Back to Certified Kubernetes Application Developer CKAD questions

Scenario-based practice

Hard Difficulty Questions

Practise Certified Kubernetes Application Developer CKAD practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20
scenario questions
CKAD
exam code
CNCF
vendor

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard Difficulty Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related CKAD topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Full question →

You need to create a Pod that mounts a Secret named 'mysecret' as an environment variable 'SECRET_DATA'. The secret has a key 'password'. Which YAML snippet correctly achieves this?

Question 2hardmultiple choice
Full question →

A security requirement states that a container must run with a read-only root filesystem. Which field must be set in the container's securityContext?

Question 3hardmultiple choice
Full question →

A pod must run with a seccomp profile that only allows specific syscalls. Which SecurityContext field is used to specify the seccomp profile type?

Question 4hardmultiple choice
Full question →

A ConfigMap named 'env-config' has keys 'DB_HOST' and 'DB_PORT'. A pod needs to set the environment variable 'DATABASE_HOST' to the value of 'DB_HOST' from the ConfigMap, and 'DB_PORT' directly as 'DB_PORT'. Which YAML snippet correctly achieves this?

Question 5hardmultiple choice
Full question →

A Pod is configured with securityContext: { runAsUser: 1000, runAsGroup: 2000, fsGroup: 3000 }. The container's image runs a process that must listen on a TCP port below 1024 (e.g., port 80). The process is currently failing to start. What should you modify to allow the process to bind to a privileged port?

Question 6hardmultiple choice
Full question →

A cluster administrator wants to enforce that no pod in namespace 'prod' uses more than 4Gi of memory. Which Kubernetes resource should be created?

Question 7hardmultiple choice
Full question →

You have a pod that needs to mount a Secret as a volume. The Secret has keys 'username' and 'password'. How should the volumes and volumeMounts be configured to mount the secret at /etc/secret with each key as a file?

Question 8hardmulti select
Full question →

You want to apply a Pod Security Admission (PSA) policy that enforces the 'restricted' profile in the 'dev' namespace, but only for Pods that are not exempt. Which TWO steps are required? (Select TWO)

Question 9hardmultiple choice
Full question →

A container image requires a seccomp profile that is not the default. The cluster supports the RuntimeDefault seccomp profile. Which Pod securityContext field should be configured to use the RuntimeDefault seccomp profile?

Question 10hardmultiple choice
Full question →

A namespace 'dev' has a ResourceQuota that sets 'requests.cpu: 4' and 'limits.cpu: 8'. A pod is created with a container that has 'resources.requests.cpu: 1' and 'resources.limits.cpu: 3'. However, the pod remains in Pending state. The output of 'kubectl describe quota -n dev' shows 'used requests.cpu: 3.5' and 'used limits.cpu: 7'. What is the most likely reason the pod is pending?

Question 11hardmultiple choice
Full question →

You want to enforce a Pod Security Standard of 'restricted' in a namespace. Which command applies the correct label?

Question 12hardmultiple choice
Full question →

You need to create a Pod that runs with a specific non-root user (UID 1000), prevents privilege escalation, and mounts the container's filesystem as read-only. Which securityContext field is NOT required to achieve these requirements?

Question 13hardmultiple choice
Full question →

A Pod is configured with automountServiceAccountToken: false. The application inside the pod needs to access the Kubernetes API. What should be done?

Question 14hardmultiple choice
Full question →

A pod in a namespace with a ResourceQuota that sets 'requests.cpu: 2' is failing to schedule. The pod manifest specifies 'resources: { requests: { cpu: "500m" } }'. What is the likely cause?

Question 15hardmultiple choice
Full question →

A pod is failing to start with error 'container has runAsNonRoot and image will run as root'. The container image runs as root. Which change allows the pod to run?

Question 16hardmultiple choice
Full question →

A container image requires running as UID 0 but you need to comply with a 'restricted' Pod Security Admission policy. Which SecurityContext setting allows this while still passing the policy?

Question 17hardmultiple choice
Full question →

You need to configure a liveness probe that checks if the container port 8080 is open. Which probe type should you use?

Question 18hardmultiple choice
Full question →

You have a Deployment with 3 replicas. The pods have a readiness probe that checks an HTTP endpoint /ready. One pod's readiness probe is failing. What will happen?

Question 19hardmultiple choice
Full question →

You have a Deployment with a liveness probe using an exec command. The probe currently runs 'cat /tmp/healthy' and fails after 3 failures. You notice the pod is being restarted even though the application is healthy. What is the most likely cause?

Question 20hardmultiple choice
Full question →

You want to configure a pod so that it receives a SIGTERM signal and has 60 seconds to shut down gracefully before being forcefully killed. Which field should you set?

These CKAD practice questions are part of Courseiva's free CNCF certification practice question bank. Courseiva provides original exam-style CKAD questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.