Certified Kubernetes Application Developer CKAD (CKAD) — Questions 601675

991 questions total · 14pages · All types, answers revealed

Page 8

Page 9 of 14

Page 10
601
MCQmedium

You have an HPA that scales a Deployment based on CPU utilization. You want to prevent the Deployment from scaling down for at least 5 minutes. Which HPA behavior field should you configure?

A.behavior.scaleUp.policies[0].periodSeconds
B.behavior.scaleDown.stabilizationWindowSeconds
C.behavior.scaleUp.stabilizationWindowSeconds
D.behavior.scaleDown.policies[0].periodSeconds
AnswerB

This sets a stabilization window for scale-down events, preventing rapid scale-down.

Why this answer

To prevent scaling down, you can set a stabilization window on the scaleDown policy. Option B correctly sets a stabilizationWindowSeconds in the scaleDown behavior.

602
Multi-Selecthard

Which THREE of the following are capabilities that can be added to a container's securityContext?

Select 3 answers
A.RuntimeDefault
B.CAP_SYS_ADMIN
C.NET_ADMIN
D.CHOWN
E.SYS_TIME
AnswersC, D, E

Allows various network-related operations (e.g., interface configuration).

Why this answer

Option C (NET_ADMIN) is correct because it is a Linux capability that can be added to a container's securityContext under the `capabilities.add` field. This capability allows the container to perform network administration tasks such as interface configuration, firewall management, and routing table manipulation, which are common in network-focused pods.

Exam trap

The trap here is that candidates often confuse seccomp profiles (like RuntimeDefault) with Linux capabilities, or they assume that all capability names must be prefixed with 'CAP_' in the YAML (e.g., writing 'CAP_NET_ADMIN' instead of 'NET_ADMIN'), leading them to select incorrect options.

603
MCQhard

You need to create a Role and RoleBinding to allow a ServiceAccount 'monitor' in namespace 'app' to list pods in that namespace. Which YAML snippet correctly achieves this?

A.apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader namespace: app rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: monitor-binding namespace: app roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pod-reader subjects: - kind: ServiceAccount name: monitor namespace: app
B.apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader namespace: app rules: - apiGroups: [""] resources: ["pods"] verbs: ["read"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: monitor-binding namespace: app roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pod-reader subjects: - kind: ServiceAccount name: monitor
C.apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: pod-reader rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: monitor-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: pod-reader subjects: - kind: ServiceAccount name: monitor namespace: app
D.apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader namespace: app rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: monitor-binding namespace: app roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pod-reader subjects: - kind: ServiceAccount name: monitor namespace: app
AnswerA, D

A Role in namespace 'app' grants permissions only in that namespace. The RoleBinding binds the Role to the ServiceAccount 'monitor' in the same namespace.

Why this answer

Option A is correct because it defines a Role in the 'app' namespace with rules allowing 'get' and 'list' verbs on 'pods', and binds that Role to the 'monitor' ServiceAccount using a RoleBinding in the same namespace. This grants the ServiceAccount the exact permissions needed to list pods within the namespace, following the principle of least privilege.

Exam trap

The trap here is that candidates may confuse 'read' with the valid verbs 'get' and 'list', or mistakenly use a ClusterRole/ClusterRoleBinding when a namespace-scoped Role/RoleBinding is required, leading to overly broad permissions.

How to eliminate wrong answers

Option B is wrong because it uses the verb 'read' instead of the valid Kubernetes verbs 'get' and 'list'; Kubernetes RBAC does not recognize 'read' as a verb, so the Role would grant no permissions. Option C is wrong because it uses a ClusterRole and ClusterRoleBinding, which would grant pod list permissions across all namespaces, violating the requirement to restrict access to only the 'app' namespace; the question explicitly requires namespace-scoped access.

604
MCQhard

You have a pod that runs a single container with the following resource limits: memory: 256Mi, cpu: 500m. The container is consistently using 300Mi of memory and 300m of CPU. The pod is running but you want to avoid OOMKilled. Which change should you make?

A.Increase memory limit to 512Mi
B.Set memory request to 128Mi and keep limit at 256Mi
C.Decrease memory limit to 128Mi
D.Increase CPU limit to 1000m
AnswerA

The container uses more memory than the current limit, so increasing the memory limit prevents OOMKilled.

Why this answer

Option A is correct. The memory limit is 256Mi, but the container uses 300Mi, which will cause OOMKilled. Increasing the memory limit to 512Mi avoids the OOM.

CPU limit (500m) is fine because usage is 300m. Increasing CPU limit does not help memory. Decreasing memory limit would make the problem worse.

Setting requests does not prevent OOM if limit is still low.

605
MCQmedium

A NetworkPolicy named 'deny-all' is applied in a namespace. Which YAML snippet correctly implements a default-deny-all ingress policy?

A.spec: podSelector: {} policyTypes: - Ingress
B.spec: podSelector: {} ingress: - from: []
C.spec: podSelector: matchLabels: {} ingress: - from: []
D.spec: podSelector: matchLabels: {} policyTypes: - Ingress
AnswerA

Empty podSelector targets all pods; no ingress rules means deny all ingress.

Why this answer

Option A is correct. A default-deny ingress policy has an empty podSelector (meaning all pods) and no ingress rules, blocking all incoming traffic.

606
MCQhard

You are tasked with debugging a pod that is crashing so quickly that you cannot exec into it. Which approach should you use to gain access to the pod's filesystem?

A.kubectl run debug --image=busybox -it --rm
B.kubectl debug <pod> -it --copy-to=<pod>-debug --image=busybox
C.kubectl exec -it <pod> -- /bin/sh
D.kubectl debug -it <pod> --image=busybox
AnswerB

Creates a copy of the pod with a debug container, allowing you to explore the filesystem.

Why this answer

Option D is correct. kubectl debug with --copy-to creates a copy of the pod with a sidecar container for debugging. Option A works if the container is running, but not if it crashes immediately. Option B is for running commands in existing containers.

Option C adds an ephemeral container, but the original container may still crash; --copy-to is better for this scenario.

607
MCQmedium

What is the purpose of the 'maxUnavailable' field in a Deployment's rolling update configuration?

A.The maximum number of Pods that can be created above the desired replicas.
B.The maximum number of Pods that can be unavailable during the update.
C.The maximum time allowed for the update to complete.
D.The maximum number of Pods to be terminated simultaneously.
AnswerB

Correct. It ensures a certain number of Pods remain available.

Why this answer

The 'maxUnavailable' field in a Deployment's rolling update configuration specifies the maximum number of Pods that can be unavailable during the update process, relative to the desired replica count. This ensures that a controlled number of Pods are taken down at a time, maintaining application availability while the update progresses. It is defined as either an absolute number or a percentage of the desired replicas, and it works in conjunction with 'maxSurge' to control the update pace.

Exam trap

The trap here is that candidates often confuse 'maxUnavailable' with 'maxSurge' or assume it controls the termination rate, but the CKAD exam tests the precise definition that it limits the number of Pods that can be in an unavailable state during the update, not the number created above desired or the termination speed.

How to eliminate wrong answers

Option A is wrong because it describes the 'maxSurge' field, which controls the maximum number of Pods that can be created above the desired replicas, not 'maxUnavailable'. Option C is wrong because there is no 'maxUnavailable' field for time limits; Kubernetes uses 'progressDeadlineSeconds' for update timeout, not 'maxUnavailable'. Option D is wrong because while 'maxUnavailable' indirectly limits simultaneous terminations, it specifically caps the number of unavailable Pods (including those being terminated), not the number of Pods terminated simultaneously—Kubernetes handles termination in a rolling fashion based on availability constraints.

608
MCQhard

An Ingress resource specifies TLS termination using a secret. The secret must contain which keys?

A.username and password
B.cert.pem and key.pem
C.ca.crt and tls.crt
D.tls.crt and tls.key
AnswerD

Standard keys for TLS certificate and private key.

Why this answer

Option C is correct. TLS secrets in Kubernetes must contain 'tls.crt' and 'tls.key' data keys. Option A is for a different purpose.

Option B is for authentication. Option D is for custom.

609
Multi-Selecthard

You have a Deployment 'web-app' with 4 replicas. You want to perform a rolling update such that during the update, at most 2 pods can be unavailable and at most 5 pods can be above the desired replica count. Which TWO of the following strategy configurations achieve this?

Select 2 answers
A.maxSurge: 3, maxUnavailable: 3
B.maxSurge: 5, maxUnavailable: 0
C.maxSurge: 5, maxUnavailable: 2
D.maxSurge: '125%', maxUnavailable: '50%'
E.maxSurge: 1, maxUnavailable: 2
AnswersC, D

Absolute numbers: maxSurge=5 allows up to 5 extra pods (total 9), maxUnavailable=2 allows up to 2 unavailable pods – meets requirements.

