CCNA Application Design and Build Questions

75 of 178 questions · Page 1/3 · Application Design and Build · Answers revealed

1
MCQ · medium

A developer creates a Deployment with 3 replicas that uses a ConfigMap mounted as a volume. After updating the ConfigMap, the developer expects the pods to pick up the new configuration immediately, but the old configuration is still in use. What is the most likely reason?

A. ConfigMap updates are not propagated to mounted volumes.
B. The kubelet sync interval delays the propagation of ConfigMap changes to pods.
C. The pods must be recreated after a ConfigMap update to see the changes.
D. ConfigMaps are immutable and cannot be updated.
Answer: B

The kubelet periodically syncs ConfigMap data; changes may take up to the sync period to appear.

Why this answer

When a ConfigMap is mounted as a volume, updates to the ConfigMap are eventually propagated to the pods, but not instantly. The kubelet periodically syncs mounted ConfigMaps (default interval is 60 seconds), so there is a delay before pods see the new configuration. This is the most likely reason the old configuration is still in use.

Exam trap

The trap here is that candidates often assume ConfigMap updates are either instant or require pod recreation, but the CKAD exam tests the nuance that mounted volumes are updated with a kubelet sync delay, while environment variables are not updated at all.

How to eliminate wrong answers

Option A is wrong because ConfigMap updates are propagated to mounted volumes — the kubelet does update the files in the volume, but with a sync delay. Option C is wrong because pods do not need to be recreated; the mounted volume is updated in-place by the kubelet, though some applications may require a restart to reload the configuration. Option D is wrong because ConfigMaps are not immutable by default; they can be updated unless explicitly created with the `immutable: true` field.

2
Multi-Select · medium

Which TWO of the following are valid fields in a Job spec? (Select TWO.)

Select 2 answers
A. replicas
B. backoffLimit
C. schedule
D. restartPolicy
E. parallelism
Answers: B, E

Specifies the number of retries before marking the Job as failed.

Why this answer

Options B and E are correct. 'parallelism' controls concurrency, 'backoffLimit' controls retries. Option D (restartPolicy) is a pod-level field, not a Job spec field; Jobs have a default restartPolicy of OnFailure. Option A (replicas) is for Deployments. Option C (schedule) is for CronJobs.

3
Multi-Select · medium

A developer is creating a CronJob that should not start a new job if the previous one is still running. Which TWO configurations achieve this? (Select exactly 2.)

Select 2 answers
A. Set concurrencyPolicy: Allow
B. Set startingDeadlineSeconds to a low value
C. Set concurrencyPolicy: Replace
D. Set concurrencyPolicy: Forbid
E. Use a schedule that ensures jobs finish before the next scheduled time
Answers: D, E

Forbid prevents new job creation while a previous job is still running.

Why this answer

concurrencyPolicy: Forbid prevents overlapping jobs. A schedule under which jobs never overlap (though less flexible) also achieves this. Using 'Allow' would not prevent overlap.

4
MCQ · easy

A developer is designing a Job that should run exactly once and then stop. The Job runs a batch process that is expected to complete within one hour. Which restartPolicy and backoffLimit are appropriate?

A. restartPolicy: Always, backoffLimit: 6
B. restartPolicy: OnFailure, backoffLimit: 4
C. restartPolicy: Never, backoffLimit: 0
D. restartPolicy: Always, backoffLimit: 0
Answer: B

OnFailure retries within the backoff limit; Job completes when pod succeeds.

Why this answer

Option B is correct because a Job designed to run exactly once and stop should use `restartPolicy: OnFailure` or `Never`, and `backoffLimit: 4` provides a reasonable number of retries (up to 4) before the Job is marked as Failed, ensuring the batch process can recover from transient errors within the expected one-hour completion window. The `restartPolicy: Always` is invalid for Jobs (only `OnFailure` or `Never` are allowed), and `backoffLimit: 0` would prevent any retries, which is too restrictive for a batch process that may encounter temporary failures.

Exam trap

The trap here is that candidates often confuse the `restartPolicy` for Pods in a Job with the `restartPolicy` for Deployments, forgetting that Jobs only accept `OnFailure` or `Never`, and that `backoffLimit` controls retries at the Job level, not the container level.

How to eliminate wrong answers

Option A is wrong because `restartPolicy: Always` is not permitted for a Kubernetes Job; Jobs only support `OnFailure` or `Never`, and using `Always` would cause an API validation error. Option C is wrong because `backoffLimit: 0` means the Job will not retry at all after a failure, which is inappropriate for a batch process that may need a few retries to complete successfully within the one-hour window. Option D is wrong because `restartPolicy: Always` is invalid for Jobs, and `backoffLimit: 0` would also prevent any retries, combining two incorrect settings.

5
Multi-Select · easy

Which TWO of the following commands can be used to create a Pod in Kubernetes? (Select 2)

Select 3 answers
A. kubectl create service my-svc --image=nginx
B. kubectl create deployment mydeploy --image=nginx
C. kubectl run mypod --image=nginx
D. kubectl apply -f pod.yaml
E. kubectl create cronjob myjob --image=nginx
Answers: B, C, D

Correct: creates a Deployment that manages pods.

Why this answer

kubectl run and kubectl create deployment (which creates a Deployment that in turn creates pods) can be used. kubectl apply can apply a YAML file that defines a pod. However, kubectl create cronjob creates a CronJob, not a pod. kubectl create service creates a Service.

6
MCQ · easy

Which Kubernetes API version is used for creating a CronJob?

A. batch/v1beta1
B. batch/v1
C. cron/v1
D. apps/v1
Answer: B

batch/v1 is the stable version for CronJob.

Why this answer

CronJob is in the batch/v1 API group.

7
Matching · medium

Match each Kubernetes resource to its primary purpose.


Smallest deployable unit running containers

Stable network endpoint for a set of pods

Store non-sensitive configuration data

Request for storage resources

HTTP and HTTPS routing to services

Why these pairings

These are core Kubernetes resources with distinct roles.

8
Multi-Select · medium

Which TWO of the following are valid concurrencyPolicy values for a CronJob? (Select TWO.)

