CCNA Services and Networking Questions

75 of 204 questions · Page 1/3 · Services and Networking · Answers revealed

1
MCQmedium

A developer runs `kubectl expose deployment web-deploy --port=80 --target-port=8080 --type=NodePort` and later wants to access the Service from outside the cluster. What is the correct way to find the external port?

A.Run `kubectl get nodes -o wide` and use the node's external IP and port 80.
B.Run `kubectl get pod -l app=web-deploy` and use the pod IP with port 8080.
C.Run `kubectl describe svc web-deploy` and look for the NodePort field.
D.Run `kubectl get svc web-deploy -o yaml` and look for `spec.ports[0].port`.
AnswerC

`kubectl describe svc` shows NodePort in the Port section.

Why this answer

The `kubectl get svc web-deploy` command shows the NodePort assigned in the PORT(S) column, e.g., 80:31234/TCP.

2
MCQeasy

Which of the following commands creates a Service named 'my-svc' of type ClusterIP that exposes TCP port 80 on a set of pods selected by the label 'app: web'?

A.kubectl port-forward my-pod 8080:80
B.kubectl expose deployment my-deploy --port=80 --type=LoadBalancer --name=my-svc
C.kubectl expose pod my-pod --port=80 --target-port=80 --type=NodePort --name=my-svc
D.kubectl expose pod my-pod --port=80 --target-port=80 --type=ClusterIP --name=my-svc --selector=app=web
AnswerD

Correct. The expose command creates a ClusterIP Service with the given name and port mapping.

Why this answer

The 'kubectl expose' command with '--type=ClusterIP' creates a ClusterIP Service. The '--port' flag specifies the service port, and '--target-port' maps to the container port. The selector is derived from the pod's labels (here 'app: web').

Option A is correct. Option B uses NodePort, which is incorrect. Option C uses LoadBalancer.

Option D is a port-forward command, not a Service creation.

3
MCQhard

A team uses a Service named 'backend' in namespace 'prod' to reach Pods in namespace 'staging'. The Service in 'prod' has no endpoints. What is the most likely cause?

A.The Service port name does not match the container port
B.The Service selector does not match any Pods in the same namespace
C.The Service type is ClusterIP but should be NodePort
D.DNS resolution is broken in the staging namespace
AnswerB

Service selects Pods only within its own namespace; no matching Pods in prod means no endpoints.

Why this answer

The Service in the 'prod' namespace has no endpoints because its selector does not match any Pods in the same namespace. Kubernetes Services only discover Pods within the same namespace via label selectors; cross-namespace access requires a different approach (e.g., ExternalName Service or manual endpoint configuration). Since the Pods are in 'staging', the selector in 'prod' finds no matching Pods, resulting in zero endpoints.

Exam trap

The trap here is that candidates assume Services can automatically discover Pods across namespaces, but Kubernetes restricts Service selectors to the same namespace, so a Service in 'prod' cannot select Pods in 'staging' without manual endpoint configuration.

How to eliminate wrong answers

Option A is wrong because a port name mismatch would cause connectivity issues but would not prevent the Service from having endpoints—endpoints are generated based on selector matches, not port names. Option C is wrong because Service type (ClusterIP vs. NodePort) affects external accessibility, not endpoint population; a ClusterIP Service can still have endpoints if the selector matches Pods.

Option D is wrong because DNS resolution is irrelevant to endpoint creation; endpoints are populated by the kube-controller-manager based on selector matching, not DNS.

4
MCQhard

Given the following NetworkPolicy YAML: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress - Egress What is the effect of this policy?

A.Denies all ingress and egress traffic to and from all pods in the namespace
B.Denies all ingress traffic but allows all egress traffic
C.Allows all traffic to and from pods in the namespace
D.Denies all traffic except traffic that is explicitly allowed by other policies
AnswerA

Correct. The policy denies all traffic because it has no allow rules.

Why this answer

The NetworkPolicy selects all pods in the namespace (empty podSelector). It specifies both Ingress and Egress policyTypes, but no rules under ingress or egress. This means all inbound and outbound traffic is denied for those pods.

Option D is correct. Option A is wrong because it mentions 'allow all'. Option B is wrong because it allows traffic that is not explicitly denied (default deny).

Option C is wrong because it suggests only ingress is affected.

5
MCQmedium

You have an Ingress with the following spec: spec: rules: - host: app.example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 How does the Ingress controller route a request to http://app.example.com/api/v1/users?

A.The request is rejected because pathType Prefix requires trailing /
B.It matches but the host is app.example.com, so it goes to api-service
C.It does not match because the path is exactly /api
D.It matches because /api/v1/users begins with /api
AnswerD

Prefix matching allows any subpaths.

Why this answer

Option B is correct. With pathType: Prefix, the path /api matches any path that starts with /api. So /api/v1/users matches.

Option A would be for Exact pathType. Option C is incorrect because the host matches. Option D is irrelevant.

6
MCQmedium

When using 'kubectl expose', which flag creates a NodePort service?

A.--node-port
B.--type=NodePort
C.--type=ClusterIP
D.--port
AnswerB

Creates NodePort service.

Why this answer

Option B is correct. '--type=NodePort' creates a NodePort service. Option A is default. Option C is not a valid flag.

Option D is not a flag.

7
Multi-Selecteasy

Which TWO of the following are valid Ingress path types? (Select 2)

Select 2 answers
A.Glob
B.Exact
C.Wildcard
D.Regex
E.Prefix
AnswersB, E

Exact matches the path exactly.

Why this answer

Exact and Prefix are the valid path types in networking.k8s.io/v1.

8
MCQeasy

Which command exposes a deployment named 'web' as a ClusterIP service on port 80?

A.kubectl create service clusterip web --port=80
B.kubectl expose deployment web --port=80
C.kubectl run web --expose --port=80
D.kubectl expose deployment web --port=80 --type=NodePort
AnswerB

Correct. kubectl expose creates a ClusterIP service by default on the specified port.

Why this answer

The correct command is 'kubectl expose deployment web --port=80' which creates a ClusterIP service by default. Option B uses '--type=NodePort', option C uses 'service' incorrectly, and option D uses incorrect syntax.

9
MCQeasy

A developer wants to expose a set of Pods on a specific port on each node's IP. Which Service type should be used?

A.LoadBalancer
B.ClusterIP
C.NodePort
D.ExternalName
AnswerC

NodePort exposes on each node's IP at a static port.

Why this answer

NodePort is the correct Service type because it exposes each Pod's port on a static port (the NodePort) on every node's IP address. This allows external traffic to reach the Pods by accessing any node's IP on that specific port, fulfilling the requirement to expose the Pods on a per-node IP basis.