Why this answer

maxUnavailable sets the maximum number of pods that can be unavailable during the update. maxSurge sets the maximum number of extra pods above the desired count. With 4 replicas, 2 maxUnavailable means at most 2 pods can be down, and 5 maxSurge means at most 5 extra pods, but due to absolute numbers, the total pods can go up to 9 (4+5). Option B uses absolute numbers: maxSurge=1 and maxUnavailable=2 – but maxSurge=1 allows only 1 extra pod (total 5), which is less than 5.

Option D uses percentages: maxSurge=125% (of 4 = 5) and maxUnavailable=50% (of 4 = 2). Option C has maxUnavailable=0 which contradicts the requirement. Option E has maxUnavailable=3 which exceeds 2.

610
MCQhard

You want to restrict a Pod to only run with a seccomp profile of 'RuntimeDefault'. Which SecurityContext field should you set?

A.appArmorProfile
B.capabilities
C.seLinuxOptions
D.seccompProfile
AnswerD

Correct field to set the seccomp profile. Set type: RuntimeDefault.

Why this answer

The `seccompProfile` field in a Pod's SecurityContext allows you to specify a seccomp profile to restrict system calls. Setting it to `RuntimeDefault` applies the container runtime's default seccomp profile, which blocks a set of dangerous syscalls while allowing normal operation. This is the correct field to enforce a seccomp profile of 'RuntimeDefault'.

Exam trap

The trap here is that candidates confuse seccomp with other security mechanisms like AppArmor or SELinux, or think that `capabilities` can restrict syscalls, when in fact seccomp is the only field that directly controls syscall filtering.

How to eliminate wrong answers

Option A is wrong because `appArmorProfile` is used to set AppArmor profiles, not seccomp profiles; AppArmor is a separate Linux Security Module (LSM) that controls file access and capabilities. Option B is wrong because `capabilities` adds or drops Linux capabilities (e.g., CAP_NET_ADMIN), which are privileges, not syscall filters. Option C is wrong because `seLinuxOptions` configures SELinux labels for process and file security contexts, which is another LSM unrelated to seccomp.

611
MCQmedium

A pod named 'db-pod' is running but not responding as expected. You want to check its logs from the previous instantiation (after a crash). Which command should you use?

A.kubectl exec db-pod -- cat /var/log/app.log
B.kubectl logs -f db-pod
C.kubectl describe pod db-pod
D.kubectl logs db-pod --previous
AnswerD

This command shows the logs from the previous (crashed) container instance.

Why this answer

Option D is correct because the `--previous` flag in `kubectl logs` retrieves logs from the previous instantiation of a container in a pod that has crashed or restarted. This allows you to inspect the logs from the terminated container before the current running instance, which is essential for debugging why the pod is not responding as expected after a crash.

Exam trap

The trap here is that candidates often confuse `kubectl logs` with `kubectl describe` or assume that `kubectl exec` into the running container can access logs from a previous crash, but the `--previous` flag is the only way to retrieve logs from a terminated container instance.

How to eliminate wrong answers

Option A is wrong because `kubectl exec db-pod -- cat /var/log/app.log` attempts to read a log file from the current running container, which may not exist or may not contain logs from the previous crashed instance; it also assumes the application writes logs to a specific file path, which is not the standard Kubernetes logging mechanism. Option B is wrong because `kubectl logs -f db-pod` streams the logs of the currently running container in real-time, but it does not show logs from the previous instantiation after a crash. Option C is wrong because `kubectl describe pod db-pod` provides metadata, events, and status of the pod, but it does not retrieve container logs, let alone logs from a previous instantiation.

612
MCQhard

You need to create a Pod that mounts a Secret named 'mysecret' as an environment variable 'SECRET_DATA'. The secret has a key 'password'. Which YAML snippet correctly achieves this?

A.env: - name: SECRET_DATA valueFrom: configMapKeyRef: name: mysecret key: password
B.env: - name: SECRET_DATA valueFrom: secretKeyRef: name: mysecret key: password
C.env: - name: SECRET_DATA valueFrom: secretKeyRef: name: password key: mysecret
D.volumeMounts: - name: secret-volume mountPath: /etc/secret volumes: - name: secret-volume secret: secretName: mysecret items: - key: password path: secret.txt
AnswerB

Correct. secretKeyRef uses name for the secret and key for the key within the secret.

Why this answer

Option B is correct because it uses the `secretKeyRef` field under `valueFrom` to reference a specific key from a Secret named 'mysecret' and inject its value into the environment variable `SECRET_DATA`. This is the standard Kubernetes syntax for exposing a Secret's key-value pair as an environment variable.

Exam trap

The trap here is that candidates often confuse `configMapKeyRef` with `secretKeyRef` or swap the `name` and `key` fields, leading them to pick options that either reference the wrong resource type or misorder the required fields.

How to eliminate wrong answers

Option A is wrong because it uses `configMapKeyRef` instead of `secretKeyRef`; ConfigMaps are for non-sensitive data, while Secrets require `secretKeyRef`. Option C is wrong because it swaps the `name` and `key` fields: `name` should be the Secret's name ('mysecret'), and `key` should be the key within that Secret ('password'). Option D is wrong because it mounts the Secret as a file via a volume, not as an environment variable, which does not meet the requirement to expose the value as `SECRET_DATA`.

613
Multi-Selecteasy

Which TWO of the following are valid types for a Kubernetes Secret? (Choose two.)

Select 2 answers
A.kubernetes.io/tls
B.kubernetes.io/basic-auth
C.kubernetes.io/configmap
D.Opaque
E.kubernetes.io/ssh-auth
AnswersA, D

Correct.

Why this answer

Option A is correct because `kubernetes.io/tls` is a built-in Secret type used to store TLS certificates and private keys, typically for ingress TLS termination. This type expects the data keys `tls.crt` and `tls.key` and is automatically validated by Kubernetes to ensure the certificate and key are properly paired.

Exam trap

CNCF often tests the distinction between valid Secret types and common but incorrect type names, such as confusing `kubernetes.io/basic-auth` (which is valid) with `kubernetes.io/configmap` (which is not a Secret type), or assuming that only `Opaque` and `kubernetes.io/tls` are valid while forgetting that other service-specific types like `kubernetes.io/dockercfg` also exist.

614
MCQeasy

Which kubectl command sets the number of replicas for a deployment named 'nginx' to 5?

A.kubectl update deployment nginx --replicas=5
B.kubectl scale deployment nginx --replicas=5
C.kubectl set scale deployment nginx --replicas=5
D.kubectl resize deployment nginx --replicas=5
AnswerB

Correct. The --replicas flag sets the number of replicas.

Why this answer

kubectl scale is the correct command to change the replica count of a deployment.

615
MCQhard

A DevOps engineer notices that traffic to a Service named 'api' is not being forwarded to newly created pods. The Service selects pods with label 'app: api'. The pods are running and have the correct label. However, the Service's endpoints list does not include the new pods. What is the most likely cause?

A.The pods are in a different namespace
B.The Service's targetPort does not match the container's port
C.The Service type is NodePort instead of ClusterIP
D.The pods have a different label than 'app: api'
AnswerB

If targetPort does not match, endpoints are not created.

Why this answer

Option B is correct because the Service's `targetPort` must match the `containerPort` defined in the pod's container spec. If they differ, the Service will not route traffic to the pod, and the pod will not appear in the Endpoints object, even if the label selector matches. Kubernetes validates the endpoint population by checking that the pod's readiness probe passes and that the target port is reachable on the pod's IP.

Exam trap

CNCF often tests the subtle distinction between the Service's `port` (exposed by the Service) and `targetPort` (the container's listening port), where candidates assume the `port` field is used for pod selection, leading them to overlook the `targetPort` mismatch.

How to eliminate wrong answers

Option A is wrong because Services and pods in different namespaces cannot be selected by the Service's label selector; the Service would have no endpoints at all, not just missing new pods. Option C is wrong because changing the Service type to NodePort does not affect endpoint population; NodePort still uses the same selector and targetPort logic. Option D is wrong because the question explicitly states the pods have the correct label 'app: api', so a label mismatch is not the issue.

616
Multi-Selectmedium

Which TWO actions can help prevent a container from being compromised if an attacker gains access? (Select 2)

Select 2 answers
A.Setting securityContext.readOnlyRootFilesystem: true
B.Setting automountServiceAccountToken: true
C.Setting securityContext.capabilities.drop: ["ALL"]
D.Setting securityContext.allowPrivilegeEscalation: true
E.Setting securityContext.runAsUser: 0
AnswersA, C

Prevents writes to container filesystem.