Select 3 answers
A. Replace
B. Allow
C. Parallel
D. Forbid
E. Serial
Answers: A, B, D

Replaces the currently running job with a new one.

Why this answer

Options B and D are correct. Allow and Forbid are valid. Option A (Replace) is also valid but the question asks for TWO, and we need to select two.

Since there are three valid ones (Allow, Forbid, Replace), the correct ones are B and D (or any two). However, to be precise, the question expects two: Allow and Forbid are the most common. Option C (Parallel) is not valid. Option E (Serial) is not valid.

9
MCQ · medium

You run 'kubectl run debug-pod --image=busybox -it --restart=Never -- sh' but the pod starts and immediately exits. You want to keep the container running to execute commands later. What flag should you add?

A. --stdin=true
B. --command
C. -- sleep infinity
D. --attach
Answer: C

This overrides the command to run 'sleep infinity', keeping the container alive.

Why this answer

The '--' and 'sh' run a shell that exits when stdin is closed. To keep it running, use 'sleep infinity' or a 'while' loop. The simplest is to change the command to 'sleep infinity'.

10
Multi-Select · medium

Which TWO of the following are valid concurrencyPolicy values for a CronJob?

Select 2 answers
A. Parallel
B. Forbid
C. Serial
D. Allow
E. Replace
Answers: B, D

Forbids concurrent runs; skips if previous is still running.

Why this answer

Allow, Forbid, and Replace are the three valid values.

11
MCQ · medium

A user runs 'kubectl run nginx --image=nginx --restart=Never' and the pod goes into 'Pending' state. What is a likely reason?

A. The image name is incorrect
B. The pod is missing a readiness probe
C. The pod's restart policy is set to Never
D. The node has insufficient resources to schedule the pod
Answer: D

Pending means the pod is unschedulable due to resource shortages.

Why this answer

Pending often indicates resource constraints like insufficient CPU or memory.

12
Multi-Select · medium

Which TWO practices optimize Docker image size? (Select 2)

Select 2 answers
A. Running 'apt-get upgrade' in the Dockerfile
B. Using a full OS base image like ubuntu:latest
C. Including a .dockerignore file to exclude unnecessary files
D. Using multi-stage builds to copy only necessary artifacts
E. Installing all packages in one layer without cleanup
Answers: C, D

.dockerignore prevents sending large files to the Docker daemon, reducing context size and build time.

Why this answer

Options C and D are correct. Multi-stage builds (D) allow using a large build image and a small runtime image. .dockerignore (C) excludes unnecessary files. Option A (running apt-get upgrade) increases size. Option B (using a larger base image) increases size.

13
MCQ · hard

You have a CronJob that runs every 5 minutes. The previous job is still running when the next scheduled time arrives. You want the new job to be skipped if the previous one is still running. Which concurrencyPolicy should you set?

A. Skip
B. Allow
C. Replace
D. Forbid
Answer: D

Forbid skips the new job if the previous one is still running, meeting the requirement.

Why this answer

Option D is correct. concurrencyPolicy: Forbid prevents a new job from starting if the previous one hasn't finished. Allow would start another instance concurrently; Replace would terminate the running job and start a new one.

14
MCQ · easy

Which of the following Dockerfile instructions is used to set a command that runs when the container starts and can be overridden by command-line arguments?

A. EXPOSE
B. CMD
C. COPY
D. RUN
Answer: B

CMD provides defaults for an executing container; it can be overridden by providing command-line arguments to docker run.

Why this answer

Option B is correct. CMD sets the default command that can be overridden. ENTRYPOINT sets the command that cannot be overridden (unless --entrypoint flag is used).

Option D (RUN) runs during image build. Option A (EXPOSE) documents ports. Option C (COPY) copies files.

15
MCQ · medium

A DevOps engineer wants to deploy a logging sidecar container that reads log files from the main application container. Which volume type should be used to share files between the two containers?

A. emptyDir
B. persistentVolumeClaim
C. configMap
D. hostPath
Answer: A

emptyDir is created empty and shared across all containers in the Pod, ideal for sidecar log collection.

Why this answer

An emptyDir volume is shared between containers in the same Pod and can be used for ephemeral log sharing.

16
MCQ · hard

You need to debug a pod that is not responding. Which command attaches an ephemeral debug container to a running pod named 'web-pod'?

A. kubectl debug web-pod --copy-to=debug-pod --image=busybox
B. kubectl debug -it web-pod --image=busybox --target=web-container
C. kubectl attach web-pod
D. kubectl run debug --image=busybox -it
Answer: B

Correct command to add an ephemeral debug container.

Why this answer

Option B is correct: kubectl debug -it web-pod --image=busybox --target=web-container attaches an ephemeral container. Option D runs a standalone Pod. Option C attaches to an existing container. Option A creates a copy of the pod, not an ephemeral container.

17
MCQ · medium

A developer needs to expose a deployment named 'web-app' running on port 8080 to external traffic. The cluster is on-premises with no cloud load balancer. Which service type should be used?

A. ExternalName
B. ClusterIP
C. LoadBalancer
D. NodePort
Answer: D

NodePort exposes a port on each node's IP address for external access.

Why this answer

Option D (NodePort) is correct because it exposes a service on a static port on each node's IP address, allowing external traffic to reach the 'web-app' deployment on port 8080 without requiring a cloud load balancer. In on-premises clusters, NodePort is the standard service type for external access when no cloud LB is available, as it opens a high-port (30000-32767) on every node that forwards traffic to the ClusterIP service.

Exam trap

The trap here is that candidates may choose LoadBalancer (C) by default when they see 'expose to external traffic,' forgetting that LoadBalancer requires a cloud provider's external LB, which is not available in on-premises clusters.

How to eliminate wrong answers

Option A is wrong because ExternalName maps a service to an external DNS name (e.g., an external database) via CNAME records, not to expose internal pods to external traffic. Option B is wrong because ClusterIP exposes the service only on a cluster-internal IP, making it unreachable from outside the cluster without additional components like an ingress or proxy. Option C is wrong because LoadBalancer provisions an external load balancer (e.g., AWS ELB, GCP LB), which is unavailable in on-premises environments without a cloud provider integration.