Exam trap

The trap here is that candidates often confuse NodePort with LoadBalancer, thinking LoadBalancer is needed for external access, but the question specifically asks for exposure on each node's IP, which is exactly what NodePort provides without requiring a cloud load balancer.

How to eliminate wrong answers

Option A is wrong because LoadBalancer exposes the Service via an external load balancer (typically a cloud provider's LB), not directly on each node's IP; it builds on top of NodePort but adds an external IP that distributes traffic, not per-node exposure. Option B is wrong because ClusterIP exposes the Service only on a cluster-internal IP, making it unreachable from outside the cluster without additional components like a proxy or ingress. Option D is wrong because ExternalName maps a Service to a DNS name (via CNAME records) and does not expose any ports or Pods at all; it is used for external service aliasing, not for exposing Pods on node IPs.

10
MCQmedium

You want to block all ingress traffic to pods labeled 'app=api' except from pods labeled 'app=frontend'. Which NetworkPolicy rule is correct?

A.ingress: - from: - podSelector: matchLabels: app: frontend
B.ingress: - from: - namespaceSelector: matchLabels: app: frontend
C.ingress: - ports: - port: 80
D.ingress: - from: - ipBlock: cidr: 10.0.0.0/8
AnswerA

This allows ingress only from pods with label app=frontend.

Why this answer

The ingress rule should allow from pods with matching labels.

11
Multi-Selectmedium

Which TWO of the following are valid Service types in Kubernetes? (Select 2)

Select 2 answers
A.ExternalName
B.ClusterIP
C.NodePort
D.Headless
E.Ingress
AnswersB, C

Default service type.

Why this answer

ClusterIP, NodePort, LoadBalancer, and ExternalName are the four standard types.

12
MCQeasy

You create a Service with `kubectl expose deployment web --port=80 --target-port=8080`. What type of Service is created by default?

A.ClusterIP
B.LoadBalancer
C.NodePort
D.ExternalName
AnswerA

ClusterIP is the default Service type when no type is specified.

Why this answer

By default, `kubectl expose` creates a ClusterIP Service if no type is specified.

13
MCQmedium

A NetworkPolicy named 'default-deny-ingress' is applied to a namespace but contains no rules. What is the effect on pods in that namespace?

A.All ingress traffic is denied.
B.Only traffic from pods with label 'allow: true' is allowed.
C.All ingress traffic is allowed.
D.Only traffic from pods in the same namespace is allowed.
AnswerA

Correct. A NetworkPolicy with no ingress rules denies all incoming traffic.

Why this answer

An empty ingress rules array in a NetworkPolicy denies all ingress traffic by default. This is a common pattern to isolate pods.

14
MCQmedium

You have an Ingress that should route requests to 'api.example.com' to a service named 'api-svc' on port 80, and requests to 'www.example.com' to 'web-svc' on port 80. Which host-based routing rule is correct?

A.spec: rules: - http: paths: - host: api.example.com backend: service: name: api-svc port: number: 80 - host: www.example.com backend: service: name: web-svc port: number: 80
B.spec: rules: - host: api.example.com http: paths: - backend: service: name: api-svc port: number: 80 - host: www.example.com http: paths: - backend: service: name: web-svc port: number: 80
C.spec: rules: - host: api.example.com - backend: service: name: api-svc port: number: 80 - host: www.example.com - backend: service: name: web-svc port: number: 80
D.spec: rules: - host: api.example.com http: paths: - backend: serviceName: api-svc servicePort: 80 - host: www.example.com http: paths: - backend: serviceName: web-svc servicePort: 80
AnswerB

Correct host-based routing with multiple rules.

Why this answer

The Ingress spec uses the 'host' field under rules to specify host-based routing.

15
MCQmedium

A StatefulSet named 'web' is created with 3 replicas. What is the DNS name for the second pod (index 1)?

A.web-1.web.default.svc.cluster.local
B.web-2.web.default.svc.cluster.local
C.web.default.svc.cluster.local
D.web-1.default.svc.cluster.local
AnswerA

Correct. Pod name web-1, service web, namespace default.

Why this answer

For StatefulSets, pod DNS names follow the format <pod-name>.<service-name>.<namespace>.svc.cluster.local, where pod names are <statefulset-name>-<ordinal>. Here, the second pod is web-1. The headless service (assuming a service named 'web') provides DNS.

Option C is correct. Option A is incorrect because the pod name is missing. Option B has wrong ordinal.

Option D has wrong format (no pod name prefix).

16
MCQhard

An Ingress has two rules: - host: app.example.com, path: /api -> service-a:80 - host: api.example.com, path: / -> service-b:80 A request to `app.example.com/api/v1` reaches which service?

A.Both services
B.Neither service
C.service-a
D.service-b
AnswerC

The path /api matches /api/v1.

Why this answer

The path prefix `/api` matches the start of `/api/v1`, so the request goes to service-a.

17
MCQmedium

You create a Service with the following YAML: ``` apiVersion: v1 kind: Service metadata: name: my-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: my-app ``` What is the default Service type?

A.NodePort
B.ClusterIP
C.LoadBalancer
D.ExternalName
AnswerB

Default type.

Why this answer

If no type is specified, the default is ClusterIP.

18
MCQmedium

An admin wants to expose a Service only for internal cluster communication, without external access. Which Service type should they use?

A.ExternalName
B.NodePort
C.LoadBalancer
D.ClusterIP
AnswerD

ClusterIP is internal-only.

Why this answer

ClusterIP is the default Service type, accessible only within the cluster.

19
MCQhard

An admin creates a Service without a selector. Which of the following is true about such a Service?

A.The Service will use the default ClusterIP and route to all pods in the cluster.
B.The Service will automatically route traffic to all pods in the namespace.
C.The admin must manually create an Endpoints object with the desired IPs.
D.The Service will not have any endpoints until a selector is added.
AnswerC

Manual Endpoints are required for selectorless Services.

Why this answer

A selectorless Service does not automatically create endpoints; the admin must manually create an Endpoints resource to route traffic.

20
Multi-Selecthard

Which THREE statements about NetworkPolicy are correct? (Select 3)

Select 3 answers
A.NetworkPolicy follows an allow-list model; if no policy matches, traffic is denied.
B.NetworkPolicy can block traffic to specific external IP addresses using ipBlock.
C.NetworkPolicy can use namespaceSelector to allow traffic from all pods in a namespace.
D.NetworkPolicy is a cluster-scoped resource.
E.NetworkPolicy can restrict egress traffic from pods.
AnswersA, C, E

The default behavior is deny if any policy selects the pod; otherwise, traffic is allowed. But with policies, it's allow-list.