Why this answer

Setting `securityContext.readOnlyRootFilesystem: true` makes the container's root filesystem read-only, preventing an attacker who gains access from modifying system binaries, libraries, or configuration files. This is a key defense-in-depth measure that limits the impact of a compromise by restricting write access to only explicitly mounted volumes.

Exam trap

CNCF often tests the misconception that running as a non-root user (e.g., `runAsUser: 1000`) is sufficient, but the trap here is that `runAsUser: 0` explicitly sets root, which is a common mistake when candidates confuse 'default' with 'secure'—always drop all capabilities and make the filesystem read-only for defense in depth.

617
MCQhard

A cluster has a node that is NotReady. The kubelet on that node is not responding. Which command should be used to investigate the kubelet logs on the node?

A.kubectl logs <pod> --node=<node>
B.kubectl describe node <node>
C.kubectl get events --field-selector involvedObject.kind=Node
D.journalctl -u kubelet
AnswerD

Retrieves kubelet logs via systemd journal.

Why this answer

Option D is correct because `journalctl -u kubelet` directly queries the systemd journal for logs from the kubelet service on the node. Since the kubelet is not responding, you cannot use `kubectl` to access its logs remotely; you must SSH into the node and use `journalctl` (or `systemctl status kubelet`) to read the kubelet's logs locally.

Exam trap

The trap here is that candidates assume `kubectl` can retrieve kubelet logs remotely, but `kubectl` only accesses pod/container logs via the kubelet API; when the kubelet itself is down, you must use node-level tools like `journalctl` or `systemctl`.

How to eliminate wrong answers

Option A is wrong because `kubectl logs <pod> --node=<node>` is not a valid syntax; `kubectl logs` retrieves logs from a specific pod container, not from the kubelet process, and the `--node` flag does not exist. Option B is wrong because `kubectl describe node <node>` shows the node's status and conditions (including NotReady) but does not provide the kubelet's logs, which are needed to diagnose why the kubelet is not responding. Option C is wrong because `kubectl get events --field-selector involvedObject.kind=Node` displays cluster events related to nodes, but these events are generated by the control plane, not by the kubelet itself, and they do not contain the detailed kubelet log output required to investigate a non-responsive kubelet.

618
MCQhard

You create a Pod with a securityContext set to 'runAsNonRoot: true' and a container image that runs as root (user 0). What will happen when you create the Pod?

A.The Pod will run but with root user, ignoring the setting
B.The Pod will not be created and you will see an error about securityContext violation
C.The Pod will be created but the container will be in a CrashLoopBackOff
D.The Pod will run with root but the container will be killed by a security policy
AnswerB

The kubelet will reject the Pod because runAsNonRoot is true but the container image runs as root.

Why this answer

When a Pod has `runAsNonRoot: true` in its security context and the container image runs as root (UID 0), the Pod will not be created. Kubernetes validates this at admission time (via the PodSecurity admission controller or a validating webhook) and rejects the Pod with an error indicating a security context violation. This is because `runAsNonRoot: true` enforces that the container must not run as UID 0, and the image's default user is root, so the Pod fails creation immediately.

Exam trap

CNCF often tests the distinction between Pod creation failure (admission-time rejection) and runtime failures like CrashLoopBackOff, leading candidates to incorrectly choose a runtime error when the Pod is never scheduled.

How to eliminate wrong answers

Option A is wrong because `runAsNonRoot: true` is not ignored; it is a mandatory security constraint that causes the Pod to be rejected, not silently bypassed. Option C is wrong because the Pod is never created, so it cannot enter a CrashLoopBackOff state; CrashLoopBackOff occurs only after a container starts and then repeatedly fails. Option D is wrong because the container is never started, so there is no running process to be killed by a security policy; the rejection happens before any container execution.

619
MCQmedium

A pod has been scheduled on a node but is stuck in 'ContainerCreating' state. The team suspects a missing storage class. Which command would best confirm this?

A.kubectl describe node
B.kubectl get pvc
C.kubectl get storageclass
D.kubectl describe pod <pod>
AnswerD

Shows events like 'FailedMount' indicating missing storage class.

Why this answer

Option D is correct because `kubectl describe pod <pod>` provides detailed event logs and status conditions for the pod, including specific error messages like 'failed to provision volume with StorageClass' or 'storageclass.storage.k8s.io "<name>" not found'. This directly confirms whether a missing storage class is the root cause of the 'ContainerCreating' state, as the pod's events will surface the exact provisioning failure.

Exam trap

The trap here is that candidates assume checking the StorageClass list (`kubectl get storageclass`) or PVC status (`kubectl get pvc`) will reveal the missing class, but only the pod's detailed description shows the specific provisioning failure event tied to the missing StorageClass.

How to eliminate wrong answers

Option A is wrong because `kubectl describe node` shows node-level conditions, capacity, and resource usage, but does not reveal pod-level storage provisioning errors or missing storage class details. Option B is wrong because `kubectl get pvc` lists PersistentVolumeClaims and their status (e.g., Pending), but does not show the underlying error message about a missing storage class; a PVC might be stuck in Pending for other reasons like insufficient PV capacity. Option C is wrong because `kubectl get storageclass` only lists available storage classes in the cluster, but does not indicate which storage class a specific pod or PVC is trying to use, nor does it show the failure event.

620
Multi-Selecthard

Which THREE of the following are true about using 'kubectl rollout undo'? (Select three)

Select 3 answers
A.It rolls back to the previous revision by default
B.It can roll back to a specific revision using the --to-revision flag
C.It pauses the current rollout
D.It can be used on DaemonSets
E.It deletes the current Deployment and recreates it from scratch
AnswersA, B, D

Correct; without flags, it reverts to the previous revision.

Why this answer

Options A, C, and E are correct. 'kubectl rollout undo' can rollback to a previous revision (A), can specify a revision (C), and is available for DaemonSets (E). Option B is false because it doesn't delete the Deployment. Option D is false because 'undo' is used for rollback, not pause.

621
MCQmedium

A user creates a Job with '.spec.completions=5' and '.spec.parallelism=2'. How many pods will run at the same time?

A.5
B.10
C.7
D.2
AnswerD

parallelism=2 means up to 2 pods run concurrently.

Why this answer

parallelism defines the maximum number of pods running concurrently.

622
MCQeasy

What is the default service type in Kubernetes?

A.NodePort
B.ExternalName
C.ClusterIP
D.LoadBalancer
AnswerC

ClusterIP is the default service type.

Why this answer

If you create a Service without specifying type, it defaults to ClusterIP, which makes the service accessible only within the cluster.

623
Multi-Selecthard

Which THREE of the following are characteristics of Pod Security Admission (PSA) standards? (Select three.)

Select 3 answers
A.PSA can be configured to warn or audit violations without blocking
B.There are three predefined security levels: privileged, baseline, restricted
C.PSA requires Open Policy Agent (OPA) Gatekeeper to function
D.A namespace can be labeled to enforce a security level for all pods in that namespace
E.PSA is a CustomResourceDefinition (CRD) that must be installed separately
AnswersA, B, D

PSA supports modes: enforce, audit, and warn.

Why this answer

Option A is correct because Pod Security Admission (PSA) supports three modes: enforce (blocks violations), audit (logs violations in audit logs), and warn (returns a warning to the user). This allows administrators to test or monitor PSA policies without immediately blocking pod creation, which is critical for gradual adoption.

Exam trap

The trap here is that candidates confuse PSA with third-party tools like OPA Gatekeeper or think it requires a CRD, when in fact PSA is a built-in, label-driven admission controller that works out of the box in Kubernetes v1.23+.

624
MCQeasy

Which Dockerfile instruction is used to define a mount point for a volume?

A.ADD
B.VOLUME
C.EXPOSE
D.MOUNT
AnswerB

VOLUME creates a mount point for a volume.

Why this answer

The VOLUME instruction creates a mount point for externally mounted volumes or other containers.

625
MCQmedium

You need to check the CPU and memory usage of a pod named 'monitored-pod' in the 'default' namespace. Which command should you run?

A.kubectl get pod monitored-pod -o wide
B.kubectl describe pod monitored-pod
C.kubectl top pod monitored-pod
D.kubectl logs monitored-pod
AnswerC

Correct. Shows CPU and memory usage.

Why this answer

The kubectl top pod command shows resource usage for pods.

626
MCQeasy

Which command is used to scale a Deployment named 'frontend' to 10 replicas?

A.kubectl scale deploy frontend --replicas 10
B.kubectl scale deployment/frontend --replicas=10
C.kubectl set replicas deployment/frontend 10
D.kubectl edit deployment frontend and change replicas to 10
AnswerB

This is the correct syntax.