18
MCQ · hard

A CronJob is configured with 'concurrencyPolicy: Forbid'. If a job from the previous schedule is still running when the next scheduled time arrives, what happens?

A. The CronJob is suspended
B. The new job starts immediately, and the old job is terminated
C. The new job is skipped until the old job completes
D. Both jobs run concurrently
Answer: C

Forbid skips the new run if a job is still running.

Why this answer

Forbid prevents concurrent runs; the next job is skipped if the previous one is still running.

19
Multi-Select · hard

Which THREE of the following are valid fields in a CronJob specification?

Select 3 answers
A. completions
B. successfulJobsHistoryLimit
C. concurrencyPolicy
D. schedule
E. parallelism
Answers: B, C, D

successfulJobsHistoryLimit limits how many successful finished jobs are retained.

Why this answer

schedule, concurrencyPolicy, and successfulJobsHistoryLimit are fields in a CronJob spec. completions is a field in Job spec, not directly in CronJob.

20
Multi-Select · medium

Which TWO statements about init containers are true?

Select 2 answers
A. Init containers run to completion before any regular containers start.
B. Init containers run in parallel with regular containers.
C. Init containers run sequentially, one after another.
D. Init containers must use the same image as the main container.
E. Init containers cannot access volumes shared with regular containers.
Answers: A, C

All init containers must complete successfully before regular containers are started.

Why this answer

Options A and C are correct. Init containers run sequentially (each must complete before the next starts). They run before any regular containers in the pod.

Init containers can have different restart policies than regular containers (they always restart until completion). They share the same volumes as regular containers. Init containers are not separate pods.

21
MCQ · medium

A developer runs 'kubectl run mypod --image=nginx --restart=Never' and the pod is created. However, when the container exits, the pod terminates. Which restart policy ensures the pod does NOT restart after completion?

A. Always
B. OnFailure
C. AlwaysFail
D. Never
Answer: D

Never ensures the pod is not restarted, and the pod remains in Succeeded/Failed state.

Why this answer

The '--restart=Never' flag sets the restart policy to 'Never', meaning the pod will not be restarted after the container exits.

22
MCQ · easy

Which command is used to create a CronJob in Kubernetes that runs a job every 5 minutes?

A. kubectl apply -f cronjob.yaml
B. kubectl run cronjob --image=busybox --schedule="*/5 * * * *" -- /bin/sh -c 'date'
C. kubectl create cronjob hello --image=busybox --schedule="*/5 * * * *" -- /bin/sh -c 'date'
D. kubectl create job hello --image=busybox --schedule="*/5 * * * *" -- /bin/sh -c 'date'
Answer: C

Correct: kubectl create cronjob creates a CronJob resource with the specified schedule.

Why this answer

The correct command is 'kubectl create cronjob' because CronJob is a standard Kubernetes resource. The --schedule flag defines the schedule.

23
MCQ · medium

You need to run a one-time batch job that processes 10 work items in parallel, with a maximum of 3 pods running at the same time. Which Job YAML fields should you set?

A. spec.template.spec.containers and spec.completions
B. spec.parallelism: 10 and spec.completions: 3
C. spec.parallelism: 3 and spec.completions: 10
D. spec.backoffLimit: 3 and spec.completions: 10
Answer: C

parallelism limits concurrent pods, completions defines total successful runs.

Why this answer

The .spec.parallelism field sets the maximum number of pods running concurrently, and .spec.completions sets the total number of successful completions required.

24
MCQ · medium

You want to create a Deployment that runs 5 replicas of a web application. Which kubectl command should you use?

A. kubectl run webapp --image=nginx --replicas=5
B. kubectl create pod webapp --image=nginx --replicas=5
C. kubectl apply -f deployment.yaml
D. kubectl create deployment webapp --image=nginx --replicas=5
Answer: D

This command creates a Deployment with 5 replicas.

Why this answer

The command 'kubectl create deployment' creates a Deployment with the specified number of replicas.

25
MCQ · hard

You have a multi-stage Docker build. The first stage compiles a binary, and the second stage copies the binary from the first stage. What is the correct COPY syntax to copy a file named 'app' from the first stage named 'builder'?

A. COPY app /app/
B. COPY --from=builder app /app/
C. COPY --stage=builder app /app/
D. COPY source=builder app /app/
Answer: B

--from=builder specifies the source stage.

Why this answer

The COPY --from=builder syntax copies files from a previous build stage.

26
MCQ · hard

A team is deploying a microservice that requires initialization of a database schema before the main application starts. The init container must run a script that writes to a shared volume. Which configuration correctly ensures the init container completes before the main container runs?

A. Run the script as a sidecar container that shares the volume with the main container.
B. Use a postStart lifecycle hook on the main container to run the script.
C. Define an init container with the script and mount the shared volume to both init and main containers.
D. Add a readiness probe to the main container that checks the shared volume.
Answer: C

Init containers run to completion before app containers start, and shared volumes persist data.

Why this answer

Option C is correct because an init container runs to completion before any main container in the Pod starts, ensuring the database schema script finishes. By mounting the shared volume to both the init container and the main container, the script's output (e.g., schema files) is available to the main application when it launches.

Exam trap

The trap here is that candidates confuse init containers with sidecar containers or lifecycle hooks, not realizing that only init containers guarantee sequential execution before main containers, while sidecars and hooks run concurrently or asynchronously.

How to eliminate wrong answers

Option A is wrong because a sidecar container runs concurrently with the main container, not before it, so the database schema might not be initialized when the main application starts. Option B is wrong because a postStart lifecycle hook runs asynchronously and does not block the main container's entrypoint; the main container could start before the script completes, leading to race conditions. Option D is wrong because a readiness probe only checks if the main container is ready to serve traffic after it has started; it does not guarantee that the schema initialization script has run before the main container begins execution.

27
MCQ · hard

A CronJob is configured with concurrencyPolicy: Forbid and schedule: '*/5 * * * *'. The first job takes 7 minutes. What happens when the next scheduled time arrives?

A. The previous job is terminated
B. The new job waits until the previous job completes
C. The new job is skipped
D. A new job is created immediately
Answer: C

Forbid skips the new job if the previous one is still running.

