CCNA Application Design and Build Questions

75 of 178 questions · Page 2/3 · Application Design and Build · Answers revealed

76
MCQmedium

You need to schedule a task that runs every day at 2:00 AM. The task should be allowed to run even if a previous instance is still running. Which concurrencyPolicy should you set in the CronJob spec?

A.Allow
B.Replace
C.Forbid
D.Ignore
AnswerA

Allow permits concurrent runs, so if a previous instance is still running, a new one can start.

Why this answer

Option A is correct. concurrencyPolicy: Allow permits multiple Job instances to run concurrently. Forbid prevents new runs if any is currently running. Replace kills the current run and starts a new one.

The default is Allow, but explicitly setting Allow is better for clarity.

77
MCQhard

A Pod has two containers: one with a liveness probe that fails after 30 seconds. The restartPolicy is 'Never'. What state will the Pod be in after the liveness probe fails?

A.Running
B.Failed
C.Unknown
D.CrashLoopBackOff
AnswerB

With restartPolicy: Never, the Pod enters Failed state when a container exits with non-zero or is killed.

Why this answer

With restartPolicy: Never, the container that fails is not restarted. The Pod status becomes Failed.

78
Multi-Selectmedium

Which TWO statements about the .dockerignore file are true?

Select 2 answers
A.It is automatically applied to all docker commands
B.It supports pattern matching similar to .gitignore
C.It can be used to specify which Dockerfile to use
D.It can override the base image from the Dockerfile
E.It can exclude files from being copied into the image by COPY and ADD instructions
AnswersB, E

.dockerignore uses glob patterns similar to .gitignore.

Why this answer

.dockerignore excludes files from the build context, reducing build time and preventing secrets from being copied.

79
MCQmedium

You are writing a Dockerfile and want to ensure that the CMD instruction is overridable when running the container, but the ENTRYPOINT should not be easily overridden. Which combination should you use?

A.ENTRYPOINT ["myapp"]; CMD ["--help"]
B.CMD ["myapp", "--help"]
C.ENTRYPOINT myapp; CMD --help
D.ENTRYPOINT ["myapp"]
AnswerD

ENTRYPOINT defines the main command and is not easily overridden; CMD is omitted so no default arguments.

Why this answer

Option D is correct. ENTRYPOINT sets the executable that cannot be overridden (unless --entrypoint flag is used). CMD provides default arguments that can be overridden by command line arguments.

Option A uses ENTRYPOINT with exec form which is overridable via --entrypoint. Option B uses both as CMD, which is fully overridable. Option C uses ENTRYPOINT with shell form, which is also overridable.

80
Multi-Selectmedium

Which TWO statements about init containers are true? (Select 2)

Select 2 answers
A.Init containers support liveness and readiness probes.
B.Init containers share the same filesystem as the application containers by default.
C.Init containers run sequentially in the order they are defined.
D.Init containers have a restart policy of Always.
E.Init containers must complete successfully before application containers start.
AnswersC, E

Correct: init containers run one after another.

Why this answer

Options C and E are correct. Init containers run sequentially before app containers, and they must run to completion successfully. Option B is false: init containers do not share filesystems by default; they can share volumes.

Option A is false: init containers cannot have liveness probes. Option D is false: init containers use the same restart policy as the pod, not always Never.

81
MCQhard

A pod named 'app' has a container that logs to stdout. You want to add a sidecar container that streams these logs to a centralized logging service. Which pattern does this represent?

A.Ambassador pattern
B.Adapter pattern
C.Sidecar pattern
D.Init container pattern
AnswerC

A sidecar container runs alongside the main container to provide additional functionality like log shipping.

Why this answer

A sidecar container that enhances the primary container (e.g., log shipper) is a classic sidecar pattern.

82
MCQmedium

You have a YAML file for a Job named 'data-processor' with 'spec.backoffLimit: 4'. After 3 retries, one pod fails. How many more retries will Kubernetes attempt on that pod?

A.0 retries; the job is marked as failed
B.Unlimited retries until success
C.1 retry
D.4 retries
AnswerC

backoffLimit counts retries; after 3 retries, one more is allowed before the job fails.

Why this answer

backoffLimit specifies the number of retries before the Job is marked as failed, counted across all of the Job's pods. The initial attempt is not a retry, so backoffLimit=4 means up to 4 retries.

The question says 'after 3 retries', meaning 3 retries have already occurred, so one more retry is allowed.

83
MCQeasy

Which kubectl command creates a deployment named 'web' from the image 'nginx:1.25' and exposes it on port 80?

A.kubectl create deployment web --image=nginx:1.25 --expose
B.kubectl apply -f deployment.yaml
C.kubectl run web --image=nginx:1.25 --port=80
D.kubectl create deployment web --image=nginx:1.25
AnswerD

This creates a deployment. To expose it, you would need an additional 'kubectl expose' command.

Why this answer

The 'kubectl create deployment' command creates a deployment; a separate 'kubectl expose' command then creates a service. The question asks for a single command that creates a deployment and exposes it, but 'kubectl run' with --port creates a pod, not a deployment.

So the intended correct answer is 'kubectl create deployment web --image=nginx:1.25', with exposure done separately. Among the given options, the one that creates a deployment is correct.

84
MCQmedium

A user runs: kubectl run my-pod --image=nginx --restart=Never --dry-run=client -o yaml. Which apiVersion is used in the generated YAML?

A.apps/v1
B.batch/v1
C.networking.k8s.io/v1
D.v1
AnswerD

The command creates a Pod, and Pods are in the core v1 API group.

Why this answer

The 'kubectl run' command without '--restart=Never' defaults to a Deployment (apps/v1), but with '--restart=Never' it creates a standalone Pod (v1).

85
MCQmedium

You need to run a batch job that processes a queue and must ensure exactly 5 pods run successfully in parallel. Which Job configuration field should be set?

