
AnswerC

Manual Endpoints are required for selectorless Services.

Why this answer

A selectorless Service does not automatically create endpoints; the admin must manually create an Endpoints resource to route traffic.

129
MCQmedium

You want to create a Deployment that runs 5 replicas of a web application. Which kubectl command should you use?

A.kubectl run webapp --image=nginx --replicas=5
B.kubectl create pod webapp --image=nginx --replicas=5
C.kubectl apply -f deployment.yaml
D.kubectl create deployment webapp --image=nginx --replicas=5
AnswerD

This command creates a Deployment with 5 replicas.

Why this answer

The command 'kubectl create deployment' creates a Deployment with the specified number of replicas.

130
Multi-Selecthard

Which THREE statements about NetworkPolicy are correct? (Select 3)

Select 3 answers
A.NetworkPolicy follows an allow-list model; if no policy matches, traffic is denied.
B.NetworkPolicy can block traffic to specific external IP addresses using ipBlock.
C.NetworkPolicy can use namespaceSelector to allow traffic from all pods in a namespace.
D.NetworkPolicy is a cluster-scoped resource.
E.NetworkPolicy can restrict egress traffic from pods.
AnswersA, C, E

The default behavior is deny if any policy selects the pod; otherwise, traffic is allowed. But with policies, it's allow-list.

Why this answer

Options A, C, and E are correct. NetworkPolicy can allow traffic from specific namespaces, it can restrict egress, and it is an allow-list model (default deny, then allow). Option B is false because NetworkPolicy is namespace-scoped.

Option D is false because NetworkPolicy cannot block traffic to external IPs directly; it can only control traffic to/from pods.

131
MCQeasy

What is the default Service type when creating a Service via 'kubectl create service' or YAML without specifying type?

A.NodePort
B.ExternalName
C.LoadBalancer
D.ClusterIP
AnswerD

Correct. ClusterIP is the default.

Why this answer

The default Service type is ClusterIP. Option A is correct. NodePort, LoadBalancer, and ExternalName require explicit specification.

132
MCQhard

You have a multi-stage Docker build. The first stage compiles a binary, and the second stage copies the binary from the first stage. What is the correct COPY syntax to copy a file named 'app' from the first stage named 'builder'?

A.COPY app /app/
B.COPY --from=builder app /app/
C.COPY --stage=builder app /app/
D.COPY source=builder app /app/
AnswerB

--from=builder specifies the source stage.

Why this answer

The COPY --from=builder syntax copies files from a previous build stage.

133
MCQmedium

You have a Deployment running a web application that takes 60 seconds to start up. You need to configure probes so that Kubernetes waits for the application to fully start before checking its health and directing traffic to it. Which combination of probes should you use?

A.Liveness probe with initialDelaySeconds=10 and readiness probe without delay
B.Readiness probe with initialDelaySeconds=60 only
C.Liveness probe with initialDelaySeconds=60 and readiness probe with initialDelaySeconds=60
D.Startup probe with failureThreshold=30 and periodSeconds=2, plus liveness and readiness probes
AnswerD

The startup probe gives the container up to 60 seconds to start (30×2s), after which liveness and readiness probes take over.

Why this answer

Option D is correct because a startup probe with a low failureThreshold and periodSeconds allows Kubernetes to wait up to 60 seconds (30 failures × 2 seconds) for the application to start, after which the liveness and readiness probes begin. This ensures the liveness probe does not kill the container prematurely during the slow startup, and the readiness probe only directs traffic once the app is fully ready.

Exam trap

The trap here is that candidates often rely solely on initialDelaySeconds for liveness probes, not realizing that a startup probe provides a more robust mechanism for slow-starting containers by decoupling the startup grace period from the regular health-check cycle.

How to eliminate wrong answers

Option A is wrong because a liveness probe with initialDelaySeconds=10 would start checking health after only 10 seconds, likely killing the container before the 60-second startup completes. Option B is wrong because a readiness probe with initialDelaySeconds=60 alone does not protect against the liveness probe killing the container during startup; the liveness probe would still start immediately and fail. Option C is wrong because setting both liveness and readiness probes with initialDelaySeconds=60 still allows the liveness probe to start after 60 seconds, but if the app takes exactly 60 seconds, the first liveness check might fail and restart the container; a startup probe provides a more flexible grace period.

134
MCQmedium

You have a Deployment named 'frontend' with 4 replicas. You want to perform a rolling update with the following constraints: the number of pods above the desired count should never exceed 1, and the number of unavailable pods should never exceed 0. Which deployment strategy configuration achieves this?