Why this answer

kubectl scale can change the replica count of a Deployment.

627
MCQmedium

You have a multi-stage Dockerfile. You want to copy artifacts from the builder stage to the final stage. Which instruction should you use in the final stage?

A.ADD --from=builder /app/artifact /app/
B.RUN --from=builder cp /app/artifact /app/
C.COPY --from=builder /app/artifact /app/
D.CMD --from=builder /app/artifact /app/
AnswerC

COPY with --from is the standard way to copy files from a previous build stage.

Why this answer

Option B is correct. COPY --from=builder copies files from a previous stage named 'builder'. ADD is similar but also supports remote URLs and tar extraction, but --from is not typically used with ADD.

CMD and RUN are not for copying files.

628
MCQhard

You apply the following NetworkPolicy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress After applying, pods in the namespace cannot reach the kube-dns service. What is the most likely reason?

A.The policy does not have a namespaceSelector
B.The policy blocks all egress traffic, including DNS
C.The policy blocks all ingress traffic only
D.The kube-dns service is not running
AnswerB

Empty egress rules allow no egress traffic, so DNS (UDP 53) is blocked.

Why this answer

This policy selects all pods and has empty ingress and egress rules, which default to denying all traffic. Egress to DNS is blocked.

629
Multi-Selecthard

Which THREE components are typically involved when using Ingress to expose a service?

Select 3 answers
A.Ingress resource
B.External load balancer
C.Ingress controller
D.NetworkPolicy
E.Service
AnswersA, C, E

Defines routing rules.

Why this answer

A, B, D are correct. Ingress resource defines rules, Ingress controller implements them, and Service routes to pods. C is not required; E is optional but not typically involved.

630
MCQeasy

A deployment is configured with a liveness probe that checks an HTTP endpoint. The probe fails intermittently, causing pod restarts. What is the best first step to diagnose the issue?

A.Check the liveness probe events via 'kubectl describe pod' to see the exact probe responses.
B.Run 'kubectl exec' to curl the endpoint from another pod to test network connectivity.
C.Review the liveness probe parameters in the deployment YAML and increase the failureThreshold.
D.Examine the container logs via 'kubectl logs' for error messages around the time of the failures.
AnswerD

Logs provide insight into application behavior during probe failures.

Why this answer

Option D is correct because container logs provide the application's perspective on why the HTTP endpoint is failing intermittently. The liveness probe failure is a symptom; the root cause (e.g., a transient error, resource exhaustion, or a bug) is most directly visible in the application's own log output around the failure timestamps. This aligns with the CKAD domain of Application Observability and Maintenance, where logs are the primary diagnostic tool for application-level issues.

Exam trap

The trap here is that candidates assume the liveness probe failure is a network or configuration issue (options A, B, C) rather than recognizing that intermittent failures are almost always an application-level problem best diagnosed via container logs.

How to eliminate wrong answers

Option A is wrong because 'kubectl describe pod' shows probe events (e.g., 'Liveness probe failed: HTTP probe failed with statuscode: 503') but only reports the failure itself, not the application's internal state or the reason for the failure. Option B is wrong because testing network connectivity from another pod (e.g., via 'kubectl exec' and curl) checks network-level reachability, but the probe is failing intermittently, not due to a network partition; the issue is likely application-level. Option C is wrong because increasing failureThreshold only masks the symptom by allowing more failures before restart, without diagnosing or fixing the underlying intermittent problem.

631
MCQmedium

A Role named 'pod-reader' in namespace 'ns1' grants get, list, and watch on pods. Which RoleBinding correctly binds this role to a ServiceAccount 'sa1' in the same namespace?

A.roleRef: { apiGroup: rbac.authorization.k8s.io, kind: Role, name: pod-reader } subjects: - kind: ServiceAccount name: sa1 namespace: ns1
B.roleRef: { apiGroup: rbac.authorization.k8s.io, kind: Role, name: pod-reader } subjects: - kind: User name: sa1
C.roleRef: { apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: pod-reader } subjects: - kind: ServiceAccount name: sa1 namespace: ns1
D.roleRef: { apiGroup: rbac.authorization.k8s.io, kind: Role, name: pod-reader } subjects: - kind: ServiceAccount name: sa1 namespace: default
AnswerA

Correct. RoleBinding references the Role and ServiceAccount in the same namespace.

Why this answer

Option A is correct because a RoleBinding in the same namespace as the Role and ServiceAccount must specify the Role's kind as 'Role' (not ClusterRole) and include the ServiceAccount's namespace in the subjects list. The roleRef references the 'pod-reader' Role with the correct apiGroup and kind, and the subject specifies the ServiceAccount 'sa1' in namespace 'ns1', which matches the Role's namespace, allowing the binding to grant the permissions.

Exam trap

The trap here is that candidates often forget to include the ServiceAccount's namespace in the subjects list or mistakenly use 'kind: User' for a ServiceAccount, leading to a binding that either fails or applies to the wrong entity.

How to eliminate wrong answers

Option B is wrong because it uses 'kind: User' instead of 'kind: ServiceAccount', and a ServiceAccount cannot be bound via a User subject; the subject must match the actual entity type. Option C is wrong because it uses 'kind: ClusterRole' in the roleRef, but the question specifies a Role (namespaced), not a ClusterRole; a RoleBinding can only reference a Role in the same namespace or a ClusterRole (which would then be scoped to the namespace), but here the role is a Role, so the kind must be 'Role'. Option D is wrong because it specifies 'namespace: default' in the subject, but the ServiceAccount 'sa1' is in namespace 'ns1', so the subject's namespace must match the ServiceAccount's actual namespace for the binding to work.

632
Multi-Selectmedium

Which TWO commands can be used to create a Secret named 'db-creds' with keys 'username' and 'password'? (Select TWO.)

Select 2 answers
A.kubectl create secret generic db-creds --from-literal=username=admin --from-literal=password=secret123
B.kubectl create secret generic db-creds --from-file=username=admin --from-file=password=secret123
C.kubectl create secret opaque db-creds --from-literal=username=admin
D.echo -e 'username: admin\npassword: secret123' | kubectl apply -f -
E.kubectl create secret tls db-creds --cert=cert.pem --key=key.pem
AnswersA, D

Correct. This creates a generic secret with the specified literals.

Why this answer

Option A is correct because `kubectl create secret generic` with `--from-literal` is the standard way to create a generic (Opaque) Secret from key-value pairs directly in the command line. Each `--from-literal` flag specifies a key=value pair, and the command creates a Secret named 'db-creds' with keys 'username' and 'password'.

Exam trap

CNCF often tests the distinction between `--from-literal` and `--from-file`, and the fact that `kubectl create secret generic` is the only valid subcommand for Opaque Secrets, not `opaque` or `tls`.

633
MCQmedium

You are tasked with creating a NetworkPolicy that denies all ingress traffic to pods in the 'db' namespace by default. Which YAML snippet correctly implements this?

A.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: db spec: podSelector: {} policyTypes: - Ingress ingress: []
B.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: db spec: podSelector: {} policyTypes: - Ingress
C.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: db spec: podSelector: {} ingress: - {}
D.apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: db spec: podSelector: {} policyTypes: - Egress
AnswerB

This selects all pods in the namespace and specifies only Ingress in policyTypes with no rules, thus denying all ingress traffic.

Why this answer

The default deny all ingress policy selects all pods (podSelector: {}) and has no ingress rules. Option A is correct. Option B allows ingress with {} rule.

Option C selects nothing. Option D is egress-only.

634
MCQhard

An Ingress resource is configured with TLS termination. The secret referenced in the Ingress is present, but the Ingress controller returns 404. What is the most likely cause?

A.The IngressClass annotation is missing
B.The Ingress controller is not installed
C.The backend Service does not have any endpoints
D.The TLS certificate is expired
AnswerC

If the Service's selector does not match any pods, the Ingress controller will return 404.

Why this answer

If the Ingress controller returns 404, often the backend Service or its endpoints are not correctly configured or the Service does not have matching selectors.

635
MCQmedium

You need to scale a Deployment named 'frontend' to 10 replicas. Which command correctly accomplishes this?

A.kubectl scale deployment/frontend --replicas=10
B.kubectl patch deployment frontend -p '{"spec":{"replicas":10}}'
C.kubectl set replicas deployment/frontend 10
D.kubectl scale --replicas=10 deployment frontend
AnswerA

This is the correct syntax.

Why this answer

kubectl scale deployment frontend --replicas=10 is the correct command.

636
MCQhard

A Deployment named 'web' has replicas: 3 and update strategy type: Recreate. You run 'kubectl set image deployment/web web=nginx:1.22'. What immediate effect will this have on the existing pods?