A.spec.backoffLimit: 5
B.spec.ttlSecondsAfterFinished: 5
C.spec.parallelism: 5
D.spec.completions: 5
AnswerC

parallelism controls the maximum number of pods running in parallel.

Why this answer

The 'parallelism' field specifies how many pods can run concurrently. 'completions' is for total successful pod completions.

86
MCQmedium

A developer is writing a Dockerfile and wants to ensure that the container runs a Python script named 'app.py' as its main process. Which instruction should be used?

A.EXPOSE 8080
B.CMD ["python", "app.py"]
C.ENTRYPOINT ["python", "app.py"]
D.RUN ["python", "app.py"]
AnswerC

ENTRYPOINT sets the main command to run python app.py.

Why this answer

ENTRYPOINT sets the main command that will always be executed when the container starts.

87
MCQeasy

Which of the following is the correct apiVersion for a CronJob in Kubernetes v1.29?

A.v1
B.cronjob/v1
C.batch/v1beta1
D.batch/v1
AnswerD

Correct: CronJob uses batch/v1 since 1.21.

Why this answer

In Kubernetes v1.29, the correct apiVersion for a CronJob is batch/v1, as CronJob has been stable since v1.21. Option D is correct because batch/v1 is the stable API version for CronJob resources in this release.

Exam trap

The trap here is that candidates may remember older Kubernetes versions where CronJob was still in beta (batch/v1beta1) and fail to update their knowledge to the stable batch/v1, or they might confuse the apiVersion format with a non-existent cronjob/v1.

How to eliminate wrong answers

Option A is wrong because v1 is the apiVersion for core resources like Pod, Service, and ConfigMap, not for CronJob which belongs to the batch API group. Option B is wrong because there is no apiVersion format like cronjob/v1; Kubernetes uses group/version format, and CronJob is part of the batch group. Option C is wrong because batch/v1beta1 was deprecated in v1.21 and removed in v1.25; using it in v1.29 would cause an error.

88
MCQmedium

A CronJob must run a task every day at midnight, but if the previous job is still running, the new job should be skipped. Which concurrencyPolicy should be set?

A.Skip
B.Forbid
C.Allow
D.Replace
AnswerB

Forbid blocks a new job if the previous one is still running, effectively skipping it.

Why this answer

Option B is correct: Forbid prevents new jobs from starting if the previous one is still running. Allow allows concurrent runs. Replace replaces the running job.

There is no Skip policy.

89
Drag & Dropmedium

Sequence the steps to expose a Kubernetes Service using a NodePort for external access.

Why this order

Deployment first, then define NodePort Service, apply, retrieve port, then access externally.

90
MCQeasy

What is the primary purpose of an Init Container in a Pod?

A.Perform initialization tasks such as waiting for a database to be ready
B.Run a sidecar proxy alongside the main container
C.Provide a health check endpoint for the main container
D.Collect logs and metrics from the main container
AnswerA

Init containers handle prerequisites before the application starts.

Why this answer

Init containers run to completion before app containers start, used for setup tasks like waiting for dependencies or preparing data.

91
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the CPU request for the container
B.Delete and recreate the pod to clear the crash loop
C.Increase the memory limit in the pod's container resource specification
D.Delete the namespace and redeploy all workloads
AnswerC

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option C is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option B would not help: restarting the pod without addressing the root cause will result in the same failure. Option A addresses CPU, not memory. Option D (deleting the namespace) is destructive and unnecessary.

92
MCQmedium

You are tasked with containerizing a Go application. The application compiles into a binary. Which Dockerfile best implements a multi-stage build to produce a minimal image?

A.FROM AS builder\nWORKDIR /app\nCOPY . .\nRUN go build -o myapp\nFROM scratch\nCOPY --from=builder /app/myapp /myapp\nCMD ["/myapp"]
B.FROM ubuntu:latest\nRUN apt-get update && apt-get install -y golang\nCOPY . /app\nWORKDIR /app\nRUN go build -o myapp\nCMD ["./myapp"]
C.FROM golang:1.21 AS builder\nWORKDIR /app\nCOPY . .\nRUN go build -o myapp\nFROM scratch\nCOPY --from=builder /app/myapp /myapp\nCMD ["/myapp"]
D.FROM golang:1.21\nWORKDIR /app\nCOPY . .\nRUN go build -o myapp\nCMD ["./myapp"]
AnswerC

Multi-stage build: first stage compiles, second stage scratch only copies binary. Minimal image.

Why this answer

Option C is correct: multi-stage build with a first stage for compilation using a Go image, and a second stage using scratch that only contains the compiled binary. Option D uses a single stage with a full Go runtime. Option B also uses a single stage.

Option A is incorrect because it uses invalid syntax (FROM AS builder without specifying a base image).

93
MCQmedium

You want to expose a container's port 8080 in the Dockerfile. Which instruction should you use?

A.PORT 8080
B.EXPOSE 8080
C.LISTEN 8080
D.PUBLISH 8080
AnswerB

EXPOSE documents the port.

Why this answer

Option B is correct because the `EXPOSE` instruction in a Dockerfile informs Docker that the container listens on the specified network port at runtime. It is a metadata declaration that does not actually publish the port; it serves documentation and inter-container communication purposes via Docker networks.

Exam trap

The trap here is that candidates confuse `EXPOSE` with actually publishing the port to the host, thinking it makes the container accessible externally, when in fact it only declares intent and requires `-p` or `--publish` for host access.

How to eliminate wrong answers

Option A is wrong because `PORT` is not a valid Dockerfile instruction; the correct keyword is `EXPOSE`. Option C is wrong because `LISTEN` is not a Dockerfile instruction; it is a directive used in configuration files for services like Apache or Nginx. Option D is wrong because `PUBLISH` is not a Dockerfile instruction; port publishing is done at container runtime using the `-p` or `--publish` flag with `docker run`.

