Certified Kubernetes Application Developer CKAD (CKAD) — Questions 451-525

991 questions total · 14 pages · All types, answers revealed


Page 7 of 14

451
Multi-Select · medium

Which TWO statements about the .dockerignore file are true?

Select 2 answers
A. It is automatically applied to all docker commands
B. It supports pattern matching similar to .gitignore
C. It can be used to specify which Dockerfile to use
D. It can override the base image from the Dockerfile
E. It can exclude files from being copied into the image by COPY and ADD instructions
Answers: B, E

.dockerignore uses glob patterns similar to .gitignore.

Why this answer

.dockerignore excludes files from the build context, reducing build time and preventing secrets from being copied.

452
Multi-Select · hard

A Deployment named 'api' has 6 replicas. You want to perform a rolling update with the following constraints: at most 2 pods can be unavailable during the update, and at most 1 extra pod can be created above the desired 6. Which strategy configurations achieve this? (Choose TWO)

Select 2 answers
A. strategy.rollingUpdate: maxSurge: 1, maxUnavailable: 2
B. strategy.rollingUpdate: maxSurge: 16%, maxUnavailable: 33%
C. strategy.rollingUpdate: maxSurge: 2, maxUnavailable: 2
D. strategy.rollingUpdate: maxSurge: 1, maxUnavailable: 3
E. strategy.rollingUpdate: maxSurge: 1, maxUnavailable: 1
Answers: A, B

Absolute numbers match constraints.

Why this answer

Option A: maxSurge=1 (one extra pod), maxUnavailable=2 (two unavailable pods), which satisfies the constraints. Option E: maxSurge=1, maxUnavailable=2, the same. Option B has maxUnavailable=1, not 2.

Option C has maxSurge=2. Option D has maxUnavailable=3. So A and E are correct.

But note that A uses absolute numbers, E uses percentages. Both are valid.

453
Multi-Select · medium

Which TWO of the following are correct ways to pause a rollout of a Deployment named 'myapp'? (Select TWO)

Select 2 answers
A. kubectl rollout pause deployment/myapp
B. kubectl rollout undo deployment/myapp
C. kubectl edit deployment myapp and set spec.paused: true
D. kubectl rollout resume deployment/myapp
E. kubectl set image deployment/myapp app=nginx && kubectl rollout pause deployment/myapp
Answers: A, E

Correct.

Why this answer

'kubectl rollout pause deployment/myapp' pauses the rollout. 'kubectl set image ... && kubectl rollout pause' pauses after setting the image but before the rollout completes. 'kubectl rollout resume' resumes, not pauses.

454
MCQ · hard

You want to perform a canary deployment where 10% of traffic goes to the new version. You have a Deployment 'app-v1' with 10 replicas. You create a second Deployment 'app-v2' with 1 replica and a new Service. What Kubernetes resource is typically used to split traffic between the two Services?

A. A single Service with multiple selectors
B. NetworkPolicy
C. Ingress resource with a canary annotation
D. HorizontalPodAutoscaler
Answer: C

Ingress controllers support canary rules to split traffic.

Why this answer

An Ingress controller (such as NGINX) with traffic-splitting capabilities (e.g., via annotations or canary configuration) can distribute traffic between Services. Alternatively, a service mesh like Istio can be used, but Ingress is the most common standard resource.

455
Multi-Select · hard

Which THREE components are required for a basic Ingress to route HTTP traffic to a Service? (Choose three.)

Select 3 answers
A. A Deployment of the application
B. A Service of type ClusterIP or NodePort
C. A NetworkPolicy allowing traffic from the Ingress controller
D. An Ingress resource YAML file
E. An Ingress controller (e.g., nginx-ingress)
Answers: B, D, E

The Ingress forwards traffic to a Service.

Why this answer

A Service of type ClusterIP or NodePort is required because the Ingress resource routes external HTTP traffic to a Service, which then forwards it to the Pods. ClusterIP is the default and most common type for internal cluster routing, while NodePort can also be used but is less typical. Without a Service, the Ingress has no endpoint to direct traffic to.

Exam trap

CNCF often tests the misconception that a Deployment is mandatory for Ingress to work, but the Ingress only requires a Service to route to, and the underlying Pods can be created by any workload resource (e.g., a ReplicaSet or even a standalone Pod).

456
Multi-Select · hard

Which THREE of the following are valid fields in a HorizontalPodAutoscaler (HPA) v2 specification?

Select 3 answers
A. spec.targetCPUUtilizationPercentage
B. spec.metrics
C. spec.minReplicas
D. spec.behavior
E. spec.maxReplicas
Answers: B, C, D

Yes, spec.metrics is an array of metric specifications.

Why this answer

In HPA v2 (autoscaling/v2), the spec includes 'metrics', 'behavior', and 'minReplicas'. 'metrics' defines the metrics to scale on, 'behavior' defines scaling policies, and 'minReplicas' sets the minimum number of pods. 'targetCPUUtilizationPercentage' is a deprecated field from v1. 'scaleTargetRef' is also a required field of the spec, but it is not listed among the options.

457
MCQ · medium

A Pod needs to communicate with another Pod in the same cluster but in a different namespace. What is the correct DNS name to use?

A. <namespace>.<service>.svc.cluster.local
B. <service>.<namespace>.pod.cluster.local
C. <service>.svc.cluster.local
D. <service>.<namespace>.svc.cluster.local
Answer: D

Standard format for cross-namespace DNS.

Why this answer

Option D is correct because Kubernetes DNS resolves services across namespaces using the format `<service>.<namespace>.svc.cluster.local`. When a Pod in one namespace needs to communicate with a service in another namespace, the fully qualified domain name (FQDN) must include the namespace to disambiguate the service. This is defined by the Kubernetes DNS specification, which appends `svc.cluster.local` as the cluster domain suffix.

Exam trap

The trap here is that candidates often forget the namespace is required for cross-namespace communication and pick Option C, which only works within the same namespace, or confuse the order of service and namespace as in Option A.

How to eliminate wrong answers

Option A is wrong because it reverses the order of service and namespace, which would not resolve to the correct service endpoint. Option B is wrong because it uses `.pod.cluster.local` instead of `.svc.cluster.local`; Pod DNS records use the format `<pod-ip>.<namespace>.pod.cluster.local`, not service names. Option C is wrong because it omits the namespace, which only works when the source and target are in the same namespace; cross-namespace communication requires the namespace qualifier.

458
MCQ · medium

A Pod in a namespace with a ResourceQuota fails to create with the error: 'exceeded quota: compute-quota, requested: pods=1, used: pods=5, limited: pods=5'. What is the issue?

A. The Pod's service account does not have permission to create Pods.
B. The Pod's resource requests exceed the quota.
C. The namespace has reached its maximum number of Pods allowed by the ResourceQuota.
D. The Pod is trying to mount a Secret that does not exist.
Answer: C

Correct: the quota limits pods to 5, and all 5 slots are used.

Why this answer

The error message explicitly states 'requested: pods=1, used: pods=5, limited: pods=5'. This means the ResourceQuota named 'compute-quota' has a hard limit of 5 pods in the namespace, and that limit has already been reached. The Pod creation fails because the quota's `count/pods` scope is exhausted, not because of resource requests or permissions.

Exam trap

CNCF often tests the distinction between count-based quotas (e.g., `count/pods`) and resource-based quotas (e.g., `requests.cpu`), leading candidates to incorrectly assume the error is about resource requests when the message clearly references pod count.

How to eliminate wrong answers

Option A is wrong because a ServiceAccount permission issue would produce a 'Forbidden' or 'Unauthorized' error, not a quota-exceeded error. Option B is wrong because the error message mentions 'pods=1' (a count of pods), not CPU or memory resource requests; exceeding a resource-request quota would show 'requested: cpu=...' or 'memory=...'. Option D is wrong because a missing Secret would cause a 'MountVolume.SetUp failed' or 'secret not found' error during Pod startup, not a quota-exceeded error at creation time.

459
MCQ · hard

During a deployment update, the rollout is stuck and new pods are not becoming ready. The developer checks the events and sees 'Back-off restarting failed container'. What is the most likely cause?

A. The liveness probe is failing
B. The container's entrypoint command fails immediately after start
C. The image pull secret is missing
D. The pod exceeds its memory limit and is OOMKilled
Answer: B

If the command exits, the container crashes, leading to restart back-off.

Why this answer

The 'Back-off restarting failed container' event indicates that the container process exits immediately after starting, causing Kubernetes to repeatedly restart it with increasing back-off delays. This is most commonly caused by a container entrypoint or command that fails at runtime, such as a misconfigured binary, missing dependency, or incorrect startup script. Unlike probe failures, which cause restarts after the container is already running, this error occurs before the container can even become ready.

Exam trap

The trap here is that candidates confuse 'Back-off restarting failed container' with liveness probe failures, but the key distinction is timing: this event occurs immediately at container start, while probe failures happen after the container has been running for some time.

How to eliminate wrong answers

Option A is wrong because a failing liveness probe would cause the container to be restarted after it has started and been running for at least the initialDelaySeconds period, not immediately at startup; the event would typically be 'Liveness probe failed' rather than 'Back-off restarting failed container'. Option C is wrong because a missing image pull secret would result in an 'ImagePullBackOff' or 'ErrImagePull' event, not a back-off restart after the container has started. Option D is wrong because a pod exceeding its memory limit and being OOMKilled would show an 'OOMKilled' reason in the container status and an 'OutOfMemory' event, not a generic back-off restart due to immediate exit.

460
MCQ · hard

You need to configure a liveness probe that checks if the container port 8080 is open. Which probe type should you use?

A. tcpSocket
B. grpc
C. exec
D. httpGet
Answer: A

tcpSocket probe succeeds if the TCP handshake completes.

Why this answer

A tcpSocket probe is the correct choice when you need to verify that a container is listening on a specific TCP port, such as port 8080. It works by attempting to open a TCP connection to the specified port; if the connection succeeds, the probe is considered successful. This is ideal for checking basic network-level readiness or liveness without requiring an HTTP endpoint or a custom command.

Exam trap

The trap here is that candidates often choose httpGet because they assume a web server on port 8080, but the question explicitly asks only to check if the port is open, not to validate an HTTP response, making tcpSocket the precise and minimal probe type.

How to eliminate wrong answers

Option B (grpc) is wrong because gRPC probes are used specifically for checking the health of gRPC services using the gRPC health checking protocol, not for verifying that a raw TCP port is open. Option C (exec) is wrong because exec probes run a command inside the container and check its exit code, which is unnecessary overhead when you only need to confirm a port is listening. Option D (httpGet) is wrong because httpGet probes require an HTTP endpoint that returns a valid status code (2xx or 3xx), and they cannot be used to simply check if a TCP port is open without an HTTP server.

461
MCQ · medium

You are writing a Dockerfile and want to ensure that the CMD instruction is overridable when running the container, but the ENTRYPOINT should not be easily overridden. Which combination should you use?

A. ENTRYPOINT ["myapp"]; CMD ["--help"]
B. CMD ["myapp", "--help"]
C. ENTRYPOINT myapp; CMD --help
D. ENTRYPOINT ["myapp"]
Answer: D

ENTRYPOINT defines the main command and is not easily overridden; CMD is omitted so no default arguments.

Why this answer

Option D is correct. ENTRYPOINT sets the executable, which cannot be overridden unless the --entrypoint flag is used. CMD provides default arguments that can be overridden by command-line arguments.

Option A uses ENTRYPOINT with exec form which is overridable via --entrypoint. Option B uses both as CMD, which is fully overridable. Option C uses ENTRYPOINT with shell form, which is also overridable.

462
Multi-Select · hard

Which THREE are valid types of probes in Kubernetes?

Select 3 answers
A. Startup probe
B. Readiness probe
C. Liveness probe
D. Survival probe
E. Health probe
Answers: A, B, C

Used for slow-starting containers.

Why this answer

Startup probes are a valid Kubernetes probe type used to determine when a container application has started successfully. They are particularly useful for legacy applications that have slow startup times, as they delay the start of liveness and readiness probes until the startup probe succeeds, preventing premature container restarts.

Exam trap

CNCF often tests the distinction between the three official probe types (liveness, readiness, startup) and common but incorrect terms like 'survival' or 'health', which candidates might confuse due to similar-sounding names or general cloud concepts.

463
Multi-Select · medium

Which TWO statements about init containers are true? (Select 2)

Select 2 answers
A. Init containers support liveness and readiness probes.
B. Init containers share the same filesystem as the application containers by default.
C. Init containers run sequentially in the order they are defined.
D. Init containers have a restart policy of Always.
E. Init containers must complete successfully before application containers start.
Answers: C, E

Correct: init containers run one after another.

Why this answer

Options A and D are correct. Init containers run sequentially before app containers, and they must run to completion successfully. Option B is false: init containers do not share filesystems by default; they can share volumes.

Option C is false: init containers cannot have liveness probes. Option E is false: init containers use the same restart policy as the pod, not always Never.

464
MCQ · medium

A pod has a readiness probe configured with httpGet on port 8080. The probe is failing, but the pod is running. What is the immediate effect on the pod?

A. The pod will be removed from the Service's endpoints and will stop receiving traffic
B. The pod will be restarted
C. The pod will be evicted from the node
D. The pod will be deleted
Answer: A

A failing readiness probe marks the pod as not ready, so the service removes it from endpoints.

Why this answer

A failing readiness probe causes the pod to be removed from the Service's endpoints, so it will not receive traffic. The pod continues running and can be restarted by a liveness probe if configured, but readiness only affects traffic routing.

465
MCQ · easy

What is the DNS name for a Service named 'backend' in the 'default' namespace?

A. backend.default.cluster.local
B. backend.default.svc.cluster.local
C. backend.svc.cluster.local
D. backend.default.svc.cluster
Answer: B

Correct format: <service>.<namespace>.svc.cluster.local

Why this answer

The DNS name format for a Service is <service-name>.<namespace>.svc.cluster.local. Option A is correct. Option B is missing the namespace.

Option C is incorrect because the suffix is .svc.cluster.local, not .svc.cluster. Option D is incorrect because the namespace comes before 'svc'.

466
MCQ · hard

A pod named 'app' has a container that logs to stdout. You want to add a sidecar container that streams these logs to a centralized logging service. Which pattern does this represent?

A. Ambassador pattern
B. Adapter pattern
C. Sidecar pattern
D. Init container pattern
Answer: C

A sidecar container runs alongside the main container to provide additional functionality like log shipping.

Why this answer

A sidecar container that enhances the primary container (e.g., log shipper) is a classic sidecar pattern.

467
MCQ · medium

You have a YAML file for a Job named 'data-processor' with 'spec.backoffLimit: 4'. After 3 retries, one pod fails. How many more retries will Kubernetes attempt on that pod?

A. 0 retries; the job is marked as failed
B. Unlimited retries until success
C. 1 retry
D. 4 retries
Answer: C

backoffLimit counts retries; after 3 retries, one more is allowed before the job fails.

Why this answer

backoffLimit limits the total number of retries across all pods. Note that backoffLimit specifies the number of retries before the Job is marked as failed.

The initial attempt is not a retry. So backoffLimit=4 means up to 4 retries. After 3 retries, one more retry is allowed.

But the question says 'after 3 retries', meaning 3 retries have already occurred. So one more is allowed. However, the options should reflect that.

468
MCQ · medium

A developer wants to debug a container that has crashed and is no longer running. Which command allows them to start an ephemeral container in the same pod for debugging?

A. kubectl attach <pod>
B. kubectl debug -it <pod> --image=busybox --target=<container>
C. kubectl run debug --image=busybox -it --rm
D. kubectl exec -it <pod> -- /bin/sh
Answer: B

This creates an ephemeral container in the target pod for debugging.

Why this answer

kubectl debug with the -it flag creates an ephemeral container for debugging. Option A is correct.

469
MCQ · medium

You want to perform a canary deployment. You have a Deployment 'app-v1' with 10 replicas. You create a new Deployment 'app-v2' with 1 replica. Both have the label 'app: myapp'. The Service 'myapp-svc' uses selector 'app: myapp'. How do you gradually increase traffic to v2?

A. Create a second Service for v2 and use DNS weighting.
B. Gradually increase the replicas of app-v2 and decrease those of app-v1.
C. Update the Service selector to include version labels.
D. Use 'kubectl set image' on the existing Deployment.
Answer: B

This shifts traffic proportionally because both Deployments have the same label.

Why this answer

By increasing the number of replicas in the v2 Deployment, more pods will be available to receive traffic from the Service, as both versions share the same label.

470
MCQ · easy

Which kubectl command creates a deployment named 'web' from the image 'nginx:1.25' and exposes it on port 80?

A. kubectl create deployment web --image=nginx:1.25 --expose
B. kubectl apply -f deployment.yaml
C. kubectl run web --image=nginx:1.25 --port=80
D. kubectl create deployment web --image=nginx:1.25
Answer: D

This creates a deployment. To expose it, you would need an additional 'kubectl expose' command.

Why this answer

The 'kubectl create deployment' command creates a deployment, then 'kubectl expose' creates a service. However, among the options, the correct one is the command that creates the deployment only. The question asks for a command that creates a deployment and exposes it.

The best match is using 'kubectl run' with --port, which creates a pod, not a deployment. So the intended correct answer is the deployment creation command, but exposure is separate. The correct answer should be 'kubectl create deployment web --image=nginx:1.25' and then expose separately.

Among the given options, the one that creates a deployment is correct.

471
MCQ · medium

A pod has a container with envFrom referencing a ConfigMap. The ConfigMap has keys 'APP_DEBUG=true' and 'APP_NAME=myapp'. The pod also has an env entry with name 'APP_DEBUG' set to 'false'. What is the value of APP_DEBUG in the container?

A. false
B. undefined
C. Both values are concatenated
D. true
Answer: A

Explicit env entries take precedence over envFrom.

Why this answer

When a pod has both an `envFrom` referencing a ConfigMap and an explicit `env` entry with the same key, the explicit `env` entry takes precedence. This is because Kubernetes merges environment variables from multiple sources, and individual `env` entries override any values from `envFrom` for the same key. Therefore, `APP_DEBUG` will be set to 'false' as defined in the explicit `env` entry.

Exam trap

The trap here is that candidates often assume `envFrom` merges all keys and that explicit `env` entries are additive, but they fail to remember that explicit `env` entries override `envFrom` for duplicate keys, leading them to pick the ConfigMap's value (true) or think both values are concatenated.

How to eliminate wrong answers

Option B is wrong because the environment variable `APP_DEBUG` is defined both via the ConfigMap and the explicit `env` entry, so it is not undefined. Option C is wrong because Kubernetes does not concatenate values for the same key; it applies a precedence rule where the explicit `env` entry overrides the value from `envFrom`. Option D is wrong because the explicit `env` entry with value 'false' overrides the ConfigMap's value of 'true', not the other way around.

472
MCQ · medium

You apply a ResourceQuota to a namespace that limits memory requests to 2Gi. You then try to create a pod that requests 3Gi memory. What happens?

A. The pod is created with a warning, but the request is ignored.
B. The pod is created, but the memory request is capped at 2Gi.
C. The pod creation fails with an error message indicating the quota would be exceeded.
D. The pod is created, but it will be OOMKilled if it exceeds 2Gi.
Answer: C

The API server validates admission and rejects the request.

Why this answer

When a ResourceQuota is applied to a namespace with a memory request limit of 2Gi, any pod creation that would cause the total memory requests in the namespace to exceed that quota is rejected by the Kubernetes API server. The pod creation fails immediately with an error message indicating the quota would be exceeded, because the admission controller validates the request against the quota before allowing the pod to be scheduled.

Exam trap

The trap here is that candidates may confuse ResourceQuota (which enforces at admission time and rejects the pod) with LimitRange (which sets default requests/limits but does not cap existing requests), or mistakenly think Kubernetes silently adjusts resource requests to fit within quotas.

How to eliminate wrong answers

Option A is wrong because Kubernetes does not create pods with warnings and ignore requests; quota enforcement is strict and fails the creation. Option B is wrong because the memory request is not capped at 2Gi; the pod creation is rejected entirely, not modified. Option D is wrong because the pod is never created, so it cannot be OOMKilled; OOMKilling occurs at runtime if a container exceeds its memory limit, not due to quota enforcement.

473
MCQ · hard

A Pod specification includes: securityContext: { seccompProfile: { type: RuntimeDefault } }. What does this configuration do?

A. It disables seccomp for the pod
B. It applies the container runtime's default seccomp profile
C. It allows all syscalls
D. It uses a custom seccomp profile from a file
Answer: B

RuntimeDefault uses the runtime's default, which is usually a restricted profile.

Why this answer

Setting `seccompProfile.type: RuntimeDefault` in the Pod's securityContext instructs the container runtime (e.g., containerd or CRI-O) to apply its own default seccomp profile to the container. This default profile restricts system calls to a safe subset, blocking dangerous or unnecessary syscalls while allowing common ones required for typical application execution. It is the recommended way to enable seccomp without managing a custom profile.

Exam trap

The trap here is that candidates confuse `RuntimeDefault` with disabling seccomp or allowing all syscalls, when in fact it applies a restrictive, runtime-specific default profile that is neither fully permissive nor custom.

How to eliminate wrong answers

Option A is wrong because `RuntimeDefault` does not disable seccomp; disabling seccomp would require setting the type to `Unconfined` or omitting the seccomp configuration entirely. Option C is wrong because `RuntimeDefault` does not allow all syscalls; it applies a restrictive profile that blocks many syscalls, and allowing all syscalls would be achieved by `Unconfined`. Option D is wrong because using a custom seccomp profile from a file requires setting the type to `Localhost` and specifying a `localhostProfile` path, not `RuntimeDefault`.

474
MCQ · medium

A team is deploying a microservice that must be reachable within the cluster via a stable DNS name. They also need to distribute traffic among pods. Which Kubernetes resource provides both service discovery and load balancing?

A. Service
B. ConfigMap
C. Secret
D. Ingress
Answer: A

Service assigns a stable IP and DNS name, and load balances across pods.

Why this answer

A Service in Kubernetes provides a stable DNS name (via cluster DNS, e.g., CoreDNS) that resolves to the Service's ClusterIP, and it load-balances traffic across the pods selected by its label selector using iptables or IPVS rules. This directly fulfills the requirement for both service discovery and load balancing within the cluster.

Exam trap

The trap here is that candidates often confuse Ingress with internal service discovery, but Ingress is designed for external traffic routing and does not provide a stable DNS name for pod-to-pod communication within the cluster.

How to eliminate wrong answers

Option B (ConfigMap) is wrong because it is used to store configuration data as key-value pairs and does not provide any network endpoint or load-balancing functionality. Option C (Secret) is wrong because it stores sensitive data like passwords or tokens and has no role in service discovery or traffic distribution. Option D (Ingress) is wrong because it operates at the HTTP/HTTPS layer to expose services externally (outside the cluster) and does not provide internal DNS-based service discovery or Layer 4 load balancing within the cluster.

475
Multi-Select · easy

Which TWO of the following are valid ways to scale a Deployment named 'my-app' to 5 replicas?

Select 2 answers
A. kubectl edit deployment my-app
B. kubectl apply -f deployment.yaml where deployment.yaml has 'replicas: 5'
C. kubectl deployment my-app scale --replicas=5
D. kubectl scale deployment my-app --selector=app=my-app
E. kubectl scale deployment my-app --replicas=5
Answers: B, E

Applying updated YAML scales the deployment.

Why this answer

Option A uses kubectl scale with the --replicas flag to set the count. Option C modifies the deployment YAML and applies it, which is also valid. Option B has a typo ('scale' is misplaced).

Option D sets a label selector but leaves replicas unchanged if not specified. Option E uses edit but doesn't specify the change.

476
MCQ · medium

A pod is in Pending state. 'kubectl describe pod' shows '0/1 nodes are available: 1 Insufficient cpu'. Which action would resolve this?

A. Reduce the CPU request in the container's resource spec
B. Increase the CPU limit of the container
C. Delete and recreate the pod
D. Add more environment variables
Answer: A

Reducing the request makes the pod schedulable on nodes with less available CPU.

Why this answer

The pod cannot be scheduled because the requested CPU is not available on any node. Reducing the CPU request may allow scheduling.

477
MCQ · medium

A user runs: kubectl run my-pod --image=nginx --restart=Never --dry-run=client -o yaml. Which apiVersion is used in the generated YAML?

A. apps/v1
B. batch/v1
C. networking.k8s.io/v1
D. v1
Answer: D

The command creates a Pod, and Pods are in the core v1 API group.

Why this answer

The 'kubectl run' command without '--restart=Never' defaults to a Deployment (apps/v1), but with '--restart=Never' it creates a standalone Pod (v1).

478
MCQ · easy

Which kubectl command can you use to stream the logs from a pod in real-time?

A. kubectl logs --previous
B. kubectl logs
C. kubectl logs -f
D. kubectl logs --tail=10
Answer: C

The '-f' flag follows log output in real-time.

Why this answer

The '-f' flag (follow) allows you to stream logs in real-time.

479
MCQ · medium

A namespace 'team-a' has a ResourceQuota that sets 'requests.cpu: 4' and 'limits.cpu: 8'. A developer tries to create a pod with 'resources.requests.cpu: 2' and 'resources.limits.cpu: 10'. What happens?

A. The pod is rejected because the limit (10) exceeds the quota's allowed limit
B. The pod is created because the request (2) is within the quota
C. The pod is created but its limit is automatically reduced to 8
D. The pod is created, but it will be evicted immediately
Answer: A

A ResourceQuota enforces that the sum of limits across all pods in the namespace does not exceed 8.

Why this answer

The pod is rejected because the ResourceQuota in namespace 'team-a' sets a hard limit of 8 CPUs for limits.cpu across all pods. The developer's pod specifies a limit of 10 CPUs, which exceeds this quota. Kubernetes enforces ResourceQuota at admission time, so any resource request or limit that violates the quota's constraints will cause the pod creation to be denied.

Exam trap

The trap here is that candidates often assume only the request is checked against the quota, but Kubernetes enforces both requests and limits independently, and a pod with a limit exceeding the quota's limit will be rejected even if the request is within bounds.

How to eliminate wrong answers

Option B is wrong because even though the request (2) is within the quota, the limit (10) exceeds the quota's allowed limit of 8, and Kubernetes checks both requests and limits against the quota. Option C is wrong because Kubernetes does not automatically reduce resource limits to fit within a quota; it rejects the pod instead, as per the admission controller behavior. Option D is wrong because the pod is not created at all due to admission denial, so it cannot be evicted; eviction occurs only after a pod is running and violates a limit range or is under resource pressure.

480
Matching · medium

Match each YAML key in a Deployment manifest to its purpose.


Matches

API version of the resource (e.g., apps/v1)

Desired number of pod instances

Labels used to identify pods managed by the deployment

Labels assigned to pods created by the template

Container image to run

Why these pairings

These are critical fields in a Deployment YAML.

481
Multi-Select · hard

You are deploying a microservice that reads from a ConfigMap and a Secret. The application logs show 'Failed to read configuration: missing key' on startup. Which TWO are likely causes?

Select 2 answers
A. The Secret data is base64 encoded in the manifest, but the application expects decoded values
B. The ConfigMap does not exist in the namespace
C. The Secret volume mount has files with incorrect permissions (e.g., 0400) and the application runs as a non-root user
D. The ServiceAccount used by the pod does not have permissions to access Secrets
E. The ConfigMap was updated but the pod was not restarted
Answers: B, C

If the ConfigMap is missing, the pod may fail to mount or the environment variable will be undefined.

Why this answer

Option B is correct because if the ConfigMap does not exist in the namespace, any pod referencing it will fail to start or the application will be unable to read the configuration data. Kubernetes validates ConfigMap existence at pod creation time, and missing ConfigMaps cause the pod to remain in a pending state or the application to log errors like 'missing key' when attempting to access the configuration.

Exam trap

CNCF often tests the misconception that RBAC permissions are required for reading Secrets mounted as volumes, when in fact any pod with a volume mount can read the Secret data directly from the filesystem without API-level authorization.

482
MCQmedium

You have deployed a microservices application in a Kubernetes cluster. One of the services, 'payment-service', needs to be accessed by other services within the cluster via a stable DNS name. You create a Service of type ClusterIP named 'payment' with selector app=payment. However, when you try to curl http://payment from another Pod, the connection times out. You verify that the Pods backing 'payment-service' are running and ready, and the Endpoints object lists the correct Pod IPs. You also confirm that the Pods are listening on port 8080, and the Service defines targetPort: 8080. The cluster uses a standard CNI plugin (Calico) and DNS is provided by CoreDNS. What is the most likely cause of the timeout?

A.The Service name 'payment' is not resolvable by DNS
B.The Pods are listening on 127.0.0.1 only, not on 0.0.0.0
C.The targetPort in the Service does not match the containerPort in the Pod spec
D.The Service type should be NodePort instead of ClusterIP
AnswerB

Pods listening on localhost are not reachable from other Pods via service IP.

Why this answer

The most likely cause is that the Pods are listening only on 127.0.0.1 (localhost), which means they only accept connections from within the same Pod. When the Service sends traffic to the Pod via its cluster IP, the connection arrives on the Pod's network interface (e.g., eth0), not on loopback. Since the application is not bound to 0.0.0.0, it rejects or ignores the incoming packets, causing a timeout.

This is a classic misconfiguration where the application's listen address is too restrictive.

Exam trap

The trap here is that candidates often assume DNS or port mismatches are the issue, but the timeout (not 'connection refused' or 'could not resolve') points to the application not accepting traffic on the correct network interface, which is a subtle but critical detail in Kubernetes networking.

How to eliminate wrong answers

Option A is wrong because a DNS failure would surface immediately as a 'could not resolve host' error, not a timeout; the timeout indicates the connection reached the Pod but was not accepted. Option C is wrong because the user verified that the Endpoints object lists correct Pod IPs and the Service defines targetPort: 8080, which matches the containerPort; if they didn't match, the Endpoints would be empty or the connection would be refused on a different port. Option D is wrong because ClusterIP is the correct type for in-cluster access via a stable DNS name; NodePort is for external access and would not fix a connectivity issue caused by the application binding to localhost.

483
MCQhard

A pod has a startup probe with failureThreshold: 30 and periodSeconds: 10. The application takes up to 5 minutes to start. What should be changed to ensure the startup probe does not kill the container prematurely?

A.Increase failureThreshold to 40
B.Change periodSeconds to 5
C.Change timeoutSeconds to 30
D.Set initialDelaySeconds to 300
AnswerA

Increasing failureThreshold gives more attempts (40*10=400 seconds), providing a safety margin.

Why this answer

The current probe allows 300 seconds (30 * 10) before marking the container as failed. The app needs 300 seconds (5 min), so it's borderline. Increasing failureThreshold gives more tolerance.

Option C is correct.

484
Multi-Selecthard

Which THREE of the following are true about Kubernetes Services? (Select 3)

Select 3 answers
A.The NodePort range is 30000-32767 by default.
B.A Service of type ClusterIP is cluster-internal by default.
C.Headless Services have a ClusterIP assigned.
D.A Service of type NodePort exposes the Service on a static port on each node.
E.Services can only expose one port.
AnswersA, B, D

Default NodePort range is 30000-32767.

Why this answer

ClusterIP is default, Services can have multiple ports, and NodePorts are allocated from a range (default 30000-32767).

485
MCQmedium

A pod is running but not receiving traffic from a Service. The readiness probe is failing. What is the likely effect on the pod?

A.The pod will be marked as CrashLoopBackOff
B.The pod will remain running but will not be included in the Service's endpoints
C.The pod will be terminated and restarted
D.The pod will be evicted from the node
AnswerB

Readiness probes control whether a pod is included in the Service's load balancing pool. If it fails, the pod is removed from endpoints but continues running.

Why this answer

A readiness probe determines if a pod is ready to receive traffic. If it fails, the pod is removed from the Service endpoints, but it continues running.

486
Multi-Selectmedium

Which TWO of the following are correct about the ExternalName Service type?

Select 2 answers
A.It maps a Service to a DNS name, not to pods
B.It provides load balancing across pods
C.It selects pods using a label selector
D.It returns a CNAME record in DNS
E.It requires a cloud provider load balancer
AnswersA, D

Correct.

Why this answer

Option A is true: ExternalName maps to an external DNS name. Option D is true: It returns a CNAME record. Option B is false: It does not have selectors or pod endpoints.

Option C is false: It does not provide load balancing. Option E is false: It does not require a cloud provider.

487
MCQmedium

You need to run a batch job that processes a queue and must ensure exactly 5 pods run successfully in parallel. Which Job configuration field should be set?

A.spec.backoffLimit: 5
B.spec.ttlSecondsAfterFinished: 5
C.spec.parallelism: 5
D.spec.completions: 5
AnswerC

parallelism controls the maximum number of pods running in parallel.

Why this answer

The 'parallelism' field specifies how many pods can run concurrently. 'completions' is for total successful pod completions.

488
MCQmedium

A StatefulSet named 'mysql' is deployed with 3 replicas. The administrator wants each pod to have a stable network identity. Which service configuration is required?

A.A headless service with clusterIP: None and selector matching the StatefulSet
B.A ClusterIP service named 'mysql'
C.A NodePort service named 'mysql'
D.An ExternalName service pointing to an external database
AnswerA

Headless services provide stable network identities.

Why this answer

StatefulSets require headless services (clusterIP: None) to provide stable DNS names for each pod (e.g., mysql-0.mysql.default.svc.cluster.local).

489
MCQeasy

You have a ConfigMap named 'app-config' with key 'database.url'. Which environment variable definition correctly injects this value into a pod using a configMapKeyRef?

A.- name: DATABASE_URL valueFrom: configMapKeyRef: name: app-config key: database.url
B.envFrom: - configMapRef: name: app-config
C.- name: DATABASE_URL valueFrom: secretKeyRef: name: app-config key: database.url
D.- valueFrom: configMapKeyRef: name: app-config key: database.url
AnswerD

This is the correct YAML structure to reference a specific key from a ConfigMap.

Why this answer

Option D is correct because it uses a `valueFrom` field with a `configMapKeyRef` to inject the value of the key `database.url` from the ConfigMap named `app-config` into the environment variable. The `configMapKeyRef` requires both `name` and `key` fields to specify the ConfigMap and the exact key to extract, and the environment variable name is defined separately (e.g., `- name: DATABASE_URL`). The structure in D correctly places the `valueFrom` block under the container's `env` entry, though the variable name is missing in the snippet; in practice, you must also include `name: DATABASE_URL` above the `valueFrom`.

Exam trap

The trap here is that candidates often confuse `envFrom` with `valueFrom` and `configMapKeyRef`, thinking that `envFrom` can inject a single key, or they mistakenly use `secretKeyRef` for ConfigMaps, failing to recognize that the resource type must match the reference field.

How to eliminate wrong answers

Option A is wrong because it uses `valueFrom` with a `configMapKeyRef` but the syntax is incomplete — it lacks the `- name: DATABASE_URL` line above the `valueFrom` block, which is required to define the environment variable name; however, the core structure is actually correct if the name were present, so this option is not the best answer because the question expects the exact correct snippet. Option B is wrong because `envFrom` with a `configMapRef` injects all keys from the ConfigMap as environment variables, not a single specific key, and it does not allow renaming the variable to `DATABASE_URL`; it would create an environment variable named `database.url`, which is invalid in most shells due to the dot. Option C is wrong because it uses `secretKeyRef` instead of `configMapKeyRef`, which is designed for Secrets, not ConfigMaps; referencing a ConfigMap with `secretKeyRef` will fail because the API expects a Secret resource.

490
Multi-Selectmedium

Which TWO commands can be used to list the endpoints of a Service named 'my-svc'?

Select 3 answers
A.kubectl get networkpolicy
B.kubectl get pods -l app=my-svc
C.kubectl describe svc my-svc
D.kubectl get ep my-svc
E.kubectl get endpoints my-svc
AnswersC, D, E

Shows endpoints in the output.

Why this answer

Endpoints can be viewed via 'kubectl get endpoints my-svc' and 'kubectl describe svc my-svc' shows endpoint information.

491
MCQeasy

Which Helm command is used to install a chart from a repository?

A.helm repo add stable https://charts.helm.sh/stable
B.helm create mychart
C.helm install myrelease stable/nginx
D.helm upgrade myrelease stable/nginx
AnswerC

Installs the chart stable/nginx as a release named myrelease.

Why this answer

Helm install with a chart reference installs a chart. Option B is correct.

492
Multi-Selectmedium

Which TWO of the following are valid parameters for configuring probes in Kubernetes? (Select TWO.)

Select 2 answers
A.intervalSeconds
B.initialDelaySeconds
C.retryCount
D.failureThreshold
E.readinessProbe
AnswersB, D

Valid parameter to delay the first probe.

Why this answer

Option B is correct because `initialDelaySeconds` is a valid field in a Kubernetes probe configuration (liveness, readiness, or startup probe). It specifies the number of seconds to wait after the container starts before initiating the first probe, allowing the application to initialize before being checked.

Exam trap

The trap here is that candidates confuse the naming convention of probe parameters (e.g., `intervalSeconds` vs `periodSeconds`, `retryCount` vs `failureThreshold`) or mistake a top-level probe field like `readinessProbe` for a parameter within the probe configuration.

493
MCQhard

A pod in a namespace with a ResourceQuota that sets 'requests.cpu: 2' is failing to schedule. The pod manifest specifies 'resources: { requests: { cpu: "500m" } }'. What is the likely cause?

A.The ResourceQuota applies to limits, not requests.
B.The namespace has already used all its CPU request quota.
C.The pod does not specify a CPU limit.
D.The pod's CPU request exceeds the ResourceQuota limit.
AnswerB

Even though the pod's request is small, the total sum of requests in the namespace may have already reached the quota limit, preventing this pod from being scheduled.

Why this answer

The ResourceQuota sets a hard limit of 2 CPU cores for total requests across all pods in the namespace. If the sum of CPU requests from all pods already reaches or exceeds 2, a new pod with a 500m CPU request cannot be scheduled because it would exceed the quota. The pod's request (500m) is well within the quota limit, so the issue is that the namespace has exhausted its CPU request budget.

Exam trap

The trap here is that candidates assume the pod's individual request must be less than the quota, but they overlook that the quota is a cumulative limit across all pods in the namespace, so even a small request can fail if the namespace is already at capacity.

How to eliminate wrong answers

Option A is wrong because ResourceQuota can apply to both requests and limits; by default, it applies to requests unless specified otherwise, and the question states 'requests.cpu: 2' which explicitly targets requests. Option C is wrong because a CPU limit is not required for scheduling; the ResourceQuota only enforces the requests.cpu limit, and the pod can run without a limit. Option D is wrong because the pod's CPU request (500m) is less than the ResourceQuota limit (2), so it does not exceed the quota; the failure is due to cumulative usage, not an individual overage.

494
MCQmedium

A developer is writing a Dockerfile and wants to ensure that the container runs a Python script named 'app.py' as its main process. Which instruction should be used?

A.EXPOSE 8080
B.CMD ["python", "app.py"]
C.ENTRYPOINT ["python", "app.py"]
D.RUN ["python", "app.py"]
AnswerC

ENTRYPOINT sets the main command to run python app.py.

Why this answer

ENTRYPOINT sets the main command that will always be executed when the container starts.

495
MCQhard

A NetworkPolicy named 'default-deny-all' is applied to a namespace. It has no rules. Which statement is true?

A.All ingress and egress traffic is denied for pods matching the selector
B.Only ingress traffic is denied; egress is allowed by default
C.Only traffic from pods in the same namespace is allowed
D.Traffic is allowed because no rules are defined
AnswerA

Default deny all pattern.

Why this answer

Option D is correct. A NetworkPolicy with no rules (empty spec) effectively denies all ingress and egress traffic to pods selected by the policy (if podSelector is empty, it applies to all pods in the namespace). Option A is wrong because egress is also denied.

Option B is wrong because empty rules deny all. Option C is wrong because no traffic is allowed.

496
MCQhard

You are responsible for a multi-tier application running in a Kubernetes cluster. The frontend Pods communicate with backend Pods via a Service named 'backend' in the same namespace. Recently, the frontend team reported that the backend Service is intermittently unreachable. You inspect the backend Pods and notice that they are all running and ready, but the Endpoints object for the 'backend' Service shows only a subset of the Pod IPs. You also notice that the backend Pods have a readiness probe configured that checks an HTTP endpoint '/healthz'. The readiness probe has a periodSeconds of 5 and failureThreshold of 3. The application logs show occasional spikes in response time on the /healthz endpoint, sometimes exceeding 15 seconds. You need to resolve the intermittent unavailability without removing the readiness probe. Which action should you take?

A.Remove the readiness probe configuration from the backend Pods
B.Add a second readiness probe on a different endpoint to increase redundancy
C.Change the Service type from ClusterIP to NodePort to bypass endpoint issues
D.Increase the failureThreshold to 10 and periodSeconds to 10 to tolerate transient slowness
AnswerD

Higher threshold and period allow more tolerance for slow health checks, reducing flapping.

Why this answer

Option D is correct because increasing the failureThreshold to 10 and periodSeconds to 10 gives the readiness probe more time (100 seconds total) to tolerate transient slowness on the /healthz endpoint, preventing premature removal of Pod IPs from the Endpoints object. This keeps all backend Pods in the ready state during response time spikes, ensuring the Service remains reachable.

Exam trap

The trap here is that candidates might think removing the readiness probe (Option A) is a quick fix, but the CKAD exam emphasizes that readiness probes are essential for traffic routing and should be tuned, not removed, to handle transient issues.

How to eliminate wrong answers

Option A is wrong because removing the readiness probe would allow traffic to be sent to Pods that may be unresponsive, causing application errors and defeating the purpose of health checking. Option B is wrong because adding a second readiness probe on a different endpoint does not address the root cause of intermittent slowness on the existing /healthz endpoint; it could even cause more Pods to be marked unready if the new endpoint also experiences delays. Option C is wrong because changing the Service type to NodePort does not bypass endpoint issues; the Endpoints object is still used for routing, and NodePort only exposes the Service externally without fixing the readiness probe logic.

497
Multi-Selectmedium

Which THREE statements about Ingress are correct? (Choose three.)

Select 3 answers
A.Ingress can terminate TLS connections.
B.Ingress can route traffic based on host header.
C.Ingress can route traffic based on source IP.
D.Ingress can route traffic based on URL path.
E.Ingress can route traffic based on destination port.
AnswersA, B, D

TLS termination is a common use case.

Why this answer

Ingress can do path-based routing and host-based routing. It supports TLS termination. It requires an Ingress controller.

It does not support port-based routing directly; you use path or host.

498
MCQhard

You have a Secret of type kubernetes.io/tls. The pod mounting it as a volume expects the files 'tls.crt' and 'tls.key'. What keys must the Secret data contain?

A.ca.crt and tls.key
B.tls.crt and tls.key
C.cert and key
D.certificate and key
AnswerB

These are the required data keys for tls secrets.

Why this answer

For a Secret of type `kubernetes.io/tls`, the Kubernetes API server expects the data to contain exactly the keys `tls.crt` and `tls.key`. When such a Secret is mounted as a volume into a pod, the files created in the mount path are named `tls.crt` and `tls.key`, matching these keys. This is enforced by the Kubernetes TLS secret controller and is documented in the official Kubernetes reference for TLS secrets.

Exam trap

The trap here is that candidates confuse the generic concept of a certificate and key with the exact key names required by the `kubernetes.io/tls` secret type, leading them to choose options like `cert` and `key` or `certificate` and `key` instead of the mandatory `tls.crt` and `tls.key`.

How to eliminate wrong answers

Option A is wrong because `ca.crt` is an optional key for a TLS secret (used to provide a CA bundle), but the required keys for the secret type `kubernetes.io/tls` are `tls.crt` and `tls.key`; the pod expects `tls.crt` and `tls.key` files, not `ca.crt`. Option C is wrong because `cert` and `key` are not the standard key names for a TLS secret; Kubernetes specifically requires the keys to be named `tls.crt` and `tls.key` to match the expected file names on mount. Option D is wrong because `certificate` and `key` are generic terms, not the exact key names mandated by the `kubernetes.io/tls` secret type; the API server will reject a secret that does not contain the exact keys `tls.crt` and `tls.key`.

499
MCQmedium

A Pod needs to access an external database at db.example.com:3306. Which Service type allows Pods to resolve a cluster-local name to this external address?

A.ExternalName
B.LoadBalancer
C.NodePort
D.ClusterIP
AnswerA

ExternalName returns CNAME to external DNS name.

Why this answer

The ExternalName Service type maps a cluster-local DNS name (e.g., `my-db.default.svc.cluster.local`) to an external DNS name (`db.example.com`) using a CNAME record. This allows Pods to resolve the service name to the external database address without needing to modify application code or use an external endpoint.

Exam trap

The trap here is that candidates often confuse ExternalName with ClusterIP, thinking any Service can resolve external names, but only ExternalName provides a CNAME-based DNS alias without proxying traffic.

How to eliminate wrong answers

Option B (LoadBalancer) is wrong because it exposes the Service externally via a cloud provider's load balancer, which is used for external traffic ingress, not for resolving a cluster-local name to an external address. Option C (NodePort) is wrong because it exposes the Service on a static port on each Node's IP, intended for external access, not for DNS-based resolution to an external hostname. Option D (ClusterIP) is wrong because it provides a virtual IP within the cluster for Pod-to-Pod communication, but it cannot resolve to an external DNS name; it only routes traffic to internal endpoints.

500
MCQeasy

Which of the following is the correct apiVersion for a CronJob in Kubernetes v1.29?

A.v1
B.cronjob/v1
C.batch/v1beta1
D.batch/v1
AnswerD

Correct: CronJob uses batch/v1 since 1.21.

Why this answer

In Kubernetes v1.29, the correct apiVersion for a CronJob is batch/v1, as CronJob has been stable since v1.21. Option D is correct because batch/v1 is the stable API version for CronJob resources in this release.

Exam trap

The trap here is that candidates may remember older Kubernetes versions where CronJob was still in beta (batch/v1beta1) and fail to update their knowledge to the stable batch/v1, or they might confuse the apiVersion format with a non-existent cronjob/v1.

How to eliminate wrong answers

Option A is wrong because v1 is the apiVersion for core resources like Pod, Service, and ConfigMap, not for CronJob which belongs to the batch API group. Option B is wrong because there is no apiVersion format like cronjob/v1; Kubernetes uses group/version format, and CronJob is part of the batch group. Option C is wrong because batch/v1beta1 was deprecated in v1.21 and removed in v1.25; using it in v1.29 would cause an error.

501
MCQhard

A Pod Security Admission policy is set to 'restricted' for a namespace. Which of the following pod specs is ALLOWED?

A.A pod with securityContext.runAsNonRoot: true and readOnlyRootFilesystem: true
B.A pod with securityContext.capabilities.add: ["NET_ADMIN"]
C.A pod with no securityContext specified
D.A pod with securityContext.privileged: true
AnswerA

Complies with restricted policy: runAsNonRoot and readOnlyRootFilesystem are required.

Why this answer

The 'restricted' Pod Security Admission (PSA) policy enforces the most stringent security controls, requiring pods to meet specific baseline security constraints. Option A satisfies these requirements by setting `runAsNonRoot: true` (preventing root execution) and `readOnlyRootFilesystem: true` (preventing writes to the root filesystem), both of which are mandatory for the restricted profile. The other options violate the restricted policy by either enabling privileged access, adding dangerous capabilities, or omitting required security contexts.

Exam trap

CNCF often tests the misconception that omitting securityContext is acceptable or that adding a single capability like `NET_ADMIN` is harmless, but the restricted profile mandates explicit non-root execution and read-only root filesystem, and prohibits any capability additions beyond the default set.

How to eliminate wrong answers

Option B is wrong because the restricted policy explicitly forbids adding any capabilities beyond the default set (e.g., `NET_ADMIN` is a privileged capability that grants network administration rights, which is not allowed). Option C is wrong because the restricted policy requires explicit security context settings, including `runAsNonRoot: true` and `readOnlyRootFilesystem: true`; a pod with no securityContext specified defaults to root and writable root filesystem, violating the policy. Option D is wrong because the restricted policy prohibits privileged containers entirely; setting `privileged: true` grants unrestricted host access and bypasses all security constraints.

502
Multi-Selecteasy

Which TWO are valid reasons to use a HorizontalPodAutoscaler (HPA) with a custom metric? (Select two)

Select 2 answers
A.To scale based on the length of a message queue.
B.To scale based on the number of pods in a different Deployment.
C.To scale based on disk I/O utilization.
D.To scale based on the node's CPU temperature.
E.To scale based on the number of HTTP requests per second.
AnswersA, E

Queue length is a common custom metric for scaling.

Why this answer

HPA can scale based on custom metrics like requests per second or queue length, not just CPU/memory.

503
MCQeasy

Which Service type is used to expose a Service on a static port on each node's IP address, allowing external traffic to reach the Service?

A.ClusterIP
B.ExternalName
C.NodePort
D.LoadBalancer
AnswerC

NodePort opens a port on every node for external access.

Why this answer

NodePort exposes the Service on a port on each node's IP address, accessible from outside the cluster.

504
Multi-Selectmedium

Which TWO of the following are valid methods to create a Service in Kubernetes? (Select 2)

Select 3 answers
A.kubectl apply -f service.yaml
B.kubectl expose deployment my-deploy --port=80
C.kubectl port-forward svc/my-svc 8080:80
D.kubectl run my-svc --image=nginx --port=80
E.kubectl create service clusterip my-svc --tcp=80:80
AnswersA, B, E

Applying a YAML manifest creates the Service.

Why this answer

Both `kubectl expose` and creating a YAML manifest are valid methods.

505
MCQmedium

An Ingress resource is configured with TLS. Which field in the Ingress YAML specifies the secret containing the TLS certificate and key?

A.spec.tls[].secretName
B.metadata.annotations['tls-secret']
C.spec.tls[].secret
D.spec.secretName
AnswerA

Correct: secretName specifies the TLS secret.

Why this answer

Option A is correct. The TLS configuration in an Ingress includes a 'secretName' field in the 'tls' array that references a secret in the same namespace.

506
MCQmedium

You have a Deployment with pods labeled 'tier: frontend'. You create a Service with selector 'tier: frontend'. However, the Service has no endpoints. What is the MOST likely cause?

A.The pod labels do not match the service selector
B.The service has multiple ports defined
C.The service port does not match the container port
D.The service and pods are in different namespaces
AnswerA

You need an exact match for the service to select pods.

Why this answer

Option C is correct. If a service selector does not match any pod labels, the service will have no endpoints. Option A (wrong port) would still show endpoints if pods match.

Option B (multiple ports) is not a problem. Option D (namespace) would be an issue if different, but the question implies same namespace.

507
MCQmedium

A CronJob must run a task every day at midnight, but if the previous job is still running, the new job should be skipped. Which concurrencyPolicy should be set?

A.Skip
B.Forbid
C.Allow
D.Replace
AnswerB

Forbids new jobs if previous is still running, effectively skipping.

Why this answer

Option B is correct: Forbid prevents new jobs from starting if the previous one is still running. Allow allows concurrent runs. Replace replaces the running job.

There is no Skip policy.

508
Multi-Selectmedium

Which TWO approaches can be used to expose a Secret's value as an environment variable in a pod?

Select 2 answers
A.env: - name: MY_SECRET valueFrom: secretKeyRef: name: my-secret key: my-key
B.volumeMounts: - name: secret-volume mountPath: /etc/secret
C.envFrom: - secretRef: name: my-secret
D.env: - name: MY_SECRET value: "$(MY_SECRET)"
E.env: - name: MY_SECRET valueFrom: configMapKeyRef: name: my-secret key: my-key
AnswersA, C

Correct use of secretKeyRef.

Why this answer

Option A is correct because the `valueFrom.secretKeyRef` field in a container's `env` definition directly references a specific key from a Kubernetes Secret and injects its value as an environment variable. This is the standard method for exposing a single secret key as an environment variable, as defined in the Kubernetes API.

Exam trap

CNCF often tests the distinction between `secretKeyRef` (for individual keys) and `secretRef` (for all keys via `envFrom`), and the trap here is that candidates may confuse `configMapKeyRef` with `secretKeyRef` or think that `volumeMounts` can expose secrets as environment variables.

509
MCQeasy

You need to view the logs of a container named 'sidecar' in a pod called 'app-pod' running in namespace 'dev'. Which command should you use?

A.kubectl logs sidecar -p app-pod -n dev
B.kubectl logs app-pod -n dev
C.kubectl logs app-pod --container=sidecar --namespace=dev
D.kubectl logs app-pod -c sidecar -n dev
AnswerC, D

This command is equivalent to option B; it uses the long-form flags and is also correct.

Why this answer

The correct command is 'kubectl logs app-pod -c sidecar -n dev'. The -c flag specifies the container name when a pod has multiple containers. Option A omits the -c flag.

Options C and D use incorrect flags.

510
MCQhard

An administrator applies the following NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

After applying this policy, which traffic flows are affected?

A.Only inbound traffic to pods is denied
B.Only outbound traffic from pods is denied
C.Both inbound and outbound traffic for all pods in the namespace is denied
D.Traffic to and from the kube-system namespace is also denied
AnswerC

The policy selects all pods and denies ingress and egress; any traffic not explicitly allowed by other policies is denied.

Why this answer

This policy selects all pods (empty podSelector) and denies all ingress and egress traffic by default because no rules are specified. It does not affect traffic that is not covered by policyTypes, but since both are selected, all inbound and outbound traffic is denied for all pods in the namespace.

511
Multi-Selectmedium

A developer wants to mount a ConfigMap as a volume in a Pod so that updates to the ConfigMap are reflected in the Pod without restarting. Which two statements are correct? (Choose two.)

Select 2 answers
A.Using envFrom to inject ConfigMap data as environment variables will update automatically.
B.ConfigMap updates are reflected immediately in the volume mount.
C.Using subPath in the volume mount prevents automatic updates.
D.The Pod must be restarted for any ConfigMap change to take effect.
E.Mounting the ConfigMap as a volume (without subPath) ensures that file updates are reflected automatically through symlinks.
AnswersC, E

subPath mounts a single file; updates require pod restart.

Why this answer

Option C is correct because when a ConfigMap is mounted using `subPath`, Kubernetes treats the mount as a single file rather than a directory of symlinks. This means the atomic update mechanism (which uses symlinks to swap the directory contents) is bypassed, and updates to the ConfigMap are not reflected in the Pod without a restart or remount.

Exam trap

The trap here is that candidates often assume all ConfigMap mounts update automatically, but `subPath` mounts are a critical exception that breaks the automatic update mechanism.

512
MCQmedium

An Ingress resource has the following spec:

spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80

What will the Ingress controller do for a request to http://example.com/api/v1/users?

A.Route the request to api-service on port 80.
B.Route the request to the default backend.
C.Return a 502 Bad Gateway error.
D.Return 404 Not Found because the path does not match exactly.
AnswerA

Prefix match succeeds.

Why this answer

Prefix matching matches any path starting with /api, so /api/v1/users matches.

513
Multi-Selecthard

Which THREE statements about NetworkPolicy are correct?

Select 3 answers
A.A single NetworkPolicy can contain both ingress and egress rules
B.A NetworkPolicy can use ipBlock in the from or to field to allow traffic to/from specific IP ranges
C.NetworkPolicy is a cluster-scoped resource
D.NetworkPolicy can only be applied to pods with a specific annotation
E.By default, if no NetworkPolicy selects a pod, all traffic to/from that pod is allowed
AnswersA, B, E

Yes, using policyTypes to specify which rules apply.

Why this answer

NetworkPolicy is namespace-scoped. Default is to allow all traffic if no policy selects the pod. An egress rule can restrict outbound traffic to specific IPs (ipBlock).

514
Drag & Dropmedium

Sequence the steps to expose a Kubernetes Service using a NodePort for external access.

Why this order

1. Create the Deployment (or other workload) whose pods carry the labels the Service will select.
2. Define a Service with type: NodePort and a selector matching those labels; spec.ports[].nodePort may be pinned, otherwise one is allocated from the 30000-32767 range.
3. Apply the manifest with kubectl apply -f.
4. Read back the assigned port with kubectl get svc <name> (or -o jsonpath='{.spec.ports[0].nodePort}').
5. Reach the workload from outside the cluster at <node-ip>:<nodePort>; every node listens on that port, whether or not it runs one of the pods.

515
Multi-Selectmedium

Which TWO statements about Kubernetes Secrets are correct? (Select 2)

Select 2 answers
A.A Secret can be mounted as a volume or exposed as environment variables
B.Secrets are always encrypted in etcd
C.Secret data is base64 encoded in YAML manifests but stored in plaintext in etcd by default
D.The maximum size of a Secret is 1 MB
E.Secrets can only be used by pods in the same namespace as the Secret
AnswersA, C

Both methods are supported.

Why this answer

A is correct because Kubernetes Secrets are designed to be consumed by Pods either as files mounted into a volume (via `volumes` and `volumeMounts`) or as environment variables (via `env` or `envFrom`). This flexibility allows applications to access sensitive data like passwords or tokens without hardcoding them into the container image or pod spec.

Exam trap

CNCF often tests the misconception that base64 encoding is encryption, leading candidates to think Secrets are secure by default, when in fact base64 is just encoding and Secrets are stored in plaintext in etcd unless encryption at rest is configured.
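An added example (not from the original question bank) showing both consumption paths from option A in a single Pod, with the decode command that demonstrates why option C is true; the Secret name db-creds, its keys and values, and the mount path /etc/creds are assumptions:

```yaml
# Added example, not page content. Secret name, keys, values, paths assumed.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
type: Opaque
stringData:                 # written in clear here; the API server stores it
  username: app             # base64-encoded under .data, which is encoding,
  password: example-only    # not encryption
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    fsGroup: 10001           # secret files get this group so a non-root
  containers:                # process can read them with a 0440 mode
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "echo user=$DB_USER; cat /etc/creds/password; sleep 3600"]
      env:
        # Path 1: environment variable from one key.
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: username
      volumeMounts:
        # Path 2: every key becomes a file under the mount path.
        - name: creds
          mountPath: /etc/creds
          readOnly: true
  volumes:
    - name: creds
      secret:
        secretName: db-creds
        defaultMode: 0440
# Anyone with `get` on secrets in the namespace recovers the value:
#   kubectl get secret db-creds -o jsonpath='{.data.password}' | base64 -d
# The volume path is preferable for credentials: env vars are inherited by
# child processes and visible in /proc, and a mounted secret file (without
# subPath) is refreshed by the kubelet when the Secret changes, while an
# env var is fixed for the life of the container.
```

The Secret manifest itself is therefore as sensitive as the value it carries: committing it to a repository is the same as committing the password, and RBAC on the secrets resource, not the encoding, is what limits who can read it. Encryption at rest in etcd is a separate, cluster-administrator setting.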

516
MCQmedium

You need to perform a blue-green deployment using Deployments and Services. What is the most common approach to switch traffic from the old version (blue) to the new version (green)?

A.Update the Deployment's image field in the blue Deployment to the new version
B.Change the Service's label selector to point to the green Deployment's pod labels
C.Delete the blue Deployment and create the green Deployment
D.Scale the blue Deployment to 0 and the green Deployment to desired replicas
AnswerB

This is the standard way to switch traffic instantly in a blue-green deployment.

Why this answer

In a blue-green deployment, you have two Deployments (blue and green) and a Service that selects pods by a label. The Service's label selector initially matches the blue pods. To switch traffic to green, you update the Service's selector to match the green pods' labels.

This instantly routes traffic to the green version.

517
MCQeasy

What is the primary purpose of an Init Container in a Pod?

A.Perform initialization tasks such as waiting for a database to be ready
B.Run a sidecar proxy alongside the main container
C.Provide a health check endpoint for the main container
D.Collect logs and metrics from the main container
AnswerA

Init containers handle prerequisites before the application starts.

Why this answer

Init containers run to completion before app containers start, used for setup tasks like waiting for dependencies or preparing data.
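An added example (not from the original question bank) of the "wait for a database" pattern from option A; the Service name db, the application image and the UID are assumptions:

```yaml
# Added example, not page content. Service name, app image and UID assumed.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-init
spec:
  initContainers:
    # Runs to completion before any app container is created. If it exits
    # non-zero the kubelet re-runs it according to restartPolicy, and the
    # app container never starts, so a missing dependency shows up as the
    # pod stuck in Init:0/1 rather than as application errors.
    - name: wait-for-db
      image: busybox:1.36
      command:
        - sh
        - -c
        - |
          until nslookup db.default.svc.cluster.local; do
            echo "waiting for db"; sleep 2
          done
      # Init containers have their own securityContext, so setup work and
      # the application can run with different privileges.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
  containers:
    - name: app
      image: registry.example.com/app:1.0
      ports:
        - containerPort: 8080
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

nslookup succeeding only proves the Service exists in DNS, not that the database accepts connections; for that, the init container would open a TCP connection to the port instead. Init containers run one at a time, in order, and their logs are read with kubectl logs <pod> -c wait-for-db.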

518
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the CPU request for the container
B.Delete and recreate the pod to clear the crash loop
C.Increase the memory limit in the pod's container resource specification
D.Delete the namespace and redeploy all workloads
AnswerC

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option C is correct. OOMKilled means the container's memory use exceeded its limit and the kernel OOM killer terminated it; the kubelet restarts the container, and repeated kills back off into CrashLoopBackOff. The fix is to raise the memory limit in the container's resources (and the request too, if the real working set has grown, so the scheduler places the pod on a node that can hold it).

Option B would not help: recreating the pod with the same limit reproduces the same failure. Option A addresses CPU, not memory; a container that exceeds its CPU limit is throttled, never killed. Option D (deleting the namespace) is destructive and unnecessary.

Two checks before raising the limit: confirm the usage trend with kubectl top pod, because a leak will hit any new limit later and the real fix is in the application; and note that a container with no memory limit at all can also be OOMKilled when the node runs out of memory, in which case setting a request and limit is the fix.

519
Multi-Selectmedium

Which TWO of the following are valid ways to expose a service externally on a Kubernetes cluster? (Select 2)

Select 2 answers
A.NodePort
B.kubectl port-forward
C.ExternalName
D.LoadBalancer
E.ClusterIP
AnswersA, D

NodePort exposes the service on a static port on each node, accessible externally.

Why this answer

NodePort and LoadBalancer both expose a Service outside the cluster: NodePort opens the same port on every node, and LoadBalancer builds on a NodePort (by default) and asks the cloud provider for an external load balancer that fronts the nodes. ClusterIP is reachable only from inside the cluster. ExternalName works in the opposite direction: it maps a cluster DNS name to an external hostname with a CNAME record and exposes nothing.

kubectl port-forward is a tunnel from the operator's machine through the API server to one pod; it is a debugging tool, not a way to expose a Service to clients.
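An added example (not from the original question bank) that serves both question 514 (the NodePort sequence) and this question: the Deployment and NodePort Service as one manifest, with the apply, port lookup and access steps as comments. The names web and nodeport.yaml, the nginx image and the pinned port 30080 are assumptions:

```yaml
# Added example, not page content. Names, image and port number assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web            # the Service below selects on this label
    spec:
      containers:
        - name: web
          image: nginx:1.25
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: NodePort
  selector:
    app: web
  ports:
    - port: 80              # ClusterIP port, used inside the cluster
      targetPort: 80        # container port the traffic is sent to
      nodePort: 30080       # optional; omit to have one allocated (30000-32767)
# Step 3: kubectl apply -f nodeport.yaml
# Step 4: kubectl get svc web -o jsonpath='{.spec.ports[0].nodePort}'
# Step 5: curl http://<any-node-ip>:30080/
# Every node listens on 30080, including nodes that run no web pod; the
# port is reachable by anything that can route to a node IP, so it needs
# host or cloud firewall rules, or a LoadBalancer/Ingress in front, before
# it is treated as a production entry point.
```

Changing the Service to type: LoadBalancer is the only edit needed for the cloud-provider variant; the NodePort stays allocated underneath unless allocateLoadBalancerNodePorts is set to false.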

520
MCQhard

A Service named 'api' has no endpoints. 'kubectl describe svc api' shows the selector 'app: api', but no pods have that label. What is the most likely reason for missing endpoints?

A.The Service is in a different namespace than the pods
B.No pods match the Service's selector
C.The Service port is incorrect
D.The Service type is ExternalName
AnswerB

The selector 'app: api' does not match any pods, so no endpoints.

Why this answer

Endpoints (and EndpointSlices) are built by the control plane from the Ready pods in the Service's own namespace that match its selector. An empty list means no such pod exists. Compare the selector with the pod labels, for example kubectl get pods -l app=api -n <namespace>, and correct whichever side is wrong. Pods that carry the label but are not Ready are also left out, so a failing readiness probe produces the same symptom.

521
MCQmedium

You are tasked with containerizing a Go application. The application compiles into a binary. Which Dockerfile best implements a multi-stage build to produce a minimal image?

A.FROM AS builder
  WORKDIR /app
  COPY . .
  RUN go build -o myapp
  FROM scratch
  COPY --from=builder /app/myapp /myapp
  CMD ["/myapp"]
B.FROM ubuntu:latest
  RUN apt-get update && apt-get install -y golang
  COPY . /app
  WORKDIR /app
  RUN go build -o myapp
  CMD ["./myapp"]
C.FROM golang:1.21 AS builder
  WORKDIR /app
  COPY . .
  RUN go build -o myapp
  FROM scratch
  COPY --from=builder /app/myapp /myapp
  CMD ["/myapp"]
D.FROM golang:1.21
  WORKDIR /app
  COPY . .
  RUN go build -o myapp
  CMD ["./myapp"]
AnswerC

Multi-stage build: first stage compiles, second stage scratch only copies binary. Minimal image.

Why this answer

Option C is correct: the first stage compiles in a golang:1.21 image and the second stage starts FROM scratch and copies in only the compiled binary, so the runtime image carries no compiler, shell or package manager, which means a smaller image and a smaller attack surface. Option B is a single stage on ubuntu with the Go toolchain installed through apt, and Option D is a single stage on the full golang image; both ship the compiler and an OS userland in the runtime image.

Option A is invalid: FROM AS builder names a stage without specifying a base image.

A caveat when targeting scratch: build with CGO_ENABLED=0 so the binary is statically linked. A cgo-linked binary needs libc at runtime, and scratch contains no libc, so the container fails to start even though the Dockerfile builds.

522
MCQmedium

What is the purpose of the 'values.yaml' file in a Helm chart?

A.It stores the release history.
B.It defines the Kubernetes resources to be created.
C.It lists dependencies of the chart.
D.It contains default configuration values for the chart.
AnswerD

values.yaml is the default values file.

Why this answer

values.yaml contains default configuration values that can be overridden during installation or upgrade.

523
MCQmedium

You want to expose a container's port 8080 in the Dockerfile. Which instruction should you use?

A.PORT 8080
B.EXPOSE 8080
C.LISTEN 8080
D.PUBLISH 8080
AnswerB

EXPOSE documents the port.

Why this answer

Option B is correct because `EXPOSE` records, as image metadata, the port the container listens on at runtime. It publishes nothing: the port becomes reachable from the host only with `docker run -p <host>:<container>`, and `docker run -P` publishes every EXPOSEd port to an ephemeral host port. Containers on the same user-defined Docker network can reach each other on any port regardless of EXPOSE. In Kubernetes the instruction has no effect on networking; containerPort in the pod spec plays the same documenting role, and reachability is decided by Services and NetworkPolicies.

Exam trap

The trap here is that candidates confuse `EXPOSE` with actually publishing the port to the host, thinking it makes the container accessible externally, when in fact it only declares intent and requires `-p` or `--publish` for host access.

How to eliminate wrong answers

Option A is wrong because `PORT` is not a valid Dockerfile instruction; the correct keyword is `EXPOSE`. Option C is wrong because `LISTEN` is not a Dockerfile instruction; it is a directive used in configuration files for services like Apache or Nginx. Option D is wrong because `PUBLISH` is not a Dockerfile instruction; port publishing is done at container runtime using the `-p` or `--publish` flag with `docker run`.

524
MCQeasy

What is the DNS name for a Service named `svc` in namespace `ns`?

A.svc.cluster.local
B.svc.ns.svc.cluster.local
C.svc.svc.cluster.local
D.ns.svc.cluster.local
AnswerB

Correct format.

Why this answer

The standard DNS name for a Service is <service>.<namespace>.svc.cluster.local, which here gives svc.ns.svc.cluster.local. Pods receive search domains for their own namespace, svc.cluster.local and cluster.local, so inside namespace ns the short name svc resolves, and from any namespace svc.ns does; the fully qualified name is the only form that works from everywhere. cluster.local is the default cluster domain and can be changed by the cluster administrator.

525
MCQmedium

A pod fails to start with a 'CreateContainerConfigError'. Running 'kubectl describe pod my-pod' reveals: 'Error: container has runAsNonRoot and image will run as root'. The pod definition includes 'securityContext.runAsNonRoot: true'. What is the most likely cause?

A.The container does not have the CAP_SYS_ADMIN capability
B.The container image's default user is root (UID 0), conflicting with runAsNonRoot
C.The container's filesystem is read-only
D.The runAsUser field is missing, so the pod uses a random UID
AnswerB

runAsNonRoot: true requires the container to run as a non-root user. If the image defaults to root, the pod will fail with this error.

Why this answer

The error 'container has runAsNonRoot and image will run as root' occurs because the pod's securityContext sets `runAsNonRoot: true` while the container image's USER is root (UID 0) or unset, which defaults to root. The kubelet performs this check when it creates the container, reading the effective UID from the image configuration, and refuses to start it with a CreateContainerConfigError. Two fixes exist: set `runAsUser` to a non-zero UID in the pod or container securityContext, which overrides the image's USER, or rebuild the image with a numeric non-root USER. A related failure is an image whose USER is a name rather than a number (for example nobody): the kubelet cannot verify it and reports 'image has non-numeric user ... cannot verify user is non-root', again fixed by a numeric runAsUser or a numeric USER in the Dockerfile.

Exam trap

The trap here is that candidates often assume the error is about missing runAsUser or capabilities, but the error message directly points to the image's default user being root, which is a mismatch with the runAsNonRoot constraint.

How to eliminate wrong answers

Option A is wrong because CAP_SYS_ADMIN is a Linux capability unrelated to the runAsNonRoot check; the error is about the container's user identity, not capabilities. Option C is wrong because a read-only filesystem does not cause a runAsNonRoot conflict; it would produce a different error (e.g., 'read-only filesystem'). Option D is wrong because runAsUser is not required when runAsNonRoot is true; Kubernetes will still enforce non-root even without an explicit UID, and the error explicitly states the image runs as root, not that a random UID is used.
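An added example (not from the original question bank) with the failing configuration beside the corrected one; busybox is used because its image has no USER set and therefore runs as root, and the UID 10001 is an assumption:

```yaml
# Added example, not page content. UID 10001 is assumed.
# 1) Fails at container creation with CreateContainerConfigError:
#    "container has runAsNonRoot and image will run as root"
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-fails
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: app
      image: busybox:1.36          # no USER in the image => UID 0
      command: ["sleep", "3600"]
---
# 2) Starts: an explicit non-zero UID overrides the image's USER, so the
#    kubelet can verify the non-root requirement without trusting the image.
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-ok
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "id; sleep 3600"]   # prints uid=10001 gid=10001
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true
# Setting runAsUser: 0 alongside runAsNonRoot: true fails the same kubelet
# check ("container's runAsUser breaks non-root policy"), so runAsNonRoot is
# an assertion about the effective UID, not merely about the image.
```

The corrected Pod also satisfies the Restricted Pod Security Standard (non-root, no privilege escalation, all capabilities dropped, RuntimeDefault seccomp), which is the set a pod-security admission policy enforces in a namespace labelled pod-security.kubernetes.io/enforce: restricted.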
