Which TWO statements about the .dockerignore file are true?
.dockerignore uses glob patterns similar to .gitignore.
Why this answer
.dockerignore excludes files from the build context, reducing build time and preventing secrets from being copied.
991 questions total · 14 pages · All types, answers revealed
A Deployment named 'api' has 6 replicas. You want to perform a rolling update with the following constraints: at most 2 pods can be unavailable during the update, and at most 1 extra pod can be created above the desired 6. Which strategy configurations achieve this? (Choose TWO)
Absolute numbers match constraints.
Why this answer
Option A: maxSurge=1 (one extra pod) and maxUnavailable=2 (two unavailable pods) satisfies both constraints. Option E: maxSurge=1, maxUnavailable=2, expressed as percentages, is the same. Option B has maxUnavailable=1, not 2.
Option C has maxSurge=2. Option D has maxUnavailable=3. So A and E are correct.
Note that A uses absolute numbers while E uses percentages; both are valid.
Which TWO of the following are correct ways to pause a rollout of a Deployment named 'myapp'? (Select TWO)
Correct.
Why this answer
'kubectl rollout pause deployment/myapp' pauses the rollout. 'kubectl set image ... && kubectl rollout pause' pauses after setting the image but before the rollout completes. 'kubectl rollout resume' resumes, not pauses.
You want to perform a canary deployment where 10% of traffic goes to the new version. You have a Deployment 'app-v1' with 10 replicas. You create a second Deployment 'app-v2' with 1 replica and a new Service. What Kubernetes resource is typically used to split traffic between the two Services?
Ingress controllers support canary rules to split traffic.
Why this answer
An Ingress controller (like NGINX or other) with traffic splitting capabilities (e.g., via annotations or canary config) can distribute traffic between services. Alternatively, a Service Mesh like Istio can be used, but Ingress is the most common standard resource.
Which THREE components are required for a basic Ingress to route HTTP traffic to a Service? (Choose three.)
The Ingress forwards traffic to a Service.
Why this answer
A Service of type ClusterIP or NodePort is required because the Ingress resource routes external HTTP traffic to a Service, which then forwards it to the Pods. ClusterIP is the default and most common type for internal cluster routing, while NodePort can also be used but is less typical. Without a Service, the Ingress has no endpoint to direct traffic to.
Exam trap
CNCF often tests the misconception that a Deployment is mandatory for Ingress to work, but the Ingress only requires a Service to route to, and the underlying Pods can be created by any workload resource (e.g., a ReplicaSet or even a standalone Pod).
Which THREE of the following are valid fields in a HorizontalPodAutoscaler (HPA) v2 specification?
Yes, spec.metrics is an array of metric specifications.
Why this answer
In HPA v2 (autoscaling/v2), the spec includes 'metrics', 'behavior', and 'minReplicas'. 'metrics' defines the metrics to scale on, 'behavior' defines scaling policies, and 'minReplicas' sets the minimum number of pods. 'targetCPUUtilizationPercentage' is a deprecated field from v1. 'scaleTargetRef' is also a required field of the spec, but it is not listed among the options.
A Pod needs to communicate with another Pod in the same cluster but in a different namespace. What is the correct DNS name to use?
Standard format for cross-namespace DNS.
Why this answer
Option D is correct because Kubernetes DNS resolves services across namespaces using the format `<service>.<namespace>.svc.cluster.local`. When a Pod in one namespace needs to communicate with a service in another namespace, the fully qualified domain name (FQDN) must include the namespace to disambiguate the service. This is defined by the Kubernetes DNS specification, which appends `svc.cluster.local` as the cluster domain suffix.
Exam trap
The trap here is that candidates often forget the namespace is required for cross-namespace communication and pick Option C, which only works within the same namespace, or confuse the order of service and namespace as in Option A.
How to eliminate wrong answers
Option A is wrong because it reverses the order of service and namespace, which would not resolve to the correct service endpoint. Option B is wrong because it uses `.pod.cluster.local` instead of `.svc.cluster.local`; Pod DNS records use the format `<pod-ip>.<namespace>.pod.cluster.local`, not service names. Option C is wrong because it omits the namespace, which only works when the source and target are in the same namespace; cross-namespace communication requires the namespace qualifier.
A Pod in a namespace with a ResourceQuota fails to create with the error: 'exceeded quota: compute-quota, requested: pods=1, used: pods=5, limited: pods=5'. What is the issue?
Correct: the quota limits pods to 5, and all 5 slots are used.
Why this answer
The error message explicitly states 'requested: pods=1, used: pods=5, limited: pods=5'. This means the ResourceQuota named 'compute-quota' has a hard limit of 5 pods in the namespace, and that limit has already been reached. The Pod creation fails because the quota's `count/pods` scope is exhausted, not because of resource requests or permissions.
Exam trap
CNCF often tests the distinction between count-based quotas (e.g., `count/pods`) and resource-based quotas (e.g., `requests.cpu`), leading candidates to incorrectly assume the error is about resource requests when the message clearly references pod count.
How to eliminate wrong answers
Option A is wrong because a ServiceAccount permission issue would produce a 'Forbidden' or 'Unauthorized' error, not a quota-exceeded error. Option B is wrong because the error message mentions 'pods=1' (count of pods), not CPU or memory resource requests; a resource request exceed would show 'requested: cpu=...' or 'memory=...'. Option D is wrong because a missing Secret would cause a 'MountVolume.SetUp failed' or 'secret not found' error during Pod startup, not a quota-exceeded error at creation time.
During a deployment update, the rollout is stuck and new pods are not becoming ready. The developer checks the events and sees 'Back-off restarting failed container'. What is the most likely cause?
If the command exits, the container crashes, leading to restart back-off.
Why this answer
The 'Back-off restarting failed container' event indicates that the container process exits immediately after starting, causing Kubernetes to repeatedly restart it with increasing back-off delays. This is most commonly caused by a container entrypoint or command that fails at runtime, such as a misconfigured binary, missing dependency, or incorrect startup script. Unlike probe failures, which cause restarts after the container is already running, this error occurs before the container can even become ready.
Exam trap
The trap here is that candidates confuse 'Back-off restarting failed container' with liveness probe failures, but the key distinction is timing: this event occurs immediately at container start, while probe failures happen after the container has been running for some time.
How to eliminate wrong answers
Option A is wrong because a failing liveness probe would cause the container to be restarted after it has started and been running for at least the initialDelaySeconds period, not immediately at startup; the event would typically be 'Liveness probe failed' rather than 'Back-off restarting failed container'. Option C is wrong because a missing image pull secret would result in an 'ImagePullBackOff' or 'ErrImagePull' event, not a back-off restart after the container has started. Option D is wrong because a pod exceeding its memory limit and being OOMKilled would show an 'OOMKilled' reason in the container status and an 'OutOfMemory' event, not a generic back-off restart due to immediate exit.
You need to configure a liveness probe that checks if the container port 8080 is open. Which probe type should you use?
tcpSocket probe succeeds if the TCP handshake completes.
Why this answer
A tcpSocket probe is the correct choice when you need to verify that a container is listening on a specific TCP port, such as port 8080. It works by attempting to open a TCP connection to the specified port; if the connection succeeds, the probe is considered successful. This is ideal for checking basic network-level readiness or liveness without requiring an HTTP endpoint or a custom command.
Exam trap
The trap here is that candidates often choose httpGet because they assume a web server on port 8080, but the question explicitly asks only to check if the port is open, not to validate an HTTP response, making tcpSocket the precise and minimal probe type.
How to eliminate wrong answers
Option B (grpc) is wrong because gRPC probes are used specifically for checking the health of gRPC services using the gRPC health checking protocol, not for verifying that a raw TCP port is open. Option C (exec) is wrong because exec probes run a command inside the container and check its exit code, which is unnecessary overhead when you only need to confirm a port is listening. Option D (httpGet) is wrong because httpGet probes require an HTTP endpoint that returns a valid status code (2xx or 3xx), and they cannot be used to simply check if a TCP port is open without an HTTP server.
You are writing a Dockerfile and want to ensure that the CMD instruction is overridable when running the container, but the ENTRYPOINT should not be easily overridden. Which combination should you use?
ENTRYPOINT defines the main command and is not easily overridden; CMD is omitted so no default arguments.
Why this answer
Option D is correct. ENTRYPOINT sets the executable that cannot be overridden (unless --entrypoint flag is used). CMD provides default arguments that can be overridden by command line arguments.
Option A uses ENTRYPOINT with exec form which is overridable via --entrypoint. Option B uses both as CMD, which is fully overridable. Option C uses ENTRYPOINT with shell form, which is also overridable.
Which THREE are valid types of probes in Kubernetes?
Used for slow-starting containers.
Why this answer
Startup probes are a valid Kubernetes probe type used to determine when a container application has started successfully. They are particularly useful for legacy applications that have slow startup times, as they delay the start of liveness and readiness probes until the startup probe succeeds, preventing premature container restarts.
Exam trap
CNCF often tests the distinction between the three official probe types (liveness, readiness, startup) and common but incorrect terms like 'survival' or 'health', which candidates might confuse due to similar-sounding names or general cloud concepts.
Which TWO statements about init containers are true? (Select 2)
Correct: init containers run one after another.
Why this answer
Options A and D are correct. Init containers run sequentially before app containers, and they must run to completion successfully. Option B is false: init containers do not share filesystems by default; they can share volumes.
Option C is false: init containers cannot have liveness probes. Option E is false: init containers use the same restart policy as the pod, not always Never.
A pod has a readiness probe configured with httpGet on port 8080. The probe is failing, but the pod is running. What is the immediate effect on the pod?
A failing readiness probe marks the pod as not ready, so the service removes it from endpoints.
Why this answer
A failing readiness probe causes the pod to be removed from the Service's endpoints, so it will not receive traffic. The pod continues running and can be restarted by a liveness probe if configured, but readiness only affects traffic routing.
What is the DNS name for a Service named 'backend' in the 'default' namespace?
Correct format: <service>.<namespace>.svc.cluster.local
Why this answer
The DNS name format for a Service is <service-name>.<namespace>.svc.cluster.local. Option A is correct. Option B is missing the namespace.
Option C is incorrect because the suffix is .svc.cluster.local, not .svc.cluster. Option D is incorrect because the namespace comes before 'svc'.
A pod named 'app' has a container that logs to stdout. You want to add a sidecar container that streams these logs to a centralized logging service. Which pattern does this represent?
A sidecar container runs alongside the main container to provide additional functionality like log shipping.
Why this answer
A sidecar container that enhances the primary container (e.g., log shipper) is a classic sidecar pattern.
You have a YAML file for a Job named 'data-processor' with 'spec.backoffLimit: 4'. After 3 retries, one pod fails. How many more retries will Kubernetes attempt on that pod?
backoffLimit counts retries; after 3 retries, one more is allowed before the job fails.
Why this answer
backoffLimit limits the total number of retries across all pods of the Job; it specifies the number of retries before the Job is marked as failed, and the initial attempt is not counted as a retry.
So backoffLimit=4 means up to 4 retries. After 3 retries, one more retry is allowed.
The question says 'after 3 retries', meaning 3 retries have already occurred, so one more is allowed; the options should reflect that.
A developer wants to debug a container that has crashed and is no longer running. Which command allows them to start an ephemeral container in the same pod for debugging?
This creates an ephemeral container in the target pod for debugging.
Why this answer
kubectl debug with the -it flag creates an ephemeral container for debugging. Option A is correct.
You want to perform a canary deployment. You have a Deployment 'app-v1' with 10 replicas. You create a new Deployment 'app-v2' with 1 replica. Both have the label 'app: myapp'. The Service 'myapp-svc' uses selector 'app: myapp'. How do you gradually increase traffic to v2?
This shifts traffic proportionally because both Deployments have the same label.
Why this answer
By increasing the number of replicas in the v2 Deployment, more pods will be available to receive traffic from the Service, as both versions share the same label.
Which kubectl command creates a deployment named 'web' from the image 'nginx:1.25' and exposes it on port 80?
This creates a deployment. To expose it, you would need an additional 'kubectl expose' command.
Why this answer
The 'kubectl create deployment' command creates a deployment; a separate 'kubectl expose' command then creates a Service for it. The question asks for a single command that creates the deployment and exposes it, but among the options the correct one is the command that creates the deployment only.
'kubectl run' with --port looks like a match, but it creates a Pod, not a Deployment. The intended correct answer is therefore 'kubectl create deployment web --image=nginx:1.25', with the exposure done separately via 'kubectl expose'.
Among the given options, the one that creates a deployment is correct.
A pod has a container with envFrom referencing a ConfigMap. The ConfigMap has keys 'APP_DEBUG=true' and 'APP_NAME=myapp'. The pod also has an env entry with name 'APP_DEBUG' set to 'false'. What is the value of APP_DEBUG in the container?
Explicit env entries take precedence over envFrom.
Why this answer
When a pod has both an `envFrom` referencing a ConfigMap and an explicit `env` entry with the same key, the explicit `env` entry takes precedence. This is because Kubernetes merges environment variables from multiple sources, and individual `env` entries override any values from `envFrom` for the same key. Therefore, `APP_DEBUG` will be set to 'false' as defined in the explicit `env` entry.
Exam trap
The trap here is that candidates often assume `envFrom` merges all keys and that explicit `env` entries are additive, but they fail to remember that explicit `env` entries override `envFrom` for duplicate keys, leading them to pick the ConfigMap's value (true) or think both values are concatenated.
How to eliminate wrong answers
Option B is wrong because the environment variable `APP_DEBUG` is defined both via the ConfigMap and the explicit `env` entry, so it is not undefined. Option C is wrong because Kubernetes does not concatenate values for the same key; it applies a precedence rule where the explicit `env` entry overrides the value from `envFrom`. Option D is wrong because the explicit `env` entry with value 'false' overrides the ConfigMap's value of 'true', not the other way around.
You apply a ResourceQuota to a namespace that limits memory requests to 2Gi. You then try to create a pod that requests 3Gi memory. What happens?
The API server validates admission and rejects the request.
Why this answer
When a ResourceQuota is applied to a namespace with a memory request limit of 2Gi, any pod creation that would cause the total memory requests in the namespace to exceed that quota is rejected by the Kubernetes API server. The pod creation fails immediately with an error message indicating the quota would be exceeded, because the admission controller validates the request against the quota before allowing the pod to be scheduled.
Exam trap
The trap here is that candidates may confuse ResourceQuota (which enforces at admission time and rejects the pod) with LimitRange (which sets default requests/limits but does not cap existing requests), or mistakenly think Kubernetes silently adjusts resource requests to fit within quotas.
How to eliminate wrong answers
Option A is wrong because Kubernetes does not create pods with warnings and ignore requests; quota enforcement is strict and fails the creation. Option B is wrong because the memory request is not capped at 2Gi; the pod creation is rejected entirely, not modified. Option D is wrong because the pod is never created, so it cannot be OOMKilled; OOMKilling occurs at runtime if a container exceeds its memory limit, not due to quota enforcement.
A Pod specification includes: securityContext: { seccompProfile: { type: RuntimeDefault } }. What does this configuration do?
RuntimeDefault uses the runtime's default, which is usually a restricted profile.
Why this answer
Setting `seccompProfile.type: RuntimeDefault` in the Pod's securityContext instructs the container runtime (e.g., containerd or CRI-O) to apply its own default seccomp profile to the container. This default profile restricts system calls to a safe subset, blocking dangerous or unnecessary syscalls while allowing common ones required for typical application execution. It is the recommended way to enable seccomp without managing a custom profile.
Exam trap
The trap here is that candidates confuse `RuntimeDefault` with disabling seccomp or allowing all syscalls, when in fact it applies a restrictive, runtime-specific default profile that is neither fully permissive nor custom.
How to eliminate wrong answers
Option A is wrong because `RuntimeDefault` does not disable seccomp; disabling seccomp would require setting the type to `Unconfined` or omitting the seccomp configuration entirely. Option C is wrong because `RuntimeDefault` does not allow all syscalls; it applies a restrictive profile that blocks many syscalls, and allowing all syscalls would be achieved by `Unconfined`. Option D is wrong because using a custom seccomp profile from a file requires setting the type to `Localhost` and specifying a `localhostProfile` path, not `RuntimeDefault`.
A team is deploying a microservice that must be reachable within the cluster via a stable DNS name. They also need to distribute traffic among pods. Which Kubernetes resource provides both service discovery and load balancing?
Service assigns a stable IP and DNS name, and load balances across pods.
Why this answer
A Service in Kubernetes provides a stable DNS name (via cluster DNS, e.g., CoreDNS) that resolves to the Service's ClusterIP, and it load-balances traffic across the pods selected by its label selector using iptables or IPVS rules. This directly fulfills the requirement for both service discovery and load balancing within the cluster.
Exam trap
The trap here is that candidates often confuse Ingress with internal service discovery, but Ingress is designed for external traffic routing and does not provide a stable DNS name for pod-to-pod communication within the cluster.
How to eliminate wrong answers
Option B (ConfigMap) is wrong because it is used to store configuration data as key-value pairs and does not provide any network endpoint or load-balancing functionality. Option C (Secret) is wrong because it stores sensitive data like passwords or tokens and has no role in service discovery or traffic distribution. Option D (Ingress) is wrong because it operates at the HTTP/HTTPS layer to expose services externally (outside the cluster) and does not provide internal DNS-based service discovery or Layer 4 load balancing within the cluster.
Which TWO of the following are valid ways to scale a Deployment named 'my-app' to 5 replicas?
Applying updated YAML scales the deployment.
Why this answer
Option A uses kubectl scale with the --replicas flag to set the count. Option C modifies the deployment YAML and applies it, which is also valid. Option B is a typo: the 'scale' subcommand is missing.
Option D sets a label selector but leaves the replica count unchanged if it is not specified. Option E uses kubectl edit but does not specify the change.
A pod is in Pending state. 'kubectl describe pod' shows '0/1 nodes are available: 1 Insufficient cpu'. Which action would resolve this?
Reducing the request makes the pod schedulable on nodes with less available CPU.
Why this answer
The pod cannot be scheduled because the requested CPU is not available on any node. Reducing the CPU request may allow scheduling.
A user runs: kubectl run my-pod --image=nginx --restart=Never --dry-run=client -o yaml. Which apiVersion is used in the generated YAML?
The command creates a Pod, and Pods are in the core v1 API group.
Why this answer
The 'kubectl run' command without '--restart=Never' defaults to a Deployment (apps/v1), but with '--restart=Never' it creates a standalone Pod (v1).
Which kubectl command can you use to stream the logs from a pod in real-time?
The '-f' flag follows log output in real-time.
Why this answer
The '-f' flag (follow) allows you to stream logs in real-time.
A namespace 'team-a' has a ResourceQuota that sets 'requests.cpu: 4' and 'limits.cpu: 8'. A developer tries to create a pod with 'resources.requests.cpu: 2' and 'resources.limits.cpu: 10'. What happens?
A ResourceQuota enforces that the sum of limits across all pods in the namespace does not exceed 8.
Why this answer
The pod is rejected because the ResourceQuota in namespace 'team-a' sets a hard limit of 8 CPUs for limits.cpu across all pods. The developer's pod specifies a limit of 10 CPUs, which exceeds this quota. Kubernetes enforces ResourceQuota at admission time, so any resource request or limit that violates the quota's constraints will cause the pod creation to be denied.
Exam trap
The trap here is that candidates often assume only the request is checked against the quota, but Kubernetes enforces both requests and limits independently, and a pod with a limit exceeding the quota's limit will be rejected even if the request is within bounds.
How to eliminate wrong answers
Option B is wrong because even though the request (2) is within the quota, the limit (10) exceeds the quota's allowed limit of 8, and Kubernetes checks both requests and limits against the quota. Option C is wrong because Kubernetes does not automatically reduce resource limits to fit within a quota; it rejects the pod instead, as per the admission controller behavior. Option D is wrong because the pod is not created at all due to admission denial, so it cannot be evicted; eviction occurs only after a pod is running and violates a limit range or is under resource pressure.
Match each YAML key in a Deployment manifest to its purpose.
API version of the resource (e.g., apps/v1)
Desired number of pod instances
Labels used to identify pods managed by the deployment
Labels assigned to pods created by the template
Container image to run
Why these pairings
These are critical fields in a Deployment YAML.
You are deploying a microservice that reads from a ConfigMap and a Secret. The application logs show 'Failed to read configuration: missing key' on startup. Which TWO are likely causes?
If the ConfigMap is missing, the pod may fail to mount or the environment variable will be undefined.
Why this answer
Option B is correct because if the ConfigMap does not exist in the namespace, any pod referencing it will fail to start or the application will be unable to read the configuration data. Kubernetes validates ConfigMap existence at pod creation time, and missing ConfigMaps cause the pod to remain in a pending state or the application to log errors like 'missing key' when attempting to access the configuration.
Exam trap
CNCF often tests the misconception that RBAC permissions are required for reading Secrets mounted as volumes, when in fact any pod with a volume mount can read the Secret data directly from the filesystem without API-level authorization.
You have deployed a microservices application in a Kubernetes cluster. One of the services, 'payment-service', needs to be accessed by other services within the cluster via a stable DNS name. You create a Service of type ClusterIP named 'payment' with selector app=payment. However, when you try to curl http://payment from another Pod, the connection times out. You verify that the Pods backing 'payment-service' are running and ready, and the Endpoints object lists the correct Pod IPs. You also confirm that the Pods are listening on port 8080, and the Service defines targetPort: 8080. The cluster uses a standard CNI plugin (Calico) and DNS is provided by CoreDNS. What is the most likely cause of the timeout?
Pods listening on localhost are not reachable from other Pods via service IP.
Why this answer
The most likely cause is that the Pods are listening only on 127.0.0.1 (localhost), which means they only accept connections from within the same Pod. When the Service sends traffic to the Pod via its cluster IP, the connection arrives on the Pod's network interface (e.g., eth0), not on loopback. Since the application is not bound to 0.0.0.0, it rejects or ignores the incoming packets, causing a timeout.
This is a classic misconfiguration where the application's listen address is too restrictive.
Exam trap
The trap here is that candidates often assume DNS or port mismatches are the issue, but the timeout (not 'connection refused' or 'could not resolve') points to the application not accepting traffic on the correct network interface, which is a subtle but critical detail in Kubernetes networking.
How to eliminate wrong answers
Option A is wrong because the user can successfully curl from another Pod, and DNS resolution would fail immediately with a 'could not resolve host' error, not a timeout; the timeout indicates the connection reached the Pod but was not accepted. Option C is wrong because the user verified that the Endpoints object lists correct Pod IPs and the Service defines targetPort: 8080, which matches the containerPort; if they didn't match, the Endpoints would be empty or the connection would be refused on a different port. Option D is wrong because ClusterIP is the correct type for in-cluster access via a stable DNS name; NodePort is for external access and would not fix a connectivity issue caused by the application binding to localhost.
A pod has a startup probe with failureThreshold: 30 and periodSeconds: 10. The application takes up to 5 minutes to start. What should be changed to ensure the startup probe does not kill the container prematurely?
Increasing failureThreshold gives more attempts (40*10=400 seconds), providing a safety margin.
Why this answer
The current probe allows 300 seconds (30 * 10) before the container is marked as failed. The app needs up to 300 seconds (5 minutes), so this is borderline. Increasing failureThreshold gives more tolerance.
Option C is correct.
Which THREE of the following are true about Kubernetes Services? (Select 3)
Default NodePort range is 30000-32767.
Why this answer
ClusterIP is default, Services can have multiple ports, and NodePorts are allocated from a range (default 30000-32767).
A pod is running but not receiving traffic from a Service. The readiness probe is failing. What is the likely effect on the pod?
Readiness probes control whether a pod is included in the Service's load balancing pool. If it fails, the pod is removed from endpoints but continues running.
Why this answer
A readiness probe determines if a pod is ready to receive traffic. If it fails, the pod is removed from the Service endpoints, but it continues running.
Which TWO of the following are correct about the ExternalName Service type?
Correct.
Why this answer
Option A is true: ExternalName maps to an external DNS name. Option D is true: It returns a CNAME record. Option B is false: It does not have selectors or pod endpoints.
Option C is false: It does not provide load balancing. Option E is false: It does not require a cloud provider.
You need to run a batch job that processes a queue and must ensure exactly 5 pods run successfully in parallel. Which Job configuration field should be set?
parallelism controls the maximum number of pods running in parallel.
Why this answer
The 'parallelism' field specifies how many pods can run concurrently. 'completions' is for total successful pod completions.
A StatefulSet named 'mysql' is deployed with 3 replicas. The administrator wants each pod to have a stable network identity. Which service configuration is required?
Headless services provide stable network identities.
Why this answer
StatefulSets require headless services (clusterIP: None) to provide stable DNS names for each pod (e.g., mysql-0.mysql.default.svc.cluster.local).
You have a ConfigMap named 'app-config' with key 'database.url'. Which environment variable definition correctly injects this value into a pod using a configMapKeyRef?
This is the correct YAML structure to reference a specific key from a ConfigMap.
Why this answer
Option D is correct because it uses a `valueFrom` field with a `configMapKeyRef` to inject the value of the key `database.url` from the ConfigMap named `app-config` into the environment variable. The `configMapKeyRef` requires both `name` and `key` fields to specify the ConfigMap and the exact key to extract, and the environment variable name is defined separately (e.g., `- name: DATABASE_URL`). The structure in D correctly places the `valueFrom` block under the container's `env` entry, though the variable name is missing in the snippet; in practice, you must also include `name: DATABASE_URL` above the `valueFrom`.
Exam trap
The trap here is that candidates often confuse `envFrom` with `valueFrom` and `configMapKeyRef`, thinking that `envFrom` can inject a single key, or they mistakenly use `secretKeyRef` for ConfigMaps, failing to recognize that the resource type must match the reference field.
How to eliminate wrong answers
Option A is wrong because it uses `valueFrom` with a `configMapKeyRef` but the syntax is incomplete — it lacks the `- name: DATABASE_URL` line above the `valueFrom` block, which is required to define the environment variable name; however, the core structure is actually correct if the name were present, so this option is not the best answer because the question expects the exact correct snippet. Option B is wrong because `envFrom` with a `configMapRef` injects all keys from the ConfigMap as environment variables, not a single specific key, and it does not allow renaming the variable to `DATABASE_URL`; it would create an environment variable named `database.url`, which is invalid in most shells due to the dot. Option C is wrong because it uses `secretKeyRef` instead of `configMapKeyRef`, which is designed for Secrets, not ConfigMaps; referencing a ConfigMap with `secretKeyRef` will fail because the API expects a Secret resource.
Which TWO commands can be used to list the endpoints of a Service named 'my-svc'?
Shows endpoints in the output.
Why this answer
Endpoints can be viewed with 'kubectl get endpoints my-svc' and with 'kubectl describe svc my-svc', whose output includes an Endpoints line listing the ready Pod IP:port pairs. On current clusters the same data is also published as EndpointSlices: 'kubectl get endpointslices -l kubernetes.io/service-name=my-svc'.
Which Helm command is used to install a chart from a repository?
Installs the chart stable/nginx as a release named myrelease.
Why this answer
`helm install myrelease stable/nginx` installs the chart `stable/nginx` as a release named `myrelease`. Helm 3 syntax is release name first, then the chart reference `<repo>/<chart>`, and the repository must already have been added with `helm repo add`. Option B is correct.
Which TWO of the following are valid parameters for configuring probes in Kubernetes? (Select TWO.)
Valid parameter to delay the first probe.
Why this answer
Option B is correct because `initialDelaySeconds` is a valid field in a Kubernetes probe configuration (liveness, readiness, or startup probe). It specifies the number of seconds to wait after the container starts before initiating the first probe, allowing the application to initialize before being checked.
Exam trap
The trap here is that candidates confuse the naming convention of probe parameters (e.g., `intervalSeconds` vs `periodSeconds`, `retryCount` vs `failureThreshold`) or mistake a top-level probe field like `readinessProbe` for a parameter within the probe configuration.
A pod in a namespace with a ResourceQuota that sets 'requests.cpu: 2' is failing to schedule. The pod manifest specifies 'resources: { requests: { cpu: "500m" } }'. What is the likely cause?
Even though the pod's request is small, the total sum of requests in the namespace may have already reached the quota limit, preventing this pod from being scheduled.
Why this answer
The ResourceQuota caps the sum of CPU requests across all pods in the namespace at 2 cores. The check is performed by the ResourceQuota admission controller when the pod is created, not by the scheduler: if the existing requests plus this pod's 500m would exceed 2, the API server rejects the pod outright (for a Deployment, the rejection appears as a FailedCreate event on the ReplicaSet rather than as a Pending pod). The individual request of 500m is well within the limit; the namespace has simply exhausted its CPU request budget. 'kubectl describe quota -n <namespace>' shows the Used and Hard columns side by side.
Exam trap
The trap here is that candidates assume the pod's individual request must be less than the quota, but they overlook that the quota is a cumulative limit across all pods in the namespace, so even a small request can fail if the namespace is already at capacity.
How to eliminate wrong answers
Option A is wrong because a ResourceQuota constrains exactly the resource names listed under `hard`: `requests.cpu` (or the shorthand `cpu`) counts requests, `limits.cpu` counts limits, and here only `requests.cpu` is set. Option C is wrong because a CPU limit is not required for scheduling; this quota enforces only `requests.cpu`, and the pod can run without a limit. Option D is wrong because the pod's CPU request (500m) is less than the quota (2), so it does not exceed the quota on its own; the failure is due to cumulative usage. One related rule worth remembering: once a quota constrains `requests.cpu`, every pod in the namespace must declare a CPU request (or receive one from a LimitRange), otherwise it is rejected regardless of how much budget is free.
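An added example (not from the original page) of the quota and a pod that satisfies it; the namespace, image and the quota lines other than `requests.cpu` are assumed:

```yaml
# Added example, not from the original page; the namespace, image and the extra
# quota lines beyond requests.cpu are assumed.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "2"       # sum of all Pods' CPU requests in team-a may not exceed 2 cores
    requests.memory: 4Gi
    limits.cpu: "4"         # sum of CPU limits; listing it forces every Pod to set a limit too
    pods: "10"
---
# Admitted only while team-a's summed requests.cpu stays at or below 2 after adding
# this Pod's 500m. The check runs in the API server at creation time, so an
# over-budget Pod is never created at all (a Deployment shows FailedCreate on its
# ReplicaSet instead of a Pending Pod).
apiVersion: v1
kind: Pod
metadata:
  name: worker
  namespace: team-a
spec:
  containers:
  - name: worker
    image: registry.example.com/worker:1.0   # assumed
    resources:
      requests:
        cpu: "500m"       # required once the quota constrains requests.cpu
        memory: 256Mi     # required once the quota constrains requests.memory
      limits:
        cpu: "1"          # required once the quota constrains limits.cpu
        memory: 512Mi
```

`kubectl describe quota compute-quota -n team-a` shows Used against Hard for each constrained resource. A LimitRange in the same namespace can supply default requests and limits so that pods without explicit values are not rejected.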
A developer is writing a Dockerfile and wants to ensure that the container runs a Python script named 'app.py' as its main process. Which instruction should be used?
ENTRYPOINT sets the main command to run python app.py.
Why this answer
ENTRYPOINT sets the executable that always runs when the container starts; CMD only supplies default arguments and is replaced by any arguments passed to `docker run`. Prefer the exec form, `ENTRYPOINT ["python", "app.py"]`, over the shell form `ENTRYPOINT python app.py`: the exec form runs the interpreter directly as PID 1 so it receives SIGTERM on `docker stop` and on Pod termination, whereas the shell form wraps it in `/bin/sh -c`, which does not forward signals, so the process is killed only after the grace period expires.
A NetworkPolicy named 'default-deny-all' is applied to a namespace. It has no rules. Which statement is true?
Default deny all pattern.
Why this answer
Option D is correct, with one caveat worth knowing. A NetworkPolicy with no ingress or egress rules denies whichever traffic types are listed in `policyTypes` for the pods it selects (an empty `podSelector: {}` selects every pod in the namespace). A true deny-all therefore needs `policyTypes: [Ingress, Egress]`: if `policyTypes` is omitted, it defaults to `Ingress` only (plus `Egress` only when an `egress` section is present), so a policy with a completely empty spec denies inbound traffic but leaves outbound traffic open. Option A is wrong because, with both types listed, egress is denied as well.
Option B is wrong because an absent rule list allows nothing; it does not mean "no restriction". Option C is wrong because no traffic is allowed to or from the selected pods beyond what another policy explicitly permits; policies are additive, and enforcement requires a CNI plugin that implements NetworkPolicy.
You are responsible for a multi-tier application running in a Kubernetes cluster. The frontend Pods communicate with backend Pods via a Service named 'backend' in the same namespace. Recently, the frontend team reported that the backend Service is intermittently unreachable. You inspect the backend Pods and notice that they are all running and ready, but the Endpoints object for the 'backend' Service shows only a subset of the Pod IPs. You also notice that the backend Pods have a readiness probe configured that checks an HTTP endpoint '/healthz'. The readiness probe has a periodSeconds of 5 and failureThreshold of 3. The application logs show occasional spikes in response time on the /healthz endpoint, sometimes exceeding 15 seconds. You need to resolve the intermittent unavailability without removing the readiness probe. Which action should you take?
Higher threshold and period allow more tolerance for slow health checks, reducing flapping.
Why this answer
Option D is correct because raising failureThreshold to 10 and periodSeconds to 10 means a Pod is marked unready only after 10 consecutive failed probes, roughly 100 seconds, so a 15-second spike on /healthz (one or two failed probes) no longer removes the Pod IP from the Endpoints object. The Pods stay ready through transient slowness and the Service keeps all of its backends. In practice also look at `timeoutSeconds`: it defaults to 1 second, so any response slower than that counts as a failure regardless of the period, and a modest increase (for example 5 seconds) addresses the slow endpoint more directly than a larger threshold alone.
Exam trap
The trap here is that candidates might think removing the readiness probe (Option A) is a quick fix, but the CKAD exam emphasizes that readiness probes are essential for traffic routing and should be tuned, not removed, to handle transient issues.
How to eliminate wrong answers
Option A is wrong because removing the readiness probe would allow traffic to be sent to Pods that may be unresponsive, causing application errors and defeating the purpose of health checking. Option B is wrong because adding a second readiness probe on a different endpoint does not address the root cause of intermittent slowness on the existing /healthz endpoint; it could even cause more Pods to be marked unready if the new endpoint also experiences delays. Option C is wrong because changing the Service type to NodePort does not bypass endpoint issues; the Endpoints object is still used for routing, and NodePort only exposes the Service externally without fixing the readiness probe logic.
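An added example (not from the original page) covering both the probe-parameter question above and this readiness-tuning scenario: a Deployment whose readiness probe uses the tuned values from Option D plus an explicit timeout, alongside a startup probe and a more lenient liveness probe. The Deployment name, image and port are assumed:

```yaml
# Added example, not from the original page. Image, port and replica count are assumed;
# the readiness values (periodSeconds 10, failureThreshold 10) are those from Option D.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
spec:
  replicas: 3
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
      - name: backend
        image: registry.example.com/backend:1.0
        ports:
        - containerPort: 8080
        startupProbe:            # until this passes, liveness and readiness are not run
          httpGet:
            path: /healthz
            port: 8080
          periodSeconds: 5
          failureThreshold: 30   # up to 150 s for the app to come up
        readinessProbe:          # failing removes the Pod IP from the Service's endpoints
          httpGet:
            path: /healthz
            port: 8080
          periodSeconds: 10
          failureThreshold: 10   # 10 consecutive failures, about 100 s, before unready
          timeoutSeconds: 5      # default is 1 s; a 15 s /healthz still counts as one failure
          successThreshold: 1
        livenessProbe:           # failing restarts the container, so keep it more lenient
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 20
          failureThreshold: 6
          timeoutSeconds: 5
```

Valid probe fields are `initialDelaySeconds`, `periodSeconds`, `timeoutSeconds`, `successThreshold`, `failureThreshold` and `terminationGracePeriodSeconds` (the last one for liveness and startup probes only); `intervalSeconds` and `retryCount` do not exist. Pointing the liveness probe at the same slow endpoint is a known way to turn a latency spike into a restart storm, which is why its thresholds here are looser than the readiness probe's.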
Which THREE statements about Ingress are correct? (Choose three.)
TLS termination is a common use case.
Why this answer
Ingress can do path-based routing and host-based routing. It supports TLS termination. It requires an Ingress controller.
It does not route on port alone; matching is by host and path, and each rule's backend names a Service and a Service port. Ingress also handles only HTTP and HTTPS; arbitrary TCP or UDP exposure needs a Service of type NodePort or LoadBalancer, or controller-specific extensions.
You have a Secret of type kubernetes.io/tls. The pod mounting it as a volume expects the files 'tls.crt' and 'tls.key'. What keys must the Secret data contain?
These are the required data keys for tls secrets.
Why this answer
For a Secret of type `kubernetes.io/tls`, the API server requires the `data` (or `stringData`) map to contain the keys `tls.crt` (the PEM certificate chain) and `tls.key` (the PEM private key); a Secret of this type without both keys is rejected at creation, and `kubectl create secret tls` produces exactly these keys from its `--cert` and `--key` flags. When the Secret is mounted as a volume, each key becomes a file of the same name in the mount path, so the pod sees `tls.crt` and `tls.key`. Additional keys such as `ca.crt` are permitted but not required.
Exam trap
The trap here is that candidates confuse the generic concept of a certificate and key with the exact key names required by the `kubernetes.io/tls` secret type, leading them to choose options like `cert` and `key` or `certificate` and `key` instead of the mandatory `tls.crt` and `tls.key`.
How to eliminate wrong answers
Option A is wrong because `ca.crt` is an optional extra key that tools such as cert-manager and some Ingress controllers read for a CA bundle, but the required keys for the secret type `kubernetes.io/tls` are `tls.crt` and `tls.key`; the pod expects `tls.crt` and `tls.key` files, not `ca.crt`. Option C is wrong because `cert` and `key` are not the key names for a TLS secret; Kubernetes requires `tls.crt` and `tls.key` so that the mounted file names match what TLS-aware consumers expect. Option D is wrong because `certificate` and `key` are generic terms, not the exact key names mandated by the `kubernetes.io/tls` type; the API server rejects a secret of that type that does not contain both `tls.crt` and `tls.key`.
A Pod needs to access an external database at db.example.com:3306. Which Service type allows Pods to resolve a cluster-local name to this external address?
ExternalName returns CNAME to external DNS name.
Why this answer
The ExternalName Service type maps a cluster-local DNS name (e.g., `my-db.default.svc.cluster.local`) to an external DNS name (`db.example.com`) by returning a CNAME record. Pods resolve the service name to the external database without code changes. Because the answer is a CNAME, nothing proxies the traffic: the Pod connects directly to `db.example.com` on whatever port it uses (the Service's `ports` are informational), and a TLS client that verifies the server name must be configured for `db.example.com`, not for the Service name. ExternalName requires a DNS name; to point a Service at a bare IP address, use a Service without a selector plus a manually created Endpoints object.
Exam trap
The trap here is that candidates often confuse ExternalName with ClusterIP, thinking any Service can resolve external names, but only ExternalName provides a CNAME-based DNS alias without proxying traffic.
How to eliminate wrong answers
Option B (LoadBalancer) is wrong because it exposes the Service externally via a cloud provider's load balancer, which is used for external traffic ingress, not for resolving a cluster-local name to an external address. Option C (NodePort) is wrong because it exposes the Service on a static port on each Node's IP, intended for external access, not for DNS-based resolution to an external hostname. Option D (ClusterIP) is wrong because it provides a virtual IP within the cluster for Pod-to-Pod communication, but it cannot resolve to an external DNS name; it only routes traffic to internal endpoints.
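An added example (not from the original page) of the ExternalName Service for this scenario, followed by the selectorless Service plus Endpoints alternative for a database known only by IP. Only `db.example.com:3306` comes from the question; the Service names, namespace and the `203.0.113.10` address are assumed:

```yaml
# Added example, not from the original page. Only db.example.com:3306 comes from the
# question; the Service names, namespace and the 203.0.113.10 address are assumed.
apiVersion: v1
kind: Service
metadata:
  name: my-db
  namespace: default
spec:
  type: ExternalName
  externalName: db.example.com    # must be a DNS name; an IP string is accepted but is
                                  # treated as a hostname and does not resolve usefully
  ports:
  - port: 3306                    # informational: DNS returns a CNAME, nothing proxies,
                                  # the client connects to db.example.com on the port it uses
---
# Alternative when the database is reachable only by IP: a Service with no
# selector plus a hand-written Endpoints object carrying the address.
apiVersion: v1
kind: Service
metadata:
  name: my-db-ip
  namespace: default
spec:
  ports:
  - port: 3306
    targetPort: 3306
---
apiVersion: v1
kind: Endpoints
metadata:
  name: my-db-ip                  # must match the Service name
  namespace: default
subsets:
- addresses:
  - ip: 203.0.113.10              # documentation-range placeholder
  ports:
  - port: 3306
```

With `my-db`, a Pod in `default` can connect to `my-db:3306` and DNS hands back a CNAME for `db.example.com`. With `my-db-ip`, kube-proxy does forward traffic from the ClusterIP to the listed address, so this second form behaves like an ordinary Service and can be restricted with a NetworkPolicy `ipBlock`, whereas an ExternalName Service cannot be selected by a NetworkPolicy at all.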
Which of the following is the correct apiVersion for a CronJob in Kubernetes v1.29?
Correct: CronJob uses batch/v1 since 1.21.
Why this answer
In Kubernetes v1.29, the correct apiVersion for a CronJob is batch/v1, as CronJob has been stable since v1.21. Option D is correct because batch/v1 is the stable API version for CronJob resources in this release.
Exam trap
The trap here is that candidates may remember older Kubernetes versions where CronJob was still in beta (batch/v1beta1) and fail to update their knowledge to the stable batch/v1, or they might confuse the apiVersion format with a non-existent cronjob/v1.
How to eliminate wrong answers
Option A is wrong because v1 is the apiVersion for core resources like Pod, Service, and ConfigMap, not for CronJob which belongs to the batch API group. Option B is wrong because there is no apiVersion format like cronjob/v1; Kubernetes uses group/version format, and CronJob is part of the batch group. Option C is wrong because batch/v1beta1 was deprecated in v1.21 and removed in v1.25; using it in v1.29 would cause an error.
A Pod Security Admission policy is set to 'restricted' for a namespace. Which of the following pod specs is ALLOWED?
Of the options shown, the only one that does not break the restricted profile: runAsNonRoot is mandatory there; readOnlyRootFilesystem is good hygiene but not something the restricted profile checks.
Why this answer
The 'restricted' Pod Security Admission (PSA) level is the most stringent of the three profiles (privileged, baseline, restricted). Option A is the only option that does not violate it: it sets `runAsNonRoot: true`, which restricted requires, and `readOnlyRootFilesystem: true`, which restricted does not check but which is widely recommended. A fully compliant pod needs more than these two fields: restricted also requires `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` (with only `NET_BIND_SERVICE` allowed in `add`), and a `seccompProfile.type` of `RuntimeDefault` or `Localhost`, and it forbids privileged containers, host namespaces and `hostPath` volumes. The other options violate the profile by enabling privileged mode, adding a forbidden capability, or omitting the required security context entirely.
Exam trap
CNCF often tests the misconception that omitting securityContext is acceptable, or that adding a single capability like `NET_ADMIN` is harmless. The restricted profile requires an explicit non-root setting, dropping ALL capabilities (only `NET_BIND_SERVICE` may be added back), no privilege escalation, and a RuntimeDefault or Localhost seccomp profile; `readOnlyRootFilesystem` is not part of the profile, however often it appears in answer keys.
How to eliminate wrong answers
Option B is wrong because restricted requires `capabilities.drop: ["ALL"]` and permits only `NET_BIND_SERVICE` in `add`; `NET_ADMIN` grants network administration rights and is rejected. Option C is wrong because a pod with no securityContext leaves `runAsNonRoot`, `allowPrivilegeEscalation`, `capabilities` and `seccompProfile` unset, so it runs as whatever user the image specifies (root by default) with a writable root filesystem and the default capability set; restricted rejects it for each required field that is missing. Option D is wrong because `privileged: true` is forbidden even at the baseline level; it grants near-unrestricted host access and bypasses the other controls.
Which TWO are valid reasons to use a HorizontalPodAutoscaler (HPA) with a custom metric? (Select two)
Queue length is a common custom metric for scaling.
Why this answer
HPA can scale on custom metrics such as requests per second or queue length, not only on CPU and memory. CPU and memory come from metrics-server through the metrics.k8s.io API; custom metrics are served through custom.metrics.k8s.io (and external.metrics.k8s.io for metrics outside the cluster) by an adapter such as prometheus-adapter, which must be installed for the HPA to read them.
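An added example (not from the original page) of an autoscaling/v2 HPA that combines a CPU target with a per-pod queue-length metric and an Object metric; the Deployment, Ingress and metric names are assumed, and the custom metrics exist only if an adapter exposes them under those names:

```yaml
# Added example, not from the original page. The target Deployment, the Ingress and the
# two custom metric names are assumed; they must be served by a metrics adapter.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: worker
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: worker
  minReplicas: 2
  maxReplicas: 20
  metrics:
  - type: Resource                 # from metrics-server (metrics.k8s.io)
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Pods                     # per-pod custom metric via custom.metrics.k8s.io
    pods:
      metric:
        name: queue_messages_ready   # assumed name, e.g. exported by a queue consumer
      target:
        type: AverageValue
        averageValue: "100"          # scale so each Pod averages 100 ready messages
  - type: Object                   # metric describing another object, not the Pods
    object:
      metric:
        name: requests_per_second    # assumed name, e.g. from the ingress controller
      describedObject:
        apiVersion: networking.k8s.io/v1
        kind: Ingress
        name: web
      target:
        type: Value
        value: "2k"                  # Quantity: 2000 requests per second total
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 min of lower demand before shrinking
```

With several metrics the controller computes a desired replica count for each and applies the largest, so a quiet CPU does not scale a queue-backed worker down while the queue is still deep. `kubectl describe hpa worker` lists each metric's current value and flags an adapter that is not serving a metric.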
Which Service type is used to expose a Service on a static port on each node's IP address, allowing external traffic to reach the Service?
NodePort opens a port on every node for external access.
Why this answer
NodePort exposes the Service on a port on each node's IP address, accessible from outside the cluster.
Which TWO of the following are valid methods to create a Service in Kubernetes? (Select 2)
Applying a YAML manifest creates the Service.
Why this answer
Both `kubectl expose` and creating a YAML manifest are valid methods.
An Ingress resource is configured with TLS. Which field in the Ingress YAML specifies the secret containing the TLS certificate and key?
Correct: secretName specifies the TLS secret.
Why this answer
Option A is correct. The `tls` array in an Ingress spec holds entries with `hosts` and `secretName`; `secretName` references a Secret of type `kubernetes.io/tls` in the same namespace as the Ingress, and the controller terminates TLS for the listed hosts with that certificate and key.
You have a Deployment with pods labeled 'tier: frontend'. You create a Service with selector 'tier: frontend'. However, the Service has no endpoints. What is the MOST likely cause?
You need an exact match for the service to select pods.
Why this answer
Option C is correct. A Service populates its endpoints only from pods whose labels match the selector exactly (every key/value in the selector must be present on the pod), that are in the same namespace, and that are Ready; if nothing matches, the endpoints list is empty. Option A (wrong port) would still show endpoints if pods match; it would produce connection errors instead.
Option B (multiple ports) is not a problem. Option D (namespace mismatch) would give the same symptom, but the question states the Deployment and Service share a namespace. Compare `kubectl get pods --show-labels` with `kubectl describe svc` to catch a mismatch such as a typo in the label value, and check that the pods are Ready, since unready pods are held in `notReadyAddresses` rather than listed as endpoints.
A CronJob must run a task every day at midnight, but if the previous job is still running, the new job should be skipped. Which concurrencyPolicy should be set?
Forbids new jobs if previous is still running, effectively skipping.
Why this answer
Option B is correct: Forbid prevents new jobs from starting if the previous one is still running. Allow allows concurrent runs. Replace replaces the running job.
There is no Skip policy; Forbid is the equivalent, and a run skipped under Forbid is counted as a missed schedule, which matters if `startingDeadlineSeconds` is set.
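An added example (not from the original page) of a complete CronJob for this requirement, which also shows the stable `batch/v1` apiVersion asked about above. The job name, image and the fields beyond `schedule` and `concurrencyPolicy` are assumed:

```yaml
# Added example, not from the original page. Name, image and every field other than
# schedule and concurrencyPolicy are assumed choices.
apiVersion: batch/v1             # stable since v1.21; batch/v1beta1 was removed in v1.25
kind: CronJob
metadata:
  name: nightly-report
spec:
  schedule: "0 0 * * *"          # 00:00 every day
  timeZone: "Etc/UTC"            # stable since v1.27; pins the schedule to one zone
  concurrencyPolicy: Forbid      # skip this run if the previous Job is still running
  startingDeadlineSeconds: 600   # a run that cannot start within 10 min is counted as missed
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      activeDeadlineSeconds: 3600   # kill the Job if it runs longer than an hour
      template:
        spec:
          restartPolicy: OnFailure  # a Job's Pod may not use restartPolicy: Always
          containers:
          - name: report
            image: registry.example.com/report:1.0
            args: ["--date", "yesterday"]
```

`activeDeadlineSeconds` is the companion to `Forbid`: without it a hung job blocks every subsequent midnight run indefinitely, and `kubectl get cronjob nightly-report` only shows the growing gap since LAST SCHEDULE.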
Which TWO approaches can be used to expose a Secret's value as an environment variable in a pod?
Correct use of secretKeyRef.
Why this answer
Option A is correct because the `valueFrom.secretKeyRef` field in a container's `env` definition directly references a specific key from a Kubernetes Secret and injects its value as an environment variable. This is the standard method for exposing a single secret key as an environment variable, as defined in the Kubernetes API.
Exam trap
CNCF often tests the distinction between `secretKeyRef` (for individual keys) and `secretRef` (for all keys via `envFrom`), and the trap here is that candidates may confuse `configMapKeyRef` with `secretKeyRef` or think that `volumeMounts` can expose secrets as environment variables.
You need to view the logs of a container named 'sidecar' in a pod called 'app-pod' running in namespace 'dev'. Which command should you use?
This command is equivalent to option B; it uses the long-form flags and is also correct.
Why this answer
The correct command is 'kubectl logs app-pod -c sidecar -n dev'. The -c flag (long form --container) selects the container when a pod has more than one; without it kubectl refuses and lists the container names, unless the pod carries the `kubectl.kubernetes.io/default-container` annotation. Option A omits the -c flag.
Options C and D use incorrect flags.
An administrator applies the following NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

After applying this policy, which traffic flows are affected?
The policy selects all pods and denies ingress and egress; any traffic not explicitly allowed by other policies is denied.
Why this answer
This policy selects every pod in the namespace (empty podSelector) and lists both Ingress and Egress in policyTypes with no rules, so all inbound and outbound traffic for those pods is denied unless another NetworkPolicy allows it. It does not affect traffic types left out of policyTypes, but here both are listed. Two practical consequences: the pods lose DNS as well, so a companion policy permitting egress to kube-dns on UDP and TCP 53 is almost always needed, and the policy has effect only if the cluster's CNI plugin enforces NetworkPolicy (the API server accepts it either way). Loopback traffic inside a pod is not subject to NetworkPolicy.
A developer wants to mount a ConfigMap as a volume in a Pod so that updates to the ConfigMap are reflected in the Pod without restarting. Which two statements are correct? (Choose two.)
subPath mounts a single file; updates require pod restart.
Why this answer
Option C is correct because with `subPath` the kubelet copies the single file into the container's mount point instead of binding the ConfigMap volume's directory, whose contents are swapped atomically through a `..data` symlink when the ConfigMap changes. The symlink swap never reaches a subPath mount, so the file stays stale until the Pod is restarted or recreated. Two related facts complete the picture: a plain (non-subPath) ConfigMap volume does pick up changes, but only after the kubelet's periodic sync plus its ConfigMap cache TTL (by default on the order of a minute), and values injected as environment variables never update without a restart.
Exam trap
The trap here is that candidates often assume all ConfigMap mounts update automatically, but `subPath` mounts are a critical exception that breaks the automatic update mechanism.
An Ingress resource has the following spec:

spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80

What will the Ingress controller do for a request to http://example.com/api/v1/users?
Prefix match succeeds.
Why this answer
`pathType: Prefix` matches on path elements split by `/`: `/api` matches `/api`, `/api/` and `/api/v1/users`, but not `/apiv2`, so the request is routed to `api-service` on port 80. `pathType: Exact` would match only `/api` itself, and `ImplementationSpecific` leaves the semantics to the controller.
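An added example (not from the original page) that ties together the Ingress, TLS-secret and prefix-routing questions above: a `kubernetes.io/tls` Secret, an Ingress that terminates TLS with it and routes `/api` by prefix, and a Pod that mounts the same Secret as files. The namespace, second Service, `ingressClassName` and image are assumed, and the Secret values are placeholders to be replaced by real base64-encoded PEM:

```yaml
# Added example, not from the original page. Namespace, web-service, ingressClassName
# and the image are assumed; the Secret values are placeholders, not real material.
apiVersion: v1
kind: Secret
metadata:
  name: example-com-tls
  namespace: app
type: kubernetes.io/tls            # the API server rejects this type if either key is missing
data:
  tls.crt: <base64-encoded PEM certificate chain>   # placeholder; or create with
  tls.key: <base64-encoded PEM private key>         # kubectl create secret tls ... --cert --key
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  namespace: app
spec:
  ingressClassName: nginx          # assumed; must name an installed controller
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls    # must live in the Ingress's own namespace
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix           # /api, /api/, /api/v1/users; not /apiv2
        backend:
          service:
            name: api-service
            port:
              number: 80
      - path: /
        pathType: Prefix           # everything else; longest prefix wins
        backend:
          service:
            name: web-service
            port:
              number: 80
---
# The same Secret consumed by a Pod: the files appear as /etc/tls/tls.crt and
# /etc/tls/tls.key, named after the Secret keys.
apiVersion: v1
kind: Pod
metadata:
  name: tls-client
  namespace: app
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # assumed
    volumeMounts:
    - name: tls
      mountPath: /etc/tls
      readOnly: true
  volumes:
  - name: tls
    secret:
      secretName: example-com-tls
      defaultMode: 0440
```

The Ingress alone does nothing: an Ingress controller must be running and selected by `ingressClassName`, and the two Services must exist in `app`. Because the TLS Secret holds a private key, RBAC read access to Secrets in `app` is equivalent to holding the certificate's key.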
Which THREE statements about NetworkPolicy are correct?
Yes, using policyTypes to specify which rules apply.
Why this answer
NetworkPolicy is namespace-scoped, and its `podSelector` can only select pods in its own namespace (peers in other namespaces are reached through `namespaceSelector`). The default is to allow all traffic to and from a pod that no policy selects; once any policy selects a pod for a given direction, only traffic matched by some policy's rules is allowed. An egress rule can restrict outbound traffic to specific IP ranges with `ipBlock` (optionally carving out `except` ranges), as well as to pods and namespaces.
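An added example (not from the original page) that serves the three NetworkPolicy questions above: a deny-all with both policy types, the DNS-egress allowance that a deny-all almost always needs, an ingress rule scoped to a backend, and an `ipBlock` egress rule. The namespace, labels and address ranges are assumed; `k8s-app: kube-dns` is the label used by the upstream CoreDNS manifests:

```yaml
# Added example, not from the original page. Namespace "app", the app labels and the
# 10.20.0.0/24 range are assumed. Policies are additive: each allow rule below
# punches one hole in default-deny-all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app
spec:
  podSelector: {}            # every Pod in the namespace
  policyTypes:
  - Ingress
  - Egress                   # drop this line and only inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress     # without this, Pods under default-deny cannot resolve names
  namespace: app
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system   # label set automatically on namespaces
      podSelector:
        matchLabels:
          k8s-app: kube-dns                          # upstream CoreDNS label
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:           # same namespace only; add namespaceSelector for others
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-egress-to-db
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.20.0.0/24   # database subnet, assumed
        except:
        - 10.20.0.1/32       # e.g. the subnet's gateway
    ports:
    - protocol: TCP
      port: 5432
```

Ingress and egress are evaluated independently on each side of a connection: the frontend pods also need an egress rule permitting them to reach `app: backend` on 8080, otherwise `default-deny-all` drops their outbound packets before the backend's ingress allowance is ever consulted. Verify with a short-lived pod (`kubectl run`) on each side rather than trusting the manifests.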
Sequence the steps to expose a Kubernetes Service using a NodePort for external access.
Why this order
Create the Deployment first, then define a NodePort Service whose selector matches the Deployment's pod labels, apply it, retrieve the allocated node port with `kubectl get svc`, and finally reach the application at any node's IP on that port from outside the cluster.
Which TWO statements about Kubernetes Secrets are correct? (Select 2)
Both methods are supported.
Why this answer
A is correct because Kubernetes Secrets are designed to be consumed by Pods either as files mounted into a volume (via `volumes` and `volumeMounts`) or as environment variables (via `env` or `envFrom`). This flexibility allows applications to access sensitive data like passwords or tokens without hardcoding them into the container image or pod spec.
Exam trap
CNCF often tests the misconception that base64 encoding is encryption, leading candidates to think Secrets are secure by default. Base64 is reversible encoding: anyone with RBAC permission to read the Secret can decode it, and the API server stores it in etcd as-is unless an EncryptionConfiguration for encryption at rest is configured.
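An added example (not from the original page) for this question and the earlier one on exposing a Secret as an environment variable: a Secret written with `stringData`, consumed once via `secretKeyRef` and once as a projected file with a restrictive mode. The names, image and UIDs are assumed and the credential values are constructed samples:

```yaml
# Added example, not from the original page. Names, image and UIDs are assumed; the
# credential values are constructed samples.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
stringData:                   # plain text on input; stored base64-encoded under .data
  username: app
  password: "example-only-password"
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001            # projected files become group-readable by the app's GID
  containers:
  - name: app
    image: registry.example.com/app:1.0   # assumed
    env:
    - name: DB_USER           # environment variable: fixed at container start,
      valueFrom:              # never updated if the Secret changes
        secretKeyRef:
          name: db-creds
          key: username
    volumeMounts:
    - name: creds
      mountPath: /etc/db-creds   # /etc/db-creds/password is refreshed on Secret updates
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: db-creds
      defaultMode: 0440
      items:                  # project only the password; the username is already in env
      - key: password
        path: password
```

`kubectl get secret db-creds -o jsonpath='{.data.password}' | base64 -d` recovers the value for anyone allowed to read the Secret, which is why RBAC on Secrets and encryption at rest matter more than the encoding. Files are preferable to environment variables for anything sensitive: environment variables leak into `kubectl describe`, crash dumps and child processes, and they cannot be rotated without a restart.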
You need to perform a blue-green deployment using Deployments and Services. What is the most common approach to switch traffic from the old version (blue) to the new version (green)?
This is the standard way to switch traffic instantly in a blue-green deployment.
Why this answer
In a blue-green deployment, you have two Deployments (blue and green) and a Service that selects pods by a label. The Service's label selector initially matches the blue pods. To switch traffic to green, you update the Service's selector to match the green pods' labels.
This instantly routes traffic to the green version.
What is the primary purpose of an Init Container in a Pod?
Init containers handle prerequisites before the application starts.
Why this answer
Init containers run to completion before app containers start, used for setup tasks like waiting for dependencies or preparing data.
A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?
OOMKilled indicates the container exceeded its configured memory limit and the kernel killed it (exit code 137). Raising the limit, sized from the container's real peak usage, allows the container the memory it needs and prevents the kill.
Why this answer
Option B is correct. OOMKilled means the container's cgroup hit its memory limit and the kernel OOM killer terminated the main process; `kubectl describe pod` shows it under Last State with exit code 137. The fix is to raise `resources.limits.memory` for the container, ideally to a value informed by `kubectl top pod` or the application's own metrics rather than a guess. If usage grows without bound over days, as the timeline in the question hints, a larger limit only delays the next kill and the leak itself needs fixing; `kubectl logs --previous` shows the output of the killed instance.
Option A would not help: Kubernetes is already restarting the container (that is what CrashLoopBackOff means) and the same failure recurs. Option C addresses CPU, not memory; CPU limits throttle rather than kill. Option D (deleting the namespace) is destructive and unnecessary.
Which TWO of the following are valid ways to expose a service externally on a Kubernetes cluster? (Select 2)
NodePort exposes the service on a static port on each node, accessible externally.
Why this answer
NodePort and LoadBalancer are both methods to expose services externally. ClusterIP is internal only. ExternalName maps to an external DNS name.
`kubectl port-forward` tunnels through the API server for debugging and is not an exposure method. Ingress is the other common way to expose HTTP services externally, but it is a separate resource, not a Service type.
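An added example (not from the original page) that covers the NodePort question, the NodePort sequencing exercise and this question: a Deployment with a NodePort Service and a LoadBalancer Service selecting the same pods, annotated with what each port field means. The names, image and address range are assumed:

```yaml
# Added example, not from the original page. Names, image, nodePort value and the
# client range are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: registry.example.com/web:1.0   # assumed; listens on 8080
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport
spec:
  type: NodePort
  selector:
    app: web
  ports:
  - port: 80          # the Service's ClusterIP port, used inside the cluster
    targetPort: 8080  # the container port the traffic is forwarded to
    nodePort: 30080   # optional; if omitted one is allocated from 30000-32767
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: web-lb
spec:
  type: LoadBalancer            # builds on NodePort: every node still opens a port behind the LB
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
  loadBalancerSourceRanges:     # restrict the LB to known client networks where supported
  - 198.51.100.0/24
```

After `kubectl apply`, `kubectl get svc web-nodeport` shows `80:30080/TCP` and the application answers at `http://<any-node-IP>:30080`. A NodePort listens on every node's interfaces whether or not that node runs a matching pod, so it belongs behind a firewall or security group; `externalTrafficPolicy: Local` keeps traffic on nodes that have a local pod and preserves the client source IP.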
A Service named 'api' has no endpoints. 'kubectl describe svc api' shows the selector 'app: api', but no pods have that label. What is the most likely reason for missing endpoints?
The selector 'app: api' does not match any pods, so no endpoints.
Why this answer
Endpoints are created by the Service based on the selector. If no pods match the selector, the endpoints list will be empty. The solution is to check the pod labels.
You are tasked with containerizing a Go application. The application compiles into a binary. Which Dockerfile best implements a multi-stage build to produce a minimal image?
Multi-stage build: first stage compiles, second stage scratch only copies binary. Minimal image.
Why this answer
Option C is correct: a first stage compiles the binary with a Go image, and a second stage starting `FROM scratch` copies in only that binary with `COPY --from=builder`. Option A uses a single stage that ships the full Go toolchain; Option B also uses a single stage. Two things to remember with `scratch`: it contains no CA certificates, time-zone data or shell, so a binary that makes TLS connections needs the build stage's `/etc/ssl/certs/ca-certificates.crt` copied in, and it defines no user, so set a numeric `USER` (for example `USER 65534`) or the Pod will fail a `runAsNonRoot` check.
Option D is incorrect because it uses invalid syntax (`FROM AS builder` without specifying a base image).
What is the purpose of the 'values.yaml' file in a Helm chart?
values.yaml is the default values file.
Why this answer
values.yaml contains default configuration values that can be overridden during installation or upgrade.
You want to expose a container's port 8080 in the Dockerfile. Which instruction should you use?
EXPOSE documents the port.
Why this answer
Option B is correct because the `EXPOSE` instruction records in the image metadata that the container listens on the given port at runtime. It does not publish the port and does not open anything: containers on the same Docker network can already reach each other on any port. Its practical effects are documentation (`docker inspect` shows it) and `docker run -P`, which publishes all exposed ports to random host ports. Kubernetes ignores it; `containerPort` in a Pod spec is likewise informational.
Exam trap
The trap here is that candidates confuse `EXPOSE` with actually publishing the port to the host, thinking it makes the container accessible externally, when in fact it only declares intent and requires `-p` or `--publish` for host access.
How to eliminate wrong answers
Option A is wrong because `PORT` is not a valid Dockerfile instruction; the correct keyword is `EXPOSE`. Option C is wrong because `LISTEN` is not a Dockerfile instruction; it is a directive used in configuration files for services like Apache or Nginx. Option D is wrong because `PUBLISH` is not a Dockerfile instruction; port publishing is done at container runtime using the `-p` or `--publish` flag with `docker run`.
What is the DNS name for a Service named `svc` in namespace `ns`?
Correct format.
Why this answer
The fully qualified name is <service>.<namespace>.svc.cluster.local, here `svc.ns.svc.cluster.local`. Pods in namespace `ns` can use just `svc`, and pods in any namespace can use `svc.ns`, because the cluster DNS search path fills in the rest; `cluster.local` is the default cluster domain and can be set differently per cluster.
A pod fails to start with a 'CreateContainerConfigError'. Running 'kubectl describe pod my-pod' reveals: 'Error: container has runAsNonRoot and image will run as root'. The pod definition includes 'securityContext.runAsNonRoot: true'. What is the most likely cause?
runAsNonRoot: true requires the container to run as a non-root user. If the image defaults to root, the pod will fail with this error.
Why this answer
The error 'container has runAsNonRoot and image will run as root' occurs because the pod's securityContext sets `runAsNonRoot: true` but no `runAsUser`, so the kubelet must verify the image's own user before starting the container. It reads the `USER` from the image configuration: if it is unset or 0, you get this message; if it is a name rather than a numeric UID (for example `USER nginx`), the kubelet cannot verify it and fails with a similar 'non-numeric user' message. Either set `runAsUser` to a non-zero UID in the pod spec or rebuild the image with a numeric `USER`. The check happens while building the container configuration, hence CreateContainerConfigError rather than a crash after start.
Exam trap
The trap here is that candidates often assume the error is about missing runAsUser or capabilities, but the error message directly points to the image's default user being root, which is a mismatch with the runAsNonRoot constraint.
How to eliminate wrong answers
Option A is wrong because CAP_SYS_ADMIN is a Linux capability unrelated to the runAsNonRoot check; the error is about the container's user identity, not capabilities. Option C is wrong because a read-only root filesystem does not cause a runAsNonRoot conflict; it would produce a different error (for example an application-level 'read-only file system' failure). Option D is wrong because runAsUser is not required when runAsNonRoot is true; Kubernetes enforces non-root even without an explicit UID by inspecting the image, and the error states that the image runs as root, not that a random UID was chosen.
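An added example (not from the original page) for both the Pod Security Admission question above and this runAsNonRoot error: a namespace labelled to enforce the restricted profile and a Pod that actually passes it, including the fields the answer key leaves out and an explicit `runAsUser` that resolves the 'image will run as root' failure. Namespace, image and UIDs are assumed:

```yaml
# Added example, not from the original page. Namespace name, image and UIDs are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: secure-apps
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject non-compliant Pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # also warn on kubectl apply
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: secure-apps
spec:
  securityContext:
    runAsNonRoot: true              # required by restricted
    runAsUser: 10001                # not required, but resolves "image will run as root"
    runAsGroup: 10001               #   when the image's USER is root or non-numeric
    seccompProfile:
      type: RuntimeDefault          # required: RuntimeDefault or Localhost
  containers:
  - name: web
    image: registry.example.com/web:1.0   # assumed
    ports:
    - containerPort: 8080           # bind above 1024; NET_BIND_SERVICE is the only addable cap
    securityContext:
      allowPrivilegeEscalation: false   # required
      capabilities:
        drop: ["ALL"]                   # required
      readOnlyRootFilesystem: true      # not checked by restricted, but good hygiene
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # writable scratch space since / is read-only
  volumes:
  - name: tmp
    emptyDir: {}                    # restricted allows emptyDir, configMap, secret, projected,
                                    # downwardAPI, PVC, csi and ephemeral; hostPath is rejected
```

Remove any one of the four required settings (`runAsNonRoot`, `seccompProfile`, `allowPrivilegeEscalation: false`, `drop: ["ALL"]`) and `kubectl apply` is rejected with a message naming the missing field. Setting the pod-level `runAsUser` is what turns the runAsNonRoot check from "inspect the image" into "trust the spec", which is why it fixes CreateContainerConfigError for images built with `USER root` or a non-numeric user.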