94
MCQhard

You have a Pod that runs a web server and you want to add a sidecar container that exposes a Prometheus metrics endpoint by scraping the web server's logs. Which sidecar pattern does this exemplify?

A.Sidecar pattern (generic)
B.Adapter pattern
C.Ambassador pattern
D.Init container pattern
AnswerB

The adapter pattern modifies or transforms data from the main container to match external interfaces. Here, the sidecar converts logs to metrics.

Why this answer

Option B is correct. The adapter pattern transforms the main container's output (e.g., logs) into a format expected by an external system (e.g., Prometheus metrics). The sidecar pattern adds functionality without modifying the main container; ambassador patterns proxy external connections; init containers run before the main containers start.

95
MCQeasy

Which of the following is a valid schedule for a CronJob that runs every day at midnight?

A.0 0 1 * *
B.* * * * *
C.0 * * * *
D.0 0 * * *
AnswerD

This is the correct cron expression for daily at midnight.

Why this answer

Cron schedule format: minute hour day month weekday. '0 0 * * *' means at minute 0 of hour 0 every day.

96
MCQeasy

Which Dockerfile instruction sets a command that can be overridden when running the container?

A.RUN
B.EXPOSE
C.ENTRYPOINT
D.CMD
AnswerD

CMD specifies the command to run by default; it can be overridden by supplying a command after the image name in 'docker run'.

Why this answer

The CMD instruction provides defaults for executing the container; it can be overridden by command-line arguments. ENTRYPOINT, on the other hand, defines the executable that will always run.

97
Multi-Selectmedium

Which TWO statements about Init Containers are correct? (Select exactly 2.)

Select 2 answers
A.Init containers run in parallel to reduce startup time
B.Init containers run to completion sequentially before any app containers start
C.Init containers can use a different container image than the app containers
D.If an init container fails, Kubernetes restarts it until it succeeds regardless of restartPolicy
E.Init containers can have liveness and readiness probes
AnswersB, C

They run one after another, each must complete successfully.

Why this answer

Init containers run sequentially and can have different images than the main container. They do not support liveness/readiness probes (only startup probe is allowed, but not by default).

98
MCQmedium

You are tasked with deploying a stateless web application on a Kubernetes cluster. The application is containerized and listens on port 8080. You have created a Deployment named 'webapp' with 3 replicas, and a ClusterIP Service named 'webapp-svc' exposing port 80 targeting the application's port 8080. During testing, you notice that some requests to the service return errors while others succeed. You have verified that all Pods are running and ready. The application logs show no errors. What is the most likely cause of the intermittent failures?

A.The ClusterIP Service type does not support load balancing.
B.The Service is not configured with enough endpoints.
C.The Service's targetPort is set incorrectly, causing traffic to be misrouted.
D.The Deployment lacks a readiness probe, causing the Service to route traffic to Pods that are not ready.
AnswerD

Correct; without a readiness probe, the Service may send traffic to Pods that are not ready, leading to intermittent failures.

Why this answer

The intermittent failures are most likely caused by the absence of a readiness probe in the Deployment. Without a readiness probe, the Service's EndpointSlice controller considers all Pods with a matching label selector as ready endpoints, even if the application inside the container has not finished initializing or is temporarily unable to serve traffic. This results in the ClusterIP Service load-balancing requests to Pods that are not actually ready, causing some requests to fail while others succeed.

Exam trap

CNCF often tests the distinction between 'Pod is Running' (container process started) and 'Pod is Ready' (application is healthy and can serve traffic), trapping candidates who assume that a Running Pod is automatically ready to receive Service traffic.

How to eliminate wrong answers

Option A is wrong because ClusterIP Services do provide internal load balancing via kube-proxy using iptables or IPVS rules, distributing traffic across ready endpoints. Option B is wrong because the Service is configured with a label selector matching the Deployment's Pods, and with 3 replicas all running and ready (as verified), there are exactly 3 endpoints — enough for load balancing. Option C is wrong because the targetPort is set to 8080, which matches the container's listening port, so traffic is correctly routed to the application.

99
MCQeasy

Which of the following is the correct way to create a simple Pod named 'nginx' running the nginx:1.25 image using kubectl?

A.kubectl create nginx --image=nginx:1.25
B.kubectl create pod nginx --image=nginx:1.25
C.kubectl apply nginx --image=nginx:1.25
D.kubectl run nginx --image=nginx:1.25
AnswerD

'kubectl run' creates a pod with the specified image. This is the correct command.

Why this answer

Option D is correct. The 'kubectl run' command with the '--image' flag creates a pod. Option B is incorrect because 'kubectl create pod' is not a valid command; you would use 'kubectl create deployment' or 'kubectl run'.

Option C is incorrect because 'kubectl apply' expects a YAML file, not an image argument directly. Option A is incorrect because 'kubectl create' expects a resource type (e.g., 'deployment'), not 'pod' directly.

100
Multi-Selectmedium

Which TWO fields are required in a CronJob manifest? (Select 2)

Select 2 answers
A.startingDeadlineSeconds
B.successfulJobsHistoryLimit
C.schedule
D.concurrencyPolicy
E.jobTemplate
AnswersC, E

The cron schedule is mandatory.

Why this answer

Options C and E are required. A CronJob must have 'schedule' (C) and 'jobTemplate' (E). Option D (concurrencyPolicy) is optional and defaults to Allow.

Option B (successfulJobsHistoryLimit) is optional. Option A (startingDeadlineSeconds) is optional.

101
MCQeasy

What is the purpose of the '.dockerignore' file?

A.To specify which files to include in the image
B.To ignore files during docker push
C.To exclude files from the build context
D.To list environment variables to ignore
AnswerC

Files listed in .dockerignore are not sent to the Docker daemon.

Why this answer

.dockerignore prevents unnecessary files from being sent to the Docker daemon as part of the build context.

102
MCQmedium

You have a multi-stage Dockerfile for a Go application. The first stage compiles the binary, and the second stage uses a scratch image. Which of the following is the correct way to copy the binary from the first stage into the second stage?