Why this answer

Options A, C, and E are correct. NetworkPolicy can allow traffic from specific namespaces, it can restrict egress, and it is an allow-list model (default deny, then allow). Option B is false because NetworkPolicy is namespace-scoped.

Option D is false because NetworkPolicy cannot block traffic to external IPs directly; it can only control traffic to/from pods.

21
MCQeasy

What is the default Service type when creating a Service via 'kubectl create service' or YAML without specifying type?

A.NodePort
B.ExternalName
C.LoadBalancer
D.ClusterIP
AnswerD

Correct. ClusterIP is the default.

Why this answer

The default Service type is ClusterIP. Option A is correct. NodePort, LoadBalancer, and ExternalName require explicit specification.

22
MCQeasy

A Service uses a selector to target Pods. After updating the Pod labels, you notice the endpoints list is empty. What is the most likely reason?

A.The Service port was changed
B.The new labels do not match the Service selector
C.The Service type changed to ExternalName
D.The Pods have a different container port
AnswerB

Selector mismatch leads to no endpoints.

Why this answer

A Service uses a label selector to dynamically discover Pods and populate its endpoints. When Pod labels are updated, the selector remains unchanged; if the new labels do not match the selector, the Service cannot find any matching Pods, resulting in an empty endpoints list. This is the most direct and common cause of the issue.

Exam trap

The trap here is that candidates often assume updating Pod labels will automatically update the Service's endpoint list, but they forget that the Service selector must explicitly match the new labels for endpoints to be populated.

How to eliminate wrong answers

Option A is wrong because changing the Service port would affect connectivity but not the endpoints list; endpoints are populated based on label matching, not port values. Option C is wrong because changing the Service type to ExternalName would remove the selector entirely and use a DNS CNAME instead, but the question states the selector is still used and the endpoints list is empty, not that the Service type changed. Option D is wrong because a different container port does not prevent label matching; the Service selector targets Pods by labels, and the container port is only relevant for routing traffic after the Pod is selected.

23
MCQmedium

You run 'kubectl port-forward pod/my-pod 8080:80'. What does this command do?

A.Exposes the pod on port 8080 on each node's IP
B.Forwards local port 8080 to port 80 on the pod
C.Forwards local port 8080 to port 80 on the Service
D.Creates a Service that maps port 8080 to port 80 on the pod
AnswerB

Correct.

Why this answer

kubectl port-forward forwards local port 8080 to port 80 on the pod. Option A is correct. Option B is wrong because it forwards to a service.

Option C is wrong because it does not create a service. Option D is wrong because it does not expose on a node port.

24
MCQmedium

You have a Service named 'web' in namespace 'default'. Which DNS name resolves to the Service's ClusterIP?

A.web.default.cluster.local
B.web.default.svc.cluster.local
C.web.svc.cluster.local
D.web.default.pod.cluster.local
AnswerB

This is the standard Service DNS name.

Why this answer

The DNS name for a Service follows the pattern <service>.<namespace>.svc.cluster.local. So 'web.default.svc.cluster.local' resolves to the Service's ClusterIP.

25
MCQmedium

You need to temporarily access a pod's HTTP endpoint on port 8080 from your local machine. Which command should you use?

A.kubectl exec -it pod/my-pod -- curl http://localhost:8080
B.kubectl proxy --port=8080
C.kubectl attach pod/my-pod
D.kubectl port-forward pod/my-pod 8080:8080
AnswerD

Correct command.

Why this answer

kubectl port-forward forwards a local port to a pod port.

26
MCQhard

A StatefulSet is deployed with a headless service (clusterIP: None). The pods are named 'web-0', 'web-1', 'web-2'. What DNS name resolves to the specific IP of 'web-1'?

A.web-1.web.default.svc.cluster.local
B.web-1.default.svc.cluster.local
C.web-0.web.default.svc.cluster.local
D.web.web-1.default.svc.cluster.local
AnswerA

This is the correct DNS name for the pod.

Why this answer

For a headless service, pod DNS is of the form <pod-name>.<service-name>.<namespace>.svc.cluster.local.

27
MCQmedium

You have a headless service 'db' in namespace 'data'. Pods in that namespace can resolve 'db.data.svc.cluster.local'. What is the effect of a headless service on DNS resolution?

A.It does not create any DNS record
B.It returns the IP of the first pod
C.It returns a round-robin list of pod IPs
D.It returns the ClusterIP of the service
AnswerC

DNS returns multiple A records with pod IPs.

Why this answer

A headless service (clusterIP: None) returns A records for the IPs of the pods matching the selector, rather than a single ClusterIP. This is used for StatefulSets where each pod needs a stable network identity.

28
MCQmedium

A developer deploys a set of Pods labeled app=frontend and wants to expose them internally within the cluster on a stable IP. Which resource should be used?

A.Service of type NodePort
B.Service of type LoadBalancer
C.Service of type ClusterIP
D.Ingress resource
AnswerC

Correct: ClusterIP provides a stable internal IP.

Why this answer

A Service of type ClusterIP exposes the Pods on a stable internal IP address that is only reachable within the cluster. This is the default Service type and is ideal for internal communication between components, such as a frontend being accessed by a backend, without exposing the service outside the cluster.

Exam trap

The trap here is that candidates often confuse 'exposing internally' with 'exposing externally' and choose NodePort or LoadBalancer, forgetting that ClusterIP is the default and correct choice for internal-only stable IP access.

How to eliminate wrong answers

Option A is wrong because a NodePort Service exposes the Pods on a static port on each Node's IP address, making it accessible from outside the cluster, which is unnecessary and insecure for internal-only access. Option B is wrong because a LoadBalancer Service provisions an external load balancer (e.g., from a cloud provider) to expose the service to the internet, which is overkill and violates the requirement for internal-only exposure. Option D is wrong because an Ingress resource is not a Service; it provides HTTP/HTTPS routing rules to Services (typically ClusterIP) and is used for external traffic management, not for providing a stable internal IP directly.

29
MCQmedium

A Service named `api` in namespace `default` has multiple endpoints. You run `kubectl get endpoints api` and see no IPs. What is the most likely cause?

A.The Service type is ExternalName
B.The namespace has a NetworkPolicy blocking traffic
C.The Service has a clusterIP of None
D.The Service selector does not match any pods
AnswerD

If the selector does not match any pod labels, no endpoints are created.

Why this answer

Endpoints are created based on pod labels matching the Service's selector. If no pods match, endpoints will be empty.

30
MCQmedium

A ClusterIP service named 'db-service' in namespace 'data' is not reachable from a pod in the same namespace. The pod's /etc/resolv.conf shows 'search data.svc.cluster.local svc.cluster.local cluster.local'. Using the pod, which command tests DNS resolution for the service?