Why this answer

Option C is correct. With concurrencyPolicy: Forbid, if a previous job is still running, the new job is skipped. The first job is still running after 5 minutes, so the second job is skipped.

28
MCQ · hard

A pod has an init container that fails. The status shows 'Init:CrashLoopBackOff'. The pod's restartPolicy is 'Always'. What happens to the init container?

A. The pod will be deleted and recreated
B. The main containers will start anyway
C. The init container will restart until it succeeds
D. The init container will not restart because the pod's restartPolicy is Always
Answer: C

Init containers always restart on failure until they succeed.

Why this answer

Option C is correct. Init containers always have restartPolicy=Always regardless of the pod's restartPolicy. They restart until they succeed.

If they fail repeatedly, they enter CrashLoopBackOff.

29
MCQ · medium

You have a Dockerfile with a multi-stage build. The first stage is named 'builder' and uses 'golang:1.20' to compile a binary. The second stage uses 'alpine:3.18' and should copy the binary from the first stage. Which COPY instruction is correct?

A. ADD --from=builder /app/myapp /usr/local/bin/myapp
B. COPY /app/myapp /usr/local/bin/myapp
C. COPY --from=0 /app/myapp /usr/local/bin/myapp
D. COPY --from=builder /app/myapp /usr/local/bin/myapp
Answer: D

This correctly copies from the 'builder' stage and is the recommended approach.

Why this answer

Option D is correct. In multi-stage builds, COPY --from=builder copies files from the stage named 'builder'. Option C incorrectly uses '--from 0', which would reference the first stage, but referencing it by name is clearer. Option B is valid but not the best practice. Option A is for adding remote URLs.

30
MCQ · medium

A developer wants to debug a running container in a Pod named 'web-app' in namespace 'dev'. Which command attaches an ephemeral container with the 'nicolaka/netshoot' image for network debugging?

A. kubectl debug web-app -n dev --image=nicolaka/netshoot -c debugger
B. kubectl run debugger -n dev --image=nicolaka/netshoot --restart=Never
C. kubectl attach web-app -n dev -c debugger --image=nicolaka/netshoot
D. kubectl exec -n dev web-app --image=nicolaka/netshoot -- /bin/bash
Answer: A

kubectl debug creates an ephemeral container in the pod with the specified image.

Why this answer

Option A is correct. kubectl debug with --image and -c creates an ephemeral container. Option C uses attach, which is for existing containers. Option D uses exec into a new container, but ephemeral is the correct approach. Option B uses run but does not target the pod.

31
MCQ · medium

You have a multi-container pod with a main container and a sidecar container that collects logs. The sidecar container must start before the main container and must keep running. Which type of container is the sidecar?

A. Static container
B. Ephemeral container
C. Init container
D. Regular container (in the pod spec)
Answer: D

Correct: sidecar containers are regular containers defined in the pod's containers list.

Why this answer

A sidecar container is a regular container that runs alongside the main container in the same pod. It is not an init container because init containers run to completion before the main containers start. The sidecar typically runs continuously, so it is a regular container.

32
MCQ · hard

A multi-stage build has two stages named 'builder' and 'final'. Which instruction copies artifacts from the builder stage to the final stage?

A. COPY --from=builder /app /app
B. FROM builder /app /app
C. COPY builder /app /app
D. ADD --from=builder /app /app
Answer: A

Correct syntax to copy from a previous stage.

Why this answer

Option A is correct. 'COPY --from=builder' copies from a previous stage. Option D uses 'ADD', which could work, but COPY is preferred for clarity. Options B and C have incorrect syntax.

33
MCQ · medium

A pod is stuck in 'Pending' state. You run 'kubectl describe pod mypod' and see the event: '0/4 nodes are available: 4 Insufficient memory'. Which action will resolve the issue?

A. Scale down other pods in the cluster to free memory
B. Add a nodeSelector to target a specific node
C. Increase the memory request in the pod spec
D. Scale up the Deployment to create more pod replicas
Answer: A

Correct: reducing memory usage on nodes may allow the pod to be scheduled.

Why this answer

The pod cannot be scheduled because no node has enough memory. Deleting other pods that are using memory would free up resources. Scaling the Deployment would increase the number of pods, worsening the problem.

Modifying the node selector would not help if the selected nodes still have insufficient memory.

34
Drag & Drop · medium

Arrange the steps to create a Kubernetes Deployment with a rolling update strategy.

Why this order

First, define the Deployment in YAML. Then apply it. After an update, modify the YAML and re-apply; kubectl performs rolling update automatically.

35
MCQ · medium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A. Increase the memory limit in the pod's container resource specification
B. Delete and recreate the pod to clear the crash loop
C. Increase the CPU request for the container
D. Delete the namespace and redeploy all workloads
Answer: A

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option A is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option B would not help; restarting the pod without addressing the root cause will result in the same failure. Option C addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.

36
MCQ · medium

Which command attaches an ephemeral container to a running pod for debugging?

A. kubectl attach mypod
B. kubectl exec -it mypod -- sh
C. kubectl logs mypod -c mycontainer
D. kubectl debug -it mypod --image=busybox --target=mycontainer
Answer: D

This creates an ephemeral container attached to the pod.

Why this answer

Option D is correct. 'kubectl debug' with '-c' or '--container' specifies the ephemeral container name. Option B is for exec. Option C is for logs. Option A is for attach but not for ephemeral containers.

37
MCQ · easy

In a Kubernetes pod definition, which field specifies the container image to use?

A. containers.image
B. spec.image
C. containers.name
D. spec.containers.image
Answer: A

The 'image' field specifies the container image to pull.

Why this answer

Option A is correct. The container image is specified under the 'image' field inside each container definition in the pod spec. 'containers.name' is for naming the container.

38
MCQ · medium

A Job must run 10 times in total, with up to 3 pods running simultaneously. Which fields should be set?

A. completions: 10, parallelism: 3
B. completions: 10, successfulJobsHistoryLimit: 3
C. completions: 10, parallelism: 10
D. completions: 3, parallelism: 10
Answer: A

completions=10 sets total runs, parallelism=3 sets max concurrent pods.