A.ADD --from=builder /app/bin /app/
B.COPY /app/bin /app/
C.COPY --from=builder /app/bin /app/
D.COPY --from=0 /app/bin /app/
AnswerC

Correct: 'COPY --from=builder' copies files from the stage named 'builder'.

Why this answer

Option C is correct. The COPY --from=builder syntax copies files from the previous stage named 'builder'. Option B copies from the host, not the builder stage.

Option D copies from an image, but the image name is missing and it's not the standard way. Option A uses ADD, which can be used but is recommended for tarballs, not for copying from builder stages.

103
Multi-Selecthard

Which THREE of the following are valid fields in the '.spec' of a Job manifest?

Select 3 answers
A.replicas
B.parallelism
C.strategy
D.completions
E.backoffLimit
AnswersB, D, E

Specifies the maximum number of pods running concurrently.

Why this answer

backoffLimit, parallelism, and completions are all valid Job spec fields.

104
MCQmedium

What is the correct schedule expression for a CronJob that runs every 5 minutes?

A.*/5 * * * *
B.* * * * *
C.0 */5 * * *
D.5 * * * *
AnswerA

Standard cron syntax for every 5 minutes.

Why this answer

Option A is correct: '*/5 * * * *' runs every 5 minutes. Option B runs every minute. Option D runs at minute 5 every hour.

Option C runs every 5 hours.

105
MCQhard

A pod with an init container and a main container has 'restartPolicy: Always'. The init container exits with code 0. What happens next?

A.The pod enters CrashLoopBackOff because the init container should not exit
B.The main container starts; if it fails, it will be restarted
C.The pod is considered complete and enters Succeeded phase
D.The init container restarts and runs again
AnswerB

Init container completed; main container starts and is managed by the restart policy.

Why this answer

Init containers run to completion and are not restarted. The main container starts and runs. If the main container exits, it will be restarted due to restartPolicy Always.

106
MCQeasy

Which of the following is the correct apiVersion for a Kubernetes Job in v1.29?

A.batch/v1
B.apps/v1
C.v1
D.batch/v1beta1
AnswerA

batch/v1 is the stable apiVersion for Jobs since Kubernetes 1.21.

Why this answer

In Kubernetes v1.29, the correct apiVersion for a Job is `batch/v1`. The `batch/v1` API version has been stable since Kubernetes 1.21, and Jobs are part of the batch API group. Using `batch/v1` ensures compatibility with the current stable release and provides access to all Job features, including parallelism, completions, and backoff limits.

Exam trap

The trap here is that candidates may confuse the `batch/v1` apiVersion with the older `batch/v1beta1` (which is no longer valid) or incorrectly assume Jobs are part of the core `v1` or `apps/v1` API groups, leading to a wrong answer.

How to eliminate wrong answers

Option B (`apps/v1`) is wrong because `apps/v1` is used for workloads like Deployments, StatefulSets, DaemonSets, and ReplicaSets, not for Jobs. Option C (`v1`) is wrong because `v1` is the core API group (e.g., Pods, Services, ConfigMaps), and Jobs belong to the `batch` API group, not the core group. Option D (`batch/v1beta1`) is wrong because the `batch/v1beta1` version was deprecated in Kubernetes 1.21 and removed in 1.25; using it in v1.29 would result in an API error.

107
Multi-Selectmedium

Which TWO of the following are valid ways to expose a container port in a pod spec?

Select 2 answers
A.spec.containers[].ports[].hostPort
B.spec.containers[].hostPort
C.spec.containers[].containerPort
D.EXPOSE 8080 in Dockerfile
E.spec.containers[].ports[].containerPort
AnswersA, E

hostPort maps the container port to a port on the host node.

Why this answer

Options A and E are correct. The 'containerPort' field under 'ports' defines which container ports to expose. 'hostPort' is also valid but less common. Option B is not a valid field (hostPort is a subfield of ports).

Option C is not valid (ports is a list). Option D is a Dockerfile instruction, not a pod spec field.

108
Multi-Selecthard

A team wants to deploy a multi-container Pod with a sidecar pattern. Which THREE statements are true about sidecar containers? (Select exactly 3.)

Select 3 answers
A.Sidecar containers are always started before the main container
B.Sidecar containers are used for tasks like log collection, service mesh proxies, or data synchronization
C.Sidecar containers can be updated independently without restarting the main container
D.Sidecar containers run in the same Pod as the main container
E.Sidecar containers share the same network namespace as the main container
AnswersB, D, E

These are common sidecar use cases.

Why this answer

Sidecar containers share the same Pod lifecycle and network namespace, and are typically used for auxiliary tasks like logging, proxying, or sync.

109
MCQeasy

Which Dockerfile instruction is used to specify the base image for a container image?

A.COPY
B.FROM
C.CMD
D.RUN
AnswerB

FROM specifies the base image for the build.

Why this answer

The FROM instruction initializes a new build stage and sets the base image for subsequent instructions.

110
MCQhard

You have a pod that runs a single container with the following resource limits: memory: 256Mi, cpu: 500m. The container is consistently using 300Mi of memory and 300m of CPU. The pod is running but you want to avoid OOMKilled. Which change should you make?

A.Increase memory limit to 512Mi
B.Set memory request to 128Mi and keep limit at 256Mi
C.Decrease memory limit to 128Mi
D.Increase CPU limit to 1000m
AnswerA

The container uses more memory than the current limit, so increasing the memory limit prevents OOMKilled.

Why this answer

Option A is correct. The memory limit is 256Mi, but the container uses 300Mi, which will cause OOMKilled. Increasing the memory limit to 512Mi avoids the OOM.

CPU limit (500m) is fine because usage is 300m. Increasing CPU limit does not help memory. Decreasing memory limit would make the problem worse.

Setting requests does not prevent OOM if limit is still low.