A.dig db-service.data.svc.cluster.local
B.ping db-service
C.nslookup db-service.data.svc.cluster.local
D.curl http://db-service:3306
AnswerC

Directly queries DNS for the service's full domain name.

Why this answer

Option C is correct. The full DNS name for a service is 'service.namespace.svc.cluster.local'. Using 'nslookup db-service.data.svc.cluster.local' will test resolution.

In-cluster DNS resolves short names within the same namespace, so 'db-service' should work, but the question asks for a command that tests DNS resolution. Option C explicitly uses the full name.

31
MCQhard

Which of the following is a valid NetworkPolicy that allows ingress traffic only from pods with label 'role: frontend' in any namespace?

A.ingress: - from: - namespaceSelector: {} podSelector: matchLabels: role: frontend
B.ingress: - from: - ipBlock: cidr: 0.0.0.0/0
C.ingress: - from: - podSelector: matchLabels: role: frontend
D.ingress: - from: - namespaceSelector: matchLabels: role: frontend
AnswerA

Empty namespaceSelector selects all namespaces, and podSelector selects frontend pods.

Why this answer

NamespaceSelector selects namespaces, and podSelector selects pods within those namespaces.

32
MCQmedium

You need to expose a Deployment named 'web' on port 80 internally within the cluster. Which command creates the appropriate Service?

A.kubectl create service clusterip web --tcp=80:80
B.kubectl expose deployment web --port=80
C.kubectl apply -f service.yaml
D.kubectl run web --image=nginx --port=80
AnswerB

This creates a ClusterIP Service with the same selectors as the deployment's pod template labels.

Why this answer

kubectl expose exposes a resource as a Kubernetes Service. The default type is ClusterIP.

33
Multi-Selecthard

Which THREE of the following are valid use cases for a Headless Service (clusterIP: None)?

Select 3 answers
A.Discovering all Pod IPs via DNS A/AAAA records
B.Exposing the service externally via cloud load balancer
C.StatefulSet pod DNS (e.g., pod-0.svc.namespace.svc.cluster.local)
D.Implementing a custom load balancing algorithm
E.Providing a stable virtual IP for load balancing
AnswersA, C, D

DNS returns all Pod IPs for headless service.

Why this answer

Option A is correct because a Headless Service (clusterIP: None) does not provide a virtual IP or load balancing. Instead, DNS queries return A/AAAA records containing the IP addresses of all healthy Pods selected by the service. This allows clients to discover and connect directly to individual Pod IPs, which is essential for stateful applications or custom discovery patterns.

Exam trap

The trap here is that candidates often confuse the purpose of a Headless Service with a regular ClusterIP Service, mistakenly thinking it can provide external exposure or a stable virtual IP, when in fact it is designed for direct Pod-to-Pod discovery without load balancing.

34
MCQeasy

Which command creates a Service named 'web' of type ClusterIP that selects pods with label 'tier: frontend' and exposes port 80?

A.kubectl expose deployment frontend --port=80 --target-port=80 --type=ClusterIP --name=web
B.kubectl create service clusterip web --tcp=80
C.kubectl expose deployment web --port=80 --type=NodePort
D.kubectl run web --image=nginx --port=80 --expose
AnswerA

This creates a ClusterIP service named 'web' that selects pods from the deployment 'frontend' which should have label 'tier: frontend'.

Why this answer

kubectl expose deployment or pod requires a resource with labels. Option C uses a deployment with label 'tier: frontend'. Option A uses NodePort.

Option B uses run. Option D is not a valid command (create service clusterip requires --tcp flag).

35
MCQmedium

An Ingress resource is created with the following YAML: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-ingress spec: rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-svc port: number: 80 Which of the following requests will be routed to the api-svc Service?

A.GET http://example.com/other
B.GET http://example.com/api/
C.GET http://example.org/api
D.GET http://example.com/apix
E.GET http://example.com/api/users
AnswerE

Correct. Matches host example.com and path starts with /api.

Why this answer

The Ingress routes requests with host 'example.com' and path prefix '/api' to api-svc. Option A matches both conditions. Option B has wrong host.

Option C has wrong path (does not start with /api). Option D has wrong path type requirement (exact match would be needed for trailing slash behavior, but here it's Prefix).

36
Drag & Dropmedium

Order the steps to perform a rolling rollback of a Deployment to a previous revision.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

View history, choose revision, undo to that revision, wait for completion, then verify.

37
MCQeasy

Which service type is used to expose a service using an external DNS name, such as a database hosted outside Kubernetes?

A.ClusterIP
B.NodePort
C.LoadBalancer
D.ExternalName
AnswerD

Correct. Maps to an external DNS name.

Why this answer

ExternalName service maps to an external DNS name. It returns a CNAME record.

38
Multi-Selectmedium

Which TWO of the following are valid methods to create a Service in Kubernetes? (Select 2)

Select 2 answers
A.kubectl create service clusterip my-svc --tcp=80:80
B.kubectl apply -f service.yaml
C.kubectl create deployment my-svc --image=nginx
D.kubectl run my-svc --image=nginx --port=80
E.kubectl expose deployment my-deploy --port=80
AnswersA, E

Creates a ClusterIP service via kubectl create service.

Why this answer

You can create a Service via kubectl expose or by writing a YAML manifest.

39
Multi-Selectmedium

Which TWO statements about Ingress are correct? (Select 2)

Select 2 answers
A.Ingress can terminate TLS.
B.Ingress provides a ClusterIP for internal access.
C.Ingress can route traffic based on the host header.
D.Ingress can load balance TCP traffic.
E.Ingress automatically assigns an external IP to the Service.
AnswersA, C

Ingress can terminate TLS using secrets.

Why this answer

Options A and D are correct. Ingress can provide host-based routing and TLS termination. Option B is false because Ingress is not for TCP/UDP.

Option C is false because Ingress does not provide a default ClusterIP. Option E is false because Ingress does not directly assign external IPs.

40
MCQhard

An Ingress resource routes traffic to a Service 'web' on port 80. The Service has multiple endpoints but all return 503. What should be checked first?

A.Ensure that the Service type is ClusterIP
B.Check the readiness probe of the Pods
C.Verify that the Service port matches the Pod's container port
D.Check the Ingress controller logs
AnswerB

503 often indicates Pods are not ready; readiness probe failing causes removal from endpoints.

Why this answer

A 503 Service Unavailable error from the Ingress indicates the upstream Service is not ready to serve traffic. The most common cause is Pods failing their readiness probes, which removes them from the Service's endpoint list. Checking the readiness probe status directly addresses why the Service has endpoints but returns 503.