A.One pod is terminated, then a new pod is created, repeating until all are updated.
B.The command fails because Recreate does not support image updates.
C.All existing pods are terminated simultaneously, then new pods are created.
D.The pods are updated in place without termination.
AnswerC

Recreate terminates all pods first, then creates new ones.

Why this answer

The Recreate strategy terminates all existing pods before creating new ones. All 3 pods will be terminated simultaneously, then new pods are created.

637
MCQhard

You have an Ingress resource with TLS configured. The certificate is stored in a Secret named 'my-tls'. Which field in the Ingress YAML specifies the Secret name?

A..spec.tls[0].secretName
B..spec.tls[0].secret
C..metadata.annotations['cert-manager.io/cluster-issuer']
D..spec.tlsSecretName
AnswerA

This is the correct location to reference the Secret.

Why this answer

In the Ingress spec, under tls, the secretName field specifies the Secret containing the TLS certificate and key.

638
Multi-Selecthard

An administrator wants to implement Pod Security Admission (PSA) to enforce the 'restricted' policy for pods in the 'secure' namespace, but allow certain pods to use privileged containers by applying an exemption label. Which three steps are required? (Choose three.)

Select 3 answers
A.Use 'pod-security.kubernetes.io/audit=restricted' to log violations without enforcement.
B.Enable the PodSecurity feature gate on the API server and kubelet.
C.Create a ServiceAccount for exempted pods and label it with 'pod-security.kubernetes.io/enforce=privileged'.
D.Install a custom container runtime that supports privilege escalation.
E.Set the namespace label 'pod-security.kubernetes.io/enforce=restricted' on the 'secure' namespace.
AnswersB, C, E

PSA is enabled by default in v1.23+, but for older clusters you may need to enable it.

Why this answer

Option B is correct because Pod Security Admission (PSA) is a built-in admission controller that requires the PodSecurity feature gate to be enabled on the API server (and, for enforcement, the kubelet must also support it) to activate the admission webhook. Without this feature gate, the PSA labels on namespaces are ignored, and the restricted policy cannot be enforced.

Exam trap

The trap here is that candidates often confuse 'audit' mode (which only logs) with 'enforce' mode (which blocks violations), and may incorrectly think that a custom runtime is needed for privilege escalation, when PSA handles this via security context validation at the admission level.

639
MCQmedium

A cluster administrator wants to prevent all pods in a namespace from running with privileged escalation. Which Pod Security Admission standard enforces this?

A.baseline
B.restricted
C.privileged
D.high
AnswerB

The restricted profile disallows privilege escalation and enforces many security constraints.

Why this answer

The 'restricted' Pod Security Admission (PSA) standard enforces the most stringent security controls, including preventing privileged escalation by setting `securityContext.AllowPrivilegeEscalation` to `false` and requiring containers to run as non-root. This directly addresses the cluster administrator's goal of blocking privilege escalation in all pods within a namespace.

Exam trap

CNCF often tests the distinction between 'baseline' and 'restricted' standards, where candidates mistakenly choose 'baseline' because it blocks some privilege escalation but fails to recognize that 'restricted' is the only standard that explicitly and comprehensively prohibits `AllowPrivilegeEscalation`.

How to eliminate wrong answers

Option A is wrong because the 'baseline' standard only prevents known privilege escalation attacks (e.g., via `CAP_SYS_ADMIN`) but does not explicitly require `AllowPrivilegeEscalation` to be `false`; it allows some flexibility for legacy workloads. Option C is wrong because the 'privileged' standard is the most permissive, allowing unrestricted access including privilege escalation, which is the opposite of what the question asks. Option D is wrong because 'high' is not a valid Pod Security Admission standard; the three defined standards are 'privileged', 'baseline', and 'restricted'.

640
MCQmedium

You have an Ingress resource that routes traffic to two services: 'app1' and 'app2'. The requirement is that traffic for 'app.example.com' goes to app1, and traffic for any other host goes to app2. Which Ingress specification correctly achieves this?

A.spec: rules: - host: "*" http: paths: - path: / pathType: Prefix backend: service: name: app2 port: number: 80 - host: app.example.com http: paths: - path: / pathType: Prefix backend: service: name: app1 port: number: 80
B.spec: defaultBackend: service: name: app2 port: number: 80 rules: - host: app.example.com http: paths: - path: / pathType: Prefix backend: service: name: app1 port: number: 80
C.spec: rules: - host: app.example.com http: paths: - path: / pathType: Prefix backend: service: name: app2 port: number: 80 - http: paths: - path: / pathType: Prefix backend: service: name: app1 port: number: 80
D.spec: rules: - host: app.example.com http: paths: - path: / pathType: Prefix backend: service: name: app1 port: number: 80 - http: paths: - path: / pathType: Prefix backend: service: name: app2 port: number: 80
AnswerD

First rule matches host app.example.com and routes to app1. Second rule has no host, so it matches any other host and routes to app2.

Why this answer

To route based on host, you use the 'host' field under rules. For default backend (no host match), you specify a default backend at the spec level. The correct YAML has two rules: one with host and one without (or a default backend).

641
MCQmedium

What is the default restart policy for a pod created with 'kubectl run nginx --image=nginx'?

A.Always
B.OnFailure
C.Never
D.Restart
AnswerA

Default restart policy is Always.

Why this answer

The default restart policy is Always for pods created by kubectl run without --restart flag.

642
MCQmedium

You have a Service named 'my-svc' in the 'prod' namespace. What is the fully qualified DNS name for this Service?

A.my-svc.prod.svc.cluster.local
B.my-svc.svc.cluster.local
C.prod.my-svc.svc.cluster.local
D.my-svc.prod.cluster.local
AnswerA

Correct DNS name.

Why this answer

The form is <service>.<namespace>.svc.cluster.local.

643
MCQmedium

A pod is unable to resolve the DNS name of a Service in the same namespace. The pod's /etc/resolv.conf shows 'nameserver 10.96.0.10'. What is the most likely cause?

A.The kube-dns Service is not running
B.The pod is using dnsPolicy: Default
C.The Service is of type ExternalName
D.The pod's /etc/hosts file is misconfigured
AnswerA

If kube-dns is not running, DNS resolution fails.

Why this answer

The DNS server IP 10.96.0.10 is the default ClusterIP of the kube-dns Service. If the pod can't resolve a Service in the same namespace, it's likely that the DNS service is not running or the pod's DNS policy is incorrect. However, the most common issue is that the kube-dns Service is not reachable due to network policy or the kube-dns pods are not running.

644
MCQmedium

A pod is running but not responding to requests. The developer suspects the liveness probe is misconfigured. Which command can they use to check the probe configuration of a running pod?

A.kubectl logs <pod-name>
B.kubectl describe pod <pod-name>
C.kubectl exec <pod-name> -- env
D.kubectl get pod <pod-name>
AnswerB

Describe shows full configuration including probes.

Why this answer

Option B is correct because `kubectl describe pod <pod-name>` displays the full pod specification, including the liveness probe configuration (e.g., `Liveness: http-get /healthz delay=0s timeout=1s period=10s #success=1 #failure=3`). This allows the developer to verify the probe type, endpoint, initial delay, timeout, and failure threshold directly from the running pod's definition.

Exam trap

The trap here is that candidates confuse `kubectl logs` (which shows runtime output) with `kubectl describe` (which shows configuration), assuming logs would reveal probe failures, but logs only show application output, not the probe definition itself.

How to eliminate wrong answers

Option A is wrong because `kubectl logs` shows the container's stdout/stderr output, not the pod's configuration or probe settings; it cannot reveal how the probe is defined. Option C is wrong because `kubectl exec -- env` prints environment variables inside the container, which are unrelated to the liveness probe configuration stored in the pod spec. Option D is wrong because `kubectl get pod` only shows a summary (name, status, restarts, age) and does not include detailed probe parameters like path, port, or thresholds.

645
Multi-Selectmedium

Which TWO of the following are valid Ingress pathTypes in Kubernetes networking.k8s.io/v1?

Select 2 answers
A.Prefix
B.Exact
C.Wildcard
D.Suffix
E.ImplementationSpecific
AnswersA, B

Valid pathType.

Why this answer

Options B and C are correct. The valid pathTypes are 'Prefix' (matches based on URL path prefix) and 'Exact' (matches exact URL path). Option A is misspelled.

Option D is not valid. Option E is not valid.

646
MCQmedium

A pod with a liveness probe using 'httpGet' is restarting repeatedly. The probe checks '/healthz' on port 8080. The application is healthy and responds with HTTP 200. What is the most likely cause?