111
MCQmedium

A user creates a Job with '.spec.completions=5' and '.spec.parallelism=2'. How many pods will run at the same time?

A.5
B.10
C.7
D.2
AnswerD

parallelism=2 means up to 2 pods run concurrently.

Why this answer

parallelism defines the maximum number of pods running concurrently.

112
MCQeasy

Which Dockerfile instruction is used to define a mount point for a volume?

A.ADD
B.VOLUME
C.EXPOSE
D.MOUNT
AnswerB

VOLUME creates a mount point for a volume.

Why this answer

The VOLUME instruction creates a mount point for externally mounted volumes or other containers.

113
MCQmedium

You have a multi-stage Dockerfile. You want to copy artifacts from the builder stage to the final stage. Which instruction should you use in the final stage?

A.ADD --from=builder /app/artifact /app/
B.RUN --from=builder cp /app/artifact /app/
C.COPY --from=builder /app/artifact /app/
D.CMD --from=builder /app/artifact /app/
AnswerC

COPY with --from is the standard way to copy files from a previous build stage.

Why this answer

Option C is correct. COPY --from=builder copies files from a previous stage named 'builder'. ADD is similar and also supports remote URLs and tar extraction, but --from is not typically used with ADD.

CMD and RUN are not for copying files.

114
MCQmedium

What is the default restart policy for a pod created with 'kubectl run nginx --image=nginx'?

A.Always
B.OnFailure
C.Never
D.Restart
AnswerA

Default restart policy is Always.

Why this answer

The default restart policy is Always for pods created by kubectl run without --restart flag.

115
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Delete and recreate the pod to clear the crash loop
B.Delete the namespace and redeploy all workloads
C.Increase the memory limit in the pod's container resource specification
D.Increase the CPU request for the container
AnswerC

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option C is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option A would not help: restarting the pod without addressing the root cause will result in the same failure. Option D addresses CPU, not memory. Option B (deleting the namespace) is destructive and unnecessary.

116
MCQeasy

Which 'kubectl' command creates a pod named 'test-pod' using the nginx image and outputs the YAML manifest without actually creating it?

A.kubectl apply -f pod.yaml
B.kubectl run test-pod --image=nginx --dry-run=client -o yaml
C.kubectl run test-pod --image=nginx --dry-run=server
D.kubectl run test-pod --image=nginx --dry-run=client -o json
AnswerB

Correct command to generate YAML without creating the pod.

Why this answer

Option B is correct: kubectl run test-pod --image=nginx --dry-run=client -o yaml. Option D uses -o json. Option C uses --dry-run=server.

Option A is the apply command.

117
MCQhard

You are tasked with running a batch job that processes 100 items in parallel, using a Kubernetes Job. The Job should ensure that all items are processed even if some pods fail, and the total number of pod failures should be limited to 3. Which Job configuration is correct?

A.Set spec.parallelism: 100, spec.completions: 100, spec.backoffLimit: 3
B.Set spec.parallelism: 1, spec.completions: 100, spec.backoffLimit: 3
C.Set spec.parallelism: 100, spec.completions: 1, spec.backoffLimit: 3
D.Set spec.parallelism: 100, spec.completions: 100, spec.activeDeadlineSeconds: 300
AnswerA

Correct: parallelism runs up to 100 pods concurrently, completions expects 100 successful completions overall, backoffLimit limits retries to 3.

Why this answer

Option A is correct. For a Job that runs many parallel tasks, you use a work queue pattern with a fixed completion count. spec.parallelism sets the number of pods to run in parallel, spec.completions sets the total number of successful completions required, and spec.backoffLimit sets the number of retries before considering the Job as failed. The spec.backoffLimit field is the correct way to limit retries; spec.activeDeadlineSeconds is a time limit, not a retry limit.

118
Multi-Selectmedium

Which TWO of the following are valid uses of init containers? (Select 2)

Select 2 answers
A.Running a log collection agent continuously
B.Performing health checks on the main container
C.Setting ownership and permissions on a shared volume before the main container uses it
D.Serving HTTP traffic to the main container
E.Waiting for an external database to be ready before starting the main application
AnswersC, E

Correct: init containers can prepare volumes.

Why this answer

Init containers are used for setup tasks that must complete before the main containers start. They can run scripts that wait for a service to be up (E) and can be used to set permissions on shared volumes (C). They are not meant for serving traffic (D) or for long-running sidecar functionality (A).

They do not have liveness probes (B).

119
MCQeasy

Which command builds a Docker image from the current directory and tags it as 'myapp:v1'?

A.docker build -t myapp:v1 .
B.docker build -t myapp:v1
C.docker build . -name myapp:v1
D.docker image build --tag myapp:v1
AnswerA

Correct command to build and tag the image.

Why this answer

Option A is correct: docker build -t myapp:v1 . builds and tags the image. Option B is missing the dot. Option C tags after build but syntax is wrong.

Option D uses incorrect flag (--name).

120
MCQmedium

A CronJob is configured with 'concurrencyPolicy: Forbid'. What happens if the scheduled time arrives while the previous job is still running?

A.The new job is skipped until the next scheduled time
B.The new job starts immediately, running concurrently
C.The running job is terminated and the new job starts
D.The CronJob enters an error state
AnswerA

Forbid prevents overlapping runs; the new job is simply missed.

Why this answer

With 'Forbid', if a job is still running, the new scheduled job is skipped (does not run).

121
MCQmedium

You need to run a database migration as a container before the main application container starts. Which Kubernetes concept should you use?

A.Job
B.Init container
C.Sidecar container
D.Ephemeral container
AnswerB

Init containers run to completion before the main containers start.

Why this answer

Option B is correct. Init containers run sequentially before the main containers start and are ideal for initialization tasks like migrations. Option C (sidecar) runs concurrently.

Option D (ephemeral) is for debugging. Option A (job) runs to completion but not as part of a pod's lifecycle.

122
Multi-Selectmedium

Which THREE of the following are valid patterns for sidecar containers in Kubernetes?