Exam trap

CNCF often tests the distinction between readiness and liveness probes, where candidates mistakenly check liveness or assume a port mismatch, but readiness directly controls traffic routing via Services.

How to eliminate wrong answers

Option A is wrong because ClusterIP is the default Service type and does not cause 503 errors; changing it would not fix the issue. Option C is wrong because if the Service port mismatched the container port, the Service would have no endpoints at all, not endpoints returning 503. Option D is wrong because Ingress controller logs would show routing errors or backend unavailability, but the first diagnostic step should be checking the Pods' readiness, not logs.

41
MCQeasy

What annotation is required on an Ingress resource to use a specific IngressClass (e.g., 'nginx')?

A.kubernetes.io/ingress-type: nginx
B.kubernetes.io/ingress.class: nginx
C.ingress.kubernetes.io/class: nginx
D.kubernetes.io/class: nginx
AnswerB

Correct annotation to specify the IngressClass.

Why this answer

The annotation 'kubernetes.io/ingress.class' is used to specify the IngressClass. Alternatively, you can use spec.ingressClassName, but the annotation is the traditional way.

42
MCQeasy

Which command forwards port 8080 on the local machine to port 80 on a pod named 'web-pod'?

A.kubectl expose pod web-pod --port=8080 --target-port=80
B.kubectl proxy --port=8080 --target=pod/web-pod:80
C.kubectl port-forward pod/web-pod 8080:80
D.kubectl exec web-pod -- curl http://localhost:8080
AnswerC

Correct syntax for port-forward.

Why this answer

The kubectl port-forward command is used for this. The syntax is: kubectl port-forward pod/web-pod 8080:80

43
MCQhard

You have a Deployment with multiple replicas. You want to expose it via a Service that has a stable IP address and is accessible from outside the cluster on a static port on each node. Which Service type should you use?

A.NodePort
B.LoadBalancer
C.ClusterIP
D.ExternalName
AnswerA

Correct. NodePort exposes the service on a static port on each node's IP.

Why this answer

NodePort exposes the Service on a static port on each node's IP, allowing external access. ClusterIP is only internal. LoadBalancer builds on NodePort but requires cloud provider support.

ExternalName maps to an external DNS name. Option B is correct.

44
MCQmedium

You have a headless Service for a StatefulSet. The DNS query for the service returns no A records. What is the most likely cause?

A.The Service selector does not match any pod labels
B.The Service has clusterIP set to an IP address
C.The Service is of type ExternalName
D.The StatefulSet is using a volumeClaimTemplate
AnswerA

If the selector doesn't match pod labels, the Service has no endpoints, and DNS returns no A records.

Why this answer

A headless Service (clusterIP: None) returns DNS A records for each ready pod endpoint. If no pod is ready, no A records are returned.

45
Multi-Selectmedium

Which TWO are valid Service types? (Choose two.)

Select 2 answers
A.NodePort
B.Headless
C.Ingress
D.ClusterIP
E.Pod
AnswersA, D

Valid type.

Why this answer

Valid types are ClusterIP, NodePort, LoadBalancer, ExternalName. ClusterIP and NodePort are two of them.

46
MCQeasy

Which Service type is used to expose a Service externally using a cloud provider's load balancer?

A.NodePort
B.LoadBalancer
C.ExternalName
D.ClusterIP
AnswerB

LoadBalancer integrates with cloud providers to expose the Service externally.

Why this answer

Option B is correct. LoadBalancer Service provisions an external load balancer (if supported by the cloud provider) to expose the Service.

47
MCQmedium

You run 'kubectl port-forward pod/my-pod 8080:80' and try to access 'http://localhost:8080', but the connection is refused. The pod is running and port 80 is open. What is the most likely issue?

A.The container is listening on port 8080 instead of 80
B.Local port 8080 is already in use by another process
C.The service must exist for port-forwarding to work
D.The pod is in a different namespace and the namespace flag is missing
AnswerB

If local port 8080 is occupied, the port-forward will fail or the connection will be refused.

Why this answer

kubectl port-forward forwards from a local port to a port on the pod. If the local port 8080 is already in use, the command will fail or the forwarding won't work. Option C is correct.

Option A is incorrect because the command forwards to the pod, not through a service. Option B is incorrect because port 80 on the pod is open. Option D is incorrect because kubectl port-forward works even if no services exist.

48
MCQhard

A StatefulSet named 'mysql' is deployed with 3 replicas. The administrator wants to create a headless Service so that each pod gets a unique DNS entry. Which Service specification should be used?

A.apiVersion: v1 kind: Service metadata: name: mysql spec: type: NodePort selector: app: mysql ports: - port: 3306
B.apiVersion: v1 kind: Service metadata: name: mysql spec: clusterIP: None selector: app: mysql ports: - port: 3306
C.apiVersion: v1 kind: Service metadata: name: mysql spec: type: ClusterIP selector: app: mysql ports: - port: 3306
D.apiVersion: v1 kind: Service metadata: name: mysql spec: clusterIP: "" selector: app: mysql ports: - port: 3306
AnswerB

Setting clusterIP: None creates a headless Service.

Why this answer

A headless Service is created by setting clusterIP: None. This allows DNS to return the pod IPs directly, and for StatefulSets, each pod gets a DNS name like <pod>.<service>.<namespace>.svc.cluster.local.

49
Multi-Selectmedium

Which THREE statements about NetworkPolicy are correct?

Select 3 answers
A.NetworkPolicy uses labels to select pods and namespaces
B.By default, if no NetworkPolicy selects a pod, all traffic to that pod is allowed
C.NetworkPolicy resources are cluster-scoped
D.ipBlock can only be used in ingress rules
E.An empty podSelector in spec selects all pods in the namespace
AnswersA, B, E

podSelector and namespaceSelector use label selectors.

Why this answer

NetworkPolicy is namespaced, can use podSelector and namespaceSelector, and default is allow all if no policy selects the pod. Empty podSelector selects all pods in the namespace. ipBlock can be used in both ingress and egress rules.

50
MCQhard

You are a platform engineer managing a Kubernetes cluster version 1.28. A development team has deployed a microservice application called 'order-processor' in the 'prod' namespace. The application consists of a frontend Pod 'frontend' and a backend Pod 'backend', each with a single container. The frontend needs to communicate with the backend using a headless Service named 'backend-svc' that selects Pods with label 'app:backend'. The backend Pods are expected to scale horizontally, and the frontend uses a DNS lookup to discover all backend Pod IPs for client-side load balancing. However, after deploying, the frontend is unable to resolve 'backend-svc' to any IP addresses. The backend Pod is running and has the correct label 'app:backend'. The Service 'backend-svc' is defined as a ClusterIP with clusterIP: None. The frontend container has the 'default' DNS policy. What is the most likely cause of the failure?