A.The initialDelaySeconds is too high
B.The timeoutSeconds value is too low
C.The liveness probe is checking the wrong port
D.The readiness probe is misconfigured
AnswerB

If the probe times out before the app responds, it will fail and restart the container.

Why this answer

A timeoutSeconds value lower than the application's response time can cause the probe to fail even if the app is healthy. Option C is correct.

647
MCQmedium

You create a ResourceQuota in a namespace that sets requests.cpu: '1' and limits.cpu: '2'. A pod spec has no resource limits or requests. What happens when you try to create this pod?

A.The pod is created without limits, but the quota is enforced at runtime
B.The pod creation is denied because the spec does not specify resource limits or requests
C.The pod is created and the quota is ignored
D.The pod is created with default limits from the LimitRange
AnswerB

ResourceQuota requires that all pods in the namespace have resource limits/requests when quota is set.

Why this answer

When a ResourceQuota is defined with requests.cpu and limits.cpu, Kubernetes requires that every pod in that namespace have explicit resource requests and limits that match the quota constraints. If a pod spec omits these fields, the API server denies the pod creation because it cannot determine whether the pod complies with the quota. This is enforced at admission time, not at runtime.

Exam trap

The trap here is that candidates assume a LimitRange will automatically apply default resource values, but without a LimitRange, the pod creation is denied outright due to the missing fields required by the ResourceQuota.

How to eliminate wrong answers

Option A is wrong because the quota is enforced at admission time, not at runtime; the pod is never created if it lacks required resource specifications. Option C is wrong because the quota is never ignored; it is a hard constraint that the API server enforces during admission. Option D is wrong because a LimitRange can provide default values, but the question does not mention a LimitRange existing in the namespace; without one, the pod creation is denied due to missing resource fields.

648
Multi-Selectmedium

You are using Helm to manage a chart. Which commands are valid to list installed releases? (Choose TWO)

Select 2 answers
A.helm ls
B.helm upgrade
C.helm status
D.helm history
E.helm list
AnswersA, E

Alias for helm list.

Why this answer

Option A is correct: 'helm list'. Option C is also correct: 'helm ls' (alias). Option B is for status.

Option D is for history. Option E is for upgrade.

649
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete and recreate the pod to clear the crash loop
B.Delete the namespace and redeploy all workloads
C.Increase the memory limit in the pod's container resource specification
D.Increase the CPU request for the container
AnswerC

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option B is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option A would not help — restarting the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.

650
MCQmedium

A company wants to deploy a stateful database cluster where each pod has its own persistent storage. They need stable network identities and ordered pod creation. Which resource should they use?

A.Deployment
B.StatefulSet
C.CronJob
D.DaemonSet
AnswerB

StatefulSet is designed for stateful apps with stable identities and persistent storage.

Why this answer

StatefulSet is the correct resource because it provides stable, unique network identities (via headless Services and ordinal hostnames) and ordered, graceful deployment and scaling (pod creation/deletion in sequence). This matches the requirements for a stateful database cluster where each pod requires its own PersistentVolumeClaim (PVC) and stable identity for clustering.

Exam trap

CNCF often tests the misconception that Deployment can handle stateful workloads by using PersistentVolumeClaims, but they fail to recognize that Deployment lacks stable network identities and ordered pod management, which are critical for database clustering.

How to eliminate wrong answers

Option A is wrong because Deployment does not guarantee stable network identities or ordered pod creation; pods are treated as ephemeral and interchangeable, which is unsuitable for stateful applications requiring persistent storage per pod. Option C is wrong because CronJob is designed for scheduled, batch jobs (running to completion) and does not manage long-running stateful pods with persistent storage or stable identities. Option D is wrong because DaemonSet ensures one pod per node, not ordered creation or per-pod persistent storage; it is intended for node-level services like logging or monitoring, not stateful databases.

651
MCQmedium

A pod in the 'staging' namespace is in a CrashLoopBackOff state. You run 'kubectl logs pod -n staging' and see: 'Error: container has been OOMKilled'. The pod YAML has resources: requests: memory: 256Mi, limits: memory: 256Mi. Which change should you make first?

A.Increase the memory limit to 512Mi.
B.Increase the CPU limit to 1.
C.Reduce the memory request to 128Mi.
D.Set memory request to 512Mi and memory limit to 256Mi.
AnswerA

Increasing the limit gives the container more memory before OOM.

Why this answer

The pod is in CrashLoopBackOff due to OOMKill, meaning the container exceeded its memory limit and was terminated. Since the current memory limit is 256Mi and the container needs more, increasing the limit to 512Mi directly addresses the out-of-memory condition. This is the correct first step because it provides the container with the additional memory it requires to run without being killed.

Exam trap

CNCF often tests the distinction between requests and limits, and the trap here is that candidates might confuse reducing the request (option C) as a solution, when in fact the OOMKill is caused by hitting the limit, not the request.

How to eliminate wrong answers

Option B is wrong because the issue is memory exhaustion (OOMKill), not CPU; increasing the CPU limit does not resolve the out-of-memory condition. Option C is wrong because reducing the memory request to 128Mi would lower the guaranteed memory, potentially worsening the OOM situation and increasing the risk of the container being killed. Option D is wrong because setting the memory request higher than the limit (512Mi request vs 256Mi limit) is invalid in Kubernetes; the request must be less than or equal to the limit, and this configuration would be rejected by the API server.

652
Multi-Selecthard

Which TWO of the following are correct statements about DNS in Kubernetes?

Select 2 answers
A.Pod DNS records are created by default with format pod-ip.namespace.pod.cluster.local
B.DNS resolution works only for ClusterIP services
C.A service's DNS name includes the namespace: service.namespace.svc.cluster.local
D.Headless services return a single A record for the service IP
E.A service's fully qualified domain name is service.namespace.cluster.local
AnswersA, C

Yes, Kubernetes DNS creates pod records.

Why this answer

Options B and D are correct. Service DNS format is 'service.namespace.svc.cluster.local' (B). Pod DNS by default is 'pod-ip-address.namespace.pod.cluster.local' (D).

Option A is missing 'svc'. Option C is wrong because headless services return multiple A records. Option E is wrong because service DNS is not limited to ClusterIP type.

653
MCQeasy

Which Service type is used to expose a Service on a static port on each node in the cluster?

A.ClusterIP
B.ExternalName
C.NodePort
D.LoadBalancer
AnswerC

NodePort exposes a port on each node.

Why this answer

NodePort exposes the Service on a static port on each node's IP address.

654
MCQmedium

You want to expose a Deployment 'app' externally on port 30080 on each node. What service type should you use?

A.LoadBalancer
B.ExternalName
C.NodePort
D.ClusterIP
AnswerC

NodePort exposes on a port on each node.

Why this answer

NodePort exposes a service on a static port on each node's IP, allowing external access via NodeIP:NodePort. Port 30080 is a valid NodePort range (30000-32767).

655
MCQmedium

You are using Kustomize to manage Kubernetes configurations. You have a base configuration for 'nginx' and an overlay for 'production' that sets the replica count to 5. Which file structure is correct for Kustomize?

A.base/kustomization.yaml and overlay/production/kustomization.yaml with bases: [../../base]
B.base/kustomization.yaml and overlay/production/kustomization.yaml with resources: [../base]
C.base/kustomization.yaml and overlay/production/kustomization.yaml with patches: [../base]
D.base/kustomization.yaml and overlay/production/kustomization.yaml with bases: [../base]
AnswerD

Correct: overlay/production/kustomization.yaml references ../base.

Why this answer

Kustomize expects a kustomization.yaml file in each layer. The base has its own kustomization.yaml that includes resources, and the overlay has a kustomization.yaml with a bases field pointing to the base path.

656
MCQeasy

A developer needs to deploy a container that runs a batch job to process data once and then exit. The job should be restarted only if it fails. Which Kubernetes resource should be used?

A.DaemonSet
B.Deployment
C.Job
D.StatefulSet
AnswerC

Job runs a task to completion and restarts on failure.

Why this answer

A Kubernetes Job is the correct resource for a batch workload that runs to completion and exits. It ensures the pod is restarted only on failure (via the `RestartPolicy: OnFailure` or `Never`), which matches the requirement of restarting only if the job fails. Deployments and DaemonSets are designed for long-running processes, not termination.

Exam trap

The trap here is that candidates often confuse a Job with a Deployment because both can run containers, but a Deployment is designed for long-running services and will restart pods even on successful completion, which violates the 'run once' requirement.

How to eliminate wrong answers

Option A is wrong because a DaemonSet ensures one pod runs on every node and is intended for continuous daemon processes (e.g., log collectors), not for batch jobs that exit. Option B is wrong because a Deployment manages a set of pods that should run indefinitely, maintaining a desired replica count; it will restart pods regardless of exit reason, which does not match the 'restart only on failure' requirement. Option D is wrong because a StatefulSet is for stateful applications requiring stable network identities and persistent storage, not for ephemeral batch processing.