Select 3 answers
A.Ambassador
B.Singleton
C.Adapter
D.DaemonSet
E.Sidecar
AnswersA, C, E

Ambassador is a sidecar that proxies network connections.

Why this answer

Sidecar, adapter, and ambassador are the three common sidecar patterns. The sidecar pattern adds functionality to the main container, the adapter pattern transforms interfaces, and the ambassador pattern proxies connections.

123
MCQmedium

A developer wants to tag a local image 'myapp:latest' with the tag 'v1.0.0' for pushing to a registry. Which command does this?

A.docker push myapp:v1.0.0
B.docker tag myapp:latest myapp:v1.0.0
C.kubectl tag myapp:latest myapp:v1.0.0
D.kubectl set image myapp:v1.0.0
AnswerB

Correctly tags the image.

Why this answer

docker tag is the correct command for tagging images.

124
MCQhard

A CronJob is configured with concurrencyPolicy: Forbid. The scheduled job takes longer than the interval between schedules to complete. What happens when the next scheduled time arrives while the previous job is still running?

A.The running job is killed to make room for the new one
B.The new job starts immediately, overriding the running one
C.The CronJob controller skips the new execution and logs a warning
D.The new job is queued and starts after the running job completes
AnswerC

Correct: Forbid prevents concurrent runs and skips the job if one is already running.

Why this answer

With concurrencyPolicy: Forbid, the CronJob controller does not start a new job if the previous job is still running. It skips the execution.

125
MCQeasy

In a Dockerfile, what is the difference between CMD and ENTRYPOINT?

A.CMD always runs, ENTRYPOINT can be overridden
B.There is no difference; they are interchangeable
C.ENTRYPOINT defines the executable and CMD provides default arguments
D.CMD is used for shell form, ENTRYPOINT for exec form
AnswerC

Correct: ENTRYPOINT is the command, CMD is arguments that can be replaced.

Why this answer

ENTRYPOINT defines the executable, and CMD provides default arguments that can be overridden.

126
MCQhard

You need to debug a pod that is running but not serving traffic. You want to add a temporary container with networking tools to the pod. Which command should you use?

A.kubectl run debug --image=busybox -it --restart=Never -- /bin/sh
B.kubectl attach mypod
C.kubectl exec -it mypod -- /bin/sh
D.kubectl debug mypod --image=busybox -it
AnswerD

Correct: kubectl debug adds an ephemeral container to the pod for debugging.

Why this answer

kubectl debug with the --image flag creates an ephemeral container in the pod for debugging. Ephemeral containers are temporary and do not restart if they exit.

127
MCQeasy

Which file prevents certain files from being copied into a Docker image during a build?

A..kubeignore
B.Dockerfile.ignore
C..dockerignore
D..gitignore
AnswerC

.dockerignore excludes files from the Docker build context.

Why this answer

Option C is correct. A .dockerignore file in the build context tells Docker which files to ignore when sending the context to the Docker daemon.

128
MCQhard

You need to debug a pod that has no shell installed. You want to add a temporary container with debugging tools to the pod. Which command should you use?

A.kubectl debug mypod -it --image=busybox -- /bin/sh
B.kubectl run debug --image=busybox -it -- /bin/sh
C.kubectl debug mypod --image=busybox --target=debug -n default
D.kubectl exec -it mypod -- /bin/sh
AnswerA

'kubectl debug' creates an ephemeral container in the target pod.

Why this answer

Option A is correct. 'kubectl debug' creates an ephemeral container in the pod for debugging. Option B uses 'kubectl run', which creates a new pod rather than adding to the existing one. Option D (exec) requires the container to have a shell.

Option C creates a new pod in a different namespace.

129
MCQeasy

Which of the following Dockerfile instructions sets the working directory for any subsequent RUN, CMD, ENTRYPOINT, COPY, and ADD instructions?

A.EXPOSE
B.WORKDIR
C.COPY
D.USER
AnswerB

WORKDIR sets the working directory for any subsequent instructions in the Dockerfile.

Why this answer

Option B is correct. The WORKDIR instruction sets the working directory for all subsequent instructions in the Dockerfile. COPY and ADD are used to copy files, EXPOSE documents network ports, and USER sets the user name.

130
MCQmedium

You have a Dockerfile with 'CMD ["nginx", "-g", "daemon off;"]'. A developer wants to run the container with a different command: 'nginx -t'. How should they run the container?

A.docker run nginx ["nginx", "-t"]
B.docker run nginx CMD nginx -t
C.docker run nginx nginx -t
D.docker run --entrypoint nginx -t nginx
AnswerC

Appending command overrides CMD.

Why this answer

Option C is correct: To override CMD, append the command after the image name: docker run nginx nginx -t. Option D uses --entrypoint, which overrides ENTRYPOINT, not CMD. Option A uses exec form incorrectly.

Option B is wrong because CMD is overridable.

131
Multi-Selectmedium

Which TWO statements are true about Kubernetes Secrets?

Select 2 answers
A.Secret data is base64 encoded in YAML manifests.
B.Secrets cannot be used as environment variables.
C.Secrets are always encrypted at rest by default.
D.Secrets can be mounted as volumes in a Pod.
E.Secrets are limited to 1KB in size.
AnswersA, D

Secret values are base64 encoded, not plaintext.

Why this answer

Option A is correct because Kubernetes Secrets store data as base64-encoded strings in YAML manifests. This encoding is not encryption; it simply converts binary or non-printable data into an ASCII string format for safe inclusion in YAML. The base64 encoding is a standard practice for representing arbitrary data in Kubernetes resource definitions.

Exam trap

The trap here is that candidates often confuse base64 encoding with encryption, assuming it provides security, or they mistakenly believe Secrets are encrypted at rest by default, when in fact they are stored in plaintext in etcd unless explicitly configured otherwise.