A.The headless Service must have the 'publishNotReadyAddresses: true' field to include not-ready Pods.
B.The Service and frontend are in different namespaces; the DNS name must be fully qualified.
C.The backend Pod does not have a readiness probe defined, so it is not considered ready and not added to DNS records.
D.The frontend Pod's DNS policy is set to 'None' which disables DNS resolution.
AnswerC

Default behavior: only ready Pods are published in headless Service DNS records.

Why this answer

Option C is correct because a headless Service (clusterIP: None) creates DNS A/AAAA records only for Pods that are in the Ready state. Without a readiness probe defined on the backend Pod, Kubernetes considers the Pod not ready, so it is excluded from the DNS records. The frontend's DNS lookup of 'backend-svc' therefore returns no IP addresses, causing the resolution failure.

Exam trap

The trap here is that candidates assume a headless Service always returns all matching Pod IPs regardless of readiness, but Kubernetes only publishes ready Pods to DNS unless explicitly configured otherwise.

How to eliminate wrong answers

Option A is wrong because 'publishNotReadyAddresses: true' is a legacy field (deprecated in 1.25) that forces inclusion of not-ready Pods in DNS; it is not required for headless Services and is not the default cause of the issue. Option B is wrong because the question states both the frontend and backend are in the 'prod' namespace, so no cross-namespace DNS qualification is needed; a simple service name resolves within the same namespace. Option D is wrong because the frontend container has the 'default' DNS policy (not 'None'), so DNS resolution is enabled and not disabled.

51
Multi-Selecteasy

Which TWO of the following are valid service types in Kubernetes?

Select 2 answers
A.NodePort
B.Headless
C.Ingress
D.Gateway
E.ClusterIP
AnswersA, E

Valid service type.

Why this answer

ClusterIP and NodePort are standard service types. LoadBalancer and ExternalName are also valid, but the question asks for TWO; these are the most basic. Headless is not a type; it's a variation of ClusterIP.

52
MCQeasy

To create a service that will be accessible from outside the cluster using a cloud provider's load balancer, what type should be used?

A.NodePort
B.ClusterIP
C.ExternalName
D.LoadBalancer
AnswerD

Correct. LoadBalancer provisions a cloud load balancer and assigns an external IP.

Why this answer

LoadBalancer provisions an external load balancer in cloud environments. NodePort also exposes externally but on a static port on each node, not via a cloud LB.

53
MCQhard

A ClusterIP service named 'svc' has no endpoints. Which command can you use to debug why the service is not routing traffic?

A.kubectl get endpoints svc
B.kubectl describe service svc
C.kubectl logs svc
D.kubectl exec -it svc -- /bin/sh
AnswerA

Shows the endpoints of the service, which are missing.

Why this answer

Run 'kubectl get endpoints svc' to see if the service has any endpoints. If none, check that the pod selector matches the labels of the pods and that the pods are running.

54
MCQhard

A pod 'app' has an init container that fails. The pod status is Init:Error. What is the first step to diagnose?

A.kubectl describe pod app
B.kubectl logs app -c <init-container-name>
C.kubectl exec -it app -- /bin/sh
D.kubectl logs app
AnswerB

Specifies the init container to get its logs.

Why this answer

Use 'kubectl logs app -c <init-container-name>' to see the logs of the specific init container that failed. The pod logs do not include init containers by default.

55
MCQeasy

An application requires Pods to communicate using hostNetwork: true. Which Kubernetes resource is still necessary for stable DNS names?

A.Headless Service
B.Endpoints resource
C.Regular Service (ClusterIP)
D.Ingress
AnswerC

Regular Service provides stable DNS and IP; works with hostNetwork.

Why this answer

When Pods use hostNetwork: true, they share the node's network namespace and bypass the Pod network, so kube-proxy does not set up iptables rules for ClusterIP Services. However, a regular ClusterIP Service still creates stable DNS records (via CoreDNS) that resolve to the Service's virtual IP, which can then be used for stable DNS names even though direct ClusterIP connectivity is lost. This ensures that other components can discover the Pods via DNS without relying on Pod IPs that may change.

Exam trap

The trap here is that candidates assume hostNetwork: true eliminates the need for any Service, but DNS resolution still depends on the Service object existing in the cluster, even if the ClusterIP is unreachable.

How to eliminate wrong answers

Option A is wrong because a Headless Service (ClusterIP = None) does not provide a stable ClusterIP or load-balanced DNS; it returns Pod IPs directly via DNS A/AAAA records, which are not stable when Pods restart or are rescheduled. Option B is wrong because an Endpoints resource is an internal data structure that tracks Pod IPs for a Service; it is not a standalone resource for stable DNS names and is automatically managed by the Service. Option D is wrong because an Ingress is an HTTP/HTTPS layer-7 routing resource that relies on a Service to function; it does not provide DNS names itself and is not necessary for stable DNS within the cluster.

56
Multi-Selecteasy

Which TWO of the following are true about headless services? (Select 2)

Select 2 answers
A.DNS returns multiple A records, one for each pod's IP
B.They set 'clusterIP: None' in the service spec
C.They provide a stable virtual IP for load balancing
D.They cannot have a selector
E.They are used exclusively with Deployments
AnswersA, B

For headless services, DNS returns the IPs of all pods matching the selector.

Why this answer

Headless services set clusterIP: None, and they return DNS A records for each pod's IP. They are often used with StatefulSets. Option A and D are correct.

Option B is false because they don't provide a single VIP. Option C is false because they are used with StatefulSets. Option E is false because they can be used with any selector, not just StatefulSets, but the most common use is with StatefulSets.

57
MCQeasy

Which kubectl command creates a Service of type ClusterIP named 'my-service' that exposes port 80 on a set of pods selected by label 'app: web'?

A.kubectl run my-service --image=nginx --port=80 --expose
B.kubectl expose deployment my-deployment --port=80 --target-port=80 --type=ClusterIP --name=my-service
C.kubectl create service clusterip my-service --tcp=80:80
D.kubectl expose pod my-pod --port=80 --target-port=80 --type=NodePort --name=my-service
AnswerB

This correctly exposes a deployment as a ClusterIP service.

Why this answer

The correct command uses 'kubectl expose' with the '--type' flag to specify ClusterIP and '--target-port' for the container port. Option B is correct. Option A uses '--type=NodePort', which is incorrect.

Option C uses 'kubectl run' which is not the proper way to create a service. Option D uses 'kubectl create service clusterip' but without specifying the selector explicitly, it will not correctly select pods.