657
MCQhard

A Deployment has replicas: 3 and uses a ConfigMap. The ConfigMap is updated. The developer wants to update the pods to use the new ConfigMap without recreating the Deployment. What is the correct approach?

A.kubectl rollout restart deployment/<name>
B.kubectl set image deployment/<name> <container>=<new-image>
C.The pods automatically mount the new ConfigMap within seconds
D.Delete and recreate each pod manually
AnswerA

Restarts pods, which will mount the updated ConfigMap.

Why this answer

A `kubectl rollout restart deployment/<name>` triggers a rolling restart of the Pods managed by the Deployment. Since ConfigMaps are mounted as volumes or injected as environment variables at Pod creation time, the only way to pick up updated ConfigMap data without recreating the Deployment object itself is to force the existing Pods to be terminated and recreated. The Deployment controller handles this gracefully, ensuring zero downtime by following the configured rolling update strategy.

Exam trap

The trap here is that candidates assume ConfigMaps are dynamically updated in running Pods (Option C), but in reality, Pods must be recreated to consume updated ConfigMap data unless the application explicitly watches for file changes.

How to eliminate wrong answers

Option B is wrong because `kubectl set image` updates the container image, not the ConfigMap; it does not cause Pods to reload ConfigMap data. Option C is wrong because ConfigMaps are not automatically updated inside running Pods — they are snapshotted at Pod start; even if the volume is mounted as a subPath or as environment variables, the Pod must be restarted to reflect changes. Option D is wrong because manually deleting and recreating Pods is error-prone, does not leverage the Deployment’s rollout history or update strategy, and violates the principle of declarative management; the correct imperative command is `kubectl rollout restart`.

658
MCQmedium

Which command creates a TLS secret named 'tls-secret' using certificate file 'tls.crt' and key file 'tls.key'?

A.kubectl create secret docker-registry tls-secret --docker-server=...
B.kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key
C.kubectl create secret generic tls-secret --from-file=tls.crt --from-file=tls.key
D.kubectl create secret generic tls-secret --from-literal=tls.crt=...
AnswerB

Correct syntax for creating a TLS secret.

Why this answer

Option B is correct because the `kubectl create secret tls` command is specifically designed to create a TLS secret from a certificate and key pair. The `--cert` and `--key` flags directly reference the PEM-encoded certificate file (`tls.crt`) and private key file (`tls.key`), which Kubernetes stores as `tls.crt` and `tls.key` data entries in the Secret object.

Exam trap

The trap here is that candidates often choose Option C because they think `--from-file` can create a TLS secret, but they overlook that the secret type must be `kubernetes.io/tls` and the data keys must be exactly `tls.crt` and `tls.key` — a generic secret with arbitrary keys will not work for TLS termination.

How to eliminate wrong answers

Option A is wrong because `kubectl create secret docker-registry` creates a Docker registry authentication secret, not a TLS secret; it uses `--docker-server`, `--docker-username`, etc. Option C is wrong because `kubectl create secret generic` with `--from-file` stores the entire file contents under arbitrary keys (e.g., the filename), not under the standard `tls.crt` and `tls.key` keys required for TLS secrets; the resulting secret would not be recognized as a TLS secret by ingress controllers or other components. Option D is wrong because `--from-literal` expects a literal key=value pair, not a file path; it would store the string 'tls.crt=...' as a literal, not the certificate content.

659
MCQeasy

Which 'kubectl' command creates a pod named 'test-pod' using the nginx image and outputs the YAML manifest without actually creating it?

A.kubectl apply -f pod.yaml
B.kubectl run test-pod --image=nginx --dry-run=client -o yaml
C.kubectl run test-pod --image=nginx --dry-run=server
D.kubectl run test-pod --image=nginx --dry-run=client -o json
AnswerB

Correct command to generate YAML without creating the pod.

Why this answer

Option A is correct: kubectl run test-pod --image=nginx --dry-run=client -o yaml. Option B uses -o json. Option C uses --dry-run=server.

Option D is apply command.

660
Multi-Selectmedium

Which TWO of the following are valid fields in a container's SecurityContext to restrict privilege escalation? (Select two.)

Select 2 answers
A.allowPrivilegeEscalation
B.readOnlyRootFilesystem
C.runAsNonRoot
D.privileged
E.capabilities
AnswersA, E

Setting this to false prevents privilege escalation.

Why this answer

A is correct because `allowPrivilegeEscalation` directly controls whether a process can gain more privileges than its parent, such as via setuid binaries or file capabilities. Setting it to `false` prevents privilege escalation, which is a core security requirement for restricting container breakout.

Exam trap

CNCF often tests the distinction between fields that *prevent* privilege escalation versus fields that enforce other security constraints like filesystem immutability or user identity, leading candidates to confuse `readOnlyRootFilesystem` or `runAsNonRoot` with escalation control.

661
MCQeasy

You create a ConfigMap named 'app-config' with the command 'kubectl create configmap app-config --from-literal=key1=value1'. Which of the following correctly mounts this ConfigMap as environment variables in a pod?

A.env: - name: key1 valueFrom: configMapKeyRef: name: app-config key: key1
B.volumes: - name: config-volume configMap: name: app-config volumeMounts: - name: config-volume mountPath: /etc/config
C.env: - name: key1 valueFrom: configMapRef: name: app-config
D.envFrom: - configMapRef: name: app-config
AnswerD

envFrom with configMapRef injects all key-value pairs from the ConfigMap as environment variables.

Why this answer

Option D is correct because `envFrom` with `configMapRef` is the Kubernetes mechanism to expose all key-value pairs from a ConfigMap as environment variables in a pod. This directly mounts the ConfigMap created with `--from-literal=key1=value1` so that `key1` becomes an environment variable with value `value1`.

Exam trap

The trap here is that candidates confuse `envFrom` with `env` and `configMapRef` with `configMapKeyRef`, or they incorrectly think volume mounts are equivalent to environment variable injection.

How to eliminate wrong answers

Option A is wrong because while the syntax is valid for a single key reference, it requires explicitly listing each key, which is not the 'correctly mounts this ConfigMap' approach when the question implies using the entire ConfigMap; it is a valid but incomplete method for the scenario. Option B is wrong because it describes mounting the ConfigMap as files in a volume at `/etc/config`, not as environment variables. Option C is wrong because `configMapRef` is not a valid field under `env`; the correct field is `configMapKeyRef`.

662
MCQhard

You are tasked with running a batch job that processes 100 items in parallel, using a Kubernetes Job. The Job should ensure that all items are processed even if some pods fail, and the total number of pod failures should be limited to 3. Which Job configuration is correct?

A.Set spec.parallelism: 100, spec.completions: 100, spec.backoffLimit: 3
B.Set spec.parallelism: 1, spec.completions: 100, spec.backoffLimit: 3
C.Set spec.parallelism: 100, spec.completions: 1, spec.backoffLimit: 3
D.Set spec.parallelism: 100, spec.completions: 100, spec.activeDeadlineSeconds: 300
AnswerA

Correct: parallelism runs up to 100 pods concurrently, completions expects 100 successful completions overall, backoffLimit limits retries to 3.

Why this answer

Option B is correct. For a Job that runs many parallel tasks, you use a work queue pattern with a fixed completion count. spec.parallelism sets the number of pods to run in parallel, spec.completions sets the total number of successful completions required, and spec.backoffLimit sets the number of retries before considering the Job as failed. The spec.backoffLimit field is the correct way to limit retries; spec.activeDeadlineSeconds is a time limit, not a retry limit.

663
Multi-Selectmedium

Which TWO of the following are valid uses of init containers? (Select 2)

Select 2 answers
A.Running a log collection agent continuously
B.Performing health checks on the main container
C.Setting ownership and permissions on a shared volume before the main container uses it
D.Serving HTTP traffic to the main container
E.Waiting for an external database to be ready before starting the main application
AnswersC, E

Correct: init containers can prepare volumes.

Why this answer

Init containers are used for setup tasks that must complete before the main containers start. They can run scripts that wait for a service to be up (B) and can be used to set permissions on shared volumes (C). They are not meant for serving traffic (A) or for long-running sidecar functionality (D).

They do not have liveness probes (E).

664
MCQmedium

What is the purpose of the `IngressClass` resource in Kubernetes?

A.To enable path-based routing.
B.To define the TLS certificate for an Ingress.
C.To specify which Ingress controller should implement the Ingress.
D.To set the default backend for an Ingress.
AnswerC

IngressClass selects the controller.