132
MCQhard

You have a CronJob that runs a backup every hour. Due to a network issue, some backups take longer than an hour, causing overlapping executions. You want to ensure that if a new job is scheduled while the previous one is still running, the new job is skipped. Which concurrencyPolicy should you set?

A.ConcurrencyPolicy: Skip
B.ConcurrencyPolicy: Allow
C.ConcurrencyPolicy: Forbid
D.ConcurrencyPolicy: Replace
AnswerC

Forbid skips the new job if the previous one is still running.

Why this answer

Option C is correct. Forbid prevents new jobs from starting if the previous job is still running. Option B allows concurrent runs.

Option D replaces the running job with the new one. Option A is invalid.

133
Multi-Selecteasy

Which TWO instructions are commonly used to add files to a Docker image during build? (Select 2)

Select 2 answers
A.COPY
B.ADD
C.ENTRYPOINT
D.RUN
E.CMD
AnswersA, B

Copies files from context into image.

Why this answer

Options A and B are correct: COPY and ADD are used to add files. RUN executes commands, CMD sets the default command, ENTRYPOINT sets the entry point.

134
MCQhard

You have a multi-container pod with two containers: container-A and container-B. container-B needs to access the network of container-A. Which configuration is required?

A.Define a ServiceAccount for container-B to access container-A
B.No additional configuration is needed; they share the same network namespace
C.Set hostNetwork: true in the pod spec
D.Expose the port in container-A and map it in container-B
AnswerB

Containers in a pod share the same network namespace, so they can communicate via localhost.

Why this answer

Option B is correct. By default, containers in the same pod share the same network namespace, so container-B can access container-A via localhost. Option C (hostNetwork) uses the host's network, not needed.

Option D (ports) exposes ports but doesn't affect network namespace sharing. Option A (service account) is for authentication, not networking.

135
Multi-Selecthard

Which THREE of the following are correct about init containers? (Select THREE.)

Select 3 answers
A.They run to completion before the main application containers start
B.They cannot have resource limits set
C.If an init container fails, the pod restarts according to the pod's restartPolicy
D.They run after the main application containers have started
E.They are defined in the spec.initContainers field of a Pod
AnswersA, C, E

Init containers run sequentially and must complete successfully before main containers start.

Why this answer

Options A, C, and E are correct. Init containers run sequentially (not in parallel) and must complete successfully before app containers start. They are specified under spec.initContainers.

Option D is wrong: init containers run before app containers. Option B is wrong: init containers support the same securityContext as regular containers.

136
MCQeasy

An init container in a pod runs a database migration script. The init container fails and exits with a non-zero exit code. What will happen to the pod?

A.The main containers will start anyway
B.The pod will enter CrashLoopBackOff
C.The init container will be restarted until it succeeds
D.The pod will be deleted and recreated
AnswerC

Correct: init containers are restarted on failure until they succeed.

Why this answer

Init containers must run successfully (exit 0) before the main containers start. If an init container fails, Kubernetes restarts it (if restartPolicy is Always or OnFailure) until it succeeds. The pod will remain in Init:Error state until the init container succeeds.

137
MCQmedium

You have a Pod with two containers: a main application and a sidecar that handles logging. The sidecar needs access to the same log files as the main application. Which volume type allows both containers to share files?

A.persistentVolumeClaim
B.hostPath
C.configMap
D.emptyDir
AnswerD

emptyDir is created when a pod is assigned to a node and exists as long as the pod runs, allowing containers in the same pod to share files.

Why this answer

Option D is correct. An emptyDir volume is shared between containers in the same pod and is useful for sharing files. HostPath mounts a host directory, but it's not specifically for sharing between containers.

ConfigMap is for configuration data, not for sharing dynamic files. PersistentVolumeClaim is for persistent storage, but not necessary for sharing within a pod.

138
Multi-Selectmedium

Which TWO of the following are true about .dockerignore files?

Select 2 answers
A.They are optional and have no effect on the build
B.They are placed in the root of the build context
C.They can exclude files from being sent to the Docker daemon during build
D.They can be used to ignore files only for specific build stages
E.They can include files that are in parent directories
AnswersB, C

.dockerignore must be in the root of the build context.

Why this answer

.dockerignore files exclude files from the build context, improving build performance and security by preventing unwanted files from being copied into the image.

139
MCQmedium

You have a multi-stage Dockerfile. The first stage builds a binary using a large build image. The second stage copies the binary from the first stage into a minimal runtime image. Which Dockerfile instruction is used to copy artifacts from a previous stage?

A.ADD --from=builder /app/artifact /app/
B.ENTRYPOINT --from=builder /app/artifact /app/
C.CMD --from=builder /app/artifact /app/
D.COPY --from=builder /app/artifact /app/
AnswerD

COPY --from copies files from a named stage in a multi-stage build.

Why this answer

Option D is correct. COPY --from=<stage-name> copies files from a named stage in a multi-stage build. ADD can also copy files but is more feature-rich (supports URLs, tar extraction).

However, for copying build artifacts from a previous stage, COPY --from is the standard and recommended approach. CMD and ENTRYPOINT are for runtime commands, not for copying files.

140
MCQhard

An administrator creates a Pod with an ephemeral container using 'kubectl debug my-pod -it --image=busybox --target=my-container'. The ephemeral container shares the same process namespace as the target container. Which flag enables this?

A.--target
B.--container
C.--namespace
D.--share-process-namespace
AnswerA

The --target flag designates the target container for namespace sharing.

Why this answer

The '--target' flag in kubectl debug specifies the target container for sharing namespaces, including process namespace.

141
Multi-Selecthard

Which THREE are valid patterns for multi-container Pods?

Select 3 answers
A.Init
B.Ambassador
C.Replicator
D.Adapter
E.Sidecar
AnswersB, D, E

An ambassador container proxies network connections to external services.