Why this answer

Option A is correct. completions=10 ensures the Job runs to completion 10 times, and parallelism=3 allows up to 3 pods running concurrently. Option D swaps the fields. Option C sets parallelism too high. Option B uses 'successfulJobsHistoryLimit', which is not relevant.

39
MCQ · easy

Which kubectl command creates a pod named 'nginx' from the image 'nginx:latest'?

A. kubectl run nginx --image=nginx:latest
B. kubectl apply -f pod.yaml
C. kubectl run nginx --image=nginx:latest --restart=Never
D. kubectl create pod nginx --image=nginx:latest
Answer: A

The run command creates a pod by default.

Why this answer

Option A is correct. 'kubectl run nginx --image=nginx:latest' creates a pod. Option B uses 'create pod' which is invalid. Option C uses 'apply' which requires a file.

Option D uses 'deployment' but the question asks for a pod.

40
MCQ · hard

You have a multi-stage Dockerfile with two stages: 'builder' and 'runtime'. You want to copy artifacts from the builder stage to the runtime stage. Which Dockerfile instruction achieves this?

A. EXPORT builder /app/artifact /app/
B. ADD --from=builder /app/artifact /app/
C. COPY ../builder/artifact /app/
D. COPY --from=builder /app/artifact /app/
Answer: D

--from specifies the source stage.

Why this answer

The COPY instruction with --from=stage-name copies files from a previous build stage.

41
MCQ · hard

You are designing a Pod that must run a diagnostic tool to collect network logs before the main application starts. The diagnostic tool should run to completion, then the main application starts. Which approach should you use?

A. Add the diagnostic tool as an init container in the Pod
B. Add the diagnostic tool as a sidecar container in the same Pod
C. Add the diagnostic tool as a sidecar container with a postStart hook
D. Create a separate Job that runs before the Pod
Answer: A

Init containers run sequentially before any app containers start. They must complete successfully before app containers launch.

Why this answer

Option A is correct. Init containers run sequentially to completion before app containers start. Option B is incorrect because sidecars run concurrently with the main container. Option D is incorrect because a Job is a separate resource, not part of the same Pod. Option C is incorrect because the diagnostic tool is not a sidecar.

42
MCQ · easy

Which of the following commands creates a Job that runs a single pod executing the command 'sleep 30'?

A. kubectl run myjob --image=busybox --restart=OnFailure -- sleep 30
B. kubectl create job myjob --image=busybox -- sleep 30
C. kubectl create job myjob --image=busybox --command -- sleep 30
D. kubectl create job myjob --image=busybox sleep 30
Answer: B

Correct syntax: 'kubectl create job <name> --image=<image> -- <command>'.

Why this answer

Option B is correct. The 'kubectl create job' command with the '--image' and '--' syntax is the correct way to create a Job from the command line. Option A uses 'run', which creates a Deployment, not a Job.

Option D creates a Job but the syntax is missing the '--' separator. Option C is a correct command but not the only correct one; however, since the question asks for the single best answer and B is more concise, it is correct.

43
Multi-Select · medium

Which TWO of the following are valid patterns for sidecar containers in a multi-container pod?

Select 2 answers
A. Adapter
B. Sidecar
C. Ambassador
D. Init container
E. Proxy
Answers: A, B

An adapter standardizes interfaces.

Why this answer

The sidecar, adapter, and ambassador are common patterns. Init container is not a sidecar pattern.

44
Multi-Select · medium

Which TWO of the following are valid fields in a CronJob spec? (Select 2)

Select 2 answers
A. restartPolicy
B. concurrencyPolicy
C. completions
D. schedule
E. parallelism
Answers: B, D

Correct: concurrencyPolicy controls how concurrent runs are handled (Allow, Forbid, Replace).

Why this answer

B is correct because `concurrencyPolicy` is a valid field in a CronJob spec that controls how concurrent executions of the job are handled. It can be set to `Allow`, `Forbid`, or `Replace`, which determines whether a new job can start while a previous one is still running.

Exam trap

CNCF often tests the distinction between CronJob spec fields and Job spec fields, trapping candidates who confuse `completions` and `parallelism` (Job-level) with CronJob-level fields like `schedule` and `concurrencyPolicy`.

45
MCQhard

A Kubernetes Job with parallelism=3 and completions=6 is created. How many pods will run concurrently at most?

A.3
B.9
C.6
D.1
AnswerA

'parallelism' defines the maximum number of pods that can run concurrently. Here it is set to 3.

Why this answer

Option B is correct. The 'parallelism' field specifies the maximum number of pods that can run concurrently. 'completions' is the total number of successful pods needed for the Job to complete. So at most 3 pods will run concurrently.

Option A (6) is the total completions, not concurrency. Option C (1) is the default but not the configured value. Option D (9) is incorrect.

46
MCQmedium

A Kubernetes pod has two containers: a main application container and a sidecar container running a logging agent. The sidecar container is expected to start before the main container because it needs to initialize a shared log directory. What Kubernetes feature ensures this ordering?

A.Lifecycle hooks
B.Readiness probe on the sidecar
C.Init containers
D.Resource limits
AnswerC

Init containers run sequentially and complete before app containers start.

Why this answer

Init containers run to completion before app containers start, ensuring order.

47
MCQmedium

You need to run a batch job that processes 10 items in parallel across 10 Pods, but the job should be considered complete only when all 10 Pods have succeeded. Which Job configuration is correct?

A.spec: completions: 10; parallelism: 1
B.spec: completions: 1; parallelism: 10
C.spec: completions: 10; parallelism: 10
D.spec: completions: 10; parallelism: 0
AnswerC

This runs 10 Pods in parallel and requires all 10 to complete successfully.

Why this answer

Option B is correct. completions: 10 and parallelism: 10 will run 10 Pods in parallel and require all 10 to succeed. Option A has completions: 10 but parallelism: 1, so Pods run sequentially. Option C has completions: 1, so only one Pod needs to succeed.

Option D has parallelism: 10 but completions: 1, so only one Pod needs to succeed.

48
MCQmedium

A developer wants to create a Job that runs exactly 3 pods in parallel. Which field should be set in the Job spec?

A.spec.ttlSecondsAfterFinished: 3
B.spec.backoffLimit: 3
C.spec.parallelism: 3
D.spec.completions: 3
AnswerC

parallelism sets the maximum number of pods running in parallel.