Why this answer

IngressClass allows selecting a specific Ingress controller implementation to handle the Ingress resource.

665
MCQmedium

A headless service is created with 'clusterIP: None'. What is the primary use case for such a service?

A.To allow direct pod-to-pod DNS resolution for StatefulSets.
B.To provide a stable IP address for the service.
C.To expose the service externally without a load balancer.
D.To enable DNS round-robin across all pods.
AnswerA

Correct. StatefulSets use headless services for stable network identities.

Why this answer

Headless services are used for StatefulSets to allow pod-to-pod DNS resolution. They also enable custom load balancing or when you don't need a single IP.

666
MCQeasy

Which command builds a Docker image from the current directory and tags it as 'myapp:v1'?

A.docker build -t myapp:v1 .
B.docker build -t myapp:v1
C.docker build . -name myapp:v1
D.docker image build --tag myapp:v1
AnswerA

Correct command to build and tag the image.

Why this answer

Option B is correct: docker build -t myapp:v1 . builds and tags the image. Option A is missing the dot. Option C tags after build but syntax is wrong.

Option D uses incorrect flag (--name).

667
MCQeasy

You have a Deployment named 'web-app' with 5 replicas. You run the command: kubectl set image deployment/web-app web-app=nginx:1.25. Which command can you use to monitor the progress of the rollout?

A.kubectl describe deployment/web-app
B.kubectl rollout history deployment/web-app
C.kubectl rollout status deployment/web-app
D.kubectl get events --watch
AnswerC

This command watches the rollout status until it completes.

Why this answer

The kubectl rollout status command tracks the progress of a deployment rollout.

668
MCQmedium

A Deployment is configured with 'resources.requests.memory: 256Mi' and 'resources.limits.memory: 512Mi'. The node runs out of memory. Which pods will be the first to be evicted?

A.The node will not evict pods if limits are set
B.This pod will be evicted first because it has a memory limit
C.BestEffort pods first, then this Burstable pod, then Guaranteed pods last
D.All pods are evicted simultaneously
AnswerC

QoS classes determine eviction order: BestEffort first, then Burstable, then Guaranteed.

Why this answer

C is correct because Kubernetes evicts pods based on their Quality of Service (QoS) class when a node runs out of memory. BestEffort pods (no requests/limits) are evicted first, followed by Burstable pods (requests < limits, as in this case), and Guaranteed pods (requests == limits) are evicted last. This ensures that pods with stricter resource guarantees are more protected during memory pressure.

Exam trap

CNCF often tests the misconception that setting a memory limit alone protects a pod from eviction, but the key factor is the QoS class derived from the relationship between requests and limits, not just the presence of limits.

How to eliminate wrong answers

Option A is wrong because the node will evict pods when memory is exhausted, regardless of whether limits are set; the kubelet uses the QoS class to determine eviction order. Option B is wrong because this Burstable pod will not be evicted first; BestEffort pods (with no resource specifications) are evicted before any Burstable pod. Option D is wrong because eviction is not simultaneous; pods are evicted in a specific order based on their QoS class, starting with BestEffort, then Burstable, and finally Guaranteed.

669
MCQmedium

A CronJob is configured with 'concurrencyPolicy: Forbid'. What happens if the scheduled time arrives while the previous job is still running?

A.The new job is skipped until the next scheduled time
B.The new job starts immediately, running concurrently
C.The running job is terminated and the new job starts
D.The CronJob enters an error state
AnswerA

Forbid prevents overlapping runs; the new job is simply missed.

Why this answer

With 'Forbid', if a job is still running, the new scheduled job is skipped (does not run).

670
Multi-Selectmedium

Which TWO statements are true about Helm releases? (Select two)

Select 2 answers
A.Helm automatically deletes the previous release when upgrading.
B.Helm rollback only works if the current release was created with Helm.
C.A Helm release is immutable once installed.
D.Helm stores release information in the same namespace as the chart's resources.
E.Helm rollback only works on the most recent release revision.
.You can have multiple releases of the same chart in the same namespace.
AnswersD

Release secrets are stored in the namespace where the chart is installed.

Why this answer

Helm releases are tracked in the cluster, and each install creates a new release.

671
MCQeasy

Which Service type exposes a Service externally via each Node's IP on a static port?

A.NodePort
B.ClusterIP
C.LoadBalancer
D.ExternalName
AnswerA

NodePort opens a port on every node that forwards to the service.

Why this answer

NodePort exposes the service on each node's IP at a static port (30000-32767).

672
Multi-Selectmedium

Which TWO commands can be used to update the image of a Deployment? (Select two)

Select 3 answers
A.kubectl set image deployment/myapp app=nginx:1.21
B.kubectl edit deployment myapp
C.kubectl update deployment myapp --image=nginx:1.21
D.kubectl patch deployment myapp -p '{"spec":{"template":{"spec":{"containers":[{"name":"app","image":"nginx:1.21"}]}}}}'
E.kubectl replace deployment myapp --image=nginx:1.21
AnswersA, B, D

Directly sets the image.

Why this answer

kubectl set image and kubectl edit are valid ways to update a Deployment's image. Option A and D are correct.

673
MCQhard

You have a Deployment that is currently paused. You want to resume the rollout and then check the status of the rollout. Which set of commands should you run?

A.kubectl rollout pause deployment/myapp && kubectl rollout status deployment/myapp
B.kubectl rollout resume deployment/myapp && kubectl rollout history deployment/myapp
C.kubectl rollout undo deployment/myapp && kubectl rollout status deployment/myapp
D.kubectl rollout resume deployment/myapp && kubectl rollout status deployment/myapp
AnswerD

Resume then check status.

Why this answer

First, resume the rollout with 'kubectl rollout resume deployment/<name>', then check status with 'kubectl rollout status deployment/<name>'. Option B is correct.

674
MCQhard

Which of the following is a valid YAML snippet for a container that sets the seccomp profile to 'RuntimeDefault' in a PodSecurityContext?

A.securityContext: seccompProfile: type: RuntimeDefault
B.securityContext: seccompProfile: profile: RuntimeDefault
C.securityContext: seccomp: RuntimeDefault
D.securityContext: seccomp: type: RuntimeDefault
AnswerA

Correct. This sets the seccomp profile to RuntimeDefault.

Why this answer

Option A is correct because in a PodSecurityContext, the seccomp profile is configured under the `seccompProfile` field with a `type` key set to `RuntimeDefault`. This tells the container runtime (e.g., containerd) to use the default seccomp profile provided by the runtime, which blocks a set of syscalls that are not typically needed by containers.

Exam trap

The trap here is that candidates confuse the `type` key (which specifies the profile type, e.g., RuntimeDefault, Localhost, Unconfined) with a `profile` key, or they flatten the YAML structure by omitting the `seccompProfile` nesting, leading to invalid configuration.

How to eliminate wrong answers

Option B is wrong because it uses `profile: RuntimeDefault` instead of `type: RuntimeDefault`; the correct key under `seccompProfile` is `type`, not `profile`. Option C is wrong because it uses `seccomp: RuntimeDefault` as a flat key-value pair, but the seccomp configuration must be nested under `seccompProfile` with a `type` field. Option D is wrong because it uses `seccomp: type: RuntimeDefault` as a flat key-value pair, which is invalid YAML structure; the correct nesting requires `seccompProfile` as an intermediate key.

675
MCQmedium

A pod named 'web' is in a CrashLoopBackOff state. You suspect the application is failing due to a configuration error. You want to see the logs from the previous instance of the container. Which command should you use?

A.kubectl logs web
B.kubectl logs -f web
C.kubectl logs web --previous
D.kubectl describe pod web
AnswerC

This shows logs from the previous instance of the container, which is useful for debugging crashes.

Why this answer

The `--previous` flag in `kubectl logs` retrieves logs from the previous instance of a container in a pod that has restarted. Since the pod is in CrashLoopBackOff, the current container has likely crashed and a new one has started; `--previous` shows the logs from the terminated container that caused the crash, helping diagnose the configuration error.

Exam trap

The trap here is that candidates assume `kubectl logs` alone shows all logs, but they forget that a crashed container's logs are only accessible with `--previous`, and they may mistakenly choose `kubectl describe pod` thinking it includes logs.

How to eliminate wrong answers

Option A is wrong because `kubectl logs web` only shows logs from the currently running container, which may be empty or unhelpful if the container has already crashed and restarted. Option B is wrong because `kubectl logs -f web` streams logs from the current container in real-time, but does not show logs from the previous terminated instance. Option D is wrong because `kubectl describe pod web` provides pod metadata, events, and status, but does not show container logs, which are needed to see the application error output.

Page 8

Page 9 of 14

Page 10