Why this answer

Options B, D, and E are correct: sidecar (adds helper container), adapter (normalizes output), and ambassador (proxies external access). Option C (replicator) is not a standard pattern. Option A (init) is a special container type, not a pattern for multi-container design.

142
MCQmedium

A pod in the 'production' namespace is in a CrashLoopBackOff state. The pod has been running successfully for several days. You run 'kubectl describe pod app-pod -n production' and see the message: 'OOMKilled'. What is the MOST appropriate action to resolve this issue?

A.Increase the CPU request for the container
B.Delete and recreate the pod to clear the crash loop
C.Delete the namespace and redeploy all workloads
D.Increase the memory limit in the pod's container resource specification
AnswerD

OOMKilled indicates the container exceeded its configured memory limit. Increasing the memory limit allows the container to use more memory and prevents the OOM kill.

Why this answer

Option D is correct. OOMKilled means the container exceeded its memory limit and was killed by the kernel OOM killer. The solution is to increase the memory limit in the container's resource specification.

Option B would not help: restarting the pod without addressing the root cause will result in the same failure. Option A addresses CPU, not memory. Option C (deleting the namespace) is destructive and unnecessary.

143
MCQeasy

What is the primary purpose of an init container in a pod?

A.To provide a debugging shell into the pod
B.To handle traffic routing between services
C.To run a long-running process alongside the main container
D.To perform initialization tasks such as waiting for a database to be ready
AnswerD

Init containers run sequentially and complete before app containers start, making them ideal for setup tasks.

Why this answer

Init containers run to completion before the main containers start, typically used for setup tasks like waiting for a service or preparing data.

144
MCQmedium

Which of the following is the correct way to set a memory limit of 512Mi for a container in a pod spec?

A.resources.requests.memory: 512Mi
B.resources.limits.memory: 512Mi
C.resources.requests.limits.memory: 512Mi
D.resources.limits.cpu: 512Mi
AnswerB

Correct: 'resources.limits.memory' sets the maximum memory the container can use.

Why this answer

Option B is correct. 'resources.limits.memory' sets the memory limit. Option A uses requests, which is the minimum, not limit. Option D is invalid syntax.

Option C sets limits under requests incorrectly.

145
MCQmedium

You run 'kubectl run nginx --image=nginx --restart=Never --dry-run=client -o yaml'. What is the output?

A.A Pod manifest with apiVersion: v1beta1
B.A Pod manifest with apiVersion: v1
C.A Job manifest with apiVersion: batch/v1
D.A Deployment manifest with apiVersion: apps/v1
AnswerB

--restart=Never creates a Pod.

Why this answer

Option B is correct: The command generates a Pod manifest with apiVersion v1, kind Pod. Option D is a Deployment. Option C is a Job.

Option A is a Pod but with wrong apiVersion.

146
MCQmedium

You are tasked with building a container image for a Node.js application. The Dockerfile must first install system dependencies, then copy application code, and finally run the app. Which of the following Dockerfiles is correct?

A.FROM node:14\nCMD apt-get update && apt-get install -y build-essential\nCOPY . /app\nCMD ["node","app.js"]
B.FROM node:14\nRUN apt-get update && apt-get install -y build-essential\nCOPY . /app\nRUN ["node","app.js"]
C.FROM node:14\nRUN apt-get update && apt-get install -y build-essential\nCOPY . /app\nCMD ["node","app.js"]
D.FROM node:14\nRUN apt-get update && apt-get install -y build-essential\nCOPY . /app\nENTRYPOINT ["node","app.js"]
AnswerC

Correct: RUN installs dependencies, COPY adds code, CMD runs the app.

Why this answer

Option C correctly uses RUN to install dependencies, COPY to add code, and CMD to run the app. Option A uses CMD incorrectly for installation; CMD is only the default command. Option D uses ENTRYPOINT instead of CMD, which would require arguments.

Option B uses RUN with a string form which is less efficient and not recommended.

147
MCQeasy

Which YAML snippet correctly defines a CronJob that runs a task every 5 minutes?

A.schedule: "*/5 * * *"
B.schedule: "*/5 * * * *"
C.schedule: "0 */5 * * *"
D.schedule: "* * * * *"
AnswerB

This is the correct cron expression for every 5 minutes.

Why this answer

Option B is correct. The schedule syntax for every 5 minutes is '*/5 * * * *'. Option D is every minute.

Option C is every 5 hours. Option A is not valid.

148
MCQeasy

What is the correct apiVersion for a Kubernetes Job in v1.29?

A.batch/v1beta1
B.apps/v1
C.batch/v1
D.v1
AnswerC

batch/v1 is the current stable version.

Why this answer

Jobs use batch/v1 as of Kubernetes 1.21+.

149
MCQmedium

You have a Dockerfile that uses a multi-stage build. Which of the following statements about multi-stage builds is correct?

A.Multi-stage builds require a single FROM statement
B.Multi-stage builds increase the final image size
C.Each stage must have a unique name
D.Artifacts from earlier stages can be copied to later stages using COPY --from
AnswerD

Correct: COPY --from copies files from a previous stage.

Why this answer

Multi-stage builds allow you to copy artifacts from one stage to another using COPY --from. This reduces the final image size by discarding build dependencies.

150
MCQmedium

A developer creates a Dockerfile with the following content:

FROM alpine:3.18
COPY app.sh /app.sh
RUN chmod +x /app.sh
CMD ["/app.sh"]

They want to override the command to run '/app.sh --debug' when deploying the container in Kubernetes. Which of the following pod spec fields should they use?

A.spec.containers[].entrypoint
B.spec.containers[].command
C.spec.containers[].args
D.spec.command
AnswerC

args overrides the CMD instruction in the Dockerfile. Setting args to ['--debug'] will append to the entrypoint, resulting in '/app.sh --debug'.

Why this answer

Option C is correct. The command field in the pod spec overrides the ENTRYPOINT in the Dockerfile, while args overrides CMD. To override CMD, you set args.

If they wanted to override both, they'd use command.