A.strategy: rollingUpdate: {maxSurge: 2, maxUnavailable: 0}
B.strategy: rollingUpdate: {maxSurge: 25%, maxUnavailable: 25%}
C.strategy: rollingUpdate: {maxSurge: 1, maxUnavailable: 0}
D.strategy: type: Recreate
AnswerC

maxSurge=1 allows at most one additional pod above the desired count; maxUnavailable=0 ensures all original pods remain available during the update.

Why this answer

Option B is correct: maxSurge=1 ensures at most one extra pod above the desired count, and maxUnavailable=0 ensures no pods are unavailable during the update. Option A allows up to 25% surge and 25% unavailable. Option C allows up to 2 extra pods.

Option D uses Recreate strategy which is not rolling.

135
MCQhard

You are using Kustomize with the following structure: a base with a Deployment YAML, and an overlay that patches the image tag. The overlay's kustomization.yaml contains: 'patches: - target: kind: Deployment, name: myapp, patch: |- ...'. After running 'kubectl apply -k ./overlay', the Deployment is created but the image tag is not updated. What is the most likely cause?

A.The base Deployment has a different name than 'myapp'
B.The image tag is defined in the base and cannot be overridden
C.You need to run 'kustomize build' first
D.The overlay is not referencing the base correctly
AnswerA

If the base Deployment's name is not 'myapp', the patch target will not match, and the patch will not be applied.

Why this answer

The most common issue is that the patch is not matching the Deployment's name or kind correctly. The target's name must match exactly, or the patch may not be applied. Also, the patch format (strategic merge or JSON patch) must be correct.

But the most likely cause is that the patch is not being applied because the patch target does not match the resource.

136
MCQmedium

During a rolling update of a Deployment with 10 replicas, you set maxSurge to 3 and maxUnavailable to 2. What is the maximum number of pods that can be unavailable during the update?

A.5
B.3
C.2
D.10
AnswerC

Directly from maxUnavailable.

Why this answer

maxUnavailable: 2 means at most 2 pods can be unavailable. Option B is correct.

137
MCQhard

A team is deploying a microservice that requires initialization of a database schema before the main application starts. The init container must run a script that writes to a shared volume. Which configuration correctly ensures the init container completes before the main container runs?

A.Run the script as a sidecar container that shares the volume with the main container.
B.Use a postStart lifecycle hook on the main container to run the script.
C.Define an init container with the script and mount the shared volume to both init and main containers.
D.Add a readiness probe to the main container that checks the shared volume.
AnswerC

Init containers run to completion before app containers start, and shared volumes persist data.

Why this answer

Option C is correct because an init container runs to completion before any main container in the Pod starts, ensuring the database schema script finishes. By mounting the shared volume to both the init container and the main container, the script's output (e.g., schema files) is available to the main application when it launches.

Exam trap

The trap here is that candidates confuse init containers with sidecar containers or lifecycle hooks, not realizing that only init containers guarantee sequential execution before main containers, while sidecars and hooks run concurrently or asynchronously.

How to eliminate wrong answers

Option A is wrong because a sidecar container runs concurrently with the main container, not before it, so the database schema might not be initialized when the main application starts. Option B is wrong because a postStart lifecycle hook runs asynchronously and does not block the main container's entrypoint; the main container could start before the script completes, leading to race conditions. Option D is wrong because a readiness probe only checks if the main container is ready to serve traffic after it has started; it does not guarantee that the schema initialization script has run before the main container begins execution.

138
MCQmedium

A HorizontalPodAutoscaler (HPA) is configured to scale a Deployment based on CPU utilization. The target CPU utilization percentage is set to 80%. The current CPU utilization is 90%. What will the HPA do?

A.Delete the pod with the highest CPU usage
B.Scale up the number of replicas
C.Do nothing because 90% is within acceptable range
D.Scale down the number of replicas
AnswerB

The HPA will scale up to reduce CPU utilization.

Why this answer

The HPA will increase the number of replicas to bring CPU utilization down towards 80%. The exact new replicas depends on the metric, but generally it scales up.

139
MCQhard

A CronJob is configured with concurrencyPolicy: Forbid and schedule: '*/5 * * * *'. The first job takes 7 minutes. What happens when the next scheduled time arrives?

A.The previous job is terminated
B.The new job waits until the previous job completes
C.The new job is skipped
D.A new job is created immediately
AnswerC

Forbid skips the new job if the previous one is still running.

Why this answer

Option B is correct. With concurrencyPolicy: Forbid, if a previous job is still running, the new job is skipped. The first job is still running after 5 minutes, so the second job is skipped.

140
Drag & Dropmedium

Arrange the steps to create a PersistentVolumeClaim and use it in a Pod.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Create PVC first, ensure it's bound, then define Pod with volume referencing PVC.

141
Multi-Selectmedium

Which THREE of the following are valid parameters for a probe?

Select 3 answers
A.maxRetries
B.initialDelaySeconds
C.timeoutSeconds
D.backoffSeconds
E.periodSeconds
AnswersB, C, E

Valid parameter.