58
MCQhard

You apply the following Ingress manifest: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: app-ingress spec: ingressClassName: nginx rules: - host: example.com http: paths: - path: /api pathType: Prefix backend: service: name: api-service port: number: 80 The Ingress controller logs show a 404 error when accessing 'http://example.com/api'. The service 'api-service' exists and is reachable via ClusterIP. What is the most likely cause?

A.The service 'api-service' is in a different namespace
B.The service port (80) does not match the container port
C.The IngressClass 'nginx' is not installed or configured
D.The path '/api' should be pathType: Exact
AnswerC

The Ingress controller must be configured to process the specified ingressClassName. If the IngressClass is missing, the Ingress will not be processed, resulting in 404.

Why this answer

The Ingress resource specifies an ingressClassName 'nginx', but if the corresponding IngressClass resource does not exist or the controller is not configured to watch that class, the Ingress will be ignored. Option C is correct. Option A is incorrect because the service port and container port don't need to match; the service targets the container port.

Option B is incorrect because the path and pathType are correct. Option D is incorrect because the service must be in the same namespace as the Ingress.

59
MCQmedium

Which annotation is used to specify the IngressClass for an Ingress resource in Kubernetes v1.18+?

A.nginx.ingress.kubernetes.io/rewrite-target
B.kubernetes.io/ingress.class
C.ingress.kubernetes.io/class
D.kubernetes.io/ingress-controller
AnswerB

Specifies the ingress class to use, though the newer way is spec.ingressClassName.

Why this answer

Option B is correct. The 'kubernetes.io/ingress.class' annotation was deprecated in v1.18 in favor of the 'spec.ingressClassName' field, but the annotation still works. Option A is for a different annotation.

Option C is for ingress controller. Option D is for custom annotation.

60
MCQeasy

You want to deny all incoming traffic to a set of pods except from pods with label 'role: frontend'. Which NetworkPolicy spec should you use?

A.spec: podSelector: matchLabels: app: myapp ingress: - from: - namespaceSelector: matchLabels: role: frontend
B.spec: podSelector: matchLabels: app: myapp egress: - to: - podSelector: matchLabels: role: frontend
C.spec: podSelector: {} ingress: - from: - podSelector: matchLabels: role: frontend
D.spec: podSelector: matchLabels: app: myapp ingress: - from: - podSelector: matchLabels: role: frontend
AnswerD

This selects the target pods and allows traffic only from frontend pods.

Why this answer

A NetworkPolicy with podSelector matching the target pods and an ingress rule allowing only sources with label 'role: frontend' is needed.

61
MCQmedium

A NetworkPolicy allows egress traffic to pods with label 'db: mysql' in the same namespace. Which egress rule is correct?

A.egress: - to: - podSelector: matchLabels: db: mysql
B.egress: - to: - namespaceSelector: matchLabels: db: mysql
C.egress: - from: - podSelector: matchLabels: db: mysql
D.egress: - to: - ipBlock: cidr: 10.0.0.0/8
AnswerA

Correct.

Why this answer

Egress rules use 'to' with podSelector. Option A uses 'from' which is for ingress. Option D uses namespaceSelector incorrectly.

62
Multi-Selectmedium

Which TWO statements about headless services are correct?

Select 2 answers
A.They require a selector to match pods
B.DNS returns the pod IPs directly
C.They are used for StatefulSets to provide stable network identities
D.They provide load balancing across pods
E.They have a ClusterIP assigned
AnswersB, C

DNS returns A records for each pod.

Why this answer

Headless services (clusterIP: None) do not load-balance and return pod IPs directly via DNS. They are commonly used with StatefulSets.

63
Multi-Selecthard

Which THREE of the following are valid rules for a NetworkPolicy that allows egress traffic from pods with label 'app: worker' to the external IP range '192.168.0.0/16' on port 53 UDP? (Select 3)

Select 3 answers
A.egress: - ports: - port: 53 protocol: UDP to: - ipBlock: cidr: 192.168.0.0/16
B.egress: - to: - ipBlock: cidr: 192.168.0.0/16 ports: - port: 53 protocol: UDP - to: - podSelector: {}
C.egress: - to: - ipBlock: cidr: 192.168.0.0/16 ports: - port: 53 protocol: UDP
D.egress: - to: - ipBlock: cidr: 192.168.0.0/16 ports: - port: 53 protocol: UDP
E.egress: - from: - ipBlock: cidr: 192.168.0.0/16 ports: - port: 53 protocol: UDP
AnswersA, C, D

This is also valid; order of fields does not matter.

Why this answer

To allow egress to an external IP range, you use egress rules with to containing ipBlock and ports. Multiple rules can be combined. Options B, D, and E are valid ways to express this.

Option A is incorrect because it also allows to all pods. Option C is incorrect because it uses from instead of to.

64
MCQmedium

You need to allow ingress traffic to pods in namespace 'api' only from pods in namespace 'frontend' that have label 'role: proxy'. Which NetworkPolicy ingress rule correctly implements this?

A.ingress: - from: - namespaceSelector: matchLabels: name: frontend
B.ingress: - from: - namespaceSelector: matchLabels: name: frontend podSelector: matchLabels: role: proxy
C.ingress: - from: - ipBlock: cidr: 0.0.0.0/0 - podSelector: matchLabels: role: proxy
D.ingress: - from: - podSelector: matchLabels: role: proxy
AnswerB

This selects pods with label 'role: proxy' in namespaces that have label 'name: frontend'.

Why this answer

To select pods from another namespace with a specific label, you must use both namespaceSelector and podSelector in the same from item. Option A is correct. Option B allows from any pod in namespace 'frontend' regardless of label.

Option C allows from any pod with label 'role: proxy' in any namespace. Option D uses ipBlock which is not needed.

65
MCQeasy

You have a Deployment named 'web' with label 'app: web'. You want to create a Service that exposes the Deployment on port 80 internally within the cluster. Which kubectl command achieves this?

A.kubectl create service clusterip web --tcp=80
B.kubectl create deployment web --image=nginx --expose --port=80
C.kubectl expose pod web --port=80
D.kubectl expose deployment web --port=80
AnswerD

Correctly creates a ClusterIP Service for the 'web' Deployment on port 80.

Why this answer

Option A is correct. 'kubectl expose deployment web --port=80' creates a ClusterIP Service targeting pods with label 'app: web' (inherited from the Deployment) and exposes port 80.

66
Multi-Selecthard

Which THREE are valid fields in a NetworkPolicy spec? (Choose three.)

Select 3 answers
A.podSelector
B.ingress
C.ports
D.policyTypes
E.ipBlock
AnswersA, B, D

Required.

Why this answer

Valid fields include podSelector, policyTypes, and ingress. egress is also valid but not listed as correct in this set.