Why this answer

The 'parallelism' field controls how many pods can run concurrently.

49
MCQhard

You have a Job that should retry up to 3 times if it fails, and should be considered failed after 4 failures total (including retries). Which YAML fields should you set?

A.spec.activeDeadlineSeconds: 4
B.spec.backoffLimit: 4
C.spec.restartPolicy: OnFailure and spec.backoffLimit: 3
D.spec.backoffLimit: 3
AnswerD

backoffLimit sets the number of retries. With 3 retries, total attempts = 1 (initial) + 3 (retries) = 4.

Why this answer

The .spec.backoffLimit field sets the number of retries, and .spec.activeDeadlineSeconds sets a timeout for the job. However, the question asks for failures total. By default, the backoff limit is 6, but setting it to 3 means 4 total attempts (initial + 3 retries).

The field that controls retries is backoffLimit, and activeDeadlineSeconds is optional. The initial attempt is not a retry; backoffLimit defines the number of retries. So for 4 total attempts, set backoffLimit: 3.

50
MCQhard

A Job has the following spec:

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: pi
spec:
  template:
    spec:
      containers:
      - name: pi
        image: perl
        command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
      restartPolicy: Never
  backoffLimit: 4
```

If the pod fails, how many times will Kubernetes retry the job before considering it failed?

A.4
B.1
C.0
D.5
AnswerA

backoffLimit sets the number of retries. After 4 retries, the job is marked as failed.

Why this answer

Option C is correct. backoffLimit specifies the number of retries before marking the job as failed. The default is 6. Here, backoffLimit: 4 means the job will be retried up to 4 times after the initial failure, so a total of 5 attempts (1 initial + 4 retries).

However, the question asks 'before considering it failed' — after the backoffLimit is exhausted, the job is marked as failed. So the number of retries is exactly the backoffLimit value.

51
MCQeasy

Which of the following commands creates a deployment named 'webapp' that runs the image 'nginx:1.25' with 3 replicas and exposes port 80?

A.kubectl create deployment webapp --image=nginx:1.25 --replicas=3 --port=80
B.kubectl run webapp --image=nginx:1.25 --replicas=3 --port=80
C.kubectl create deployment webapp --image=nginx:1.25 --replicas=3 --port=80
D.kubectl create deployment webapp --image=nginx:1.25 --replicas=3 --port=80
AnswerD

This command creates a deployment named webapp with 3 replicas and exposes port 80.

Why this answer

Option B is correct. The kubectl create deployment command creates a deployment with a given name and image. The --replicas flag sets the number of replicas.

The --port flag is used to create a Service by default, but for this question, it is used to expose the container port. Option A uses --replicas incorrectly (it should be --replicas, not --replicas). Option C uses the wrong command (kubectl run is for pods, not deployments).

Option D has a typo (--replicas instead of --replicas).

52
MCQhard

A CronJob is configured with concurrencyPolicy: Replace and a job execution takes 10 minutes. The schedule is */5 * * * *. Which statement is true about job executions?

A.Jobs will never overlap because the schedule is too frequent
B.Every 5 minutes, a new job is created, and if the previous job is still running, it is killed
C.The job will be skipped if the previous one hasn't finished
D.Jobs will overlap, with up to two jobs running concurrently
AnswerB

Replace policy terminates the running job and starts a new one at each scheduled time.

Why this answer

With concurrencyPolicy: Replace, if a new job should start while a previous one is still running, the running job is terminated and a new one is created. The schedule triggers every 5 minutes.

53
MCQmedium

You have a multi-container pod with a main container and a sidecar container that collects logs. The sidecar container should start before the main container and must complete initialization tasks before the main container starts. Which type of container should you use for this purpose?

A.Ephemeral container
B.Init container
C.Job
D.Regular sidecar container
AnswerB

Init containers run to completion sequentially before any regular containers start, making them suitable for initialization tasks.

Why this answer

Option C is correct. Init containers run sequentially and complete before any regular containers in the pod start. They are ideal for initialization tasks.

Sidecar containers (regular containers) run concurrently with the main container. Ephemeral containers are for debugging and do not run at pod startup. Jobs are not containers within a pod.

54
MCQeasy

Which of the following is NOT a valid restart policy for a Pod?

A.OnFailure
B.Always
C.Never
D.UnlessStopped
AnswerD

UnlessStopped is not a valid Kubernetes restart policy.

Why this answer

Option C is correct. Pod restartPolicy only supports Always, OnFailure, and Never. 'UnlessStopped' is not a valid Kubernetes restart policy.

55
MCQhard

You need to debug a pod that has no running container because it crashed. The pod is in CrashLoopBackOff. Which command allows you to start a temporary container in the same pod for debugging?

A.kubectl debug <pod> -it --image=busybox
B.kubectl attach <pod>
C.kubectl run debug --image=busybox
D.kubectl exec -it <pod> -- /bin/bash
AnswerA

This adds an ephemeral debug container.

Why this answer

kubectl debug can add an ephemeral container to a running or crashed pod.

56
MCQeasy

Which Dockerfile instruction is used to specify the base image for a build?

A.COPY
B.RUN
C.FROM
D.CMD
AnswerC

FROM specifies the base image.

Why this answer

The FROM instruction initializes a new build stage and sets the base image.

57
MCQmedium

Which of the following is true about the CMD instruction in a Dockerfile?

A.CMD is always executed during the image build process
B.CMD is used to expose ports
C.CMD cannot be used in conjunction with ENTRYPOINT
D.CMD provides a default command that can be overridden at runtime
AnswerD

CMD is the default command, easily overridden by docker run arguments.

Why this answer

CMD sets the default command to run when the container starts, but it can be overridden by command-line arguments to docker run.

58
Multi-Selecthard

Which THREE are valid reasons to use a StatefulSet instead of a Deployment?

Select 3 answers
A.The application requires rolling updates.
B.Each pod requires a stable, unique network identity.
C.Each pod needs its own persistent volume that persists across rescheduling.
D.The application cannot be scaled down.
E.Pods must be terminated in reverse order during shutdown.
AnswersB, C, E

StatefulSets assign stable hostnames based on ordinal index.

Why this answer

StatefulSet assigns each pod a stable, unique network identity (e.g., a hostname like `web-0`, `web-1`) via a headless Service, which is critical for stateful applications like databases that rely on consistent DNS names for clustering and discovery. Deployments create pods with random, ephemeral hostnames, making them unsuitable for workloads requiring predictable network identities.