Why this answer

initialDelaySeconds, periodSeconds, timeoutSeconds, failureThreshold, successThreshold are all valid probe parameters.

142
MCQeasy

A Service uses a selector to target Pods. After updating the Pod labels, you notice the endpoints list is empty. What is the most likely reason?

A.The Service port was changed
B.The new labels do not match the Service selector
C.The Service type changed to ExternalName
D.The Pods have a different container port
AnswerB

Selector mismatch leads to no endpoints.

Why this answer

A Service uses a label selector to dynamically discover Pods and populate its endpoints. When Pod labels are updated, the selector remains unchanged; if the new labels do not match the selector, the Service cannot find any matching Pods, resulting in an empty endpoints list. This is the most direct and common cause of the issue.

Exam trap

The trap here is that candidates often assume updating Pod labels will automatically update the Service's endpoint list, but they forget that the Service selector must explicitly match the new labels for endpoints to be populated.

How to eliminate wrong answers

Option A is wrong because changing the Service port would affect connectivity but not the endpoints list; endpoints are populated based on label matching, not port values. Option C is wrong because changing the Service type to ExternalName would remove the selector entirely and use a DNS CNAME instead, but the question states the selector is still used and the endpoints list is empty, not that the Service type changed. Option D is wrong because a different container port does not prevent label matching; the Service selector targets Pods by labels, and the container port is only relevant for routing traffic after the Pod is selected.

143
MCQhard

A cluster administrator wants to enforce that no pod in namespace 'prod' uses more than 4Gi of memory. Which Kubernetes resource should be created?

A.PodDisruptionBudget
B.NetworkPolicy
C.LimitRange
D.ResourceQuota
AnswerC

A LimitRange with a max limit can enforce a maximum memory limit per container or pod.

Why this answer

Option C is correct because a LimitRange resource in the 'prod' namespace can set a default memory limit and a maximum memory limit per container or pod, enforcing that no pod exceeds 4Gi of memory. This is the appropriate Kubernetes primitive for per-pod resource constraints within a namespace, as it applies to all pods that do not specify their own limits.

Exam trap

The trap here is confusing ResourceQuota (namespace-level aggregate limits) with LimitRange (per-pod/per-container limits), leading candidates to select D when the question explicitly asks for per-pod enforcement.

How to eliminate wrong answers

Option A is wrong because a PodDisruptionBudget is used to define the minimum number of replicas that must be available during voluntary disruptions (e.g., node drains), not to enforce memory limits. Option B is wrong because a NetworkPolicy controls ingress and egress traffic between pods based on labels and ports, not resource usage. Option D is wrong because a ResourceQuota sets aggregate resource consumption limits for the entire namespace (e.g., total memory across all pods), not per-pod maximums, and cannot prevent a single pod from using more than 4Gi.

144
Multi-Selectmedium

Which TWO of the following are valid types of probes in Kubernetes? (Select 2)

Select 2 answers
A.Readiness probe
B.HTTP probe
C.Liveness probe
D.Exec probe
E.TCP probe
AnswersA, C

Correct: readiness is a probe type.

Why this answer

A is correct because a Readiness probe determines whether a Pod is ready to serve traffic. If the probe fails, the Pod is removed from the Service's endpoints, preventing traffic from being routed to an unready container. This is essential for rolling updates and graceful shutdowns.

Exam trap

The trap here is that candidates confuse the probe types (liveness, readiness, startup) with the handler mechanisms (HTTP, TCP, exec), leading them to select handler names as if they were probe types.

145
MCQmedium

You run 'kubectl port-forward pod/my-pod 8080:80'. What does this command do?

A.Exposes the pod on port 8080 on each node's IP
B.Forwards local port 8080 to port 80 on the pod
C.Forwards local port 8080 to port 80 on the Service
D.Creates a Service that maps port 8080 to port 80 on the pod
AnswerB

Correct.

Why this answer

kubectl port-forward forwards local port 8080 to port 80 on the pod. Option A is correct. Option B is wrong because it forwards to a service.

Option C is wrong because it does not create a service. Option D is wrong because it does not expose on a node port.

146
Multi-Selectmedium

Which THREE of the following are valid fields in a Pod's container spec for resource management? (Choose three.)

Select 3 answers
A.resources.limits.ephemeral-storage
B.resources.requests.cpu
C.resources.limits.memory
D.resources.requests.gpu
E.resources.requests.storage
AnswersA, B, C

Correct: ephemeral-storage is a resource type.

Why this answer

Option A is correct because `ephemeral-storage` is a valid resource type in Kubernetes that can be specified under `resources.limits` to control the maximum temporary storage a container can use, preventing pods from exhausting node storage. This is defined in the Kubernetes resource model and is commonly used for scratch space or logs.