67
MCQmedium

A NetworkPolicy denies all ingress traffic to a namespace. Which rule would allow traffic only from pods in the same namespace?

A.from: - namespaceSelector: {} podSelector: {}
B.from: - ipBlock: cidr: 0.0.0.0/0
C.from: - podSelector: {}
D.from: - namespaceSelector: matchLabels: name: mynamespace
AnswerC

Empty podSelector selects all pods in the same namespace.

Why this answer

To allow traffic from within the same namespace, use a podSelector that matches all pods (empty selector) in the ingress from rule. This allows traffic from any pod in the namespace.

68
MCQeasy

What is the purpose of the 'spec.externalName' field in a Service of type ExternalName?

A.To expose the service on a static port on each node
B.To expose the service using an external load balancer
C.To return a CNAME record pointing to an external domain
D.To assign a static cluster IP
AnswerC

ExternalName service provides DNS alias to external name.

Why this answer

Option A is correct. ExternalName service maps a service name to an external DNS name, returning a CNAME record. Option B is for LoadBalancer.

Option C for ClusterIP. Option D for NodePort.

69
MCQeasy

What is the default type of a Kubernetes Service when no type is specified in the YAML manifest?

A.NodePort
B.LoadBalancer
C.ClusterIP
D.ExternalName
AnswerC

Default service type.

Why this answer

Option B is correct. The default service type is ClusterIP. If you omit 'spec.type', Kubernetes assumes ClusterIP.

70
MCQmedium

A developer creates a headless Service with 'clusterIP: None' for a StatefulSet. What is the primary purpose of using a headless Service?

A.To prevent DNS resolution of the service
B.To enable TLS termination at the service level
C.To provide load balancing across the pods
D.To provide stable network identities and DNS records for each pod in the StatefulSet
AnswerD

Headless services assign each pod a unique DNS name (pod-name.service-name.namespace.svc.cluster.local) and allow direct pod-to-pod communication.

Why this answer

Headless services are used with StatefulSets to enable direct pod-to-pod communication and stable network identities. Option A is correct. Option B is incorrect because ClusterIP services provide load balancing.

Option C is incorrect because headless services still use DNS. Option D is incorrect because headless services do not provide automatic TLS.

71
Multi-Selectmedium

Which TWO of the following are valid ways to create a Service named 'web' that targets pods with label 'app: web' on port 80?

Select 2 answers
A.kubectl expose deployment web --port=80
B.kubectl apply -f service.yaml where service.yaml contains a Service with spec.clusterIP: None
C.kubectl run web --image=nginx --port=80 --expose
D.kubectl create service clusterip web --tcp=80 --selector=app=web
E.A YAML manifest with apiVersion: v1, kind: Service, metadata.name: web, spec.selector.app: web, spec.ports[0].port: 80
AnswersA, E

Valid command.

Why this answer

kubectl expose deployment web --port=80 creates a service from a deployment. A YAML manifest with spec.selector.app: web and spec.ports[0].port: 80 also works.

72
MCQeasy

A developer wants to expose a Deployment named 'web-app' (with label 'app: web') as a ClusterIP service on port 80. Which command achieves this?

A.kubectl expose service web-app --port=80
B.kubectl create service clusterip web-app --tcp=80
C.kubectl expose deployment web-app --port=80
D.kubectl expose pod web-app --port=80
AnswerC

Correctly exposes the deployment as a service.

Why this answer

The correct command is 'kubectl expose deployment web-app --port=80'. This creates a ClusterIP service named 'web-app' that selects pods with label 'app: web' and exposes port 80.

73
MCQmedium

You have a Service named 'api' with selectors that match pods. However, curl to the Service cluster IP times out. 'kubectl get endpoints api' shows no endpoints. What is the most likely cause?

A.The Service's selector does not match any pod labels.
B.The Service is of type ExternalName.
C.The pods are not listening on the target port.
D.The Service is in a different namespace than the pods.
AnswerA

Empty endpoints indicate selector mismatch.

Why this answer

Option B is correct. If endpoints are empty, the Service's selector does not match any pods, so no endpoints are created.

74
MCQeasy

A developer deploys a web application as a Deployment named 'web-app' with 3 replicas. The application listens on port 8080 and should be accessible from within the cluster via the service name 'web-svc' on port 80. Which Service YAML correctly exposes the application?

A.apiVersion: v1\nkind: Service\nmetadata:\n name: web-svc\nspec:\n ports:\n - port: 80\n targetPort: 8080\n selector:\n app: web-app
B.apiVersion: v1\nkind: Service\nmetadata:\n name: web-svc\nspec:\n type: NodePort\n ports:\n - port: 80\n targetPort: 8080\n selector:\n app: web-app
C.apiVersion: v1\nkind: Service\nmetadata:\n name: web-svc\nspec:\n ports:\n - port: 8080\n targetPort: 80\n selector:\n app: web-app
D.apiVersion: v1\nkind: Service\nmetadata:\n name: web-svc\nspec:\n ports:\n - port: 80\n targetPort: 8080\n selector:\n app: web-app
AnswerA

Correctly selects pods with label app=web-app and maps port 80 to 8080.

Why this answer

Option A is correct because it defines a ClusterIP Service (default type) named 'web-svc' that maps port 80 (the service port) to targetPort 8080 (the container port), and uses the selector `app: web-app` to match the Pods created by the Deployment. This allows internal cluster traffic to reach the application on port 80 via the service name, while the application container listens on port 8080.

Exam trap

The trap here is that candidates often confuse `port` and `targetPort`, mistakenly swapping them (as in Option C), or they add unnecessary `type: NodePort` (Option B) when only internal cluster access is required, leading to over-exposure and incorrect configuration.

How to eliminate wrong answers

Option B is wrong because it specifies `type: NodePort`, which is unnecessary for internal cluster access and exposes the service on a high port on each node, violating the requirement of accessibility via the service name on port 80. Option C is wrong because it incorrectly maps port 8080 (service port) to targetPort 80 (container port), which would not match the application listening on port 8080, causing connection failures. Option D is a duplicate of Option A and is also correct, but the question expects a single correct answer; however, since both A and D are identical, the intended correct answer is A (the first listed), and D is considered a distractor.

75
MCQmedium

A ClusterIP Service named 'db' in namespace 'data' is not reachable from a pod in namespace 'app'. Which DNS name should the pod use to resolve the service?

A.data.db.svc.cluster.local
B.db.app.svc.cluster.local
C.db.svc.cluster.local
D.db.data.svc.cluster.local
AnswerD

This is the correct DNS name for the service.

Why this answer

The correct DNS name for a service is <service>.<namespace>.svc.cluster.local.

Page 1 of 3 · 204 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Services and Networking questions.