Exam trap

CNCF often tests the misconception that only StatefulSets support rolling updates, but both controllers do; the trap is confusing a shared feature with a unique StatefulSet capability.

59
MCQhard

You have a CronJob that runs every 5 minutes. The job sometimes takes longer than 5 minutes to complete. You want to ensure that while a job is running, the next scheduled job is skipped (not started). Which concurrencyPolicy should you use?

A.Forbid
B.Skip
C.Allow
D.Replace
AnswerA

Forbid skips the next run if the previous job is still active.

Why this answer

concurrencyPolicy: Forbid prevents new jobs from starting while the previous job is still running.

60
MCQhard

You run 'kubectl apply -f pod.yaml' but the pod remains in 'Pending' state. 'kubectl describe pod' shows '0/1 nodes are available: 1 Insufficient cpu'. What is the most likely cause?

A.The pod's memory limit is too low
B.The container image is not found in the registry
C.The node is under disk pressure
D.The pod's CPU request exceeds the available CPU capacity on any node
AnswerD

The message 'Insufficient cpu' means no node can satisfy the CPU request. This is the correct interpretation.

Why this answer

Option D is correct. The error indicates that no node has enough CPU capacity to satisfy the pod's CPU request. Option A would cause a different error (ImagePullBackOff).

Option B is unrelated to CPU. Option C is not a typical cause of Insufficient CPU; node pressure is a symptom, not a cause.

61
Multi-Selecthard

Which THREE statements are true about init containers? (Select 3)

Select 3 answers
A.Init containers support liveness and readiness probes
B.Init containers cannot have resource limits
C.Init containers must complete successfully before any main container starts
D.Init containers run sequentially in the order they are defined
E.If an init container fails, it will restart until it succeeds, regardless of the pod's restartPolicy
AnswersC, D, E

Main containers wait for all init containers to succeed.

Why this answer

Options A, C, and D are correct. Init containers run sequentially (A), their restart policy is always RestartPolicyAlways regardless of pod's restartPolicy (C), and they must complete successfully before main containers start (D). Option B is false because init containers don't have liveness probes.

Option E is false because init containers can have resource limits.

62
MCQmedium

A developer wants to containerize a Node.js application. The Dockerfile should first copy only package.json and package-lock.json, run npm install, then copy the rest of the source code. Which Dockerfile best achieves this?

A.COPY . /app\nRUN npm install
B.ADD package*.json /app/\nRUN npm install\nADD . /app/
C.COPY package*.json /app/\nRUN npm install\nCOPY . /app/
D.ADD . /app\nRUN npm install
AnswerC

This order layers the npm install step after copying only the package files, allowing Docker to cache the npm install layer until package files change.

Why this answer

Option B is correct because it copies the package files first, runs npm install to leverage Docker layer caching, and then copies the rest of the source code. Option A copies everything first, which invalidates the cache for npm install on every source code change. Option C and D use ADD, which is unnecessary for local files and may have unintended behaviors like extracting archives.

63
MCQmedium

You have a Deployment with 3 replicas. You need to perform a rolling update with a 10-second delay between each Pod replacement to ensure stability. Which kubectl command is correct?

A.kubectl rollout restart deployment/myapp
B.kubectl edit deployment/myapp and change the image manually
C.kubectl set image deployment/myapp myapp=myapp:v2 --record
D.kubectl patch deployment/myapp -p '{"spec":{"template":{"spec":{"containers":[{"name":"myapp","image":"myapp:v2"}]}}}}'
AnswerC

kubectl set image updates the container image; the rolling update strategy handles the delay via maxSurge and maxUnavailable, not a fixed delay. However, this is the standard command to trigger a rolling update.

Why this answer

Option A is correct. kubectl set image updates the image, and the --record flag is outdated but acceptable. Option B uses edit which is not needed. Option C uses rollout restart which does not change the image.

Option D applies a patch but is more complex.

64
MCQeasy

A developer is creating a ConfigMap from a file named 'app.properties'. The file contains key-value pairs. Which command correctly creates the ConfigMap with keys matching the file content?

A.kubectl create configmap my-config --from-file=app.properties
B.kubectl create configmap my-config --from-literal=app.properties
C.cat app.properties | kubectl create configmap my-config --from-file=-
D.kubectl create configmap my-config --from-env-file=app.properties
AnswerA

--from-file creates a configmap with a key named 'app.properties' containing file content.

Why this answer

Option A is correct because `--from-file=app.properties` creates a ConfigMap where each key-value pair from the file becomes a separate data entry, with the key being the filename (app.properties) and the value being the entire file content. This matches the requirement that the ConfigMap keys match the file content, meaning the file itself is stored as a single key-value pair where the key is the filename.

Exam trap

The trap here is confusing `--from-file` (which stores the entire file as a single value under the filename key) with `--from-env-file` (which parses key-value pairs from the file), leading candidates to choose option D when they want to import key-value pairs from a properties file.

How to eliminate wrong answers

Option B is wrong because `--from-literal` is used to specify key-value pairs directly on the command line (e.g., `--from-literal=key=value`), not to reference a file; `--from-literal=app.properties` would create a ConfigMap with a single key named 'app.properties' and an empty value, not the file content. Option C is wrong because piping the file content via `cat` to `kubectl create configmap --from-file=-` would read the file content as a single blob and store it under the key `-`, not parse the key-value pairs from the file; `--from-file=-` expects the file content to be passed via stdin but still treats the entire input as a single value for the key `-`. Option D is wrong because `--from-env-file=app.properties` is used to create a ConfigMap from a file containing environment-variable-style lines (e.g., `KEY=VALUE`), which would parse the file and create separate keys for each line, not store the file content as a single key-value pair with the filename as the key.

65
MCQmedium

You need to add a debugging container to a running pod named 'app-pod' in the 'dev' namespace. Which command achieves this?