Exam trap

The trap here is that candidates often confuse `resources.requests.storage` with `PersistentVolumeClaim` storage requests, or assume `gpu` is a built-in resource like CPU or memory, when in fact Kubernetes only natively supports CPU and memory as core resources, with extended resources requiring explicit configuration.

147
MCQhard

A pod has an init container that fails. The status shows 'Init:CrashLoopBackOff'. The pod's restartPolicy is 'Always'. What happens to the init container?

A.The pod will be deleted and recreated
B.The main containers will start anyway
C.The init container will restart until it succeeds
D.The init container will not restart because the pod's restartPolicy is Always
AnswerC

Init containers always restart on failure until they succeed.

Why this answer

Option C is correct. Init containers always have restartPolicy=Always regardless of the pod's restartPolicy. They restart until they succeed.

If they fail repeatedly, they enter CrashLoopBackOff.

148
Multi-Selectmedium

Which THREE of the following are benefits of using a ResourceQuota in a namespace? (Select THREE)

Select 3 answers
A.It sets default resource requests and limits for Pods that don't specify them
B.It can enforce that every Pod has resource limits set
C.It restricts which users can create Pods in the namespace
D.It prevents a single namespace from exhausting cluster resources
E.It limits the total amount of CPU and memory that can be consumed by all Pods in the namespace
AnswersB, D, E

ResourceQuota can require that all Pods have limits set by specifying 'limits.cpu' and 'limits.memory' in the quota.

Why this answer

Option B is correct because a ResourceQuota can enforce that every Pod in the namespace has resource limits set by specifying the `limits.cpu` and `limits.memory` fields in the quota's `hard` spec. If a Pod is created without those limits, the API server will reject it, ensuring no Pod runs unbounded. This is distinct from setting default values, which is done by a LimitRange, not a ResourceQuota.

Exam trap

The trap here is that candidates often confuse the purpose of a ResourceQuota with a LimitRange, mistakenly thinking a ResourceQuota sets default resource requests/limits, when in fact that is exclusively a LimitRange feature.

149
MCQhard

An application pod is logging sensitive data (e.g., passwords) to stdout. The security team requires that these logs be redacted before they are stored. Which approach should you recommend?

A.Set the log level to ERROR only to reduce verbosity and avoid logging sensitive data.
B.Add a sidecar container that reads the application's log file, redacts sensitive data, and writes to stdout.
C.Configure a LogCollector DaemonSet to filter logs at the node level.
D.Modify the application code to stop logging sensitive data before redeploying.
AnswerB

Sidecar pattern allows log processing before storage, and is a common pattern in Kubernetes.

Why this answer

Option B is correct because a sidecar container can share the application's log file via an emptyDir volume, read the raw logs, apply redaction logic (e.g., regex replacement of password patterns), and then output the sanitized logs to its own stdout. This approach satisfies the security requirement without modifying the application code or losing log verbosity, and it keeps the redaction logic decoupled from the main container.

Exam trap

CNCF often tests the sidecar pattern as the preferred method for modifying or enriching log output without altering the primary application container, and the trap here is that candidates may incorrectly choose to modify application code (Option D) or rely on node-level filtering (Option C), both of which violate the principle of separation of concerns or introduce latency and security gaps.

How to eliminate wrong answers

Option A is wrong because reducing the log level to ERROR only suppresses lower-severity messages but does not guarantee that sensitive data won't appear in ERROR-level logs; it also discards useful debug/info logs, violating observability best practices. Option C is wrong because a DaemonSet-based LogCollector operates at the node level, reading container stdout/stderr after it has already been written; it cannot intercept and redact logs before they are stored without complex post-processing and potential data leakage in transit. Option D is wrong because modifying application code requires a full development cycle, testing, and redeployment, which is slower and riskier than a sidecar-based solution; the question asks for a recommendation that avoids code changes.

150
Multi-Selectmedium

Which TWO statements about readiness probes are correct? (Choose two.)

Select 2 answers
A.Readiness probes are only used during initial startup
B.Readiness probes run continuously after the container starts
C.Readiness probes can only be of type httpGet
D.Readiness probes restart the container if they fail
E.If a readiness probe fails, the pod is removed from all Service endpoints
AnswersB, E

They run periodically according to the probe configuration.

Why this answer

Option B is correct because readiness probes are designed to run continuously throughout the lifecycle of a container, not just during startup. They are periodically executed by the kubelet to determine whether the container is ready to accept traffic, and their success or failure directly controls the pod's inclusion in Service endpoints.

Exam trap

The trap here is confusing readiness probes with liveness probes, leading candidates to incorrectly think readiness probes restart containers or are only used at startup, when in fact readiness probes manage traffic routing without restarting the pod.

Page 1

Page 2 of 14

Page 3