A.kubectl run debug-pod --image=busybox -n dev --rm -it
B.kubectl attach pod/app-pod -n dev
C.kubectl debug pod/app-pod -n dev --image=busybox --ephemeral
D.kubectl exec pod/app-pod -n dev -it -- /bin/sh
AnswerC

This adds an ephemeral container to the running pod for debugging.

Why this answer

Option D is correct. kubectl debug allows adding ephemeral containers to running pods. The syntax `kubectl debug pod/app-pod -n dev --image=busybox --ephemeral` creates an ephemeral container. Option A (kubectl exec) runs commands in existing containers; it does not add containers.

Option B (kubectl run) creates a new pod; it does not attach to an existing one. Option C (kubectl attach) attaches to a running container's stdin/stdout.

66
MCQmedium

A user runs: kubectl apply -f job.yaml. The Job spec has backoffLimit: 0. The pod fails immediately. What happens?

A.The Job is retried indefinitely
B.The pod is restarted until it succeeds
C.The Job enters a Failed state
D.A new pod is created automatically
AnswerC

No retries are allowed, so the Job fails.

Why this answer

With backoffLimit: 0, the Job is not retried after the first failure, so the Job enters Failed state.

67
MCQmedium

You want to debug a running pod by starting a temporary container that has network access to the pod's containers. Which kubectl command should you use?

A.kubectl debug -it <pod> --image=debian --target=<container>
B.kubectl attach <pod>
C.kubectl run debug --image=debian --restart=Never
D.kubectl exec -it <pod> -- /bin/bash
AnswerA

This creates a new ephemeral container in the pod for debugging.

Why this answer

The 'kubectl debug' command with the '-i' (interactive) and '--image' flags creates an ephemeral container for debugging.

68
MCQeasy

Which command builds a Docker image from the current directory and tags it as 'myapp:v1'?

A.docker image build --name myapp:v1 .
B.docker build -t myapp:v1 .
C.docker build myapp:v1 .
D.docker tag myapp:v1 .
AnswerB

Correct syntax: -t for tag, . for build context.

Why this answer

The -t flag tags the image.

69
MCQeasy

Which of the following best describes the purpose of an init container?

A.Init containers run in parallel with the main containers to provide auxiliary functionality
B.Init containers run to completion before the main containers start, and are used for setup tasks
C.Init containers share the same lifecycle as the main containers
D.Init containers are restarted if they exit with a non-zero exit code
AnswerB

Init containers are ideal for initialization tasks like database schema migrations or waiting for services.

Why this answer

Init containers run before the main containers in a pod and must complete successfully before the main containers start.

70
MCQmedium

You need to ensure that a Pod always runs on a node with an SSD. Which node selector mechanism should you use?

A.Tolerations
B.Pod affinity
C.nodeName
D.nodeSelector with a label matching nodes with SSD
AnswerD

Correct: nodeSelector ensures the pod is scheduled on nodes with the specified label.

Why this answer

Node affinity with requiredDuringSchedulingIgnoredDuringExecution ensures the pod is scheduled only on nodes that match the label (e.g., disktype=ssd). nodeSelector is simpler but less expressive; nodeName is not flexible; pod affinity is for co-location with other pods.

71
Multi-Selecthard

Which TWO statements about init containers are true?

Select 2 answers
A.Init containers can run in parallel with each other.
B.Init containers can have resource limits different from app containers.
C.Init containers always run to completion before any app containers start.
D.Init containers are restarted if they fail, using the same restart policy as the app containers.
E.Init containers must use the same container image as the app containers.
AnswersB, C

Init containers have their own resource specifications independent of app containers.

Why this answer

Options A and D are correct. Init containers must run to completion before app containers start (A). They can have different resource limits than app containers (D) and can use different container images.

Option B is false because init containers run sequentially, not in parallel. Option C is false because init containers can have their own images. Option E is false because init containers run before all app containers.

72
MCQeasy

Which command builds a Docker image from the current directory and tags it as 'myapp:v1'?

A.docker build .
B.docker build -t myapp:v1
C.docker push myapp:v1
D.docker build -t myapp:v1 .
AnswerD

Correct syntax: docker build -t <tag> <context>.

Why this answer

Option C is correct. The 'docker build -t' command is used to tag an image during build. Option A misses the tag.

Option B uses wrong syntax. Option D uses 'push' which is for pushing images.

73
MCQeasy

What is the purpose of a .dockerignore file in a Docker build context?

A.It limits the number of layers in the final image
B.It excludes files and directories from being sent to the Docker daemon during the build
C.It defines environment variables for the container
D.It specifies the order of layers in the Docker image
AnswerB

.dockerignore prevents certain files from being included in the build context, reducing build time and avoiding accidental inclusion of sensitive data.

Why this answer

Option C is correct. .dockerignore excludes files and directories from the build context, making builds faster and more secure. Option A is about ordering layers. Option B is about security scanning.

Option D is not a standard behavior.

74
MCQmedium

You need to debug a running pod that does not have a shell installed. Which kubectl command allows you to start an ephemeral container with a shell?

A.kubectl create pod debug --image=busybox --attach
B.kubectl exec -it <pod> -- /bin/sh
C.kubectl debug <pod> --image=busybox --stdin --tty
D.kubectl run debug --image=busybox --attach
AnswerC

kubectl debug adds an ephemeral container to the pod with the specified image and attaches to it.

Why this answer

Option C is correct. 'kubectl debug' is used to create ephemeral containers for debugging. Option A is wrong because kubectl exec requires a shell in the container. Option B is invalid.

Option D creates a new pod, not an ephemeral container.

75
MCQmedium

A CronJob has concurrencyPolicy set to 'Forbid'. At the scheduled time, if the previous job is still running, what happens?

A.The new job is delayed until the previous job completes
B.The new job is skipped (does not run)
C.Both jobs run concurrently
D.The previous job is terminated and the new job starts
AnswerB

Forbid prevents concurrent runs; the new job is simply skipped.

Why this answer

Option A is correct. 'Forbid' means the new job is skipped if the previous job is still running. Option B (Replace) kills the previous and starts new. Option C (Allow) allows concurrent runs.

Option D (Delay) is not a valid concurrency policy.
